Stunning infosec tips from Uncle Sam, furries exposed, Chase bank web leak, and more
A busy and bonkers week in security
Miners, miners everywhere
Over the last few months we've seen an explosion of digital currency mining software springing up online. This is due to a couple of factors – the increasing valuations of such online cash and mining code supplied by outfits like Coinhive.
Now, it seems, this stuff is everywhere, and some big names are getting hit. Possibly the biggest was Tesla, who were revealed to have been hit hard by cryptocurrency mining software that was slipped into its servers.
Musk may be a master at launching rockets and kickstarting mass demand for electric cars but his IT team could use a good talking to. They had left several Kubernetes instances wide open on AWS, one of which contained the admin login credentials for Tesla's account with Bezos' cloudy services.
Some hackers saw the opportunity for some quick coin and took it. The mining software ran as expected for some time before it was discovered by researchers at security shop Redlock and shut down. Given Elon's habits of being blunt with staff the IT admin also got a strip torn off him, most likely.
But Microsoft also had a mining slip of its own this week. A researcher spotted that there was an issue with Microsoft Word documents that could be used to sneak a Monero miner onto users' computers.
Word has a handy little feature that allows a video to be shown in a document without having to embed the whole file. Word's Online Video function instead opens an Internet Explorer window and plays the video that way.
The downside of this is that a canny adversary can use this window to run a coin miner. It's a bit limited, in that the user has to be actively watching the video for the coin miner to work, but it's a good example of how sneaky these digital thieves are getting.
And finally, some good news
We like to end things on a positive note and there was some excellent news this week for fans of secure communications.
Signal, the end-to-end encrypted application developed by the Whisper team, has been running on a shoestring pretty much from the start. Moxie Marlinspike, the dreadlocked anarchist who came up with the idea, has done wonders but now the team has got a massive cash infusion.
Brian Acton, the cofounder of WhatsApp, has kicked in $50m to the group, which is now reforming as a nonprofit organization. That's going to allow for a lot more development of the application.
"We can now increase the size of our team, our capacity, and our ambitions," said Moxie in a blog post.
"This means reduced uncertainty on the path to sustainability, and the strengthening of our long-term goals and values. Perhaps most significantly, the addition of Brian brings an incredibly talented engineer and visionary with decades of experience building successful products to our team."
Some online dismissed the news as a sign that the group is selling out. But anyone who has had any dealings with Moxie knows that Satan will have to ride to work on a snowplough before that happens – the guy is vociferous in standing up to any such interference and exposing it when it occurs. ®