InfoSec News Nuggets – June 28, 2018

Cyber Researchers Don’t Think Feds or Congress Can Protect Against Cyberattacks

The federal government doesn’t understand cybersecurity and won’t be able to respond to a digital disaster such as a destructive hack aimed at the energy or financial sector, according to a survey of cybersecurity researchers released Tuesday. Only 13 percent of researchers “believe that Congress and the White House understand cyber threats and will take steps for future defenses,” according to the poll of attendees at the Black Hat cybersecurity conference. Only 15 percent of the researchers believe the U.S. government and private industry are prepared to respond to a major breach of critical infrastructure. When asked about the greatest cyber threats to critical infrastructure, 43 percent of researchers cited a cyberattack by another nation, while 16 percent cited a lack of coordination between government and industry.

Security Startup Quantum Xchange Promises Unbreakable Quantum-Safe Encryption

Bethesda, MD-based start-up Quantum Xchange has announced $10 Million Series A funding from New Technology Ventures, and the launch of the first commercial quantum key distribution (QKD) service in the U.S. The funding will support the deployment of a fiber network serving the Northeast Corridor from Washington D.C. to Boston, connecting the financial markets on Wall Street with back office operations in New Jersey. The business premise is simple. The budding arrival of quantum computers will make current strong public key encryption immensely weak. Where current computing power would take too long or too many computers to make factoring large numbers feasible, one quantum computer could factor current public key lengths in a matter of minutes. Public key encryption will not provide security against quantum computers.

School facial recognition system sparks privacy concerns

A New York school district is hoping to use technology to make its children safer. Lockport City School District (LCSD) is buying facial and object recognition software to pinpoint dangerous people and objects, including guns. The district wants to be a model of security, but it has privacy and civil rights advocates up in arms. LCSD has committed to purchase the facial and object recognition software from Ontario, Canada-based firm SN Technologies, as part of a $3.8m security update using a grant provided by the 2014 Smart School Bond Act (SSBA).

Facebook sends weekly app emails to wrong people

In another one of those privacy hiccups Facebook is making a habit of lately, the company has admitted accidentally copying some weekly app developer emails to the wrong recipients. News of the leak emerged when a developer tipped off a news site that one of these emails had ended up being read by someone outside the company. When queried about the issue, Facebook issued a statement admitting that Facebook Analytics data meant for admins, developers, and analysts had also been sent to app testers: “Due to an error in our email delivery system, weekly business performance summaries we send to developers about their account were also sent to a small group of those developer’s app testers. No personal information about people on Facebook was shared. We’re sorry for the error and have updated our system to prevent it from happening again.”

With physical key support, Twitter makes hacking into accounts much more difficult

Buried in an announcement Tuesday, Twitter said it will now support physical security keys for login verification, making it far more difficult to break into a user’s account. Known as universal two-factor (U2F) devices, these small keyring-sized devices that you can take anywhere add an extra layer of security to supporting services. Unlike a text message code sent to your phone that can be intercepted and used, a universal two-factor keyfob requires a user to physically push a button to authorize a login. Because an associated key will also only work on genuine Twitter pages, it still helps protect against fake phishing pages that try to steal your password.

Hundreds of Hotels Affected by Data Breach at Hotel Booking Software Provider

The personal details and payment card data of guests from hundreds of hotels, if not more, have been stolen this month by an unknown attacker, Bleeping Computer has learned. The data was taken from FastBooking, a Paris-based company that sells hotel booking software to more than 4,000 hotels in 100 countries, as it claims on its website. In emails the company sent out to affected hotels today, FastBooking revealed the breach took place on June 14, when an attacker used a vulnerability in an application hosted on its server to install a malicious tool (malware). This tool allowed the intruder remote access to the server, which he used to exfiltrate data. The incident came to light when FastBooking employees discovered this malicious tool on its server.

Group Tied to Russia Attacked ProtonMail

Twitter was abuzz this morning after ProtonMail tweeted that its network had been under sustained attack, the result of a distributed denial-of-service (DDoS) attack traced back to a group claiming to have ties with Russia. The attack impacted both ProtonMail and ProtonVPN so that the services were “intermittent at best,” as one person wrote on Twitter. After several hours, the service has been restored and all queued emails have been sent or delivered.

Insider Dangers Are Hiding in Collaboration Tools

Digital collaboration technologies are accelerating productivity in the post-phone-call workplace, but tools like Yammer, Workplace by Facebook, and Slack have their dark side. While these channels can help speed group decision-making, they also serve as an enterprise blind spot for insider threats to do their worst – not to mention being open conduits for spreading negativity and toxic behaviors among the ranks. A new report out today from Wiretap measured the prevalence of insider risks from collaborative communication tools, both in public and private conversations. It found the platforms are rife with uncontrolled sharing of sensitive information and password sharing. 

IEEE Calls for Strong Encryption

The IEEE this week issued a position statement in support of strong encryption and in opposition to government efforts to require backdoors. “IEEE supports the use of unfettered strong encryption to protect confidentiality and integrity of data and communications. We oppose efforts by governments to restrict the use of strong encryption and/or to mandate exceptional access mechanisms such as ‘backdoors’ or ‘key escrow schemes’ in order to facilitate government access to encrypted data,” the organization’s statement reads.

Facebook Built A New Team To Spot Problems Before They Arise

In an attempt to spot vulnerabilities in its system before bad actors exploit them, Facebook has hired a team of ex-intelligence officers, researchers, and media buyers, and set them loose on its products. Facebook calls this group the “Investigative Operations Team” and has directed its members to find the worst possible things that can be done using Facebook, and to help the company prevent them. The group, whose existence is being revealed for the first time in this story, is testing Facebook’s advertising systems, pages, Instagram, Messenger, and more. Facebook told BuzzFeed News the team is searching for troubling behavior in countries like Myanmar, examining keywords and other signals that could be used to promote violence. And it’s investigating Facebook’s merchant tools, attempting to spot problematic product sales.

California is on the verge of passing a sweeping new online privacy law targeting Facebook, Google and other tech giants

California is hurtling toward the adoption of a new online privacy law that would govern how tech giants like Amazon, Facebook, Google and Uber collect and monetize consumers’ personal data – a set of changes that could ripple throughout the country. The Golden State legislature is due to vote Thursday on the California Consumer Privacy Act of 2018, which would require tech companies to disclose the categories of data they collect about consumers as well as the third-party entities, like advertisers, with whom they share that information. Web users would also gain the ability to opt out of having their data sold, and companies wouldn’t be allowed to charge users a fee or provide them less service if they made that choice. And the proposal comes with some teeth: California’s attorney general would be empowered to fine companies that fail to secure consumers’ sensitive details against cyber threats.

Facebook’s ‘keyword snooze’ hides phrases from your News Feed for 30 days

Facebook announced today that it is now testing a Keyword Snooze button, which will allow users to hide TV spoilers, political discussions, or other unsatisfying posts from their News Feeds more effectively. The feature varies slightly from the “mute keywords” on other social media sites, like Twitter. For starters, users can’t preemptively snooze a keyword from their timeline. They have to click on a post that has that keyword, and click on “snooze keywords in this post.” Facebook then provides suggestions of keywords within that post that users can snooze. Once they choose keywords to mute, the user won’t see any posts from a person, Page, or Group that contains those keywords for the next 30 days.

Facebook Rows Back On Cryptocurrency Ad Ban

Facebook has backtracked on its blanket ban on cryptocurrency ads, saying it will now accept them from pre-approved advertisers in certain circumstances. Back in January, the company pulled the plug on ads such as binary options, initial coin offerings and cryptocurrency that, it said, were ‘frequently associated with misleading or deceptive promotional practices’. Now, though, the company has announced that it’s set up a vetting process and that advertisers that come up to scratch can now promote some crypto products – though ads for binary options and initial coin offerings (ICOs) are still banned. “Advertisers wanting to run ads for cryptocurrency products and services must submit an application to help us assess their eligibility — including any licenses they have obtained, whether they are traded on a public stock exchange, and other relevant public background on their business,” explains product management director Rob Leathern.

TLBleed attack can extract signing keys, but exploit is difficult

An interesting, new side-channel attack abuses the Hyper-Threading feature of Intel chips and can extract signing keys with near-perfect accuracy. But both the researchers and Intel downplayed the danger of the exploit. Ben Gras, Kaveh Razavi, Herbert Bos and Cristiano Giuffrida, researchers at Vrije Universiteit’s systems and network security group in Amsterdam, said their attack, called TLBleed, takes advantage of the translation lookaside buffer cache of Intel chips. If exploited, TLBleed can allow an attacker to extract the secret 256-bit key used to sign programs, with a success rate of 99.8% on Intel Skylake and Coffee Lake processors and 98.2% accuracy on Broadwell Xeon chips. However, Gras tweeted that users shouldn’t be too scared of TLBleed, because while it is “a cool attack, TLBleed is not the new Spectre.”