IT Security News Blast 05-01-2018

Hospital Zero Day Vulnerability

This Russian Company Sells Zero-Day Exploits for Hospital Software
Gleg offers several different packs of exploits for clients: Agora covers mainstream web software; the “SCADA+ Pack” is focused on “industrial software and hardware environment” issues, and, predictably, the MedPack includes vulnerabilities for medical software. A one-year subscription for MedPack costs $4,000, and for that Gleg provides 25 exploits per year, most of which are zero-days, Gurkin wrote.

Orangeworm: Hospitals worldwide warned of ‘aggressive’ malware
The group’s motives remain unclear, and it doesn’t appear particularly concerned about being caught, either. According to Symantec, Orangeworm employs a particularly “noisy” attack that can be easily detected. However, it was noted that this type of attack could still be effective within healthcare environments reliant on outdated IT systems.

Best Practices for Keeping Patient Data Confidential
When you as a provider can promise that your patient’s private information actually stays private, you earn her trust, build solid relationships, and make your organization more credible. The effect helps differentiate you from other healthcare providers. Check out a few tried-and-true best practices for maintaining patient privacy and ensuring their information is safeguarded to the highest degree.

Local governments’ cybersecurity crisis in 8 charts
And they are more evidence of the poor, if not appalling, state of local government cybersecurity in the United States. We know this because in 2016, in partnership with the International City/County Management Association, we conducted the first-ever nationwide survey of local government cybersecurity. Among other things, the survey data showed just how poorly local governments practice cybersecurity.

GDPR — Another Y2K or Real Apocalypse?
If you’ve been in this business long enough, you will have lived through multiple Hype Cycles. They start with some vaguely defined problem that if not addressed will lead to the end of the world, or at least, you and your organization’s world. We’ve seen this before, and now we’re about to see another wave of hype from GDPR, the EU’s latest personal privacy regulation set to take effect on May 25, 2018. The world is holding its breath for that day, much like another hyped event we were holding our collective breath on New Year’s Eve in 1999 — Y2K. After our own thorough evaluation of the GDPR security requirements, we’ve compiled the essential information U.S. companies need to know.

DOD releases new guidance giving teeth to cybersecurity rules to protect data within the supply chain
The new DOD guidance for reviewing system security plans and the NIST SP 800-171 security requirements not yet implemented assigns risk scores to controls. Security controls that are deemed high risk and have not been implemented pose a continued risk to the government. The latest guidance helps ensure that businesses can assess and prioritize how they wish to go about implementing the 110 security controls. The new guidance also provides specific information on the downsides of not implementing the new security controls.

NIST Updates Cybersecurity Framework to Tackle Supply Chain Threats, Vulnerability Disclosure and More
Like the first version, Version 1.1 of the framework was created through public-private collaboration via a series of recommendations, drafts and comment periods. Changes in Version 1.1 include updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure, among other changes.

Treasurers Overconfident On Cyber Defenses
[Corporate] treasury departments may not be nearly as prepared or safeguarded as they think. That’s because fraudsters and cybercriminals are often steps ahead of their targets in terms of technology and strategy. “The number of fraud attempts is massive,” said Jeffery. “It’s really high, and increasing, because it’s so automated. Criminals continue to escalate their attacks, and the defense has grown, but you have to more than match what criminals are doing to gain back control.”

Mexican banks said to have been targeted in cyberattack
Three banks experienced “incidents” in recent days when operating the SPEI, Mexico’s interbank electronic transfer system, and will be connecting to the central bank’s network under “contingency schemes,” Banco de Mexico said in a statement Friday evening. That could cause delays in money transfers, according to the statement, which noted that the central bank’s SPEI infrastructure and client money haven’t been affected.

Three Pressing Cyber Threats for IoT in 2018
Humans are still the weakest link in the security chain, but hiring and training people who can understand and respond to issues in the threat space is only becoming more difficult. Demand is rising much faster than supply, with 3.5 million unfilled positions in the cyber security field expected by 2021. At the same time, the eternal catch-up game played between criminals and analysts continues, with threats becoming more sophisticated and widespread every day.

PODCAST: Can ‘gamification’ of cyber training help shrink the human attack vector?
“We’ve successfully applied gamification techniques to a very technical training process that’s now more like Call of Duty than like running through a cyber exercise,” Skelly says. “We have other products that are focused on the entire enterprise. Games that you can play on your mobile phone to teach you more about enterprise security risks and how to protect yourself.”

The Digital Vigilantes Who Hack Back
For help, the private sector is increasingly calling on the cybersecurity industry. Many of these firms are staffed by former N.S.A. employees. Some firms view themselves as masons, helping clients build stronger walls; others see themselves as exterminators, hunting for pests. Many cybersecurity firms offer what is called “active defense.” It is an intentionally ill-defined term. Some companies use it to indicate a willingness to chase intruders while they remain inside a client’s network; for others, it is coy shorthand for hacking back.

As two Koreas shake hands, Hidden Cobra hackers wage espionage campaign
Coinciding with the McAfee discovery, according to a ThaiCERT advisory published Wednesday, Thai officials seized a server inside Thammasat University in Bangkok that was being used to communicate with computers infected in the GhostSecret campaign. The server used the same IP address range that was used in the Sony Pictures hack. Thai officials are in the process of analyzing the server now.

Inside the U.S. Army’s New Cyber Command Center
“The U.S. Army Cyber Command (as the Army’s operational command for cyber) and our subordinate units are engaged in the real world cyberspace fight against nation‐state actors, unaffiliated terrorist groups that operate in cyberspace and independent criminal actors,” Vandermaarel says. “The mission of the garrison at Fort Gordon is to provide infrastructure and support to units, civilian, and contract personnel.”

House Dem wants more oversight of Homeland Security’s cyber mission
“Long-term issues about the Department’s capacity to execute this critical mission for the nation continue to be of concern. We should continue to ensure that the government is making the best, most effective issue of its capabilities and assets to help defend both the .gov domain as well as, perhaps even more importantly, the American private sector[.]” “In the long-run, this may require a fundamental restructuring of how the government addresses these issues, both functionally and structurally.”

What to know about the privacy of your DNA in wake of ‘Golden State Killer’ suspect’s arrest
Those who participate in DNA testing websites “are doing it for the purposes of genealogy, family history and in some cases finding their biological family[.]” For “most it never even occurred to them [that] their DNA might be used to identify a serial killer or any sort of perpetrator,” Moore said. “If people didn’t know their DNA was being used in that way, they couldn’t have consented to it. And if they didn’t consent to it, is that ethically questionable?”

Big Brother’s myriad cyber-ways unpacked
And, just as social media giants sell your data to marketers, they also sell it to surveillance software companies, who then sell it on to government intelligence and law enforcement agencies. Ultimately, the state can use your public social media posts to identify you and walk right up to your door. This outcome is very different from being targeted with advertisements.

Can we balance the freedom of the internet with its dangers?
The idea of a “Yes DIY” might well profit from this scepticism about how platforms are bamboozling us. Emphasising ground-up, face-to-face meets and activities, with networks and media largely serving that, could be a message that chimes with the times. Yet in any future contest, will there also be a mighty war of cyber-position, conducted between parties deploying their expensive tech consultants, to entice the minds and hearts of device-using citizens? You bet there will be.

Failbreak: Bloke gets seven years in the clink for trying to hack his friend out of jail
A Michigan fella will spend up to seven years and three months behind bars – for trying to hack government IT systems in the US state to get a friend out of jail. Konrads Voits, 27, of Ypsilanti, Michigan, received the 87-month sentence after he pleaded guilty to one federal charge of damaging a protected computer. He will also have to give up his laptop, four mobile phones, $385.49 worth of Bitcoin, and one “Green Integrated Circuit Component, Serial No. Y21A2123” in asset forfeiture.

Someone hacked this highway sign & defaced it with “Hail Hitler” text
According to the Pinal County Sheriff’s Office (PCSO), the incident was witnessed by a driver who reported it to the police. Initially, they tried to turn off the hacked highway sign but failed to do so, since the device used to operate the signboard was password protected; it therefore required a password which they were unable to identify.

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.