Security researchers Riskiq have identified 17,000 domains that they say Magecart has compromised this way, including 2,000 of "the world's biggest sites." It's not clear how many of those actually have credit-card processing scripts that would allow Magecart to steal card details from their customers.
Amazon S3 buckets are secure by default. Companies run into trouble when they actively change those permissions, either somewhere in the development process or when they hand off cloud work to a third-party contractor. Those Amazon S3 bucket misconfigurations have caused plenty of problems before. The fallout, though, was usually limited to the exposure of personally identifiable information, huge databases of usernames and passwords and birthdays and Social Security numbers that wind up for sale, or for free, on the dark web and elsewhere. That’s because those goofs typically give read permission to interlopers, but not the ability to write code. The Magecart hackers figured out a way to scan for misconfigurations that do both—and now they know 17,000 vulnerable domains.
“This is a whole new level of misconfiguring,” says Klijnsma. “These buckets are pretty much owned by anybody who talks to it, which is on a different scale, a different type of data leakage. Pretty much anybody can do anything in those S3 buckets, and the reach of those is quite big.”
Hack Brief: A Card-Skimming Hacker Group Hit 17K Domains—and Counting [Brian Barrett/Wired]
(Image: Mary Rose Trust, CC-BY-SA, modified)
Iowa state court officials contracted with Coalfire to conduct "penetration tests" on its security; as part of those tests, two Coalfire employees broke-and-entered the Adel, Iowa courthouse, and were caught by law-enforcement, whose bosses in Dallas County were not notified of the test.
Eleanor Saitta's (previously) 2016 essay "Coercion-Resistant Design" (which is new to me) is an excellent introduction to the technical countermeasures that systems designers can employ to defeat non-technical, legal attacks: for example, the threat of prison if you don't back-door your product.
For decades, people (including me) have predicted that cyberinsurers might be a way to get companies to take security seriously. After all, insurers have to live in the real world (which is why terrorism insurance is cheap, because terrorism is not a meaningful risk in America), and in the real world, poor security practices destroy […]
Breaking into the big leagues as a project manager isn’t done overnight, but there are principles that anyone can learn, and they’re applicable to nearly any business. No matter what your field, if there are multiple teams working toward a common goal, you’re going to need a roadmap. The Project Management Professional Certification Training Suite […]
On the one hand, nostalgia is “a corruption of the historical impulse,” according to William Gibson. On the other hand, “Super Mario Bros.” will never not be cool. Luckily, there’s a way to satisfy that retro gaming while still keeping an eye on the future: The GameShell Kit. This thing is simultaneously the last handheld […]
The field of data analytics can get intimidating, even for business professionals who constantly rely on it. But at its heart, its purpose is to simplify. To take mounds of information and distill their insights into a single clear picture. Currently, the go-to software for painting that picture is Tableau. And if you want to […]