IT Security News Blast 3-29-2017

Cyber and privacy risks for professional firms

Professional services firms make attractive targets for malicious actors, not least due to the wealth of confidential data that they hold on behalf of their clients. Firms are often regarded as the backdoor to the sensitive information of their clients, particularly those within the financial services and healthcare sectors, which traditionally have far more sophisticated data security than their professional advisors. Indeed, the NCSC and NCA report that the most common vulnerabilities in 2016 were not novel but well-known, and could have been easily avoided by patching legacy systems.

http://www.lexology.com/library/detail.aspx?g=4530bb43-31df-4da8-92ed-7d010f409db2

4 cybersecurity threats every hospital C-suite admin should be familiar with in 2017

Data protection also needs to consider malicious insider intent, which underscores the need for as-needed data access and protected, individual log-ins – particularly amid quick staff turnover, visiting consultants and the possibility of outsiders being able to walk in and access insider systems. Recent incidents illustrate that surprises do come from within, as when staff engage in billing fraud or improperly view records for celebrity patients, or when outsiders pose as hospital staff.

http://www.healthcaredive.com/news/4-cybersecurity-threats-every-hospital-c-suite-admin-should-be-familiar-wit/436881/

Cerber learns to dodge machine learning

“This latest version of Cerber essentially breaks up the malware in pieces to avoid some static machine learning implementations,” Trend Micro Vice President of Cloud Research Mark Nunnikhoven told SC Media. “These applications analyze files and look for various attributes that their models show as malicious.” He added that if the malicious content of the file is hidden, such as encrypted, injected in real-time, or externally referenced, it’s never evaluated against the model and that skews the results.

https://www.scmagazine.com/cerber-upgrades-evade-machine-learning-techniques/article/646981/

Exploit Kits: Winter 2017 Review

Pseudo-Darkleech and EITest are the most popular redirection campaigns from compromised websites. They refer to code that is injected into – for the most part – WordPress, Joomla and Drupal websites, and automatically redirects visitors to an exploit kit landing page. Malvertising campaigns keep fueling redirections to exploit kits as well, but can greatly vary in size and impact. The daily malverts from shady ad networks continue unchanged, while the larger attacks going after top ad networks and publishers come in waves.

http://www.darkreading.com/partner-perspectives/malwarebytes/exploit-kits-winter-2017-review/a/d-id/1328451?

Why cyber security ignorance is bliss for IoT hackers

“5G is going to provide more functionality for people to put more connected devices on and that’s great, but are they considering if it’s secure by default? And the answer is usually ‘what does that mean?’” […] We’re providing consumers with a road to be able to do anything they want, and the network to do anything they like when what they’re bringing onto this road is just three-wheelers without any seat belts, airbags, or any consideration about safety. It’s not sensible.”

http://www.cbronline.com/news/internet-of-things/cyber-security-ignorance-bliss-iot-hackers/

Vulnerable Smartphones, IoT Devices: 400% increase in infection rate

According to the Nokia threat intelligence report- 2H 2016, the smartphone and IoT devices infection rate is rising rapidly over the past few years, and in the year 2016, the rate reached its peak. While, last year was a nightmare for the smartphone holders and most of all, for Android users. The trend of targeting IoT devices started early in the year 2016, while reached its peak during the latter half of the year. Furthermore, October was the favorite month of the attackers as around 1.35% of all mobile devices were infected in that month alone.

https://www.hackread.com/nokia-report-vulnerable-smartphones-iot-devices/

Commercial IoT: Big Trouble in Small Devices

There are endless scenarios where the industrial IoT, if accessed by hackers, could wreak havoc. […] In my opinion, IoT security needs to be solved at the protocol level. Current security methods, such as firewalls and VPNs, will fail as IoT grows; they are too expensive to deploy and manage in large numbers, and remember we’re talking about hundreds and thousands of IoT devices in a business. At the same time, we can’t rely on the current IP protocol that runs the Internet today to secure the IoT. IP addresses are easily spoofed, which means an attacker could gain access to an IoT device by impersonating a trusted connection.

http://www.darkreading.com/endpoint/commercial-iot-big-trouble-in-small-devices/a/d-id/1328502?

Why was North Korea running a phantom cybersecurity startup in Malaysia?

From the heart of the Malaysian capital of Kuala Lumpur as well as the nearby financial center of Singapore, North Korean spies covertly ran a technology business that, until last year, publicly sold a wide array of products including iPhone apps, web development apps and even cybersecurity tools. Virtually nobody knew who really controlled the company until recently. Even today, nobody is entirely sure how it worked.

https://www.cyberscoop.com/north-korea-cybersecurity-united-nations-adnet-international/

Cheney: Russian Cyberattack On Election Could Be Viewed As ‘Act Of War’

Cheney warned that the Russian autocrat has operated “in ways that none of his predecessors have done for the last 40 years” and said that his actions in the U.S. were profoundly concerning. “I would not underestimate the weight that we as Americans assign to the Russian attempts to interfere with our internal political processes.” He warned that the world can expect more of the same from Putin. Cheney also sounded an alarm about Russia’s military aggression and said Putin would do everything in his power to “undermine” NATO.

http://www.huffingtonpost.com/entry/cheney-russian-hacking-war_us_58d9d67be4b00f68a5ca35ef

UK Government sets out water sector cyber security strategy

The ‘Water Sector Cyber Security’ strategy incorporates contributions from the sector and aims to guide activities across water companies and government. To realise the vision, the government and water sector will work towards five objectives: understanding threats, managing risks, developing capabilities, managing incidents and strengthening capabilities. Defra says the scale and complexity of cyber attacks against the UK is growing, with security presenting an enduring challenge for the water sector.

http://www.energylivenews.com/2017/03/27/uk-government-sets-out-water-sector-cyber-security-strategy/

What keeps cybersecurity experts up at night?

Dan Geer, chief information security officer for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the intelligence community, took a big picture approach in his answer: The most urgent issue, he says, is people’s overall dependence on technology. “The more people use something, the more it is depended upon. Because the wellspring of risk is dependence, risk is therefore proportional to adoption. We call that on which we most depend critical infrastructures. Because dependence is transitive, so is risk,” Mr. Geer says.

http://www.csmonitor.com/World/Passcode/Passcode-Influencers/2017/0327/What-keeps-cybersecurity-experts-up-at-night

The 2 Biggest Cybersecurity Fears of NASDAQ’s Chief Information Security Officer

Modano told me that his two greatest concerns are:

  1. The speed at which vulnerabilities are exploited to create cyber-weapons.
  2. How does the information-security team know what it does not know?

http://www.inc.com/joseph-steinberg/these-are-the-two-biggest-cybersecurity-fears-of-nasdaqs-chief-information-secur.html

DHS misses deadline to submit cyber strategy to Congress

The DHS was required by annual defense policy legislation passed in December to spell out a departmentwide cybersecurity strategy by last week. Rep. Cedric Richmond (D-La.) signaled at a hearing on Tuesday morning that members of a congressional panel with oversight of the DHS had yet to receive the strategy. A DHS cybersecurity official acknowledged that the department had missed the March 23 deadline and could take months to complete the strategy with input from Trump administration officials.

http://thehill.com/policy/cybersecurity/326133-dhs-yet-to-submit-cyber-strategy-to-congress

As of today, iThings are even harder for police to probe

Characterised by Apple as “strong full-disk encryption” for both files and metadata, with optional “Multi-key encryption with per-file keys for file data and a separate key for sensitive metadata”. That’s an improvement on the file-only encryption offered on older versions of iOS. “Multi-key encryption ensures the integrity of user data,” Apple tells us. “Even if someone were to compromise the physical security of the device and gain access to the device key, they still couldn’t decrypt the user’s files.”

https://www.theregister.co.uk/2017/03/28/apple_file_system_debuts/

Stingray use still shrouded in secrecy and lack regulation despite progress

Courts have been known to throw out cases entirely or drastically reduce sentences in cases where a stingray was used surreptitiously and without much detail as a result of non-disclosure agreements signed between local departments, the Federal Bureau of Investigation (FBI), and the maker of the devices, Harris Corporation. The FBI claims that the NDAs are only to protect certain capabilities and proprietary information concerning the device however, there have been reports of these agreements explicitly instructing agencies to not reveal their use or existence, even to courts.

https://www.scmagazine.com/stingray-use-still-shrouded-in-secrecy-and-lack-regulation-despite-progress/article/647001/

For sale: Your private browsing history

The US House of Representatives voted Tuesday to eliminate ISP privacy rules, following the Senate vote to take the same action last week. The legislation to kill the rules now heads to President Donald Trump for his signature or veto. The White House issued a statement today supporting the House’s action, and saying that Trump’s advisors will recommend that he sign the legislation. That would make the death of the Federal Communications Commission’s privacy rules official.

https://arstechnica.com/tech-policy/2017/03/for-sale-your-private-browsing-history/

Use Secure VPNs (Lifetime Subscription) to Prevent ISPs From Spying On You

1 — VPNSecure: Lifetime Subscription (91% OFF)

2 — PureVPN: Lifetime Subscription (88% OFF)

3 — OneVPN: Lifetime Subscription (89% OFF)

http://thehackernews.com/2017/03/secure-vpn-services.html

CompSci boffins propose scheme to protect privacy in database searches

It’s based on what Wang’s paper calls Function Secret Sharing (FSS), a cryptographic feature that “allows the client to split certain functions into shares that keep parameters of the function hidden unless all the providers collude”, without imposing too heavy a load on the CPUs in the system. FSS was first described in 2015 by Israeli researchers Elette Boyle and Shafi Goldwasser (who partnered with Wang on the new paper).

https://www.theregister.co.uk/2017/03/28/function_secret_sharing/

Alleged vDOS Owners Poised to Stand Trial

Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline. […] The police are preparing to recommend prosecutors charge the men with computer fraud and extortion, alleging they caused more than six million shekels worth of damage (approximately USD $1.65 million).

https://krebsonsecurity.com/2017/03/alleged-vdos-owners-poised-to-stand-trial/

Social engineering fake outs [Slideshow]

Social awareness campaigns hinge on keeping employees diligent when it comes to security at their company. That link from the IRS, your bank or the post office sure looks real – but look a bit closer. Enter Anton Abaya. A senior assessment and compliance consultant at Accudata Systems, he is asked to come into a company unannounced to employees to see where the holes are in the network and the physical security. Here he shares some of his experiences. The clients’ names have been withheld to protect the innocent.

http://www.csoonline.com/article/3184217/social-engineering/social-engineering-fake-outs.html

$524.27 Bn expected for Global Cyber Weapon Market at 4.32% CAGR by 2022

With an aim of capitalizing, several traditional weapons manufacturing companies are expanding their businesses in the cyber security segment which will fuel the market growth in the long run. The market is also expected to experience noteworthy growth due to increasing demand for security across critical infrastructure and utilities. Complete security of networks drives the demand for offensive cyber techniques.

http://www.technologynewsextra.com/524-27-bn-expected-global-cyber-weapon-market-4-32-cagr-2022/9159.html

Johnny Depp to Play Cyber Security Icon-Accused Murderer John McAfee

Johnny Depp will star as cyber security icon and accused murderer John McAfee in a new film. Deadline reports the movie, titled King Of The Jungle, will center around McAfee (Depp) taking a Wired magazine writer on a tour of his Belize compound. The story will take inspirations from Apocalypse Now and promises to be a darkly comic look at McAfee’s wild lifestyle, which is filled with murder, sex, and paranoia.

http://www.ign.com/articles/2017/03/27/johnny-depp-to-play-cyber-security-icon-accused-murderer-john-mcafee