October 03, 2016

Cloud Security Weekly #36

This week we're covering account takeovers at Coinbase, the Internet of Things powering record-breaking attacks, the US Government launching a new cyber safety education initiative, and more. Enjoy!

Coinbase post-mortem on attack against employee

It's a story we're hearing more and more often - an attacker rings up the victim's mobile phone provider, does a social engineering attack to gain control over their phone number, and goes on to compromise 2FA-protected accounts. (Read more on why 2FA-by-SMS is bad). Coinbase, a popular bitcoin exchange, reveals how this played out in their company recently, and this is a worthwhile read. By all accounts it seems their response was top-notch, and all the employees seem to be on their game!

Follow-up on the record-breaking DDoS against Krebs

Last month KrebsOnSecurity, a news website run by Brian Krebs, went down under the load of a 620 gigabit-per-second denial of service attack. Ars is reporting that it and other record-breaking DDoS attacks are being delivered by more than 145k hacked cameras. Security experts warn that this scale of attacks will only increase as more devices are added to the ✨Internet of Things✨.
Motherboard is reporting that a hacker has released the code that powered these attacks. The malware is designed to infect Internet of Things (IoT) devices that haven’t changed their default usernames and passwords. Motherboard speculates that the reason for dumping the code is to confuse attribution attempts.
arstechnica.com and motherboard.vice.com

Lock Down Your Login - new US Govt. Initiative

The US Government's National Cyber Security Alliance has joined forces with the White House and more than 35 companies and NGOs to launch an online security initiative called “Lock Down Your Login”. The goal is to educate the public on how to set up strong authentication on social media, email, and financial accounts. They created a nifty jingle and YouTube video to go with it. Facebook and Google are among the companies which will be promoting this and similar initiatives - it'll apparently get a homepage promo on Google some time this month.

97% of Top 1000 Companies have employee creds in breaches

Not super surprising, but this study by Digital Shadows has found that 97% of the companies in the top 1000 of the "Forbes Global 2000" list show up in the credential breaches we've seen over the last few years. They total over 5 million credentials, with 1.6M in the LinkedIn breach, 1.3M in the Adobe breach, 1.1M in MySpace, and a handful of others - including, of course, the Ashley Madison breach.

Mozilla to distrust WoSign Certificate Authority

Mozilla wants to kick Chinese certificate authority (CA) WoSign out of its trust program. As well as being worried about the certs issued by WoSign, Mozilla accuses the company of buying another CA, StartCom, without telling anyone. In a lengthy analysis posted to Google Docs, Mozilla says its certificate folk have "... lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA." Apple is following suit to protect its users, saying that WoSign has "experienced multiple control failures in their certificate issuance processes".

Cybersecurity startup Shape Security closes $40 million round

Shape Security has closed a Series D round of $40M with investors including Google Ventures, Eric Schmidt, Hewlett Packard Enterprise, and others. They've now raised a total of $106 million. Shape Security claims it has prevented more than $1 billion in fraud losses for its customers, which include governments and Fortune 500 firms. One of Shape Security’s products is ShapeShifter, which serves to make a website’s source code appear different each time it’s viewed. This helps deflect the prying eyes of botnets, malware, and rogue scripts. They also protect against account takeover, brute forcing, content scraping, DDoS, and more.

In Brief

That's all for this week. Feel free to send through any feedback or links, and forward this to your friends and colleagues!

