Yahoo! $50m! hack! damages! bill!, Russian trolls menaced by Uncle Sam inaction, computer voting-machine UI confusion, and more

Plus, GSA shamed for glacial notification pace

Roundup This week's headlines included buggy cranes, WebEx cockups, and DNS drama.

Here are a few more bits of security news, prepared just for you.

Lost money in a crypto-coin scam? Dear Leader Kim Jong Un thanks you for the donation

With economic sanctions making it hard to move cash around, North Korean officials have been using crypto-currencies to bring in cash, sometimes in less-than-honorable ways.

This according to researchers with Recorded Future, who say that the reclusive dictatorship is behind a handful of crypto scams, most notably Marine Chain, a shipping-oriented altcoin scheme that eventually ended with the owners (believed to be North Korean agents) making off with all of the investors' funds.

The moves mark a shift for the North Korean regime, as their previous crypto ventures were limited to mining.

"What has changed dramatically over this March 2018 through August 2018 time frame, however, is the exploitation of cryptocurrencies, asset-backed 'altcoins,' and the cryptocurrency ecosystem by North Korea," the group said.

Yahoo! will fork out $50m in damages, and provide two years of credit-monitoring, to 200 million netizens whose personal information was swiped by hackers in 2013 and 2014.

Backup blackout

If we were to make a list of things in a typical office that could possibly be hacked, the uninterruptible power supply (UPS) would probably fall somewhere in between the paper shredder and the stapler.

And yet, Bishop Fox has disclosed a package of three vulnerabilities in the Eaton UPS 9PX 8000 SP line that could allow an attacker to do just that.

The three flaws are all present on the web interface Eaton uses to allow admins to check on and manage their power supplies. Two of the bugs would let the attacker steal login credentials, while a third would leave users vulnerable to cross-site scripting.

Fortunately, Eaton has released an update, so admins everywhere can be spared the experience of telling the CTO that the battery backup got pwned.

Voting machines in Texas have a confusing user-interface design that causes Americans to pick the wrong candidates at the e-ballot boxes. Make sure you verify your choices before registering them. Officials claim they can't easily update the systems to fix the problem... If only the US was a nation of skilled software engineers who could help out.

US government wants to name and shame Russian trolls

File this one under: "Good luck with that."

The US military is reportedly kicking off a campaign to track down the Russian operatives responsible for recent trolling operations and threaten to… umm… tell people what they did.

That's it. That's the extent of the plan.

Apparently, Uncle Sam believes that privately messaging miscreants to tell them to knock it off, and threatening to publicly name and shame them will be enough to dissuade the Russians from continuing their trollish ways and halt the ongoing flood of disinformation plaguing US social media.

No doubt the Putin-backed state operatives will be quaking in their valenki boots at the thought of receiving a sternly-worded letter from the DOJ.

Microsoft's Bing directed people searching for Google Chrome to a dodgy website, via a malicious advert, that provided a fake version of Chrome. Thus people searching Bing on their Windows PCs for a replacement for Edge were recommended a site that served potential adware or spyware downloads masquerading as Chrome.

The ad, which was able to falsely claim it was "google.com", has been killed – and was previously spotted on Bing in April. Keep your eyes peeled for a return, possibly.

There's slow, and then there's the GSA's breach notification system

In September 2015, an information leak at the US General Services Administration resulted in the names, home and email addresses of more than 8,200 employees being spaffed out.

Nearly three years later, dozens of those whose details were lost in the incident had yet to be notified. According to an inspector general report (PDF), the GSA's notification process on the incident was so bad that the last of the affected were only given notice in December of 2017, more than 800 days after the breach happened.

The IG's office eventually placed the blame for the glacial response on the GSA's IT department and its failure to implement the proper plans and auditing procedures needed to make sure everyone impacted by the breach was found and notified.

"While no further notifications are required, GSA should assess the factors that led to the excessive delay in notifying affected individuals and consider additional controls to ensure timely notifications in the future," the report concluded.

"Additionally, although GSA IT assessed and revised its Breach Notification Policy in accordance with its corrective action plan, the revisions made hinder its ability to notify affected individuals without unreasonable delay in the future."

Spyware masterminds leave their data sitting around

If you thought you had a bad day recently, at least it wasn't as bad as the folks at Wolf Intelligence.

Researchers with Virus Bulletin said the company, which specializes in selling spyware to government agencies, made the mistake of leaving a data cache out visible to the public internet.

Speaking at the VB conference in Canada earlier this month, the researchers said they were able to turn the tables on the spyware outfit and scope data including the passport scans of the company's founder and recordings from internal meetings.

You can view their full talk here.

Open storage bucket raises hell for Democratic fundraiser

If you're a consulting firm charged with handling millions of dollars in fundraising campaigns for a major political party, a little bit of opsec can go a long way.

This lesson was learned the hard way by Rice Consulting, a DC-based outfit that helped bring in funds for the Democratic Party, but apparently didn't bother to set a password on its storage systems. As a result, researchers with Hacken.io were able to walk right in and access databases including backups, donation databases, and spreadsheets with the names and contact details of clients.

According to Hacken.io, the data was basically just left sitting out on the public internet, thanks to a poorly-configured NAS box.

"Nobody can protect your digital assets if you disable authentication and, as a result, NAS web interface is indexed by Shodan or any other IoT search engine (Google in IoT world)," the researchers wrote.

"In lay terms, a misconfiguration had happened what resulted in NAS becoming public."

Cathay Pacific leaves records of 9.4 million out on the runway

Have you flown Cathay Pacific recently? Then there's a pretty good chance you are one of the nearly 10 million people whose info was accessed by a hacker who compromised the Asian airline recently.

CEO Rupert Hogg trotted out to give the obligatory "sincere apology" for the security screw-up.

"We are very sorry for any concern this data security event may cause our passengers," said Boss Hogg.

"We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures."

Unfortunately, this one looks very bad. The pilfered records include passenger name, nationality, date of birth, phone number, email address, passport number, identity card number, frequent flyer programme membership number, customer service remarks and historical travel information.

New Mac malware

You know what? We're sick of this. Time after time, we tell you to put antivirus on your Mac because, yes, there really is malware. And every time it's "but Macs don't get malware you Windoze fanboi!" Every. Damn. Time.

It's like this: if you haven't yet figured out that you should be taking some basic security precautions, you deserve to get this nasty ad-injecting infection discovered by researchers with Malwarebytes. You deserve to have the thing intercept traffic and inject ads into your encrypted web pages.

Either wake up and install some basic anti-malware software and lock down your access permissions, or don't come crying to us when your shiny new Macbook gets overrun with crapware.

That sorted? Right. Off to the pub then. ®
