Friday Five: 11/10 Edition

by Chris Brook on Friday November 10, 2017

Catch up on all the week's InfoSec news with this roundup!

1. Ex-NSA Director Says Companies Should Never Hack Back Because They Could Start Wars by Lorenzo Franceschi-Biccherai

Little news actually came out of CyberConnect 2017, a cybersecurity conference held this week in New York City. One of the more newsworthy items was that conference organizers forbade the press from asking keynote speaker Keith Alexander, the former NSA Director, any questions about national security or cybersecurity. Alexander did revive the "hacking back" debate on Monday, just a few weeks after a hack-back bill was introduced in Congress. In his talk Alexander said private companies shouldn’t be allowed to strike back at hackers. “If it starts a war, you can’t have companies starting a war. That’s an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high,” Alexander said.

2. Hackers Say Plastic Surgeon to the Stars Hacked Back at Them by Joseph Cox

Speaking of hacking back: an odd story from The Daily Beast’s Joseph Cox alleges that a London-based plastic surgery practice tried to hack back at The Dark Overlord, the well-known extortion group behind attacks on healthcare software developers and on Netflix (the group leaked most of Orange Is The New Black’s fifth season earlier this year). The Dark Overlord reportedly hacked London Bridge Plastic Surgery (LBPS) in October and spilled a slew of sensitive photos. According to Cox, the practice’s head surgeon then sent the group a rigged Word document designed to reveal the IP address of whoever opened it. The attempt failed, but the mere fact that it was mounted at all is nothing short of brazen.

3. With Deletion of One Wallet, $280M in Ethereum Wallets Gets Frozen by Sean Gallagher

This was a fascinating, if slightly confusing, story for anyone who doesn’t follow cryptocurrency news. According to Ars Technica’s Sean Gallagher, a vulnerability in Parity’s multisig wallet contracts left roughly 1 million ETH (Ether), worth about $280 million USD at the time, frozen this week. The bug was triggered accidentally by a user on Monday, paralyzing multisig wallets created after July. Multisignature, or multisig, wallets require more than one key to authorize a transaction. There were a couple of hot takes on this bug but none quite as astute as Matt Suiche, founder of in-memory malware detection company Comae Technologies: “We have seen a lot of enthusiasm from a lot of people about blockchain-based smart contracts, and the general assumption from users is that they would be secure. But just like any other piece of software a smart-contract can be vulnerable,” Suiche wrote Tuesday.
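Suiche’s point is worth seeing in code. The following is an added, simplified illustration written for this roundup, not Parity’s actual contracts: thin wallet contracts that borrow all their logic from one shared "library" contract via delegatecall, where the shared contract itself can be initialized and self-destructed by whoever calls it first. Contract and function names (VulnerableWalletLibrary, WalletProxy, HardenedWalletLibrary, initWallet, kill) are illustrative; the transaction confirmation logic a real multisig needs is omitted because it is irrelevant to the flaw.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// VULNERABLE PATTERN (illustrative, not Parity's code).
// Wallet proxies delegatecall into this contract, so its functions run against
// each proxy's storage. But the library is also an ordinary contract with its
// own, never-initialized storage: anyone can call initWallet() directly on it,
// become its "owner", and then call kill(). Once the library self-destructs,
// every proxy that depends on it has no code left to execute and its funds
// are stuck.
contract VulnerableWalletLibrary {
    address[] public owners;   // storage slot 0 (must match the proxy layout)
    uint256 public required;   // storage slot 1

    modifier onlyOwner() {
        require(isOwner(msg.sender), "not owner");
        _;
    }

    // Intended to run once, via delegatecall, when a wallet is created.
    // The "only if uninitialized" guard is also satisfied on the library's
    // own storage, which is exactly the problem.
    function initWallet(address[] memory _owners, uint256 _required) public {
        require(owners.length == 0, "already initialized");
        require(_required > 0 && _required <= _owners.length, "bad threshold");
        owners = _owners;
        required = _required;
    }

    function isOwner(address a) public view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == a) return true;
        }
        return false;
    }

    // Whoever owns the *library* can destroy the code every wallet relies on.
    function kill(address payable to) public onlyOwner {
        selfdestruct(to);
    }
}

// Thin wallet: keeps its own state, borrows every function from the library.
contract WalletProxy {
    address public immutable lib;   // immutable: occupies no storage slot

    constructor(address _lib, address[] memory _owners, uint256 _required) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[],uint256)", _owners, _required)
        );
        require(ok, "init failed");
    }

    // Forward everything else to the library, running in this proxy's storage.
    fallback() external payable {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        assembly {
            if iszero(ok) { revert(add(ret, 32), mload(ret)) }
            return(add(ret, 32), mload(ret))
        }
    }

    receive() external payable {}
}

// HARDENED PATTERN. Two changes: the library locks its own storage at deploy
// time so a direct initWallet() on it always reverts, and shared logic has no
// selfdestruct path at all. Proxies still initialize normally because the
// `initialized` flag lives at slot 2 of *their* storage, which starts as false.
contract HardenedWalletLibrary {
    address[] public owners;   // slot 0
    uint256 public required;   // slot 1
    bool public initialized;   // slot 2

    constructor() {
        initialized = true;    // the library itself is never a wallet
    }

    function initWallet(address[] memory _owners, uint256 _required) public {
        require(!initialized, "already initialized");
        require(_required > 0 && _required <= _owners.length, "bad threshold");
        initialized = true;
        owners = _owners;
        required = _required;
    }

    // No kill(): code that many wallets depend on must not be destructible by
    // any single caller.
}
```

The failure mode is the same one that bites any shared-code design: the guard protected each wallet’s storage, not the shared contract’s. Note that since the Cancun upgrade (EIP-6780) selfdestruct only removes a contract’s code when called in the transaction that created it, which blunts this specific outcome on Ethereum mainnet, but an unguarded initializer on shared logic remains a privilege-escalation bug and the lesson stands.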

4. He Perfected a Password-Hacking ToolThen the Russians Came Calling by Andy Greenberg

Another great long read via Wired’s Andy Greenberg this week. Greenberg retraces the history of Mimikatz, a credential-theft tool that has become almost synonymous with penetration testing over the last several years. Notably, the tool, created by Benjamin Delpy (better known by his handle gentilkiwi), found its way into two recent ransomware outbreaks, this summer’s NotPetya and last month’s BadRabbit. It wasn’t created to be used maliciously, but that hasn’t stopped attackers; it remains effective because so many machines still run old, unpatched versions of Windows.

5. IoT is Insecure, Get Over It! Say Researchers by Tom Spring

At Threatpost, Tom Spring recaps Charlie Miller and Chris Valasek’s return to the security conference stage in Boston this week. The two, famed of course for their 2015 remote hack of a 2014 Jeep Cherokee, have shied away from the spotlight a bit since joining General Motors’ Cruise Automation division this past July. Miller and Valasek discussed Internet of Things security at Black Duck Software's Flight 2017 conference on Wednesday. As usual with the two, there were a lot of great lines, chief among them the following words of advice from Miller: “We learn from our mistakes. We were bad on security with a lot of these things like servers and browsers. And now we are better. And that’s fine. People want to solve security. But you can’t. You are never going to make it impossible to hack something. But, you can make it really hard.”

Tags:  Security News