IT Security News Blast 4-13-2017

Hackers hit startups, too: Top 5 cybersecurity mistakes startups make

“A lot of startups think, ‘We’re new. We’re small. We don’t have anything yet that a hacker would want,’” said Sarah Pavelek, principal of cybersecurity at Plante Moran, a certified public accounting and business advisory firm. “The truth is, anyone can be a target. And startups tend to have fewer resources, making it more difficult to recover in the event that there is an attack.” In fact, Verizon’s 2012 Data Breach Investigations Study shows that 71 percent of data breaches occurred in businesses with fewer than 100 employees.

http://www.builtinchicago.org/blog/tips-for-cybersecurity

Can AI and ML slay the healthcare ransomware dragon?

James Scott, ICIT senior fellow and author of the report, agrees that AI/ML alone will not make any organization bulletproof. Organizations must, “effectively implement fundamental layered cybersecurity defenses and promote cyber-hygiene among personnel,” he said. But, he said the use of AI/ML can definitely solve the low-hanging fruit problem. “They will no longer be an attractive target for unsophisticated ransomware and malware threat actors,” he said, “so adversaries will dedicate their resources to attacking easier targets – likely in other sectors – that do not have algorithmic defense solutions.”

http://www.csoonline.com/article/3188917/application-security/can-ai-and-ml-slay-the-healthcare-ransomware-dragon.html

Insider hacks Marriott hotel reservation system; slashes rate up to 95%

An ex-Marriott employee, Juan Rodriguez, got fired in August 2016 and told to stay away from the hotel’s computer systems whatsoever. After a few weeks, Rodriguez decided to take revenge by hacking into the hotel reservation system from his apartment in New York City and reduced rates on more than 3,000 rooms from $159 – $499 per night … to $12 – $59. Although it is unclear how Rodriguez hacked into the system, but as dumb it may sound Rodriguez knew how to hack into the system but he forgot to hide his IP address which led authorities to track him all the way back to his home.

https://www.hackread.com/marriott-hotel-reservation-system-hacked/

Cyber crime: How architects, engineers and contractors may be at risk

Cyber breaches are big news. Large corporations get hacked with alarming frequency, and hundreds of thousands of consumers are vulnerable. You may not think your architectural, engineering or contracting firm is at risk, but that is simply not the case. […] Customer information, intellectual property and your firm’s financial information are all at risk. Social engineering and phishing scams can defraud your company of thousands of dollars. Your firm could experience damage to your reputation, business interruption or construction delays, and lawsuits by affected clients.

http://www.propertycasualty360.com/2017/04/12/cyber-crime-how-architects-engineers-and-contracto

Shift in cyber security pressures from boardroom to individuals

Security is now becoming more personal, with 24% of respondents citing pressure exerted by oneself as the second-biggest human pressure pusher, up 13% from the previous year. This is compared to 46% citing the most people pressure coming from boards, owners and c-level executives, which dropped 13% in the last year. This shift in pressure highlights that individuals may be starting to understand the bigger role they play in helping to enable their organisation’s security posture.

http://www.information-age.com/cyber-security-boardroom-individuals-123465709/

Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack

Dallas officials initially blamed “a hack” for causing the midnight siren escapade—a statement that was initially interpreted as some sort of network intrusion into Dallas’ emergency services computer systems. But in a statement issued yesterday, Dallas City Manager T.C. Broadnax clarified the cause, saying that the “hack” used a radio signal that spoofed the system used to control the siren network. He would not go into details. “I don’t want someone to understand how it was done so that they could try to do it again,” Broadnax said. “It was not a system software issue, it was a radio issue.”

https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/

Hackers attacking WordPress sites via home routers

Administrators of sites using the popular blogging platform WordPress face a new challenge: hackers are launching coordinated brute-force attacks on the administration panels of WordPress sites via unsecured home routers, according to a report on Bleeping Computer. Once they’ve gained access, the attackers can guess the password for the page and commandeer the account. The home routers are corralled into a network which disseminates the brute-force attack to thousands of IP addresses negotiating around firewalls and blacklists, the report stated.

https://www.scmagazine.com/hackers-attacking-wordpress-sites-via-home-routers/article/649992/

5 Cybersecurity Spring Cleaning Tips for In-House Counsel

  1. Disaster Recovery Plan
  2. Incident Response Plan
  3. Cyber Insurance
  4. Human Resources Training
  5. Employees and Phishing Scams

http://www.lexology.com/library/detail.aspx?g=fe917c88-64cb-4cfb-990f-ddb82aa5071a

Tens of thousands of AQA examiners have personal details stolen in cyber attack

Personal data belonging to thousands of current and past examiners and moderators for exam board AQA has been stolen, the exam board has revealed. The stolen data includes names, contact details, answers to security questions and passwords for other online examiner systems. But the board has stressed that the systems which were attacked did not contain bank details, data belonging to any schools or students taking exams or exam material.

https://www.tes.com/news/school-news/breaking-news/tens-thousands-aqa-examiners-have-personal-details-stolen-cyber

Cybersecurity & Fitness: Weekend Warriors Need Not Apply

The “weekend warrior” approach doesn’t work, and often simply results in frustration and little to no improvement. There is also, in both cases, a steady stream of products or features flooding the market on a continuous basis, each with a slightly nuanced set of promises, gimmicks, and buzzwords. Consequently, despite all of these promises and good intentions, our overall levels of physical fitness and cybersecurity resilience are on the rapid decline.

http://www.darkreading.com/operations/cybersecurity-and-fitness-weekend-warriors-need-not-apply/a/d-id/1328615

Prisoners built two PCs from parts, hid them in ceiling, connected to the state’s network and did cybershenanigans

We are impressed by five prisoners in the US who built two personal computers from parts, hid them behind a plywood board in the ceiling of a closet, and then connected those computers to the Ohio Department of Rehabilitation and Correction’s (ODRC) network to engage in cybershenanigans. Compliments are less forthcoming from the State of Ohio’s Office of the Inspector General, which published its 50-page report [PDF] into this incident yesterday, following a lengthy investigation.

https://www.theregister.co.uk/2017/04/12/prisoners_built_computer_connected_to_states_network/

To Split or Not to Split: The Future of CYBERCOM’s Relationship with NSA

Cutting the “umbilical cord” from NSA may be a longer process, but momentum seems strong within the new administration. In the 2017 NDAA, Congress mandated that CYBERCOM must reach full operational capacity (FOC) before the dual-hat leadership arrangement can be terminated. FOC is achieved when a command has the institutional capability and expertise to independently carry out any mission within its ambit of responsibility.

https://www.lawfareblog.com/split-or-not-split-future-cybercoms-relationship-nsa

Closing the Skills Gap and Empowering Veterans With CyberTraining 365 and Operation Code

“We are increasingly being shown that veterans are team oriented and excel at handling high-pressure environments, giving them the abilities to excel in cybersecurity positions. They may have already acquired security clearances that are needed for a lot of cybersecurity positions in the public sector and have a unique perspective while understanding the cultural foundations of the field,” says Bally Kehal, CISO at CyberTraining 365.

http://finance.yahoo.com/news/closing-skills-gap-empowering-veterans-181100829.html

US, Europe partner to counter ‘fake news’ and cyberattacks

France, Germany, Sweden, Poland, Finland, Latvia, and Lithuania also signed up as members, announced in the Finnish capital on Tuesday. An effort to counter these non-military, so-called “hybrid threats,” which NATO says combines military aggression with “political, diplomatic, economic, cyber, and disinformation measures” comes months after Russia was accused of influencing the recent US presidential election by hacking into Democratic party servers in order to embarrass candidates.

http://www.zdnet.com/article/eu-nato-countries-open-center-to-counter-fake-news-and-cyber-threats/

Nasa cyber chief claims it’s only a matter of time before hackers target space missions

Hanna-Ruiz says a great concern for Nasa is that one day someone could take over the controls of an active satellite mission. She thinks it would be possible as most people working there would be “focused on getting this particular thing to space.” But she added: “The truth is I don’t know if I want [those working at Nasa] to be thinking about security. I want them to be excited and passionate about going to space.” The IT chief also explained that communications sent between spacecraft and bases could be intercepted. Last year, more than 10,000 machines at Nasa were found to be infected with malware.

http://talkradio.co.uk/news/nasa-cyber-chief-claims-its-only-matter-time-hackers-target-space-missions-17041212586

Cyber Insurance: Many Choices Now That There Is No Choice

No organization is off the radar for bad actors who relentlessly seek the weakest links for accessing valuable personal and financial information, threatening to shut down an operation, or seeking to do physical damage. For example, said Robert Anderson, a managing director for Navigant, the health care sector is now under siege from “rampant” attacks by “ransomware,” malicious computer coding that essentially captures or disables an organization’s information assets until a ransom is paid. “It’s not just payroll that’s affected,” he said. “You can’t do surgery. You can’t do dialysis. Every aspect of the institution is tied up.”

http://www.insurancejournal.com/news/national/2017/04/12/447585.htm

Ajit Pai can’t convince websites that killing net neutrality is a good idea

“The Internet industry is uniform in its belief that net neutrality preserves the consumer experience, competition, and innovation online. In other words, existing net neutrality rules should be enforced and kept intact. The OI Order is working well and has been upheld by a DC Circuit panel. Further, IA preliminary economic research suggests that the OI Order did not have a negative impact on broadband Internet access service (BIAS) investment.”

https://arstechnica.com/tech-policy/2017/04/killing-net-neutrality-is-a-bad-idea-web-companies-tell-fcc-chair/

MPs worried Brexit vote website wobble caused by foreign hackers

We do not rule out the possibility that there was foreign interference in the EU referendum caused by a DDOS (distributed denial of service attack) using botnets, though we do not believe that any such interference had any material effect on the outcome of the EU referendum. Lessons in respect of the protection and resilience against possible foreign interference in IT systems that are critical for the functioning of the democratic process must extend beyond the technical.

https://www.theregister.co.uk/2017/04/12/brexit_vote_website_wobble/

Microsoft Word 0-day was actively exploited by strange bedfellows

A critical Microsoft Word zero-day that was actively exploited for months connected two strange bedfellows, including government-sponsored hackers spying on Russian targets and financially motivated crooks pushing crimeware. That assessment, made Wednesday with “moderate confidence” from researchers at security firm FireEye, is all the more intriguing because the payload delivered to the Russian targets was developed by Gamma Group, the controversial UK-based seller of so-called “lawful intercept” spyware to governments around the world.

https://arstechnica.com/security/2017/04/microsoft-word-0day-was-actively-exploited-by-strange-bedfellows/

Phone Hack Uses Sensors To Steal PINs

University researchers have created a method to steal a smartphone user’s PIN by leveraging sensor data generated by the targeted phone. Researchers say the method has a 74 percent success rate when it comes to accurately determining four-digit PIN data inputted by a phone’s owner. Researchers from U.K.-based Newcastle University created a JavaScript app called PINlogger.js that has the ability to access data generated by the phone’s sensors, including GPS, camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer and NFC protocols.

https://threatpost.com/phone-hack-uses-sensors-to-steal-pins/124945/

Half-baked security: Hackers can hijack your smart Aga oven ‘with a text message’

To control someone’s Aga, all you need is the phone number associated with the appliance’s SIM card, we’re told. The control system makes no attempt to authenticate whoever sent the command texts. This shortcoming clears the way for all sorts of mischief: these electric powered machines can draw up to 30 amps, so you could run up a small chunk of change on a victim’s power bill as well as wasting energy while they are away – or ruining dinner by switching the thing off.

https://www.theregister.co.uk/2017/04/13/aga_oven_iot_insecurity/

Detecting insider threats is easier than you think

“For companies today, where old corporate lines are disappearing more frequently, the challenges only increase. Enterprises need to adapt their policies and procedures to prevent threats by securing corporate end-point equipment and the right tools that protect and allow users to do their work,” said Matias Brutti, a hacker at Okta. “Work environments are constantly changing, so monitoring is difficult on a corporate level.”

http://www.csoonline.com/article/3188193/data-protection/detecting-insider-threats-is-easier-than-you-think.html

//]]>