Things I Hearted this Week, 22nd June 2018

Malware News
1

The Tesla Insider

Elon Musk sent out an email stating an employee had stabbed the company in the back like Brutus, changing production code, and leaking inside information. I'll admit that like many people who have talked about or written about insider threats in the past, I instinctively punched the air and yelled, "YES! I warned you but you didn't listen."

The incident is also notable for the impact it had on the companies share price which dropped more than 6% in trading.

"I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations, this included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."

Can't Fix Won't Fix, Don't Fix

Organisations cannot afford to view penetration testing as a tick box exercise. How should they mitigate the fact some vulnerabilities can’t be fixed, won’t be fixed, and in some instances, actually shouldn’t be fixed?

On the topic of pen tests, check out Adrian Sanabria's presentation slides from RSA earlier this year on killing the pen test.

To add balance, and to convince you pen testers out there that I'm not a bad person who hates all pen testers, here's an awesome collection of penetration testing resources that include tools, online resources, books, courses, conferences, magazine...

A Case Study In Bad Disclosure

Imagine you're a researcher and have found a vulnerability, you then disclose it responsibly to a vendor, then that vendor fixes the issue - but instead of sending the chopper over to you with a care package, they pretend like you didn't exist. Akin to Tom Cruise getting disavowed in every single Mission Impossible movie.

Then imagine that vendor submitted the vulnerability details to Google and received a bug bounty award to the tune of $5,000.

Then to top it off, they sat back in a massive reclining chair, threw their head back and laughed as they donated the full $5,000 to a good cause.

It would make anyone want to go all Liam Neeson on wanting to hunt, find, and make them pay... or alternatively, write a blog post detailing the whole saga.

Not So Anonymous Dark Web

This is a heart-warming tale of how a drug vendor pled guilty after feds traced his bitcoin transactions.

Seriously though, the best part of the story has to be, "US authorities arrested Vallerius in September last year, at the Atlanta airport after he arrived in the US to attend and participate in the World Beard and Mustache Championships that was being held in Austin, Texas."

I can imagine him paraphrasing Al Capone, "I got taken down for my magnificent beard and moustache, the least of my crimes."

IBM Report On TSB'S IT Problems

For what seems like far too long now, TSB has been unable to fully service its banking customers after a complete botch job left systems unavailable.

An initial report by IBM has been published that outlines some of the preliminary findings. If you read between the lines it doesn't bode well for whoever was in charge of the program. Moving to new infrastructure, divesting, or even migrating core apps to the cloud is always great in theory, but it still needs a lot of hard work to make sure things go off smoothly. It's unfortunate to see what appears to be many captains asleep at the wheel and not asking the right questions at the right time.

The Architechure Of GitHub

Not strictly security news, but a really thorough and comprehensive writeup of GitHub's database architecture.

$31M Cryptocurreny Hack In S.Korea

Bithumb, South Korea’s second-largest exchange, said cyberattacks from late Tuesday night to Wednesday morning led to the loss of 35 billion won worth of cryptocurrencies.

Randomess

A few other stories I enjoyed reading recently.

Article Link: https://www.alienvault.com/blogs/security-essentials/things-i-hearted-this-week-22nd-june-2018