Facebooker swatted, Kaspersky snares an NSA thief, NASA server exposed, and more

This week we saw a Huawei official cuffed (again), telcos caught selling tracking data (again) and Microsoft patching dozens of bugs (again). Here are a few other notable security happenings. Chaturbate rubbed raw by card cache bug Adult webcam service Chaturbate has plugged a security hole that left some of its customers a …

  1. John Smith 19 Gold badge

    Xterm re-implemented in Javascript.

    What could possibly go wrong with this plan?

    We're talking a binary parsing task. That suggests getting a tool to do the heavy lifting and most of the core code generation first.

    1. Nick Kew

      Re: Xterm re-implemented in Javascript.

      It's not new. It rings a bell associated with stuff I was playing with around '97-ish, from which I infer it's been around in some form since last century.

  2. amanfromMars 1 Silver badge

    The Future Trade ....... Something Else to Fluff and Have a Crazy Flutter On? :-)

    This prompted police to respond with multiple vehicles, surround the house, and briefly handcuff the man while the home was searched. The whole thing was eventually found to be a "prank" and everyone went on their way.

    Hmmm ....Ahoy SociopathsRUS . Permission to Board that Journey is Almightily Protected, n'est ce pas? Raw Root Source is Exchanged and InterMingled there, in those WayOut In Control Spaces with Venus the Insatiable Temptress Exercising Her Finest Works to Render Surrender to Perfect Submission for Galactic Leading Powers.

    Virgin AIdDVenture Territory, Sir Richard ? Wir Dienen No Stark Future Space at All. ........ 100% Concentrated Heaven . Such is More than Enough to Slay Every Dragon Dumped into the Drudge of Dungeon with Special AI Services Sharing an Engaging Way Out of Madness and Mayhem with a Seamless AI Transition that Delivers to CHAOS, Clouds Hosting Advanced Operating Systems, Global Whether Command to Free Dominions Domain Controllers. .... Fellow Brothers and Sisters in CHAOS Casting Mighty Seeds for Almighty Feeds thus to Better More Quickly Evolve and Progress into and onto Future Virgin AIdDVenture Territories...... with Virtual HeadQuarters to Populate.

    Very Lucrative and Rewarding that Ancient Art for Leading Pioneers Capturing and Captivating Venture Capital Angels.

    1. Cliff Thorburn

      Re: The Future Trade ....... Something Else to Fluff and Have a Crazy Flutter On? :-)

      https://youtu.be/UQIVeD-Uudk

  3. Anonymous Coward

    Security? Yes, we've heard of it

    So the government thinks that Kaspersky might be working for Russian intelligence? If they were a US corporation then it's likely that they would be working with the NSA so - maybe, maybe not - all AV companies have the potential for national security cooperation behind the scenes. But Booz Allen Hamilton have been leaking US secrets like a broken water main for years yet nobody ever suggests that it's way past time to hire a different contractor.

    The Harold Martin case is interesting - there's not a lot of information around about it, and what there is doesn't make very much sense although I used to work with a bunch of folks in that area and a significant number of them were mentally out in the left field.

  4. Anonymous Coward

    TCL caught slinging Android malware

    This can't be right.

    TCL is one of Facebook's "Trusted Providers" that was vetted to give low level access to users social media data.

    Besides, Facebook made TCL and others sign contracts promising to be good.

    Nothing to see here, move along.

    https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends-data.html

  5. arthoss

    Why loathed care to elaborate?

    Using this in consulting, all happy at every customer, can you give some facts?

    1. Michael Wojcik Silver badge

      Re: Why loathed care to elaborate?

      Wouldn't it be great if there were some global repository of information you could query for general questions like this?

      http://lmgtfy.com/?q=why+loathe+jira

    2. Wilco

      Re: Why loathed care to elaborate?

      Ill-informed journo - it's better than a lot of the alternatives.

      Jira is a very good issue management system. It's not as good as it could/should be as a tool to manage Scrum/Kanban projects but if you have distributed teams or need to do some level of management reporting on progress it's better than a physical board.

      My main complaint is that the agile feature set isn't really evolving - it doesn't seem to have changed much for years. I guess Atlassian are now too big to be able to innovate.

  6. Evil Auditor Silver badge

    Jira

    Can someone please explain how one misconfigured (Jira) server could expose employee and project details to people wanting to infiltrate NASA? Obviously, my understanding of network security is extremely limited and that's why I can't follow that reasoning. Until now I thought that such an (internal?) server would be behind layers of protection which an outsider cannot simply penetrate to access said server. And as such, a misconfiguration would maybe expose sensitive data within the organisation, i.e. to people who already successfully (and rightfully) "infiltrated" NASA.

    Maybe I'm wrong and shortsighted. But somehow this reminds me of an ex-colleague at an ex-employer - when he found a misconfigured parameter on one system he liked to create an issue "the company is at risk!" without considerations for the whole control system in place.

    EDIT: Okay, so the Jira system is accessible from the outside world and the server seems to allow anonymous access; otherwise I wouldn't get to the login page. Makes me think...

    1. Rajesh Kanungo Bronze badge

      Re: Jira

      I don't know the specifics of THIS case, but I have seen this all too often. Most developers like remote access. Sometimes Jira is opened up for customer/partner/collaborator/vendor access too. They may have done it to 'simplify' access.

  7. Barry Rueger

    Take down the power grid? Old News.

    Don't panic, but Russia might be able to kill the US power grid

    From David Sanger's "Perfect Weapon."

    As the lights went out in western Ukraine the day before Christmas Eve 2015, Andy Ozment had a queasy feeling.

    The giant screens in the war room just down the hall from his office—in an unmarked Department of Homeland Security building a quick drive over the Potomac River from the White House—indicated that something more nefarious than a winter storm or a blown-up substation had triggered the sudden darkness across a remote corner of the embattled former Soviet republic. The event had all the markings of a sophisticated cyberattack, remote-controlled from someplace far from Ukraine. ...

    The more data that flowed in about what was happening that winter day in Ukraine, the deeper Ozment’s stomach sank. “This was the kind of nightmare we’ve talked about and tried to head off for years,” he recalled later. It was a holiday week, a rare break from the daily string of crises, and Ozment had a few minutes to dwell on a chilling cell-phone video that his colleagues were passing around. Taken in the midst of the Ukraine attack by one of the operators at the beleaguered electricity provider, Kyivoblenergo, it captured the bewilderment and chaos among electric-grid operators as they frantically tried to regain control of their computer systems.

    As the video showed, they were helpless. Nothing they clicked had any effect. It was as if their own keyboards and mice were disconnected, and paranormal powers had taken over their controls. Cursors began jumping across the screens at the master control center in Ukraine, driven by a hidden hand. By remote control, the attackers systematically disconnected circuits, deleted backup systems, and shut down substations. Neighborhood by neighborhood, the lights clicked off. “It was jaw-dropping for us,” said Ozment. “The exact scenario we were worried about wasn’t paranoia. It was playing out before our eyes.”

    And the hackers had more in store. They had planted a cheap program—malware named “KillDisk”—to wipe out the systems that would otherwise allow the operators to regain control. Then the hackers delivered their finishing touch: they disconnected the backup electrical system in the control room, so that not only were the operators now helpless but they were sitting in darkness. All the Kyivoblenergo workers could do was sit there and curse.

    For two decades—since before Ozment began his career in cyber defense—experts had warned that hackers might switch off a nation’s power grid, the first step in taking down an entire country. And for most of that time, everyone seemed certain that when the big strike came, it would take out the power from Boston to Washington, or San Francisco to Los Angeles. “For twenty years we were paranoid about it, but it had never happened,” Ozment recalled.

    “Now,” he said, “it was happening.”

    1. muhfugen

      Re: Take down the power grid? Old News.

      Sounds like a bunch of bullshit. Their cursors moving around the screen? Because things like ssh, rdp or x window servers, all of which allow multiple sessions, don't exist? I really doubt state sponsored attackers would put so little effort into their malware that it is nothing more than goto assist.

  8. John Smith 19 Gold badge

    Remember it's always "You're hysterical scare mongering"

    Until it happens.

  9. Anonymous Coward

    For his work

    Paray was given a $300 bounty payout and a hand.....

    * shake of course

  10. Anonymous Coward

    Don't panic, but Russia might be able to kill the US power grid. Or at least a sizable portion of it. This according to a report from the Wall Street Journal

    That has always been the case.

    Disclaimer: my dad made a fairly sizeable amount of side income in the days when the Iron Curtain was still in place and we were on its other side. He was working on grid control and stability from both optimal control and game theory perspective. Based on what I remember from those days the "sequence" of actions to kill a grid is well known for pretty much every grid out there and the Russians regularly recompute that.

    AFAIK, due to the deregulation/private ownership aspects of the USA it is easier than with other countries too.

  11. Big Al 23

    Kaspersky hoping for love

    I don't think anyone with a security clue will be trusting Kaspersky any time soon. Pretending to be good guys to gain credibility with the NSA is a typical ploy.

  12. steviebuk Silver badge

    Swatting

    I still don't understand, as someone mentioned on other news articles about the one where the guy got shot and killed, why the 911 centre doesn't do a call back to the actual address if they get a number? Surely they should have a database of numbers for set addresses, even if the number may no longer be valid. Isn't it at least worth a try calling it?

    1. Valeyard

      Re: Swatting

      yes that's what the emergency services need, more bureaucracy!

      1. steviebuk Silver badge

        Re: Swatting

        I probably should have said the police should call the number. Just as a first port of call. But, although this might be a massive generalisation, there just seems to be so much evidence of it: the first option American law enforcement seem to go for is "attack, attack, attack", much like their army.

        Evident in the Waco siege (watched a documentary on that the other day on BBC 4) and when a General ordered British and NATO soldiers to attack an airport in Kosovo that Russians had managed to capture first. Gen Mike Jackson said why not just surround the airfield instead. They soon ran out of food and water and allowed them to share the airfield, preventing World War 3.

        1. jackalek

          Re: Swatting

          Would you share the title of said documentary?

    2. Michael Wojcik Silver badge

      Re: Swatting

      In the Finch case, Barriss (the swatter) didn't call 911. He spoofed a local number and called a non-emergency Wichita City Hall number, and someone there transferred him to the emergency services desk. Then Wichita PD took everything Barriss told them at face value, stationed themselves around Finch's house with weapons ready, and one officer fired seconds after Finch opened the door.

      The department didn't do any critical thinking and an adrenaline-drunk trigger-happy asshole failed to control himself. And no, I'm not buying any "first responders have to make split-second decisions" bullshit - this is a direct consequence of police militarization, lousy training and procedures, poor screening, and a lack of consequences. You can't fix that by tweaking procedures at the 911 call center (and I don't think yours is workable anyway, to be honest).

      This case has been discussed extensively by security experts and others. The Wikipedia article is decent.

  13. muhfugen

    "You can see why this would be an extremely useful tool to anyone wanting to infiltrate the US space agency."

    Pretty sure all this information would be available under a FOIA request.

  14. Michael Wojcik Silver badge

    harmless fun

    anyone who still thinks swatting people is harmless fun

    I don't believe I've ever read an account of a swatting case where the swatter plausibly claimed he (I don't know of any female swatters) thought it was "harmless fun". Swatters are nasty, violent, and probably manifesting some form of antisocial personality disorder. They're perfectly aware that swatting is a form of violence. Was anyone surprised when swatter Mir Islam was arrested for helping to dispose of a murdered woman's body? I wasn't.

Biting the hand that feeds IT © 1998–2020