Welcome to 2019! I hope that you had a well-deserved break over the holidays, and a special shout-out to all the people who carried on pulling shifts in the SOC, were on-call, and helped ensure stuff stayed as secure as possible while the rest of us were eating and sleeping too much! I’ve said it before, and I’ll say it again: you are the real backbone of the security industry, and although you may never go to conferences, or be heard on a podcast, or put your name to a blog, you go about your job keeping things as secure as possible.
We’re only half a week into the new year and the security world hasn’t slowed down in the slightest, so let’s just get down to what’s been going on these last few days, and catch up with some of the excitement that I missed while I was busy consuming mince pies.
Victorian Government Employees Details Stolen
We didn’t even make it a day into the new year without news of a data breach in which thousands of records were stolen. Sure, it’s small compared to the millions of records we’re getting accustomed to reading about, but it’s significant nonetheless. It’s as if data breaches have become an Olympic-level sport, with everyone racing to be first.
The work details of 30,000 Victorian public servants have been stolen in a data breach, after part of the Victorian Government directory was downloaded by an unknown party.
The list is available to government employees and contains work emails, job titles and work phone numbers.
Employees affected by the breach were told in an email their mobile phone numbers may have also been accessed if they had been entered into the directory.
Town of Salem Breach Affects 7 Million Accounts
Getting up to the kind of breach numbers we’re all more used to, the video game Town of Salem was hit with a massive data breach last week that exposed the information of more than 7 million users.
The breach was discovered by the breach-monitoring service DeHashed on December 28, when it received an anonymous email indicating that someone had gained access to the game’s database. Town of Salem is a role-playing game operated by BlankMediaGames.
- Town of Salem breach affects 7 million accounts | SC Magazine
Promote Your Scams
In the battle for advertising revenue supremacy, social media giants have automated their whole process and seem to have forgotten to include any basic checks for, you know, obvious scams. Like this little gem, where an obvious PayPal phishing scam ran as a promoted tweet.
And we think we’re going to clean up fake news.
- Twitter let someone promote an obvious PayPal phishing scam | The Next Web
Subscribe to PewDiePie!
At this point, I have conflicting opinions on the world's most-subscribed-to YouTuber, PewDiePie, aka Felix Kjellberg.
He either has the most dedicated fans (well, one fan, who goes by the name TheHackerGiraffe) on the planet, who go around trying to find creative and innovative ways to promote his channel.
Or he has hired a bunch of hackers who operate under the name TheHackerGiraffe to try and find ways to promote him.
Or "subscribe to PewDiePie" has become the equivalent of popping calc.exe on a box.
Anyway, 2019 has brought about a new campaign that targets Chromecast adapters, smart TVs, and Google Home devices in order to play a YouTube video promoting PewDiePie’s channel. The common thread is that the devices were reachable from the internet, typically because the home router (often via UPnP) was forwarding the Chromecast’s local control ports; if you have one of these at home, it is worth checking that your router is not exposing it.
- Hacker Streaming PewDiePie Videos on Exposed Chromecast Devices | Bleeping Computer
Vulnerability Disclosure Economics
The EU’s cybersecurity agency ENISA has delved into the problems of vulnerability disclosure and has released a report that addresses the economic factors, incentives and motivations that influence the behaviour of the various vulnerability disclosure actors, along with two case studies of recently disclosed high-profile vulnerabilities (Meltdown/Spectre, and EternalBlue) that illustrate how the process plays out.
- Economics of Vulnerability Disclosure | ENISA
- Why are some vulnerabilities disclosed responsibly while others are not? | HelpNetSecurity
OWASP IoT Top 10
OWASP released its IoT Top 10 just before the year ended, and it is a solid list that is simple and usable.
- OWASP IoT Top 10 | OWASP