The Good
The trend of “Hacker on Hacker” attacks seems to be standing with news this week that the notorious criminal forum ‘Carding Mafia’ is the latest to suffer a data breach. Carding Mafia is a oasis for those wanting to buy and sell stolen credit cards, with reportedly scrutinizingly 300,000 registered users.
Data violate expert and creator of the Have I Been Pwned service, Troy Hunt, discovered the violate older this week. The exposed data included email and IP addresses, usernames and salted MD5 password hashes, a trove that we are sure will be of unconfined interest to law enforcement agencies.
There’s no indication at this point as to who was overdue the wade or what their objective was in leaking the data. According to one report, the data may have been misogynist since late January.
At the time of writing, Carding Mafia towards not to have informed their users, but as news of the leak circulates (happy to help there!), we can only hope that the distrust this should engender in the site’s management may serve to disrupt in some small way the ongoing theft and trade of stolen credit cards.
The Bad
“Sounds like you can crash most OpenSSL servers on the Internet today” is not a phrase you want to hear on a Friday, we know. Alas, that seems to be the specimen in light of openssl.org patching two bugs yesterday and releasing an newsy warning that both CVE-2021-3449 and CVE-2021-3450 are upper severity bugs impacting OpenSSL 1.1.1.
CVE-2021-3449 makes servers with a default OpenSSL configuration vulnerable to a crash and a withholding of service attack if sent a maliciously crafted renegotiation ClientHello message.
The silver lining on this particular visionless deject is that neither OpenSSL TLS clients nor OpenSSL 1.0.2 are impacted. Everyone else should upgrade to OpenSSL 1.1.1k surpassing the inevitable inflowing of bad actors start taking advantage.
CVE-2021-3450 requires a increasingly explicit configuration in order to be exploited. An using must have set the X509_V_FLAG-X509_STRICT verification flag withal with either not setting a “purpose” for the document verification or, for TLS vendee and server applications, having overridden the default “purpose”. OpenSSL versions 1.1.1h and higher are unauthentic and users are well-considered to patch to 1.1.1k as a matter of urgency.
The Ugly
As many a security researcher has found out, trying to report a security issue to a visitor can sometimes lead the reporter into hot water. It’s why there’s a fuzzy but widely-acknowledged playbook for ‘ethical reporting’ that’s intended to protect both reporter and reportee. Unfortunately, it seems that plane when both sides theoretically play by the ‘rules’, things can still turn ugly. Ethical researcher Rob Dyke this week revealed how one visitor turned the police on him plane without thanking him for his report.
Dyke informed Apperta Foundation that they had left passwords, API keys and financial records openly exposed on a Github repository since at least 2019. Without stuff thanked by the visitor for his report, Dyke next received a letter from their lawyers well-nigh his “unlawful” actions, followed up this week with a message from a police investigator stating that he’d been reported for a possible offence under the U.K.’s Computer Misuse Act.
It’s unclear what Apperta think Mr Dyke has washed-up wrong at this point, but it may be related to the fact that he made an encrypted reprinting of the exposed data as part of the disclosure process. Dyke says he had once given assurances that the data would be destroyed.
It seems well-spoken from the undisputed unravelment of Mr Dyke’s deportment that this was a genuine ‘ethical disclosure’, and bringing in lawyers and the police appears ‘heavy-handed’ to say the least. If security researchers can’t trust a visitor to behave ethically when handed a report in good faith, that can only be a bad thing for said company’s long-term cyber security hygiene. Surely both parties would stipulate that is was better that Mr Dyke discovered (and reported) the exposed data rather than criminals who would immediately seek to profit from it.
Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.
Read increasingly well-nigh Cyber Security
