IT Security News Blast 6-20-2017

Purple Team: Your First Pentest Results

What I discovered over the months leading up to the engagement is that the pentest became a great political tool for remediating problems. The other thing I did to prepare was visit some colleagues of mine who were regularly performing penetration tests at clients across the country. When I asked for advice, they gave me the following suggestions. These are backed by my own experience over the past few years as well.

https://criticalinformatics.com/purple-team-your-first-pentest-results/

The RNC Files: Inside the Largest US Voter Data Leak

In what is the largest known data exposure of its kind, UpGuard’s Cyber Risk Team can now confirm that a misconfigured database containing the sensitive personal details of over 198 million American voters was left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC) in their efforts to elect Donald Trump. […] These RNC IDs uniquely link disparate data sets together, combining dozens of sensitive and personally identifying data points, making it possible to piece together a striking amount of detail on individual Americans specified by name.

https://www.upguard.com/breaches/the-rnc-files

$130K NY State Settlement from Late Data Breach Notification

CoPilot Provider Support Services, Inc. recently agreed to a $130,000 settlement with New York after the company was found to have violated state data breach notification law, according to the New York Attorney General’s office. CoPilot provides healthcare support services, and waited over one year to provide notice that a data breach exposed 221,178 patient records, the AG statement explained.

https://healthitsecurity.com/news/130k-ny-state-settlement-from-late-data-breach-notification

Know the Rules and Tools for Stronger Financial Services Cybersecurity

The SEC’s Office of Compliance Inspections and Examinations (OCIE) has put the Cybersecurity Examination Initiative in place, which outlines a series of examinations they look for within organizations “to promote better compliance practices and inform the Commission’s understanding of cybersecurity preparedness.” How can cybersecurity solutions help financial services organizations meet requirements and stay compliant? Let’s take a closer look at some of the examinations mentioned above to get a better understanding.

http://www.techzone360.com/topics/techzone/articles/2017/06/19/432855-know-rules-tools-stronger-financial-services-cybersecurity.htm#

HHS: Microsoft Vulnerabilities Impact Healthcare Cybersecurity

HCCIC explained in its report that the vulnerabilities relate to the same type that allowed the WannaCry ransomware strain to spread. DHS specified that Hidden Cobra will likely target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Because of that, it is possible that US healthcare and public health sector systems and devices are also targets.

https://healthitsecurity.com/news/hhs-microsoft-vulnerabilities-impact-healthcare-cybersecurity

It’s 2017, and UPnP is helping black-hats run banking malware

McAfee Labs says the new campaign uses a variant of the ancient Pinkslipbot, and says it uses Universal Plug’n’Play (UPnP) to open ports through home routers, allowing incoming connections from anyone on the Internet to communicate with the infected machine. As with any credential-harvesting botnet, the malware needs to get its booty back to the botmasters without exposing them, and this is where the UPnP exploit comes in.

https://www.theregister.co.uk/2017/06/19/pinkslipbot_returns_withupnp_malware_attack/

Personal info of hundreds of thousands of students targeted in schools hack attack

For three months, the hackers probed the systems, mapping them out and testing their defenses. At one point, they even posted photos of someone dressed as an ISIS fighter on two school district websites. They weren’t just looking for the names of kids and valuable Social Security numbers, UDT found. The hackers were also searching for some way to slip into other sensitive government systems, including state voting systems.

http://www.sacbee.com/news/nation-world/national/article156833299.html

Industrial Security is About Protecting More Than Data

Imagine if a machine safety system was the target of a successful cyberattack. It might not know to slow down or stop if it reached dangerous conditions. In other words, the very protections that safety systems are designed to provide, might be lost. The potential impact of such an attack could lead to an employee being injured or subject an entire facility to widespread safety risks, such as fires, leaks or explosions. The risks are exacerbated in facilities that handle volatile materials, such as oil and gas processing and inherently hazardous operations like mines.

http://www.industryweek.com/cybersecurity/industrial-security-about-protecting-more-data

For DHS cybersecurity funding, Congress asks why states are bypassing millions

In a recent four year span, one official shared, 30 states and 2 tribal territories spent a combined $27.3 million on homeland security grants on cybersecurity as an allowable expense, out of an available funding pool totaling $4 billion. Though cybersecurity is an allowable expense, according to official guidance, it is not explicitly mentioned in the original 2002 law that created the department.

http://statescoop.com/for-dhs-cybersecurity-funding-congress-asks-why-states-are-bypassing-millions

A Brief History of Computing: As Technology Evolves, Cybersecurity Lags Behind

Today, we have computer systems that cannot be reasonably well-secured, mostly due to the inherent complexity of their interoperation. These systems perform tasks involving the resultant efforts of other, uncontrolled actors that may be functionally insecure and use data sources that cannot be verified. Even when those sources have been secured, the system itself may exhibit insecure behaviors.

https://securityintelligence.com/a-brief-history-of-computing-as-technology-evolves-cybersecurity-lags-behind/

Choosing a Sound Path Forward for Cybersecurity

Boards of directors are engaged on the issue, while investors overwhelmingly perceive cybersecurity attacks as one of the biggest risks to their portfolios. For policymakers at home and overseas, cybersecurity continues to climb the list of priorities. This rising cyber-awareness is necessary and fitting, given the urgency of confronting cybersecurity threats and the astonishing aggregate cost of today’s cyber-attacks. Yet as momentum picks up, we must carefully consider our overall approach to cybersecurity risk management: there are several possible paths ahead.

http://ww2.cfo.com/auditing/2017/06/choosing-sound-path-forward-cybersecurity/

How to make your employees care about cybersecurity: 10 tips

In the past, companies could train employees once a year on best practices for security, said Wesley Simpson, COO of (ISC)2. “Most organizations roll out an annual training and think it’s one and done,” Simpson said. “That’s not enough.” Instead, Simpson said organizations must do people patching: Similar to updating hardware or operating systems, you need to consistently update employees with the latest security vulnerabilities and train them on how to recognize and avoid them.

https://www.techrepublic.com/article/how-to-make-your-employees-care-about-cybersecurity-10-tips/

Tech Funds Profit on Cyber Attack Fears

A high profile cyber-attack on the NHS and a computer system meltdown at British Airways have put cyber security stocks firmly in the spotlight. But experts who have been tracking the trend say the real momentum in the sector started with an attack on US retail group Target (TGT) in 2014. There are around 180,000 recorded data breaches across the world every day. Given an estimated 70% of cyber breaches go undetected, the true scale of this problem is colossal.

http://www.morningstar.co.uk/uk/news/159475/tech-funds-profit-on-cyber-attack-fears.aspx

Web host agrees to pay $1m after it’s hit by Linux-targeting ransomware

As for how this Linux ransomware arrives, we can only infer that Erebus may have possibly leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, NAYANA’s website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.

https://arstechnica.com/security/2017/06/web-host-agrees-to-pay-1m-after-its-hit-by-linux-targeting-ransomware/

Your anti-virus may remove this malware but it will still remain active

The malware also controls a massive botnet of 500,000 infected machines, therefore, making it one of the most extensively used malware against the banking industry. Additionally, researchers found that Pinkslipbot uses universal plug and play (UPnP) networking protocols to remain stealthy while using IP addresses of infected devices linked to the malware server as HTTPS-based proxies to the actual control servers.

https://www.hackread.com/your-anti-virus-may-remove-this-malware-it-remain-active/

Stack Clash Vulnerability in Linux, BSD Systems Enables Root Access

Major Linux and open source distributors have made patches available today, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon. The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

https://threatpost.com/stack-clash-vulnerability-in-linux-bsd-systems-enables-root-access/126355/

FOIA documents show the Kafkaesque state of US mass surveillance

The unnamed company refused to obey the surveillance order, and was also denied the ability to even review the outcomes of any previous challenges to help form its case. That’s according to documents obtained via a Freedom of Information Act request filed by the civil-rights warriors at the ACLU and the EFF. […] The heavily redacted documents [PDF] were published this week, and come from the secret Foreign Intelligence Surveillance Court, which oversees Uncle Sam’s spying efforts.

https://www.theregister.co.uk/2017/06/16/state_of_us_mass_surveillance/

Mexican Journalists, Lawyers Focus of Government Spyware

Dozens of Mexican journalists, lawyers, and even a child, had their devices infected with commercially produced spyware during the past two years as part of an overarching campaign believed to be carried out by the nation’s government. The spyware, Pegasus, came in the form of text messages masquerading as correspondence from the United States government, the Embassy of the United States of America to Mexico, and even emergency AMBER alerts about purportedly stolen children.

https://threatpost.com/mexican-journalists-lawyers-focus-of-government-spyware/126367/

With new dynamic capabilities, will whitelisting finally catch on?

We are in an age of destructive and fast-spreading malware, like the recent WannaCry ransomware attack, and this is encouraging companies to give whitelisting a second look. They will see that whitelisting solutions have matured. Capabilities like cloud-based, peer-to-peer whitelists and reputation scoring give the technology a better chance to catch on, although some believe it is still not ready for prime time.

http://www.csoonline.com/article/3198749/cyber-attacks-espionage/with-new-dynamic-capabilities-will-whitelisting-finally-catch-on.html

NYC mayor reveals plan to add 10,000 cybersecurity jobs over the next decade

New York City Mayor Bill de Blasio on Thursday unveiled a ten-year plan to introduce 100,000 jobs with annual salaries of $50,000 or greater by strategically investing in multiple industries, with a strong emphasis on cybersecurity. […] The “New York Works” initiative entails a $30 million investment in cybersecurity training, academic research and development labs, and what is being described as the first business accelerator that specializes exclusively in upstart cybersecurity firms that are based in the city.

https://www.scmagazine.com/nyc-mayor-reveals-plan-to-add-10000-cybersecurity-jobs-over-the-next-decade/article/668902/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.
