NSA foreign spying, biotech snooping, Hamas hackers bombed, airline cams, and much more from infosec land

Quick-fire summary of the past few days of news

Roundup Welcome back, Brits, from your three-day Bank Holiday week. Allow us to catch you up on recent infosec comings and goings.

'Hamas hackers' bombed: Israeli Defence Forces claim they destroyed a building in the Gaza Strip on Saturday said to be used by Hamas hackers. The Palestinian militants were targeted in the air strike in response to cyber-attacks against Israel, the IDF said in a tweet: "We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed."

A tentative ceasefire is now underway. It's thought to be the first publicly known kinetic response by a military to an ongoing digital offensive. We note that rogue Brit hacker Junaid Hussain was killed by a US drone strike in 2015, though that was probably because he was an ISIS recruiter in Syria at the time.

Internet of Things: The UK government announced a public consultation on internet-of-things security as it mulls regulations on forcing manufacturers to proactively protect devices from attack. "We recognise the urgent need to move the expectation away from consumers securing their own devices and instead ensure that strong cyber security is built into these products by design," the civil servants thundered. Do let them know your thoughts, enlightened readers.

Office 365: Take a moment to secure your company Office 365 accounts. Barracuda claims: "A recent analysis of account-takeover attacks targeted at Barracuda customers found that 29 percent of organizations had their Office 365 accounts compromised by hackers in March 2019."

NSA transparency: Over in the US, the Office of the Director of National Intelligence's annual transparency report [PDF] into Uncle Sam's surveillance programs had mixed news on the privacy front.

On the one hand, the number of issued National Security Letters, used to investigate corporate data under a permanent gagging order, dropped in 2018 to 10,235, nearly half of the total five years ago. But on the other hand, the number of foreign individuals under communication surveillance rose 28 per cent to 164,770 and the number of Americans under similar watch rose from 7,512 in 2017 to 9,637 last year.

Jenkins plugins: If you're using third-party plugins in your Jenkins installation, be aware NCC Group's Viktor Gazdag has found and reported security flaws in at least one hundred of them, and not all of them have been fixed. Now would be a good time to look over Gazdag's findings, and ensure you're not running vulnerable code.

Bitcoin scammers: A UK Channel Islands man from Jersey was scammed out of £1.2m ($1.5m) in Bitcoin after crooks convinced him to invest the sum in an online investment scheme. After being promised 15x returns, local media reports, the man then lost the lot and called the police, although he's unlikely to see the money again.

Extradition: Ukrainian Oleksii Petrovich Ivanov, 31, was extradited from the Netherlands to the US this month to face one charge of conspiracy to commit wire fraud, four charges of wire fraud, and one of computer fraud, over an alleged malvertising campaign. Millions of netizens were exposed to web adverts designed to infect their systems with malware, prosecutors claim.

Marcus Hutchins sentencing: It looks as though the Marcus Hutchins saga is coming to an end. After pleading guilty to two charges of creating and distributing malware earlier this month, his sentencing hearing has been set for July 26, nearly two years to the day after he was first arrested. There have been calls for a pardon, or community service rather than a custodial sentence, but that's up to the judge.

Ladders leak: An executive recruitment agency was left red-faced after accidentally exposing the personal information of more than 13 million people on its books. The New York-based Ladders agency left the data in an unsecured Amazon Elasticsearch database and it was found by GDI Foundation member Sanyam Jain. The data included names, job and salary histories, security clearances and work authorizations, and addresses, and while it doesn't appear to have been accessed by hackers, it's still highly unprofessional. The database has since been hidden from public view.

Laboratory IP theft: A financial filing by American biotech biz Charles River Lab this week reports that "a highly sophisticated, well-resourced intruder," got onto its corporate servers and stole sensitive client information. The lab doesn't say exactly what was stolen beyond estimating one per cent of its files, suggesting a highly targeted attack.

Google wiping data: Google takes a lot of flak, sometimes deservedly so, for slurping too much info on us all. Now it's offering a tool to cut back on the tracking of location history and online activities. In a blog post it explains that netizens can now set up their Google accounts to auto-delete this data after three to 18 months. The new controls will be out in a few days or so.

China's Muslim spying: The level of surveillance undergone by Muslim inhabitants of China has been uncovered and revealed by Human Rights Watch. The non-profit reverse engineered a government app used by Chinese police to monitor and detain ethnic Uyghurs and other Turkic Muslims. Meanwhile, a Chinese smart city's face-recognizing surveillance system was caught leaking info all over the internet.

Hardcoded passwords: Gas stations, or petrol stations, or servo, depending on where you live, were found running insecure firmware on their fuel pumps – from hardcoded passwords to stack-based buffer overflows. Patches are available; affected equipment is mostly in the US.

US airlines cover cameras: United and Delta airlines in the US have reportedly said that they will cover up passenger-facing cameras in their seats, with American Airlines planning to follow suit. The cameras, located in the premium and business class seats, were never used and just included with the in-flight entertainment hardware, the airlines insisted, but they made high-paying passengers nervous so they'll now be covered up. ®
