#SocialSec – hot takes on this week’s biggest cybersecurity news (Jan 10)

CES kicks off as Las Vegas tackles cyber-attack; British electronics retailer slapped with ICO fine; and nominations open for the top 10 web hacking techniques of 2019

CES 2020 opened its doors in Las Vegas this week, with tech enthusiasts from around the world getting a first look at hundreds of thousands of new gadgets and gizmos from more than 4,000 exhibiting companies.

With four conference sessions being dedicated to security and privacy this year, it’s good to see that infosec was not completely overshadowed by the invisible keyboards, next-gen wheelchairs, and other products of the (not too distant) future.

However, dominating Twitter this week was the organizers’ decision to bring in Ivanka Trump as CES keynote speaker.

Trump took to the stage to discuss the importance of government and industry collaboration for jobs creation, along with employer-led strategies to reskill workers.

Many, however, questioned the organizers’ choice of keynote speaker.

“Ivanka is not a woman in tech,” tweeted Brianna Wu, a software engineer who is running for Congress in Massachusetts.

“She’s not a CEO. She has no background. It’s a lazy attempt to emulate diversity, but like all emulation it’s not quite the real thing.”

Outside of the exhibition hall, Las Vegas officials said the city narrowly avoided a security incident on January 7.

Municipal officials confirmed that systems were attacked early on Tuesday morning, forcing government IT staff to take down a number of online services, including its public website.

A full-blown crisis was apparently averted thanks to swift action from those tasked with protecting Sin City’s digital infrastructure.

Elsewhere, the US Department of Homeland Security (DHS) issued a bulletin warning of a potential escalation of malicious cyber activity following the recent killing of Iranian military commander Qasem Soleimani.

Speaking to The Daily Swig this week, Suzanne Spaulding, advisor at Nozomi Networks and former DHS employee said the risk of retaliatory action by Iran is particularly high, given “that the ‘red lines’ are not clearly defined in cyberspace”.

Check out our coverage for more on the Iranian cyber threat.

Over in the UK, electronics retailer DSG Retail has been fined £500,000 ($655,000) after its point of sale system was compromised.

An investigation by the Information Commissioner’s Office (ICO) found that an attacker installed malware on nearly 5,400 checkout tills in Currys PC World and Dixons Travel stores between July 2017 and April 2018.

As previously reported by The Daily Swig, the breach impacted at least 14 million people and resulted in the payment card details of 5.6 million consumers being compromised.

“DSG breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data,” the ICO said.

“This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.”

Although £500,000 would be enough to make even the world’s biggest organizations sit up and pay attention, some noted that if the breach had taken place just one month later, DSG could have faced a far heftier, GDPR-induced fine.

Hosted annually by PortSwigger, this community-led initiative aims to seek out and honor the best hacking techniques of the past 12 months.

Caching exploits topped the 2018 web security hit list, and while it remains to be seen who will lead the pack this year, nominations in 2019 include developments in server-side request forgery, request smuggling, mutation cross-site scripting, and many other areas of research.

Check out the PortSwigger blog for full details.