Friday Five 2/12
A hack of a water treatment plant, SIM swapping used on celebrities, and a popular barcode app turned into malware - catch up on all of the week's infosec news with the Friday Five!
1. A Hacker Tried to Poison a Florida City's Water Supply, Officials Say by Andy Greenberg
The news of the week was the hacking of a water treatment plant in Florida, an incident in which someone attempted to raise the levels of sodium hydroxide in the water to dangerous levels. Fortunately, the attempted sabotage was stopped before anyone was adversely affected by the dangerous altercation. The hack has raised concerns over the vulnerability and lack of funding protecting crucial local infrastructure. Though there were many safeguards in place to stop the public from getting hurt, the details and implications that water could be manipulated raised concerns that resonated beyond the cybersecurity community. As many similar systems around the country are also accessible via the internet, this kind of attack isn’t all that rare, but the public outcry this week has elevated the urgency around fixing the issue of cyber vulnerabilities in local infrastructure.
2. SIM-swapping gang busted for targeting 'influencers, sports stars, musicians' by Joe Warminsky
In a joint operation between UK and European law enforcement agencies, ten suspects were arrested for allegedly stealing personal data and a hundred million in cryptocurrency through the phones of celebrities. The list of those targeted have not been published, but include well-known influencers, sports stars, and musicians. The phones were accessed through SIM swapping, a technique in which someone takes over a digital profile by deactivating the SIM card on a phone and then swapping in their own phone number. This can be accomplished by working through an insider at a phone service provider or social engineering. Once the phone number switch has been made, any number of accounts or profiles can be accessed. The story is a reminder of the importance of extra layers of security on our mobile devices, such as a PIN or multi-factor authentication.
3. With one update, this malicious Android app hijacked millions of devices by Charlie Osborne
After an update, Lavabird Ltd’s Barcode Scanner, a popular scanner app, transformed into malware that was able to hijack ten million devices. The app has been around for years and users have had no major problems with the scanner up to this point. However, the update in question caused advertisements to randomly pop up on Android devices, which researchers were able to trace to the barcode scanner. The change is part of the larger trend of apps shifting from useful resources to adware. Although, this situation took the practice a step further by including malicious code. Though the app has been pulled from the Google Play store, users who have previously downloaded the app need to manually delete it.
4. A Swiss Company Says It Found Weakness that Imperils Encryption by Ryan Gallagher
In a potentially concerning development, a Swiss tech company has announced that it can now use quantum computers to uncover vulnerabilities in popular encryption. Researchers have long worried that quantum computing’s advanced calculation speeds could lead to the cracking of codes that were thought to be indecipherable. Cybersecurity experts are reserving judgment until the company publishes the full results of its research. Even if the results are merited out, major tech companies have anticipated the development in quantum computers and have been developing more sophisticated encryption to meet the challenge. Regardless of the research’s potency, it’s a warning or at least a reminder of an important challenge that will someday face the cybersecurity industry.
5. Federal election agency adopts updated voting security standards. Not everyone is happy. By Tim Starks and Sean Lyngaas
For the first time in more than fifteen years, the Election Assistance Commission has voted to adopt a comprehensive update to its voting security guidelines. Though any update is an improvement, reviews from election security experts have so far been mixed. Notably, some are worried about the new guidelines that will handle wireless connections on voting systems. Though, on the positive side, the new guidelines will encourage “software independence” which means that the machines will produce verifiable paper ballots if there is ever an audit and the incorporation of multi-factor authentication. Though the updates won’t be felt immediately, it will take time for states and equipment manufacturers to catch up to the new standards, the new guidelines are a step in the right direction.