A company known for backup shuts down after its AWS account gets hacked, the hedge fund that's under attack, how far you can get with a little cab data…
Your questions, our answers, and much, much more!
— Show Notes: —
Company shuts down after their AWS account compromised, all customer data deleted
- Code Spaces, a source code hosting and backup service has ceased doing business
- On June 17th the company came under a DDoS attack, which is apparently business as normal for them
- Later, they found messages in their Amazon Web Services portal, urging them to contact a hotmail address
- When contacted, the attacker demanded a large ransom
- When Code Spaces attempted to change their passwords in the AWS control panel, additional administrator accounts added by the attacker were used to delete all EC2 virtual machines, S3 stores and EBS volumes in the account before all access could be revoked
- The most embarrassing part of the situation is the text on the original Code Spaces website:
“Backing up data is one thing, but it is meaningless without a recovery plan, not only that [but also] a recovery plan—and one that is well-practiced and proven to work time and time again,” “Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.”
- It is not clear what the Code Spaces backup strategy was, but it seemed to involve the same Amazon account
- In general, the idea with an “offsite” backup is to separate it from a failure of the primary. If you keep the backups for your database beside the database server and your office burns down, what good are the backups?
- What if Amazon suffered a catastrophic data loss? Or what if your account is compromised?
- The backups should have at least been in a different Amazon account that was very strictly controlled, or better yet, stored in some other service
- It is still unclear how the account was compromised, but it seems likely that Code Spaces was not making use of Amazon’s Multi-Factor Authentication service, which offers either a mobile phone app or two different types of hardware authenticator (key fob and credit-card style)
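As an added illustration of the two controls these notes call out (MFA on console logins, and attacker-added administrator accounts going unnoticed), not code from the show or from Code Spaces: a small Python review of an IAM credential report. The report text below is a constructed sample carrying only a subset of the real report's columns, and the account id, user names and dates are made up.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an IAM credential report (subset of columns only).
# Account id, user names and timestamps are made up for the demo.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111111111111:root,2012-01-05T10:00:00+00:00,not_supported,false,false
ops-admin,arn:aws:iam::111111111111:user/ops-admin,2012-03-01T09:12:00+00:00,true,true,true
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,2013-07-19T14:30:00+00:00,false,false,true
support2,arn:aws:iam::111111111111:user/support2,2014-06-17T03:41:00+00:00,true,false,true
"""

def parse_report(text):
    """Parse the CSV report into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(text)))

def review_credentials(rows, now, recent_days=7):
    """Return (user, finding) pairs a defender wants before an incident:
    root without MFA, console passwords without MFA, and principals created
    recently (an attacker who adds their own administrators shows up here)."""
    findings = []
    cutoff = now - timedelta(days=recent_days)
    for row in rows:
        user = row["user"]
        created = datetime.fromisoformat(row["user_creation_time"])
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append((user, "root account has no MFA"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        if created >= cutoff:
            findings.append((user, "created within the last %d days" % recent_days))
    return findings

def run_demo():
    # Fixed "now" so the constructed sample gives a stable result.
    now = datetime(2014, 6, 18, tzinfo=timezone.utc)
    return review_credentials(parse_report(SAMPLE_REPORT), now)

if __name__ == "__main__":
    for user, finding in run_demo():
        print("%-16s %s" % (user, finding))
```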
Poorly anonymized NYC Taxi data, de-anonymized
- Under an Open Data initiative, the New York City Taxi & Limousine Commission released the anonymized GPS logs of all taxi trips in 2013 (173 million trips)
- Chris Whong got a hold of this data and did some interesting stuff with it
- When he was done with it, he posted the data for everyone
- Developer Vijay Pandurangan took a look at the data and noticed that the medallion and hack numbers appeared to simply be MD5 hashes
- In particular, the driver with ID# CFCD208495D565EF66E7DFF9F98764DA appeared to have an impossibly large number of trips
- Turns out that is the MD5 hash of “0”, used for the cases where the data was unavailable
- Realizing that the data was only anonymized using MD5, and knowing the structure of a driver’s license # (5-7 characters, with specific positions being numbers or letters), he was able to brute force all 24 million combinations in only 2 minutes using a single CPU
- Once this was done, he had the original un-anonymized data
- Using other websites, it is possible to link the medallion and hack numbers to the owners names
- Original Post
- Additional Coverage – Ars Technica
- To prevent this, there are a number of approaches; the fastest but weakest is a ‘secret key’. Instead of md5(hack#), just do md5(SUPERLONGSECRETKEY + hack#): as long as the attacker doesn’t know the secret key, and it is long enough to make guessing it impractical, the data would remain anonymized
- Another option is to use the md5 hash of the encrypted form of the value. This ultimately relies on a secret key as well. However, if the data never needs to be de-anonymized, a very strong key can be used and then destroyed, making decryption impossible.
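To make the two points above concrete (why an unkeyed MD5 over a small, structured ID space is reversible, and why a keyed pseudonym is not without the key), here is an added Python demo; it is not code from the show, from Chris Whong or from Vijay Pandurangan. The identifier format is a constructed toy (one letter plus three digits), not the real NYC medallion or hack-number format, and HMAC-SHA256 stands in for the md5(SECRETKEY + value) idea described above.

```python
import hashlib
import hmac
import itertools
import string

# Constructed toy identifier space for the demo, NOT the real NYC medallion or
# hack-number format: one uppercase letter followed by three digits (26,000 values).
def toy_id_space():
    for letter in string.ascii_uppercase:
        for digits in itertools.product(string.digits, repeat=3):
            yield letter + "".join(digits)

def weak_pseudonym(value: str) -> str:
    """Unkeyed MD5 of the raw identifier: the scheme used in the taxi release."""
    return hashlib.md5(value.encode()).hexdigest().upper()

def keyed_pseudonym(value: str, key: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 under a secret key. Without the key,
    the pseudonym -> identifier table cannot be rebuilt."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest().upper()

def build_reverse_table(pseudonymize, candidates):
    """Enumerate the whole identifier space once and index it by pseudonym."""
    return {pseudonymize(c): c for c in candidates}

def recover(pseudonyms, table):
    """Look each released pseudonym up in the table; None means not recovered."""
    return {p: table.get(p) for p in pseudonyms}

def is_missing_value(pseudonym: str) -> bool:
    """The 'impossibly busy driver' in the release was just MD5 of the string '0'."""
    return pseudonym.upper() == weak_pseudonym("0")

def run_demo():
    ids = list(toy_id_space())
    released = [weak_pseudonym("A123"), weak_pseudonym("Z999"), weak_pseudonym("0")]
    weak_table = build_reverse_table(weak_pseudonym, ids)
    weak_result = recover(released, weak_table)   # both real IDs come back
    secret = b"constructed-demo-key-destroy-after-use"
    keyed_released = [keyed_pseudonym("A123", secret)]
    # Someone without the key can only guess one; a wrong guess yields no hits.
    guessed = build_reverse_table(lambda v: keyed_pseudonym(v, b"wrong-key"), ids)
    keyed_result = recover(keyed_released, guessed)
    return weak_result, keyed_result

if __name__ == "__main__":
    weak, keyed = run_demo()
    print("unkeyed MD5 recovered:", weak)
    print("keyed HMAC recovered :", keyed)
```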
Hackers attack hedge fund for monetary gain
- BAE Systems, a British defense contractor that also specializes in cyber security, was called in to investigate after computers at a hedge fund were hacked
- The attackers somehow infiltrated the HFT (High Frequency Trading) system, and injected delays of several hundred microseconds into the order entry system
- This caused the hedge fund to miss out on profits it could have made on the trades
- It is suspected that the attackers capitalized on this to make those profits themselves
- Hedge funds “really have inadequate cybersecurity as a whole,” and the attacks threaten to undermine the systems used globally for high-speed trading, said Tom Kellermann, chief cyber security officer for Trend Micro Inc.
Feedback:
Round Up:
- Massachusetts high court orders suspect to decrypt his computers
- Department of Justice Canada IT department runs mock phishing campaign against staff; 37% take the bait in December, and rates are cut in half in an April re-test after an awareness campaign and additional training
- Security Industry is failing to fix underlying dangers – applications need to be securely written, rather than have security bolted on
- Huawei (Chinese router manufacturer) has some very strict password complexity requirements
- Company wins lawsuit against bank to recover funds stolen by hackers. $3.5 million was stolen from the company account in 2011 when it was taken over by hackers; the bank managed to claw back all but $299,000 of it, and the company sued the bank for the remaining balance and won $350,000
- Cisco open sources FNR cipher, designed to very quickly encrypt IP addresses to anonymize log data
- World Cup Security Team Accidentally Shares Its Awful Wi-Fi Password
- “Yo” mobile app hacked by 3 Georgia Tech students, founder hires one of the hackers
- LastPass CEO: The Truth About Your Password Security