IT Security News Blast 2-23-2017

Upcoming meeting of the Association of Continuity Professionals – meeting 3/9 at the Space Needle, Seattle

You are welcome to forward this invite to anyone in your organization who may be interested. Attendance is limited to the first 100 registrants. The topic is one we often give too little attention until it is needed, by which point it is too late: Continuity of Operations, Business Continuity and Disaster Recovery Planning. The recent attention to “everything west of I-5 is GONE” has subsided. Come hear nationally renowned security experts and B/C & D/R professionals discuss real survival scenarios.

https://www.eventbrite.com/e/acp-chapter-meeting-how-to-survive-a-disaster-tickets-31724340356

Before you buy another cybersecurity buzzword

Before you purchase that nextgen-APT-machine learning-big data-insider threat-AI-Dark Net-mobile-cloud-IoT solution, ask yourself if you’re getting value out of what you already own. In our industry, the security solutions can be extensible – which is often code for complex. Complex things require tuning to perform. Tuning can be slow, problematic and resource intensive. To overcome this, you need automated security instrumentation solutions to validate use cases[.]

http://www.csoonline.com/article/3171933/security/before-you-buy-another-cybersecurity-buzzword.html

Fewer Than One-Fourth Of Cybersecurity Job Candidates Are Qualified

Sobering news on the cybersecurity hiring front: More than 20% of organizations get fewer than five applicants for an open security job and more than half of all positions (55%) take at least three months to fill with a qualified candidate. Of those who do apply, fewer than 25% are actually qualified for the posted job, according to a new ISACA report released at last week’s RSA Conference in San Francisco.

http://www.darkreading.com/vulnerabilities—threats/fewer-than-one-fourth-of-cybersecurity-job-candidates-are-qualified/d/d-id/1328244?

First-in-nation state-mandated cybersecurity regulation takes effect March 1

The rules, as released by the governor along with New York’s Department of Financial Services, were originally proposed in September 2016 and, following a 45-day comment period, a final version was issued on February 20, 2017. The regulation adapts industry best practices – such as guidelines issued by the Securities and Exchange Commission and the Financial Industry Regulatory Authority (FINRA) – and contains 23 sections calling for such things as encryption of all non-public information, appointing a CISO, employee training in security, enhanced multifactor authentication and the yearly submission by a senior officer of a certification affirming that the company is in compliance with the regulation’s requirements.

https://www.scmagazine.com/first-in-nation-state-mandated-cybersecurity-regulation-takes-effect-march-1/article/639528/

How to Bury a Major Breach Notification

Amid the hustle and bustle of the RSA Security Conference in San Francisco last week, researchers at RSA released a startling report that received very little press coverage relative to its overall importance. […] RSA said that in April 2016 it “sinkholed” or took control over the Web site that the malware used as a control server — oraclesoft[dot]net — and from there they were able to see indicators of which organizations might still be running the backdoored software. According to RSA, the victims included five major defense contractors; four major telecommunications providers; 10+ western military organizations; more than two dozen Fortune 500 companies; 24 banks and financial institutions; and at least 45 higher educational institutions.

https://krebsonsecurity.com/2017/02/how-to-bury-a-major-breach-notification/

Cyber-Extortion: A How-To Guide

    Is the threat credible?

    If the exploitation of a security vulnerability is threatened, can the organization identify the vulnerability without the aid of the extortionist?

    If the disclosure of non-public information is threatened, is there any evidence that the information has not already been disclosed or shared with others?

    If an extortion demand is paid what is the likelihood that your organization will receive similar demands in the near future?

    If your organization were to pay the demand is it likely that the recipient of the funds may be associated with terrorism or located in a restricted country?

    Is cyber-extortion covered under your cyber insurance policy?

http://www.lexology.com/library/detail.aspx?g=641bbf92-a154-48f3-b37d-8ce335d68e51

I Tracked Myself With $170 Smartphone Spyware that Anyone Can Buy

SpyPhone Android Rec Pro can make copies of all SMS messages sent or received by the infected phone, preserve the device’s call log, steal photos taken with the phone’s camera, and pinpoint where the device is located within 5 metres using GPS. It then sends all of this collected information to a provided email address, either once a day or as frequently as every hour. As the name suggests, the malware also intercepts all incoming and outgoing phone calls, and, as demonstrated, allows the remote activation of the device mic.

https://motherboard.vice.com/en_us/article/i-tracked-myself-with-dollar170-smartphone-spyware-that-anyone-can-buy

What is cyber warfare?

Definitions are important at this level of national security, because legally justifiable responses depend upon them being accurate. In the case of cyber warfare, it’s not as straightforward as you might imagine. The dictionary definition doesn’t even mention attribution, let alone the clear and unambiguous attribution that would be required for an act of cyber warfare to be declared. Is anyone under cyber warfare attack? The answer, if you go by the dictionary definition, is an unequivocal yes.

http://www.itpro.co.uk/security/28170/what-is-cyber-warfare

Russia’s defense chief to mobilize new cyber army

A cyber army has been established within the Russian military, Defense Minister Sergey Shoigu announced while addressing the State Duma (lower house of parliament). “The Information operations forces have been established, that are expected to be a far more effective tool than all we used before for counter-propaganda purposes,” he said. “Propaganda should be smart, competent and effective,” the defense minister stressed.

http://tass.com/defense/932439

Expectations for cyber security risk disclosure published by CSA

While a recently published survey has suggested that cyber security incidents in Canada have significantly increased over the last few years, the CSA found that none of the 240 issuers surveyed disclosed that they had been subject to a cyber-attack that they considered material. Not surprisingly, the foregoing is consistent with practices in the United States where, since 2010, only 95 of the U.S.’s 9,000 publicly listed companies have informed the SEC of a data breach while the number of breaches or hacks across all U.S. businesses totaled 2,642 during the same period.

http://www.lexology.com/library/detail.aspx?g=06d504d9-2255-4f57-93d3-12d04ae63716

DOE tries to spur development of defenses against Ukraine-style electrical grid cyberattack

The Department of Energy doled out $4 million in grant funding earlier this month to four different cybersecurity firms in an effort to spur the development of new technology that can help protect U.S. electricity delivery systems from hackers. […] The research, development and demonstration projects “will lead to next generation tools and technologies that will become widely adopted to enhance and accelerate deployment of cybersecurity capabilities for the U.S. energy infrastructure, including cyber secure integration of smart grid technologies,” a summary within the original “Funding Opportunity” document from January 2016 reads.

https://www.fedscoop.com/doe-tries-spur-development-defenses-ukraine-style-electrical-grid-cyberattack/

Threat via Whisper prompts FBI to show up: “holy f**k I’m… going to get raided”

If we’ve said it once, we’ve said it 1,000 times: these so-called “anonymous” messaging apps simply aren’t anonymous. To put it another way, if you’re dumb enough to make violent threats on them, you’ll get caught. According to a newly released federal criminal complaint, Garrett Grimsley of Cary, North Carolina, allegedly used the Whisper app to make such remarks on February 19. Hours later, local police and the FBI arrived at his door to search his apartment.

https://arstechnica.com/tech-policy/2017/02/threat-via-whisper-prompts-fbi-to-show-up-holy-fk-imgoing-to-get-raided/

Trump must address critical cybersecurity expert shortage

President Trump’s administration has a great opportunity to step up and secure digital identities and data by investing in cybersecurity education programs. Boot-camp-style, hands-on training programs could be the answer to America’s digital security problems. Teaching by solving practical cyber challenges with actual cybersecurity tools provides an opportunity for students to obtain up-to-date knowledge and skills in a condensed timeframe. Speedy three-to-six-month training, focusing on practical hands-on experience, would prepare students for entry-level cybersecurity jobs.

http://thehill.com/blogs/pundits-blog/technology/320496-trump-must-address-critical-cybersecurity-expert-shortage

Trump’s hiring freeze is taking jobs away from cybersecurity students

But as long as the hiring freeze continues, critical cybersecurity jobs will go unfilled and students who received federal scholarships to fill those positions will instead be saddled with surprise debt. Because the federal government has struggled to recruit qualified cybersecurity professionals, it offers several scholarship programs to encourage new graduates to work in the public sector. In exchange for tuition, students are required to take government jobs after graduation. If they fail to find a job, graduates have to reimburse the government.

https://techcrunch.com/2017/02/22/trumps-hiring-freeze-is-taking-jobs-away-from-cybersecurity-students/

Why the private sector shouldn’t rely on feds for cybersecurity

Keep your expectations low if you are a private company calling the federal government for help after a cyber incident — at least that’s what two former Department of Homeland Security officials warn. […] Mark Weatherford, chief cybersecurity strategist at vARMOUR and former deputy undersecretary for cybersecurity at the Department of Homeland Security, said that when he was at DHS he encouraged the private sector to call his agency, though more often than not, companies would reach out to the FBI, if they reached out at all. “I think what the private sector wants is information” after a breach, he said. “The last thing that the private sector wants is to see a bunch of military guys pull up front and say, ‘We’re here to help.'”

https://fcw.com/articles/2017/02/21/private-sector-on-its-own-cyber.aspx

Ars Technica Live: What to do when border officials ask for your passwords

Ghappour, who worked with prisoners at Guantanamo Bay detention camp in Cuba, outlined what happens to the rights of people who are in nebulous zones at the edges of nations. If you’re curious about your rights at the border, how ICE’s future deportations will work, and the longest amount of time any US citizen has been detained by border agents, you need to watch this conversation (or, alternatively, listen to the podcast below).

https://arstechnica.com/video/2017/02/ars-technica-live-what-to-do-when-border-officials-ask-for-your-passwords/

Blundering Boeing bod blabbed spreadsheet of 36,000 coworkers’ personal details in email

Global aerospace firm Boeing earlier this month sent a notification to Washington State Attorney General Bob Ferguson, as required by law, about a company employee who mistakenly emailed a spreadsheet full of employee personal data to his spouse in November, 2016. The spreadsheet, sent to provide the employee’s spouse with a formatting template, contained the personal information of roughly 36,000 other Boeing employees, including Social Security numbers and dates of birth, in hidden columns. Some 7,288 of the affected employees resided in Washington State.

https://www.theregister.co.uk/2017/02/22/boeing_employee_emails_personal_info_36000_colleagues/

Chrome Users Beware- Do Not Fall Prey to Missing Font Malware Campaign

According to their research, Chrome users are mainly being lured to download a missing font. However, this is just a trick and the actual purpose is to get the malware installed on their systems. This campaign was identified by NeoSmart Tech while exploring a WordPress website, which was seemingly compromised as all the text on the site appeared to be mixed-up and then the site’s visitors were prompted to install a missing font to fix the issue. To do this, the victim will have to update the Chrome font pack.

https://www.hackread.com/chrome-missing-font-hacking-campaign/

11-Year Old Linux Kernel Local Privilege Escalation Flaw Discovered

A more than decade-old Linux kernel bug (CVE-2017-6074) has been discovered by security researcher Andrey Konovalov in the DCCP (Datagram Congestion Control Protocol) implementation using Syzkaller, a kernel fuzzing tool released by Google. The vulnerability is a use-after-free flaw in the way the Linux kernel’s “DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.”

http://thehackernews.com/2017/02/linux-kernel-local-root.html
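The practical question for a defender is whether the DCCP code can be reached on a given host at all: the protocol is rarely used, and on most distributions dccp.ko is only pulled in on demand when something opens a DCCP socket. The POSIX shell script below is an added example (not code from The Hacker News, the researcher or the kernel project). It checks a modprobe.d directory for an `install dccp /bin/true` override, which makes modprobe run /bin/true instead of loading the module so the protocol-family modules that depend on it cannot load either, and reports `blacklist dccp` on its own as weak, because a blacklist line only disables the module’s internal aliases for autoload. The directory argument and the function names are this example’s own; /etc/modprobe.d is assumed as the default location.

```shell
#!/bin/sh
# Added example: check whether a host has disabled the DCCP kernel module.
# Assumptions (not from the article): modprobe.d-style config lives in the
# directory passed as $1 (default /etc/modprobe.d), and the mitigation of
# record is an "install dccp /bin/true" line, which stops modprobe from
# loading dccp.ko even when an unprivileged socket(AF_INET, SOCK_DCCP, 0)
# asks the kernel to autoload it.

# Return 0 if any .conf file in the directory overrides how dccp is installed.
dccp_install_overridden() {
    dir="$1"
    [ -d "$dir" ] || return 1
    grep -Eqs '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/(true|false)' "$dir"/*.conf
}

# Return 0 if the directory only carries "blacklist dccp" and no install
# override. Blacklisting just ignores the module's internal aliases; an
# explicit modprobe still loads it, so this is reported as weak.
dccp_only_blacklisted() {
    dir="$1"
    [ -d "$dir" ] || return 1
    grep -Eqs '^[[:space:]]*blacklist[[:space:]]+dccp[[:space:]]*$' "$dir"/*.conf \
        && ! dccp_install_overridden "$dir"
}

# Return 0 if a module named exactly "dccp" appears in lsmod-style output
# read from stdin (first line is the "Module Size Used by" header).
dccp_loaded_in() {
    awk 'NR > 1 && $1 == "dccp" { found = 1 } END { exit !found }'
}

# Print a verdict for the live host; the config check is offline-safe.
dccp_report() {
    dir="${1:-/etc/modprobe.d}"
    if lsmod 2>/dev/null | dccp_loaded_in; then
        echo "dccp is loaded now; unload it (rmmod dccp_ipv6 dccp_ipv4 dccp) after fixing the config"
    fi
    if dccp_install_overridden "$dir"; then
        echo "OK: install override for dccp present in $dir"
    elif dccp_only_blacklisted "$dir"; then
        echo "WEAK: only 'blacklist dccp' in $dir; add 'install dccp /bin/true'"
    else
        echo "MISSING: no dccp override in $dir"
    fi
}
```

Run it as `dccp_report` on a host to get the verdict, or `dccp_report /path/to/modprobe.d` to audit a mounted image. The module check is advisory: a host that has never opened a DCCP socket will show nothing loaded and still be one `socket()` call away from exposure if the install override is missing.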

Tunneling Through The “Walls” Of IoT In The Enterprise

Network security architecture can, and should, learn a lot from building and city architecture. The lessons can be abstracted to achieve the same goals, namely spotting intruders as they approach, and confusing them should they gain entry, or at least slowing their progress. Historically, we architected networks with a distinct management network and a separate data network. The management network requires combinations of physical and logical controls to limit access to a small set of administrators.

http://www.darkreading.com/iot/tunneling-through-the–walls–of-iot-in-the-enterprise/a/d-id/1328201?