The latest round up of recent cybercrime news stories from Phil Ashley, Director of Crossword Labs. A pick of the weird, unexpected and downright scary reminders of why we do what we do.
37% of Android phones have bugs that may enable eavesdropping
Researchers have a found multiple new vulnerabilities in a commonly used Android chip. CheckPoint Research have disclosed the vulnerability which can allow malicious actors to eavesdrop on the audio of a large portion of smartphones. The vulnerabilities were discovered by reverse engineering one of the key components of the chip known as the DSP (Audio Digital Signal Processor) which was designed to lessen the burden on the CPU. These vulnerabilities can then be exploited through malicious app code. CheckPoint informed MediaTek and Xiaomi, and so far MediaTek has released fixes in October to resolve the issues
Vulnerabilities found in Amazon AWS due to Eltima SDK
Vulnerabilities in Amazon cloud services that use USB over the ethernet allow for the escalation of privileges if exploited. The vulnerabilities were discovered in a library which was utilised by Amazon and created by Eltima. Although the actual cloud does not have these flaws due to the code-sharing between the server side and the end user, this puts cloud users at risk and includes services such as Amazon WorkSpaces, Accops and NoMachine. A security researcher at SentinelOne has stated that the vulnerabilities can be used to “disable security products, overwrite system components and corrupt the operating system”.
Lloyds now exclude state-sponsored attacks from their insurance policies
Insurer Lloyds now won’t cover ‘acts of cyber-war’ or nation-state retaliation attacks. Attacks for the purpose of ‘cyber-war’ carried out or related to the states of China, France, Japan, Russia, the U.K. and the U.S are now being excluded from their insurance policy in an attempt to reduce exposure. The market for cyber insurance is immature, and insurers and actuaries are still developing formulas to understand the threats, risks, and vulnerabilities different companies face, along with how different cyber security services and tools mitigate them. By invoking the much used “act of war”, insurers have decided that a hack by a group associated with a nation state or directly by a nation state is now an act of war and will no longer be awarded a pay-out.