January was quite the month for IT security news and announcements.
For those who may have been a bit preoccupied with U.S. president Donald Trump’s inauguration and news of his first few weeks in office, here’s the rundown for the month that was:
1. Gmail Restricts .JS Attachments
Google announced in January that it will start restricting JavaScript attachments (.JS) as of Feb. 13. According to Tom’s Hardware, the gradual phasing out of Flash (which has more or less become a factory for zero-day threats) has prompted many hackers to focus their efforts on other areas, namely, JavaScript vulnerabilities.
To stem the tide of ransomware and other malicious executables that are now being disseminated via the .JS file format, Gmail will block all .JS files shared over email.
2. New Ransomware Attacks Come to Light
It wouldn’t be an IT security roundup without any mention of ransomware. This month, we have four for you:
- Two police departments: Eight days before Donald Trump’s inauguration, 70 percent of police CCTV cameras in D.C. were rendered inaccessible by a ransomware attack. It took three days to get them back online. In an unrelated incident, the Cockrell Hill Police Department based in Dallas announced the loss of digital evidence from as far back as 2009 after choosing not to pay a ransom, and instead wiping the server.
- One luxury hotel: A hotel in the Austrian Alps was forced to pay thousands of dollars to hackers after a ransomware intrusion made it impossible to issue key cards to incoming guests. This was the third ransomware attempt on the hotel in one year, and because of the fallout from the attack, the owners have decided to move away from the use of digital key cards.
- The Google Play store: Cybersecurity researchers announced Jan. 24 that an application called EnergyRescue, which is available on the Google Play Store, has been embedded with a type of malware called Charger. First, Charger steals contact information and text messaging data. It then requests admin permissions; if these are granted, it locks down the device and requests 0.2 bitcoins, equal to $180.
3. The FDA, FCC Talk IoT
Federal regulators are beginning to focus more on IoT.
In early January, news emerged that the Food and Drug Administration (FDA) had released its newest guidelines for the use of internet-connected medical devices on Dec. 28. The report, titled “Postmarket Management of Cybersecurity in Medical Devices,” was a dense document that, according to The National Law Review, was very similar to the guidance released in early 2016. As an increasing number of medical devices become part of hospital networks, their security will be of the utmost importance to ensuring a safe experience for patients.
Likewise, the Federal Communications Commission (FCC) released a 50-page document this month, stating, among other things, that greater data protection is needed to secure the Internet of Things. The problem appears to be that society and the commercial sector prioritize cybersecurity investment differently, with the latter arguing for more investment into data protection. The FCC has yet to provide explicit guidelines for the IoT, but appears to be moving in that direction, noting, “Further research is necessary to provide visibility into the nature and extent of market failures in the market for ISP cybersecurity.”
And that does it for January, but there’s plenty more where that came from. Check back in to the Faronics blog early and often for more news and analysis on all things related to IT security.