Creating Fake Identities
Everything today seems to be linked to your identity; or perhaps more specifically, to your digital identity. While safeguarding one's identity is important, it is also equally important to find ways to stop people from creating fake identities.
Kevin Mitnick belonged to an earlier generation that many of this generation's up and comers may not have heard of. While today he is a respectable information security professional, he wasn’t always quite a white hat, and he has some fascinating stories to share from days gone by.
Listening to this, I was reminded of the Defcon talk a couple of years ago by Chris Rock (the security professional, not the comedian / actor) entitled “I will kill you”.
Abusing GDI Objects for ring0 Primitives Revolution
Speaking of Defcon, Saif El-Sherei, an analyst at SensePost, gave a talk in which he released two exploits and a new GDI object abuse technique.
Is Amazon’s Cloud Service Too Big To Fail?
Microsoft’s Peers says concentration risk is a “genuine issue”. “I don’t think you can have the world’s financial systems in the hands of one bank or on one cloud provider. It seems completely incomprehensible to think that a Microsoft or Amazon would ever disappear but you can’t allow for that possibility.”
I thought this write-up on Amazon Web Services, regarding the size and influence it is rapidly gaining, was very well-researched and put together.
Vanity, My Favourite Sin
The first organization that Jahanrakhshan targeted was Leagle.com, a website that offers copies of court opinions and decisions. In the beginning, Jahanrakhshan contacted the site's team from his personal email address, asking them nicely to remove copies of past court decisions mentioning his name on the premise that it was tarnishing his reputation and violating his privacy.
When the Leagle team refused, the suspect even offered to pay a $100 fee to have the documents removed. When Leagle refused again, Jahanrakhshan — who also used the name "Andrew Rakhshan" — sent them a threatening email saying that he had made friends with dangerous hackers and that they should heed his final warning.
Sometimes it can be better to let unflattering articles about yourself remain on the internet rather than escalate the issue. Maybe if he’d done that, no-one would have noticed. Instead, he was arrested once again.
Responsible Disclosure Pains
Apparently UK organisation Kids Pass had a serious vulnerability. However, whenever a security researcher would try to contact them, they would promptly be blocked. But thanks to the power of the internet, and with enough people making a fuss, they were finally forced to resolve the issue.
- Troy Hunt writes a good piece on the challenges of responsible disclosure
- Kids discount site exposed client data
Bug Bounty Woes
As Tiago states, it’s not about the money or getting paid for finding bugs, but about being clear as to what will or will not be recognised, as, in his experience, the scales are unfavourably tipped in favour of the company running the bug bounty.
One of Tiago’s suggestions is to move more responsibility to the bug bounty platforms:
…the bug bounty platforms should act as escrows, keeping everyone in line, vendors from not messing around with the researchers, and the researchers from going against some of the rules.
No Scraping Around Here!
Microsoft-owned LinkedIn is releasing the might of its legal team on hiQ, in a fight that could determine whether an anti-hacking law can be used to curtail the use of scraping tools across the web.
- LinkedIn: It’s illegal to scrape our website without permission
- Scraping the internet’s most popular websites
Leak The Analyst Campaign
In a rather savage display, cyber criminals have launched what they referred to as #Leaktheanalyst, a campaign targeting analysts working for companies that thwart their work.
In this instance, a FireEye / Mandiant employee was targeted and malware was installed on his computer, which the attackers then used to steal data; they even broke into and defaced his LinkedIn page.