Things I Hearted this Week, 15th June 2018

June 15, 2018  |  Javvad Malik

Fear not, after a week without an update because I was busy gallivanting around at Infosecurity Europe and picking up awards, regular service has resumed.

Empathy in Incident Response

His email message to the SOC was succinct. “I clicked on a suspicious link,” he wrote, “What do I do now?”

My first reaction wasn’t that of anger or contempt. I was relieved, actually. Relieved that he alerted the team. (I don’t think I even want to know how many clicks on suspicious links go unreported.) I was eager to take on this challenge and I quickly located the email in question and I examined it.

Then, I called him. On the phone. To talk to him. In person.

Foiling A $110M Bank Heist

Bancomext would later learn that hackers suspected to be from North Korea had tried to siphon off more than $110 million, forcing the lender to temporarily suspend operations in its international payment platform. These accounts of cyberattacks are based on conversations with individuals briefed on the details of the incidents, who asked not to be identified because investigations by authorities haven’t been completed.

On the topic of robbing banks,

When Your Talk Submission Is Rejected

We've all seen people get disheartened and even angry that their talks to conferences, particularly the big ones, don't get accepted.

Joe FitzPatrick breaks down the rejection process and how you can learn and grow from your rejections.

Further Down The Trello Rabbit Hole

Last month’s story about organizations exposing passwords and other sensitive data via collaborative online spaces at Trello.com only scratched the surface of the problem. A deeper dive suggests a large number of government agencies, marketing firms, healthcare organizations and IT support companies are publishing credentials via public Trello boards that quickly get indexed by the major search engines.

Cloud Leaks Data

I bet you thought this was going to be another story about an insecure AWS S3 bucket. For once, you're wrong.

Google Groups has had a glitch whereby an estimated 10,000 companies are leaking private data. Google denies it is a bug and has been telling people to read the manual, but it looks like a case where the UX needs fixing.

Demand More From Your WAF

I want to let you in on a little secret.

About a year ago I had a conversation with a recently departed senior executive from one of the leading legacy WAF vendors. It was a short call and mostly one where I was explaining Signal Sciences and our progress on reinventing the WAF market but it ended with this seemingly puzzling exchange.

Me: Thank you again for your time! You all have paved the way for the WAF market over the last 10 years. Any advice for some ambitious upstarts as you pass the torch?

Him: (Pausing thoughtfully) Well this may seem basic but I think this is the most important lesson I’ve learned in my position. Don’t ignore customers after you close the deal to just focus on the next new deal.

Why Facebook Shared Data With Device Makers

The scrutiny over Facebook’s data-sharing partnerships highlights how critical APIs are to modern development, and how important it is to restrict how much data can be accessed through these interfaces.

Services like Facebook provide application programming interfaces (APIs) to third-party developers so that they can include the data to create games and other apps for the users.

The API owners control what kind of information, and how much data, is available to an API call. If they aren’t careful, they can expose too much. If they don't pay attention to how APIs are being used, they may not notice when someone is abusing the access. If they don't keep track of all their APIs, they don't have a complete picture of who has access to their data.
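The three controls that excerpt calls out, limiting what a call can return, watching how the interface is used, and keeping an inventory of who holds access, fit in a few dozen lines. What follows is an added example written for this roundup, not Facebook's code or code from the article quoted above; the scope names, the app registrations and the user records are all constructed for illustration, and the rate limit stands in for whatever abuse signal a real platform would monitor.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample records; a real service would read these from a store.
USERS = {
    "u1": {"id": "u1", "name": "Ada", "email": "ada@example.org",
           "birthday": "1815-12-10", "friends": ["u2"]},
    "u2": {"id": "u2", "name": "Grace", "email": "grace@example.org",
           "birthday": "1906-12-09", "friends": ["u1"]},
}

# Each scope unlocks an explicit set of fields (scope names are assumed,
# not a real platform's). A field absent from every scope can never be
# returned, whatever the caller asks for: allow-list, not deny-list.
SCOPE_FIELDS = {
    "public_profile": frozenset({"id", "name"}),
    "email": frozenset({"email"}),
    "user_birthday": frozenset({"birthday"}),
    "user_friends": frozenset({"friends"}),
}


@dataclass
class AppRegistration:
    """One entry in the inventory of who may call the API, and with what."""
    app_id: str
    scopes: frozenset
    enabled: bool = True


class ApiGateway:
    def __init__(self, apps, rate_limit=100, window_s=60):
        self.apps = {a.app_id: a for a in apps}
        self.rate_limit = rate_limit
        self.window_s = window_s
        self.calls = defaultdict(deque)   # app_id -> timestamps of recent calls
        self.alerts = []                  # (app_id, reason) pairs for the SOC

    def _check_usage(self, app_id, now):
        """Sliding-window counter; refuse and alert when an app exceeds it."""
        recent = self.calls[app_id]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.rate_limit:
            self.alerts.append((app_id, "rate limit exceeded"))
            raise PermissionError(f"{app_id}: too many calls")
        recent.append(now)

    def get_user(self, app_id, user_id, now=0.0):
        """Return only the fields the calling app's scopes unlock."""
        app = self.apps.get(app_id)
        if app is None or not app.enabled:
            self.alerts.append((app_id, "call from unknown or disabled app"))
            raise PermissionError(f"{app_id}: not authorised")
        self._check_usage(app_id, now)
        allowed = frozenset().union(
            *(SCOPE_FIELDS.get(s, frozenset()) for s in app.scopes))
        record = USERS[user_id]
        return {k: v for k, v in record.items() if k in allowed}

    def revoke(self, app_id):
        """Disable an app without deleting it, so the inventory keeps history."""
        self.apps[app_id].enabled = False

    def inventory(self):
        """Who has access, with which scopes, and whether it is still live."""
        return sorted((a.app_id, sorted(a.scopes), a.enabled)
                      for a in self.apps.values())


def run_demo():
    """Exercise the three controls and return the observations as a dict."""
    gw = ApiGateway(
        [AppRegistration("quiz_game", frozenset({"public_profile"})),
         AppRegistration("device_partner",
                         frozenset({"public_profile", "email", "user_friends"}))],
        rate_limit=3, window_s=60)
    out = {}
    out["game_view"] = gw.get_user("quiz_game", "u1", now=0.0)
    out["partner_view"] = gw.get_user("device_partner", "u1", now=0.0)
    # Hammer the API from the game: the fourth call inside the window is refused.
    for t in (1.0, 2.0, 3.0):
        try:
            gw.get_user("quiz_game", "u1", now=t)
        except PermissionError:
            out["throttled_at"] = t
    # Revoke the partner: later calls are refused and the inventory records it.
    gw.revoke("device_partner")
    try:
        gw.get_user("device_partner", "u1", now=4.0)
        out["partner_after_revoke"] = "allowed"
    except PermissionError:
        out["partner_after_revoke"] = "refused"
    out["inventory"] = gw.inventory()
    out["alerts"] = list(gw.alerts)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point worth noticing is that the partner with the `user_friends` scope gets friend identifiers, not the friends' own records: expanding those would hand out data the friends never consented to, which is exactly the kind of over-exposure the excerpt warns about. Widening what a scope returns should be a deliberate change to `SCOPE_FIELDS`, reviewed like any other access-control change.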

Seeing as we're talking about Facebook,

Dixons Carphone Breach

According to the company, the vast majority of the cards (5.8M) were protected by chip-and-PIN technology — and it says the data accessed in respect of these cards contains “neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made”.

However around 105,000 of the accessed cards were non-EU issued, and lacked chip-and-PIN, and it says those cards have been compromised.

Privacy Stuff

It's not paranoia: your phone really is listening, but in this case to catch bars illegally broadcasting football (soccer) games.

In the UK, credit scores are mostly used to determine whether people can get a credit card or loan. But in China, the government is developing a much broader “social credit” system partly based on people’s routine behaviours with the ultimate goal of determining the “trustworthiness” of the country’s 1.4 billion citizens.

Randomness

A few other stories I enjoyed reading recently.
