IT Security News Blast 5-31-2017

States ‘awaken’ to critical infrastructure cyberthreats [Registration]

There have been more than 30 bills brought up in state legislatures across the United States addressing threats to critical infrastructure, according to Dan Shea, a policy associate with the National Conference of State Legislatures — almost double the number introduced in each of the past two years. Many of the bills are aimed at restricting public disclosure of certain information that could leave systems like the power grid vulnerable to attack, he said. Ten would have set up task forces to examine critical infrastructure cybersecurity, though none of those has passed, Shea added.

https://www.eenews.net/energywire/2017/05/30/stories/1060055251

Target’s data breach settlement sets a low bar for industry security standards

Modern security needs to focus on reducing the amount of time between a compromise and its detection, and on making it harder for attackers to carry out their operations. While network segmentation and two-factor authentication will slow down attackers, the bulk of the terms are still defensive in nature. “They [settlement terms] represent yesterday’s security paradigm,” Kellermann said.

http://www.csoonline.com/article/3199064/security/targets-data-breach-settlement-sets-a-low-bar-for-industry-security-standards.html

The malware is extra: Chipotle reveals details on cyberattack against POS system

A payment card security issue reported by Chipotle Mexican Grill in April has been traced back to malware placed on point-of-sale devices at some Chipotle and Pizzeria Locale restaurants between March 24, 2017 and April 18, 2017, according to Chipotle.

The malware was designed to access payment card data from debit and credit cards, according to the result of an investigation that included cybersecurity firms, law enforcement and the payment card networks, according to Chipotle.

http://www.ciodive.com/news/the-malware-is-extra-chipotle-reveals-details-on-cyberattack-against-pos-s/443734/

Are ATMs sitting ducks for WannaCry-style cyberattack?

Today, most large banks and credit unions have migrated to Windows 7, according to David Tente, executive director of the ATM Industry Association. But the picture is less clear for smaller financial institutions, he said. “Many, if not most, of the 12,000 financial institutions with only one, two or three ATMs are still running Windows XP,” Tente said. ATM manufacturers are just now beginning to make Windows 10 available on their equipment two years after its release.

https://www.americanbanker.com/news/are-atms-sitting-ducks-for-wannacry-style-cyberattack

Best Practices for Meeting Cybersecurity Requirements

The 2017 examination priorities disclosed by the SEC and Finra include, among other themes, a strong focus on cybersecurity. During audits, these regulatory agencies will be confirming that advisors have clear security protocols in place to protect sensitive financial information, and that they’re testing those protocols regularly. Below are some best practices that advisors can harness to ensure they comply with SEC and Finra cybersecurity regulations.

http://www.barrons.com/articles/best-practices-for-meeting-cybersecurity-requirements-1496138758

The Cyber Security Industry Could Be the Greatest Threat to Cyber Security Today

The security industry is a market of great need but has fallen into an opportunist industry ready to sell you anything you can imagine. Most people in general don’t understand the complex world of cyber threats and are falling victim to what equates to a global scam of an industry. Here are a few facts that will help you wade through misleading propaganda:

1. There is no silver bullet and there never will be.

2. Very few people are actually qualified to “test” your system.

3. Encryption does not always equal secure.

4. Your move to the cloud does not protect you.

http://www.cio.com/article/3198926/security/the-cyber-security-industry-could-be-the-greatest-threat-to-cyber-security-today.html

Cyberattack on UK political party ‘only a matter of time’

“Our research has shown [that] attackers are relentlessly working to exploit the email communication channel regardless of their level of sophistication, motivation, or country. Email is their top target because it provides the easiest opening into an organisation, one of the easiest routes for exporting confidential information and for political purposes, email content itself offers an inside look at strategies, motivations and personalities.”

https://www.theguardian.com/technology/2017/may/30/hacking-uk-political-party-matter-time-us-expert-phishing

NATO Cyber-Defense Group Adds New Nations to Its Ranks

“International cooperation of like-minded nations in cyber-defense is becoming inevitable. We are witnessing a growing interest towards our applied research, trainings and exercises, but the preparedness of nations to contribute themselves reflects more than just recognition to the work that has been done,” said Sven Sakkov, director of the multinational and interdisciplinary hub of cyber-defense expertise. “It proves that we offer needed support for member nations and the international community in building their cyber-defense.”

https://www.infosecurity-magazine.com/news/nato-cyberdefense-group-adds/

LinkedIn Hacker, Wanted by US & Russia, Can be Extradited to Either State

The alleged Russian hacker, who was arrested by the Czech police in Prague last October on suspicion of the massive 2012 data breach at LinkedIn, can be extradited to either the United States or Russia, a Czech court ruled on Tuesday. Yevgeniy Aleksandrovich Nikulin, a 29-year-old Russian national, is accused of hacking not just LinkedIn, but also the online cloud storage platform Dropbox, and the now-defunct social-networking company Formspring. However, he has repeatedly denied all accusations.

http://thehackernews.com/2017/05/linkedin-russian-hacker-extradition.html

NSA’s failure to disclose led to WannaCry scourge

Despite the fact that the government has criteria in place on whether or not to disclose a software vulnerability, and despite an official statement from NSA Director Michael S. Rogers asserting that the government does in fact disclose 91 percent of the flaws it detects to the various vendors, the basic code used in the WannaCry campaign – code-named EternalBlue – leaked from the NSA. And this despite internal warnings that the code had the potential to do great harm if unleashed.

https://www.scmagazine.com/nsas-failure-to-disclose-led-to-wannacry-scourge/article/665018/

6 reasons chip hacks will become more popular

The essence is that firmware and chips can be hacked. They (or their related controller chips) contain software-like instructions that usually contain vulnerable security flaws. They are just harder to update. Repeat after me: “Chips and firmware are just harder-to-patch software.” Because of this, and other reasons, I fully expect more frequent hacks at the firmware and hardware layer in the future.

http://www.csoonline.com/article/3198647/security/6-reasons-why-chip-hacks-will-become-more-popular-in-the-future.html

New Shadow Brokers 0-day subscription forces high-risk gamble on whitehats

If the group releases similarly catastrophic exploits for Windows 10 or mainstream browsers, security professionals are arguably obligated to have access to them as soon as possible to ensure patches and exploit signatures are in place to prevent similar outbreaks. On the other hand, there’s something highly unsavory and arguably unethical about whitehats paying blackhats with a track record as dark as that of the Shadow Brokers.

https://arstechnica.com/security/2017/05/new-shadow-brokers-0day-subscription-forces-high-risk-gamble-on-whitehats/

UK surveillance law raises concerns security researchers could be ‘deputised’ by the state

“If you are a security researcher in the UK and the government finds out you have discovered a vulnerability, then it appears you can be forced against your will to hand over your research to GCHQ. It also appears that if you then still try to warn the vendor after being served a warrant, the government can prosecute you,” Clubley explained. “It doesn’t appear that you need to have any direct connection to the vendor in question,” he added.

https://www.theregister.co.uk/2017/05/31/surveillance_law_compulsion/

iPhone – the likely cause of the EgyptAir Flight 804 crash

According to the French newspaper, Le Parisien, French officials have no doubt about the fact that the plane crashed due to an overheated iPhone. They believe that the overheating caused the explosion and that it might have either been an iPhone or iPad which caused it. The French National Center for Scientific Research is working in collaboration with the country’s Ministry of Defense to see whether this was actually the case. As such, an iPhone 6s and iPad Mini 4 are being tested as part of the investigation.

https://www.hackread.com/iphone-likely-cause-of-the-egyptair-flight-804-crash/

Dark web services getting attacked too, as Tor sites become less hidden

Over a seven-month period between February and September 2016, researchers from Trend Micro and French communications school Eurecom monitored honeypots that they created, as they were repeatedly subjected to both automated and manual attacks. The honeypots were designed to look just like typical underground services, including an invitation-only drug marketplace, a blog site promoting solutions for hosting in the Tor network, and a custom private forum that required registration and a referral to join.

https://www.scmagazine.com/dark-web-services-getting-attacked-too-as-tor-sites-become-less-hidden/article/665029/

NORK spy agency blamed for Bangladesh cyberheist, Sony Pictures hack

[Group-IB’s] experts conducted an in-depth investigation of Lazarus activity and gained unique insight into the complex botnet infrastructure built by the hacker group to conduct their attacks. Despite the complex three-layer architecture, encrypted channels, VPN services and other advanced techniques, the researchers managed to identify that the group was operating from Potonggang District, North Korea. Perhaps coincidentally, this is where the National Defence Commission, previously the highest military body in North Korea, was located.

https://www.theregister.co.uk/2017/05/30/nork_spy_agency_lazarus_group_attribution/

Bug Lets Chrome Stealthily Record Audio and Video

According to Bar-Zik, the bug allows a website to record video and audio content once a user grants the website permission to do so. Nevertheless, there can sometimes be no indication that such recording is taking place. Although the bug is quite harmless on its own, the researcher claims that it can be exploited for more sophisticated attacks, reports BleepingComputer.

https://www.hackread.com/bug-lets-chrome-stealthily-record-audio-and-video/

Hack DHS Act Establishes Bug Bounty Program for DHS

Senators Maggie Hassan (D-NH) and Rob Portman (R-OH) introduced the Hack Department of Homeland Security (DHS) Act on 25 May. Designated S.1281, it is described as “A bill to establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes.” At the time of writing, there is no publicly published text for the bill. Nevertheless, congress.gov lists it as having been read twice and referred to the Committee on Homeland Security and Governmental Affairs.

http://www.securityweek.com/hack-dhs-act-establishes-bug-bounty-program-dhs

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.