Week In Review – 4th August 2017

August 4, 2017  |  Javvad Malik

Creating Fake Identities

Everything today seems to be linked to your identity; or perhaps more specifically, to your digital identity. While safeguarding one's identity is important, it is also equally important to find ways to stop people from creating fake identities.

Kevin Mitnick belonged to an earlier generation that many of this generation's up and comers may not have heard of. While today he is a respectable information security professional, he wasn’t always quite a white hat, and he has some fascinating stories to share from days gone by.

Motherboard has an interesting podcast with Kevin on the topic of creating fake identities.

Listening to this, I was reminded of the Defcon talk a couple of years ago by Chris Rock (the security professional, not the comedian / actor) entitled “I will kill you

Abusing GDI Objects for ring0 Primitives Revolution

Speaking of Defcon, Saif El-Sherei, an analyst at SensePost, gave a talk in which he released two exploits and a new GDI object abuse technique.

Is Amazon’s Cloud Service Too Big To Fail?

Microsoft’s Peers says concentration risk is a “genuine issue”. "I don’t think you can have the world’s financial systems in the hands of one bank or on one cloud provider. It seems completely incomprehensible to think that a Microsoft or Amazon would ever disappear but you can’t allow for that possibility.”

I thought this write up on Amazon Web Services regarding the size and influence it is rapidly gaining was very well-researched and put together.

Azure security boss tells sysadmins to harden up and properly harden Windows server.

Vanity, My Favourite Sin

The first organization that Jahanrakhshan targeted was Leagle.com, a website that offers copies of court opinions and decisions. In the beginning, Jahanrakhshan contacted the site's team from his personal email address, asking them nicely to remove copies of past court decisions mentioning his name on the premise that it was tarnishing his reputation and violating his privacy.

When the Leagle team refused, the suspect even offered to pay a $100 fee to have the documents removed. When Leagle refused again, Jahanrakhshan — who also used the name "Andrew Rakhshan" — sent them a threatening email saying that he had made friends with dangerous hackers and that they should heed his final warning.                                                                                             

Sometimes it can be better to let unflattering articles about yourself remain on the internet rather than escalate the issue. Maybe if he’d done that, no-one would have noticed. Instead, he was arrested once again.

Responsible Disclosure Pains

Apparently UK organisation Kids Pass had a serious vulnerability. However, whenever a security researcher would try to contact them, they would promptly be blocked. But thanks to the power of the internet, and with enough people making a fuss, they were finally forced to resolve the issue.

Bug Bounty Woes

In a separate issue, Tiago Alexandre has written about some of the challenges he has had with bug bounty programmes, focusing in particular on the need for more transparency.

As he states, it’s not about the money or getting paid for finding bugs, but being clear as to what will or will not be recognised, as, in his experience, the scales are unfavourably tipped in favour of the company running the bug bounty.

One of Tiago’s suggestion is to move more responsibility to the bug bounty platforms: 

…the bug bounty platforms should act as escrows, keeping everyone in line, vendors from not messing around with the researchers, and the researchers from going against some of the rules.

No Scraping Around Here!

Microsoft owned LinkedIn is releasing the might of its legal team on hiQ, in a fight that could determine whether an anti-hacking law can be used to curtail the use of scraping tools across the web.

Leak The Analyst Campaign

In a rather savage display, cyber criminals have launched what they referred to as #Leaktheanalyst, a campaign targeting analysts working for companies that thwart their work.

In this instance, a FireEye / Mandiant employee was targeted and malware installed on his computer which they then used to steal data from; they even broke into and defaced his LinkedIn page.

Share this with others

Get price Free trial