This month’s cybersecurity round-up features the news that a freshly-discovered vulnerability affecting major CPU manufacturers could leave millions of computers at risk and how ‘smart’ toy makers have been urged to get security-friendly.
Security researchers discover critical exploit in computer processors
Security researchers have discovered a critical exploit in processors from Intel, ARM and AMD that could allow hackers to harvest sensitive information from users’ devices, including passwords, emails and photos.
Dubbed Meltdown, the vulnerability makes it possible for hackers to access data stored in the core of a computer’s operating system. The exploit is particularly hazardous because it affects computers at the kernel level, which is where the critical controls between the device’s hardware and software layers take place.
What’s more, it’s been suggested the vulnerability could affect all manner of devices containing CPUs from Intel, ARM and AMD manufactured in the past 10 years.
Intel has now started rolling out software and firmware updates to mitigate the exploits. In a statement, the company said it was “working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively.”
NCSC urges ‘smart’ toy makers to get security-friendly
The National Cyber Security Centre (NCSC) has urged manufacturers of internet-connected toys to ramp up their security efforts, after a report found they could be used by strangers to talk to children.
The report, published by the Consumers’ Association, identified security flaws in several popular toys containing Bluetooth or Wi-Fi that left them at risk of being hacked. Specifically, the devices were found to use unsecured wireless connections that could be hijacked with little effort, allowing hackers to communicate with children.
The NCSC welcomed the report and urged makers of internet-connected toys to ensure their products were secure by design.
A spokesperson said: “Companies must take this responsibility seriously and toy manufacturers need to catch up with the security processes that are embedded within the wider IT industry.
“Parents should be in no doubt that products their children use are safe. The Government’s Secure by Default Programme is helping to spread good practices and initiatives for companies to adopt. People who are worried about issues relating to a specific product should contact the manufacturers.”
Healthcare organisations not adopting DMARC to combat phishing
Research from cybersecurity firm Agari has suggested that up to 99% of NHS e-mail domains don’t provide adequate protection against phishing attacks.
The report, called ‘UK Healthcare: DMARC Adoption Report – Email Security in Critical Condition’, found that the majority of healthcare providers in the UK have not adopted the Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication standard.
DMARC is an email validation system designed to detect and prevent fraudulent emails such as spamming and phishing attacks. The system allows email senders and receivers to share information about emails to make it easier for organisations to block spoof emails.
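To make the mechanism concrete, here is an added example (not from the report or from Agari) of the receiver-side check a DMARC-aware mail server performs: it looks up the sending domain’s policy record, tests whether a passing SPF or DKIM result is aligned with the visible From domain, and applies the published policy. The DNS records and domain names are constructed; a domain with no record, as the report describes for most NHS domains, leaves the receiver with nothing to enforce.

```python
# Constructed DMARC TXT records, as they would be published at _dmarc.<domain>.
# trust.example deliberately has no record: the "no DMARC policy" case.
CONSTRUCTED_DNS = {
    "_dmarc.hospital.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital.example; adkim=s; aspf=r",
    "_dmarc.clinic.example": "v=DMARC1; p=none; rua=mailto:reports@clinic.example",
}


def parse_dmarc(record):
    """Parse 'tag=value;' pairs into a dict; alignment modes default to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organisational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed mode accepts the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=CONSTRUCTED_DNS):
    """Return the receiver's verdict: 'pass', 'none', 'quarantine', 'reject' or 'no-policy'."""
    record = dns.get("_dmarc." + from_domain.lower())
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "no-policy"  # nothing published, so a spoofed From domain is not blocked
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"] if policy["p"] in ("none", "quarantine", "reject") else "none"
```

The same spoofed message is rejected for hospital.example, merely reported for clinic.example (p=none) and delivered unchallenged for a domain with no record, which is the gap the report highlights.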
According to Agari, 95% of key UK healthcare organisations have no DMARC policy in place, despite the majority of phishing emails carrying fraudulent healthcare domains.
The report found that the volume of fraudulent or unauthenticated emails carrying spoof domains from healthcare providers was almost three times that of the next most-spoofed sector, which was government.
It also suggested that more than half of the emails a patient received were fraudulent. The research, conducted in November 2017, looked at the DMARC policy of 40 UK healthcare organisations, including hospital groups and healthcare insurers, and 5,000 known NHS domains.
Ransomware, non-malware attacks dominate 2017 cyber-threats
Ransomware is rapidly becoming the attack method of choice for cyber-criminals, with a report from Carbon Black revealing that more than half of cyber-attacks in 2017 were non-malware.
Research from the security software company found that technology companies, government, non-profit organisations and legal firms were the most common targets of non-malware attacks, such as ransomware. In total, such attacks made up 52% of all cyber-attacks last year.
Malware-based attacks accounted for the remaining 48%. According to Carbon Black’s report, financial organisations, retailers and healthcare providers were the sectors most commonly targeted by malware-based attacks in 2017.
Crackdown on Kaspersky continues
Lithuania has become the latest nation to shun security products from Russian antivirus provider Kaspersky Lab, over fears it could pose a threat to national security.
The Lithuanian government has banned Kaspersky software from being used on computers used to manage critical infrastructure such as energy, finance and transport. The crackdown comes after the NCSC warned central government organisations in the UK dealing with classified information to stop using security products from Russian vendors.
The US has also banned Kaspersky’s products from its government-run networks, over fears that it could provide an attack vector for a nation-state attack from Russia.
In a statement, the company said it “naturally disagreed” with the decision and claimed that businesses and consumers using its products “have nothing to be concerned about”.
It added: “Unfortunately, the company appears to be caught up in a geopolitical fight, and this has resulted in allegations for which no credible evidence has been publicly presented by anyone or any organisation. Kaspersky Lab would like to reiterate its willingness to answer any questions about the business, its leadership, expertise, technologies and methodology. And the recently announced Transparency Initiative is aimed at specifically addressing any concerns that customers, partners or governments may have.
“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.”