It’s been an uneventful week for the most part. I did spend a lot of time reading tweets by Today In Infosec. If you don’t know of it, I suggest checking it out. As the name suggests, it tweets out news from the world of information security from previous years. I was thinking that maybe I could wait five years and then recycle these weekly roundup blogs as “This week in Infosec”

But that’s the future, let’s jump into the news that matters today.

An Olympic hack

What went on behind the scenes at the Olympics? How much hacking went on, who was behind it, and what can be done about it?

• Lessons in Cyber: Influence Operations | Comae technologies (the Grugq)
• 2018 Winter Olympic Games have been hacked, organizers confirm | Digital trends
• Russian spies hacked the Olympics and tried to make it look like North Korea did it, U.S. officials say | Washington Post

SAML, SSO many vulnerabilities

SAML-based single sign on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password.

Sounds like a lot of fun.

• Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | DUO

Passhunt

I came across this little gem on GitHub this week. Basically, it’s a repository of default credentials for a plethora of network devices, web apps, and so forth for over 500 vendors and near 2100 default passwords.

Remember, Mirai originally only had 61 default passwords to wreak havoc.

• Passhunt | GitHub

Sharing is caring

If you give your information to a business, how many places do you think it shares that information with? None, a dozen, fifty?

Well, thanks to GDPR compliance, PayPal has shared a list of over 600 entities it shares data with.

• List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared | PayPal

Related

• What Amazon Echo and Google Home do with your voice data | Wired
• MoviePass CEO admits company creepily tracks users | New York Post
• Single Photo uniquely identifies Smartphone that took it | The Security Ledger
• Amazon working to fix Alexa after users report random burst of 'creepy' laughter | Guardian

The case against hack porn

Joseph Cox at Motherboard raises an interesting point, that while new research is valuable, many times, it is only applicable in the realm of research, or for Bond films.

Personally, I feel that it’s important to allow and encourage new and innovative ways to hack into things. But it’s worth bearing in mind that very few people or companies are hacked with highly sophisticated techniques. The more we can do first to raise the bar to address fundamentals the better.

• Against Hack Porn | Motherboard

Risk Resilience is the future

We are often told about how a big breach can affect a company’s profits, impact its share price, and basically mean bad news.

But as more data is available and we can see the impact of breaches, the general consensus is that while the share price may suffer a major dip in the aftermath of a breach, it is often forgotten in about 12 months.

In this well-written article, Daniel Miessler discussed how companies should focus on resilience, avoiding disruption, and human safety.

• When Companies Stop Caring About Data Loss, Risk Will Be Resilience-based and Focused on Business Disruption and Human Safety | Daniel Miessler

Marcus Hutchins

A really well-written piece on Marcus Hutchins aka Malware Tech Blog. Hard to appreciate how his life has literally been turned upside down.

• Gray Hat | NYMag

Regulating the IoT

Left to their own devices, it’s unlikely that manufacturers will willingly spend time and resources hardening or securing smart devices. So, it’s likely some form of regulation will force some changes soon.

• Regulating the IoT: Discrimination, Privacy, and Cybersecurity in the Artificial Intelligence Age | SSRN
• Smart device security guidelines 'need more teeth' | BBC

Somewhat related to IoT as it involves self-driving cars being attacked. Or as they say, “rage against the machine”

• Raging human drivers slap, body slam innocent self-driving cars | Ars Technica

Cryptocurrencies

I keep thinking to myself that this week I’ll try to steer clear of any cryptocurrency-related news, yet there are always a couple that catch my eye and I think they’d be interesting to include. If for nothing else, just to keep track of how issues are evolving and developing in this new world.

• Ethereum fixes serious “eclipse” flaw that could be exploited by any kid | ars technical
• Bitcoin is not anonymous and is easy to track, says Met police chief | The Telegraph
• US authorities call on cryptocoin 'exchanges' to sign up for regulation | The Register