The Raccoon attack, developed by a team of academics, could enable hackers to break TLS encryption and read sensitive internet communications. The researchers were able to target the Diffie-Hellman key exchange process to determine parts of the algorithm used. They admit that the attack vector is hard to exploit and its underlying conditions are rare.

More:

• Transport layer security (TLS) is used to secure data traveling between a web browser and a website using hypertext transfer protocol secure (HTTPS). 
• The Diffie-Helman key exchange method enables two parties to jointly establish a shared secure key over an insecure channel and encrypt communications.
• The attack can only be carried out against the TLS 1.2 protocol and earlier versions; the TLS 1.3 protocol is not vulnerable.

The rapid shift to telehealth in response to COVID-19 has opened up healthcare organizations to increased cybersecurity attacks, according to a report by SecurityScorecard and DarkOwl. The report found a 30% increase in cyberattacks on popular telehealth apps during the COVID-19 pandemic. 

More:

The report compared data from September 2019 and April 2020 and found the following trends:

• 350% increase in telehealth primary care visits
• 117% increase in IP reputation security alerts triggered by malware
• 65% jump in patching cadence, which measures the regularity of installing security patches
• 56% increase in endpoint security issues
• 16% jump in application security issues
• 42% jump in FTP issues (FTP is an insecure network protocol that allows data to travel between a client and a server)
• 27% increase in RDP issues (RDP is a protocol that enables remote connections)

The Russian military-linked Strontium group is harvesting Office365 credentials from U.S. and U.K. political organizations, warned Microsoft. Strontium conducted the attacks against tens of thousands of accounts at more than 200 organizations between September 2019 and June 2020  The group harvests credentials in order to conduct future surveillance or intrusion operations.

More:

• The group is using brute-force/password-spray attacks to conduct large-scale credential harvesting operations.
• Strontium, also known as APT 28, Fancy Bear, Sednit, and Tsar Team, is suspected of being part of the Russian military's Main Intelligence Directorate.
• Strontium (APT 28) is credited with hacking into Hillary Clinton's presidential campaign and the Democratic National Committee during the 2016 election.

ThreatConnect, an Arlington, Va.-based cybersecurity firm, has acquired Nehemiah Security, a Washington, DC-based cyber risk quantification (CRQ) startup, for an undisclosed consideration. ThreatConnect will add Nehemiah's CRQ technology to its existing threat intelligence platform and security orchestration, automation, and response capabilities. 

More:

• In May, Gartner named Nehemiah to its list of "cool vendors" in integrated risk management.
• Nehemiah said that its product enables a CISO to communicate to the board how security investment underpins business operations.
• ThreatConnect recently made Inc. magazine's list of fastest-growing U.S. companies with a growth rate of close to 200%.

Hackers are increasing their attacks on a critical bug in the popular WordPress plugin File Manager, which the developer patched earlier this month. The attackers have targeted more than 2.6 million vulnerable WordPress websites, according to the Wordfence Threat Intelligence team. The bug can enable a hacker to carry out a remote code execution attack. 

More from Wordfence:

• There have been attacks targeting this bug coming from more than 370,000 separate IP addresses.
• A Moroccan threat actor known as bajatax has been the most active in exploiting the File Manager bug.
• Bajatax infects the vulnerable site and deploys malicious code that uses Telegram messenger’s API to steal credentials of any user logging into the site.
• Another attacker is exploiting the bug to installing backdoors in vulnerable websites.

PODCAST NOTES: (This premium content first appeared in the Sept. 10 issue of Inside Security.)

Every Thursday, I summarize a podcast about cybersecurity so you can read it in about five minutes or less. This week features Jack Ogawa, with AWS and formerly with Cypress Semiconductor, who spoke with Brian Santo of the EETimes On Air podcast (#85) about Internet of Things (IoT) security. [Note: Questions and answers were edited for brevity and clarity.]

Brian Santo: Tell me what the security situation is with the IoT today.

Jack Ogawa responded that organizations are coming forward with the intent to secure and protect end-user privacy. In the U.S., California led the way with their Senate Bill 327 that protects end-user privacy. Europe has GDPR as a higher level guiding principle on how to handle user data, but Europe is looking at more specific IoT-oriented legislation. So far, there hasn't been much activity out of Japan or China, but at some point, they are likely to follow suit and address that as well.

Santo: So when you say “data privacy,” are you also including issues that are involved with data security? 

Ogawa said that privacy is about access to data. That is foundational to the concept of privacy. When you think about that from an IoT perspective, a connected washing machine doesn’t have its own identity. So the critical element of enabling an IoT device is deciding what kind of data it can or can’t access.

IoT security will be the marriage of authenticating a user, conferring proper privileges on the user, identifying an actual device, and then conferring similar privileges on that device in terms of data access.

Santo: I scanned the NIST document talking about IoT security. I noticed that they seemed to be fairly good at identifying what they mean by security and leaving it up to the people who make the devices to implement security measures. Is that a reasonable evaluation of what’s going on?

Ogawa agreed that NIST and others are trying to focus on end results rather than how to achieve those end results. He said the NIST document is robust in terms of that orientation. They talk about the concept of risk mitigation areas and device capabilities, rather than prescribing security measures. 

The legislation and NIST guidance are trying to focus on device identification in the context of device configuration, making sure that the integrity of the device has been maintained. In addition, they focus on data protection, such as encryption and how to protect data both sitting in the device as well as being transmitted over a network. In addition, they look at logical access to interfaces, such as preventing somebody remotely from coming into hardware and modifying its capabilities or its functionality. As the state of the art evolves, they want to make sure that these devices can be updated with the latest security patches.

Santo: How much coverage can you provide when your chips have to work in the context of a product and system, and those systems have to work in a network?

Ogawa said there are two contexts. There’s a technical dimension. There are many different ways to achieve a given end result that might be proposed by a piece of legislation or an industry standard. In that regard, it’s not about the technical superiority of one solution over another. If you’re able to protect the data, you’ve accomplished the goal.

So the real question is about the cost of ownership of a solution. Encryption is a well-known technology. It’s been around forever. In fact, you can look at payment transactions today as the epitome of a secure system.

When you look at payments, the deployment of that technology is framed around the cost of ownership. How much does it cost to put a smart chip into a credit card? What capabilities are in a payment terminal that are commensurate with the risk of that transaction? A company could spend millions of dollars making that little swipe terminal at a store very secure, but at the end of the day, maybe you are protecting maybe $100 worth of transactions. There’s a business frame around how much security you really want to implement.

Bringing that over into IoT, the legislation that we were talking about earlier actually is triggering an interesting dynamic within companies. It’s not a technology-driven conversation per se. Their lawyers are coming to them saying, in order to achieve compliance in California, we need to do these things, and they need to be defensible--not from the standpoint of, is it absolutely secure, but if somebody brings a lawsuit against us in California, is it defensible relative to the law that’s been enacted there.

FOR ACCESS TO MY PODCAST NOTES EVERY WEEK, PLEASE SUBSCRIBER TO OUR PREMIUM CONTENT BY CLICKING HERE! 

Leecraso and Guang Gong at Chinese cybersecurity company Qihoo 360 received $20K for finding a sandbox escape bug in Google's Chrome web browser. The researchers said that the bug affects Chrome on all platforms, but they have only exploited it on Android. Google patched the bug in its Chrome 85 update. 

More:

• Leecraso said the vulnerability is easy to find and exploit, but he is not aware of any current attacks exploiting it. 
• The researcher said that the sandbox escape bug could be combined with an RCE bug in Blink to execute arbitrary code in the browser renderer process. 
• Google awarded a $10K bug bounty to CodeColorist of Ant-Financial LightYear Labs for discovering an insufficient policy enforcement bug in the Chrome installer.

Popular video conferencing app Zoom has enabled two-factor authentication (2FA) for all user accounts to stop "zoombombing" and other cyberattacks. The 2FA system requires users to enter a one-time code from a mobile authenticator app, SMS, or phone call, making it harder for hackers to exploit stolen credentials.

More:

Zoom 2FA can be used on the following devices:

• Android or iOS device that can receive text messages or has a 2FA app that supports the TOTP protocol
• Zoom desktop client for Windows, macOS, or Linux, 5.2.2 or higher
• Zoom Rooms for Conference Room for Windows or macOS, 5.2.1 or higher

The opening of schools across the country has prompted a surge in zoombombing and ransomware attacks.

Container security firm StackRox has raised $26.5M in funding to expand into international markets and boost investment in research and development. The Series C round was led by Menlo Ventures, with participation from Highland Capital Partners, Hewlett-Packard Enterprise, Sequoia Capital, and Redpoint Ventures. The startup has raised $60M in funding to date.

More:

• StackRox's container security platform is purpose-built for Kubernetes.
• 78% of companies are running Kubernetes in production, up from 58% the year previous, according to a survey by the Cloud Native Computing Foundation. 
• StackRox was valued at $145M in its last funding round in 2018, according to PitchBook data. 

TO ACCESS MY SECURITY FUNDING COLUMNS, PLEASE SUBSCRIBE TO OUR PREMIUM SERVICE BY CLICKING HERE!

QUICK HITS:

• The U.S. Treasury sanctioned four Russia-linked individuals for trying to interfere in the 2020 elections. 
• In its annual cyber threat report, the Australian Cyber Security Centre found that phishing and spearphishing remain the most common cyberattacks.
• The Portland City Council has passed the strictest facial recognition technology ban in the U.S.
• Japan's Financial Services Agency is expected to require Nomura Holdings to report on how client data was leaked to a rival firm. 
• Conga tapped into insights from tech-forward business leaders in order to create this fact-packed report: The State of Digital Document Transformation*

* This is paid content.