Hello February! I was doing some research last night and was surprised to discover that the Target breach is over five years old! Five years! I was sure it only happened a couple of years ago - but such is the fast-paced nature of the industry, and also I guess a testament to how certain major breaches become part of infosec folklore. Like TJX, or Heartland - and no, I’m not going to look up when any of those occurred because I’ll probably end up feeling a lot older than I already do.
Enough reminiscing - let’s get down to it.
The Big Five
There’s been a lot of things I didn’t heart this week, although for one reason or another they ended up in my list of things to talk about. So, if you’re wondering about the stories regarding Facebook and Apple, and also Google, then yes, I did see them, and no, I don’t fancy talking about them.
But speaking of large companies, Kashmir Hill has undertaken what is perhaps becoming my favourite piece of tech journalism ever. With detailed write-ups and slick videos, she shows how she cut the big five of Amazon, Facebook, Google, Microsoft, and Apple out of her life, one week at a time.
- Life without the tech giants | Gizmodo
- Week 1, Amazon | Gizmodo
- Week 2, Facebook | Gizmodo
- Week 3, Google | Gizmodo
Considerations for When Your Apartment Goes “Smart”
Everything is getting ‘smart’ these days. By smart, I mean connected and vulnerable. So, what should you do if you live in an apartment building where everyone is getting fancy new smart locks (or terribly insecure cheap locks, depending on how you look at it)?
Lesley Carhart recently found herself in the same position, and has written a really good post on security considerations if you ever find yourself in a similar position.
Abusing Exchange: One API Call Away From Domain Admin
An attacker with nothing more than the credentials of a single lowly Exchange mailbox user can gain Domain Admin privileges using a simple tool. Very good write-up here.
- Abusing Exchange: One API call away from Domain Admin | dirkjanm.io
Sending Love Letters
The "Love Letter" malspam campaign has now changed its focus to Japanese targets and almost doubled the volume of malicious attachments it delivers.
- Love Letter Malspam Serves Cocktail of Malware, Heavily Targets Japan | Bleeping Computer
While we’re talking about Japan, a new law in Japan allows the nation's National Institute of Information and Communications Technology (NICT) to hack into citizens' personal IoT equipment as part of a survey of vulnerable devices. The survey is part of an effort to strengthen Japan's network of Internet of Things devices ahead of the 2020 Tokyo Olympic games.
I like the intent behind this initiative, but the execution leaves me a little worried. Scanning for devices is one thing; actively logging into a device is another. It will be interesting to see how this pans out.
- Japan Authorizes IoT Hacking | Dark Reading
South Korean Delivery Apps Accidentally Leak 26M Documents
The Korean Android Apps Zcall Delivery Agent and Zcall Delivery Account Manager, which are used to schedule and report package pickups and deliveries, have accidentally leaked personal information about their users.
The leaked data includes not only names, addresses, phone numbers, and delivery times, but also plaintext passwords for shop and staff logins, as well as what appears to be plaintext banking information.
A statement on the company’s website acknowledges the leak and assures customers that the outflow route has been blocked, but blames the incident on the Korea Internet Promotion Agency rather than on a hacking intrusion into their servers.
- South Korean Delivery Apps Accidentally Leaks 26m Documents | The Daily Swig
Judge Rejects Yahoo’s Data Breach Settlement Proposal
Yahoo’s proposed $50 million pay-out, plus two years of free credit monitoring for about 200 million people in the United States and Israel, was rebuffed by U.S. District Judge Lucy Koh, who said she couldn’t declare the settlement “fundamentally fair, adequate and reasonable” because it did not say how much victims could expect to recover, according to court documents.
In 2016, the massive data breach compromised the information of more than one billion Yahoo users, affecting email addresses and other personal information, and marking the largest data breach in history.
- Judge rejects Yahoo’s data breach settlement proposal | SC Magazine
Inside the UAE’s Secret Hacking Team of American Mercenaries
Presented without comment - it’s a long article worth reading and drawing your own conclusions.
Other Things I Hearted This Week
- Work Is Not Your Family, As The Fyre Festival Doc Reminds Us | Huffington Post
- 2019 Tech M&A Outlook | 451 Research
- Looking for fraud | Antisocial engineer