IT Security News Blast 4-4-2017

Why all businesses need an incident response plan

The first thing that any incident response plan should include is a list of any and all cyber threats that business could be faced with, whether it’s a data breach, a DDoS takedown or a ransomware attack. […] The plan should also include a list of the business’ most valuable assets and clearly state where these are located, whether those assets are virtual or otherwise. Once listed, the plan must consider the risks that would be posed if those assets were to be seized during an attack.

http://www.itproportal.com/features/why-all-businesses-need-an-incident-response-plan/

What Motivates Targeted Attacks Today?

While data theft and money are two well understood motives for sophisticated targeted hacking attacks, two other goals have emerged for such attacks – propaganda and disruption, says Vicente Diaz principal security researcher with Kaspersky Lab Global Research and Analysis Team. These two aspects of APT attacks are usually not taken in to account, but are going to become more important in the future.

http://www.bankinfosecurity.asia/interviews/what-motivates-targeted-attacks-today-i-3545

Cyber Security Risks To Be Aware Of In The Oil And Gas Industries

Here are some of the risks a company may face in the case of a successful attack:

  • Plant shutdown
  • Equipment damage
  • Utilities interruption
  • Production circle shutdown
  • Inappropriate product quality
  • Undetected spills
  • Safety measures violation resulting in injuries and even death

https://www.forbes.com/sites/forbestechcouncil/2017/04/03/cyber-security-risks-to-be-aware-of-in-the-oil-and-gas-industries/#421470973f0a

Lines Around Cyber Threat Intelligence Sharing Blurring

Lotrionte, a lawyer who previously worked at the Central Intelligence Agency, started her keynote by reciting an old adage, how the role of the government collecting intelligence is often referred to as the second oldest profession. She acknowledged that virtually all nation states collect, often under their own rules, which vary. As a general rule however, it’s not usually regulated under international law, something that puts the onus on governments to outlaw acts under their domestic laws.

https://threatpost.com/lines-around-cyber-threat-intelligence-sharing-blurring/124734/

Ancient Moonlight Maze backdoor remerges as modern APT

The advanced persistent threat (APT), known for targeted attacks against the Pentagon, NASA, and other prominent US agencies and bodies in the 1990s, was kept under wraps following additional security breaches at American universities, the Department of Energy and US military and government networks. At the time, a classified investigation into Moonlight Maze took place and once concluded, US officials destroyed evidence pertaining to the APT — also codenamed as Storm Cloud and Maker’s Mark, as well as being mentioned in the Snowden leaks — in 2008.

http://www.zdnet.com/google-amp/article/ancient-moonlight-maze-backdoor-remerges-as-modern-apt/

Memory Corruption Mitigations Doing Their Job

Memory corruption mitigations that have been integrated into major desktop and mobile operating systems are driving up the cost of client-side exploit development and making viable vulnerabilities scarcer than they were a decade ago. […] “Useful bugs are harder to find,” said Dowd, founder of Azimuth Security. “Bypassing mitigations is not trivial. Now we’re talking about exploit chains where you first have to compromise a process and then develop a sandbox escape.”

https://threatpost.com/memory-corruption-mitigations-doing-their-job/124728/

Fileless Banking Malware Attackers Break In, Cash Out, Disappear

The attackers already had remote access to the bank’s networks through the malware, described in February, but once they were inside, they dropped another piece of malware called ATMitch on some bank ATMs that gave them the ability to dispense money, “at any time, at the touch of a button.” […] Attackers installed the malware on ATMs via the machine’s remote administration modules, something which gave them the ability to execute commands, such as tabulating the number of bills inside a machine or dispensing money.

https://threatpost.com/fileless-banking-malware-attackers-break-in-cash-out-disappear/124711/

President Trump delivers final blow to Web browsing privacy rules

“President Trump has signed away the only rules that guarantee Americans a choice in whether or not their sensitive Internet information is sold or given away,” said Chris Lewis, VP of consumer advocacy group Public Knowledge. Trump’s action also “eliminates the requirement that broadband providers notify their customers of any hacking or security breaches.”

https://arstechnica.com/tech-policy/2017/04/trumps-signature-makes-it-official-isp-privacy-rules-are-dead/

How to Keep Your Internet Browser History Private

Here’s the steps you should take to keep your data from being gathered up and sold to the highest bidder.

  • Install an ad-blocker
  • Turn on HTTPS
  • Use a VPN
  • What about Tor?

Keep an eye on your ISP’s privacy policy, and if it does start selling data, switch — or ask whoever pays the bills to switch — to a smaller, independent ISP that promises to keep your data private. Plus, help anyone you know who isn’t tech savvy, but does need privacy protection.

http://www.teenvogue.com/story/how-to-keep-your-internet-history-private

Empty promises, as coal dwindles, manufacturing falls to automation, but cyber rises

“Sheer nonsense,” he said of Trump’s claims of a coal revival. “No company will bid on new leases when there’s already a glut of unwanted coal on the market.” […] “I’m not in favor of trying to hold back technological advance, he said on CNBC), isn’t going to produce the kind of line work and other jobs that kept our parents and great-grandparents in what we in the South like to call “high cotton” during the ‘60s, ‘70s and ‘80s. […] Not. Going. To. Happen. But that’s not the end of the story – there’s plenty of opportunity for people seeking work and trying to help their kids find a secure career path. Guess where?

https://www.scmagazine.com/empty-promises-as-coal-dwindles-manufacturing-falls-to-automation-but-cyber-rises/article/647886/

AIG taps into consumer fears with new cybersecurity product

The U.S. insurer plans to roll out a product on Monday that offers coverage for expenses that arise from online bullying, extortion and other digital misdeeds. Called “Family CyberEdge,” it includes public relations and legal services, as well as at-home assessments of family electronic devices, executives said in an interview. Wealthy, high-profile individuals have increasingly become hacker targets, said Jerry Hourihan, president of AIG Private Client Group for the United States and Canada. Social media use and online financial information make them vulnerable.

http://www.reuters.com/article/us-usa-insurance-cyber-idUSKBN1751E0

Advice for government leaders looking to strengthen cybersecurity

Government is getting better at visibility of its own environment, but those environments are dynamic and the attack surface is expanding, too – you can get better at protecting your own networks, but the government relies on third parties and contractors to manage operations and to work on sensitive products. So the attack surface has expanded, as many don’t work in government networks. […] From a government perspective, most seniors or cabinet level secretaries don’t necessarily feel that way about their department. A recent executive order had a big senior accountability for cyber, which is a great start.

https://enterprisersproject.com/article/2017/4/advice-government-leaders-looking-strengthen-cybersecurity

County and municipal cybersecurity, Part 1

Your job as a municipal executive is to provide leadership and management in order to get the big picture right throughout your organization. What follows is advice on how to ensure that an appropriate cybersecurity program is established and functional in your organization. I recommend that you, the municipal executive assume high-level responsibility for cybersecurity oversight. You don’t need to know the technical details, but you must know whether or not the infrastructure, policies and procedures are in place and working correctly.

http://www.cio.com/article/3184618/government-use-of-it/county-and-municipal-cybersecurity-part-1.html

County and municipal cybersecurity, Part 2

What’s the first step in establishing your cybersecurity program? It has nothing to do with cybersecurity. Information security and cybersecurity must be components of an overarching information governance (IG) program, overseen by an interdisciplinary team with executive support. Treating cybersecurity as a stand-alone program outside of the context of your organization’s information universe will produce a narrow approach. Do you currently have an IG program?

http://www.cio.com/article/3186510/government-use-of-it/county-and-municipal-cybersecurity-part-2.html

Recognizing the New Face of Cyber-Security

No longer are cyber-threats thwarted by clearly defined perimeters such as firewalls. No longer are malware and cyber-attacks blocked by traditional security tools designed to identify specific viruses and code. “It’s an entirely different landscape,” observes Oswin Deally, vice president of cyber-security at consulting firm Capgemini. To be sure, mobility, clouds, the internet of things (IoT) and the increasingly interconnected nature of business and IT systems have radically changed the stakes. There’s a growing need for security transformation.

http://www.cioinsight.com/security/recognizing-the-new-face-of-cyber-security.html

How To Select The Right Products For Your Cybersecurity Portfolio

So far in my series on building the right cybersecurity portfolio for your business, I’ve outlined three key steps companies should take. I’ve advocated that companies not overspend on prevention, assess their unique cybersecurity needs and create a balanced portfolio that meets those needs by taking into account all five of the categories in the NIST framework for cybersecurity. In this piece, I want to drill down into the fourth step of the portfolio process: choosing the right products for your business.

https://www.forbes.com/sites/danwoods/2017/04/03/how-to-select-the-right-products-for-your-cybersecurity-portfolio/#6f84660512d7

Germany sees growing cyber threat but lacks legal means to retaliate

Suder said the military would only retaliate after a large-scale attack on Germany if parliament ordered it to. She rejected some lawmakers’ concerns about insufficient oversight of the various governmental arms involved in cyber security. “Existing laws apply, even in cyberspace,” she said, noting that any offensive cyber measures would come as part of military mandates that had already been approved by parliament. “The rules are very clear and we observe them.”

http://www.reuters.com/article/us-germany-cyber-idUSKBN17521I

Found: Quite possibly the most sophisticated Android espionage app ever

Pegasus for Android is the companion app to Pegasus for iOS, a full-featured espionage platform that was discovered in August infecting the iPhone of a political dissident located in the United Arab Emirates. […] Pegasus for Android also has the ability to self-destruct when it’s at risk of being discovered or compromised. The self-destruct mechanism can be triggered in several different ways: if the mobile country code associated with the SIM card is invalid; if an “antidote” file exists in the /sdcard/MemosForNotes folder; if the app has been unable to connect to an attacker-controlled server for 60 days; or if the app receives a command from the server to remove itself.

https://arstechnica.com/security/2017/04/found-quite-possibly-the-most-sophisticated-android-espionage-app-ever/

Wi-Fi sex toy with built-in camera fails penetration test

With a little work, PTP was able to siphon the video stream from the dildo, meaning someone’s most intimate activities are badly protected. With a little more work – we’re actually into hacking here, people, PTP had to look at the UART outputs! – the unremarkable Telnet password reecam4debug, and with that, the dildo is rooted: “We’ve got complete control over every inbuilt function in the Siime Eye, easy access to the video stream, a root shell and persistence on a dildo.”

https://www.theregister.co.uk/2017/04/04/intimate_adult_toy_fails_penetration_test/

Fancy Bears Hacked IAAF – Athletes’ Data Stolen

Fancy Bears hackers are back and this time, their target was The International Association of Athletics Federations (IAAF). Apparently, the hackers have managed to get away with the athletes’ medical records, including therapeutic use exemption (TUE). This breach was reported to the athletics’ world governing body, and even though they admitted that unauthorized access was made, they stated that they’re unsure if any information was stolen from the network.

https://www.hackread.com/fancy-bears-hacked-iaaf-athletes-data-compromised/

Zero-day on Windows Server 2003 could affect up to 600,000 servers

“A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application,” said Virendra Bisht, a vulnerability researcher at Trend Micro. He added that other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC).

https://www.scmagazine.com/zero-day-on-windows-server-2003-could-affect-up-to-600000-servers/article/647975/