Week in review: Linux Mint hack, crypto ransomware hits hospitals, and educating policymakers on cybersecurity

Here’s an overview of some of last week’s most interesting news and articles:

Can poorly designed embedded devices kill?
The industry is not taking safety and security seriously enough, according to the Barr Group, who conducted a survey to better understand the state of safety- and security-aware embedded systems design around the world.

MouseJack: Remote exploitation via radio frequencies
Using an attack which researchers have named MouseJack, malicious actors are able to take over a computer through a flaw in wireless dongles.

Google offers free DDoS protection to independent news sites
Google (i.e. Alphabet) has created a free DDoS protection service to help independent news sites, as well as sites focused on human rights and election monitoring, withstand DDoS attacks, which have become a very modern form of censorship.

Start getting ready for Europe’s new data protection regulation today
If yours is an EU-based company or a non-EU one that deals with personal data of EU citizens, the General Data Protection Regulation (GDPR) brings a new legal obligation that your organization has to comply with: when a personal data breach has occurred, you have to notify the competent data protection authorities within 72 hours and, if the leaked data is likely to impact the rights of the individuals concerned, let the individuals themselves know about it.

Linux Mint hack: Backdoored ISOs, stolen forums database
The web properties of the project developing Linux Mint have been compromised, and the attacker managed to put up a backdoored version of the distro for download for a little while.

Review: ICLOAK Pro
The ICLOAK device started as a portable online anonymity tool aimed at giving users a fast, convenient and flexible way to browse the Internet anonymously from any computer. Its creation was made possible by a successful Kickstarter project in 2014.

Pirated App Store client for iOS found on Apple’s App Store
An app called 开心日常英语 (“Happy Daily English”), which has been offered for download via Apple’s official App Store, has been revealed to be a fully functional third party App Store client for iOS, offering users in mainland China a way to install modified versions of iOS apps on non-jailbroken devices.

Crypto ransomware hits German hospitals
According to DW, it’s still unclear if the hospitals have been hit with the same ransomware, but they didn’t get any targeted ransom demand apart from the usual one shown by the malware, and the authorities believe that the attacks were not targeted at all.

Mastercard’s Selfie ID: Playing Russian Roulette with consumer identities?
At this week’s Mobile World Congress in Barcelona, MasterCard announced it will accept selfie photographs and fingerprints as an alternative to passwords when verifying IDs for online payments.

German police allowed to use its own “federal Trojan”
The malware has been developed in-house, and has been available since autumn 2015. It is supposed to be used only for so-called telecommunication surveillance at the source, i.e. to read emails, chats and wiretap phone calls made by the target via his or her computer or smartphone, and not to access files, steal passwords, or set up video or audio surveillance via the device.

Mobile banking Trojan bypasses Google Play security
The Acecard malware is capable of attacking users of nearly 50 different online financial applications and services.

Insecure APIs allow anyone to mess with Nissan LEAF electric car
A vulnerability in the mobile app used to interact with Nissan LEAF, a popular electric car, can be exploited by remote, unauthenticated attackers to switch the car’s AC and heating system on and off, but also to extract details about the owner’s journeys.

Coalition aims to educate policymakers on cybersecurity
A group of vendors launched the Coalition for Cybersecurity Policy and Law, a new organization that will focus on education and collaboration with policymakers on the increasingly complicated legislative and regulatory policies related to cybersecurity.

Deep and Dark Web: Complexity and escalating cybercriminal activity
Malicious actors regularly congregate in the Deep and Dark Web to plan, execute, and profit from a range of illicit activity – from hacking, financial fraud, and intellectual property theft to terrorism and other violent acts. Intelligence about this activity can help organizations prepare for the latest threats before they surface.

Sensitive child profiles, private messages exposed online
Security researcher Chris Vickery has discovered another database containing sensitive user data exposed online (i.e. accessible via the Internet). Leveraging Shodan, he unearthed a database compiled and used by US-based uKnowKids, a company that helps parents monitor what their kids do online and on the mobile phone.

Apple says DoJ’s request for iPhone unlocking is unconstitutional
Apple has filed a motion to vacate the earlier court order that would force them to help the FBI access the contents of the iPhone of the San Bernardino gunman by creating a new OS that would bypass existing security measures.

Source code of “game changer” Android banking malware leaked online
GM Bot, first offered for sale in late 2014 in the Russian-speaking cybercrime underground, was a game changer because it offered the capability to overlay (customized) screens on top of running banking applications.

A third of IT managers admit to hacking
A high percentage of IT personnel admitted to not following the same security protocols they are expected to enforce, according to Absolute Software. Of those surveyed, 33% of respondents admitted to successfully hacking their own or another organization and 45% admitted to knowingly circumventing their own security policies.

Porn Clicker Android malware hits Google Play hard
In a little over seven months, cybercriminals using click-jacking mobile malware to earn affiliate income have managed to push over 340 instances of the malware into Google Play.

Volvo to launch a car without a physical key
Can you imagine accessing and driving your car without a physical key? In a first for the automotive industry, Volvo is set to become the first car manufacturer to offer cars without keys from 2017.

Perceptions and buying practices of infosec decision makers
CyberEdge Group surveyed 1,000 IT infosec decision makers and practitioners from 10 countries, five continents, and 19 industries, and unsurprisingly, the news is not good.

Hacking hospitals: Cyber attacks can result in physical harm
Independent Security Evaluators (ISE) published a study that demonstrates security flaws to be pervasive within the healthcare industry. The research found that adversaries could deploy cyber attacks that result in physical harm to patients. 100% of the hospitals investigated had very serious security issues, suggesting broader implications across the entire industry.

FTC forces Asus to improve router security
The Federal Trade Commission (FTC) is actively trying to make sure that companies secure the software and devices that they provide to consumers, and Tuesday’s settlement with Taiwan-based hardware maker ASUSTeK Computer is one step towards that goal.

Is zero-effort computer security a dream?
Researchers from the University of Alabama at Birmingham and Aalto University have found vulnerabilities in a recently proposed user-verification security system for computers. This new security system, developed by Dartmouth College researchers, was created in response to a need for easy-to-use authentication systems.

FBI subpoenaed Carnegie Mellon University for Tor-using suspect’s IP address
A court order in the case of U.S. vs Brian Farrell, a man charged with conspiracy to distribute illegal drugs while he was allegedly an administrator of the Silk Road 2.0 website, has provided official confirmation that the FBI identified him thanks to the IP address provided by the Software Engineering Institute of Carnegie Mellon University, which did some research on the Tor network.