More Cryptocurrency Thefts

In the previous cyber update, we mentioned the theft of a $10m worth of Ethereum during the Coinbase ICO. Since that hack there have been (at least) 2 other serious cryptocurrency thefts. First, a vulnerability in a cryptocurrency wallet developed by Parity allowed attackers to steal $30m worth of Ethereum. Then, a few days later, another company in the middle of an Initial Coin Offering had $8.5m of their token stolen.

Key takeaways:

• As we said previously, this is a continuing trend and should be addressed as a matter of urgency by companies in this space.

When your coffee machine infects you with ransomware

This story came from a reddit post so is not independently verified but sounds highly plausible. The author of this post effectively tells a story of how their company had Industrial Control Systems running an a separate, non-Internet connected network. They were therefore puzzled to discover that machines in this environment had been hit by ransomware. It turned out that a 3rd party supplier had installed a coffee machine which bridged the company’s Internet connected and non-Internet networks so when it got infected, so did the machines in the non-connected network!

Key takeaways:

• All networks should be monitored for unknown or unexpected devices.
• On particularly sensitive networks, a new device should cause an alert and an investigation.
• Any 3rd party working with the IT network should be under heavy supervision and escort.

Node.JS package typo squatting

Node.JS uses the npm package management tool to allow Node developers to make use of prebuilt libraries to perform particular functions or operations. A developer called Ivan Akulov wrote a blog post about how he discovered fake versions of popular packages which included code to send sensitive data such as API keys back to the malicious packages’ developer.

Key takeaways:

• Beware of your dependencies, make sure you are reviewing exactly which external libraries you are using.
• Understand the importance of each dependency and how you would cope if it was suddenly removed.

OWASP Top 10 news

Following the controversy over RC1 of the OWASP Top 10 2017, OWASP published a blog post this week providing some updates from the new project leaders on the plans for the project. Anyone who is involved at all in Application Security would be advised to read the post in detail.

Key takeaways:

• The most controversial addition, (A7 Insufficient Attack Protection) appears to have been rejected as it does not represent a vulnerability
• AppSec professionals are being asked to provide data regarding vulnerabilities found in applications to help guide which vulnerabilities should be in the top 10.
• AppSec professionals are also being asked to complete a future-looking survey about what newer vulnerabilities are on an upward trend and should therefore already be considered, even if they are currently less widespread.