Things I Hearted this Week, 9th Feb 2018

February 9, 2018 | Javvad Malik
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Much of this week’s news cycles were dominated by Space X successfully launching the Falcon Heavy rocket into space. Putting aside concerns of the cost, the feasibility, or other criticisms, it was just nice to see something positive and optimistic grab the headlines for a change.

But that doesn’t mean the intergalactic world of cyber security sat quietly, oh no, we’ve got a whole bunch of things to talk about, so let’s jump right in.

The House That Spied on Me

By far one of the most engaging pieces I’ve read in a while is this Gizmodo article by Kashmir Hill and Surya Mattu on what happened when they decided to connect a whole bunch of “smart” devices in her apartment, and monitored what data was being collected and sent by these devices.

Related

Ethereum Scammers make $5,000 in a night

“Online scammers have made over $5,000 worth of Ethereum in one night alone, showing how gullible some cryptocurrency users can be.

Miscreants achieved this by creating fake Twitter profiles for real-world celebrities and spamming the social network with messages tricking users to participate in "giveaways."

Crooks deceived users into sending a small amount of Ethereum, promising they would receive the sum ten times over as part of the giveaway.

All the messages followed the same pattern, even if the sums and Ethereum wallet addresses varied between the fake Twitter accounts.”

Hunting Insecure Direct Object Reference

Reading bug bounty reports where the researchers recount their steps are probably some of my favourite types of posts where I always end up learning something new. And this by Mohammed Abdul Raheem is no different.

Privacy down under

While all eyes have been on GDPR, the Ozzies don’t want to be left behind as the Office of the Australian Information Commissioner has updated the Australian Privacy Act 1988 – outlining how individuals privacy needs to be protected. It comes into effect 22nd Feb 2018 and includes the promise of penalties of up to AUD $1.8m for organizations, and introduces the Notifiable Data Breaches scheme (NDB).

SIM swaps

T-mobile in the USA has been sending out text messages to customers stating they may be targeted by a phone number port out scam and to take precautions.

In summary, what happens is that a criminal will impersonate a legitimate user in order to get a new SIM card with the victims phone number, or port the number across to another provider.

While it’s not a particularly new, or even sophisticated attack, the impact has grown as phone numbers are an integral part of ones digital identity and authentication.

AWS bucket spills 12k social media influencers

In what feels like business as usual, another misconfigured AWS S3 bucket was misconfigured to expose the real names, address, phone numbers, addresses, for popular social media users.

Ukraine power distributors $20m cyber defence plans

Ukraine’s state-run power distributor Ukrenergo, a leading target for cyber attacks in the past two years, will invest up to $20 million in a new cyber defense system, identifying about 20 threats that would all be neutralized with the new system

Does that mean they’re spending $1m per identified threat? Well, maybe… but working out the cost of anything in security is pretty hard.

Flaw in Grammarly’s extensions opened user accounts to compromise

Not a day goes by when I don’t see a Grammarly pre-roll ad playing before a YouTube video. It makes a good case and I’d be lying if I hadn’t considered using the product to test out how much gooder my writing would become.

But, for once I’m glad I didn’t, as a vulnerability in the Grammarly Chrome and Firefox extensions allowed websites to read users’ authentication tokes and use to them to log in to the users’ Grammarly accounts and access all the (potentially sensitive) information held in them.

Javvad Malik

About the Author: Javvad Malik
The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.
Read more posts from Javvad Malik ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL