IT Security News Blast 02-06-2018

Penetration Testing as a Reference Point

Penetration Testing Is a Reference Point, Not a Strategy (Originally on CSO Online)
Pen tests are valuable only if the results are properly translated into an effective overall security strategy. I’m often skeptical of survey results, but a recent survey from the 2017 HIMSS (health sector) conference, which suggests that penetration testing is a top priority, caught my eye. Add to this Gartner’s global cybersecurity group estimate of a 14 percent uptick in “security testing,” as well as an 8.5 percent increase in “consulting.”

Apple, Cisco join forces with insurers in cyber security push
Allianz will offer cheaper insurance to companies that use Cisco’s ransomware defence or Apple’s iPhones, iPads and Macs, which the companies said in a press release was “acknowledging the superior level of security” they provided. […] The combined package also includes evaluation of companies’ resilience to an attack by Aon consultants and an incident response service if hackers do manage to break in.

Security breaches undermine cryptos, and that’s a good thing
Ironically, the much-touted procedures for verifying cryptocurrency transactions to deter the counterfeiting of cryptocurrency tokens do not prevent theft resulting from hacks. Even if stronger security at the cryptocurrency exchanges reduces hacking and the consequent thefts, investors still should question the wisdom of investing in cryptocurrencies.

Hacked at sea: Concerns grow for ship, port cybersecurity
The entire shipping and maritime sector, a crucial part of the global economy that impacts ocean health, heard that alarm bell. It is, according to many experts, an industry that is lagging in its preparedness to face modern cybersecurity threats. As ships become more connected to online systems and controlled by software, the risks will only grow. “This summer is when everybody woke up,” then U.S. Federal Maritime Commissioner William Doyle said at the Shipping 2030 North America conference in New York City in November.

Every NHS trust tested for cybersecurity has failed, officials admit
“The amount of effort it takes from NHS Providers in such a complex estate to reach the cyber essentials plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar. So some of them have failed purely on patching which is what the vulnerability was around WannaCry,” he said.

Apple’s iOS push could change healthcare data sharing, still won’t kill the fax
Eventually, as Apple envisions, a new electronic document system will prevail. But it’s going to be a very slow changeover, according to Ho, whose company does offer other forms of electronic file exchange. “Healthcare is a large, complex, multi-faceted system, and I don’t think we’re going to see rapid disruption,” Ho said. […] Apple’s new Health Records feature uses the existing Health app (released in 2014 for iOS 8) to enable medical facilities to connect via an API to their EMR systems to share data between providers and patients.

Researchers attribute Flash Player zero-day attacks to rapidly advancing North Korean APT group
“Group 123 [has] now joined some of the criminal elite with this latest payload of ROKRAT… They did use exploits in previous campaigns but never a… new exploit as they have done now,” states a Feb. 2 Talos blog post written by researchers Warren Mercer and Paul Rascagneres. “This change represents a major shift in Group 123’s maturity level. We can now confidentially assess Group 123 as a highly skilled, highly motivated and highly sophisticated group.”

Lawmakers: Cyber warfare skills critical for future military, homeland security
Several lawmakers agreed skills for cyber warfare, such as developing artificial intelligence, will be key for the military and other domains charged with protecting the homeland in the future. “Cyber warfare in the future, it’s not going to be hacker on hacker,” said Rep. Will Hurd, R-Texas, a former CIA officer and member of the Homeland Security committee. “It’s going to be good AI versus bad AI… and right now we are only teaching that stuff in Ph.D. programs.”

The New Global Competitive Model Based on Cyber and Asymmetrical Hybrid Warfare
Imagine if Pearl Harbor had been attacked and there had been no response from Washington. This is the actual case today due to a highly sophisticated, mature, and stealth strategy perpetrated against the United States (US) by advanced nation-state military methods leveled at every sector and organization in our society. This includes private sector businesses, all government agencies, the military, and academia – every US organization operating with innovation, intellectual property, or sensitive data.

Week ahead: Lawmakers zero in on cyber diplomacy
The hearing, scheduled for Tuesday, is the latest congressional effort to put an emphasis on cyber engagement abroad in the evolving digital age. “Authoritarian regimes and foreign actors are working overtime to impose more control online, including through censorship,” House Foreign Affairs Committee Chair Ed Royce (R-Calif.) said when announcing the hearing. “These destructive efforts to weaponize the internet undermine America’s foreign policy and security, as well as our economy.”

Europe’s shameful role in spy-tech exports that led to torture and jail
Year after year, more evidence emerged that EU member states approved exports of various surveillance technologies to countries with terrible human rights records. Three years ago, the client list of an Italian hacking company, that was itself hacked, was made public. Contracts indicated cyber surveillance products were specifically marketed and sold to countries such as Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Russia, Saudi Arabia, the UAE and Uzbekistan.

FBI Webcam Surveillance: What You Should Know
Don’t panic; this type of attack remains rare, notes Wheeler. “One or two instances of RATs and teenagers being hacked for video through their webcams creates a lot of media clicks and hysteria, but the truth is that you should be much more concerned about your personal data than your webcam or your phone’s front-facing camera (which no one covers with a sticker).”

ICE to Begin Using License Plate Readers
A historical search could provide a detailed record of a target’s movements by supplying every place a given license plate has been spotted in the last five years. That data could then be used to find a given subject’s residence or even identify associates if a given car is regularly spotted in a specific parking lot. ICE agents could also receive instantaneous email alerts whenever a new record of a particular plate is found. Sightings can come in from police dashcams, stationary readers on bridges and toll booths.

Why companies need to implement a ‘zero trust’ approach to their cybersecurity model
[The] reality is that we’ve got a lot of mobile workers and outsourced IT and we’re using stats and infrastructure as a service, so a danger is also not residing within the walls that the firewalls were previously protecting. So that model has got to change. And going back to the word trust, we cannot trust a firewall anymore, and we’ve got to now really think of a world where we can’t trust these elements of security and we’ve got to go to a model where we explicitly trust things. So instead of implicitly trusting, we’ve got to go to explicitly trusting.

Strava’s Just the Start: The US Military’s Losing War Against Data Leakage
“We currently have annual training for all DOD personnel” about social media and wearable device do’s and don’ts, Pentagon spokesman Col. Rob Manning told reporters Monday. “With emerging technology there is always a need to reinforce operational security and force protection…We are going to take a look at our policies” he said. When asked if the Strava map revealed information that was sensitive or secret, Manning offered an artful dodge. He was “not aware” that it had, he said.

Misconfigured Amazon Web Services bucket exposes 12,000 social media influencers
Another misconfigured Amazon Web Services (AWS) S3 cloud storage bucket has been left insecure, this time exposing the sensitive data of 12,000 social media influencers, most of whom were female. On January 4, UpGuard researcher Chris Vickery discovered the bucket containing the real names, addresses, phone numbers and email addresses – including those specified for use with PayPal – of popular YouTube, Instagram, Twitter and Twitch users, according to a Feb. 5 blog post.

Here’s Ajit Pai’s “proof” that killing net neutrality created more broadband
The timing means that it would be impossible for Pai to present evidence today that broadband deployment is increasing as a result of the net neutrality repeal. But the report claims that’s exactly what happened anyway and says that future data will bear that out. To support its argument, the report claims that broadband deployment projects that were started during the Obama administration were somehow caused by Pai’s deregulatory policies. Two weeks ago, we noted that a fact sheet issued by Pai offered no data to back up his deployment claims.

Accused Brit hacker Lauri Love will NOT be extradited to America
Cheers broke out from Love’s 50 or so supporters, who packed themselves into the well of Court 4 at the Royal Courts of Justice, London, to hear the Lord Chief Justice deliver the judgment. As soon as the judge read the sentence “the extradition will not go ahead,” the rest of his judgment was drowned out by the happy crowd. Frowning, the judge barked: “Silence! This is a court of law.”

Authorities shut down Luminosity RAT used by buyers in 78 countries
In a joint operation, law enforcement authorities from Australia, Europe, and North America have shut down a “hacking tool” called Luminosity Link RAT (Remote Access Trojan), also known as LuminosityLink. Over a dozen agencies, including Europol, the UK’s South West Regional Organised Crime Unit and the National Crime Agency (NCA), took part in the operation, leading to the successful shutdown of the sophisticated trojan.

Bluetooth ‘Panty Buster’ ‘smart’ sex toy fails penetration test
A database containing highly sensitive Vibratissimo customer data – such as explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, etc – was openly accessible on the internet. Enumeration of users’ explicit images was possible due to predictable ID numbers, and missing authorisation checks. Yes, explicit images. From a cyber-dildo. How? Social network stuff.

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.