The niner noteworthy stories of 2016 (week 52)

These are the noteworthy stories, in no particular order, that peaked my interest last week.

Ransomware Attack Takes Over Android TV


yes, smart tv’s are just computers and in this case it is running the Android operating system. This story ended happily with the TV being factory reset, the malware removed and the tv back in good functional order (so far as you can call a smart TV ever being in that state at all).
Luckily in this case the family member on hand was quite tech savvy and therefore able to assist in the recovery efforts, but most consumers won’t be that lucky. And yes if a smart TV can be bricked with ransomware it can become part of an IOT botnet too.
source: The Daily Dot (external link)

New variant of KillDisk wiper threatens industrial control networks with ransomware


This is then precisely the reason why office attachment have no place on your industrial networks or anywhere nearby for that matter. As long as industrial systems are controlled by computer systems running the same operating system and software as can be found on an office machine, the same threats can attack your industrial control system and if they get the chance will do so as well.
As most of these computers are not patched frequently, sometimes for very good reasons, other security measures need to be taken to mitigate these risks. If your company needs help with setting up and designing adequate defences for your industrial systems, please contact me.
As for the combination of used cryptographic algorithms, combining an asymmetric algorithm probably with multiple keys within a symmetric algorithm is a pretty neat defence against cyphertext attacks that could undermine the ransomware demand.
source: SC Magazine (external link)

Russian malware detected in US electricity utility – report


The main question here is actually not what the intentions could have been but what the piece of malware was ultimately designed to do. Besides the fact that it was found on a laptop, a portable device that should have been surrounded by extra safeguards if it needed to come in contact with any computer network or system related to the electricity grid in the first place.
The fact that an official states that this should be taken seriously

because the electric grid is a vulnerable and interconnected part of the nation’s critical infrastructure

, is extremely worrying by itself.
source: The Guardian (external link)

Star Wars card firm Topps hit by ‘unforgiveable’ hack


If you are warned, apparently have a record of insecurity (see the statement in the article about their mobile apps) and then you are being hacked? The entire breach is unforgivable and certainly unnecessary.
Then again, if it remains cheaper to get hack as I wrote about in day 8 of the 2016 recaps series, we should not be that surprised this happened in the first place.
As a final remark I respectfully disagree with cyber-security expert Prof Alan Woodward from Surrey University. Creditcards can be blocked and reissued, the real damage of loss of creditcard data is felt by the issuing cart company which in turn will probably sue Topps for their liability and damages.
The fact that names, addresses and e-mail addresses were leaked as well is much more damaging in the long run when identity fraude is concerned. Yes the leakage of creditcard data will also get appropriate attention from the relevant regulatory authorities, but it is and certainly won’t become the biggest issue for the customers of this company.
source: BBC News (external link)

Uber, Apple Maps and location tracking: what’s really going on?


So it’s all Apple’s fault now, according to Uber at least. Well if it turns out to be, then how much is that constant privacy promise by Tim Cook worth in the long run? This story probably will drag on into 2017 a bit longer I suspect. Here is one earlier remark I made on this topic in the niner 12 recaps of 2016 series.
Here are Apple’s instructions for background app updates and tasks on the Apple developer support pages.
source: Naked Security (external link)

Why the largest insurance companies are pouring into Silicon Valley


Is it just me or are their more people out there that see major issues with this kind of involvement of insurance companies in our daily lives and specifically if fitness and health data is concerned? Ultimately insurance firms aren’t their to help you stand up when you have fallen let alone prevent it, they are their to make money and loads of it. So if more data, personal data, about you reduces your risk of falling in the first place they are happy as they don’t have to pay out damages because you did fall.
Will your insurance costs go down because of that? Of course not, as there is still a chance of you falling so they certainly won’t drop the premium for your insurance, whilst in the mean time their risk factor go down and therefore they make more money.
The other way round is possible as well, they simply charge double or more if you don’t grand them access to your fitness and health data or won’t even accept or terminate your contact if they find you are living unhealthy or didn’t tell them about that rare condition you may not have known yourself you carried around.
In other words, we need to be extremely careful with these kind of joint ventures and what types of data, if any, insurance companies are collecting about us, specifically the ones they don’t tell us about.
source: TechCrunch (external link)

FAA Takes Action to Correct Boeing 787 Technical Glitch


Following battery issues back in 2014 which grounded all dreamliners for months and which got it the nickname dragonliner from some industry insiders, now we are facing a rebooting cycle for all machines that can not exceed 22 days. According to a Boeing captain with 20000+ flight hours, this issue has to do with the batteries as well.
Then again this isn’t the only technical issue with the Boeing 787 over recent months. The website Aviation Herald reported at least two incidents where in one case the automation on-board gave of a mayday emergency call after an engine shutdown in flight see Incident: Aeromexico B788 over Atlantic on Sep 22nd 2016, automated declaration of Emergency reporting engine failure (external link.
It is unclear if this incident is related to the bugs in the flight control modules or not, but it is at least an interesting set of circumstances.
source: Points Miles & Martinis (external link)

Are you wearing your boarding pass?


But with all these technologies you may wonder what data is shared with home and is everything really setup with security and privacy by default? Or can I actually unlock the authors’ suitcase remotely or track, steel and then open it by having captured that bluetooth communication first obviously.
Or is all that wearable technology within the aviation industry secured with that same booking code? (see the next story for details).
source: Amadeus Corporate Blog (external link)

Flight booking systems lack basic privacy safeguards, researchers say


The moment you book a flight you indeed start to wonder why the booking code is indeed the only method of authentication used, together with your lastname, to change booking details which in some cases even may include ID card data as well btw.
The fact that the travel industry is using extremely outdated methods of identification, methods that would work perfectly in a paper-only world, is worrying to say the least. The problem is that if this needs to change, the effort needs to be industry wide. Although the booking numbers could remain as the basic identifier, they must be extended with modern day authentication methods for online platforms to make the system safe and privacy friendly.
The fact that these improvements may have happened if EU and Canadian privacy laws were enforced is the final nail in the coffin though and is unfortunately indicative of how companies care about our personal data.
source: Reuters (external link)
And another somewhat more detailed article by the Guardian (external link) and a second one also linking to the CCC talk about this topic by PCMag (external link).
And finally, I think the aviation industry would do wisely to have enough information security expertise available that also understand their industry to help with this issue. As such, I am open for any offer to assist in improving customer privacy and booking system security, so don’t hesitate to contact me directly.