Security News for the Week Ending October 18, 2019
Less Than Half of Mississippi State Agencies Even Have a Cybersecurity Policy
In Mississippi’s first ever state cybersecurity audit, the state auditor reported dismal results. 54 state agencies did not respond to the audit at all. Of those that did respond, 38% did not encrypt sensitive data, 22 agencies had not conducted a third party security risk assessment, and 11 did not even have a cybersecurity policy. Overall, more than half of the respondents (remember, 54 agencies did not respond) were less than 75% compliant with state law. State agency heads know that, unlike you or me, they are not going to get hauled into court for breaking the law, and if the agency gets fined, it isn’t their money. I wonder how typical this is in other states. Source: Govtech
Karma Wins
Dark web website BriansClub (named after former WaPo journalist turned security author, columnist and speaker Brian Krebs, but with no relation to him) was hacked.
BriansClub is in the business of selling stolen credit cards, and apparently they do very well, thank you. In the first 8 months of this year, the site sold about 9 million stolen credit cards, netting the site’s operator $126 million (in 8 months). If we assume an average loss to the card issuer of $500 per card, that represents roughly a $4.5 billion loss.
But now hackers have hacked the hacker and stolen 26 million credit cards from them. Needless to say, BriansClub can’t ask the cops for help.
Remember that this is only ONE site on the dark web, so you get some idea of the scale of online fraud.
Krebs shared this data with the fraud teams in the credit card industry, so hopefully they can shut off these cards and make life a little better for the victims.
Source: Brian Krebs
Hotel [NON] Security
Kevin Mitnick, the Chief Hacking Officer of security training company KnowBe4, posted a video on YouTube about the security – or more accurately the lack of security – of hotel room safes. I always assumed that they had backdoors because people are pretty likely to forget whatever they set the combination to.
The problem is that nobody bothers to change the backdoor (override) code from the factory default of all zeros. See the video on YouTube.
One Of President Trump’s Websites Was Leaking Donor Information and Open to Attack
One of the President’s websites left a debugging tool enabled, which allowed an attacker to hijack the site’s email server and intercept, read or send emails from that domain. Trump’s website is one of hundreds that have left the tool enabled.
The researcher who discovered it worked very hard – much harder than he should have had to – to get the Trump campaign to fix the bug. How long the data on the site was exposed is unknown. Source: Threatpost.
Samsung Issues Alert for Fingerprint Reader Fail
Apparently Samsung is in trouble because if you put a silicone gel screen protector on the front of your S10, anyone’s fingerprint will unlock the phone.
Samsung’s response was that you should only use official Samsung accessories. FAIL!!! Early Samsung-branded screen protectors had a hole cut out over the fingerprint sensor to avoid exactly this problem. Why fix the problem if you can die-cut the screen protector for a whole lot less?
Samsung is working on a fix, but this is another example of convenience over security. Fingerprint and facial scan readers on relatively inexpensive consumer devices are low security. In fact, biometrics should never be used to authenticate you, only to identify you. Source: Ars