The Good, the Bad and the Ugly in Cybersecurity – Week 13

The Good

The trend of “Hacker on Hacker” attacks seems to be continuing with news this week that the notorious criminal forum ‘Carding Mafia’ is the latest to suffer a data breach. Carding Mafia is a haven for those wanting to buy and sell stolen credit cards, with reportedly almost 300,000 registered users.

Data breach expert and creator of the Have I Been Pwned service, Troy Hunt, discovered the breach earlier this week. The exposed data included email and IP addresses, usernames and salted MD5 password hashes, a trove that we are sure will be of great interest to law enforcement agencies.

There’s no indication at this point as to who was behind the attack or what their objective was in leaking the data. According to one report, the data may have been available since late January.

At the time of writing, Carding Mafia appear not to have informed their users, but as news of the leak circulates (happy to help there!), we can only hope that the distrust this should engender in the site’s management may serve to disrupt in some small way the ongoing theft and trade of stolen credit cards.

The Bad

“Sounds like you can crash most OpenSSL servers on the Internet today” is not a phrase you want to hear on a Friday, we know. Alas, that seems to be the case in light of openssl.org patching two bugs yesterday and releasing an advisory warning that both CVE-2021-3449 and CVE-2021-3450 are high severity bugs impacting OpenSSL 1.1.1.

CVE-2021-3449 makes servers with a default OpenSSL configuration vulnerable to a crash and a denial of service attack if sent a maliciously crafted renegotiation ClientHello message.

The silver lining on this particular dark cloud is that neither OpenSSL TLS clients nor OpenSSL 1.0.2 are impacted. Everyone else should upgrade to OpenSSL 1.1.1k before the inevitable flood of bad actors start taking advantage.

CVE-2021-3450 requires a more specific configuration in order to be exploited. An application must have set the X509_V_FLAG-X509_STRICT verification flag along with either not setting a “purpose” for the certificate verification or, for TLS client and server applications, having overridden the default “purpose”. OpenSSL versions 1.1.1h and higher are affected and users are advised to patch to 1.1.1k as a matter of urgency.

The Ugly

As many a security researcher has found out, trying to report a security issue to a company can sometimes lead the reporter into hot water. It’s why there’s a fuzzy but widely-acknowledged playbook for ‘ethical reporting’ that’s intended to protect both reporter and reportee. Unfortunately, it seems that even when both sides apparently play by the ‘rules’, things can still turn ugly. Ethical researcher Rob Dyke this week revealed how one company turned the police on him even after thanking him for his report.

Dyke informed Apperta Foundation that they had left passwords, API keys and financial records openly exposed on a Github repository since at least 2019. After being thanked by the company for his report, Dyke next received a letter from their lawyers about his “unlawful” actions, followed up this week with a message from a police investigator stating that he’d been reported for a possible offence under the U.K.’s Computer Misuse Act.

It’s unclear what Apperta think Mr Dyke has done wrong at this point, but it may be related to the fact that he made an encrypted copy of the exposed data as part of the disclosure process. Dyke says he had already given assurances that the data would be destroyed.

It seems clear from the undisputed description of Mr Dyke’s actions that this was a genuine ‘ethical disclosure’, and bringing in lawyers and the police appears ‘heavy-handed’ to say the least. If security researchers can’t trust a company to behave ethically when handed a report in good faith, that can only be a bad thing for said company’s long-term cyber security hygiene. Surely both parties would agree that is was better that Mr Dyke discovered (and reported) the exposed data rather than criminals who would immediately seek to profit from it.