Security news for the Week Ending January 11, 2019
Australian Emergency Notification System Hacked
The Australian Emergency Warning Network, run by a private company, was hacked. The hacker sent out a message that said “EWN has been hacked. Your personal data stored with us is not safe. We are trying to fix the security issues. Please email support at .. if you want to unsubscribe.”
This service seems similar to the CodeRED system that many Colorado cities subscribe to. In Colorado it is a voluntary sign up process. It seems like that is the case with this one too.
The alerts went out by email, text and voice. The company shut down the system during the attack to limit the number of messages that went out; still tens of thousands did go out.
This happened right after the Australian government passed a law requiring companies to create backdoors to their software and make data available to the government on request. Are these related? Unknown. Details here.
Federal Shutdown is Impacting Cyber Defenders
As a follow up to this week’s opinion piece on the Federal shutdown impacting cybersecurity, the Department of Homeland Security cancelled its 2019 Cybersecurity and Innovation Showcase due to the shutdown. That was supposed to be their largest cybersecurity event of the year. They said the hope to reschedule it after the government reopens.
The Department of Commerce has also cancelled events and powered down web servers that have cybersecurity standards on them.
DHS’s new cyber security agency, the Cybersecurity and Infrastructure Security Agency (CISA)has furloughed 45 percent of its workforce. CISA is still manning its “Watch floor” and has some unpaid people who will respond to a major attack on critical infrastructure.
A former attorney at the FTC pointed out the obvious – that “the government shutdown is anxiety inducting, and drives great employees away from government service.” If it wasn’t bad enough that people who do cybersecurity work get paid less than those doing the same work in the private sector, now they have to worry about getting paid too. Details here.
Comcast Debuts Xfinity xFI Advanced Security
Comcast announced a new service using the buzzword of the week, AI, saying that their AI powered service is designed to monitor, block and inform customers about online threats while providing protection for all connected devices in the home. It appears to run inside the Comcast router. A solution like that is a smart way to do it since you do not have to install anything on a device, but it is limited in what it can do since most data is encrypted.
Cost is $5.99 a month, but you have to have the xFi Gateway, which rents for $11 to $13 a month, depending on the market. Details here.
Coinbase Suspends Ethereum Classic
In the ongoing saga of cryptocurrency attacks, this one creates a new low.
One thing people have always said is that since cryptocurrency uses distributed ledgers, it is immune from people changing history and reusing coins.
W.R.O.N.G.!!!
Multiple sources said that they saw more than 100 ledger blocks “reorganized” (i.e. changed after the fact) – something that should never happen.
Coinbase suspended trading on that particular cryptocurrency. It is only one of over 2,500 different currencies.
Coinbase said that they saw about 88,000 Ethereum coins being double spent, worth about $460,000, but I saw other reports that said the attack is ongoing and the numbers were much larger. Source: Coindesk.
Weather Channel (App) Caught Selling User Data Without Permission
The Weather Channel collected user location data under the guise of telling you what the weather is where you are, but in fact, was selling that location data. The City of Los Angeles is suing them over the misrepresentation.
The NY Times article said that they also sold the data for targeted marketing and to hedge funds for gathering consumer preference information. The Weather Channel is owned by IBM.
Amazon’s Ring Video Camera Allow Employees in Ukraine Unrestricted Access to All Videos
Let me start by saying that an Amazon spokesperson says that this is not the case, but the Intercept says that multiple former employees say that Ring has given R&D employees in Ukraine unrestricted access to all videos, including those from inside your home to employees, executives and engineers. The videos are not encrypted because, they say, that would make the company less valuable.
A Ring spokesperson refused to answer questions about their data security practices but offered a written statement that says that they have strict policies in place for all employees.
After the article was published, Ring tried to do some damage control by still not answering questions, but issuing another email saying “Ring employees never have and never did provide employees with access to livestreams of their Ring devices,” a claim contradicted by multiple sources.
I have a Ring device and was considering buying more. Not anymore. Looking for a competitor.
One more time, caveat emptor. Source: The Intercept.