IT Security News Blast 01-18-2018

Cyber Attack Costs as Much As a Hurricane

CISOs’ No. 1 Concern in 2018: The Talent Gap
The top concern among CISOs for 2018 falls outside the typical realm of attacks, employee negligence, or staffing shortages, according to findings released this week in a Ponemon Institute Survey. The top concern: “lack of competent in-house staff.” “I am not surprised that this was a leading concern – it is consistent with what we have been hearing as a critical need and gap in the market.
https://www.darkreading.com/vulnerabilities---threats/cisos-no-1-concern-in-2018-the-talent-gap/d/d-id/1330800

Cyber attack damage could cost as much as Hurricane Katrina
“If an attacker took down a major cloud provider, the damages could be $50bn (£36bn) to $120bn, so something in the range of a [Hurricane] Sandy event to a Katrina event,” said John Drzik from Marsh, speaking at the launch of the WEF’s annual Global Risks Report. Cyber attacks now cost around $1 trillion in damage per year compared to 2017’s record of $300bn for natural disasters, he said.
http://www.telegraph.co.uk/business/2018/01/17/cyber-attack-damage-could-cost-much-hurricane-katrina/

Banks can once again be fortresses — this time in the cyber world
Yet despite all these modern examples of destructive, cunning or insidious mechanisms for cyber-attack, the defences of financial institutions appear to be holding out well. […] There will always be some luck involved, but the lack of any significant breaches and the successful defence against WannaCry implies bank information security teams are doing a lot right.
https://www.fnlondon.com/articles/banks-can-once-again-be-fortresses-this-time-in-the-cyber-world-20180117

Why Are There No Cyber Arms Control Agreements?
Arms control regimes may also form if governments are able to make reasonable calculations regarding the likely military effect of technological changes. However, the rapid and unpredictable pace of technological innovation in the cyber domain complicates these assessments. At the tactical level, attack vectors and offensive capabilities are continuously evolving, in contrast to the nuclear arena where innovations had long development timelines and could often be observed.
https://www.cfr.org/blog/why-are-there-no-cyber-arms-control-agreements

New national defense strategy to shed light on Pentagon’s thinking about war in space
Space and cyber are “new investment categories that are trying to displace, to some extent, existing force structure,” he said. Defense leaders and strategists have said the military needs to invest in modern technology to improve data analysis, intelligence, surveillance and other information-centric capabilities. But most of the Pentagon’s budget today is spent on old-school weapons. This creates a dilemma for the administration as it tries to position the military to win in the so-called “great power competition” against Russia and China.
http://spacenews.com/new-national-defense-strategy-to-shed-light-on-pentagons-thinking-about-war-in-space/

ANALYSIS: Unveiling Iranian pro-government trolls and cyber-warriors
Iranian trolls may be divided into several categories. Many of these trolls use VPNs to bypass Facebook and Twitter blocks and then extol their country’s authorities and its regime and, as they see it, protect their Motherland’s interests on these social networks. Of course, they also attack critics of the regime and of Iran as a whole. A Western reader may consider this illogical, but from the point of view of Iranian “Internet-patriots” this is perfectly normal.
http://english.alarabiya.net/en/perspective/features/2018/01/17/ANALYSIS-Unveiling-Iranian-pro-government-trolls-and-cyber-warriors.html

Time for election reform
Congressional investigations have uncovered extensive interference – attempted fraud – by Russia and other foreign agents, including attempts to hack electronic voting machines, attempts to hack voter rolls to add or delete voters, targeted internet advertising, and targeted fake news and trolling. Here are five obvious reforms to strengthen the “critical infrastructure” of our democracy.
http://www.homelandsecuritynewswire.com/dr20180116-time-for-election-reform

Proposed Pentagon plan sees nuclear response to some cyberattacks
If put into practice, the plan, called the Nuclear Posture Review, would break decades of precedent under which the United States used its nuclear arsenal only in response to a limited set of attack types, such as nuclear or biological, according to a report in The New York Times. The proposed nuclear strategy would encompass cyberattacks against the power grid or communications capabilities.
https://www.scmagazine.com/proposed-pentagon-plan-sees-nuclear-response-to-some-cyberattacks/article/737616/

Internet of Things security issues bleed into 2018
The great majority of the new IoT security schemes proposed do not work to protect the devices already installed within your networks, and the many competing and new ideas for protecting IoT are still years away from volume deployment. This combination of perpetually-connected and never secure makes IoT devices the perfect storm of opportunity for cyberattackers.
https://www.helpnetsecurity.com/2018/01/16/internet-of-things-security-issues-2018/

Supply-Chain Security as a Market Force [Slideshow with witty insights]
Audio of Mike Hamilton speaking at T-Mobile last November 30, along with the slides, discussing IoT landmines, executive negligence, and creepy ad tracking that are pointing us all toward market-based security. Highlights:
· The entire internet is booby-trapped
· Don’t click on anything, ever
· That karaoke site you went to yesterday is no longer okay
· There are no records left to steal
· How government infosec regulations are similar to tostadas
https://criticalinformatics.com/resources/blog/bonus-video-mike-hamilton-discusses-your-favorite-infosec-trends-for-2018/

Cyberthreat Update: Efficiency Versus Security
The emerging threats to cybersecurity are growing. Col. Hall focused on the global supply chain, artificial intelligence (AI) weapons factories, information warfare and critical infrastructure. “The entire supply chain is something you need to look at. We are seeing companies and subcontractors end up with a very vast supply chain because in order to do things you need to do a lot of outsourcing,” he said.
https://www.afcea.org/content/cyberthreat-update-efficiency-versus-security

The impromptu Slack war room where ‘Net companies unite to fight Spectre-Meltdown
“When this stuff broke, nobody had heard a peep from Intel or from anybody else directly,” Zachary Smith, CEO of the hosting service Packet, told Ars. “All we could see is what was going on Google’s blog about how to exploit this stuff. So we were all scrambling. The big guys—Google, Amazon, and Microsoft—have had 60 days at least of prep time, and we’ve had negative prep time.”
https://arstechnica.com/information-technology/2018/01/the-impromptu-slack-war-room-where-net-companies-unite-to-fight-spectre-meltdown/

Potent Skygofree Malware Packs ‘Never-Before-Seen’ Features
Researchers have identified a powerful new Android malware strain called Skygofree, capable of eavesdropping on WhatsApp messages, siphoning private data off phones and allowing adversaries to open reverse shell modules on targeted devices, giving attackers ultimate remote control. Researchers said the malware was developed three years ago and has evolved significantly since then to include 48 unique commands in its most recent iteration.
https://threatpost.com/potent-skygofree-malware-packs-never-before-seen-features/129479/

HTML5 may as well stand for Hey, Track Me Longtime 5. Ads can use it to fingerprint netizens
For example, different browsers process sound files in slightly different ways, allowing an ad network – or any website – to potentially work out which version of a browser is being used on which operating system. Couple this with other details – such as the battery level and WebRTC – and you can start to form a fingerprint for an individual user.
https://www.theregister.co.uk/2018/01/17/html5_online_tracking/

New botnet infects cryptocurrency mining computers, replaces wallet address
After gaining control of the coin-mining software, the malware replaces the wallet address the computer owner uses to collect newly minted currency with an address controlled by the attacker. From then on, the attacker receives all coins generated, and owners are none the wiser unless they take time to manually inspect their software configuration.
https://arstechnica.com/information-technology/2018/01/in-the-wild-malware-preys-on-computers-dedicated-to-mining-cryptocurrency/

BIND comes apart thanks to ancient denial-of-service vuln
The result: if you’re running a vulnerable version of BIND and using DNSSEC, you need to patch the server against a denial-of-service vulnerability. […] The vulnerability, disclosed on January 16th, is in the named (name daemon): “Improper sequencing during cleanup can lead to a use-after-free error, triggering an assertion failure and crash in named”, the advisory states.
https://www.theregister.co.uk/2018/01/17/bind_patch_catches_crashes/

Wi-Fi Alliance announces WPA3 to secure modern networks
There are four main enhancements to the standard, but the Alliance did not divulge technical details on how these will be implemented. The first is “robust protections” for people who use weak passwords, as well as protection against what are known as dictionary attacks to try and brute force the password. Second, WPA3 aims to simplify the configuration process and security for devices with limited display interfaces. This will be ideal for sensors and Internet of Things (IoT) devices.
https://www.networkworld.com/article/3247658/wi-fi/wi-fi-alliance-announces-wpa3-to-secure-modern-networks.html

Virtual Reality (VR) Porn App Exposed Personal Data of 20k Users
On December 28th, 2017, one of the researchers from Digital Interruption discovered vulnerabilities in SinVR’s app which, upon exploitation, gave him access to usernames, email addresses and download details of 20,000 users. But it did not end there: the researcher noted that there was no authentication on the endpoint, making it possible for hackers to download a full list of SinVR users. This means the vulnerabilities would let hackers know everything about a user, for instance their fantasies and who bought scenes through PayPal.
https://www.hackread.com/virtual-reality-vr-porn-app-exposed-user-data/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.