The cyber security and open source security news that made headlines this week: Traffic systems at risk of cyber attack, Cortana and Alexa news, and the PyRoMineIoT cryptojacker.
via IBM SecurityIntelligence: New research reveals that consistent practice of secure development and operations (DevOps) remains a challenge for organizations across industries. Only half of DevOps teams integrate application security testing elements in continuous integration and continuous delivery (CI/CD) workflows, despite widespread awareness of the advantages, according to a recent report [Examining DevSecOps Realities and Opportunities, from Synopsys and 451 Research].
via Synopsys Software Integrity (video): The FIFA World Cup overfloweth—with hackers, forgeries take a bite out of Apple security, and routing us to “Hackerville” (a VPNFilter update).
via SC Magazine: The Microsoft Windows intelligent digital assistant, Cortana, looked pretty dumb this week after revelations that it enabled the execution of arbitrary commands with elevated privileges on a locked machine…. Larry Trowell, associate principal consultant at Synopsys, points out that while a fix for the Cortana vulnerability has been issued, there are still other areas in which these assistants can be used to carry out an attack. “I see no reason why the ‘dolphin’ attacks triggering mobile phone smart assistants to call numbers and launch apps couldn’t be modified to attack a distracted user,” Trowell told SC, adding, “the software is neat, interesting, and fun to use—it also opens up a lot of areas that possibly haven’t been thought through properly.”
via Infosecurity Magazine: The UK’s traffic control and transport systems are the latest piece of critical national infrastructure (CNI) that experts are warning could be sabotaged by nation-state hackers…. Michael Fabian, principal consultant at Synopsys, argued that the precedent for disruption of CNI via cyber-attacks has already been set globally. “What we can take away as a positive is that officials are aware of the potential risks, and we can hope they are actively pursuing remediation programs to improve the security of their operations, keeping the UK’s core infrastructure safe,” he added.
via Intelligent CISO: Michael Fabian, Principal Consultant at Synopsys, said an increase in connectivity comes with an increase in risk. “Any time new pathways to these systems are added, they must be properly secured based on their individual characteristics following a risk-based approach,” he said. “With the increase in risk, the opportunity for directed cyberattacks also increases. Potential attackers range from hobbyists to nation-states, disrupting infrastructure. Now, the actual risk versus the perceived risk is complete speculation and is about as difficult to predict as the next location lightning will strike.”
via Search Security: A new malware variant reads like the greatest hits of cyberthreats: a cryptojacker using an NSA exploit to scan for IoT devices with hardcoded passwords to spread and distribute the miner. And according to experts, there’s blame to be had on all sides…. Larry Trowell, principal consultant with Synopsys Software Integrity Group, said the government shares some of the blame for the NSA exploit. “It’s in every country’s interest to develop systems enabling offensive and defensive strategies to protect individuals and national services,” Trowell wrote via email. “There is no fault in that. If the NSA does have some blame to share in this situation, it is for allowing secrets to be exfiltrated—not in developing them.”
via BetaNews: Amazon has struck a deal with Marriott International that will see the introduction of Echo devices into hotel rooms…. But is this something that hotel visitors are ready for? The recent case in which an Echo user had her private conversation shared with a contact after the device misinterpreted general speech as instructions highlights the potential for privacy issues. It’s something that Andrew van der Stock, senior principal consultant at Synopsys, voices concern about.
via Nikkei xTECH (Japan): Japan Synopsys announced the results of an investigation into the security and risk of open source software on June 19, 2018. It found that open source software is used in 96% of all business applications, and that IoT applications contain an average of 600 vulnerabilities each.