Things I Hearted this Year 2018

December 14, 2018 | Javvad Malik
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

It’s hard to believe the whole year has gone past and I’ve been hearting things nearly every week since it began.

I’d like to sum up 2018, so I started to look through all the posts from every week and I realised it was a mammoth task. There have been 40 “Things I hearted” blog posts this year, each with an average of 10 stories. And that doesn’t include the dozens of other stories that didn’t make the cut every week.

Suffice to say, it’s been a very busy year as far as information security is concerned. Which could mean that business is very good. Or it could just mean that business is as usual, we’re just getting better at covering the stories.

In YouTube fashion, I decided to do a video rewind of some of the notable stories of the year (minus Will Smith and the big budget)

Conspiracy videos aside, let’s have a recap of an assortment of stories that were hearted over the course of the year.

January 12th Edition

Toy Firm VTech Fined Over Data Breach

VTech, the ‘smart’ toy manufacturer has been fined $650,000 by the FTC after exposing the data of millions of parents and children.

Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest.

Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.

March 9th Edition

SAML, SSO Many Vulnerabilities

SAML-based single sign on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password.

Sounds like a lot of fun.

March 30th Edition

Investigating Lateral Movement Paths with ATA

Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts. In lateral movement attacks, the attacker takes advantage of instances when sensitive users log into a machine where a non-sensitive user has local rights. Attackers can then move laterally, accessing the less sensitive user and then moving across the computer to gain credentials for the sensitive user.

May 18th Edition

Hacking the Hackers

A hacker has breached Securus, the company that helps cops track phones across the US.

You'd think that if you were a company that collected all sorts of phone data, and location tracking, and work with law enforcement, you'd be a bit more careful in how you store the data.

Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement official’s phones, according to court records.

June 1st Edition

Your Data

Looking at your data this week, Brian Krebs flips the lid on why your location data is no longer private.

"The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels?"

But wait, there's a plot twist. Tired of all these companies profiting off your data? Well, maybe you can try what this guy did and make some money yourself by directly selling your data.

July 6th Edition

10 Things To Know Before Getting Into Cybersecurity

You may know Kevin Beaumont as @GossiTheDog on twitter. He won the 2018 EU blogger awards for best tweeter. But apparently, he's a man of more talents than just twits, he also blogs, and has put together a good list of 10 things you should know if you're considering getting into cybersecurity.  

Related, if you're looking to break into security, then you'll want to know which locations offer the best salaries (US-based).

August 31st Edition

Probably The Best Tech Keynote in the World

I’ll be honest, up until a couple of weeks ago, I hadn’t heard of James Mickens who is a professor at Harvard University.

I watched his keynote presentation at Usenix, and haven’t been this entertained and captivated by a technology talk in … well, never.

It’s well worth carving out 50 minutes out of your day to watch his keynote entitled,

Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible?

A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models

October 5th Edition

Bupa Fined £175k

International health insurance business Bupa has been fined £175,000 after a staffer tried to sell more than half a million customers' personal information on the dark web.

The miscreant was able to access Bupa's CRM system SWAN, which holds records on 1.5 million people, generate and send bulk data reports on 547,000 Bupa Global customers to his personal email account.

The information – which included names, dates of birth, email addresses, nationalities and administrative info on the policy, but not medical details – was then found for sale on AlphaBay Market before it was shut down last year.

November 30th Edition

The $1M SIM Swap

A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency.

Javvad Malik

About the Author: Javvad Malik
The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.
Read more posts from Javvad Malik ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
Get Price Free Trial