LAPD loses job applicant details, Project Zero pokes holes in iOS, AWS S3 whack-a-mole continues, and more

Here is a quick roundup of the recent happenings in the world of computer security beyond what we've already reported. Also, look out this week for our Black Hat, DEF CON, and Bsides Las Vegas coverage: our vultures out in the Nevada desert will produce a string of articles from the hacking conferences. Amazon closes one open …

  1. Jamesit
    Unhappy

    "While not critical, the bugs could potentially allow an attacker to gather detailed system data on a target by intercepting and reading the status reports SanDisk drives send back to the company."

    Why would an SSD need to spy on users? Is anything safe?

    1. revenant Silver badge

      re Why would an SSD need to spy on users?

      That was my thought, but then I read the linked report - it is a management utility installed by the user on Windows that does the reporting, not the SSD itself. Perhaps the article could do with a tweak.

    2. Pascal Monett Silver badge

      Well, to be fair, it appears to be disk status reports, not what you do with your files.

      It is, however, just another example of a company choosing to do what it wants with your bandwidth "with the best of intentions" and "to improve customer service" because it can, without wondering if it has the right.

      I think that we should start invoicing our bandwidth under default terms, as in €100/month flat rate, for unauthorized usage of our bandwidth. That would probably set things straight pretty quick.

      1. Anonymous Coward

        But you don't understand how hard my job is. If I was not throwing stones at windows, how could I make money as a double glazing installer!?!?!

    3. Hstubbe

      "Why would an SSD need to spy on users? Is anything safe?".

      No.

      IT isn't about odd concepts such as "safe" and "secure", it's about hoarding data (any data) and then finding ways to flog that data to the highest bidder. Even if you pay for a service (say office 365), your data is still being stored, analyzed and sold.

      1. sitta_europea Bronze badge

        "Even if you pay for a service (say office 365), your data is still being stored, analyzed and sold."

        And if you DON'T pay for the service, probably the only reason for it to exist is to sell your data.

        Last month I signed up to a free Excel forum. Within a couple of days I was getting spam from domains at the hosting company that hosts the forum, and in a couple more days from elsewhere on the planet -- all to the spamtrap that I'd set up for it. }:-)

        https://www.mrexcel.com/forum/excel-questions/1104708-cannot-run-macro-add-post5317833.html#post5317833

  2. Anonymous Coward

    Hmmm...

    "Late last week, a Register ad-sales exec who buys shoes from StockX.com got an email from the e-tailer asking him to reset his account password. "

    Are you trying to encourage the use of ad blockers on your site ElReg?

    Or would less ad revenue still pay for expensive shiny things for the ad execs while the writers get their bread and water^H^H^Halcohol rations reduced?

  3. Tom Paine Silver badge
    Go

    Good story you missed

    Mildly surprised you passed over Kevin "@GossiTheDog" Beaumont's latest escapades. Whilst poking around S3 checking for signs any of his employers' data was leaking, he found an enormous cache of WAF logs for the main websites of a rollcall of household names, including several well-known UK high street banks. Starts here: https://twitter.com/GossiTheDog/status/1156555634936074242

    Full list of filenames (named for the customer) is on the OpenSecurity.global page linked down the thread. My bank and telco are on the list. No customer notification from any of 'em so far, so I suspect they're going to end up saying hello to the ICO's little friend (a huge fine).

  4. Adelio

    Isn't it about time that Amazon insisted on secure access to these (no exceptions)?

    1. Phil Endecott Silver badge

      There are plenty of legitimate uses for publicly-readable s3 buckets.

      They are private by default.

      1. Doctor Syntax Silver badge

        If so it should take a lot of hard work to make them public.

        1. Anonymous Coward

          "If so it should take a lot of hard work to make them public."

          Have you never witnessed the troubleshooting process when security is involved? Do you:

          a) try and understand the process, check individual components for logs/hits and ensure everything is understood and functioning as expected.

          b) remove all security and try and reapply it later...

  5. jms222

    Cardiff Electric

    If Bank of Cardiff had simply used the services of Cardiff Electric this would never have happened.

  6. Alister Silver badge

    Amazon S3

    To use the phrase "left open" in regard to the Amazon S3 buckets gives the impression that by default these are insecure, and users have to do something to make them secure.

    This is absolutely NOT the case: users have to actively disable the default security to make them public. They are not "left open", they are "made open".
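Phil Endecott's point that buckets are private by default and Alister's that they have to be "made open" both come down to three documents AWS exposes for a bucket: its ACL, its bucket policy and its Block Public Access settings. The following is an added example written for this page, not code from The Register, AWS or any commenter: a small Python checker that reads those three documents and reports exactly which grant or statement made the bucket public. The two AWS group URIs are the real identifiers for the "everyone" grantees; the sample ACLs, policies, bucket name `example-logs`, account ID and IP range are constructed for the example, and the treatment of policy `Condition` blocks is a deliberate simplification.

```python
"""Added example: spot the settings that turn a private-by-default S3 bucket
into a public one, using the three documents AWS exposes per bucket:
the ACL (s3:GetBucketAcl), the bucket policy (s3:GetBucketPolicy) and the
Block Public Access configuration (s3:GetPublicAccessBlock).
All sample documents below are constructed for this example."""
import json

# Grantee groups that make an ACL grant public. AuthenticatedUsers means
# *any* AWS account holder in the world, not just accounts you own.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return [(group, permission)] for every grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            found.append((PUBLIC_ACL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return [(Sid, [actions])] for Allow statements any principal can use.
    Simplification: a statement carrying a Condition block is skipped as
    *possibly* restricted (e.g. aws:SourceIp); a real evaluator would have to
    reason about the condition keys themselves."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        found.append((stmt.get("Sid", ""), [actions] if isinstance(actions, str) else actions))
    return found


def bucket_exposure(acl, policy, public_access_block):
    """Combine the three documents. Of the Block Public Access flags,
    IgnorePublicAcls makes public ACL grants ineffective and
    RestrictPublicBuckets makes public policy statements ineffective; the
    other two only block *writing* such settings, so they are not consulted."""
    acl_grants = acl_public_grants(acl)
    policy_stmts = policy_public_statements(policy)
    acl_effective = [] if public_access_block.get("IgnorePublicAcls") else acl_grants
    policy_effective = [] if public_access_block.get("RestrictPublicBuckets") else policy_stmts
    return {
        "acl_public_grants": acl_grants,
        "policy_public_statements": policy_stmts,
        "public": bool(acl_effective or policy_effective),
    }


# --- constructed sample documents (not from any real bucket) ----------------
PRIVATE_ACL = {  # the default ACL: only the owner, FULL_CONTROL
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}],
}
PUBLIC_ACL = {  # what "Everyone: List objects" in the console turns into
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": PRIVATE_ACL["Grants"] + [
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}],
}
PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AuditRole", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/audit"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*"}]
}""")
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]}
  ]
}""")
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {k: True for k in BPA_OFF}

if __name__ == "__main__":
    for name, acl, pol, bpa in [("private", PRIVATE_ACL, PRIVATE_POLICY, BPA_OFF),
                                ("made open", PUBLIC_ACL, PUBLIC_POLICY, BPA_OFF),
                                ("made open, BPA on", PUBLIC_ACL, PUBLIC_POLICY, BPA_ON)]:
        print(name, json.dumps(bucket_exposure(acl, pol, bpa)))
```

On a real bucket the three inputs come from `aws s3api get-bucket-acl`, `aws s3api get-bucket-policy` (whose `Policy` field is a JSON string, hence the `json.loads` above) and `aws s3api get-public-access-block`; the point of the constructed "made open" case is that neither the AllUsers READ grant nor the `Principal: "*"` statement can appear without someone putting it there.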

Biting the hand that feeds IT © 1998–2019