A bunch of malicious actors who have been sending email bomb threats are believed to be the same actors who engaged in a sextortion campaign. In the bomb threat campaign, schools, government offices, and private organizations were told to send bitcoins to prevent an explosion from going off. However, this was not a financially successful endeavor for the perpetrators. In relation to our course content, this is a classic example of social engineering, not sophisticated hacking. However, as we’ve learned, social engineering attacks make up the brunt of most hacks and are extremely effective. People need to be aware of these kinds of attacks in the future so that they don’t fall for them.

 

https://www.scmagazine.com/home/security-news/sextortion-gang-found-to-be-behind-email-bomb-threat-spree/

Quora recently acknowledged that they were hacked by a malicious third party. In a classic tale, user data was stolen through a breach. Quora has alerted the authorities. The breach has implications for around 100 million users:

• Account information, e.g. name, email address, encrypted password (hashed using bcrypt with a salt that varies for each user), data imported from linked networks when authorized by users
• Public content and actions, e.g. questions, answers, comments, upvotes
• Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

One interesting find here in my opinion is that Quora uses bcrypt to encrypt passwords. That’s a pretty standard way that people do it when they build apps. That’s how I encrypted user passwords this summer at my internship. I guess I expected Quora to have maybe a proprietary way of encrypting passwords. Maybe bcrypt is just that good. I don’t know.

https://blog.quora.com/Quora-Security-Update

One day one of us may be the ones auditing US Ballistic Missile Defense Systems. As the title suggests, they failed a cyber security audit recently. Numerous vulnerabilities were found. Users were instructed to only use single-factor authentication for 15 days after account creation. However, there was no mechanism for enforcing this, and people used single-factor authentication for a long time after 15 days. Once identified, multiple vulnerabilities were not patched at at numerous stations. Data that was stored on removable devices was not being encrypted. These vulnerabilities, among many others, contributed to the systems’ failure to pass the cybersecurity audit. These are all relatively fixable things. It seems like the employees or whoever is responsible for cyber security is simply being lazy.

https://www.bleepingcomputer.com/news/security/us-ballistic-missile-defense-systems-fail-cybersecurity-audit/

Chinese hackers have gained access to American military technology and other sensitive information by hacking US Navy contractors. Contractors are civilians that are hired by government agencies and the military on a contract basis. Especially over the past year, the Navy and Air Force have suffered breaches. These two branches of the military are prime targets because they utilize the latest technologies accessible to the military. Contractors frequently are more vulnerable to attacks.

https://www.wsj.com/articles/u-s-navy-is-struggling-to-fend-off-chinese-hackers-officials-say-11544783401?ns=prod/accounts-wsj