Cybersecurity News – September 16, 2021

Travis CI security vulnerability is bad news for open source

Travis CI is a continuous integration service used by more than 900,000 open source projects and 600,000 users. Earlier this month, security researcher Felix Lange discovered a vulnerability that exposed the secure environment variables, such as signing keys and API tokens, of all public open source repositories that use Travis CI to pull request builds, including builds of pull requests opened from forks. The flaw was introduced as part of the Travis CI activation process and affected builds from September 3 through September 10. It was fixed within eight days of Lange reporting it. Many in the developer community, however, have been critical of how Travis CI handled the disclosure: it posted a brief security bulletin on its website with no analysis, security report, post mortem, or warning to users about the severity of the exposure.

(Ars Technica)
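To make the failure mode concrete, here is an added example written for this page; it is not Travis CI's code and does not reproduce Lange's report. It models the decision a CI service makes about which builds receive a repository's secure environment variables, with the broken policy (secrets handed to every build) beside the rule CI services generally document (no secrets for pull requests from forks), and a scanner that checks a build log for secret values, including base64-encoded copies that a fork pull request could exfiltrate past masking that only redacts exact matches. The repository names, secret values and log lines are constructed for the example.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildRequest:
    """Metadata a CI service knows before it provisions a build environment."""
    event: str      # "push", "pull_request", "cron", "api"
    base_repo: str  # repository whose secure variables are at stake
    head_repo: str  # repository the tested commit comes from (differs for fork PRs)


def expose_secure_vars_vulnerable(req: BuildRequest) -> bool:
    """Models the failure mode in the news item: secure variables are injected
    into every build of a public repository, fork pull requests included."""
    return True


def expose_secure_vars(req: BuildRequest) -> bool:
    """Correct policy: pushes and same-repository pull requests get secrets;
    a pull request whose head lives in a fork never does, because the fork's
    author controls the scripts the build will run."""
    if req.event != "pull_request":
        return True
    return req.head_repo == req.base_repo


# Constructed secrets and build requests for the example (not real values).
SECRETS = {
    "NPM_TOKEN": "npm_4f9c2e7d1b0a",
    "GPG_PASSPHRASE": "correct horse battery staple",
}
FORK_PR = BuildRequest("pull_request", "example-org/tool", "attacker/tool")
SAME_REPO_PR = BuildRequest("pull_request", "example-org/tool", "example-org/tool")

# A run of consecutive log lines made only of base64 characters, as printed by
# `env | base64` (which wraps at 76 columns). Heuristic: lines of 4+ characters.
B64_RUN = re.compile(r"(?:^[A-Za-z0-9+/]{4,}={0,2}$\n?)+", re.M)


def find_leaked_secrets(log: str, secrets: dict[str, str]) -> set[str]:
    """Return the names of secrets whose value appears in the log, either
    verbatim or inside a base64 blob. Exact-match masking catches only the
    first case; this scanner also decodes base64 runs before searching."""
    views = [log]
    for match in B64_RUN.finditer(log):
        blob = "".join(match.group(0).split())   # join wrapped lines
        if len(blob) < 16:
            continue                               # too short to hold a secret
        try:
            views.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:                         # binascii.Error subclasses ValueError
            continue
    return {name for name, value in secrets.items() if any(value in v for v in views)}


def exfiltrate_env(env: dict[str, str]) -> str:
    """What a hostile build step such as `env | base64` would write to the log."""
    dump = "\n".join(f"{k}={v}" for k, v in sorted(env.items())) + "\n"
    blob = base64.b64encode(dump.encode()).decode()
    lines = [blob[i:i + 76] for i in range(0, len(blob), 76)]
    return "$ env | base64\n" + "\n".join(lines) + "\n"


def run_build(req: BuildRequest, policy, secrets: dict[str, str]) -> set[str]:
    """Provision the build under the given policy, run the hostile step, and
    report which secrets the resulting log exposes."""
    env = dict(secrets) if policy(req) else {}
    log = "$ git checkout FETCH_HEAD\n" + exfiltrate_env(env)
    return find_leaked_secrets(log, secrets)


if __name__ == "__main__":
    for label, policy in (("vulnerable", expose_secure_vars_vulnerable), ("fixed", expose_secure_vars)):
        print(f"{label}: fork PR leaks {sorted(run_build(FORK_PR, policy, SECRETS))}")
```

Under the vulnerable policy the fork pull request leaks every secret; under the fixed policy it leaks none. The scanner is only a heuristic (it joins runs of base64 lines and knows nothing about hex, rot13 or secrets split across commands), which is why the practical response to a window of exposure like this one is to rotate every secure variable that existed during it rather than to grep build logs for proof of theft.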

Ransomware accounts for a quarter of cyber insurance claims 

This comes from a new study by the insurance giant Marsh, which looked at all the cyber insurance claims it handled from 2016 to 2020. Over that whole period ransomware accounted for 25% of claims, but in 2020 the share rose to 32%. The cyber insurance market is booming and is estimated to be worth $20 billion by 2025. Fear of ransomware is often what drives firms to buy insurance, but ransomware is also a major factor driving up costs for insurers. A recent study by the cyber insurer Coalition attributed the rise in costs to firms consistently choosing to pay ransoms and to cover recovery costs through insurance while deferring spending on security upgrades.

(The Record)

Microsoft goes passwordless

The company rolled out the ability for consumers to sign in to a Microsoft account using the Microsoft Authenticator app, Windows Hello, a security key, or an SMS or email verification code instead of a password. Consumers can also now remove the password from their account entirely. Of those options, SMS and email codes are the weakest, since they can be phished and SMS is exposed to SIM swapping, while Windows Hello and security keys bind the sign-in to a device. Microsoft has been paving the way for this for a few years, adding support for security keys in 2018 and adding passwordless sign-in to Windows 10 in 2019. It rolled out passwordless support to commercial customers in March.

(The Verge)

Anonymous claims it stole data from Epik

The web host Epik is known as the host of last resort for sites that run afoul of competitors’ terms of service. Members of the hacktivist collective Anonymous now claim to have stolen “a decade’s worth of data” from the company, including domain purchases and transfers, account credentials for all customers, and employee emails. This should be taken with a grain of salt, as it is sourced from what can generously be referred to as a press release posted on 4chan. The leak-publishing collective Distributed Denial of Secrets says it has obtained the data and plans to curate it for publication. At the time of this recording, Gizmodo says it has downloaded the dataset and is verifying its authenticity.

(Gizmodo)

Thanks to our episode sponsor, Sonrai

Sonrai is changing Public Cloud Security by focusing on protecting data from over-privileged human and non-human identities. Sonrai provides a single pane of glass built on an analytic platform that protects organizations by leveraging CSPM, CIEM, and cloud DLP at the confidence level required by your environment. Learn more about Sonrai Cloud Security at www.sonrai.com

Facebook ignored warnings that algorithm changes led to angrier content

In 2018 Facebook changed its News Feed algorithm to place greater emphasis on content shared between users, in order to get them to interact more with friends and family. BuzzFeed alerted the company that after the change its most divisive content was going viral. Facebook’s own researchers subsequently found that publishers and political parties were reorienting their posts toward outrage and sensationalism to draw the comments and reactions that ranked content higher, concluding that “[m]isinformation, toxicity, and violent content are inordinately prevalent among reshares.” Internal memos show CEO Mark Zuckerberg was resistant to changes that would reduce user engagement, such as limiting the boost given to content reshared through long chains of users. Facebook had made the 2018 change to counter a steady decline in engagement and in personal posts through 2017.

(WSJ)

South Africa’s Department of Justice hit with ransomware

The country’s justice ministry is working to restore operations after the attack encrypted all of its systems, making them and their services unavailable both internally and to the public. Child maintenance payments and bail services are suspended as a result. As part of its contingency plans, the ministry has switched to manual recording of hearings and manual issuance of certain documents. The attack began on September 6, and it is not clear who was behind it. The ministry has not said when it expects network services to be restored, but given the severity of the disruption it seems likely that it did not pay the operators.

(Bleeping Computer)

Good Grief! Ransomware gang threatens to delete decryption key

We reported last week that the Ragnar Locker ransomware group threatened to automatically publish exfiltrated data if victims attempted to contact law enforcement or negotiation firms. Now the Grief ransomware gang has upped the ante, threatening to delete a victim’s decryption key if they hire a negotiator, which would make recovering the encrypted data all but impossible without backups. Grief is tied to the Russia-based group Evil Corp, which is under US sanctions. This new tactic may be an attempt to sidestep negotiators, who are likely to advise victims not to pay because of those sanctions.

(Bleeping Computer)

Amazon wants concerts to talk to the palm

The company has been using its Amazon One palm-scanning technology at Amazon facilities and Whole Foods stores, mainly to speed up payments. Now Amazon is bringing the technology to Red Rocks Amphitheatre as part of a partnership with the ticketing firm AXS. The venue will offer dedicated palm-scanning stations to validate entry, and AXS plans to bring Amazon One to more ticketed venues in the future. Given that Amazon is unlikely to make much money from Amazon One directly, some privacy experts are concerned about what Amazon could do with the biometric data it collects.

(The Verge)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.