IT Security News Blast 03-19-2018

Penetration Testing and Hacking

Penetration Testing: If You Can’t Beat the Hackers, Join Them
Digital data theft is a booming business, especially in the medical world. As Nye put it, “The records we hold in healthcare are significantly more valuable than the records in a bank,” but significantly less secure. Even so, many health systems continue to have IT departments run by non-IT professionals. […] “If I stack that up against what I saw in [my previous experience] in financial services, it’s safe to say healthcare is the most complicated IT environment we’ve ever seen.” Finding a solution means staying proactive, and getting to know your enemy. Nye’s advice? If you can’t beat the hackers, you can always hire them.
http://www.hcanews.com/news/penetration-testing-if-you-cant-beat-the-hackers-join-them

Chinese-Speaking APT Actor Caught Spying On Pharmaceutical Organisations
Kaspersky Lab’s researchers have discovered evidence of an emerging and alarming trend: more and more advanced cyber threat actors are turning their attention to attacks against the healthcare sector. The infamous PlugX malware has been detected in pharmaceutical organisations in Vietnam, aimed at stealing precious drug formulas and business information.
https://www.informationsecuritybuzz.com/articles/chinese-speaking-apt-actor-caught-spying-on-pharmaceutical-organisations/

What Healthcare Providers Must Know About the HIPAA Security Rule
HHS explains that technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Technical safeguards include the specific technology that providers implement for ePHI security. Anti-virus software, multi-factor or two-factor authentication, data encryption, de-identification of data, firewalls, mobile device management (MDM), and remote wipe capability are all types of technical safeguards.
https://healthitsecurity.com/features/what-healthcare-providers-must-know-about-the-hipaa-security-rule

Suspected Chinese cyberespionage group targets U.S. engineering, maritime industries
The group uses several tools including a JavaScript-based backdoor named “AIRBREAK” that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services, and a backdoor named “BADFLICK” that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration. […] Most of the group’s victims were found in the United States[.] The attacks suggest the threat actors were looking for information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations.
https://www.scmagazine.com/tempperiscope-cybergang-targets-us-engineering-and-maritime-industries/article/751753/

U.S. says Russian hack did not compromise power grid, nuclear plants
Corporate networks at some of the 99 nuclear power plants licensed by the Nuclear Regulatory Commission were affected by the 2017 hack aimed at the energy grid and other infrastructure, but no safety, security or emergency preparedness functions were affected, the NRC said in a statement.
http://www.tulsaworld.com/news/government/u-s-says-russian-hack-did-not-compromise-power-grid/article_8c53ae66-5394-572f-87d4-7e189c003372.html

Threat of Russian cyber reprisal puts UK finance, power and water on high alert
Hannigan, who was responsible for the UK’s first cyber strategy in 2009 and is now a senior associate fellow at the Royal United Services Institute, said that from his experience, which also includes three years as prime minister Tony Blair’s security adviser, he had never seen Russia so unpredictable and hostile. “In their [the Russians] current mood it’s hard to know what they will do. What’s different now is the willingness to be reckless, not to play by the rules that most civilised countries play by and not to worry about being found out. They no longer seem to care.”
https://www.theguardian.com/world/2018/mar/17/uk-finance-power-water-on-high-alert-threat-russian-cyber-reprisal-grows

Spooked by election hacking, states are moving to paper ballots
Verified Voting is a nonprofit that advocates for transparency in the election process. “When you talk about voting systems, the way you have the ability to recover is that you have a voter-marked paper ballot, and you have a human process that checks that paper ballot against the software-driven process.” […] “We’ve got to secure the systems. But without a cornerstone of auditability and transparency, you know, you’re building your house on a little bit of quicksand,” Smith told CyberScoop.
https://www.cyberscoop.com/paper-ballots-election-security-electronic-voting-machines/

How Trump consultants exploited the Facebook data of millions
So the firm harvested private information from the Facebook profiles of more than 50 million users without their permission, according to former Cambridge employees, associates and documents, making it one of the largest data leaks in the social network’s history. The breach allowed the company to exploit the private social-media activity of a huge swath of the U.S. electorate, developing techniques that underpinned its work on President Donald Trump’s campaign in 2016.
https://www.seattletimes.com/nation-world/how-trump-consultants-exploited-the-facebook-data-of-millions/

How a Norwegian comment section turned chaos into order—with a simple quiz
Should you slap the plugin into your own WordPress install, it’s then a matter of having a story author or editor come up with multiple choice questions (and Grut says he’s still unsure whether basic facts or fuller comprehension make for better quiz questions in this case). He admits having no A/B testing data to confidently determine Know2Comment’s impact, but he says “99 percent” of NRKbeta’s most frequent users were “overwhelmingly positive” about the function.
https://arstechnica.com/gaming/2018/03/how-a-norwegian-comment-section-turned-chaos-into-order-with-a-simple-quiz/

Severe flaws could turn your smart camera into someone else’s surveillance tool
This specific model of camera is pimped as doubling as a baby monitor in addition to being used for “general security purposes” in homes and offices. Yet the 13 critical flaws could allow attackers to remotely take control of the cameras to do the following: access video and audio feeds, remotely “brick” the devices, use the cameras for mining cryptocurrencies, and use the cameras as an entry-point to launch attacks on local and external networks.
https://www.csoonline.com/article/3262667/internet-of-things/severe-flaws-could-turn-your-smart-camera-into-someone-elses-surveillance-tool.html

Cyber criminals using complex financial system, study shows
But cyber criminals are not using any one form of digital currency to move their illicit funds around – they are also using micropayments and gaming currencies. This is done by converting stolen funds into game currencies or in-game items such as gold, which are then converted into bitcoin or other electronic formats. Games such as Minecraft, FIFA, World of Warcraft and GTA 5 are among the most popular options because they allow covert interactions with other players that enable trade of currency and goods.
http://www.computerweekly.com/news/252436986/Cyber-criminals-using-complex-financial-system-study-shows

Hacker Adrian Lamo who tipped off FBI about Chelsea Manning dies at 37
Adrian was also known as “The Homeless Hacker” due to his on-the-move lifestyle. Kaspersky Labs listed him at number 3 in its “Top Ten Most Notorious (Infamous) Hackers of All Time.” In 2010 Chelsea Manning, who was stationed in Iraq, had access to highly sensitive documents belonging to the US military, which Manning ended up leaking to WikiLeaks, including 17 minutes of helicopter footage showing the US military shooting and killing Iraqi civilians, among them Namir Noor-Eldeen, an Iraqi freelance war photojournalist.
https://www.hackread.com/hacker-adrian-lamo-who-dies-at-37/

US spy lab hopes to geotag every outdoor photo on social media
Imagine if someone could scan every image on Facebook, Twitter, and Instagram, then instantly determine where each was taken. The ability to combine this location data with information about who appears in those photos—and any social media contacts tied to them—would make it possible for government agencies to quickly track terrorist groups posting propaganda photos. (And, really, just about anyone else.) That’s precisely the goal of Finder, a research program of the Intelligence Advanced Research Projects Agency (IARPA), the Office of the Director of National Intelligence’s dedicated research organization.
https://arstechnica.com/information-technology/2018/03/us-spy-lab-hopes-to-geotag-every-outdoor-photo-on-social-media/

We Replaced Leaders with Artificial Intelligence. Here’s What We Learned.
In another AI experiment, we explored whether AI can be used to interpret and evaluate leadership behaviors. But after analyzing data on thousands of leaders’ interactions with employees and coworkers, we found that AI falls short in understanding important leadership behaviors, such as coaching and delegation, as it fails to differentiate effective leadership behaviors from ineffective ones.
https://www.ddiworld.com/blog/tmi/march-2018/we-replaced-leaders-with-artificial-intelligence

Cybercriminals spotted hiding cryptocurrency mining malware in forked projects on GitHub
Users don’t need to download the malicious executables directly from GitHub. Instead, the malware is spread via a phishing ad campaign. When a user visits a site that displays the phishing ads and clicks on one, the executable downloads, the researchers said. If the user clicks on one of these adverts, they’re told their Flash Player is out of date and provided with a fake update which, if downloaded, will infect them with the malware. This update is provided via a redirect to GitHub, where the code is hosted, hidden in forked projects.
http://www.zdnet.com/article/cybercriminals-spotted-hiding-cryptocurrency-mining-malware-in-forked-projects-on-github/

Intel Details CPU ‘Virtual Fences’ Fix As Safeguard Against Spectre, Meltdown Flaws
“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” Brian Krzanich, CEO of Intel, said in a blog post. “Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.” Krzanich said the new safeguards will be built into Intel’s next-generation Xeon Scalable processors, code-named Cascade Lake, as well as Intel’s eighth-gen Core processors that are expected to ship in the second half of 2018.
https://threatpost.com/intel-details-cpu-virtual-fences-fix-as-safeguard-against-spectre-meltdown-flaws/130501/

Warning – 3 Popular VPN Services Are Leaking Your IP Address
A team of three ethical hackers hired by privacy advocate firm VPN Mentor revealed that three popular VPN service providers—HotSpot Shield, PureVPN, and Zenmate—with millions of customers worldwide were found vulnerable to flaws that could compromise users’ privacy. […] PureVPN is the same company that claimed to have a ‘no log’ policy, but a few months ago helped the FBI with logs that led to the arrest of a Massachusetts man in a cyberstalking case.
https://thehackernews.com/2018/03/vpn-leak-ip-address.html

Firefox Master Password System Has Been Poorly Secured for the Past 9 Years
“I looked into the source code,” Palant says, “I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password.” “Anybody who ever designed a login function on a website will likely see the red flag here,” Palant says. The flag Palant is referring to is the fact that the SHA-1 function has an iteration count of 1, meaning it’s applied just once, whereas industry practice regards 10,000 as a solid minimum for this value, and applications like LastPass use values of 100,000.
https://www.bleepingcomputer.com/news/security/firefox-master-password-system-has-been-poorly-secured-for-the-past-9-years/
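The iteration-count problem described above, as an added example that is not part of the news item or of Firefox’s own code: a hypothetical single-pass derivation (one SHA-1 over salt and master password, standing in for what the article describes) next to PBKDF2-HMAC-SHA1 with a configurable iteration count, plus a small calibration helper so a defender can pick an iteration count that costs a chosen amount of time per derivation on the machine at hand. The salt and password values are constructed for the demonstration.

```python
import hashlib
import os
import time

# Hypothetical stand-in for the scheme the article describes:
# one SHA-1 over (salt || master password), applied exactly once.
# This is an illustration, not the actual NSS implementation.
def legacy_key(master_password: bytes, salt: bytes) -> bytes:
    return hashlib.sha1(salt + master_password).digest()


# Stretched derivation: PBKDF2-HMAC-SHA1 with an explicit iteration count.
# 20-byte output so it is directly comparable to a single SHA-1 digest.
def stretched_key(master_password: bytes, salt: bytes, iterations: int) -> bytes:
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    return hashlib.pbkdf2_hmac("sha1", master_password, salt, iterations, dklen=20)


# Work-factor check against a policy minimum (the article cites 10,000 as a
# common floor and 100,000 as what LastPass uses).
def meets_policy(iterations: int, minimum: int = 10_000) -> bool:
    return iterations >= minimum


# Measure derivations per second for a given iteration count. This is the
# number a defender needs when choosing an iteration count: the same figure
# bounds how fast an offline guess can be checked on comparable hardware.
def derivations_per_second(iterations: int, sample_seconds: float = 0.2) -> float:
    salt = os.urandom(16)
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < sample_seconds:
        stretched_key(b"constructed-master-password", salt, iterations)
        count += 1
    return count / (time.perf_counter() - start)


# Choose an iteration count so that one derivation takes about target_seconds.
# Scales linearly from a short probe; the result is rounded down to a
# multiple of 1,000 and never goes below the policy floor.
def calibrate_iterations(target_seconds: float = 0.1, floor: int = 10_000) -> int:
    probe = 2_000
    salt = os.urandom(16)
    start = time.perf_counter()
    stretched_key(b"constructed-master-password", salt, probe)
    elapsed = time.perf_counter() - start
    if elapsed <= 0:
        return floor
    scaled = int(probe * target_seconds / elapsed)
    return max(floor, scaled - scaled % 1_000)


if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed salt
    pw = b"correct horse battery staple"       # constructed password
    print("legacy (1 x SHA-1):  ", legacy_key(pw, salt).hex())
    print("PBKDF2, 100k iters:  ", stretched_key(pw, salt, 100_000).hex())
    for n in (1, 10_000, 100_000):
        print(f"{n:>7} iterations -> {derivations_per_second(n):10.1f} derivations/s,"
              f" meets policy: {meets_policy(n)}")
    print("iterations for ~100 ms on this machine:", calibrate_iterations(0.1))
```

Running the block prints the throughput drop as the iteration count rises; the ratio between the 1-iteration and 100,000-iteration lines is the factor by which stretching slows every offline guess, which is exactly the margin a single-pass SHA-1 gives away.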

Phantom Secure ‘Uncrackable Phone’ Execs Indicted for RICO Crimes
In a statement, the FBI says, “Given the limited functionality of the phones and the fact that they only operate within a closed network of criminals, all of Phantom Secure’s customers are believed to be involved in serious criminal activity.” The FBI worked with Australian Federal Police, Royal Canadian Mounted Police, and law enforcement agencies in Panama, Hong Kong, and Thailand to pursue and arrest CEO Vincent Ramos in Bellingham, Wash. The other four Phantom Secure executives named in the indictments are still at large.
https://www.darkreading.com/endpoint/authentication/phantom-secure-uncrackable-phone-execs-indicted-for-rico-crimes/d/d-id/1331297

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.