Continuing the trend from last week, I’ll keep trying to put a positive spin on the week’s security news.
Why? I hear you ask. Well, I’ve been mulling over the whole optimist thing and the glass-half-full analogy, and it does work wonders. Side note: a tweet about half-full / half-empty glasses and infosec took on a life of its own a few days ago.
But I’m reminded of the ending monologue by Morgan Freeman in “The Shawshank Redemption”, in which he starts off by saying, “Get busy living or get busy dying.”
So the thought of the week is, “Get busy securing, or get busy insecuring.” Hmm, doesn’t quite have the same ring to it. Will have to think of a better word – but you catch my drift. Let’s jump into this week’s interesting security bits.
Mirai Mirai on the wall
I picture Brian Krebs as being a Liam Neeson type – he sees that his website is under attack by a never-before-seen DDoS attack. He mutters to himself, “I don’t know who you are, but I will hunt you, I will find you, and I will blog about it until you get arrested, prosecuted, and thrown in jail.”
It so happens that this week the hackers behind the Mirai botnet and a series of DDoS attacks pled guilty.
- The Hackers Behind Some of the Biggest DDoS Attacks in History Plead Guilty | Motherboard
- Mirai IoT Botnet Co-Authors Plead Guilty | KrebsonSecurity
- Botnet Creators Who Took Down the Internet Plead Guilty | Gizmodo
Bug Laundering Bounties
Apparently, HBO negotiated with hackers, paying them $250,000 under the guise of a bug bounty as opposed to a ransom.
Maybe in time, it will be found that HBO acted above board, maybe it was a sting operation, maybe it was a misconstrued email.
The worrying fact is that any payment exchange system can be used to launder money. However, bug bounty providers don’t (as far as I can tell) have financial services obligations. Does the bug bounty industry need more regulation (shudder)?
- Leaked email shows HBO negotiating with hackers | U.S. News
- Remember the 'Game of Thrones' leak? An Iranian hacker was charged with stealing HBO scripts to raise bitcoin | USA Today
- Uber used bug bounty program to launder blackmail payment to hacker | Ars Technica
Inside a low budget consumer hardware espionage implant
I’m not much of a hardware expert – actually, I’m not much of a hardware novice either. But this writeup by Mich is awesome. I didn’t even know there were so many ways to sniff, intercept and basically mess around with stuff at such a small scale. It’s extremely detailed and I’ve permanently bookmarked it for future reference.
Tailoring Infosec communication
This is a great blog post by Claire Tills on the importance of tailoring infosec communication. In this post, Tills goes over five scenarios on how to tailor your message accordingly. I’ll be trying out some of these methods for sure.
- Tailoring Infosec communication | Claire Tills
North Korea, and free penetration tests
“This all may sound quite Ian Fleming James Bond villain-esque but the reality is that in the world of hacking and crime, this kind of activity is still evolving and now that the nation state of North Korea has opened Pandora's box, there is little to stop them if the goals of sowing chaos and potentially gaining funds have no real blowback. After all, what would happen next if they were tied to another attack on financial systems? More sanctions? The world would be hard pressed to have any kind of norms work on the Hermit Kingdom.”
Not everything is sophisticated
McAfee’s Chief Scientist Raj Samani reiterates what needs to be said far more often. There are very few attacks so sophisticated that they can’t be addressed. Similarly, it’s also wrong for companies to be complacent in the belief that they are too small to be a target.
“…for almost 30 years the fundamentals of protecting systems have stood the test of time, and they generally still apply today. Yet the headlines we hear today are so far removed from reality that the very people we are hoping to influence and adopt better practices simply shrug their shoulders because “sophisticated, advanced” doesn’t apply to me. How many of us have heard people say “I am too small to be hacked”, or “this doesn’t apply to me.””
- Not everything is sophisticated, let’s keep it simple | HelpNetSecurity
Inside Quebec’s great, multi-million-dollar maple-syrup heist
Finally – if the heading sounds familiar, it’s because it is from last year – thankfully multi-million-dollar maple-syrup heists aren’t an annual occurrence.
It’s a little longer than usual – but an excellent read.