The SecuriTea News - Issue #1
Every Friday the Weekly Tea Report brings you the latest week’s trending information security news. Read on and join the conversation.
Too much to handle? Despite having all their systems up-to-date, research is showing that IT managers are not keeping their head above water when it comes to dealing with the volume of cyberattack attempts to their company networks. The Impossible Puzzle of Cybersecurity, released by Sophos, is a research report interviewing thousands of IT managers across 12 countries to get the latest trends in security. 2 out of 3 managers (or 68% of organizations) stated they suffered a cyberattack in 2018. Though the percentage of time spent on cybersecurity issues have increased to 26%, good intentions and behaviors are not enough as attackers are still infiltrating through. IT departments have to secure and manage a vast number of assets whilst an attacker only needs one entry way to gain access. Phishing(think those weird emails when someone says they will send you a million dollars through the wire) is still #1 (53 percent) in terms of the types of attacks that are succeeding. Malware infections (viruses on your computer/device), software exploits (bug in software) and ransomeware (locking you out of your network and demanding money usually via bitcoin) round out the top 4 threats organizations are facing in 2019. To read the report click here.
New meaning to a hot hairstyle. Sometimes its okay to not have bluetooth in an ordinary item. Researchers from Pen Test Partners proved this when they hacked into a hair straightener, sent some maliciously crafted Bluetooth commands (think if someone tried to sneak into your airpods) and was able to take control of the hair device. The implications of this can prove to be deadly as an attacker who has control can possibly raise the temperature to maximum (455°F) - higher than paper's burning point - and set something on fire depending on how long it remains on. Luckily, an attacker would need to be close by as Bluetooth range is limited and thus the probability of this happening is low. The issue here is the rise in IoT (Internet-of-things - think Alexa) devices in the everyday household that is not created with Security in mind.
Google out of bounds. Google is in trouble after a report shows that its Home devices were recording audio despite the "wake-up" word not being used. Last Wednesday a subcontractor for the company disclosed this privacy issue to Dutch news outlets after realizing extra recordings with sensitive information was being obtained. Hired as a "language transcriber" in order to improve the way Google devices understands accents, the subcontractor and news outlets were able to “clearly hear addresses and other sensitive information. This made it easy for us to find the people involved and confront them with the audio recordings.” Google confirmed that these recordings were authentic but said they were in error. Despite the error, it is possible for situations to happen like this one to any home IoT device. This situation highlights the concerns around third-party security and Google’s data retention and sharing policies, given that a subcontractor leaked these recordings to a news outlet.
Zoom not quick enough. If you have Zoom, the web- and video-conferencing service, installed on your machine it is important you install the latest update to your software. The company is under scrutiny after their response to a zero-day (meaning a vulnerability that is unknown and unpatched) was discovered by researcher Jonathan Leitschuh. The issue found was this zero-day vulnerability (again, think a huge undiscovered hole in your wall that allows people in and out of your home that you never knew existed) allowed an attacker to hijack a user’s web camera without their permission. That isn't even the worst of the situation, apparently even if you uninstall Zoom from your computer, the service maintained an internet connection on computers via a hidden localhost web server. Luckily in response Apple helped its user base out by silently removing this web-server from its devices.
Speaking of Apple, no more walkie-talkie. If you have an Apple watch you might have noticed that you can no longer use Walkie-Talkie to contact users (or in my case randomly start singing to my friends during peak work hours). Apple has temporarily disabled the Walkie-Talkie feature from the Apple Watch due to a vulnerability that could allow potential attackers to eavesdrop in on iPhone call. Tech Crunch received confirmation of this flaw from Apple. This seems oddly familiar, doesn't it? Well if you remember earlier this year a huge FaceTime flaw was found that allowed anyone with iOS to FaceTime other iOS users and listen in on their private conversations – without the user on other end rejecting or accepting the call. Hopefully this is fixed soon, so we can all go back to the random singing, and further features are fixed to prevent this from happening again.
And that's a wrap for your Weekly SecuriTea Report. Be sure to check out the latest every week for the latest in Information Security News.