It's unlikely there will be an update next week as I'll be heading to Infosecurity Europe and Bsides London. If you're in the area feel free to come and say hello. I'll be at the AlienVault stand #L60 at Infosecurity. And if I'm not there, go up to one of my colleagues and say my name three times to win a special prize.
HAVE YOU TRIED TURNING IT OFF AND ON AGAIN?
The FBI believes Russian computer hackers have compromised hundreds of thousands of routers around the world, and are advising everyone to reboot their routers to prevent the spread of malware.
According to an announcement, the malicious actors used VPNFilter malware to target 500,000 routers allowing them to snoop, block, and exploit.
- FBI Public service announcement | IC3.gov
- FBI: Kindly Reboot Your Router Now, Please | Krebs on Security
- Why the FBI says rebooting your router can weaken a global malware attack | Washington Post
Related,
- For the love of God, stop renting routers from Comcast | Motherboard
TAKING THE PEPSI CHALLENGE
Coca-Cola suffered a data breach in September 2017 in which the personal data of 8,000 employees was compromised after a former employer at one of its subsidiaries stole an external hard drive. Law enforcement officials notified the company and initially requested that Coca-Cola not disclose the incident, as they were still investigating the breach.
The company has now notified affected employees with a letter that explains what happened, what information was involved and what the company is doing in response to the breach.
"Our investigation identified documents containing certain personal information for Coca-Cola employees and other individuals that was contained in the data held by the former employee. We do not have any information to suggest that the misappropriated information was used to commit identity theft," the notification letter said.
- Coca-Cola Suffers Breach at the Hands of Former Employee | Bleeping Computer
- No Smiles for Coca-Cola After Data Breach | Infosecurity Magazine
BRANDED VULNERABILITIES
Disclaimer: I've followed and been a fan of Jennifer Leggio's work for a long time and hope to be half as articulate as her one day!
She has written up the key points from her Hack in the Box (HITB) Amsterdam keynote from a few weeks ago and covers some of the marketing fails in information security - including logo's and branded vulnerabilities.
YOUR DATA
Looking at your data this week, Brian Krebs flips the lid on why your location data is no longer private.
"The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels?"
- Why Is Your Location Data No Longer Private? | Krebs On Security
But wait, there's a plot twist. Tired of all these companies profiting off your data? Well, maybe you can try what this guy did and make some money yourself by directly selling your data.
- This Guy Is Selling All His Facebook Data on eBay | Motherboard
BLACKLISTING AD PASSWORDS
This is a pretty nifty development by Joseph Ryan Ries. A password filter for Active Directory that uses a blacklist of bad passwords / character sequences. I think something like this tied in with something like HIBP or similar could be quite useful.
- PassFiltEx by Joseph Ryan Ries | GitHub
DON'T CONNECT THAT
ZDNet has a nice breakdown of 24 internet-connected things that really shouldn't be online. The list includes a ski lift gondola, cold storage control systems, and a pot factory.
Counter-point to connected devices
- I’m Not (Overly) Concerned About Smart Speaker Security, And You Shouldn’t Be Either | Daniel Messier
GDPR IS UPON US
Two years after the EU created its General Data Protection Regulation, on Friday the EU's 28 member states began enforcing the privacy law.
But don't fixate on May 25 being the enforcement start date. "It's not an absolute deadline; it's the start of a new journey in the privacy regulations and environment within the EU and indeed, due to the nature of GDPR, globally as a well," says Brian Honan, who heads BH Consulting, a Dublin-based cybersecurity consultancy that has been helping organizations achieve GDPR compliance.
- GDPR Enforcement Deadline: If You Blew It, What's Next? | Data breach today
- Indian Startups Struggle to Comply With GDPR | Info risk today
YAHOO HACKER SENTENCED
One of the most prominent computer hacking cases in recent years reached a new chapter as Karim Baratov was sentenced to five years in prison and fined an amount equivalent to his remaining assets. Baratov, a Kazakhstan-born Canadian citizen, was sentenced for his role in the massive Yahoo credentials breach that exposed more than 1 billion records to criminals.
- Hacker Sentenced to 5 Years in Yahoo Credential Theft Case | Dark Reading
THE 20-YEAR-OLD ENTREPRENEUR IS A LIE
Apparently the average age of successful business founders is 42. And here I was thinking that I'm over the hill. I guess I should start hiring for my startup soon. Well, as soon as I turn 42 (which is in the very very very distant future)
- The 20-year-old entrepreneur is a lie | MIT Management Sloan School
