IT Security News Blast 3-17-2017

Hyperconnectivity and IoT Set to Radically Disrupt Cyber by 2019

By 2019, organizations will be faced with a hyper-connected world where the pace and scale of change—particularly in terms of technology—will have accelerated substantially. ISF said that we’ll see premeditated internet outages bringing trade to its knees; ransomware hijacking the IoT; privileged insiders coerced into giving up the crown jewels; automated misinformation and falsified information that compromises performance; subverted blockchains that shatter trust; surveillance laws exposing corporate secrets; privacy regulations impeding the monitoring of insider threats; and a headlong rush to deploy artificial intelligence that will lead to unexpected outcomes.

https://www.infosecurity-magazine.com/news/hyperconnectivity-and-iot-set-to/

Wanna make a fortune in crime? Forget drug dealing – try hacking

On another social media account on ASKfm, Baratov gave more details of amassing wealth: “I was making more than both of my parents combined. At 15 I got my first million.” Baratov, who sports a one-carat black diamond stud in right ear lobe and has tattoos across his chest and right arm, voiced disdain for formal education. “I almost failed high school . . . Never did homework, never showed up,” Baratov wrote on ASK.fm. On his Facebook page, Baratov added: “You don’t need to go to #College or #University to do well; real world experience is way more valuable.”

http://www.mcclatchydc.com/news/nation-world/national/national-security/article138921688.html

North Korean Hackers Were Behind a Recent Major Cyber Attack

A North Korean hacking group known as Lazarus was likely behind a recent cyber campaign targeting organizations in 31 countries, following high-profile attacks on Bangladesh Bank, Sony and South Korea, cyber security firm Symantec said on Wednesday. […] “We are reasonably certain” Lazarus was responsible, Symantec researcher Eric Chien said in an interview. The North Korean government has denied allegations it was involved in the hacks, which were made by officials in Washington and Seoul, as well as security firms.

http://fortune.com/2017/03/15/north-korea-hackers-cyber-attack/

FBI won’t release iPhone hacking tool and is still using it to ‘gather intelligence information’

The biggest issue, Hardy’s filing said, is that releasing the details of the hacking tool could allow bad actors and hackers to understand the current methods being used by the FBI, and understand the weaknesses of those methods. As reported by ZDNet’s Zack Whittaker, the news comes as various news outlets are still fighting for information about the tool to be released. Another reason that the FBI has chosen not to reveal its iPhone hacking tool is because they’re likely still using it. According to the filing, “intelligence activities or methods withheld in this case are still used by and/or useful to the FBI today to gather intelligence information.”

http://www.techrepublic.com/article/fbi-wont-release-iphone-hacking-tool-and-is-still-using-it-to-gather-intelligence-information/

Top Women in Cybersecurity: Lesley Carhart

In honor of Women’s History Month, we present our inaugural Top Women in Cybersecurity list, filled with individuals who are upending the status quo. This list contains a group of minds who are not just knee-deep in code, but are making the business and legal decisions that will push cybersecurity forward in both the public and private sector. These women do not solely represent what women are capable of, but what a community can achieve when a diverse set of ideas and novel thinking is encouraged and embraced.

https://www.cyberscoop.com/2017-top-women-in-cybersecurity/

Trump’s budget proposal gives DHS $1.5 billion for cybersecurity

The budget request, which bolsters DHS funding by 6.8 percent while making deep cuts to other agencies and departments, also calls for heightened cooperation between the government and the private sector on cybersecurity.  The proposed budget “safeguards cyberspace with $1.5 billion for DHS activities that protect federal networks and critical infrastructure from an attack,” according to the blueprint, which was publicly released Thursday morning.

http://thehill.com/policy/cybersecurity/324238-trumps-budget-proposal-gives-dhs-15-billion-for-cybersecurity

Facebook Forbids the Use of User Data for Surveillance

Public pressure to limit access to user data has been mounting. Just last week, for instance, we reported that civil liberties advocates were more concerned than ever about the government’s “incidental” tracking of U.S. residents’ communications during surveillance of foreign targets. Now, Facebook has announced that developers cannot use data obtained from either Facebook or Instagram, which it owns, to produce systems that can provide surveillance capabilities. Under its Platform Policy it now says: “Don’t use data obtained from us to provide tools that are used for surveillance.”

https://www.technologyreview.com/s/603855/facebook-forbids-the-use-of-user-data-for-surveillance/

Microsoft’s silence over unprecedented patch delay doesn’t smell right

Last month, Microsoft took the unprecedented step of canceling Patch Tuesday, the company’s monthly release of security fixes for its large stable of software products. The move meant that customers had to wait 28 days to receive updates that fixed vulnerabilities that allowed hackers to completely hijack computers and networks. The last-minute move was all the more unusual because Microsoft made it a few days after exploit code for a Windows 10 flaw was released into the wild. In the nine days that followed the cancellation, technical details for two more serious vulnerabilities—one in Windows and the other in the Edge and Internet Explorer browsers—were also disclosed.

https://arstechnica.com/security/2017/03/microsofts-silence-over-unprecedented-patch-delay-doesnt-smell-right/

Ransomware: Now cybercriminals are stealing code from each other, say researchers

However, the authors of a new form of malware dubbed PetrWrap have managed to crack the Petya code and are using it to perform ransomware attacks, apparently without paying the creators of Petya, according to researchers at security company Kaspersky Lab. It said the PetrWrap Trojan has been active since February this year and uses its own cryptographic keys to lock victims’ files, rather than using those which come with the ‘stock’ version of Petya — and waits for an hour and a half after the initial compromise before striking.

http://www.zdnet.com/article/ransomware-now-cybercriminals-are-stealing-code-from-each-other-say-researchers/

Are you undermining your web security by checking on it with the wrong tools?

The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on. However, the very method by which these devices skirt the encryption on network traffic through protocols like SSL, and more recently TLS, is opening up the network to man-in-the-middle attacks. In the paper, titled The Security Impact of HTTPS Interception, the researchers tested out a range of the most common TLS interception middleboxes and client-side interception software and found that the vast majority of them introduced security vulnerabilities.

https://www.theregister.co.uk/2017/03/17/are_you_undermining_your_web_security_by_checking_on_it_with_the_wrong_tools/

Cybersecurity in seven minutes

That’s why we’ve put together a short guide to cybersecurity essentials. It will walk you through some of the most common risks, and the specific ways to protect yourself when it comes to three critical areas:

  • Privacy: How someone else can see what you’re doing online or on your device.
  • Security: How someone can intercept data.
  • Control: How someone can take over your smartphone or computer.

http://www.csmonitor.com/World/Passcode/2017/0315/Cybersecurity-in-seven-minutes

NSA hacking chief’s mission impossible: Advising White House on cybersecurity

Whispers have been sloshing around since the weekend that Joyce was tapped to shape cybersecurity policy for the Trump administration. On Wednesday morning, at the Cyber Disrupt 2017 conference in Washington DC, White House aide Thomas Bossert went on stage and confirmed the rumors are true. […] All in all, Joyce joins a group that should be strictly business but instead finds itself snagged again and again in political chess games. It’s still not clear where ex-New York City major Rudy Giuliani fits in all of this: he was supposed to be a cybersecurity tsar to the president.

https://www.theregister.co.uk/2017/03/15/white_house_cyberczar/

Think like a bad guy and embrace cybersecurity

Companies should take both a short- and medium-term approach to cybersecurity, he continues. “So the first thing they need to do is lay out their key assets that differentiate them in the marketplace, and protect those assets first, putting in place protective and detective controls. Then they can work through their other assets. “It’s almost like chipping away at an iceberg. You can’t do the whole thing at one time, so do the things that are most important first and then move down the line.”

http://www.telegraph.co.uk/connect/better-business/leadership/accenture/cybersecurity-to-keep-business-safe-online/

Cybersecurity not a one-time effort for small businesses; requires constant vigilance

Symantec, a maker of computer security software, analyzed threats and cyberattacks that its network encountered and found that 43 percent of all cyberattacks in 2015 targeted small businesses. […] The costs of an invasion can be steep. Heath estimates he lost $10,000 in business because the site was down. He didn’t have to pay to have the website rebuilt, because his business was part of an incubator where tech help was available for free. But recreating a website could run a business well into the thousands of dollars.

http://www.nhregister.com/business/20170315/cybersecurity-not-a-one-time-effort-for-small-businesses-requires-constant-vigilance

How Russian agents allegedly directed massive Yahoo cyberattack

This is the first time Russian government officials have been charged by the U.S. for a cybercrime, for a breach that officials say affected at least 500 million accounts. Officials said some of the information had intelligence value and some was also leveraged for financial gain. “The defendants targeted Yahoo accounts of Russian and U.S. government officials, including cybersecurity, diplomatic and military personnel,” said Mary McCord, the head of the DOJ’s national security division. “They also targeted Russian journalists, numerous employees of other providers whose networks the conspirators sought to exploit and employees of financial services and other commercial entities.”

http://abcnews.go.com/US/russian-agents-facing-charges-yahoo-hacking-attacks/story?id=46142396

How risk modeling propels the cyber insurance market forward

It took a while for cyber risk modeling to shift from guesswork to science due to the complexity of the problem. […] The lack of data and empirical modeling meant insurers were forced to rely on existing risk models designed for other areas. For instance, actuaries were using models designed for professional liability or errors and omissions (E&O) to write cyber policies. While E&O data ties loosely to cyber at best, companies reluctantly used these risk models in order to avoid missing the growing market altogether, often at cost.

http://www.propertycasualty360.com/2017/03/16/how-risk-modeling-propels-the-cyber-insurance-mark

Researchers present early warning system for mass cyber attacks

[Rossow] has developed a special kind of digital bait for distributed attacks (also known as honeypots), in collaboration with the CISPA researchers Lukas Kraemer and Johannes Krupp and with colleagues from Japan. 21 of these honeypot traps were laid out in the more obscure corners of the Internet, enabling the researchers to document more than 1.5 million attacks. In this manner, he could identify the different phases of attacks which helped develop an early warning system from the data. He additionally attached secret digital markers to the attack codes he discovered in the digital wilderness, and was thus able to trace the source of the attacks.

https://scienceblog.com/492872/researchers-present-early-warning-system-mass-cyber-attacks/

Judge OKs warrant to reveal who searched a crime victim’s name on Google

Police in a small suburban town of 50,000 people just outside Minneapolis, Minnesota, have won a court order requiring Google to determine who has used its search engine to look up the name of a local financial fraud victim. The court order demanding such a massive search is perhaps the most expansive one we’ve seen unconnected to the US national security apparatus and, if carried out, could set an Orwellian precedent in a bid by the Edina Police Department to solve a wire-fraud crime worth less than $30,000.

https://arstechnica.com/tech-policy/2017/03/judge-oks-warrant-to-reveal-who-searched-a-fraud-victims-name-on-google/

Linux Kernel Gets Patch For Years-Old Serious Vulnerability

“Double Free” is one of the most common memory corruption bug that occurs when the application releases same memory location twice by calling the free() function on the same allocated memory. An unauthenticated attacker may leverage this vulnerability to inject and execute arbitrary code in the security context of currently logged in user. The vulnerability affects the majority of popular Linux distributions including Red Hat Enterprise Linux 6, 7, Fedora, SUSE, Debian, and Ubuntu.

http://thehackernews.com/2017/03/linux-kernel-vulnerability.html