Things I Hearted this Week, 23rd Feb 2018

February 23, 2018  |  Javvad Malik

This week seems to have flown past very quickly. We’re almost at the end of February but the security goodness (and badness depending on which side of the fence you sit) keeps rolling in at breakneck speed.

I’m actually contemplating moving somewhere warm for the rest of winter. Not that it gets unbearably cold in London, but the winter does seem to drag on with grey skies and rain, and a never-ending cycle of colds, sniffles, not to mention the life-threatening “Man Flu!”

But enough about me, let’s jump into the security goodness!

Threat modeling

Threat models are great, but they are poorly understood and too often used by security professionals as a universal ‘get out of jail free’ card.

“Why don’t you have 2FA on your web app?”

“Oh, that’s not in our threat model.”

“Why don’t you sandbox this?”

“Oh, that’s not in our threat model”

“Why don’t you have your threat model documented?”

“Oh, that’s not in our threat model”

It’s the security equivalent of the business saying they’ve “accepted the risk”.

An interesting piece in CSO magazine takes a look at common threat model mistakes.

Two Billion!

Two billion (with a B): that’s the number of files apparently leaked in the US during 2017.

The most common type of breach after hacking was unintended disclosure such as cloud storage misconfigurations.

That means millions of records could have been kept secure had someone brushed up on their AWS S3 bucket security skills and not ticked the box that makes a bucket public.

We’ve found the APT, the APT is us!


Unknown hackers stole 339.5 million roubles ($6 million) from a Russian bank last year in an attack using the SWIFT international payments messaging system.

Well, that’s a surprise. It’s not like SWIFT has ever been targeted for malicious purposes…

What is personal data?

Unless you’ve been living in a cave for the past two years with your fingers in your ears saying LALALALA, you will have heard that there is something called GDPR on its way.

At the heart of it is the issue of protecting personal data. But have you ever wondered what constitutes personal data? Well wonder no more.

Lawsuits threaten InfoSec research

This is a thought-provoking article by Zack Whittaker over at ZDNet in which he spoke to about a dozen security researchers and journalists who have had legal woes due to finding or reporting vulnerabilities.

While it isn’t a large sample by any stretch of the imagination, the fact that this happens at all is somewhat troubling. After all, in today’s day and age, where disclosure is far better understood than it was years ago and bug bounties are flourishing, why can’t we just resolve these things in a reasonable way?

Others don’t agree that it is a problem at all. Renowned researcher Charlie Miller believes, “This is FUD. Not one of 11? Nice sample size. Also don’t know any of those researchers. I don’t know any researchers who are afraid of legal problems.”

It’s all about the crypto-money money money

Researchers have uncovered what they say is one of the biggest malicious currency mining operations ever, netting more than $3 million worth of digital coin. Now the operators are gearing up to make more.

Related: a report by RedLock describes a changing tide from stealing data to stealing compute. Thanks to Kenn White for also picking up on an interesting twist in it: attackers launching mining scripts through CloudFlare to mask their origin.
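If the miner’s traffic is being fronted by CloudFlare, a blocklist of known pool addresses is not going to catch it. What does survive proxying is the protocol itself: pool miners speak Stratum, a JSON-RPC handshake with a recognisable method set. Below is a detector that keys on that content, added as an example for this post (it is not code from the original article or from the RedLock report). The log format is an assumption: one JSON object per line carrying src, dst, port and the first client payload of the connection, as an egress proxy or network sensor might emit. The sample lines, hostnames, addresses and wallet string are constructed.

```python
"""Flag cryptomining (Stratum) connections by protocol content, not destination.

Added example for this post; not code from the original article or from the
RedLock report. Assumed log format: one JSON object per line with src, dst,
port and the first client payload of the connection.
"""
import json
import re

# Stratum method names: "mining.*" for the original (Bitcoin-derived) dialect,
# and "login"/"submit"/"getjob" for the Monero dialect spoken by xmrig and
# similar miners.
MINING_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
MONERO_METHODS = {"login", "submit", "getjob"}
MINER_AGENT_RE = re.compile(r"xmrig|cpuminer|ccminer|cgminer|minergate", re.I)


def classify_payload(payload):
    """Return a short reason if payload looks like a Stratum message, else None."""
    try:
        msg = json.loads(payload)
    except (TypeError, ValueError):
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params")
    if method in MINING_METHODS:
        # For mining.subscribe the first param is normally the miner's user agent.
        agent = ""
        if isinstance(params, list) and params and isinstance(params[0], str):
            agent = params[0]
        return f"{method} (agent: {agent or 'unknown'})"
    if method in MONERO_METHODS and isinstance(params, dict):
        # A Monero-style login carries the wallet in "login" and a miner "agent";
        # "job_id" marks a share submission. Plain application logins have neither.
        agent = str(params.get("agent", ""))
        if "login" in params or "job_id" in params or MINER_AGENT_RE.search(agent):
            return f"{method} (agent: {agent or 'unknown'})"
    return None


def find_mining_flows(log_lines):
    """Return (src, dst, port, reason) for each log line that looks like mining."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed line: skip it rather than abort the sweep
        reason = classify_payload(rec.get("payload", ""))
        if reason:
            hits.append((rec.get("src"), rec.get("dst"), rec.get("port"), reason))
    return hits


# Constructed log lines. Line 2 is a Monero miner talking to a pool on 443
# behind a CDN-looking hostname; line 3 is classic Stratum on 3333.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"src": "10.0.5.12", "dst": "api.example.com", "port": 443,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"getUser","params":{"name":"alice"}}'},
    {"src": "10.0.7.31", "dst": "cdn-edge.example.net", "port": 443,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABCDEFwalletaddress","pass":"x","agent":"XMRig/2.4.3","algo":["cn/0"]}}'},
    {"src": "10.0.7.32", "dst": "198.51.100.20", "port": 3333,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}'},
    {"src": "10.0.5.13", "dst": "203.0.113.5", "port": 80,
     "payload": "GET / HTTP/1.1\r\nHost: 203.0.113.5\r\n"},
]]

if __name__ == "__main__":
    for hit in find_mining_flows(SAMPLE_LOG):
        print(hit)
```

Note that the Monero miner on port 443 is caught purely by its handshake; the destination looks like any other CDN edge. The catch is that you need the first client payload, which means TLS interception or host-level capture for miners that wrap Stratum in TLS; where you only have flow records, the long-lived, low-bandwidth, keep-alive-heavy connection profile is the fallback signal.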


Hunting mosquitoes with a shotgun

I probably spent far too long trying to think of the heading for this story. But I didn’t get my own roundup post by being lazy.

Software developer Flight Sim Labs is in hot water after acknowledging that it installed a password harvester for the Google Chrome browser in its flight simulator product. The company explained it was only targeting pirate users of its software, but critics are calling the tactics “dirty”.

This is pretty much what “hacking back” looks like.

Money Laundering via author impersonation on Amazon?

As you’d expect from Brian Krebs, a well-researched article into how money is laundered through selling bogus books online. It’s probably where criminals go to launder all that stolen cryptocurrency!

It’s time to kill the pen test

While I won’t be making it out to RSA this year, I wouldn’t be a good friend if I didn’t plug the talk to be given by my good friend Adrian Sanabria who will be discussing why it’s time to kill the pen test.

I expect there to be much disagreement and controversy. Which is exactly why I like Adrian so much! If you’re heading out there, be sure to check out his session.

Other talks that looked interesting at RSA

You'll be able to visit the rest of the AlienVault team at RSA at booth 729.
