Hope for Hutchins, Navy sinks contractor, there's another Russian hacking scandal, and more

Also, make sure you update your Juniper kit quickly

Roundup This week, when we weren't watching the football and sobbing uncontrollably, we saw security headaches at NPM and Ticketmaster, and a priest in hot water with cybercrime charges.

But there's always more in the security world. Here are a few other bits of security news from recent days.

Russians could be behind 'cyber caliphate'

The US Senate is asking the Justice Department to look into the possibility that an Islamic extremist hacking group was actually the work of the Russian government.

Senators Ron Wyden (D-OR) and Cory Gardner (R-CO) have written a letter [PDF] to Attorney General Jeff Sessions asking for an investigation into whether 'Cyber Caliphate,' a group that targeted military families with a series of attacks in 2015, was just a front for APT28, a Kremlin hacking operation.

"If substantiated, the claims about APT28 posing as the Cyber Caliphate could be the first public evidence that influence operations have specifically targeted American military families," the senators write.

"If left unchecked, such operations would threaten the personal liberty, financial security, mental health, and morale of our military families."

Smart or spying TV?

Speaking of senators, Ed Markey (D-MA) and Richard Blumenthal (D-CT) have written to America's trade watchdog, the FTC, demanding a probe into the privacy implications of smart TVs. They're upset that internet-connected tellies could be used to spy on folks.

"Many Internet-connected smart TVs are equipped with sophisticated technologies that can track the content users are watching and then use that information to tailor and deliver targeted advertisements to consumers," the pair wrote.

"Regrettably, smart TV users may not be aware of the extent to which their televisions are collecting sensitive information about their viewing habits."

Windows fixes for Intel's lazy CPU hole

Buried in the July 2018 Patch Tuesday release, Microsoft mitigated the LazyFP processor flawCVE-2018-3665 – for Windows 10, 8.x, Server 2008 R2, and Server 2012. It was believed modern Windows was immune to the security vulnerability in Intel chips, however, they are not – so get patching by grabbing and installing these updates.

Firebase admins: Wake up

If you use Firebase to store data for your mobile applications, then make sure they are secured – someone's made a tool to scan for and identify vulnerable installations.

Hutchins moves to toss hacking charges

Reverse-engineer ace and accused hacker Marcus Hutchins is trying to have charges, filed against him by the FBI, that he developed malware dropped by a US federal district court in eastern Wisconsin.

In a fresh submission, Hutchins' lawyers allege that investigators did not have the jurisdiction to charge the Brit with criminal acts when he was living in the UK at the time and had no interactions with anyone in the Milwaukee area where the case is being heard.

"None of Mr Hutchins’ acts is alleged to have occurred while he was in the United States or to have been directed toward the United States," the motion argues.

If successful, the motion would have Hutchins' charges tossed, and free the Brit to return home to Britain from America, where he is living while awaiting trial. Hutchins, best known for his work in stopping the WannaCry malware, was charged with allegedly creating and selling a banking malware known as Kronos back in 2014 and 2015.

Navy blue over contractor's theft

A former electrical engineer faces decades in the clink after being convicted of stealing software and building plans from the US Navy.

Jared Sparks, 35, was convicted on six counts of trade secret theft, six counts of uploading trade secrets, and one count of transmission of trade secrets by a federal jury in Hartford, Connecticut.

The convictions stem from allegations that Sparks, working for Navy contractor LBI Inc, copied and uploaded thousands of files related to the company's contracts with the Navy for underwater drones and buoys.

Sparks was found to have copied the docs to his personal Dropbox account with the aim of shifting the data with him to a new job at competing company Charles River Analytics.

"Jared Sparks stole thousands of documents—including proprietary designs and renderings - from his former employer when he left to work for a competitor," Acting Assistant Attorney General John Cronan said of the conviction.

"Yesterday’s verdict sends a clear message that the Department of Justice is committed to protecting American intellectual property and will aggressively prosecute those who steal it."

Experts worry (again) over attacks on power grid (again)

Stop us if you've heard this one before: the world's power grids are dangerously prone to infrastructure attacks on their embedded hardware.

This time, it's researchers with Applied Risk who are sounding the alarm (PDF) after discovering multiple vulnerabilities in hardware made by Schweitzer Engineering Laboratories, a company that develops the security systems power plants use to keep hackers out.

According to researcher Gjoko Krstic, the flaws could allow bad guys to do things like inject commands into servers and shut down key systems.

"An unauthenticated user can craft a malicious project and/or template file that will enable her to read arbitrary files within the context of an affected system allowing disclosure of valuable information via out of band channels," Krstic said.

"It can also cause a denial of service scenario requiring an application restart, by running a malicious FTP server."

Juniper patches up JunOS bugs

Before checking out entirely for the week, admins will want to check if their Juniper Networks gear needs an update.

The vendor has issued a patch to shore up CVE-2018-0030, a denial of service bug present in the Junos OS in MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2) or PTX3K-FPC3 and PTX1K 15.1, 15.1F, 16.1, 16.1X65, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4.

Juniper says the cards can be crashed by an attacker who sends specially-crafted MPLS packets to the targeted device. As there is no workaround for the issue other than installing a patch, Juniper is recommending customers check for and install the fix as soon as possible. ®




Biting the hand that feeds IT © 1998–2018