Pre-Installed Phone Malware

Some new Samsung, Motorola, Asus, and LG phones are reported to have come with malware installed. Samsung reports that the malware, which appears to be an altered version of a Netflix app, was not installed at the factory. It is thought most likely that the malware was installed at some point in the supply chain.

The malware in question was harvesting passwords and financial information, and relaying that information to a server in Russia.

Energy Companies Turned Down for Cyber Insurance as Poor Risks

Energy and other physical infrastructure companies have a difficult job to do. The SCADA (Supervisory Control and Data Acquisition) components are difficult to maintain or secure. They are isolated, frequently have inadequate support, are frequently highly customized for a particular installation, and may be so old that no reasonable support or patches are available for them.

Unfortunately, some energy companies appear to view insurance as a replacement for (rather than a supplement to) robust information security. Insurance companies who offer cyber security policies are increasingly turning down these potentially lucrative contracts due to the risk of a loss.

The "Olympic Games" hack involving Stuxnet showed the danger hackers pose to critical infrastructure. Even though Stuxnet was originally targeted at Iran's secretive nuclear program, the virus escaped into the wild and has been found in unrelated and surprising places.

Hopefully the refusal of cyber insurance will be a wake up call to energy and other infrastructure companies. Updates need to be applied, security needs to be designed in, and critical components may need to be separated from the network by an air gap.

Mt Gox: Criminal or Careless?

In recent days, there have been a lot of contradictory reports about a large theft at the Mt Gox Bitcoin exchange. Their bankruptcy filing reported that USD $425 million worth of Bitcoins appear to have disappeared. Mt Gox has done nothing to clear up the confusion, which has led to ever more speculation about exactly what happened.

Much of the information that is being reported has been sourced to a document that has been published on the Internet. At this point, Mt Gox has not validated the document, but many reports believe it to be genuine.

Reports have centered around a known weakness in the Bitcoin infrastructure, known as "malleability." In attacks based on malleability, hackers slightly vary the information in packets about legitimate transactions and flood the exchange with fraudulent information. The exchanges then need to validate every transaction to see which transactions are valid. Most exchanges have built in safeguards to deal with attacks based on malleability.

Serious allegations are being raised that fraud within Mt Gox may itself have been responsible for at least some of the loss. In 2012, Mt Gox reported about USD $380k in revenue. But in 2013, the company had to pay out a USD $5 million fine. Financial reporters are not clear on how Mt Gox was able to keep its doors open after this fine, but there are several reports of slow payments after the fine was paid. Financial reporters have noted that some consider this to be an early warning of a company doing business on a fraudulent basis.

At the very least, it appears clear that Mt Gox continued to do business even after discovering that it was vulnerable to a hacking attack.