IT Security News Blast 4-27-2017

Lack of Security Talent Afflicts Healthcare

“There’s no one there to apply patches, receive threat intelligence, or respond to emergencies,” Corman said. “It’s basically nurses and medical technicians. There’s no one there.” The lack of talent, coupled with a staggering number of vulnerabilities afflicting life-saving, connected medical equipment, is creating a critical situation in an industry that accounts for 20 percent of the U.S. economy.

https://threatpost.com/lack-of-security-talent-afflicts-healthcare/125224/

CardioNet slammed with $2.5 million fine for failed risk management and analysis

ardioNet reported to HHS’ Office of Civil Rights in January 2012 that an employee’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained data of 1,391 patients. The following investigation found CardioNet had insufficient risk analysis and management processes, and its HIPAA Security Rule policies and procedures were in draft form and not implemented. Further, the provider was unable to show final policies and procedures for implementing safeguards for ePHI — including those found on mobile devices.

http://www.healthcareitnews.com/news/cardionet-slammed-25-million-fine-failed-risk-management-and-analysis

A Heart-To-Heart From The Hackers: Cyber-Vulnerabilities In Cardiac Devices

In particular, the FDA contended in its letter that Abbott’s manufacturing, marketing, and sale of implantable defibrillators and cardiac resynchronization devices, as well as of a monitor that receives and transmits data from such devices, is in violation of the Federal Food, Drug, and Cosmetic Act (“FDCA”) because Abbott allegedly has not acted in conformity with current requirements for good manufacturing practice.

https://www.forbes.com/sites/insider/2017/04/26/a-heart-to-heart-from-the-hackers-cyber-vulnerabilities-in-cardiac-devices/#13f073e227b0

Cyber infrastructure: Too big to fail, and failing

In the cases of ICS and medical devices, the risks go well beyond identity theft, compromises of credit card information or loss of privacy. “There is no coverage of vulnerabilities that could have a kinetic effect,” he said, citing the February 2016 ransomware attack on Hollywood Presbyterian Hospital that took down its computer systems for a week until it paid a $17,000 ransom. […] The potential life-and-death implications, he said, are obvious. “Can you imagine coming to the emergency room and being told you have to go somewhere else, when seconds count?

http://www.csoonline.com/article/3192519/security/cyber-infrastructure-too-big-to-fail-and-failing.html

Danish defence minister accuses Russia of cyber espionage

Although the report did not name a country, Danish defence minister Claus Hjort Frederiksen blamed Russia being behind the cyber attacks in an interview with Danish newspaper Berlingske. “What’s happening is very controlled. It’s not small hacker groups doing it for the fun of it,” Frederiksen told the Copenhagen Post. “It’s connected to intelligence agencies or central elements in the Russian government, and holding them off is a constant struggle.”

http://www.computerweekly.com/news/450417515/Danish-defence-minister-accuses-Russia-of-cyber-espionage

Picture this: Senate staffers’ ID cards have photo of smart chip, no security

The Government Accountability Office repeatedly warned of gaps in federal information security, including the lack of two-factor authentication on critical federal systems like those at OPM. […] But apparently Congress never took its own advice. A letter from Senator Ron Wyden (D-Ore.) to the Senate’s Committee on Rules and Administration last week pointed out that while many executive branch employees now have PIV cards with chips embedded in them, Senate employees get ID cards with a picture of a chip on them[.]

https://arstechnica.com/information-technology/2017/04/picture-this-senate-staffers-id-cards-have-photo-of-smart-chip-no-security/

Invasion Of The Body Snatchers: A Public-Private Partnership Is Needed To Combat Cybersecurity Threats

Cyber damage costs the global economy at least a half-trillion dollars a year – and probably more, a figure larger than the gross national product of many countries. For thousands of executives and board members, cybersecurity has become their #1 risk management concern. Why the sleepless nights? Two reasons. A company’s usual cyber incident response – two years of credit monitoring – is increasingly unsatisfactory for aggrieved parties. Equally troubling, cyber insurance is evolving behind the pace of both the sophistication and frequency of these attacks.

https://www.forbes.com/sites/richardlevick/2017/04/25/invasion-of-the-body-snatchers/#4e3bd38b7018

Can an app really track you after you delete it?

The subject became hotly debated online this week in response to a New York Times profile of ride-hailing app Uber. Uber had marked iPhones with persistent digital ID tags that would remain after users had deleted the Uber app and wiped the phone, the Times said. Apple CEO Tim Cook scolded Uber CEO Travis Kalanick for the practice, but didn’t kick Uber out of the App Store.

http://www.msn.com/en-us/news/technology/can-an-app-really-track-you-after-you-delete-it/ar-BBAp9jO?li=AA4Zoy&ocid=spartandhp

The Threat to Critical Infrastructure – Growing Right Beneath Our Eyes

Clearly, there are major gaps that need to be filled on the IT side to drive better security – and as a result, this needs to be a priority. But where the argument falls apart rather quickly is when we do the math – literally! The only way to adequately prioritize activities is to calculate the risk. I’ve attempted this below by using the cyber risk framework outlined in NIST 800-82, taking into account the rapidly evolving ICS threat landscape, and measuring the consequence (impact) of attacks on these networks against those felt in the IT domain.

http://www.securityweek.com/threat-critical-infrastructure-growing-right-beneath-our-eyes

Report: Pawn Storm a growing cyber threat

The report details a variety of tactics used by Pawn Storm, including credential phishing, spear-phishing, watering hole attacks, tabnabbing (a technique that spoofs open browser tabs to collect user information) and compromising DNS settings. The group will often attack on multiple fronts at the same time, Trend Micro says, and that increases the odds it will penetrate the defenses of even the most social-engineering-savvy target. Pawn Storm is well financed and able to run campaigns for significant periods of time and be “single-minded in their pursuit of their targets,” says the report.

https://fcw.com/articles/2017/04/25/critical-trendmicro-pawn-storm.aspx

Suspected U.S. Cyberattack on North Korea Highlights Cybersecurity Controversy

“Hacking activities conducted by the U.S. Government to pre-emptive defense is one thing. However, American businesses have also been seeking permission to be able to defend their organizations from cyberattacks for some time now,” explained MacKay. “Frustrated over what some believe is a shortcoming in our national defense capabilities, businesses have been seeking to take matters into their own hands.”

http://www.insidecounsel.com/2017/04/25/suspected-us-cyberattack-on-north-korea-highlights

Israel says it repelled a wide-ranging cyberattack

The national cyber bureau at the prime minister’s office said Wednesday that hackers posed as a “legitimate organization” and targeted “about 120 organizations, government offices, public institutions and private citizens.” The Haaretz daily said Israel believes the attack was directed by a foreign country with a group of hackers. It said the attack was aimed at infiltrating organizations involved in civilian research, development and “advanced technologies.”

http://abcnews.go.com/Technology/wireStory/israel-repelled-wide-ranging-cyberattack-47030854

Air Force Hopes To Attract Hackers With Bug Bounty Program

The initiative will be an invite-only program managed by HackerOne, which also ran Hack the Pentagon and Hack the Army. The Air Force’s bounty program will select from applicants from the U.S. and for the first time security experts from outside the U.S. from countries such as the United Kingdom, Canada, Australia and New Zealand.

https://threatpost.com/air-force-hopes-to-attract-hackers-with-bug-bounty-program/125235/

U.S. Air Force invests millions this month on cyberweapons projects

Raytheon, Northrop Grunman and Booz Allen Hamilton have all seen their stock prices rise 10 to 20 percent since the November 2016 U.S. election. Investors sprinted to military contractors based on Trump’s promises for higher spending on — among other warfighting capabilities — the cyber domain. Many of the world’s biggest weapons manufacturers are expanding aggressively into offensive and defensive cybersecurity in search of the same level of profitability found in building conventional weapons systems.

https://www.cyberscoop.com/us-air-force-invested-millions-on-new-cyber-weapons/

After blitzing FlexiSpy, hackers declare war on all stalkerware makers: ‘We’re coming for you’

A Brit biz selling surveillance tools that can be installed on phones to spy on spouses, kids, mates or employees has been comprehensively pwned by hackers – who promise similar stalkerware peddlers are next. The miscreants, supposedly Brazilian and dubbing themselves the Decepticons, have explained how they, allegedly, easily infiltrated FlexiSpy before snatching its source code and other files, and wiping as many servers as they could. That code has now leaked online, and the gang say they are on the warpath.

https://www.theregister.co.uk/2017/04/25/hackers_attack_stalkerware_flexispy/

A vigilante is putting a huge amount of work into infecting IoT devices

A technical analysis published Wednesday reveals for the first time just how much technical acumen went into designing and building the renegade network, which just may be the Internet’s most advanced IoT botnet. […] Once Hajime infects an Internet-connected camera, DVR, and other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as “just a white hat, securing some systems.”

https://arstechnica.com/security/2017/04/a-vigilante-is-putting-huge-amount-of-work-into-infecting-iot-devices/

Apprenticeship program aims to fill cybersecurity jobs

The paid, 18-month program will pair individuals with area businesses looking to address cybersecurity issues. Apprentices will work about 32 hours per week at the businesses and spend some time receiving training and instruction from MC². The apprenticeships are open to anyone 18 or older with a high school degree or GED.

http://www.stltoday.com/business/local/apprenticeship-program-aims-to-fill-cybersecurity-jobs/article_5fa72d93-5b74-5651-9958-e557d126add2.html

Comcast and other ISPs celebrate imminent death of net neutrality rules

Net neutrality rules were issued by the FCC in 2010, but they were struck down by a federal appeals court in 2014 after a lawsuit was filed by Verizon. The court said that the FCC could not enforce its net neutrality rules against blocking, throttling, and paid prioritization without reclassifying ISPs as common carriers under Title II of the Communications Act. An FCC decision in 2015 reinstated the net neutrality rules by reclassifying ISPs under Title II. Now, ISPs claim they support net neutrality rules but not the use of the legal authority that allows the FCC to enforce those net neutrality rules.

https://arstechnica.com/tech-policy/2017/04/isps-claim-to-love-net-neutrality-while-praising-death-of-net-neutrality-rules/

Samsung Smart TV pwnable over Wi-Fi Direct, pentester says

Neseso says it’s published its discovery at Full Disclosure because Samsung doesn’t consider it a security risk. The Smart TVs have a convenience feature so users don’t have to authenticate every time they turn the TV on: trusted devices are instead whitelisted by MAC address. “The user will get notified about the whitelisted device connecting to the Smart TV, but no authentication [is] required”, the post states.

https://www.theregister.co.uk/2017/04/26/samsung_smart_tv_wifi_direct_security_flaw/

New Linux SSH Brute-force LUA Bot Shishiga Detected in the Wild

A new Linux malware has been spotted in the wild by security researchers at Eset, and it is much more sophisticated than any of the previously known Linux based malware. The security researchers have named this malware as “Linux/Shishiga” which utilizes four different protocols according to Eset research team. The protocols used are Telnet, HTTP and BitTorrent, SSH and Lua scripts. Eset researchers revealed that the malware is a new Lua family which means it’s written in Lua programming language and is capable of doing much more damage than any of the previously known malware.

https://www.hackread.com/new-ssh-brute-force-lua-bot-shishiga-detected-in-the-wild/

====

Archived articles from the IT Security news blast are at https://criticalinformatics.com/it-security-news/

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.