IT Security News Blast 9-4-2017

D.C. Circuit Holds Cyber-Theft of Customers’ Medical Identifying Information Created Sufficient Increased Risk of Harm to Establish Standing

Because the plaintiffs’ stolen information had not yet been used to harm them, the district court found they could not demonstrate “actual or imminent” harm at the pleading stage. The DC Circuit disagreed, holding that although no injury had in fact occurred, it was sufficient that plaintiffs established either (1) their threatened injury arising from the data breach was impending with certainty or (2) CareFirst’s conduct created a substantial risk that injury could occur as a result of the breach.

http://www.jdsupra.com/legalnews/d-c-circuit-holds-cyber-theft-of-31509/

Cybersecurity help wanted: Asperger people

ASPertise may be on to the next and biggest wave of cybersecurity recruits — Asperger people. Vezon’s team currently works on physical and wireless network and security assessments, cyber social engineering, domain password audits, architecture development, vulnerability assessments and penetration testing, policy assessments, and firewall rule review.

http://www.csoonline.com/article/3221606/it-careers/cybersecurity-help-wanted-asperger-people.html

SharknAT&To

In all fairness, it is uncertain whether these gaping security holes were introduced by Arris (the OEM) or if these problems were added after delivery to the ISP (AT&T U-verse). From examining the firmware, it seems apparent that AT&T engineers have the authority and ability to add and customize code running on these devices, which they then provide to the consumer (as they should).

1. SSH exposed to The Internet; superuser account with hardcoded username/password.

2. Default credentials “caserver” https server NVG599

3. Command Injection “caserver” https server NVG599

4. Information disclosure/hardcoded credentials

5. Firewall bypass, no authentication

https://www.nomotion.net/blog/sharknatto/

Electronic Warfare: How The U.S. Army Could Lose Its Next War

[In] future wars, the Army is likely to face enemies far better equipped than it is to seize control of the electromagnetic spectrum and exploit it to tactical advantage. Two decades of fighting rag-tag terrorist groups with scant resources has dulled its edge in electronic warfare, while countries like Russia and China have worked hard to maintain and expand their capabilities.

https://www.forbes.com/sites/lorenthompson/2016/03/15/electronic-warfare-how-the-u-s-army-could-lose-its-next-war/#d6a16cc1b09f

Taking Stock of Trump’s Cybersecurity Executive Order So Far

The goal of a speedy review process is a good one, but has not materialized. “Unfortunately, leadership from the executive branch on cybersecurity has been weak,” senator John McCain said at the end of August. “The last administration offered no serious cyber deterrence policy and strategy. And while the current administration promised a cyber policy within 90 days of inauguration, we still have not seen a plan.”

https://www.wired.com/story/trump-cybersecurity-executive-order/

Microsoft says every enterprise should have a plan for when cybersecurity fails

Incidents of security breaches and stolen customer information make new headlines on an almost weekly basis, yet organizations are continually caught off guard by malicious criminal elements intent on stealing their data. If your enterprise does not have a strong, practical, and enforceable business continuity and disaster response (BCDR) plan in place, it is asking for serious trouble.

http://www.techrepublic.com/article/microsoft-says-every-enterprise-should-have-a-plan-for-when-cybersecurity-fails/

Companies should treat cybersecurity as a matter of ethics

And Harkins really does mean fundamental. He argues that companies should formally classify protecting consumer data and privacy as a social responsibility, akin to combatting climate change, fighting poverty, or promoting diversity. Codifying cybersecurity into a company’s ethical DNA is the only way, he argues, to force businesses to weigh consumer safety and privacy risks before creating new products and services.

http://www.sfchronicle.com/business/article/Companies-should-treat-cybersecurity-as-a-matter-12168332.php

Meet The Russians Helping The Feds Hack Silicon Valley

As a result, hacking tools from Elcomsoft, Oxygen and Passware have become a part of the U.S. government’s surveillance apparatus and sit on some of the nation’s most sensitive networks at a time when suspicions over Russia are at fever pitch. […] Overall anxiety about the potential for Kremlin influence over firms whose products are deeply embedded in critical U.S. networks is palpable. “If a shooting war goes off with Russia, I don’t want this stuff on my computer,” said Jake Williams, a former NSA and DoD analyst, now president of security testing firm RenditionSec.

https://www.forbes.com/sites/thomasbrewster/2017/08/30/russian-hackers-help-us-with-encryption-nightmare/

Zapad exercise: Russian cyber attacks on the West ‘could lead to fatalities’

Covert Russian cyber attacks against Western countries could cause civilian fatalities and potentially escalate into a real-world military confrontation, Latvia’s foreign minister has warned. Edgars Rinkevics says that Russia may use a massive war game this month to probe Nato’s resilience to full-spectrum “hybrid” warfare including propaganda and cyber attacks that Moscow has previously used against Ukraine.

https://www.brisbanetimes.com.au/world/zapad-exercise-russian-cyber-attacks-on-the-west-could-lead-to-fatalities-20170904-gya0q8.html

Ransomware represents ‘25% of cyber attacks’ as hackers target UK

In the report, RPC said that this is consistent with other industry sources which suggest a rise in the use of ransomware, in which cyber-criminals encrypt access to data, and threaten to make it inaccessible if the owner does not pay a ransom. The ransom is often demanded in crypto-currencies such as Bitcoin, making tracking the criminals virtually impossible.

http://www.information-age.com/ransomware-represents-25-cyber-attacks-hackers-target-uk-123468329/

Security Think Tank: Strategies for surviving a cyber attack

In the event of an attack, organisations need trained people from across all business functions ready to work together to fix the problem as quickly as possible. In addition to the IT and security teams, this should include PR teams ready to communicate publicly and deal with any incoming queries. The C-level function must be ready to handle stakeholder queries, and the legal team should be considering any legal implications or risks. This is a business issue, not just a technical one, and warrants management as such.

http://www.computerweekly.com/opinion/Security-Think-Tank-Strategies-for-surviving-a-cyber-attack

How to: Use OTR for Mac

OTR (Off-the-record) is a protocol that allows people to have confidential conversations using the messaging tools they’re already familiar with. This should not be confused with Google’s “Off the record,” which merely disables chat logging, and does not have encryption or verification capabilities. For Mac users, OTR comes built-in with the Adium client.

https://ssd.eff.org/en/module/how-use-otr-mac

Hillary Clinton endorsed a new media platform — and then it suffered a cyberattack

Described as a “media platform for the 65.8 million” voters who supported Clinton in last November’s presidential election, Verrit aims to organize supporters of the former first lady by providing them with verified facts. […] Soon after Clinton’s endorsement, the start-up’s founder and former Clinton advisor, Peter Daou, claimed his website had been forced offline after a suspected distributed denial-of-service (DDoS) attack.

https://www.cnbc.com/2017/09/04/hillary-clinton-endorsed-a-new-media-platform–and-then-it-suffered-a-cyberattack.html

Instagram Hack Bigger Than Thought

Celebrities were the target of the cyberattack, Instagram said according to news from the Wall Street Journal. The photo sharing social network operator said no passwords were stolen in the attack, in which hackers were able to take advantage of a bug in the software. Instagram has since patched the account security issue, reported the paper. […] The data stolen in the hack has already made its way online and is being sold, some for $10 via Doxagram, an Internet database the Wall Street Journal cited Instagram as naming. Doxagram says it has the contact information of famous people, such as Mark Zuckerberg, the chief executive of Facebook, and Rihanna, the pop artist.

http://www.pymnts.com/news/security-and-risk/2017/instagram-cyberattack-larger-than-thought/

Are you protecting payment card data well enough?

The Verizon 2017 Payment Security Report: new name, even greater insight. This year’s report goes beyond Payment Card Industry Data Security Standard (PCI DSS) compliance and looks at the biggest payment security challenges facing organizations—and breaks this analysis down by industry and region.

http://www.verizonenterprise.com/verizon-insights-lab/payment-security/2017/

US Government Site Unwittingly Hosting Malware

[Attackers] focus on hosting malware in legitimate places, such as Google documents, or websites which are “known/proven clean”. As it turns out, one ideal scenario for an attacker would be to host malware on a government site. If they can successfully do it, it gives them automatic immunity from many website reputation-based blacklisting. That being said, we observed a malicious JavaScript downloader leading to the Cerber ransomware which was hosted on a US Government site.

https://blog.newskysecurity.com/us-government-site-unwittingly-hosting-malware-f1f4f11b6a1d

Thousands of sensitive mercenary resumes exposed after security lapse

Resumes for hundreds of individuals who applied for work at a US-based private security firm have been exposed following a security lapse by a third-party recruiting firm. Around 9,400 resumes were discovered on a public, unlisted Amazon Web Services storage server by Chris Vickery, director of cyber risk research at security firm UpGuard. The server belongs to recruitment company TalentPen, which until February was contracted by the mercenary firm TigerSwan to provide services for voluntary resume submission.

http://www.zdnet.com/article/thousands-of-sensitive-mercenary-resumes-exposed-after-server-security-lapse/

Justice Department says no evidence Obama had Trump’s ‘wires tapped’ despite President’s claims

The Justice Department admitted there’s no proof to President Trump’s claim that his predecessor had his Trump Tower penthouse under surveillance during the election. Law enforcement officials said “no such records exist” to back up Trump’s assertion, which he made in a series of bombshell tweets on March 4. It’s the first time the DOJ has officially denied President Obama ordered Trump’s residence be bugged last October.

http://www.nydailynews.com/news/national/doj-no-evidence-obama-trump-wires-tapped-article-1.3463689

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.
