A roundup of the top news stories in information security this week, including a USB stick containing sensitive Heathrow security data found on the street, FireEye's free release of a password cracking tool, and Apple finally addressing the KRACK flaw.
USB Stick Containing Sensitive Heathrow Airport Security Information Found
Officials at London’s Heathrow Airport have launched an investigation after a USB memory stick containing the airport’s security information was found on a street in the city. The USB stick contained information such as the Queen of England’s route when using the airport, in addition to maps pinpointing CCTV cameras and a network of tunnels and escape routes.
INFOSEC INDUSTRY
Kaspersky Lab Expects U.S. Sales Decline Following 2017 Allegations
Russian cybersecurity firm Kaspersky Lab expects its U.S. revenue to drop by single digits following allegations this year that it has close ties to the Kremlin, according to a recent Reuters report. Kaspersky CEO Eugene Kaspersky told the media outlet that he still expects global revenue to increase. “We have zero, zero wrong connections, contacts or assistance to espionage agencies,” he said.
GOVERNMENT
Bill Aims to Boost Election Cybersecurity Across the Country
A new bipartisan bill draft by two members of the Senate Intelligence Committee is aimed at bolstering the security of state voting systems. Proposed on Tuesday by Republican Susan Collins of Maine and Democrat Martin Heinrich of New Mexico, the bill would authorize federal grants to states to upgrade their systems, in addition to requiring them to share more information about hacks of voting systems.
IDENTITY MANAGEMENT
Managed Password Cracking Tool Released for Free to Aid Admins in Testing Security
The GoCrack password cracking tool has been released free of charge by cybersecurity firm FireEye to help security professionals test password effectiveness. The company’s Innovation and Custom Engineering (ICE) team released the open-source tool, which was designed to help red teams manage password cracking tasks. “Some use cases for a password cracking tool can include cracking passwords on exfiltrated archives, auditing password requirements in internal tools, and offensive/defensive operations,” FireEye said.
KRACK Vulnerability Addressed by Apple in iOS 11.1
Apple has released patches for iOS, macOS, and other products to protect its users from the KRACK vulnerability affecting the WPA2 Wi-Fi security protocol. If exploited, an attacker within range of a device’s Wi-Fi network would be able to read traffic that should be encrypted. Many vendors addressed the vulnerability before its public disclosure on October 16.
Oracle Issued Emergency Fix Addressing Remote System Hijack Flaw
Oracle has issued an out-of-cycle patch to fix a vulnerability that allows attackers to access enterprise software remotely without authentication. CVE-2017-10151 would allow an attacker to perform a “complete compromise of Oracle Identity Manager via an unauthenticated network attack,” the company said in its security bulletin.
Recent Study Suggests Password Habits Are Improving
A recent study conducted by security firm Digital Guardian surveyed 1,000 people on their password security habits. When compared to a 2012 CSIO Consumer Survey, the findings of the latest study suggest that password habits are improving. From updating their passwords regularly and creating complex passwords to leveraging two-factor authentication, positive strides have been made in the last five years.
SETTLEMENT
Hilton to Pay $700,000 in Breach Settlement
The 2015 data breach that affected Hilton hotels has resulted in a $700,000 settlement that will be paid to New York and Vermont. A total of 363,952 credit card numbers were compromised by attackers during the incident. Hilton Domestic Operating Company will pay $400,000 to New York and $300,000 to Vermont. “Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” New York Attorney General Eric Schneiderman said in a release.
ARREST
FBI Arrests College Student for Hacking Grades More Than 90 Times
A former University of Iowa wrestler and student was arrested last week by the FBI on computer-hacking charges. The student allegedly used keyloggers in a high-tech cheating scheme that allowed him to intercept exams and test questions in advance and change grades on assignments. The FBI claims that Trevor Graves, 22, changed his grades more than 90 times in less than two years.