This week we're covering account takeovers at Coinbase, the Internet of Things powering record-breaking attacks, the US Government launching a new cyber safety education initiative, and more. Enjoy!
It's a story we're hearing more and more often: an attacker rings up the victim's mobile carrier, social-engineers the support staff into moving the victim's phone number to a SIM the attacker controls, and then uses the hijacked number to receive the SMS codes and password-reset messages that were supposed to protect the victim's 2FA-enabled accounts. (Read more on why 2FA-by-SMS is bad.) Coinbase, a popular bitcoin exchange, has written up how this played out at their company recently, and it is a worthwhile read. By all accounts their response was top-notch, and the employees involved were clearly on their game.
Follow-up on the record-breaking DDoS against Krebs
Last month KrebsOnSecurity, the news site run by Brian Krebs, went down under the load of a 620 gigabit-per-second denial-of-service attack. Ars is reporting that it and other record-breaking DDoS attacks are being delivered by more than 145k hacked cameras. Security experts warn that attacks of this scale will only grow as more devices are added to the ✨Internet of Things✨.
Motherboard is reporting that a hacker has released the source code that powered these attacks. The malware spreads by logging in to Internet of Things (IoT) devices whose owners never changed the factory-default usernames and passwords. Motherboard speculates that the code was dumped to muddy attribution attempts.
arstechnica.com and motherboard.vice.com
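Default-credential sweeps of the kind the malware relies on are noisy and easy to spot if you keep telnet or honeypot login logs. The following is an added example, not code from either article and not derived from the released malware: it runs a small detector over constructed honeypot-style login events (JSON lines; the field names, IP addresses and the credential list are all made up for the example) and flags sources that hammer factory defaults, and, more importantly, any device that accepted one.

```python
"""Added example (not from the articles): detect default-credential telnet
sweeps in honeypot-style login logs. The log lines, field names and the
credential list are constructed for illustration; a real deployment would
feed the detector its own telnet/SSH honeypot or device auth logs.
"""
import json
from collections import defaultdict

# Constructed sample of widely published factory defaults. This is not the
# malware's dictionary, just the kind of pairs a scanner tries first.
DEFAULT_CREDS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("root", ""), ("user", "user"),
}

# Constructed sample log: one JSON object per line (documentation IP ranges).
SAMPLE_LOG = """\
{"ts": "2016-10-03T04:12:01Z", "event": "login.failed", "src_ip": "198.51.100.23", "dst_port": 23, "username": "root", "password": "root"}
{"ts": "2016-10-03T04:12:02Z", "event": "login.failed", "src_ip": "198.51.100.23", "dst_port": 23, "username": "admin", "password": "admin"}
{"ts": "2016-10-03T04:12:03Z", "event": "login.failed", "src_ip": "198.51.100.23", "dst_port": 23, "username": "admin", "password": "1234"}
{"ts": "2016-10-03T04:12:04Z", "event": "login.success", "src_ip": "198.51.100.23", "dst_port": 23, "username": "admin", "password": "password"}
{"ts": "2016-10-03T04:12:09Z", "event": "session.closed", "src_ip": "198.51.100.23", "dst_port": 23}
{"ts": "2016-10-03T04:15:40Z", "event": "login.failed", "src_ip": "203.0.113.9", "dst_port": 23, "username": "alice", "password": "Tr0ub4dor&3"}
{"ts": "2016-10-03T04:16:02Z", "event": "login.success", "src_ip": "203.0.113.9", "dst_port": 23, "username": "alice", "password": "correct horse"}
{"ts": "2016-10-03T04:20:11Z", "event": "login.failed", "src_ip": "192.0.2.77", "dst_port": 23, "username": "root", "password": "root"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines login events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a torn line should not take the whole detector down
    return events


def detect_default_cred_sweeps(events: list, min_attempts: int = 3) -> dict:
    """Group login events by source and flag sources that hammer factory defaults.

    Returns {src_ip: {"default_attempts", "distinct_pairs", "compromised"}} for
    every source that tried at least `min_attempts` default pairs, or that got
    in with one (a success with a default credential is reported regardless of
    the threshold, because the device is now owned).
    """
    per_src = defaultdict(lambda: {"default_attempts": 0, "pairs": set(), "compromised": False})
    for ev in events:
        if ev.get("event") not in ("login.failed", "login.success"):
            continue
        pair = (ev.get("username", ""), ev.get("password", ""))
        if pair not in DEFAULT_CREDS:
            continue  # real-looking credentials are not part of a default sweep
        rec = per_src[ev["src_ip"]]
        rec["default_attempts"] += 1
        rec["pairs"].add(pair)
        if ev["event"] == "login.success":
            rec["compromised"] = True
    findings = {}
    for src, rec in per_src.items():
        if rec["default_attempts"] >= min_attempts or rec["compromised"]:
            findings[src] = {
                "default_attempts": rec["default_attempts"],
                "distinct_pairs": len(rec["pairs"]),
                "compromised": rec["compromised"],
            }
    return findings


if __name__ == "__main__":
    for src, f in sorted(detect_default_cred_sweeps(parse_events(SAMPLE_LOG)).items()):
        tag = "COMPROMISED" if f["compromised"] else "sweep"
        print(f"{src}: {tag}, {f['default_attempts']} default-credential attempts, "
              f"{f['distinct_pairs']} distinct pairs")
```

On the sample, 198.51.100.23 is reported as compromised (four default pairs tried, the fourth accepted), 203.0.113.9 is ignored because its credentials are not defaults, and 192.0.2.77 stays below the threshold; lower `min_attempts` to one if you would rather see every probe. The "compromised" case is the one worth paging on, since a device that accepted a factory password is a botnet node until it is reset.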
The US Government's National Cyber Security Alliance has joined forces with the White House and more than 35 companies and NGOs to launch an online security initiative called "Lock Down Your Login". The goal is to educate the public on how to set up strong authentication on social media, email, and financial accounts. They created a nifty jingle and YouTube video to go with it. Facebook and Google are among the companies that will be promoting this and similar initiatives; it will apparently get a homepage promo on Google some time this month.
Not super surprising, but a study by Digital Shadows has found that 97% of the companies in the top 1000 of the "Forbes Global 2000" list show up in the credential breaches we've seen over the last few years. The exposed credentials total over 5 million, with 1.6M from the LinkedIn breach, 1.3M from the Adobe breach, 1.1M from MySpace, and a handful of others, including, of course, the Ashley Madison breach.
Mozilla wants to kick Chinese certificate authority (CA) WoSign out of its trust program. As well as being worried about the certs issued by WoSign, Mozilla accuses the company of buying another CA, StartCom, without telling anyone. In a lengthy analysis posted to Google Docs, Mozilla says its certificate folk have "... lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA." Apple is following suit to protect its users, citing that WoSign has "experienced multiple control failures in their certificate issuance processes".
Shape Security has closed a Series D round of $40M with investors including Google Ventures, Eric Schmidt, Hewlett Packard Enterprise, and others. They've now raised a total of $106 million. Shape Security claims it has prevented more than $1 billion in fraud losses for its customers, which include governments and Fortune 500 firms. One of Shape Security's products is ShapeShifter, which makes a website's client-side code (the HTML and JavaScript a browser receives) look different each time it is served, so that botnets, malware, and rogue scripts that key on a fixed page structure stop working. They also protect against account takeover, brute forcing, content scraping, DDoS, and more.
- 6 Ways To Prepare For The EU’s General Data Protection Regulation with 20 months to go
- Code exec vulnerability in JPEG2000 format, sometimes used to embed images in PDFs. Vulnerable readers include Poppler, MuPDF and Pdfium.
- USA's Amber Alert texts are getting an upgrade
- Zerodium offers a $1.5M bounty for a remote iOS jailbreak
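For the JPEG2000 item above, the practical question is which PDFs in your environment actually carry JPEG2000 images, since those are the ones a vulnerable reader would decode. The following is an added example, not from the vulnerability report or from any of the named projects: it builds a constructed minimal PDF (the "image data" is junk bytes, not a real JPEG2000 codestream) and scans a PDF for objects whose stream dictionary names the `/JPXDecode` filter, resolving PDF name escapes such as `/JPX#44ecode` that a trivial string search would miss. Image XObjects are stream objects, which the PDF format does not allow inside compressed object streams, so their dictionaries are always visible to this kind of scan.

```python
"""Added example (not from the advisory): triage PDFs for embedded JPEG2000
(/JPXDecode) images before the vulnerable readers are patched. The sample
PDF is constructed and its image bytes are placeholder junk.
"""
import re

# "N G obj" ... up to the stream keyword or endobj: captures the object dictionary.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)(?:\bstream\b|\bendobj\b)", re.DOTALL)
# PDF names may escape any byte as #xx, e.g. /JPX#44ecode == /JPXDecode.
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(dict_bytes: bytes) -> bytes:
    """Resolve #xx escapes so a filter name cannot be hidden from the scan."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), dict_bytes)


def find_jpx_objects(pdf: bytes) -> list:
    """Return [(obj_num, gen)] for every object whose dictionary names the JPXDecode filter."""
    hits = []
    for m in OBJ_RE.finditer(pdf):
        dictionary = normalize_names(m.group(3))
        if re.search(rb"/JPXDecode\b", dictionary):
            hits.append((int(m.group(1)), int(m.group(2))))
    return hits


def _stream_obj(dict_body: bytes, data: bytes) -> bytes:
    """Assemble a stream object body with a correct /Length."""
    return b"<< " + dict_body + b" /Length " + str(len(data)).encode() + b" >>\nstream\n" + data + b"\nendstream"


def build_sample_pdf(filter_name: bytes) -> bytes:
    """Construct a minimal one-page PDF whose only image uses `filter_name`.

    The image payload starts with something that looks like a JP2 signature box
    followed by zeros; it is not a decodable codestream and exists only so the
    scanner has a realistic file to walk. Example code, not a real test corpus.
    """
    img_data = b"\x00\x00\x00\x0cjP  \r\n\x87\n" + b"\x00" * 16
    content = b"q 200 0 0 200 0 0 cm /Im0 Do Q"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
        b"/Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >>",
        _stream_obj(b"/Type /XObject /Subtype /Image /Width 8 /Height 8 "
                    b"/ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter " + filter_name, img_data),
        _stream_obj(b"", content),
    ]
    out = bytearray(b"%PDF-1.5\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objs) + 1) + b"0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


if __name__ == "__main__":
    for flt in (b"/JPXDecode", b"[/FlateDecode /JPXDecode]", b"/JPX#44ecode", b"/DCTDecode"):
        print(flt.decode(), "->", find_jpx_objects(build_sample_pdf(flt)))
```

Run it over a real PDF with `find_jpx_objects(open(path, "rb").read())`. A hit means the file will exercise a JPEG2000 decoder when opened, which is enough to decide whether it should be quarantined or opened only in a patched reader. This is a triage heuristic, not a parser: a file that hides its object table behind a broken or malicious structure can still confuse it, so treat "no hits" as "nothing obvious", not as clean.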
That's all for this week. Feel free to send through any feedback or links, and forward this to your friends and colleagues!
Sign Up For Cloud Security Weekly