Search Results for "third party software"

FBI and Homeland Security dish Dirt on Critical Infrastructure Attacks

A new joint FBI-DHS report dishes the dirt on recent sophisticated attacks targeting the US energy grid and critical infrastructure, saying attackers used third party firms and web sites to gain access to energy and other critical infrastructure networks. It also names a sophisticated hacking group believed to be linked to the government of Russia.

ROCA Crypto Flaw could have big Impact on Internet of Things

With no simple way to patch affected systems, the security vulnerability in Trusted Platform Module (TPM) chipsets made by the firm Infineon may be with us for years to come, security experts warn.

Hacker Eye on the Consultant Guy: Deloitte and the Art of spotting Vulnerable Firms from the Outside

In the latest Security Ledger podcast, we analyze the breach of Deloitte by talking to two people who spend a lot of time judging the security of firms by how they look to the outside world. Dan Tentler of the firm Phobos Group tells us what he found out about Deloitte by doing some fast and dirty open source research. Also: we talk to Stephen Boyer of the firm BitSight about a new study that firm did of the gap between the security readiness of financial services firms and the third-party software supply chain they rely on.

Firm that discovered CCleaner Compromise: there may be Others

The firm that discovered the CCleaner attack thinks there may be other common applications that, like CCleaner, have been secretly compromised and used to gain access to corporate networks. Engineers at the firm Morphisec are reviewing historical reports that were considered “false positives” to determine if any of those reports may have been evidence of compromises of other common applications, Chief Technology Officer Michael Gorelik told The Security Ledger. “It’s something we’re doing right now. We’re revalidating stuff that we caught within the last several months,” he said. While Gorelik declined to say whether they had found evidence that other, similar attacks had taken place, he said the initial findings of the investigation were “very interesting.” “They’re very interesting events and when you go deeper they become more interesting,” he said.  He said he believed there were other so-called supply chain attacks like CCleaner, but declined to say whether his firm […]

Is CCleaner the Tip of an Iceberg of Supply Chain Hacks? And Alexa: did China hack us Last Night?

In the latest Security Ledger podcast, Paul speaks with Michael Gorelik of the firm Morphisec about the hack of security software vendor CCleaner – a hack that Gorelik’s firm discovered. CCleaner, he says, may just be the tip of the iceberg when it comes to supply chain hacks. And: “Alexa: have we been hacked by China?” Paul speaks with Grant Wernick of the firm Insight Engines, which is releasing a product this week that integrates the Splunk log management tool with Amazon’s voice assistant.