IT Security News Blast 2-16-2017

The 10 Most Cyber-Exposed Cities In The US

The findings show that distributions of exposed cyber assets were disproportionate according to population size. The US’ second-most populous city, Los Angeles, topped the list of US cities with approximately 4 million exposed devices online. Meanwhile, the most populous city in the country by a landslide – New York – was a respectable seventh place when ranking these ten cities by overall exposed cyber assets. Even though New York has nearly four times the population of Houston, for example, it has 3.78 times fewer exposed cyber assets.

http://www.darkreading.com/vulnerabilities—threats/the-10-most-cyber-exposed-cities-in-the-us/d/d-id/1328149?

A.I. faces hype, skepticism at RSA cybersecurity show

“I think it (the technology) moves the needle,” he said on Wednesday. “The real open question to me is how much has that needle actually moved in practice?” It’s not as much as vendors claim, Ramzan warned, but for customers it won’t be easy cutting through the hype and marketing. The reality is that a lot of the technology now being pushed isn’t necessarily new. In particular, he was talking about machine learning, a subfield in A.I. that’s become a popular marketing term in cybersecurity. In practice, it essentially involves building algorithms to spot bad computer behavior from good.

http://www.networkworld.com/article/3170866/security/ai-faces-hype-skepticism-at-rsa-cybersecurity-show.html

Company boards and management becoming more engaged with cyber-risks

“Despite a positive trend towards increased levels of engagement observed from senior management and the board on cyber-security matters, a high percentage of organisations are still lacking confidence in their ability to identify their most valuable data assets – the ‘crown jewels’, said Ryan Rubin, managing director of security and privacy services within the UK. Rubin added: “This will become even more challenging as organisations further adopt cloud and mobile computing to support new digital initiatives and increasingly rely on third parties to support their business initiatives.”

https://www.scmagazine.com/company-boards-and-management-becoming-more-engaged-with-cyber-risks/article/638149/

Only 43% of Canadian companies could detect a sophisticated cyber-attack

“Creating a robust cybersecurity program is a long, focused process, and many companies haven’t taken that step. That’s why 72% of our survey’s respondents said they need up to 50% more budget for their cyber needs.” Raman adds, “Only 6% of organizations evaluate the financial impact of every significant breach. If companies can’t paint a picture of how much a cyber-attack dented their bottom line, it’s difficult to make a case for greater investment. Evaluating impact is paramount.”

https://finance.yahoo.com/news/only-43-canadian-companies-could-143000306.html

Yahoo’s hack warning comes from a third breach, the company says

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson said in an emailed statement. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”

http://www.cnbc.com/2017/02/15/yahoo-sends-new-warning-to-customers-about-data-breach.html

 Cyber attacks lead Yahoo to accept price cut on $4.8bn Verizon deal

Yahoo has agreed to take a price cut on the original $4.8bn sale of its core business to Verizon, marking one of the first times that the discovery of a cyber attack has resulted in revising an acquisition price, people involved in the negotiations said.

After both sides struggled for months to assess the economic impact of the data breaches suffered by Yahoo, the California-based internet company and its telecom acquirer are close to agreeing a $300m discount, people briefed about the deal said.

https://www.ft.com/content/ed743ace-f3a9-11e6-8758-6876151821a6

Professional Service Companies Face Significant Cyber Risk

Breaches of professional service companies can result in grave damage because the lost data is so immediately and directly useful for financial and identity theft, and their clients are commonly wealthy individuals and profitable businesses with well-funded accounts and valuable identities and credit.  Though hurtful to the clients, such breaches can be catastrophic – even a killer – for a professional service company, which relies heavily on its reputation in the community and the trust of its clients for its welfare and future business.

http://www.mclane.com/thought-leadership/professional-service-companies-face-significant-cyber-risk

RSA: Elite cryptographers scoff at idea that law enforcement can ‘overcome’ encryption

U.S. Attorney General Jeff Sessions’ call for a way to “overcome” cryptography met with scorn from a panel of elite cryptographers speaking at this week’s RSA Conference 2017 in San Francisco. “Any one of my students will be capable of writing good crypto code,” says Adi Shamir, the ‘S’ in RSA and a professor at the Weizmann Institute in Israel. Sessions’ use of the term “overcome” during his confirmation hearings actually means installing backdoors, says Ronald Rivest, the ‘R’ in RSA and a professor at MIT. He cited a joint Congressional study that concluded that weakening encryption works against the national interest, and that encryption is global anyway — so the U.S. can’t call all the shots.

http://www.csoonline.com/article/3170163/security/rsa-elite-cryptographers-scoff-at-idea-that-law-enforcement-can-overcome-encryption.html

Cyber Geneva Convention Is A Must, Says Microsoft President

“Just as the Fourth Geneva Convention has long protected civilians in times of war, we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace,” the post reads. “And just as the Fourth Geneva Convention recognized that the protection of civilians required the active involvement of the Red Cross, protection against nation-state cyber-attacks requires the active assistance of technology companies.”

http://www.econotimes.com/Cyber-Geneva-Convention-Is-A-Must-Says-Microsoft-President-540358

Bill orders Pentagon to fix knowledge gap in National Guard, reserve cyber capabilities

That would change under legislation that’s just been introduced by four senators who argue the lack of such a database is a major gap in the department’s readiness to support civil authorities, especially considering the breadth and depth of cyber expertise already resident in the Guard and reserve, where many service members are IT and cyber professionals in their civilian careers.

http://federalnewsradio.com/dod-reporters-notebook-jared-serbu/2017/02/bill-orders-pentagon-fix-knowledge-gap-national-guard-reserve-cyber-capabilities/

Russia’s cyber war: past, present, and future

Some of these attacks are more significant than others, such as the Russian assault on the American election of 2016. Now France and Germany are voicing concerns that their elections may be the next target. Other serious incidents involve cyber attacks on critical infrastructure, such as the power grid in western Ukraine. In this context, it is instructive to revisit the beginnings of Russia’s cyber warfare strategy.

https://euobserver.com/opinion/136909

 ‘Cyber Confusion’ Takes Ahold Of American Consumers

Of the 5,000 U.S. consumers surveyed, just 36 percent said they would choose to be a customer of their employer knowing what they know about the cybersecurity practices the company has in place. Whether a company works with hackers to help boost security also had an impact on the purchasing decisions of those surveyed. More than one in five (22 percent) said they would be more likely to shop with a brand that hired hackers as part of its cybersecurity efforts. That number rose to 29 percent for customers aged 35–44 years old specifically, while those 55 and older said it would not impact their purchasing decision at all (55 percent).

http://www.pymnts.com/news/security-and-risk/2017/cyber-confusion-takes-ahold-of-american-consumers/

Doubts abound over US action on cybersecurity

“I wish the federal government could do this, but it’s very hard, unfortunately, due to partisan politics,” said Virginia State Governor Terry McAuliffe, during a speech at the show. “They haven’t been able to take the lead on this issue as they should have.” […] Collectively, state governments store more data than the federal government, including residents’ tax returns, healthcare records and drivers’ licenses, he said. That can make them targets of hackers, so McAuliffe has been urging other states to make cybersecurity a priority. “It’s up to the governors of this country to lean in and take the lead,” he said.

http://www.pcworld.com/article/3170192/security/doubts-abound-over-us-action-on-cybersecurity.html

A Chip Flaw Strips Away Hacking Protections for Millions of Devices

[A] team of Dutch researchers has found a technique that undermines that so-called address space layout randomization, creating the You Are Here arrow that hackers need to orient themselves inside a stranger’s computer. That means any of the common memory corruption bugs found in software applications on a daily basis could lead to a much deeper takeover of a target PC or smartphone. And because the attack exploits not software but hardware, it leaves millions of devices at risk regardless of their operating system—and it can’t be fully fixed with any mere software update.

https://www.wired.com/2017/02/flaw-millions-chips-strips-away-key-hacking-defense-software-cant-fully-fix/

House members: EPA officials may be using Signal to “spread their goals covertly”

Two Republican members of Congress sent a formal letter Tuesday to the Environmental Protection Agency’s Office of the Inspector General, expressing concern that “approximately a dozen career EPA officials” are using the encrypted messaging app Signal to covertly plan strategy and may be running afoul of the Freedom of Information Act. The open source app has gained renewed interest in the wake of the election of President Donald Trump.

https://arstechnica.com/tech-policy/2017/02/house-members-epa-officials-may-be-using-signal-to-spread-their-goals-covertly/

OK, it’s time to talk mass spying again: America’s Section 702 powers are up for renewal

Section 702 of the Foreign Intelligence Surveillance Act (FISA) expires at the end of the year – December 31, 2017. As such, it will need to be actively renewed by Congress. And the drumbeat has begun on getting Congress to have a full, public debate on the measure before it authorizes any extension. Just this week, the American Civil Liberties Union (ACLU) called on tech companies to start pushing for reform as it fought a critical legal battle in Ireland over the legality of data sharing between Europe and the United States.

https://www.theregister.co.uk/2017/02/15/section_702_mass_surveillance/

What To Do When All Malware Is Zero-Day

In today’s detection industry, one should think of hashing as more of a shortcut to locate the easy stuff, or rule out known good files (whitelisting). It’s also a data transfer shortcut: one can avoid moving an entire file across the network or into the cloud by instead sending a small hash value, and then query it against a hash database. While detection products have adjusted, file hashes are still used in categorizing malware, sharing intelligence, and working backward to figure out who your adversary is, referred to as attribution. Herein lies a growing problem.

http://www.darkreading.com/threat-intelligence/-what-to-do-when-all-malware-is-zero-day/a/d-id/1328155?

 Homeland Security Chairman: We’re in the Fight of Our Digital Lives

McCaul said he had “no doubt” the Russian government tried to undermine the most recent presidential election by spreading false stories. McCaul said he was briefed by intelligence agencies about the Russian actions last spring and warned the Obama administration and the Trump administration after it took office. “I pushed the issue, but was disappointed with the response in both cases,” he said. “Our democracy is at risk. It didn’t matter to me if this was about a Democrat or Republican.”

http://www.eweek.com/security/homeland-security-chairman-were-in-the-fight-of-our-digital-lives.html

 JavaScript-based ASLR bypass attack simplifies browser exploits

The mitigation technique involves randomly arranging the memory address space positions used by a process so that attackers don’t know where to inject malicious code so that the process executes it. There are methods to bypass ASLR, but they often involve chaining multiple vulnerabilities together, including one that allows for memory disclosure. This new attack removes the need for such additional vulnerabilities, making the exploitation of remote code execution bugs much easier.

http://www.networkworld.com/article/3170579/security/javascript-based-aslr-bypass-attack-simplifies-browser-exploits.html

Researchers trick ‘CEO’ email scammer into giving up identity

Businesses targeted in email scams don’t always have to play the victim. They can actually fight back. Researchers at Dell SecureWorks have documented how they identified a suspected email scammer from Nigeria, by essentially playing along with the scheme to fool the attacker into revealing his true whereabouts. Anyone can use these tips, said Joe Stewart, director of malware research at SecureWorks. “We’re letting them (the scammers) give us all the information about themselves,” he said.

http://www.csoonline.com/article/3170645/security/researchers-trick-ceo-email-scammer-into-giving-up-identity.html