It’s hard to believe the whole year has gone past and I’ve been hearting things nearly every week since it began.
I’d like to sum up 2018, so I started to look through all the posts from every week and I realised it was a mammoth task. There have been 40 “Things I hearted” blog posts this year, each with an average of 10 stories. And that doesn’t include the dozens of other stories that didn’t make the cut every week.
Suffice to say, it’s been a very busy year as far as information security is concerned. Which could mean that business is very good. Or it could just mean that business is as usual, we’re just getting better at covering the stories.
In YouTube fashion, I decided to do a video rewind of some of the notable stories of the year (minus Will Smith and the big budget).
Conspiracy videos aside, let’s have a recap of an assortment of stories that were hearted over the course of the year.
January 12th Edition
Toy Firm VTech Fined Over Data Breach
VTech, the ‘smart’ toy manufacturer has been fined $650,000 by the FTC after exposing the data of millions of parents and children.
Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest.
Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.
- FTC fines VTech toy firm over data breach | SC Magazine
- FTC Fines IoT Toy Vendor VTech for Privacy Breach | eWeek
- After breach exposing millions of parents and kids, toymaker VTech handed a $650K fine by FTC | Techcrunch
March 9th Edition
SAML, SSO Many Vulnerabilities
SAML-based single sign-on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ passwords.
Sounds like a lot of fun.
March 30th Edition
Investigating Lateral Movement Paths with ATA
Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts. In lateral movement attacks, the attacker takes advantage of instances when sensitive users log into a machine where a non-sensitive user has local rights. Attackers can then move laterally, accessing the less sensitive user and then moving across the computer to gain credentials for the sensitive user.
- Investigating lateral movement paths with ATA | Microsoft
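As an added illustration (not code from the post or from Microsoft ATA), here is a small path finder over constructed logon and local-admin data that surfaces exactly the exposure described above: a sensitive user logged on to a machine where a non-sensitive user holds local admin rights. Machine and user names are hypothetical.

```python
from collections import deque

# Constructed sample inventory (hypothetical names). ATA derives the same two
# relations from domain telemetry; here they are hand-written.
LOCAL_ADMINS = {            # machine -> accounts with local admin rights on it
    "WS-FINANCE-01": {"bob"},
    "WS-HR-02": {"carol", "bob"},
    "DC-01": {"alice"},
}
LOGONS = {                  # machine -> accounts that logged on interactively
    "WS-FINANCE-01": {"alice", "bob"},   # sensitive user alice used bob's box
    "WS-HR-02": {"carol", "bob"},        # bob logged on to help carol
    "DC-01": {"alice"},
}
SENSITIVE = {"alice"}       # accounts ATA would flag as sensitive


def exposures(local_admins, logons, sensitive):
    """(machine, sensitive_user, local_admin) triples: the risky condition itself."""
    return {
        (m, victim, admin)
        for m, admins in local_admins.items()
        for admin in admins - sensitive
        for victim in logons.get(m, set()) & sensitive
    }


def build_edges(local_admins, logons):
    """Edge admin -> victim: admin on a machine can harvest credentials of anyone logged on there."""
    edges = {}
    for machine, admins in local_admins.items():
        for admin in admins:
            for victim in logons.get(machine, set()) - {admin}:
                edges.setdefault(admin, set()).add((victim, machine))
    return edges


def lateral_paths(start, local_admins, logons, sensitive):
    """BFS from one account; shortest user/machine/user path to each reachable sensitive account."""
    edges = build_edges(local_admins, logons)
    queue, seen, found = deque([(start, [start])]), {start}, {}
    while queue:
        user, path = queue.popleft()
        for victim, machine in edges.get(user, ()):
            if victim in seen:
                continue
            seen.add(victim)
            new_path = path + [machine, victim]
            if victim in sensitive:
                found[victim] = new_path
            queue.append((victim, new_path))
    return found
```

Running `lateral_paths("carol", LOCAL_ADMINS, LOGONS, SENSITIVE)` shows the two-hop path carol -> WS-HR-02 -> bob -> WS-FINANCE-01 -> alice; removing alice's logon on WS-FINANCE-01 (or bob's admin rights there) empties it.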
May 18th Edition
Hacking the Hackers
A hacker has breached Securus, the company that helps cops track phones across the US.
You'd think that if you were a company that collected all sorts of phone data and location tracking, and worked with law enforcement, you'd be a bit more careful in how you store the data.
Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones nationwide in the US with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement officials’ phones, according to court records.
- Hacker breaches Securus, the company that helps cops track phones across the US | Motherboard
- Service meant to monitor inmates' calls could track you, too. | NYTimes
June 1st Edition
Looking at your data this week, Brian Krebs flips the lid on why your location data is no longer private.
"The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels?"
- Why Is Your Location Data No Longer Private? | Krebs On Security
But wait, there's a plot twist. Tired of all these companies profiting off your data? Well, maybe you can try what this guy did and make some money yourself by directly selling your data.
- This Guy Is Selling All His Facebook Data on eBay | Motherboard
July 6th Edition
10 Things To Know Before Getting Into Cybersecurity
You may know Kevin Beaumont as @GossiTheDog on Twitter. He won the 2018 EU blogger awards for best tweeter. But apparently, he's a man of more talents than just twits: he also blogs, and has put together a good list of 10 things you should know if you're considering getting into cybersecurity.
- 10 things to know before getting into cyber security | Double Pulsar
Related, if you're looking to break into security, then you'll want to know which locations offer the best salaries (US-based).
August 31st Edition
Probably The Best Tech Keynote in the World
I’ll be honest, up until a couple of weeks ago, I hadn’t heard of James Mickens who is a professor at Harvard University.
I watched his keynote presentation at USENIX, and I haven’t been this entertained and captivated by a technology talk in … well, ever.
It’s well worth carving out 50 minutes of your day to watch his keynote, entitled:
Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible?
A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models
October 5th Edition
Bupa Fined £175k
International health insurance business Bupa has been fined £175,000 after a staffer tried to sell more than half a million customers' personal information on the dark web.
The miscreant was able to access Bupa's CRM system SWAN, which holds records on 1.5 million people, and to generate and send bulk data reports on 547,000 Bupa Global customers to his personal email account.
The information – which included names, dates of birth, email addresses, nationalities and administrative info on the policy, but not medical details – was then found for sale on AlphaBay Market before it was shut down last year.
- Health insurer Bupa fined £175k after staffer tried to sell customer data on dark web souk | The Register
November 30th Edition
The $1M SIM Swap
A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency.