Much of this week’s news cycle was dominated by SpaceX successfully launching the Falcon Heavy rocket into space. Putting aside concerns about the cost, the feasibility, or other criticisms, it was just nice to see something positive and optimistic grab the headlines for a change.
But that doesn’t mean the intergalactic world of cyber security sat quietly, oh no, we’ve got a whole bunch of things to talk about, so let’s jump right in.
The House That Spied on Me
By far one of the most engaging pieces I’ve read in a while is this Gizmodo article by Kashmir Hill and Surya Mattu on what happened when they decided to connect a whole bunch of “smart” devices in Hill’s apartment, and then monitored what data those devices collected and sent.
- The house that spied on me | Gizmodo
- Your TV is probably tracking you -- here's how to stop it | Cnet
- Boffins crack smartphone location tracking – even if you've turned off the GPS | The Register
- Amazon Says Don't Worry About This Raspberry Pi Key Hack -- But Is Fixing It Anyway | Forbes
Ethereum Scammers make $5,000 in a night
“Online scammers have made over $5,000 worth of Ethereum in one night alone, showing how gullible some cryptocurrency users can be.
Miscreants achieved this by creating fake Twitter profiles for real-world celebrities and spamming the social network with messages tricking users to participate in "giveaways."
Crooks deceived users into sending a small amount of Ethereum, promising they would receive the sum ten times over as part of the giveaway.
All the messages followed the same pattern, even if the sums and Ethereum wallet addresses varied between the fake Twitter accounts.”
- Ethereum Scammers Make $5,000 in a Night by Impersonating Celebs on Twitter | Bleeping Computer
Hunting Insecure Direct Object Reference
Bug bounty reports where the researchers recount their steps are probably some of my favourite types of posts, as I always end up learning something new. And this one by Mohammed Abdul Raheem is no different.
- Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (part 1) | Codeburst.io
- Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2) | Codeburst.io
Privacy down under
While all eyes have been on GDPR, the Aussies don’t want to be left behind, as the Office of the Australian Information Commissioner has updated the Australian Privacy Act 1988 – outlining how individuals’ privacy needs to be protected. It comes into effect 22nd Feb 2018 and includes the promise of penalties of up to AUD $1.8m for organizations, and introduces the Notifiable Data Breaches scheme (NDB).
- Australian Privacy Act Gets New Notification Requirements | Sacha Dawes, AlienVault
- Australian Privacy Principle guidelines (PDF) | Office of the Australian Information Commissioner
T-Mobile in the USA has been sending out text messages to customers stating they may be targeted by a phone-number port-out scam and advising them to take precautions.
In summary, what happens is that a criminal impersonates a legitimate user in order to get a new SIM card with the victim’s phone number, or to port the number across to another provider.
While it’s not a particularly new, or even sophisticated, attack, the impact has grown as phone numbers are an integral part of one’s digital identity and authentication.
- T-Mobile Is Sending a Mass Text Warning of ‘Industry-Wide’ Phone Hijacking Scam | Motherboard
- T-Mobile Customers: If You Got a Confusing Text About Phone Hijacking Scams, You’re Not Alone | Gizmodo
AWS bucket spills 12k social media influencers
In what feels like business as usual, another misconfigured AWS S3 bucket exposed the real names, addresses, and phone numbers of popular social media users.
- Misconfigured Amazon Web Services bucket exposes 12,000 social media influencers | SC Magazine
- Bad Influence: How A Marketing Startup Exposed Thousands of Social Media Stars | Upguard
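A small offline check in the spirit of this story, added here as an example and not taken from the Upguard write-up: it takes a bucket policy and an ACL in the shape the S3 API returns (both constructed samples, bucket name included) and flags the settings that make a bucket readable by anyone on the internet.

```python
import json

# Constructed sample S3 access documents (not the startup's real bucket): a bucket
# policy and an ACL in the shape of GetBucketPolicy / GetBucketAcl output, both
# carrying the weak settings that make a bucket readable by anyone on the internet.
PUBLIC_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-influencer-data",
                  "arn:aws:s3:::example-influencer-data/*"]}]})

PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"}]}

# The two predefined S3 groups that mean "everyone" (anonymous or any AWS account).
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def policy_public_statements(policy_json):
    """Return Allow statements whose Principal is "*" (or {"AWS": "*"})
    and which carry no Condition narrowing who the grant applies to."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws_list = aws if isinstance(aws, list) else [aws]
        if "*" in aws_list and not stmt.get("Condition"):
            findings.append(stmt)
    return findings


def acl_public_grants(acl):
    """Return ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    return [g for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def bucket_is_public(policy_json, acl):
    """True if either the policy or the ACL opens the bucket to the public."""
    return bool(policy_public_statements(policy_json) or acl_public_grants(acl))
```

A policy that grants `Principal: "*"` but restricts it with a Condition (for example a source IP range) is not flagged, since the grant is no longer open to everyone.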
Ukraine power distributors $20m cyber defence plans
Ukraine’s state-run power distributor Ukrenergo, a leading target for cyber attacks in the past two years, will invest up to $20 million in a new cyber defense system, having identified about 20 threats that would all be neutralized by the new system.
Does that mean they’re spending $1m per identified threat? Well, maybe… but working out the cost of anything in security is pretty hard.
Flaw in Grammarly’s extensions opened user accounts to compromise
Not a day goes by when I don’t see a Grammarly pre-roll ad playing before a YouTube video. It makes a good case, and I’d be lying if I said I hadn’t considered using the product to test out how much gooder my writing would become.
But, for once, I’m glad I didn’t, as a vulnerability in the Grammarly Chrome and Firefox extensions allowed websites to read users’ authentication tokens and use them to log in to the users’ Grammarly accounts and access all the (potentially sensitive) information held in them.