In brief

The United States' Department of Defense has opened up all of its publicly facing systems and apps to investigation under a bug bounty program.
In a massive expansion of its Vulnerability Disclosure Program, started in 2016, the DoD said it was looking for "ethical hackers" to find flaws and propose fixes. The program had only covered websites, but now Kristopher Johnson, director of its Vulnerability Disclosure Program, has said "websites were only the beginning as they account for a fraction of our overall attack surface" and urged the infosec community to take a wider view.
That said, don't expect to get rich from this program. The first trial five years ago saw a measly $14,000 shared among 1,400 flaw-finders. Compared to the $4.6m the Pentagon spent on seafood last year, that shows a depressing lack of priorities.
“This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DOD,” said Brett Goldstein, director of the Defense Digital Service.
Some 128 million users installed software from the Apple App Store containing the XcodeGhost malware, according to emails revealed during the Epic vs Apple trial.
‘Bulletproof’ ISP proves anything but: four face 20 years in prison
Four men from Russia and Eastern Europe have pleaded guilty to running a supposedly “bulletproof hosting” service for criminal scumbags.
In filings released on Friday, Aleksandr Grichishkin, 34, and Andrei Skvortsov, 34, of Russia; Aleksandr Skorodumov, 33, of Lithuania; and Pavel Stassi, 30, of Estonia, pleaded guilty to running the ISP for seven years and, in some cases, acting as systems administrators for botnets and malware-spreading tools, including the banking trojans Zeus, SpyEye, and Citadel, and the Blackhole exploit kit.
Grichishkin and Skvortsov owned the unnamed ISP, according to the DoJ, with Skorodumov doing IT support while Stassi set up phoney accounts and managed administration. The operation ran from 2008 to 2015, before being busted in a joint operation between the US, Germany, Estonia, and the UK.
The four were extradited to Michigan and pleaded guilty to one count of Racketeer Influenced and Corrupt Organizations (RICO) conspiracy in the Eastern District of Michigan. They face up to 20 years in an American prison after believing their own "bulletproof" hype.
Amazon fake reviews database left unlocked
A poorly secured Elasticsearch database has shed some interesting insight into the way scammers game reviews on Amazon and other sites, and exposed the personal data of those faking it online.
The open database, discovered by antivirus blog SafetyDetectives, exposed 13,124,962 messages between Amazon vendors and those willing to pump up their reviews. People agreed to buy products, write glowing five-star reviews, and would then get refunded the purchase price on PayPal and get to keep the kit. But the dodgy dealers forgot to practice basic security.
As a result, over 75,000 review writers had their email addresses, phone numbers and PayPal details left open for scraping online, along with those of the vendors. The team said the details of between 200,000 and 250,000 people were left exposed.
The server was hosted in China but it’s not clear if it was run by a consortium of vendors or a third-party group organizing the review pumping. Either way it’s another example of ethically dodgy folks getting caught out, so we’re unstrapping the world’s tiniest violin.
IRS gets legal search rights on cryptocurrency users
While cryptocurrency ledgers may be pseudonymous, the exchanges that trade them keep customer records, and the US Internal Revenue Service (IRS) has been authorized to seek out users who moved more than $20,000 in cryptocurrency between 2016 and 2020.
The order, in the Northern District of California, applies to cryptocurrency trading systems run by San Francisco-based Payward Ventures Inc, which operates as Kraken in the US. The John Doe summons is open-ended, meaning a lot of folks might be getting a call.
The move follows a similar case in April, when a federal court in Massachusetts authorized the IRS to seek records on users of the Circle exchange, and is a sign that the US is cracking down on digital currency. But the US Department of Justice (DoJ) was keen to add that this isn't a criminal dragnet.
“The United States’ petition does not allege that Kraken has engaged in any wrongdoing in connection with its digital currency exchange business,” the DoJ said.
“Rather, according to the court’s order, the summons seeks information related to the IRS’s ‘investigation of an ascertainable group or class of persons’ that the IRS has reasonable basis to believe ‘may have failed to comply with internal revenue laws.'”
Skint student’s pirate code takes down EU biomolecular lab
A ransomware outbreak at a major European biomolecular research institute has been traced back to a student trying to use cracked software.
A post-incident report by security specialists Sophos detailed how a student at the lab wanted a copy of the data visualization software he used at work for home use. After failing to find a free copy, he searched for "cracked" versions, downloaded the code, and then disabled Windows Defender and his firewall to let it run, but it turned out to be "pure malware."
Unfortunately, the student's credentials gave access to the institute's internal network and two-factor authentication wasn't required. Thirteen days after the initial infection, the attackers moved in over an RDP connection from a machine with a Russian-language printer driver, and 10 days after that the facility was hit by Ryuk ransomware.
Thankfully the boffins didn’t pay up and reconstructed infected systems after a total wipe, but it meant they lost a week of data and projects were significantly hurt. The student in question cooperated fully with the investigation and is presumably dreading their next performance review. ®