Bug Bytes for November 30: Cyber Criminals Never Sleep



We hope everyone in the U.S. had a happy and restful Thanksgiving holiday… and everyone outside of the U.S. enjoyed a lull in emails from the U.S. While many of us took a few days off last week, adversaries did not.

Last week, we learned that a hacker who had been handed legitimate maintainer access to a widely used JavaScript library used that access to steal bitcoin from users of software that depended on it.

Bugcrowd CTO Casey Ellis told SC Magazine that the main takeaway of the attack is that “in the world of modern software, it’s turtles all the way down… Just because the code you write is secure, doesn’t mean that the code other developers write for you is. The only way to get ahead of this is to practice deep and continuous abuse-case (i.e., security) testing.”

Open source software wasn’t the only target of attack. TechCrunch reported that a broken US Postal Service API exposed the data of over 60 million users and allowed a researcher to pull millions of rows of data by sending wildcard requests to the server. The USPS service, called InformedDelivery, lets you view your mail before it arrives at your home and offered an API so users could connect their mail to specialized services like CRMs. The anonymous researcher showed that the service accepted wildcards in many search parameters and never checked whose records were being returned, so any logged-in user could query the data of any other user on the site. The good news is that the hole has since been patched.
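The pattern behind the USPS finding is a search endpoint that is parameterised (so it is not SQL injection) but neither scopes results to the authenticated account nor treats the caller's filter as a literal, so a single `%` returns everyone's rows. The example below is added here for illustration; it is not USPS code, and the `mail` table, the `owner_id`/`sender` columns, the sample rows and the `search_*` function names are all constructed assumptions. It shows the weak handler beside a hardened one that applies object-level authorization and escapes `LIKE` metacharacters.

```python
"""Constructed example: a wildcard-tolerant search that leaks other users'
records, beside a hardened version. Not code from any real service."""
import sqlite3

# Constructed sample data (assumption: one row per delivered item, owned by
# the account that should be allowed to see it). Not real records.
SAMPLE_MAIL = [
    (1, 101, "ACME Bank", "1 Main St"),
    (2, 101, "Utility Co", "1 Main St"),
    (3, 202, "ACME Bank", "2 Oak Ave"),
    (4, 303, "Clinic", "3 Elm Rd"),
]


def make_db():
    """In-memory SQLite table standing in for the service's datastore."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail (id INTEGER PRIMARY KEY, owner_id INTEGER, "
        "sender TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO mail VALUES (?, ?, ?, ?)", SAMPLE_MAIL)
    conn.commit()
    return conn


def search_vulnerable(conn, requester_id, sender_filter):
    """Weak handler: the query is parameterised, so there is no SQL injection,
    but the authenticated caller (requester_id) is never used to restrict the
    rows, and the filter goes straight into LIKE. A filter of "%" therefore
    matches every sender for every account: one request dumps the table."""
    return conn.execute(
        "SELECT id, owner_id, sender, address FROM mail WHERE sender LIKE ?",
        (sender_filter,),
    ).fetchall()


def _escape_like(text):
    """Escape LIKE metacharacters so caller input is matched literally."""
    return (
        text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )


def search_hardened(conn, requester_id, sender_filter):
    """Hardened handler, two fixes:
    1. object-level authorization: only rows owned by the caller are eligible;
    2. the caller's filter is escaped and used as a literal prefix, so supplied
       wildcards cannot widen the match (ESCAPE makes the backslash literal)."""
    return conn.execute(
        "SELECT id, owner_id, sender, address FROM mail "
        "WHERE owner_id = ? AND sender LIKE ? ESCAPE '\\'",
        (requester_id, _escape_like(sender_filter) + "%"),
    ).fetchall()


def demo():
    """Returns (rows leaked by the weak handler for '%', rows the hardened
    handler returns for '%', rows it returns for a legitimate prefix)."""
    conn = make_db()
    leaked = search_vulnerable(conn, 101, "%")    # every account's mail
    scoped = search_hardened(conn, 101, "%")      # '%' is now a literal: 0
    own = search_hardened(conn, 101, "ACME")      # only account 101's ACME item
    return len(leaked), len(scoped), len(own)


if __name__ == "__main__":
    print(demo())  # (4, 0, 1)
```

The row-count contrast is the check a tester would make: with the weak handler, a wildcard from one account returns rows owned by other accounts; with the hardened one, the same request returns nothing, and a normal prefix search still works for the caller's own data.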

This week ZDNet reported that the German government published an initial draft for rules on securing Small Office and Home Office (SOHO) routers. The attempt to standardize router security stems from an incident that took place at the end of 2016 when a British hacker known as “BestBuy” attempted to hijack Deutsche Telekom routers, but bungled a firmware update and crashed nearly a million routers across Germany. Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community.

In the wake of the 2017 WannaCry ransomware outbreak, which took down large portions of the National Health Service in the UK and disrupted hospitals across the country, a UK parliamentary committee has warned that an ongoing failure to act with a “meaningful sense of purpose or urgency” in the face of the threats posed by cyber criminals and hackers puts critical national infrastructure at unnecessary risk from cyber attack, ZDNet reported.

Back in the U.S., Cyberscoop, The Wall Street Journal and The Associated Press reported that U.S. prosecutors in New York have filed a 13-count cybercrime indictment against eight defendants from Russia, Ukraine and Kazakhstan, charging wire fraud, computer intrusion, aggravated identity theft and money laundering for running Methbot, a purported advertising network that used 1,900 servers to load ads on more than 5,000 fabricated websites and leased around 650,000 IP addresses to falsify billions of visits, charging real companies for the ads between 2014 and 2016. The list includes Aleksander Zhukov, one of the Department of Justice’s recent high-profile cybercrime arrests.

Finally, today Marriott announced that the company’s Starwood reservations database had been breached and the personal information of 500 million guests stolen. The Washington Post reports that Marriott first learned that an unauthorized party had access to its systems on Sept. 8, but because the attackers had encrypted the data they took, the company was unable to decrypt it and determine what had been stolen until Nov. 19.

For consumers, credit monitoring is key. The growing number of large breaches has also highlighted the importance of password management: use a password manager such as 1Password or LastPass for all accounts, no matter how old. As with Yahoo and again with Marriott, old, reused passwords can be an Achilles’ heel. Read more tips in our CTO Casey Ellis’ post about the breach.

That’s all for this week’s edition of Bug Bytes. Tune in next week for another recap of the week’s cyber security news.
