Friday Five: 12/1 Edition
Catch up on all the week's InfoSec news with this roundup!
One of the larger drone companies in the world, DJI, has increasingly found itself in hot water as of late. If you've been following security Twitter the last few weeks, it was almost impossible to miss the story that went viral about Sean Malia and Kevin Finisterre, researchers who found issues in one of the company's drones. When the researchers elected to contact the Chinese company through its recently formed bug bounty program, they received legal threats instead of a bug bounty. CyberScoop's Chris Bing has a good recap of that story and the public relations onslaught DJI has experienced since, with some quality insight from bug bounty experts Casey Ellis and Katie Moussouris as well. The story was published a day after a New York Times report, released on Wednesday and also worth a read, in which an unnamed United States government office alleges DJI's drones are sending sensitive information about U.S. infrastructure back to China.
The massive 2016 Uber breach was conveniently disclosed last Wednesday while everyone was traveling for Thanksgiving, meaning Capitol Hill had to wait until this week to weigh in. As he usually does, Sen. Mark Warner (D-Va.) led the charge, pressing Uber on Monday to explain why it kept quiet about the theft of 57 million users' personal information and why it tried to cover up the breach by paying the hackers $100,000 to destroy the data. The Hill's Morgan Chalfant summed up Warner's letter (.PDF) to the company's new CEO, Dara Khosrowshahi.
Could Mirai, the Internet of Things (IoT) malware that rippled through the internet last year, be making a comeback? The botnet built from the malware crippled DNS provider Dyn in October 2016 and, in doing so, knocked Spotify, Twitter, PayPal, and GitHub offline for many users, to name a few companies. Researchers with Netlab 360 said late last week they observed a new variant of the malware that spreads via ZyXEL devices. Ars Technica's Dan Goodin reported earlier this week that the strain spread to approximately 10,000 devices over the course of 60 hours starting on November 22. Like the original Mirai, this strain relies on default credentials, in this case a superuser (su) password that is the same across the affected ZyXEL devices, so once an attacker knows it, the malware can log in and propagate without guessing anything per device. The practical takeaway is the same as last year: a shared, vendor-set credential that owners can't or don't change turns every exposed device into a foothold until it is patched or taken off the open internet.
Motherboard's Lorenzo Franceschi-Bicchierai got on his soapbox this week, and for good reason: all too often these days people on the internet are overloading the term "crypto." As interest in cryptocurrencies surges, "people in the world of Bitcoin and other digital currencies are starting to use the word 'crypto' as a catch-all term for the lightly regulated and burgeoning world of digital currencies in general," he wrote Tuesday. This is an issue especially in the security world and on the internet, where the term has pretty much always been shorthand for cryptography. It's a good quick read and worth it for the astute takes from cryptographers Matthew Green and Emin Gün Sirer alone.
Another week, another cache of information found in an insecure Amazon S3 bucket. This week it was sensitive information that was part of Red Disk, a project under the US Army's Intelligence and Security Command (INSCOM), a joint Army and NSA command. Like most of these leaks, this one sat in a bucket that was not publicly listed anywhere but was configured so that anyone who knew or guessed its name could read it; "unlisted" is not a security control. It was discovered by Chris Vickery, director of cyber risk at UpGuard. Vickery has sleuthed out data belonging to hotel chains, plastic surgeons, and electrical companies, so it isn't a surprise that he found the data. It's more of a surprise that this kind of data, from a classified military intelligence-sharing platform with some files marked top secret, was left accessible to anyone who wanted it.
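The check a practitioner would want after a story like this is a way to tell whether a bucket is readable by the world, independent of whether its name appears in any listing. The following is an added example, not code from the original article or from UpGuard, and the bucket name, account ID, role and owner ID in it are constructed placeholders. It inspects two things that make an S3 bucket public: ACL grants to the AllUsers or AuthenticatedUsers groups (the latter means any AWS account holder on earth, which is public for every practical purpose) and bucket-policy statements that allow read actions to a wildcard principal. The sample inputs are shaped like what boto3's get_bucket_acl() and get_bucket_policy()["Policy"] return, so the same functions can be pointed at live output.

```python
"""Added example: flag S3 ACL grants and bucket-policy statements that make a bucket
readable by anyone, whether or not the bucket is ever listed publicly.
Sample data below is constructed, not from any real account."""
import json

# Well-known S3 group URIs. AuthenticatedUsers is "anyone with an AWS account", i.e. public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "AllUsers (anyone on the internet)",
    AUTH_USERS: "AuthenticatedUsers (any AWS account)",
}
READ_LIKE = {"READ", "FULL_CONTROL"}
PUBLIC_READ_ACTIONS = {"*", "s3:*", "s3:Get*", "s3:GetObject", "s3:List*", "s3:ListBucket"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Describe every ACL grant that lets a public group read the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS \
                and grant.get("Permission") in READ_LIKE:
            findings.append(f"ACL: {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_document):
    """Name every Allow statement that grants read actions to a wildcard principal."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if not PUBLIC_READ_ACTIONS.intersection(_as_list(stmt.get("Action"))):
            continue
        label = stmt.get("Sid") or f"Statement[{i}]"
        # A Condition (e.g. aws:SourceIp) may narrow the grant; still flag it for a human to confirm.
        if stmt.get("Condition"):
            label += " (has Condition, review manually)"
        findings.append(f"Policy: {label}")
    return findings


def audit_bucket(acl, policy_document=None):
    """Combine both checks; 'public' is True if anything world-readable was found."""
    findings = public_acl_grants(acl)
    if policy_document:
        findings += public_policy_statements(policy_document)
    return {"public": bool(findings), "findings": findings}


# Constructed samples: a leaky bucket and its fixed counterpart (all identifiers are placeholders).
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef-example-owner"}

LEAKY_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})

FIXED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
]}
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "RoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    for name, acl, policy in (("leaky", LEAKY_ACL, LEAKY_POLICY), ("fixed", FIXED_ACL, FIXED_POLICY)):
        print(name, audit_bucket(acl, policy))
```

On the constructed leaky bucket this reports the AuthenticatedUsers READ grant, the unconditional PublicRead statement, and the IP-restricted OfficeOnly statement flagged for review; the fixed bucket, with only the owner in the ACL and a specific IAM role in the policy, comes back clean. To run it against a real account, feed it the output of `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` for each bucket.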