IT Security News Blast 7-12-2017

Micro Market Vendor Warns of Bankcard And Biometric Data Breach

Avanti Markets, which specializes in self-serve food kiosks typically located in company breakrooms, said an undisclosed number of its 1.5 million customers may have had their personal and bankcard data compromised along with stored biometric data. The company, based in Tukwila, WA, said on July 4 it discovered a “sophisticated” malware attack against a number of its kiosks, used for self-checkout at one of its 5,000 so-called micro-markets.

https://threatpost.com/micro-market-vendor-warns-of-bankcard-and-biometric-data-breach/126742/

 The Dark Side of Fintech: Navigating the Hidden Risks of Digital Financial Services

Lacking strong credit and capital adequacy standards, P2P lenders have loaned to terrorists, money launderers and hundreds of fictitious companies. Without deposit insurance, hacked cryptocurrency exchanges have gone out of business, leaving depositors high and dry. More digital disruptions are being introduced. New lending platform SALT is using cryptocurrencies as collateral for loans.

https://www.chipin.com/fintech-cybersecurity-risks/

 UK financial services groups hit by steady rise in data thefts

Insurers experienced the biggest increase in data breaches, with the number doubling last year. Financial advisers also saw a big jump. Banks performed far better, with the number of reported data breaches down 45 per cent. “There’s a lot more cyber crime out there, and the entities that aren’t ready for it are getting hit more,” said Philip Tansley, legal director at the RPC law firm that accessed the data from the ICO via a freedom of information request.

https://www.ft.com/content/20e132e0-6493-11e7-8526-7b38dcaef614

 Global Survey: 95 Percent of Healthcare Orgs Don’t Use Security Governance or Risk Management Software

What’s more, the survey found that 79 percent of IT operations are at least partially responsible for security, and 68 percent of healthcare providers do not have a separate cybersecurity function, which means the responsibility for security-related tasks will most likely fall on the IT operations teams. Only 31 percent of healthcare organizations claim to be well prepared to beat IT risks, and more than half (56 percent) of healthcare organizations plan to invest in security solutions to protect against data breaches, the survey found.

https://www.healthcare-informatics.com/news-item/cybersecurity/global-survey-95-percent-healthcare-orgs-don-t-use-security-governance-or

 Healthcare Cyber Security Market Is Estimated To Reach $10.85 Billion By 2022: Grand View Research, Inc.

Lack of adequate IT spending by healthcare organizations and lack of awareness about cyber crime have exposed the vulnerabilities of healthcare organizations. The overall impact of cyber attacks on the hospitals and healthcare systems is estimated to be nearly six billion per year.

https://www.medgadget.com/2017/07/healthcare-cyber-security-market-is-estimated-to-reach-10-85-billion-by-2022-grand-view-research-inc.html

 SMBs lack clear plans on cyber-attack aftermaths

This is despite a third of those surveyed saying that they think a cyber-attack is inevitable, with a further quarter believing it is “likely” to happen. Yet, three quarters (74 percent) haven’t put aside any budget to deal with the aftermath, and over four in ten (43 percent) say they will just react if and when an attack happens and have no plans set up. Overall, only 14 percent of the SMBs surveyed said they had a detailed and tested plan.

https://betanews.com/2017/07/12/smbs-struggle-with-cyber-attack-aftermath-planning/

 Cyber attacks on bitcoin exchanges prove its value according to executive

Ransomware has become a popular way for criminals to extort cash in the form of bitcoin from their victims, like the most recent LeakerLocker threat found in the Google Play Store. Bitcoin has surpassed the value of gold in a historic run this year, and the executive thinks that this is only the beginning, with him predicting the digital currency’s value to reach $1 million.

https://www.neowin.net/news/cyber-attacks-on-bitcoin-exchanges-prove-its-value-according-to-executive

 Cyber Security Effects Company Financial Performance

Everybody is a target and size doesn’t really matter anymore—ransomware goes after fairly small organizations so size doesn’t protect them from that. These people are talented, they are organized, they are tenacious, they are very good at figuring out how to attack you and monetize your misfortune. People used to think of hackers as kids in their garages with something to prove, but these are organized businesses now that have CEOs, management structures, business plans, and hire smart people.

https://www.forbes.com/sites/christopherskroupa/2017/07/11/cyber-security-effects-company-financial-performance/#2924650e5c09

 IoT cybersecurity a hot topic for White House adviser

Unknown “shadow IT” in federal, as well as public, networks is a “huge issue” for cybersecurity. There are problems with knowing who is patching what and when, as well as who is responsible for doing the security work, he said. That explosion of interconnections and resulting responsibilities, he said, are among the important background elements that shaped the President’s Executive Order on cybersecurity and how it addresses security for federal networks and critical infrastructure.

https://fcw.com/articles/2017/07/11/dhs-joyce-iot-cyber.aspx

 IT is NOT Cybersecurity

IT and Cybersecurity should be thought of as two entirely different fields, much like police officers and firefighters. You wouldn’t expect a police officer to show up at a house fire alone, just like you wouldn’t expect a firefighter to show up at an armed robbery alone. Sure, both professions are there to help you out in a time of need, but their training is specific to their purpose. The same can be said about IT and Cybersecurity. There’s a lot of crossover between the two fields, but it’s two different battlefields in the same war.

http://www.csoonline.com/article/3206707/data-protection/it-is-not-cybersecurity.html

 Virginia’s cybersecurity training program for veterans begins producing

Through industry partnerships with Amazon Web Services, Cisco Systems, Fortinet, (ISC)2, Onward to Opportunity, and Palo Alto Networks, the initiative is part of a larger push by McAuliffe to position the state as both a cybersecurity leader and government and industry catalyst. Cyber Vets Virginia estimates the commonwealth has about 17,000 vacancies for cybersecurity jobs. […] About 40 veterans of all ages showed up to the latest cohort, he said, and nearly 40 more participated online — roughly double the attendance of the first round.

http://statescoop.com/virginias-cybersecurity-training-program-for-veterans-begins-producing

 How Swiss-based ProtonMail is making your email communications surveillance proof

Set up by four CERN scientists in 2013, ProtonMail is an end-to-end encrypted email service. The startup’s newest product, ProtonVPN, will further its long-term vision of making internet communications more secure. […] The thought that everyday emails, social media and chat conversations were being monitored was too much to handle for a group of engineers and scientists at CERN, or the European Organisation for Nuclear Research, in Switzerland.

https://yourstory.com/2017/07/protonmail-swiss-email-surveillance-proof/

 Millions of Verizon customer records exposed in security lapse

As many as 14 million records of subscribers who called the phone giant’s customer services in the past six months were found on an unprotected Amazon S3 storage server by an employee of Nice Systems, a Ra’anana, Israel-based company. […] Privacy watchdogs have linked the company to several government intelligence agencies, and it’s known to work closely with surveillance and phone cracking firms Hacking Team and Cellebrite.

http://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/
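The Verizon item above is a bucket-exposure case: the data sat in an S3 bucket that anyone could read. An S3 bucket becomes world-readable in one of two places, a bucket policy statement that allows actions to the wildcard principal, or a bucket ACL grant to the AllUsers or AuthenticatedUsers groups. The following is an added example written for this blast, not code from the ZDNet article, from Verizon or from Nice Systems. It audits both structures offline; the sample policy and ACL are constructed here to resemble what `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return, and the bucket name, account ID and owner ID are placeholders.

```python
"""Offline audit of an S3 bucket policy and ACL for public-read grants.

Added example (not from the article): flags the two ways a bucket goes
public, an Allow statement whose Principal is "*" / {"AWS": "*"} in the
bucket policy, and an ACL grant to the AllUsers / AuthenticatedUsers groups.
All sample inputs below are constructed; nothing is fetched from AWS.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list of ARNs)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy):
    """Findings for Allow statements that are open to every principal.

    Deny statements are skipped (a Deny to "*" is a common hardening pattern).
    A conditioned Allow is still reported, but marked for review, because a
    condition such as an IP range may or may not restrict it meaningfully.
    """
    findings = []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a policy may carry a single statement
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            cond = json.dumps(stmt["Condition"], sort_keys=True)
            findings.append(f"policy {sid}: Allow {actions} to everyone, "
                            f"limited by Condition {cond} (review)")
        else:
            findings.append(f"policy {sid}: Allow {actions} to everyone, unconditionally")
    return findings


def acl_findings(acl):
    """Findings for ACL grants to the public or all-authenticated-users groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(f"acl: {grant.get('Permission')} granted to {PUBLIC_GROUPS[uri]}")
    return findings


def audit_bucket(policy, acl):
    """Combined findings; an empty list means no public grant was found."""
    return policy_findings(policy) + acl_findings(acl)


# Constructed sample: an exposed bucket (public-read policy statement plus
# an AllUsers READ ACL grant), with placeholder bucket and account identifiers.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"},
        {"Sid": "OpsAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-call-logs/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-call-logs/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# The same bucket with the public statement and the public ACL grant removed.
HARDENED_POLICY = {"Version": "2012-10-17",
                   "Statement": SAMPLE_POLICY["Statement"][1:]}
HARDENED_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": SAMPLE_ACL["Grants"][:1]}

if __name__ == "__main__":
    for name, pol, acl in (("exposed", SAMPLE_POLICY, SAMPLE_ACL),
                           ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(name, audit_bucket(pol, acl) or ["no public grants"])
```

Against a real bucket, feed `audit_bucket` the parsed output of `aws s3api get-bucket-policy` (its `Policy` field is a JSON string, so `json.loads` it first) and `aws s3api get-bucket-acl`. Two caveats: individual objects carry their own ACLs, so a clean bucket ACL does not prove every object is private, and a bucket with no policy at all raises `NoSuchBucketPolicy` on the CLI, which for this check simply means an empty policy.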

 China trial paves way for ‘unhackable’ communications network

The Beijing-Shanghai network is set to host the world’s longest land-based quantum communication channels, stretching over 2,000km, and will be used by commercial banks across the two cities’ financial hubs and by the government. The trials involved sending highly secure information between 200 different terminals in Jinan over a network covering several hundred square kilometres.

http://www.todayonline.com/chinaindia/china/china-trial-paves-way-unhackable-communications-network

 Kaspersky under scrutiny after Bloomberg story claims close links to FSB

The article, which was published in the early morning hours on Tuesday, says that the Moscow-based firm “has maintained a much closer working relationship with Russia’s main intelligence agency, the FSB, than it has publicly admitted. It has developed security technology at the spy agency’s behest and worked on joint projects the CEO knew would be embarrassing if made public.” Media organization McClatchy made seemingly similar claims in a July 3 report.

https://arstechnica.com/security/2017/07/kaspersky-denies-inappropriate-ties-with-russian-govt-after-bloomberg-story/

 Trump administration pulls Russian cyber firm from government-approved list

The decision comes as the Moscow-based company, Kaspersky Lab, faces increasing scrutiny from U.S. officials over alleged ties to Russian intelligence services. The government list — known as a schedule — is maintained by the General Services Administration, and GSA “made the decision to remove Kaspersky Lab-manufactured products” after “review and careful consideration,” a GSA spokeswoman said in a statement to ABC News.

http://abcnews.go.com/US/trump-administration-pulls-russian-cyber-firm-government-approved/story?id=48578556

 FBI didn’t need warrant for stingray in attempted murder case, DOJ says

The DOJ says that because the stingray was configured to act like a “pen register,” originally a century-old device designed to capture incoming and outgoing calls, and solely capture non-content data, then it was not a search. Use of pen registers, as well as the use of 1970s and 1980s-era “beepers” (short-range FM radio transponders) that can reveal a given location, have been repeatedly upheld by the Supreme Court. Plus, because Ellis wasn’t found in his own apartment, but in another apartment, he could not claim a privacy interest. And finally, even if Ellis could claim a privacy interest in his phone, that still doesn’t matter, DOJ attorneys claim.

https://arstechnica.com/tech-policy/2017/07/fbi-didnt-need-warrant-for-stingray-in-attempted-murder-case-doj-says/

 Vulnerabilities Expose Oracle OAM 10g to Remote Session Hijacking

The software features a proprietary multiple network domain SSO capability. Critical to that is ObSSOCookie, a super cookie of sorts. If a user was tricked into clicking through a link via phishing email, for example, and logging into the OAM portal, a remote attacker could read that cookie value and hijack that session, Nabeel Ahmed and Tom Gilis, security researchers based in Belgium warned on Monday.

https://threatpost.com/vulnerabilities-expose-oracle-oam-10g-to-remote-session-hijacking/126775/

 Smart Home Device Calls Police Amid Domestic Dispute

ABC News recently reported that Eduardo Barros was apparently having a fight with his girlfriend when Barros pointed a gun at his girlfriend and asked her whether she called the sheriff. According to reports, “Did you call the sheriffs?” is what he said. A Smart Home device nearby heard only part of the question and understood it as “Call the Sheriffs.” This prompted the device to dial 911. The police stated that once they received the call, they heard background noises.

https://www.hackread.com/smart-home-device-calls-police-amid-domestic-dispute/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.