CyberSecurity Pulse 2017-02-20

CyberSecurity Pulse 2017-02-20

“If you don’t make mistakes, you aren’t really trying.”
Coleman Hawkins

Analyst Insight

Automated Car Driving: the Next Challenge

Although most of the time we are not conscious of what is happening inside our vehicles, they are starting to look like a normal computer  considering the increasing capabilities of the computing systems installed on board. Currently, the posibilities that a user have to access to these programs and patch them or even, study how they behave are limited taling into account that most of the software is propietary software.

CyberSecurity Pulse 2017-02-20It seems that not many efforts have succeded in a very manufacturer-chained industry, even when there exist some free software projects that will give us the chance of monitoring different metrics of our own vehicles. We have to assume that our lives will be flooded by self-controlled devices acting outside controlled environments which will need lots of lines of software to behave properly and communicate with others in a few years time.

Nevertheless, acting in the real world has some serious implications regarding the legal responsibilities to face if things go wrong for one reason or another. Currently, if some kind of Google's car has the undesired effect of provoking an accident, the company, as the hardware and software maker of the product would have to assume some (if not all) part of the blame. As a starting point, United States is already regulating the level of cybersecurity implemented in these cars, but, are we really ready to be blamed of an accident if a bug in the library we used to control whether the lights should be automatically powered on even if a simple brightness sensor fails and causes an accident?

Top Stories

New Wave of Cyberattacks Against Global Banks Linked to Lazarus Cybercrime Group

CyberSecurity Pulse 2017-02-20» More than a hundred banks and financial institutions across the world have been infected with a dangerous sophisticated, memory-based malware that's almost undetectable. Newly published report by the Russian security firm Kaspersky Lab indicates that cybercriminals are targeting banks, telecommunication companies, and government organizations in 40 countries, including the US, South America, Europe and Africa, with Fileless malware that resides solely in the memory of the compromised computers. Last investigations link this aggressive campaign of malware attacks to the notorious cybercriminal group known as Lazarus. Active since 2009, they has been involved in a number of aggressive cyberattacks against financial institutions, including the theft of $81 millions from the Bangladesh Bank.

» More information at Securelist and ZDNet

EPA Officials May Be Using Signal To "Spread Their Goals Covertly"

CyberSecurity Pulse 2017-02-20Two Republican members of Congress sent a formal letter Tuesday to the Environmental Protection Agency’s Office of the Inspector General, expressing concern that "approximately a dozen career EPA officials" are using the encrypted messaging app Signal to covertly plan strategy and may be running afoul of the Freedom of Information Act. The congressmen note that the EPA has previously examined employee use of text messages to conduct government business and found that only a minuscule fraction of those messages was retained under FOIA. "Not only does this demonstrate the vast issues presented with using text messages to conduct official business, but raises additional concerns about using messaging applications to conduct official business, which make it virtually impossible for the EPA to preserve and retain the records created in this manner to abide by federal record-keeping requirements", they concluded.

» More information at Documentcloud

Rest of the Week´s News

Yahoo Warns Users of Account Breaches Related to Recent Attacks

Yahoo has begun to warn individual users of their services about how their accounts may have been compromised in one of the massive data breaches it reported late last year. The warning, delivered in email messages sent from Yahoo's CISO Bob Lord, tells them how a forged cookie may have been used to access their accounts in previous years.

» More information at SC Magazine

A Simple JavaScript Exploit Bypasses ASLR Protection

Security researchers have discovered a chip flaw that could nullify hacking protections for millions of devices regardless of their operating system or application running on them. The vulnerability resides in the way the memory management unit (MMU), a component of many CPUs, works and leads to bypass the Address Space Layout Randomization (ASLR) protection.

» More information at The Hacker News

Researchers Discover Security Problems Under Car Apps

Researchers from Kaspersky Labs revealed more bad news for the Internet of drivable things-connected cars. This tem af researchers has examined seven Android apps for connected vehicles and have found that they were vulnerable to being maliciously exploited by third parties. In fact, up to six of the applications had unencrypted user credentials and even all of them had developed any way of protection themselves against reverse-engineering or the insertion of malicious code into the apps.

» More information at Ars Technica UK

Further Reading

New MacOS Malware Can Steal Passwords and iPhone Backups

» More information at The Hacker News

Word Macro Malware for Apple Mac OS Discovered in the Wild

» More information at The Hacker News

The ViperRAT group is targeting the Israeli Defense Force

» More information at Security Affairs

A Bug in Zerocoin Helped Steal ZCoins Worth $585,000

» More information at Security Affairs