AWS has a security hub, OpenSSL has a new license, London has a problem with cryptocoins, and more

Plus, South Carolina convicts go catfishing


Roundup: November ended with a week of medical mishaps, near disaster at Dell, and the introduction of Pesky Pepper.

Here are a few more bits that went under the radar.

Linux gets its own nasty Bitcoin malware

Researchers with Dr Web took credit for the discovery of Linux.BtcMine.174. If the malware gets onto a Linux system it, as the name suggests, attempts to hijack cycles to mine cryptocurrency and also tries to disable any security software.

On top of that, the malware seeks and destroys any competing coin miners that might be running on the host, and also checks for any possible SSH connections to other machines that could be infected for purposes of funbux creation.

Council officials in the City of York in England were under fire for somewhat overreacting and calling the police on a security researcher who discovered a data-leaking gaffe in an app, One Planet York, which is used for organizing bin collections. The cops declined to investigate, seeing as no crime was committed.

The city's busybodies publicly claimed they couldn't get hold of the researcher after he tipped them off to the vulnerability, causing them to freak out, whereas his bosses at infosec biz RapidStrike demonstrated both sides had been exchanging emails just fine.

The council also alleged the researcher deliberately swiped info from the app without permission, which was an unfair claim. In reality, the software spaffed people's personal info to other users of the app via a leaderboard page. Simply visiting the board caused the application's backend to cough up, in plaintext via its API, other folks' names, email addresses, phone numbers, postal addresses, postcodes, and their SHA-256-hashed password. The API would emit these details for its top-ten users.

The app was pulled, and city residents and the UK's privacy watchdog, the ICO, were alerted.

London calling to the crypto jerks, FCA action is now in the works

British financial regulators are keeping a close eye on the cryptocurrency market, and legal action against bad actors looks to be on the upswing.

This according to a report from The Telegraph, citing the results of an information request from the London Financial Conduct Authority on its investigations of cryptocurrency firms.

The report found that, as of November, the FCA was investigating at least 50 cases of businesses operating in the cryptocurrency market without proper authorization, and at least seven more whistleblower cases from employees who said they believed their company was acting outside of the law.

Of course, with the price of Bitcoin and other currencies currently plummeting, the FCA may see its case load drop in the coming year as cryptocoins become less appealing to the shady get-rich-quick crowd.

An Amazon-hosted Elasticsearch database was discovered misconfigured and wide open, containing the first name, last name, employer name, job title, email address, postal address, state, zip code, phone number, and IP address for 56,934,021 US citizens. The database is now hidden from view. It may have been built from publicly disclosed sources.

UrbanMassage gets unhappy ending in data breach caper

Customers of on-demand bodyworkers UrbanMassage are going to be carrying a bit more tension than usual this week, after the company exposed the records on some 300,000 people.

Researcher Oliver Hough discovered that the massage company was the latest firm to leave a database accessible to the open internet (and anyone doing a Shodan search). The lost data included names, email addresses, phone numbers, and referral codes.

More disturbing was the exposure of a collection of sexual misconduct claims the company had fielded, including creepy customers who had a reputation for asking their therapists for "extra service" on top of their normal massage.

The company has since taken down the database and is investigating the matter.

Orange is the new Blackmail

A group of South Carolina inmates are in hot water after they were caught catfishing military members from behind bars.

The US Naval Criminal Investigative Service (NCIS) says it has begun a crackdown on an extortion ring in what it calls "Operation Surprise Party."

According to the NCIS, the prisoners have been scamming money out of military members by posing as young women on social networking and dating sites. After striking up a friendship with the targeted military members, the inmates would send the targets naked photos.

Shortly after, they would contact the targets from a separate account claiming to be the woman's father and alleging the woman was underage. The soldiers, fearful of arrest and the loss of their military careers, were then told to send money in order to keep the entire affair quiet.

Investigators said that, by the time the racket was broken up, it had netted more than $550K to the inmates and their associates outside.

eBay Japan accidentally leaked its source code onto the web by making its Git repo public from its website.

OpenSSL changes up licensing, version scheme

Those who use OpenSSL should take note: some changes to the library are coming up.

Matt Caswell says that the upcoming release, which will be the first released under the Apache License 2.0, will also introduce a new version scheme that will look to simplify the release process and bring it more into line with other software.

"In practical terms our “letter” patch releases become patch numbers and “fix” is dropped from the concept. In future, API/ABI compatibility will only be guaranteed for the same MAJOR version number. Previously we guaranteed API/ABI compatibility across the same MAJOR.MINOR combination," Caswell explained.

"This more closely aligns with the expectations of users who are familiar with semantic versioning. We are not at this stage directly adopting semantic versioning because it would mean changing our current LTS policies and practices."
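For anyone deciding whether an OpenSSL security update can be dropped in without rebuilding dependents, the two compatibility rules Caswell describes can be checked mechanically. This is an added example, not OpenSSL project code; the cut-over at major version 3 and the sample version strings used with it are assumptions, not details from the announcement.

```python
import re

# Assumption (not stated in the article): the new scheme starts at major version 3.
NEW_SCHEME_MAJOR = 3
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]{0,2})$")


def parse(version):
    """Split an OpenSSL version string into (major, minor, third, letter)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, third, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if major >= NEW_SCHEME_MAJOR and letter:
        # "letter" patch releases become patch numbers in the new scheme
        raise ValueError(f"letter release not valid in new scheme: {version!r}")
    return major, minor, third, letter


def compat_key(version):
    """The part of the version that must match for the API/ABI guarantee."""
    major, minor, _, _ = parse(version)
    if major >= NEW_SCHEME_MAJOR:
        return (major,)        # new scheme: same MAJOR only
    return (major, minor)      # old scheme: same MAJOR.MINOR


def sort_key(version):
    """Ordering key; old letter releases sort a < b < ... < z < za."""
    major, minor, third, letter = parse(version)
    return (major, minor, third, len(letter), letter)


def drop_in_upgrade(installed, candidate):
    """True if candidate is newer and inside installed's compatibility guarantee."""
    return (compat_key(installed) == compat_key(candidate)
            and sort_key(candidate) > sort_key(installed))


if __name__ == "__main__":
    # Constructed sample pairs: (installed, candidate)
    for pair in [("1.1.0h", "1.1.1a"), ("1.0.2p", "1.1.0h"), ("3.0.0", "3.1.2")]:
        print(pair, drop_in_upgrade(*pair))
```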

Dunkin' puts the D'oh! in donuts

Beloved US coffee chain Dunkin' Donuts is giving out more than tasty pastries to its punters this week after the company caught wind of an attempted hack on its customer rewards program.

It turns out that one or more evil-doers got a cache of stolen email addresses and passwords from other sites and attempted to point them at the Dunkin' Donuts customer portal. Those who had re-used the stolen credentials would have had the attacker pull up a page that would contain their name, email address, and DD Perks account codes.

While that is hardly considered sensitive information in the grand scheme of things, it would be enough to allow the hackers to use other people's accounts, and the money stored on them, to pay for food and drink.

If you do get a notice from Dunkin', it would be a good idea to change your password ASAP, and let this be a lesson to never re-use your passwords.
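On the defending side, a replayed password list shows up in login logs as one source trying many different accounts and mostly failing, and the few successes are the accounts that need a forced reset. The following is an added example, not Dunkin' code; the log format, thresholds, addresses and account names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, username, result
SAMPLE_LOG = """\
2018-11-26T10:00:01Z 203.0.113.7 alice@example.com FAIL
2018-11-26T10:00:02Z 203.0.113.7 bob@example.com OK
2018-11-26T10:00:03Z 203.0.113.7 carol@example.com FAIL
2018-11-26T10:00:04Z 203.0.113.7 dave@example.com FAIL
2018-11-26T10:00:05Z 203.0.113.7 erin@example.com FAIL
2018-11-26T10:00:06Z 203.0.113.7 frank@example.com FAIL
2018-11-26T10:03:10Z 198.51.100.20 carol@example.com FAIL
2018-11-26T10:03:25Z 198.51.100.20 carol@example.com OK
"""


def parse(log_text):
    """Yield (ip, username, succeeded) per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2].lower(), parts[3] == "OK"


def flag_stuffing_sources(log_text, min_users=5, max_success_ratio=0.3):
    """Return {ip: (distinct_users, success_ratio)} for sources that try many
    different accounts and mostly fail, the signature of a replayed password list."""
    users, attempts, wins = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in parse(log_text):
        users[ip].add(user)
        attempts[ip] += 1
        wins[ip] += ok
    flagged = {}
    for ip, seen in users.items():
        ratio = wins[ip] / attempts[ip]
        if len(seen) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = (len(seen), round(ratio, 2))
    return flagged


def accounts_to_reset(log_text, flagged):
    """Accounts a flagged source logged in to: the reused password worked there."""
    return sorted({user for ip, user, ok in parse(log_text) if ok and ip in flagged})


if __name__ == "__main__":
    sources = flag_stuffing_sources(SAMPLE_LOG)
    print(sources)
    print(accounts_to_reset(SAMPLE_LOG, sources))
```

The ordinary user who mistypes once and then logs in from 198.51.100.20 is not flagged, because only one account is involved.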

AWS tightens up security with Hub launch

Now you have no excuse not to lock down your Elastic Compute and S3 instances.

AWS has introduced a new security hub that the cloud giant hopes will allow admins to have a better overview of all the security settings in place across their VMs and storage buckets.

"AWS Security Hub reduces the effort of collecting and prioritizing security findings across accounts, from AWS services, and AWS partner tools," AWS says of the hub.

"The service ingests data using a standard findings format, eliminating the need for time-consuming data conversion efforts. It then correlates findings across providers to prioritize the most important findings."



