In the headlines: Cyber bank heist, Federal bug bounty program, Facebook flaw and more

Billion dollar cyber bank job foiled by spelling mistake

A huge cyber bank heist was uncovered this week when the perpetrator made some spelling errors. Having already successfully drained $101m from the central bank of Bangladesh by penetrating their systems and impersonating officials, they were detected when one of their transfer requests misspelled the word ‘foundation’ as ‘fandation’. This was picked up by one of the routing banks, Deutsche Bank and the fraudsters were subsequently caught. Had they continued undetected, they could have drained a total of $1billion.

Pentagon announces federal bug bounty program

The US Department of Defense has announced the first governmental bug bounty program, dubbed ‘Hack the Pentagon’. Naturally, this is a very restricted program only inviting legitimate vulnerability testers to study their public facing websites. However, this does represent a major shift in the security mindset of the government, coming not long after the announcement of a new heavily funded Cyber National Action Plan. Considering the breaches suffered in the last couple of years, the introduction of programs such as this one should be reassuring to US citizens. Bug bounty programs are now a popular method used by big companies to detect vulnerabilities before they are used maliciously. Following the breach of 20 million employee records and a number of government login credentials, it’s clear that some government agencies are in need of a helping hand.

Facebook flaw nets researcher $15,000 and reminds us nobody is immune

An Indian security researcher recently uncovered a flaw in Facebook’s password reset function, duly reported it to Facebook and received $15,000 in gratitude. Anand Prakash realised that the 6 digit security code sent out when a password is reset, was only subject to rate limiting on the main Facebook domain. Visiting the beta versions of the site allowed him to try as many times as he liked to use a brute force attack to reset the password of any user he chose. The lesson? Make sure your test servers are every bit as secure as the main ones.

Yet another Flash zero day

We could almost set a place holder for this one. Yes, another Flash zero day has been uncovered and duly patched. This vulnerability consisted of 23 ‘loopholes’ and was already actively being exploited in targeted attacks. The vulnerability was classed as critical and Adobe soon issued an emergency update. Left untouched, this vulnerability could allow remote code execution and see an attacker gaining full access to targeted machines. Therefore if you’re still using Flash, it’s essential this update is applied.

Big tech companies to beef up encryption

Following the hugely high profile battle between Apple and the FBI to allow access to the encrypted data of a terrorist, UK newspaper The Guardian is reporting that many of the big tech companies are making efforts to strengthen the encryption they have and apply it to more of their products. Whatsapp has already been reported as being inaccessible to investigators due to its end-to-end encryption and owner Facebook is reportedly now seeking to apply similar encryption to voice messages and group chats. Google and Snapchat are apparently also taking similar measures. A number of major tech companies have come forward in support of Apple and against the sustained efforts of the US government to establish an encryption backdoor for use in investigations. A hearing on the case will take place on 22 March and this is definitely a technical and ethical dilemma we have yet to hear the end of.

ISIS breached; 22,000 member details released

ISIS have just suffered a major breach and despite Anonymous’ best efforts (taking down hundreds of websites and social media accounts) this breach was caused by an insider. A defector in the group has reportedly leaked the details of 22,000 ISIS members, information received by some media outlets and German intelligence officials. So far, it’s reported that the information seems to be legitimate and includes personal details and even blood groups of the members concerned. The data represents a majority of ISIS members and is a huge coup for intelligence agencies, though it will create a huge volume of work.

Anti DDOS firm Staminus hacked

Security firm Staminus, an ISP based in California who specialize in protecting customers from DDoS attacks, have been left with egg on their face after becoming a target themselves. Their entire network was taken down for more than 20 hours and in that time, sensitive customer data appeared online. The attackers revealed that they had managed to gain control of all Staminus’ internet routers and return them to their factory settings. They also revealed that Staminus had used the same root password for all of these devices. As yet it’s unclear why Staminus was targeted but we can surmise that it might be something to do with their clients; one of which is the KKK.