News Items

Children need to be protected when they use programmable Internet computing devices such as the BBC micro:bit. The BBC micro:bit is a small easily-programmable device that could be used by children in the creation of digital technologies. Although such devices provide educational benefits to children, the security of these devices must be taken into consideration. Therefore, a team of scientists at Lancaster University developed new guidelines to help designers implement security into such devices in order to strengthen the protection of children in the digital world. The framework provided by scientists helps designers visualize the different ways in which their devices could be used by children and adopt approaches to mitigating the risks posed by these devices. This article continues to discuss the use of programmable IoT devices by children, the risks posed by these devices, and the framework developed by researchers to help designers address these risks.

Lancaster University "Keeping Children Safe in the 'Internet of Things' Age"

The Chief Security and Privacy Officer at Georgian Partners, Alex Manea, has pointed out four common mistakes made by CEOs in their approaches to mitigating the cybersecurity risks faced by their companies. According to Manea, CEOs often skip the performance of ethical hacking assessments, forget about establishing a good cybersecurity architecture, fail to think about the severity and likelihood of security risks, and more. This article continues to discuss the most common cybersecurity mistakes made by CEOs and how to avoid them.

Chief Executive reports "Avoid These Top Four Cybersecurity Mistakes"

Medtronic is recalling its insulin pumps as a result of their vulnerability to being hijacked by hackers. The U.S. Food and Drug Administration (FDA) has warned of the danger of vulnerabilities in Medtronic's MiniMed insulin pumps, stating that the exploitation of these vulnerabilities could allow malicious actors to alter a pump's settings. According to the FDA, the tampering of insulin pumps could lead to extremely low or high blood sugar, posing a significant threat to the well-being of patients. This article continues to discuss the risks posed by vulnerable insulin pumps, the recall of these devices, and Medtronic's efforts to improve the security of their medical devices.

Help Net Security reports "Medtronic Recalls Vulnerable MiniMed Insulin Pumps"

The National Institute of Standards and Technology (NIST) publication, NISTIR 8228, provides a guide that could be used by federal and private sector organizations in the management of IoT privacy and cybersecurity risks. The report is the first in a planned series of NIST publications aimed at helping organizations reduce IoT vulnerabilities. The report categorizes cybersecurity and privacy risks posed by IoT devices. These categories include device security, data security, and individuals' privacy. NIST recommends that organizations make changes to their policies and processes to mitigate challenges faced in managing IoT devices and vulnerabilities. This article continues to discuss the goal and key points made in the NIST guide in relation to the management of cybersecurity and privacy risks posed by IoT devices.

HealthITSecurity reports "Managing IoT Privacy, Cybersecurity Guidance Released by NIST"

In a new study, it was discovered that payment card fraud is being used around the world to fund and launder the proceeds from organized crime, drug and human trafficking, terrorism and more. Payment fraud caused over 1 billion dollars in losses associated with those 274 cases that were studied. It was also discovered that in North America, most payment care fraud was linked to identity fraud (33%), organized crime (32.5%), human trafficking (17.5%) and drug trafficking (15%). In Europe payment card fraud was linked to, organized crime (62%), drug trafficking (41%) and money laundering (41%). Payment fraud is not just a fraud problem, it should no longer be viewed as a non-violent crime, mere annoyance, or unfortunate cost of doing business.

Infosecurity reports: "Payment Fraud Linked to Terrorism and Trafficking"

Cybercriminals are now using shimmers more than skimmers in the execution of attacks against automated teller machines (ATMs). Skimmers are small devices that can be attached to an ATM's card reader to harvest data as users swipe their cards, which could allow for the cloning of cards. The implementation of the European Mastercard Visa (EMV) payment standard has prevented cybercriminals from using skimmers as the EMV method stores data on integrated circuits. As a result, there has been an increase in the use of shimmers, which differ from skimmers in regard to position, size, and more. This article continues to discuss how shimmers differ from skimmers, ATM security measures, and mitigation for ATM shimming attacks.

Security Week reports "Hackers Favoring Shimmers Over Skimmers for ATM Attacks"

In a new study it was discovered that 1 in 10 open source components downloaded in 2018 had known security vulnerabilities. It was discovered that there was a 71% increase in open source related breaches over the past five years, and that 24% of organizations confirmed or suspected an OSS related breach. It is important as more people use and download software from open sources, that one does their research first to make sure that they are secure.

Help Net Security reports: "1 in 10 Open Source Components Downloaded in 2018 had a Known Security Vulnerability"

Data breaches have become a common occurrence. In Australia, the Australian Information Commissioner (OAIC) found that a data breach affected more than 10 million Australians. This data breach is just one of many that have recently been experienced by organizations across the world. According to Verizon's 2019 Data Breach Investigation Report (DBIR), web application attacks remain the most common attack vector for data breaches, which calls for all organizations to examine their application security practices. Organizations are encouraged to adopt new approaches to application security in which automation, artificial intelligence, and human intelligence is used. This article continues to discuss recent massive data breaches, findings of Verizon's 2019 DBIR, challenges faced by organizations in securing software, consequences of inadequate application security measures, and recommended approaches to software security.

SDTimes report "Top Roadblocks to Securing Web Applications"

Security researchers with Cybereason have identified an advanced, persistent attack, which they have dubbed Operation Soft Cell. The attack is aimed at stealing sensitive data from telecommunications providers located in Europe, Asia, Africa, and the Middle East. Findings from the investigation of this attack revealed that it has been active since 2012. Operation Soft Cell has allowed hackers to gain access into multiple mobile carriers and steal a significant amount of customer data. Researchers have highlighted the severity of Operation Soft Cell, stating that it could lead to the shut down of phone networks as the attack gives hackers highly privileged access. This article continues to discuss the motive, operations, targets, and impacts of Operation Soft Cell, in addition to how mobile carriers should respond.

CNET reports "Hackers Hit over a Dozen Mobile Carriers and Could Shut down Networks, Researchers Find"

In a study it was discovered that 26 percent of individuals use the top 20 most used PIN numbers, which makes guessing of PIN numbers quite easy. Most individuals also use important dates when it comes to creating PIN numbers. It is important that the person that creates a PIN makes sure that the number that is used is not able to be found publicly, for example a birthday or wedding date. It is important that PIN numbers be at least 6 numbers in length, but the more numbers a PIN is made up of, the harder it will be to guess for the hackers.

WeLiveSecurity reports: "You'd Better Change Your Birthday - Hackers may Know Your PIN"

Researchers have discovered the distribution of malware via the Google Play Store that can evade security firewalls. This discovery follows Google's confirmation that some low-end Android devices contain pre-installed malware. According to cybersecurity researchers from We Live Security by ESET, Google's new SMS restrictions can be circumvented by specific applications that can be downloaded from the Google Play Store. These malicious applications can bypass two-factor authentication (2FA). As a result of the evasion of 2FA, one-time passwords (OTPs) in SMS 2FA messages can be accessed. In addition, OTPs from emails can also be accessed by the malware. This article continues to discuss the capabilities and evolution of the malware.

Z6 Magazine reports "A Malware Can Bypass '2FA' In 'Android' Phones, Researchers Found"

SoS Musings #27
DNS Attacks

A study has been done by researchers from Stanford University in which they examined user-initiated scans of 16 million homes and 83 million devices to further explore the use of Internet of Things (IoT) devices. From the analysis of scans and devices, researchers found that the security of older IoT devices such as printers, game consoles, and more, are often overlooked by consumers and the security research community. This article continues to discuss other findings of the study in relation to the varied use and security of IoT devices in different regions as well as the domination of IoT devices by a small group of vendors, the security of older IoT devices, and how privacy was ensured by researchers in the performance of this study.

Security Boulevard reports "New Research Reveals a Surprising World of IoT"

According to Positive Technologies' Vulnerabilities and Threats in Mobile Applications 2019 report, most iOS and Android applications contain vulnerabilities that could allow hackers to steal sensitive data. These vulnerabilities derive from insecure data storage, posing a threat to the security and privacy of users' sensitive information. This article continues to discuss key findings of the report in relation to the common vulnerabilities identified in the tested mobile applications and what the exploitation of these vulnerabilities could allow hackers to do, along with the importance of designing apps with security in mind and how users can protect themselves.

ZDNet reports "Three Quarters of Mobile Apps Have This Security Vulnerability Which Could Put Your Personal Data at Risk"

The growing frequency of cyberattacks has resulted in more interest in cognitive security. Cognitive security solutions are expected to help increase the speed at which risk patterns in internal and external sources are analyzed. The implementation of cognitive security can also help security analysts get a better understanding of business functions' different cognitive components to increase the effectiveness of those functions. A research report that explores the cognitive security market has been released. This article continues to discuss the contents of the report in relation to the cognitive security market and the growing demand for cognitive security solutions.

Global Market Research reports "Report on Cognitive Security Market, Trend, Segmentation and Forecast 2026"

According to security researchers from IBM, Wi-Fi extenders from the router company, TP-Link, contain a critical vulnerability that could allow attackers to take over them. Through the exploitation of this vulnerability, attackers could perform malicious activities such as add the extenders to a botnet, redirect people to malicious pages, and more. Wi-Fi extenders expand the coverage of Wi-Fi by amplifying the wireless signal from a router, enabling the connection of distant Internet of Things devices such as security cameras and doorbells. This article continues to discuss the critical vulnerability discovered in Wi-Fi extenders, the extenders affected by the vulnerability, and the potential attacks that could be executed as a result of this flaw.

CNET reports "These Wi-Fi Extenders Had Vulnerabilities That Gave Hackers Complete Control"

During a study, researchers were able to remotely affect various aspects of the driving experience of the Tesla Model 3, including navigation, mapping, power calculations, and the suspension system, through GPS spoofing. During a test drive using Tesla's Navigate on Autopilot feature, a staged attack caused the car to suddenly slow down and unexpectedly veer off the main road. Even though the effect of GPS spoofing on Tesla cars is minimal when an individual is not using autopilot, it can be dangerous when autopilot is in use, and if the individual does not have control of the vehicle. Even in autopilot mode, users are expected to still be in control of the vehicle, which makes this attack not to much of a safety risk. This research shows how important it is for automobile companies to take security seriously as vehicles become more controlled by computers.

HELP NET SECURITY reports: "Research Shows Tesla Model 3 and Model S are Vulnerable to GPS Spoofing Attacks"

A new solution to speculative memory side-channel attacks such as Meltdown and Spectre has been proposed by researchers from Uppsala University, NTNU, and the University of Murcia. The security vulnerability used to execute speculative memory side-channel attacks derive from the prediction of future instructions by high-performance microprocessors. Misspeculations leave traces of information behind that could be exploited by such attacks to retrieve sensitive information. Unlike previous security solutions to these attacks, the new solution increases security without sacrificing the performance that users demand of their computer systems. This article continues to discuss speculative memory side-channel attacks and the new method to address these attacks.

EurekAlert! reports "Eliminating Infamous Security Threats"

Quantum computers are expected to lead to highly secure cryptography. However, these computers are also expected to break current encryption algorithms as a result of their quantum-mechanical properties that could allow them to calculate at a much faster rate than regular computers. Sensitive data can be exposed through the use of quantum computers, posing a significant threat to the privacy of data within the government, medical industry, financial industry, and more. This article continues to discuss how quantum computers pose a threat to the security of modern communications, the concept of quantum key distribution (QKD), and the improvement of quantum random-number generators.

Homeland Security News Wire reports "Quantum - a Double-Edged Sword for Cryptography"

The Alaris Gateway Workstation is widely used in hospitals for medical infusion pumps. Infusion pumps are powered, monitored, and controlled via Alaris Gateway Workstations. Attacks on infusion pumps pose a significant threat to safety as these devices are used to deliver doses of medicine directly to patients. Researchers at CyberMDX, a healthcare security firm, discovered two vulnerabilities in the workstation, one of which has been rated high in severity. These vulnerabilities could be exploited by hackers to perform malicious activities such as altering drug doses and stopping the administration of drugs. This article continues to discuss the exploitation and mitigation of vulnerabilities contained by the Alaris Gateway Workstation, as well as the challenges faced by hospitals in regard to securing connected medical devices.

Threatpost reports "Max-Severity Bug in Infusion Pump Gateway Puts Lives at Risk"

With the incidence of reported data breaches on the rise, it was discovered that 53 percent of C-suite executives, and nearly three in ten (28%) of small business owners who suffered a breach was caused by human error or accidental loss by an external vendor/source. Employee training is critical, in order to decrease the amount of breaches that occur, that are caused by human error.

HELP NET SECURITY reports: "Human Error Still the Cause of Many Data Breaches"

The arrival of 5G networks is expected to introduce new security vulnerabilities. Enterprises are encouraged to think about the possibility of new security vulnerabilities in the implementation of 5G as this next-generation mobile communication standard comes with reduced latency and a boost in bandwidth, increasing the number of users and devices. This article continues to discuss findings revealed by Gartner about the deployment of 5G in 2020, what 5G requires of enterprises in regard to infrastructure, 5G authentication, the security challenges posed by 5G, and the multi-level approach that should be adopted by enterprises to secure the next-generation of mobile networks.

Information Age reports "How 5G Introduces New Security Vulnerabilities"

The financially-motivated hacking group, FIN8, has returned after a two-year hiatus. According to researchers from Morphisec, the FIN8 group is now mainly targeting point-of-sale (PoS) systems used within the hotel industry. Customized malware, called ShellTea, is being installed on PoS systems via a spear-phishing campaign in order to steal payment information and other financial data. Many of the PoS machines being used by companies in the hotel industry have been found to be using older versions of Microsoft Windows 7, which increases their vulnerability to such attacks. This article continues to discuss the FIN8 hacking group in relation to its techniques, targets, and connections to other groups.

ISMG Network reports "FIN8 Group Returns, Targeting PoS Devices With Malware"

The General Data Regulation (GDPR) introduced the "right to be forgotten", which empowers individuals to request that their personal data is erased. The enactment of this regulation has sparked debates about the collection, storage, and usage of data, as well as the level of control the public should have over their personal data. One aspect that is often overlooked in the discussion of digital privacy is the control of data once it is fed into artificial intelligence (AI) and machine-learning algorithms. Recommendation engines such as those that suggest videos, purchases, and more, use AI trained on customer or user data. The question arises as to how AI can be taught to forget data. This article continues to discuss AI systems' inability to forget data and how this poses a threat to privacy.

Wired reports "The Next Big Privacy Hurdle? Teaching AI to Forget"