Cyber Defense Special: Spectre & Meltdown
A fascinating week in the information security world: the discovery of three extremely subtle bugs (vulnerabilities) in the computer chips that drive the world has everyone, properly, concerned. What a tremendous, and hopefully painless, lesson. So let’s lay it out.
- What’s going on?
- What do we do about it?
- What does it mean?
- Special Cybersecurity News of the Week Reference Section
And now … on to the rest of this week’s Cybersecurity News:
Individuals at Risk
240,000 Homeland Security employees, case witnesses affected by data breach: A database used by the Department of Homeland Security’s Office of the Inspector General has been confirmed as breached, affecting 247,167 current and former employees and individuals associated with the department’s previous investigations. ZDNet, January 4, 2018
Google Patches Multiple Critical, High Risk Vulnerabilities in Android: Google patched several Critical and High severity vulnerabilities as part of its Android Security Bulletin for January 2018. SecurityWeek, January 3, 2018
36 fake security apps removed from Google Play: Google has recently pulled 36 fake security apps from Google Play, after they’ve been flagged by Trend Micro researchers. HelpNetSecurity, January 4, 2018
This Android malware mimics Uber to steal your login and password: Uber users with Android smartphones are being targeted with malware that shows victims a fake version of the ride-hailing service, in order to steal their credentials. ZDNet, January 4, 2018
Windows Hello face recognition spoofed with photographs: “You are the password,” is the catchy marketing slogan Microsoft used to launch its Windows 10 Hello face authentication system in 2015. NakedSecurity, January 3, 2018
Many GPS Tracking Services Expose User Location, Other Data: Researchers discovered that many online services designed for managing location tracking devices are affected by vulnerabilities that expose potentially sensitive information. SecurityWeek, January 2, 2018
Do YOU save passwords on your browser? Major security flaw in autofill tool means your personal details and online habits could be revealed to hackers: Passwords stored on web browsers such as Google Chrome or Safari aren’t as secure as you think, according to new research. DailyMail, January 2, 2018
Information Security Management in the Organization
Information Security Management and Governance
Top Cyber Risks Businesses Should Prepare for in 2018: This year’s top six cyber risks for businesses, according to The Chertoff Group principal Adam Isles, include: increase in destructive attacks targeting industrial control systems, expansion of IoT as a threat vector, evolution in nation-state activity tradecraft, advances in identity subversion as a tactic, increased use of software subversion to bypass security controls and increase in third-party risk. Corporate Counsel, January 4, 2018
Server Cryptomix Ransomware Variant Released: The devs behind the Cryptomix ransomware just keep pushing them out. A new Cryptomix variant was released last week that appends the .SERVER extension to encrypted files and changes the contact emails used by the ransomware. BleepingComputer, January 4, 2018
Critical Vulnerability Patched in phpMyAdmin: An update released just before the holidays by the developers of phpMyAdmin patches a serious vulnerability that can be exploited to perform harmful database operations by getting targeted administrators to click on specially crafted links. SecurityWeek, January 2, 2018
VMware Issues 3 Critical Patches for vSphere Data Protection: VMware, a Dell Technologies subsidiary, released several patches Tuesday fixing critical vulnerabilities affecting its vSphere cloud computing virtualization platform. ThreatPost, January 2, 2018
Cybersecurity in Society
Reddit investigating internal hack after users report stolen Bitcoin Cash tips: Another day, another wild mystery in the world of crypto. Reddit has confirmed it is investigating a possible internal security threat after several members of the Bitcoin Cash subreddit – more commonly known as /r/BTC – reported their accounts were purportedly hacked and emptied out of their funds. The Next Web, January 4, 2018
Know Your Enemy
Iranian Hackers: Sophisticated, Frustrated and a Rising Global Threat: SAN FRANCISCO — Between breaking into the email accounts of United States government officials, political dissidents and international human rights organizations, Iranian hackers liked to joke about their slow internet service, poor pay and lack of skilled colleagues. The New York Times, January 4, 2018
Ukraine called a “training ground” for Russian hacking attacks on west: Ukraine has become a “training ground” for Russian hackers wishing to perpetrate cyber-attacks on the west, a Kyiv security expert has claimed. SC Magazine, January 2, 2018
New bill could finally get rid of paperless voting machines: A bipartisan group of six senators has introduced legislation that would take a huge step toward securing elections in the United States. Called the Secure Elections Act, the bill aims to eliminate insecure paperless voting machines from American elections while promoting routine audits that would dramatically reduce the danger of interference from foreign governments. Ars Technica, January 2, 2018
No Place For Passivity in Cybersecurity Leadership: By and large, the news in 2017 was not good on the cybersecurity front. Whether you follow media headlines or industry studies, attacks are up, breaches are larger and threat actors are more sophisticated than ever. Unfortunately, many organizations fail to take basic precautions to mitigate these risks. As a result, breaches often go unreported, leaving millions of customers unaware that their personal data is exposed. SecurityIntelligence, January 3, 2018
Cyber Conscious: Why Time Is Running Out for Executives With No Cybersecurity Initiatives: With the arrival of the new year comes new changes. Businesses are implementing new sales strategies, new products and services and new management teams. There is no denying that the business landscape has dynamically changed since the start of the 21st century. [Oldie but Goodie]. SecurityIntelligence, January 14, 2016
Cybercriminals dropping Bitcoin for more private cryptocurrencies: Cybercriminals appear to be dropping bitcoin for more private cryptocurrencies as law enforcement develop new technology and techniques to monitor and match transactions to crimes. SC Magazine, January 2, 2018
Louisiana man busted in ‘Nigerian prince’ scam. Faces 269 counts of wire fraud and money laundering for his part in a Nigerian prince email scam: A 67-year-old Louisiana man faces 269 counts of wire fraud and money laundering for his part in a Nigerian prince email scam. SC Magazine, December 30, 2017
Artificial Intelligence to listen for suicidal thoughts on social media: Canada is planning a pilot project to see if Artificial Intelligence (AI) can find patterns of suicidality – i.e., suicidal thoughts or attempts, self-harm, or suicidal threats or plans – on social media before they lead to tragedy. NakedSecurity, January 4, 2018