New Petya Variant
Unless you’ve been away for the week somewhere remote with no access to the internet, radio, or television, you’ve likely been bombarded with news of the Petya ransomware variant that took much of Ukraine offline before spreading to other countries. It echoes the disastrous impact WannaCry had just a few short weeks ago.
- Our own AlienVault labs team broke down what they saw
- Microsoft has a nice technical post on how the attack works
- Lesley Carhart has written a very accessible post explaining the attack and the surrounding issues.
Perhaps the biggest victim this time round was Cadbury’s, as it had to shut down its famous chocolate factory in Hobart.
How I obtained direct publish access to 13% of npm packages
This is a great post on how ChALkeR was able to obtain direct publish access to 13% of npm packages – with an estimated reach of up to 52% once you factor in dependency chains.
It’s interesting because the approach is relatively straightforward, relying on three basic techniques: brute-forcing weak passwords, reusing passwords exposed in earlier breaches, and picking up npm credentials that had been committed to public GitHub repositories.
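The third technique above (npm credentials committed to GitHub) is the one a development team can catch before it becomes a problem. The following is an added example, not code from ChALkeR’s post or from npm: a small pre-commit style check that scans file contents for hard-coded registry credentials in the `.npmrc` format (npm reads `_authToken`, `_auth` and `_password` keys from that file) while allowing `${NPM_TOKEN}`-style environment-variable references. The sample files and the token value are constructed placeholders, not real credentials.

```python
import re

# Constructed sample repository contents. The _authToken value is a made-up
# placeholder, not a real npm token.
SAMPLE_FILES = {
    ".npmrc": (
        "registry=https://registry.npmjs.org/\n"
        "//registry.npmjs.org/:_authToken=00000000-0000-0000-0000-000000000000\n"
    ),
    "package.json": '{"name": "demo", "version": "1.0.0"}\n',
    # A committed template that defers to an environment variable is fine.
    ".npmrc.example": "//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n",
}

# Registry-scoped credential keys as npm writes them to .npmrc, e.g.
#   //registry.npmjs.org/:_authToken=<token>
# The registry prefix is optional because legacy configs used bare _auth=.
CRED_KEY = re.compile(
    r"^\s*(?:(//[^:]+/):)?(_authToken|_auth|_password)\s*=\s*(.*)$"
)


def is_placeholder(value):
    """True when the value is empty or an environment-variable reference (${NAME})."""
    v = value.strip()
    return v == "" or (v.startswith("${") and v.endswith("}"))


def find_credential_lines(text):
    """Return (line_number, key, value) for each hard-coded registry credential in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = CRED_KEY.match(line)
        if match and not is_placeholder(match.group(3)):
            hits.append((number, match.group(2), match.group(3).strip()))
    return hits


def scan_files(files):
    """Map file name -> credential hits, including only files that contain at least one."""
    report = {}
    for name, body in files.items():
        hits = find_credential_lines(body)
        if hits:
            report[name] = hits
    return report


def should_block_commit(files):
    """A hook would refuse the commit when any file carries a hard-coded credential."""
    return bool(scan_files(files))


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for number, key, value in hits:
            print(f"{name}:{number}: hard-coded {key} ({value[:8]}...) - use ${{NPM_TOKEN}} instead")
    raise SystemExit(1 if should_block_commit(SAMPLE_FILES) else 0)
```

Wired into a pre-commit hook (run over the staged files rather than the constructed dictionary), this blocks the commit that would have published the token in the first place; rotating any token that does slip through is still necessary, since a scanner only stops future leaks.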
You are not Google
Neither are you Amazon, or LinkedIn, or Facebook, or Netflix etc. A great post especially for engineers.
This line of thinking can be extended to security too. Just because a large, well-funded, and heavily targeted company is using the latest bleeding-edge, next-generation security products and tools, it doesn’t mean every company needs to adopt the same toolset. Rather, it’s about looking at what matters most to your own organisation and choosing security controls that are appropriate to that.
I really need to find better ways of explaining my thoughts; the paragraph I just wrote throws me back to my days as a consultant.
Legal boundaries and privacy
The long-running case between the US Department of Justice and Microsoft has taken another turn, as the DoJ has petitioned the US Supreme Court to get involved in allowing the US government access to Microsoft emails stored at its Dublin data centre.
As Microsoft president and chief counsel Brad Smith argued in a blog post, if the US government has the right to directly seize internationally held data, then other countries will of course expect the same right. This would in effect allow international digital raids on American or other nations’ data, in the US or around the world, with near impunity.
The EU will be keeping a close eye on this, especially from a GDPR perspective. And the results of this case could have a significant impact on cloud computing.
I fought the law and the law won
The German parliament has passed an expansion of police hacking powers which allows the police to hack, crack, bypass, and use malware in all manner of investigations.
However, the mindset where leaders believe encryption is a nuisance doesn’t appear to be limited to Europe. Australia recently pushed for weaker encryption at a ‘Five Eyes’ meeting.
Relatedly, the new EU digital commissioner, Mariya Gabriel, has failed to clarify her position on encryption.
With more and more governments around the world looking at weakening online security measures, one has to wonder how long before the algorithm breaks.
Draft defense bill would ban Kaspersky products
Not to say the US Department of Defense is Russian to conclusions (thanks Shannon for the pun); but the DoD may ban the use of security products from Kaspersky. The Moscow-based company is accused by US officials of possibly being under Russian influence.
There has been no public evidence provided to substantiate the claims against Kaspersky, which, again, can set a dangerous precedent.
- https://www.engadget.com/2017/06/28/defense-bill-would-ban-kaspersky-software/
- http://thehill.com/homenews/senate/339981-senate-moves-to-ban-moscow-based-kaspersky-use-due-to-concerns-about-russian
- https://www.bleepingcomputer.com/news/government/senate-gets-ready-to-ban-kaspersky-products-as-fbi-interviews-companys-us-employees/
Skype Zero-Day
A security researcher uncovered a Skype vulnerability that allows attackers to remotely execute code and do all sorts of nasty things.
Technical details can be found here
Microsoft has a patch available and recommends users upgrade to the latest version of Skype immediately to avoid disappointment.