IT Security News Blast 6-7-2017

A devastating global cyber attack is imminent, warn experts: The hack, called ‘ExplodingCan’ could target computers running Microsoft Windows 2003

The ExplodingCan hack targets Microsoft Windows 2003 servers running the Internet Information Services version 6.0 (IIS 6.0) web server. […] This in turn can be used for remote access to the computer, and could allow hackers to plant ransomware in a similar fashion to the WannaCry worm.

http://www.dailymail.co.uk/sciencetech/article-4573210/Hackers-working-global-ExplodingCan-cyber-attack.html

NSA’s EternalBlue Exploit Ported to Windows 10

The NSA’s EternalBlue exploit has been ported to Windows 10 by white hats, meaning that every unpatched version of the Microsoft operating system back to Windows XP, and likely earlier, can be affected by one of the most powerful attacks ever made public. Researchers at RiskSense, among the first to analyze EternalBlue, its DoublePulsar backdoor payload, and the NSA’s Fuzzbunch platform (think: Metasploit), said they would not release the source code for the Windows 10 port for some time, if ever.

https://threatpost.com/nsas-eternalblue-exploit-ported-to-windows-10/126087/

Cybersecurity Is Dead

Laying down firewalls or perimeter security measures, paying premium prices for executive intelligence on emerging threats, adhering to checkbox compliance regimens — whatever benefits such measures bring, cyber resilience is not among them. For most consumers and enterprise customers, they believe cybersecurity programs will be able to protect systems against all hacks and breaches — a belief more or less encouraged by such providers. The reality is no company can do that.

https://www.forbes.com/sites/forbestechcouncil/2017/06/06/cybersecurity-is-dead/#2b1f72f40121

Contract obligations, third parties, and cyber insurance [Registration]

Do you rely on third parties in your organization? Are you a third party to others? And have you signed agreements with these parties? For many, the answer to all three questions is “yes.” Do you know what obligations/risks you’ve contractually assumed in those agreements? Or what risks you expect others to take on? Do they know it? Does your insurance coverage dovetail with your contractual obligations? A large part of contracts today is assuming or transferring risk to others. Once you understand the risk-shifting game in third party contracts, you can unlock the power to ask the right questions and make better decisions.

http://www.csoonline.com/article/3199686/leadership-management/contract-obligations-third-parties-and-cyber-insurance.html

Cybersecurity is on the Precipice of a New and Dark Era

With an incredible number of Internet of Things devices with default security settings flooding the market, loads of insecure software, a massive grey market for data and knowledge on vulnerabilities, AND ALSO loads of people who don’t understand the most basic best practices for information security, you have a recipe for disaster. The era of relatively low-risk cybersecurity has ended. We are entering a new one dominated by chaos. We have well-organized state hackers standing shoulder-to-shoulder with lone wolves who can dramatically magnify their power and influence with botnet-based attacks.

https://www.geek.com/tech-science-3/cybersecurity-is-on-the-precipice-of-a-new-and-dark-era-1702279/

Federal task force: Here’s how to fix healthcare cybersecurity

It’s not just that small- and medium-sized businesses lack funding to incentivize talent. It’s not just the growing lack of talent or encouraging people to go to rural locations. It’s all of them, Corman said. Though the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare offices to designate an employee in charge of information privacy, many have no training in cybersecurity. Some offices only employ staff in the single digits, meaning an investment in a new full-time worker to handle information security would be an untenable investment.

http://thehill.com/policy/cybersecurity/336394-federal-healthcare-cybersecurity-task-force-releases-report

Insurance industry increasingly anxious about its own cyber risks

The survey, of 836 insurance practitioners and observers in 52 countries, found growing levels of anxiety in the industry. Globally, the top 10 risks were rated as follows (with the rating from the last survey in 2015 in brackets):

  • Change management (6)
  • Cyber risk (4)
  • Technology (-)
  • Interest rates (3)
  • Investment performance (5)
  • Regulation (1)
  • Macro-economy (2)
  • Competition (-)
  • Human talent (15)
  • Guaranteed products (7)

https://www.cyberscoop.com/insurance-industry-anxious-cyber-risks/

Russia is struggling to keep its cybercrime groups on a tight leash

Russia’s hybridisation of tools, actors and missions has created one of the most “potent and ill-defined advanced threats that the cybersecurity community faces”, Cybereason claims. Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government. Combining a cyber-militia with official state-sponsored hacking teams has “created the most technically advanced and bold cybercriminal community in the world”.

https://www.theregister.co.uk/2017/06/06/russia_cyber_militia_analysis/

Russian Outsourcing Provides Plausible Deniability for State-Sponsored Hacking

The reality is that all nations have their own ‘patriotic hackers’. The US has The Jester (@th3j35t3r), who describes himself as a ‘hacktivist for good’. In 2012, he DDoS’d John Young’s Cryptocomb, calling it a ‘treasonous site’. While the site was down, it responded with the message, “Cryptocomb will be back after the state sponsored attack ends.” This is the dilemma caused by ‘patriotic hackers’. Was Jester sponsored by the US government? Almost certainly not. Is he tolerated by the US government? Almost certainly yes. At what point, if ever, does tolerance become sponsorship? It is this imponderable that Russia uses with great efficacy.

http://www.securityweek.com/russian-outsourcing-provides-plausible-deniability-state-sponsored-hacking

North Korea Proves You Barely Need Computers to Win a Cyberwar

The sophistication of Pyongyang’s cyberarsenal presents a challenge for the United States and its allies. Kaspersky Lab, a world leader in cybersecurity that has extensively researched North Korea’s cyberarmy, has stated that the scale of operations is “shocking.” But a separate Kaspersky report stated that the North Koreans routinely commit operational mistakes, such as exposing a North Korean IP address in the WannaCry attack. […] Such slip-ups create opportunities for swift and effective response.

http://foreignpolicy.com/2017/06/05/north-korea-proves-you-barely-need-computers-to-win-a-cyberwar/

Russian government hackers planted false news story which caused Gulf crisis: U.S. intelligence

U.S. intelligence officials say Russian government hackers planted a false news story into the text prepared for release by the official Qatari news agency. The release of the Russian-manufactured story by the official Qatari news agency prompted Saudi Arabia and several of its regional allies to suspend diplomatic relations with Qatar and impose economic sanctions on it. U.S. officials say the Russian goal appears to be to cause rifts among the U.S. and its allies.

http://www.homelandsecuritynewswire.com/dr20170607-russian-government-hackers-planted-false-news-story-which-caused-gulf-crisis-u-s-intelligence

Kremlin hackers’ new target: Montenegro

The assaults were motivated by Montenegro’s decision to join the North Atlantic Treaty Organization (NATO), a move that was confirmed with a ceremony on Monday. APT28 (Advanced Persistent Threat 28), aka Fancy Bear, tried to hack into systems using spear-phishing, a standard hacking tactic involving baiting marks with booby-trapped documents. Lure documents used in the spear-phishing attacks pertain to a NATO Secretary meeting and another described a visit by a European army unit to Montenegro.

https://www.theregister.co.uk/2017/06/06/russian_hackers_target_montenegro/

Pentagon revamps cyber weapons acquisition strategy

Some of the more time-sensitive cyber projects also move faster because authorities are delegated down to the program manager. The Army’s project manager for defensive cyber operations, for example, is allowed to sign off on rapid prototyping contracts up to $50 million. The top acquisition executive of each military service is authorized to green-light projects worth up to $250 million. One industry official said the C5 consortium has become a key tool to prototype technologies for defensive operations.

https://defensesystems.com/articles/2017/06/05/sandra-cyber.aspx

NSA leaker bust gets weirder: Senator claims hacking is wider than leak revealed

Warner said several US states’ election-management systems were targeted by Russian interests, but that not all of them know about the attacks. We need to declassify more of that information, he said, so that American citizens can understand the extent of the attacks. With a nod to president Donald Trump’s insistence his campaign received no Russian assistance, Warner said he wants to release the information not to re-litigate 2016 [the presidential election] but in order to ensure future US elections can be defended against similar attacks.

https://www.theregister.co.uk/2017/06/07/nsa_leaker_bust_gets_weirder_senator_claims_hacking_is_wider_than_leak_revealed/

Organizations Failing to Upgrade Systems, Enforce Patches

For example, although the uptake of Microsoft’s latest Windows 10 (Win10) operating system has doubled from 15% last year to 31% this year, that still means that the vast majority of Windows usage in business is using old and sometimes unsupported versions of Windows. More than half (59%) of business Windows systems are still using Windows 7; and 1% are still using XP.

http://www.securityweek.com/organizations-failing-upgrade-systems-enforce-patches

UK police arrest man via automatic face-recognition tech

Back in April, it emerged that South Wales Police planned to scan the faces “of people at strategic locations in and around the city centre” ahead of the UEFA Champions League final, which was played at the Millennium Stadium in Cardiff on June 3. On May 31, though, a man was arrested via AFR. “It was a local man and unconnected to the Champions League,” a South Wales Police spokesperson told Ars. It’s not clear whether this was due to the technology being tested ahead of the match.

https://arstechnica.com/tech-policy/2017/06/police-automatic-face-recognition/

Kaspersky files antitrust suit against Microsoft

Kaspersky Lab claims that Microsoft is abusing its “dominant position in the computer operating system (OS) market to fiercely promote its own – inferior – security software (Windows Defender)” at the expense of any third-party security software users have chosen to install. This applies to Kaspersky Lab’s rivals as much as it does to the Russian software maker, it is alleged.

https://www.theregister.co.uk/2017/06/06/windows_defender_competition_complaint/

New App Will Stop Voice Hacks Using Smartphone Compass

The app essentially uses the phone’s built-in magnetometer to detect if a voice that is being played is recorded. It was designed keeping in mind the various ways an attacker can use a person’s voice to infiltrate their system. One of the ways is to try impersonating the voice. However, this may not break open the phone as there are integrated algorithms which can find out a fake voice. The other way is to record the victim’s voice and then play it so that the phone mistakes it for the actual user. It is this hacking that the app targets to stop.

https://www.hackread.com/new-app-will-stop-voice-hacks-using-smartphone-compass/

Slack, Telegram, Other Chat Apps Being Used as Malware Control Channels

While free and convenient, these externally hosted tools let hackers operate undetected. The same API that enables communication can be turned into a C&C infrastructure to control malware. “They’re using legitimate services as a way of communicating with their malware and their campaigns against victims,” says Mark Nunnikhoven, VP of cloud research at Trend Micro. “Once they’ve infected your laptop, they’re going to want to make sure they’re able to send it updates, add commands, and get data off your system.”

https://www.darkreading.com/endpoint/slack-telegram-other-chat-apps-being-used-as-malware-control-channels/d/d-id/1329063?

Raspberry PI attack compromises networks, steals admin credentials

While other attacks can be carried out which exploit physical access to devices, researchers noted this attack is special because it can be carried out by anyone who has physical access to any USB port on the victim’s network and could allow an attacker to retrieve user authentication data even when the targeted system is locked, according to a June 6 blog post. It’s also possible to obtain administrator credentials or cookies from a PC and can be implemented using a device that costs no more than $20 without any special skills, all that is needed is physical access to corporate computers.

https://www.scmagazine.com/raspberry-pi-attack-compromises-locked-devices-steal-admin-creds/article/666772/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.