Friday Five: 4/13 Edition
FTC settlements, data exfiltration, and more -- catch up on the week's infosec news with this roundup!
1. Uber agrees to expand FTC settlement to include 2016 breach by Kia Kokalitcheva
The gears of the court system never stop turning and this week's news regarding Uber's ongoing battle with its privacy and data security practices is a perfect example of that. Uber will have to submit all reports from the third-party audits of its privacy program to the Federal Trade Commission going forward, according to an expanded, proposed settlement it agreed to this week that included 2016’s breach it failed to disclose. To recap: The original settlement was based on an incident from four years ago where hackers infiltrated the transportation company's systems to make off with information on 100,000 drivers.
Federal Trade Commission image via bluemaumau's Flickr photostream, Creative Commons
2. Data exfiltrators send info over PCs' power supply cables by Richard Chirgwin
You have to wonder if the researchers at Ben-Gurion University will ever run out of interesting ways to exfiltrate data. Over the past several years researchers at the university's Cyber Security Research Center have managed to extract data from fanless computers, USB ports, LEDs, heat, a computer's speakers, and even the mechanical movements of a computer's hard-disk drive. This week the group claimed they could use malware to exploit how current flows through the power cords of an air-gapped computer. You can’t fault the researchers for not giving their research a catch name though: they called it PowerHammer. (.PDF)
3. SirenJack flaw exposes problems in emergency alert system by Rene Millman
Speaking of vulnerabilities with catchy names. Bastille, the same security firm that warned of MouseJack, a collection of security vulnerabilities affecting non-Bluetooth wireless mice and keyboards, unveiled SirenJack this week. According to SC Magazine, researchers with the firm say that an emergency alert system developed by ATI Systems and used in cities and towns worldwide lacks encryption. Because of the vulnerability it wouldn't be difficult for an attacker to remotely exploit sirens connected to the system and in turn, cause panic. One only needs to flash back to the Hawaii employee that accidentally sent out a false alarm warning of a missile attack earlier this year to consider how dangerous an errant warning could be.
What is Data Exfiltration? (Definition & Prevention)
4. Google Chrome to Boost User Privacy by Improving Cookies Handling Procedure by Catalin Cimpanu
Some interesting browser news here via Bleeping Computer: Google is going to put a shorter lifespan on cookies delivered via HTTP connections, something that should force site owners hands into pushing them via HTTPS. The move is expected to take place in Chrome 70, scheduled for release in October later this year. Google's decision, ideally, would help curb the storage of data in cookies, or from advertisers using the same cookie to track users across multiple sites.
5. We Already Know How to Protect Ourselves From Facebook by Zeynep Tufecki
We couldn’t have a Friday Five this week without at least one story about Facebook, right? In case you missed it Tuesday and Wednesday saw CEO Mark Zuckerberg make the circuit around D.C., testifying in front of two congressional committees over last month’s Cambridge Analytica debacle. Zeynep Tufecki's opinion piece in the Times this week was published before the hearings but that doesn't make it any less worth reading. Tufecki theorizes what legislation around Facebook would look like in the perfect world. One of the main takeaways is asking how we can reintroduce competition into the digital economy - and how it could be a boon for not just us, but innovation.