Breaches and leaks
- The XKCD forum was breached, exposing emails and passwords: link.
- The Twitter account of Jack Dorsey (Twitter's CEO) was hijacked: link.
- Segment issued a breach notification after one of its employees' accounts was compromised: link.
- Some of Russia's surveillance equipment has been leaking data: link.
This got enough attention to warrant a separate item. Researchers found an unsecured server holding over 419 million records, each pairing a user's Facebook ID with their phone number. It's probably not an actual breach of Facebook's systems, but rather the result of large-scale scraping. It's unknown who owned the database.
Researchers found several issues in SuperMicro baseboard management controllers, or BMCs for short. These controllers give admins out-of-band remote access to their servers, including the ability to mount virtual USB devices (to install a new OS, for example) and to send keyboard input. Unfortunately these BMCs aren't as secure as they should be, and a weak BMC is effectively physical access to the box, which is why they belong on an isolated management network.
It's also not just an internal-network problem: over 47,000 BMCs were found exposed directly to the Internet.
I found this important enough to highlight separately from the breaches section. The ability to convincingly fake a voice and/or a video image will make phishing and BEC scams much harder to combat than they already are.
Facebook again. The key that Facebook used to sign the Free Basics by Facebook app has shown up in unofficial repositories, signing non-Facebook apps. That matters because Android treats apps signed with the same certificate as coming from the same developer: they can share signature-level permissions, and an update is only accepted if it is signed with the same key as the installed app, so whoever holds the key can push a malicious "update" to anyone who installed the original.
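The practical check here is not "does the APK have a valid signature" (a leaked key produces perfectly valid signatures) but "is it signed by the certificate we expect". The script below is an added example, not code from the original post or from Facebook; it pins the SHA-256 fingerprint of signer #1's certificate as printed by `apksigner verify --print-certs` from the Android SDK build-tools. The `EXPECTED_SHA256` value is a placeholder assumption, not any real key.

```shell
#!/bin/sh
# Added example (not from the original post): pin an APK's signing certificate
# to a known-good SHA-256 fingerprint using `apksigner` from the Android SDK
# build-tools. EXPECTED_SHA256 is a placeholder assumption, not any real key.

EXPECTED_SHA256="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Extract signer #1's certificate SHA-256 digest from the output of
# `apksigner verify --print-certs` (read on stdin), lower-cased.
# apksigner prints lines of the form:
#   Signer #1 certificate SHA-256 digest: <hex>
signer_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1 | tr 'A-F' 'a-f'
}

# Return 0 when DIGEST matches EXPECTED (case-insensitive), 1 otherwise.
# An empty digest never matches, so a missing signer line cannot pass.
check_pin() {
    digest=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$digest" ] && [ "$digest" = "$expected" ]
}

# Verify that the APK's signature is valid AND that the signing certificate
# matches the pin. A valid signature from an unexpected key is exactly the
# situation a leaked signing key creates.
verify_apk() {
    apk="$1"
    out=$(apksigner verify --print-certs "$apk") || {
        echo "signature invalid: $apk" >&2
        return 1
    }
    digest=$(printf '%s\n' "$out" | signer_sha256)
    if check_pin "$digest" "$EXPECTED_SHA256"; then
        echo "OK: $apk is signed by the pinned certificate"
    else
        echo "MISMATCH: $apk signer SHA-256 is '$digest', expected $EXPECTED_SHA256" >&2
        return 1
    fi
}

# Usage: ./check_apk_signer.sh app.apk
if [ $# -gt 0 ]; then
    verify_apk "$1"
fi
```

Pin the fingerprint of the certificate you actually trust (from a copy of the app you obtained through the official channel), and treat a mismatch as a hard failure rather than a warning; `apksigner` will happily report a valid signature for an APK signed by a stolen key.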
Since the new Edge uses Chromium under the hood, Microsoft is following Google's roadmap for deprecating Flash. It will initially be disabled by default, with the user having to re-enable it on a site-by-site basis, before it is removed completely by the end of 2020.
It's the first time Zerodium has offered more for an Android zero-day than for an iOS one, where the top price paid is now $1 million. Zerodium says it's a reflection of "market trends".
An interesting article on the new Sodinokibi (also known as REvil) ransomware, showing how it's marketed to potential customers and giving an indication of what kind of earnings it generates.
The 21-year-old, together with two others, captured over 800,000 devices in their botnets and ran a DDoS-for-hire service. He even built a new botnet while on supervised release last year, and organised a swatting attack on one of his co-conspirators. He faces a maximum penalty of 10 years in prison and a $250,000 fine, although his sentence will probably end up on the lower end of that.
It's no doubt a competitive market, but it sounds like some are doing very well. Interesting to see this space develop.
They deleted a database that Iran reportedly used to plan attacks in the Persian Gulf. They've been throwing punches back and forth for a while now, both in cyberspace and the real world.
The article discusses the current status of NATO's Cyberspace Operations Centre. It sounds like it's still in the early stages, especially when it comes to offensive capabilities.