Saturday, January 2, 2021

Videotron Breach? Welcome to 2021

UPDATE JAN 2nd 2020 - 13:45. The 37 gig file contains email addresses used in phishing attacks. The emails it contains are a complete mix of domains; 22977 of them are @videotron.ca addresses. No further conclusions as to the correlation between this list and the Videotron passwords found in another directory can be drawn at this time.


Was Videotron breached? A list of 60,000 accounts (email and passwords) was just leaked. This would be a small subset of their entire client base, but remains interesting.

Since most of the media tend to avoid touching Videotron and the Quebecor empire, I doubt we will see much ink on this breach.


A list containing Videotron account information totalling 226084 items, all Videotron email usernames with their passwords, was published.






FILE LINE COUNT

wc -l videotron33.txt
    5743 videotron33.txt

wc -l videotron34.txt
   14560 videotron34.txt

wc -l videotron35.txt
   21059 videotron35.txt

wc -l videotron36.txt
   39264 videotron36.txt

wc -l videotron37.txt
   47859 videotron37.txt

wc -l videotron38.txt
   40817 videotron38.txt

wc -l videotron39.txt
   49565 videotron39.txt

wc -l videotron40.txt
    7217 videotron40.txt

Not many details about the source were provided with the leaked data; maybe some real journalists will dig through this and get to the bottom of it.


Overall, some duplicates exist, so once you remove them you are left with 60314 unique items.

sort videotron-full.txt | uniq | wc -l

   60314


You can download the list of emails here (passwords have been removed for security) and see if your email is in the list.
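The counting and de-duplication above, as an added example that is not part of the original post: it triages a credential dump without ever keeping a password, normalises address case, and reports both the unique count (what `sort -u | wc -l` gives) and the number of addresses that occur more than once (what `sort | uniq -d | wc -l` gives), since the two are easy to confuse. It assumes the common "email:password" line format and uses a constructed sample, not the real leak.

```python
import re
from collections import Counter

# Assumption for this example: one record per line, "email<separator>password",
# where the separator is ':', ';' or a tab.
RECORD_SEPARATORS = (":", ";", "\t")
EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9][a-z0-9.-]*\.[a-z]{2,})$")

# Constructed sample dump (not the real leak): mixed case, duplicates, a
# password containing the separator, a second domain and one malformed line.
SAMPLE_DUMP = """\
alice@videotron.ca:Winter2019
Bob@Videotron.ca:hunter2
alice@videotron.ca:Winter2019
carol@example.com:pa:ss:word
dave@videotron.ca;Summer2019
not-an-email-line
bob@videotron.ca:hunter2
erin@videotron.ca\tqwerty
"""


def split_record(line):
    """Split at the FIRST separator only: the password may itself contain ':' or ';'."""
    for i, ch in enumerate(line):
        if ch in RECORD_SEPARATORS:
            return line[:i], line[i + 1:]
    return line, None


def triage(lines, target_domain="videotron.ca"):
    """Count a credential dump without ever storing a password.

    Returns the line totals, the number of unique addresses (what `sort -u | wc -l`
    reports), the number of addresses seen more than once (what
    `sort | uniq -d | wc -l` reports, a different figure), per-domain counts and
    the password-free address list that can safely be shared.
    """
    total = malformed = 0
    occurrences = Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        total += 1
        user, _password = split_record(line)  # the password is dropped right here
        email = user.strip().lower()          # Bob@Videotron.ca == bob@videotron.ca
        if not EMAIL_RE.match(email):
            malformed += 1
            continue
        occurrences[email] += 1
    unique = sorted(occurrences)
    domains = Counter(e.rsplit("@", 1)[1] for e in unique)
    return {
        "total": total,
        "malformed": malformed,
        "unique": len(unique),
        "duplicate_groups": sum(1 for n in occurrences.values() if n > 1),
        "extra_copies": (total - malformed) - len(unique),
        "target_domain_unique": domains.get(target_domain, 0),
        "domains": domains,
        "emails": unique,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP.splitlines())
    for key in ("total", "malformed", "unique", "duplicate_groups",
                "extra_copies", "target_domain_unique"):
        print(f"{key:>22}: {result[key]}")
    print("per-domain:", dict(result["domains"]))
```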


NOW KEEP IN MIND that this does not mean that Videotron has been breached.  There are a lot of fraudsters out there that try to target companies to make them look bad.

Imagine if somewhere, a list of 50 million usernames had been compromised, and someone sorted them out looking for @videotron.ca... they could generate a list that looks like "only" Videotron yet has nothing to do with Videotron.

Some Montreal based companies do EXACTLY this to try and generate business and sell security related services.  Going one step further, the data could also all be fake or old data... until Videotron comments, we simply cannot know for sure.


Either way, someone is targeting Videotron...   And we should all change our passwords... again...

>> End of warning ;-)

 

The list, totalling 60,000 unique entries, could indicate a specific leak from a specific system or division, since it does not encompass the entire client base of Videotron.


Number of customers subscribed to Videotron from 2012 to 2019, by segment

SOURCE: https://www.statista.com/statistics/797458/number-of-videotron-subscribers/

The system hosting the leaked data is interesting, as it has other evil-looking content, including a 37 gigabyte file of email addresses (with no other information, and no passwords).  I am downloading this file now and will analyse it further once downloaded.




The site also hosts what is clearly phishing attack content, such as fake PayPal login pages.  This means that the Videotron data could also be someone preparing an attack targeting Videotron users, and the passwords could be for another service like PayPal.



_______________________________________________

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies




www.eva-technologies.com

 

Wednesday, December 16, 2020

Who really got hacked? Air Canada? Vancouver International?

News is flowing that the Everest hacking group hacked Vancouver Airport and Air Canada, but this appears to be false.



When you visit the Everest ransomware group's dark web site, the information published looks to be a contractor's data regarding construction projects at Vancouver International, which include the Air Canada Lounge and various other enterprises across Canada, including Pomerleau.


At first glance, it looks more like a contractor got hit and the files have been broken down into the various subjects, since every leak on the Everest site has the exact same type of data (architecture diagrams, electrical diagrams, demolition plans, etc.).




Everyone is reaming on Air Canada/Vancouver Airport today without looking at the data, and this looks more like a consultant got hit.



Now, since we have the plans for Vancouver International Airport (or partial plans), and the Annex Skywalk that leads to the Air Canada Lounge, should we now expect John McClane to kill off Colonel Stuart's mercenaries with his Beretta 92?


After all, we are certainly in the Christmas period and a nice Die Hard scenario would certainly spice things up.





Wednesday, December 9, 2020

FireEye hacked, a missed opportunity to shut up

Big news this week: FireEye makes the headlines with yet another highly publicized cyber incident.


It looks like their toolkit of weaponized exploits, which uses known vulnerabilities, was lifted.


https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html


Hearing and reading this, I thought... yeah... so what...  Anyone can get hacked; it's just one before the next.

However, they seem to put so much emphasis on "their weaponized tools", almost as if they wanted to look cool by bragging that their toolkit is so awesome.


Let's take a look at that....  If you had a nuclear weapon... would you secure it with:


1) 24/7 surveillance.

2) A detailed log of everyone who comes near it.

3) Alerts and alarms and all sorts of cool stuff to protect it.


So I guess they failed on a few points.


But here are a few more.  These exploits appear to rely on CVEs that are, for the most part, documented.


So nothing that is truly a ZERO DAY in the sense of being totally unknown.  They probably have some juicy ones they aren't talking about yet....



Here is the real kicker... they publicly revealed that they would now make tools available to their clients to detect these attacks.


This is my WTF moment.   Why not make this available to their clients before this breach?

Do they really think that nobody on the planet would have found these "known" vulnerabilities?


Or do they simply want to keep exploiting these vulnerabilities against their own clients when they do penetration tests, so they can get guaranteed results?


Perhaps they shouldn't have revealed all of this only to be openly criticized.


What I call a missed opportunity to shut up.   Not about the breach, but about their excellent offer to now protect their clients.....


Serious ethical questions can arise from all of this.


Food for thought.





FireEye Hacked, missed opportunity to shut up

Big news this week as FireEye makes the charts with yet another high-profile cyber incident.


Looks like their toolkit of weaponized exploits that makes use of mostly known vulnerabilities was lifted.


https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html


As I heard and read this, I thought... yeah .. so what...  Everyone can get hacked, this is just the one before the next one.


However, they seem to put so much emphasis on "their weaponized tools" almost like they want to seem all cool by bragging that their toolkit is so awesome.


Let's take a look at that....  If you had a nuclear weapon... wouldn't you:


1) Have it watched 24x7.

2) Have detailed logging of everyone who comes near it.

3) Have alerts and alarms and all sorts of cool stuff to protect it.


So I guess they failed on a few things.


But here are a few more.  These exploits appear to be making use of mostly documented CVEs.


So nothing that is truly a zero day in the sense that it would be fully unknown.  They probably have some juicy ones that they are not yet talking about....



Here is the real kicker... they publicly disclosed that they would now make tools available to their clients to detect these attacks.


This is my WTF moment.   Why not have made this available to their clients before this breach?


Do they really think that no one on the planet would have found these "known" vulnerabilities?


Or did they simply want to continue milking these vulnerabilities with their own clients when they do penetration tests, so they can score?


Perhaps they shouldn't have tossed that out there to be torn apart ;-)

What I call a missed opportunity to shut up.   Not about the breach, but about their great offer to now protect their clients.....


Some serious ethics questions can surface from all this.


Food for thought.







Do we really want to stop cheating

Cheating in colleges and universities.   This may be news to the normal citizen, but for people who have been in the education field, this is another Monday morning.


If you have "feelings", you might want to stop reading now.




Many news articles have been written over the last weeks, because final exams are taking place, and with COVID this means finding new ways to do exams, and control cheating.


Here is a reality, plagiarism and cheating cannot be successfully subdued with marketing campaigns.


This is much more a PR (public relations) stunt, to save face, and inspire students and employers that the universities take this so so seriously.


I call bullshit.


Here is why.


After teaching in a dozen different establishments over the last two decades:

  • I have seen them ignore it internally
  • I have seen them take a purely political stance at enforcing punishment
  • I have seen them protect the student because the student is a "paying client"


Why will the marketing campaign not really change anything... Simple...


They let in students that would NEVER pass without cheating.

Think about that for a minute.


YOU WILL NEVER PASS.... why wouldn't you risk cheating or copying since it is the only way you WILL pass.


Our education system tends to shovel a lot of shit in my opinion.


They will tell you that they want to produce the best students.  They will not tell you that this is a secondary objective.  


Of course, who would offer to sell you a car and tell you the engineers can't count to 20 without an iPhone.


And our schooling system relies on money..... lots and lots of money... and for every student that is enrolled, a large financial incentive is present that goes well beyond what the student is paying.


So in other words, the motivation to enrol students is larger than the desire to kick them out when they cheat.  Of course, we cannot say this, so what we do is put in place complex political processes that protect the poor innocent student in case the bad bad teacher doesn't like them.  And then throw in any other excuse such as "I'm too short", "I had a bad cough last week", "the teacher doesn't like me", or the race or gender card and you have yourself the entire recipe for a system that will continue to fail, and continue to produce sub-quality students.


Here is the reality, I do not know your name.  I have 60 students, they all have a number, I correct everything without even knowing your name.  I do not care what your sexual orientation is, or your hair colour, I am a professional, I do my job.  You are a student, why don't you do yours.   


I have had a case that even accused me of discrimination because the individual wasn't a minority.  As a society, we have become weak, spineless imbeciles who refuse to take responsibility for our lack of effort.  It is a classic case of finding an angle that makes you look good, and makes you the poor helpless victim.


Think about that if you have open heart surgery... Did my doctor graduate because he took the class 11 times or cheated consistently through his educational career?  Was he lucky enough to always be sitting near the "smart" Asian kid?


Yeah yeah, I know, that is cultural appropriation.  Yet another term for all the losers who need to have their feelings protected.  We all know that Asian kids rock because THEY READ THE FUCKING BOOK and show up in class prepared, you whiny ass losers.


Obviously, medical studies have other safeguards in place.  Yet we still get shit doctors.


What about all the other fields that are not regulated or controlled for quality, aside from trusting that beautiful certificate from a prestigious establishment.


Things will have to get worse before they get better.


Obviously, when management is looking at the short term, these are the results you get and should expect.

 

Will we ever see the quality we once had along with long term vision and values?


Since society is going to hell in a hand basket, and since the people in power are in it for their yearly bonus....   I will not hold my breath.


In the meantime, perhaps a good safeguard is to ask for a PhD for any position; this way you know that person has gone through a long process of refining their political skills ;-).  Instead of getting a normal cheater, you will get a professional who has demonstrated mastery of multiple domains combined with patience and perseverance!


In closing, most students I have had demonstrated good values, good competency, and I would hire them.  My point is simply that by tolerating the 5% who are beyond shit, the image of an entire industry can be impacted, and the trust over time will erode.  This will result in people like me not being able to simply "recommend" someone because they went to XYZ academy.  My response will always be... let us interview the candidate and determine what the quality is on our own.


End of rant.


Wednesday, April 1, 2020

Zoom is being blamed for a Windows bug.

Journalists often paint outside of the lines looking for a punchy story.

Zoom this week is being targeted by what almost looks like a coordinated smear campaign, with an overwhelming amount of bad press regarding exposed credentials.

As a security veteran I do clearly get upset when security stories are blown way out of proportion.

Especially when it appears that someone is trying to manipulate the public opinion and bash a specific product.  Even more so, when the issue is actually a Windows OS issue.

Journalists are irresponsibly claiming that using Zoom sends off your username and password and allows attackers to connect to your computer.

THIS IS FALSE.

First off, this issue only manifests itself if someone in your meeting sends you a link to click via a chat session and you click on it.

Secondly, your username and password are not just sent out in the clear; the password is still hashed (protected with some cryptography).  So this applies to you if your password sucks, not if you use a password of good quality and length.

Thirdly, inbound connections are blocked by your home router/firewall and your enterprise firewalls. This means an attacker can't just reconnect to your computer.  And remember number 1, the attacker would be someone you invited into your meeting.

So if your meetings have passwords and you don't just let everybody in, how would the attacker even know your meeting is happening and get in there......

Also, simple fix.... turn off the chat function in your meetings until this gets fixed.

Wow... simple fix eh!  The sky is not falling after all.

Second thing of high importance, as pointed out by a colleague.  Don't click on Zoom links that come into your email unless you are expecting them.

Another attack vector currently in play is that a malicious link sent to you could open your Zoom client and trigger this vulnerability.  So the old rule still stands: don't click on links that you don't trust.  If you are expecting a meeting invite, all good.

Some technical changes can be made to your Windows workstation so that it no longer sends NTLM authentication outbound, and this would be the ideal scenario; however, not everyone is technically equipped to do this.

What would be ideal is if Microsoft would patch this and change the default forcing Windows to NOT send out NTLM to the Internet.

Keep in mind that if your password is of good quality (a long and complex password), this vulnerability fails since the attacker cannot break your password.
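The vector described above, as an added example that is not part of the original post: a small filter a chat gateway or mail filter could run over message text to separate links that make a Windows client authenticate outbound over SMB (UNC paths such as \\host\share, and file: or smb: links with a remote host, which is how the chat-link issue was triggered) from ordinary web links, and to flag web links from hosts other than the expected meeting host as unsolicited. The trusted host list and the sample chat lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: meeting links are expected from this host only.
TRUSTED_WEB_HOSTS = ("zoom.us",)

# A UNC path (\\host\share\...) makes Windows open an SMB session to "host"
# and authenticate with NTLM before the user sees anything.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.-]*)\\[^\s]*")
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s<>]+", re.IGNORECASE)

# Constructed sample chat lines (not from any real meeting).
SAMPLE_CHAT = [
    "Slides are here: https://zoom.us/j/123456789",
    "grab the notes at \\\\share.example.net\\docs\\notes.docx",
    "also mirrored at file://share.example.net/docs/notes.docx",
    "local copy: file:///C:/Users/me/notes.docx",
    "next call: https://meeting-invite.example.org/join",
]


def _trusted(host):
    host = (host or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_WEB_HOSTS)


def assess_message(text):
    """Return (link, verdict, reason) for every link-like token in a message.

    verdict is "block" for links that make a Windows client authenticate
    outbound over SMB, "warn" for anything unexpected, "allow" otherwise.
    """
    findings = []
    for m in UNC_RE.finditer(text):
        findings.append((m.group(0), "block",
                         f"UNC path to {m.group(1)}: triggers outbound SMB/NTLM authentication"))
    for m in URL_RE.finditer(text):
        url = m.group(0)
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme in ("file", "smb"):
            if parts.hostname:   # remote host: same behaviour as a UNC path
                findings.append((url, "block",
                                 f"{scheme}: link to {parts.hostname}: outbound SMB/NTLM authentication"))
            else:                # file:///C:/... points at the local disk, no authentication leaves
                findings.append((url, "warn", "file: link to a local path; no outbound authentication"))
        elif scheme in ("http", "https"):
            if _trusted(parts.hostname):
                findings.append((url, "allow", "web link on the expected meeting host"))
            else:
                findings.append((url, "warn",
                                 f"web link to {parts.hostname}: unsolicited, do not click unless expected"))
        else:
            findings.append((url, "warn", f"{scheme}: custom scheme, may be handed to a local client"))
    return findings


def worst_verdict(messages):
    """Roll several messages up to one verdict for a chat session or an e-mail."""
    rank = {"allow": 0, "warn": 1, "block": 2}
    verdicts = [v for msg in messages for _, v, _ in assess_message(msg)]
    return max(verdicts, key=rank.get, default="allow")


if __name__ == "__main__":
    for msg in SAMPLE_CHAT:
        for link, verdict, reason in assess_message(msg):
            print(f"{verdict:5} {link}  ({reason})")
    print("session verdict:", worst_verdict(SAMPLE_CHAT))
```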

So let's all calm the hell down.  Yes, you can keep using Zoom.  This risk is LOW.

Until these articles, I had not created a Zoom account.  Well, I just did, and I actually really like the thing.  It allows me to change my background to a beach, and with all the self isolation we are going through during this Covid crisis....  I think I really like that option.



In closing, Zoom has had numerous security shortcomings in the last months and years.  They certainly do not appear to be perfect in any sense.  Let's just keep the over-exaggeration of security findings to a minimum.

There currently is a significant increase in malicious meeting invites and the bad guys are targeting the most common tools like Zoom.  

So this means that we will see breaches attributed when all these factors are combined.  

Keep in mind that some of these tools (like Zoom) are free, and that means that you are the product in some way.










Monday, February 24, 2020

Qualified lead, or outright fraud. When journalists help push snake oils and magic dust.

Journalists look for good stories.....  and sometimes someone serves them one that is too good to be true.  But a journalist isn't a security expert, so if the pitch is really good, they too fall victim and inadvertently help market something they shouldn't.

Nothing gets me out of bed faster than receiving a message about an article showing a journalist falling for a manipulative marketing trick and actually becoming part of the unjustified hype machine that promotes unethical services.

Well, ok... that's not exactly true... I can think of a few things that would get me up in the morning, but I digress.

All joking aside, this subject is so important, that I felt compelled to produce a video in both French and English to address the subject with my clients.

There are hundreds of sites offering DarkWeb monitoring...

In fact, as I teach in various Universities and Colleges, I made it a mission to give an entire class on this subject over the last few months.



---

Just to be clear, this is about cybersecurity and a lack of morals, being willing to do anything to get business; it is not about sales, but let me open with this.

Qualified leads.   The bread and butter of a healthy sales cycle.

What if we could find a way to drive customers directly into our sales pipeline....

Well, many companies are doing this today with the help of a cool and frightening cybersecurity term that you may have heard.   "SEARCH THE DARK WEB".

So here is the problem with that.

Marketing and security do not play well together.  If your motivation is to sell something, chances are security is a secondary objective.

What if someone told you they could check out your health at the click of a button, and come back and tell you they found nothing wrong with you.  Or worse, they found two things wrong with you, and you can correct them with the "doctor's" help.

You would feel great.  Thank goodness someone was nice enough to help me identify these two things so I could handle them.  

Well, the problem is, that "doctor" didn't actually check much of anything compared to what you perceive.  After all, are you qualified to know if that doctor did a good job?  Or even did anything qualified, for that matter?

----

Searching the dark web and telling you if you have been breached so you can sleep well at night is as close to fraud as you can get unless it is clearly explained to you that the chances of finding your data is slim, and that you are mostly looking for passwords, not actual corporate data.

It isn't that you cannot find things on the dark web, it is that you cannot find your things on the dark web with any level of certainty.

Let me explain with a visual diagram, take a good look at these three tiers:





So let's break this down into logical and comparable pieces.

PART 1:  Surface web

The surface web is your everyday Google-searchable results.  Compare that to a published catalog or menu of items.

If someone is selling your data on the surface web, you MAY find it by crafting a good search query in Google.  It still remains unlikely that you will find it, because the internet is endless, but it is certainly possible.

Sites like PASTEBIN are common grounds to at least start the exchange of data by providing samples and an email to start the trade.

So let's compare this to visiting every bar in the world, sitting at every table, and asking every shady individual if they are selling your data.

Not impossible because of tools like Google, but still a challenge.

PART 2:  Deep web

This is still on the regular public internet, but, it requires a user account to log in.  So imagine we compare this to visiting a bar again, well, this time, you have to find the right bar, AND when you sit at the table to chat, they have to know you, trust you, and decide they want to share information with you.  

Now some of these bars are listed in the phone book, and some aren't and you have to get a referral to find them. 

This is where it becomes IMPOSSIBLE to guarantee that a service can tell you if your data has been exposed.  So when marketing folks tell you that you can sleep tight, they have clearly committed an ethical fraud.   

PART 3:  Dark web

This is the funniest one.  Everyone uses this term to inspire fear and misunderstanding.  History has shown us many times how fear can be used to sell snake oils, and magical cures, and this is no different.

The dark web is an isolated network.

The dark web is similar to the deep web: some listings exist, but all the good stuff is not listed.  That is the point of the dark web.  So not only do you not know all the addresses for these bars you want to visit, but you most definitely need an invite to get into the good stuff.

Bottom line, it remains an impossible objective to infiltrate even a small number of actual dark web ecosystems that would yield results.

The best you could do, is manually navigate SilkRoad3 (the eBay of the darkweb) and maybe get lucky.  But this is not where the REAL exchanges of sensitive information takes place.

PART 4:  Cyber criminals
Yes folks, there is a part four......  The fact is, your information might be out in the criminal world and NEVER touch any of these "sites".  

You see, cybercriminals are smarter than you think.  If they have valuable information, they hang on to it, they share information behind closed doors, and they may never leak the information because of an espionage golden rule.

"A tactic known is a tactic blown".  Your information loses value quickly once it is known.   Let's face it, once a data breach is published, people normally change their passwords.

So let's go back to these "services" that will allow you to sleep well at night because they checked the "Dark Web" cough cough for you.

Surely you have heard of these emails people get that tell them their computer has been hacked and show them a password they are familiar with.  They then ask you to pay a ransom in bitcoins or they will publish videos recorded from your laptop's camera.  Now I have had people call me in a panic that didn't even have a built-in camera on their computer.  So these tactics work.

These passwords are taken from LEAKED password databases.

There are tons of these sites.  RAIDFORUMS is one.  Several terabytes of leaked data.

But, you can also check for yourself for free at HAVE I BEEN PWNED to see if your email address or domain name has been exposed in the past.

So just like these fraudulent emails, these "services" that claim to check the dark web only check the most basic of elements.... leaked password databases.

Now... how do you test this?

Well, it is actually quite simple:
  • You create a leak of false data representing a new and fictitious enterprise.
  • You insert it into several EASY places found on the Internet
  • You insert it into several known, but closed forums
  • You insert it into Silkroad3 (the darkweb market place)
  • You insert it into one or two REAL underground sites

And then you test the service.

You know what will come up.

Nothing.
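The test recipe above, as an added example that is not part of the original post: it builds the fictitious-enterprise leak one batch per seeding channel, tags every record with an HMAC-derived token so a reader of the leak cannot tell which channel it came from, and then maps whatever the monitoring service reports back to the channel it was seeded in, giving a per-channel hit count and an overall coverage figure. The company domain, channel names, secret and the vendor report are all constructed for the example.

```python
import hashlib
import hmac

# Constructed values for the example: a fictitious company, the seeding
# channels from the test recipe, and a secret that stays with the tester.
CANARY_DOMAIN = "northwind-canary.example"
CHANNELS = ("public-paste", "closed-forum", "darkweb-market", "underground-site")
TESTER_SECRET = b"constructed-secret-do-not-reuse"
FIRST_NAMES = ("alice", "bob", "carol")


def canary_token(secret, channel, index):
    """Per-record tag derived with HMAC so the channel cannot be read off the record."""
    msg = f"{channel}|{index}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:10]


def make_canary_leak(secret, domain, channels, per_channel=3):
    """Build {channel: ["email:password", ...]}, one distinct batch per channel."""
    leak = {}
    for channel in channels:
        records = []
        for i in range(per_channel):
            token = canary_token(secret, channel, i)
            email = f"{FIRST_NAMES[i % len(FIRST_NAMES)]}.{token}@{domain}"
            # The password is filler derived from the token; it protects nothing.
            password = hashlib.sha256(b"pw|" + token.encode()).hexdigest()[:12]
            records.append(f"{email}:{password}")
        leak[channel] = records
    return leak


def attribute_report(secret, domain, channels, per_channel, reported_lines):
    """Map lines a monitoring service reported back to the channel each was seeded in.

    Returns (hits per channel, fraction of channels with at least one hit,
    reported lines that were never seeded).
    """
    lookup = {canary_token(secret, ch, i): ch
              for ch in channels for i in range(per_channel)}
    hits = {ch: 0 for ch in channels}
    unknown = []
    for line in reported_lines:
        email = line.split(":", 1)[0].strip().lower()
        local, _, host = email.rpartition("@")
        token = local.rsplit(".", 1)[-1]
        channel = lookup.get(token) if host == domain else None
        if channel is None:
            unknown.append(line)   # not ours: stale data or a false positive
        else:
            hits[channel] += 1
    coverage = sum(1 for n in hits.values() if n) / len(channels)
    return hits, coverage, unknown


if __name__ == "__main__":
    leak = make_canary_leak(TESTER_SECRET, CANARY_DOMAIN, CHANNELS)
    # Constructed vendor report: it found the public paste, nothing else,
    # plus one record that was never seeded.
    report = leak["public-paste"] + ["someone@northwind-canary.example:oldpassword"]
    hits, coverage, unknown = attribute_report(TESTER_SECRET, CANARY_DOMAIN, CHANNELS, 3, report)
    print(hits, f"coverage={coverage:.0%}", "unknown:", unknown)
```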

And if you read the disclaimer on these services you are subscribing to, the legal wording makes it clear that you have no guarantees, and it may become clear that they are not catching much.  I have read a dozen disclaimers from various sites, and none of them made me feel good about the service.

So it's a great way to drive the uneducated and unqualified into your sales pipeline.  Great way to sell them something else after you have established a relationship.   But for many qualified security professionals, this is unethical and immoral since the client perceives that they are somehow protected.

Lately, some articles have been published claiming that in Quebec alone we have over 17,000 security resources.

No, we have less than 1,000 in my view, and less than 100 in the highly qualified portion.

This type of marketing proves that point.

Security is about maturity and about perception.  The fact that you add the word security in your marketing literature does not make you a valued security partner.

A false sense of security is what resulted in the sinking of a 46,328 ton vessel called the Titanic.

Now, to the journalists and websites that cover these less than ideal services, push referrals to them and actually help these snake oil salesmen sell more magic dust: please... please... validate your stories with vetted security professionals and make sure to explain the limits of these services.














Friday, February 21, 2020

DNA sequencing computer attacks - The large security gap chasm that enterprises face

I was having a discussion with a friend who works in a three-letter agency about the large gap that most enterprises have in their security and overall maturity.

Overall, maturity across most enterprises remains low when you look at the full width of what would be expected of a secure enterprise.

In a humorous text message, my friend sent me a really cool talk on DNA sequencing used to attack a computer system.

Here I am arguing 

  • about the value of isolating a compromised workstation even if it is the CEO's laptop.
  • that Winter2019 is a terrible password 
  • that the user who changed his password when told it was a bad password, from Summer2019 to Winter2019, lacks computer security competency
  • that if performing a simple vulnerability scan across your network causes major issues it means your systems are at the bottom end of the quality scale

.... and in a lab somewhere in Washington, they hacked a computer using DNA.

Yes, you read that right.

If you want to expand your views of the complexities enterprises face in defending against malicious attacks, listen to this 29 minute talk.




Summary (extract):
A group of researchers from the University of Washington has shown for the first time that it's possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer.

That's right folks, as security professionals, we have to test users for weak passwords, test computers for malware, and test software for out-of-band attacks coming in through DNA.

I thought this was a really cool image that is being painted about how wide protecting enterprises against attacks can be.

We have to explain to management that Winter2019 is a bad password AND we have to explain that software in an embedded system could be exploited by a DNA sample.  If they do not even understand the first one..... that second one is going to be a hard sell.

The reality is that attackers invest all their time in finding weaknesses that they can exploit.  Enterprises still struggle to have enough budget just to keep systems updated. 

Let's just say that breaches will continue to happen, and sites like databreachtoday.com might have to change their names soon to data breach this hour . com


So if you are competent in cyber security... job security is probably ensured.

This week, our local government announced yet another data breach, where a user account was used to log in and steal the personal information of 360,000 employees (TVA Nouvelles - Ministère de l'Éducation).

A single user account that can suck out all the records over the Internet.

What a wide chasm we indeed are facing.










