Security News for the Week Ending August 13, 2021
Android Trojan Hits 140 Countries, 10,000 Victims Via Social Media Hijack
Security company Zimperium says they have found a new trojan they call Flytrap that has been around since March and compromises users’ phones who side load apps from third party app stores. Once the malicious app is on the user’s phone, it uses that user’s social media credibility to infect other users. They say the infected apps are still available for download on third party app stores. Credit: ZDNet
NY Police Department Bought Surveillance Gear Out of a Secret Slush Fund
While the police might not like my term for it, the fund is secret and not subject to oversight by anyone. Since 2007, the city has spent over $150 million this way for mobile x-ray vans, Stingrays and other stuff. The documents that were released were heavily redacted although transparency groups are still trying to get more information. Last year the city passed a law after heavy pressure outlawing the practice, but there are still a lot of gaps in the available information. Credit: Wired
U of Kentucky Had a Bad Day
The University of Kentucky has an active security program. As part of that program they conduct periodic penetration tests. This is a good thing. What made it a bad day is that the pentesters discovered that they weren’t the first people to hack the University. In fact, in January 2021, hackers broke in and stole the entire database of over 350,000 users. How/why did they get in? Two clues. First the university says that the platform was developed in the early 2000’s – long before we were worrying much about hackers. Second, they said they are moving the servers, after the breach, to its centralized server system. This likely means that this system was a second class citizen and protected accordingly. Credit: The Record
Amazon Stepping Up Employee Surveillance Due to Fraud
Data theft, insider threats and imposters accessing customer data at Amazon has gotten so bad that Amazon is considering using keystroke monitoring software to help identify who the good guys are. Credit: Threatpost
Hospitals In Way Over Their Heads on IoT
Phillips and CyberMDX released a new report on the state of IoT in hospitals. They split the survey between hospitals with more than 1,000 beds and those with less. A third of the respondents had less than 10,000 devices, almost a third had less than 25,000 devices and another 20% worked for hospitals with less than 50,000 devices. While most of the hospitals had an idea of the number of the devices on their network, 15% of the mid sized and 13% of the large hospitals did not even know how many devices were on their network. Almost half of the respondents said their staffing for IoT and medical device security was inadequate. The rest just don’t know that it is inadequate. The rest of the article is even more depressing. Credit: ZDNet