Friday Five: 9/8 edition
It's Friday! Catch up on the top infosec headlines with our weekly news roundup.
Equifax, a credit-reporting company, recently disclosed a giant data breach, compromising the data of around 143 million Americans. Equifax discovered the breach, which happened between May and July, on July 29th and is mailing notices to those affected. Personal data exposed includes social security numbers and addresses. Unfortunately, because Equifax gets data from organizations who report on credit activity and by buying public records, people who were affected might not have known Equifax had their data. To help repair the damage, the company is offering “free identity theft protection and credit file monitoring to all U.S. consumers”. If you want to check if you’ve been affected, you can submit your name and the last six digits of your social security number to Equifax.
2. Sensitive data on former U.S. military personnel exposed on Amazon S3 repository by Teri Robinson
The latest unsecured Amazon S3 server left the resumes of 6000 U.S. veterans, many of whom have top secret security clearance, exposed. The server was being used to transfer resumes from TalentPen to TigerSwan, a security contractor using TalentPen to process its job applicants. TalentPen was notified of the exposure by Amazon but never disclosed it to TigerSwan. Thomas Fischer, Global Security Advocate at Digital Guardian, points out that when utilizing third party solutions, stronger controls need to be put into place to ensure data security. Other recent exposures of S3 servers include Deep Root Analytics, Dow Jones, and WWE.
Hacker group Dragonfly has been launching new campaigns this year targeting energy companies around the globe, especially in the U.S., Turkey, and Switzerland, and has gained access to some of those companies’ networks. In some instances, these hackers have operational access and can change or stop the flow of electricity into homes and businesses. This follows the attacks on the Ukrainian power grid, which caused two black outs in 2015 and 2016 and were attributed to a group called Sandworm. While Dragonfly has yet to trigger a blackout, some security researchers believe that should the hackers be from a nation state, they would wait for a strategic moment to cause a disruption.
4. Dolphins inspire ultrasonic attacks that pwn smartphones, cars and digital assistants by Iain Thomson
New research by Chinese researchers from Zhejiang University finds that hackers can take over your smartphone device by using ultrasonic devices to communicate with voice control systems like Siri or Google Assistant. The method is called DolphinAttack, which uses a small kit consisting of a smartphone, an ultrasonic transducer, an amplifier, and a battery to send ultrasonic commands to voice control. The team was able to use DolphinAttack to dial a number, but it could also be used to instruct the speech recognition system to navigate to a site, which could contain malware. The team will be presenting in Dallas at the ACM Conference on Computer and Communications Security.
A new research report by 451 Research, A Data-Centric Approach to Endpoint Security, finds that a majority of enterprises have up to five endpoint security tools, which they've been accumulating over the years whenever a new threat or risk appeared. However, now there's a shift towards consolidation of tools, mainly driven by the trend towards data-driven endpoint detection. Many security companies offer product suites that would cover the use cases of individual products in one solution. Companies will face obstacles with the move towards consolidation as teams will have to provide a case that a tool is no longer needed, and that the company along with its data will be sufficiently protected.