Even though I've been very short on time this week, I seem to have written longer summaries than usual. Consider yourself warned. And I'll try to keep them shorter next time ;-)
Breaches and leaks
- Facebook: djees Facebook, enough already. I am not giving you your own item this week, stop trying. The news this time is that they found even more plain-text logged passwords, impacting millions of Instagram users.
- Facebook, again: Sigh. Apparently when they asked users for their e-mail passwords, as reported on last week, they also uploaded these people's e-mail contacts without anyone's consent.
- Matrix.org: this was a big one. The decentralised communication project was hacked through a vulnerable Jenkins server. The attacker had access to unencrypted messages, access tokens and password hashes, but also posted Github issues detailing how he got in. Hackernews discussion here.
- FBI-NAA: the FBI National Academy Association. Had several websites breached and defaced, giving the attackers personal details on several thousand federal officers. They claim they have much more, and are gearing up to sell.
- Round 5 database dumps: the same person who previously sold credential dumps in several rounds, belonging to companies like 500px, Under Armour and others, published a new breach set for sale, this time totalling 65 million records. He says he's going for the 1 billion, and is nearly there.
This does warrant its own item. Hackers hijacked the credentials of a helpdesk employee, which gave them access to any non-corporate Outlook.com and Hotmail accounts. It boggles the mind that that level of access exists, and apparently doesn't even require 2fa or proper auditing on its usage. Seriously uncool Microsoft. Hackernews discussion here.
The campaign has been going on for a while and seems very successful, even hijacking multiple country-code top-level domains. The targets seem to be mostly governmental.
Please make sure your DNS accounts are as secure as you can make them. Remember, once you have control over someones DNS you can do pretty much everything, including hijacking every visit to their website without anyone knowing, or redirecting e-mail.
Some insight in this year's NATO cybersecurity wargame, where blue teams of various countries have to defend both the critical infrastructure and the elections of the fictitious country of Berylia.
Most ransomware infects a computer and then starts encrypting the files on the machine itself. This one tries to brute-force its way into an online exposed Samba server and then encrypts everything remotely. It doesn't change much to the root cause of the problem but I found it interesting, I never realised the nuance between local and remote ransomware.
Pretty cool move from Google. Whatever lowers the bar to proper 2fa sure has my vote. Any Android 7 phone can now be used as a two-factor device, where you validate a login by pressing a button. As with all 2fa, remember to set a backup device or securely store backup codes in case you lose your phone.
It's always fascinating to get a glimpse in the inner workings of cybercrime. I found this to be a great read, detailing how three Romanians went from small-time eBay scamming to operating a 400.000-strong botnet and hijacking bank accounts. All three will be sentenced later this year.