Cyber Security

GOT(IT) #4: Deloitte’s leak, Cloudflare free DDoS protection, plus credit cards stolen from Sonic Drive-Ins.

Hackers Access Deloitte’s Client and Staff Emails


The giant accountancy & services firm Deloitte, with clients such as government agencies and top-shelf banks, has discovered a breach that might have occurred in October or November of 2016. The attacker managed to get his hands on an administrator account, which he used to get into the firm’s email servers.

In a nutshell, the hacker had “unrestricted access to all areas”. It’s estimated that around 5 million emails from Deloitte’s 244,000 staff members were stored in the Azure cloud service, but the real pain is in the information accessed: sensitive attached files, IP addresses, passwords, and business diagrams.

The firm reacted as soon as they discovered this event, implementing high security protocols and starting a thorough review, working together with the US law firm Hogan Lovells to prepare for any potential repercussions.

The impact’s scope is currently under review and the accountancy firm has yet to confirm the attacker’s identity and the possible damage to client and corporate data.


Cloudflare Seeks to Tackle DDoS with Free Protection


DDoS (distributed denial of service) attacks constantly hit online services by overloading their servers with loads and loads of traffic. They’re simple, effective, easy to use, and super difficult to counter effectively. Basically, they are a real pain in the ass.

Cloudflare’s quite aware of that, and the internet security and online services company wants DDoS to be “something you only read about in the history books”. Matthew Prince, CEO of Cloudflare, announced the new Unmetered Mitigation feature, available for paying and non-paying users.

And unmetered means… unmetered. There are no limits, no scalable price, nada. “We’ve grown our network to a scale that we felt comfortable that we were far enough out in front of the big DDoS attacks to take any hit the internet threw at us”, explained Prince, adding that this global, free protection is “the inevitable direction the internet should go”.

The biggest registered DDoS attack happened in September of last year, when the hosting company OVH was overwhelmed by a 1.1 terabits-per-second attack. This scale is hard to arrange, but possible, and Cloudflare’s Unmetered Mitigation has 15 terabits per second of capacity available at any time to mitigate these attacks.

In theory, their plan could kick-start the end of DDoS attacks, but as their protection scope grows, their server capacity has to grow too, and that can be financially crippling if not supported globally. Other projects like this have emerged in the past, such as Google’s Project Shield, but never at this level of inclusion. The key for a DDoS-free future? Cooperation. Without it, a tough baseline security won’t be implemented.


Sonic Drive-In Breached, Millions of Credit Cards Stolen


What? Drive-Ins have been compromised!? Run, run you fools! OK, let’s relax, grab some fries and get to it: the restaurant chain with over 3,600 shops in the U.S. confirmed to KrebsOnSecurity that they suffered an… incident. Brian Krebs carried out the investigation and indeed discovered that around 5 million credit cards had been put up for sale in the Joker’s Stash, a huge stolen credit card black market.

The hint that caught Krebs’s and several financial institutions’ attention was the pattern all compromised cards showed: they had all been recently used at Sonic. The magnitude is still being determined, since it hasn’t been confirmed that the whole batch was obtained through the restaurant’s breach.
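The pattern described above is what fraud teams call common point of purchase analysis. The sketch below is an added example, not code from Krebs or any institution named here; the merchant names, card IDs, dates and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (card_id, merchant, purchase_date). Not real transactions.
TRANSACTIONS = (
    [(f"card-0{i}", "Drive-In A", date(2017, 9, 10)) for i in (1, 2, 3, 4, 5)]
    + [(f"card-0{i}", "Grocer B", date(2017, 9, 12)) for i in range(1, 9)]
    + [(f"card-0{i}", "Fuel C", date(2017, 8, 30)) for i in (1, 2, 6)]
    + [(f"card-0{i}", "Cafe D", date(2017, 1, 5)) for i in (1, 2, 3, 4)]
)
# Cards reported as offered for sale (constructed).
COMPROMISED = {"card-01", "card-02", "card-03", "card-04"}


def common_points_of_purchase(transactions, compromised, as_of,
                              lookback_days=90, min_share=0.75):
    """Return (merchant, compromised_share, baseline_share) tuples.

    compromised_share: fraction of compromised cards used at the merchant
    inside the lookback window. baseline_share: the same fraction for cards
    not known to be compromised. A merchant everyone visits scores high on
    both, so the baseline is what separates it from a likely breach point.
    """
    if not compromised:
        return []
    cutoff = as_of - timedelta(days=lookback_days)
    seen = defaultdict(set)          # merchant -> cards used there in the window
    all_cards = set()
    for card, merchant, day in transactions:
        all_cards.add(card)
        if cutoff <= day <= as_of:
            seen[merchant].add(card)
    clean = all_cards - compromised
    results = []
    for merchant, cards in seen.items():
        hit = len(cards & compromised) / len(compromised)
        base = len(cards & clean) / len(clean) if clean else 0.0
        if hit >= min_share:
            results.append((merchant, hit, base))
    # Highest compromised share first; a lower baseline breaks ties.
    return sorted(results, key=lambda r: (-r[1], r[2]))


if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, COMPROMISED, date(2017, 9, 26)):
        print(row)
```

As in the Sonic case, a shared merchant is a lead rather than proof: the ranking says where to look, not that every card in the batch came from there.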

This event resembles Wendy’s credit card leak, which affected over 1,000 locations for over 9 months. Hackers usually inject malicious software into point-of-sale systems and clone the credit card’s magnetic stripe, meaning any customer that drops by for a burger… is actually casually handing over his credit card information.

As for the market for these credit cards, their price goes as low as $25 and as high as $50 on the Joker’s Stash “FireTigerrr” base, and they can be found arranged by type of card, their level, location, and ZIP code. According to Krebs, their price is slightly higher than average, which might be down to the magnitude and freshness of the attack.

The U.S. alone is a huge potential target for credit card fraud, since its transition to chip-based cards has been relatively slow, with only half of all U.S.-based Visa credit cards issued being chip-based as of March 2017. The outdated magnetic stripe system is well known by hackers, and can’t be compared to the modern chip system: magnetic cards store static data, while data on chips is constantly changing.


About the author

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.