Stay in the know with “The week in cybersecurity news,” a weekly report on all the industry headlines released every Friday. Sign up to get the report in your inbox every week.

Telegram’s new identity verification app is vulnerable to attack

Telegram, known for its end-to-end encrypted chat messaging platform, recently released a new identity verification app called Passport.

According to the company, Passport claims to store identification documents in the Telegram cloud using end-to-end encryption, and that eventually all personal data will be stored in a decentralized database. Researchers from Virgil Security, however, say the app is vulnerable to attack for two reasons:

  1. Telegram uses SHA-512 to hash passwords.
    A “top-level GPU can brute-force check about 1.5 billion SHA-512 hashes per second.” If there was an internal attack on Telegram, passwords, depending on their strength, could be broken for anywhere between $5 and $135.

  2. Personal information uploaded to Passport isn’t cryptographically signed.
    Without a cryptographic signature, a hacker could alter a user’s personal information without detection.

Read the full story at Coindesk.

Tips aimed at ransomware-proofing your storage environment

An article in GCN proposes that organizations use object storage to protect data from ransomware in the face of limitations with employee vigilance and intrusion detection systems.

The story covers the limitations of employee training and intrusion detection systems for preventing malware from entering an organization’s IT environment and suggests using object storage techniques to thwart the effectiveness of a ransomware attack.

Object storage is recommended because it provides: 1) versioning and 2) write once, read many (WORM) capabilities.

  1. With versioning, any time data is updated a new version is created. This means that an organization has the power to restore an unencrypted version of a file in the event of a ransomware attack.

  2. WORM technology places data in a storage system that prevents alteration for a specified amount of time, preventing ransomware from encrypting data during that time frame.

Read the full article here.

Top CIOs talk security philosophy

A recent CIO article highlighted global IT leaders’ philosophies and principles for cybersecurity. Highlights are below.

Ann Dunkin, CIO, County of Santa Clara, California: “There are two kinds of CIOs: those that have been hacked and know it and those that have been hacked and don’t know it.” Dunkin says that recognizing that their organization has been hacked leads them to apply more resources to protecting and monitoring high-value data assets.

Dick Daniels, Executive Vice President and CIO, Kaiser Permanente: Two tenants form his philosophy on cybersecurity: 1) addressing risks right away, and 2) recognizing that security is only as strong as its weakest component. At his organization, this translates to proactively devoting resources to solving or mitigating potential risks and taking a holistic view of security that considers everything from employees to third-party partners.

Tim Barbee, Director of Research and Information Services/CIO, North Central Texas Council of Governments: “IT security is about acceptance of risk and risk avoidance.” Barbee says the key is finding the most cost-effective means of protecting an IT network.

Read the full article here.

Highlights from the Department of Homeland Security’s National Cybersecurity Summit

The Department of Homeland Security held its National Cybersecurity Summit in New York this week. Below are the key takeaways.

Mike Pence blames Obama for a “cyber crisis” and says the Trump administration has a plan.
Vice President Mike Pence gave a speech blaming the Obama administration for the government’s issues with cybersecurity saying, “We inherited a cyber crisis.” Pence confirmed that the Trump administration is putting together a national cyber strategy “to protect the integrity and security of the American digital domain.”

DHS creates a National Risk Management Center.
Homeland Security Secretary Kristjen Nielsen announced that the DHS is creating a National Risk Management Center, which will provide government agencies and private organizations with a resource for evaluating and responding to cyber threats. The center will increase information-sharing between the government and private sector with the goal of protecting the nation’s critical infrastructure.

Read more at CNET and WIRED.

Reddit breach highlights risk of two-factor authentication with SMS

Reddit recently announced that a breach occurred in June, which resulted in the exposure of user data.

The breach occurred after hackers compromised employee accounts on the platform’s cloud and source code hosting providers, despite its employees using two-factor authentication.
The problem was that the two-factor authentication relied on SMS, and hackers can easily intercept text messages.

Reddit’s disaster is a reminder for organizations that their employees should move away from SMS-based two-factor authentication to a method that is token-based.

Read the full story at Computer Weekly.