The top 10 biggest cyber security stories in March

UK government warning over Huawei, China's surveillance state laid bare, 4G security flaws and industrial ransomware

In Autumn 2016, the vulnerabilities of millions of internet-connected devices were laid bare when the Mirai botnet malware was unleashed. Taking advantage of surveillance cameras and digital video recorders (DVRs) running out-of-date and unpatched versions of Linux, Mirai was used to wreak havoc.

And now, warn security researchers, it's back…

10) New variant of Mirai botnet malware targets enterprise IoT devices

Security experts from Palo Alto Networks' Unit 42 threat intelligence group claim to have uncovered a new variant of the Mirai IoT malware targeting enterprise IoT devices, as well as high-end smart TVs from LG.

Unit 42, which investigated the new Mirai malware in detail, reveals that the variant boasts several new capabilities, including 11 new exploits. In total, the malware now contains 27 exploits. "These new features afford the botnet a large attack surface," Unit 42 researcher Ruchna Nigam warned in a blog post.

9) Major security flaw found in Switzerland's online voting system

"It's not the people who vote that count. It's the people who count the votes," Josef Stalin, the despotic leader of the Soviet Union, supposedly once observed.

That's why security flaws in online voting systems (and voting machines) are such a big issue: it requires a lot of effort to fiddle conventional pen-and-paper votes, but only a few smart people to subvert a computerised vote.

The Swiss e-voting system was developed by a company called Scytl, and manages a large number of electoral 'events' all over the world. But a team of researchers claim to have found a critical security flaw that could enable hackers to manipulate votes without detection.

And in referendum-happy Switzerland, of course, it's not just the composition of the government that is decided by the electorate, but many important national issues.

However, in an exclusive interview with Computing, David Galindo, one of the developers behind the Swiss online voting system, claimed that there was a low probability of the security flaw ever being exploited, adding that Scytl's bug bounty system had done its job.

8) Lack of resources is preventing cyber threat hunting

Computing regularly conducts research among CIOs and other IT leaders about their projects and priorities. In recent research, sponsored by Carbon Black, Computing found that more than three-quarters of organisations simply lack the resources to employ threat hunters to find security holes before the black hats do.

That wasn't the only finding from the report: one-third of organisations, according to the research, are targeted in multiple cyber attacks every week, with more than a quarter claiming that they experience attacks at least once a month.

To learn more, read the full report: Outsmarting the Smart: Entering the Age of Threat Hunting

7) How hackers stole $20 million from Bank of Mexico

It's bad enough that the world would appear to be full of very smart miscreants, targeting companies and organisations across the globe for fun and profit. But, in a number of cases, nation states are also targeting the same organisations - and for the same reason.

The finger of blame for a series of sophisticated cyber attacks on banks in recent years has been pointed squarely at the government of North Korea, which has a record of making the Cosa Nostra look like little more than a bunch of over-enthusiastic entrepreneurs.

But despite missing out on a $951 million payday in the Bangladesh Bank heist - getting away with 'only' $81 million - North Korean government cyber crooks cast around for some more lackadaisical banks to target and, in April 2018, alighted on Bank of Mexico.

The attackers, according to security expert Josu Loza, were assisted by multiple flaws in the bank's network security, as well as by security lapses in SPEI (Mexico's domestic money transfer platform, run by Banco de México).

Loza claimed that Bank of Mexico's network lacked the kind of segmentation and access controls that would have made it much harder to access something as sensitive as the SPEI transaction servers.

Of course, North Korea isn't the only country known to target banks and their payments infrastructures - the US National Security Agency has some pretty nifty tools enabling it to obtain a God's eye into the SWIFT global payments network as well.

6) Unprotected MongoDB databases expose millions of surveilled social media accounts in China - as well as the 'BreedReady' status of 1.8 million women

Hollywood films depicting dystopian Orwellian societies rarely feature anything as banal as the omniscient state, err, accidentally exposing its various surveillance activities for all to see in unprotected online databases.

It's been known for years, of course, that early iterations of MongoDB were not secure by default. However, that clearly isn't in the computer science curriculum at universities in China, with the news that various government surveillance databases had been bunged online using insecurely configured iterations of MongoDB.

These didn't just expose millions of social media accounts that had caught the eye of the authorities in China, but also, bizarrely, the 'BreedReady' status of 1.8 million young women in China.

Once the news went public, remedial action was quickly taken, although it might have been considered poetic justice if they'd been found first by ransomware scammers.

5) RBS to test biometric fingerprint bank cards to replace PINs

Apparently, it's too much time and trouble for some people to remember and tap-in a four-digit code in order to authenticate a purchase on their credit or debit card. While tap-and-pay has helped speed things up for the cash rich and time poor, it remains a security risk in terms of payments under £30.

That's where the Royal Bank of Scotland (RBS) trial using fingerprint recognition instead comes in. Rather than tap-and-pay or key in a four-digit number, 200 customers will instead use fingerprint cards.

Cards will be equipped with the user's biometrics, matching each card with the unique fingerprint of a user. When conducting a transaction, customers will insert their card in the machine in the normal way. But, instead of keying-in their four-digit PIN to complete the transaction, they will touch one corner of the card featuring a built-in sensor with their finger.

The sensor, powered by payment terminals, will match the user's scanned fingerprint with the data stored on the card. If the fingerprints match, the payment will be completed.

4) NSA releases its Ghidra reverse-engineering tool open source

Strictly speaking, this isn't the first time that the US National Security Agency's reverse-engineering tool Ghidra has been released - it first saw the light of day in 2017 when the Shadow Brokers released a slew of NSA hacking tools of dubious provenance.

Now, the NSA has decided to formally release one of those tools, Ghidra, as it might help the organisation attract the kind of roister-doisters who fancy working in the same place as Edward Snowden.

"We expect the tool will enhance cybersecurity education from capture-the-flag competitions, to school curriculums and cybersecurity training. Releasing Ghidra also benefits NSA because we will be able to hire folks who know the tool. When they're coming through our doors, they'll be able to be impactful faster," claimed the NSA.

3) Thirty-six new security flaws found in 4G mobile networks

With user names and passwords proving utterly inadequate as a secure means of authentication, people have been urged to use two-factor authentication, typically involving a text-messaged code, instead. But what if the mobile network is not as secure as we'd like to think?

Security researchers at the Korea Institute of Science & Technology have identified not one, but 36 new security flaws in the 4G standard used in mobile networks across the world.

In their research paper [PDF], they claim to have found vulnerabilities enabling attackers to eavesdrop and access user data traffic, distribute spoofed text messages, interrupt communications between base station and phones, block calls and disconnect users from the network.

It's not the first time that security flaws in supposedly secure 4G networks have been uncovered - hopefully, 5G will be better.

2) "End-to-end integrity" of Huawei hardware questioned in UK government report

The US government has maintained for some time that Huawei hardware should not be deployed at the heart of new 5G networks on security grounds - leaning on key allies to persuade them to ban Huawei from bidding for 5G network contracts.

It's not been quite so quick to provide convincing evidence to back up its claims.

However, the annual report of the Oversight Board of the Huawei Cyber Security Evaluation Centre (HCSEC), released just this week, ought to provide plenty of food for thought. The HCSEC was set up almost a decade ago after Huawei unexpectedly won key contracts in BT's 21st Century Network, elbowing out Marconi in the process.

A typically British compromise, the HCSEC would provide reassurance that everything was above board with Huawei's communications kit, enabling it to be rolled out not just by BT, but also telecoms companies and mobile operators, such as Three.

But the report claims that there are significant issues with Huawei's engineering processes and that no improvements have been made to remediate the problems identified by the organisation last year, and it raises question marks over the company's software development practices.

Perhaps, most damning, the report also suggested that the company has questions to answer over the end-to-end integrity of its hardware.

While Huawei's founder has strongly defended his company, the report provides a number of reasons why BT appears to have gone cold on Huawei after once welcoming it into its networks.

1) Norsk Hydro ransomware losses estimated at $40 million

Norsk Hydro is one of the largest aluminium producers in the world, running major industrial plants across the world, as well as a major producer of hydro-electric power in its home country Norway.

So when it admitted in a stock exchange announcement that its computer systems had been crippled in a cyber attack, it illustrated how even the biggest companies can fall victim to crippling (and expensive) security breaches.

Initially, it was believed to be the work of environmental activists, but the company later revealed that the attack came in the form of ransomware - and that it would cost at least $40 million to clean up.

The cost, it added, ought to be met by a "solid cyber risk insurance policy", but it remains to be seen how keen the insurers are to pay up.
