Friday Five: 12/22 Edition
Catch up on the week's infosec news with this recap!
1. 120 Million American Households Exposed in ‘Massive’ ConsumerView Database Leak by Thomas Fox-Brewster
Another week, another leaky Amazon Web Services bucket. This time around the culprit is Alteryx, a US data analytics provider that apparently left data on 123 million US households on an unsecured S3 bucket, reachable by anyone with a free AWS account. While the data didn’t include names, Chris Vickery, a researcher with UpGuard who discovered the data, told Forbes’ Thomas Fox-Brewster that it’d be easy to crosscheck it with previously leaked information. The database contained information like addresses, hobbies, income, ethnicity, and the number of children that lived at each property. The company removed the bucket from public view last week.
Fox-IT, a security firm based in the Netherlands, disclosed late last week that attackers used a man-in-the-middle attack to hijack its DNS records and intercept sensitive client data. Ars Technica’s Dan Goodin recapped the attack on Monday: “Attackers were able to decrypt all incoming traffic and to cryptographically impersonate the hijacked domain. After intercepting and reading incoming traffic, the attackers forwarded it to Fox-IT in an attempt to prevent company engineers from detecting the attack,” Goodin wrote. It could have been a lot worse: attackers only made off with credentials for nine users, 10 unique files, one mobile phone number, and just a few names and email addresses of client portal users.
In the wake of WannaCry, NotPetya, and BadRabbit this year, ransomware strains of yore like CTB-Locker, a/k/a Critroni, or Curve-Tor-Bitcoin, almost seem like a distant memory. The malware was one of the first – back in 2015 – to accept Bitcoin and rely on Tor to hide its command and control infrastructure, hence the name. Authorities in Romania said this week they’re close to closing the book on CTB after arresting five people suspected of spreading the ransomware throughout Europe and the U.S. The arrests could lead to an added bonus: Two people in the same group are believed to be behind Cerber, another strain of ransomware still making waves in 2017.
4. The Wassenaar Arrangement's Latest Language is Making Security Researchers Very Happy by Shaun Waterman
There wasn’t much fanfare around it, but researchers and infosec experts alike are breathing a little easier after the Wassenaar Arrangement – a 42-nation arms control treaty – was rewritten earlier this week. Before it was reworked, many researchers feared much of the day-to-day goings-on in the cybersecurity industry would have been outlawed. New tweaks to the Arrangement provide exemptions to the export control requirements imposed on hacking tools. Per usual, Katie Moussouris, founder and CEO of Luta Security, was instrumental when it came to better distilling the treaty’s language down. Shaun Waterman recapped the Arrangement’s reworking while Moussouris herself penned a column for The Hill published on Sunday.
Twitter finally gave users some much-needed diversity when it comes to the app’s two-factor authentication feature this week. Now users can use apps like Google Authenticator, Duo and Authy to create short-lived codes as an added layer of security; previously the app only allowed users to use SMS-based 2FA. While text-based 2FA is fine and good, the functionality has had its share of holes poked in it over the last few years. Researchers with Positive Technologies demonstrated how to hijack a text message in September of this year. A Wired article citing security researcher and forensics expert Jonathan Zdziarski decried using SMS for 2FA in the summer of 2016: “For services like Twitter that only offer second factor protections that depend on SMS, it's time to wake up, smell the targeted attacks, and give users better options.” It appears Twitter has finally wised up.