Things I Hearted this Week, 18th May 2018

May 18, 2018 | Javvad Malik
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

You know the BBC have got their priorities really wrong they pitch Meghan Markle saying her father snubbing the Royal wedding as "Breaking news". What is surprising though is that I haven't seen all that many phishing emails related to the wedding hitting my inbox. Maybe the scammers know that I wouldn't pay much attention anyway.

But enough about the royals, let's take a peek under the bonnet and see what the cyber spark plugs bring to us this week.

Watch Me Patch, Nay Nay

In 2017 alone, businesses on average were forced to decide how to address an average of 40 new vulnerabilities per day. With so many new vulnerabilities being published, some businesses may flounder when it comes to developing effective patch strategies. 

Related,

Botnet Cashouts

How much does it cost to run a botnet? Apparently, it can be quite expensive according to the work of C.G.J Putnam at the University of Twente in the Netherlands. For a botnet linked to 10m devices, the cost can be in the region of $16m.

That's a lot of change, until you start looking at the potential returns.

The team says that DDoS attacks using a network of 30,000 bots can generate around $26,000 a month. Spam advertising with 10,000 bots generates around $300,000 a month, and bank fraud with 30,000 bots can generate over $18m per month. But the most profitable undertaking is click fraud, which generates well over $20m a month of profit.

Phish Teachers, Hack Grades

Police in Concord, California arrested a teenager and charged him with 14 felony counts after discovering the high-schooler launched a phishing campaign directed at teachers in order to steal their passwords and change grades.

Not only did he raise his own grades, he raised some of his classmates... and in others he lowered his classmates' grades.

When Tech Flaws Can Ruin Your Life

This is a really good and sad story, but one that needs to be looked at in a wider context. It's not very uncommon to see security researchers blocked by legal threats. Sometimes it's because the product manufacturer wants to avoid some bad publicity. However, in this case, the flaws related to a breathalyser that is used widely across the U.S. These flaws meant that the results of the tests are disputable, casting doubt on countless convictions.

As technology creeps / has crept into nearly every aspect of life, and people (including law enforcement) often blindly accept the results which could severely impact people's lives - are legal pressures to stifle research acceptable?

On the topic of law enforcement

It's Way Too Hard to Turn off Facebook Tracking

Citizens Against Monopoly discovered that Facebook makes it difficult. The steps for opting out of ad targeting are almost endless: visiting eleven different areas of Facebook's user preferences section, clearing out three different caches of personal interests, disallowing four different types of ads, and limiting seven different actions on the site to friends only. And even all this doesn't completely turn off ads.

A Bad Case Of Gas

Several US gas pipelines have seen their electronic systems for communicating with customers shut down in what is reported to be a cyber attack.

While all systems are up and running now, and didn't impact operational systems, it's not the first time US pipelines have been targeted. In 2012, a federal cyber response team said it had identified a number of 'cyber intrusions' targeting natural gas pipeline sector companies.

Social Media: The Zero Trust Game

How to we acknowledge, address, and resolve the battlefield that social media has become? The spreading of information via social media platforms has been the subject of multiple studies, particularly in the wake of numerous reported misinformation campaigns. In a recent post by Twitter concerning the 2016 election in the US, the company "expanded the number of people notified about interactions with Twitter accounts potentially connected to a propaganda effort by a Russian government–linked organization known as the Internet Research Agency” and that “approximately 1.4 million people have now received a notification from Twitter.” Tactics to influence people from the bottom up are not limited solely to elections. We have now seen claims that bots are looking to hijack the gun debate.

Related

and not to miss out the big story

Dark Networks

The good folk over at recorded future have a good analysis on dark networks and broken it down into three distinct communities.

Hacking the Hackers

A hacker has breached Securus, the company that helps cops track phones across the US.

You'd think that if you were a company that collected all sorts of phone data, and location tracking, and work with law enforcement, you'd be a bit more careful in how you store the data.

Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement official’s phones, according to court records.

Random Not So Security Stuff

Well, apparently only 150 people will come to my funeral, and only 50 of those will consider me a "buddy".

Javvad Malik

About the Author: Javvad Malik
The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.
Read more posts from Javvad Malik ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL