News This Week

 

LW’s NEWS WRAP: ‘Spectre-NG’ — the latest family of chip vulnerabilities; expect more to come

By Byron V. Acohido

Last Watchdog’s News Wrap Vol. 1, No. 7. Google and Microsoft don’t team up very often. But the software rivals, to their credit, have been moving in unison to help the business community get ahead of a new class of hardware-level security flaws that affect most of the networks now in service.

Researchers at Google’s Project Zero recently uncovered more such hardware flaws, which originate inside the central processing unit, or CPU, and first came to light with the disclosure of the milestone Meltdown and Spectre vulnerabilities in early January.

Related article: A primer on ‘microcode’ vulnerabilities

I’ve previously unraveled how a design shortcut, called ‘speculative execution,’ has finally come home to roost in the form of a vast security exposure. Speculative execution was a shortcut which Intel decided to take some 20 years ago in order to increase processing speed.

Google on Monday formally disclosed this latest iteration of these chip flaws: eight new vulnerabilities dubbed ‘Spectre Next Generation’ or ‘Spectre-NG.’ Then on Tuesday Microsoft issued security patches to eliminate this specific flaw on chips companies are using to run Windows operating systems.

Get used to this pattern of disclosure and patching. These vulnerabilities won’t be eliminated until the next generation of chips arrives years from now.

“It’s safe to assume there are still quite a few flaws that have yet to be discovered,” Craig Dods, Juniper Networks chief security architect, told me. “I’m hesitant to conclude that things will only get worse with time. The barrier to entry for this type of research is quite high and generally remains possible for only the most skilled engineers.”

It will be nice if Dods’ conservative assessment holds true and we never see anything bad come from chip flaws. However, Russia- and China-backed cyber operatives and for-profit criminal rings certainly have deep pockets and top engineering talent – so why wouldn’t they jump into a race with white hats to find more vulnerabilities — and/or exploit known flaws in unpatched systems? I have a feeling we’ll hear from them sooner, rather than later. …more

LW’s NEWS WRAP: Mirai botnet variants take Internet-of-Things hacking to higher levels

By Byron V. Acohido

Last Watchdog’s News Wrap, Vol. 1, No. 2. Don’t look now but the weaponization of the Internet of Things just kicked into high gear. The Mirai botnet, which I first wrote about in December 2016, is back — in two potent variants. Mirai Okiru targets ARC processors – the chips embedded in autos, mobile devices, smart TVs, surveillance cameras and many more connected products.

Related article: Massive IoT botnet hits German home routers

Mirai Satori, meanwhile, hijacks cryptocurrency mining operations, siphoning off newly created digital coins from the operations it infects. Whether these variants are the work of Mirai’s creator, or copycats, hasn’t been determined.

“It is important to understand that the development community for malware is just as active and often more driven to create improved versions as the conventional software industry is,” Mike Ahmahdi, DigiCert’s global director of IoT security solutions, told me. “System builders and device manufacturers need to have a greater focus on implementing mitigations and controls that address the root issues that allow malware to flourish, rather than focusing on addressing the malware ‘flavour du jour’.”

Fancy Bear targets Olympic officials

Meanwhile, Russian hackers continue to be very methodical about interfering in U.S. politics — for obvious strategic advantage. It turns out they also are passionate about preserving the stature of their star athletes.

The infamous hacking collective known as Fancy Bear has been tied to disruptive hacks targeting the DNC. Now those same hackers are also bedeviling the International Olympic Committee in apparent retribution for restricting Russia’s participation in the upcoming Winter Games.

The hackers’ aim is to discredit Canadian lawyer Richard McLaren, who led the investigation into Russia’s widespread cheating in previous Olympic Games. It was because of the findings in his investigation that many Russian athletes are banned from the 2018 games in Pyeongchang, South Korea.

…more

NEWS WRAP-UP: Kaspersky ban underway for U.S. agencies; Equifax data breach lawsuits pile up; Europe plans new agency to quell cyber threats

By Byron V. Acohido

Week ending Sept. 15. The U.S. government moved to ban the use of a Russian brand of security software by federal agencies amid concerns the company has ties to state-sponsored cyber espionage activities. Acting Homeland Security Secretary Elaine Duke ordered that federal civilian agencies identify Kaspersky Lab software on their networks. After 90 days, unless otherwise directed, they must remove the software, on the grounds that the company has connections to the Russian government, and its software poses a security risk.

The Department of Homeland Security “is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian …more

NEWS WRAP-UP: Equifax admits losing data for 143 consumers; Symantec finds dozens of U.S. power plants compromised; Trump wants hacked email lawsuit thrown out

By Byron V. Acohido

Week ending Sept. 9. Credit-reporting agency Equifax said hackers gained access to sensitive personal data—Social Security numbers, birth dates and home addresses—for up to 143 million Americans, a major cybersecurity breach at a firm that serves as one of the three major clearinghouses for credit histories. Equifax said the breach began in May and continued until it was discovered in late July. It said hackers exploited a “website application vulnerability” and obtained personal data about British and Canadian consumers as well as Americans. Social Security numbers and birth dates are particularly sensitive data.

Those who possess them have the ingredients for identity fraud and other crimes. Equifax also lost control of an unspecified number of driver’s licenses, along with the credit …more

NEWS WRAP-UP: Scammers target hurricane victims; pacemakers at risk of being hacked; Tillerson signals closure of cybersecurity office

By Byron V. Acohido

Week ending Sept. 2. Scammers are using robocalls to try to fleece survivors of Hurricane Harvey. The robocalls tell people that their premiums are past due and that they must send money immediately or else have their flood insurance canceled. “That is pure fraud. You should only be taking information from trusted sources,” said Roy E. Wright, director of the National Flood Insurance Program at the Federal Emergency Management Agency. Saundra Brown, who handles disaster response for Lone Star Legal Aid in Houston, described a typical move by dishonest contractors: They ask a survivor to sign a contract for repairs on a digital tablet, but when printed out, the bid is thousands of dollars higher. Or the survivor may have …more

NEWS WRAP-UP: Identity theft hits record levels globally; Researchers find robots susceptible to hacks; Sen. McCain calls Trump’s cybersecurity policy ‘weak’

By Byron V. Acohido

Week ending Aug. 26. Identity theft is reaching “epidemic levels,” says U.K. fraud prevention group Cifas, with people in their 30s the most targeted group. A total of 89,000 cases were recorded in the first six months of the year, a 5 percent increase over the same period last year and a new record. “We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day,” said Cifas CEO Simon Dukes. “The vast amounts of personal data that is available either online or through data breaches is only making it easier.” ID theft accounts for more than half the fraud that Cifas records. More than four in …more

NEWS WRAP-UP: Ukrainian hacker tied to DNC hack surrenders; Uber agrees to improve privacy; Scottish parliament hacked

By Byron V. Acohido

Week ending Aug. 18. A Ukrainian hacker called “Profexer” who built one of the tools used to penetrate the Democratic National Committee servers last year has turned himself in to authorities. The man, who first contacted Ukrainian police earlier this year, claims he wrote a piece of software called the PAS Web shell, which the Department of Homeland Security has identified as malware used in the hack. The hacker maintains that he wasn’t behind the attack, which resulted in the release of thousands of emails sent by DNC staffers during the presidential campaign. Because there is no evidence that he used the tool to carry out the attack, he wasn’t arrested. Profexer is in touch with the FBI and is …more