Solana network goes dark after bot swarm
A swarm of bots hit the popular NFT minting tool called Candy Machine over the weekend, hitting it with four million transaction requests and 100 gigabits of data per second, ultimately pushing validators of the blockchain out of consensus. The network went dark for roughly seven hours as a result, only coming back online after the validators were restarted in what was effectively a hard fork. It’s unclear at this point how the bot swarm caused the network to lose consensus.
(CoinDesk)
The spyware in Spain falls mostly on the politicians
The Spanish government announced that mobile phones belonging to prime minister Pedro Sánchez and defense minister Margarita Robles were both infected in mid-2021 with NSO Group’s Pegasus spyware. Both devices had information exfiltrated. Last month, Citizen Lab reported that dozens of pro-independence Catalan figures were targeted with Pegasus software. NSO maintains Pegasus is used by foreign government clients to target serious criminals, and that it does not obtain any information from Pegasus or know which targets its clients use it on.
Security isn’t top of mind for mental health apps
Mozilla’s “Privacy Not Included” guide did an analysis of 32 mental health and prayer apps across app stores. It gave 29 of the apps warning labels for concerns over how the apps were managing extremely sensitive data, with vaguely defined privacy policies over how that data is handled. Most apps also had poor security practices, letting new users create accounts with extremely weak passwords. Some therapy apps collect user chat transcripts, while others collect user information from third parties and share it for advertising purposes. This seemingly isn’t new within the industry: a 2018 study in the journal Internet Interventions found that less than half of 116 apps for depression had any privacy policy at all.
DoD phished for $23.5 million
The US Department of Justice convicted California resident Sercan Oyuntur of multiple counts related to phishing activities against the Defense Department, finding he caused $23.5 million in damages. This began in September 2018, when Oyuntur registered the dia-mil.com domain for his phishing operations, a lookalike of the legitimate dla.mil domain. He used the domain to send emails directing users of a vendor database to a fake login.gov site, where Oyuntur would steal their credentials. He eventually obtained credentials for a Southeast Asian corporation with active fuel provision contracts, and changed its banking information to a foreign account he controlled.
Thanks to our episode sponsor, Censys

Grindr location data for sale
The Wall Street Journal’s sources say that from 2017 through 2020, precise location data on millions of Grindr users was collected from a digital ad network and offered for sale. This data did not include personal information like names or phone numbers, but could certainly be used to infer intimate relationships or establish home addresses of users. Grindr cut off the flow of location data to ad networks in 2020, but historical data may still be obtainable. The company said it originally provided the location data to serve hyperlocal advertising.
(WSJ)
Results from the first defense industrial base bug bounty
Almost 300 security researchers took part in the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) Pilot over the last twelve months, turning up over 400 valid vulnerabilities. HackerOne ran the pilot in coordination with the Defense Cyber Crime Center and the Defense Counterintelligence and Security Agency, looking at 41 entities and 348 systems. This represents a small fraction of the organizations that contract directly with the Pentagon, estimated on the low end to be 100,000. The Pentagon hopes to take lessons learned from the pilot to inform a larger funded program.
Cyberattack rocks Trinidad’s largest supermarket chain
Last week Massy Stores released a statement that it was experiencing “technical challenges” with its checkout systems, impacting all 21 locations across Trinidad, in what was later characterized as a cyberattack. It’s unknown if this involved ransomware. The chain was able to open some stores on April 30th, but card payment systems were completely down; all stores had reopened by Sunday, with intermittent card outages continuing. Massy Stores claims no customer or partner data was lost in the attack.
Your “Should Have Patched” Tuesday bug roundup
Microsoft patched a bug discovered by researchers at Wiz Research called ExtraReplica, which could allow for malicious code execution in Azure PostgreSQL. Rapid7 security researchers warn of thousands of Linux servers impacted by a Redis sandbox escape vulnerability that was already patched by Debian and Ubuntu on February 18th. Microsoft documented a pair of Linux privilege escalation flaws dubbed Nimbuspwn that could create a permanent root access backdoor on systems. And QNAP asked users to disable the AFP file service protocol on their NAS devices until it fixes multiple critical Netatalk vulnerabilities.
(ZDNet, Security Week [1] [2], Bleeping Computer)