IT Security News Blast 02-27-2018

Securing Local Government

A 2-Step Approach to Securing Local Government
In the first of our 3-part series for local government, 5 IT Trends Changing Local Government, I talked about the changes upcoming generally for information technology management, and how those changes will manifest in the public sector – specifically for local government. Reminder: this includes cities, counties, public utilities, maritime ports, and any other organization designated as a “special-purpose district” (usually with taxing authority). The following involves moving the narrative from IT in general to IT security, and the challenges that will accompany those changes.

Cyber Risk — Next Steps For Evolving Security?
A good example of that is the new New York Department of Financial Services Cyber Security Regulation. There are enforcement provisions in that specific regulation if they lie, or have not done their due diligence to ensure that they’re accurately filling out the certification. As with any sort of certification to the government, there is False Claims Act liability that comes with it. So, not only do we have the standard liability issues due to the fiduciary obligations of the C-Suite, we’re now starting to see regulations actually take a turn and put affirmative obligations onto the C-Suite.

Watchdog warns of gaps in US financial regulation
The former deputy governor of the Bank of England also remarked on the danger that policymakers “see their task in terms of macro-credit cycles,” rather than ensuring that core services could withstand a range of shocks, including cyber attacks. One way of achieving that would be to change the mandate of the Securities and Exchange Commission and the Commodity Futures Trading Commission, he suggested, giving both agencies a statutory objective to look out for potential weak spots across the landscape.

HIMSS18 Focusing on Holistic Healthcare Cybersecurity
This year’s privacy and security focused presentations, keynotes, and workgroups are highlighting the importance of a holistic healthcare cybersecurity program. Organizations should continue to focus on key topics such as maintaining HIPAA compliance, improving medical device security, and implementing comprehensive employee training. But increasingly sophisticated cyber criminals require entities to ensure that numerous areas of data privacy and security are considered.

Cyber criminals catching up with nation state attacks
Extortion and weaponisation of data have become mainstream among cyber criminals, the report warned, heavily impacting government and healthcare, among other sectors. Nation state-linked attacks and targeted ransomware are also on the rise and could be used for geopolitical and even militaristic exploitation purposes, the report said. Supply chain compromises and crypto fraud and mining will present new attack vectors for both state-sponsored and cyber criminal actors, the report said.

Federal watchdog slams Health Net for ‘unprecedented’ refusal to comply with vulnerability testing
Health Net later refused to comply with data requests necessary to perform critical vulnerability and configuration management testing. On Feb. 7, Health Net responded to a formal memo from OIG, indicating that it would not provide the requested documentation, nor would it allow the agency to conduct testing. “Health Net’s refusal to allow this standard audit test work as part of our audit leaves multiple questions about Health Net’s vulnerability and configuration management programs unanswered,” the OIG stated in its report.

North Korea is a bigger cyber-attack threat than Russia, says expert
The report suggests that in the future, it won’t just be nation states who wield the most damaging hacking tools: technology developed by the world’s militaries will inevitably make it into the hands of criminal groups and other attackers. In 2018, the report says, “DPRK-based adversaries are likely to continue malicious cyber activity against entities in South Korea, Japan and the US. Network access obtained via remote access tools … may be used to deploy wiper malware.”

Mao’s ‘people’s war’ revival: China’s military cyber power and ‘cyber militias’
These groups have grown to feature a collective membership of more than 10 million people since the turn of the millennium, and are often based in universities and civilian corporations. While the PLA endorsed cyber militias as a concept in 2006, these groups will likely be restrained to cyber espionage as opposed to offensive cyber operations, given the risk of potentially undermining the work of regular PLA cyber units. […] These hackers are typically driven by popular nationalism, as demonstrated by instances like the cyber stoushes between US and Chinese hackers that followed the US EP-3 incident in 2001.

US Cyber Command: “When faced with a bully…hit him harder.”
In discussions with the command at a recent strategy conference, it was clear: Cyber Command has moved past thinking like the “father of the Air Force” Brig. Gen. William “Billy” Mitchell, having to prove the worth of a new capability. Now they are thinking like WWII Air Force hero and Chief of Staff of the Air Force Gen. Curtis LeMay. We are at war now, today, and must be ready to dominate with overwhelming power, to make the silicon rubble bounce, if called upon.

Wand Waving – Patch Gap Analysis for Energy Utility
Enter the “magic” of Patch Gap analysis, which is broken down into two parts. The first, which we’ll call “Asset Identification”, gathers information on tracked assets using safe, non-destructive scripts. This isn’t a broad-based scan of a network – carelessness like that can knock older, more sensitive systems offline – but a polite and intelligent identification of system state. The results of the asset identification are encrypted and paired up with the vast catalog of patches and assets which are tracked as part of a Patch Availability Report. This listing of “Available” patches forms the basis of the analysis yet to come.
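The pairing step described above (inventoried asset state matched against a catalog of available patches) can be shown as a small worked example. This is an added illustration, not code from the article or from the utility’s own tooling; it assumes the asset identification step has already produced a per-host inventory of product names and versions, that the Patch Availability Report lists, per patch, the first product version that contains it, and that both arrive as simple CSV text. All hostnames, products, versions and patch identifiers below are constructed sample data.

```python
"""Patch gap analysis (added example): pair an asset inventory with a patch
availability catalog and report which hosts are missing which patches.

Assumed inputs (constructed here, not real):
  - inventory rows:  hostname, product, version
  - catalog rows:    patch_id, product, fixed_version, severity
A host is missing a patch when it runs the patched product at a version
lower than the first version that contains the fix.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample output of the "Asset Identification" step.
ASSET_INVENTORY_CSV = """hostname,product,version
scada-hmi-01,Acme HMI,3.1.0
hist-db-02,Acme Historian,7.0.4
eng-ws-03,Acme HMI,3.2.1
"""

# Constructed sample Patch Availability Report.
PATCH_CATALOG_CSV = """patch_id,product,fixed_version,severity
ACME-HMI-2018-01,Acme HMI,3.2.0,critical
ACME-HMI-2018-02,Acme HMI,3.2.1,high
ACME-HIST-2018-01,Acme Historian,7.0.5,medium
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str


@dataset := None  # placeholder removed below
```

(The dataclass definitions continue in the block; the line above is not part of the example.)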

Private browsing isn’t: Boffins say smut-mode can’t hide your tracks
In a paper (PDF) delivered last week at the Network and Distributed Systems Security Symposium, the three presented the fix: a framework called “Veil” that puts an onus on site operators to stop the leaks. […] Of course, there are plenty of sites either indifferent or hostile to user privacy. The Veil framework won’t change their minds, but Wang says sites that want to protect privacy but “lack the technical skill”, and those who are “actively invested” in protecting users need help.

Senator says Facebook should clean up bots or face fines
The Democratic senator said the social media giants are some of the most sophisticated companies in the world and that bots on Facebook are like “toxic waste” being dumped into the environment. Although not explicitly stated in the bill, the remarks were made concerning proposed legislation seeking to make digital ads part of the campaign finance laws. Klobuchar said there are tens of millions” of bots flooding the social web with vitriol and that Congress should step in to stop the bot pollution.

Global megatrends that are problematic for the state of cybersecurity
·       82% of respondents predict their workplace will suffer a catastrophic data breach in the next three years as a result of unsecured IoT devices. 66% say such an attack would seriously diminish shareholder value.
·       67% believe cyber extortion, such as ransomware and data breaches will increase in frequency and payout.
·       60% predict nation-state attacks against government and commercial organizations will worsen and could potentially lead to a cyber war.

You get a criminal record! And you get a criminal record! Peach state goes bananas with expanded anti-hack law
A proposed anti-hacking law in the US state of Georgia is raising all kinds of alarms – because it could criminalize anyone who breaks a website or ISP’s T&Cs. The bill, SB 315, would expand the state’s computer crime laws to include penalties for accessing a machine without permission even if no information was taken or damaged. Drawn up by state senator Bruce Thompson (R) in January, the proposed legislation has been approved by Georgia’s senate, and is being considered by its house of representatives.

Statement of issue with the cybersecurity jobs gap
Understand the entire development process.  Sit down with the project managers and team, and talk with them about what they do.  One item you will find is that more often than not, they do have a basic understanding of security.  What they will most likely need is guidance and advice from you and your team.  Whether or not it’s the internal team or a third party, speak with them and find out what they do, and address their needs and concerns.

Cybersecurity careers and the internet of things
Because IoT involves physical devices, the traditional cybersecurity principles that stress confidentiality, integrity and availability also need to encompass safety now. That changes how companies should approach security, Giles says. For one, the chief information security officer in charge of cybersecurity needs to work with the chief security officer in charge of physical security to develop a coordinated plan of action in the event of an attack.

Adobe Flash Vulnerability Reappears in Malicious Word Files
This critical vulnerability is a use-after-free bug that enables remote code execution, according to Adobe. It was first spotted in targeted attacks against primarily South Korean victims. In early February, the South Korea Computer Emergency Response Team (KrCERT/CC) issued an advisory on CVE-2018-4878 in Flash Payer ActiveX and earlier versions.

Developer of NanoCore RAT that targeted Canada, US & Steam jailed
The developer of NanoCore RAT (remote access Trojan) has been sentenced to 33 months (2.75 years) in prison for promoting and selling the malware on a popular hacking forum HackForums between 2012 to 2016. The 27-year-old Taylor Huddleston (“Aeonhack” on HackForums) of Hot Springs, Arkansas was arrested in March 2017 and pleaded guilty in July to developing NanoCore malware and admitting that he intended the product to be used maliciously.

Wire-transfer scheme, ransomware attack — tiny Yarrow Point finds itself in criminals’ crosshairs
Yarrow Point Mayor Richard “Dicker” Cahill usually goes by his nickname in messages. But that escaped the notice of the town’s financial coordinator when he wired $49,284 to an unidentified con artist as part of an email scam in August. […] What worries Hamilton, who was Seattle’s chief information security officer, is that theft of money is only a glimpse of what criminals can do to a city. Records, city services, communication and infrastructure also are at risk. “That is the real exposure,” he said. “This is really a canary in the coal mine, and local governments need to wake up.”



Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.