IT Security News Blast 03-08-2018

Cost of Cyber on the Economy

Banking regulator warns major cyber breaches are ‘probably inevitable’
“Just as it’s often said that it’s not the crime but the cover-up that gets you, the lack of a tested and effective response to a cyber security breach can be a bigger risk for entities than the related incident,” he said. […] Institutions will be required to take undertake regular testing of their cyber defences, have robust systems in place to detect threats, and set out which senior staff are responsible for cyber security.

The Cost of Malicious Cyber Activity to the U.S. Economy
·       We estimate that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.
·       Scarce data and insufficient information sharing impede cybersecurity efforts and slow down the development of the cyber insurance market.
·       Damages from cyberattacks and cyber theft may spill over from the  initial target to economically linked firms, thereby magnifying the damage to the economy
·       Cyberattacks against critical infrastructure sectors could be highly damaging to the U.S.economy.

The charity raising funds to fight cyber security
The foundation started by donating $15m each to three US universities — Stanford, University of California, Berkeley, and Massachusetts Institute of Technology — to establish multidisciplinary cyber security centres. These centres would bring together policy and tech people. “The policy people didn’t know the tech people and vice versa — they all hate each other,” says Kramer. “It is actually a wild west. And the way the west was tamed was the development of institutions. We have to start behaving; we can’t come into the bar drunk and shoot it up.”

2018 Ransomware Trends
Some industries are still being targeted and will continue to be targeted by ransomware campaigns. Industries like healthcare, and more specifically hospitals, have continued to be lucrative targets by attackers. Figure 1 shows that hospital attacks have not abated recently, instead they continue to move along at a steady pace and continue to be effective.

What you can do about patient safety’s latest threat—cyberattacks
The AMA is using the survey data to look “at how we can encourage the federal government to provide positive incentives to physicians who start to really integrate good cyber practices” when providing patient care[.] Those incentives are based on the long-overlooked physician perspectives captured in the survey, combined with HIPAA’s own standards of “reasonable and appropriate” solutions in other contexts.

NIST poised to seek health industry input on securing patient imaging systems
The National Institute of Standards and Technology within the next few weeks will request industry participation in a proposed project for improved security of patient imaging, archiving and communications systems, as part of a broader NIST effort to assist healthcare providers and device manufactures address the growing threat of cyber attacks.

AI experts list the real dangers of artificial intelligence
The paper, titled “The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation,” calls this the “dual-use” attribute of AI, meaning the technology’s ability to make thousands of complex decisions every second could be used to both help or harm people, depending on the person designing the system. The experts considered the malicious uses of AI that either currently exists or could be developed over the next five years, and broke them out into three groups: digital, physical, and political.

Hackers can Send Fake Emergency Alerts by Exploiting 4G LTE Protocol Flaws
The new attacks include an authentication relay attack that lets an attacker connect to an LTE network while tricking another device’s identity and location without needing to submit legitimate credentials. Researchers have referred to this as the worst of all attacks. Moreover, an attacker can easily change the victim’s device location in the core networks that would allow setting up of false alibi or inclusion of fake evidence in case a criminal investigation is underway.

Integrating Cyber and Electronic Warfare
The DOD recognizes that the synchronization of cyber and electronic warfare is key for U.S. forces to succeed. High-end peer conflict will not be won by leveraging electromagnetic spectrum use—such as utilizing space-based satellites to provide global communications, surveillance, missile warning or position navigation—but instead, it will be won by projecting control from within the spectrum itself.

Senators ask vote machine vendors about Russian access to source code
The senators requested that the three largest election equipment vendors – Election Systems & Software, Dominion Voting Systems and Hart Intercivic – answer whether they have shared source code, or inner workings, or other sensitive data about their technology with any Russian entity. They also asked whether any software on those companies’ products had been shared with Russia and for the vendors to explain what steps they have taken to improve the security of those products against cyber threats to the election.

Should States Call in the Guard to Combat Election Hacking?
[While] the Department of Defense (DoD) shouldn’t have a primary responsibility of protecting elections, the Guard could help by educating state officials on the latest cyber threats and training local officials to work with DHS in detecting signs of outside influence. The Guard also could step into the role of white-hat hackers, which is what Ohio already has done. The state called on the Ohio National Guard’s cyberprotection unit in 2016 to hack the state’s network in search of vulnerabilities.

FBI Director says hacking has “mushroomed into full-blown economic espionage”
“We’re seeing an increase in nation-state sponsored computer intrusions, intrusions like last year’s massive WannaCry ransomware attack, recently attributed to North Korea. Or NotPetya – the most destructive and costly cyber attack in history,” Wray said during a keynote address at a Boston cyber security conference. “Launched by the Russian military, NotPetya resulted in billions of dollars in damage across Europe, Asia, and the Americas.” “We’ve also been seeing a “blended threat” – nation-states using criminal hackers to do their dirty work,” Wray added. “We also see Nation-state turning to more creative avenues to steal information.”

How Cellphone Chips Became a National-Security Concern
Cellular-tower radios, internet routers and related electronics use increasingly complex hardware and software, with millions of lines of code. Hackers can potentially control the equipment through intentional or inadvertent security flaws[.] […] “Unless you have tight supply chains, you can insert insecurity at the base of every device[.]” […] Some Congress members worry that in a decade or two, Huawei and China’s ZTE Corp. might become so dominant that American carriers such as AT&T Inc. will have no choice but to use Chinese equipment for at least some of their needs.

FBI again calls for magical solution to break into encrypted phones
A key escrow system, with which the FBI or another entity would be able to unlock a device given a certain set of circumstances, is by definition weaker than what cryptographers would traditionally call “strong encryption.” There’s also the problem of how to compel device and software makers to impose such a system on their customers—similar efforts were attempted during the Clinton administration, but they failed. A consensus of technical experts has said that what the FBI has asked for is impossible.

Cyber hacks driving ‘bug bounty’ jobs and programs in corporate America
Through carefully implemented bug bounty programs, organizations can crowdsource the expertise of security researchers to help identify vulnerabilities in exchange for money and recognition, and fix vulnerabilities before they can be exploited. Without proactive efforts such as bug bounty programs, organizations run higher reputational and financial risks of hackers or security researchers trying to extort or blackmail them over discovered flaws.

That Time Of Year Again: Cisco Systems Releases Its Annual Cybersecurity Report
One of the big findings from the new report was that malware, particularly ransomware, is becoming increasingly more sophisticated and dangerous. Now attackers are building their malware to be self-propagating and “worm-like,” capable of spreading throughout a network to cause unprecedented damage. According to the report, while previous malware required an actual human actor to initiate (via email, drive-by download, or physical media), all it takes now is an active, unpatched workstation.

Spectre-like attack exposes entire contents of Intel’s SGX secure enclave
Researchers at Ohio State University have demonstrated a method to adapt Spectre to read data protected by Software Guard Extensions (SGX), which allows for the creation of a secure enclave in memory to protect data from being used by applications at a higher privilege level. While the original Spectre vulnerability relied on branch prediction and speculation to read kernel-level memory, it was not able to read the contents of SGX-protected secure enclaves.

A Data Scientist Was Sick of Seeing Spam on His Facebook so He Built a Fake News Detector
[Estela] trained a neural network to recognize patterns based on all the examples in the database and their respective tags. So it would look for similarities between sites labelled “fake news,” or “extremely left wing,” and began to learn the patterns associated in subject matter, language, and patterns of speech. Once it had enough examples, the model was able to look at previously unseen sites and make a judgement call on a number of categories. Here is part of the results for Alex Jones’s InfoWars site, for example[.]

Memcached DDoS Attack PoC Code & 17,000 IP addresses Posted Online
Until now, to the masses, it was unclear how hackers are exploiting the vulnerability in Memcached servers but now, a set of three proof of concept codes along with 17,000 IP addresses (vulnerable servers) has been published online for public access which is a jackpot for attackers. This means anyone with knowledge of scripts and coding can carry out large-scale DDoS attacks.



Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.