Here are a few articles I found interesting this week:

Markets Plunge Briefly on Fake AP Terror Tweet

“A news agency tweet, that turned out to be fake about explosions at the White House injuring President Obama, sent markets on a round trip roller coaster road.” This is one of two situations where online folly and mischief can have some serious real world repercussions that really concern me. Affecting the network by:

  • Stealing, cracking, guessing, or phishing a password for a media outlet
  • Inserting a fake news story into a news website that is vulnerable to a cross-site scripting or SQL injection attack can have disastrous impact!

This is why information security and application security can really make a difference in the world and is not just a bunch of “security zealots” crowing from the roof (well there is some of that too). What is the other situation, you ask? SCADA attacks that can translate that same online folly and mischief into real world motions and movements- say in a factory- that could harm, maim, or kill people. It may be hard to look ahead and see how a silly Twitter account compromise can have such a huge impact- but hopefully this incident will open some eyes before it escalates to a point where the market can’t bounce back…

Spyware used by governments poses as Firefox, and Mozilla is angry

“Mozilla has sent a cease-and-desist letter to a company that sells spyware allegedly disguised as the Firefox browser to governments. The action follows a report by Citizen Lab, which identifies 36 countries (including the US) hosting command and control servers for FinFisher, a type of surveillance software. Also known as FinSpy, the software is sold by UK-based Gamma International to governments, which use it in criminal investigations and allegedly for spying on dissidents.” This story is interesting in that, again, the topic of nation states performing information security campaigns has come up again. Unfortunately, a popular and trusted open source project is being exploited for the trust users have placed in the Firefox name. The twist here is that the targets are not other nation states, but internal citizens under investigation and “dissidents” which can include a broad range of groups to which the label is applied. Mozilla has a right to get angry and seek action, but I fear that for each of these publically exposed shenanigans lies so many undiscovered similar efforts.

Google Glass Has Already Been Hacked By Jailbreakers

“Just days after its release to developers, Google’s Glass headset has already been hacked to give users full control of its Android operating system, according to Jay Freeman, a well-known Android and iOS developer who tested a known exploit for Android on Glass yesterday and announced his success on Twitter Friday afternoon.” I have followed Mr. Freeman’s work for a long time, and I think this case is no less interesting than his other exploits. It remains to be seen what can be done with such a device- including both sides of the jailbreaking fence where the consumer gains control of his purchased device (yay!), and attackers, including clandestine government agencies, can get their grubby mitts on other peoples’ devices (boo!). See the article above about subverting trusted software for surreptitious monitoring- and this device sees and hears all!

Hackers steal more than $1 million from Leavenworth hospital

The Chelan County treasurer says hackers stole more than $1 million from an electronic bank account held by a Leavenworth hospital. Treasurer David Griffiths’ office noticed Monday that three unauthorized transaction files had been logged the previous Friday, April 19.” Here, we see more evidence of the trend for online folly to turn towards financial gain. This has been the case for several years and it shows no signs of slowing. I think it’s safe to say that the majority of attackers are looking to fatten their wallets quickly, cheaply, and with as little risk to themselves as possible… rather than take down governments or even society as we know it. Hopefully that trend keeps them busy long enough for governments and infrastructure to sort out their problems before the financial targets dry up and- once again- we are dealing with bored attackers exploring for new outlets...

These are the top 5 BYOD issues facing the healthcare industry

“The rate at which doctors are choosing to bring mobile devices to work continues to rise at an alarming rate. In fact, a recent study from Jackson & Coker found that four out of five physicians regularly use their mobile devices for medical purposes.” The financial industry seems to be taking a cautious and methodical approach to BYOD. It’s one of the only things about the financial industry that one can applaud these days. The risk can be significant, and jumping in without proper preparation can be disastrous. The healthcare industry as a whole needs to get on this trend and help make users- in this case, doctors and other health professionals- understand the risks and proper handling of data and devices before a large data breach hits these headlines.