IT Security News Blast 3-31-2017

More than a H/T to @billschrier for #1. Bill has been an unrelenting force to get FirstNet to happen. We all owe ya, Bill.

AT&T gets $6.5 billion to build US-wide public safety network

“FirstNet will provide 20MHz of high-value, telecommunications spectrum and success-based payments of $6.5 billion over the next five years to support the network buildout,” AT&T said in its announcement. FirstNet’s spectrum is located in the 700MHz band often used for consumer LTE networks. The Federal Communications Commission raised $7 billion to fund the network in a spectrum auction that concluded in January 2015. Some of that money came from AT&T itself, as the company led all bidders with $18.2 billion of winning bids.

https://arstechnica.com/information-technology/2017/03/att-gets-6-5-billion-to-build-us-wide-public-safety-network/

New mandatory data breach notification requirements

Under the new requirements, entities that are bound by the Privacy Act 1988 (Privacy Act), known as “APP entities”, will be obliged to notify the Privacy Commissioner and affected customers of any “eligible data breach” as soon as practicable after becoming aware of the occurrence. Where an APP entity merely suspects that its data has been breached, it will have 30 days to conduct an investigation before it must report. In this eBulletin we look at what makes an “eligible breach” and what you should do if your business is bound by the Privacy Act.

http://www.lexology.com/library/detail.aspx?g=88c3db90-db63-4812-ad8f-ca3d3108b7f2

America’s Cybersecurity Emergency That Keeps Getting Worse

Earlier this month, the House Committee on Science, Space and Technology, which I chair, approved on a bipartisan basis a package of reforms that will strengthen federal cybersecurity defenses, require regular audits of cybersecurity preparedness and make agencies and their leaders publicly accountable for performance. H.R. 1224, the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, further engages the National Institute of Standards and Technology (NIST) in this effort.

https://www.forbes.com/sites/realspin/2017/03/29/americas-cybersecurity-emergency-that-keeps-getting-worse/2/#7eb6602a51bc

German military to unveil new cyber command as threats grow

The new German command will based in Bonn with an initial staff of 260, growing to around 13,500 in July when the military’s current strategic reconnaissance command and centers for operational communication and geo-information are folded in. By 2021, the command is due to have a total of 14,500 positions, including 1,500 civilian jobs.

http://www.reuters.com/article/us-germany-military-cyber-idUSKBN1712MW

To Understand The Future Of Cyber Power, Look To The Past Of Air Power

Michael Sherry, a leading historian of air power in the 20th century, has argued that while early aviation technologies had limited practical applications, those limitations were not always understood by military commanders and political leaders. Fantasies about air power’s destructive potential outstripped the reality of air power. But before long, the experiences of war enabled military planners and national leaders to experiment with air power, giving the world an early taste of the terror.

http://www.huffingtonpost.com/entry/cyber-war-technology_us_58dbfab2e4b01ca7b4294347

Ransomware: The good and the bad for cyber insurers

Keep in mind that ransomware claims typically encompass not only the ransom amount, should the victimised organisation decide to pay it, but can easily mushroom into an array of other costs related to the attack. These can include third-party experts the carrier has contracted with to act as breach coaches, negotiators, forensic specialists, and legal and public relations pros. In some situations, these response-related expenses can exceed the amount of the ransom demanded.

http://www.insurancebusinessmag.com/uk/news/breaking-news/ransomware-the-good-and-the-bad-for-cyber-insurers-64057.aspx

Internet’s Security Woes are Not All Technical

Vendors and cyber insurance companies realize security leaders can’t get exactly what they want, so they sell other products and services to fill the gap, he said. Much of today’s security tech exists to protect the CISO, Flake said. Functionality comes second. The biggest risk to the CISO is being perceived as missing a threat to the business. It doesn’t matter whether the product performs; it simply has to seem like a reasonable choice. Purchasing security products often relies on marketing and manageability, he admitted.

http://www.darkreading.com/risk/internets-security-woes-are-not-all-technical-/d/d-id/1328523

What project managers need to know about cyber security

Project managers must consider the value of the data, whose data it is (customers and/or clients) and the potential effects if it were breached. […] Cyber security is crucial to every project, regardless of how sensitive the data you’re dealing with is. You don’t want your project to be the weak link in your company’s cyber security policy and you can never be sure what potential points of exploitation your project might open.

http://www.information-age.com/project-managers-need-know-cyber-security-123465431/

38% Of All Cyber Attacks Completely “Avoidable”, As Business Owners Blamed For Failing To Warn Staff

“It’s concerning to see that more than half of small businesses do not have an incident response plan in place that outlines roles and responsibilities in the event of a cyber-attack. “Small businesses must take a two-pronged approach to guarding against an attack, implementing good security and risk management practices along with a strong cyber insurance policy.

http://is4profit.com/38-of-all-cyber-attacks-completely-avoidable-as-business-owners-blamed-for-failing-to-warn-staff/

Charlotte abortion clinic: Our phones, Internet were ‘cyber-attacked’

A Charlotte clinic that offers abortions said its phones and Internet were severed Tuesday, and the clinic believes it was “cyber-attacked” by protesters who have gathered outside the clinic for years. […] “We have never had something this targeted before,” Hales said. “This looks like it’s intentional.” Daniel Parks, the leader of the anti-abortion group Cities4Life, said his group did not attack the clinic.

http://www.charlotteobserver.com/news/politics-government/article141468194.html

Verizon to pre-install a ‘Spyware’ app on its Android phones to collect user data

AppFlash is simply a Google search bar replacement, but instead of collecting and sending telemetry data including what you search, handset, apps and other online activities to Google, it will send to Verizon. […] Then what’s the need for this app? Of course, selling your data to advertisers or other big data companies and make money — thanks to the US Senate that allowed ISPs to collect and sell your data without permission and banned the FCC from ever passing any rule that would limit these powers.

http://thehackernews.com/2017/03/verizon-appflash-evie.html

2017 set to be landmark year for electronic device searches at the U.S. border

The US government are now being sued to figure out why. The Columbia University legal organisation the Knight First Amendment Institute filed the lawsuit in an attempt to find out why US border agents are increasingly seizing and searching traveller’s laptops, computers and mobile devices. The Institute wants to get its hands on internal Department of Homeland Defence (DHS) directives authorising such searches.

https://www.scmagazine.com/2017-set-to-be-landmark-year-for-electronic-device-searches-at-the-us-border/article/647405/

Minnesota, Illinois rebel over America’s ISP privacy massacre, mull fresh info protections

Several other states are said to be considering legislation in response to Congress’ new rules eliminating privacy protections for internet users in America. Public opinion isn’t in favor of letting ISPs have a free hand. If you’re hoping Donald will scupper efforts to open up people’s private data to advertisers, forget it: the White House said in a statement that Trump’s advisors “would recommend that he sign the bill into law.”

https://www.theregister.co.uk/2017/03/30/states_rebel_against_isp_internet_history_grab/

NukeBot Banking Trojan Source Code Leaked Online by Author

NukeBot, also known as Nuclear Bot, first surfaced on underground marketplaces back in December. Researchers with Arbor Networks were among the first to dissect the Trojan and claimed it was replete with commands, a man-in-the-browser functionality, and the ability to download webinjects from its command and control server. When X-Force analyzed NukeBot, also in December, researchers said the malware could be considered an “HTTP bot” that can steal login data on the fly.

https://threatpost.com/nukebot-banking-trojan-source-code-leaked-online-by-author/124653/

Hackers continue to troll LinkedIn

These attacks are becoming more common because it’s easy and inexpensive. Companies have placed a lot of money in their perimeter security and purchased products to find sites with poor reputations scores. LinkedIn circumvents both of these layers. LinkedIn is typically a site that is not blocked by network filters to allow HR departments the capability to find new employees. LinkedIn is also a reputable site, so these reputation-based security products will allow any employee to access the site.

http://www.csoonline.com/article/3186267/security/hackers-continue-to-troll-linkedin.html

Gizmodo found what looks to be FBI Director James Comey’s Twitter account

In a Thursday afternoon e-mail to Ars, the FBI National Press Office wrote: “We don’t have any comment.” The reporter, Ashley Feinberg, wrote up a detailed narrative as to how she was able to locate him by first finding his son, Brien Comey, on Instagram. When she followed this lead, even though that account is locked, Instagram suggested other accounts that Feinberg may wish to follow. Those included one named @reinholdniebuhr. Earlier this month, none other than Edward Snowden pointed out that Comey said publicly that he had an Instagram account.

https://arstechnica.com/tech-policy/2017/03/gizmodo-found-what-looks-to-be-fbi-director-james-comeys-twitter-account/

Senator: Russia used ‘thousands’ of internet trolls during US election

The Russian government used “thousands” of internet trolls and bots to spread fake news, in addition to hacking into political campaigns leading up to the 2016 U.S. election, according to one lawmaker. Disinformation spread on social media was designed to raise doubts about the U.S. election and the campaign of Democratic presidential candidate Hillary Clinton, said Senator Mark Warner, a Virginia Democrat. “This Russian propaganda on steroids was designed to poison the national conversation in America,” Warner said Thursday during a Senate hearing on Russian election hacking. The Russian government used “thousands of paid internet trolls” and bots to spread disinformation on social media.

http://www.csoonline.com/article/3186678/security/senator-russia-used-thousands-of-internet-trolls-during-us-election.html

WONTFIX: No patch for Windows Server 2003 IIS critical bug – Microsoft

Microsoft will not patch a critical security hole recently found and exploited in IIS 6 on Windows Server 2003 R2 – the operating system it stopped supporting roughly two years ago. The buffer overflow bug can be exploited to inject malicious code into a vulnerable machine and execute it, allowing an attacker to gain control of the computer. It requires WebDAV to be enabled. If you have such a machine exposed to or reachable from the internet, and you get hacked, maybe you deserve it.

https://www.theregister.co.uk/2017/03/31/microsoft_wont_patch_server_2003/

To fight Tor hack prosecutions, activist groups offer up legal help

Three legal advocacy organizations have published a new guide for criminal defense attorneys who are defending more than 200 people who are accused of accessing Playpen, a now-shuttered notorious child porn site that was only available as a Tor-hidden service. The Playpen prosecutions, which are unfolding nationwide, have raised significant questions as to what the limits of government surveillance should be—and how much judicial and legislative oversight exists for authorized government hacking.

https://arstechnica.com/tech-policy/2017/03/to-fight-tor-hack-prosecutions-activist-groups-offer-up-legal-help/

10 practical privacy tips for the post-privacy internet

  1. Educate yourself about cookies and clean them out regularly
  2. Use two, or even three, browsers
  3. Disable Flash or option it
  4. Change your DNS server
  5. Lose search engines that track you. Now
  6. Use the Tor browser(s)
  7. Remove your information on websites
  8. If you have the luxury, change ISPs
  9. Use virtual machines
  10. Modify your browser as little as possible

http://www.networkworld.com/article/3186732/internet/10-practical-privacy-tips-for-the-post-privacy-internet.html