Friday Five: 2/02 Edition



Cryptocurrency phishing, gas station hacks, and tax scams -- catch up on the week's infosec news with this roundup!

1. Autosploit Marries Shodan, Metasploit, Puts IoT Devices at Risk by Teri Robinson

There was a lot of controversy this week - unwarranted, in my opinion - over AutoSploit, a tool that essentially blends Shodan, the search engine that lets users find computers connected to the internet, with Metasploit, the ubiquitous penetration testing framework. The tool didn't require much overhead; it's just 400 lines of Python, likely no more than a couple of hours of coding, but that didn't stop some folks from hitting the panic button. Richard Bejtlich of TaoSecurity tweeted "There is no need to release this. The tie to Shodan puts it over the edge. There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies." I think I fall more in line with Kim Zetter's line of thinking - Metasploit has been around for ages, after all...

Although Cisco Talos' Craig Williams makes a valid point here as well:

2. Flaws in Gas Station Software Let Hackers Change Prices, Steal Fuel, Erase Evidence by Kim Zetter

Speaking of Zetter, she had a great story by way of Motherboard this week on vulnerabilities in automated fuel pump software that could let attackers make off with credit card numbers, intercept payments, and disable fuel pumps. The flaws were found by Kaspersky Lab's Ido Naor and Amihai Neiderman, the researcher who found dozens of bugs in Samsung's Tizen operating system last year. The story is the second in the last two weeks about cybercriminals targeting drivers at the pump: earlier this month the Russian Federal Security Service reportedly arrested a hacker for manipulating pumps and tricking drivers into paying more than they owed for gas.

3. Hackers Breached BeeToken’s Email List and Stole $1M Worth of Ethereum by The Next Web's Mix

It's safe to say not a week goes by these days without news of a cryptocurrency scam, miner, or campaign. This week the cryptocurrency startup BeeToken was the target; its initial coin offering was hit by phishers who managed to extract more than $1M in Ether, the cryptocurrency of the Ethereum blockchain, from investors. It's unclear exactly how the attackers got hold of investors' email addresses, but that hasn't stopped users from speculating on Reddit.

4. The End of Data Without Borders by Antonio García Martínez

A relatively quick read via Wired on how the storage and transmission of data has evolved over the years, specifically how data today is effectively locationless and how that compounds the confusion around sharing and regulating it. The author is in favor of regulators coming together to treat data like a traded commodity such as oil or grain. "In facilitating and safeguarding the lawful exchange of data between independent countries, whether in the name of commerce or the rule of law, these digital trade agreements would help lay the groundwork for the global, digital infrastructure that our future selves deserve," Antonio García Martínez writes.

5. File Your Taxes Before Scammers Do It For You by Brian Krebs

Some sage advice via Brian Krebs here. It almost sounds like a no-brainer - do your taxes now, before the bad guys do them for you - but the concept takes on a different, almost urgent light post-Equifax. The dust has barely settled around last year's breach of 145.5 million Americans, and it's a safe bet many won't realize until this winter, as they're trying to file their taxes, that they've been a victim of identity theft. Krebs' advice may be a variation on what security pros offer every year, but it's still solid and worth reading through.

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with nearly a decade of experience writing about information security, hackers, and privacy. Prior to joining Digital Guardian he helped launch Threatpost.