This week seems to have flown past very quickly. We’re almost at the end of February, but the security goodness (and badness, depending on which side of the fence you sit on) keeps rolling in at breakneck speed.
I’m actually contemplating moving somewhere warm for the rest of winter. Not that it gets unbearably cold in London, but the winter does seem to drag on with grey skies and rain, and a never-ending cycle of colds, sniffles, not to mention the life-threatening “Man Flu!”
But enough about me, let’s jump into the security goodness!
Threat models are great, but they are poorly understood, or used by security professionals as a universal ‘get out of jail free’ card.
“Why don’t you have 2FA on your web app?”
“Oh, that’s not in our threat model.”
“Why don’t you sandbox this?”
“Oh, that’s not in our threat model”
“Why don’t you have your threat model documented?”
“Oh, that’s not in our threat model”
It’s the security equivalent of the business saying it has “accepted the risk”.
An interesting piece in CSO magazine takes a look at common threat model mistakes.
Two billion (with a B), that’s the number of files apparently leaked in the US during 2017.
The most common type of breach after hacking was unintended disclosure, such as cloud storage misconfigurations.
That means millions of records could have been kept secure had someone brushed up on their AWS S3 bucket security skills and not ticked the box that makes a bucket public.
We’ve found the APT, the APT is us!
- Two Billion Files Leaked in US Data Breaches in 2017 | Infosecurity Magazine
- The US witnesses significant number of healthcare breaches in 2017 | Healthcare Global
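For the “ticked the box” case above, the check a practitioner wants is a quick audit of a bucket’s ACL and bucket policy for grants to anyone. The following is an added example, not code from the original post or from any of the linked reports. It works offline on data shaped like what boto3’s get_bucket_acl() and get_bucket_policy() return; the bucket names, ACLs and policy below are constructed for illustration, and the public-group URIs are the real AWS ones.

```python
"""Offline audit of an S3 bucket's ACL and bucket policy for public access.

Added example, not part of the original post. Inputs mirror the shape
boto3 returns from get_bucket_acl() and get_bucket_policy(); the sample
buckets below are constructed for illustration.
"""
import json

# Well-known grantee URIs that make an ACL grant "public".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "Everyone", AUTHENTICATED_USERS: "Any AWS account"}


def public_acl_grants(acl):
    """Return (who, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _is_wildcard_principal(principal):
    """A policy principal is anonymous if it is '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return (sid, actions, has_condition) for Allow statements open to any principal.

    A Condition (e.g. aws:SourceIp) may narrow '*' to something safe, so
    such statements are flagged for manual review rather than judged here.
    """
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append((st.get("Sid", "<no Sid>"), actions, "Condition" in st))
    return findings


def audit_bucket(name, acl, policy_json=None):
    """Human-readable findings for one bucket; an empty list means nothing public."""
    report = []
    for who, perm in public_acl_grants(acl):
        report.append(f"{name}: ACL grants {perm} to {who}")
    for sid, actions, conditional in public_policy_statements(policy_json):
        note = " (has Condition, review manually)" if conditional else ""
        report.append(f"{name}: policy statement {sid} allows {','.join(actions)} to *{note}")
    return report


# Constructed sample data: "leaky" has a public-read ACL plus a policy with two
# wildcard-principal statements; "private" grants only its owner.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    OWNER,
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::leaky/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::leaky",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})
PRIVATE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [OWNER]}

if __name__ == "__main__":
    for line in audit_bucket("leaky", LEAKY_ACL, LEAKY_POLICY) + audit_bucket("private", PRIVATE_ACL):
        print(line)
    # Against a real account (needs credentials, not run here):
    #   s3 = boto3.client("s3")
    #   acl = s3.get_bucket_acl(Bucket=b)
    #   policy = s3.get_bucket_policy(Bucket=b)["Policy"]   # raises NoSuchBucketPolicy if none
```

Note that a public ACL and a public policy are independent routes to exposure, so both must be checked; object-level ACLs can also open individual keys even when the bucket itself is clean, and that is out of scope for this bucket-level pass.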
A SWIFT $6m
Unknown hackers stole 339.5 million roubles ($6 million) from a Russian bank last year in an attack using the SWIFT international payments messaging system.
Well, that’s a surprise. It’s not like SWIFT has been targeted ever for malicious purposes…
- Hackers stole $6 million from Russian bank via SWIFT system: central bank | Reuters
- India's City Union Bank CEO says suffered cyber hack via SWIFT system | Reuters
- SWIFT: The messaging system at the heart of the $1.8 billion PNB fraud | Quartz India
- Indian bank hack bears hallmarks of Bangladesh Bank heist | Finextra
What is personal data?
Unless you’ve been living in a cave for the past two years with your fingers in your ears saying LALALALA, you will have heard that something called GDPR is on its way.
At the heart of it is the issue of protecting personal data. But have you ever wondered what constitutes personal data? Well wonder no more.
- What is personal data? | European Commission
Lawsuits threaten InfoSec research
This is a thought-provoking article by Zack Whittaker over at ZDNet in which he spoke to about a dozen security researchers and journalists who have had legal woes due to finding or reporting vulnerabilities.
While it isn’t a large sample by any stretch of the imagination, the fact that this happens at all is somewhat troubling. After all, in today’s day and age, where disclosure is a lot better understood than it was years ago and bug bounties are flourishing, why can’t we just solve things in a reasonable way?
Others don’t agree that it is a problem at all. Renowned researcher Charlie Miller (@0xcharlie) tweeted on February 20, 2018: “This is FUD. Not one of 11? Nice sample size. Also don’t know any of those researchers. I don’t know any researchers who are afraid of legal problems.” https://t.co/7rmKZfyVr4
It’s all about the crypto-money money money
Researchers have uncovered what they said is one of the biggest malicious currency mining operations ever, which has netted more than $3 million worth of digital coin. Now, the operators are gearing up to make more.
Relatedly, this report by Redlock describes a changing tide from stealing data to stealing compute. Thanks to Kenn White for also picking up on an interesting twist: attackers launching mining scripts through CloudFlare to mask their origin.
- Cloud Security Trends (PDF) | Redlock
- Tesla Hackers hijacked Amazon Cloud account to mine cryptocurrency | Fortune
- Hackers can now hide cryptojacking scripts in Microsoft Word documents | Techrepublic
Hunting mosquitoes with a shotgun
I probably spent far too long trying to think of the heading for this story. But I didn’t get my own roundup post by being lazy.
Software developer Flight Sim Labs is in hot water after acknowledging that it installed a password harvester for the Google Chrome browser in its flight simulator product. The company explained it was only targeting pirate users of its software, but critics are calling the tactics “dirty”.
This is pretty much what “hacking back” looks like.
Money Laundering via author impersonation on Amazon?
As you’d expect from Brian Krebs, a well-researched article on how money is laundered through selling bogus books online. It’s probably where criminals go to launder all that stolen cryptocurrency!
- Money Laundering via author impersonation on Amazon? | Krebs on Security
It’s time to kill the pen test
While I won’t be making it out to RSA this year, I wouldn’t be a good friend if I didn’t plug the talk to be given by my good friend Adrian Sanabria who will be discussing why it’s time to kill the pen test.
I expect there to be much disagreement and controversy. Which is exactly why I like Adrian so much! If you’re heading out there, be sure to check out his session.
- It’s time to kill the pentest | RSAConference
Other talks that looked interesting at RSA
- Hacking healthcare live: Bits and bytes meet flesh and blood | Josh Corman
- Recon for the defender: you know nothing (about your assets), Jon Snow | Jonathan Cran, Ed Bellis
You'll be able to visit the rest of the AlienVault team at RSA at booth 729.