Inside Security

Inside Security (Feb 6th, 2018)

David’s Take

As many readers of this newsletter know, we produce a special premium-only edition every Thursday for subscribers. This week Incapsula is picking up the tab so that all of you can read it; watch your inboxes then for this edition.

In our top story, we dive deeper into the Strava/Fitbit data-leaking controversy, citing a few different researchers who have spent several years studying insecure wearables and warning about the consequences.

New research has found that all WordPress websites suffer from a major flaw that could subject them to DoS attacks. The vendor denies this is a bug. I tried to reproduce it on my own WP server but wasn't successful, though I wasn't too diligent. The Hacker News staff was able to verify it is authentic. The researcher has posted a fix on GitHub.

--David Strom, editor of Inside Security


Top Story: Fitbit leaking continues

Stories at the end of January reported that the Strava mobile app produced fitness heatmaps that revealed the location of users living on military bases. Now Henrik Lied, a Norwegian journalist, has coaxed Strava into showing the names of some of the soldiers and other personnel on those bases. By exploiting a Strava feature known as "Flyby," which lists other users who trained nearby at the same time, he could find people on the bases. It took some effort, fabricating GPS routes that passed through the bases plus some Python scripting, but he was able to identify 18 people at various locations around the world.

Lied isn't the only one working with this data. It is an active area for security research, as John Scott-Railton examines in what he calls PAPI: Presence, Activity, Profile, and Identification. He and Citizen Lab have done lots of work in this area and published a comparative analysis of various fitness trackers several years ago. They found that almost every device broadcast a static Bluetooth MAC address, which lets the wearer be tracked, and that many companion apps sent geolocation data even when the user wasn't working out, often without any encryption. – CITIZEN LAB


Funding events of the week

DFLabs, which sells security automation and orchestration tools, announced it has increased its total funding to $9M with a new investment from existing backer Evolution Equity Partners. Based in Boston and Milan, its CEO is Dario Forte.

Owl has closed an $18M Series A round, with Defy as the lead investor. The Palo Alto-based company makes connected security cameras for cars and has Andy Hodge as its CEO.

New Knowledge closed a $1.9M seed round, with Moonshots Capital as the lead. The Austin-based vendor of AI-driven disinformation analysis has Jonathon Morgan as its CEO.

BigID closed a $14M Series A round with ClearSky Security as the lead. The NYC-based vendor of personal-data discovery and privacy analytics software has Dimitri Sirota as its CEO.

BehavioSec closed a $17.5M Series B round with Trident Capital as the lead. The Stockholm-based company sells passive behavioral-biometrics tools. Its CEO is Neil Costigan.


Attacks and vulnerabilities

Here is a clever phishing campaign built around this week's Winter Olympics in Korea. An email that appears to come from the Korean National Counter-Terrorism Center carries a malicious Word document attachment. This blog post analyzes how it does its dirty work, including the hidden VBScript and PowerShell stages. – SECURING TOMORROW (McAfee)


The Grammarly Chrome extension is used by about 22M people to check their spelling and grammar when filling in web forms. A researcher found that it exposed its authentication tokens to any website the user visited, letting that site act as the user and reach their documents, history, logs, and all other account data. Grammarly pushed an automatic update yesterday to fix the issue. – CHROMIUM BLOG


A new botnet has been targeting IoT devices, using tactics borrowed from existing malware to achieve remote code execution through three separate SOAP POST requests. Unlike most IoT botnets, whose infected devices scan for and exploit new victims themselves, this one does the scanning and exploitation from centralized remote servers. – RADWARE BLOG


The new Forrester Wave™: DDoS Mitigation Solutions, Q4 2017 report features information designed to help you:

  • Gain critical insights into the growing DDoS mitigation solution market
  • Identify the ideal DDoS mitigation solution for your company's needs
  • Understand the importance of evaluating a DDoS mitigation solution's ability to detect and mitigate multiple attack types, its mitigation capacity, service levels, threat intelligence, reporting, visibility, and client satisfaction, as well as its strategy and market presence

Discover why Forrester has named Imperva a Leader in DDoS mitigation, with a top ranking in both the current-offering and strategy categories. Read the report.

Jason Reaves, a researcher at Fidelis Cybersecurity, has devised a technique that abuses X.509 digital certificates to establish a covert data-exchange channel. He demonstrated it at a BSides conference last summer and has now published the details and proof-of-concept code, which hides the data in rarely inspected certificate extension fields. Because certificates are exchanged during the TLS handshake, the payload travels before any application data is sent, and a TLS stack silently ignores non-critical extensions it does not understand. To counter the technique he suggests blocking self-signed certificates such as the ones used in the PoC and checking for executables embedded in certificates. – SECURITY AFFAIRS
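The following is an added example, not Reaves' PoC or Fidelis code, showing the three sides of the channel in one place: a sender that stuffs arbitrary bytes into a custom X.509 extension of a self-signed certificate, a receiver that carves them back out, and a detector that applies the two checks the article recommends (self-signed issuer, executable header in an extension) plus an oversized-extension heuristic. The private-enterprise OID 1.3.6.1.4.1.99999.1, the "MZ"-prefixed filler payload, and the list of expected extensions are all assumptions made for the example; it requires the third-party cryptography package.

```python
"""
Added example (not Reaves' PoC): smuggle bytes through a custom X.509
extension, read them back, and run the checks the article suggests.
Requires the third-party `cryptography` package.
"""
import datetime
from typing import List, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Hypothetical private-enterprise OID chosen for this example; a real covert
# channel could use any OID both ends agree on.
COVERT_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")

# Extensions a typical TLS server certificate carries (assumed allow-list).
# Anything outside it deserves a second look.
EXPECTED_OIDS = {
    ExtensionOID.BASIC_CONSTRAINTS,
    ExtensionOID.KEY_USAGE,
    ExtensionOID.EXTENDED_KEY_USAGE,
    ExtensionOID.SUBJECT_ALTERNATIVE_NAME,
    ExtensionOID.SUBJECT_KEY_IDENTIFIER,
    ExtensionOID.AUTHORITY_KEY_IDENTIFIER,
    ExtensionOID.AUTHORITY_INFORMATION_ACCESS,
    ExtensionOID.CRL_DISTRIBUTION_POINTS,
    ExtensionOID.CERTIFICATE_POLICIES,
    ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS,
}


def make_self_signed(payload: Optional[bytes]) -> bytes:
    """Sender side: a self-signed cert, optionally carrying `payload` in COVERT_OID."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.invalid")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )
    if payload is not None:
        # The extension value is an opaque OCTET STRING. Marked non-critical,
        # a TLS peer that does not know the OID simply ignores it.
        builder = builder.add_extension(
            x509.UnrecognizedExtension(COVERT_OID, payload), critical=False
        )
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.DER)


def carve_payload(der: bytes) -> Optional[bytes]:
    """Receiver side: pull the smuggled bytes back out of a DER certificate."""
    cert = x509.load_der_x509_certificate(der)
    try:
        ext = cert.extensions.get_extension_for_oid(COVERT_OID)
    except x509.ExtensionNotFound:
        return None
    return ext.value.value


def suspicious_findings(der: bytes, max_ext_len: int = 512) -> List[str]:
    """Detection side: self-signed check, unexpected OIDs, size, and PE header."""
    cert = x509.load_der_x509_certificate(der)
    findings = []
    if cert.issuer == cert.subject:
        findings.append("self-signed certificate")
    for ext in cert.extensions:
        dotted = ext.oid.dotted_string
        if ext.oid not in EXPECTED_OIDS:
            findings.append(f"unexpected extension {dotted}")
        if isinstance(ext.value, x509.UnrecognizedExtension):
            blob = ext.value.value
            if len(blob) > max_ext_len:
                findings.append(f"oversized extension {dotted}: {len(blob)} bytes")
            if blob[:2] == b"MZ":
                findings.append(f"PE executable header inside extension {dotted}")
    return findings


if __name__ == "__main__":
    clean = make_self_signed(None)
    # Constructed stand-in for a smuggled executable: a PE "MZ" header plus filler.
    loaded = make_self_signed(b"MZ" + b"\x90" * 4096)
    print(suspicious_findings(clean))
    print(suspicious_findings(loaded))
    print(len(carve_payload(loaded)))
```

The size threshold is the only tunable: legitimate extensions such as SCT lists or long SAN lists can run to a few hundred bytes, so set `max_ext_len` from a baseline of certificates your own hosts actually present rather than guessing. The self-signed check alone will also flag plenty of harmless internal services, which is why the article pairs it with content inspection.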


Report

As phishing has evolved and moved increasingly to mobile devices, phishers have also looked beyond email to distribute phishing links. Here is how a phishing landing page that relays the victim's credentials and one-time code in real time can be used to bypass 2FA. -- WANDERA


Just for fun

Act now, and you can buy into the latest cryptocurrency called "PonziCoin." And yes, it does have Equifax-grade security, at least according to the FAQ. -- PONZICOIN


Many thanks to Inside Security's corporate supporters.  Please go check them out!

 

Endgame

Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more

 

Nok Nok Labs has the ambition to transform authentication, by unifying it into one standard protocol, giving business the control they need. Learn more


Invest in Ring4, the second-phone-number startup that was voted best product on Product Hunt.

 

HackerOne is the #1 hacker-powered security platform for finding critical vulnerabilities.
