IT Security News Blast 2-9-2017

The unexpected legal consequences of cyber-attacks

They can be exposed to lawsuits from customers whose personal details are compromised, from credit card companies and from companies with which they have specific confidential contracts. Individual executives and directors can also be exposed to personal suits for breach of fiduciary duty and a duty of care that they are bound by. Thus, for example, during 2015, US retail giant Target was required to pay an aggregate $250 million to settle a suit filed against it by a credit card company after Target’s computers were breached with the details of 70 million credit card numbers leaked, compelling the credit card company to issue millions of new cards.

http://www.globes.co.il/en/article-The-unexpected-legal-consequences-of-cyber-attacks-1001176111

Feds fine Dallas hospital $3.2M for HIPAA security violations

The medical center also appears to have not fully cooperated with OCR during an investigation, agency documents show. OCR traditionally enters into a settlement agreement with a HIPAA covered entity following negotiations over the size of a monetary fine and conditions of a corrective action plan. […] OCR Director Jocelyn Samuels has significantly ramped up HIPAA enforcement actions during the past year and has indicated that such actions will continue this year.

http://www.healthdatamanagement.com/news/feds-fine-dallas-hospital-32m-for-hipaa-security-violations

U.S. Visitors May Have to Hand Over Social Media Passwords: DHS

Homeland Security Secretary John Kelly told Congress on Tuesday the measure was one of several being considered to vet refugees and visa applicants from seven Muslim-majority countries. “We want to get on their social media, with passwords: What do you do, what do you say?” he told the House Homeland Security Committee. “If they don’t want to cooperate then you don’t come in.”

http://www.nbcnews.com/news/us-news/amp/us-visitors-may-have-hand-over-social-media-passwords-kelly-n718216

Security firm agrees many others use fear to propel sales

Many venture capital companies have started to collect money aggressively to reinvest into startups, promising their investors to create a new Facebook or Google in cyber security, he said. “Once they enter into a startup, they usually start pressuring the founders to boost sales by all possible means, without really caring if their solutions actually help the customers,” said Kolochenko. “At the end of the day, companies purchase cyber security products that they don’t really need or are not appropriate for their risks, business processes or infrastructure.”

http://www.computerweekly.com/news/450412311/Security-firm-agrees-many-others-use-fear-to-propel-sales

Maryland bill boosts criminal penalties against ransomware perpetrators

Susan Lee’s (D-Montgomery) bill redefines a ransomware attack as a stand-alone felony in a case where the intent is to extort money, property, or anything of value from another. If passed, those convicted would face a possible 10-year prison sentence and a fine up to $10,000. The proposed law would lower the standard of what is considered a felony to include extortion attempts of less than $1,000, according to NBCWashington.

https://www.scmagazine.com/maryland-bill-boosts-criminal-penalties-against-ransomware-perpetrators/article/636868/

End the Privacy Shield: Access Now urges the European Commission to suspend Privacy Shield due to changes in US policies

“The Commission must react to the recent changes in US law and policies that put in doubt the validity of ‘written assurances’ which are the basis of the data transfer arrangement”, said Fanny Hidvegi, European Policy Manager at Access Now. “The EU should take a stand against government surveillance whether it’s coming from the US or EU member states, and ensure the application of the Charter for Fundamental Rights in this context to complement the jurisprudence of the European Court of Human Rights”.

https://www.accessnow.org/end-privacy-shield-access-now-urges-european-commission-suspend-privacy-shield-due-changes-us-policies/

Tokenization vs. Encryption: Understanding the Difference

Whether your organization should opt for tokenization or encryption will depend on your own unique requirements. If you want to stay compliant while reducing your obligations under PCI DSS, you can opt to use tokenization. If you want scalability, and have to encrypt large volumes of data, then encryption is ideal since you only need a small encryption key. But regardless of which one you choose for protecting private information, both tokenization and encryption can help satisfy regulatory requirements imposed by PCI DSS, HIPAA-HITECH, GLBA, ITAR and the upcoming EU Data Protection Regulation.

https://dzone.com/articles/tokenization-vs-encryption-understanding-the-diffe

Valve Patches Trivial XSS Bug in Steam

Valve Corp. has patched a cross-site scripting vulnerability on its popular Steam gaming platform that could be exploited by viewing a maliciously crafted profile. The flaw could allow an attacker to carry out phishing attacks or execute malicious scripts just by opening a crafted profile page. “I would advise against viewing suspicious profiles until further notice and disable JavaScript in your browser options,” said a Steam subreddit moderator yesterday before the bug was fixed. “Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser.”

https://threatpost.com/valve-patches-trivial-xss-bug-in-steam/123647/

Mac malware from Iran targeting US defense industry, human rights activist

The malware is easily available for download via an Adobe Flash Installer, and interested downloaders can choose either a Windows-based or a Mac-based version. The malware is designed to spy on the targeted computer and obtain important credentials. To perform its task, the malware generates fake system login boxes, which it collects from Keychain, the password management system of Apple Inc. Researchers claim that the malware is not of superior quality and seems like the work of an “amateur developer.”

https://www.hackread.com/iranian-hackers-targeting-us-defense-mac-malware/

Cellphone Spy Tools Have Flooded Local Police Departments

Hundreds of documents obtained by CityLab from the country’s top fifty largest police departments over the last ten months reveal that similar cellphone surveillance devices have been quietly acquired by local authorities nationwide. The majority of these departments have at least one of two main types of digital-age spy tools: cellphone interception devices, used to covertly track or grab data from nearby mobile devices, and cellphone extraction devices, used to crack open locked phones that are in police possession and scoop out all sorts of private communications and content.

http://www.citylab.com/crime/2017/02/cellphone-spy-tools-have-flooded-local-police-departments/512543/

House Republicans Just Voted to Eliminate the Only Federal Agency That Makes Sure Voting Machines Can’t Be Hacked

In a little-noticed 6-3 vote today, the House Administration Committee voted along party lines to eliminate the Election Assistance Commission, which helps states run elections and is the only federal agency charged with making sure voting machines can’t be hacked. The EAC was created after the disastrous 2000 election in Florida as part of the Help America Vote Act to rectify problems like butterfly ballots and hanging chads. (Republicans have tried to kill the agency for years.)

https://www.thenation.com/article/house-republicans-just-voted-to-eliminate-the-only-federal-agency-that-makes-sure-voting-machines-cant-be-hacked/

Important lessons on cybersecurity

As you begin your term, I encourage you to take the lessons learned from your predecessor to heart when crafting cybersecurity policy. This means adopting the recommendations of the national action plan and going beyond them. It means ensuring there is an advocate for cybersecurity in the room when budget and policy decisions are made. It means working with Congress to implement existing law on information sharing and to pass new legislation on developing the workforce needed to address these issues and securing the internet of things.

http://thehill.com/opinion/op-ed/318386-important-lessons-on-cybersecurity

Snowden Spawns Wave of Cybersecurity Startups (T, CSCO)

Since the former NSA contractor’s revelations that the federal government was sponsoring a nationwide surveillance program, more companies have been turning away from market leaders like Cisco while making a beeline for network infrastructure startups that offer cheaper and easier solutions. As a result, nascent companies in this space have been raking in serious coin. According to Bloomberg News, citing data from CB Insights, the researcher that tracks tech startups and venture capital funding, this startup space has surged 47%, to $6.35 billion.

http://www.investopedia.com/news/snowden-spawns-wave-cybersecurity-startups-t-csco/

Fort Gordon activates 2 cyber units

The two units began the first day of their history Tuesday as part of the Cyber Protection Battalion. The battalion commander, Lt. Col. John Popiak, oversaw the ceremony and installed the battalion’s new companies, including the unfurling of the unit flags, or guidons. “This ceremony is rare,” Popiak said. “Typically, you’ll see movement of units from place to place but here we are substantiating new units where we had none before.”

http://chronicle.augusta.com/news/2017-02-07/fort-gordon-activates-2-cyber-units

New charges for ex-NSA contractor for allegedly taking elite hacking tools

According to prosecutors, Harold “Hal” Martin took a slew of highly classified documents out of secure facilities and kept them at his home and in his car. Earlier this week, the Washington Post reported that among those materials, Martin is alleged to have taken 75 percent of the hacking tools that were part of the Tailored Access Operations, an elite hacking unit within NSA. The indictment outlines 20 specific documents that he is accused of having taken, including “a March 2014 NSA leadership briefing outlining the development and future plans for a specific NSA organization.”

https://arstechnica.com/tech-policy/2017/02/new-charges-for-ex-nsa-contractor-for-allegedly-taking-elite-hacking-tools/

Revealed: Malware that skulks in memory, invisibly collecting sysadmins’ passwords

Kaspersky Lab experts were set on the trail on the malware campaign by “banks in CIS which had found the penetration-testing software, Meterpreter, now often used for malicious purposes, in the memory of their servers when it was not supposed to be there”. The Meterpreter code was combined with a number of legitimate PowerShell scripts and other utilities. The combined tools had been adapted into malicious code that could hide in the memory, invisibly collecting the passwords of system administrators.

https://www.theregister.co.uk/2017/02/08/hidden_malware_menaces_enterprises/

76 Famous iOS Apps Vulnerable to Silent Data Interception

Verify.ly founder Will Strafach released a detailed report in which he outlined the findings clearly, and stated that 33 apps out of the vulnerable 76 are categorized as low-risk while 24 are in the medium-risk group and 19 are counted as high-risk apps. Strafach further stated that their system has shortlisted “hundreds of applications” that are likely to have higher vulnerability to data interception. He tested the company’s claim using a “live iPhone running iOS 10” along with a “malicious proxy” to embed an invalid TLS certificate inside the connection.

https://www.hackread.com/76-ios-apps-vulnerable-to-silent-data-interception/

Report: More than 100K WordPress web pages defaced following disclosure of patched bug

WordPress developers waited nearly a week to acknowledge the severe vulnerability so that they could first privately inform various content delivery platforms and website hosts of the issue and give them time to install the CMS’ latest update, version 4.7.2. Apparently, however, many other website owners didn’t bother to download the patch, even after the disclosure – opening the door for adversaries to swoop in and attack. Indeed, researchers at Sucuri reported on Monday that hackers began probing for and exploiting the flaw within 48 hours of it going public.

https://www.scmagazine.com/report-more-than-100k-wordpress-web-pages-defaced-following-disclosure-of-patched-bug/article/636877/

Opinion: How to have a FUD-free RSA Conference

First, steer clear of booths draped in yellow, orange, red, and black. It’s the first indication to proceed with caution. There’s a reason why warning and danger signs use these colors – they are meant to scare you. Turn around if you see stereotypical hacker images: guys in ski masks, people wearing gloves while typing, or anyone in dark hoodies. Anything that looks ominous is a pure sign of FUD.

http://www.csmonitor.com/World/Passcode/Passcode-Voices/2017/0208/Opinion-How-to-have-a-FUD-free-RSA-Conference