The #DataInsecurity Digest | Issue 60

Issue 60 | January 25, 2018

Federal shutdown impact on state election systems’ much-needed repairs; continued fallout from Spectre, Meltdown

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud


Editor’s Note: Preparations for securing election systems were an underreported casualty of the federal government shutdown, delaying much-needed fixes to critical systems in advance of the 2018 mid-term elections. Fallout from the Spectre and Meltdown discoveries continued this week, with some experts predicting both a weaponization of the vulnerabilities in the coming days and that Spectre-related bugs will continue to surface over the next five years. A leaked Pentagon security document, which is still awaiting President Trump’s approval, would change U.S. policy to allow for the use of nuclear weapons to retaliate against severe cyber attacks.

And now, on to the clips!

—————–

Government shutdown slows election infrastructure security efforts. Although the government was only shut down for 60 hours, DHS was forced to “suspend the weekly digital scans it was conducting of states’ election systems to suss out flaws.” In addition, “the Election Assistance Commission canceled two important meetings this week, with the agency’s small staff mostly furloughed, raising the prospect that new voting security guidelines might be delayed. With the 2018 primary season less than two months away, digital security advocates said such moves were troubling… EAC officials are now working to reschedule the axed meetings ‘as quickly as we can.’” However, as a former DHS official told @MorningCybersec, “Any interruption in that process is a setback.” (Source: Politico)

Spectre fallout may continue for years. “We’ll see Spectre-related bugs for the next five years,” commented John Michener, the chief scientist at the security consulting firm Casaba Security. As a side effect of fixing a majority of the vulnerabilities, “millions of Windows PCs and servers around the world, even those that are just a few years old, could get noticeably more sluggish—as much as 20 percent slower in some cases.” (Source: Wired)

Spectre and Meltdown-related attacks are on the horizon. @drpizza comments that “it can’t be long now before real-world attacks use [the vulnerabilities] to locate sensitive data or break out of sandboxes. The race is truly on, and it’s by no means guaranteed that the buggy drivers and microcode will be fixed before malicious hackers start exploiting Meltdown.” (Source: Ars Technica)

Quick hit: Meltdown patches are destabilizing industrial control systems. @jleyden reports that the Meltdown patches are “accompanied by even more irksome stability problems on some systems.” One update, for instance, “caused systems to become unbootable.” (Source: The Register)

Pentagon suggests using nuclear weapons to respond to cyber attacks. Last week, @SangerNYT and @WilliamJBroad reported that “a newly drafted United States nuclear strategy that has been sent to President Trump for approval would permit the use of nuclear weapons to respond to a wide range of devastating but non-nuclear attacks on American infrastructure, including what current and former government officials described as the most crippling kind of cyberattacks.” (Source: New York Times)

Uber shows us just how fine the line between a bug bounty program reward and a ransom payout can be. @nicoleperlroth and @MikeIsaac provided a glimpse of the exchanges between Uber and its hacker by publishing email threads. Uber treated the hacker as a participant in its bug bounty program and “thanked the hacker for helping the company fix the oversight. In two emails, Preacher’s (the hacker’s nickname) motivations appeared to veer closer toward blackmail. In one, he demanded ‘high compensation’ for his findings. After Mr. Fletcher said the company’s maximum bounty was $10,000, Preacher said he and his team would only accept ‘six digits.’” (Source: New York Times)

Morning Consult poll: 67 percent of Americans are concerned about driverless cars’ cybersecurity. The uneasiness over the cybersecurity of driverless cars is also shared by Senator Ed Markey (D-MA). “If we are to imagine a world where massive 18-wheelers carrying hazardous materials and minivans full of children can drive themselves, it shouldn’t be a stretch of the imagination to envision that these vehicles may be targets of cyberattacks and safety vulnerabilities.” (Source: Morning Consult)

Aetna pays $17.1 million to settle data breach suit. @DougOlenick reports that “the deal will resolve the claims made by Aetna customers in 23 states who were notified by the company that their HIV prescription notifications were sent in envelopes with a clear address window, possibly enabling an unauthorised party to view the contents, according to a Tripwire report.” (Source: SC Media)

Events

February 28, 2018 – Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published January 25, 2018