IT Security News Blast 8-1-2017

Merck expects June cyberattack to affect company’s 2017 financial performance

The June 27 cyberattack disrupted the company’s global operations, including manufacturing, research and sales, and Merck said it has been working to restore operations. Merck said it “does not yet know the magnitude of the impact of the disruption,” but that guidance would have been higher if not for the cyberattack’s impact. Merck said it can continue to supply its top products, including cancer drug Keytruda and diabetes drug Januvia, but there will be temporary delays in some other products in certain markets.

http://www.marketwatch.com/story/merck-expects-june-cyberattack-to-affect-companys-2017-financial-performance-2017-07-28

Dramatic Surge in Healthcare Cybersecurity Breaches Since 2015

“Healthcare payers and providers are on treacherous ground here and some organizations are underestimating cyber-security risks,” KPMG Healthcare Advisory Leader Dion Sheidy said in a press release announcing the survey findings. “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”

http://www.healthleadersmedia.com/leadership/dramatic-surge-healthcare-cybersecurity-breaches-2015

Nation-states are biggest cyber threat for drug and medical device makers

Nation states topped the list of threats from 53 percent of respondents, followed by individual hackers and hacktivists. The data that hackers are seeking are mostly tied to financial information (69 percent) followed by patents and clinical research (63 percent), found the survey of 100 US tech, data, security executives from medical device and pharmaceutical/biotech companies. “Some nations desperately want intellectual property to support local life sciences organizations without incurring R&D costs and challenges[.]”

https://www.helpnetsecurity.com/2017/07/31/cyber-threats-healthcare/

Cybersecurity Compliance Gets Tougher

The bad news for financial institutions is that this elevated focus on cybersecurity will make meeting their cyber-security regulatory mandates only more challenging as more jurisdictions ramp up their cyber-security requirements. The laws are changing all the time as New York, Colorado, and Connecticut enhance their cybersecurity laws, said Chad Pinson, managing director at Stroz Friedberg during a panel discussion hosted by the US Securities and Exchange Commission and FINRA. “It is hard to keep up with what those different states require.”

https://marketsmedia.com/cybersecurity-compliance-tougher/

Bank Heists Possible Due To Flawed Code

Most online banking applications (71%) contained flaws in their implementation of two-factor authentication. 33% of online banking applications had vulnerabilities that made it possible to steal money, and in 27% of applications, an attacker could access sensitive client information. Mobile banking applications also have issues with an attacker able to intercept or brute force user credentials to one in three apps. Banking apps on iOS remain more secure than their Android equivalents. The real problems in protection lurk on the server side: Positive Technologies’ researchers found dangerous server-side vulnerabilities in every application tested.

http://www.informationsecuritybuzz.com/study-research/bank-heists-possible-due-flawed-code/
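The report above counts "flaws in their implementation of two-factor authentication" and codes that can be "brute forced" without saying what such a flaw looks like in code. The following is an added example, not code from Positive Technologies or from any of the apps tested: a 6-digit one-time code verifier in the shape that fails a 2FA review, beside a hardened one. The policy constants (five attempts, five-minute lifetime) and the in-memory store are assumptions for illustration.

```python
"""Added example (not from the Positive Technologies report the article
summarises): a 6-digit OTP second factor in the shape that fails a review,
beside a hardened verifier. The policy constants and the in-memory store
are assumptions for illustration; a real deployment would back them with
the session store and enforce rate limits at the edge as well."""
import hmac
import secrets
import time

OTP_DIGITS = 6
MAX_ATTEMPTS = 5           # assumed policy: burn the code after 5 wrong guesses
OTP_TTL_SECONDS = 300      # assumed policy: a code is valid for 5 minutes


def _new_code():
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class WeakOtpVerifier:
    """What a flawed app tends to do: unlimited attempts, no expiry,
    no single-use, plain '==' comparison. 10**6 guesses are enough."""

    def __init__(self):
        self.codes = {}                     # user -> current code

    def issue(self, user):
        self.codes[user] = _new_code()
        return self.codes[user]

    def verify(self, user, candidate):
        return self.codes.get(user) == candidate


class HardenedOtpVerifier:
    """Single-use, time-boxed, attempt-limited, constant-time comparison."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.state = {}                     # user -> {code, issued_at, failures}

    def issue(self, user):
        self.state[user] = {"code": _new_code(), "issued_at": self.now(), "failures": 0}
        return self.state[user]["code"]

    def verify(self, user, candidate):
        rec = self.state.get(user)
        if rec is None:                     # nothing issued, or already burned
            return False
        if self.now() - rec["issued_at"] > OTP_TTL_SECONDS:
            del self.state[user]            # expired: force a fresh code
            return False
        candidate = str(candidate)
        ok = (len(candidate) == OTP_DIGITS and candidate.isascii()
              and hmac.compare_digest(rec["code"], candidate))
        if ok:
            del self.state[user]            # single use: a replayed code fails
            return True
        rec["failures"] += 1                # malformed input counts as a failure too
        if rec["failures"] >= MAX_ATTEMPTS:
            del self.state[user]            # lockout: attacker gets 5 of 10**6 guesses
        return False


def brute_force(verifier, user, max_tries=10 ** OTP_DIGITS):
    """Enumerate codes in order; return (success, attempts_used)."""
    for n in range(max_tries):
        if verifier.verify(user, f"{n:0{OTP_DIGITS}d}"):
            return True, n + 1
    return False, max_tries


if __name__ == "__main__":
    weak = WeakOtpVerifier()
    weak.codes["alice"] = "000042"          # fixed code so the demo is deterministic
    print("weak:", brute_force(weak, "alice"))            # (True, 43)
    hard = HardenedOtpVerifier()
    hard.issue("alice")
    hard.state["alice"]["code"] = "000042"
    print("hardened:", brute_force(hard, "alice", 1000))  # (False, 1000)
```

Against the weak verifier the enumeration succeeds as soon as it reaches the code; against the hardened one the record is burned after five misses and every later guess fails, so the attacker's odds are 5 in 10^6 per issued code rather than certainty. The same checks belong on the server side of a mobile app, which is where the report says the dangerous vulnerabilities were found.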

HBO suffers cyber attack, hacked; Game of Thrones Season 7 upcoming episodes, script, data leaked online

As per a report by Entertainment Weekly, various upcoming series and one script have been put online by the hackers. The hackers have further threatened to post more of these soon. The series that have leaked comprise “Ballers” and “Room 104.” The leak also contains the script to Game of Thrones season seven upcoming episodes. As per the report, the hackers have not been identified yet, but they stole 1.5 terabytes of data from HBO and promise more leaks are “coming soon.” The entertainment network confirmed the hack and said, “HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information.”

http://www.financialexpress.com/entertainment/hbo-suffers-cyber-attack-hacked-game-of-thrones-season-7-upcoming-episodes-script-data-leaked-online/788476/

How Hackers Can Use ‘Evil Bubbles’ to Destroy Industrial Pumps

Importantly, Krotofil’s hacker had delivered the evil bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber, which caused bubbles to form. When those bubbles strike the pump, they implode and, in a process called “cavitation,” turn back into a liquid, transferring their energy to the pump. “They collapse at very high velocity and high frequency, which creates massive shockwaves,” Krotofil explained.

https://www.wired.com/story/evil-bubbles-industrial-pump-hack

US Air Force Wants Robots Watching Twitter

The national security community has been scanning social media for broad social, political, and extremist events since at least 2012’s Open Source Indicators Program from the Intelligence Advanced Research Projects Activity. An IARPA researcher, Naren Ramakrishnan, observed political uprisings in Mexico and Brazil by applying machine learning to raw Twitter data. Goldfein wants to apply similar methods to virtually the entire open source information sphere, which, he says, now creates usable data faster than classified or clandestine methods.

http://www.defenseone.com/technology/2017/07/us-air-force-wants-robots-watching-twitter/139763/

Hacker posed as Anonymous to bully Dallas firm into scrubbing his name from site, feds say

In December 2014, Jahanrakhshan requested that his court decisions be deleted and offered to pay a fee to have the post removed. When his requests were denied, he claimed that he met a “group of hackers online whom are willing to launch a massive cycle attack on Leagle.com,” according to the affidavit. A Jan. 25, 2015, email was sent claiming to be “the anonymous hackers group,” saying that the group launched a cyberattack on the website.

https://www.dallasnews.com/news/crime/2017/07/29/hacker-posed-anonymous-bully-dallas-firm-scrubbing-name-site-feds-say

LeakerLocker Mobile Ransomware Threatens to Expose User Information

While mobile ransomware such as the recent SLocker focuses on encrypting files on the victim’s devices, a new mobile ransomware named LeakerLocker taps into its victims’ worst fears by allegedly threatening to send personal data to a remote server and expose its contents to everyone on their contact lists. The LeakerLocker ransomware is being carried by three applications found in Google Play: “Wallpapers Blur HD”, “Booster & Cleaner Pro”, and “Calls Recorder”.

http://blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/

Meet Mia Ash, the Fake Woman Iranian Hackers Used to Lure Victims

In February, as SecureWorks helped a Middle Eastern company diagnose an attempted spyware infection, the security analysts found that one of that company’s employees had been communicating with the Ash persona for more than a month. […] After digging further into Mia Ash, SecureWorks found that hackers have cultivated the persona as a lure for staffers at target companies for over a year, with the endgame of infecting computers with spyware, and getting an initial foothold into a victim company’s network.

https://www.wired.com/story/iran-hackers-social-engineering-mia-ash/

The biggest financial scam you’ve never heard of is taking over the internet – and I just spent weeks investigating it

Last week, I published an investigation into the scope and scale of a rapidly growing online trading scam that largely appears to be targeting pensioners with access to cash and little understanding of the risks involved in doing business on the internet. […] I talked to many people, most of whom were too embarrassed to be identified, who said that they had lost in some cases their entire life savings on platforms like this. This is not a tale of isolated duping. This is a system of sophisticated conmen who are ruining people’s lives.

http://www.independent.co.uk/voices/biggest-financial-scam-internet-cyber-security-pensions-life-savings-gone-a7869746.html

Thinking About Cyber Due Diligence

I’m talking about asking questions during the diligence process — and perhaps hiring an outside consultant, for maybe $50K or $100K, to do a little more investigation — about the governance, processes, and controls that a company uses to protect the security of its data. Most folks currently don’t do cyber due diligence. Which is funny, since those same people simultaneously insist that cyber risks are near the top of everyone’s concerns. And surely a cyber-attack during deal negotiations could quickly halt an anticipated transaction.

http://abovethelaw.com/2017/07/thinking-about-cyber-due-diligence/

Cyber-crime ‘undermining’ financial system warns Black Economy boss

Banks and the private sector must unite with federal and state agencies to develop an incorruptible, biometric barrier – using retina scans, facial recognition and electronic finger print recognition – against sophisticated cyber-crooks exploiting gaping holes in the nation’s financial, welfare and security systems, the powerful taskforce is expected to tell the federal government. Michael Andrew, former global chairman and chief executive of professional services giant KPMG, said: “The controls and practices that we have are being subverted by systemic, illicit, unlawful behaviour being operated locally and from overseas.”

http://www.afr.com/personal-finance/cybercrime-undermining-financial-system-warns-black-economy-boss-20170727-gxkf3x

How to write a CISO job description

The job requires a strong background and experience in IT strategy and security architecture, along with the high-level communication and people skills needed to assemble and manage an IT security team and to consult with internal and third-party executives and government agencies. As a C-level position, it requires more than technical knowledge and skills. A good CISO must be able to “speak the language of business” if he or she is to be a successful strategic partner in the executive suite.

http://www.csoonline.com/article/3209964/security/how-to-write-a-ciso-job-description.html

The $10 Hardware Hack That Wrecks IoT Security

On many devices, all it takes to access everything stored on the flash memory chip is a $10 SD card reader, some wire, and some soldering experience. The researchers focus on a type of memory called eMMC flash, because they can access it cheaply and easily by connecting to just five pins (electrical connections). By soldering five wires to the chip—a command line, a clock line, a data line, a power line, and a ground—they can get read/write access that lets them exfiltrate data and start reprogramming to eventually control the whole device.

https://www.wired.com/story/sd-card-hack-iot-zero-days/
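The five-wire eMMC trick ends with a raw image of the chip on the attacker's workstation (typically `dd if=/dev/sdX of=emmc.img bs=1M` once the reader enumerates it). The following is an added example, not code from the Wired article or the researchers it cites, of the triage pass that turns that image into the "exfiltrate data" step: walk the MBR partition table, carve each partition and grep it for the secrets that usually hand over the device. The disk image, partition contents and regex list are constructed here for illustration; real images may use GPT instead of MBR, which this parser does not handle.

```python
"""Added example (not from the Wired article or the researchers it cites):
triage of a dumped eMMC image, e.g. from `dd if=/dev/sdX of=emmc.img bs=1M`.
It walks a classic MBR partition table, carves each partition and scans it
for the kinds of secrets that turn flash read access into device control.
The image, partition contents and secret patterns are constructed here."""
import re
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"

# Constructed partition contents standing in for a rootfs and a data partition.
LINUX_PAYLOAD = (
    b"root:$6$constructed$notarealhash:17000:0:99999:7:::\n"
    b"network={\n    ssid=\"lab\"\n    psk=hunter2\n}\n"
)
DATA_PAYLOAD = (
    b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTEDKEYMATERIAL\n"
    b"-----END RSA PRIVATE KEY-----\n"
)

# Regexes a quick triage pass runs over every partition (assumed list).
SECRET_PATTERNS = [
    ("private key", re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("shadow entry", re.compile(rb"^root:\$[0-9a-z]+\$[^:\n]+", re.M)),
    ("wifi psk", re.compile(rb"\bpsk=\S+")),
]


def build_image(partitions):
    """Construct an image: MBR in sector 0, partitions packed from LBA 2.
    `partitions` is a list of (type_byte, payload_bytes)."""
    entries, body, lba = b"", b"", 2
    for ptype, payload in partitions:
        count = max(1, -(-len(payload) // SECTOR))          # whole sectors
        entries += struct.pack("<B3sB3sII", 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        body += payload.ljust(count * SECTOR, b"\0")
        lba += count
    mbr = b"\0" * 446 + entries.ljust(64, b"\0") + MBR_SIG
    return mbr + b"\0" * SECTOR + body                        # LBA 1 left unused


def parse_mbr(image):
    """Return (index, type, lba_start, sector_count) for each used MBR slot."""
    if len(image) < SECTOR or image[510:512] != MBR_SIG:
        raise ValueError("no MBR signature; check for GPT ('EFI PART' at LBA 1)")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        _status, _chs0, ptype, _chs1, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype and count:
            parts.append((i, ptype, lba, count))
    return parts


def carve(image, lba, count):
    """Bytes of one partition, ready to write out or scan."""
    return image[lba * SECTOR:(lba + count) * SECTOR]


def hunt_secrets(image):
    """(partition index, label, byte offset within partition) for every hit."""
    hits = []
    for idx, _ptype, lba, count in parse_mbr(image):
        blob = carve(image, lba, count)
        for label, pat in SECRET_PATTERNS:
            hits.extend((idx, label, m.start()) for m in pat.finditer(blob))
    return hits


if __name__ == "__main__":
    img = build_image([(0x83, LINUX_PAYLOAD), (0x0C, DATA_PAYLOAD)])
    for p in parse_mbr(img):
        print("partition %d type 0x%02x lba %d sectors %d" % p)
    for hit in hunt_secrets(img):
        print(hit)
```

With the partition offsets in hand, a real rootfs is mounted read-only with `mount -o ro,loop,offset=$((lba*512)) emmc.img /mnt` and walked properly; the regex pass is only the first cut. The same write access the article describes is what lets an attacker put a modified rootfs back, which is why the defensive answer is encrypted flash with the key held off-chip (or in a secure element) plus verified boot, not a mere debug-port fuse.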

Shorting-For-Profit Viable Business Model For Security Community

The CEO of MedSec Holdings teamed with hedge fund company Muddy Waters Capital to short the stock of St. Jude Medical in order to profit from research that revealed life-threatening vulnerabilities tied indirectly to pacemakers made by the medical device manufacturer. The move ignited a fierce debate over ethical disclosure of vulnerabilities and how viable a business model this type of short selling could be. At a Black Hat session Thursday, Bone told attendees she has no regrets and would do it again.

https://threatpost.com/shorting-for-profit-viable-business-model-for-security-community/127078/

Putin bans VPNs in web browsing crackdown

Vladimir Putin has banned virtual private networks (VPNs) and Tor in a crackdown on apps that allow access to websites prohibited in Russia. The law, signed by Mr Putin, was passed by Russia’s parliament last week and will now come into force on 1 November. A second law to ban anonymous use of online messaging services will take effect on 1 January next year. It would make it easier for the state to snoop on citizens’ browsing habits, one internet security expert suggested.

http://www.bbc.com/news/technology-40774315

Hackers claim credit for alleged hack at Mandiant, publish dox on analyst

In addition to that are images detailing the compromise of their One Drive account, Live account, LinkedIn account, geo-tracking of personal devices for at least a year, billing records and PayPal receipts, credentials for an engineering portal at FireEye, WebEx and JIRA portals, as well as Live and Amazon accounts. There are also records related to an alleged customer, Bank Hapoalim, and internal documentation and presentations, including one for the IDF (Israel Defense Forces) from 2016.

http://www.csoonline.com/article/3211894/security/hackers-claim-credit-for-alleged-hack-at-mandiant-publish-dox-on-analyst.html

Researcher: Metadata the ‘most potent weapon’ against critical infrastructure security

Examples of internet metadata include the title, sender and receiver of emails, the unique identification number (i.e., International Mobile Equipment Identity, or IMEI) of mobile devices and the duration of users’ visits to websites. These examples are just a few of the dozens of data types that contextualize users’ online behavior. […] Armed with detailed knowledge of who victims are and how they behave online, threat actors can conduct a variety of cyber-enabled attacks, from social-engineering techniques such as spear phishing to “psychographic and demographic Big Data algorithms” employed to push “fake news.”

https://www.federaltimes.com/critical-infrastructure/2017/07/28/researcher-metadata-the-most-potent-weapon-against-critical-infrastructure-security/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.