IT Security News Blast 01-09-2018

Hackers Print Digital Money

Wary Businesses Test Fixes for Chip Flaws Before Installing
Banks and other financial institutions spent much of the week studying the vulnerabilities, said Greg Temm, chief information risk officer with the Financial Services Information Sharing and Analysis Center, an industry group that shares data on emerging cyber threats. […] “It’s like getting a diagnosis of high blood pressure, but not having a cardiac arrest,” Temm said. “We’re taking it seriously, but it’s not something that is killing us.”


More stuff broken amid Microsoft’s efforts to fix Meltdown/Spectre vulns
More examples have emerged of security fixes for the Meltdown vulnerability breaking things. Patching against CVE-2017-5753 and CVE-2017-5715 (Spectre) and CVE-2017-5754 (Meltdown) borks both the PulseSecure VPN client and Sandboxie, the sandbox-based isolation program developed by Sophos.


D.A.G. Rosenstein: ‘Sophisticated Attacks Focus On Particular Businesses’
“Increasingly, technology frustrates traditional law enforcement efforts to collect evidence needed to protect public safety and solve crimes.” He continues, “For example, many instant-messaging services now encrypt messages by default. And smartphone manufacturers made a conscious decision to engineer their phones to eliminate the capability to recover data stored on the devices.”


The financial impact of data breaches is just the beginning
Though every data breach is different, Ponemon has identified the average cost of a breach as $3.62 million in its 2017 Cost of Data Breach study, though certain industries can have more costly breaches. However, it is almost as important to consider those indirect costs which can also affect a company’s chance of rebounding from a cyber attack.


Cybersecurity Needs to Move from IT to Boardrooms
What Palo Alto Networks found in its survey was that most of the companies also followed a ‘response’ mechanism – reacting to threats after they had occurred and already resulted in significant damage and loss of data. Companies, especially those in the financial services sector, have to move away from this mindset and think about ‘prevention’.


Report: Ransomware Attacks Against Healthcare Orgs Increased 89 Percent in 2017
According to the report, there were a total of 140 data breach events characterized and reported to HHS OCR as IT/hacking in 2017, representing an almost 24 percent increase over the 113 IT/hacking events reported in 2016. For a historical view, there were 57 reports for IT/hacking in 2015 and 35 reports in 2014. The number of reported major IT/hacking events attributed to ransomware by health care institutions increased by 89 percent from 2016 to 2017.


IoT risks, insider threats, password hacks, biometric cracks: Cybersecurity in 2018 looks messy
This is what 2018 will look like on the cybersecurity front, according to professional services firm Aon’s industry specialists in its new 2018 Cybersecurity Predictions report. “In 2018, we anticipate heightened cyber exposure due to a convergence of three trends: first, companies’ increasing reliance on technology; second, regulators’ intensified focus on protecting consumer data; and third, the rising value of non-physical assets,” said Jason Hogg, CEO of Aon Cyber Solutions.


War Games: Cyber Espionage and the New ‘Cold War’
With nation-states continuing to expand and deploy their new capabilities, history looks as if it is doomed to repeat itself. The prospect of cyber war draws a haunting parallel to the strained diplomacy of the Cold War era, and perhaps more significantly, will intensify the already uneasy relations between the United States, Russia, China, Iran, and North Korea. But while media stories certainly reflect this escalating ‘cold war’ diplomacy, they fail to ask the obvious, yet unspoken question: Are we at war?


Global backlash over Iran’s cyber battle against protesters
“The Iranian government tends to slow the Internet in times of big protests like 2009 and this past week’s protests. They also have censored Twitter, Facebook, and YouTube. But that hasn’t stopped Iranians from using circumvention tools like VPNs to override the censorship. Iranians are professionals when it comes to circumvention, and though the government attempted to curb social media coverage of the protests, it hasn’t stopped Iranians from sharing information with the world.”


Indonesia to hire hundreds of employees for new Cyber Security Agency
The agency will monitor cyber crimes and identify perpetrators. The government did not say whether the National Cyber and Encryption Agency will also have the authority to prosecute crimes. “We will be coordinating with the police, military, and other institutions with cyber capabilities on the information we check,” Setiadi also said.


China’s Cybersecurity Law Pushes Cyber Sovereignty Vision
According to the framework of China’s Cybersecurity Law, Chinese authorities have the ability to conduct spot-checks on any company’s network operations at any time. Moreover, China’s Cybersecurity Law includes a provision for data localization, in which sensitive personal data about Chinese citizens would need to be stored within mainland China itself rather than outside its borders.


CBP releases new guidelines on phone, laptop searches at US borders
Border searches of electronic devices will be limited to only the information that is resident on the device. Information that is “solely stored remotely” (i.e. only in the cloud) is off limits, and to make sure that this limitation is complied with, officers will disable device connectivity to any network. Searches should be conducted in the presence of the individual whose information is being examined (with exceptions), but that doesn’t mean that the individual will always get to observe the search.


VTech hack fallout: What is a kid’s privacy worth? About 22 cents – FTC
The government watchdog said VTech will pay $650,000 and agree to a set of privacy and security requirements in order to settle charges it violated both the Children’s Online Privacy Protection Act (COPPA) and the FTC Act. The settlement deal puts to bed allegations by the FTC that VTech broke the law with the operation of its Learning Lodge, Kid Connect, and Planet VTech games and educational websites for kids.


Hundreds of Android Gaming Apps are Tracking Your TV Viewing Habits
The software allows apps to use the microphone on a device to identify audio signals from TV advertisements, then collect and share the data with companies for targeted advertising. However, what may worry some is the fact that once the apps are running in the background, the software could detect audio even when the phone is in a pocket.


Nebraska Introduces Law to Reinstate Net Neutrality
Nebraska is not the only place using state law to fight the deeply unpopular repeal. In Washington state, lawmakers hope to force broadband companies to disclose accurate information about the price and speed of their services and prevent them from creating “fast lanes” of internet access for consumers who pay more. […] Additionally, 16 state attorneys general have pledged to sue the FCC to stop the repeal, led by New York Attorney General Eric Schneiderman.


Ex-NSA hacker builds AI tool to hunt hate groups’ symbols online
The images her tool automatically seeks out are so-called dog whistles, be they the Black Sun (also known as the “Schwarze Sonne,” an image based on an ancient sun wheel artifact created by pagan German and Norse tribes that was later adopted by the Nazi SS and which has been incorporated into neo-Nazi logos) or alt-right doctored Pepe the Frog memes. Crose dubbed the AI tool NEMESIS. She says the name is that of the Greek goddess of retribution against those who succumb to arrogance against the gods[.]


Marcus Hutchins was coerced into admitting to cyber charges, his lawyers claim
“The defense believes the requested discovery will show the government was aware of Mr. Hutchins’ activities while he was in Las Vegas, including the fact that he had been up very late the night before his arrest, and the high likelihood that the government knew he was exhausted and intoxicated at the time of his arrest,” claimed his lawyers in a motion filed on Friday.


Hackers find new ways to print digital money for free
Based on the rate the underlying cryptographic hashes are being generated, Morphus Labs Chief Research Officer Renato Marinho estimated that about 450 separate conscripted machines are participating. Marinho analyzed one of the servers and found that attackers gained control over it by exploiting CVE-2017-10271, a critical vulnerability in Oracle’s WebLogic package that was patched in October. The owner of the compromised server, however, had yet to install the fix.


Facial recognition fooling glasses could subvert TSA security
Using seemingly inconspicuous glasses, a user can trick the algorithm into producing an inaccurate reading of a person’s face. This prompted the researchers to present their findings to the Transportation Security Administration and recommend that the agency require people to remove glasses and jewelry to prevent the attack from being carried out, according to their study.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.