Well, this was a bit of a mixed bag in the world of Cyber Security and Data Protection…
Top of my list of newsworthy items which need a mention was the announcement mid-week that the UK’s ICO had fined Facebook over the Cambridge Analytica scandal the sum of £500,000. A pittance in light of the quantity of data which had been misappropriated and misused. Notwithstanding the ICO had their hand’s tied as the Cambridge Analytica fiasco occurred prior to the GDPR enforcement date and the £500,00 was the maximum the ICO’s could fine Facebook under the old Data Protection Act 1998. I’m sure that Facebook executives sighed a huge sigh of relief as the fine represents the income the social media giant generates in 18-minutes so no big loss for them this time around… Though I do question how much reputational damage has been done to Facebook because of this scandal. I for one took myself off Facebook for the month of September and found that while on the one hand my personal life was enhanced by not being on Facebook. However, in our modern world and as Facebook has in recent years evolved into a hybrid platform which connects consumers to product and service providers, I found myself pulled back into the vortex that is Facebook, by client request and in some cases demand.
Another interesting bit of news which caught my eye was Google make two-years of security updates mandatory for android device makes… As someone who uses an android I was in some ways shocked especially as I am so pedantic with making sure that everything on my phone is updated and backed up regularly, it came as a bit of a surprise to find that even though Google roll out their Android updates in a regular and timely manner the manufacturers of Android devices do not.
To deal with this issue, Google at its I/O Developer Conference May 2018 revealed the company’s plan to update its OEM agreements that would require Android device manufacturers to roll out at least security updates regularly. According to the leaked (but unverified) contract, Android OEMs will now be required to regularly roll out security updates for popular devices—launched after January 31st, 2018 and activated by more than 100,000 users—for at least two years.
The Android device makers are mandated to release “at least four security updates” in the first year following a smartphone’s launch, but for the second year, the number of updates is unspecified. Besides this, the contract also stipulates that the manufacturers must not delay patch updates for security vulnerabilities for more than 90 days. In other words, the minimum requirement of the contract is a security patch update every quarter. All in all this is good news for Android users… This revelation might just be enough to get me to reconsider my Apple Options…
Cybersecurity firm FireEye claims to have discovered evidence that proves the involvement of a Russian-owned research institute in the development of the TRITON malware that caused some industrial systems to unexpectedly shut down last year, including a petrochemical plant in Saudi Arabia.
TRITON, also known as Trisis, is a piece of ICS malware designed to target the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric which are often used in oil and gas facilities.
Triconex Safety Instrumented System is an autonomous control system that independently monitors the performance of critical systems and takes immediate actions automatically if a dangerous state is detected. What’s concerning is that the hackers behind Triton remained an active threat to critical infrastructure across the globe, as the malware has the ability to cause severe, life-threatening damages to an organization or shut down its operations.
A security researcher with Twitter alias SandboxEscaper—who two months ago publicly dropped a zero-day exploit for Microsoft Windows Task Scheduler—has earlier this week released another proof-of-concept exploit for a new Windows zero-day vulnerability.
SandboxEscaper posted a link to a Github page hosting a proof-of-concept (PoC) exploit for the vulnerability that appears to be a privilege escalation flaw residing in Microsoft Data Sharing (dssvc.dll). The Data Sharing Service is a local service that runs as LocalSystem account with extensive privileges and provides data brokering between applications.
The flaw could allow a low-privileged attacker to elevate their privileges on a target system. Since the Microsoft Data Sharing service was introduced in Windows 10 and recent versions of Windows server editions, the vulnerability does not affect older versions of Windows operating systems including 7 or 8.1. The PoC exploit has successfully been tested against “fully-patched Windows 10 system” with the latest October 2018 security updates, Server 2016 and Server 2019. It is seriously recommended that you DO NOT run the PoC, as it could crash your operating system.
No doubt we can expect future updates from Windows to address the vulnerability – so keep an eye out… Windows usually release updates on a Tuesday!
And finally… for this week…
A security researcher has discovered several critical vulnerabilities in one of the most popular embedded real-time operating systems—called FreeRTOS—and its other variants, exposing a wide range of IoT devices and critical infrastructure systems to hackers.
FreeRTOS is a leading open source real-time operating system (RTOS) for embedded systems that has been ported to over 40 micro-controllers, which are being used in IoT, aerospace, medical, automotive industries, and more.
RTOS has specifically been designed to carefully run applications with very precise timing and a high degree of reliability, every time. A pacemaker is an excellent example of the real-time embedded system that contracts heart muscle at the right time, a process that can’t afford delays, to keep a person alive.
Since late last year, FreeRTOS project is being managed by Amazon, who created Amazon FreeRTOS IoT operating system for micro-controllers by upgrading FreeRTOS kernel and some of its components. Amazon enhanced FreeRTOS functionalities by adding modules for secure connectivity, over the air updates, code signing, AWS cloud support, and more.
Besides Amazon, WITTENSTEIN High Integrity Systems (WHIS) also maintains two variants of FreeRTOS—a commercial version of FreeRTOS called WHIS OpenRTOS, and a safety-oriented RTOS called SafeRTOS, for use in safety-critical devices. Ori Karliner, a security researcher at Zimperium Security Labs (zLabs), discovered a total of 13 vulnerabilities. The vulnerabilities could allow attackers to crash the target device, leak information from its memory, and the most worrisome, remotely execute malicious code on it, thus taking complete control over the target device
Thankfully these vulnerabilities were reported to both Amazon, Wittenstein and security patches were rolled out within days.
Till I round up the headlines and stories which grab my attention in the coming week…
Keep your systems backed up and keep an eye out for the next round of Window’s updates.