Stunning infosec tips from Uncle Sam, furries exposed, Chase bank web leak, and more
A busy and bonkers week in security
Roundup Happy weekend, everyone. Here's a roundup of computer security news beyond everything we've already reported this week.
Last week a consortium of biz giants got together to set the bar on computer security because governments weren't getting their act together. Sadly, based on Uncle Sam's actions this week, it's clear such concerns were justified.
Take, for example, the new guidance [PDF] from the US Securities and Exchange Commission on IT security, which was about as insightful as the ingredients list on a breakfast cereal box. The executive summary is: companies should advise investors of risks, and not use law enforcement investigations as an excuse to keep quiet.
OK, let's dial back the cynicism. While the SEC memo is not bad advice, it's straight out of the department of the bleedin' obvious: don't break the law, basically. It also virtually identical to the advisory the SEC released in 2011, and the threat landscape, for want of a better buzzword, has changed considerably since then.
In a similar vein, US Attorney General Jeff Sessions announced the creation of a Justice Department-run Cyber-Digital Task Force. This "force" is actually just a bunch of administrators who can talk about threats and they have been tasked with preparing a report to Sessions in June about online threats.
"The internet has given us amazing new tools that help us work, communicate, and participate in our economy, but these tools can also be exploited by criminals, terrorists, and enemy governments," Sessions said.
"At the Department of Justice, we take these threats seriously. That is why today I am ordering the creation of a Cyber-Digital Task Force to advise me on the most effective ways that this Department can confront these threats and keep the American people safe."
A few things struck us as odd about this. Firstly, the NSA is tasked with defending against such threats, but won’t be having any staff on the "force." Secondly the group will also set up subcommittees to handle specific issues. This sounds like bureaucratic waffle on a massive scale.
Killing the messenger
Where the government does seem to have people of talent it's dumping them. Matthew Masterson, chairman of the US Election Assistance Commission, has been doing some sterling work in working with election officials and security professionals to try and fix the parlous state of voting machine security.
But now he's out of a job and his likely replacement is fellow commission member Christy McCormick, who in the past has expressed skepticism that election hacking is even a serious issue and criticized the Department of Homeland Security for designating election mechanisms as critical infrastructure. The 2018 midterms should be interesting…
One thing the government isn't bad at, is telling everyone how awful the situation has become. A research report [PDF] from the White House's Council of Economic Advisers put the cost to the US of online crime at between $57bn and $107bn and reached this stunning conclusion.
Cyber connectivity is an important driver of productivity, innovation, and growth for the U.S. economy, but it comes at a cost. Companies, individuals, and the government are vulnerable to malicious cyber activity. Effective public and private-sector efforts to combat this malicious activity would contribute to domestic GDP growth. However, the ever-evolving nature and scope of cyber threats suggest that additional and continued efforts are critical, and the cooperation between public and private sectors is key.
That's a little like the mice getting together for a meeting and deciding the best course of action is to put a bell around the bat's neck, but with no clue on how to achieve this miracle.
Still, one shouldn’t be too hard on governments alone. Verizon also released a report on mobile security, looking at the lessons from the last year. Oddly, it didn’t include any mention of Verizon's own snafu when it left the account information for 14 million of its customers online in an open Amazon S3 bucket. Selection bias anyone?
Furries and fixes
We're a broad church here at The Register, so unlike a lot of people online we don’t have a problem with furries – folks known for dressing up as animals, and hanging out online or in real life with likeminded fans of anthropomorphic art. But such netizens are understandably concerned about privacy, and a dodgy software interface left them exposed.
The software, made by Civet Solutions, is used by conference organizers to register and log attendees and is used in many furry conventions, such as Alamo City Furry Invasion, Vancoufur and Pacific Anthropomorphics Weekend. The researcher found that simply entering someone's real name into the system would show their last-used badge name which might be their online alias, thus outing them as a furry. This blunder was eventually patched.
Given the privacy needs of such an out-there community this is a bit of an issue. And, for the record, no Reg journalists have a penchant for slipping into a fur suit.
Unicode code patched
Hirsute hijinks aside it has been a very good week for flaw fixes. Apple released a security update for customers that fixed a Unicode problem that could have made it possible to crash their shiny iDevices.
The issue was triggered when an attacker sent out a message containing a symbol composed of characters used in the Indian language Telugu. In a few cases rebooting didn't help, and the machine tried to rerender the message and crashed again. If you haven't updated already do so now for the fix.
Chasing the flaggin' security
US bank Chase has also been doing some frantic patching after a serious flaw showed up in its online banking system. When some users tried to log in to check their accounts they got account information, just not their own.
One Chase customers recounted finding someone else's bank account details when they logged in, but since the person in question had very little money and a lot of debt they joked that they had decided not to stage a heist. Chase says it has now fixed the issue.
Briefly last night, a limited number of customers saw the wrong information when logging into their account online. We resolved this technical glitch quickly.— Chase Support (@ChaseSupport) February 22, 2018
Sponsored: Becoming a Pragmatic Security Leader