IT Security News Blast 9-12-2017

The Equifax Cyber Breach and a Lifetime of Vulnerability

Many of these affected consumers are already organizing a massive class-action lawsuit, seeking damages of $70 billion. Equifax’s heartfelt apology from their chairman and CEO offers people the opportunity to enroll in their subsidiary’s identity monitoring services at no cost for a period of one year. Herein a host of new consumer challenges emerge, especially with the latency of cyber threats, the vast secondary black market where personal data are sold, the lifelong nature of social security numbers and our performance-based credit system.

http://www.huffingtonpost.com/entry/the-equifax-cyber-breach-and-a-lifetime-of-vulnerability_us_59b60b80e4b0c50640cd68db

Equifax hit with at least 23 class-action lawsuits over massive cyberbreach

The relatively large number of new lawsuits against Equifax that seek class-action status signals the high legal stakes over the potential for identity-theft losses by millions of Americans whose personal data was exposed. The cases also show an eagerness by plaintiff law firms to stake swift claims on behalf of consumers who eventually might be in line for a share of either a court judgment against Equifax or a settlement by the company.

https://www.usatoday.com/story/money/2017/09/11/equifax-hit-least-23-class-action-lawsuits-over-massive-cyberbreach/653909001/

How Equifax failed miserably at handling its data breach

Equifax has set up a site through which people can check whether they have been affected. Unfortunately for them, they can’t really trust the result of the check – the site will seemingly randomly provide either a confirmation or a denial of whether they’ve been impacted. It seems logical to assume, then, that Equifax doesn’t know which individuals have been affected. Still, they want everybody to sign up for their credit file monitoring and identity theft protection with TrustedID Premier, a credit monitoring service that is also operated by Equifax.

https://www.helpnetsecurity.com/2017/09/11/equifax-failed-miserably/

Why even smaller enterprises should consider nation-state quality cyber defenses

In 2017, two ransomware variants, WannaCry and Petya, spread rapidly throughout Europe. These two attacks utilized an exploit called EternalBlue that was leaked from the NSA in the months prior. […] This trend is on the rise and there is no reason to believe that things will get better. Whether an attack escapes the control of a nation-state or a carefully guarded zero-day exploit becomes public knowledge, sophisticated and devastating attacks will become more frequent and destructive. Organizations of all sizes can be caught in the crossfire. For the chief information security officer (CISO), the cost to the organization is the same, regardless of whether it originated as a target or was merely collateral damage.

https://www.csoonline.com/article/3223866/cyberwarfare/nation-state-quality-cyber-defenses.html

Healthcare must move from risk to resilience, Tom Ridge says

With that expanding cyberthreat landscape, Ridge recommended that hospitals and healthcare organizations shift their thinking from risk management to resiliency. That means being able to survive an attack and sustain operations and then move forward from there. “We know that risks are sometimes surprise events but resilience should be a goal, an objective,” Ridge said. “It’s a 24/7 responsibility, every day, just like homeland security. It’s a continuous cycle of threats.”

http://www.healthcareitnews.com/news/healthcare-must-move-risk-resilience-tom-ridge-says

Not So Entertaining: Cybercrime in the Entertainment Industry

Over the past several years, a number of large entertainment companies have fallen victim to cybercriminals, resulting in the threatened and actual leaking of sensitive information including such things as internal emails, passwords, compensation information, and unreleased programming. Unlike a “traditional” cyber attack which poses a threat to credit card numbers or social security numbers, the biggest risk of an entertainment industry cyber attack is the publicity that can result from compromising communication and other information about high-profile individuals, and their associated businesses.

https://www.natlawreview.com/article/not-so-entertaining-cybercrime-entertainment-industry

Most infosec pros believe election hacks are acts of cyber war

Additional findings include:

  • Eighty-eight percent believe governments have not done enough to deter hackers from interfering with future elections.
  • Sixty percent are concerned that cyber attackers can alter election results.
  • Over a quarter (twenty-seven percent) believe attackers have already altered election results.

https://www.helpnetsecurity.com/2017/09/11/election-hacks-cyber-war/

Stronger election security with less technology

With the wide variety of voting systems technology and uneven security requirements in local jurisdictions across the country, the best defense against election hacking may involve less technology, experts said. […] “The machines have vulnerabilities that could allow someone to hack in and alter the software that’s running on them,” he said at a Sept. 8 Brookings Institution discussion. “You don’t even need physical access to the machines.”

https://gcn.com/articles/2017/09/11/election-security.aspx?admgarea=TC_SecCybersSec

New Military Initiative Adds Cybersecurity Training for Soldiers Departing for ‘Civilian’ Careers

“We hope to enroll 25 (military personnel) in the next round of classes beginning in January,” said Martha Laughman, senior manager of workforce investments for SecureSet. “All of our (military) students are preplaced with an employer, who provides them with scholarships. We hope to have 100 percent of them placed by the end of the program in December.”

http://www.govtech.com/security/New-Military-Initiative-Adds-Cybersecurity-Training-for-Soldiers-Departing-for-Civilian-Careers.html

Cyberwar game tests politicians’ ability to deal with a major attack

The objective of the session was to practice how ministers would respond to a cyber-attack against the EU’s military organisations, and to help develop guidelines to be used in such a real-life crisis — and to make ministers more aware of the potential effects of offensive cyber-campaigns.

http://www.zdnet.com/article/cyberwar-game-tests-politicians-ability-to-deal-with-a-major-attack/

4 NDAA amendments to watch as Senate takes up bill

Sen. John Thune (R-S.D.) wants to start training cyber service members at an even younger age. His amendment sets up a cybersecurity training program for the Army Senior Reserve Officers Training Corps called Army Cyber ROTC. The program will expand military science instruction in ROTC to include coursework and summer training opportunities for students on cybersecurity. It will also establish criteria for the selection of cyber operations officers when students graduate from ROTC.

https://federalnewsradio.com/legislation/2017/09/4-ndaa-amendments-to-watch-as-senate-takes-up-bill/

The Pentagon’s Next Frontier for War Might be Space

That is, in fact, the future as the Pentagon imagines it and it’s actually under development, even though most Americans know little or nothing about it. […] Indeed, working in secrecy, the Obama administration was presiding over a revolution in defense planning, moving the nation far beyond bayonets and battleships to cyber warfare and the future full-scale weaponization of space. From stratosphere to exosphere, the Pentagon is now producing an armada of fantastical new aerospace weapons worthy of Buck Rogers.

https://www.thenation.com/article/the-pentagons-next-frontier-for-war-might-be-space/

Threats on social media highlight need for strategic approach, Army leadership says

As social media continues to evolve, so too has the number of online predators. While only a few years ago cybersecurity implied protecting personal information online, today cybersecurity translates into a more proactive role. “As members of the U.S. military deployed overseas, we need to approach social media in the cyber domain the way we might approach any dangerous and unfamiliar territory: Be smart and keep a low profile,” said USAG Bavaria Garrison Commander, Col. Lance Varney.

https://www.army.mil/article/193626/threats_on_social_media_highlight_need_for_strategic_approach_army_leadership_says

Online surveillance and digital reputations

The content of files built up about identifiable individuals, such as myself, posting negative information about corporations and executives, could have potentially sinister applications. It will only encourage the use of aliases and deter people who would prefer to engage in free speech on the internet under their own names and without being the subject of secret surveillance by big business and their creepy private spooks.

http://royaldutchshellplc.com/2017/09/11/online-surveillance-and-digital-reputations/

5 reasons why device makers cannot secure the IoT platform

1. Product developers underestimated IoT security

2. Defending the IoT perimeter and endpoints will fail

3. Bank robbers go where the money is; cyber criminals go where the vulnerabilities are

4. Security and privacy for small memory microprocessor based IoT devices are still being invented

5. IoT does not have the data to train machine learning models to defend the IoT platform

https://www.networkworld.com/article/3223952/internet-of-things/5-reasons-why-device-makers-cannot-secure-the-iot-platform.html

A cyber manifesto: cut the dilly-dallying…and let’s get after it!

This author puts large blame for this slow-roll squarely on the US Congress. To be sure, there are members across both chambers who have been out in front on cyber for some time now. But, as an institution, Congress has been woeful in enacting important “activating” policy. Further, I believe the root cause behind Congress’ sitting on their proverbial hands is fear. Fear of the unknown . . . leads to fear of making mistakes . . . leads to fear of residual blowback in the form of pissed-off constituencies, be they district voters or privacy lawyers.

https://www.csoonline.com/article/3222740/cyber-attacks-espionage/a-cyber-manifesto-cut-the-dilly-dallying-and-lets-get-after-it.html

How Crowdsourcing Can Help Fight Against Cyber Threats

The whole idea behind crowdsourcing cybersecurity is to bring together the best minds, the best technology and best practices to present an unprejudiced observation of impending vulnerabilities, and remediate them quickly and effectively. […] The world at present faces a scarcity of cyber security experts. It has been reported that by 2019 there will be a shortage of 2 million cybersecurity professionals internationally. So the idea of crowdsourcing and accumulating skilled and intelligent individuals to work together to fight off cyber crime is a reliable solution.

https://tech.co/cybersecurity-crowdsourcing-online-threats-2017-09

Keyboard warrior: the British hacker fighting for his life

Love has not protested his innocence – he only points out that, without seeing the evidence, which the US Department of Justice refuses to reveal until he is on US soil, he cannot say one way or the other. But he had the means, motive and opportunity to carry out the crimes of which he stands accused. Even if Love is guilty, however, there are important legal and moral questions about whether he should be extradited to the US – a nation that has prosecuted hackers with unrivalled severity, and one where Love could be sentenced to spend the rest of his life in prison.

https://www.theguardian.com/news/2017/sep/08/lauri-love-british-hacker-anonymous-extradition-us

Crackas With Attitude troll gets five years in prison for harassment

A member of the short-lived Crackas With Attitude hacking troupe has received five years in prison, despite the fact that he hadn’t actually hacked any accounts himself and had accepted a plea deal. Justin Liverman was sentenced to 60 months inside by Judge Gerald Bruce Lee in the Federal Court of the Eastern District of Virginia on Friday. He had earlier pled guilty to conspiracy to hack US government computer systems and the court awarded him the maximum sentence it could, along with a $145,000 fine.

https://www.theregister.co.uk/2017/09/11/crackas_with_attitude_troll_gets_5yrs/

Best Buy Drops Kaspersky Products Amid Russia Concerns

The big box retailer, with stores across the country, did not announce the change itself but its website was no longer offering Kaspersky products, and numerous social media reports said they were not on store shelves anymore. A Best Buy spokeswoman confirmed in an email reports that the action was taken due to concerns over Kaspersky’s alleged links to the Russian government. Kaspersky, which denies Russian government links, said the two firms “have suspended their relationship at this time.”

http://www.securityweek.com/best-buy-drops-kaspersky-products-amid-russia-concerns

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.