The Looming Digital Meltdown*:
- A new class of security vulnerability – a variety of flaws that affect almost all major microprocessor chips – was announced at the beginning of 2018.
- The news prompted a rush of fixes, ruining the holiday vacations of system administrators worldwide.
- We have built the digital world too rapidly; many of the early layers of construction were never meant to guard so many valuable things like personal correspondence and finance.
- Almost all modern processors make predictive movements, with revealing traces left behind, and hackers can take advantage.
- Since the problem is built into the hardware, fixing this class of problems may also be prohibitively expensive.
- Modern computing security is like a flimsy house that needs to be fundamentally rebuilt.
- In recent years, we have suffered small collapses here and there and made superficial fixes in response, but we need better ways to make systems more secure.
*Source: New York Times, January 06, 2018
Swift Institute Challenges University Teams to Tackle Data Privacy Under Open API*:
- The academic research arm of interbank payments network Swift is calling on Australian-based students to devise new ways and means of protecting personal information in an open banking environment.
- With the Australian government’s plans to foster competition and support a growing fintech community by introducing secure data-sharing, major lenders will have to provide more detailed information about their customers to credit agencies.
- The Swift Institute's 2018 competition will address the issue of data privacy in an Open API environment.
- The final presentations will be taking place on 24 October 2018 at Swift's annual international banking event – and the winning concept will receive a check for A$30,000.
- The director of the Swift Institute commented, “The issue of how to keep personal information safe in an open environment is increasingly a question that banks are trying to tackle as open banking becomes more prevalent. This competition will challenge students to provide innovative solutions to this global industry issue.”
*Source: Finextra, January 08, 2018
Florida Phishing Attack Exposes Data for 30,000 Medicaid Recipients*:
- Florida’s Agency for Health Care Administration has warned that a phishing attack compromised data for as many as 30,000 Medicaid recipients.
- One of its staffers fell for a “malicious phishing email,” giving hackers access not only to identifying info like names, addresses, and Medicaid ID numbers, but also diagnoses and medical conditions.
- The agency claimed there was "no reason to believe" the info had been abused, but that's not much consolation.
- It's not clear who was responsible for the attack or what their motivations might be.
- The breach illustrates how medical networks continue to be fragile: an email is all it took to directly expose the most sensitive data of thousands of users.
- The AHCA is taking a step to resolve this by training staff on security measures, but they might not see a lasting solution until private info is further separated from the outside world.
*Source: Engadget, January 07, 2018
Cyber-Attack Could Lead to Inadvertent Nuclear Strike, Think Tank Warns*:
- Nuclear strikes could be launched by mistake because aging or unsophisticated weapons systems are vulnerable to cyber-attacks, an international relations think tank warned Thursday.
- A hack could lead to false information being passed to decision makers during a crisis.
- The report said nuclear weapons systems were first developed at a time when computer capabilities were in their infancy and little consideration was given to potential malicious cyber vulnerabilities.
- The report comes as the U.S. officials grow increasingly concerned that North Korea might use cyberattacks alongside conventional weapons.
- Intelligence officials have long ranked the rogue regime among the world's most dangerous cyber actors trailing only Russia, China and Iran.
- The FBI also suspects North Korea was behind a $81-million cyber-heist of the Bangladesh central bank's account at the Federal Reserve Bank of New York.
- The US is also using cyberwarfare to disrupt North Korea’s weapons program, and was blamed for the April 2017 failure of a rocket that disintegrated seconds after being launched.
- The report also reveals the likelihood of attempted cyberattacks on nuclear weapons systems “is relatively high and increasing.”
*Source: NBC news, January 11, 2018
To Protect Aadhaar Privacy, UIDAI Launches 16-Digit Virtual ID*:
- The UIDAI introduced a new concept of 'Virtual ID' which Aadhaar-card holder can generate from its website and give for various purposes, including SIM verification, instead of sharing the actual 12-digit biometric ID.
- The Virtual ID, which would be a random 16-digit number, together with biometrics of the user would give any authorized agency like a mobile company, limited details like name, address and photograph, which are enough for any verification.
- A user can generate as many Virtual IDs as he/she wants and the older ID gets automatically cancelled once a fresh one is generated.
- The Virtual ID will be a temporary and revocable 16 digit random number mapped to a person's Aadhaar number.
- Agencies that do not migrate to the new system to offer this additional option to their users by the stipulated deadline will face financial disincentives.
- The move aims to strengthen the privacy and security of Aadhaar data and comes amid heightened concerns around the collection and storage of personal and demographic data of individuals.
- Users can go to the UIDAI website to generate their virtual ID which will be valid for a defined period of time, or till the user decides to change it.
*Source: News18, January 10, 2018
Sneaky Malware Disguises Itself as an Adobe Flash Player Installer*:
- A state-sponsored hacking operation is targeting diplomats, using a new attack that bundles malware with a legitimate software update.
- The attacks are targeting embassies and consulates in eastern European post-Soviet states and have been attributed to Turla, a well-known advanced persistent threat group.
- Researchers note that some private companies have been infected, but that they're not the main targets of the campaign.
- Security researchers are still unsure as to how the attackers are bundling their payload alongside a Flash player installer.
- Once a user runs the software, the attackers are able to open backdoors and drop malware onto the compromised machine.
- Some of the victims have been infected with other Turla-related malware such as ComRAT or Gazer, suggesting there's a strong link between the campaigns.
*Source: ZDnet, January 09, 2018
UIDAI Firewalls 5,000 Officials Post ‘Breach’*:
- The Unique Identification Authority of India (UIDAI) restricted the access of all designated officials – numbering about 5,000 – to the Aadhaar portal after a report said demographic details of those enrolled in the system were available for as little as Rs 500.
- UIDAI has overhauled its system to enable access only by entering the biometrics of the person whose details were sought to be verified.
- The price mentioned above was enough to get an administrator-level login ID and password.
- Under the earlier system, state governments had authorised certain officials who had “limited” access.
- Under the new system, access needs to be authenticated by the fingerprint of the Aadhaar holder and the data available will be restricted to that person.
- UIDAI had denied that its security protocols were faulty and has filed a police complaint in the wake of the news report.
- In the past six months, UIDAI has been encouraging all private operators to shift their centres into the premises of government establishments.
- While about 4,000 centres have moved into banks and post offices, another 26,000 are in the process of doing so.
- All telecom operators who use Aadhaar authentication for their mobile subscribers have also been encouraged to use UIDAI-registered biometric devices.
*Source: Economic Times, January 09, 2018