You know the BBC have got their priorities really wrong when they pitch Meghan Markle saying her father is snubbing the Royal wedding as "Breaking news". What is surprising, though, is that I haven't seen all that many phishing emails related to the wedding hitting my inbox. Maybe the scammers know that I wouldn't pay much attention anyway.
Meghan Markle says her father will not now be attending her wedding to Prince Harry on Saturday https://t.co/g5w2J6kr2V — BBC Breaking News (@BBCBreaking) May 17, 2018
But enough about the royals, let's take a peek under the bonnet and see what the cyber spark plugs bring to us this week.
Watch Me Patch, Nay Nay
In 2017 alone, businesses were forced to decide how to address an average of 40 new vulnerabilities per day. With so many new vulnerabilities being published, some businesses may flounder when it comes to developing effective patch strategies.
How much does it cost to run a botnet? Apparently, it can be quite expensive according to the work of C.G.J Putnam at the University of Twente in the Netherlands. For a botnet linked to 10m devices, the cost can be in the region of $16m.
That's a lot of change, until you start looking at the potential returns.
The team says that DDoS attacks using a network of 30,000 bots can generate around $26,000 a month. Spam advertising with 10,000 bots generates around $300,000 a month, and bank fraud with 30,000 bots can generate over $18m per month. But the most profitable undertaking is click fraud, which generates well over $20m a month of profit.
- Inside the business model for botnets | MIT Technology Review
Phish Teachers, Hack Grades
Police in Concord, California arrested a teenager and charged him with 14 felony counts after discovering the high-schooler launched a phishing campaign directed at teachers in order to steal their passwords and change grades.
Not only did he raise his own grades, he raised some of his classmates' grades and lowered others'.
- California high schooler changes grades after phishing teachers, gets 14 felonies for his efforts | Gizmodo
When Tech Flaws Can Ruin Your Life
This is a really good and sad story, but one that needs to be looked at in a wider context. It's not very uncommon to see security researchers blocked by legal threats. Sometimes it's because the product manufacturer wants to avoid some bad publicity. However, in this case, the flaws related to a breathalyser that is used widely across the U.S. These flaws meant that the results of the tests are disputable, casting doubt on countless convictions.
As technology creeps into nearly every aspect of life, and people (including law enforcement) often blindly accept results that could severely impact people's lives, are legal pressures to stifle research acceptable?
On the topic of law enforcement:
- Police department loses 10 months of work to ransomware. Gets infected a second time! | Bleeping Computer
It's Way Too Hard to Turn off Facebook Tracking
Citizens Against Monopoly discovered that Facebook makes it difficult. The steps for opting out of ad targeting are almost endless: visiting eleven different areas of Facebook's user preferences section, clearing out three different caches of personal interests, disallowing four different types of ads, and limiting seven different actions on the site to friends only. And even all this doesn't completely turn off ads.
- It's way too hard to turn off Facebook tracking | The Intercept, Medium
A Bad Case Of Gas
Several US gas pipelines have seen their electronic systems for communicating with customers shut down in what is reported to be a cyber attack.
While all systems are up and running now, and the attack didn't impact operational systems, it's not the first time US pipelines have been targeted. In 2012, a federal cyber response team said it had identified a number of 'cyber intrusions' targeting natural gas pipeline sector companies.
- US gas pipelines hit by cyber attack | Infosecurity Magazine
- Cyberattack pings data systems of at least four gas networks | Bloomberg
- Cyberattack 'wake-up call' puts pipeline industry in hot seat | Energy Voice
Social Media: The Zero Trust Game
How do we acknowledge, address, and resolve the battlefield that social media has become? The spreading of information via social media platforms has been the subject of multiple studies, particularly in the wake of numerous reported misinformation campaigns. In a recent post by Twitter concerning the 2016 election in the US, the company "expanded the number of people notified about interactions with Twitter accounts potentially connected to a propaganda effort by a Russian government–linked organization known as the Internet Research Agency" and that "approximately 1.4 million people have now received a notification from Twitter." Tactics to influence people from the bottom up are not limited solely to elections. We have now seen claims that bots are looking to hijack the gun debate.
- Social media: The zero trust game | HelpNetSecurity
- High-profile Twitter accounts hit by Turkish propaganda campaign | Infosecurity Magazine
- Russian bots are using 2016 tactics to hijack the gun debate on Twitter | Vanity Fair
And not to miss out the big story:
- A DC think tank uses fake Twitter accounts and a shady expert to reach the NSA, FBI and White House | BuzzFeed
The good folk over at Recorded Future have a good analysis of dark networks, which they have broken down into three distinct communities.
- Dark networks: Social network analysis of dark web communities | Recorded Future
Hacking the Hackers
A hacker has breached Securus, the company that helps cops track phones across the US.
You'd think that if you were a company that collected all sorts of phone data, and location tracking, and work with law enforcement, you'd be a bit more careful in how you store the data.
Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement officials' phones, according to court records.
- Hacker breaches Securus, the company that helps cops track phones across the US | Motherboard
- Service meant to monitor inmates' calls could track you, too. | NYTimes
Random Not So Security Stuff
- How many investors should you talk to in a VC fund raise? And how do you prioritise? | Both sides of the table
Well, apparently only 150 people will come to my funeral, and only 50 of those will consider me a "buddy".
- Are my friends really my friends? | NYTimes