Welcome to our new blog series, covering the week’s trending topics in the world of information security. In this quick news roundup, we’ll let you know of the latest research, reports and discussions that the industry has been talking about recently.
Here’s what you don’t want to miss from the week of July 24, 2015:
- Adultery website AshleyMadison.com made headlines after a hacking group gained access to the company’s user databases and threatened to expose the personal information of all 37 million members unless the website was taken down. The stolen data included everything from user profiles to financial records to salary information for employees of Avid Life Media (ALM), AshleyMadison’s parent company. “For a website that prides itself on secrecy and anonymity, a breach like this can be catastrophic,” said critics. Meanwhile, the hackers have already leaked snippets of the sensitive information online.
- Wired Magazine published an eye-opening story on how two security researchers were able to remotely hack a speeding 2014 Jeep Cherokee driven by a news reporter. The white-hat hackers successfully took control of the car’s radio, locks and air conditioning, and even managed to shut off the engine, disable its brakes and drive the car off the road. Their research revealed that the vulnerability in the car’s U-Connect system, which relies on the Sprint network, is also present in Chrysler 200s, Dodge Rams and several other vehicles. Fiat Chrysler has announced it is recalling approximately 1.4 million vehicles for emergency security patches.
- Authorities arrested several suspects in Florida and Israel believed to have been involved in the hack of JP Morgan Chase last summer. Though the four arrests were not publicly tied to the breach, an official said the suspects, who were rounded up over an alleged pump-and-dump scheme and an illegal bitcoin operation, initially surfaced in the government’s investigation of the bank’s intrusion.
- Microsoft issued an out-of-band patch for a critical vulnerability found in all supported versions of Windows. The security bug could allow an attacker to execute arbitrary code by leveraging the way the Windows Adobe Type Manager Library handles fonts that use Microsoft’s OpenType format. Ars Technica reported that attackers can exploit it by luring targets to booby-trapped websites or by tricking a target into opening a malicious file.
- Controversy over the Milan-based tech company Hacking Team is far from over after a security researcher claimed his code was wrongfully used to build monitoring software for Android, which was reportedly sold to governments and law enforcement agencies. Collin Mulliner was only made aware of this after the company was hit with a cyberattack, leading to the disclosure of 400GB of confidential corporate data.
- The FTC is taking action against LifeLock, an identity theft protection company, for allegedly violating a 2010 settlement agreement. The New York Times reported the FTC stated that from 2012 to 2014 LifeLock failed to alert customers as soon as their identities were used by thieves and also failed to protect data with the same high-level safeguards used by financial institutions, both of which are claims the company has made to its customers. LifeLock’s stock has since plummeted, closing 49 percent down at $8.15.
- Canada is beefing up its cyber security measures with a CAN$142 million investment aimed at helping private companies fight off attacks. The additional funding brings the campaign total to CAN$237 million over the next five years, which would also help fund Canada’s Cyber Incident Response Center, among other initiatives. The announcement comes after several Canadian government websites were taken down in a cyber attack last month.
- A security researcher published a zero-day vulnerability found in the latest versions of OS X Yosemite, including the beta version of 10.10.5. Stefan Esser explained that this privilege-escalation flaw is connected to a new environment variable that has been added to the dynamic linker dyld. Esser said he warned Apple of the bug several months ago, but that Apple “irresponsibly” issued a fix only for El Capitan’s beta version.
- Department of Homeland Security Secretary Jeh Johnson came clean and admitted that he and 28 senior staffers have been using private web-based email, such as GMail, on work computers for the past year. The department had banned private e-mail on DHS computers since April 2014 after the OPM breach. Johnson responded by saying he and other officials had received waivers that allowed them to continue accessing personal webmail accounts. Nonetheless, critics question why the secretary and the most senior people should be exempt from such a policy.