The Daily Decrypt
The AT&T Breach & Linux's XZUtils Backdoor - CyberSecurity News and Discussion

Discover the implications of the latest AT&T data breach exposing 70 million customers’ data on the dark web, and what you can do to safeguard your data now that it’s exposed. Also, learn about the critical backdoor found in XZUtils, a key Linux utility.


Thanks to Jered Jones for providing the music for this episode.



Apr 1

Welcome back to the Daily Decrypt.

Today I mostly just wanted to talk about what happened with the AT&T breach, where 70 million current and former customers’ social security numbers and other personal data were discovered on the dark web last week. Specifically, I’m focusing on what it means when this information is found on the dark web, how it got there, and, given the sensitive nature of the information, which includes social security numbers, what you can do to reduce your impact and prevent misuse of your information.

Some other urgent news is also out there. I wanted to talk about the backdoor in XZ Utils, which is a widely used compression tool in Linux, exposing critical vulnerabilities in major distributions like Red Hat and Debian and potentially putting countless systems at risk of unauthorized access.

AT&T is grappling with a significant data breach impacting over 70 million current and former customers, with sensitive information now on the dark web. NPR is reporting that this breach occurred two weeks ago and involved a mix of social security numbers, names, contact details, and AT&T account information.

The company is in the process of notifying the impacted customers, 7 million of which are current customers and the remainder former customers. And they’re going to offer identity theft protection, which is likely just identity theft monitoring, but that’s become the industry standard. When you get breached, you offer a free subscription to LifeLock or whatever it’s called, where they just monitor for new credit cards and notify you. They might provide some other tools, but to me this is unacceptable. They should be offering you cash.

There should be a class action lawsuit for every one of these major breaches.

A preliminary investigation by AT&T claims that the data that was breached is from 2019 or earlier and isn’t the current data that’s in their databases. This would indicate that there was a breach back in 2019, or maybe there was an insider threat that had access to the data from that point. But social security numbers haven’t changed since 2019. That’s still the same social security number. It might not be directly paired with the same email address you use, but likely it is. And unless your password hygiene is pristine, you probably have the same password, maybe used somewhere else.

So this information was just found by AT&T on the dark web. They weren’t the recipients of a ransom note. They weren’t tipped off by a group of attackers or anything like that. They just stumbled upon 70 million records of current and former customers on the dark web. So what does it mean when your information is found on the dark web?

Basically, like it sounds, somebody came across the database and posted it to the dark web for sale. Maybe they used hacking techniques to get into AT&T’s admin portals and pivoted around until they came across all this user data and exfiltrated it. It could just be an insider threat with a USB stick that they pulled out of the office. But all that you need to know is that the information is on the dark web for sale. You are not a personal target when you find out that your information is on there.

So don’t worry too much. But if you’ve used the password that has been breached, so the password from your 2019 AT&T account, attackers are going to go buy this database and try every username and password combination on a bunch of sites: Facebook, Instagram, Bank of America, USAA, whatever. They’re going to try it in there.

It’s really easy to automate this type of attack called credential stuffing.

So, like I mentioned earlier, most of these breaches are just email address and password combinations. If your password hygiene is pretty good and you’re not reusing any passwords, you don’t really have anything to worry about. You’re just going to want to go in and change the password on the affected site, which in this case is AT&T.

But this one includes social security numbers, which, first of all, is pretty crazy for just a regular cable company to have. Since it includes social security numbers and personal information like email address, phone number, addresses, etc., it’s going to be really imperative that you sign up for the identity monitoring. But you can also put freezes on credit checks. I did it earlier today, and since I’m using a password manager, it took me five minutes to place these freezes on all of them. Basically, how that works is you put a freeze with these credit bureaus, and all credit checks go through one of these three. Then no one can open a credit card in your name, because they can’t do a credit check. They can’t take out a new line of credit under your name, which is the biggest risk when someone comes across your social security number. So unless you’re under an active credit check, like you’re in the process of buying a home or applying for a new credit card, I highly recommend going and placing these freezes. I will place the links to do so in the show notes.

You have to create an account at all three of them, and all three will ask you to answer a security question, like what is your mother’s maiden name, what was your former address, or what was your first job.

This is why using a password manager makes this so easy. Go create a secure note in your password manager with the title of the question: what was the make and model of your first car? Then use your password generator to generate a random string of letters, 60 characters long. Copy and paste that random string into the answer box and into that secure note, and save it. Do not use the correct answer. That’s easy to find on Google.

And once you’ve done that for all three of the credit bureaus and saved your username, password, and security questions in your password manager, you’re good to go. Make sure you change your AT&T password, but there’s not much risk for you. So when you go to buy your next house or open your next credit card, you will call the credit company and ask which bureau you need to unfreeze.

They’ll tell you, you go into your account, you unfreeze it, they run the credit check, and then you freeze it again. I heard a story that the founder of LifeLock put his social security number on the side of a truck, like a billboard truck in Las Vegas, and let anyone who wanted it have it, because he had placed the freezes with the credit bureaus. What’s interesting is that when most of these breaches happen, the breached company offers identity monitoring, but they don’t actually offer to place these freezes for you.

And even though they’ll never admit it, that’s likely because banks want you to keep your credit open so that you keep opening new lines of credit. They don’t want any barriers between you and creating these. So, even though the solution is simple, you won’t hear about it too often. Because who owns all the money in the world? Who’s the richest? The banks are. And they don’t want you to close off your credit. So they’re going to pay whatever it takes to monitor it, which basically means you’ll get a little text message when a credit card is opened.

That’s a huge headache. Even with the monitoring, someone else opens a credit card in your name. You now have to go through a lot of hoops to get that credit card closed. And then guess what you’re going to do. You’re going to place a freeze on your credit accounts, because you don’t want that to happen again.

So you might as well get ahead of the curve and place the freeze now. It literally took me less than, I’ll say, 10 minutes to be generous. Username, password, security question, freeze. Again: username, password, security question, freeze. So I cannot recommend it enough.

Last week, researchers uncovered a malicious backdoor in XZ Utils, a compression tool integral to Linux distributions such as Red Hat (RHEL) and Debian.

The compromised versions, 5.6.0 and 5.6.1, pose a significant threat, although they have not been incorporated into any major Linux distribution’s production releases.

Luckily, the backdoor’s early detection prevented widespread impact. But we still need continuous monitoring and swift action in the face of potential vulnerabilities. The backdoor is designed to break SSH authentication, allowing unauthorized system access. So, first steps are to check what version of XZ Utils you’re using. If it’s 5.6.0 or 5.6.1, you can consider it compromised. Use a package manager to check the version that you have running. If it is a compromised version, you can downgrade to a safe version, or update to a newer patched version as soon as it becomes available. I recommend downgrading while you wait for that new patched version.

It’s also a good idea to increase the monitoring on systems for unusual SSH activity. You can watch for anomalies in authentication logs, which can help detect potential exploitation attempts. Regularly audit SSH access and keys to ensure that only authorized users have access. It’s also good practice to use SSH key-based authentication instead of password-based authentication where possible.

This is a pretty big one, though. It carries a CVE score of 10.0, which is the maximum score. So don’t bat an eye at this. If there’s anything you can do, do it. I know most of our hands are tied when it comes to enterprise things like this, but yeah, this one’s pretty big.

That’s all I got for you today. Happy April Fool’s Day! I wish these stories were pranks; unfortunately, they’re real.

But I hope you have a great week and we will talk to you some more tomorrow.
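The XZ Utils check described in the episode, as an added example written for these show notes (it is not the podcast's own material and not anything published by the XZ or OpenSSH projects). It is a POSIX shell script that asks the package manager for the installed liblzma version, flags the backdoored 5.6.0/5.6.1 releases while tolerating distro suffixes, and checks whether the sshd binary links liblzma at all. Assumptions: the package is named liblzma5 on Debian-family systems and xz-libs on RPM-family systems; the Debian "+really" suffix means "the older upstream version that follows it"; and the sshd-to-liblzma link exists only where the distro patches sshd to use libsystemd, which is the path the backdoor relied on.

```shell
#!/bin/sh
# Added example, not from the episode: triage a Linux host for the XZ Utils backdoor.
# Assumed package names: liblzma5 (Debian family), xz-libs (RPM family).

# Return 0 (true) when a version string denotes the backdoored releases 5.6.0 or 5.6.1.
# Tolerates an epoch ("1:5.6.1-1"), distro suffixes ("5.6.0-1.fc40", "5.6.1-1ubuntu1"),
# and the Debian "+really" reversion convention ("5.6.1+really5.4.5-1" really installs 5.4.5).
xz_is_compromised() {
    ver=${1#*:}                       # drop a dpkg epoch if present
    case "$ver" in
        *+really*) xz_is_compromised "${ver#*+really}"; return ;;
        5.6.0|5.6.0-*|5.6.0+*|5.6.1|5.6.1-*|5.6.1+*) return 0 ;;
        *) return 1 ;;
    esac
}

# Best-effort lookup of the installed liblzma version. The backdoor lives in liblzma,
# which is what an affected sshd ends up loading, so that is the package to query.
installed_liblzma_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' liblzma5 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' xz-libs 2>/dev/null && return 0
    fi
    # Fallback: the second line of `xz --version` names the liblzma it links.
    xz --version 2>/dev/null | awk '/^liblzma/ { print $2; exit }'
}

# Does sshd pull liblzma into its address space? Upstream OpenSSH does not link it;
# distro builds that link libsystemd for sd_notify can, and that link is the
# precondition the backdoor needed to hook sshd. Returns 2 if sshd is not installed.
sshd_links_liblzma() {
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_bin" ] || return 2
    ldd "$sshd_bin" 2>/dev/null | grep -q 'liblzma'
}

main() {
    ver=$(installed_liblzma_version)
    if [ -z "$ver" ]; then
        echo "liblzma: not found via dpkg/rpm/xz; inspect manually"
    elif xz_is_compromised "$ver"; then
        echo "liblzma $ver: BACKDOORED release (5.6.0/5.6.1), downgrade or update now"
    else
        echo "liblzma $ver: not one of the backdoored releases"
    fi
    if sshd_links_liblzma; then
        echo "sshd links liblzma: the backdoor's hook path exists on this build"
    else
        echo "sshd does not link liblzma (or sshd is not installed)"
    fi
}

main "$@"
```

Run it as root or any user (it only reads package metadata and the sshd binary). A "not one of the backdoored releases" verdict with sshd not linking liblzma is the clean outcome; a 5.6.x verdict means downgrade first and investigate the host second, since the version string is the same whether or not the build was ever reached over SSH.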

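The credential-stuffing pattern and the "watch your SSH authentication logs" advice from the episode, as one added example (again written for these show notes, not taken from the podcast or from OpenSSH). The log lines are constructed for the example and use documentation IP ranges; the field layout follows the standard sshd "Failed password for ... from ..." and "Accepted ... for ... from ..." messages. Stuffing and spraying look the same from the server side: one source cycling through many different usernames, which is what the first function counts. The second function lists successful logins from sources not on an allow list you pass in.

```shell
#!/bin/sh
# Added example, not from the episode: spot credential-stuffing / password-spraying
# patterns and logins from unexpected sources in OpenSSH auth logs.
# Constructed sample log (documentation IP ranges), embedded so the script runs offline.
SAMPLE_AUTH_LOG='Apr  1 09:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr  1 09:12:03 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Apr  1 09:12:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr  1 09:12:08 host sshd[1204]: Failed password for deploy from 203.0.113.7 port 51244 ssh2
Apr  1 09:15:00 host sshd[1210]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Apr  1 09:15:10 host sshd[1211]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
Apr  1 09:20:00 host sshd[1220]: Accepted publickey for deploy from 192.0.2.9 port 33000 ssh2: ED25519 SHA256:aBcD'

# Read sshd log lines on stdin; print "IP distinct_users failed_attempts" for every source
# that failed against at least $1 distinct usernames (default 5). One IP trying many
# different usernames is the stuffing/spraying signature; one user mistyping is not.
detect_spray() {
    min_users=${1:-5}
    awk -v min="$min_users" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the username always sits just before "from", the source IP just after it,
            # whether or not the "invalid user" prefix is present
            for (i = 1; i <= NF; i++) if ($i == "from") { user = $(i-1); ip = $(i+1) }
            fails[ip]++
            if (!seen[ip, user]++) users[ip]++
        }
        END { for (ip in fails) if (users[ip] >= min) print ip, users[ip], fails[ip] }
    ' | sort
}

# Read sshd log lines on stdin; print "IP user method" for successful logins whose
# source IP is not among the allow-listed addresses given as arguments.
accepted_from_unexpected() {
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") { user = $(i-1); ip = $(i+1); method = $(i-3) }
            if (!(ip in ok)) print ip, user, method
        }
    '
}

# Demo run over the constructed sample: flags 203.0.113.7 (4 usernames, 4 failures)
# and the key-based login from 192.0.2.9, which is not on the allow list.
printf '%s\n' "$SAMPLE_AUTH_LOG" | detect_spray 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_from_unexpected 198.51.100.4
```

On a real host, feed it the live log instead of the sample, for example `journalctl -u ssh --since today | detect_spray 5` or `detect_spray 5 < /var/log/auth.log`, and keep the threshold above what legitimate admins produce on that box. Pair this with the episode's other advice: once password authentication is disabled in favour of keys, every "Failed password" line is itself an anomaly.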