Things I Hearted this Week - 16th November 2018

Collecting stories over the course of the week is always fun. You start reading one story, and before you know it you’re down the rabbit hole of technology, security, and privacy reading up papers on how scientists want to embed IoT devices in giraffes necks.

Fear not, I am here to strip away the mundane and irrelevant and bring you only the best in news, designed to make your heart flutter.

Why Google consuming DeepMind Health is scaring privacy experts

Google’s decision to bring DeepMind Health, the medical unit of the AI-powered company it acquired four years ago, closer to the mothership may leave 1.6 million NHS patients with “zero control” over where their personal data goes, experts say – while an independent body set up to oversee the protection of such data has been broken up.

While there’s not denying that there are huge benefits to be gained from better aggregation and analysis, but by whom, with what oversight, and where does it end?

In related Google news, the company has published its first quarterly transparency report with stats on the security of the Android ecosystem.

On a side note, maybe we give big data analytics too much credit sometimes.

User Behavior Analytics Could Find a Home in the OT World of the IIoT

UBA has been around in data-centric IT for at least four years, but it has never become industry-standard primarily because in the real world, user behavior in IT is so varied and complex that UBA often creates more false alarms than useful ones. In IT, UBA has often failed to find the dangerous needle in the immense haystack of user behavior. But user behavior in process-centric OT is much simpler: OT systems run the plant, and scripted user activity is nowhere near as varied as in IT, with its multiple endpoints and inputs, email browsing, multipart software stacks, etc.

Busting SIM Swappers and SIM Swap Myths

SIM swapping attacks primarily target individuals who are visibly active in the cryptocurrency space. This includes people who run or work at cryptocurrency-focused companies; those who participate as speakers at public conferences centered around Blockchain and cryptocurrency technologies; and those who like to talk openly on social media about their crypto investments.

REACT Lieutenant John Rose said in addition to or in lieu of stealing cryptocurrency, some SIM swappers will relieve victims of highly prized social media account names (also known as “OG accounts“) — usually short usernames that can convey an aura of prestige or the illusion of an early adopter on a given social network. OG accounts typically can be resold for thousands of dollars.

The deep, dark reach of the magecart group

For at least four years, a distributed, sophisticated network of cybercrime groups known collectively as Magecart has been compromising ecommerce sites small and large, as well as payment processors,installing web skimmers to steal confidential information, and raking in a fortune by selling pilfered card numbers on the underground, largely without any repercussions. Although security researchers have been tracking some of the groups since 2015, only recently has the Magecart name begun to ring out, as some elements of the group have hit major targets, including Ticketmaster and Newegg, drawing the attention of several law enforcement agencies and heightened interest in the research community.

Fake news 'to get worse' by 2020 election

Krikorian, a computer scientist who previously held senior positions at Uber and Twitter, acknowledged social media companies like Facebook are taking steps to increase transparency. But he said their business models, driven by revenue and engagement, do not incentivize solutions for fighting fake news, and the problem wouldn't fix itself by the next U.S. presidential election.

DOD prepares endpoint cybersecurity strategy as mobility booms

In the end, will it come back to the endpoint? As the use of mobile devices and services pervades the lives of civilians and military personnel alike, the Department of Defense is taking a more endpoint-driven approach to how it secures its networks, developing a forthcoming enterprise cybersecurity strategy focused specifically around the gadgets people use.

DOD CIO Dana Deasy said, “One of the things I keep stressing is we have to step up and face the reality about the world around us becoming more and more mobile, each and every day.” And it’s getting to a point where DOD must begin to embrace mobility, even if it means added security challenges.

The rise of multivector DDoS attacks

A really good post on DDoS trends, and the rise of multivector DDoS attacks, which shouldn’t come as a complete surprise to most; but seeing this analysis helps quantify it all

Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution

So, the ICO does have some teeth after all.

A motor industry employee has been sentenced to six months in prison in the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence.

Mustafa Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed thousands of  customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex.

He continued to do this after he started a new job at a different car repair organisation which used the same software system.  The records contained customers’ names, phone numbers, vehicle and accident information.

Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution | ICO

Clickjacking on Google MyAccount Worth 7,500$

A nice writeup by a researcher who found a clickjacking bug on Google. My favourite was the timeline at the end:

Aug 11 : Report to Google

Aug 15 : Google Staff Ask Detail

Aug 15 : Adding Detail

Aug 21 : Google Can’t Prove Bug

Aug 21 : Give them Video to PoC

Aug 28 : Google Ask About Attack Scenario

Aug 28 : Give the Attack Scenario

Sep 11 : Nice Catch!

Sep 25 : Bounty 7,500$

Sep 25 : I Cry.

Other things I liked this week


Article Link: