HackFest
This week has seen a large number of hacking announcements; it is going to be tricky to squeeze even the interesting ones into a single blog, but here goes.
To our mind, the announcement by digital wallet provider Komodo that it had hacked its own customers and without any authorisation or approval, transferred their funds to another location, presumably secured with the oh so secure smart chain development framework that they always bang on about. Yes of course they mean Blockchain but where is the value in that when you can get the marketing people to call it something else and rub it down with lashings of snake oil.
The reason? In line with swallowing a spider to catch a fly, Komodo executed this dastardly scheme to protect their customers from hackers. It turns out that the code for one of their wallet products (Agama) uses a third-party library (bizarrely called electron-native-notify) and the developers of that library had updated it to include a backdoor and then started to use that backdoor to steal people’s wallet credentials. Sneaky huh?
The suspicious activity was discovered by the JavaScript tool repository npm, who worked with Komodo to jack their own customers for their own safety.
If we overlook the ethical issues presented by the self hack, and if you have a Komodo wallet you should read the links referenced and do the right thing, there are a number of other issues presented here. Sure we have all read the blurb and even the technical documents which prove beyond belief that Blockchain and the like are a security nirvana. Unfortunately the implementation of that nirvana could be like a Michaelangelo but is more likely to be like a kid’s work or something more at that end of the scale.
According to npm, this attack vector – providing a useful library or tool, publishing it on a repository and then adding a dodgy payload down the line is on the rise and developers, especially the ones that wear chaps and go to work by horse, should be very careful. Building a functioning and secure Software Development Lifecycle methodology with associate processes and technology is an imperative. Unfortunately not one that is widely enough recognised.
In other news (in America) the medical testing outfit LabCorp has announced that details of no fewer than 7.7 meellion users were exposed via a breach at the debt collection company American Medical Collection Agency, who as it happens are well known for aggressive and bullying tactics when collecting debts, even from sick people. 7.7 million is a big number, coincidentally about the same number of Uruk-hai in Tolkien’s Lord Of The Rings (with apologies to LOTR fans for any rounding errors, please forgive us). Whilst this breach is unlikely to affect any of us over here in Blighty, it is a stark reminder of the perils of not securing your digital, or physical for that matter, supply chain.
A week doesn’t seem to go by without us bleating on about public facing servers, especially RDP servers. Hot on the heels of the RDP backdoor announcements it transpires (no brown stuff Sherlock) that there is a brand new shiny botnet targeting the over 1.5 million Internet facing RDP servers (you blummin’ nutters) and brute forcing them.
Add to this the fact that it appears that newer versions of RDP can be used to bypass the Windows lock screen, really it can, even if Microsoft say this is a feature, really they do, and it would seem that RDP is becoming a terrifying attack vector and should be used and managed carefully. Get it?
If you are confused about Blockchain and digital wallets, welcome to the club. Fortunately ITC has some wily consultants who do. We also have a great service to help you manage your third-party supply chain and even have experts who can help you implement RDP securely and safely. What a team!
If you would like some help or just a chat about the general high levels of Cyber Risk, contact us at: [email protected] or call 020 7517 3900.