Hello again, back to your regularly scheduled weekly security news, views, and opinions roundup.
So without further ado, let’s jump straight into it.
Pwned GPS watches
A German security researcher has printed the word "PWNED!" on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches open to attackers.
The culprit: a common backend API between the watches and other devices, which allowed attackers to eavesdrop on and track users wearing the watches.
Man behind fatal ‘swatting’ gets 20 years
Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.
Man Behind Fatal ‘Swatting’ Gets 20 Years | Krebs on Security
RFID’s guilty secret
Great introductory piece to RFID.
In your average hotel key card is a chip that contains nothing more than a tiny little radio wave processor and a small amount of data storage – around 1KB. Nothing else. Not even a battery. But when it comes into contact with a reader (on your hotel room door), the chip pulls just the amount of power it needs to spring to life, telling the door to unlock. This is basic Radio Frequency Identification technology (RFID) and it’s been around for a long time. And although it’s certainly evolved - some cards are more secure than others - RFID fundamentally remains unchanged since it first came into use in 1983.
RFID’s Guilty Secret | Canon Europe
Insurers creating a consumer ratings service for cybersecurity industry
Will the insurance industry influence InfoSec? It could potentially be beneficial, but at the same time, we know that current evaluation metrics aren’t particularly great - so this could have some negative outcomes too.
6 forgotten technologies hackers could use to infiltrate your manufacturing network
The back offices of manufacturing and factory facilities present a very legitimate—yet often neglected—attack vector that attackers can infiltrate to make lateral movements through an organization’s network and even into the manufacturing floor. While a lack of investment in cybersecurity is one of the biggest risk factors for manufacturers, there are also several older technologies that can be found throughout most manufacturing facilities—everywhere from the back office, to the factory floor—and should be phased out or patched to help shore up holes in the network.
Towards better vendor security assessments
Dropbox has shared its vendor security assessment process in a detailed blog post. It’s great to see people talking about their vendor security assessment programs; it helps drive greater maturity in this area.
Towards better vendor security assessments | Dropbox
Prime and punishment
Not quite an infosec story, but too good to simply put into the other stories category. If for nothing else, then for gems like this:
She’s outgoing and cheerful, happy to digress into war stories about the time an algorithm change suspended a swath of the Jewish Orthodox pearl dealing industry or a years-long “bloodbath” between two sellers of electric wheelchair batteries.
Prime and Punishment | The Verge
Toyota announces second security breach in the last five weeks
Not a good time to be Toyota, or rather one of its subsidiaries.
The first breach was at an Australian subsidiary, and the more recent one in Japan. Toyota said the servers that hackers accessed stored sales information on up to 3.1 million customers. The carmaker said there's an ongoing investigation to find out if hackers exfiltrated any of the data they had access to.
A little wireless wackiness
A great blog post explaining some of the basics. This is good blogging and what I wish I could find more of on a daily basis.
A Little Wireless Wackiness | PirateMoo
Company suing employee for $138,000 in BEC losses
This just sounds wrong on so many levels. Sure, employees need to exercise caution, but it is the company's responsibility to provide adequate training and guidance to employees. Also, if one employee can set up a new payee and send payments of hundreds of thousands, then there’s something lacking in your company processes.
Security Un-Awareness: Company Suing Employee for $138,000 in BEC Losses | Secure World Expo
Other stories I hearted this week
The House We Live In | Real life mag
From moms to medical doctors, burnout is everywhere these days | Washington Post
The future of staying safe online | HackerNoon