Things I Hearted this Year 2018

It’s hard to believe the whole year has gone past and I’ve been hearting things nearly every week since it began.

I’d like to sum up 2018, so I started to look through all the posts from every week and I realised it was a mammoth task. There have been 40 “Things I hearted” blog posts this year, each with an average of 10 stories. And that doesn’t include the dozens of other stories that didn’t make the cut every week.

Suffice to say, it’s been a very busy year as far as information security is concerned. Which could mean that business is very good. Or it could just mean that business is as usual, we’re just getting better at covering the stories.

In YouTube fashion, I decided to do a video rewind of some of the notable stories of the year (minus Will Smith and the big budget)

Conspiracy videos aside, let’s have a recap of an assortment of stories that were hearted over the course of the year.

January 12th Edition

Toy Firm VTech Fined Over Data Breach

VTech, the ‘smart’ toy manufacturer has been fined $650,000 by the FTC after exposing the data of millions of parents and children.

Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest.

Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.

• FTC fines VTech toy firm over data breach | SC Magazine
• FTC Fines IoT Toy Vendor VTech for Privacy Breach | eWeek
• After breach exposing millions of parents and kids, toymaker VTech handed a $650K fine by FTC | Techcrunch

March 9th Edition

SAML, SSO Many Vulnerabilities

SAML-based single sign on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password.

Sounds like a lot of fun.

• Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | DUO

March 30th Edition

Investigating Lateral Movement Paths with ATA

Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts. In lateral movement attacks, the attacker takes advantage of instances when sensitive users log into a machine where a non-sensitive user has local rights. Attackers can then move laterally, accessing the less sensitive user and then moving across the computer to gain credentials for the sensitive user.

• Investigating lateral movement paths with ATA | Microsoft

May 18th Edition

Hacking the Hackers

A hacker has breached Securus, the company that helps cops track phones across the US.

You’d think that if you were a company that collected all sorts of phone data, and location tracking, and work with law enforcement, you’d be a bit more careful in how you store the data.

Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement official’s phones, according to court records.

• Hacker breaches securus, the company that helps cops track phones across the US | Motherboard
• Service meant to monitor inmates’ calls could track you, too. | NYTimes

June 1st Edition

Your Data

Looking at your data this week, Brian Krebs flips the lid on why your location data is no longer private.

“The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels?”

• Why Is Your Location Data No Longer Private? | Krebs On Security

But wait, there’s a plot twist. Tired of all these companies profiting off your data? Well, maybe you can try what this guy did and make some money yourself by directly selling your data.

• This Guy Is Selling All His Facebook Data on eBay | Motherboard

July 6th Edition

10 Things To Know Before Getting Into Cybersecurity

You may know Kevin Beaumont as @GossiTheDog on twitter. He won the 2018 EU blogger awards for best tweeter. But apparently, he’s a man of more talents than just twits, he also blogs, and has put together a good list of 10 things you should know if you’re considering getting into cybersecurity.  

• 10 things to know before getting into cyber security| Double Pulsar

Related, if you’re looking to break into security, then you’ll want to know which locations offer the best salaries (US-based).

• Cybersecurity spotlight 2018: Where are the highest paying jobs? | Indeed Blog

August 31st Edition

Probably The Best Tech Keynote in the World

I’ll be honest, up until a couple of weeks ago, I hadn’t heard of James Mickens who is a professor at Harvard University.

I watched his keynote presentation at Usenix, and haven’t been this entertained and captivated by a technology talk in … well, never.

It’s well worth carving out 50 minutes out of your day to watch his keynote entitled,

Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible?

A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models

October 5th Edition

Bupa Fined £175k

International health insurance business Bupa has been fined £175,000 after a staffer tried to sell more than half a million customers’ personal information on the dark web.

The miscreant was able to access Bupa’s CRM system SWAN, which holds records on 1.5 million people, generate and send bulk data reports on 547,000 Bupa Global customers to his personal email account.

The information – which included names, dates of birth, email addresses, nationalities and administrative info on the policy, but not medical details – was then found for sale on AlphaBay Market before it was shut down last year.

• Health insurer Bupa fined £175k after staffer tried to sell customer data on dark web souk | The Register

November 30th Edition

The $1M SIM Swap

A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency.

• SIM-swapping 21-year-old scores $1 million by hijacking a phone | ZDNet

      

The post Things I Hearted this Year 2018 appeared first on Cybersecurity Insiders.

December 14, 2018 at 09:10PM

Posted in: Cyber Security, Cybersecurity Insiders, Hacking, Hacking Articles, Hacking News, Security