Top infosec trends in the social media spotlight
A security breach at Docker Hub that exposed the login credentials of 190,000 software developer users continued to steal the security headlines this week.
The incident exposed usernames and hashed passwords for the Docker container platform, along with GitHub and Bitbucket access tokens. The latter aspect of the breach made it much more serious than it might otherwise have been.
The compromise of secret tokens means that data from the breach might be used to hack many other sites. Docker published an FAQ on the hack, offering advice, last Friday.
The continuing fallout was addressed by company execs at the DockerCon user conference which, as luck would have it, took place just days after the calamity became public knowledge.
Small mercies, perhaps, but at least Microsoft was able to say its containers weren’t affected.
Hua-dunnit
From a breach to a leak. UK defence secretary Gavin Williamson was dramatically sacked on Wednesday after he was blamed for leaking news that several cabinet ministers objected to procuring kit from controversial Chinese telecoms kit supplier Huawei for the UK’s 5G rollout.
Williamson strenuously denied leaking information from the National Security Council to the Daily Telegraph, which splashed on the story that the UK government was set to approve usage of Huawei kit in less sensitive parts of the next-gen mobile network.
At this difficult time in the nation’s history, won’t someone think of the children / Williamson’s pet tarantula, Cronus?
There was more debate about networking security after Bloomberg reported that Vodafone Italy uncovered ‘hidden backdoors’ in Huawei-supplied kit back in 2011. Vodafone Italy dismissed the report and said the issue was “nothing more than a failure to remove a diagnostic function after development”, the BBC reports.
The ‘backdoor’ was actually a Telnet-based remote debug interface – not great engineering practice, but one far from limited to Huawei, and a historic problem that’s largely been overcome. Router giant Cisco is no stranger to problems in this area, either.
Gr0undh)g Day!
Thursday brought around the annual World Password Day. Again.
There’s a consensus that getting consumers (and business) to move on from weak, easily guessed passwords is important – and that password re-use also needs to stop.
But experts continue to differ on how often to change passwords (as often as you change your underwear?), whether getting people to use three random words as a password is a good idea, and on the utility of password managers, especially for mainstream users.
And that’s before we even get into talking about two-factor authentication.
Experts continue to disagree, so it’s no surprise that comments under the #WorldPasswordDay hashtag on Twitter this year threw up plenty of conflicting advice, alongside some pearls of wisdom.
On a related theme, an amusing post on Reddit illustrates how people can easily be tricked into handing over their passwords at work using the most basic of social engineering trickery.
Whether or not a bug bounty can replace traditional pen testing, another long-running debate in infosec circles, kicked off again on social media this week.
And over on Medium, projections that by 2021 there might be up to 3.5 million unfilled cybersecurity jobs across the globe attracted plenty of views. The debate came as an announcement by the Trump administration on Thursday revealed plans to boost the US government’s cybersecurity workforce.
Filet-O-Phish
Finally, another Canadian was left temporarily out of pocket after a hacker ordered thousands of dollars’ worth of Chicken McNuggets and poutine through the McDonald’s app (MyMcD’s).
Patrick O'Rourke, Toronto-based managing editor of the tech news site MobileSyrup, got stuck with a bill for meals at different McDonald’s outlets in Montreal.
The latest case follows a string of complaints from other Canadian fast food fans, CBC reports.
O’Rourke, who got his money back from his credit card issuer, is nonetheless critical that McDonald’s hasn’t been more proactive about stamping out the fraud, for example by warning customers and advising them to change their passwords.
The unidentified miscreant has been dubbed the ‘Hamburglar’ by social media wags.