Notices by BrianKrebs (briankrebs@infosec.exchange), page 3

Just notified a company specializing in email security that their internal email -- and that of their customers -- was sitting out on the web.

Each inbox -- whether for company customers or employees of those companies -- was viewable just by visiting a link with a web browser and clicking links. Everything was exposed in basically one big file index.

This level of ineptitude is remarkable, and somehow they have a lot of customers (think state/local govs). To their credit, they took everything offline within a few minutes of my notifying them. But their entire business schtick is about how all your email is encrypted and protected and scanned and blah blah. Meanwhile, no it's not. At all.

Google is too big to fail, and yet they seem to be failing at basic things they used to do well (like search) while removing useful features (like cache) and adding a bunch of crap nobody needs or wants.

Want to know if a given domain name shows up anywhere in search? Well screw you, we're not going to tell you that anymore, but here's 1,400 completely useless and irrelevant results that could possibly have some info (but don't). When the search engine could have done what it's done for years, and admit that it doesn't know WTF you're talking about and say "no results found." Now it just makes shit up if it doesn't know the answer.

Hey cool! My search result shows the term I was looking for is present on 7 websites. Shoot! None of them are online anymore. How about showing us your cached version of the site, you know the one that was used to create this search result? Oh wait, no, you can't see that anymore. Why? Here's Danny Sullivan's dismissive and mystifying explanation: "“It was meant for helping people access pages when way back, you often couldn’t depend on a page loading,” Sullivan wrote on X. “These days, things have greatly improved. So, it was decided to retire it.”

Want software? Great, Google will serve a malicious ad on top that looks a lot like an organic search result but which is paid for by scammers and installs malware.

@gsuberland I looked at this story and thought, 3 million toothbruth botnet! Wow. But the source research can't be viewed unless you subscribe to something. Hrm. Likelihood of some toothbrushes being owned bc shitty app or whatever is not nothing, but a 3M strong botnet is going to get noticed by a lot of places. I assigned this a "probably wildly untrue" label and promptly forgot about it.

@nixCraft Sounds like a pyramid or MLM scheme.

Another unhappy customer of BriansClub who got phished complains to me, as if in my spare time I run the underground's biggest stolen credit card shop.

https://krebsonsecurity.com/?s=briansclub

As several people responding here have already noted, what this suggests is there is broad downward pressure on what companies are willing to pay for security.

Which again seems slightly nuts when you think about how the costs of not paying adequately for security are increasing. I mean, the security headlines just in the past week alone are frankly terrifying and to my mind paint a pretty grim near-term future cyber-wise.

Perhaps the costs of not investing enough in security are not high enough yet?

There's a huge disconnect for me rn in the IT space. Companies love to talk about an increasing deficit of smart, talented and skillful people available to help defend the cybers. Welp, a lot of those people are somehow now seeking gainful employment bc they've been laid off. Which is just nuts to me given the sheer scale, resources and effort our adversaries are throwing at everything now.

p.s. AI isn't going to fix anyone's security problems. If anything, it's going to compound them by orders of magnitude (at least in terms of data governance).

Hot off the presses:

Three Americans were charged this week with stealing more than $400 million in a November 2022 SIM-swapping attack. The U.S. government did not name the victim organization, but there is every indication that the money was stolen from the now-defunct cryptocurrency exchange FTX, which had just filed for bankruptcy on that same day.

https://krebsonsecurity.com/2024/02/arrests-in-400m-sim-swap-tied-to-heist-at-ftx/

Google continues to struggle with cybercriminals running malicious ads on its search platform to trick people into downloading booby-trapped copies of popular free software applications. The malicious ads, which appear above organic search results and often precede links to legitimate sources of the same software, can make searching for software on Google a dicey affair.

h/t @th3_protoCOL for the image

https://krebsonsecurity.com/2024/01/using-google-search-to-find-software-can-be-risky/

If you've ever wondered why some Wi-Fi is free (like in hotels), it's because typically data about your browsing is sold to countless ad companies that will happily buy it.

Had to use the hotel WiFi recently on a trip, and after clicking "agree" to their terms of service, the Little Snitch firewall on my Mac went bonkers. I must have denied 20-30 outbound requests to advertising networks. It still worked, though, so I'm guessing I didn't manage to block all of it.

This is some impressive research: IOActive researchers figured out how to get root access on a bitcoin ATM, using the same physical access that a regular customer might have (the touch screen).

https://labs.ioactive.com/2024/01/atm-security-owning-bitcoin-atm.html

E-Crime Rapper ‘Punchmade Dev’ Debuts Card Shop

The rapper and social media personality Punchmade Dev is perhaps best known for his flashy videos singing the praises of a cybercrime lifestyle. With memorable hits such as “Internet Swiping” and “Million Dollar Criminal” earning millions of views, Punchmade has leveraged his considerable following to peddle tutorials on how to commit financial crimes online. But until recently, there wasn’t much to support a conclusion that Punchmade was actually doing the cybercrime things he promotes in his songs.

https://krebsonsecurity.com/2024/01/e-crime-rapper-punchmade-dev-debuts-card-shop/

p.s., yes, that is a functioning diamond-crusted card skimming device hanging from his neck.

This is fine.

Heads up everyone! 10/10 in GitLab:

GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction.

The vendor strongly recommends updating as soon as possible all vulnerable versions of the DevSecOps platform (manual update required for self-hosted installations) and warns that if there is "no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.”

https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-zero-click-account-hijacking-vulnerability/

Been noodling a lot about AI stuff lately, and just keep SMH about how willing so many people seem to be to trust this technology.

My problem w/ the idea of AI chat bots being asked to do anything consequential is that we seem to want them to be ever-more human, while at the same time expecting them not to make mistakes.

Probably what we really want is for them to also learn from their mistakes. But that requires admitting when you're wrong -- changing your mind, if you will -- and letting others impacted know that you were in the wrong. On some levels, that seems incompatible with what many expect out of AI today.

This story is an important development in piracy, but it also portends an increase in malware infections from more people seeking pirated content from any available source. There has always been and will always be a strong connection between pirated software, music, movies, etc. and malware droppers that turn systems into proxies or worse. And pirated products remain a major source of malware infections.

https://www.techdirt.com/2024/01/10/piracy-is-surging-again-because-streaming-execs-ignored-the-lessons-of-the-past/

Why does Apple Music continue to suck at suggesting music I might actually want to listen to? Maybe I have enabled some setting to make it obtuse, but it has to know by now what I listen to and what I never even bother with, and yet every time I launch the app it's just tons of whatever is most popular right now. Am I alone in this experience?

Rediscovering some real gems here. Added as new stations under TuneIn, by adding an URL.

https://somafm.com/listen/sonoscustom.html

https://support.sonos.com/s/article/260?language=en_US

It's nice to see what appears to be real movement toward law enforcement here and globally to go after the perpetrators and enablers of pig butchering scams. These four accused were living in the United States, allegedly working w/ human traffickers throughout E. Asia to trick or kidnap people into perpetrating romance scams over the Internet 24/7.

https://www.justice.gov/usao-cdca/pr/four-individuals-charged-laundering-millions-cryptocurrency-investment-scams-known-pig

I wish I still didn't get several desperate emails from people a month, full of shame and anger and frustration at having fallen for a pig butchering scam and lost their life's savings. The FBI said this year that pig butchering scams are now a $3B problem.

I'm not particularly proud of some of my early responses to these messages, which basically said, "sorry, but your money is almost certainly gone forever, and anyone offering to help you get some or all of it back for a fee is scamming you."

While this is still mostly true, I always now advise every single crypto scam victim -- pig butchering, theft, whatever -- to be sure to file both a police report and a report with the Internet Crime Complaint Center (IC3.gov), which collects stats on cybercrime and sometimes bundles victim reports into cases for DOJ/FBI prosecutors and investigators.

It is not out of the realm of possibility that you could see some of this money back many years from now if they ever catch the people responsible and/or are able to seize their financial accounts. Again, an outcome like this is unlikely and could take years. However, if you don't file official complaints it can be hard to learn if any of that ever comes to pass, because if they do one day seize some money from a crime group, they would try to contact victims and help them with remuneration.

One thing I've learned is that very often stolen funds are not gone forever in some badguy bank account but instead held by the U.S. govt in legal limbo because they were seized in the process of law enforcement actions. But the money just sits there in the govt's possession while the legal process goes forward, and meanwhile victims have no idea that some or all of their money is being held by the govt, and can't access that either b/c it's officially "evidence" of a crime.

IMHO, there is a yawning disconnect between the government's ability and eagerness to seize ill-gotten crypto funds and any process to figure out who got robbed and notifying them within some kind of time frame that is likely to be meaningful to their lives. So many people really have lost everything, and yet they really haven't. Anyway, the process here is super spotty, but I think it will improve over time. It has to.

https://krebsonsecurity.com/2022/07/massive-losses-define-epidemic-of-pig-butchering/

I mean, why shouldn't we count on more organizations just observing best practices? It's so simple, I just don't understand why everyone can't do this? /s

This is not sustainable. We probably need to scrap everything and start over. But in the meantime, yeah, let's make it illegal to pay a ransom. I think we've long past reached that point.