We’ve got three new ReThink Security articles for you this month, including two follow-on articles to the None of Us Knows What We Are Doing post. In addition, there have been some interesting security-related news stories this month. It hasn’t been a month of massive exploits or malware attacks, but there have certainly been some eyebrow-raising moments.
Recent ReThink Articles
Security Takes Commitment - Jason explores how we can dig ourselves out of the pit of despair we might find ourselves in as we learn how little we know about truly securing our systems. He talks about fully committing to a cybersecurity program and what that means for the organization, the culture, and how that can be done from top to bottom.
You are Spending Too Much on Security - Security takes commitment, but how do you know how much to spend? How do you have any idea what’s working, and how do you measure it? In this article Joe writes about creating a framework of security goals to help you make better security decisions, spend the right amount of money and time on your security challenges, and measure when you’ve made it.
Deconstructing a Sexploitation Attack - Imagine receiving an email with your username and password as the subject line. Inside the email there is a PDF that has been encrypted with a password provided in the body of the email. That’s the position Joe found himself in about a month ago. This is a deep, slightly technical, dive into how he vetted the risk and protected himself against some unknown threats.
More Security Headlines
I love this story of how AI learned to play hide-and-seek. The seekers and hiders consistently found new ways to outdo each other. My key takeaway was how the AI was able to find and exploit bugs in the constraints of the system to “cheat” by locking ramps or surfing blocks. It reminds me how woefully ill-equipped humans will be if General Artificial Intelligence is ever achieved.
An AI learned to play hide-and-seek. The strategies it came up with were astounding. - Vox
Google recognized the ossification occurring in the security landscape and tried their hand at a solution with Google Chronicle. Unfortunately, it appears to be ending in failure, as leadership missteps relegate it to the trash heap. Where and when will we see some true innovation?
‘Chronicle Is Dead and Google Killed It’ - VICE
The iPhone bootrom vulnerabilities I wrote about last month have been developed into a working jailbreak. This is a great development for security researchers, who can use it to learn more about the inner workings of apps and of iOS in general. It does not allow the authorities to decrypt iPhones or to steal data.
checkra1n
IoT devices are almost all in bad shape when connected to the internet. One example: thousands of internet-connected NAS devices have been infected with malware. The malware is reported to be persistent and to steal data and credentials.
Thousands of QNAP NAS devices have been infected with the QSnatch malware | ZDNet
This is a fun story about how researchers have been able to manipulate voice assistants remotely by pointing a laser at the device’s microphones. Everybody thinks this attack is fascinating because it allows an attacker to unlock doors or turn on lights from hundreds of feet away. I find it interesting because we don’t know why it should work or how to protect against it.
With a Laser, Researchers Say They Can Hack Alexa, Google Home or Siri - The New York Times
Today, in news-that-should-send-a-shiver-down-your-spine, we heard about a senior InfoSec staffer resigning from the White House. He was appointed after the hacks against the government during the Obama administration. He says they were making progress up until recently, when incentives were cut and the team was systematically displaced. In his opinion we are setting ourselves up for a new cyber attack. If there was ever a topic to bury the partisan hatchet over, national security seems like a good place to start.
Read Forbes’ take on it here: Senior Infosec Staffer Resigns, Says White House On Track To Be Hacked Again
Read the original memo here: Exclusive: White House cyber memo warns of new network risks - Axios
BlueKeep, a recent vulnerability in Windows RDP, has been weaponized and turned into a worm. Thankfully we’re not talking about a CodeRed or NIMDA worm or a rolling ransomware worm; instead, the attackers are just stealing some CPU cycles to mine cryptocurrencies. Obviously, patch your systems. This malware isn’t too bad, but the next version will most certainly be worse.
The First BlueKeep Mass Hacking Is Finally Here—but Don’t Panic | WIRED
A federal probe was launched to look into Google’s collection of the healthcare information of 50 million Americans. Considering their recent purchase of FitBit and how broad and diverse Google is this isn’t surprising, but it certainly feels underhanded and problematic. Google isn’t screaming privacy to me any more. I think the next tech land-grabs are in FinTech (ApplePay, Facebook Libra, Google Wallet) and in medical and healthcare information (Apple Watch, FitBit and whatever just happened here). I’m sure it won’t be long before Facebook enters into the medical/healthcare area too.
Google’s ‘Project Nightingale’ Triggers Federal Probe - WSJ
If you have any questions or comments, please don't hesitate to email us at newsletter@rethinksecurity.io
- Thank you for reading, J&J