Inside Security | Inside


David Strom's in-depth cybersecurity news and analysis

David’s Take

Are you as depressed as I am about the Russian troll indictments from last week? Our top story goes into details, and links some other resources you might want to read and listen to. It is only Tuesday and we already have a full complement of malware, bad actors, data leaks, and even a game developer who intentionally infects his customers with malware.

-- David Strom, editor of Inside Security



While a bit self-serving, this analysis of how Cloudflare tries to educate its customers about potential account takeovers, phishing attacks, and other social engineering efforts by criminals is worth reading. If nothing else, it shows what lengths these evildoers go to try to compromise your account every day. The post introduces the concept of a domain name generation algorithm, an automatic method of creating complex and lengthy domain names to be used to identify command and control servers. – CLOUDFLARE BLOG
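As an added illustration of the DGA concept mentioned above (this is not code from the Cloudflare post): a small defender-side heuristic that scores queried names for the traits algorithmically generated domains tend to share (long, high-entropy, vowel-poor, digit-heavy labels) over a constructed DNS log. The log format, the feature thresholds and the scoring weights are assumptions, not anything the post specifies.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real traffic): "client -> queried name".
SAMPLE_DNS_LOG = """\
10.0.0.12 -> www.example.com
10.0.0.12 -> mail.google.com
10.0.0.31 -> qzxvkwpdlmtrbgh.net
10.0.0.31 -> k8d2zq19vx7hp4mw3.info
10.0.0.55 -> cdn.cloudflare.com
"""

VOWELS = set("aeiou")

def second_level_label(fqdn: str) -> str:
    """Return the registrable label, e.g. 'example' from 'www.example.com'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s: str) -> float:
    """Bits per character of the label; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dga_score(fqdn: str) -> float:
    """Assumed heuristic: one point per DGA-like trait of the registrable label."""
    label = second_level_label(fqdn)
    n = max(len(label), 1)
    score = 0.0
    if len(label) >= 12:                       # unusually long label
        score += 1.0
    if shannon_entropy(label) >= 3.5:          # near-random character mix
        score += 1.0
    if sum(ch in VOWELS for ch in label) / n < 0.2:   # unpronounceable
        score += 1.0
    if sum(ch.isdigit() for ch in label) / n > 0.25:  # digit-heavy
        score += 1.0
    return score

def flag_suspicious(log_text: str, threshold: float = 2.0) -> list[tuple[str, str]]:
    """Return (client, fqdn) pairs whose queried name scores at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"(\S+) -> (\S+)", line)
        if not m:
            continue                           # skip lines that do not parse
        client, fqdn = m.groups()
        if dga_score(fqdn) >= threshold:
            hits.append((client, fqdn))
    return hits
```

A heuristic like this is a triage aid, not a verdict: the two flagged names warrant a look at what else client 10.0.0.31 resolved and whether the lookups succeeded.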

A former California state employee downloaded the personal data of thousands of Fish and Wildlife agency employees last December. The breach wasn’t disclosed until recently, and it appears to have been accidental rather than malicious. Police are investigating. – SACRAMENTO BEE


Many thanks to Inside Security's corporate supporters. Please go check them out!


Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more


Nok Nok Labs has the ambition to transform authentication by unifying it into one standard protocol, giving businesses the control they need. Learn more


David’s Take

With the news last week about Russian meddling in our last election comes further activity involving Russian hackers who dare to travel outside their country and get arrested for cyber crimes. The latest is Pyotr Levashov, who was arrested in 2017 while on vacation in Spain. Recently, the Spanish authorities agreed to send him to the U.S. for trial. He is accused of being the mastermind of Kelihos, a major spam-generating botnet. As I mentioned in this newsletter after his arrest, next time check the State Department extradition list before you make your travel plans. The Russians have also issued their own travel warnings to their criminally-inclined citizens.

David Strom, editor of Inside Security


Top Story

Monero malware miners are once again in the news. First, a hacker group has made over $3M by breaking into more than 25,000 Jenkins servers and installing malware that mines the Monero cryptocurrency. Jenkins is an automated Java-based testing framework. Check Point calls this one of the largest crypto mining malware schemes it has so far seen, and cites Chinese origins. – CHECK POINT BLOG

Second, there is this report on CouchDB servers and how they can be vulnerable to hidden Monero miners. – TREND MICRO BLOG

Third, Israeli firm Votiro has documented how you can embed a video inside a Word document attachment that contains a hidden miner. While the video plays, it hijacks 99% of your CPU power to mine cryptocurrency. – VOTIRO DOC

Acquisition of the week

Oracle is acquiring Miami-based Zenedge, a cloud security provider and will integrate its DDoS mitigation and Web App Firewall features into its Oracle Cloud Infrastructure services. Terms were not disclosed. -- ORACLE

Over a quarter of UK local council authorities have suffered a security breach in the past five years, with the vast majority not providing any kind of cybersecurity training. The council networks were subject to a staggering 98 million attacks between 2013 and 2017, which works out to 37 attempted breaches every minute. – BIG BROTHER WATCH (pdf)


FSLabs is a flight sim game maker that has taken the rather extreme approach of infecting pirated versions of its game with password-stealing malware. The game’s installer checks whether the user has made a legitimate purchase; if not, the malware is installed along with the game. Since being outed by the researchers, FSLabs has removed the malware from its installer, admitting the action was “a bit heavy-handed on our part.” – FIDUS INFOSEC BLOG

Researchers have discovered vulnerabilities in the popular WhatsUp Gold network monitoring tool. One allows an attacker remote command execution via its TFTP server, while another allows SQL injection. Users should upgrade to v.17.1.2 to eliminate these issues. – POSITIVE TECHNOLOGIES


Hackers have chained two different backdoors to gain network access, as explained in this post. The campaign, which originated from South Korean IP addresses, has been labeled DoubleDoor, naturally. – NEWSKY SEC BLOG

The Docket

A spate of lawsuits aimed at security reporters such as Steve Ragan and Dan Goodin is a threat to overall security progress, says my colleague Zack Whittaker in this post. He reviews the recent legal cases and the concerns about them, and how many vulnerability researchers have stepped away from the field rather than work under the threat of litigation. -- ZDNET

Funding announcement

Israel-based Morphisec raised a $12M Series B funding round, led by Jerusalem Venture Partners. The company makes polymorphic security tools that move targets out from under attackers. Ronen Yehoshua is its CEO.


Beginner’s corner

Julia Evans explains the innards of an SSL cert from a programmer’s perspective. She dissects the X.509 syntax and in her delightful and very readable style tells you what all the various parts mean and what is involved in digitally signing them. – JULIA EVANS BLOG



A new report revealed a one-third increase in new ransomware families between 2016 and 2017, a doubling of business email compromise attempts between the first and second half of 2017, and a sharp increase in cryptocurrency mining malware, peaking at 100,000 detections in October. These are clear indications that attackers are getting more sophisticated and hitting larger targets. – TREND MICRO REPORT


Insights from an IT Manager at Alaska Airlines

An IT manager at Alaska Airlines talks about how she has implemented threat management using a variety of manual and automated systems. Jessica Ferguson begins her hunt for malware in less obvious places in order to find new threat families. – ANOMALI BLOG


Just for fun

I often do this (at least the laptop part) myself. From 50 Nerds of Grey @ TWITTER



A new ransomware family called Saturn has been detected. It checks whether it is running inside a VM and, if so, exits, so that it stays hidden from analysis. All the standard prevention suggestions apply. – BLEEPING COMPUTER

India’s City Union Bank was hacked over the weekend and could have lost about $2M in funds that were sent via the SWIFT interbank messaging system. Fortunately, the transfers were blocked by the receiving banks. -- REUTERS

Google’s Project Zero researcher Ivan Fratric discovered a vulnerability in Microsoft’s Edge browser that can bypass a security feature called Arbitrary Code Guard. Sadly, that feature was only recently implemented in the latest Windows builds. The bug was disclosed to Microsoft last year but has not yet been fixed. – CHROMIUM BLOG


Featured cybersecurity leader: Jane Frankland

Here is an excellent interview with Jane Frankland, who has been involved in cybersecurity in the UK for decades. She has contributed to numerous open source efforts at OWASP and CREST, written many articles, and has a new book titled IN Security: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe. – HACKER ONE BLOG
