IT Security News Blast 1-30-2017

Hackers hit D.C. police closed-circuit camera network, city officials disclose

Hackers infected 70 percent of storage devices that record data from D.C. police surveillance cameras eight days before President Trump’s inauguration, forcing major citywide reinstallation efforts, according to the police and the city’s technology office. City officials said ransomware left police cameras unable to record between Jan. 12 and Jan. 15. The cyberattack affected 123 of 187 network video recorders in a closed-circuit TV system for public spaces across the city, the officials said late Friday.

https://www.washingtonpost.com/local/public-safety/hackers-hit-dc-police-closed-circuit-camera-network-city-officials-disclose/2017/01/27/d285a4a4-e4f5-11e6-ba11-63c4b4fb5a63_story.html?utm_term=.e2b1aca05532

Web-connected medical devices are great. Unless . . .

But remote control of such a sensitive piece of equipment can be a detriment. Anything connected to the Internet potentially is at risk of hacking — and when the device being hacked is a medical device, the risk could be fatal. […] Recently the FDA released new recommendations, a year in the making, that deal with maintaining the cybersecurity of medical devices after the devices have entered the marketplace. It is important to note that these are merely recommendations and not enforceable regulations.

http://www.usatoday.com/story/money/columnist/2017/01/28/web-connected-medical-devices-great-unless/97084180/

It might be time to stop using antivirus

The problem, from the perspective of the browser makers, is that antivirus software is incredibly invasive. Antivirus, in an attempt to catch viruses before they can infect your system, forcibly hooks itself into other pieces of software on your computer, such as your browser, word processor, or even the OS kernel. O’Callahan gives one particularly egregious example: “Back when we first made sure ASLR was working for Firefox on Windows, many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes.” ASLR, or address-space layout randomisation, is one of the better protections against buffer overflow exploits.

https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/

Dozens of Netgear products vulnerable to authentication bypass flaws

The following day he started gathering other Netgear devices to test. While repeating the process, he made an error, but that didn’t prevent him from obtaining credentials. That accidental discovery resulted in CVE-2017-5521. “After a few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what parameter you send. This is a totally new bug that I haven’t seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models,” Sigler explained in a recent blog post.

http://www.csoonline.com/article/3162850/security/dozens-of-netgear-products-vulnerable-to-authentication-bypass-flaws.html

Texas Police Unit Loses Years Of Evidence To Ransomware

Data lost in the attack dates back to 2009, the department reported. Information stored on CDs and DVDs remains intact, but officials are more concerned about data that relates to ongoing investigations. The hackers used an email with a spoofed address to infect the system and demanded $4,000 to unlock the files. After consulting the FBI, the police ignored the demand. Instead, they wiped the server clean and reinstalled everything.

http://www.darkreading.com/texas-police-unit-loses-years-of-evidence-to-ransomware-/d/d-id/1328008?

‘Real fear’ of jihadi terror attack that could paralyse a transport network or bring down a power grid, warn experts

Analysts fear that while groups such as ISIS may not have the skills themselves, they could hire someone else for the job. ‘Digital attacks with major impacts are unlikely in the short term,’ said Guillaume Poupard, head of France’s digital security service ANSSI, at an international cyber security conference in Lille, France. ‘However, that could change very fast. ‘Our real fear, and we may already be there, is that they will use mercenaries, people who will do anything for money.

http://www.dailymail.co.uk/news/article-4167398/Jihadi-cyber-attack-real-threat-warn-experts.html

Things to Consider When Crossing the US Border

Are your devices encrypted? We recommend full-disk encryption on your devices (laptops, mobile phones, etc.) and choosing secure passphrases. If a border agent asks for your passphrase, you do not have to comply. Only a judge can force you to reveal such information. However, refusal to comply could bear consequences: for noncitizens, you may be refused entry into the country; for citizens, you may be detained until the border patrol decides what to do, which may include seizing your computer, phone, camera, USB sticks, etc.

https://ssd.eff.org/en/module/things-consider-when-crossing-us-border

Luxury Hotel Goes Analog to Fight Ransomware Attacks

But even though Brandstaetter is confident in the hotel’s new and improved cybersecurity measures, he wants to take the security measures a step further. “With our next modernization, we are planning to change the key system so that we go back to old, normal keys,” he said. Brandstaetter’s description of the recent cyberattack on the hotel as “normal” is telling. This is the third time the hotel has been targeted by ransomware in under a year, a nuisance that cost the hotel thousands of dollars during the previous two attacks last summer.

http://motherboard.vice.com/en_uk/read/luxury-hotel-goes-analog-to-fight-ransomware-attacks

Here’s how to hack Donald Trump’s phone

Hacking group Anonymous has repeatedly tweeted against Trump and has warned it will be targeting him. The group on Friday attached a screenshot in a tweet explaining how Trump’s phone is vulnerable to hacking as the phone runs on Android 4.4 OS, which is out-of-date with existing security requirements. The tweet mentioned a software called Stagefright which could be used by anyone to hack into the phone.

http://www.rawstory.com/2017/01/heres-how-to-hack-donald-trumps-phone/

Cyberwarfare: US no longer has geography as defense, ally

“Our adversaries have reached a common conclusion, that the reward for attacking America in cyberspace outweighs the risk,” McCain said. With most of the U.S. critical infrastructure in private hands and Americans among the most connected citizens in the world, the potential attack surface for any hacker is vast and increasing. U.S. officials and lawmakers have argued that because there is no official policy on cyberwarfare, the response to any attack can be slow, politicized and ultimately ineffectual.

http://newsinfo.inquirer.net/866303/cyberwarfare-us-no-longer-has-geography-as-defense-ally

Trump Executive Order May Shatter ‘Privacy Shield’ Pact

Section 14 of the order instructs federal agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” The Privacy Act, passed in 1974, establishes a code of fair information practices that governs the collection, maintenance, use and dissemination of information about individuals that is maintained in systems of records by federal agencies, according to the U.S. Department of Justice.

http://www.bankinfosecurity.com/trump-executive-order-may-shatter-privacy-shield-pact-a-9655

Rogue tweeters in government could be prosecuted as hackers

The online campaign began with unauthorized tweets — on subjects such as climate change inconsistent with Trump’s campaign statements and policies — that have been mostly deleted from official agency accounts. It shifted tactics Thursday as at least 40 new but unofficial “alternative” accounts for federal agencies began spreading across Twitter. […] Employees or former employees publishing unauthorized messages on official accounts could be prosecuted under the U.S. Computer Fraud and Abuse Act, which prohibits someone from exceeding authorized access to computers.

https://www.yahoo.com/tech/rogue-tweeters-government-could-prosecuted-082919326.html

The ‘Star Wars’ botnet with >350k Twitter bots

One of the major challenges of research on Twitter bots is the lack of ground truth data. Here we report our discovery of the Star Wars botnet with more than 350k bots. We show these bots were generated and centrally controlled by a botmaster. These bots exhibit a number of unique features, which reveal profound limitations of existing bot detection methods. Our work has significant implications for cybersecurity, not only because the size of the botnet is larger than those analysed before, but also because it has been well hidden since its creation in 2013.

https://arxiv.org/abs/1701.02405

UK military computers ‘are wide open to Russian hackers’, says one of Britain’s top cyber experts

Major General Jonathan Shaw, a former head of the UK’s cyber defences security programme, said nothing could be done to stop the attacks, which may lead to top-secret information being read by Vladimir Putin. The retired officer also claimed he expects 800 British troops to be targeted by Russian cyber attacks when they deploy to Estonia this summer.

Maj Gen Shaw said: ‘The Russians are past masters at electronic warfare. They will be trying to hack into our systems and we should recognise that total cyber security is unachievable. ‘Essentially we cannot defend ourselves, so it is better to limit the information we store on our military computers.

http://www.dailymail.co.uk/news/article-4167624/UK-military-computers-wide-open-Russian-hackers.html

Wow, look out, hackers: Trump to order 60-day cybersecurity probe

The executive order also notes that the internet is “currently vulnerable to attacks from both state and non-state actors” “that impose significant costs on the US economy and significantly harm vital national interests” and could lead to “significant property damage and loss of life.” Where the order starts to veer away from the policies of the previous administration, however, comes in the degree of importance placed on the internet strategically, and by extension the amount of influence that the US government should be given over the internet – which remains a global network of largely private servers communicating with one another.

https://www.theregister.co.uk/2017/01/27/trump_60day_cybersecurity_review/

Survey: Americans Have Kinda Just Given Up on Cybersecurity

“Many Americans lack faith in various public and private institutions to protect their personal information from bad actors. They express some level of concern about a variety of entities, ranging from telecommunications firms to credit card companies. But their fears are especially pronounced for two institutions in particular: the federal government and social media platforms. Some 28 percent of Americans are not confident at all that the federal government can keep their personal information safe and secure from unauthorized users, while 24 percent of social media users lack any confidence in these sites to protect their data. By contrast, just 12 percent of Americans (and 9 percent of social media users) have a very high level of confidence that these entities can keep their personal information safe and secure.”

http://tech.co/survey-americans-kinda-just-given-cybersecurity-2017-01

There’s Something Very Weird Happening Inside Russia’s Cybersecurity World

“There are a small handful of people who would know if one or both of these men was a US asset or in any way involved in any intelligence operation, and I’m not one of them,” said the US intelligence officer, who asked not to be named due to the sensitivity of the story. “Obviously, this could also be an internal struggle within the FSB, in which case we would have little daylight into what was happening.” […] While most news reports do not directly tie the arrested men to the DNC hack, the Moscow Times reported that Mikhailov’s arrest was due to suspicions that he tipped US officials off to the Russian server rental company “King Servers” which the Arlington-based ThreatConnect cybersecurity company identified last September as a “nexus” used by Russian hackers in attacks against the US.

http://www.cnbc.com/2017/01/27/theres-something-very-weird-happening-inside-russias-cybersecurity-world.html

Quantum Computers Versus Hackers, Round One. Fight!

The early commercial interest in quantum computing, though, focuses less on offense and more on helping beleaguered security analysts not just identify incidents, but decide which of those incidents represent an actual threat. IBM estimates that companies have to sift through 200,000 security events per day on average; that’s certainly more than a human team can dependably vet on their own, and generates enough data over time to challenge traditional computers.

https://www.wired.com/2017/01/quantum-computers-versus-hackers-round-one-fight/

FBI v. Apple: One year later, it hasn’t settled much

Some of those may be coming, however, possibly this year. Congressional committees have studied and reported on the issue. There is draft legislation focused on it in the works. There are ongoing conflicts – legal, legislative and philosophical – over whether forcing private firms to grant government access to data for criminal investigations or surveillance can be done without eroding personal privacy and civil rights. Of course there is the arrival of President Donald Trump, who has not promised any executive orders on the matter, but did famously call for a boycott of Apple when the company refused to comply with the FBI demand.

http://www.csoonline.com/article/3160485/mobile-security/fbi-v-apple-one-year-later-it-hasn-t-settled-much.html

Breach Notification Website LeakedSource Allegedly Raided, Shut Down

Speculations are rife that the website has become the target of a raid from law enforcement for being a controversial platform of breach notification. The assumption comes from the message posted on Pastebin by a user. The message read: “LeakedSource is down forever and won’t be coming back. Owner raided early this morning. Wasn’t arrested, but all SSDs got taken, and LeakedSource servers got subpoenaed and placed under federal investigation. If somehow he recovers from this and launches LS again, then I’ll be wrong. But I am not wrong.”

https://www.hackread.com/data-breach-notification-website-leakedsource-raided/