IT Security News Blast 1-19-2017

Maritime Cybersecurity Regulation on the Horizon

Six months ago, the United Nations (UN) International Maritime Organization (IMO) published Interim Guidelines on Maritime Cyber Risk Management (“Interim Guidelines”),[6] which were drafted with input from representatives of 44 Member States, including the United States Coast Guard (USCG). Six months before that, the U.S. House of Representatives sent a bill to the Senate that would require USCG to enforce cybersecurity standards at U.S. ports and in maritime operations. Meanwhile, the two federal agencies with primary jurisdiction over industrial maritime operations—USCG and the Bureau of Safety and Environmental Enforcement (BSEE)—have been speaking out publicly about the need for regulatory involvement in maritime cybersecurity.[7] In 2017, we expect maritime operations will emerge as the next frontier of cybersecurity regulation affecting the energy industry.

How to get fired in 2017: Have a security breach

There are many reasons why IT professionals can be fired, but six out of the top nine are related to security, said a survey released this morning. For example, having a tech investment that leads to a security breach was considered a fireable offense by 39 percent of organizations, according to Osterman Research, which conducted the survey. A data breach that becomes public was a fireable offense for 38 percent of companies. Other fireable offenses included failing to modernize a security program, data breaches with unknown causes, data breaches that do not become public, and the failure of a security product or program investment.

The cyber curse of ‘interesting times’

This year was always shaping up to be a critical one for cybersecurity, with both government and industry finally starting to come to grips with what’s needed to counteract the rising tide of attacks. Potential election meddling aside, there have been more than enough problems unearthed over the past few years to satiate the security mill. […] NIST published its first draft update to the framework a few weeks ago, updating and expanding definitions of terms and introducing the concept of identity proofing as a way of measuring the strength and validity of an individual’s online presence.

Defending against Stingrays and other cellular attacks at protests

Having secure communications while minimizing data linkability is a critical part of defending yourself from people who want to scare you or hurt you. This post is not about the broad problem of Detecting and Defending Against a Surveillance State. This post is about your need to communicate and coordinate with other activists or publish information online while at a protest event. This post provides meaningful defenses against specific attacks carried out at protests.

Mac malware is found targeting biomedical research

A Mac malware that’s been spying on biomedical research centers may have been circulating undetected for years, according to new research. Antivirus vendor Malwarebytes uncovered the malicious code, after an IT administrator spotted unusual network traffic coming from an infected Mac. The malware, which Apple calls Fruitfly, is designed to take screen captures, access the Mac’s webcam, and simulate mouse clicks and key presses, allowing for remote control by a hacker, Malwarebytes said in a blog post on Wednesday.

The Looming Cybersecurity Crisis And Why Opportunity Youth Are The Solution

As the new administration enters the fray, the next recalculation should not be how to expand the $175 billion cybersecurity market. The focus should include practical strategies for assuring there are enough cybersecurity professionals to make the nation resilient. […] Intel recently released a survey stating the cybersecurity skills shortage is worse than talent deficits in other IT professions. The results confirmed what we knew – 82 percent of IT professionals see a shortfall in the cybersecurity workforce, while 71 percent of respondents thought there was a direct correlation between the skills gap and “measurable damage” to their organizations.

McAfee: Hackers Faked Locations In DNC Hack

By the variety of IP address traces alone, McAfee states that the group of hackers faked their location and eliminated any branches of data that could have linked back to them. It is more likely that a third party organization or group initiated the attack to create controversy involving the Russian government. McAfee said in an interview with Larry King, “If I was the Chinese and I wanted to make it look like the Russians did it, I would use the Russian language within the code, I would use Russian techniques of breaking into the organization. There simply is no way to assign a source for any attack.”

Oracle patches raft of vulnerabilities in business applications

Oracle released its first batch of security patches this year, fixing 270 vulnerabilities, mostly in business-critical applications. Many of the flaws can be exploited remotely without authentication. The majority of the fixes are for flaws in business products such as Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products and Oracle Database Server.

Security Pros Say On-The-Job Experience Counts The Most

Experience wins out over education. 83% of those surveyed say experience in the field rates more highly than education or certifications. Certifications ranked at 25%, while degrees came in at 23% and success in capture-the-flag competitions was slightly lower, at 18%. “Keep in mind that the vast majority of security professionals don’t have degrees,” says Chris Schueler, senior vice president of managed security services at Trustwave. “While college degrees aren’t always a requirement, they do help because a candidate has to be able to articulate and write, but the degree is not a hard and fast requirement.”

Who is Anna-Senpai, the Mirai Worm Author?

After months of digging, KrebsOnSecurity is now confident it has uncovered Anna Senpai’s real-life identity, and the identity of at least one co-conspirator who helped to write and modify the malware. […] The first clues to Anna Senpai’s identity didn’t become clear until I understood that Mirai was just the latest incarnation of an IoT botnet family that has been in development and relatively broad use for nearly three years.

Opinion: Obama’s surveillance legacy

Obama’s administration has reinterpreted “foreign security threats” to also mean “domestic security threats” and increased the number of agencies that have access to the National Security Agency’s (NSA) surveillance data. With the CIA, FBI, Drug Enforcement Agency, Treasury Department/IRS, Homeland Security, Coast Guard, and “such other elements of any department or agency as may be designated by the president” now able to get this data, there’s really no meaningful limit to how widely information might be shared nor who might be targeted.

Ransomware: How A Security Inconvenience Became The Industry’s Most-Feared Vulnerability

From an IT perspective, one of the most aggravating things about ransomware is that even after the attack gains a foothold, it should be relatively easy to stop. The file encryption — which actually does the damage — is the final stage of a multistep process. In fact, there are several opportunities to block the attack before it affects valuable data. First, if the attack is caught by URL filters or secure Web gateways, it will be averted. The second step is where the initial malware “drop” downloads the ransomware program.

Billion-dollar Hacker Gang Abuses Google Services To Control Malware

This might sound like an odd way to control malware, but it’s actually a technique that cybercriminals have been employing for years. Back in 2012, Symantec discovered a Trojan they dubbed Makadocs that was utilizing Google Docs to facilitate communications. Why would someone distributing malware want to host critical files on Google’s servers? Because, as Forcepoint notes, the kinds of organizations and businesses the Carbanak gang are likely to target are probably doing their best to block any communications with sketchy-looking domains. It’s extremely unlikely that they would block access to Google’s domains.

Report: Law Enforcement Must Consider, Adapt to Potential Technology Issues

The report, published Jan. 10 by the RAND Corporation and titled Future-Proofing Justice, looks at the criminal justice system from the perspective of those on the enforcement side, as well as those in academia and the civil rights arena. Brian Jackson, a researcher on the project, said the goal of the work was not to outline more convenient ways for law enforcement to negotiate the technology world, but rather to try to think through these technology issues before they become a crisis situation.

Republican bill aims to bolster U.S. attack attribution capabilities

The Rapid Innovation Act of 2017, co-sponsored by Texas Republican Reps. John Ratcliffe and Michael McCaul, would make innovation in cybersecurity a responsibility of the Department of Homeland Security’s undersecretary for science and technology. The bill, which emerged from the Homeland Security Subcommittee on Cybersecurity, passed the House last week and is now headed to the Senate. Ratcliffe is the subcommittee’s chairman, and McCaul is the full Homeland Security panel’s chairman.

Docker Patches Container Escape Vulnerability

According to Aqua Security, the vulnerability is exploited when running an exec command inside an already running container. Exec is a Unix command that replaces the current shell process with another program without creating a new process. “When that happens, a malicious process inside the container can access a ‘forgotten’ file descriptor of a directory that resides on the host. This in turn can be used to perform directory traversal to the host’s file system, thus facilitating a nasty and easy escape,” wrote Sagie Dulce, senior researcher at Aqua Security.

On cyber issues, Obama’s Pentagon ‘matured’ as norms rapidly changed

“The majority of the future fights we will be in will encompass this cross-domain activity and there will absolutely be information warfare components: Disinformation, [and] engagement with the public [by our enemies] to turn discourse against us,” said Aaron Hughes, deputy assistant secretary of Defense for cyber policy. “It’s going to be the norm not the exception as we go forward,” he told CyberScoop in a wide-ranging interview, looking back at the Obama administration’s record of achievements and defeats on the cybersecurity issue over the past eight years. “We need to be postured … to defend ourselves against that.”

Will cyberwar tie into ground warfare?

The Ukrainian ministry of defense is beginning to develop standards of practice for cyber defense. However, many pro-western websites have been brought down. The Russian-backed separatists wage cyberwar on Ukrainian institutions, sometimes daily. It might not be far into the future when internet blackouts are accompanied by large invading forces. It’s only a matter of time until the Special Forces Qualification Course adds an MOS (Military Operational Specialty) just for cyber defense and warfare on top of the existing Communications Sergeant, because understanding cyber will be a full-time job in a field that’s constantly innovating and changing.

Cyber Insurance: Coming of Age in 2017?

2016 was definitely the year cyber insurance emerged. As large-scale attacks and disclosures of massive data breaches kept recurring throughout the year, we realized once again that allocating tremendous efforts and resources to your cybersecurity defense does not provide any guarantee you won’t experience an incident. […] With this understanding, many businesses acknowledge cyber insurance as an important tool in the multilayer cybersecurity defense approach and declare it is an essential part of their risk mitigation strategy.

Tech companies offer cyberinsurance guarantees

Grossman points to a recent Sentinel One survey which found that 95 percent of U.S. companies want to see their IT security vendors offer a guarantee on their products and services, and another 88 percent said they would change providers if they could find an alternate IT security vendor that offers a guarantee. […] “Our goal is to serve as a complement to cyberinsurance,” says Grossman, who adds that Sentinel One will pay for the event, but companies will still need cyberinsurance for the cost of downtime and any fines incurred.

Report: malicious ‘fake’ news links used to socially engineer

Malicious news links are used not only as a means but as an end in itself. In its campaign against leading western media organisations, the Syrian Electronic Army was noted for gaining control of the social media accounts of those organisations and then posting news and propaganda in support of embattled Syrian president, Bashar Al Assad. This kind of tactic exploits people’s natural inclination to follow major developments in the world. Victims might click on a suspect news link for the same reason they might click on legitimate news. That said, the success of the lure is largely independent of the veracity the link itself claims to have. Anything that will get the unlucky victim to click will work.

7 ways to filter out cyber alert false positives

Modern organizations deal with a virtual tsunami of security alerts on a daily basis. In a recent survey, 10 percent of the respondents reported that they handled more than 50,000 alerts every day, and approximately 33 percent reported that their daily total exceeds 1,000 alerts. A separate study conducted by the Ponemon Institute found that 37 percent of respondents faced more than 10,000 daily alerts, with 52 percent of them being false positives. False positives can cost an organization tens of thousands of wasted hours, which can easily add up to hundreds of thousands or even millions of dollars.