Silk Road adviser caught, Kaspersky sues Dutch paper, and Vietnam's tech clampdown

Also, Weight Watchers is light on security

Roundup: This week included a big Patch Tuesday bundle, a fresh fine for Yahoo!, and yet another Intel bug that potentially exposes sensitive kernel information.

Here are a few of the other security stories that broke this week.

Kaspersky hungry for some Dutch crunch

Eugene Kaspersky says he's sick of bad news coverage, and he's calling in the lawyers to do something about it.

The namesake behind Kaspersky Lab is filing suit against De Telegraaf, the largest newspaper in the Netherlands. According to the Russian software tycoon, the paper made up a story about a hacker who claimed to have breached the Dutch office of Kaspersky Lab and uncovered details about the company's work with the Russian government.

Kaspersky says the story was fabricated either by the paper itself or by former minister Willem Vermeend, and now the security firm is going to take the paper to court via a defamation suit.

"After exhausting all other possibilities to resolve the issue directly with the Dutch newspaper, we decided that the only option left for us was to turn to court," Kaspersky said.

"Fortunately, European legislation offers organizations the chance to defend their reputation by doing so. So, on May 25 we filed a complaint for defamation against both the newspaper and Mr. Vermeend, with a demand for the newspaper to publish a rectification."

Silk Road "adviser" sent stateside for trial

A man said to have been a key adviser to permanently-imprisoned Silk Road founder Ross Ulbricht now faces a significant prison sentence himself.

The Manhattan US Attorney's office has charged Canadian Roger Clark with narcotics trafficking conspiracy; narcotics trafficking; distributing narcotics by means of the internet; conspiracy to commit, and aid and abet, a computer hacking conspiracy; conspiracy to traffic in fraudulent identification documents; and money laundering conspiracy.

The charges stem from Clark's alleged role as a mentor who helped Ross Ulbricht set up and maintain the drugs traffic on the darknet marketplace. The government says Clark made "hundreds of thousands of dollars" when the Silk Road was active between 2011 and 2013.

"Roger Thomas Clark allegedly served as a trusted confidante to Silk Road founder and operator Ross Ulbricht, advising him on all aspects of this illegal business, including how to maximize profits and use threats of violence to thwart law enforcement," the US Attorney's office claims.

Clark was extradited to the US via Thailand, where he had been held since 2015. He will begin trial in the US later this year.

Weight Watchers leaves S3 buckets wide open

Yet another company has fallen victim to the scourge of unprotected cloud systems.

This time, it's dieting company Weight Watchers, whose sloppy security practices were found by security researchers with Kromtech.

According to Kromtech's write-up on the matter, someone at Weight Watchers forgot to lock down a Kubernetes administration console that provided access to the company's AWS S3 instances as well as its AWS access key.

"The words 'public without password' and 'administration Interface' should never go together," noted Kromtech.

"By not properly protecting the administration console Weight Watchers provided all the keys and information needed to gain full root access to their entire cluster."

Fortunately, the exposed data was said to be from a non-production system and no customer data or personally identifiable information was ever exposed.

Homeland Security cyberboss confirmed

The Senate has greenlit the Trump administration's pick to head up the IT security operations at the Department of Homeland Security.

On Tuesday, a voice vote in the Senate confirmed Christopher Krebs as the head of the National Protection and Programs Directorate some four months after he was first nominated to the role. He has previously worked with the Bush administration and with Microsoft on government affairs.

As The Hill notes, Krebs' nomination to the role was delayed in part by the investigation of Stingray technology in Washington DC, with Senator Ron Wyden blocking the nomination in order to get DHS to cough up more details on the matter.

In addition to securing DHS systems, Krebs will also be tasked with helping state and local governments secure their voting systems from outside tampering in the upcoming US elections.

Vietnam clamps down on internet rights

A controversial new law in Vietnam could have a chilling impact on speech online.

The nation's National Assembly has passed what it says is a cybersecurity law that will require companies to store and operate their services within the country's own borders. The law will take effect in June next year.

While data localisation rules are being passed by governments around the world, human rights groups believe that Vietnam has more than just data security in mind with this law.

Brad Adams of Human Rights Watch warns that the government could use the law as an excuse to further tighten censorship and come down on critics.

"This bill, which squarely targets free expression and access to information, will provide yet one more weapon for the government against dissenting voices," said Adams.

"It is no coincidence that it was drafted by the country's Ministry of Public Security, notorious for human rights violations."

For Moodle, 2+2 = pwned

Security researchers are warning of a serious vulnerability in the popular Moodle educational platform.

Ripstech researchers say the remote code execution flaw could be exploited by an attacker who has gained teacher access (via phishing or a separate elevation of privilege flaw). From there, the attacker could potentially get complete control of a Moodle server by targeting a bug in the way Moodle's quiz module (a tool that lets teachers give tests online) handles answers.

"By using a specially crafted math-formula which is evaluated by Moodle - the attacker bypasses an internal security mechanism which prevented the execution of malicious commands," Ripstech explains.

Because the quiz module passes the answer formula to a PHP eval() call, an attacker with a teacher account could insert malicious PHP strings into the formula and have that code executed when the quiz runs. From there, it's pretty much game over for the entire Moodle server instance.

Fortunately, Ripstech said it reported the issue to Moodle privately, and the most recent version of the platform (3.5.0) has been updated to sanitize math formulas and catch attempts at injecting PHP. Needless to say, anyone administering a Moodle instance will want to make sure they are up to date. ®
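One way to avoid the eval() pattern described above altogether is to parse the formula against a small arithmetic grammar, so nothing the teacher types is ever run as PHP. This is an added example, not Moodle's code or its 3.5.0 fix; the function names, the 256-byte cap and the PHP 8.0+ requirement are assumptions.

```php
<?php
// Added example, not Moodle's code. Assumes PHP 8.0+ (match, throw expressions).
// Grammar: expr = term {("+"|"-") term}; term = factor {("*"|"/") factor};
//          factor = NUMBER | "-" factor | "(" expr ")"
function evaluate_formula(string $formula): float
{
    // Allow-list tokenizer: every byte must belong to a number, operator, bracket or space.
    preg_match_all('/\s+|\d+(?:\.\d+)?|[-+*\/()]/', $formula, $m);
    if (strlen($formula) > 256 || implode('', $m[0]) !== $formula) {
        throw new InvalidArgumentException('formula rejected by allow-list');
    }
    $tokens = array_values(array_filter($m[0], fn($t) => trim($t) !== ''));
    $pos = 0;
    $value = parse_ops($tokens, $pos, 0);
    $pos === count($tokens) || throw new InvalidArgumentException('unexpected token');
    return $value;
}

// Level 0 parses + and -, level 1 parses * and /, level 2 parses a factor.
function parse_ops(array $t, int &$pos, int $level): float
{
    if ($level === 2) {
        return parse_factor($t, $pos);
    }
    $v = parse_ops($t, $pos, $level + 1);
    while (in_array($t[$pos] ?? null, [['+', '-'], ['*', '/']][$level], true)) {
        $op = $t[$pos++];
        $r = parse_ops($t, $pos, $level + 1);
        ($op !== '/' || $r != 0.0) || throw new InvalidArgumentException('division by zero');
        $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
    }
    return $v;
}

function parse_factor(array $t, int &$pos): float
{
    $tok = $t[$pos++] ?? throw new InvalidArgumentException('unexpected end of formula');
    if ($tok === '-') {
        return -parse_factor($t, $pos);
    }
    if ($tok === '(') {
        $v = parse_ops($t, $pos, 0);
        ($t[$pos++] ?? null) === ')' || throw new InvalidArgumentException('missing closing bracket');
        return $v;
    }
    is_numeric($tok) || throw new InvalidArgumentException('expected a number');
    return (float) $tok;
}
```

Input containing letters, quotes, `$` or `;` is refused by the tokenizer check before the parser sees it, and the length cap bounds how deeply brackets can nest.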




Biting the hand that feeds IT © 1998–2018