Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.
Big items to consider: A company that supplies audio-visual and building control equipment to the US Army, the White House, and other security-conscious organizations built a deliberately concealed backdoor into dozens of its products that could be used to hack or spy on users. An Austrian airplane component maker for Boeing and Airbus said earlier this week that a cybercrime-related fraud has caused $54 million in damages. Security experts are warning corporates to redouble their efforts to guard against the insider threat after federal prosecutors indicted five people, including two scientists at GlaxoSmithKline, on charges of stealing trade secrets. Debate over the US Cybersecurity Information Sharing Act (CISA) and the invalidated EU-US Safe Harbor framework continues, with the US and the EU arguing over whether any single set of rules could govern data belonging to both US and EU citizens. The European Union is set to meet on Feb. 2 to decide how data transfers to the US should continue; meanwhile, the US government is still debating what counts as personally identifiable information and what information its agencies can legally collect.
Researchers from Austrian firm SEC Consult have uncovered what they claim are deliberately hidden backdoors in products from AMX, a provider of conference room communications to private firms and government organizations the world over, including the White House and US military bodies. The researchers first became suspicious after encountering a function called “setUpSubtleUserAccount” that added a highly privileged account with a hard-coded password to the list of users authorized to log in. Unlike most other accounts, this one had the ability to capture data packets flowing between the device and the network it is connected to. Two lessons for anyone auditing embedded devices: an account that does not appear in the vendor's documentation but holds root-equivalent privileges is a finding on its own, and a hard-coded password cannot be rotated by the customer, so the only fix is a firmware update from the vendor.
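The check SEC Consult's finding suggests can be automated against an extracted firmware image. The script below is an added example, not SEC Consult's tooling or AMX code: it parses a Unix-style passwd file pulled from the image, flags any account that is privileged (uid 0) or has an interactive shell but is not on the vendor's documented account list, and scans the printable strings of a binary for account-creation helpers, literal credential assignments and packet-capture indicators of the kind described above. Every account name, string and password in the samples is constructed for illustration; the documented-account list is an assumption you would replace with the vendor's own.

```python
import re

# Constructed sample: contents of an /etc/passwd file extracted from a firmware
# image. Not real AMX data. "svc_diag" is an undocumented uid-0 account and
# "guest" an undocumented interactive account; both should be flagged.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:Administrator:/home/admin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_diag:x:0:0:diagnostics:/:/bin/sh
guest:x:1001:1001::/tmp:/bin/sh
"""

# Constructed sample: printable strings from a binary, as `strings` would emit them.
SAMPLE_STRINGS = """...
setUpSubtleUserAccount
adduser -u 0 svc_diag
passwd svc_diag
PASSWORD=Sup3rS3cret!
tcpdump -i eth0
"""

# Assumption: the accounts the vendor documents for this device.
DOCUMENTED_ACCOUNTS = {"root", "admin", "daemon"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Indicator patterns: account-creation helpers, literal credential assignments,
# user-management commands, and packet-capture tooling.
CRED_PATTERNS = [
    re.compile(r"(?i)\b(?:set\s*up|add|create)\w*(?:user|account)\w*"),
    re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|secret)\s*[=:]\s*\S+"),
    re.compile(r"\b(?:adduser|useradd|passwd)\b"),
    re.compile(r"(?i)\b(?:tcpdump|pcap|promisc)\b"),
]


def parse_passwd(text):
    """Parse passwd-format lines into dicts; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, _, _, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid), "shell": shell})
    return accounts


def find_undocumented_privileged(accounts, documented):
    """Names of accounts absent from the documented set that are uid 0 or can log in."""
    findings = []
    for acct in accounts:
        privileged = acct["uid"] == 0
        interactive = acct["shell"] not in NOLOGIN_SHELLS
        if acct["name"] not in documented and (privileged or interactive):
            findings.append(acct["name"])
    return findings


def find_credential_strings(text):
    """Strings matching any indicator pattern, one hit per line."""
    hits = []
    for line in text.splitlines():
        if any(pat.search(line) for pat in CRED_PATTERNS):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    for name in find_undocumented_privileged(accounts, DOCUMENTED_ACCOUNTS):
        print("undocumented privileged/interactive account:", name)
    for hit in find_credential_strings(SAMPLE_STRINGS):
        print("suspicious string:", hit)
```

In practice you would feed `parse_passwd` the passwd file from the unpacked image and `find_credential_strings` the output of `strings` over each binary; a hit from the first pattern next to a hit from the second in the same binary is exactly the combination the researchers noticed. The string scan is a triage aid and will produce false positives on ordinary user-management code, so every hit still needs a human to confirm whether the credential is hard-coded.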
FACC, an Austrian airplane component maker for Boeing and Airbus, said earlier this week that a cybercrime-related fraud has caused $54 million in damages. The company characterized the incident as an “outflow” of $54 million of “liquid funds” and said the loss does not pose an economic threat to it. FACC also said the attack did not affect its IT infrastructure, data security, or intellectual property rights, and that its production and engineering units are operating normally.
Security experts are warning corporates to redouble their efforts to guard against the insider threat after federal prosecutors indicted five people, including two scientists at GlaxoSmithKline, on charges of stealing trade secrets. The two research scientists, Yu Xue and Lucy Xi, are said to have emailed and downloaded information on around a dozen products to co-conspirators who wanted to “market and sell” the trade secrets through a newly formed Chinese company they set up, Renopharma. Many of the products targeted were designed to treat cancer or other serious diseases. The UK managing director of access management firm 8MAN argued that managers need to exercise vigilance round the clock, especially in industries that generate valuable IP, such as pharmaceuticals.
European Union privacy regulators will meet in Brussels on Feb. 2 and hope to decide at that time whether and how data transfers to the United States should continue. The U.S. did not improve matters when it delayed action this week on the proposed Judicial Redress Act, which would allow European citizens to sue the U.S. if law enforcement agencies misused their personal data. On the CISA side, the US Attorney General and the Department of Homeland Security have been given 60 days from the law's passage to issue more guidelines on precisely how cyber threat indicators must be shared. The details of those rules will provide a clearer picture of what data government agencies may and may not obtain.