Security News for the Week Ending May 17, 2019

Be Thankful That You Are Not Equifax – Costs Reach $1.4 Billion So Far

Two years after the big breach, Equifax reported financials for the first quarter.   They reported a loss of $555.9 million compared to a net income of $90 million for the same period in 2018 on basically flat revenue.

Equifax had $125 million in cyber risk insurance with a $7.5 million retained liability.  The insurance has paid out the full amount.

So far, the company has accrued $1.35 Billion in data breach costs and this game is far from over.  The say it is not possible to estimate the full costs.  For more information, read the Bank Info Security article.

Boost Mobile Announces Breach – Two Months Ago

Boost mobile apparently got some customer data boosted.  Two months ago.  An undated letter to the California AG and an undated web page on Boost’s website says that the breach happened on March 14, 2019.  We don’t know what the bad guys took, how many customers were affected or even when people were notified.  The only thing we can guess is that since it hit the media today, the notifications were very recent.

If any of the people affected were in Colorado, the notifications came 15-30 days late.  There are probably other states for which the notification was late as well.  Stay tuned- we may see some AGs getting upset.  Source: Techcrunch.

Supply Chain Attacks Get Bigger and Badder

Last week it was WebPrism and 200 college bookstores.   This week it is Picreel, the analytics firm, Alpaca Forms (open source-so much for open source is more secure) and over 4,600 hacked websites.

The attack is still going on; the sites are still infected and the problem is only getting worse.  If you are loading third party code on your website, you need to rethink your security.  Source: ZDNet .

Intel Announces New Family of Speculative Execution Attacks

Intel seems to be challenged to catch a breach.  Err, a break.    After last year’s Spectre and Meltdown attacks comes this year’s ZombieLoad and Fallout attacks.  This is not a surprise – experts predicted more speculative execution attacks would be found.

Other than some new Intel 8th and 9th generation chips, all Intel chips made in the last decade are vulnerable, but ARM and AMD chips are not.  Some older chips will be patched while others, which are likely out of patch space on the chip, will never be fixed.

Apple, Intel, Microsoft and others have all released patches to mitigate these attacks on the chips for which there are fixes.  The attacks can be made either by planting malware on the device or remotely over the Internet.

The good news FOR THE MOMENT is the attack seems to be complex, so likely it will be used in targeted situations, but if used, everything on the device can be compromised including passwords and encryption keys.

Disabling Simultaneous Multi-Threading will significantly reduce the impact of this attack.

Source: Security Week.

For $600 A Hacker Could Confuse Any Commercial Plane’s Instrument Landing System

From a Cessna to a jumbo jet, every commercial plane built in the last 50 years uses a radio based system to guide it to land when it can’t see the runway – such as in rain or in fog.

These radios were not designed to be secure from hacking.

There is no encryption.  There is no authentication.  The system in the plane assumes that any radio signals that come from the ground are legit.

Unfortunately, for $600 a hacker can purchase a software defined radio that can tell the plane that it is off course.  A little high.  A little to the side.

In theory, if the pilot can see the runway, he or she will execute a “missed approach” and go around.  Given how busy the US airspace is, that decision may be at 50 feet off the ground – not a lot of time to react.

Probably, right now, this is an  unlikely attack.  Right now.  But remember, attacks never get less probable, only more probable as attackers figure out how to manipulate things.  Source: Ars Technica.

Facebooktwitterredditlinkedinmailby feather

Leave a Reply

Your email address will not be published. Required fields are marked *

*

code