IT Security News Blast 3-14-2017

Invest now to protect your industrial control systems from cyber attacks

Cyber-attacks on ICS/SCADA networks and breakthrough research discoveries have rendered the “we’re not going to spend more on ICS cybersecurity because it has never happened before” argument void. […] The outcome of a successful cyber-attack on critical infrastructure is not something anybody wants to test. A quick look at incidents that have made it to the headlines – be it actual cyber-attacks or new vulnerabilities and campaigns – is all one needs to persuade business executives to allocate more budget to mitigate against modern ICS hacking scenarios.

http://www.engineerlive.com/content/invest-now-protect-your-industrial-control-systems-cyber-attacks

Most security pros expect increasing attacks on Industrial Internet of Things

IIoT are the connected devices in critical infrastructure segments such as energy, utilities, government, healthcare and finance. The study revealed that:

  • Ninety-six percent of those surveyed expect to see an increase in security attacks on IIoT in 2017.
  • Fifty-one percent said they do not feel prepared for security attacks that abuse, exploit or maliciously leverage insecure IIoT devices.
  • Sixty-four percent said they already recognize the need to protect against IIoT attacks, as they continue to gain popularity among hackers.

https://www.helpnetsecurity.com/2017/03/13/attacks-iiot/

‘Charities are a big target for cyber criminals’

Mulhern told the audience that last year half of the Charity Commission’s alerts related to cyber threats but that charities still lacked skills and awareness. “It’s not just about you it’s about the people that you serve – donors, supporters, VIPs, fundraisers, volunteers,” he said and warned that there were “long lasting consequences” to a cyber attack. He also said it was important to have a plan about how to respond to an attack and said charities needed to think about how much they invest in security.

https://www.civilsociety.co.uk/news/charities-are-a-big-target-for-cyber-criminals.html

Misaligned incentives, executive overconfidence create advantages for cyberattackers

New report outlines how cybercriminals have the advantage, thanks to the incentives for cybercrime creating a big business in a fluid and dynamic marketplace. Defenders, on the other hand, often operate in bureaucratic hierarchies, making them hard-pressed to keep up. Attackers thrive in a fluid, decentralized market, while bureaucracy constrains defenders. Ninety-three percent of organizations surveyed have a cybersecurity strategy, but only 49 percent have fully implemented it. Nearly 60 percent of IT executives believe their cybersecurity strategy is fully implemented, while just over 30 percent of IT staff agree. Senior executives designing cyber strategies measure success differently than implementers.

http://www.homelandsecuritynewswire.com/dr20170310-misaligned-incentives-executive-overconfidence-create-advantages-for-cyberattackers

House Small Business Committee holds hearing on coordinating federal resources for cybersecurity

During a hearing with the U.S. House Small Business Committee, a panel of experts said that the government must do a better job coordinating federal resources to protect the country’s small businesses from various cybersecurity threats. […] “A cyber attack can have serious consequences, not only for small businesses, but also their customers, employees, and business partners,” U.S. Rep. Steve Chabot (R-OH), committee chairman, said. “Sixty percent of small businesses that fall victim to a cyber attack close up shop within six months. A 2014 survey from the National Small Business Association estimated the average cost of a cyber attack on a small business to be over $32,000.”

https://homelandprepnews.com/stories/21488-house-small-business-committee-holds-hearing-coordinating-federal-resources-cybersecurity/

GOP senator alleges password-hijack attempts after blasting WikiLeaks founder

Sen. Ben Sasse (R-Neb.) Saturday claimed that hackers were trying to gain access to his personal and government-issued devices through bogus password-reset notifications. In a short flurry of Twitter messages, Sasse blamed the hacking attempts on his criticism of WikiLeaks and its founder, Julian Assange, earlier in the week. “Heads-up…I’ve been critical of Assange & WikiLeaks this week. So…big surprise: Am having multiple ‘password reset’ attempts right now,” Sasse tweeted Saturday. The probing was hitting “basically every device, every platform, personal and govt,” he added in a follow-up tweet.

http://www.networkworld.com/article/3180062/security/gop-senator-alleges-password-hijack-attempts-after-blasting-wikileaks-founder.html

Cybersecurity Collaboration Bill Aims to Help Companies

A bipartisan Senate bill would give states more resources to help companies combat the growing cybersecurity risk, Sen. John Cornyn (R-Tex.) said March 10 in a statement. Companies and organizations struggling to respond to the increased risk would gain important resources at the state and local levels from the Department of Homeland Security and partner institutions under the bill. […] The bill also includes provisions on training for first responders and officials; simulation exercises for state and local governments, critical infrastructure operators and private industry; and incorporating cybersecurity risk to state emergency plans.

https://www.bna.com/cybersecurity-collaboration-bill-n57982085098/

All U.S. Companies Need to Share Cybersecurity Threat Data

No matter the size of the company hit with a cybersecurity incident, all need support from other private-sector companies, state-level cybersecurity programs and the federal government. […] However, there needs to be some hesitation before giving troves of cyberthreat data to small businesses—because they won’t know what to do with it. This is where the “big macro” tech and cybersecurity companies can step in to “help create an automated pathway to help propagate information to the lowest levels of technical wherewithal,” Montgomery said.

https://www.bna.com/us-companies-need-n57982085096/

Cybersecurity Is an Essential Part of the MSP Toolkit

How do you position your business to address the new realities that more than half of SMBs (55%) were victims of a cyber attack within the last 12 months and that 60% go out of business within six months of an attack? […] We’re talking about the success or failure of your client’s business, and that demands a more inclusive approach. This also happens to be good for you: The managed security service market, worth $17.02 billion in 2016, is expected to almost double by 2021 to $33.68 billion, at a Compound Annual Growth Rate of 14.6%.

http://mspmentor.net/blog/cybersecurity-essential-part-msp-toolkit

Energy sector turns to security firms to stop cyberattacks

A growing industry of boutique security firms has emerged as oil and gas companies seek outside help to protect their networks from increasingly savvy and aggressive cyberattacks. Time and again security specialists reveal lingering national security threats in the form of highly vulnerable control systems for valves, pumps, pipelines and refineries in the U.S. Refiners and others are often found to be running facilities with outdated software and aging automated devices that have no built-in security measures, the Houston Chronicle reports (http://bit.ly/2mfWjX5). Some companies lack internal detection systems that would allow them to identify cyber intruders.

http://www.macon.com/news/business/article138057188.html

Credit Card Scrapers Continue to Target Magento

Researchers said last week they came across a malicious function snuck into one of the platform’s modules in order to steal credit card information. […] The function, sendCCNumber(), reroutes credit card information entered by a customer from Magento to an attacker’s email address, hidden inside a variable later in the code. The data, encoded in JSON, arrives in the attacker’s inbox without the victim being any the wiser.

https://threatpost.com/credit-card-scrapers-continue-to-target-magento/124267/

Credit Card Stealer Disguises as Google Chrome Browser

A new malicious application tries to disguise itself as the Google Chrome browser to fool victims into entering their payment card details. The app is still active at the time of writing and sends collected user details to an AOL email address. […] This app, named “Betaling – Google Chrome.exe”, tries to pass as the Google Chrome browser and does a good job at it. Betaling uses the standard Chrome icon and window layout, complete with an address bar, and even an HTTPS lock icon to trick users into thinking they’re on a real website.

https://www.bleepingcomputer.com/news/security/credit-card-stealer-disguises-as-google-chrome-browser/

Hailing frequencies open! WikiLeaks pings Microsoft after promise to share CIA tools

According to sources close to the matter, WikiLeaks has opened a line of communication with Microsoft since the Vault 7 release. No actual files or other data has been sent in as yet, but talks are continuing. “WikiLeaks has made initial contact with us via secure@microsoft.com,” a Microsoft spokesperson told The Register on Monday. Apple and Google haven’t replied to requests for comment on the matter yet, but it does appear that WikiLeaks will be playing by the rules of responsible disclosure on this one. Which is very good news for the rest of us.

https://www.theregister.co.uk/2017/03/13/wikileaks_cia_vault_7_microsoft/

Intel’s CHIPSEC can detect CIA’s OS X rootkit

In the wake of WikiLeaks’ release of the CIA document dump, Apple has stated that many of the revealed iOS exploits have already been patched, and the company is constantly working to address any new vulnerabilities. […] But it was Intel Security that offered a tool that can identify an EFI (Extensible Firmware Interface) rootkit that is meant to function as a covert implant on machines running Apple’s OS X. […] “[DarkMatter] appears to include multiple EFI executable components that it injects into the EFI firmware on a target system at different stages of infection,” Intel Security’s Christiaan Beek and Raj Samani explained.

https://www.helpnetsecurity.com/2017/03/13/chipsec-detect-os-x-rootkit/

Nintendo Switch Can Be Hacked, Thanks to iOS 9.3 Webkit Exploit

Qwertyoruiop has proved that he was able to hack Nintendo Switch through his tweet that contained an image of the hacked Switch device. Developer LiveOverflow has also confirmed that an iOS 9.3 WebKit exploit (CVE-2016-4657) is effective on Switch. He also has published a proof of concept to prove his point, which confirms that the browser in Switch is vulnerable to hack attacks. There is a strong connection: although Switch doesn’t have its web browser, it does have a web browser that is required for performing captive portal logins to enable internet connectivity at any public spot like a parking lot or café hotspot.

https://www.hackread.com/nintendo-switch-hacked-thanks-to-ios-webkit-exploit/

PandaLabs: Attacking computers without running any malware

The attack starts with the attackers launching a brute-force attack against a server with the Remote Desktop Protocol (RDP) enabled. Once they get the computer’s login credentials, they have complete access to it. Then, the first thing that the attackers do is run the sethc.exe file with the parameter 211 from the computer’s Command Prompt window (CMD). This turns on the system’s “Sticky Keys” feature. Next, a program called “Traffic Spirit” is downloaded and run. “Traffic Spirit” is a traffic generator application which in this case is used to make extra money out of the compromised computers.

https://www.scmagazine.com/pandalabs-attacking-computers-without-running-any-malware/article/643308/

Facebook, Instagram: No, you can’t auto-slurp our profiles (cough, cough, border officials)

On Friday a report from the US Department of Homeland Security (DHS) showed that border patrol officers had tried automatically scanning visa applicants’ social media profiles to catch terrorists. The DHS boffins admitted their software didn’t work properly, and that it was looking for companies to help improve the system. […] “Developers cannot ‘use data obtained from us to provide tools that are used for surveillance.’ Our goal is to make our policy explicit,” Facebook said. “Over the past several months we have taken enforcement action against developers who created and marketed tools meant for surveillance, in violation of our existing policies; we want to be sure everyone understands the underlying policy and how to comply.”

https://www.theregister.co.uk/2017/03/13/facebook_social_media_surveillance/

The security threat of quantum computing is real, and it’s coming fast

In 2016 alone, the EU announced a $1.13B investment in the discipline, the UK pledged nearly $300M, Australia put in $25M and Canada devoted $50M. Why? These world powers acknowledge the swift progress being made towards quantum computing that threatens traditional encryption. They’re right to be investing now: Once that technology exists, everything stops. The moment quantum computers succeed in cracking today’s most prevalent encryption techniques – like public and private keys – security breaches won’t be isolated incidents that only affect a few million people or vulnerabilities that result in a minor chink in security’s armor. If the technology’s path of innovation continues at its current pace, quantum computers will soon render today’s cryptography completely vulnerable.

https://www.helpnetsecurity.com/2017/03/09/security-threat-quantum-computing/

Old nemesis spam becoming significant way for attackers to subvert data

“The ongoing expansion of domain name choices has added another instrument to the spammer’s toolbox: enticing recipients to click through to malicious sites, ultimately allowing attackers to infiltrate their networks,” wrote Ralf Iffert, Manager, X-Force Content Security in a blog about the spam findings. “More than 35% of the URLs found in spam sent in 2016 used traditional, generic top-level domains (gTLD) .com and .info. Surprisingly, over 20% of the URLs used the .ru country code top-level domain (ccTLD), helped mainly by the large number of spam emails containing the .ru ccTLD.”

http://www.networkworld.com/article/3180056/security/ibm-cisco-old-nemesis-spam-becoming-significant-way-for-attackers-to-subvert-data.html

“Lip password” uses a person’s lip motions to create a password

Biometric data such as fingerprints are used around the world to unlock mobile devices and verify identity at immigration and customs counters. Despite its wide application, one cannot change the scan of their fingerprint. Once the scan is stolen or hacked, the owner cannot change his/her fingerprints and has to look for another identity security system. Researchers have invented a new technology called “lip motion password” (lip password) which utilizes a person’s lip motions to create a password.

http://www.homelandsecuritynewswire.com/dr20170314-lip-password-uses-a-person-s-lip-motions-to-create-a-password

No, Microwave Ovens Cannot Spy on You—for Lots of Reasons

It’s true that lots of things can be turned into listening devices. It’s also true that attackers can compromise internet-connected gadgets. And yes, the WikiLeaks data outlines various (alleged) CIA methods of compromising cellphones and Samsung TVs to surveil targets. Conway isn’t even the only one who associates microwave ovens with government spying. “Is the CIA listening to me through my microwave oven, and through my TV, and through my cell phone,” asked late-night host Stephen Colbert of former CIA and NSA head Michael Hayden last week. (The answer was “no,” at least if you’re an American citizen.)

https://www.wired.com/2017/03/kellyanne-conway-microwave-spying/