You know all those stories of leaky cloud buckets taken offline? Well, some may still be there, just badly hidden

Plus, Google warns of fake journo phishing attacks

Roundup It's once again time for the El Reg security roundup.

Takedown doesn't quite take down everything

Last week, The Register covered the story of how VPNmentor found a public-facing Amazon-hosted S3 bucket containing financial records of thousands of small businesses, and ultimately got it removed from view.

In that story, it was reported the misconfigured bucket in question was removed in January after AWS was notified. Shortly after our story was published, an infosec bod, who asked to remain anonymous, told El Reg they could still access the files in the leaky bucket weeks after it was supposedly taken down.

After a few days of back and forth, it was concluded that for those weeks between when the takedown was said to have happened and when everything had actually gone offline, only the public-facing index (the listing of the bucket's contents and the URLs to each object) had been removed from public view. The objects themselves were still readable, so anyone who had previously enumerated them could still fetch the files.

What it boils down to is that a takedown request to AWS doesn't mean Amazon steps in and pulls the whole bucket from public view. Rather, the cloud giant reaches out to the contact it has for the customer and lets them know their storage silo is misconfigured. Usually this ends with the owner reconfiguring the bucket so that it's truly hidden from public view, but sometimes, as in this case, the owner disables just the public directory listing. That stops new visitors from discovering object names, but the objects stay publicly readable, so URLs scraped from the index still work.

Fortunately, it seems these cases are pretty rare. Multiple vulnerability hunters The Register spoke to on this matter all said the overwhelming majority of companies respond promptly and positively when they catch word of an exposed database or storage bucket, and take the whole shebang out of public view.

However, some outfits will just remove the bucket's public index, thinking that will hide or obscure the contents, which is not a safe thing to do. Consider this an FYI for the future: when an organization says it has taken down a leaky cloud silo, check that the objects themselves are no longer fetchable, not just the listing.
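To make that check concrete, here is an added example (not code from The Register, VPNmentor or AWS) that runs the two probes the anonymous researcher effectively ran: an unauthenticated GET of the bucket root, which exercises listing, and an unauthenticated GET of one object URL scraped earlier. S3 answers 200 for a public resource and 403 when anonymous access is denied, so the pair of status codes tells the "listing disabled only" half-fix apart from a bucket that is genuinely closed. The bucket and key names are placeholders; the status-code pairs in the demonstration are constructed so the script runs offline.

```python
"""Added example: distinguish an S3 bucket whose directory listing was merely
disabled from one whose objects are actually private. Not the article's, VPNmentor's
or AWS's code; bucket/key names are placeholders."""
import urllib.error
import urllib.request


def http_status(url: str, timeout: float = 10.0) -> int:
    """Return the HTTP status of an unauthenticated GET of `url`.
    S3: 200 = publicly readable, 403 = anonymous access denied, 404 = no such bucket."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify_exposure(list_status: int, object_status: int) -> str:
    """Interpret the two probes.

    list_status   -- status of GET https://<bucket>.s3.amazonaws.com/  (ListBucket)
    object_status -- status of GET https://<bucket>.s3.amazonaws.com/<known-key>  (GetObject)
    """
    if list_status == 200:
        return "open: anyone can enumerate and fetch objects"
    if object_status == 200:
        # The half-fix described above: the index is gone, but every URL
        # scraped before the "takedown" still serves the object.
        return "listing disabled only: previously enumerated URLs still work"
    if list_status in (403, 404) and object_status in (403, 404):
        return "closed: neither listing nor object reads are public"
    return f"inconclusive: list={list_status} object={object_status}"


def probe_bucket(bucket: str, known_key: str) -> str:
    """Run both probes against a live bucket (needs network access)."""
    base = f"https://{bucket}.s3.amazonaws.com/"
    return classify_exposure(http_status(base), http_status(base + known_key))


if __name__ == "__main__":
    # Offline demonstration with constructed status pairs. For a live check use
    # probe_bucket("example-bucket", "exports/2019/invoices.csv") with a key you
    # recorded while the listing was still public.
    for codes in ((200, 200), (403, 200), (403, 403)):
        print(codes, "->", classify_exposure(*codes))
```

If the second probe still returns 200 after a reported takedown, the owner removed only the listing grant. The fix is to remove the public-read ACL or bucket-policy statement on the objects, or simply turn on S3 Block Public Access for the bucket, after which both probes return 403.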

Yes, is friendly vulture of Register, The. Pleased to have your login now

A report from Google claims phishing attacks from government-backed spies are increasingly disguised as messages from journalists. When state-backed hackers try to infiltrate the networks of activist groups, companies, or government agencies, one of the favored lures is posing as a reporter with an inquiry.

"For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation," Google writes. "In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email."

Later in the report, Google revealed it had found one instance where a state-sponsored group packed a whopping five exploits, all of them zero-days, into a single campaign.

"The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns," Google said.

"The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues."

iOS video tool VLC can leak user data

A report from Cognosec security researcher Dhiraj Mishra explains how a vulnerability in the popular VLC video software can be used to lift videos from an iOS device.

The since-patched bug was attributed to an insecure direct object reference.

Hackers try to "frame" white-hat

Threat-hunter Bob Diachenko reports on this rather amusing effort by some criminal hackers to try and get Night Lion Security bod Vinny Troia in hot water.

As you might have guessed, the attempt was unsuccessful.

market shuttered

A few weeks after nabbing's alleged founder, the FBI says it has finally closed down the cybercrime market once and for all.

This comes after Kirill Victorovich Firsov was arrested in New York and charged with running a site that racked up an estimated $17m in fraudulent activity. Firsov is due to appear in court on April 6, though the coronavirus health emergency is likely to delay the trial for some time.

GE blames partner company for data leak

General Electric has sent out notifications to employees that some of their personal data was leaked.

In the letter [PDF], also shared with the California Attorney General, GE says it was in fact Canon that accidentally exposed records containing worker information.

"We were notified on February 28, 2020 that Canon had determined that, between approximately February 3 - 14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems."

Employees who were affected will get two years' free credit monitoring, courtesy of Canon.

Kaspersky offers free AV tools to hospitals

Even in the middle of a global pandemic, hackers are not taking it easy on hospital networks, and with so many facilities flooded with patients, a malware infection has the potential to be catastrophic.

Enter Kaspersky, which says healthcare institutions can now get six months of free AV protection to help keep their networks safe as they ride out the coronavirus outbreak.

Unit42 launches COVID-19 cybersecurity primer

The team at Palo Alto Networks' Unit42 research operation has set up this ongoing report dedicated to listing and tracking threats associated with the coronavirus outbreak.

There is no shortage of material. Malware writers, phishing operators, and scam sites have all exploded around the outbreak.

"The purpose of this report is not to contribute to the fear and anxiety many of us are already experiencing, but to help you be informed about what is happening and how to protect yourself and your organization," says Unit42.

"We will update this blog as new information comes to light."

OpenWRT deals with man-in-the-middle update meddling

The OpenWRT project has patched a man-in-the-middle vulnerability in its software.

Dutch security researcher Guido Vranken said a miscreant able to intercept connections between a vulnerable router or other OpenWRT device and an upstream firmware server could feed the device poisoned software updates, thanks to an error that prevents OpenWRT from properly verifying the checksum of update files.

While an attack isn't particularly likely, since it requires a position on the network path between the device and the update server, owners of OpenWRT gear should still update to versions 18.06.7 or 19.07.1, where the bug is patched.
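The failure mode here is a verifier that effectively fails open: if the checksum it expected is never parsed or never compared, the download is accepted as though it had been checked. The following added example (not OpenWRT's or opkg's code, and not a reproduction of the actual bug) shows that pattern next to a fail-closed verifier, using a constructed package index in the "Field: value" style of an opkg Packages file. Note the third entry, whose SHA256sum line is indented; a parser that silently drops lines it does not understand leaves that package with no checksum at all, and a fail-open verifier then waves it through.

```python
"""Added example: fail-open versus fail-closed package verification against a
checksum carried in a package index. Illustrative only; not OpenWrt/opkg code.
The index text and package bytes below are constructed for the demonstration."""
import hashlib
import hmac

PACKAGE_BYTES = b"fake ipk contents for demonstration\n"
GOOD_SUM = hashlib.sha256(PACKAGE_BYTES).hexdigest()

# Constructed index: entries separated by blank lines. The last entry's
# SHA256sum line is indented, so a strict parser must not accept it as a field.
INDEX = f"""Package: example-tool
Version: 1.0-1
Filename: example-tool_1.0-1_x86_64.ipk
SHA256sum: {GOOD_SUM}

Package: no-sum-tool
Version: 2.0-1
Filename: no-sum-tool_2.0-1_x86_64.ipk

Package: bad-line-tool
Version: 3.0-1
Filename: bad-line-tool_3.0-1_x86_64.ipk
 SHA256sum: {GOOD_SUM}
"""


def parse_index(text: str) -> dict:
    """Return {package name: {field: value}}. Only 'Key: value' lines that start
    in column 0 are fields; anything else is ignored rather than guessed at."""
    entries, current = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries[current["Package"]] = current
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep and key and not key[0].isspace():
            current[key] = value.strip()
    if current:
        entries[current["Package"]] = current
    return entries


def verify_fail_open(entry: dict, data: bytes) -> bool:
    """The dangerous pattern: no checksum parsed means nothing to compare,
    so the package 'passes'. Do not write verifiers like this."""
    expected = entry.get("SHA256sum")
    if expected is None:
        return True
    return hashlib.sha256(data).hexdigest() == expected


def verify_fail_closed(entry: dict, data: bytes) -> bool:
    """A missing, malformed or mismatched checksum rejects the package."""
    expected = entry.get("SHA256sum")
    if not expected or len(expected) != 64:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


if __name__ == "__main__":
    entries = parse_index(INDEX)
    tampered = PACKAGE_BYTES + b"# attacker-appended payload\n"
    for name, entry in entries.items():
        print(f"{name:14s} fail-open={verify_fail_open(entry, tampered)!s:5s} "
              f"fail-closed={verify_fail_closed(entry, tampered)}")
```

Two caveats a practitioner would add. First, a checksum in the index only helps when the index itself is authenticated (OpenWRT signs its package lists); if an attacker on the path can rewrite the index over plain HTTP, they can rewrite the checksum too. Second, the fail-closed version deliberately treats "no checksum found" exactly like "wrong checksum", which is the property the fail-open variant lacks.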

Bad USB spotted in the wild

This month we got a rare look at an (unsuccessful) badUSB attack in the wild.

Trustwave reports that the poisoned USB stick, disguised as part of a Best Buy gift card giveaway, was not plugged in by the organization that received it but instead handed off to the security company, which found the "stick" was in fact an Arduino microcontroller that tried to harvest and siphon off data.
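The tell-tale sign of a BadUSB device is a "storage stick" that enumerates as a keyboard. As an added example (not Trustwave's analysis or tooling, and not a claim about how this particular device identified itself), the script below correlates Linux kernel USB log lines into per-port device records and flags any device that exposes a HID keyboard interface while carrying the vendor ID of a hobby microcontroller board. The log lines are constructed in dmesg's style; the vendor-ID list (Arduino 2341, SparkFun 1b4f, Adafruit 239a, Teensy/VOTI 16c0) is an assumption to be tuned for your environment.

```python
"""Added example: spot a USB device that enumerates as a keyboard but identifies
as a microcontroller dev board. Not Trustwave's code; log lines are constructed."""
import re

# Constructed sample: a legitimate Logitech keyboard on port 1-2, then an
# Arduino-class board on port 1-3 presenting a HID keyboard interface.
SAMPLE_LOG = """\
usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-2: Product: USB Keyboard
usb 1-2: Manufacturer: Logitech
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-2/input0
usb 1-3: New USB device found, idVendor=2341, idProduct=8036, bcdDevice= 1.00
usb 1-3: Product: Arduino Leonardo
usb 1-3: Manufacturer: Arduino LLC
input: Arduino LLC Arduino Leonardo as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.2/0003:2341:8036.0002/input/input6
hid-generic 0003:2341:8036.0002: input,hidraw1: USB HID v1.01 Keyboard [Arduino LLC Arduino Leonardo] on usb-0000:00:14.0-3/input2
"""

# Assumed denylist of dev-board vendor IDs commonly used for keystroke injection.
SUSPICIOUS_VENDORS = {"2341", "1b4f", "239a", "16c0"}

NEW_DEVICE = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")
PRODUCT = re.compile(r"usb (\S+): Product: (.*)")
HID_KEYBOARD = re.compile(
    r"hid-generic 0003:([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\.\S+: .*Keyboard")


def parse_usb_events(log: str) -> dict:
    """Return {port: {vid, pid, product, keyboard}} built from dmesg-style lines.
    The hid-generic line carries VID:PID (upper case) rather than the port, so
    keyboard interfaces are joined back to the device via those IDs."""
    devices, by_ids = {}, {}
    for line in log.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            port, vid, pid = m.group(1), m.group(2).lower(), m.group(3).lower()
            devices[port] = {"vid": vid, "pid": pid, "product": "", "keyboard": False}
            by_ids[(vid, pid)] = devices[port]
            continue
        m = PRODUCT.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["product"] = m.group(2).strip()
            continue
        m = HID_KEYBOARD.match(line)
        if m:
            rec = by_ids.get((m.group(1).lower(), m.group(2).lower()))
            if rec is not None:
                rec["keyboard"] = True
    return devices


def suspicious_keyboards(devices: dict) -> list:
    """Ports whose device registered a keyboard interface under a dev-board VID."""
    return sorted(port for port, d in devices.items()
                  if d["keyboard"] and d["vid"] in SUSPICIOUS_VENDORS)


if __name__ == "__main__":
    devs = parse_usb_events(SAMPLE_LOG)
    for port in suspicious_keyboards(devs):
        d = devs[port]
        print(f"ALERT port {port}: {d['product']!r} ({d['vid']}:{d['pid']}) acts as a keyboard")
```

A device built with more care can present whatever vendor and product IDs it likes, so this catches only the lazy builds; the robust control is a USB device allowlist (usbguard on Linux, or equivalent endpoint policy) plus the rule the recipient here followed, which is not to plug in unsolicited hardware at all.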

Naked man crashes school lesson in Norway

Parents in Norway were mortified this week when students reported that a naked man had crashed their video lesson.

The man, apparently, guessed a weak password students were using for remote classes on the Whereby app and, unfortunately, was able to join the video stream.

Cyber-insurer Chubb warns of ransomware

Chubb, a lock company that has a side business in "cyber-insurance," has become the latest victim of the Maze ransomware.

The ransomware operators have threatened to release the stolen data should the payout not be delivered. Chubb, meanwhile, says it is investigating the matter. ®


Biting the hand that feeds IT © 1998–2022