Global security crackdown, a host of code nasties, Brit cops mocked, and more
It's the week in security
Roundup Here's a summary of this week's security news beyond what we've already reported.
At the Munich Security Conference in Germany, major companies, including Siemens, Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom, signed a Charter of Trust for cybersecurity. The signatories were joined by Elżbieta Bieńkowska, the EU Commissioner for Internal Market, Industry, Entrepreneurship and Small- and Medium-sized Enterprises, and Canada's foreign minister and G7 representative Chrystia Freeland.
The charter has ten rules that signatories – both commercial and governmental – must follow, including having a chief information officer, getting independent third-party security testing of critical infrastructure, sharing of threat data and building in not only security but also patching and upgrading capabilities to all Internet of Things devices.
"We're eating our own dog food on this," said Siemens president and CEO Joe Kaeser. "Siemens is in the top ten programming companies in the world and we will be adhering to the charter in all areas."
Kaeser floated the idea at the World Economic Forum in Davos this year, and said the response from companies and governments had been very promising. But that it was clear that something had to be done on security, he said.
Part of the problem is that regulators are always playing catch-up with technology, he said. Bitcoin was a perfect example, with Kaeser calling it "the biggest money laundering scheme ever invented."
How well the charter will work depends entirely on how many people sign up and whether or not the big players take part. In particular, the Chinese government needs to be on board, and that could be a stretch.
Spectre, coin theft and scammers oh my!
The industry is still sorting out the kerfuffle of the Spectre processor flaws and there was more movement this week.
Microsoft added Spectre tools to Windows Analytics, which will be welcomed by admins, and some boffins made weaponized exploit code to exploit the weakness (don't worry – the code is under wraps).
Now virtual machines are also getting their act in order. The latest build (2.11.1) of the QEMU hypervisor will protect against a Spectre attack for x86 KVM guests, pseries and s390x guests. The work was pushed up the priority list to allow for safer virtualization.
"What is being addressed here is enabling a guest operating system to enable the same (or similar) mitigations to protect itself from unprivileged guest processes running under the guest operating system," the advisory states.
"Thus, the patches/requirements listed here are specific to that goal and should not be regarded as the full set of requirements to enable mitigations on the host side (though in some cases there is some overlap between the two with regard to required patches/etc)."
While digital currency prices continue to go up and down like the Assyrian empire, it's clear that the scummier parts of the internet are taking note. Cisco's Talos security team found an interesting piece of malware that may have netted its operators many millions in virtual currency.
Dubbed Coinhoarder, the attack uses a fake blockchain.info login page to harvest credentials and drain virtual wallets. What made this unusual is that the phishers are using Google Adwords to promote their products in specific locations, primarily Eastern Europe.
"While working with Ukraine law enforcement, we were able to identify the attackers' Bitcoin wallet addresses and thus, we could track their activity for the period of time between September 2017 to December 2017," the Talos team said. "In this period alone, we quantified around $10m was stolen. In one specific run, they made $2m within 3.5 week period."
The team thinks the gang behind the phishing attack has been operating for at least three years. Back when Bitcoin wasn't worth much, it would have provided some income. But the rising price of Bitcoin seems to have given the crooks more money to play with and ply their wares.
Brit plod rocked
Finally, British police were left red-faced after the ringleader of a card skimming operation fled his trial the UK and has begun uploading the blueprints for his devices to mock his former captors. Alexandru Sovu, 39, was sentenced to 11 years in prison in absentia and is believed to be in Romania or China.
"He has released the methods he used on the internet. This will allow fraudsters to build their own scams," said Judge Rajeev Shetty. "He has shown breathtaking arrogance and put two fingers up to law and order."
Sovu came to the UK from Romania as a software engineer but was laid off in 2008. He then developed hardware to install in ATMs and grab card data and PINs and the card creating machinery to exploit the accounts of his victims.
The kit he developed was of very high quality, the court heard, and was easy to install. With the blueprints now out there, be very careful when using your cards. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust