By Byron Acohido, Third Certainty
(Editor’s note: Welcome to the debut of 3C’s Security & Privacy News Roundup. Each Thursday this column will highlight a diverse mix of breaking news, fresh analysis and telling disclosures culled from a variety of sources. Our intent is to keep you informed and foster discussion. Curation is manual. Attitude, probing. So let’s get to it.)
Banks’ monitoring found lacking. What do U.S. Comptroller of the Currency Thomas Curry and New York state’s Department of Financial Services superintendent Benjamin Lawsky have in common? Answer: Serious concerns about the banking sector’s capacity to monitor and detect money laundering and cyber intrusions – shortfalls that could pose significant threats to the nation’s critical infrastructure. BankInfoSecurity.com reports that the regulators aired these fears at different forums. Don’t be surprised if tighter banking regulations ultimately follow.
Hillary’s private email. In contrast to the banking industry’s lax monitoring, former Secretary of State Hillary Clinton is taking heat for assuming too much control of her daily email correspondence when she headed the State Department. Clinton set up a private email server in her home, in effect putting up an inner wall to insulate her communiqués from public disclosure rules and legal discovery. But she also created another, presumably easier, hacking target for elite nation-state hackers. Her political adversaries, no doubt, will leverage this disclosure to the hilt.
Not-so-secure chip cards. The deadline for U.S. businesses and banks to replace easy-to-forge magnetic-stripe payment cards with much-more-secure chip-embedded smart cards is in October. We’ve known that for a while. But now Reuters is reporting the U.S. chip cards won’t be up to snuff, security-wise. It seems the card companies have decided not to issue PINs with each chip card, a practice that is standard in Europe and Asia and that adds considerably to the security design.
Google reneges. Ars Technica is reporting that Google is now backing down from its boast that the next Android release will provide full device encryption by default. It seems encryption causes unacceptably slow performance on some devices, and so it won’t be enabled by default on some Android platforms scheduled to get the next version of the mobile OS.
Xen flaw exposes Amazon cloud users. The Register is reporting that Xen, the hypervisor many cloud vendors use to lease virtual servers to customers, seems to have a major vulnerability. The flaw leaves companies like Amazon and Rackspace rushing to patch and reboot their physical servers. Details on the nature of the security hole are still sketchy. Xen has a track record of similar high-profile vulnerabilities, so at least customers should be familiar with the routine.
WordPress plugin flaw. And here’s a vulnerability disclosure for those of us running WordPress websites to heed. If you’re one of the 1 million or so users of the WP Slimstat plugin, be forewarned that it exposes hashed passwords and, in some cases, direct admin access, the tech trade press is reporting. A patched version is out, but exposed sites are likely to persist for some time. It appears manual code modification will be required in some cases.
Naughty Lenovo. Multiple news outlets reported on Lenovo accepting a payment to bundle Superfish adware into its PCs and laptops. In addition to injecting ads into search results, Superfish is insecure by design, allowing man-in-the-middle attacks. This is another example of hardware manufacturers bundling software that not only creates security holes but is also an inconvenience by design.
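For readers who want to know whether a Windows machine is affected, the practical check is to look in the machine’s trusted root certificate store for a Superfish-issued root, since that is what makes the interception possible. The snippet below is an added example written for this column, not code from Lenovo, Superfish or any of the outlets cited; it assumes the root certificate’s subject contains the string “Superfish” (an assumption about the certificate’s naming, not something stated above) and reports any matching certificate in the local machine and current user root stores.

```powershell
# Added example: look for a Superfish root certificate in the Windows trust stores.
# Assumption: the adware's root CA subject contains "Superfish" (hypothetical match string).
$suspectPattern = "*Superfish*"

$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $suspectPattern -or $_.Issuer -like $suspectPattern } |
        Select-Object @{Name = "Store"; Expression = { $store }},
                      Subject, Thumbprint, NotAfter
}

if ($findings) {
    Write-Output "Suspect root certificate(s) found:"
    $findings | Format-Table -AutoSize
    # Removing the root cert and the adware itself is the remediation; removing only one leaves the other in place.
} else {
    Write-Output "No root certificate matching $suspectPattern found."
}
```

Run this from an elevated PowerShell prompt so the LocalMachine store is readable. A hit means TLS connections on that machine could have been intercepted by anything holding the corresponding private key, so the certificate should be removed along with the adware, not instead of it.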
That’s it for now. Stay informed.