Weekly Security Roundup #41: Can We Secure Anything?
Because we clearly can’t secure everything
We keep building and we keep innovating in the tech industry, but a question remains: can we actually secure what we build?
This is a question that keeps popping up in my head as I go through this week’s news to pick the 10 subjects for the Weekly Security Roundup. This question was part of a conversation I had last week with a cyber security specialist, and the results will be posted on the blog soon.
What made it stick is that the question of securing essential assets, such as critical infrastructure, medtech, edtech, etc., is becoming increasingly important (and challenging) to address.
And, what’s more, the current elements that define cyber attacks are dangerous enough to make the tech industry (and not only information security experts) strive to find new and improved solutions to sophisticated threats. We exposed the 6 Need-to-Know Attributes of Advanced Cyber Attacks in a recent article, which we promise will be worth the read and provide some actionable insights.
That being said, this week’s roundup also includes some articles that will make you think about the bigger picture and maybe even help shape your perspective on information security.
Security articles of the week
With the launch of Windows 10 this week, one of the most frequent questions will revolve around security.
So it’s great news that the new Windows OS will uninstall all your third party software, such as Flash or Java, a move that can also enhance your PC’s security by removing security holes.
This is all well and good, but Windows 10 has a clever feature called refresh that uninstalls all your third-party software and applications from your system, but fear not, all your music, videos and other files will still remain on your computer.
The recent vulnerability in Steam has been patched, so gamers can breathe easy for now.
Valve Software has reportedly patched a vulnerability in the popular online Steam gaming platform that enabled account hijacking through its password reset mechanism.
But since security holes seem to pop up more often than ever (which is at least worrying), it’s best to be prepared for the next one. These 18 security tips for gamers can be really helpful if you want to protect your progress and the time and even money you’ve invested in your favorite game(s).
Hawking, Musk and Wozniak disagree. And they’re probably not the only ones.
Forward thinkers such as these amazing minds have always warned about the development of things that can spin out of control, and weapons embedded with artificial intelligence are more dangerous than we can imagine.
Renowned scientist Stephen Hawking, Tesla Motors CEO Elon Musk and co-founder of Apple Steve Wozniak have all spoken out in favour of more regulation on AI weapons. In the open letter posted on A Future For Life Institute, which Musk donated $10 million (£6.4 million) to see further research into AI, it asked for government to not allow offensive weapons manufacturing that uses AI to pick out targets.
The story of the hackers who remotely took control over a Jeep Cherokee traveled across the world, but it also had serious consequences.
US auto giant Chrysler is recalling 1.4 million cars after researchers demonstrated that the connected Jeep Cherokee could be hacked via the car’s internal 4G connection.
The company has already issued a patch on its website for drivers, and has pushed an over-the-air update to some vehicles to block unauthorized remote access.
The good part is that the general public became a bit more aware of the dangers that connected devices pose. The bad part? This is just a piece of the puzzle.
Attacking critical infrastructure has become key for cyber criminals, study shows, as they learn how to better exploit software vulnerabilities and ineffective security measures to gain access to important assets.
“DNS is critical infrastructure for the Internet that can’t be turned off. Through our analysis, it’s apparent that cyber-criminals recognize this and see DNS as a vector for penetrating government, corporate and personal networks,” said Rod Rasmussen, CTO at IID.
Oliver Tavakoli, CTO at Vectra Networks, shared his thoughts on a matter that is in the middle of an important debate in the security sector: the inadequacy of current reactive, traditional security products and the need for a different protection model.
We recommend you read the entire article, since it’s very insightful. To whet your appetite, here’s a preview:
The key to understanding the value of signatures is to understand their weaknesses. Signatures are valuable for detecting large-scale commodity threats, such as the command-and-control communications of botnets, automated crawlers and vulnerability scanners that scour the Internet.
But the signature model falls flat with attackers who value stealth over the number of systems they control. And unfortunately, these more sophisticated attackers are more apt to think strategically and can pose a significant risk to organizations.
If you haven’t heard the news:
Researchers have uncovered a remote code execution Android vulnerability that could be exploited with only a malicious media file and a phone number. The bug in Android’s Stagefright multimedia playback engine leaves 95 percent of Android devices worldwide critically exposed. It is being called “Heartbleed for mobile,” but will prove harder than Heartbleed to fully fix.
What’s worse is that this vulnerability will take a lot of time to patch, because the Android market is very segmented both in terms of hardware and software. Hopefully, this will be over soon. Until then, try to use as much protection for your Android as possible.
At the beginning of July, we sent out a security alert about ransomware being delivered through Google Drive in a new CryptoWall campaign. And now it’s happened again!
Leveraging Google Drive poses serious security risks, because the user trusts the service, because the source code is not publicly available and because the Google login may be associated with other accounts as well.
“The basic idea behind this attack is the attacker wants to go after the Google SSO login accounts because it is used for multiple services and once you get a hold of it you can access all those services configured for a specific user account,” he says.
Always be careful where you click and teach yourself how to identify security threats!
Malvertizing is a vector that cyber criminals prefer for its scale and the anonymity that infected ad servers provide (and a couple of other reasons). So it’s no wonder that malvertizing campaigns are so frequent.
Upwards of 10 million people may have visited websites carrying malicious advertisements in the last ten days, possibly infecting their computers with malware, according to computer security company Cyphort.
That’s why it’s important to protect your digital assets with a security product that can identify and block malicious content, preventing further malware infections.
JPMorgan has had more than a few security issues caused by malicious insiders who tried to sell customer data for hefty sums. And the issue keeps reemerging periodically.
It seems that, in spite of the fact that “JPMC spends over $250M a year on the cybersecurity personnel, tools and services to protect their digital assets”, the breaches continue to occur.
It’s a difficult challenge to figure out how to make employees act ethically (since they don’t really care about corporate data), one that will probably take a lot of time to figure out.
What was the article that caught your eye this week?