Friday Report: No Weaponized Stuxnets in Sight But Other Fakes Were Real, Hackers Can’t Escape Long Arm of the Law

By Cynthia Brumfield

Welcome to Metacurity’s Friday report where we try to wrap up the week’s infosec news into big picture themes.

At the outset, one top development that wasn’t actually bona fide news nevertheless lit up infosec Twitter with shouts of outrage. It all started when a famous hacker, known on Twitter as “Jester,” idly speculated whether the spate of gas fires across the city of Lawrence, Massachusetts and nearby towns was a kind of cyberattack targeting gas-related SCADA systems.

Then, a Twitter user known as AwareMap ratcheted up the alarm level by saying that some mysterious “agencies” were investigating the fires looking for traces of “weaponized Stuxnet” viruses (a redundant phrase given that Stuxnet is already considered a weapon). Stuxnet was a sophisticated Israeli-U.S. cyber attack used against an Iranian enrichment facility that caused damage to the facility’s SCADA systems, the first known exploit to actually cause physical damage. Top pros were agog at the alarming tweets, decrying this speculation as misleading at best, damaging at worst and a distraction from the real-world work of ensuring public safety.

That’s all it took for the term “weaponized Stuxnet” to become a meme, one that is likely to stick around in cybersecurity circles for a long time. Lorenzo Franceschi-Bicchierai has the low-down on this Twitter side-show.

However, some “real fake” developments did occur this week. HuffPo India broke the news that India’s controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, had been compromised by a software patch that disables critical security features of the software used to enroll new Aadhaar users, allowing fakers to sign up for their own spoofed identities.

Popular cryptocurrency wallet Jaxx’s website had a very convincing fraudulent version that served malicious links to trick users into revealing the backup phrase that protected the virtual funds, researchers discovered. The crooks even copied the original Jaxx website word for word and installed a real-deal wallet on the victims’ computers.

Finally, a big head fake took place on Capitol Hill when a Senate Commerce Committee hearing featuring six major tech and ISP giants was announced, supposedly to look at Internet privacy in some kind of earnest way, but really was patently engineered by those same giants, and their industry association, to start laying the groundwork to get rid of California’s recently enacted tough privacy law, slated to go into effect in 2020.

In other news, the past week proved that cybercrime really doesn’t pay in the end. On the heels of the Justice Department announcing it had nabbed and extradited a Russian hacker accused of being part of the group who stole around 80 million customers’ data from JP Morgan Chase in 2014, a Romanian Court ruled that hacker Guccifer should be extradited to the U.S. After that, a Russian hacker behind a number of international botnet and spamming operations, most notably the Kelihos botnet, pleaded guilty to a slew of counts in Federal Court in Connecticut.

A Latvian hacker was sentenced to 33 months in federal prison after earning between $150,000 and $250,000 in a “scareware” scheme that infected the computers of people who visited the Minneapolis Star Tribune’s website in 2010. Finally, a proverbial Nigerian email scammer was given a 60-month sentence and ordered to pay $2.5 million in restitution after pleading guilty to charges of wire fraud and conspiracy to commit wire fraud amounting to $25 million for his role in a series of business email compromise scams.

A lot more happened this past week, so check out our home page or go to our snacks page for an easy-to-scroll run-down of the news.

That’s it for this week. We leave you with an image that shows just how ridiculous smartphones and tablets and all the technology we use today might seem 40 years from now.

Be safe and be sane out there!