Top infosec trends in the social media spotlight this week
Large chunks of the internet temporarily dropped offline on Monday after a routing configuration screw-up.
Verizon customer Allegheny mistakenly announced itself as a preferred route for global internet traffic. Verizon passed on these changes, resulting in a Border Gateway Protocol (BGP) route leak that affected an estimated 10-15% of traffic handled by content distribution network Cloudflare.
Amazon and Linode were also affected by the “cascading catastrophic failure” – exacerbated by use of a ‘BGP Optimizer’ product from Noction – before the changes were reverted and normality restored.
Cloudflare has published a post-mortem on the mess-up, which social media commenters were quick to note was far from the first of its type.
A thread on Twitter offers a crash course in how BGP works, and how a mistake led to a “big chunk of the internet” including Cloudflare getting “accidentally rerouted to a random steel factory”.
The Daily Swig has previously reported on how a BGP experiment knocked Linux routers offline as well as how China Telecom allegedly misdirected large quantities of internet traffic using BGP announcements.
Incoming!
A more dramatically-caused outage came about after US forces were reported to have launched a cyber-attack against Iranian missile systems as a reprisal for an American drone being shot down in the Arabian Gulf.
Infosec commentators questioned the wisdom of publicly disclosing such an attack – a move that might potentially yield intel about US cyber-warfare capabilities to other potential adversaries.
The action comes just a few weeks after Israel bombed what it claimed was a hacking cell run by Hamas on the Gaza Strip – a military operation that reignited the debate about how cyberspace has become an arena of military conflict and what (if anything) might be done to regulate it.
Get back to work, you Slackers
Back on the ground, Microsoft has banned its employees from using Slack over security concerns. Internal use of both AWS and Google Docs in Redmond has also been discouraged.
Microsoft’s Teams product competes against Slack, but security rather than commercial self-interest is the driver of the ban, GeekWire reports. Even use of Microsoft-owned GitHub is discouraged for “highly confidential types of information, specs or code”, according to leaked internal memos.
It’s far from the first time tech giants have grappled with these kinds of issues. For example, back in 2012 IBM reportedly told workers not to use rival Apple’s Siri voice assistant for similar reasons.
iCloud, Dropbox and external webmail services were also designated as out of favour at Big Blue.
Fox in the hen house
Attempts to abuse a recently patched zero-day vulnerability in Mozilla Firefox were put under the microscope on social media this week.
The high-impact Firefox flaw was abused in an attack against a cryptocurrency exchange staffer – a class of worker that’s a prime target for this kind of malfeasance.
Rob Heaton of payments firm Stripe has put together a detailed blog post explaining how he was targeted by an attempted phishing attack that relied, in part, on the Firefox vulnerability.
Unbreakable, you say
Infosec Twitter collectively rolled its eyeballs and gave a large sigh after it emerged that somebody had started a crowdfunding campaign for a self-described “unhackable” computer.
Doubters were inflamed rather than assuaged to learn that the device had secured a patent. And sarcasm flowed.
Applying the term ‘unhackable’ to anything to do with computers is like waving a red flag at a bull, not least because some rather capable hackers go out of their way to disprove such claims, so far invariably successfully.
This story is always the same. Last year the John McAfee-promoted digital currency wallet Bitfi was “unhackable”, until a team of researchers debunked the claim.
Years back, Oracle made the similarly ill-advised claim that its latest database was unbreakable… which was true, until (quite quickly) it wasn’t.
There’s little expectation that there’ll be a twist in the tale in the case of the “unhackable” computer, the work of Pritam Nath, CEO of MicrosafeX Company.
Green hair blue
Staying with crowdfunding, but moving onto a more uplifting theme, cryptographer Matthew Green raised more than $12,000 for refugee centers by simply dyeing his hair blue.
Green said he dyed his hair blue in solidarity with his child, who had earlier decided to make the same fashion choice. It’s unclear whether or not the choice of hair color by both was subconsciously inspired by Microsoft Windows’ infamous Blue Screen of Death.
One thing’s for sure: his choice of color wasn’t inspired by nominative determinism.