Things I Hearted This Week, 1st Feb 2019

February 1, 2019 | Javvad Malik
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Hello February! I was doing some research last night and was surprised to discover that the Target breach is over five years old! Five years! I was sure it only happened a couple of years ago - but such is the fast-paced nature of the industry, and also I guess a testament to how certain major breaches become part of infosec folklore. Like TJX, or Heartland - and no, I’m not going to look up when any of those occurred because I’ll probably end up feeling a lot older than I already do.

Enough reminiscing - let’s get down to it.

The Big Five

There’s been a lot of things I didn’t heart this week, although for one reason or another they ended up in my list of things to talk about. So, if you’re wondering about the stories regarding Facebook and Apple, and also Google, then yes, I did see them, and no, I don’t fancy talking about them.

But speaking of large companies, Kashmir Hill has undertaken what is perhaps becoming my favourite piece of tech journalism ever. WIth detailed write ups and slick videos showcasing how she cut out the big five of Amazon, Facebook, Google, Microsoft, and Apple from her life, one week at a time.

Considerations for When Your Apartment Goes “Smart”

Everything is getting ‘smart’ these days. By smart, I mean connected and vulnerable. So, what should you do if you live in an apartment where everyone is getting fancy new smart locks (or terribly insecure cheap locks depending on how you look at it).

Lesley Carhart recently found herself in the same position, and has written a really good post on security considerations if you ever find yourself in a similar position.

Abusing Exchange: One API Call Away From Domain Admin

An attacker with just the credentials of a single lowly Exchange mailbox user can gain Domain Admin privileges by using a simple tool. Very good writeup here.

Sending Love Letters

The "Love Letter" malspam campaign has now changed its focus to Japanese targets and almost doubled the volume of malicious attachments it delivers.

While we’re talking about Japan, a new law in Japan allows the nation's National Institute of Information and Communications Technology (NICT) to hack into citizens' personal IoT equipment as part of a survey of vulnerable devices. The survey is part of an effort to strengthen Japan's network of Internet of Things devices ahead of the 2020 Tokyo Olympic games.

I like the intent behind this initiative, but the execution leaves me a little worried. Scanning for devices is one thing, actively logging into a device is another. Will be interesting to see how this pans out.

South Korean Delivery Apps Accidentally Leaks 26M Documents

The Korean Android Apps Zcall Delivery Agent and Zcall Delivery Account Manager, which are used to schedule and report package pickups and deliveries, have accidentally leaked personal information about their users.

The leaked data includes not only names, addresses, phone numbers, and delivery times, but also plaintext passwords for shop and staff logins, as well as what appears to be plaintext banking information.

A statement on the company’s website acknowledges the leak and assured customers that the outflow route has been blocked, but blames the incident to the Korea Internet Promotion Agency, rather than a hacking intrusion on their servers.

Judge Rejects Yahoo’s Data Breach Settlement Proposal

Yahoo’s proposed a $50 million pay-out, plus two years of free credit monitoring for about 200 million people in the United States and Israel was rebuffed by U.S. District Judge Lucy Koh, who said she couldn’t declare the settlement “fundamentally fair, adequate and reasonable” because it did not say how much victims could expect to recover, according to court documents.

In 2016, the massive data breach compromised the information of more than one billion Yahoo users affecting email addresses and other personal information marking the largest data breach in history.

Inside the UAE’s Secret Hacking Team of American Mercenaries

Presented without comment - it’s a long article worth reading and drawing your own conclusions.

Other Things I Hearted This Week

Javvad Malik

About the Author: Javvad Malik
The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.
Read more posts from Javvad Malik ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL