With Labor Day behind us, most—if not all—of the country has now gone back to school and everyone is getting back to their non-summer routine. For some, September also brings a slight chill in the temperature as Autumn rolls in. Here in Houston, it will still be unbearably hot until…sometime around Christmas.
There are three main stories that caught my eye for this week’s roundup—and they each address an issue that is trending or important for cybersecurity in a broader sense. Cryptojacking, iPhone security, and the privacy of personal data are all serious concerns.
So, here we go:
Capital One Hacker Accused of Cryptojacking
Paige Thompson was arrested in late July for allegedly hacking Capital One and stealing information on approximately 100 million individuals. As the investigation has continued, more than 30 other victims have been discovered, reportedly including Vodafone, Ford, Michigan State University and more. This week it was revealed that she was also apparently using the hacked networks to mine the internet for cryptocurrency—also known as cryptojacking.
At face value, cryptojacking may seem like a somewhat benign crime. The attacker is using compute cycles on the compromised machine(s) to do the cryptomining. If it was a home computer, that amounts to using idle computer time and may have little or no impact on the functionality of the PC—it may even go undetected. Cryptojacking in the cloud is a different story, though, because companies are typically billed based on usage. That means the affected companies end up paying inflated bills for the cloud compute time used for the cryptomining.
That isn’t the only concern, though. “I hope this dispels the myth in some quarters that exploiting servers for cryptomining is somehow less severe than other intrusions,” warned Jonny Milliken, Threat Research Manager for Alert Logic’s Active Intelligence team. “In this instance the attacker gained access and was able to mine cryptocurrency as well carry out other activity, like data exfiltration. Once someone has control over a system sufficient to mine currency, they don’t have to stop there.”
Malicious Websites Hacking iPhones
Apple has enjoyed the perception of better security for its platforms and devices for years. The Mac was (or is) considered by many to be inherently more secure than a Windows PC, and iOS devices like the iPhone are perceived to be more secure than Android devices. Because of Apple’s tight control over its ecosystem—often referred to as a “walled garden”—there is an element of truth to the myth of better security. However, that in no way means that Apple software is invulnerable—which the world found out this week thanks to reports from Google’s Project Zero team.
Google revealed that its researchers discovered a number of hacked websites pushing malware out to iPhones. The activity appears to have been going on for a couple of years and exploited a zero day flaw in iOS. The revelation that there are iOS zero days being exploited in the wild should be a wake up call to Apple and users of Apple devices (myself included) that simply using Apple devices does not make you safe--you still have to remain aware and vigilant.
Pushback against California Privacy Law
The United States does not have a national law protecting privacy and personal data equivalent to the European Union’s General Data Protection Regulation (GDPR). In the absence of federal guidance, many states are pursuing their own privacy regulations—and California led the way. In June of 2018, Governor Jerry Brown signed the California Consumer Privacy Act of 2018 into law. Now, there is apparently a concerted effort—from Silicon Valley heavyweights—against the legislation.
“Pervasive technology inevitably hits up against the buffer of legislative bodies. In this case, much of the monetization of user data and social media has exploded without this oversight,” explained Milliken. “It’s quite expected that these giants of the tech industry are attempting to protect their revenue streams in the face of privacy concerns.”
The irony is that these giants created the problem themselves—similar to the way broadband providers fought against Net Neutrality after creating the need for legislative intervention in the first place. There have been a slew of high-profile examples where data has been lost or misappropriated, and that has required that legislators act. The tech giants should reflect that they might not be in this fight, had they better protected the customer data they hold in the first place.