IT Security News Blast 01-04-2018

Intel CPU Flaws

Intel In Security Hot Seat Over Reported CPU Design Flaw
The impact of this type of attack on Intel chips is far reaching, affecting Intel endpoint computers, but also cloud computing environments such as Amazon EC2, Microsoft Azure and Google Compute Engine, according to an analysis of the flaw by a developer blogging at Python Sweetness.
https://threatpost.com/intel-in-security-hot-seat-over-serious-cpu-design-flaw/129289/

 

“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws
At their heart, both attacks take advantage of the fact that processors execute instructions speculatively. All modern processors perform speculative execution to a greater or lesser extent; they’ll assume that, for example, a given condition will be true and execute instructions accordingly. If it later turns out that the condition was false, the speculatively executed instructions are discarded as if they had no effect.
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/

 

Tech giants race to fix chip design flaw
The problem, described as unprecedented by experts, affects one of the most fundamental architectural elements of all computing systems, making it far more pervasive than the software flaws that are the usual source of computer security failures. Both Intel, whose chip designs are at the heart of all PCs and many servers, and Arm Holdings, whose designs are used in almost all smartphones, said they were working to try to fix the problem.
https://www.ft.com/content/456875fc-f0e2-11e7-b220-857e26d1aca4

 

NIST develops draft update to cyber-security framework
Providing new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cyber-security, the updated framework aims to further develop NIST’s voluntary guidance to organizations on reducing cyber-security risks. The Cyber-security Framework was published in February 2014 following a collaborative process involving industry, academia and government agencies, as directed by a presidential executive order.
https://www.complianceweek.com/blogs/the-filing-cabinet/nist-develops-draft-update-to-cyber-security-framework

 

Best Practices for Preventing Healthcare Cybersecurity Breaches
Unfortunately, healthcare organizations typically have large computer networks holding vast troves of sensitive data that need to be accessed by many employees in multiple locations. These networks run software from third party business associates and usually connect with dozens of IoT devices at once. And every hospital works within a larger ecosystem, requiring employees to communicate and exchange data with a wide range of outside players. A recent attempt by the Health Care Industry Cybersecurity Task Force to diagram the healthcare sector shows the complexity of hospital environments.
https://www.campussafetymagazine.com/hospital/healthcare-cybersecurity-breaches-attacks-best-practices-hipaa-compliance-2018/

 

Connected healthcare means better patient outcomes: Digital transformation and the rise of smart hospitals
There are three major areas where healthcare is seeing the positive benefits of this digital disruption:
· Healthcare Information Systems
· Medical devices
· Collaboration
https://www.enterpriseinnovation.net/article/connected-healthcare-means-better-patient-outcomes-digital-transformation-and-rise-smart-0

 

Ransomware, Automation, and IoT Bots, Oh My!
Medical records began to trade for a higher value than a credit card on the Darknet, and governments and civil services were targeted for their confidential documents. Throughout the last couple of years, we saw cyber-attacks grow in frequency, complexity, size, and more, making them even more difficult to defend against. Adding to the challenge of protecting data was the advent of IoT botnets. In fact, 55% of security professionals indicated they thought the Internet of Things complicated their detection or mitigation requirements.
https://securityboulevard.com/2018/01/ransomware-automation-and-iot-bots-oh-my/

 

The Labs That Protect Against Online Warfare
The first nation state-level cyber-attack on critical infrastructure, widely attributed to a joint collaboration between American and Israeli intelligence against Iran, was uncovered in 2010. Known as the Stuxnet virus, the attack aimed to take down Iran’s nuclear program. The virus failed to achieve its mission. But by destroying nearly 1,000 uranium-enriching centrifuges, it was unprecedented for having caused physical damage by way of virtual attack. And it ushered in a new era of conflict: that of offensive cyber-warfare.
http://www.bbc.com/future/story/20180103-the-labs-that-protect-against-online-warfare

 

The cutting-edge IDF unit revolutionizing field intelligence
Formed in September 2014 as part of a reorganization of responsibilities by Military Intelligence, Unit 3060 has some 400 soldiers (half of them career intelligence officers) who specialize in technology-related fields. The unit, which reports to the head of Military Intelligence, is made up of 75% men and 25% women. Its mission? Use modern data science for operational and visual intelligence for commanders and intelligence officers to increase the combat effectiveness of the IDF.
http://www.jpost.com/Israel-News/The-cutting-edge-IDF-unit-revolutionizing-field-intelligence-532753

 

What will it take for the US to win against China in cyberspace?
In contrast to China, the U.S. political system isn’t conducive to forming long-term strategic efforts; our four-year political cycles and annual budget cycles make it difficult to commit to a plan and fund the plan throughout. We are at the mercy of rapidly transitioning politicians and their often self-serving proposals. As a result, we operate in periods of growth and deficit, leaving us with a sense of long-term aimlessness.
http://thehill.com/opinion/cybersecurity/367325-what-will-it-take-for-the-us-to-win-against-china-in-cyberspace

 

Cyber Security Statistics 2017: Data Breaches and Cyber Attacks
By December 20, the Identity Theft Resource Center (ITRC) had recorded 1,293 U.S. data breaches in 2017, exposing more than 174 million confidential records. That was 21 percent higher than what was recorded at the same time in 2016. By year’s end, the total number of breaches was expected to reach a record-setting 1,300. In 2016, the ITRC recorded 1,093 breaches. Who’s Affected? The ITRC report broke down the breach results into five industry sectors: business (50.5 percent), medical/healthcare (28.3 percent), educational (8.8 percent), banking/credit/financial (7.1 percent) and government/military (5.3 percent).
https://itsecuritycentral.teramind.co/2018/01/03/cyber-security-statistics-2017-data-breaches-and-cyber-attacks/

 

Ex-U.S. NSA contractor to plead guilty to massive theft of secret data
Prosecutors said Martin, who was indicted last February, spent up to 20 years stealing highly sensitive government material from the U.S. intelligence community related to national defense, collecting a trove of secrets he hoarded at his home in Glen Burnie, Maryland. Authorities said they seized 50 terabytes of data from Martin’s home, which officials said could be the biggest theft of classified information in U.S. history. The government has not said what, if anything, Martin did with the stolen data.
https://www.reuters.com/article/us-usa-cyber-nsa/ex-u-s-nsa-contractor-to-plead-guilty-to-massive-theft-of-secret-data-idUSKBN1ET05R

 

Mother of “swatting” victim wants cop criminally charged for shooting
In reality, there was no hostage situation, and the caller had no connection to the Finch family. But police didn’t know that, so they surrounded the house and demanded that Finch come out of the house. Finch came out the door with his hands up. But then he briefly lowered his hands, and a police officer shot him. The officer says he feared Finch was reaching for a gun tucked into his waistband. In reality, Finch was unarmed.
https://arstechnica.com/tech-policy/2018/01/mother-of-swatting-victim-wants-cop-criminally-charged-for-shooting/

 

Cybersecurity is Microsoft’s New Year’s resolution
“The first half of the year should provide the opportunity for global technology leaders to come together and adopt a cyber-security tech sector accord. This would create a stronger basis for tech companies to act effectively as internet first responders in protecting customers from the full range of cybersecurity threats. Microsoft is committed to helping to advance this effort.
https://www.itproportal.com/news/cybersecurity-is-microsofts-new-years-resolution/

 

VMware Issues 3 Critical Patches for vSphere Data Protection
Each of the vulnerabilities (CVE-2017-15548, CVE-2017-15549, CVE-2017-15550) is rated critical. Affected are VDP versions 6.1.x, 6.0.x and 5.x running on VMware’s Virtual Appliances. The company said no workarounds are available. vSphere Data Protection is a backup solution for use in vSphere environments, and is usually run in tandem with VMware’s vCenter Server and vSphere Web Client.
https://threatpost.com/vmware-issues-3-critical-patches-for-vsphere-data-protection/129277/

 

Security Flaws in GPS Trackers Put Millions of Devices’ Data at Risk
Reportedly, hundreds of GPS services are vulnerable, most of which use open APIs and weak passwords, such as 123456. This ignorance has led to a wide range of privacy issues, for instance, direct tracking, while logged data is exposed due to open directories of these services. More than 100 vulnerable services were identified by the security experts while it was identified that the devices could be attacked by cybercriminals to access personal data.
https://www.hackread.com/security-flaws-in-gps-trackers-millions-of-data-at-risk/

 

36 malicious apps advertised as security tools spotted in Google Play
Many of the apps boast a variety of features such as scanning, cleaning junk, saving battery, cooling the CPU, locking apps, as well as message security, and WiFi security. While the apps are actually able to perform the advertised tasks, they also secretly harvest user data, track user location, and aggressively push advertisements on nearly every action a user performs.
https://www.scmagazine.com/36-malicious-apps-spotted-in-google-play-tracking-users-location/article/734646/

 

Anonymous no more: Reusing complex passwords gives your identity away
A person trying to stay anonymous might think that if they were to reuse that password, there would be no way to unmask their identity. Yet that is not true, according to an article posted on STS Cyber Research. In this case, the research showed, the rarer your password is, the more it “uniquely identifies the person who uses it. If a person uses the same unique password with multiple accounts, then that password can be used as a digital fingerprint to link those accounts.” Although this is not something previously unknown, there seems to be a lack of awareness about the practice.
https://www.csoonline.com/article/3245646/security/deanonymized-through-use-of-complex-passwords.html

 

Sex dolls can be remotely programmed by hackers to harm people or even kill them
According to a recent statistic released by security firm Gemalto, the amount of money that IoT device makers in the UK invest in device security is the second lowest globally, with just 9% of their resources committed towards cyber security. Considering that almost next to nothing is being spent on their security, devices sold by such vendors also rank poorly when it comes to data encryption. The firm added that only 52% of all data captured on IoT devices is encrypted in the UK. As far as AI-powered sex dolls are concerned, the statistic could be no different.
https://teiss.co.uk/news/sex-dolls-hackers-harm-people/

 

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.