Security News This Week: Google Ups the Ante on Web Encryption
As the presidential campaign charges ahead, the saga of Hillary Clinton’s use of a private email server continues. Fresh criticism emerged this week that Clinton must have been hiding terrible things because one of her aides smashed two of her personal Blackberrys with a hammer. But from a data security perspective, that’s not a bad thing; in fact some experts say the discarded devices should have been destroyed more thoroughly. Meanwhile, House Oversight Committee leader Elijah Cummings released a 2009 email sent by former Secretary of State Colin Powell to Clinton in which he describes in detail all the ways he himself skirted State Department technology requirements.
This week we grappled with the question of why Baltimore has become a bastion of surveillance tech. Over in the private sector, the Google-owned tech incubator Jigsaw is developing a program to try to identify ISIS recruits and deter them from joining the organization. And an op-ed contributor says it’s time to acknowledge that whoever wins the presidency will need to set new policy for autonomous weapons systems and their scope of use in warfare when the old Department of Defense Directive expires in 2017.
But wait, there’s more: Each Saturday we round up the news stories that we didn’t break or cover in depth but still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Not too long ago, the standard for a secure website was to not offer gaping holes for hackers to exploit or infect visitors with malware. Now even plain-old HTTP itself, that venerable web protocol, is about to be considered insecure. Google has announced that its web browser Chrome will soon take a more aggressive stance on web encryption, marking any site as insecure if it doesn’t use HTTPS, a protocol that encrypts web pages with the encryption schemes SSL or TLS, and putting a red “X” over a padlock in the corner of the address bar. The rollout will begin in January by applying the rule to any site that asks for a password or credit card information. It will later expand to all sites when the user is browsing in Chrome’s incognito mode. Eventually, Chrome will label all HTTP sites as insecure. In other words, the web giant is taking a giant step toward a fully encrypted web and putting anyone who isn’t taking HTTPS seriously on notice: If your website isn’t already encrypted, start working on it or become the subject of shaming messages in millions of users’ browsers.
In the long history of controversies over hackers who find and publicize hackable bugs, the case of St. Jude Medical and the finance firm Muddy Waters may be one of the messiest. Last month Muddy Waters and the security research firm MedSec teamed up to expose what they described as flaws in St. Judge’s pacemakers and defibrillators that could put patients’ lives in danger, potentially bricking the medical implants. And they went a step further: Muddy Waters also short-sold St. Jude’s stock, then profited from the resulting drop after the expose went public. Now St. Jude is firing back with a lawsuit accusing both the hackers and traders of illegal and damaging behavior like market manipulation and false accusations. Meanwhile, researchers at the University of Michigan published a rebuttal to MedSec prior to the lawsuit, claiming to refute some of the vulnerabilities MedSec found.
A hacker breach of the Office of Personnel Management that was revealed last year was the worst cyber attack on a federal agency in recent history, exposing as many as 22 million federal employees’ private records. Now a group of Republican members of Congress has released the results of its investigation into the attack and places the blame squarely on the agency’s management. The detailed postmortem runs through a series of known, unfixed security vulnerabilities in the agency’s systems prior to its discovery of hackers compromising its network in 2014 and describes how after OPM identified the initial breach and focused on containing the intrusion, another group of hackers ran rampant through its systems, eventually stealing millions of the highly personal background check records. The report lists the agency’s obstructions of the Office of the Inspector General, which investigated the breach, along with OPM’s misleading statements to Congress about its technology setup and security measures.
As part of the Obama administration’s $19 billion Cybersecurity National Action Plan, the White House appointed its first federal chief information security officer. The position will be filled by retired Brigadier General Gregory J. Touhill, who was previously deputy assistant secretary for cybersecurity and communications in the Department of Homeland Security’s Office of Cybersecurity and Communications. As CISO he will report to Tony Scott, the federal chief information officer. Touhill’s goal will be to improve government network security, evaluate security measures at agencies across the government, and raise awareness nationally about the importance of cybersecurity. It’s not going to be an easy job if he does it right.
The Isreali “booter” service vDOS, which offered to wage distributed denial-of-service (DDoS) attacks for its clients, was itself hacked, exposing information about tens of thousands of customers and targets. The hack also leaked information about the company itself. Between April and July 2016, vDOS generated more than 277 million seconds of attack time, or almost nine years of malicious traffic, by maintaining multiple attack campaigns every day. As Krebs on Security puts it, “To say that vDOS has been responsible for a majority of the DDoS attacks clogging up the Internet over the past few years would be an understatement.” The company was breached by a hacker who had found a vulnerability in the server configuration data of another attack firm. He tried it on vDOS and it worked, allowing him to exploit an additional bug that gave him access to the company’s databases. vDOS has made over $600,000 in the past two years.
See original article: