IT Security News Blast 3-10-2017

Health industry plays catch-up on cybersecurity

Hospitals and other medical businesses have worked to adopt modern information technology, including electronic health records. But at the same time, they are falling behind in the cybersecurity needed to protect confidential patient data and networks. All eyes are on an upcoming report from a Department of Health and Human Services (HHS) task force established under the Obama administration that will detail the industry’s cybersecurity shortfalls. “We have very few specific challenges to healthcare, but a lot of the smaller individual challenges that other sectors face, we have all of them,” Josh Corman, head of the Atlantic Council’s Cyber Statecraft Initiative and a member of the task force, told The Hill.

http://thehill.com/business-a-lobbying/323081-health-industry-plays-catch-up-on-cybersecurity

New Report Finds IT Cybersecurity Shortage Hurting Companies In Fight Against Ransomware

In addition, nine out of 10 respondents reported their company is feeling the impact of a global shortage of skilled IT security personnel, which makes them more susceptible to an attack. In fact, a whopping 61 percent of responding organizations were compromised by ransomware in 2016. And while one in five is unsatisfied with the protection available through Microsoft’s for securing Office 365 deployments, many employees admit that they are not doing all they can to secure their employers’ networks, citing “low security awareness among employees” as a top response, followed by “lack of skilled personnel” and “too much data to analyze.”

http://www.pymnts.com/fraud-prevention/2017/new-report-finds-it-cybersecurity-shortage-hurting-companies-in-fight-against-ransomware/

The CIA Didn’t Break Signal or WhatsApp, Despite What You’ve Heard

Instead, it has the ability, in some cases, to take control of entire phones; accessing encrypted chats is simply one of many security implications of this. Wikileaks’ own analysis of the documents at least briefly acknowledges this, stating that CIA “techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”

https://theintercept.com/2017/03/07/the-cia-didnt-break-signal-or-whatsapp-despite-what-youve-heard/

Is US cyber defense a key weapon against N. Korea’s missile program?

If US cyber attacks contributed to, or were the reason behind these missile failures, it would be a key success for the US in conducting a new type of warfare. However, it is very difficult to independently verify the causal link between US cyber attacks and defective missiles. “We’ll never know for sure, because North Korean missiles crash on their own without any outside help[.]” “On the other hand, some say the military officers recently executed by Kim Jong Un were killed because they had failed to block the missile hacks.”

http://www.dw.com/en/is-us-cyber-defense-a-key-weapon-against-n-koreas-missile-program/a-37871895

Cybersecurity Expert says, “Prepare for a Tidal Wave of New Hacks”

On a scale of the seriousness of threat agents, script kiddies are on the lower end, but at the top, the most serious, are state-sponsored hackers and we have the best of the best. Now with this event the tools and techniques of our best cyber warriors are within reach of common criminals and others who would typically be easy to defend against with common cybersecurity countermeasures.”

http://www.military-technologies.net/2017/03/09/cybersecurity-expert-says-prepare-for-a-tidal-wave-of-new-hacks/

The CIA’s Hacking Disclosure Highlights Mobile Security Challenges for Cyber Security Firms

A single news cycle worth of cyber paranoia isn’t enough to drive significant changes in corporate security, JMP Securities analyst Erik Suppiger said, but it certainly serves as a reminder of what enterprises must guard against. “Something like this could raise awareness at the board level that enterprises need to be very careful about what exactly is going on on their networks that they don’t know about,” he said. “Obviously they are using cell phones so there is certainly some reason for them to be more aware of it.”

https://www.thestreet.com/story/14033566/1/the-cia-s-hacking-disclosure-highlights-mobile-security-challenges-for-cyber-security-firms.html

Cyber Expert: Haven’t Seen CIA Hacking Tools on Black Market Yet

“We have never seen the authentic tools from Vault 7 leak on the ‘black market,’ and I assume that the leak is organized from one of the subcontractors or civilian employees working for CIA in specific areas.” However, he said some of the “components for the tools” had already been available on the black market. Komarov said his firm had looked at all the documents released by WikiLeaks and said they didn’t contain any of the tools, just “their descriptions and tutorials how to use them.”

http://www.nbcnews.com/card/cyber-expert-havent-seen-cia-hacking-tools-black-market-yet-n731186

Some question government’s responsibility in cyber security after latest breach

“When you have a government agency talking about having the ability to unlock any phone in the country or they know about a vulnerability, but don’t tell the vendor. It starts to make you question who they are looking out for,” said Andrew Fausett. Fausett works within the Central Community College IT department. He said withholding that kind of information could do more harm than good. Many students on campus don’t see it that way and said they had no problem with government having the power to access phones.

http://www.nbcneb.com/content/news/Some-question-governments-responsibility-in-cyber-security-after-latest-breach-415836253.html

Assange accuses CIA of “historic act of devastating incompetence”

In a video statement on Periscope today, Assange asserted that the CIA “lost control of its entire cyber-weapons arsenal. Now, this is a historic act of devastating incompetence to have created such an arsenal and stored it all in one place and not secured it.” Assange repeated the claim that WikiLeaks had stumbled upon the archive “as the result of it being passed around a number of different members of the US intelligence community out of control in unauthorized fashion.”

https://arstechnica.com/security/2017/03/assange-accuses-cia-of-historic-act-of-devastating-incompetence/

Amnesty International and ProtonMail join forces to fight cyber censorship

On the occasion of World Day Against Cyber Censorship, ProtonMail and Amnesty International join forces to show how internet restrictions affect people around the world. As the world’s largest encrypted email provider, ProtonMail is the privacy tool of choice for journalists, activists and privacy conscious everyday users. Today when logging into their inboxes, ProtonMail’s 2 million users from 150 countries will see Amnesty International’s latest findings on cyber censorship.

https://www.amnesty.org/en/latest/news/2017/03/amnesty-international-and-protonmail-join-forces-to-fight-cyber-censorship/

West-African cyber-crime more than doubled, says Trend Micro

According to the report, the volume of cyber-crime related complaints received in West Africa increased from 940 incidents in 2013 to 2182 incidents in 2015. Law enforcement agents in the region did not remain idle though, as the INTERPOL survey revealed that an average of 30 percent of the cyber-crimes reported to them each year led to arrests. Trend Micro research on BEC fraud showed that the most-targeted country was the United States, closely followed by China.

https://www.scmagazineuk.com/west-african-cyber-crime-more-than-doubled-says-trend-micro/article/643298/

Google tries to beat AWS at cloud security

At the conference this week, Google unveiled tools that would let IT teams provide granular access to applications, better manage encryption keys, and enforce stronger authentication mechanisms for applications running on Google Cloud. While some of the features, such as Key Management Service, are similar to the security tools AWS has already rolled out (in this case, the AWS Key Management Service), others, such as DLP API for GCP (Google Cloud Platform), go beyond the infrastructure to protect individual applications.

http://www.csoonline.com/article/3179357/security/google-tries-to-beat-aws-at-cloud-security.html

Is the cyber crisis real or fiction?

Cyber needs to be a skill within each job description. Cyber awareness needs to be integrated into every aspect of how an organization thinks strategically and operates tactically. The real cyber crisis is not that there are not enough cyber professionals in the market. The crisis is that organizations have not defined cyber as a core capability required across the employee population and they have not stepped up to making the required investment in people for the future.

http://www.csoonline.com/article/3178752/security/is-the-cyber-crisis-real-or-fiction.html

Lawmakers receive lukewarm assessment of cyber cooperation between feds, private sector

The DHS, which is now headed by John Kelly, has a number of programs to engage and share information with the private sector, including the Automated Indicator Sharing (AIS) capability that allows the public and private sectors to trade information about cyber threat indicators, such as malicious IP addresses or the origin address of a phishing email. Despite these efforts, lawmakers acknowledged on Thursday that the government has a ways to go on cybersecurity cooperation with private industry.

http://thehill.com/policy/cybersecurity/323245-lawmakers-receive-lukewarm-assessment-of-cyber-cooperation-between-feds

US spies still won’t tell Congress the number of Americans caught in dragnet

Two of the programs, called Upstream and Prism, are allowed under Section 702 of the Foreign Intelligence Surveillance Act. That section expires at year’s end, and President Donald Trump’s administration, like his predecessor’s administration, wants the law renewed so those snooping programs can continue. That said, even as the administration seeks renewal of the programs, Congress and the public have been left in the dark regarding questions surrounding how many Americans’ electronic communications have been ensnared under the programs. Congress won’t be told in a classified setting either, despite repeated requests.

https://arstechnica.com/tech-policy/2017/03/nsa-spy-law-up-for-renewal-but-feds-wont-say-how-many-americans-targeted/

MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking

Regularly changing a device’s MAC address is supposed to defeat this tracking. But it turns out to be completely worthless, due to a combination of implementation flaws and vulnerabilities. […] In a paper published on Wednesday, US Naval Academy researchers report that they were able to “track 100 per cent of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames.” Beyond this one vulnerability, an active RTS (Request to Send) attack, the researchers also identify several alternative deanonymization techniques that work against certain types of devices.

https://www.theregister.co.uk/2017/03/10/mac_address_randomization/

640,000 Decrypted PlayStation Accounts Being Sold on DarkWeb

The vendor who goes by the handle of “SunTzu583” is selling 640,000 accounts of PlayStation users for just USD 35.71 (0.0292 BTC) stolen from an unknown database. These accounts contain emails along with their clear-text passwords. According to SunTzu583, the database was not directly stolen from PlayStation servers, but it does contain unique accounts of PlayStation users. SunTzu583 goes on to explain that these accounts may also work on other sites; however, they can be mainly used for PlayStation-related activities.

https://www.hackread.com/640000-decrypted-playstation-accounts-sold-darkweb/

Want a Career in Cybersecurity? Find Out Which Degrees Can Get You There

Entry level positions require a relevant bachelor’s degree, but the more specialized and highest paid roles usually require a master’s degree. If you’ve got amazing computer skills, you might be able to walk into a lucrative position without any formal qualifications, but you’ll stand a better chance of getting a job in the field if you have one of the following degrees.

https://www.hackread.com/career-in-cybersecurity-and-degree/

In Cybersecurity, ‘Sales Engineers’ Rake in Higher Salaries Than Tech Workers

And with the global cybersecurity industry looking to spend $1 trillion between 2017 and 2021, SEs are likely to get the biggest cut from this budget. According to a US industry recruiter, SEs are paid annual salaries ranging between $180,000 and $220,000. A sales engineer, writes CSO, not only needs technical knowhow, but must be adept at soft skills. For a cybersecurity engineer, moving from writing code to giving demos could mean a pay boost – for an expert, it could be a jump of 50 percent in salary.

http://www.darkreading.com/careers-and-people/in-cybersecurity-sales-engineers-rake-in-higher-salaries-than-tech-workers/d/d-id/1328354?

After CIA leak, Intel Security releases detection tool for EFI rootkits

EFI, also known as UEFI (Unified EFI), is the low-level firmware that runs before the operating system and initializes the various hardware components during the system boot process. It’s the replacement for the older and much more basic BIOS in modern computers and resembles a mini operating system. It can have hundreds of “programs” for different functions implemented as executable binaries. A malicious program hidden inside the EFI can inject malicious code into the OS kernel and can restore any malware that has been removed from the computer. This allows rootkits to survive major system updates and even reinstallations.

http://www.csoonline.com/article/3179450/security/after-cia-leak-intel-security-releases-detection-tool-for-efi-rootkits.html

Attacks Under Way Against Easily Exploitable Apache Struts Flaw

Security experts today urged enterprises using Apache Struts2 for Web applications to upgrade to either version 2.3.32 or 2.5.10.1 as soon as possible after researchers from Cisco Talos disclosed an easily exploitable bug in all other versions of the open-source framework. Exploits for the flaw are already available in the wild and attackers are using them to actively look for and target vulnerable Web servers. Most of the attacks appear to be taking advantage of a proof-of-concept exploit that was released publicly, Talos said in an advisory.

http://www.darkreading.com/attacks-breaches/attacks-under-way-against-easily-exploitable-apache-struts-flaw/d/d-id/1328362?