IT Security News Blast 01-25-2018

Board Room Cybersecurity

Cyber security risks rise with adoption of new technology: Survey
“The adoption of new technologies has resulted in treasury and finance practitioners managing cyber risk almost twice as much as business continuation and errors and omissions risks,” says the survey report issued by the Bethesda, Maryland-based Association for Financial Professionals, which was based on a survey of 614 officials.
http://www.businessinsurance.com/article/20180124/NEWS06/912318705/Cyber-security-risks-rise-adoption-new-technology-Marsh-McLennan-survey

Cybersecurity: What Does the Board Want and Need?
Now more than ever, it is up to a company’s CISO to lay out the landscape in a way that is easily accessible with actionable information to ensure the organization is making cost-effective decisions regarding its handling of cyber-risks. Here is what they need to hear from the security team.
https://www.infosecurity-magazine.com/opinions/cybersecurity-board/

Lloyd’s: cloud failure could cost $15bn
In the report, it was found that companies outside of the Fortune 1000 — who are more likely to use cloud provider services — would carry a larger share of the economic and insurance losses than Fortune 1000 companies. However, the biggest 1000 companies in the US would still carry 38 per cent of economic losses.
http://www.royalgazette.com/business/article/20180124/lloyds-cloud-failure-could-cost-15bn

What’s Ahead in Health Informatics for 2018? The Ransomware Crisis and Beyond
Without an accepted standard for reasonable cybersecurity, organizations will remain unable to protect themselves from litigation claiming negligence in their data management. […] And in many cases, they will remain behind, because IT security involves what professionals describe as “asymmetric warfare,” a fancy way of saying that the cost of the attack is many times less than the cost of defense.
https://www.racmonitor.com/what-s-ahead-in-health-informatics-for-2018-the-ransomware-crisis-and-beyond

The Gramm-Leach-Bliley Act (GLBA) is one of the central regulations for financial service companies.
While the Financial Privacy Rule governs how institutions collect and disclose customers’ personal financial information, the Safeguards Rule requires financial institutions to have controls in place to secure customer information. […] The infographic below describes the 5 key elements required to comply with the GLBA Safeguards Rule. You can also download the PDF for reference here.
https://criticalinformatics.com/resources/blog/5-glba-requirements-for-infosec-programs/

Expect More Cybersecurity ‘Meltdowns’
First, these flaws often affect consumer devices, many of which are not designed to receive patches. Second, firmware fixes are tricky for consumers to install, and sometimes OEMs never even build and distribute patches. Finally, for 20 years, microprocessors have been built to prioritize speed over security. “Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines,” he says.
https://www.bankinfosecurity.com/blogs/expect-more-cybersecurity-meltdowns-p-2586

The New Rules Of Cybersecurity
Iran is no longer only taking a disruptive approach; it now has destructive capability as well. North Korea has also demonstrated a growing ability to successfully target institutions around the world. America’s sophisticated, networked critical infrastructure—our financial institutions, our electrical grid, our telecommunications sector—also make the U.S. potentially vulnerable to nation-states as well as cyber-terrorists who have a clear intent to do us harm, but only lack capability for the time being.
https://chiefexecutive.net/the-new-rules-of-cybersecurity/

Southeast Asia is hugely at risk of cyberattacks. It’s not investing nearly enough in security, report says [Video]
· The Association of Southeast Asian Nations needs to significantly increase its spending on cybersecurity to protect the bloc’s growing digital economy
· A report from A.T. Kearney said the 10-member bloc needs to spend about $171 billion collectively on cybersecurity between 2017 and 2025
· Not doing so can potentially cost the top 1,000 companies in ASEAN about $750 billion in market capitalization, the report noted
https://www.cnbc.com/2018/01/23/asean-need-to-increase-cybersecurity-spending-says-new-report.html

Singapore and Malaysia ahead in cyber-security, but concerns remain
A recent report by global consulting firm A.T. Kearney has found that Singapore and Malaysia are leading the Asean region with advanced cyber-security policies and plans already in place. The research report, titled Cybersecurity in Asean: An Urgent Call To Action, was commissioned by Cisco and pointed out that national cyber-security strategies have been laid out by Singapore, Malaysia, Thailand and the Philippines. A few countries have set up national agencies to consolidate and coordinate cyber-security agendas, the report highlighted.
https://www.digitalnewsasia.com/digital-economy/singapore-and-malaysia-ahead-cyber-security-concerns-remain

Chinese companies ‘increasingly falling victim to bitcoin, cryptocurrency fraud’
One commonly seen type of scam is when someone hacks into the email system of a company and pretends to be the chief executive or other senior management and tells the junior staff to transfer money to their personal accounts, said Violet Ho, head of Kroll’s Greater China investigations and dispute practice. “Many of these monetary transfers were made in Hong Kong as the city is an international financial centre[.]”
http://www.scmp.com/business/banking-finance/article/2130293/chinese-companies-increasingly-falling-victim-bitcoin

Hacker steals data from up to 100,000 Bell Canada customers in second breach in eight months
BCE Inc. confirmed Tuesday that hackers got hold of ‘fewer than 100,000’ customers’ information, including names and email addresses. This follows a hack in May 2017 when 1.9 million email addresses and about 1,700 names and phone numbers were stolen from Bell’s database. “There is no indication that any credit card or other banking information was accessed,” Bell spokesman Marc Choma said in a statement.
http://business.financialpost.com/telecom/hacker-steals-data-from-up-to-100000-bell-canada-customers-in-second-breach-in-eight-months

Fresh botnet recruiting routers with weak credentials
It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution.
https://www.theregister.co.uk/2018/01/24/fresh_botnet_recruiting_routers_with_weak_credentials/

Here’s what the military’s ‘flight simulator’ for cyberwarfare might look like
The demo, seen below, was primarily intended to show how a cadet could learn about and then remediate a distributed denial of service (DDoS) attack, which in this scenario, had eliminated communications between a drone and other vehicles in a faux battlefield.
https://www.cyberscoop.com/cyber-command-training-raytheon-lockheed-martin-pcte/

The Pentagon Should Adjust Standards for Cyber Soldiers — As It Has Always Done
In fact, however, the armed forces have been down this road before. When there’s a need for more troops, especially with critical skills, the services have been known to resort to creative personnel policies (including modifying or ignoring some standards) to keep troops in uniform. Though these measures are often fraught with risks, they are risks the U.S. military must undertake if it is to be relevant in cyberspace.
https://warontherocks.com/2018/01/pentagon-adjust-standards-cyber-soldiers-always-done/

Europe should not help dictators spy on their own citizens #DualUse #HumanRights
The new rules would add certain cyber-surveillance tools to the list of items that need to be approved by national authorities before being exported. These include devices for intercepting mobile phones, hacking computers, circumventing passwords or identifying internet users, as such dual-use items are widely used to suppress civilians, political opposition and activists around the world.
https://www.eureporter.co/frontpage/2018/01/24/europe-should-not-help-dictators-spy-on-their-own-citizens-dualuse-humanrights/

The Role AI Plays in Security Intelligence Analytics
Some say that this artificial intelligence arms race might drive an evolution in cyber security. Although AI is growing in proficiency, some tasks remain that are ill-suited to it, which gives human security professionals an edge over attackers who use fire-and-forget attack methods that depend exclusively on AI. Artificial intelligence is therefore a double-edged sword: as the market matures, both defenders and attackers will benefit from using machine learning tools throughout 2018.
https://sanvada.com/2018/01/24/role-ai-plays-security-intelligence-analytics/

Net neutrality comment fraud will be investigated by government
While the investigation request was spurred by widespread fraud in the FCC’s net neutrality repeal docket, Democrats asked the GAO to also “examine whether this shady practice extends to other agency rulemaking processes.” The GAO will do just that, having told Democrats in a letter that it will “review the extent and pervasiveness of fraud and the misuse of American identities during federal rulemaking processes.”
https://arstechnica.com/tech-policy/2018/01/net-neutrality-comment-fraud-will-be-investigated-by-government/

The Cynical Misdirection Behind #ReleaseTheMemo
Nunes has successfully manufactured a controversy designed to undermine the Justice Department’s investigation into the Trump campaign’s connections to Russia, and he used FISA to do it. (This also isn’t his first time.) The 1978 surveillance law is not only densely complicated, but operates via a secret court staffed by judges entirely appointed by the Chief Justice of the Supreme Court, making it a prime target for conspiracy theories.
https://www.wired.com/story/release-the-memo-nunes-fisa-702/

Want to see all data Windows 10 sends Microsoft? There’s an app for that
Windows 10 has two settings for its data collection, “basic” and “full.” The documentation last year described all the data collected in the “basic” setting but only gave a broad outline of the kinds of things that the “full” setting collected. The new app will show users precisely what the full setting entails and a comparison with what would be sent with the basic setting.
https://arstechnica.com/gadgets/2018/01/want-to-see-all-data-windows-10-sends-microsoft-theres-an-app-for-that/

Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework
The vulnerability, assigned CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol like myapp://. “Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API,” Electron says in an advisory published Monday.
https://thehackernews.com/2018/01/electron-js-hacking.html

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.