The challenge with compiling this weekly roundup is not finding newsworthy security stories, but whittling down the large number of stories into a selection of my favourite or most impactful ones.
To be honest, I often procrastinate somewhat while doing this and end up trying to work out solutions for different security problems. One of them was to set up a website called sorryaboutthebreach.com.
This would be a website where companies could pay a fee to join and are given their own web page with a blog template. Think of it like a similar setup to prepaid funerals. Customers and shareholders can then log on and check whether a message has been left for them about how sorry the company is to have suffered a breach and lost their data.
Anyway, onto the good stuff.
Disqus’ing the breach
Disqus said a 2012 breach discovered on October 5th exposed information on 17.5 million users from as far back as 2007.
That’s a pretty significant breach; however, the silver lining was how well Disqus handled it and the speed and clarity with which it shared details. Troy Hunt goes over this on his blog.
- Disqus reveals it suffered a security breach in 2012 | Engadget
- Disqus Breach Exposed 17.5m Emails | Infosecurity
- Disqus Data Breach: 17.5 Million Exposed, Shows Rapid Response | IT Security Central
Bitcoin Miners and AWS
As more companies embrace aspects of cloud computing, we are seeing cyber criminals, and indeed researchers, increasingly turn their focus towards cloud security.
In recent months there have been many instances of misconfigured Amazon databases exposing sensitive information publicly. However, there is more than just precious data in the cloud. This attack shows that the power of cloud computing is sought-after for bitcoin mining or other nefarious purposes.
- Forget stealing data — these hackers hijacked Amazon cloud accounts to mine bitcoin | Business Insider
- AWS Cloud Hacked by Bitcoin Miners | Enterprise Tech
Malvertising campaign targets Pornhub
Hackers used malvertising on adult video website Pornhub and abused the Traffic Junky advertising network to redirect users to a malicious website. Chrome and Firefox users were shown a fake browser update window, while IE and Edge users got a fake Flash update one.
Malvertising campaigns are a favoured avenue for many attackers. In 2016, Google removed 112 million bad ads which, on top of malware, include illegal product promotion and misleading ads.
By and large, the biggest challenge is that there are generally insufficient controls on placing an advert with an ad network. This makes it a far more enticing avenue for mischief than, for example, getting a malicious app approved by an official app store.
Because of this, we’ve seen many large and reputable organisations serve up malvertising, including MSN.com, the New York Times, and the BBC amongst others.
Although bad ads can be served up from reputable sites, it is less frequent, so practising safe browsing and sticking to reputable sites remains a good idea. Similarly, hardening your endpoints and ensuring they have the latest patches will afford some protection.
Another tactic, albeit one that can be perceived as controversial, is using an ad blocker. However, many sites detect the presence of an ad blocker and will ask you to remove it.
Perhaps one of the most effective methods of protection is to disable auto-run in browsers and enable click-to-play for plugins. Malvertising will typically rely on exploiting browser plugins, so this will help greatly.
Finally, it is worth remembering that defences will be breached periodically no matter what, so it’s worth investing in threat detection controls so that any compromise can be quickly and reliably detected and thus responded to.
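As an added illustration of the kind of detection control mentioned above (this is example code written for this post, not anything from the articles linked below), the script below walks web-proxy log lines and flags the pattern described in the Pornhub campaign: a request chain that starts at an ad-network domain and ends in an executable download whose filename mimics a browser or Flash update. The log format, the ad-network domain list and every hostname in the sample are constructed for the example; in practice you would feed it your proxy's own export and your own list of ad-serving domains.

```python
"""Flag malvertising-style redirect chains in web-proxy logs.

Added example, not code from the original post. Assumed log format (constructed):
    <timestamp> <client-ip> <method> <url> <referrer-or-dash> <content-type>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed list of ad-serving domains; replace with your own inventory.
AD_NETWORK_DOMAINS = {"cdn.example-adnetwork.test"}

# Content types that usually mean a Windows executable was downloaded.
EXE_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec",
                     "application/octet-stream"}

# Filenames that imitate the lures seen in the campaign (fake browser / Flash updates).
UPDATE_LURE = re.compile(r"(update|flash|player|patch)", re.IGNORECASE)

# Constructed sample log: one full ad -> landing page -> exe chain, one benign
# visit that merely loads an ad script, and one direct ad -> exe chain.
SAMPLE_LOG = """\
2017-10-10T09:00:01Z 10.0.0.5 GET https://cdn.example-adnetwork.test/banner.js - application/javascript
2017-10-10T09:00:02Z 10.0.0.5 GET https://update-firefox-now.test/landing.html https://cdn.example-adnetwork.test/banner.js text/html
2017-10-10T09:00:05Z 10.0.0.5 GET https://update-firefox-now.test/Firefox_Update.exe https://update-firefox-now.test/landing.html application/x-msdownload
2017-10-10T09:01:00Z 10.0.0.7 GET https://www.example.test/index.html - text/html
2017-10-10T09:01:03Z 10.0.0.7 GET https://cdn.example-adnetwork.test/banner.js https://www.example.test/index.html application/javascript
2017-10-10T09:02:00Z 10.0.0.9 GET https://cdn.example-adnetwork.test/ad.js - application/javascript
2017-10-10T09:02:01Z 10.0.0.9 GET https://flashplayer-patch.test/FlashUpdate.exe https://cdn.example-adnetwork.test/ad.js application/x-msdownload
"""


@dataclass
class Event:
    ts: str
    client: str
    url: str
    referrer: Optional[str]
    ctype: str


def parse_log(text: str) -> List[Event]:
    """Parse the assumed six-field log format; '-' means no referrer."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash on them
        ts, client, _method, url, ref, ctype = parts
        events.append(Event(ts, client, url, None if ref == "-" else ref, ctype))
    return events


def host(url: str) -> str:
    return urlparse(url).hostname or ""


def find_malvertising_chains(events: List[Event], max_hops: int = 5) -> List[dict]:
    """Return one alert per executable download reachable from an ad-network referrer.

    Referrers are tracked per client so that the chain is walked backwards
    from the download; max_hops bounds the walk in case of referrer loops.
    """
    referrers: Dict[Tuple[str, str], Optional[str]] = {}
    alerts = []
    for ev in events:
        referrers[(ev.client, ev.url)] = ev.referrer
        filename = ev.url.rsplit("/", 1)[-1]
        is_exe = ev.ctype in EXE_CONTENT_TYPES or filename.lower().endswith(".exe")
        if not (is_exe and UPDATE_LURE.search(filename)):
            continue
        chain = [ev.url]
        cur, hops = ev.referrer, 0
        while cur and hops < max_hops:
            chain.append(cur)
            if host(cur) in AD_NETWORK_DOMAINS:
                alerts.append({"ts": ev.ts, "client": ev.client,
                               "download": ev.url, "chain": list(reversed(chain))})
                break
            cur = referrers.get((ev.client, cur))
            hops += 1
    return alerts


if __name__ == "__main__":
    for alert in find_malvertising_chains(parse_log(SAMPLE_LOG)):
        print(alert["ts"], alert["client"], " -> ".join(alert["chain"]))
```

The heuristic deliberately requires both an executable download and an ad-network origin somewhere in the referrer chain: either signal alone would be far too noisy on a real proxy, and the chain it records is exactly what an analyst wants when triaging which ad placement delivered the lure.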
- Pornhub users hijacked by malvertising campaign malware infections | SC Magazine
- Pornhub hijacked by hackers in massive malware campaign | Newsweek
Apple fixes two password bugs
Apple has fixed two vulnerabilities that put passwords at risk of theft by hackers.
Synack's Patrick Wardle, who was credited with finding one of the now-fixed vulnerabilities, revealed a password-stealing bug just hours before High Sierra was released.
The bug let an attacker grab and steal every password in plain text using a malicious, unsigned app downloaded from the internet without needing the user's master Keychain password.
Apple fixed the bug by requiring users to enter their password before unlocking their Keychain.
- Emergency Apple patch fixes High Sierra password hint leak | ThreatPost
- Apple just fixed a High Sierra bug that's so bad it's embarrassing | Mashable
- Apple Fixes MacOS Bug That Displayed Encrypted Disk Passwords | Silicon
Restricted Australian defence data hacked
The signals intelligence agency has revealed that about 30GB of restricted information on the F-35 Joint Strike Fighter, the P-8 submarine hunters and Australian naval vessels was stolen in a hacking attack.
Apparently, the attacker used the default credentials of Admin:Admin to gain access to the web admin portal.