IT Security News Blast 03-28-2018

Cyber Meltdown the Risk Manager's Guide

Meltdown and Spectre: The Risk Manager’s Guide
In mid-November, we covered the Intel vulnerabilities discovered in the IME and AMT technologies, including details on the remote management access vulnerabilities on desktops and laptops (usually corporate fleets) that Intel had super-secured with things like a blank admin password. Intel vulnerabilities hit the mainstream again with the widespread release of details on the Spectre and Meltdown attacks around January of 2018. The following weeks were a veritable trainwreck as Intel, Microsoft, Apple, antivirus software makers, and hardware OEMs scrambled to address the emerging details. In this post, we’re going to dive into the actual risk, where we are today, and some of the timeline and chain of events of this global (not an understatement) security risk. We’ll include some translations along the way for the risk managers of the world. Let’s start at the top.

Outgoing HHS CISO Chris Wlaschin opens up about his departure
“I’m departing HHS in Washington, D.C. at the request of my wife,” Wlaschin said. “I’m leaving the office of information security in a much better place than I found it.” When asked about the ongoing controversy over Health Cybersecurity and Communications Integration Center Director Maggie Amato and HHS Deputy CISO Leo Scanlon — who’s been on administrative leave for 160 days — Wlaschin said he was unsure why the situation was taking as long as it was.

Cybersecurity team will ‘lie, cheat and steal’ to protect Blue Cross patients’ data
A team of 200 analysts staffs the company’s regional security operation center, called the Cyber Fusion room[.] Charest’s motto — We watch everything, everywhere, all the time, forever — is written in capital letters on a dry erase board in the suite. The hub is staffed 24-7 and includes remote offices in Richardson and in Waukegan, Ill. As Charest points to the screen full of orange dots and dashes, his brow furrows. On average, the hub tracks thousands of attempts per second made by adversaries attacking its servers. “If you knew what I knew, you wouldn’t sleep either,” he said.

Media Report: Finger Lakes Health Paid Ransom, Restoring Systems After Cyber Attack
Further, the article quotes Turbide: “We are continuing to use our downtime paper procedures, which we have in place and utilize for situations including weather emergencies, power outages or other situations in which we have limited electronic access. This underscores the reason that we regularly conduct downtime procedure drills which proved useful in our response preparedness.” According to the article, Turbide also said the recovery of systems was due significantly to the agency’s prompt response after being notified of the attack.

Vanderbilt University researcher claims breaches linked to patient deaths
Choi argued the proportion of heart attack patients who die within 30 days of being admitted to a hospital increased by 0.23 percent one year after a breach and by 0.36 percent two years after a breach, which represents 2,160 additional patient deaths annually. […] He went on to say that disruption doesn’t have to be caused directly by the breach or attack but could be caused during the investigation process.

Cyber Attacks Pose Biggest Threat to Swiss Financial System: Regulator
“The risks connected with these attacks are growing in sync with the pace of global digitalization. Cyber attacks are now the most serious operational hazard facing the financial system, and both the private sector and public authorities should take them extremely seriously,” Chief Executive Mark Branson told the Financial Market Supervisory Authority’s annual news conference.

Accountants can help companies meet SEC demand for cybersecurity disclosures
The 2018 guidance released last month includes two new areas: cybersecurity policies and procedures, and insider trading prohibitions. The guidance spells out the rules of disclosure, including ensuring fair disclosure according to the Reg FD requirements, along with the factors that public companies need to consider to determine whether material information has been compromised.

Hackers pwn Baltimore’s 911 system?! Quick, someone call 91– doh!
The Baltimore Sun reports that a cyber-attack on the city’s network forced the emergency service’s Computer Aided Dispatch (CAD) offline. […] We’re told the attack was directed at a specific server, and took down the CAD system from 8.30am Saturday until around 2am Sunday. Operators were still able to manually dispatch responders during the outage, albeit much less efficiently. The attack came at a particularly bad time, as thousands of protesters from the area gathered Saturday in Baltimore and in nearby Washington DC as part of the nationwide march against gun violence.

Hackers Are Holding The City of Atlanta Hostage
But five days in, the effects are profound, crippling some of the city’s critical functions. As of March 27, city employees remain without email or internet access; residents cannot pay their electric bills; wi-fi is shut down at the Atlanta International Airport; and many departments — including the city jail — “are running on pen and paper while there is no access to electronic records for municipal court,” according to a report from Georgia Public Broadcasting, NPR reports. “This is much bigger than a ransomware attack, this really is an attack on our government,” Atlanta Mayor Keisha Lance Bottoms said at a news conference, Reuters reports. “We are dealing with a (cyber) hostage situation.”

Closer to the fight: Inside the Corps’ plan to deploy tech experts alongside grunts
For example, sitting on the commandant’s desk awaiting his signature is a plan to alter the traditional 13-man rifle squad by adding a Marine proficient in drone operations and electronic warfare. In a sign that the Corps is looking to uphold its tradition of “Every Marine a Rifleman” in the era of cyber operations, officials in March issued a statement to shut down a proposal that sought to allow civilians with vital cyber skills to bypass boot camp or The Basic School for officers.

Army of 01101111: The Making of a Cyber Battalion
Different courses tailored for different ranks, for months at a time, on how to wage war through computer networks in ways both offensive (disabling enemy networks is one potential tactic) and defensive (trying to find vulnerabilities in US military systems before an adversary can). Meanwhile, elsewhere on the base, about 900 cyber operators who’ve already passed through a form of this training—70 percent of the Army’s 1,300 active-duty cyber soldiers—are doing these very things for real.

Trump Extends National Cybersecurity Emergency
President Trump has extended the cyber attack national emergency, which was declared by President Obama in April 2015 but would have terminated April 1, while elsewhere on the broadband front, the White House was promoting efforts by Republicans in Congress to further broadband infrastructure buildouts, which the administration has said are a priority in rural areas.

Britain and US intelligence chiefs vow to work together to take on cyber threats in an unprecedented joint statement amid warnings Putin’s Russia is unleashing wave of attacks
Top brass from the two countries held talks about how they can ‘counter and defend ourselves’ from the new threat of cyber warfare. And the leaders from GCHQ, the UK’s joint forces command (JFC) and the US National Security Agency (NSA) released an unprecedented statement of intent. It comes amid warnings that Vladimir Putin is ordering Russian hackers to target UK and US infrastructure to spark chaos.

Departing U.S. election official hired for new cyber role in Trump administration
Matthew Masterson, a member of the U.S. Election Assistance Commission who until recently served as its chairman, has accepted a senior adviser position within the Department of Homeland Security’s cyber wing to continue working on election security and related issues, the department said in a statement on Monday. The hiring means Masterson, widely viewed as a key election security official, will continue to work with states and federal agencies on the issue heading into November’s midterm contests, which some intelligence specialists fear may be targeted by Russia or others.

Arizona Law Enforcement Leaders: We Need More Intelligence Analysts
Frank Milstead, director of the Arizona Department of Public Safety, said there aren’t enough cyber experts to fill the need. “There’s obviously a pull into the private sector, which normally has a better pay scale than the government sector,” he said. “What we want to do is take young, would-be hackers and turn them into young, would-be investigators.” Milstead said the lack of cyber intelligence analysts was a topic of conversation when he visited FBI headquarters a couple of weeks ago.

What lies beneath: The things Facebook knows go beyond user data
The FTC investigation will likely focus on what data Facebook shares with third parties. But third parties aren’t the only entity hoping to win “friends” and influence people on this social platform. Facebook collects a great deal of information about users for use by its internal algorithms. Those algorithms govern who and what users see, whom they get recommended to “friend,” and other aspects of how our Facebook experiences are subtly (or sometimes not-so-subtly) shaped by advertisers and others leveraging the platform.

Facebook’s Cambridge Analytica problems are nothing compared to what’s coming for all of online publishing
Let’s start with Facebook’s Surveillance Machine, by Zeynep Tufekci in last Monday’s New York Times. Among other things (all correct), Zeynep explains that “Facebook makes money, in other words, by profiling us and then selling our attention to advertisers, political actors and others.” […] Irony Alert: the same is true for the Times, along with every other publication that lives off adtech: tracking-based advertising. These pubs don’t just open the kimonos of their readers. They bring people’s bare digital necks to vampires ravenous for the blood of personal data, all for the purpose of returning “interest-based” advertising to those same people.

CISO Calls For Sweeping Policy Changes To Address Cyber Concerns
“I see a lot of hesitation on the part of legislators in particular to venture into this space.” He continued: “If we don’t have policy makers that are all in, we won’t end up having comprehensive solutions.” Chronis said more must be done to bring the sectors together. “We need more technology thought leaders in the federal government, influencing and helping to influence the legislative agenda, the priorities of Congress. I think that’ll help,” he added.

Exploit kit development has gone to sh$t… ever since Adobe Flash was kicked to the curb
In contrast to previous years, criminal exploit kits and phishing campaigns favoured Microsoft products in 2017, rather than Adobe Flash vulnerabilities. Exploiting Java and Adobe Flash flaws to push malware after tricking surfers into visiting booby-trapped websites has been the staple of so-called drive-by hacking attacks for years. Java vulnerabilities dropped steadily between 2013 and 2016, prompting cybercriminals to switch over to Adobe Flash. Now that route has also been throttled.

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.