I have to thank our editor-in-chief, Kate Brew, for stepping in to compile the week in review last week while I was out topping up my tan on holiday.
So without further ado, let’s dive right in.
Buckets of insecurity
I think this is the week that unsecured Amazon S3 bucket leaks have officially jumped the shark. It’s an almost weekly occurrence, and continues to shine a spotlight on how many organisations simply lack the skills to properly secure their cloud environments, or to obtain any form of assurance.
Enigma, a decentralized platform that’s preparing to raise money via a crypto token sale, had its website and a number of social accounts compromised with the perpetrators netting nearly $500,000 in digital coin by sending out spam.
Having worked over a decade in banking, I’m not the biggest fan of the layers of regulation required in financial services. But as we’re seeing with cryptocurrency, a little additional security can go a long way.
Boarding passes and stolen accounts
This isn’t a new attack vector. I remember reading about similar attacks not too long ago, but it bears repeating that if you post photos of barcodes, particularly the ones on your airline flights, it’s likely someone can gain access to your account.
- Post a boarding pass on Facebook, get your account stolen
- Dangerous airline boarding pass hacking trend puts travellers at risk
- Your Boarding Pass Barcode Can Reveal Your Future Flight Schedule
Bad guys probably work as much as you do
It’s not easy putting in a dishonest day's work. According to a recent study, it appears as if most criminal hackers put just as many hours into their daily grind as many legitimate workers.
It’s a shame really, you’d probably think a lot of them would have actually made great colleagues in an alternate reality.
Ransomware changed the rules
Another good and insightful post by the Grugq, in which he elaborates on a statement (which received some pushback on Twitter) on why ransomware (authors and criminals) are doing more to advance the state of cyber security readiness than the last 10 RSA conferences.
A controversial statement for sure, but the article makes some valid points that are worth pondering over.
Accept Ts & Cs or be left with a brick
The problem here is that this sets a bad precedent. Going forward, so-called ‘smart’ devices will only increase, to the point that it will probably be impossible to buy a ‘dumb’ device that doesn’t have some form of connected functionality. It gives corporations access to the innermost and most private areas of people's lives.
I wonder how long before hackers start releasing their own firmware variations for Sonos and other devices, as they did for John Deere tractors.
The Spyware App Store
Google has pulled 500 apps with over 100 million downloads from its official Play store after it was alerted by researchers to a secret backdoor that could allow developers to install a range of spyware at any time.
I don’t envy the job of those that have the responsibility to vet apps to ensure they are all legitimate without any malware. What is really interesting about this story is that the apps contained an SDK called Igexin – and it’s likely a lot of the developers themselves weren’t aware of the backdoor.
It’s another case of supply chain security – but with a good collaborative defensive effort. So, I guess it’s a good job and a pat on everyone's back for making it through another week.