Welcome to Metacurity’s Friday Report, where we sum up the week’s big trends in information security news.
No single theme dominated the week’s news but a single city did: Las Vegas, where the annual grueling cybersecurity and hacking “summer camp” of back-to-back BSides Las Vegas, BlackHat and DEF CON conferences is hosted at the hottest (literally) peak of the year. True to tradition, security researchers and firms and tech suppliers trotted out a ton of demos, announcements, and findings, all of which is enough to scare the blue out of the sky.
Among just some of the more disturbing things unveiled throughout the week were:
Heart-stopping vulnerabilities in Medtronics devices: Billy Rios and Jonathan Butts demo’ed how easy it is to hack Medtronics’ pacemakers and insulin pumps.
Satcom weaknesses that could fry maritime and military uses: Flaws in the satcom systems used by the military and maritime industry leave users in both of those sectors vulnerable to “high-intensity radio frequency (HIRF)” attacks.
Smart city systems that are dumb when it comes to security: Researchers found 17 zero-day vulnerabilities in four smart city systems, eight of which are critical in severity.
A number of intelligent sprinklers that could theoretically drain a city’s water supply: Researchers studying Internet-connected irrigation devices found so many flaws in the devices that 1,355 sprinklers enslaved in a botnet could theoretically drain a city’s water tower.
A honeypot masquerading as a genuine electricity provider that was hacked by cybercriminals within two days: A honeypot configured to look like a power transmission substation of a major electricity provider took just two days for a cybercrime hacking group to gain a toehold on the network and install malicious tools.
Although not related to the Summer Camp goings-on, another scary development of the week was the re-emergence of the WannaCry worm, which was swiftly stopped by Marcus Hutchins last year when he inadvertently implemented a kill-switch by buying an Internet domain. A variant of WannaCry caused the unprecedented shut-down of top silicon maker Taiwan Semiconductor Manufacturing Company’s factories last weekend, which cost the company $255 million in lost revenue and may jeopardize the timely delivery of Apple’s upcoming new iPhones. Why Hutchins’ kill-switch didn’t work has yet to be revealed.
Finally, in the scary your-government-at-work category, the Federal Communications Commission (FCC) came clean, sort of, about those net neutrality-related DDoS attacks that the Commission had long maintained were real. Pushed by an impending report from the FCC’s Inspector General, which proved those attacks were false, FCC Commissioner Ajit Pai finally copped to their bogus nature but blamed them on the agency’s previous Chief Technology Officer and, of course, the Obama Administration. (This embarrassing episode is far from over because Democrats plan to grill Pai about it next week, Gizmodo has FOIA requests into the Commission and the Justice Department, and Buzzfeed News is suing for access to the same records.)
A lot more happened this week so check out our homepage or use the nifty day-by-day look-back tool at the top of the page to come up to speed (or for faster results, go to our Snacks page and scan just the summaries.)
With that, we leave you with one of our favorite tweets from Black Hat (which, of course, was corrected by an infosec veteran almost immediately but we still like it.)
— Peter Ullrich (@PJUllrich) August 8, 2018
Stay safe and stay sane out there!