IT Security News Blast 9-11-2017

Equifax data breach could create lifelong identity theft threat

“It’s very problematic for hackers to have all that important information all in one place,” says John Ulzheimer, a credit expert who once worked for Equifax and credit-score firm FICO. “This information is perpetually valuable. You are not going to change your name or date of birth or Social Security number. In five years they will be the same, unlike a credit card that takes five minutes to cancel over the phone.”

https://www.usatoday.com/story/money/2017/09/09/equifax-data-breach-could-create-life-long-identity-theft-threat/646765001/

 

Equifax blames giant breach on vendor software flaw

Equifax on Friday blamed a flaw in the software running its online databases for allowing hackers to steal the personal information of as many as 143 million Americans, The Post has learned. Hackers were able to access the info — including Social Security numbers — because there was a flaw in the open-source software created by the Apache Foundation, the company told Jeffrey Meuler, an analyst at RW Baird & Co. […] Apache has put out several patches — or software fixes — for its STRUTS system since March. It’s unclear if the company had patched its systems since then.

http://nypost.com/2017/09/08/equifax-blames-giant-breach-on-vendor-software-flaw/

 

Are you an Equifax breach victim? You could give up right to sue to find out [Updated]

But if you want to find out if your data might have been exposed, you waive your right to sue the Atlanta-based company. We’re not making this up. The company has now published a website allowing consumers to input the last six digits of their Social Security numbers to find out. Like most websites, at the bottom of this new site is a section called “Terms of Use.” There, in paragraph 4, is bolded, uppercase text of note. It tells site visitors that you agree to waive your right to sue and instead must “resolve all disputes by binding, individual arbitration.”

https://arstechnica.com/tech-policy/2017/09/are-you-an-equifax-breach-victim-you-must-give-up-right-to-sue-to-find-out/

 

Equifax sued for Billions after 143 million data hack

“Plaintiffs file this complaint as a national class action on behalf of over 140 million consumers across the Country harmed by Equifax’s failure to adequately protect their credit and personal information. This complaint requests Equifax provide fair compensation in an amount that will ensure every consumer harmed by its data breach will not be out-of-pocket for the costs of independent third-party credit repair and monitoring services,” the complaint reads.

https://www.hackread.com/equifax-sued-for-billions-after-143-million-data-hack/

 

Trust But Verify: New York Cyber Regs Mean Managing Third-Party Security

The challenges of 23NYCRR and other regulations can certainly be daunting, especially for smaller businesses that may be impacted, but tackling the seemingly insurmountable task of compliance can be achieved if businesses establish and execute against a solid cybersecurity plan. The first steps include designating a CISO and other parties within the organization who are responsible for the security plan and its implementation. Typically, the CISO will work with the Chief Information Officer (CIO) and report to the CEO and board.

http://www.insurancejournal.com/news/east/2017/09/08/463662.htm

 

Markets, GPS could be first to go in the event of global cyber conflict

Just what that might look like is known, but seldom discussed. Remember the NASDAQ flash crash? It happened on May 6, 2010, at 2:32 pm and lasted for more than 30 minutes. Still not ringing any bells? It was a trillion-dollar stock market crash. At the time, a minority in the cybersecurity community believed that crash was a hack. Some time ago the Washington Post chided the tendency to cry “hacking” when something systemic fails.

http://thehill.com/blogs/pundits-blog/technology/349559-markets-gps-systems-could-be-first-to-go-in-the-event-of-global

 

The U.S. Oil Patch Has A Serious Cybersecurity Problem

Study after study finds that key energy assets are especially vulnerable to digital attackers, but only a “handful” of players in the private sector are really ready to defend themselves. Though hurricane season puts fossil fuel companies on high alert for natural disaster-related catastrophes, it is time the big players take a serious look at the storm that may be brewing within their own computer systems.

http://oilprice.com/Energy/Energy-General/US-Oil-Patch-Has-A-Serious-Cybersecurity-Problem.html

 

Putin Tells Russia Tech Sector to Ditch Foreign Software

“In terms of security, there are things that are critically important for the state, for sustaining life in certain sectors and regions,” Interfax news agency quoted Putin as telling a meeting with Russian technology producers. “And if you are going to bring in hardware and software in such quantities, then in certain areas the state will inevitably say to you: ‘You know, we cannot buy that, because somewhere a button will be pressed and here everything will go down’,” the agency quoted him as saying.

https://financialtribune.com/articles/economy-sci-tech/72054/putin-tells-russia-tech-sector-to-ditch-foreign-software

 

How and why hackers are targeting our hospitals

Hackers are targeting the healthcare industry for two reasons. Firstly, it is lucrative, and secondly, it is vulnerable. ‘The healthcare industry’, says Alex Margovsky, Healthcare Security Consultant at Alpharidge, ‘is much easier to get into than a bank. And the value of that information is also the highest.’ In 2012, U.S. healthcare spending reached a landmark $3 trillion and has continued to swell. Thanks to aging populations and the development of emerging markets, Deloitte predicts that the amount spent on global health care will reach $8.7 trillion by 2020, equating to 10.5% as a percentage of GDP. This has made the healthcare industry a prime target for hackers, as should you be able to hold a healthcare provider for ransom, you can be sure they have money.

http://sociable.co/technology/how-why-hackers-targeting-hospitals/

 

Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication

To address these cybersecurity vulnerabilities and improve patient safety, St. Jude Medical has developed and validated this firmware update as a corrective action (recall) for all of their RF-enabled pacemaker devices, including cardiac resynchronization pacemakers. […] After installing this update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The Merlin Programmer and Merlin@home Transmitter will provide such authorization.

https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

 

DHS Warns of 8 Cybersecurity Vulnerabilities in Smiths Medical Wireless Infusion Pumps

The vulnerabilities, identified by cybersecurity researcher Scott Gayou, range in severity from low severity to critical on the Common Vulnerability Scoring System (CVSS V3), and according to ICS-CERT, could be exploited remotely by a skilled hacker. “Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” ICS-CERT says.

http://www.raps.org/Regulatory-Focus/News/2017/09/08/28438/DHS-Warns-of-8-Cybersecurity-Vulnerabilities-in-Smiths-Medical-Wireless-Infusion-Pumps/

 

Cybersecurity Experts Urge Faster Threat Alerts From Homeland Security

In response to news of the Equifax hack, which could affect up to 143 million people in the United States, Sen. Mark Warner raised the prospect of passing legislation to more effectively alert consumers to cyberattacks that affect them. The hack “raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies,” the Virginia Democrat said in a statement Thursday.

https://morningconsult.com/2017/09/08/recent-cyber-threats-show-need-for-dhs-to-improve-public-private-information-sharing/

 

Spy chiefs set sights on AI and cyber

“We have to be much more data-centric, much more savvy in how we handle data,” said Melissa Drisko, the Defense Intelligence Agency’s deputy director. “There are secrets there that we got to find. It’s how do you find those.” “As we’re looking at algorithmic analysis, artificial intelligence, machine learning, we’re finding that we’re having to examine what the role of the human and the analyst is,” she said. “It’s kind of scary…but what’s the role, what do we look like in 10 years…and even as we try to define it does that make [the role of the analyst] obsolete.”

https://fcw.com/articles/2017/09/07/intel-insa-ai-tech-chiefs-insa.aspx

 

Fancy a well-paying job that requires no prior experience? Cybersecurity in China may be your answer

Demand for cybersecurity talent in China surged by 232 per cent year-on-year in the first half of this year on Zhaopin.com, one of the nation’s biggest online recruitment websites, the company said in a recent joint report with 360 Internet Security Centre. […] “Nearly half of cybersecurity jobs require no work experience, reflecting a severe shortfall of veteran specialists as businesses are lowering the bar on experience to fill the vacancies,” the report said.

http://www.scmp.com/business/china-business/article/2110519/fancy-well-paying-job-requires-no-prior-experience

 

42: The answer to life, the universe and how many Cisco products have Struts bugs

Like many vendors, Cisco long ago adopted the open-source Apache for its Web interfaces, and went to work identifying where the vulnerable Struts frameworks are in use. […] Products in its collaboration and network management ranges, the Identity Services Engine, a bunch of Cisco Prime software, voice and unified communication, video and telepresence, and hosted services are currently under investigation. Because the bug allows remote attackers to execute code – in this case, on sensitive kit – Cisco has assigned the “critical” tag to its advisory (in line with Apache).

https://www.theregister.co.uk/2017/09/11/ciscos_crack_vuln_investigators_get_the_file_marked_apache_struts/

 

Security Apps Fail to Detect Malware Threats Due to Windows Kernel Bug

The bug is so old that it dates back to Windows 2000 and is found in all the subsequent Windows OS versions, including the most recent release, while the actual issue lies with PsSetLoadImageNotifyRoutine. This is a feature in the Microsoft OS that notifies developers about the drives that are newly registered. Therefore, the bug is quite serious, as it renders security tools useless by blocking the program’s ability to detect malware threats.

https://www.hackread.com/security-apps-fail-to-detect-malware-threats-due-to-windows-kernel-bug/

 

New Dridex Phishing Campaign Delivers Fake Accounting Invoices

“On execution, this JavaScript downloads and launches banking malware on to the victim’s computer that steals their personal and private information and leaves them vulnerable to the mercy of their attackers,” said Trustwave researchers Fahim Abbasi and Rodel Mendrez who coauthored a report on the campaign published Wednesday.

https://threatpost.com/new-dridex-phishing-campaign-delivers-fake-accounting-invoices/127867/

 

Return of the EMOTET Trojan, spreads via spambots

The bulk of infections are in the U.S. which account for 58 percent of all detected infections, while Great Britain and Canada were at 12 percent and 8 percent respectively. The new EMOTET variants often are sent via phishing emails claiming to be an invoice or payment notification with the body of the email containing a malicious URL. Clicking the link will download a document containing malicious macros designed to execute a PowerShell command line responsible for downloading the trojan.

https://www.scmagazine.com/emotet-trojan-returns-with-new-variants-and-targets/article/687619/

 

Virginia scraps poke-to-vote machines hackers destroyed at DefCon

The decision was announced in the minutes of the Board’s September 8th meeting: “The Department of Elections officially recommends that the State Board of Elections decertify all Direct Recording Electronic (DRE or touchscreen) voting equipment.” In addition to the “current security environment”, the report cites the DefCon demonstration in July that showed how quickly DRE voting systems could be pwned.

https://www.theregister.co.uk/2017/09/11/virginia_to_scrap_touchscreen_voting_machines/

 

Researcher Discloses 10 Zero-Day Flaws in D-Link 850L Wireless Routers

D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers are vulnerable to 10 security issues, including “several trivial” cross-site scripting (XSS) flaws, lack of proper firmware protection, backdoor access, and command injection attacks resulting in root access. If successfully exploited, these vulnerabilities could allow hackers to intercept connections, upload malicious firmware, and get root privileges, enabling them to remotely hijack and control affected routers, as well as the network, leaving all connected devices vulnerable to cyber attacks as well.

http://thehackernews.com/2017/09/d-link-router-hacking.html

 

 ====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.
