IT Security News Blast 3-6-2017

Howard Schmidt, Cybersecurity Adviser to Two Presidents, Dies at 67

Howard A. Schmidt, a computer crime expert who advised two presidents and drafted cybersecurity safeguards that were approved by Congress in 2015, died on Thursday at his home in Muskego, Wis. He was 67. The cause was brain cancer, his wife, Raemarie, said. The legislation, which evolved from precautions Mr. Schmidt proposed several years earlier, enabled government and industry to share information about potential risks from attackers’ codes and techniques, shielded companies from liability lawsuits for trading data and provided privacy protections for consumers.

https://www.nytimes.com/2017/03/04/us/howard-schmidt-dead-white-house-cybersecurity-aide.html

In Appreciation: Howard A. Schmidt

Schmidt left Microsoft after being called up by the Bush White House to serve as its cybersecurity advisor in 2001. “He left to go join the White House because he felt that was a higher calling, something he ought to do,” Lipner said. “He was a very practical, down-to-earth guy. He was very dedicated to security and doing security right,” Lipner said. “He was also just a good person … a friend. And a nice guy.” Schmidt was an avid outdoorsman who enjoyed riding his Harley-Davidson and spending time with his family, including eight grandchildren.

http://www.darkreading.com/careers-and-people/in-appreciation–howard-a-schmidt/d/d-id/1328307?

Security alert overload threatens to bury security teams

  • When asked to identify their top incident response challenges, 36 percent of the cybersecurity professionals surveyed said, “keeping up with the volume of security alerts.”
  • Forty-two percent of cybersecurity professionals say their organization ignores a significant number of security alerts because they can’t keep up with the volume.
  • When asked to estimate the percentage of security alerts ignored at their organization, 34 percent say between 26 percent and 50 percent, 20 percent of cybersecurity professionals say their organization ignores between 50 percent and 75 percent of security alerts, and 11 percent say their organization ignores more than 75 percent of security alerts. Mamma mia, that’s a lot of security alerts left on the cutting room floor.

http://www.networkworld.com/article/3176718/security/dealing-with-overwhelming-volume-of-security-alerts.html

‘Previously unseen’ malware behind cyberattack against UK’s biggest hospital group

A malware attack which forced parts of the UK’s largest hospital group offline has been blamed on a new form of malware, which bypassed antivirus software and infected the network. […] A Barts Health NHS Trust spokesperson said the exact form of malware which infected systems couldn’t be disclosed at this time due to an ongoing investigation into the incident. The minutes also reveal that the virus affected four of the trust’s five sites: Mile End Hospital, Newham University Hospital, The Royal London Hospital, and St Bartholomew’s Hospital. Whipps Cross University Hospital was the only trust location which was not infected.

http://www.zdnet.com/article/previously-unseen-malware-behind-cyberattack-against-uks-biggest-hospital-group/

Hackers Using Unmonitored System Tools, Protocols for Malicious Goals

The sample that the researchers analyzed was utilizing DNS TXT record queries/response for creating a “bidirectional Command and Control channel.” The findings of their research have been published in a report compiled by Edmund Brumaghin and Colin Grady. “This malware sample is a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting. It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc.”

https://www.hackread.com/dnsmessenger-malware-attack-fud/
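The Talos finding above is that the C2 channel rides entirely on DNS TXT queries and responses, which most environments forward to resolvers without inspection. The defensive counterpart is to score outbound TXT traffic per registered domain for the shape a tunnel cannot avoid: many queries, almost all with a distinct subdomain (repeated names would be answered from cache and never reach the attacker), and subdomains that look encoded rather than human-named. The following is an added example written for this digest, not code from the Talos report, from hackread, or from the malware itself; the log format, the `c2-example.test` domain, the client addresses and the thresholds are all constructed for illustration.

```python
"""Flag DNS TXT lookups that look like a covert command-and-control channel.

Added example for this digest; not code from Talos, hackread or the malware.
Log format is constructed for illustration:  <epoch> <client_ip> <qname> <qtype>
"""
import math
from collections import Counter, defaultdict

# Constructed sample: ordinary TXT lookups (SPF/DMARC style) plus a burst of
# unique, high-entropy subdomains under one domain from a single host, which
# is the shape a DNS-tunnelling C2 channel produces (data out in the query
# name, commands back in the TXT answer).
SAMPLE_LOG = """\
1488787200 10.0.0.5 _dmarc.example.com TXT
1488787201 10.0.0.5 example.com TXT
1488787202 10.0.0.7 mail.example.org MX
1488787203 10.0.0.9 www.example.net A
1488787204 10.0.0.12 x7k2q9v4m1p8z3.c2-example.test TXT
1488787205 10.0.0.12 q3m8v1z7k2p9x4.c2-example.test TXT
1488787206 10.0.0.12 z9p4x1m7q2k8v3.c2-example.test TXT
1488787207 10.0.0.12 k2v8m3x9q4p1z7.c2-example.test TXT
1488787208 10.0.0.12 p1z7k8v2m9x3q4.c2-example.test TXT
1488787209 10.0.0.12 m4q9p3z1x8k7v2.c2-example.test TXT
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking encoded payloads score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line: str):
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.lower().rstrip("."), qtype.upper()


def split_name(qname: str):
    """Return (registered_domain, subdomain_part).

    Simplification: treats the last two labels as the registered domain.
    Production code should consult the Public Suffix List (e.g. 'co.uk').
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_txt_traffic(log_text: str, min_queries: int = 5,
                      min_unique_ratio: float = 0.8,
                      min_entropy: float = 3.0):
    """Return suspicious registered domains with the statistics behind each.

    A domain is flagged when it receives at least `min_queries` TXT queries,
    nearly every query uses a distinct subdomain (resolver caching would
    collapse repeats, so a tunnel must vary the name), and those subdomains
    look encoded (mean Shannon entropy >= `min_entropy`).
    """
    stats = defaultdict(lambda: {"txt": 0, "subs": set(),
                                 "entropies": [], "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, qtype = parse_line(line)
        if qtype != "TXT":
            continue
        domain, sub = split_name(qname)
        rec = stats[domain]
        rec["txt"] += 1
        rec["subs"].add(sub)
        rec["clients"].add(client)
        rec["entropies"].append(shannon_entropy(sub.replace(".", "")))

    findings = []
    for domain, rec in stats.items():
        if rec["txt"] < min_queries:
            continue
        unique_ratio = len(rec["subs"]) / rec["txt"]
        mean_entropy = sum(rec["entropies"]) / len(rec["entropies"])
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            findings.append({
                "domain": domain,
                "txt_queries": rec["txt"],
                "unique_subdomains": len(rec["subs"]),
                "mean_entropy": round(mean_entropy, 2),
                "clients": sorted(rec["clients"]),
            })
    return sorted(findings, key=lambda f: -f["txt_queries"])


if __name__ == "__main__":
    for f in score_txt_traffic(SAMPLE_LOG):
        print(f"suspect TXT channel: {f['domain']} "
              f"({f['txt_queries']} queries, {f['unique_subdomains']} unique names, "
              f"entropy {f['mean_entropy']}, clients {', '.join(f['clients'])})")
```

On the constructed log only `c2-example.test` is flagged; the SPF/DMARC lookups under `example.com` are too few and too regular. Expect benign high-entropy TXT traffic in a real network (DKIM selectors, anti-spam and reputation services that answer over TXT, some CDN health checks), so the thresholds need baselining against your own resolver logs, and the result is a lead for analyst triage rather than a block decision. The point that matters for the Talos case is simpler: none of this is possible unless DNS query logs are collected in the first place, alongside the HTTP and SMTP inspection most teams already do.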

Why healthcare must overcome 3 challenges to beef up security

On top of the data format, there is also the need to disseminate that data to many different places. Each of these elements creates a security risk, which, in turn, makes comprehensive security difficult. […] After considering the dimensions that make security in healthcare difficult, there is also a talent shortage. Cobb referenced studies that found a shortage of skilled people worldwide who can fight cybercrime. It is not a healthcare problem, but an overall system problem. The rapid pace of cyber crime development means that, right now, the fight is almost all defensive. Hopefully, reinforcements, or just first-line defenders, will arise soon.

https://www.healthdatamanagement.com/opinion/why-healthcare-must-overcome-3-challenges-to-beef-up-security

A Cyberattack Used ‘Zombie’ Calls To Take Down 911 Systems In 12 States In One Night

The cyberattack spanned parts of California, Florida, Texas, and Washington. Federal officials were reportedly worried that something like this could have happened, since many of the systems are outdated and could have been susceptible to these attacks. Trey Forgety, the director of government affairs at the National Emergency Number Association, said their greatest fears were realized with this incident, and they need to change their methods and systems: “If this was a nation-state actor that wanted to damage or disable 911 systems during an attack, they could have succeeded spectacularly. This was a serious wake-up call.”

http://uproxx.com/news/cyberattack-takes-down-911-systems/

Report: U.S. military can’t guarantee retaliation against major cyber attack

For at least the next decade, cyber superpowers Russia and China will have the capability to launch devastating online attacks against U.S. vital industries like banking and telecommunication, that will “far exceed” any ability of the U.S. military to defend against, Pentagon science advisors say in a new report. Worse, concludes the “Final Report of the Defense Science Board Task Force on Cyber Deterrence,” published this week, the U.S. military itself has a “deep and extensive dependence on information technology as well” — making it vulnerable to cyberattacks that might thwart an American response to such an online assault.

https://www.cyberscoop.com/defense-science-board-cyber-deterrence-task-force/

Network security demands better procurement processes

So we are spending $500 million to deal with the aftermath of the breaches (and possible future breaches), but somehow we never have enough money to prevent these breaches from the start. It begs the question of where that money was before the problem? […] Technology companies are going to need to treat security as a fundamental feature in their products from day one. That means putting security up front in product development, with a sound plan and security features designed into products from the start.

http://www.csoonline.com/article/3175019/security/network-security-demands-better-procurement-processes.html

Ex-NSA head: Cybersecurity agencies don’t share enough information to be successful

“It’s not working,” Alexander said of the government’s organization on cybersecurity. “There are four stovepipes and it doesn’t make sense. If we were running this like a business, we would put them together.” Alexander suggested that all four groups be brought together under one cybersecurity framework in order to defend the country’s networks and critical infrastructure and respond to cyberattacks. […] “What you have is people acting independently, and with those seams, we will never defend this country,” said Alexander, who now leads a private cybersecurity firm.

http://thehill.com/policy/cybersecurity/322061-ex-nsa-head-agencies-too-stove-piped-to-be-successful-on-cybersecurity

‘Do not mess with Nato’: Alliance’s British chief warns Russian election hacking and fake news could be seen as an act of war

General Sir Adrian Bradshaw said Article 5 of the Nato charter – in which an attack on one member state is an attack on all – could apply to unconventional forms of warfare. His comments signal a possible expansion of the interpretation of the mutual defence guarantee – which means all states in the alliance could decide to strike back. […] Asked if disinformation and meddling, such as Russia’s alleged interference in the US election came under Article 5, he said: ‘Article 5 is when it’s declared to be Article 5.

http://www.dailymail.co.uk/news/article-4278618/Do-not-mess-Nato-says-Alliance-s-British-chief.html

Trump Inherits a Secret Cyberwar Against North Korean Missiles

Last fall, Mr. Kim was widely reported to have ordered an investigation into whether the United States was sabotaging North Korea’s launches, and over the past week he has executed senior security officials. The approach taken in targeting the North Korean missiles has distinct echoes of the American- and Israeli-led sabotage of Iran’s nuclear program, the most sophisticated known use of a cyberweapon meant to cripple a nuclear threat. But even that use of the “Stuxnet” worm in Iran quickly ran into limits. It was effective for several years, until the Iranians figured it out and recovered. And Iran posed a relatively easy target: an underground nuclear enrichment plant that could be attacked repeatedly.

https://www.nytimes.com/2017/03/04/world/asia/north-korea-missile-program-sabotage.html?_r=0

Congress proposes grants for state, local cybersecurity

State, local, and tribal governments typically devote less than two percent of their IT budget to cybersecurity, according to the bill’s sponsors, Reps. Derek Kilmer (D-Wash.) and Barbara Comstock (R-Va.), along with Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.). The sponsors cited studies that showed in 2015, 50 percent of state and local governments had six or more cyber breaches within the last two years. They also noted that in the past year hackers had breached more than 200,000 personal voter records in the states of Arizona and Illinois.

https://gcn.com/articles/2017/03/03/cyber-grants-states.aspx

Cybersecurity Bill Defines Radio as Critical Infrastructure

The Cybersecurity Responsibility Act, introduced by Rep. Yvette Clarke (D-N.Y.), would require the FCC to adopt rules on cybersecurity protections for communications networks. The FCC would have 180 days “to secure communications networks through managing, assessing, and prioritizing cyber risks and actions to reduce such risks.” The Interagency Cybersecurity Cooperation Act, from Rep. Eliot Engel (D-N.Y.), would create an interagency committee (actually, the FCC would be charged with doing so) to review cybersecurity incidents, recommend investigations into such incidents, and report on the results, including with any policy recommendations.

http://www.radiomagonline.com/fcc/0019/cybersecurity-bill-defines-radio-as-critical-infrastructure/38672

Someone hacked this billboard in Mexico and defaced with porn video

The video displayed a woman using an electronic toy on herself. It must be noted that along with the video one can also see a TeamViewer warning tab, which leads to the conclusion that the signboard may not have been hacked but that someone used TeamViewer to play the video on the computer that was operating the board. In this case, the browser was either Internet Explorer or Edge while the operating system was Microsoft Windows.

https://www.hackread.com/mexico-billboard-hacked-with-porn-video/

Enough with “the Cyber”!

What we should all be concerned about is why so little is being done to address what are crucial digital security issues and why the willful ignorance continues. Until people know enough to loudly and derisively laugh at anyone, including the president, who utters the phrase “the Cyber” in public and to hold the machineries of government accountable for their digital security failures, we’re going to be nowhere near to having the secure national infrastructure that, as a nation, we not only need but also deserve.

http://www.networkworld.com/article/3176887/security/enough-with-the-cyber.html

Uber Greyball tool gathered info, tagged riders to avoid law enforcement

The tool was originally developed as part of Uber’s violation of terms of service (VTOS) program which helped the company weed out those people who might be misusing its service. […] The tool helped identify and spurn law enforcement officials using 12 identifiers and perused user payment information to see if it was linked to an organization affiliated with the police, like particular credit unions. The company also put digital geofences around certain locations housing authorities’ offices then observed which users in those locales might be opening and closing the Uber app often.

https://www.scmagazine.com/uber-greyball-tool-gathered-info-tagged-riders-to-avoid-law-enforcement/article/642035/

Microsoft tech support scam leverages full-screen mode to trick victims

Clicking “OK” on the message opens what appears to be a second pop-up, as if the user is stuck in a never-ending dialogue loop (a common tech support scam tactic), but in this case the unwanted dialogue box is actually just a web element built into the page. Clicking “OK” on this element places users in full-screen mode and introduces yet another web element, designed to look like users have been redirected to the Chrome browser’s version of the Microsoft support page. But it is actually still the scam site, despite what appears to be an address bar that reads “support.microsoft.com/ru-ru/en“.

https://www.scmagazine.com/microsoft-tech-support-scam-leverages-full-screen-mode-to-trick-victims/article/642024/

Pence v Clinton: Both used private email for work, one hacked, one accused of hypocrisy

In short, as far as Pence’s critics are concerned, the use of a private email account by the then-governor for sensitive state business – an account that was actually compromised – smacks of hypocrisy. “There is an issue of double standard here,” said Gerry Lanosga, a professor at Indiana University and past president of the Indiana Coalition for Open Government. “He has been far from forthcoming about his own private email account on which it’s clear he has conducted state business. So there is a disconnect there that cannot be avoided.”

https://www.theregister.co.uk/2017/03/03/pence_private_email/

DOJ drops case against child porn suspect rather than disclose FBI hack

The case, United States v. Jay Michaud, is one of nearly 200 cases nationwide that have raised new questions about the appropriate limitations on the government’s ability to hack criminal suspects. Michaud marks just the second time that prosecutors have asked that the case be dismissed. “The government must now choose between disclosure of classified information and dismissal of its indictment,” Annette Hayes, a federal prosecutor, wrote in a court filing on Friday. “Disclosure is not currently an option. Dismissal without prejudice leaves open the possibility that the government could bring new charges should there come a time within the statute of limitations when the government is in a position to provide the requested discovery.”

https://arstechnica.com/tech-policy/2017/03/doj-drops-case-against-child-porn-suspect-rather-than-disclose-fbi-hack/