There was a lot of controversy this week - unwarranted, in my opinion - over AutoSploit, a tool that essentially blends Shodan, a search engine that allows users to find computers connected to the internet, with Metasploit, the ubiquitous penetration testing software. The tool didn't require much overhead: just 400 lines of Python code, likely no more than a couple of hours of coding, but that didn't stop some folks from hitting the panic button. Richard Bejtlich of TaoSecurity tweeted "There is no need to release this. The tie to Shodan puts it over the edge. There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies." I think I fall more in line with Kim Zetter's line of thinking - Metasploit has been around for ages, after all...
The controversy over the public release of AutoSploit - an automated tool for attacking IoT devices found via Shodan - is interesting. The criticism that this makes it easier for hackers to attack IoT is the same criticism long made about Metasploit. Why is AutoSploit different?
— Kim Zetter (@KimZetter) January 31, 2018
Although Cisco Talos' Craig Williams makes a valid point here as well:
The fact that AutoSploit seems to be designed to target systems across the internet you likely don't control or have permission to attack puts it much closer to malware category for me. https://t.co/L16boqpUgv
— Craig Williams (@security_craig) January 31, 2018
2. Flaws in Gas Station Software Let Hackers Change Prices, Steal Fuel, Erase Evidence by Kim Zetter
Speaking of Zetter, great story from her by way of Motherboard this week on attackers who managed to exploit vulnerabilities in automated fuel pumps to make off with credit card numbers, intercept payments, and disable fuel pumps. Kaspersky Lab's Ido Naor and Amihai Neiderman, the researcher who found dozens of bugs in Samsung's Tizen operating system last year, found the flaws. The story is the second to come out over the last two weeks about how cybercriminals have targeted drivers at the pump. The Russian Federal Security Service reportedly arrested a hacker for manipulating pumps and tricking drivers into paying more than they owed for gas earlier this month.
It’s safe to say not a week goes by these days without news of a cryptocurrency scam, miner, or campaign. This week cryptocurrency startup BeeToken was on the hook; the group had its initial coin offering targeted by phishers who managed to extract more than $1M in Ether, a cryptocurrency whose blockchain is generated by Ethereum, from investors. It's unclear exactly how attackers managed to access investor emails but that hasn’t stopped users from speculating on Reddit.
This is a fake/scam email. Please disregard it. https://t.co/CzhhGvoFl6
— The Bee Token (@thebeetoken) January 31, 2018
A relatively quick read via Wired on how the storage and transmission of data has evolved over the years, namely how all data these days is locationless and how that compounds confusion when it comes to sharing/regulating data. The author is in favor of regulators coming together to treat data like oil or grain. "In facilitating and safeguarding the lawful exchange of data between independent countries, whether in the name of commerce or the rule of law, these digital trade agreements would help lay the groundwork for the global, digital infrastructure that our future selves deserve," Antonio García Martínez writes.
Some sage advice via Brian Krebs here. It almost sounds like a no-brainer - do your taxes now before the bad guys do it for you - but the concept takes on a different, almost urgent light post-Equifax. The dust has barely settled around last year's breach of 145.5 million Americans, and it's a safe bet many won't realize until this winter, as they're trying to file their taxes, that they've been a victim of identity theft. Krebs' advice may be a variation on the same advice that's offered by security pros every year, but it's still solid advice worth reading through.