IT Security News Blast 1-12-2017

Information security internships available at MultiCare.

Minimum Qualifications

  • Must be enrolled in a program for a Bachelor’s Degree in Computer Science, Information Technology, or a related field
  • Must have completed at least two years of college prior to effective hire date
  • Basic proficiency in Microsoft Office products and basic computer usage
  • Ability to work in a team environment
  • Ability to work on multiple deadlines and projects based on priorities established by the supervisor
  • Excellent planning, written and oral communication, organizational skills, professionalism and self-motivation

Contact: kduffy@multicare.org

How much is a data breach going to cost you? [Slideshow]

A recent IBM study found that the average cost of a data breach has hit $4 million—up from $3.8 million in 2015. There are countless factors that could affect the cost of a data breach in your organization, and it’s virtually impossible to predict the exact cost. You might be able to estimate a range with the help of a data breach calculator, but no single tool is perfect. BitSight looks at a number of factors companies should keep in mind when it comes to calculating the actual cost of a future data breach.

http://www.csoonline.com/article/3156845/data-breach/how-much-is-a-data-breach-going-to-cost-you.html

10 biggest weaknesses and lessons learned from cybersecurity in 2016

We spoke recently with four security experts: Pam Hepp, shareholder, healthcare practice at Buchanan, Ingersoll & Rooney; ESET Security Researcher Lysa Myers; CynergisTek co-founder and CEO Mac McMillan, and ICIT Senior Fellow James Scott. Here’s what they said were the biggest weaknesses, threats and lessons learned from 2016.

http://www.healthcareitnews.com/news/10-biggest-weaknesses-and-lessons-learned-cybersecurity-2016

UK SMEs targeted 230,000 times each by cyber criminals in 2016

While a third of attacks against UK businesses attempted to access company databases in the first quarter of 2016, cyber criminals have since shifted their focus to connected devices such as networked security cameras and building control systems that can be controlled remotely over the internet. […] With the Internet of Things, businesses are punching holes in their own firewalls to provide suppliers with access to devices on their networks. This can open the door to criminals too if not done properly.

http://smallbusiness.co.uk/smes-targeted-cyber-criminals-2536150/

US Warns of Unusual Cybersecurity Flaw in Heart Devices

Information on the security flaw, identified by researchers at MedSec Holdings in reports months ago, was only formally made public after the manufacturer, St. Jude Medical, made a software repair available Monday. MedSec is a cybersecurity research company that focuses on the health-care industry. The government advisory said security patches will be rolled out automatically over months to patients with a device transmitter at home, as long as it is plugged in and connected to the company’s network. The transmitters send heart device data back to medical professionals.

http://abcnews.go.com/Technology/wireStory/us-warns-unusual-cybersecurity-flaw-heart-devices-44691122

The Dumb ‘Smart’ Gear That Someone’s Gonna Hack in 2017

In some cases, as with many baby monitor models, that’s actually happened. The more realistic scenario, though, is usually more boring on a local level but potentially devastating on a large scale. Internet-connected devices, if not properly secured, can be roped into botnets capable of making web sites inaccessible to huge numbers of people. The following smart devices aren’t necessarily insecure. They’re also not necessarily bad ideas. They do, though, introduce potentially vulnerable devices into the home in areas that were, for the most part, doing just fine being dumb.

https://www.wired.com/2017/01/dumb-smart-gear-thatll-get-hacked-2017/

‘Molecular’ Cybersecurity Vs. Information Cybersecurity

Now, imagine a similar attack on an oil refinery where compromised systems include the proprietary industrial control systems that manage volatile processes. When I say volatile, I’m referring to processes where a boiler is heating oil by hundreds of degrees separating molecules to produce gasoline and other products. With appropriate access, a bad actor can change how hot that boiler is configured to run. If you combine that with disabled safety systems, production, environments — even lives — can be severely affected.

http://www.darkreading.com/threat-intelligence/molecular-cybersecurity-vs-information-cybersecurity/a/d-id/1327826

Russia Cyberattacks On US: Moscow Denies Knowledge Of Cyberwarfare Agency

Viktor Ozerov, the head of Federation Council Committee on Defense and Security, earlier denied a cyberwarfare division even existed in the Russian military. “We do not interfere in any information system in peacetime, be it military or civilian,” he said, adding that Moscow only worked on protecting its own systems. Their comments come at a time when the Russian military is reportedly seeking to recruit candidates with knowledge of programming for specialized “science companies.”

http://www.ibtimes.com/russia-cyberattacks-us-moscow-denies-knowledge-cyberwarfare-agency-2473585

Ukraine power cut ‘was cyber-attack’

It said that both the 2015 and 2016 attacks were connected, along with a series of hacks on other state institutions this December, including the national railway system, several government ministries and a national pension fund. Oleksii Yasnskiy, head of ISSP labs, said: “The attacks in 2016 and 2015 were not much different – the only distinction was that the attacks of 2016 became more complex and were much better organised.”

http://www.bbc.com/news/technology-38573074

Is DC’s Subway Ready for a Cyberattack?

“Should a cyberattack cripple WMATA’s ability to collect fares for days at a time, or have the effect of deterring alarmed riders, the financial implications would only exacerbate WMATA’s serious and mounting fiscal problems,” Warner said. “A cyberattack could potentially threaten these vital networks as well, putting riders at risk if an accident or emergency were to occur during a cyberattack.”

http://www.nextgov.com/cybersecurity/2017/01/dcs-subway-ready-cyberattack/134482/

UK Parliament suddenly remembers it wants to bone up cyber security *cough* Russia *cough*

The chair of the Joint Committee on the National Security Strategy, Margaret Beckett MP, commented: “Attention has recently focused on the potential exploitation of the cyber domain by other states and associated actors for political purposes, but this is just one source of threat that the Government must address through its recently launched five-year strategy.”

http://www.theregister.co.uk/2017/01/10/mps_cybersecurity_inquiry/

Wary of Russian Cyber Threat, France Plans to Bolster its Army of ‘Digital Soldiers’

Bracing for the new cyber front in warfare, French Defense Minister Jean Yves Le Drian said France is ramping up its defenses and doubling its ranks of “digital soldiers.” In a nod to Russia’s meddling in the U.S. elections, he also acknowledged France’s infrastructure, media, and democracy are vulnerable to cyber incursions. France, says Le Drian, is prepared to respond to cyber attacks with more traditional military means. “France reserves the right to respond by all means it deems appropriate,” he said.

http://foreignpolicy.com/2017/01/10/wary-of-the-russian-cyber-threat-france-plans-to-bolster-its-army-of-digital-soldiers-cyber-attack-europe-elections-hack/

Security chief: Germany must go on cybersecurity offensive

“We cannot only operate defensively,” Hans-Georg Maaßen, head of the Bundesamt für Verfassungsschutz (BfV), told Deutschen Presse-Agentur Tuesday. “We must also be in a position to attack an enemy and stop them from carrying out further attacks on us.” […] The security chief’s statement echoes Interior Minister Thomas de Maizière’s previous comments on cyberattacks. In proposals to reform the country’s security architecture, he said: “When we have identified the origin of the cyberattack, we also need to be able to actively fight back.”

http://www.politico.eu/article/security-chief-germany-must-go-on-cybersecurity-offensive/

Top obstacles and benefits of security framework adoption

The top five impediments to cybersecurity framework implementation were reported as follows:

  • Lack of trained staff
  • Lack of necessary tools to automate controls
  • Lack of budget
  • Lack of appropriate tools to audit continuous effectiveness of controls
  • Lack of integration among tools

https://www.helpnetsecurity.com/2017/01/09/security-framework-adoption/

‘Zero Trust’: The Way Forward in Cybersecurity

“Zero Trust,” a widely accepted term originally coined by Forrester, is a data-centric network design that puts micro-perimeters around specific data or assets so that more-granular rules can be enforced. Zero Trust networks solve the “flat network” problem that helps attackers move undetected inside corporate networks so they can find and exfiltrate sensitive data. The shift to Zero Trust is applicable across all industries — from government to retail, healthcare, and everything in between. Here are five steps to get companies started on the path to Zero Trust.

http://www.darkreading.com/attacks-breaches/zero-trust-the-way-forward-in-cybersecurity/a/d-id/1327827

Buggy Domain Validation Forces GoDaddy to Revoke Certs

“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process,” Thayer said in a statement. “The bug caused the domain validation process to fail in certain circumstances.” […] “When the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found,” Thayer explained, adding that GoDaddy was not aware of any compromises related to the bug.

https://threatpost.com/buggy-domain-validation-forces-godaddy-to-revoke-certs/123038/
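As an added illustration (not GoDaddy’s code; the path, code value and both servers are constructed here), this models the kind of loose “is the code anywhere in the response” search the statement describes, beside a stricter check that a catch-all web server echoing the requested path cannot satisfy:

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: str

# Constructed values for this example (not GoDaddy's real token or path layout).
CODE = "ran-dom-code-9f8e7d6c"
LEGACY_PATH = f"/.well-known/pki-validation/{CODE}.txt"   # code rides in the URL (assumed)
FIXED_PATH = "/.well-known/pki-validation/godaddy.txt"     # code only in the file body (assumed)

def buggy_found(resp: Response) -> bool:
    """Loose check: any 2xx whose text contains the code counts as a hit.
    A server that answers every URL with 200 and echoes the requested path
    (assumed configuration) 'contains' the code although the domain owner
    never published it."""
    return 200 <= resp.status < 300 and CODE in resp.body

def strict_found(resp: Response) -> bool:
    """Hardened check: exactly 200, and the trimmed body must equal the code.
    Combined with FIXED_PATH, nothing in the request can be echoed back to
    satisfy the search."""
    return resp.status == 200 and resp.body.strip() == CODE

def catch_all_server(path: str) -> Response:
    """Constructed web server that returns 200 and echoes any requested path."""
    return Response(200, f"<h1>No such page: {path}</h1>")

def honest_server(path: str) -> Response:
    """Constructed server where the owner actually published the file."""
    if path == FIXED_PATH:
        return Response(200, CODE + "\n")
    return Response(404, "Not Found")

def run_checks() -> dict:
    echo = catch_all_server(LEGACY_PATH)
    return {
        "buggy_on_catch_all": buggy_found(echo),                         # False positive
        "strict_on_catch_all": strict_found(echo),                       # Rejected
        "strict_on_honest": strict_found(honest_server(FIXED_PATH)),     # Accepted
        "strict_on_missing": strict_found(honest_server("/other.txt")),  # Rejected
    }
```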

How Spy Agency Vets Read That Bombshell Trump Report: With Caution

At the very least, the document is no hoax: According to CNN and the Guardian, senior intelligence officials presented a two-page summary of its contents to both Trump and President Obama. Trump, for his part, denied the report immediately and furiously. […] But those who spent their careers in the intelligence world are reading the report with more tempered skepticism, what ex-CIA analyst Patrick Skinner describes as “interested caution.” He says he’s neither dismissing the report nor taking its claims at face value, but like other intelligence agency alums WIRED spoke to, called it “raw intelligence” that would require far more work before it can be considered useful evidence.

https://www.wired.com/2017/01/spy-agency-vets-read-bombshell-trump-report-caution/

NSF seeks proposals exploring blockchain potential to improve resiliency of cyberinfrastructure

Although the grant is not explicitly focused on blockchain, it notes the potential of the technology to ensure the integrity and confidentiality of data. It stated: “With the growing amount of remote instruments and the increasing amount of data being collected from multiple, often remote, wireless and mobile sensors, science is increasingly distributed and virtual. Solutions such as the introduction of blockchain technology are needed to ensure the integrity and confidentiality of data as it traverses multiple environments such as mobile, cloud, campus, and Internet networks.”

http://www.econotimes.com/NSF-seeks-proposals-exploring-blockchain-potential-to-improve-resiliency-of-cyberinfrastructure-482753

Missouri bill limits warrantless stingray use

The proposed legislation, HB 403, would also prohibit a law enforcement officer from using the device to assist an investigation conducted by a federal law enforcement agency or an agency from another state without the consent of the owner or possessor of the monitored communications device or a warrant issued under the act, according to a summary of the bill. HB 403 would also require authorization to use stingrays for up to a 30-day period, though additional 30-day extensions could be granted, and it specifies how and when the data obtained by the devices can be used. It also includes a provision allowing a motion to suppress unlawfully obtained information derived from the device.

https://www.scmagazine.com/missouri-bill-hb-403-limits-warrantless-stingray-use/article/631033/

Professionally designed ransomware Spora might be the next big thing

The malware does contain a hard-coded RSA public key, but this is used to encrypt a unique AES key that is locally generated for every victim. This AES key is then used to encrypt the private key from a public-private RSA key pair that’s also locally generated and unique for every victim. Finally, the victim’s public RSA key is used to encrypt the AES keys that are used to encrypt individual files. In other words, the Spora creators have added a second round of AES and RSA encryption to what other ransomware programs have been doing until now.

http://www.csoonline.com/article/3156984/security/professionally-designed-ransomware-spora-might-be-the-next-big-thing.html