IT Security News Blast 6-22-2017

Fed official: banks must recover from cyber attack in two hours

Financial institutions should be capable of a two-hour return to operations (RTO) following a cyber attack, a senior banking supervisor said on Tuesday (June 20). The two-hour RTO was contained in an advanced notice of proposed rulemaking issued in November 2016 by the Fed and two other US prudential regulators, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation.

http://www.risk.net/risk-management/operational-risk/5293701/banks-must-recover-from-cyber-attack-in-two-hours-fed-official-says

PII of 1 million compromised in Washington State University safe heist

WSU learned on April 21, 2017 that a “locked safe containing a hard drive had been stolen.” The hard drive contained the backup files from WSU’s Social & Economic Science Research Center (SESRC). On April 26, WSU confirmed PII was compromised. On June 9, they began informing those affected and sending breach notification notices to various states’ Attorney General Offices.

http://www.csoonline.com/article/3202071/security/pii-of-1-million-compromised-in-washington-state-university-safe-heist.html

Honda halts production at Japan plant after cyber attacks

The Japanese automaker said it had shut its plant in Sayama, near Tokyo, on Monday after discovering its computer system was infected with the so-called WannaCry virus. […] “The malware affected the production of about 1,000 cars,” a Honda spokeswoman told AFP, adding that production restarted on Tuesday. “There is a possibility that our overseas facilities were also infected… We’re now investigating that,” she added.

http://news.abs-cbn.com/business/06/21/17/honda-halts-production-at-japan-plant-after-cyber-attacks

Why Cybersecurity Is Financially Undervalued

In short, it’s time to provide financial benchmarks to cybersecurity. Securing corporate America is not a technology problem. Shareholders need to value cybersecurity and begin to punish poor performance in this area. Until the economic incentives driving behavior related to cybersecurity change, very little else will. Take, for example, the truism that stock prices get hammered and CEOs get fired when they consistently miss their revenue or profitability targets. Why do they then get a pass when it comes to losing millions of dollars as a result of negligence in addressing cybersecurity concerns?

http://ww2.cfo.com/cyber-security-technology/2017/06/cybersecurity-financially-undervalued/

Russian government hackers broke into voting systems in 39 states

The cyberattacks targeted software used by states’ election commissions in the months and weeks before the election and by poll workers on election day. The type of targets the Russian government hackers chose also indicates that, in addition to the immediate goal of helping elect Donald Trump president, the hackers were trying to gain knowledge which would allow them to interfere in, and influence, the 2018 mid-term elections or the 2020 presidential election even more effectively than they did the 2016 presidential election.

http://www.homelandsecuritynewswire.com/dr20170615-russian-government-hackers-broke-into-voting-systems-in-39-states

Are Elections Safe? Obama Officials Warn Democratic Process Is Vulnerable to More Cyberattacks

“I do believe that the Russians will continue their activities,” says Michael Daniel, former cybersecurity coordinator for the Obama administration, referring to hacking attacks by Russian intelligence during the 2016 presidential election. Daniel, who now works in the private sector as president of the Cyber Threat Alliance, says he expects we will see copycats as well, because the Russians have demonstrated to everybody and their cousin that these activities can produce benefits.

http://www.newsweek.com/are-elections-safe-obama-officials-warn-democratic-process-vulnerable-more-628015

10 tough security interview questions, and how to answer them

Anyone who’s experienced a job interview knows that one of the keys to landing a position is answering the interview questions effectively and intelligently without sounding like a robot. It’s no different for high-level security executives. […] We asked several security executives and hiring experts to provide examples of challenging questions job candidates might expect to be asked and their advice on crafting the right kinds of answers.

http://www.csoonline.com/article/2121343/it-strategy/10-tough-security-interview-questions-and-how-to-answer-them.html

Why the NIST framework needs to be the common language of cybersecurity

In fact, the NIST Cybersecurity Framework (CSF) has been adopted by about 30 percent of U.S. companies since its release three years ago, and that number could reach 50 percent by 2020. This means that the floor opens up for increased collaboration. With everyone on their way to speaking the same language in cyberspace, we are well on our way to exploring the unknown and more deeply developing what we’ve already discovered.

https://federalnewsradio.com/commentary/2017/06/why-the-nist-framework-needs-to-be-the-common-language-of-cybersecurity/

Cybersecurity Demands a Military Mindset

Focusing on alert generation, these security systems create too much noise, most of which consists of false positives that eventually result in alert fatigue. Even when an actual breach has been detected, it can take a long time to remediate completely because these solutions do not present the full scope of the incident. This reactive “action and response” behavior cycle continually puts the defending team on its heels, reacting to, rather than understanding, what is really happening.

http://ww2.cfo.com/cyber-security-technology/2017/06/cybersecurity-demands-military-mindset/

Canada’s cyber spy agency is about to get a major upgrade

New legislation, tabled Tuesday, will give the Communications Security Establishment the power to do everything from targeting foreign hacking groups to taking out Islamic State propaganda. The new power will embolden CSE to conduct those cyber attacks on its own, but also give it authority to cooperate with the Canadian military to conduct cyber operations during military missions abroad.

https://news.vice.com/story/cse-is-getting-a-major-upgrade

Trump holds meeting to address power grid cyber threats

Trump is said to have communicated his desire to improve existing partnerships between the public and private sectors to protect critical infrastructure during the meeting. Lawmakers on Capitol Hill have raised concerns about threats to the U.S. power grid in the wake of successful cyberattacks on Ukraine’s power grid in 2015 and 2016, both of which are widely believed to have been orchestrated by Russia.

http://thehill.com/policy/cybersecurity/338790-trump-holds-meeting-to-address-power-grid-cyber-threats

Trump’s Cybersecurity Executive Order Under Fire

President Donald Trump’s Cybersecurity Executive Order needs an overhaul, specifically a shift from planning and proposals to the pragmatic. According to Ed Amoroso, former AT&T CSO, there are dire consequences for U.S. critical infrastructure if the U.S. government pursues its current cybersecurity status quo. “How many plans are being drafted by government agencies right now under the current Cyber Executive Order? Hundreds. And who is going to read them?” asked Amoroso, currently CEO of TAG Cyber. “This is not the way Trump’s executive order should be.”

https://threatpost.com/trumps-cybersecurity-executive-order-under-fire/126435/

Fake news: Studying cyber propaganda and false information campaigns

A University of Arkansas at Little Rock professor has received more than $1.5 million to research ways to aid U.S. military forces in the fight against cyber propaganda campaigns. The Office of Naval Research awarded Dr. Nitin Agarwal, the UA Little Rock Jerry L. Maulden-Entergy endowed chair and a professor of information science, a $1,530,778 grant. This new grant enables Agarwal to continue his investigation into the practices, tactics, and motivations of organizers of web-based mass movements and their participants.

http://www.homelandsecuritynewswire.com/dr20170615-fake-news-studying-cyber-propaganda-and-false-information-campaigns

WebSites Found Collecting Data from Online Forms Even Before You Click Submit

During an investigation, Gizmodo discovered that code from NaviStone, used by hundreds of websites, invisibly grabs each piece of information as you fill out a web form, before you hit ‘Send’ or ‘Submit.’ NaviStone is an Ohio-based startup that advertises itself as a service to unmask anonymous website visitors and find out their home addresses. There are at least 100 websites using NaviStone’s code, according to BuiltWith, a service that tells you what technology sites employ.

http://thehackernews.com/2017/06/online-form-privacy.html

U.S. Firms Issue Principles for Cyber Risk Ratings Used by Insurers

More than two dozen U.S. companies, including several big banks, have teamed up to establish shared principles that would allow them to better understand their cyber security ratings and to challenge them if necessary, the U.S. Chamber of Commerce said on Tuesday. Large corporations often use the ratings, the cyber equivalent of a FICO credit score, to assess how prepared the companies they work with are to withstand cyber attacks. Insurers also look at the ratings when they make underwriting decisions on cyber liability.

http://www.insurancejournal.com/news/national/2017/06/21/455258.htm

Netflix’ Orange Is the New Black Season was Stolen Using Windows Flaw

Although it is unclear what kind of vulnerability the hackers exploited, Larson Studios chief engineer David Dondorf told Variety in an interview that the hackers were looking for random computers running Windows 7 and ended up breaching the one with the unreleased Season 5 of the Orange Is the New Black TV show. “They were basically just trolling around to see if they could find a computer that they could open,” Dondorf explained. “It wasn’t aimed at us,” said Dondorf.

https://www.hackread.com/netflix-orange-is-the-new-black-season-stolen-windows-flaw/

Skype Suffers Outage Amid Claims of Cyber-Attack

Suspicions have been raised that the outage was caused by some form of attack, DDoS being the most likely, speculation fueled by a Tweet emanating from the Twitter profile of “Mass Ddos Attacker” CyberTeam, who wrote: “[June 19] Skype down by CyberTeam Hello World!!” Again, whilst this is yet to be confirmed, if indeed the source of the outage was DDoS, it is yet another example of the impact these attacks can cause.

https://www.infosecurity-magazine.com/news/skype-suffers-outage-cyberattack/

OpenVPN Patches Critical Remote Code Execution Vulnerability

CVE-2017-7521 can drain the server of available memory, which may lead to a ‘double-free,’ which is a way to corrupt the server’s memory. “In short, the worst-case scenario is that the user can execute their code on the server,” Vranken said. “This is the worst vulnerability. They authenticate and then send crafted data, after which the server crashes. I’d say this is a worrisome issue for (commercial) VPN providers, so they definitely need to update as soon as possible.”

https://threatpost.com/openvpn-patches-critical-remote-code-execution-vulnerability/126425/

US Judge falls for email scam; loses $1 million

The judge in question is Lori Sattler, a 51-year-old Acting State Supreme Court Justice who was in the process of selling her apartment to buy another one. What she didn’t expect was getting scammed in such a critical situation. […] She told police that on Friday, June 7th she received an email from someone pretending to be her lawyer, asking her to send money to a bank account. Following the instruction, she wired $1,057,500 to the bank account; however, rather than going to her lawyer, the money was sent to a bank in China, reportedly Commerce Bank of China.

https://www.hackread.com/us-judge-falls-email-scam-loses-1-million/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.
