Where has the year gone? Give it a few weeks and summer will be officially over, and I’ve not even been able to attain a “beach body” yet. I suppose there could be worse things to worry about. So without further ado, let’s jump right into this week’s greatest, worst, and weirdest infosec news.
Social media, leaks if you do, leaks if you don’t
Facebook-owned Instagram was the target of unknown attackers that leveraged a flaw in its API to obtain contact details of some high-profile stars.
Instagram has apparently notified some users and warned its verified users to be “extra vigilant” about unexpected phone calls, texts, and emails.
Social media is a weird game. If you participate, it will probably share far more data about you than you ever wanted. But not playing the game is also not an option, as information security veteran Bruce Schneier discovered recently.
Someone noticed that Schneier doesn’t use LinkedIn so they created a profile on his behalf. Schneier was able to get the fake account deleted, but then signed up for LinkedIn in order to prevent a recurrence.
One can imagine that while Schneier was able to quickly identify and have the fake profile deleted, not everyone else that has a fake profile would be able to identify or remove it so efficiently.
Patch your heart
An estimated half a million people in the US are getting notices that they should update the firmware on their pacemakers.
St. Jude pacemakers produced by Abbott Laboratories contain critical flaws that allow an attacker within radio range to seize control of the pacemaker.
Unlike updating the software on your phone though, patients will have to visit a clinic to allow doctors to safely upgrade the firmware.
- 465k patients told to visit doctor to patch critical pacemaker vulnerability (Ars Technica)
- Pacemaker patch passes probe by US watchdog (The Register)
- Abbott Recalls 465,000 Pacemakers for Cybersecurity Patch (RAPS)
Essential shared customers’ driver’s licenses over email
Last night, some customers who had preordered an Essential phone received an email asking for a copy of their driver’s license, ostensibly to verify their address in an attempt to prevent fraud.
Dozens of customers replied with their personal information, but those emails didn’t just go to Essential; they went out to everybody who had received the original email. That means that an unknown number of Essential customers are now in possession of each other’s driver’s license, birth date, and address information.
- In colossal screw up, Essential shared customers’ driver’s licenses over email (The Verge)
- Essential apologizes for 'humiliating' customer data leak (ZDNet)
The Hotel Room Hacker
This is a really well-written, fascinating article on how a man exploited a known bug in millions of hotel locks to commit over 100 burglaries.
711 Million record online spambot dump
Troy Hunt has posted the largest spam list into Have I Been Pwned to date, at a staggering 711m records. His blog post makes some interesting observations on the data and some of the patterns.
There appear to be some combinations of older databases, and some of the information is out of date. But it goes to show that people actively go around merging database dumps.
- Why are we so stupid about allowing overused passwords (Data Breach Today)
- 320 million hashes exposed (CynoSure Prime)
4 reasons being a hacker is the best job you haven’t considered
“… behind the computer screen, your gender and superficial characteristics don’t matter. Hackers have no identity; they’re anonymous. It’s the work you produce that earns you respect among peers.”
Teen Vogue ran a good article by Amanda Rousseau aka Malware Unicorn giving four good reasons why being a hacker is a good career choice you may not have considered, and what it’s like being a woman in the field.
Stop, Collaborate, and Stop DDoS
Cloudflare has a nice writeup on the WireX botnet, comprised mainly of Android devices running malicious apps designed to generate DDoS traffic.
The conclusion sums up that the discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and threat intelligence firms. Each player provided a missing piece of the puzzle, without which the botnet would have remained a mystery.
- The WireX Botnet: How Industry Collaboration Disrupted a DDoS Attack (CloudFlare)
- New DDoS Botnet called WireX discovered (Free Hacker guide)
Reverse Engineering IoT Devices
This is a great post by Ayan Pahwa on his adventures in reverse engineering his IoT devices. As you’d (unfortunately) expect, many IoT devices don’t protect their traffic in any way. As Ayan sums up, companies are focused on reducing the time to market of their IoT products rather than taking the time to secure the devices.