Global security crackdown, a host of code nasties, Brit cops mocked, and more

It's the week in security

Roundup Here's a summary of this week's security news beyond what we've already reported.

At the Munich Security Conference in Germany, major companies, including Siemens, Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom, signed a Charter of Trust for cybersecurity. The signatories were joined by Elżbieta Bieńkowska, the EU Commissioner for Internal Market, Industry, Entrepreneurship and Small- and Medium-sized Enterprises, and Canada's foreign minister and G7 representative Chrystia Freeland.

The charter has ten rules that signatories – both commercial and governmental – must follow, including having a chief information officer, getting independent third-party security testing of critical infrastructure, sharing threat data, and building not only security but also patching and upgrade capabilities into all Internet of Things devices.

"We're eating our own dog food on this," said Siemens president and CEO Joe Kaeser. "Siemens is in the top ten programming companies in the world and we will be adhering to the charter in all areas."

Kaeser floated the idea at the World Economic Forum in Davos this year, and said the response from companies and governments had been very promising. But it was clear that something had to be done on security, he said.

Part of the problem is that regulators are always playing catch-up with technology, he said. Bitcoin was a perfect example, with Kaeser calling it "the biggest money laundering scheme ever invented."

How well the charter will work depends entirely on how many people sign up and whether or not the big players take part. In particular, the Chinese government needs to be on board, and that could be a stretch.

Spectre, coin theft and scammers oh my!

The industry is still sorting out the kerfuffle of the Spectre processor flaws and there was more movement this week.

Microsoft added Spectre tools to Windows Analytics, which will be welcomed by admins, and some boffins made weaponized exploit code to exploit the weakness (don't worry – the code is under wraps).

Now virtual machines are also getting their act in order. The latest build (2.11.1) of the QEMU hypervisor will protect against a Spectre attack for x86 KVM guests, pseries and s390x guests. The work was pushed up the priority list to allow for safer virtualization.

"What is being addressed here is enabling a guest operating system to enable the same (or similar) mitigations to protect itself from unprivileged guest processes running under the guest operating system," the advisory states.

"Thus, the patches/requirements listed here are specific to that goal and should not be regarded as the full set of requirements to enable mitigations on the host side (though in some cases there is some overlap between the two with regard to required patches/etc)."

While digital currency prices continue to go up and down like the Assyrian empire, it's clear that the scummier parts of the internet are taking note. Cisco's Talos security team found an interesting piece of malware that may have netted its operators many millions in virtual currency.

Dubbed Coinhoarder, the attack uses a fake login page to harvest credentials and drain virtual wallets. What makes this unusual is that the phishers are using Google AdWords to promote their products in specific locations, primarily Eastern Europe.

"While working with Ukraine law enforcement, we were able to identify the attackers' Bitcoin wallet addresses and thus, we could track their activity for the period of time between September 2017 to December 2017," the Talos team said. "In this period alone, we quantified around $10m was stolen. In one specific run, they made $2m within 3.5 week period."

The team thinks the gang behind the phishing attack has been operating for at least three years. Back when Bitcoin wasn't worth much, it would have provided some income. But the rising price of Bitcoin seems to have given the crooks more money to play with and ply their wares.

Brit plod rocked

Finally, British police were left red-faced after the ringleader of a card skimming operation fled his trial in the UK and began uploading the blueprints for his devices to mock his former captors. Alexandru Sovu, 39, was sentenced to 11 years in prison in absentia and is believed to be in Romania or China.

"He has released the methods he used on the internet. This will allow fraudsters to build their own scams," said Judge Rajeev Shetty. "He has shown breathtaking arrogance and put two fingers up to law and order."

Sovu came to the UK from Romania as a software engineer but was laid off in 2008. He then developed hardware to install in ATMs to grab card data and PINs, along with the card-creating machinery to exploit the accounts of his victims.

The kit he developed was of very high quality, the court heard, and was easy to install. With the blueprints now out there, be very careful when using your cards. ®


Biting the hand that feeds IT © 1998–2022