The opening of movies sets the tone for the rest of the film. Within the first few minutes you usually get an idea of the characters, whether it's a slow suspense, a drama, or action flick.
If the first few days of 2018 are any indication, the IT Security world has kicked off with a dizzying Michael Bay-esque opening action sequence with rapid cuts that would rival any Edgar Wright montage.
So let's jump head first right into it.
Meltdown
Step aside Heartbleed, and forget all about WannaCry: there's a new duo of attacks in town, Meltdown and Spectre, complete with logos, websites, and tales of doom.
- Meltdown Attack, the website.
- Google Project Zero blog
- NCSC’s advice
- Replace CPU hardware – legit advice.
- Linus Torvalds was not happy, and issued a strongly-worded statement
- Mozilla Confirms Web-Based Execution Vector for Meltdown and Spectre Attacks | Bleeping Computer
Facebook and India’s controversial National ID Database
Facebook has clarified that it’s not asking new users in India for their Aadhaar information while signing up for a new Facebook account.
Aadhaar is India’s biometric ID system that links the demographic information of more than a billion Indians with their fingerprints and iris scans, and stores it in a centralized government-owned database that both government agencies and private companies can access to authenticate people’s identities. The program has been slammed by critics for enabling surveillance and violating privacy.
Facebook said this was a “small test” that the company ran with a limited number of Indian users, and that its goal was to help new users understand how to sign up to Facebook with their real names.
It sounds an awful lot like the “wallet inspector” in the school playground that would also then keep my money safe for me.
- Facebook Just Clarified That It Is Not Collecting Data From India's Controversial National ID Database |Buzzfeed
- Rs 500, 10 minutes, and you have access to billion Aadhaar details | The Tribune India
Trackmageddon
Two researchers have disclosed problems with hundreds of vulnerable GPS tracking services that use open APIs and trivial default passwords (123456), enabling a multitude of privacy issues up to and including direct tracking of devices. Many of the vulnerable services also have open directories exposing logged data.
For some, the vulnerabilities discovered and disclosed by Vangelis Stykas (@evstykas) and Michael Gruhn (@0x6d696368) aren't new: similar flaws were disclosed at Kiwicon in 2015 by Lachlan Temple, who demonstrated them in a popular car tracking and immobilisation device.
DHS leak
The US Department of Homeland Security has confirmed a major privacy leak affecting 247,000 employees. According to a DHS statement, it appears to have been an inside leak rather than an external hack.
- DHS Admits Major Leak Affecting 247,000 Employees | Infosecurity magazine
- Critical DHS breach put 250K employees' personal data at risk | Tech Republic
Uber Malware
Android users should be on alert for a new malware variant posing as the Uber app in an attempt to steal passwords.
Of course, users that download Uber have probably got low security expectations to begin with.
Guessing Smartphone PIN codes
Security researchers have discovered a new method that attackers could potentially use to unlock and compromise a user's smartphone using nothing but the device's own sensors. According to researchers at Nanyang Technological University (NTU) in Singapore, data gathered from six different smartphone sensors, paired with machine learning and deep learning algorithms, could be used to guess the PIN of Android smartphones within only three tries.
Forever 21 breach lasted over seven months
Anyone can get breached; that in itself isn't the failing. But detection controls should be designed to alert when something goes wrong, and seven months is a long, long time.
- Forever 21 breach lasted over seven months | Infosecurity Magazine
- Forever 21 investigation reveals malware presence at some stores | ZDNet