Friday Five: 1/05 Edition

Catch up on the week's infosec news with this recap!

1. Oracle App Server Hack Let One Attacker Mine $226,000 Worth of Cryptocoins by Sean Gallagher

Attackers took an Oracle proof-of-concept exploit published last month and ran with it over the last couple of weeks. The bug, which affects PeopleSoft and WebLogic servers, was patched as part of Oracle's quarterly Critical Patch Update in October, but that apparently hasn't stopped attackers from targeting organizations that haven't applied the fix. The attackers aren't stealing information from the companies they compromise; they're using the bug to mine cryptocurrency, and a lot of it: 611 Monero, roughly $226,000 at the time. Ars Technica's Sean Gallagher recapped the news this week after Renato Marinho of Morphus Labs and Johannes Ullrich of the SANS Technology Institute shared details of the campaign on Sunday and Tuesday, respectively. The practical takeaway for defenders: with a public proof of concept and a patch that is three months old, any internet-exposed WebLogic or PeopleSoft instance that is still unpatched should be checked for unexpected CPU load and unfamiliar processes, not just patched.

2. Skype's Rolling Out End-to-End Encryption For Hundreds of Millions of People by Lily Hay Newman

We assume many privacy-conscious Skype users breathed a sigh of relief this week. Signal, the app and protocol that provide end-to-end encryption for calls, texts, and other messages, announced Thursday that it is partnering with Microsoft to bring the same functionality to Skype. The service's 300 million monthly users will have to do a little work to enable the feature, dubbed Skype Private Conversations, however. It won't be on by default; users have to initiate it by selecting "New Private Conversation" from Skype's "Compose" menu. Conversations outside that mode stay encrypted only between the client and Microsoft's servers, not end to end, so the protection applies only to chats users explicitly start as private.

3. Website Operators Are in the Dark About Privacy Violations by Third-Party Scripts by Steven Englehardt, Gunes Acar, and Arvind Narayanan

Researchers behind Freedom to Tinker, an excellent blog run by Princeton University's Center for Information Technology Policy, described in November how some websites, 8,000 in total, use third-party session-replay scripts to record users' keystrokes, mouse movements and page contents. The researchers followed up this week with news that many of the publishers behind those sites had no idea sensitive data, in some cases health conditions and prescription data considered Protected Health Information under HIPAA, was being sent off their sites. When informed, some of the sites, like clothing company Bonobos and drugstore chain Walgreens, removed the scripts. The researchers warn that so few companies knew how the third-party script worked, let alone that it was there in the first place, is cause for concern.
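One check a site operator can run against their own pages, as an added example that is not part of the Princeton research or this post: inventory every script tag, separate first-party from third-party origins, note which third-party scripts lack Subresource Integrity, and derive a Content-Security-Policy `script-src` directive from what was found. The sample HTML, the site origin `https://shop.example` and the CDN hostnames are constructed for the example.

```javascript
// Added example, not code from the Princeton researchers or the original post.
// Inventories <script> tags in a page, classifies them by origin, and builds a
// Content-Security-Policy script-src directive from what it finds.

// Constructed sample page (hypothetical site and CDNs): one first-party script,
// an unpinned third-party session-replay script, a pinned (SRI) third-party
// library, and one inline script. The integrity value is a placeholder.
const SITE_ORIGIN = "https://shop.example";
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js" defer></script>
  <script src="https://cdn.example-analytics.net/replay.js" async></script>
  <script src="//cdn.jsdelivr.example/lib.js"
          integrity="sha384-placeholderHashForTheExample"
          crossorigin="anonymous"></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Parse the attribute string of one opening tag into a lowercase-keyed object.
// Boolean attributes (defer, async) get an empty string as their value.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Walk every <script ...> opening tag. External scripts are resolved against
// the site origin (so "//cdn..." and "/static/..." both resolve) and bucketed
// by whether their origin matches the site's. Inline scripts are only counted.
function auditScripts(html, siteOrigin) {
  const own = new URL(siteOrigin).origin;
  const result = { firstParty: [], thirdParty: [], inline: 0 };
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (attrs.src === undefined) {
      result.inline += 1;
      continue;
    }
    const url = new URL(attrs.src, siteOrigin);
    if (url.origin === own) {
      result.firstParty.push(url.href);
    } else {
      result.thirdParty.push({
        src: url.href,
        origin: url.origin,
        hasIntegrity: "integrity" in attrs, // SRI pins the exact file served
      });
    }
  }
  return result;
}

// Build a script-src directive that allows 'self' plus exactly the third-party
// origins observed, so a script loaded from anywhere else would be blocked.
function scriptSrcDirective(audit) {
  const origins = [...new Set(audit.thirdParty.map((s) => s.origin))].sort();
  return ["script-src", "'self'", ...origins].join(" ");
}

const audit = auditScripts(SAMPLE_HTML, SITE_ORIGIN);
console.log(JSON.stringify(audit, null, 2));
console.log(scriptSrcDirective(audit));
```

The generated directive only limits where code may be loaded from; it says nothing about what an allowlisted script does once it runs. A session-replay script that is on the allowlist can still capture form fields, which is why the inventory of what is loaded, from whom, and without integrity pinning is the part an operator needs to act on.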

4. AMD Backtracks On 'Near Zero Risk' Processor Claims, Now Must Issue Updates To Combat Spectre by Joe Kovar

As expected, Intel, ARM and AMD spent the week in recovery mode after last week's disclosure of Spectre and Meltdown, a pair of flaws in modern processors, some dating back to 1995. AMD, which was fairly bullish in its claims last week, did an about-face this week. Mark Papermaster, the company's Senior Vice President and Chief Technology Officer, said Thursday that two variants of Spectre apply to its chips and that it is working closely with vendors to address them. The company had initially said only that one variant of the attack was expected to have a negligible performance impact on its chips and that another carried "a near zero risk of exploitation."

5. Elizabeth Warren and Mark Warner Want Firms Like Equifax Fined $100 For Every Person Affected By Data Breaches by Grace Donnelly

It's still early, and like everything involving the government it could take time, but Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) took a step in the right direction this week by unveiling a bill designed to impose stiffer fines on data-laden companies hit by breaches. Unveiled Wednesday, the Data Breach Prevention and Compensation Act (.PDF) would require credit reporting agencies to pay $100 for each consumer whose information is stolen and another $50 for each additional piece of information compromised.

Chris Brook

Chris Brook is the editor of Data Insider.