Friday Five: 1/26 Edition



IoT botnets, encryption, GDPR -- catch up on the week's infosec news with this roundup!

1. IT 'Heroes' Saved Maersk From NotPetya With Ten-day Reinstallation Blitz by Richard Chirgwin

The fact that Copenhagen-based shipping giant A.P. Moller-Maersk was hit hard ($300M hard) by last year’s NotPetya ransomware attacks is well established at this point. What wasn’t known, at least until this week, was exactly how much work the company had to do to get back on its feet. Over the course of 10 days, IT admins had to reinstall 4,000 new servers, 45,000 new PCs, and 2,500 applications, essentially a "complete infrastructure" rebuild. The company's chair, Jim Hagemann Snabe, recapped the attack and the rehab that followed in a panel at the World Economic Forum this week. The Register's Richard Chirgwin recapped the chat on Thursday, but those looking for more insight, like how Maersk plans to tackle future cyber attacks, may find the actual video worth watching.

2. This Unusual New IoT Botnet is Spreading Rapidly via Peer-to-Peer Communication by Danny Palmer

A fairly new botnet has ensnared thousands of IoT devices this week. On Wednesday it had 14,000 across the world, but that number blossomed to more than 24,000 on Thursday. The botnet, dubbed Hide N' Seek by researchers at Bitdefender, is co-opting a decentralized peer-to-peer communication technique, according to ZDNet's Danny Palmer, who reported on it Wednesday. The botnet bears a similarity, at least in the way it propagates, to Hajime, the Mirai-like botnet uncovered last year. Hajime also used a peer-to-peer architecture, in lieu of a command and control server, to send commands to bots.

3. Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes by Andy Greenberg

The internet's come a long way over the last decade. Practically everything (site, service, you name it) uses HTTPS. Except Tinder, apparently. Researchers with Checkmarx revealed this week that the app lacks encryption for photos, meaning all it would take for a hacker to eavesdrop on a user would be ensuring they're on the same WiFi network. Wired's Andy Greenberg delved into the Israeli firm's research on Tuesday. Turns out an attacker could easily snoop on a user to watch each swipe left, right, or match. The proof of concept software researchers devised certainly makes it look easy enough.

4. Facebook To Roll Out Global Privacy Settings Hub — Thanks to GDPR by Natasha Lomas

Like LinkedIn before it, Facebook said this week it plans to implement a new privacy center for users worldwide as it aims to support looming General Data Protection Regulation (GDPR) compliance. According to TechCrunch's Natasha Lomas, the social network's COO Sheryl Sandberg revealed the plans at an event in Brussels on Tuesday. Earlier this month LinkedIn posted a Data Processing Agreement on its site, essentially an info sheet recapping how it plans to put new protections in place for users in keeping with GDPR. We’ve written on this blog before about how this will continue to be a trend through the beginning half of 2018; looks like Facebook is the latest to conform to the new norm.

5. Electron Framework Flaw Puts Popular Desktop Apps at Risk by Michael Heller

It feels like every few weeks there's a damning new vulnerability in a relatively unknown third party or open source framework. This week it was in Electron, a framework that uses Node.js and Chromium to build desktop apps. Researchers warned that apps like Slack, Skype, WordPress, Twitch, and briefly (and incorrectly) Signal were vulnerable and could be exploited by attackers to remotely execute code. Signal chimed in on Wednesday and said that since the app doesn’t register any custom protocol handlers it’s not affected by this vulnerability. Electron pushed out two patched versions: 1.8.2-beta.4, 1.7.11, and 1.6.16 to address the issue.

Chris Brook
