Hackers Tear Apart Trend Micro, Find 200 Vulnerabilities in Just 6 Months*:
- Trend Micro is one of the biggest names in cybersecurity, a $120 billion industry that promises to deflect a significant chunk of the attacks hitting customers.
- Security researchers Roberto Suggi Liverani and Steven Seeley reported the first bug to Trend in July 2016 and have continued to find a mix of vulnerabilities, from the mundane to the shocking.
- They’ve uncovered a total of 223 weaknesses across 11 Trend Micro products, with a whopping 194 that can be exploited remotely; all are triggered without user interaction, which makes them significantly more serious.
- One of the more serious issues lay in Trend Micro’s data loss prevention tool. Hackers could take control of the server running the software and send out malicious updates to every PC connected to the server.
- Trend was keen to note that the vulnerabilities found by Suggi Liverani and Seeley were not in its well-known and widely-used endpoint or Deep Security products.
- Professor Alan Woodward, a digital security expert, said Trend was not alone and that this case demonstrates how complex systems have become. He pointed out that “complexity is the enemy of security.”
*Source: Forbes, January 25, 2017
Worried About Cybersecurity and the Connected Car?*:
- A bipartisan bill named the Security and Privacy in Your Car Study Act 2017 (SPY Car Study Act) was introduced in the House of Representatives with a major focus on automotive cybersecurity.
- The bill would require the National Highway Traffic Safety Administration, together with the Federal Trade Commission, the National Institute of Standards and Technology, the Department of Defense, OEMs and suppliers, SAE International and academics, to come up with a set of appropriate cybersecurity standards for new vehicles.
- The network architecture of our vehicles is still based on the Controller Area Network (CAN) bus, which wasn't ever envisioned as something that would be permanently networked to the wider digital world.
- The SPY Car Study Act would require the participating groups to identify what's necessary to isolate critical systems in a vehicle from the rest of its software, relevant standards for firewalls and anomaly detection systems, techniques to prevent or discourage malicious intrusions, best practices for storing data from cars, and a timeline for implementing all of the above.
- A preliminary report would be due to Congress within a year of the act passing into law.
- One of the representatives sponsoring the bill stated, “Without good cyber hygiene, a hacker could easily turn a car into a weapon… We need to know that our navigation, entertainment, and operating systems are safe – and that our data is kept private. We must be proactive about our privacy and security.”
*Source: Ars Technica, January 25, 2017
Cyber Lessons from NSA’s Admiral Michael Rogers*:
- Security teams must get better at catching intruders where we have the advantage: on our own networks.
- The Russians spent a year inside the Democratic National Committee before they were discovered.
- It took five months for OPM to catch the thieves who stole the records of more than four million federal employees.
- Yahoo only discovered the hack on their systems when stolen data turned up for sale on the dark web.
- Admiral Michael Rogers, the director of the NSA, told a Senate Committee earlier this month that there are two different kinds of cybersecurity:
  - Keeping intruders out of networks
  - Identifying, containing, and ejecting them once they get inside
- Most organizations still focus heavily on keeping attackers out, rather than trying to catch the ones that get in, but organizations need to be able to do both.
- A common bit of security wisdom is that hackers have the advantage because they only need to be right once to get in; but once inside, the intruders have to stay hidden in your environment.
- Organizations need real-time visibility into how their devices are communicating so they can identify intruders quickly.
- We should limit access to important systems, segment networks and important data, patch vulnerable systems, and encrypt data – each of these steps increases visibility and control.
*Source: Dark Reading, January 19, 2017
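The visibility and segmentation points above are the kind of thing a defender can check mechanically: if you know which network segments exist and which cross-segment flows the policy permits, every flow record that breaks the policy is a lead worth investigating. The script below is an added example and is not code from the Dark Reading article or from the NSA; the segment ranges, the policy table and the netflow-like records are all constructed for the illustration.

```python
"""Segmentation-policy check over network flow records.

Added example for the visibility and network-segmentation points above; it is
not code from the Dark Reading article or from the NSA. The segment ranges, the
policy table and the flow lines are all constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segment map (name -> network). A real deployment would load this
# from an IPAM export or the firewall's object groups.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app_servers": ipaddress.ip_network("10.20.0.0/24"),
    "database": ipaddress.ip_network("10.30.0.0/24"),
    "proxy": ipaddress.ip_network("10.40.0.10/32"),
}

# Allowed cross-segment flows: (source segment, destination segment) -> set of
# destination ports, or None for "any port". Pairs absent from the table are
# violations; traffic that stays inside one segment is not judged here.
POLICY = {
    ("workstations", "app_servers"): {443},
    ("workstations", "proxy"): {3128},
    ("app_servers", "database"): {5432},
    ("proxy", "external"): None,
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything unmapped is treated as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst dport bytes' record (constructed, netflow-like format)."""
    src, dst, dport, nbytes = line.split()
    return Flow(src, dst, int(dport), int(nbytes))


def check_flow(flow: Flow):
    """Return None if the flow is permitted by POLICY, else a reason string."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == d:
        return None
    if (s, d) not in POLICY:
        return f"{s}->{d} is not an allowed segment pair"
    allowed = POLICY[(s, d)]
    if allowed is not None and flow.dport not in allowed:
        return f"{s}->{d} on port {flow.dport} is not in {sorted(allowed)}"
    return None


def find_violations(lines):
    """Run every record through the policy and return (flow, reason) pairs."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            violations.append((flow, reason))
    return violations


# Constructed sample: the last three records are the ones a defender wants to
# see (a workstation reaching the database directly, SSH to an app server, and
# a workstation going straight out to the internet around the proxy).
SAMPLE_FLOWS = """
# src dst dport bytes
10.10.5.23 10.20.0.7 443 8120
10.10.5.23 10.40.0.10 3128 2300
10.20.0.7 10.30.0.4 5432 51000
10.40.0.10 93.184.216.34 443 120000
10.10.5.23 10.30.0.4 5432 640
10.10.5.23 10.20.0.7 22 9000
10.10.7.1 203.0.113.9 443 4500
""".strip().splitlines()

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} ({flow.nbytes} bytes): {reason}")
```

Run against the constructed sample, the script flags three of the seven records. The design choice worth noting is that the policy is an allow-list of segment pairs: a flow between two segments that nobody has written down is reported by default, which is what turns segmentation from a diagram into something that produces alerts.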
There's No One Perfect Method for Encryption in the Cloud*:
- Security teams are torn between the quest to encrypt everything and the technical feasibility of doing so.
- The advantage of encryption is that it obscures data, even after a breach, and satisfies privacy regulations; but it can also obstruct application performance.
- Concerns over government inspection of data, service provider breaches, and insufficient access controls all drive interest in encryption in the cloud.
- A scheme’s security is always at odds with functionality in the cloud.
- No encryption scheme offers full cloud application functionality and performance with unmatched crypto strength.
- Teams charged with evaluating encryption in the cloud should take a three-step approach:
  - Understand their company’s functionality and security requirements
  - Understand the best security level each encryption type can achieve
  - Select the type of encryption that balances all goals for their intended uses
- In the end, practitioners must weigh the trade-offs between security and functionality to arrive at the best implementation for their needs.
- More details on the different types of encryption and their strengths and weaknesses can be found in the source article cited below.
*Source: Dark Reading, January 26, 2017
New Presidential Order Could Affect US-EU Privacy Shield*:
- A new executive order issued by President Donald Trump could have significant implications for the data sharing agreement between the European Union and the United States.
- The EU-US Privacy Shield sets out what data can be shared between businesses on both sides of the Atlantic Ocean and how that data can be used.
- One of Trump’s latest executive orders excludes non-US citizens from the protections of the Privacy Act, which could have an impact on the Privacy Shield.
- The European Commission said it was aware of Trump’s order and the US Privacy Act has “never offered data protection rights to Europeans.”
- The Privacy Shield was developed by EU and US negotiators in 2015 after the previous data sharing agreement between the two groups was struck down by Europe's highest court.
*Source: Wired, January 27, 2017
Hackers Downloaded US Government Climate Data and Stored It on European Servers as Trump Was Being Inaugurated*:
- As Donald Trump was sworn into office as president of the US, a group of around 60 programmers and scientists were gathered in the Department of Information Studies building at the University of California, Los Angeles, harvesting government data.
- The motley crew of data enthusiasts who assembled included programmers with day jobs as IT consultants and scientists, including ecologists and oceanographers.
- Hackers, librarians, scientists, and archivists had been working around the clock, at these events and in the days between, to download as much federal climate and environment data off government websites as possible before Trump took office.
- Over the first 100 days of the new administration, a volunteer team of programmers will be scanning government websites and comparing them to the archived, pre-Trump versions, to check for changes.
- Volunteer programmers at each of the data rescuing hackathons have been writing custom scripts to harvest bigger, more complicated federal data sets; large data sets are being organized and uploaded to datarefuse.org.
- Michael Riedyk, CEO of the Canadian data-archiving company Page Freezer, offered his help in archiving data and web pages.
- Page Freezer has three data centers, and the US government data will be archived on their European servers.
- Meanwhile, as more “data rescuing” events bubble up across the country, the work is getting easier as best practices are handed down from one event to the next.
*Source: Quartz, January 21, 2017