Inside Security (Jun 12th, 2018)

By my probably incorrect accounting, this is the 365th edition of this newsletter. My thanks to the continued sponsorship of these newsletters by Endgame. You might be interested in this recent blog post about their efforts to help complement and improve MITRE’s ATT&CK framework through a new open source tool. The post discusses how offensive measures can help improve overall enterprise security by better understanding our adversaries. I have written recently about ATT&CK for CSOonline, first this explainer about the framework and a second piece reviewing various tools that are based on it, including Endgame’s Red Team Automation. You should read all of them if you want to get a head start in this area.

--David Strom, editor of Inside Security

Are you as confused with the new top-level domain names as I am? Back in those simpler times, we had .com and a few others. Now there are more than 1,500 of them. Brian Krebs summarizes the latest research that shows they are ripe for abuse, including domains that end in .country, .stream, .men, .work and .gdn. On all three, the majority of registered domains are used by spammers, to send malware, or both. Sadly, security experts warned this would happen years ago, but advertisers and domain speculators won out. Many of these new domains can be purchased for less than a buck a year, especially using the registrar Namecheap. To help with this, check out this report from Robert Spotswood: he reviews the alternative DNS services and how they stack up in blocking these domains. – KREBS ON SECURITY

The APWG has a new report looking at the rise of fake web storefronts in Japan. These pose as shopping sites but just steal customers’ money without actually selling any goods. The report categorizes the various types of fake storefronts that use a number of sneaky tactics, such as the one illustrated below of redirecting traffic through a compromised website. There are several mitigation tactics also suggested. – ANTI-PHISHING WORKING GROUP REPORT

CNIL, the French data protection authority, has decided to impose a 250,000 euro (about US$300,000) fine on Optical Center, a French company selling eye and hearing aids. The fine was levied because the company failed to secure the data of customers who ordered products via its website. It is CNIL’s largest fine to date for a security breach and reflects the thousands of IDs and documents that were leaked. – HELPNET SECURITY

This post is the last of a series of explainer articles on XSS injection attacks, this one covering the client side. These attacks can still happen even though you have checked all of your server-side inputs. It looks at what causes the attacks, the three different types of scripting attacks, and how to change your code to prevent them. – ALERT LOGIC BLOG

Yes, there really are Nigerian princes, at least when it comes to collecting money from duped email users. U.S. law enforcement announced today the arrests of 74 people accused of orchestrating email scams through which they stole millions from users across the world. Authorities arrested 42 members of the gang in the U.S. and 29 in Nigeria, among others. They also seized $2.4M from the accounts of the arrested suspects and recovered another $14M in fraudulent wire transfers. The feds are calling this Operation Wire Wire. Funds were stolen from a wide collection of individuals and businesses in several different locations. – BLEEPING COMPUTER

Weight Watchers forgot to set a password for the administration console of one of its Kubernetes instances. Researchers found details about the company’s internal IT infrastructure, such as AWS access keys, pod specifications, and several dozen AWS S3 buckets holding the company’s data. It isn’t clear whether the exposed data was production or on a test system. – KROMTECH

This is a very informative article on how to prepare your AWS environment to maximize your security and help you recover from a breach, or from a researcher discovering unprotected data (such as the Kromtech piece above). First, take advantage of built-in AWS logging tools such as CloudWatch and CloudTrail. Not every incident will be caught immediately, so make sure your logs are retained rather than rolled over and lost. Next, create an EC2 Security Group that can be used to isolate any compromised systems in the network. – DELTA RISK BLOG
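
The two preparation steps above, as an added example that is not code from the Delta Risk post: a quarantine security group with no ingress or egress, an isolation step that records the original groups before swapping them, and a check for CloudWatch log groups that will expire. The `ec2` and `logs` arguments are assumed to be boto3 clients supplied by the caller; every ID and name is a constructed placeholder.

```python
"""Added example, not code from the Delta Risk post: prepare an AWS account for
incident response with a quarantine security group and retained CloudTrail logs.
`ec2` is assumed to be a boto3 EC2 client passed in by the caller; every ID and
name below is a constructed placeholder."""
from typing import Iterable


def plan_quarantine(instance: dict, quarantine_sg: str) -> dict:
    """Security-group swap for one instance (shape of describe_instances()
    Reservations[].Instances[]); original groups are kept for restoration."""
    original = [g["GroupId"] for g in instance.get("SecurityGroups", [])]
    return {"InstanceId": instance["InstanceId"],
            "OriginalGroups": original, "Groups": [quarantine_sg]}


def log_groups_at_risk(log_groups: Iterable[dict], min_days: int = 365) -> list:
    """Names of log groups (shape of describe_log_groups()) that expire sooner
    than min_days; a missing retentionInDays means the group never expires.
    Fix the ones returned with logs.put_retention_policy(...)."""
    return [g["logGroupName"] for g in log_groups
            if g.get("retentionInDays") is not None
            and g["retentionInDays"] < min_days]


def create_quarantine_group(ec2, vpc_id: str) -> str:
    """A fresh group has no ingress rules but an allow-all egress rule that
    AWS adds by default, so revoke whatever egress the group came with."""
    gid = ec2.create_security_group(GroupName="ir-quarantine",
                                    Description="Isolation for compromised hosts",
                                    VpcId=vpc_id)["GroupId"]
    described = ec2.describe_security_groups(GroupIds=[gid])["SecurityGroups"][0]
    if described["IpPermissionsEgress"]:
        ec2.revoke_security_group_egress(GroupId=gid,
                                         IpPermissions=described["IpPermissionsEgress"])
    return gid


def isolate_instance(ec2, instance: dict, quarantine_sg: str) -> dict:
    """modify_instance_attribute(Groups=...) overwrites the whole group list,
    which is exactly what isolation needs; the returned plan holds the old list."""
    plan = plan_quarantine(instance, quarantine_sg)
    ec2.modify_instance_attribute(InstanceId=plan["InstanceId"], Groups=plan["Groups"])
    return plan


# Constructed sample data in the shape of the real API responses.
SAMPLE_INSTANCE = {"InstanceId": "i-0123456789abcdef0",
                   "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}]}
SAMPLE_LOG_GROUPS = [{"logGroupName": "cloudtrail", "retentionInDays": 30},
                     {"logGroupName": "never-expires"}]
```

Keep the returned plan somewhere outside the affected account: it is both the restore path after forensics and evidence of what the host could reach at the time of isolation.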

If you have enjoyed Baratunde Thurston’s posts in the past on a number of tech blogs (including The Onion), you will find his latest piece both entertaining and informative. Called A New Tech Manifesto, he lists suggestions for tech companies to become really transparent about their data collection, switch their defaults for data to be closed rather than open (since most users never change them), respect users’ rights to own their own data, and implement true diversity hiring practices. There is a lot to take away here. – THURSTON @ MEDIUM

What do criminals do once they obtain personal health data? They sell it in bulk as “fullz,” packages that can be used to launch further fraud attacks and ransomware. There are also cases of selling SMTP servers that specialize in particular spear phishing campaigns mimicking hospital domains. – CYNERIO BLOG

This does seem to be how the process of starting a new cloud service works. – BOB RESELMAN @ DEVOPS