New laws, old ransomware, responsible disclosures and some of the worst people in the world.
It’s been another busy week, which means it’s the perfect time to roll out our newest weekly feature at Hashed Out: the weekly Cyber Security News Roundup.
Every Friday, we’ll run a roundup of the most interesting stories from the past week. There’s no shortage of things to discuss when it comes to cyber security, despite our best efforts to touch on everything—sometimes things slip through the cracks. The roundup will be where we catch them, in addition to re-hashing any major events we’ve already covered.
So, without further ado, here’s this week’s Cyber Security News Roundup…
Major League Lacrosse Suffers From Lax Security
Major League Lacrosse, the professional lacrosse league in the United States, had to make an unfortunate admission to its players this week. In an email dated August 28th, MLL notified its players that their information – all of it, names, addresses, social security numbers, EVERYTHING – had been exposed after an employee had mistakenly linked to a spreadsheet containing said information on a public-facing website. The email goes on to suggest that the players set up credit alerts and maybe even freeze their accounts. Not surprisingly, the players are not pleased.
Using Apple Facial Recognition to Unlock Your Phone is a Bad Idea
Despite the fact that it’s an extremely cool concept, many experts are warning against using the facial recognition technology that is rumored to be coming with Apple’s next iPhone. There are a number of reasons that facial recognition is less than ideal. Among them: hands-free facial recognition means your phone may always be watching you. Additionally, it’s not as secure as it seems: people’s faces are extremely public. Samsung’s version of facial recognition can be fooled with a photograph, making it no safer than a thumb swipe. And then there’s the question of how this information will be stored and the privacy concerns that accompany that debate. No doubt, facial recognition will make people’s lives easier. But safer? Maybe not.
Two Campaigns Send Out over 23 Million Locky Ransomware Emails
The Locky ransomware strain is nothing new; it has been in use for a while, and that continued this week as researchers announced they had discovered a pair of campaigns that had sent out a combined 23 million spam emails carrying the newest version of Locky, Lukitus. One campaign was demanding 0.5 bitcoin (~$2,300 USD) to decrypt a user’s files, while the other was asking for between 0.5 and 1 bitcoin for decryption.
[Source: The Hacker News]
GitLab Patches Session Hijacking Bug
This past week GitLab announced it had patched a bug that would have allowed hackers to perform session hijacking by using session tokens that had been left visible in secure access URLs. Complicating matters further was the fact that GitLab used session tokens that don’t expire. The bug was initially discovered by a security researcher at Imperva, who held off on disclosing the vulnerability until GitLab could patch it.
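The two ingredients above (a token visible in a URL, and a token that never expires) are what a defender can check for directly. The following is an added example, not code from GitLab or from this article: it scans constructed web-server access-log lines for credential-like query parameters, redacts them before the URL is logged or shared, and applies the age limit that a non-expiring token lacks. The parameter names, the log lines and the 8-hour limit are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that typically carry a credential (assumed list, extend as needed).
TOKEN_PARAMS = {"token", "private_token", "session", "session_id", "access_token", "auth"}

# Constructed sample lines in combined-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2017:10:00:01 +0000] "GET /api/v4/projects?private_token=abc123def456 HTTP/1.1" 200 512 "-" "curl/7.54"
10.0.0.7 - - [01/Sep/2017:10:00:02 +0000] "GET /dashboard/issues HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2017:10:00:03 +0000] "GET /files/report.pdf?session=zzz999 HTTP/1.1" 200 99999 "-" "Mozilla/5.0"
"""

# Pulls the request target out of the quoted "METHOD /path HTTP/x.y" field.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|PATCH|OPTIONS) (\S+) HTTP/')


def find_leaked_tokens(log_text):
    """Return (line_no, param_name, value) for every request whose URL carries a token-like parameter.

    A hit means the secret is already sitting in the server log and, for browser
    traffic, very likely in browser history and outbound Referer headers too.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, values in parse_qs(query).items():
            if name.lower() in TOKEN_PARAMS:
                hits.extend((line_no, name, value) for value in values)
    return hits


def redact_url(url):
    """Mask token-like query values so a URL can be written to logs or tickets safely."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def session_is_valid(issued_at, now, max_age=timedelta(hours=8)):
    """Expiry check a session store should enforce; a token with no issue time never passes."""
    return issued_at is not None and timedelta(0) <= now - issued_at <= max_age
```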
FDA Recalls Nearly Half a Million Pacemakers
As far as things you’d never want to have hacked, your pacemaker would likely be pretty high on that list. Unfortunately, that nightmare is a potential reality for those with four different models of pacemaker from Abbott Laboratories—the ones that communicate with radio frequencies. The pacemakers are susceptible to hacking that would potentially allow an attacker to issue commands, change settings and disrupt them. A firmware update is available that mitigates the problem.
Foreign Companies Should be Wary of China’s New Cyber-Law
Foreign companies with business interests in China may need to take time to examine and understand China’s recently proposed new cybersecurity laws. A new report from the security firm Recorded Future warns that the law could ultimately force companies and organizations to choose between handing over proprietary data and technology or being blocked out of the Chinese market. There are also concerns over the reach the new law extends to the Chinese government, in addition to how the government will use information turned up in its “investigations.”
[Source: Recorded Future]
- StartCom and WoSign Roots Will Be Removed for Firefox 58
- Beware of Hurricane Harvey Phishing Scams
- Google Removes 300 Apps from its App Store
- Root Changes in Android 8.0 Oreo
- Experts Agree: HPKP is More Trouble Than It’s Worth