Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

News This Week

 

LW’s NEWS WRAP: ‘Spectre-NG’ — the latest family of chip vulnerabilities; expect more to come

By Byron V. Acohido

Last Watchdog’s News Wrap Vol. 1, No. 7.  Google and Microsoft don’t team up very often. But the software rivals, to their credit, have been moving in unison to help the business community get ahead of a new class of hardware-level security flaws  that affect most of the networks now in service.

Researchers at Google’s Project Zero recently uncovered more such hardware flaws, which originate inside the central processing unit, or CPU, and first came to light when the milestone Meltdown and Spectre vulnerabilities came to light in early January.

Related article: A primer on ‘microcode’ vulnerabilities

I’ve previously unraveled how a design short cut, called ‘speculative execution,’  has finally come home to roost in the form of a vast security exposure. Speculative execution was a shortcut which Intel decided to take some 20 years ago in order to increase processing speed.

Google on Monday VERIFY formally disclosed this latest iteration of these chip flaws: eight new vulnerabilities dubbed  ‘Spectre Next Generation’ or ‘Spectre-NG.’ Then on Tuesday VERIFY Microsoft issued security patches to eliminate this specific flaw on chips companies are using to run Windows operating systems.

Get used to this pattern of disclosure and patching. These vulnerabilities won’t be eliminated until the next generation of chips arrive years from how.

“It’s safe to assume there are still quite a few flaws that have yet to be discovered,” Craig Dods, Juniper Networks chief security architect, told me. “I’m hesitant to conclude that things will only get worse with time. The barrier to entry for this type of research is quite high and generally remains possible for only the most skilled engineers.”

It will be nice if Dods’ conservative assessment holds true and we never seen anything bad come from chip flaws. However,  Russia- and China-backed cyber operatives and for-profit criminal rings certainly have deep pockets and top engineering talent – so why wouldn’t they jump into a race with white … more

LW’s NEWS WRAP: Mirai botnet variants take Internet-of-Things hacking to higher levels

By Byron V. Acohido

Last Watchdog’s News Wrap, Vol. 1, No. 2. Don’t look now but the weaponization of the Internet of Things just kicked into high gear. The Mirai botnet, which I first wrote about in December 2016, is back — in two potent variants. Mirai Okiru targets ARC processors – the chips embedded autos, mobile devices, smart TVs, surveillance cameras and many more connected products.

Related article: Massive IoT botnet hits German home routers

Mirai Satori, meanwhile, hijacks crypto currency mining operations, syphoning off newly created digital coins infects.Whether these variants are the work of Mirai’s creator, or copycats, hasn’t been determined.

“It is important to understand that the development community for malware is just as active and often more driven to create improved versions as the conventional software industry is,” Mike Ahmahdi, DigiCert’s global director of IoT security solutions, told me. “System builders and device manufacturers need to have a greater focus on implementing mitigation’s and controls that address the root issues that allow malware to flourish, rather than focusing on addressing the malware ‘flavour du jour’.”

Fancy Bear targets Olympic officials

Meanwhile, Russian hackers continue to be very methodical about interfering in U.S. politics —  for obvious strategic advantage. It turns out they also are passionate about preserving the stature of their star athletes.

The infamous hacking collective known as Fancy Bear has been tied to disruptive hacks targeting the DNC. Now those same hackers are also bedeviling the International Olympic Committee in apparent retribution for restricting Russia’s participation in the  upcoming Winter Games.

The hackers aim is to discredit Canadian lawyer Richard McLaren, who led the investigation into Russia’s widespread cheating in previous Olympic Games. It was because of the findings in his investigation that many Russian athletes are banned from the 2018 games in Pyeongchang, South Korea.

NEWS WRAP-UP: Kaspersky ban underway for U.S. agencies; Equifax data breach lawsuits pile up; Europe plans new agency to quell cyber threats

By Byron V. Acohido

Week ending Sept. 15.The U.S. government moved to ban the use of a Russian brand of security software by federal agencies amid concerns the company has ties to state-sponsored cyber espionage activities. Acting Homeland Security Secretary Elaine Duke ordered that federal civilian agencies identify Kaspersky Lab software on their networks. After 90 days, unless otherwise directed, they must remove the software, on the grounds that the company has connections to the Russian government, and its software poses a security risk.

The Department of Homeland Security “is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the department said in a statement. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.” Source: The Washington Post

Lawsuits against Equifax start to pile up after massive data breach

Equifax is facing nearly two dozen class-action lawsuits, along with a separate suit from Massachusetts, over the data breach that compromised the personal information—names, addresses, birth dates and Social Security numbers—of more than 143 million people. Sensitive data from about half of the U.S. population has been available to hackers for weeks. Check your status on Equifax’s website: Equifaxsecurity2017.com. Source: PBS

One line in lengthy bill may allow law enforcement to pursue WikiLeaks

A Senate panel may be trying to give federal law enforcement a new tool to go after the anti-secrecy group WikiLeaks and its U.S. collaborators. A one-sentence “Sense of Congress” clause tacked onto the end of an 11,700-word bill approved by the Senate Intelligence Committee is likely to come before the full Senate this month. The clause says that WikiLeaks “resembles a non-state hostile intelligence … more

NEWS WRAP-UP: Equifax admits losing data for 143 consumers; Symantec finds dozens of U.S. power plants compromised; Trump wants hacked email lawsuit thrown out

By Byron V. Acohido

Week ending Sept. 9. Credit-reporting agency Equifax said hackers gained access to sensitive personal data—Social Security numbers, birth dates and home addresses—for up to 143 million Americans, a major cybersecurity breach at a firm that serves as one of the three major clearinghouses for credit histories. Equifax said the breach began in May and continued until it was discovered in late July. It said hackers exploited a “website application vulnerability” and obtained personal data about British and Canadian consumers as well as Americans. Social Security numbers and birth dates are particularly sensitive data.

Those who possess them have the ingredients for identity fraud and other crimes. Equifax also lost control of an unspecified number of driver’s licenses, along with the credit card numbers for 209,000 consumers and credit dispute documents for 182,000 others. The company said it did not detect intrusions into its “core consumer or commercial credit reporting databases.” Equifax is one of the largest U.S.-based credit reporting agencies that collect and analyze detailed records of financial data for records of a wide range of consumers worldwide.  Source: The Washington Post

SEC chief says smaller investors need more info on cyber crime, fraud

Regulators must do more to help mom-and-pop investors understand the risks posed by cyber crime and new technologies used to commit fraud, said Securities and Exchange Commission Chairman Jay Clayton. He said cybersecurity would be one of the top enforcement issues during his tenure at the head of the Wall Street regulator. “I am not comfortable that the American investing public understands the substantial risks that we face systemically from cyber issues,” he said. One concern relates to a rise in cases of information being stolen by hackers to gain some sort of market advantage. Other areas of focus include: ensuring financial firms take the appropriate steps to safeguard sensitive information; cyber-related disclosure failures; and the growing prevalence of “initial coin offerings (ICOs).” Source: Reuters

U.K.… more

NEWS WRAP-UP: Scammers target hurricane victims; pacemakers at risk of being hacked; Tillerson signals closure of cybersecurity office

By Byron V. Acohido

Week ending Sept. 2. Scammers are using robocalls to try to fleece survivors of Hurricane Harvey. The robocalls tell people that their premiums are past due and that they must send money immediately or else have their flood insurance canceled. “That is pure fraud. You should only be taking information from trusted sources,” said Roy E. Wright, director of the National Flood Insurance Program at the Federal Emergency Management Agency. Saundra Brown, who handles disaster response for Lone Star Legal Aid in Houston, described a typical move by dishonest contractors: They ask a survivor to sign a contract for repairs on a digital tablet, but when printed out, the bid is thousands of dollars higher. Or the survivor may have unwittingly assigned FEMA disaster aid over to the scammer. Source: The Washington Post

Pacemaker patients could be at risk for hack

Nearly a half-million pacemaker patients could be at risk for cyber attacks thanks to a known security vulnerability, according to an alert from the Food and Drug Administration. The FDA issued an alert regarding manufacturer Abbott Laboratories’ recall notice affecting six pacemaker devices. The FDA has issued safety communications recalls like this in the past, but this is the first to affect implanted devices, said Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council. Abbott said it would issue updates to reduce the risk of its St. Jude heart implants being hacked and to warn patients that the devices’ batteries may run down earlier than expected. Sources: FCW, Reuters

Some Instagram users’ phone numbers, emails exposed

Instagram, the 700 million-user photo-sharing service owned by Facebook, informed some users that hackers gained access to phone numbers and emails of high-profile accounts. The attack came through Instagram’s API, or its software that allows other sites and apps to connect with it. The company said the bug was fixed within a few hours of being identified. Source: CNetmore

NEWS WRAP-UP: Identity theft hits record levels globally; Researchers find robots susceptible to hacks; Sen. McCain calls Trump’s cybersecurity policy ‘weak’

By Byron V. Acohido

Week ending Aug. 26. Identity theft is reaching “epidemic levels,” says U.K. fraud prevention group Cifas, with people in their 30s the most targeted group. A total of 89,000 cases were recorded in the first six months of the year, a 5 percent increase over the same period last year and a new record. “We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day,” said Cifas CEO Simon Dukes. “The vast amounts of personal data that is available either online or through data breaches is only making it easier.” ID theft accounts for more than half the fraud that Cifas records. More than four in five crimes were committed online, with many victims unaware that they had been targeted until they received a bill or realized their credit rating had fallen. Fraudsters steal identities by gathering name, address, date of birth and bank account details, often by stealing mail, hacking computers, trawling social media, tricking people into giving details, or buying data through the dark web. Cifas said the latest figures show there has been a sharp rise in fraudsters applying for loans, online retail, telecoms and insurance products. Sources: BBC News, Huffington Post U.K.

$500,000 offered for messaging mobile app exploits

Zerodium is offering $500,000 for weaponized exploits that work against mobile apps that offer confidential messaging or privacy, such as Signal, WhatsApp, iMessage, Viber, WeChat, and Telegram. The broker said it would pay the same rate for exploits against default mobile email apps. Those are among the highest prices Zerodium offers. Only remote jailbreaks for Apple’s iOS devices fetch a higher fee, with $1.5 million offered for those that require no user interaction and $1 million for those that do. Source: Ars Technica

A hack wrapped inside an Enigma mailing list

Enigma, a platform that’s preparing to raise money via a … more

NEWS WRAP-UP: Ukrainian hacker with tied to DNC hack surrenders; Uber agrees to improve privacy; Scottish paliament hacked

By Byron V. Acohido

Week ending Aug. 18. A Ukrainian hacker called “Profexer” who built one of the tools used to penetrate the Democratic National Committee servers last year has turned himself in to authorities. The man, who first contacted Ukrainian police earlier this year, claims he wrote a piece of software called the PAS Web shell, which the Department of Homeland Security has identified as malware used in the hack. The hacker maintains that he wasn’t behind the attack, which resulted in the release of thousands of emails sent by DNC staffers during the presidential campaign. Because there is no evidence that he used the tool to carry out the attack, he wasn’t arrested. Profexer is in touch with the FBI and is able to identify users involved in the DNC hack by their online handles. Also emerging from Ukraine is a sharper picture of what the U.S. government believes is a Russian government hacking group known as Fancy Bear. American intelligence believes it is operated by Russian military intelligence. Sources: Technology Review, The New York Times

Neo-Nazi site claims it was hacked; Anonymous says maybe not

Members of the Anonymous hacktivist collective claim that neo-Nazi website the Daily Stormer may have faked a claim that it had been taken over by hackers. Web-hosting service GoDaddy removed the Daily Stormer after it published an article viciously insulting the activist killed after a car hit her at a white nationalist rally in Charlottesville, Virginia.  Later, a message posted on the site claimed to be from Anonymous hacktivists who had taken over the site. Source: Newsweek

Tech companies ask high court to protect customers’ privacy

More than a dozen technology and wireless companies called on the Supreme Court to make it harder for government officials to access individuals’ sensitive cellphone data. The case involves a high-profile dispute over whether police should have to get a warrant before obtaining data that could reveal a cell … more