IT Security News Blast 02-28-2018

Hacking Pacemakers

Fed Focusing on Cyber Risks to Financial Stability
He acknowledged the role banks play in providing services to maintain the financial system’s functionality. “But at the same time, some of the solutions in place to improve the resiliency of those critical services may actually contribute to a cyber event,” Quarles said, adding that “one example would be the replication of bad data across data centers. As the Federal Reserve thinks about its financial stability mandate, this concern will be a particular focus.”

An Approach ‘Essential To Creating Robust, Sustainable Cyber Security’
We need a cultural shift to a point where organizations finally treat cyber security risks as a business issue and govern cyber security with the same level of leadership engagement as financial risks. The leaders’ participation is critical, because only the leadership has the knowledge and visibility to define the organization’s budgets, priorities and, ultimately, its risk tolerance.

Forget Sanctions and Red Lines — Fight Cyberattacks with Cyber-retaliation
Enough with all the worried words and empty threats over foreign cyber attacks. Haven’t we sat around and bemoaned breaches enough? When are we actually going to do something in self-defense? Hardening government and corporate security is tardy and clearly ineffective. What about some flat-out electronic retaliation?

A 2-Step Approach to Securing Local Government
In the first of our 3-part series for local government, 5 IT Trends Changing Local Government, I talked about the changes upcoming generally for information technology management, and how those changes will manifest in the public sector – specifically for local government. Reminder: this includes cities, counties, public utilities, maritime ports, and any other organization designated as a “special-purpose district” (usually with taxing authority). The following involves moving the narrative from IT in general to IT security, and the challenges that will accompany those changes.

SEC Refreshes Cyber Guidance
The SEC’s updated guidance reiterates and reinforces the Commission’s Staff guidance issued in 2011 by the Division of Corporate Finance, which called for companies to assess what disclosures might be required about cybersecurity risks and incidents. But the new guidance issued by the Commission itself underscores the “grave threats to investors” and our financial systems posed by cybercrime and the uptick in the sophistication and severity of cyber-attacks on public companies.

WannaCry hits 12 Connecticut state agencies
NECN is reporting that the attack began late Friday afternoon and eventually impacted 12 separate agencies. NECN learned the attack involved WannaCry when it became privy to a state email discussing the attack. The agencies involved in the attack were not named. The news site is reporting that Connecticut officials do not believe the malware will negatively impact any state-delivered services.

Defending Your Data From the Dark Overlord
THE FIRST TWEET that the Dark Overlord sent to a small chiropractor in Poughkeepsie, New York, read: “We’re watching you. Make the right choise [sic].” […] The pattern is typical of the Dark Overlord: Choose a vulnerable target, steal its data, announce the theft, and demand payment via Bitcoin. If the victim does not pay, the group threatens to release the information or sell it on dark web exchanges, the anonymous underbelly of the internet. […] The Dark Overlord punches above its weight through strong branding, a focus on terrorizing its victims, and a deliberate press strategy.

Hacking pacemakers is good TV, but is it for real?
“The likelihood of an individual hacker successfully affecting a cardiovascular implantable electronic device or being able to target a specific patient is very low. A more likely scenario is that of a malware or ransomware attack affecting a hospital network and inhibiting communication,” Lakkireddy said in a news release.

Military-grade hacking techniques are now in the hands of amateurs
“The biggest takeaway is that there is now a blurring between statecraft and tradecraft hacking. It’s becoming a more level playing field between military-grade techniques and more amateur hacktivism,” said Sentonas. “State-sponsored hacking has always been there – countries have investigated each other and used espionage techniques for decades. But when that moves online what we see is that the scale changes dramatically. Because of how many devices we all use the potential to do larger damage is immense.”

DHS Funds Cyber Data Research
The U.S. Department of Homeland Security recently awarded the research projects to seven organizations, including four universities, under its data-sharing effort called Information Marketplace for Policy and Analysis of Cyber-risk and Trust, or IMPACT. Among the goals is broadening “access to expanded, improved and new types of data resources,” said William Bryan, the acting DHS undersecretary for science and technology. (Underscoring the lack of confirmed department heads in the Trump administration, Bryan’s official title is listed as: “the DHS Senior Official Performing the Duties of the Under Secretary for Science and Technology.”)

Inside the dark web of the UAE’s surveillance state
As the threat of cyber attacks has increased worldwide, there have been numerous reports of attempted attacks from external actors on critical infrastructure in the country. Since the Arab uprisings of 2011, however, internal “cyber-security governance”, which has been utilised to quell the harbingers of revolt and suppress dissident voices, has become increasingly important to the Emirati government and other regimes across the region.

Cellebrite reportedly can unlock every iPhone Model
While the company hasn’t made a public announcement concerning its capabilities, anonymous sources told Forbes that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics firms across the globe. A separate source in the police forensics community told the publication Cellebrite told him the company could unlock an iPhone 8 and that he believed the same was possible for the most recent iPhone X.

Apple Tackles Cellebrite Unlock Claims, Sort Of
Apple’s response falls well short of a full-throated debunk of the iPhone hack, but suggests some merit to the claim – hence a call for customers to upgrade. In a response to a request for comment, Apple told Threatpost that the most recent iteration of iOS (11.2.6) ensures customers have the latest protections. […] “I’d be zero-percent surprised if Cellebrite had a zero-day that allowed them to unlock iPhones with physical access,” said Patrick Wardle, chief research officer at Digita Security. “These guys clearly have the skills, and there is also a huge financial motivation to find such bugs.”

Microsoft doesn’t want to turn over foreign server data, SCOTUS to weigh in
During oral arguments, the Department of Justice, by contrast, urged the court to compel Microsoft to hand over the data. The DOJ said that allowing Microsoft to refuse the order is tantamount to encouraging companies to keep particularly sensitive data overseas as a way to evade authorities. Two liberal justices, Sonia Sotomayor and Ruth Bader Ginsburg, who have ruled on the side of privacy in the past, questioned whether the court should be stepping in. They said that the onus should be on Congress to regulate appropriately.

The Olympics Show That Attendees At Any Global Event Risk Being Hacked
So, what can those organizing large-scale global events do to prevent such damaging intrusions? For now, it’s unclear. Besides running higher cyber surveillance, our communications systems are simply vulnerable to pretty much anything hackers set out to do, whether it’s for fun or to damage international relations. Perhaps in the future, the heightened security of a quantum communications network might provide a strong enough barrier, but for now officials are still scrambling for answers. And the public is increasingly spooked.

Cyber security experts warn that AI could mimic writing styles and habits of millions of users to launch devastating scams
‘Imagine a piece of malicious software on your laptop that can read your calendar, emails, messages etc,’ it said. ‘Now imagine that it has AI that can understand all of that material and can train itself on how you differently communicate with different people. It could then contextually contact your co-workers and customers replicating your individual communication style with each of them to spread itself.’

Democrats submit plan to save net neutrality, still one vote short in Senate
“The grassroots movement to reinstate net neutrality is growing by the day, and we will get that one more vote needed to pass my CRA resolution,” Markey said. “I urge my Republican colleagues to join the overwhelming majority of Americans who support a free and open Internet. The Internet is for all—the students, teachers, innovators, hard-working families, small businesses, and activists, not just Verizon, Charter, AT&T, and Comcast and corporate interests.”

In-the-wild DDoSes use new way to achieve unthinkable sizes
DDoS vandals have long intensified their attacks by sending a small number of specially designed data packets to publicly available services. The services then unwittingly respond by sending a much larger number of unwanted packets to a target. The best known vectors for these DDoS amplification attacks are poorly secured domain name system resolution servers, which magnify volumes by as much as 50 fold, and network time protocol, which increases volumes by about 58 times.
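The reflector's side of an amplification attack is the easier one to catch: the spoofed requests arrive "from" the victim, and the oversized replies all go back to it. The script below is an added example, not code from the article, that scores (service, destination) pairs by response-to-request byte ratio over constructed UDP flow records; the record format, the sample addresses and the packet sizes are all made up here, and the 10x / 5-packet thresholds are the editor's starting values, not figures from the article.

```python
"""Spot reflection/amplification abuse in UDP flow records.

Added example for this item; not code from the linked article. The input
format and the sample records are constructed here: one line per packet,
'src_ip:port > dst_ip:port bytes', as a collector on the reflector's
network might export. From the reflector's side, a spoofed-source attack
looks like many small requests "from" the victim and large responses to it.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services named in the article as amplification vectors (port -> name).
REFLECTOR_PORTS = {53: "dns", 123: "ntp"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src_ip:port > dst_ip:port bytes'."""
    src, arrow, dst, nbytes = line.split()
    if arrow != ">":
        raise ValueError(f"bad record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes))


def amplification_report(flows, min_ratio=10.0, min_responses=5):
    """Per (service, address) pair, compare request bytes that claim to come
    from that address with response bytes sent to it. Flag pairs whose
    response/request byte ratio is >= min_ratio over >= min_responses
    packets; ordinary clients ask for small answers and never reach it."""
    req_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    resp_count = defaultdict(int)
    for f in flows:
        if f.dst_port in REFLECTOR_PORTS:        # request into the reflector
            req_bytes[(REFLECTOR_PORTS[f.dst_port], f.src_ip)] += f.nbytes
        elif f.src_port in REFLECTOR_PORTS:      # response out of the reflector
            key = (REFLECTOR_PORTS[f.src_port], f.dst_ip)
            resp_bytes[key] += f.nbytes
            resp_count[key] += 1
    findings = []
    for key, out_b in resp_bytes.items():
        in_b = req_bytes.get(key, 0)
        # No request seen at all means we only have half the conversation
        # (other reflector, sampling gap): skip rather than divide by zero.
        if in_b == 0 or resp_count[key] < min_responses:
            continue
        ratio = out_b / in_b
        if ratio >= min_ratio:
            findings.append({"service": key[0], "victim": key[1],
                             "ratio": round(ratio, 1),
                             "responses": resp_count[key]})
    return sorted(findings, key=lambda r: r["ratio"], reverse=True)


# Constructed sample: 203.0.113.9 is the spoofed victim; 198.51.100.4 is a
# normal client of the same resolver. Sizes are illustrative, not measured.
SAMPLE_RECORDS = (
    ["203.0.113.9:4321 > 192.0.2.53:53 64"] * 6 +
    ["192.0.2.53:53 > 203.0.113.9:4321 3200"] * 6 +
    ["203.0.113.9:4321 > 192.0.2.123:123 234"] * 5 +
    ["192.0.2.123:123 > 203.0.113.9:4321 13572"] * 5 +
    ["198.51.100.4:5555 > 192.0.2.53:53 64"] * 2 +
    ["192.0.2.53:53 > 198.51.100.4:5555 120"] * 2
)


def run_sample():
    """Run the detector over the constructed records."""
    return amplification_report(parse_flow(r) for r in SAMPLE_RECORDS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample the NTP pair scores 58.0 and the DNS pair 50.0, while the normal client is dropped by the packet-count floor. The same grouping works on NetFlow/IPFIX exports once the fields are mapped; on a busy resolver raise `min_responses` so that a single large ANY answer to a legitimate client does not page anyone.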

Massive Malspam Campaign Targets Unpatched Systems
According to the research firm Morphisec, cybercriminals are blasting spam messages that urge recipients to click a link to download a Word document. And when a victim opens the document and enables macros, malware attempts to exploit an Adobe Flash Player bug (CVE-2018-4878) patched by Adobe earlier this month. Victims who fall for the ploy could ultimately hand over control of their systems to an attacker, according to researchers.
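The chain described above needs two things from the document: a VBA project for the victim to enable, and some route by which Office loads Flash content. The triage script below is an added example, not code from Morphisec or the article; it opens an OOXML Word file as the zip it is and reports whether it carries `word/vbaProject.bin` and whether any `word/activeX/*.xml` part references the Shockwave Flash control CLSID. The article does not say how the Flash content is delivered, so the ActiveX check is an assumption about one common embedding route, the quarantine policy in `should_block` is the editor's, and the sample file is constructed in memory rather than being a real lure.

```python
"""Triage an OOXML Word file for the traits this lure chain relies on: a
VBA project (the macro the victim is asked to enable) and an embedded
Shockwave Flash ActiveX control (one way Office loads Flash content).

Added example; not code from Morphisec or the article. The heuristics are
the editor's, and the sample document is constructed in memory here, not
a real malicious file.
"""
import io
import zipfile

# Well-known CLSID of the Shockwave Flash ActiveX control, which Word
# records in its word/activeX/*.xml parts when Flash content is embedded.
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"


def triage_office_doc(data: bytes) -> dict:
    """Return which risky traits the document carries. Non-zip input
    (e.g. a legacy OLE2 .doc) is reported as not OOXML rather than raising."""
    result = {"is_ooxml": False, "has_vba": False, "has_flash_activex": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with archive:
        names = archive.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        # vbaProject.bin is the OLE container holding the macros; a .docm
        # renamed to .docx still carries it, so check the part, not the name.
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            lname = name.lower()
            if lname.startswith("word/activex/") and lname.endswith(".xml"):
                xml = archive.read(name).decode("utf-8", "ignore").lower()
                if FLASH_CLSID in xml:
                    result["has_flash_activex"] = True
    return result


def should_block(data: bytes) -> bool:
    """Policy used here (editor's choice): quarantine any Word file that both
    carries macros and embeds Flash; macros alone go to a review queue."""
    t = triage_office_doc(data)
    return t["has_vba"] and t["has_flash_activex"]


def build_sample_doc(with_vba: bool, with_flash: bool) -> bytes:
    """Construct a minimal OOXML container with the parts of interest
    (constructed sample; the XML bodies are placeholders, not real parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE2 magic followed by filler; enough for the part-name check.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        if with_flash:
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_office_doc(build_sample_doc(True, True)))
```

The CLSID comparison is case-insensitive because Office writes it in braces and upper case while other tooling lowercases it. This is a static pre-filter for a mail gateway or file share, not a replacement for patching Flash and for blocking macros from Internet-origin documents, which is what actually breaks the chain.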

NSA boss: Trump won’t pull trigger for Russia election hack retaliation
Despite repeated testimony from US intelligence officials stating that Russia has waged a years-long campaign to destabilize the US by spreading disinformation, discord and divisive messaging online, very little action has been taken as President Trump maintains the issue is overblown. Congress voted for a serious crack down on Russia with the Countering America’s Adversaries Through Sanctions Act, but so far the White House has chosen not to follow through and take punitive action.

Fender’s ‘smart’ guitar amp has no Bluetooth pairing controls
Permissions-based security is absent from the preset feature, meaning mischief-makers could push a new sound preset to the amp over BLE: a musician could expect to sound like Hendrix but instead come out sounding rather different. The same trick could be used to mute the amp by enabling a feature designed to be used only when musicians are tuning up their kit.



Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.