IT Security News Blast 6-27-2017

Updated Google Policy May Affect Patient Data Security

The Google “Removal Policies” page now lists “confidential, personal medical records of private people” as types of information it may remove from its search. […] Patient data becoming available through public search engines can create issues for both individuals and the healthcare provider that was in charge of keeping that data secure. In 2016, a class action lawsuit stemming from a 2012 incident with PHI made searchable via an internet search engine resulted in a $7.5 million settlement.

https://healthitsecurity.com/news/updated-google-policy-may-affect-patient-data-security

FBI: $1.45 Billion in Losses to Internet Crime Reported in 2016

The most prolific crimes detailed and analyzed in the report are business email compromise (BEC) and the personal equivalent, email account compromise (EAC); ransomware; the tech support scam; and extortion. The BEC scam, notes the report, “began to evolve in 2013 when victims indicated the email accounts of Chief Executive Officers or Chief Financial Officers of targeted businesses were hacked or spoofed, and wire payments were requested to be sent to fraudulent locations.” Since then it has grown and evolved.

http://www.securityweek.com/fbi-145-billion-losses-internet-crime-reported-2016

Thoughts on the Active Cyber Defense Certainty Act 2.0

News reports about proposals like this typically invoke the “attacker” / “victim” (self-defense with force) frame, describing the outcome of an amendment like ACDC Act as, “[giving] cyberattack victims the go-ahead to retaliate against their attackers.”[Robinson(2017)] It is difficult to discuss this topic without using terms like “attack” and “attacker,” so I will reluctantly use those terms in this analysis, but think it’s important to note that using this terminology only accommodates a rigid paradigm of a physical attack against a victim who (as seen in the quotes above) retaliates in kind with physical violence to the exclusion of other more common real-world scenarios.

https://medium.com/@dave.dittrich/thoughts-on-the-active-cyber-defense-certainty-act-2-0-d0b456a56d8b

What your SMB can do to get big-business cybersecurity

Consider this: In 2011, small business hacks represented fewer than 20 percent of all attacks; nowadays the number is close to 50 percent. While large companies make the headlines, the reality is one-in-three documented data breaches occur in smaller businesses. And the aftermath is often grim. About 60 percent of small businesses close their doors within six months following a cyberattack, according to Brian Kearney, chief underwriting officer for Travelers Small Commercial Accounts.

https://www.cnet.com/how-to/11-things-small-businesses-can-do-to-get-big-business-level-cybersecurity/

Bankers Are Hiring Cyber-Security Experts to Help Get Deals Done

The wake-up call for cybersecurity expertise during mergers and acquisitions came after a 2014 Yahoo! Inc. hack affected about 500 million accounts, damaging the company’s reputation and causing Verizon Communications Inc. to cut its offer to buy the company by $350 million. There’s concern that computer viruses can be planted and remain dormant until after a deal, leaving the acquirer to cope with stolen customer data, industrial secrets or ransom demands.

https://www.bloomberg.com/news/articles/2017-06-26/bankers-are-hiring-security-experts-to-help-get-deals-done

The world needs more cybersecurity pros, but millennials aren’t interested in the field

“The numbers are going in the wrong direction,” said Wesley Simpson, COO of ISC(2), of the study, which surveyed 19,000 cybersecurity professionals. “It’s a huge concern to organizations as well as people in this profession.” One major reason for the shortage? Millennials aren’t going into the field. Only 7% of cybersecurity workers surveyed were under age 29, and 13% were between ages 30 and 34. The average age of cyber professionals is 42, Simpson said.

http://www.techrepublic.com/article/the-world-needs-more-cybersecurity-pros-but-millennials-arent-interested-in-the-field/

Apple, Cisco team up to push for cyber security insurance discounts

Apple Inc (AAPL.O) is working with Cisco Systems Inc (CSCO.O) to help businesses that primarily use gear from both companies to get a discount on cyber-security insurance premiums, Apple Chief Executive Officer Tim Cook said on Monday. […] “The thinking we share here is that if your enterprise or company is using Cisco and Apple, the combination of these should make that (cyber-security) insurance cost significantly less,” Cook said. “This is something we’re going to spend some energy on. You should reap that benefit.”

https://www.reuters.com/article/us-tech-cyber-apple-cisco-systems-idUSKBN19H2BK

Beijing’s Views on Norms in Cyberspace and Cyber Warfare Strategy Pt. 1

The following is a two-part series looking at PRC use of cyberspace operations in pursuit of its national strategies and the establishment of the Strategic Support Force. Part 1 considers the centrality of information operations and information war to the PRC’s approach toward its current struggle against the U.S. Part 2 looks at the PRC’s use of international norms and institutions in cyberspace, and possible U.S. responses.

http://cimsec.org/beijings-views-norms-cyberspace-cyber-warfare-strategy-pt-1/33099

Cyber-attack on UK parliament: Russia is suspected culprit

Although the investigation is at an early stage and the identity of those responsible may prove impossible to establish with absolute certainty, Moscow is deemed the most likely culprit. The disclosure follows the release of the first details of the “sustained” cyber-attack that began on Friday. Fewer than 90 email accounts belonging to parliamentarians are believed to have been hacked, a parliamentary spokesman said.

https://www.theguardian.com/politics/2017/jun/25/cyber-attack-on-uk-parliament-russia-is-suspected-culprit

Ohio Governor John Kasich the Latest Target of Cyber-Attack

Ohio Governor John Kasich’s website, 10 Ohio state websites, and two servers have been affected, according to the Ohio Department of Administrative Services. Governor Kasich’s website had a pro-ISIS message on its homepage. “You will be held accountable, Trump. You and all your people for every drop of blood flowing in Muslim countries.” Kasich was a Republican candidate for Presidential nominee last year. The attackers of the Governor’s website claim to be ISIS.

https://www.infosecurity-magazine.com/news/john-kasich-website-attack/

Tremble in fear, America, as Daesh-bags scrawl cyber-graffiti on .gov webpages no one visits

“You will be held accountable Trump,” reads the text on the vandalized pages. “You and all your people for every drop of blood flowing in Muslim countries. I Love Islamic state.” There’s no evidence this was anything more than script kiddies playing around doing the online equivalent of graffiti, as is usual given the low level of computer skills the moron terror cheerleaders have displayed. All the sites were back up and running on Monday after IT staff had earned themselves a tasty chunk of overtime.

https://www.theregister.co.uk/2017/06/26/us_government_websites_defaced_isis/

House vote on DHS reauthorization could clear way for other cyber-related measures [Subscription]

The House could vote this week on first-ever legislation to reauthorize the Department of Homeland Security, which includes a number of new cybersecurity requirements as well as renewing the department’s ongoing efforts to secure critical infrastructure from cyber attacks. But perhaps more important than the specific provisions of the DHS reauthorization legislation is the bipartisan nature by which the bill was moved, and whether it clears a path for other cybersecurity legislation.

https://insidecybersecurity.com/daily-news/house-vote-dhs-reauthorization-could-clear-way-other-cyber-related-measures

Treasury Executive Order Report Key on Cyber Improvements

It is natural that financial services regulators are also paying close attention to cyber. As the industry is driving toward better security, the regulatory community is working hard to do the same, issuing more than 40 new rules, regulations, tools and guidance since mid-2014 at the federal and state level. But rather than simply implementing large numbers of regulations, it’s important that smart, coordinated regulations are put on the books to best protect consumers.

https://morningconsult.com/opinions/treasury-executive-order-report-key-cyber-improvements/

New EU Privacy Laws Will Complicate B2B Data Sharing

Sullivan said that U.S. companies need to be well aware of the EU privacy rules because of their global impact. Part of a Georgetown University project called Cyber Threat Sharing Project found that many countries that trade with the EU are also adopting the EU privacy rules. “Most countries around the world follow the EU privacy model,” she said. The major exception is the United States, she said. “At the moment most countries around the world base their data protection and privacy laws on the current EU directive and will soon be moving to the new regulation (GDPR) set to be enforced in May 2018.”

https://threatpost.com/new-eu-privacy-laws-will-complicate-b2b-data-sharing/126518/

Finally, The Perfect App For Superfans, Stalkers, And Serial Killers

Case in point: Dating.ai, a new app which uses neural network-based facial recognition AI to scour dating platforms for profiles that match a user’s specified ‘type’–or even belong to a specific person. As with many of our great cyber ‘success stories,’ the concept is a simple one–using extant technology to find the faces we’d most like to caress (or whatever)–but fails to account for a wide range of complicated, very human concerns, touching on everything from online privacy to real-life values.

https://www.forbes.com/sites/janetwburns/2017/06/23/finally-the-perfect-dating-app-for-superfans-stalkers-and-serial-killers/amp/

Ringless voicemail spam won’t be exempt from anti-robocall rules

A petition to exempt ringless voicemails from anti-robocall rules has been withdrawn after heavy opposition. In March, a marketing company called All About the Message petitioned the Federal Communications Commission for a ruling that would prevent anti-robocall rules from applying to ringless voicemails. But the company withdrew its petition without explanation in a letter to the FCC last week, even though the commission hadn’t yet ruled on the matter.

https://arstechnica.com/information-technology/2017/06/ringless-voicemail-spam-wont-be-exempt-from-anti-robocall-rules/

Enable Ghost Mode in Snapchat NOW if you want to keep your location private

“With public accounts, this will include those who are not known to the user. This highlights why it’s vital children are automatically offered safer accounts on social media to ensure they are protected from unnecessary risks.” […] Enter the Snap Map feature by going to your camera screen, and pinching your fingers as if you are zooming out from a photograph. Then, click on the settings icon in the top right-hand corner and you should be able to enable “Ghost Mode”.

https://www.welivesecurity.com/2017/06/26/enable-ghost-mode-snapchat-now-want-keep-location-private/

Researcher bombards IRS and tech support scammers with robocalls

A security researcher developed a script to bombard IRS scammers with phone calls 28 times per second, preventing their phone lines from making or receiving calls. The researcher goes by the moniker YesItWasDataMined and hosts the YouTube channel Project Mayhem where they post voice recordings of scammers being bombarded with the automated recordings. YesItWasDataMined also developed a script to target scammers impersonating computer technicians from well-known companies to sell malware and/or unnecessary services, as well as telemarketers. So far, two videos have been posted to the account.

https://www.scmagazine.com/grey-hat-bombards-scammers-with-robocalls/article/671250/

We desperately need a way to defend against online propaganda

Last year, Time published a massive report in which senior intelligence officials talked about how Russians pretending to be American voters infiltrated social media groups, spread conspiracy stories via Facebook accounts for fictional media outlets, and bought Facebook ads to spread fake news. Anyone who has ever succumbed to the clickbait headlines on Russia Today knows that Russian media hacks are adept at crafting dank memes of legendary stickiness. The weird part is that those hacks are now working alongside state-sponsored hackers. We don’t typically think of Facebook posts as a “cyberthreat,” but now we have ample evidence that they are.

https://arstechnica.com/staff/2017/06/its-time-to-teach-people-online-self-defense/

Another RCE Vulnerability Patched in Microsoft Malware Protection Engine

The vulnerability was found in the same full-system, unsandboxed x86 system emulator that Microsoft quietly patched in late May. This is the third critical vulnerability in MsMpEng that Ormandy has had a hand in disclosing and patching since early May. Ormandy said in a bug report made public on Friday, after the update was pushed to Windows machines, that he wrote a custom fuzzer that uncovered a heap corruption in the KERNEL32.DLL!VFS_Write API.

https://threatpost.com/another-rce-vulnerability-patched-in-microsoft-malware-protection-engine/126536/

Fake Pornography App Infecting Devices with Android Ransomware

Reveton, as you may know, was a ransomware that targeted Windows and once it was executed, it locked out the victims from their systems and displayed a lock-screen as such. The ransomware was being advertised through Russian-speaking hacking forums. The latest Koler ransomware is a similar ransomware that locks users out of their systems and displays a message that is seemingly from the FBI, asking people to pay a fine as a penalty for visiting pornographic websites.

https://www.hackread.com/android-ransomware-infected-with-fake-pornography-app/


====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.