The first one was a doozie. A guy from Nigeria - actually from Nigeria, but he was no prince - created a ransomware scheme where he tried to recruit disgruntled employees to deploy ransomware from INSIDE corporate networks for a cut of the ransom! He was a student who wanted to create his own social media company but had no money and no job, thus no resources to start the operation.
So why not kickstart the money through a crime spree!
He's been arrested by Nigerian authorities. Another problem with having no money is the inability to pay off cops to avoid arrest.
Now, here's the really funny bit. Brian Krebs, former Washington Post reporter, who now solely writes about cybercrime and computer security, wrote about this guy when he launched his scheme. His identity wasn't known at that point. Krebs' web site is Krebsonsecurity.com. This scammer accused him of defaming his operation, calling him Mister Krebson. :-) I thought that was hilarious! Guy clearly didn't do his homework on the people investigating him. He apparently wasn't difficult to take down.
https://krebsonsecurity.com/2021/11/arrest-in-ransom-your-employer-email-scheme/
The second story is quite good, but I just have to ask:
WHY THE [BLEEP BLANKETY-BLANK] DIDN'T YOU IDIOTS DO THIS TWENTY YEARS AGO? I knew default passwords were a bad idea then, why are you just now coming around to this idea?!!!
The UK Parliament is passing an act that will require most, not all, devices that connect to the internet to not have weak/embedded passwords. Basically, when you get a device (WiFi router, web cam, thermostat, whatever) you MUST change the password on it and it cannot be reset to a factory default password.
Why?
Aside from the fact that it's a stupid and easily-prevented security hole, a British internet provider sent out thousands of WiFi routers with the same simple password, trusting that the users would change it when they set it up. Yeah, right. So rectal haberdashers went around, using these free WiFi hotspots (once you knew what the password was and how to find hotspots where the SSID is not broadcast) to download child porn, leading to a lot of innocent people being raided by the police because their router was insecure.
From the article:
The Product Security and Telecommunications Infrastructure Bill lays out three new rules:
- easy-to-guess default passwords preloaded on devices are banned. All products now need unique passwords that cannot be reset to factory default
- customers must be told when they buy a device the minimum time it will receive vital security updates and patches. If a product doesn't get either, that must also be disclosed
- security researchers will be given a public point of contact to point out flaws and bugs
That last item will be a pain to implement; it's something that has been clamored for in the security community for ages. There's no standard for that so the implementation is going to be very uneven if it's not codified AND regularly updated! I've seen stories on Krebs and Schneier.com where security researchers have found proof, not just evidence, that a company's network has been compromised, but they haven't been able to reach anyone in the company's IT department to report it!
The act has specific exceptions for certain types of devices that are exempt. Still, progress!
https://www.bbc.com/news/technology-59400762
I do some computer installation work for a couple of very small companies in my area, people who are too intimidated to replace their own router. And that's fine, I'm happy to help them, and I make a few bucks on the side. I give them a strong password, it's written down for them, and I record the password in a protected file on my phone so when I'm working with them again later, I've got records in my pocket.
For the iPhone, I use a program called mSecure. I think it cost me $5-10 to buy, and it has very strong encryption. If it's not available for the Android universe, I'm sure there's something similar.