IT Security News Blast 3-9-2017

The CIA can hack your TV? So what else is new?

“As all this stuff gets weaponized and it gets pointed back at us, that’s when there will be an uptick” in the cybersecurity business, Hamilton said. “It’s kind of a race.” Schneider echoed that sentiment: “Our concern is that Vault7 makes it even easier for a crop of new cyber-actors to get in the game.” But Bambenek said the disclosure about “Weeping Angel,” the program that allows the CIA to activate the microphones on Samsung smart television sets, was not particularly new. He said he’d seen a similar exploit at a trade show in Vancouver in 2013. “OK, so the CIA has a tool that can help them listen through a TV. What did you think the CIA does?” Bambenek asked.

http://www.mcclatchydc.com/news/nation-world/national/national-security/article137272958.html

Exposure of CIA hacking tools renews debate over Americans’ cybersecurity vs. national security

“At a time of increasingly damaging hacking by cybercriminals and governments, it’s essential that U.S. agencies not undermine the security of our digital systems,” said Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy and Technology Project. “These documents, which appear to be authentic, show that the intelligence community has deliberately maintained vulnerabilities in the most common devices used by hundreds of millions of people.”

https://www.washingtonpost.com/world/national-security/exposure-of-cia-hacking-tools-renews-debate-over-americans-cybersecurity-vs-national-security/2017/03/07/f9bd36cc-0368-11e7-b9fa-ed727b644a0b_story.html

Focus on technology aspects of cyber security may imperil organizations

“While technology has an important role to play, it really needs to be linked with an understanding of the human element,” Dagostino said. “The simple truth is that a data compromise is more likely to come from an employee leaving a laptop on the train than from a malicious criminal hack. We believe employees and companies with a strong culture and cyber-aware workforce are the first line of defense against cyber risk.”

https://www.information-management.com/news/focus-on-technology-aspects-of-cyber-security-may-imperil-organizations

Federal cybersecurity officials highlight hacker ‘dwell time’ metric

The metric, called a “dwell time,” is crucial to understanding an organization’s resilience in the wake of cyberattacks, Rod Turk, acting chief information officer at the Department of Commerce, said at a meeting of industry experts and government officials on Tuesday.  “[Dwell time is a] really, really good metric to be looking at throughout the government in terms of making our systems resilient,” Turk said.

http://thehill.com/policy/cybersecurity/322804-federal-information-security-officials-highlight-need-to-monitor-hacker

Could a corps of civilian cybersecurity volunteers save state networks?

Paul Groll, Michigan’s deputy chief security officer and the executive department sponsor of the Michigan Cyber Civilian Corps, or MiC3, said Tuesday that the model established in Michigan could help underprepared state and local governments to handle cyberthreats. […] “We would love to see this blossom into a national model where we could do interstate cooperation and maybe even large-scale training conferences and exercises,” Groll said at the National Association of State Technology Directors’ Southern Region conference. “As far as I know, this is the only thing of its kind in the country so far.”

http://statescoop.com/could-a-corps-of-cyber-civilian-volunteers-save-state-networks

Foreign cyber weapons ‘far exceed’ US ability to defend critical infrastructure, Defense panel says

On the civilian side, the new report warns that for at least the next five-to-10 years, other nations will have offensive cyber capabilities that “far exceed the United States’ ability to defend and adequately strengthen the resilience of its critical infrastructures.” To make matters worse, the traditional weapons systems the military relies on to deter countries from actually launching those attacks are themselves vulnerable to cyber attack, undermining a deterrence policy one Defense official articulated six years ago: “If you shut down our power grid, maybe we’ll put a missile down one of your smokestacks.”

http://federalnewsradio.com/dod-reporters-notebook-jared-serbu/2017/03/foreign-cyber-weapons-far-exceed-u-s-ability-defend-critical-infrastructure-defense-panel-says/

Cyber-Ops and North Korean Missile Systems: Three Questions

According to the recently published DoD Law of War Manual, “if cyber operations cause effects that, if caused by traditional physical means, would be regarded as a use of force under jus ad bellum, then such cyber operations would likely also be regarded as a use of force.” Like other recent U.S. government statements on this issue, it says that many factors are relevant to this assessment (e.g. context, target, location, intent), and it specifically states that cyber-attacks “that cripple a military’s logistics systems, and thus its ability to conduct and sustain military operations, might also be considered a use of force under jus ad bellum.”

https://www.lawfareblog.com/cyber-ops-and-north-korean-missile-systems-three-questions

Government report warns China and Russia dangerously ahead of U.S. in cyberwar capabilities

The findings also advise that secondary superpower threats such as North Korea and Iran have ‘growing potential’ to use native or third-party cyber-weaponry to carry out ‘catastrophic attacks’ on United States infrastructure across the board. It further iterates that more minor nation states similarly enabled by easy access to distributed cyberattack methods could, while individually unable to severely compromise the U.S. economy, cause significant aggregate damage over a sustained period in a way the report characterises as ‘death by 1,000 hacks’.

https://thestack.com/security/2017/03/08/government-report-warns-china-and-russia-dangerously-ahead-of-u-s-in-cyberwar-capabilities/

Clock starts on cyber compliance

Financial institutions governed by New York’s new cyber security regulation will have numerous and perhaps confusing implementation deadlines, but many firms have already started down the compliance path. “The companies knew ever since this was proposed that this was going to happen,” said Angela Gleason, senior counsel for the American Insurance Association in Washington. In response to concerns about implementation time frames, the New York State Department of Financial Services added several transitional periods to its regulation.

http://www.businessinsurance.com/article/20170306/NEWS06/912312197/Clock-starts-cyber-compliance-New-York-state-cyber-security-regulations

Report: Higher ed still woefully unprepared against cyber attacks

Twenty percent of education respondents reported monthly cyber attacks, 31 percent reported 1-2 per year, 4 percent said they have never experienced a cyber attack, and 19 percent were unsure. The report characterized the education industry at a “medium likelihood” for cyber attacks, along with the retail and health industries. But of all sectors, education is the most vulnerable to cyber attacks, scoring the lowest in terms of being extremely or very well prepared to defend against various attacks.

http://www.ecampusnews.com/it-newsletter/higher-ed-unprepared-cyber-attacks/

11 months later, insurance still reviewing BWL cyber attack

Close to 11 months after a cyber attack locked the Lansing Board of Water & Light’s communications systems, officials are still waiting to find out how much this security breach will cost the city-owned utility. A BWL spokesman wrote Tuesday in an email to the Lansing State Journal that it could take at least “a few more weeks” for the utility to get an insurance claim back. Steve Serkaian, the spokesman, added in a second email the claim process could take until the end of June to be wrapped up.

http://www.lansingstatejournal.com/story/news/local/2017/03/08/11-months-later-insurance-still-reviewing-bwl-cyber-attack/98847680/

Confide, the White House’s favorite messaging app, has multiple critical vulnerabilities

Security researchers at Seattle-based IOActive found multiple critical vulnerabilities in Confide after it underwent a security audit for the first time in February. The critical vulnerabilities impacting Confide include impersonating another user by hijacking an account session or by guessing a password, learning the contact details of Confide users, becoming an intermediary in a conversation and decrypting messages, and potentially altering the contents of a message or attachment in transit without first decrypting it.

https://www.cyberscoop.com/confide-app-security-audit-donald-trump-white-house/

Critical vulnerability under “massive” attack imperils high-impact sites

The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.

https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/

Oops! 185,000-plus Wi-Fi cameras on the web with insecure admin panels

et ready for the next camera-botnet: a Chinese generic wireless webcam sold under more than 1,200 brands from 354 vendors has a buggy and exploitable embedded web server. According to this advisory by Pierre Kim at Full Disclosure, the problems are in the camera’s GoAhead administrator’s interface and in a weak cloud connection protocol. Kim posts a Shodan link that lists around 185,000 vulnerable Wi-Fi-connected cameras exposed to the internet, ready and waiting to be hijacked. The cameras’ CGI script for configuring FTP has a remote code execution hole known since 2015, Kim writes, and this can be used to run commands as root or start a password-less Telnet server.

https://www.theregister.co.uk/2017/03/09/185000_wifi_cameras_naked_on_net/

Dark Web Suffers After Anonymous Hacked Firm Hosting Child Porn Sites

According to the OnionScan report, out of over 30,000 Tor-based hidden services, only 4,400 are active on the Dark Web currently. It is much lower in comparison to previous such scans, stated the OnionScan project operator Sarah Jamie Lewis. […] Apart from the absence of such a huge number of hidden services, the scan report also detected 4,000 HTTP services, 250 TLS services, 270 SSH services, 100 SMTP services, 220 Bitcoin nodes and some FTP and VNC services too on the Dark Web. Moreover, it was identified that most of the hidden sites were not configured appropriately as yet since researchers extracted around one thousand unique IP addresses, which belonged to hidden services or the clearnet clients who access these sites.

https://www.hackread.com/dark-web-suffering-after-anonymous-hacking/

Apple has already fixed most of the iOS exploits the CIA used

Apple wasn’t the only company whose devices the CIA was attempting to crack or had already hacked. According to the WikiLeaks documents, in 2016 the agency had 24 zero-day exploits for Android and one specific attack, called “Weeping Angel,” which targets Samsung’s smart TVs. The attack allows the CIA to use the TV as a microphone, which records conversation sand than transmits them back to a CIA server.

http://www.csoonline.com/article/3178648/security/apple-has-already-fixed-most-of-the-ios-exploits-the-cia-used.html

Comey says encryption stymies law enforcement, calls for ‘hard conversation’

The FBI director noted that the agency was not able to open any of the 2,800 devices received between September and November of 2016 – and which it legally had the right to open – “with any technique.” The private sector and law enforcement to “stop bumper-stickering each other. We need to stop tweeting at each other,” he said. “This isn’t Apple vs. the FBI,” he explained, referring to the battle between the two over access to iPhones, most notably the iPhone 5c belonging to one of the shooters in the San Bernardino terrorist attack. “We need to build trust between the government and private sector.”

https://www.scmagazine.com/comey-says-encryption-stymies-law-enforcement-calls-for-hard-conversation/article/642915/

Vigilante who conspired to hack local football website sentenced to 2 years

As Ars has reported previously, the case stretches back to 2012. After The New York Times published a December 2012 story detailing a horrific rape involving a teenage girl in Steubenville, Ohio, an activism campaign began. Spearheaded by someone calling himself “KYAnonymous,” the campaign targeted local officials whom the vigilantes felt weren’t taking the rape investigation seriously because the alleged perpetrators were high school football players.

https://arstechnica.com/tech-policy/2017/03/vigilante-who-conspired-to-hack-local-football-website-sentenced-to-2-years/

Want to improve risk management? Do the basics

“They have nothing in writing when it comes to cybersecurity policies and plans,” he said. “That’s a big problem, because there’s a disconnect between what the C suite thinks is happening and what is actually happening.” He said the CEO at one firm confidently told him his firm was not using cloud services at all. “But I talked to other departments, and they were using just about all the cloud-based services on the planet – Dropbox and everything else,” he said.

http://www.csoonline.com/article/3178661/security/want-to-improve-risk-management-do-the-basics.html

Profiling 10 types of hackers [Slideshow]

Hackers, like the attacks they perpetrate, come in many forms, with motivations that range from monetary to political to ethical. Understanding the different types of hackers that exist and what motivates them can help you to identify the attackers you are most susceptible to and properly defend yourself and your organization against cyberattacks. Travis Farral, director of security strategy at Anomali, outlines the top 10 types of hackers you should have on your radar.

http://www.networkworld.com/article/3178711/security/profiling-10-types-of-hackers.html