Vulnerability disclosure leads to stock price manipulation

Late last week a hedge fund by the name of Muddy Waters and the information security company MedSec made a surprising maneuver. They reported two vulnerabilities to St. Jude Medical, which dismissed them as non-issues; they then shorted St. Jude Medical stock and published their findings. The stock took a 10% tumble on Thursday and a further 2% before trading was halted. Muddy Waters and MedSec made a tidy profit.

This is the first time we have seen a vulnerability disclosure used deliberately to move the share price of a publicly traded company, with the finders profiting from the damage.

The usual paths for someone who finds a vulnerability are to report it to the vendor and wait, or to sell it on the vulnerability market (if a buyer can be found). Shorting the vendor's stock ahead of publication is a departure from those venues: a third way for finders to turn a vulnerability into profit, and one that does not depend on the vendor or a broker paying.

68 million accounts from the Dropbox hack dumped on the internet

On the 31st of August, account details for some 68 million users of the cloud storage provider Dropbox surfaced on the internet. The accounts were stolen in the breach Dropbox disclosed in 2012, and Dropbox had already forced password resets earlier this week. Until now it was not known how many users were affected; it is now clear that the entire user database at the time was compromised.

Several publications have received samples. In all, the leak is about 5 GB of data and contains the details of 68,680,741 accounts: usernames, e-mail addresses and password hashes.

The data is legitimate, according to a senior Dropbox employee.

Earlier this week, Dropbox announced it was forcing password resets for a number of users after discovering a set of account details linked to the 2012 breach. Dropbox did not publish a figure for the number of resets performed. According to Dropbox's statement in 2012

Credential stuffing and resold accounts on the dark web

This month several databases, including some claiming to come from targeted attacks on companies such as O2 and other providers, have surfaced on the dark web. O2 denies that it has suffered any data breach and cites credential stuffing as the likely cause. Credential stuffing is an attack in which the attacker takes credentials from previously leaked databases and replays them against other services, relying on users having reused the same e-mail address and password. Many companies are now seeing this: after each mega-breach, criminal groups race to reuse the old credentials once the original breach becomes public, before the affected users reset their passwords, so that their investment in the breach is not wasted and the maximum value is extracted.

What can you do to protect your users? It is very difficult to stop this outright if a customer reuses identical credentials and you rely on passwords alone for authentication. A good way to thwart these attacks is to make 2FA mandatory for your customers. A next step is to acquire the breach lists and compare them against your own customer passwords by hash, forcing a password reset on any match; this also helps if you are worried about the second factor travelling over a side channel. Note that hashes from a foreign leak can only be compared directly with your own if the same algorithm and salt were used; in practice you hash the leaked plaintext (where the leak includes it, or once it has been cracked) with each affected customer's own salt. In summary, just because a competitor or an unrelated company was compromised does not mean it cannot affect you.
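The two measures above, detecting a stuffing run in your own authentication logs and checking an acquired leak against your password store, as an added example (not code from the original post or from any of the companies mentioned). The log format, the sample log lines, the user store and the leaked list are all constructed for the example, and the store is assumed to use salted PBKDF2-HMAC-SHA256, which the post does not specify.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from datetime import datetime

# --- Part 1: spotting a credential-stuffing run in authentication logs -------
# Constructed sample log (not real traffic): timestamp, source IP, account, result.
SAMPLE_AUTH_LOG = """\
2016-09-01T10:00:01 203.0.113.7 alice@example.com FAIL
2016-09-01T10:00:02 203.0.113.7 bob@example.com FAIL
2016-09-01T10:00:02 203.0.113.7 carol@example.com OK
2016-09-01T10:00:03 203.0.113.7 dave@example.com FAIL
2016-09-01T10:00:04 203.0.113.7 erin@example.com FAIL
2016-09-01T10:00:05 203.0.113.7 frank@example.com FAIL
2016-09-01T10:05:00 198.51.100.9 alice@example.com FAIL
2016-09-01T10:05:04 198.51.100.9 alice@example.com OK
"""


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, ip, account, success)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def find_stuffing_sources(events, min_distinct_accounts=5, window_seconds=300):
    """Return {ip: sorted accounts} for sources that try many *different*
    accounts within a short window. A user fumbling a password retries one
    account from one IP; a stuffing run walks a leaked list, so each source
    touches many accounts and most attempts fail."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            window = [a for a in attempts[i:]
                      if (a[0] - start).total_seconds() <= window_seconds]
            accounts = {acct for _, acct, _ in window}
            if len(accounts) >= min_distinct_accounts:
                flagged[ip] = sorted(accounts)
                break
    return flagged


# --- Part 2: checking a leaked list against your own password store ----------
# Assumption: passwords are stored as salted PBKDF2-HMAC-SHA256. The per-user
# salt makes foreign hashes incomparable, so the leaked *plaintext* is hashed
# with each affected user's own salt instead.
PBKDF2_ITERATIONS = 50_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def users_reusing_leaked_passwords(user_db, leaked_creds):
    """leaked_creds: iterable of (email, plaintext) pairs from an acquired
    leak. Returns the accounts whose current password equals the leaked one;
    these are the ones to force-reset (or lock until 2FA is enrolled)."""
    hits = []
    for email, leaked_pw in leaked_creds:
        record = user_db.get(email.lower())
        if record is None:
            continue  # not our customer
        candidate = hash_password(leaked_pw, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            hits.append(email.lower())
    return hits


# Constructed data: a local user store and a fictional leaked list.
USER_DB = {
    "alice@example.com": make_user("Summer2012!"),
    "bob@example.com": make_user("correct horse battery staple"),
}
LEAKED_LIST = [
    ("Alice@example.com", "Summer2012!"),   # same password reused here: hit
    ("bob@example.com", "hunter2"),         # different password: no hit
    ("zed@example.com", "Summer2012!"),     # not a customer at all
]

if __name__ == "__main__":
    print("stuffing sources:", find_stuffing_sources(parse_auth_log(SAMPLE_AUTH_LOG)))
    print("force reset:", users_reusing_leaked_passwords(USER_DB, LEAKED_LIST))
```

The detection heuristic keys on distinct accounts per source rather than failure counts alone, because a stuffing list that is even a few percent accurate produces successful logins mixed in with the failures (carol above), and those successes are exactly the accounts to review. The thresholds are assumptions to tune against your own traffic.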

Democratic National Committee hacked and emails released to the public

This month WikiLeaks published sensitive internal documents from a hack that targeted the Democratic National Committee (DNC). This led to the resignation of DNC Chair Debbie Wasserman Schultz. CrowdStrike broke the news that Russian actors had hacked the DNC's email, but details of how the attribution was performed have not been shared with the public. Researchers could not definitively establish how the groups got into the system, but the typical way in for these groups is carefully crafted deceptive emails, called "spearphishing", that trick recipients into clicking malicious links.

At the same time an independent threat actor known as "Guccifer 2.0", named in homage to the independent Romanian hacker "Guccifer", who now awaits sentencing for similar hacks in the U.S., claims responsibility for the attacks and has posted further documents purportedly from the attack on various forums. Sources close to WikiLeaks seem to support this version. Whether the attack can be attributed to Russian nation-state attackers or to independent adversaries is of little relevance here. What matters, for the DNC hack, is that people learn the importance of end-to-end encryption of email via S/MIME or PGP, and start focusing more on those problems. One caveat: end-to-end encryption protects mail that is stolen from a server or an archive, not mail on an endpoint the attacker already controls, so it complements rather than replaces defences against the spearphishing that gets attackers in.