IT Security News Blast 4-21-2017

Banks suffer average of 85 attempted serious cyber attacks a year, and one-third are successful

[On] top of daily phishing, malware and penetration attacks, banks faced an average of 85 serious attempts to breach their cyber defences over the previous 12 months, and 36% of these attacks succeeded in stealing some data, the report revealed. Also, the banks were slow to spot breaches, taking an average of 59 days to detect one. […] “Most cyber security assessment programmes, while well-intentioned, are highly theoretical and based on known cyber attack practices. The reality, however, is very different. Fast-moving, dynamic threats are creating new challenges every day. Banks should focus on deploying practical testing scenarios that focus inside the perimeter to ultimately make the crooks’ job as difficult as possible.”

http://www.computerweekly.com/news/450417135/Banks-suffer-average-of-85-attempted-serious-cyber-attacks-a-year-and-one-third-are-successful

How CEO Can Avoid Being A Victim Of Cyber-Attack

Be sure to take basic precautions to protect your home Wi-Fi, like placing the router in the middle of the house so that there’s little range available to outsiders and protecting the network using WPA2 encryption and a strong password. On social networks, avoid adding people you don’t personally know and never click on shady web links, even if sent by friends. Millions have been affected by clicking on links that brought their systems crashing down. Have strong passwords and do not have the same password for more than one account. It’s a hassle but one that must be endured. And of course, it’s a strict no-no to save passwords on your phone, even if your phone is password-protected.

http://www.cxotoday.com/story/how-ceo-can-avoid-being-a-victim-of-cyber-attack/

Cyber Attack Drill Exposes How Unprepared City Is For Grave Threat

The simulated strike on a critical power system hobbled service for several weeks. Cellular and emergency radio communication were brought to their knees due to depleted backups. Water and sewage treatment plants needed additional fuel to prevent a pollution disaster. Food and water were at a premium, with many grocery stores closed. The exercise, led by the Department of Energy, saw oil refineries in greater Philadelphia shut down by the fictitious attack. That caused a daily shortage of tens of millions of gallons of gas, leading to panic buying and empty fuel stations.

http://philadelphia.cbslocal.com/2017/04/19/cyber-attack-drill-exposes-how-unprepared-city-is-for-grave-threat/

Closing the gap between technology and public policy

Today, the burden of rapidly responding to technology-driven policy issues falls primarily on state officials. However, the modern technology life cycle is fundamentally incompatible with basic state legislative and regulatory processes. State legislatures may not meet on an annual basis, and if they do, they often lack the time in-session, staff resources and expertise to quickly tackle complex issues like cybersecurity. Technology, on the other hand, measures advances in hours, days and months. This is especially true of cybersecurity technologies, where teams must address a non-stop stream of attacks aimed at vulnerable networks and applications — attacks that often pressure elected officials and regulators to act quickly.

https://gcn.com/articles/2017/04/19/states-technology-security-policies.aspx?admgarea=TC_SecCybersSec

Advice to Trump: Top Cybersecurity Talent Costs Money

That includes expanding a pay incentive program within the Homeland Security Department’s cyber operations division that offers a 20 to 25 percent pay bump for new cyber hires across the federal government, according to the cybersecurity workforce recommendations from (ISC)², a membership organization that offers accreditations for digital security specialists in a variety of fields. The Trump team should also reform the government’s general schedule pay classification system, which makes it difficult to reward top performers and to demote or fire low performers, (ISC)² said.

http://www.nextgov.com/cybersecurity/2017/04/advice-trump-top-cybersecurity-talent-costs-money/137159/

Trump blows his deadline on anti-hacking plan

President-elect Donald Trump was very clear: “I will appoint a team to give me a plan within 90 days of taking office,” he said in January, after getting a U.S. intelligence assessment of Russian interference in last year’s elections and promising to address cybersecurity. Thursday, Trump hits his 90-day mark. There is no team, there is no plan, and there is no clear answer from the White House on who would even be working on what.

http://www.politico.com/story/2017/04/20/trump-cybersecurity-hackers-237385

Reports: German government plans cyberattack ‘hackback’ ahead of election

In the event of a cyberattack, as well as being able to defend against incursions, Germany plans to have the ability to destroy hostile servers if necessary, German daily “Süddeutsche Zeitung” and broadcasters NDR and WDR reported. Among experts, such measures are known as “computer network operations” or “hackback,” the reports said. During an ongoing attack, police, military or intelligence service units would attempt to identify the assailant and block the attack or destroy the servers being used to stage the incursion. A prerequisite for such action would be that a legal aid request is not possible and that the attack from abroad cannot be stopped.

http://www.dw.com/en/reports-german-government-plans-cyberattack-hackback-ahead-of-election/a-38506101

The History of Fileless Malware – Looking Beyond the Buzzword

Fileless malware sometimes has files. Most people today seem to be using the term fileless malware in a manner consistent with the following definition: Fileless malware is malware that operates without placing malicious executables on the file system. […] Though initially fileless malware referred to malicious code that remained solely in memory without even implementing a persistence mechanism, the term evolved to encompass malware that relies on some aspects of the file system for activation or presence. Let’s review some of the malicious programs that influenced how we use this term today.

https://zeltser.com/fileless-malware-beyond-buzzword/

Most employees willing to share sensitive information, survey says

According to an end user security survey released this morning, 72 percent of employees are willing to share confidential information. In the financial services sector, the percentage was even higher — 81 percent said they should share sensitive, confidential or regulated information. This is despite the fact that 65 percent said that it was their responsibility to protect confidential data. […] The majority of employees also accessed personal social media accounts and personal email from work devices.

http://www.csoonline.com/article/3191286/security/most-employees-willing-to-share-sensitive-information-survey-says.html

Windows bug used to spread Stuxnet remains world’s most exploited

In 2015, 27 percent of Kaspersky users who encountered any sort of exploit were exposed to attacks targeting the critical Windows flaw indexed as CVE-2010-2568. In 2016, the figure dipped to 24.7 percent but still ranked the highest. The code-execution vulnerability is triggered by plugging a booby-trapped USB drive into a vulnerable computer. The second most widespread exploit was designed to gain root access rights to Android phones, with 11 percent in 2015 and 15.6 percent last year.

https://arstechnica.com/security/2017/04/windows-bug-used-to-spread-stuxnet-remains-worlds-most-exploited/

Flaws found in Linksys routers that could be used to create a botnet

The flaws could be abused to overload a router and force a reboot, deny user access, leak sensitive information about the router and connected devices, or change restricted settings. Many of the active devices exposed were using default credentials, making them particularly susceptible to takeover. Ten separate security issues (ranging from moderate to critical) make more than 20 models of Linksys Smart Wi-Fi Routers susceptible to attack. An initial search identified over 7,000 vulnerable devices exposed on the internet at the time of the scan.

https://www.theregister.co.uk/2017/04/20/linksys_router_vulns/

RawPOS Malware Steals Driver’s License Information

The RawPOS Point-of-Sale (PoS) RAM scraper malware was recently observed stealing driver’s license information from victims, Trend Micro has discovered. RawPOS is one of the oldest PoS malware families out there, with patterns matching its activity dating as far back as 2008. Over time, the actors behind it have focused mainly on the hospitality industry, and have been using the same malware components and tools for lateral movement. These actors have since started gathering additional information from the compromised systems, which puts victims at greater risk of identity theft, researchers warn. The driver’s license information stolen by the malware can be used by cybercriminals in their malicious activities.

http://www.securityweek.com/rawpos-malware-steals-drivers-license-information

Man claims his Bose headphones intercept what he’s listening to

According to a proposed class-action lawsuit filed in federal court in Chicago on Tuesday, Kyle Zak bought a $350 (£330) pair of Bose QuietComfort 35 wireless Bluetooth headphones in March 2017. Those headphones use an app, known as “Bose Connect,” to skip, pause, and perform other controls on them. The civil complaint alleges that Bose collects “the names of any music and audio tracks” played through the headphones, along with the customer’s personally identifiable serial number. It also says the information gets sent to third parties, including “data miner Segment.io.”

https://arstechnica.com/tech-policy/2017/04/man-claims-his-bose-headphones-capture-what-hes-listening-to/

‘We should have done better’ – the feeble words of a CEO caught using real patient data in infosec product demos

The CEO of Tanium has admitted staff at his computer security biz logged into live hospital networks and used real patient records in product demos with potential customers. Since 2014 Tanium sales executives have used production healthcare data to demonstrate their endpoint protection software. In doing so, staffers accessed systems at the El Camino Hospital in Mountain View, California, exposing personally identifying information. The hospital had not given its permission for the records to be used in this way.

https://www.theregister.co.uk/2017/04/20/tanium_abused_hospital_data/

Google Fixes Unicode Phishing Vulnerability in Chrome 58, Firefox Standing Pat

Google fixed a handful of issues when it released the latest version of its browser, Chrome 58, on Wednesday, including a vulnerability that could have made it easier for an attacker to carry out a phishing attack with Unicode domains. The vulnerability, based on Punycode – a way to represent Unicode with foreign characters – has been making headlines since it was disclosed last Friday. Discovered by Chinese researcher Xudong Zheng, the bug relies on tricking Chrome into bringing users to sites that appear legitimate. The sites could then convince victims to enter personal login or financial credentials.
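The homograph problem described above comes down to how a browser decides whether to display an internationalized domain name in its Unicode form or fall back to the raw Punycode (`xn--`) form. The following is an added example, not code from the Threatpost article or from Chrome: it decodes Punycode labels with Python's standard `punycode` codec and applies two checks in the spirit of the Chrome 58 change, flagging a label that mixes scripts, or one whose letters all come from a hand-picked (constructed, partial) list of Cyrillic and Greek letters that look like Latin in common fonts. Function names, the lookalike set and the sample domains are this example's own choices.

```python
import unicodedata

# Constructed, partial list of Cyrillic/Greek letters that render like Latin
# letters (a hand-picked subset in the spirit of Unicode TR39 confusables,
# not the full table a browser ships).
LATIN_LOOKALIKES = set("асеорхуѕіјԁԛԝӏһ" + "οα")


def label_to_unicode(label: str) -> str:
    """Decode one hostname label; 'xn--' labels carry Punycode (RFC 3492)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def hostname_to_unicode(host: str) -> str:
    """Decode every label of a hostname to its Unicode form."""
    return ".".join(label_to_unicode(label) for label in host.split("."))


def hostname_to_ace(host: str) -> str:
    """Encode non-ASCII labels back to the ASCII-compatible 'xn--' form."""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def script_of(ch: str) -> str:
    """Coarse script name taken from the character's Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    try:
        return unicodedata.name(ch).split()[0]   # e.g. CYRILLIC, GREEK, LATIN
    except ValueError:
        return "UNKNOWN"


def assess_label(label: str) -> str:
    """Return 'ok', 'mixed-script' or 'whole-script-confusable' for one label."""
    letters = [c for c in label if script_of(c) != "COMMON"]
    scripts = {script_of(c) for c in letters}
    if len(scripts) > 1:
        return "mixed-script"
    if scripts and scripts != {"LATIN"} and all(c in LATIN_LOOKALIKES for c in letters):
        # Every letter is non-Latin yet looks Latin: nothing tells the eye apart.
        return "whole-script-confusable"
    return "ok"


def assess_hostname(host: str) -> dict:
    """Decide how a hostname should be displayed: Unicode if safe, ACE if not."""
    unicode_host = hostname_to_unicode(host)
    findings = {label: assess_label(label) for label in unicode_host.split(".")}
    suspicious = any(v != "ok" for v in findings.values())
    ace = hostname_to_ace(unicode_host)
    return {
        "unicode": unicode_host,
        "ace": ace,
        "labels": findings,
        "display": ace if suspicious else unicode_host,
        "verdict": "suspicious" if suspicious else "ok",
    }


if __name__ == "__main__":
    # Sample inputs: the published all-Cyrillic lookalike of apple.com, a
    # legitimate German IDN, and a constructed mixed-script label.
    for sample in ("xn--80ak6aa92e.com", "münchen.de", "p\u0430ypal.com", "apple.com"):
        result = assess_hostname(sample)
        print(f"{sample:24} -> show as {result['display']!r:28} [{result['verdict']}]")
```

A legitimate IDN such as `münchen.de` is all Latin script and stays in Unicode form; the all-Cyrillic lookalike and the mixed-script label are shown in their `xn--` form so the address bar reveals what the eye cannot.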

https://threatpost.com/google-fixes-unicode-phishing-vulnerability-in-chrome-58-firefox-standing-pat/125099/

Internet Atlas maps the physical elements of the internet to enhance security

Despite the internet-dependent nature of our world, a thorough understanding of the internet’s physical makeup has only recently emerged. Researchers have developed Internet Atlas, the first detailed map of the internet’s structure worldwide. Though the physical elements of the internet may be out of sight for the average user, they are crucial pieces of the physical infrastructure that billions of people rely on.

http://www.homelandsecuritynewswire.com/dr20170420-internet-atlas-maps-the-physical-elements-of-the-internet-to-enhance-security

Millions Download “System Update” Android Spyware via Google Play

Posing as a legitimate application called “System Update” and claiming to provide users with access to the latest Android software updates, the spyware made it to Google Play in 2014, and had registered between 1,000,000 and 5,000,000 downloads by the time Google was alerted and removed it from the store. Instead of delivering on its promise, however, the malware spies on users’ exact geolocation, and can send it to the attacker in real time. It receives commands from its operator via SMS messages, the security researchers explain.

http://www.securityweek.com/millions-download-system-update-android-spyware-google-play


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.
