You know all those stories of leaky cloud buckets taken offline? Well, some may still be there, just badly hidden

Plus, Google warns of fake journo phishing attacks


Roundup It's once again time for the El Reg security roundup.

Takedown doesn't quite take down everything

Last week, The Register covered the story of how VPNmentor found and ultimately got a public-facing Amazon-hosted S3 bucket containing financial records of thousands of small businesses removed from view.

In that story, it was reported the misconfigured bucket in question was removed in January after AWS was notified. Shortly after our story was published, an infosec bod, who asked to remain anonymous, told El Reg they could access the files in the leaky bucket weeks after it was supposedly taken down.

After a few days of back and forth, it was concluded that for those weeks between when the takedown was said to have happened and when everything had actually gone offline, only the public-facing index, listing its contents and URLs to the data, had been removed from public view. This meant the files in the bucket could still have been accessed by anyone who had previously enumerated them.

What it boils down to is that a takedown request to AWS doesn't mean Amazon steps in and pulls the whole database from public view. Rather, the cloud giant reaches out directly to the contact it has with the customer and lets them know their storage silo was misconfigured. Usually this ends with the database owner reconfiguring their bucket so that it's truly hidden from public view, but sometimes, as in this case, the owner opts to disable just the public directory index. That means URLs scraped from the index still work.

Fortunately, it seems these cases are pretty rare. Multiple vulnerability hunters The Register spoke to on this matter all said that the overwhelming majority of companies respond promptly and positively when they catch word of an exposed database or storage bucket, taking down the whole shebang from public view.

However, some outfits will just remove the bucket's public index, thinking that will hide or obscure the contents, which is not a safe thing to do. Consider this an FYI for the future, when organizations say they've taken down a leaky cloud silo.
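The distinction above, between a bucket whose public listing is gone and a bucket whose objects are actually no longer readable, is easy to verify. The script below is an added example, not code from the article or from any of the researchers it quotes: it performs an anonymous GET on the bucket root (the ListBucket listing) and then on each previously enumerated object key, and reports one of three states. The bucket name, object keys, and sample listing XML are constructed for illustration, and the HTTP layer is passed in as a callable so the check runs offline against a fake fetcher; `http_fetch` is the real-network variant for re-checking a bucket you administer after an exposure report.

```python
"""Classify an S3 bucket's exposure after a reported "takedown".

Added example, not from the original article. Removing the public index
only stops anonymous ListBucket at the bucket root; objects whose URLs were
already scraped stay readable until GetObject is also blocked.
"""
import xml.etree.ElementTree as ET
from typing import Callable, List, Tuple

# A fetcher performs an unauthenticated GET and returns (status_code, body).
Fetcher = Callable[[str], Tuple[int, bytes]]

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample ListBucketResult, as returned for a bucket root that is
# publicly listable. Bucket and key names are invented for this example.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-leaky-bucket</Name>
  <Contents><Key>invoices/2019/acme-inc.csv</Key><Size>1024</Size></Contents>
  <Contents><Key>invoices/2019/globex.csv</Key><Size>2048</Size></Contents>
</ListBucketResult>"""


def parse_listing(body: bytes) -> List[str]:
    """Extract object keys from a ListBucketResult XML document."""
    root = ET.fromstring(body)
    return [k.text for k in root.iter(S3_NS + "Key") if k.text]


def classify_bucket(bucket_url: str, known_keys: List[str], fetch: Fetcher) -> Tuple[str, List[str]]:
    """Return (state, still_readable_keys).

    state is 'open' (listing still public), 'index-hidden' (listing blocked
    but at least one previously enumerated object still readable), or
    'closed' (neither listing nor any known object is readable anonymously).
    """
    base = bucket_url.rstrip("/")
    status, body = fetch(base + "/")          # bucket root == ListBucket
    index_public = status == 200
    keys = list(known_keys)
    if index_public:
        try:
            keys = sorted(set(keys) | set(parse_listing(body)))
        except ET.ParseError:
            pass                              # 200 but not a listing; still public
    # Probe each known key individually; a 200 here is the "index hidden, data
    # not" failure mode described in the article.
    readable = [k for k in keys if fetch(f"{base}/{k}")[0] == 200]
    if index_public:
        state = "open"
    elif readable:
        state = "index-hidden"
    else:
        state = "closed"
    return state, readable


def make_fake_fetcher(listing_public: bool, objects_public: bool) -> Fetcher:
    """Constructed stand-in for an HTTP client that simulates the three states."""
    def fetch(url: str) -> Tuple[int, bytes]:
        path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
        if path == "":
            return (200, SAMPLE_LISTING) if listing_public else (403, b"AccessDenied")
        return (200, b"csv,data") if objects_public else (403, b"AccessDenied")
    return fetch


def http_fetch(url: str) -> Tuple[int, bytes]:
    """Real anonymous GET, for re-checking a bucket you administer."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    url = "https://example-leaky-bucket.s3.amazonaws.com"   # constructed
    known = ["invoices/2019/acme-inc.csv"]
    for listing, objects in ((True, True), (False, True), (False, False)):
        print(classify_bucket(url, known, make_fake_fetcher(listing, objects)))
```

The point of keeping the enumerated keys and probing them one by one is that a 403 on the bucket root tells you nothing on its own; only a 403 (or 404) on every previously known object URL means the remediation actually closed the exposure.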

Yes, is friendly vulture of Register, The. Pleased to have your login now

A report from Google claims phishing attacks from government-backed spies are increasingly disguised as messages from journalists. When state-backed hackers try to infiltrate the networks of activist groups, companies, or government agencies, one of the favored lures is posing as a reporter with an inquiry.

"For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation," Google writes. "In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email."

Later in the report, Google revealed it had found one instance where a state-sponsored group packed a whopping five exploits, all of them zero-days, into a single campaign.

"The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns," Google said.

"The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues."

iOS video tool VLC can leak user data

A report from Cognosec security researcher Dhiraj Mishra explains how a vulnerability in the popular VLC video software can be used to lift videos from an iOS device.

The since-patched bug was attributed to an insecure direct object reference.

Hackers try to "frame" white-hat

Threat-hunter Bob Diachenko reports on this rather amusing effort by some criminal hackers to try and get Night Lion Security bod Vinny Troia in hot water.

As you might have guessed, the attempt was unsuccessful.

Deer.io market shuttered

A few weeks after nabbing Deer.io's alleged founder, the FBI says it has finally closed down the cybercrime market once and for all.

This comes after Kirill Victorovich Firsov was arrested in New York and charged with running a site that racked up an estimated $17m in fraudulent activity. Firsov is due to appear in court on April 6, though the coronavirus health emergency is likely to delay the trial for some time.

GE blames partner company for data leak

General Electric has sent out notifications to employees that some of their personal data was leaked.

In the letter [PDF], also shared with the California Attorney General, GE says that it in fact was Canon who accidentally sent out records containing worker information.

"We were notified on February 28, 2020 that Canon had determined that, between approximately February 3 - 14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems."

Employees who were affected will get two years' free credit monitoring, courtesy of Canon.

Kaspersky offers free AV tools to hospitals

Despite the global pandemic, hackers are not taking it easy on the networks of hospitals, and with so many facilities flooded with patients, a malware infection has the potential to be catastrophic.

Enter Kaspersky, which says that healthcare institutions can now get six free months of AV protection to help keep their networks safe as they ride out the coronavirus outbreak.

Unit42 launched COVID-19 cybersecurity primer

The team at Palo Alto Networks' Unit42 research operation has set up this ongoing report dedicated to listing and tracking threats associated with the coronavirus outbreak.

There is no shortage of material. Malware writers, phishing operators, and scam sites have all exploded around the outbreak.

"The purpose of this report is not to contribute to the fear and anxiety many of us are already experiencing, but to help you be informed about what is happening and how to protect yourself and your organization," says Unit42.

"We will update this blog as new information comes to light."

OpenWRT deals with man-in-the-middle update meddling

The OpenWRT project has patched a man-in-the-middle vulnerability in its software.

Dutch security researcher Guido Vranken said a miscreant who was able to intercept connections between a vulnerable router or other OpenWRT device and an upstream firmware server could then send the device poisoned software updates, thanks to an error that prevents OpenWRT from properly verifying the checksum of update files.

While an attack isn't particularly likely, owners of OpenWRT gear should still update to versions 18.06.7 or 19.07.1, where the bug is patched.
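The defensive lesson of the OpenWRT item is that checksum verification of an update file has to fail closed: a parser that accepts a malformed or incomplete digest, or a comparison that is anything less than an exact match, gives a man-in-the-middle room to substitute a payload. The following is an added example written for this roundup, not OpenWRT's own code and not a description of the specific bug Vranken found. It parses a manifest in the common `sha256sum` layout (64 lowercase hex digits, two spaces, filename), hashes the downloaded bytes, and refuses installation on any mismatch or on any manifest line that is not well formed. The manifest, package name and payload are constructed for the example, and the manifest is assumed to have arrived over an authenticated (signed) channel, since a checksum alone cannot protect against an attacker who replaces both the file and its listed digest.

```python
"""Fail-closed checksum verification for downloaded update files.

Added example, not code from OpenWRT. The manifest format is the familiar
`sha256sum` output: "<64 hex chars><two spaces><filename>" per line.
"""
import hashlib
import hmac
import re
from typing import Dict

# Anchored and exact: a short, uppercase, or otherwise odd digest is rejected
# outright instead of being compared leniently.
MANIFEST_LINE = re.compile(r"^([0-9a-f]{64})  (\S+)$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Map filename -> expected SHA-256 hex digest.

    Any malformed or duplicate line aborts parsing with ValueError, so a
    tampered manifest cannot quietly downgrade the check for one entry.
    """
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue                      # blank lines are harmless
        match = MANIFEST_LINE.match(raw)
        if not match:
            raise ValueError(f"manifest line {lineno} malformed: {raw!r}")
        digest, name = match.groups()
        if name in expected:
            raise ValueError(f"duplicate manifest entry for {name!r}")
        expected[name] = digest
    return expected


def verify_update(manifest_text: str, filename: str, payload: bytes) -> bool:
    """True only if payload's SHA-256 exactly equals the manifest's digest for filename.

    Unknown filenames return False (nothing to verify against == do not install).
    """
    expected = parse_manifest(manifest_text)
    if filename not in expected:
        return False
    actual = hashlib.sha256(payload).hexdigest()
    # compare_digest avoids early-exit timing differences; both strings are
    # ASCII hex of equal length, so the comparison is exact.
    return hmac.compare_digest(actual, expected[filename])


# --- constructed sample data for this example ---------------------------------
GOOD_PAYLOAD = b"example package contents v1"
GOOD_DIGEST = hashlib.sha256(GOOD_PAYLOAD).hexdigest()
PACKAGE_NAME = "example-pkg_1.0_all.ipk"
SAMPLE_MANIFEST = f"{GOOD_DIGEST}  {PACKAGE_NAME}\n"
# A manifest an attacker might substitute if the verifier were lenient about
# digest length: the entry is incomplete and must be rejected, not matched.
TRUNCATED_MANIFEST = f"deadbeef  {PACKAGE_NAME}\n"


def install_if_verified(manifest_text: str, filename: str, payload: bytes) -> str:
    """Wrapper showing the fail-closed decision as a caller would see it."""
    try:
        ok = verify_update(manifest_text, filename, payload)
    except ValueError as err:
        return f"refused: {err}"
    return "installed" if ok else "refused: checksum mismatch"


if __name__ == "__main__":
    print(install_if_verified(SAMPLE_MANIFEST, PACKAGE_NAME, GOOD_PAYLOAD))
    print(install_if_verified(SAMPLE_MANIFEST, PACKAGE_NAME, GOOD_PAYLOAD + b"\x00"))
    print(install_if_verified(TRUNCATED_MANIFEST, PACKAGE_NAME, GOOD_PAYLOAD))
```

Two design choices carry the weight here: the regex is anchored on both ends so the digest must be exactly 64 hex characters, and a parse failure raises rather than returning a default that a caller might mistake for "verified". Either shortcut, accepting a partial digest or treating an unparseable manifest as empty, is the kind of gap that lets a poisoned update through.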

Bad USB spotted in the wild

This month we got a rare look at an (unsuccessful) badUSB attack in the wild.

Trustwave reports that the poisoned USB stick, disguised as part of a Best Buy gift card giveaway, was not plugged in by the organization that received it, but instead handed off to the security company, who found it was indeed an Arduino microcontroller that tried to harvest and siphon off data.

Naked man crashes school lesson in Norway

Parents in Norway were mortified this week when students reported that a naked man had crashed their video lesson.

The man, apparently, guessed a weak password students were using for remote classes on the Whereby app and, unfortunately, was able to join the video stream.

Cyber-insurer Chubb warns of ransomware

Chubb, a lock company that has a side business in "cyber-insurance," has become the latest victim of the Maze ransomware.

The ransomware operators have threatened to release the infected data should the payout not be delivered. Chubb, meanwhile, says it is investigating the matter. ®
