Friday Five: 3/18 Edition
Happy Friday! Catch up on this week’s top infosec news with our Friday Five.
A new ransomware campaign was discovered earlier in the week, this time using infected web advertisements to deliver malware to unsuspecting visitors of major websites. The malvertising campaign spread the Bedep Trojan and TeslaCrypt ransomware via drive-by downloads on sites including The New York Times, the BBC, AOL, MSN, Xfinity, the NFL, and Newsweek, amongst others. The ads were displayed to “tens of thousands of people,” but it isn’t clear how many were infected with the ransomware. Read the full article for more analysis of the ransomware campaign.
Earlier this week, news broke that American Express has notified customers of a potential data breach via a compromised third-party service provider. According to a notice filed with the California attorney general, data exposed could include “AmEx account numbers, user names and other information including expiration dates.” It seems that this third-party compromise could also affect customers of other credit card issuers, because the service provider is used by “numerous merchants.” As is often the case in third-party data breaches, AmEx maintains that its own systems were not compromised in the incident. Read the article for more on the breach.
The FBI has released an alert after the recent wave of ransomware attacks targeting businesses, this time warning of ransomware attacks that encrypt entire networks as opposed to files or other data. This capability would make ransomware attacks that much more destructive (and, therefore, costly) for businesses, as any data backups stored on the network would also be encrypted and unusable for recovery efforts. Read the article from Paul Roberts for more on the FBI’s latest warning.
Internet of Things security concerns made headlines again this week when a security researcher staying in a London hotel discovered that the smart controls for guests’ rooms lacked basic protections against unauthorized access or use. Security researcher Matthew Garrett was attending the KubeCon Kubernetes conference and decided to explore the Android tablet in his hotel room that was used to control lighting, blinds, and other in-room settings. Garrett used a packet analyzer to determine that the tablet used Modbus – a protocol notorious for its lack of authentication mechanisms. Upon further investigation, Garrett was able to gain access to the control systems for the in-room tablets on every floor of the hotel. Read the full article for more on the latest IoT security vulnerability.
A new report from Google shows that many of the highest-trafficked websites still don’t use HTTPS by default, leaving users’ connections – and any information sent over them – vulnerable to interception by attackers. According to Google’s findings, 79 of the top 100 websites (not including Google) do not have HTTPS enabled by default, and 67 use connections with obsolete encryption or none at all. While many major websites are lagging on implementing HTTPS technology, there are still some sites – such as Yahoo, Amazon, Twitter, LinkedIn, Facebook, PayPal, and, of course, Google – that are leading the charge to protect users with encryption, as Dennis Fisher noted in a blog post earlier this week. Read the article from Brian Barrett for more on Google’s report.