Friday Five: 4/6 Edition
Chip card scams, tracing stolen Bitcoin and more - catch up with the week's infosec news in this roundup!
1. Survey Finds Lax Patching Practices Feed Healthcare Data Breaches by Fred Donovan
Not exactly a newsflash here but it seems the healthcare industry is lagging behind when it comes to patching vulnerabilities. HealthITSecurity.com reviewed a recent survey carried out by the Ponemon Institute on behalf of the cloud computing company ServiceNow. Their findings? 28 percent of IT professionals in the healthcare field acknowledged not scanning for vulnerabilities in their systems and applications. Even more troubling: 77 percent of those who responded said their organizations didn't have enough staff to patch vulnerabilities in a timely manner. This isn't surprising either; it's been a nearly ubiquitous pitch leading up to RSA later this month: the skills shortage is getting worse. Some reports say the cybersecurity workforce gap will allegedly widen to 1.5 million job openings by 2019. This is something all fields, especially the healthcare industry, needs to focus on and get better at.
2. A 200-Year Old Idea Offers a New Way to Trace Stolen Bitcoins by Andy Greenberg
It's been a few weeks since we've highlighted an Andy Greenberg article here. He makes his valiant return to the Friday Five today with a fascinating article recapping a Cambridge University academic paper (.PDF) released last week. The paper suggests, cryptographically speaking, that there's actually a way to distinguish dirty Bitcoin from clean Bitcoin. Dirty Bitcoin in this instance being any cryptocurrency that's been stolen or extracted from victims. With a proof-of-concept software tool the researchers are planning on publishing later this year users will be able to trace the history of a Bitcoin more easily via the blockchain. It's admittedly a nerdy read but interesting, especially if you think that any cryptocurrency can be 100 percent untraceable.
3. Secret Service Warns of Chip Card Scheme by Brian Krebs
Brian Krebs broke one of the biggest stories this week but another story he published that's just as scary in our opinion didn't get much play in the news. Krebs warned of a U.S. Secret Service warning on Thursday in which attackers are apparently intercepting chip-based debit cards, stealing the chips and replacing them with old chips. Criminals are attempting to melt the glue that affixes the chips to the cards, then regluing old chips to the vandalized cards. This Krebs article serves as a good PSA: If it looks suspicious, it probably is.
Healthcare Breaches & Why DLP is Part of the Cure
4. DARPA is looking to avoid another version of Meltdown or Spectre by Sean Lyngaas
A brief but interesting bit news of news this week around this January's Meltdown and Spectre vulnerabilities: The Department of Defense's DARPA, a/k/a the Defense Advanced Research Projects Agency, is looking to avoid future/similar versions of the bugs. According to CyberScoopNews DARPA has contracted Tortuga Logic, a company that raised $2 million in seed funding last year to help maintain chip-level security, to find vulnerabilities in chips before they're released. “More than ever, hardware designers need solutions to identify security vulnerabilities throughout the chip design lifecycle, rather than post-fabrication or post-deployment. This contract …will integrate our patented information flow technology with commercial emulation platforms, completing a full end-to-end design suite dedicated to security verification,” Dr. Jason Oberg, the company's CEO said this week.
5. Android Security: Cryptocurrency Mining-Malware Hidden in VPNs, Games, and Streaming Apps, Downloaded 100,000 Times by Danny Palmer
Thought cryptocurrency malware was limited to browser-based exploits that mine Monero via Coinhive? Apparently not. Researchers with Kaspersky Lab discovered that several apps distributed via Google's Play marketplace secretly use the device's computing power to mine Monero, a cryptocurrency popular with cybercriminals. According to ZDNet, which recapped the research Thursday, the apps masqueraded as VPNs, sports streaming apps, and games. Roman Unuchek, the Seattle-based researcher who uncovered the apps, has a history of digging up malicious apps on Google Play. He's previously found apps that steal credentials, data, secretly charge users money, and even root phones.
VIDEO: I Hacked an Election. So Can the Russians by Matteen Mokalla, Taige Jensen, and J. Alex Halderman
Okay, we’re cheating this week. This isn’t an article but a video the New York Times published Thursday on voting security. The Gray Lady went to Ann Arbor to chat with J. Alex Halderman, a professor of Computer Science in the University of Michigan College of Engineering and perhaps the nation's preeminent voice on voting machine security to discuss just that. It's a clever, quick video filmed at the university designed to demonstrate weaknesses in the "same dangerous, obsolete machines in use today."