28 August 2019

SECURITY NEWS THIS WEEK: CRYPTOCURRENCY MINERS EXPOSE NUCLEAR PLANT TO INTERNET


While the cybersecurity world took a collective deep breath after the Black Hat and Defcon hacker conferences, there was still plenty of news to be had this week. After first announcing an iOS-compatible YubiKey in January, Yubico has finally released it. We also took a deep dive into the security and privacy enhancements coming to Android 10, the first Android version to ditch the dessert naming system. You can jailbreak your iPhone again for the first time in years, but probably shouldn't. And that's just for starters!

As the robocall crisis rages on, state attorneys general and a dozen major telecoms finally decided to do something about it. Google, Mozilla, and Apple all fought back against Kazakhstan's attempts to spy on its citizens' encrypted internet traffic. China used fake accounts and state media to spread disinformation and denigrating comments about Hong Kong protestors across Facebook, Twitter, and YouTube. And Facebook introduced a long-awaited privacy feature, but (of course) it comes with a catch.

We looked at the state of library cybersecurity and what it means for the upcoming 2020 census. And the Consumer Financial Protection Bureau is proposing some bad security hygiene in its new rules around debt collection.


Lastly, we celebrated the rich history of vanity license plates backfiring, and the decidedly less amusing future of cyberwar.

And there's more! Every Saturday we round up the security and privacy stories that we didn't break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

Cryptojackers—the hackers who insert themselves into networks to mine cryptocurrency—have targeted critical infrastructure before. But this time, the mining was coming from inside the building. Employees at the South Ukraine Nuclear Power Plant reportedly hooked up their mining rigs to the plant's internal network. The bad news is that they exposed the plant to the broader internet, which is understandably not ideal for high-security nuclear plants. The good news, or at least less-bad news, is that the accused staff apparently hit the administrative offices, rather than the plant's industrial network. Either way, looking forward to a Simpsons episode about this sometime in 2025.

We've written plenty about the perpetual effectiveness of Nigerian email scammers. But if you need any more proof, look no further than this 145-page indictment, in which the Department of Justice chronicles dozens of sophisticated cases, allegedly committed by 80 individuals, that stole tens of millions of dollars from companies and individual victims alike. It's unclear whether any of the culprits will face extradition, but at the very least it underscores the scope of a decades-old problem that, if anything, only continues to get worse.

At this point, it's hard to think of a voice platform that hasn't gotten in trouble for sending conversational snippets to human contractors to transcribe. Add Microsoft's Xbox to that list. A report this week from Motherboard details how Kinect audio commands were sent to third-party contractors as far back as 2014.

The ongoing location data fiasco—carriers have been selling it to third parties without much concern for who ended up with it—was never good, per se, but the Daily Beast has a wild story about just how bad it gets. A bail bondsman allegedly invented a suicide prevention group called the Colorado Public Safety Task Force out of whole cloth to trick phone companies into giving him detailed location information for his targets. And it only gets worse from there.
