17 October 2018

News round-up 17 October 2018

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.

The round-up:

Reaction to last week’s explosive Bloomberg story that China had compromised motherboards bound for the US consumed much attention this week, largely due to strong push-back against the veracity of the article from senior government officials. Still, good password practices got some airtime this week too as a result of an unlikely pairing – the California legislature and Kanye West.

Key articles:

The security community increasingly thinks a bombshell Bloomberg report on Chinese chip hacking could be bogus

Summary: A number of government officials and security commentators cast doubt on an explosive media report last week that Chinese spies had implanted chips into motherboards bound for US companies including Amazon and Apple.

Key risk takeaway: The unraveling of the original Bloomberg story has been a story itself this week. While the specific scenario detailed in the coverage has been critically questioned, government officials nonetheless underscored genuine concerns that exist relating to securing increasingly long and complex hardware and software supply chains. Analysis and commentary by independent experts and researchers proved pivotal in casting doubts over the story. This highlights the value in organisations being able to engage with a variety of influential analysts – not just media outlets – as part of their communications or reputation management strategies.

Tags: #supplychain #security #suppliersecurityassessment #reputation #communications

Google shuts down Google+ after API bug exposed details for over 500,000 users

Summary: Google announced it would shut down its Google+ social network after revealing a security bug that allowed third-party apps to gain access to user data marked private.

Key risk takeaway: While Google found no evidence the bug had resulted in misuse of data, it nevertheless attracted criticism for its approach to disclosure. An internal memo revealed Google refrained from disclosing the bug – which it patched in March 2018 – to avoid being put in the spotlight alongside Facebook, which was dealing with the Cambridge Analytica crisis. Companies are increasingly being judged not solely on the fact of a security breach, but their attitude and response to the breach. Proactively developing breach and security incident communications helps embed the right processes and behaviours in the event of a breach.

Tags: #privacy #breachdisclosure

In California, it’s going to be illegal to make routers with weak passwords

Summary: A new California law would make it illegal to manufacture or sell internet-connected devices that aren’t equipped with a unique password, or a feature that forces the consumer to set a personal password when the device is first used.

Key risk takeaway: The proposed new law is a further indication of the increased appetite and willingness of legislators across the globe to take action to mitigate cyber risks. Attacks against internet-connected devices have been escalating, with routers in particular being targeted for compromise so they can be linked with other infected devices into “botnets”. This new law serves as a useful reminder to any organisation to practise good device security “hygiene” – such as patching devices and changing default passwords.

Tags: #regulations #security #IOT

Payment-card-skimming Magecart strikes again

Summary: A cybercrime campaign known as Magecart, which steals payment card data from website checkout pages, is continuing to find victims, the latest being a US-based ecommerce site called ‘Shopper Approved’.

Key risk takeaway: Security companies have noticed a considerable uptick in cybercrime campaigns using this method in recent months, with recent victims including Ticketmaster and British Airways. Any organisation that processes payments online should be wary of this form of attack, and should have measures in place to detect suspicious or unauthorised changes to its website code. Analysts have observed that victims’ websites are often compromised by Magecart through third parties, such as services that provide website analytics or support.
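One way to act on the recommendation above, as an added example that is not part of the original round-up: a baseline-and-compare check of the scripts a checkout page serves, plus Subresource Integrity values for pinning third-party scripts so the browser refuses a changed copy. The URLs and script bodies are constructed for the example.

```python
import base64
import hashlib

# Constructed sample: the scripts a checkout page served when last reviewed
# (baseline) versus what it serves now. In practice the "current" side is
# fetched from the live page; here it is embedded inline.
BASELINE_SCRIPTS = {
    "https://shop.example/js/checkout.js": "function pay(f){return post('/api/pay',f);}",
    "https://analytics.example/track.js": "window.track=function(e){};",
}
CURRENT_SCRIPTS = {
    "https://shop.example/js/checkout.js": "function pay(f){return post('/api/pay',f);}",
    # the third-party analytics script now carries extra code it did not have before
    "https://analytics.example/track.js": "window.track=function(e){};sendForm(document.forms[0]);",
    "https://cdn.example/new-widget.js": "/* script the baseline never saw */",
}

def sha256_hex(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()

def build_baseline(scripts: dict) -> dict:
    """Record one hash per script URL at review time."""
    return {url: sha256_hex(body) for url, body in scripts.items()}

def audit_scripts(baseline: dict, current: dict) -> dict:
    """Compare live script hashes with the baseline.

    Reports content that changed, URLs never approved, and URLs that vanished;
    any non-empty entry deserves an alert, since skimmers arrive as a modified
    or newly injected script.
    """
    live = {url: sha256_hex(body) for url, body in current.items()}
    return {
        "changed": sorted(u for u in baseline if u in live and live[u] != baseline[u]),
        "unexpected": sorted(u for u in live if u not in baseline),
        "missing": sorted(u for u in baseline if u not in live),
    }

def sri_integrity(body: str) -> str:
    """Subresource Integrity value for a <script integrity="..."> attribute;
    the browser then refuses to run the script if its content changes."""
    digest = hashlib.sha384(body.encode()).digest()
    return "sha384-" + base64.b64encode(digest).decode()

if __name__ == "__main__":
    report = audit_scripts(build_baseline(BASELINE_SCRIPTS), CURRENT_SCRIPTS)
    print(report)
    print(sri_integrity(BASELINE_SCRIPTS["https://analytics.example/track.js"]))
```

Running the check on a schedule against the live checkout page, and re-baselining only after a deliberate review, turns a silent third-party change into an alert.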

Tags: #cybercrime #malware #supplychain

Kanye West accidentally reveals password to his phone is ‘000000’

Summary: The US rapper accidentally revealed his password to cameras in the Oval Office, just as he was about to show the US president a hydrogen-powered plane made by Apple.

Key risk takeaway: The news can often provide security teams with useful hooks to remind their staff about good security practices – such as the importance of having strong passwords – and here Kanye may have provided the most viral security awareness video of all time. Surprisingly, reactions to the video prompted hearty debate among some security professionals. Many cautioned against the temptation to ridicule “stupid” users or practices, and instead urged security teams to recognise the imperative to better support people who need to use their devices daily in the most convenient way.

Tags: #kanye #passwords #securityawareness