Inside Security - August 7th, 2017


npm hack, how to hijack sessions, solar panel vulnerabilities, setting your AWS access properly, the Russians are coming


David’s Take

The US DoJ recently released guidance on running bug bounties. One issue that you might not have thought about is that a bounty program researcher can have the same network traffic profile as an actual hacker, so it is important that security managers ensure they can separate the two. Before you implement any bounty program, think about these unintended security challenges. You may need to up your data protection game before you let researchers loose across your network.

-- David Strom, editor of Inside Security

Top story

Testing of various Android-based stock trading apps available for the Hong Kong exchange has revealed that the majority of them contain major security weaknesses, such as lacking MFA and being vulnerable to code injection attacks. Cybersecurity incidents resulting in unauthorized trades added up to more than HK$110 million in the past year, according to officials. The report is available here.


During a session hijacking, a malicious hacker places himself between your computer and the website’s server while you are engaged in an active session. At this point, the malicious hacker actively monitors everything that happens on your account, and can even kick you out and take control of it. Here is a blow-by-blow account of how this works. -- HEIMDAL SECURITY

Hackers seeking developer credentials used a typo-squatting attack to spread malicious code via libraries hosted at the online repository npm. The attack involved a user named HackTask who uploaded the rogue JavaScript libraries during July, according to an account of the incident on the npm blog. Each of the malicious packages was named intentionally to be confused with similar and popular existing npm packages. “If you downloaded and installed any of these packages, you should immediately revoke and replace any credentials you might have had in your shell environment,” the blog post said. -- THREATPOST
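One defensive check the npm incident suggests, as an added example that is not from the npm blog or Threatpost: scan a package.json for dependency names that are a near-miss of a well-known package name. The popular-package list and the sample manifest are constructed for illustration.

```python
# Added example: flag dependencies whose name is close to, but not exactly,
# a well-known package name, the pattern typosquatting packages rely on.
# POPULAR and SAMPLE_PACKAGE_JSON are constructed for illustration.
import json

POPULAR = {"lodash", "express", "react", "cross-env", "babel-cli", "mongoose"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_dependencies(package_json: str, max_distance: int = 2):
    """Return sorted (dependency, lookalike) pairs for names within
    max_distance edits of a popular package. Exact matches are legitimate
    and are skipped."""
    manifest = json.loads(package_json)
    names = set()
    for section in ("dependencies", "devDependencies"):
        names.update(manifest.get(section, {}))
    findings = []
    for name in sorted(names):
        if name in POPULAR:
            continue
        for popular in sorted(POPULAR):
            if edit_distance(name, popular) <= max_distance:
                findings.append((name, popular))
    return findings

# Constructed sample manifest: two genuine packages and two near-miss names.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.15.0", "lodahs": "^4.17.4", "expres": "^1.0.0"},
    "devDependencies": {"babel-cli": "^6.24.1"},
})

if __name__ == "__main__":
    for dep, lookalike in suspicious_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"review {dep!r}: looks like {lookalike!r}")
```

Run it against a real package.json and a larger popular-package list; any hit is a prompt to check the package's publisher and history before trusting it.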

An attacker could exploit vulnerabilities found in solar panel components to shut down large parts of a power grid. Security researcher Willem Westerhof found that the components (shown here), which convert direct current into alternating current, suffered from 17 vulnerabilities of different severity levels. The researcher has been working with the component maker since last winter to fix these issues. -- GRAHAM CLULEY BLOG

Criminals are going to new lengths to disguise their malware using more advanced so-called fileless methods. This analysis dissects the operation of one piece of malware called JS_POWMET, and how it leverages registry autostart features and other built-in Windows tools to infect a system. -- TREND MICRO BLOG

New product

Mozilla has launched a free online service for private sharing of an encrypted file of up to 1 GB between two users. It’s called Send, and it’s meant to ensure users’ shared files do not remain online forever. The link will expire after a single download or 24 hours, and it works with both Firefox and Chrome browsers. -- FIREFOX


Russians have attacked in cyberspace to further their geopolitical interests, but their hacking activities also form an integral part of a more sophisticated criminal enterprise, bent on extortion and profiteering from private businesses too. Their targets have included Estonia, Georgia, Germany, and the United States (stealing data from the DNC and emails from John Podesta). You’ll need a diversity of approaches, and those approaches will have to evolve over time. The cyber threat has arrived as a clear and present risk to businesses today and addressing it will become a growing cost of doing business. -- HBR

When building red and blue teams, it’s important to ensure that candidates are willing to work in harmony and share ongoing metrics related to their activities. It is not enough to simply conduct routine penetration testing. CISOs should take a series of steps in hiring a red team to go against your blue team defenses. -- SECURITY INTELLIGENCE


How do SPF and DMARC, two long-existing email security standards, stack up and complement each other? Here are the details, along with why it’s only with the addition of DMARC that SPF really functions properly as an anti-fraud tool. -- VALIMAIL BLOG

Amazon warned users with publicly accessible S3 buckets and suggested a review of the AWS S3 bucket policies, as well as the contents of the bucket, in order to avoid the exposure of sensitive data, according to a copy of the email shared by a penetration tester for HackerOne. Amazon wrote in the email: "We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don't intend." -- SEARCH SECURITY
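The review Amazon recommends is, at its core, a search for policy statements that grant access to everyone. As an added example (not Amazon's tooling), the function below evaluates a bucket policy document and reports such statements; the sample policies are constructed.

```python
# Added example: find Allow statements in an S3 bucket policy that are open to
# any principal ("*" or {"AWS": "*"}). Statements carrying a Condition are
# reported as "conditional" so a reviewer can check whether the condition
# really restricts access. SAMPLE_POLICY is constructed for illustration.
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal) -> bool:
    """True for the anonymous principal: "*" or {"AWS": "*"} (also in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_statements(policy_json: str):
    """Return (Sid, kind, actions) for every Allow statement open to any
    principal; kind is "public" or "conditional"."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), kind,
                         _as_list(stmt.get("Action", []))))
    return findings

# Constructed sample: one world-readable statement, one restricted to a role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    for sid, kind, actions in public_statements(SAMPLE_POLICY):
        print(f"{sid}: {kind} access for {', '.join(actions)}")
```

Bucket ACLs and object ACLs can grant public access independently of the policy, so this check covers only one of the places the review needs to look.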

M&A news

Qualys, Inc., a provider of cloud-based security and compliance solutions, last week announced that it has entered into an asset purchase agreement with Nevis Networks to acquire their passive scanning technologies. Terms of the deal were not disclosed, said Philippe Courtot, chairman and Qualys CEO. -- QUALYS

Just for fun

Chrome is making some progress. -- MATT HOLT @ TWITTER


Our mailing address is:
767 Bryant St. #203
San Francisco, CA 94107
