Week in Review 30th June 2017

New Petya Variant

Unless you’ve been away for the week on a deserted location with no access to the internet, radio, or television, you’ve likely been bombarded with news of the Petya ransomware variant that took offline most of the Ukraine as well as spreading around to other countries. It echoes the disastrous impact WannaCry had just a few short weeks ago.

Perhaps the biggest victim this time round was Cadbury’s, as it had to shut down its famous chocolate factory in Hobart.

How I obtained direct publish access to 13% of npm packages

This is a great post on how ChALkeR was able to obtain direct publish access to 13% of npm packages – with an estimated reach of up to 52% once you factor in dependency chains.

It’s interesting because it’s relatively straightforward using three basic techniques of bruteforcing, reusing passwords from leaks, and npm credentials on GitHub.

You are not Google

Neither are you Amazon, or LinkedIn, or Facebook, or Netflix etc. A great post especially for engineers.

This line of thinking can be expanded into security too. Just because a large, well-funded, and highly targeted company is using the latest bleeding edge next generation security products and tools, it doesn’t mean every company needs to adopt the same toolset. Rather, it’s about looking at what matters most, and getting security controls that are appropriate.

I really need to find better ways of explaining my thoughts, the paragraph I just wrote throws me back to days of being a consultant.

Legal boundaries and privacy

The long-running case between the US Department of Justice and Microsoft has taken another turn as the DoJ has petitioned the US supreme court to get involved in allowing the US government access to Microsoft emails stored at its Dublin data centre.

As Microsoft president and chief counsel Brad Smith argued in a blog post, if the US government has the right to directly seize internationally-held data, then other countries will of course expect the same right. This in effect would allow international digital raids for American or other nations’ data, in the US or around the world, with near-impunity.

The EU will be keeping a close eye on this, especially from a GDPR perspective. And the results of this case could have a significant impact on cloud computing.

I fought the law and the law won

The German parliament has passed an expansion of police hacking powers which allows the police to hack, crack, bypass, and use malware in all manner of investigations.

However, the mindset where leaders believe encryption is a nuisance doesn’t appear to be limited to Europe. Australia recently pushed for weaker encryption at a ‘five eyes’ meeting.

Related, the new EU digital commissioner, Mariya Gabriel, fails to clarify position on encryption.

With more and more governments around the world looking at weakening online security measures, one has to wonder how long before the algorithm breaks.

Draft defense bill would ban Kaspersky products

Not to say the US Department of Defense is Russian to conclusions (thanks Shannon for the pun); but the DoD may ban the use of security products from Kaspersky. The Moscow-based company is accused by US oficials of possibly being under Russian influence.

There has been no public evidence provided to substantiate the claims against Kaspersky – which again, can set a dangerous precedent.

Skype Zero-Day

A security researcher uncovered a Skype vulnerability that allows attackers to remotely execute code and do all sorts of nasty stuff.

Technical details can be found here

Microsoft has a patch available and recommends users upgrade to the latest version of Skype immediately to avoid disappointment.


Article Link: http://feeds.feedblitz.com/~/381207770/0/alienvault-blogs~Week-in-Review-th-June