IT Security News Blast 3-30-2017

Expert: NY breach report highlights third-party risk

He pointed out that the new requirements, which affect financial firms doing business in the state, require companies to take extra steps to oversee the security at their vendors and business partners. […] “What I’ve been advising people is, as they go about their task of establishing cybersecurity controls, they need to be thinking about how they’re going to impose down on their third-party service providers,” he said. “They really do need to be in sync.”

http://www.networkworld.com/article/3185911/security/expert-ny-breach-report-highlights-third-party-risk.html

New Mirai variant launched a 54 hour DDoS attack on a US college

According to Imperva Incapsula, the attack occurred a month ago on February 28, and yet it is only now that the news it out. Researchers believe it to be a new variant of Mirai that is “more adept at launching application layer assaults.” During the attack, the average traffic flow measured was 30,000 RPS (Requests Per Second), and the highest peak was at 37,000 RPS. The DDoS mitigation firm said that it was the most they have seen out of any Mirai variant so far. They reported that the attack generated more than 2.8 billion requests.

https://www.hackread.com/mirai-variant-launched-54-hour-ddos-attack-on-us-college/

Someone is putting lots of work into hacking Github developers

Dimnie, as the reconnaissance and espionage trojan is known, has largely flown under the radar for the past three years. It mostly targeted Russians until early this year, when a new campaign took aim at multiple owners of Github repositories. One commenter in this thread reported the initial infection e-mail was sent to an address that was used solely for Github, and researchers with Palo Alto Networks, the firm that reported the campaign on Tuesday, told Ars they have no evidence it targeted anyone other than Github developers.

https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/

AI will transform information security, but it won’t happen overnight

“It is hyped, because security is nothing but hype, but it is good stuff,” said the CTO of Resilient Systems. “We’re a long way off AI from making humans redundant in cybersecurity, but there’s more interest in [using AI for] human augmentation, which is making people smarter. You still need people defending you. Good systems use people and technology together.”

http://www.networkworld.com/article/3185805/application-development/ai-will-transform-information-security-but-it-won-t-happen-overnight.html

US energy systems at the mercy of cyberattack, warns report

The digital systems that run the electricity grid, gas pipelines and other critical infrastructure in the US have 25 years’ worth of fundamental weaknesses to hacking that need fixing. […] Controls on an oil pipeline can use the same hardware as your teenager’s computer,” says Brenner. Suppliers make the most profit by selling general hardware components that have various uses, but they have security flaws. “We know how to fix the vulnerabilities, but there’s no market incentive for companies to do so,” he says.

https://www.newscientist.com/article/2126050-us-energy-systems-at-the-mercy-of-cyberattack-warns-report/

Almost 40 percent of industrial computers face cyber attacks

“Our analysis shows us that blind faith in technology networks’ isolation from the internet doesn’t work anymore,” says Evgeny Goncharov, head of critical infrastructure defense department at Kaspersky Lab. “The rise of cyberthreats to critical infrastructure indicates that ICS should be properly secured from malware both inside and outside the perimeter. It is also important to note that according to our observations, the attacks almost always start with the weakest link in any protection — people.”

https://betanews.com/2017/03/29/industrial-computers-attack/

Feds to battle cybersecurity with analytics

“That could happen all over our internet with knowledge that comes from companies like Akamai that see a big, broad perspective of the world,” Schneck said. “If we could get our internet to recognize something bad and attack it,” she added, “we could start to look at how we not only end the idea where instructions are simply run without thinking about it, but also be able to warn … at the speed of light all the others that might be relevant across the network.”

http://www.networkworld.com/article/3185912/malware-cybercrime/feds-to-battle-cybersecurity-with-analytics.html

Kremlin-backed APT28 doesn’t even bother hiding its attacks, says Finnish secret police

Regarding attempts to compromise the country’s “foreign and security policy,” the report notes: “Most observations were related to an APT28/Sofacy attack in which no particular effort was made to conceal the activity … It is justified to assume that also the number of cases which have not come to the authorities’ knowledge has increased.” APT28 has been blamed for attacks on Georgia, Eastern Europe, NATO, the Organization for Security and Co-operation in Europe, and in 2014, FireEye went public linking the group to the Kremlin.

https://www.theregister.co.uk/2017/03/30/kremlinbacked_apt28_doesnt_hide_its_attacks/

Cyber-Threat and Regulation Priorities for CISOs

One of the current challenges for many CISOs lies not in preventing the threat from cyber within an organization, but rather the organization’s vulnerability through third-party relationships. Financial Services firms might have invested over the years into fool-proofing their own systems, processes and applications, but third party vendors such as cloud providers can be an easy route for hackers to access company data.

https://www.infosecurity-magazine.com/opinions/cyberthreat-and-regulation/

Here Is What Really Is (and Isn’t) a Cyberattack

Schmitt, a professor of law at the U.S. Naval War College and University of Exeter in England, has spent years trying to defuse talk of cyberattacks, an expression used to describe everything from remotely disabling a city’s power grid to stealing a Facebook password. The concern, for Schmitt and others, is that overheated rhetoric could prompt dangerous diplomatic missteps. “We’re very nervous when people say ‘cyberattack,’ because a ‘cyberattack’ opens the door to a state responding at very highest level of severity,” Schmitt said in a recent interview. “If there’s any area where we need to be careful, it’s this.”

http://www.inc.com/associated-press/what-really-is-and-isnt-a-cyberattack.html

Top general: ISIS ‘extraordinarily savvy’ in cyber

“I would share with you that this is an extraordinarily, extraordinarily savvy enemy, and so they have capabilities in this area and we will need to continue to evolve in this,” Votel added. The general also noted that other countries participating in the anti-ISIS coalition have built “unique capabilities” in cyber that have been “well-integrated” into operations. Votel said he would like to further address the issue in a closed setting.

http://thehill.com/policy/cybersecurity/326328-top-general-isis-extraordinarily-savvy-in-cyber

IBM on the state of network security: Abysmal

IBM did note that while the healthcare industry continued to be beleaguered by a high number of incidents, attackers hit on smaller targets resulting in a lower number of leaked records. In 2016, only 12 million records were compromised in healthcare – keeping it out of the top 5 most-breached industries. For perspective, nearly 100 million healthcare records were compromised in 2015 resulting in an 88% drop in 2016, IBM stated.

http://www.networkworld.com/article/3185813/security/ibm-on-the-state-of-network-security-abysmal.html

Women Crack Code on Intel, Cyber, Tech Jobs, Despite Growing STEM Shortage

Consider Lt. Gen. VeraLinn “Dash” Jamieson, Air Force deputy chief of staff for intelligence, surveillance and reconnaissance. […] Despite setbacks that started almost as soon as she joined up, today, she leads one of the most technologically sophisticated branches of perhaps the most technologically sophisticated militaries in the world, pressing the case for artificial intelligence (AI) and the use of advanced algorithms to enhance both the speed and quality of military intelligence for warfighters operating at the tactical edge.

https://www.govtechworks.com/women-crack-code-intel-cyber-tech-jobs-stem-shortage-grows/#gs.v8nG00c

How to Increase the Presence – and Impact – of Women in Cybersecurity

With more than 1 million global cybersecurity jobs unfilled, we can’t afford to let this opportunity slip away. We must do what it takes to make sure that women are well-represented as organizations fill these vacancies. […] Cisco’s sponsorship programs take the mentoring concept to a higher level by designating an executive to map out a professional development/advancement path for a future leader – and then help her make it happen. Organizations need to fully dedicate their efforts to mentorships and sponsorships, particularly those focused upon women in cybersecurity.

https://blogs.cisco.com/security/how-to-increase-the-presence-and-impact-of-women-in-cybersecurity

Girls crack code in CyberFirst challenge and impress judges

A total of 37 girls representing 10 teams travelled to London from all over the country, and gathered at the historic Lancaster House in the heart of Westminster to pit their technological wits against girls from other schools. The competition saw more than 8000 young women aged 13-15 from across the UK enter online heats in teams of three or four. The contest was created to raise more awareness of careers in cyber-security amongst girls, since only seven percent of the global workforce is female.

https://www.scmagazine.com/girls-crack-code-in-cyberfirst-challenge-and-impress-judges/article/647285/

A scramble at Cisco exposes uncomfortable truths about U.S. cyber defense

The Wikileaks documents described how the Central Intelligence Agency had learned more than a year ago how to exploit flaws in Cisco’s widely used Internet switches, which direct electronic traffic, to enable eavesdropping. […] The Cisco engineers worked around the clock for days to analyze the means of attack, create fixes, and craft a stopgap warning about a security risk affecting more than 300 different products, said the employees, who had direct knowledge of the effort.

http://www.reuters.com/article/us-usa-cyber-defense-idUSKBN17013U

Could soldiers, sailors and spies make better CISOs?

Notions like OPFOR, training against dummy enemies to establish your own weak points,  translate almost seamlessly into red teaming or penetration testing, a well worn device of the security industry. You’re really doing the same sorts of things you would do in the military, says Pogue, “with just a different set of information.” The job of information security, Pogue maintains, runs in close parallel to that of a combat soldier.

https://www.scmagazineuk.com/could-soldiers-sailors-and-spies-make-better-cisos/article/646980/

Democrats demand the FCC tackle cybersecurity

Wyden and Lieu specifically call out the Signaling System 7 flaw that received a fair bit of media attention last year. Former FCC chairman Tom Wheeler ordered the Communications Security, Reliability and Interoperability Council to investigate SS7 vulnerabilities, and just this month, the CSRIC working group filed its final report on the matter. The investigation noted security holes in critical US infrastructure, as well as cellular, wireline and 5G networks, and recommended widespread firewall and encryption updates.

https://www.engadget.com/2017/03/28/fcc-cybersecurity-democrats-letter-congress-pai/

Privacy and Information Security – Cyber Incident Response Planning

Cyber incident response planning should not be taken lightly and actions are needed in the event of a potential incident. The following are some suggestions for planning for your company and responding in the event of an incident. Contrary to some views, the use of cloud vendors and other third parties does not negate the need for such a plan. The US Federal Trade Commission has provided a good deal of specific guidance on this topic which must be taken into account when formulating a plan.

http://www.lexology.com/library/detail.aspx?g=71150f7e-2525-49ca-bccd-431445aca06c

How to leak data from an air-gapped PC – using, er, a humble scanner

The technique involves shining an external light, such as a laser or an infrared beam, through the window (or hijacking a manipulable internal light source) so that the illumination alters the scanner output to produce a digital file containing the desired command sequence. To do so, the light must be connected to a micro-controller that modulates the binary-encoded commands from the server into light flashes that register with the scanner’s sensors.

https://www.theregister.co.uk/2017/03/30/scanners_as_covert_command_control_conduit/

//]]>