IT Security News Blast 4-18-2017

HIMSS Urges Holistic Approach in NIST Cybersecurity Framework

“Both care providers and public health leaders have great concerns with respect to the medical device supply chain, given the potentially significant risk to patient safety,” the letter stated. “Accordingly, HIMSS recommends that the Framework provide more granular detail on the ‘how’ and ‘why’ of SCRM, to include a relevant context of insider threat detection and management.” HIMSS also urged NIST to better address the lifecycle of assets (i.e. software, hardware, devices, equipment).

http://healthitsecurity.com/news/himss-urges-holistic-approach-in-nist-cybersecurity-framework

Stopping TDoS attacks

In the past few years, 911 emergency call centers, financial services companies and a host of other critical service providers and essential organizations have been victims of telephony denial of service (TDoS) attacks. These attacks are a type of denial of service (DoS) attack in which a voice service is flooded with so many malicious calls valid callers can’t get through. DHS S&T is working to make sure TDoS attacks cannot disrupt critical phone systems.

http://www.homelandsecuritynewswire.com/dr20170417-stopping-tdos-attacks

Information Governance: Law Firms’ Cybersecurity Weak Spot

With a strong information governance strategy, law firms can restrict access to sensitive work product to employees who need this information, and also quickly and accurately identify potential attacks that have bypassed perimeter security systems. Such successful law firm information governance strategies secure work product on a need-to-know basis so that all users do not have broad access to information that is not immediately relevant to their business purpose.

http://www.legaltechnews.com/id=1202783730424/Information-Governance-Law-Firms-Cybersecurity-Weak-Spot?slreturn=20170317191501

Getting power to the grid after a cyber attack

In the event of a cyberattack on the electric grid, most communications networks would go down, making it more difficult to restore and recover power. To address that problem, the Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program, being developed by the Defense Advanced Research Project Agency and BAE Systems, is  testing technologies that can detect and respond to cyberattacks on U.S. critical infrastructure, especially those parts critical to the Defense Department.

https://gcn.com/articles/2017/04/17/darpa-radics-power-grid.aspx

Hacker served Shoney’s POS malware for three months

The locations – primarily in Tennessee but with a few in South Carolina, Georgia, Louisiana, Alabama, Mississippi and several other states – had the malware remotely installed on their POS systems resulting in the loss of customer payment card information, the company said in a statement. The malware was operating from December 27, 2016 until March 6, 2017, and for the most part pulled the card owner’s name and number off the magnetic strip, although in some cases the name was not removed.

https://www.scmagazine.com/hacker-served-shoneys-pos-malware-for-three-months/article/650998/

Women in cybersecurity: Slowly but surely, change is coming

While the perception may be that those wishing to pursue a career in cybersecurity need to have a technological background, this is not necessarily the case – Myers herself started her career as a florist, moving on to a receptionist’s role, before gaining experience in her company’s virus lab. A 2015 report written by Myers on Women in Federal Cybersecurity also revealed that several high-profile female cybersecurity experts started their careers in different fields. Nothing is impossible.

https://www.welivesecurity.com/2017/04/17/women-cybersecurity-slowly-surely-change-coming/

The NSA Is Hosting a Free Cybersecurity Summer Camp for Teen Girls

The program, called GenCyber, will be entirely free thanks to the National Security Agency (NSA), which is footing the bill for tuition, boarding and registration fees for all participants. The NSA’s goal for the camp is to inspire young people to direct their talents toward cybersecurity careers they believe are critical to national and economic security. Another goal is to increase diversity in tech. Currently, women earn only 28 percent of computer science degrees, own only five percent of startups and hold only 11 percent of executive positions at Silicon Valley companies.

http://observer.com/2017/04/nsa-cybersecurity-summer-camp-middle-high-school-girls/

Why you can’t afford not to train veterans in cyber security

Security analysts and security managers are two of the most in demand cyber security roles on the market. Many of our veterans are already very adept at analyzation and managing. Now we just need to teach them the cyber specific skillset. Most veterans have spent their entire careers learning on the fly and quickly integrating into new roles. Organizations such as Operation Code and CyberTraining 365 are dedicated to teaching veterans the skills necessary for a career within the cyber security sector.

http://www.csoonline.com/article/3190083/it-careers/why-you-can-t-afford-not-to-train-veterans-in-cyber-security.html

The Threat, Defense, and Control of Cyber Warfare

For the military, the irony is that the more modern and advanced a military is with its concomitant reliance on technology and network centric warfare, the more vulnerable it is to a potential cyber Pearl Harbor attack that will render its technological superiority over its adversary impotent. Given the symbiotic relation between the government and the military, a successful simultaneous cyber-attack on both government and the military can achieve Sun Tze’s axiom that the supreme art of war is to subdue the enemy without fighting.

http://cimsec.org/threat-defense-control-cyber-warfare/32106

John McCain casts doubt on missile failure cyber attack speculation

It was reported in October that Mr Kim had ordered an investigation into a series of failed tests of the Musudan mid-range ballistic missile amid suspicion of foreign cyber interference. Sir Malcolm Rifkind, who chaired Parliament’s Intelligence and Security Committee until 2015, said it was possible that the latest missile test either malfunctioned or was sabotaged by a US cyber attack. He said: “There is a very strong belief that the US – through cyber methods – has been successful on several occasions in interrupting these sorts of tests and making them fail.”

https://www.energyvoice.com/other-news/136641/john-mccain-casts-doubt-missile-failure-cyber-attack-speculation/

Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance

Last November, a systems engineer at a large company was evaluating security software products when he discovered something suspicious. One of the vendors had provided a set of malware samples to test—48 files in an archive stored in the vendor’s Box cloud storage account. […] In testing, Protect identified all 48 of the samples as malicious, while competing products flagged most but not all of them. Curious, the engineer took a closer look at the files in question—and found that seven weren’t malware at all. That led the engineer to believe Cylance was using the test to close the sale by providing files that other products wouldn’t detect—that is, bogus malware only Protect would catch.

https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/

Windows admins, has Microsoft completely screwed up its security reports?

In a change announced last November, Microsoft originally intended to introduce a new system of describing its patches and their respective security fixes this February. […] We weren’t initially sure what to think of the new format. Any change to a long-established system is going to bring some wailing and gnashing of teeth as workflows have to be updated and adjusted to accommodate the things that are now different. But different doesn’t mean better or worse, necessarily; it takes a bit of time to figure that out. Since the change, we’ve heard from readers and it seems many aren’t really happy with what Microsoft has done.

https://arstechnica.com/information-technology/2017/04/windows-admins-what-do-you-think-about-microsoft-getting-rid-of-security-bulletins/

PGP public key and self-service postal kiosk expose online drug dealers

In May 2016, Rabaut, working undercover, set up two purchases from AREA51 and had them sent to a Fresno address—both turned out to be heroin. (Fresno is also the location of the scheduled September 19, 2017 trial of David Ryan Burchard. According to the affidavit by special agent Matthew Larsen of Homeland Securities Investigations (HSI), the FBI estimates that Burchard was the 18th largest vendor on Silk Road. That made Burchard the third-largest US-based vendor on the notorious and now-shuttered online drug market.)

https://arstechnica.com/tech-policy/2017/04/pgp-keyserver-and-self-service-postal-kiosk-expose-online-drug-dealer/

Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

This is the same powerful toolkit Uncle Sam used once upon a time to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations. The files range from Microsoft Windows exploits to tools for monitoring SWIFT interbank payments. Ongoing analysis of the leaked documents and executables has revealed Cisco firewalls and VPN gateways are also targets. The Shadow Brokers tried auctioning off the stolen cyber-weapons to the highest bidder, but when that sale flopped with no buyers, the team started releasing the gear online for free anyway.

https://www.theregister.co.uk/2017/04/14/latest_shadow_brokers_data_dump/

VMware Fixes Critical RCE in vCenter Server

The vulnerability affected two versions of vCenter, 6.5 and 6.0. Users are encouraged to update to the most recent versions, 6.5c, and 6.0U3b, pushed on Thursday. US-CERT warned about the vulnerability, stressing exploitation could result in an attacker taking control of an affected system, in an alert posted on Friday. vCenter Server, formerly known as VirtualCenter, is a tool used for managing vSphere virtual environments.

https://threatpost.com/vmware-fixes-critical-rce-in-vcenter-server/125000/

How a man’ life was ruined due to a typo in IP address by Police

The man in question is Mr. Nigel Lang, a UK resident who in 2011 got arrested at his home because, according to the police, he was a suspect for keeping child pornographic content on his electronic devices. That’s when his nightmare began. Even though he was innocent, his arrest was carried out as a result of a typo in an IP address. This means the person who was involved in the crime was never arrested while Lang went through hell due to a police officer who didn’t even bother to double check the IP address and the address they were going to raid.

https://www.hackread.com/ip-address-typo-by-police-ruins-man-life/

The Republican Party Is Ready to Sell Off Your Internet Privacy at a Level That Boggles the Mind

[Now] that those ISPs can read – and regulate – your browsing (remember, less government regulation means more power for billionaires and their corporations to regulate you), what happens when your favorite website runs an article critical of one of these giant ISPs? You could find that Alternet takes minutes to load a page, whereas more corporate-friendly sites like Breitbart or others funded in part by billionaires are blazing fast. At first it would probably be a simple pay-to-play, but since censorship is already rampant on our corporate “news” channels, it’s not a stretch to expect it to come soon to your web browser.

http://www.alternet.org/news-amp-politics/republican-party-ready-sell-your-internet-privacy-level-boggles-mind

Cyber Insurance Becomes a Must for More Manufacturers

Abbott Laboratories ABT 1.50% was pilloried last week by regulators for, in part, botching its response to a report that certain company defibrillators and pacemakers could be manipulated by hackers. Shares of the health-care giant, which acquired the devices in its purchase of St. Jude Medical Inc., fell 1.9%. […] For years cyber insurance was overwhelmingly purchased by consumer-facing business—retailers, financial-service providers and hospitals. Mostly this was to protect against customer data theft. The St. Jude situation helps explain why manufacturers are now rushing to make sure they are covered.

https://www.wsj.com/articles/cyber-insurance-becomes-a-must-for-more-manufacturers-1492426801

Linux remote root bug menace: Make sure your servers, PCs, gizmos, Android kit are patched

A Linux kernel flaw that potentially allows miscreants to remotely control vulnerable servers, desktops, IoT gear, Android handhelds, and more, has been quietly patched. The programming blunder – CVE-2016-10229 – exposes machines and gizmos to attacks via UDP network traffic: any software receiving data using the system call recv() with the MSG_PEEK flag set on a vulnerable kernel opens up the box to potential hijacking. The hacker would have to craft packets to trigger a second checksum operation on the incoming information, which can lead to the execution of malicious code within the kernel, effectively as root, we’re warned.

https://www.theregister.co.uk/2017/04/14/new_critical_linux_kernel_flaw/

This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera

[Hackers] can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon to steal login or financial credentials and other sensitive information from users. […] Homograph attack has been known since 2001, but browser vendors have struggled to fix the problem. It’s a kind of spoofing attack where a website address looks legitimate but is not because a character or characters have been replaced deceptively with Unicode characters.

http://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html

 

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.

//]]>