Some weeks the news is straightforward. Other weeks it’s a winding webbed trail (haha). Some weeks the headlines grab you by the neck and shake you. Other weeks they leave you scratching your head.
This week the cyber week in review is a week of contradictions: the things that happen and the things that unhappen (or maybe didn’t happen, or maybe are different, but the same). It’s a contradictory week, but it’s your cyber week in review.
Smack on Slack
Bug bounties have been an important piece of the cybersecurity puzzle in recent years: big payout for potentially risky invitations to hackers to find security flaws in your programming. The bigger the bug, the bigger the bounty!
Well, Slack got a real doozy of a bug and paid the bounty, but—pay attention here folks—other programs may still have this flaw!
A researcher at a web security company submitted a bug and got a little bonus check in February. The bug could have allowed an attacker to log in to a Slack account via a configuration flaw in Slack’s WebSocket handling. A hacker could have stolen the user’s Slack authentication token and then accessed anything—chats, shared files, anything the user had access to.
Other companies use interfaces like the postMessage function or the WebSocket protocol to communicate between websites. If that kind of cross-site messaging is part of a company’s interfacing, an inspection and repair of the problem are overdue!
As far as Slack is concerned, though, they say they did a thorough analysis and could find no instances of that particular bug being exploited.
Translation: your Slack is safe.
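The flaw described above comes down to trusting messages from any website. As an added example (not Slack’s code and not from the original post), here is the check that both channels named above need: a browser-side postMessage listener that verifies event.origin, next to the unchecked version that hands out a session token to anyone, and a server-side WebSocket handshake check on the Origin header. The allow-listed origins, the sample events and the token value are all constructed for the demo.

```javascript
// Added example, not Slack's code: origin checks for the two cross-site
// channels the post names (postMessage and WebSocket). Without such a check,
// a message from any origin is trusted.

// Allow-list of origins we are willing to talk to (constructed for this example).
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://auth.example.com',
]);

// Exact-match origin check. No substring or endsWith matching:
// "https://app.example.com.evil.test" must not pass.
function isTrustedOrigin(origin) {
  return typeof origin === 'string' && TRUSTED_ORIGINS.has(origin);
}

// --- Browser side: receiving postMessage ---------------------------------
// Vulnerable pattern: act on every message and hand out the session token,
// addressed to whatever origin asked for it.
function handleMessageUnchecked(event, sessionToken) {
  if (event.data && event.data.type === 'getToken') {
    return { to: event.origin, token: sessionToken };
  }
  return null;
}

// Hardened: verify event.origin against the allow-list before acting, and
// reply only to that verified origin (never post back with targetOrigin '*').
function handleMessageChecked(event, sessionToken) {
  if (!isTrustedOrigin(event.origin)) return null;
  if (event.data && event.data.type === 'getToken') {
    return { to: event.origin, token: sessionToken };
  }
  return null;
}

// --- Server side: WebSocket upgrade ---------------------------------------
// Browsers send an Origin header with the WebSocket handshake. The server
// should reject the upgrade when it is missing or not allow-listed, because
// the same-origin policy does not protect WebSocket connections.
function shouldAcceptUpgrade(headers) {
  return isTrustedOrigin(headers['origin']);
}

// Constructed sample events and handshakes for the demo.
const SAMPLE_TOKEN = 'constructed-sample-session-token';
const fromTrusted = { origin: 'https://app.example.com', data: { type: 'getToken' } };
const fromAttacker = { origin: 'https://app.example.com.evil.test', data: { type: 'getToken' } };

// Runs both handlers and the upgrade check over the samples and reports
// which one leaks and which one blocks.
function demo() {
  return {
    uncheckedLeaks: handleMessageUnchecked(fromAttacker, SAMPLE_TOKEN) !== null,
    checkedBlocks: handleMessageChecked(fromAttacker, SAMPLE_TOKEN) === null,
    checkedAllowsTrusted: handleMessageChecked(fromTrusted, SAMPLE_TOKEN) !== null,
    upgradeTrusted: shouldAcceptUpgrade({ origin: 'https://app.example.com' }),
    upgradeAttacker: shouldAcceptUpgrade({ origin: 'https://evil.test' }),
    upgradeMissing: shouldAcceptUpgrade({}),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of the exact-match set is the second sample event: an attacker-controlled host whose name merely starts with a trusted origin gets through any prefix or substring comparison, so the check compares whole origins and nothing else.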
Mike Pence’s Hilarious Hack
If you hadn’t already heard, Mike Pence’s personal email account was hacked. The circumstances surrounding the hack might be worth a chuckle or two. Here they are:
- Hackers breached his email with a phishing scheme claiming that he and his wife were out-of-the-country and stranded and needed money.
- The account they breached was his AOL account (yep, still had one).
- On that account, he conducted personal and state business.
- Despite being so outspoken against Hillary Clinton’s use of an outside server for official business, he used this personal email for state business (same but different).
- Since it wasn’t through his public service account, it was not backed up and documented the way that state documents (emails included) are required to be. The United States has required that official documents be maintained and accessible by the public for certain public officials.
- He is in the middle of a heated negotiation about some of that content—even though some of the items are “state” business he does not want them in the public access category.
So is Mike Pence a punchline? Perhaps. A head-scratcher? Certainly. Also, a contradiction this week in cyber land.
Not Cool, Coachella
The Coachella Valley Music and Arts Festival is one of the biggest (and most star-studded) music festivals in the world. Held each April in Indio, California, it has hosted Madonna, Rihanna, OutKast, Prince, Daft Punk, and so many more over the years. The warm California weather and the laid-back vibe signal the start of the musical summer.
So a hack of users and their passwords would…definitely contradict their image.
Two suggestions: 1) If you have a Coachella account, change the password and 2) Take this as yet another example of one simple password rule: never, ever, use the same password for more than one site.
A lot of wind would be let out of hacker sails if we could just get everyone to agree to not reuse passwords.
Not Really a Rant
Every week we bring you top (and pop) stories in the world of cybersecurity. Not to confuse, but to amuse. Not really a rant about passwords (unless a little extra time on that soapbox would actually make a difference).
Also, a little bit about cyber threat prevention strategies: because when we learn from the mistakes of others we need not bother making them ourselves.
Until next week…as ever…enjoy the headlines (but stay out of them).