This week’s Cyber Security Headlines – Week in Review, October 10-14, is hosted by Rich Stroffolino with our guest, Matt Honea, Head Of Security, SmartNews
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Security chiefs fear ‘CISO scapegoating’ following Uber-Sullivan verdict
CISOs are split on whether Wednesday’s conviction of Uber’s former security chief Joe Sullivan will have more wide-ranging consequences for people in their position. According to The Record, some fear the case will prompt more CISO whistleblowers in the future, while others feel that security chiefs should be prepared to be held responsible for incidents that they are involved in. A federal jury convicted Sullivan of two charges related to his attempted cover-up of a 2016 security incident at Uber, where hackers stole the personal details of 57 million customers and the personal information of 600,000 Uber drivers.
Finger heat can leak your password
Researchers at the University of Glasgow’s School of Computing Sciences developed a system called ThermoSecure, designed to reveal a computer’s password from heat signatures. It pairs cheap consumer thermal-imaging cameras with a machine-learning algorithm that analyzes an image of a keyboard to reveal recent keypresses. The researchers had previously found that humans were fairly accurate at guessing passwords from thermal signatures, but the algorithm achieved up to 86% accuracy if the image was captured within 20 seconds of input. This fell to 76% accuracy within 30 seconds and 62% after 60 seconds. Shorter passwords were even easier to guess: with six or fewer characters it guessed correctly 100% of the time, making it an ideal way to steal a PIN. The researchers said longer passwords would be the most effective mitigation.
US airport sites targeted by KillNet
The pro-Russian threat group claimed it orchestrated large-scale DDoS attacks against the websites of several major US airports. This intermittently took several sites offline, including those for Hartsfield-Jackson Atlanta International, LAX, and Chicago O’Hare, preventing travelers from accessing airport services or getting flight information. The DDoS did not impact flights. This follows KillNet’s recent expansion into targeting US organizations. Last week it ran DDoS campaigns against government sites in Colorado, Kentucky, and Mississippi.
Thanks to today’s episode sponsor, NoName Security
Android leaks traffic even when ‘Always-on VPN’ is enabled
Mullvad VPN has discovered that Android leaks some traffic every time the device connects to a WiFi network, even with the “Always-on VPN” feature enabled. Data leaked outside the VPN tunnel includes source IP addresses, DNS lookups, HTTPS traffic, and likely NTP traffic as well. The issue stems from a design choice in the Android operating system that allows special use cases such as identifying captive portals (like hotel WiFi), which must be checked before a user can log in, or using split-tunnel features. Android users are likely unaware of the issue because Android’s documentation of the “VPN Lockdown” feature is inaccurate. Mullvad has contacted Google, requesting that it add an option to disable connectivity checks.
Digital license plates legalized in California
California has ended a pilot program and fully legalized digital license plates for private and commercial vehicles. The E Ink digital license plates, known as the Rplate, are manufactured by California-based company Reviver. The plate can reportedly function in extreme temperatures, has some customization features, and is managed via Bluetooth using a smartphone app. Rplates are also equipped with an LTE antenna, which can be used to push updates, change the plate if the vehicle is reported stolen or lost, and notify vehicle owners if their car may have been stolen.
RSA Conference reveals CISO-Board relationships
The RSA Conference Executive Security Action Forum (ESAF) released a research report on Wednesday that describes how CISOs are communicating risk, accountability, security maturity and metrics to boards, and the challenges that this can sometimes entail. Among the findings:
• CISOs and boards are generally well aware of the legal ramifications of a data breach, and of the need to document their efforts to adequately manage cyber risk.
• There is debate among the CISO community about the types of metrics used in board reports, specifically whether narratives or numbers are better.
• CISOs who have evaluated building a capability to quantify cyber risk in dollar values found that the resources and talent, including actuaries, would be prohibitive for most security teams.
• Security teams use risk scoring systems internally to prioritize their efforts but do not find it useful to share those numbers with the board.
We have a link to the full report in the show notes for this episode, at CISOSeries.com
First exemption from US chip equipment ban
Earlier this month, the US Commerce Department announced further export bans on advanced chipmaking equipment to China. This impacted technology up to a decade old and would have made manufacturing DRAM difficult in the country. The memory-chip maker SK Hynix confirmed it received a one-year temporary exemption from the new US rules. This will allow SK Hynix to supply its own China-based facilities without additional licensing requirements from the US Commerce Department. The US is expected to grant further exemptions to other DRAM makers like Samsung.