Friday Five: 11/10 Edition
Catch up on all the week's InfoSec news with this roundup!
1. Ex-NSA Director Says Companies Should Never Hack Back Because They Could Start Wars by Lorenzo Franceschi-Bicchierai
Little news actually made it out of CyberConnect 2017, a cybersecurity conference held this week in New York City. One of the more newsworthy items was the fact that conference organizers forbade the press from asking keynote speaker, former NSA Director Keith Alexander, any questions regarding national security or cybersecurity. Alexander did, however, revive the “hacking back” debate on Monday, just a few weeks after a bill on the subject was introduced in Congress. In his talk Alexander said private companies shouldn’t be allowed to strike back at hackers. “If it starts a war, you can’t have companies starting a war. That’s an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high,” Alexander said.
Speaking of hacking back: an odd story here from The Daily Beast’s Joseph Cox alleges that a London-based plastic surgery practice attempted to hack back at the Dark Overlord, a well-known hacking group behind attacks against healthcare software developers and Netflix (the group released most of Orange Is The New Black’s fifth season earlier this year). According to Cox, the head surgeon for London Bridge Plastic Surgery (LBPS) sent the group a rigged Word document designed to reveal the user’s IP address. The Dark Overlord reportedly hacked the practice, spilling a slew of sensitive photos, in October. While the surgeon’s “hack back” attack was unsuccessful, the mere fact that it was mounted in the first place is nothing short of brazen.
This was a fascinating, albeit slightly confusing, story if you don’t follow cryptocurrency news. According to Ars Technica’s Sean Gallagher, a multisignature vulnerability in the Parity line of cryptographic wallets left 1 million ETH (Ether), roughly $280 million USD, frozen this week. The bug was accidentally triggered by a user on Monday, paralyzing multi-sig wallets created after July. Multisignature, or multi-sig, wallets require more than one key to authorize transactions. There were a couple of hot takes on this bug, but none quite as astute as that of Matt Suiche, founder of the in-memory malware detection platform company Comae Technologies: “We have seen a lot of enthusiasm from a lot of people about blockchain-based smart contracts, and the general assumption from users is that they would be secure. But just like any other piece of software a smart-contract can be vulnerable,” Suiche wrote Tuesday.
Another great long read via Wired’s Andy Greenberg this week. Greenberg retraces the history behind Mimikatz, a hacking tool that’s become almost synonymous with penetration testing over the last several years. Notably, the tool, created by Kiwi Benjamin Delpy, found its way into two ransomware attacks of late: this summer’s NotPetya and last month’s BadRabbit. The tool wasn’t created to be used maliciously, but that hasn’t stopped hackers; it remains effective because so many machines run old, outdated versions of Windows.
Tom Spring recaps Charlie Miller and Chris Valasek’s return to the security conference stage in Boston this week at Threatpost. The two, famed of course for their 2014 Jeep Cherokee hack, have shied away from the spotlight a bit since joining General Motors’ Cruise Automation division this past July. Miller and Valasek discussed Internet of Things security at Black Duck Software’s Flight 2017 conference on Wednesday. As usual with the two, there were a lot of great lines, chief among them the following words of advice from Miller: “We learn from our mistakes. We were bad on security with a lot of these things like servers and browsers. And now we are better. And that’s fine. People want to solve security. But you can’t. You are never going to make it impossible to hack something. But, you can make it really hard.”