CyberSecurity Pulse 2017-03-6

“Big goals get big results. No goals get no results or somebody else’s results.”
Mark Victor Hansen

Analyst Insight

Turning Towards Cybersecurity in United States Elections

Six weeks after the U.S. Department of Homeland Security underscored the importance of election computers and physical systems by designating them "critical infrastructure", a group representing the nation’s secretaries of state voted to oppose the federal designation. At its winter meeting, the National Association of Secretaries of State (NASS) adopted a resolution opposing the "critical infrastructure" designation by the US Department of Homeland Security. "We have members that feel that it is federal encroachment on state authority over elections", said Kay Stimson, spokeswoman for the association.

The federal government, through the Help America Vote Act (HAVA) and the Election Assistance Commission, has supported the updating of state voting systems, but each state has taken its own path to modernize and upgrade its own election processes. NASS has stressed that the current system of decentralized elections actually brings with it significant security benefits. The group argues that decentralization makes the voting process difficult to disrupt. In addition, election systems are, for the most part, disconnected from the Internet, removing an important attack vector.

The group stressed that each state should approach security in its own way. "The US Department of Homeland Security has no authority to interfere with elections, even in the name of national security", the group stated in its resolution.

» More information at NASS

Top Stories

SHA-1 Collision Can Break SVN Code Repositories

A recently announced SHA-1 collision attack has the potential to break code repositories that use the Subversion (SVN) revision control system. The first victim was the repository for the WebKit browser engine, which was corrupted after someone committed two different PDF files with the same SHA-1 hash to it. The incident happened hours after researchers from Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands announced the first practical collision attack against the SHA-1 hash function on Thursday. The Subversion developers have released a script that SVN administrators can use to prevent SHA-1 colliding files from being committed to their repositories. Meanwhile, several experts are still working on a more permanent fix for this issue.

» More information at Google's blog
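To illustrate why two files with an identical hash corrupt a repository that deduplicates content by hash alone, here is an added example (not the Subversion project's code or the script mentioned above): a toy content store keyed on a digest, beside a hardened variant that compares the full bytes on a key hit. The colliding pair is constructed with a deliberately truncated SHA-1 so the collision can be found in milliseconds; the real attack produced two PDFs with identical full SHA-1 digests.

```python
import hashlib

def sha1_hex(data: bytes) -> str:
    """Full SHA-1 digest as hex (the hash SVN uses for rep-sharing)."""
    return hashlib.sha1(data).hexdigest()

def weak_digest(data: bytes) -> str:
    """Constructed stand-in for a broken hash: SHA-1 truncated to 16 bits,
    so a collision is cheap to find for the demonstration."""
    return hashlib.sha1(data).hexdigest()[:4]

def find_collision(digest, base: bytes = b"file-A"):
    """Brute-force a second, different input with the same (weak) digest."""
    target = digest(base)
    i = 0
    while True:
        candidate = b"file-B-%d" % i
        if candidate != base and digest(candidate) == target:
            return base, candidate
        i += 1

class HashKeyedStore:
    """Dedup keyed on the digest alone: a second blob with the same key is
    silently dropped, so later reads return the first blob's bytes."""
    def __init__(self, digest=sha1_hex):
        self.digest, self.blobs = digest, {}
    def put(self, data: bytes) -> str:
        key = self.digest(data)
        self.blobs.setdefault(key, data)
        return key
    def get(self, key: str) -> bytes:
        return self.blobs[key]

class VerifiedStore(HashKeyedStore):
    """Hardened: on a key hit, compare full content; a mismatch is a collision
    and the commit is refused instead of corrupting the store."""
    def put(self, data: bytes) -> str:
        key = self.digest(data)
        existing = self.blobs.get(key)
        if existing is not None and existing != data:
            raise ValueError("hash collision on %s: refusing commit" % key)
        self.blobs.setdefault(key, data)
        return key

def demo():
    """Returns (naive_store_corrupted, hardened_store_rejected)."""
    a, b = find_collision(weak_digest)
    naive = HashKeyedStore(weak_digest)
    naive.put(a)
    corrupted = naive.get(naive.put(b)) != b   # checkout of B yields A
    hardened = VerifiedStore(weak_digest)
    hardened.put(a)
    try:
        hardened.put(b)
        rejected = False
    except ValueError:
        rejected = True
    return corrupted, rejected
```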

Serious Cloudflare Bug Exposed Customer Data

Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers that a recently fixed software bug exposed a range of sensitive information that could have included passwords, cookies and tokens used to authenticate users. A combination of factors made the bug particularly severe. On the one hand, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was between February 13 and February 18. On the other hand, some of the highly sensitive data that was leaked was cached by Google and other search engines. Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand the underlying cause, to understand the effect of such a significant memory leakage, and to work with Google and other search engines to remove any cached HTTP responses.

» More information at Cloudflare

Rest of the Week's News

How A Simple Command Typo Took Down Amazon S3 and Big Chunk of the Internet

The major internet outage across the United States earlier this week was not due to any cyberattack; rather, it was the result of a simple human mistake. On Thursday, Amazon admitted that an incorrectly typed command during routine debugging of the company's billing system caused the 5-hour-long outage of some Amazon Web Services (AWS) servers on Tuesday. The issue caused tens of thousands of websites and services to become completely unavailable.

» More information at The Hacker News

Search Engines Demote Pirate Sites in UK Web Searches

Google and Microsoft's Bing have signed up to a voluntary code of practice and will ensure offending websites are demoted in their search results. The entertainment industry reached the agreement with the tech giants after talks brokered by the government. The initiative will run in parallel with existing anti-piracy measures. The code is expected to be in operation by the summer.

» More information at BBC

Internet-Connected Teddy Bear Leaks Millions of Voice Messages and Passwords

In the latest security failing of internet-connected smart toys, more than two million voice recordings of children and their parents have been exposed, along with email addresses and passwords for up to 820,000 user accounts. Moreover, in early January, when cybercriminals were actively scanning the Internet for exposed or badly configured MongoDB databases in order to delete their data and hold it for ransom, CloudPets' database was overwritten twice.

» More information at CNET

Further Reading

Researchers Find Severe Flaw in WordPress Plugin With 1 Million Installs

» More information at Ars Technica UK

Trump’s VP Used an AOL E-mail Account for State Business and It Got Hacked

» More information at Ars Technica UK

Researchers Spotted a Backdoor in Chinese IoT Devices from the Firm DblTek

» More information at Security Affairs