I have to thank our editor-in-chief, Kate Brew, for stepping in to compile the week in review last week while I was out topping up my tan on holiday.
So without further ado, let’s dive right in.
Buckets of insecurity
I think this is the week that unsecured Amazon S4 bucket leaks have officially jumped the shark. It’s an almost weekly occurrence, and continues to shine a spotlight on how many organisations simply lack the skills in how to properly secure their cloud environments, or obtain any form of assurance.
Groupsize customer information found in publicly accessible buckets
Enigma Compromised
Enigma, a decentralized platform that’s preparing to raise money via a crypto token sale, had its website and a number of social accounts compromised with the perpetrators netting nearly $500,000 in digital coin by sending out spam.
Having worked over a decade in banking, I’m not the biggest fan of the layers of regulation required in financial services. But as we’re seeing with cryptocurrency, a little additional security can go a long way.
Hackers nab $500,000 as Enigma is compromised weeks before its ICO
Somewhat related
Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency
Boarding passes and stolen accounts
This isn’t a new attack vector. I remember reading about similar attacks not too long ago, but it bears repeating that if you post photos of barcodes, particularly the ones on your airline flights, it’s likely someone can gain access to your account.
- Post a boarding pass on Facebook, get your account stolen
- Dangerous airline boarding pass hacking trend puts travellers at risk
- Your Boarding Pass Barcode Can Reveal Your Future Flight Schedule
Bad guys probably work as much as you do
It’s not easy putting in a dishonest day's work. According to a recent study, it appears as if most criminal hackers put in just as many hours into their daily grind as many legitimate workers.
It’s a shame really, you’d probably think a lot of them would have actually made great colleagues in an alternate reality.
Day in the life of a modern spam kingpin: Why hackers work similar hours to everyone else
Ransomware changed the rules
Another good and insightful post by the Grugq in which he elaborates on a statement (which received some push back on Twitter) on why ransomware (authors and criminals) are doing more to advance the state of cyber security readiness than the last 10 RSA conferences.
A controversial statement for sure, but the article makes some valid points that are worth pondering over.
Accept Ts & Cs or be left with a brick
Sonos is the latest company to throw customer care to the wind and try and dictate all the terms. It has released a new privacy policy that gives it the ability to, well, basically use the information it collects in any way that it wants. There is no ‘opt out’ for customers and those that don’t choose to accept the new policies could end up with a rather expensive brick.
The problem here is that this sets a bad precedent. Going forward, so-called ‘smart’ devices will only increase. To the point that it will probably be impossible to buy a ‘dumb’ device that doesn’t have some form of connected functionality. It gives corporations access to the most innermost and most private areas of people's lives.
I wonder how long before hackers start releasing their own firmware variations for Sonos and other devices, as they did for John Deere tractors.
Sonos says users must accept new privacy policy or devices may “Cease to function”
The Spyware App Store
Google has pulled 500 apps with over 100 million downloads from its official Play store after it was alerted by researchers to a secret backdoor that could allow developers to install a range of spyware at any time.
I don’t envy the job of those that have the responsibility to vet apps to ensure they are all legitimate without any malware. What is really interesting about this story is that the apps contained an SDK called lgexin – and it’s likely a lot of the developers themselves weren’t aware of the backdoor.
It’s another case of supply chain security – but with a good collaborative defensive effort. So, I guess it’s a good job and a pat on everyone's back for making it through another week.
Spyware backdoor prompts Google to pull 500 apps with >100m downloads