IT Security News Blast 01-24-2018

GLBA Financial Regulation

The Gramm-Leach-Bliley Act (GLBA) is one of the central regulations for financial services companies.
While the Financial Privacy Rule governs how institutions collect and disclose customers’ personal financial information, the Safeguards Rule requires financial institutions to have controls in place to secure customer information. Additionally, institutions covered by the Rule must take steps to ensure that their service providers and affiliates protect customer data as well. The infographic at the link below describes the five key elements required to comply with the GLBA Safeguards Rule; a PDF version is available for download there.
https://criticalinformatics.com/blog/resources/5-glba-requirements-for-infosec-programs

Criminals Finding FinTech to Their Liking
Flashpoint analysts identified a number of fintech services gaining traction that are in criminals’ crosshairs, including digital wallets such as Apple Pay and Android Pay, peer-to-peer payment platforms such as Venmo and Zelle, free credit reporting services, and financial management and data aggregation platforms such as Mint and Power Wallet.
https://www.flashpoint-intel.com/blog/criminals-finding-fintech-liking/

Express Scripts Clashes With Investor Over Cyber-Risk Disclosure
“We’re at the point where everyone — investors, directors, regulators — is recognizing that this is a critical issue,” said Gianna McCarthy, director of corporate governance at the comptroller’s office, which oversees about $164 million of Express Scripts stock for the $200 billion New York State Common Retirement Fund. “Investors need more disclosure.”
https://www.bloomberg.com/news/articles/2018-01-23/express-scripts-clashes-with-investor-over-cyber-risk-disclosure

Most Companies Suffer Reputation Damage After Security Incidents
Seventy percent of organizations worldwide suffered at least one security incident during the past year – up from 68% in the previous year, a new study by Kroll found. […] Nearly two-thirds of companies said fraud (65%), cyber (67%), or security (66%) incidents had damaged their reputations. Some 23% say their company suffered losses of 7% or more in revenues.
https://www.darkreading.com/cloud/most-companies-suffer-reputation-damage-after-security-incidents/d/d-id/1330869

Filing Deadline Approaching for New York’s Cybersecurity Regulation
Vullo also announced that DFS will now be incorporating cybersecurity in all examinations. This includes adding questions related to cybersecurity to “first day letters,” which are notices the department issues to commence its examinations of financial services companies, including examinations of banks and insurance companies for safety, soundness and market conduct.
https://www.insurancejournal.com/news/east/2018/01/23/478107.htm

Cybersecurity Guru Mac McMillan on Disruption that Could be Coming in 2018 [Podcast]
“[The year] 2017 saw new attacks, bigger attacks, and attacks against things that we hadn’t considered before on the scale that they were, such as the NotPetya and WannaCry [incidents]. We also saw the evolution of attacks, going from ransomware to the disruptive model we have today, which is very effective. And the attackers know that it’s effective; that’s why they’re doing it.”
https://www.healthcare-informatics.com/article/cybersecurity/healthcare-informatics-podcast-cybersecurity-guru-mac-mcmillan-disruption

UK Army chief warns of major Russia cyber-attack
The suggestion came shortly after Chief of the General Staff Nick Carter said in a rare public speech that Russia poses the “most complex and capable” security challenge since the end of the Cold War, and warned against complacency. […] The Army chief detailed Moscow’s growing military capabilities, which he illustrated with a Russian-language video he described as “information warfare at its best”.
https://www.deccanchronicle.com/world/europe/240118/uk-army-chief-warns-of-major-russia-cyber-attack.html

Uncontrolled cyber attacks on UK cyber defenders’ radar
In the UK, the biggest impact of WannaCry was on the NHS, but despite the level of disruption caused, it ranked only as a category two (C2) attack, requiring a cross-government response. Martin reiterated the NCSC’s fairly long-standing view that the UK in all likelihood could face a major category one (C1) cyber attack of national significance by 2020.
http://www.computerweekly.com/news/252433607/Uncontrolled-cyber-attacks-on-UK-cyber-defenders-radar

Cyber takes on new prominence in shutdown government
A spokesperson for the Department of Homeland Security, which oversees both programs, referred FCW to OMB for all questions related to how the agency prepares for a shutdown. According to the latest DHS shutdown plan, the National Protection and Programs Directorate, which helps manage both CDM and AIS, would furlough approximately 45 percent of its total workforce and up to 80 percent of its cyber workforce in the event of a shutdown.
https://fcw.com/articles/2018/01/23/cyber-shutdown-johnson.aspx

Hacking nuclear systems is the ultimate cyber threat. Are we prepared?
The stakes are high for this multibillion-dollar sector: a cyberattack combined with a physical one could, in theory, lead to the release of radiation or the theft of fissile material. However remote the possibility, the nuclear industry doesn’t have the luxury of banking on probabilities. And even a minor attack on a plant’s IT systems could further erode public confidence in nuclear power. It is this cruelly small room for error that motivates some in the industry to imagine what, until fairly recently, was unimaginable.
https://www.theverge.com/2018/1/23/16920062/hacking-nuclear-systems-cyberattack

Here’s why the epidemic of malicious ads grew so much worse last year
Now, researchers have uncovered one of the forces driving that spike—a consortium of 28 fake ad agencies. The consortium displayed an estimated 1 billion ad impressions last year that pushed malicious antivirus software, tech support scams, and other fraudulent schemes. By carefully developing relationships with legitimate ad platforms, the ads reached 62 percent of the Internet’s ad-monetized websites on a weekly basis[.]
https://arstechnica.com/information-technology/2018/01/malvertising-factory-with-28-fake-agencies-delivered-1-billion-ads-in-2017/

Net neutrality is bad? 1 million PornHub employees can’t be wrong. Oh, wait
In some cases, it was clear that email addresses used for the submissions were fake. For instance, Figueroa noted that more than one million bulk submissions used email addresses associated with the domain pornhub.com. […] Of those comments that were clearly submitted directly to the FCC (rather than through a bulk upload system), the vast majority favored network neutrality. And while “the majority of the raw total number of comments fall into the anti-neutrality camp,” Figueroa said, the majority of the comments that were likely organic—including those submitted through another system—were in favor of network neutrality.
https://arstechnica.com/tech-policy/2018/01/analysis-shows-majority-of-anti-net-neutrality-comments-came-from-bots/

Apple Is Blocking an App That Detects Net Neutrality Violations From the App Store
Update: After this article was published, Apple told Dave Choffnes that his iPhone app, designed to detect net neutrality violations, will be allowed in the iTunes App Store. According to Choffnes, Apple contacted him and explained that the company has to deal with many apps that don’t do the things they claim to do. Apple asked Choffnes to provide a technical description of how his app is able to detect if wireless telecom providers throttle certain types of data, and 18 hours after he did, the app was approved.
https://motherboard.vice.com/en_us/article/j5vn9k/apple-blocking-net-neutrality-app-wehe

Electronic voting box makers try to get gear stripped from eBay and out of hackers’ hands
Vendor intimidation, default passwords, official state seals for sale. Yes, we’re talking about computer-powered election machines. […] Speaking at the Shmoocon conference in the US capital last week, Finnish programmer and village organizer Harri Hursti said the team was having trouble getting voting machines to compromise for this year’s hackfest, in part because manufacturers weren’t keen to sell kit that could expose their failings.
https://www.theregister.co.uk/2018/01/23/electronic_voting_machine_update/

Florida makes info on 1K Kansas voters public, lawmakers ask DHS to clarify role regarding election integrity commission
Florida released partial social security numbers for close to 1,000 Kansas voters after receiving data from Kansas Secretary of State Kris Kobach as part of the Crosscheck program that identifies double voter registration. […] The commission was disbanded in early January after it faced resistance from states fearing privacy concerns and voter suppression as well as a wide array of lawsuits.
https://www.scmagazine.com/florida-makes-info-on-1k-kansas-voters-public-lawmakers-ask-dhs-to-clarify-role-regarding-election-integrity-commission/article/738989/

Psychologically-engineered elections and how the US fights against it
“Russia interfered with the elections, but so did China, the Muslim Brotherhood, special interest groups within our borders, the metadata curators, and the dragnet surveillance capitalists, that turned into dragnet surveillance propagandists like Google, Facebook, YouTube, [and] Twitter[.]” […] CyberFrame’s Rob Bathrust called it “the manipulation of the perception of the people based on the targeting of ads for content not products. If you think about it in a large scale, the candidate running or the policy that they are looking to pass becomes the product. So the more fervor you can make to reach the base that believes in that product, the better success you’re going to have in the overall election.”
https://federalnewsradio.com/cyber-chat/2018/01/psychologically-engineered-elections-and-how-the-u-s-fights-against-it/

Penetration testing is a reference point, not a strategy
If penetration and other testing of your defenses is something you’re prioritizing this year, be aware: the information you will obtain is not revelatory, and simply addressing the specifics of whatever vulnerability was exploited will not appreciably change the outcome for the next penetration test (which may not be a test).
https://www.csoonline.com/article/3250267/network-security/penetration-testing-is-a-reference-point-not-a-strategy.html

Meltdown and Spectre Patching Has Been a Total Train Wreck
Now both individuals and organizations continue to struggle with understanding whether they have the right updates installed to actually protect their systems without causing more problems. “This has probably been some of the most confusion I’ve ever seen on an exposure,” TrustedSec’s Kennedy says. “It wasn’t well coordinated.”
https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/
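The confusion Kennedy describes has one objective anchor on Linux: since 4.15 (and the distribution backports shipped in January 2018) the kernel reports its own view of each issue under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not code from the Wired article or TrustedSec; it reads that interface and refuses to call a host patched unless the kernel says so. The sample strings are of the form 4.15-era kernels emit ("Mitigation: PTI", "Vulnerable: Minimal generic ASM retpoline"); the wording after the keyword varies by kernel version, so only the leading keyword is trusted, and an absent file is reported as unknown rather than safe.

```python
import os

# Kernel sysfs interface (Linux 4.15 and the January 2018 distro backports).
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status_line):
    """Map one sysfs status line to (state, detail).

    Real lines look like "Not affected", "Vulnerable", "Mitigation: PTI" or
    "Vulnerable: Minimal generic ASM retpoline". The text after the keyword
    changes between kernel versions, so only the leading keyword decides.
    """
    s = status_line.strip()
    if s.startswith("Not affected"):
        return ("not_affected", "")
    if s.startswith("Mitigation:"):
        return ("mitigated", s[len("Mitigation:"):].strip())
    if s.startswith("Vulnerable"):
        return ("vulnerable", s[len("Vulnerable"):].lstrip(": ").strip())
    return ("unknown", s)


def read_sysfs(directory=SYSFS_DIR):
    """Raw file contents per check; None where the file does not exist."""
    raw = {}
    for name in CHECKS:
        try:
            with open(os.path.join(directory, name)) as fh:
                raw[name] = fh.read()
        except OSError:
            raw[name] = None
    return raw


def assess(raw):
    """Classify each check. An absent file means the kernel predates the
    reporting interface, which is 'unknown', never 'patched'."""
    result = {}
    for name in CHECKS:
        text = raw.get(name)
        if text is None:
            result[name] = ("unknown", "no sysfs entry: kernel predates the reporting interface")
        else:
            result[name] = classify(text)
    return result


def needs_action(assessment):
    """Checks still to chase: reported vulnerable, or not reported at all."""
    return sorted(name for name, (state, _) in assessment.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    # Constructed sample: a host with the PTI kernel but no retpoline-capable
    # compiler, as many January 2018 hosts were (assumed, not a real capture).
    sample = {
        "meltdown": "Mitigation: PTI\n",
        "spectre_v1": "Mitigation: __user pointer sanitization\n",
        "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
    }
    source = read_sysfs() if os.path.isdir(SYSFS_DIR) else sample
    report = assess(source)
    for name, (state, detail) in report.items():
        print(f"{name:11} {state:13} {detail}")
    print("needs action:", needs_action(report))
```

On a live host the script reads the real sysfs files; elsewhere it falls back to the constructed sample. Note what it does not tell you: whether the CPU microcode update the Spectre v2 mitigations depend on is actually loaded, which the Windows-side equivalent, Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), reports separately.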

App Flaws Allow Snoops to Spy On Tinder Users, Researchers Say
Attackers can view a user’s Tinder profile, see the profile images they view and determine the actions they take, such as swiping left or right, if they are on the same wi-fi network as a target, according to a Checkmarx report released Tuesday. […] One vulnerability lies in the fact that currently, both the iOS and Android versions of Tinder download profile pictures via insecure HTTP connections, Checkmarx said.
https://threatpost.com/app-flaws-allow-snoops-to-spy-on-tinder-users-researchers-say/129625/
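The HTTP finding is worth making concrete: anyone on the same Wi-Fi who can see the victim's packets can rebuild, from the request lines alone, exactly which images the app fetched, and refetch them. The script below is an added example, not code from the Checkmarx report or from Tinder; the capture it parses is constructed, and the hostnames and the /profiles/<id>/ path layout are hypothetical. The last payload is a TLS ClientHello, included to show the caveat a practitioner should keep in mind when the fix is "move it to HTTPS": the observer still learns the server name from SNI, just not the path.

```python
import re
import struct
from typing import Dict, List, Optional

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".webp")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_http_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Parse an HTTP/1.x request head; None for anything else (e.g. TLS bytes)."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": m.group(1).decode("ascii"),
            "path": m.group(2).decode("latin-1"),
            "host": headers.get("host", "")}


def observed_image_views(payloads: List[bytes]) -> List[str]:
    """Image URLs the observer can reconstruct (and refetch) from cleartext GETs."""
    views = []
    for payload in payloads:
        req = parse_http_request(payload)
        if req and req["method"] == "GET" and req["path"].lower().endswith(IMAGE_EXTENSIONS):
            views.append(f"http://{req['host']}{req['path']}")
    return views


def observed_profiles(views: List[str]) -> List[str]:
    """Profile ids leaked by the hypothetical /profiles/<id>/ layout, in view order."""
    ids: List[str] = []
    for url in views:
        m = re.search(r"/profiles/(\d+)/", url)
        if m and m.group(1) not in ids:
            ids.append(m.group(1))
    return ids


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying only a server_name extension (constructed)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(payload: bytes) -> Optional[str]:
    """What HTTPS still shows the observer: the server name in the ClientHello."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 9 + 2 + 32                                       # record + handshake headers, version, random
    p += 1 + payload[p]                                  # session id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]    # cipher suites
    p += 1 + payload[p]                                  # compression methods
    end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        p += 4
        if etype == 0:   # server_name data: list len(2), name type(1), name len(2), name
            name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
            return payload[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None


def sample_capture() -> List[bytes]:
    """Constructed payloads as seen on a shared network (hypothetical hosts)."""
    return [
        b"GET /profiles/1234/photo_1.jpg HTTP/1.1\r\nHost: images.example-dating.test\r\n"
        b"User-Agent: DatingApp/8.0 (iPhone)\r\n\r\n",
        b"GET /profiles/1234/photo_2.jpg HTTP/1.1\r\nHost: images.example-dating.test\r\n\r\n",
        b"GET /manifest.json HTTP/1.1\r\nHost: images.example-dating.test\r\n\r\n",
        b"GET /profiles/9876/photo_1.png HTTP/1.1\r\nHost: images.example-dating.test\r\n\r\n",
        build_client_hello("api.example-dating.test"),   # the API traffic, over TLS: opaque
    ]


if __name__ == "__main__":
    capture = sample_capture()
    views = observed_image_views(capture)
    print("cleartext image fetches:", views)
    print("profiles the victim looked at:", observed_profiles(views))
    print("TLS flows reveal only:", [tls_sni(p) for p in capture if tls_sni(p)])
```

The design point: the observer never needs to break anything, only to read request lines, which is why "the same Wi-Fi network" is the whole precondition in the report. Serving the images over HTTPS removes the path and the profile identifier from the observer's view; the SNI parser shows what it does not remove.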

Pirated Version of Fire and Fury Book Loaded with Malware
According to Molsner, a pirated version of the book is loaded with malware. The digital version of Fire and Fury is officially sold by established eBook retailers such as Apple and Amazon, and those versions are free from malware. It is the pirated version, easily available on torrents and social media, that is infected.
https://www.hackread.com/pirated-version-of-fire-and-fury-loaded-with-malware/


====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.