NTSC Technology Security Roundup

Weekly News Roundup: January 8, 2018

Mike Rogers Leaving U.S. Cyber Command

Reports indicate that “National Security Agency Director Mike Rogers has announced plans to retire this spring and has said he expected a successor to be nominated and approved by the U.S. Senate this month…” (Reuters)

Varied Groups Wanting National Data Breach Notification Legislation

In a letter to the House Energy & Commerce Committee, 22 industry groups that include financial services, technology, retail, and telecom said that they want Congress to consider a national data breach notification law. According to the letter, the groups “support federal legislation to protect personal information and, in the event of a data breach that could result in identity theft or other financial harm, ensure consumers are notified in a timely manner.” The letter includes four elements they would like to see such as “a flexible, scalable standard for data protection” and “clear preemption of the existing patchwork of often conflicting and contradictory state laws.”

Hardware Vulnerabilities Meltdown and Spectre Impact Servers and Devices Worldwide

Two serious hardware vulnerabilities—Meltdown and Spectre—were announced in a paper last Wednesday. Affecting Intel microprocessors, the vulnerabilities impact Apple devices, devices using Windows and older versions of Linux, and even reach across cloud and IoT devices. These vulnerabilities received a lot of media coverage, and we’ve collected some of the best articles here.

Summary of Recent Research Reports

Three recent research reports highlight data about cybersecurity issues affecting public companies, the tangible damage of data breaches, and behavioral biometrics.

  • SecurityScorecard Big 500 Index: A Cybersecurity Analysis of 500 Major Publicly-Traded U.S. Companies: According to the report, “The Big 500 group ranked 12th when compared to 18 other U.S. industries in overall cybersecurity performance” and “Seventy percent of top performers exhibited a lack of due diligence regarding patching cadence.”
  • Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches And The Actions That Organizations Are Taking: As reported in Inc., Cisco’s recent report said that “22% of breached organizations lost customers -- 40% of them lost more than a fifth of their customer base. 29% lost revenue, with 38% of that group losing more than a fifth of their revenue. 23% of breached organizations lost business opportunities, with 42% of them losing more than a fifth of such opportunities.”
  • Gartner Analysts Predict 80 Percent of Smartphones Shipped Will Have On-Device AI Capabilities by 2022: According to Gartner, “Password-based, simple authentication is becoming too complex and less effective, resulting in weak security, poor user experience, and a high cost of ownership. Security technology combined with machine learning, biometrics and user behavior will improve usability and self-service capabilities.”

NIST Seeking Products and Technical Expertise from Private Sector to Mitigate IoT-based DDoS Attacks

According to Federal News Radio, “NIST is looking for partnerships with the private sector to secure Internet of Things devices. The National Institute of Standards and Technology invited companies to provide products and technical expertise to support and demonstrate security platforms for the Mitigating IoT-Based DDoS Building Block. It wants to start having collaborative events later in January.” NIST says that “Components being sought for inclusion in the project include but are not limited to:

  • Network gateways/routers supporting wired and wireless network access
  • Manufacturer Usage Description (MUD) Specification controllers and file servers
  • Dynamic Host Configuration Protocol (DHCP) and update servers
  • Threat signaling servers
  • Personal computing devices
  • Business computing devices.”

Researchers Note “Multiple Vulnerabilities in the Online Services of (GPS) Location Tracking Devices”

Vangelis Stykas and Michael Gruhn recently published research about significant security vulnerabilities related to location tracking devices. According to SecurityWeek, the researchers “found that over 100 [online services designed for managing location tracking devices] have flaws that can be exploited by malicious actors to gain access to device and personal data. The security holes, dubbed Trackmageddon, can expose information such as current location, location history, device model and type, serial number, and phone number.” While some of these services have been patched, many have not.