IT Security News Blast 10-19-2017

TONIGHT! Don’t miss FUD Light at 4-6PM, Owl ‘n Thistle, Seattle
https://criticalinformatics.com/cybersecurity-happy-hour-october-19th/

Financial services to boost security investment on account of breach risks
Almost all (92 percent) will deploy advanced tech, such as IoT, big data or cloud services, with 73 percent doing so before actually preparing appropriate security solutions. Six in ten (60 percent) view privileged users as the biggest threat, followed by executives (48 percent) and contractors (38 percent).
https://betanews.com/2017/10/18/financial-services-security-breach-risks/

Cyber-espionage groups are now attacking banks in Asia Pacific
“These groups who are initially data-hungry are now going beyond traditional cyberespionage. They added money-stealing on their attack menu as they hunt for vulnerable banks in the Asia Pacific (APAC) region which they can infect mostly through the rising epidemic.”
https://www.networksasia.net/article/cyber-espionage-groups-are-now-attacking-banks-asia-pacific.1508382840

Study Shows: GDPR Is Driving Cyber Risk Planning
The study also shows a strong correlation between GDPR compliance and levels of cyber risk management. For instance, 69% of the fully compliant firms have or plan to deploy encrypted computers, versus only 38% of the non-compliant. And 49% of the firms in full readiness have developed a cyber incident response plan, compared with 10% of those that have not.
https://www.mediapost.com/publications/article/308956/study-shows-gdpr-is-driving-cyber-risk-planning.html

IRS: Tax refund fraudsters already had much of that Equifax stolen data
Beginning next year, more ID theft protection will be used for some business returns. Tax professionals are encouraged to make sure that the name and the Social Security number of the company individual authorized to sign the business return is legitimate. Is the person signing that return really authorized to do so?
http://www.freep.com/story/money/personal-finance/susan-tompor/2017/10/18/koskinen-tax-scams-insurance-schemes/767460001/

Encouraging Collaboration for Improved Data Security Measures
“We do understand that once something occurs it doesn’t necessarily matter if it’s a healthcare vertical,” he pointed out. “It may impact municipal or education or even the financial institutions the same way.” This is also why participating with information sharing organizations, such as NH-ISAC, can be essential for a true partnership. Entities need to be able to work together for successful potential collaboration opportunities, he said.
https://healthitsecurity.com/news/encouraging-collaboration-for-improved-data-security-measures

Cyber Security Market Size to Expand Significantly by the End of 2020
Increasing threats such as computer intrusion (hacking), virus deployment and denial of service are increasing the demand for cyber security solutions and services. The governments of various countries such as the U.S., Canada, Germany and China are increasing their investment in cyber security due to the expansion in computer interconnectivity and the dramatic increase in the computing power of government networks.
http://www.digitaljournal.com/pr/3527374

North Korea’s cyber-army should worry us all
“How can such an isolated, backward country have this capability?” asked a former British government official. “Well, how can such an isolated backward country have this nuclear ability?” In the Times story, the late North Korean leader Kim Jong Il is quoted, based on the testimony of a defector, as saying in 2003: “If warfare was about bullets and oil until now . . . warfare in the 21st century is about information.”
https://www.washingtonpost.com/opinions/north-koreas-cyber-army-should-worry-us-all/2017/10/18/d47b02b4-b41a-11e7-a908-a3470754bbb9_story.html?utm_term=.4c9c95088721

OMB orders agencies to gauge cyber risk
The Office of Management and Budget used 2017 to develop a standard approach to measuring cyber risk across the government. Now for 2018, OMB wants agencies to use that methodology to conduct risk management assessments. As part of the 2018 Federal Information Security Management Act (FISMA) guidance issued yesterday, OMB told CFO Act agencies to update their data quarterly and non-CFO Act agencies to update their data on a semiannual basis.
https://federalnewsradio.com/federal-newscast/2017/10/omb-orders-agencies-to-gauge-cyber-risk/

Growing threat: Cyber and nuclear weapons systems
What if:
A nuclear watch officer’s computer screens indicated that nuclear missiles were on the way? Could the officer be sure that she wasn’t the victim of a cyber-spoof? How would she respond?
Military officials were unable to communicate with the men and women controlling US nuclear weapons during an international security crisis? What would they think had happened? How would they respond?
https://thebulletin.org/growing-threat-cyber-and-nuclear-weapons-systems11201

‘A race to the moon’: How cyber professionals can communicate with leadership
A reluctance to share threat information between the private and public sector, as well as a glaring talent gap, is limiting recent cybersecurity efforts, according to John Wood, CEO of Telos Corporation, speaking Tuesday at a Cyber Week panel in Washington D.C. The future workforce is a particular concern because of a general lack of interest in math and science, which is often required to pursue cybersecurity careers, he said.
http://www.ciodive.com/news/cyber-professionals-leadership-communication-talent-gap/507501/

McAfee pledges not to share source code with security services
Chris Young, McAfee’s chief executive, followed Symantec, a US-based rival, in pledging publicly to keep its source code secret, with worries about government interference flaring up after questions around Moscow-based Kaspersky Lab’s relationship with the Russian government. Mr Young also warned against cyber security companies or governments being “siloed” in their operations and technologies, saying it made them more vulnerable to attack.
https://www.ft.com/content/e577297e-b2b9-11e7-a398-73d59db9e399

U.S. Lawmakers File Bill to Enable Businesses to Pursue Cyber-Criminals
If passed, the legislation would carve out exemptions in the Computer Fraud and Abuse Act (CFAA) of 1986 to allow companies to utilize computers and networks without authorization, but only if they are doing so to attribute or disrupt an attack, to retrieve or destroy stolen files, or to monitor attackers.
http://www.eweek.com/security/u.s-lawmakers-file-bill-to-enable-businesses-to-pursue-cyber-criminals

These are the Facebook posts Russia used to undermine Hillary Clinton’s campaign
By meddling in the 2016 U.S. presidential election, Moscow appears to have initially aimed to plant Donald Trump in the White House. But as signs toward the end of the campaign pointed to Trump’s defeat, actors in Russia were primarily trying to hamstring Hillary Clinton’s perceived ascension to the presidency. That theme ThinkProgress detailed earlier this week by analyzing Russia’s creation of hundreds of fake Facebook accounts, pumped via ads and promotion into Americans’ feeds.
https://thinkprogress.org/russia-facebook-clinton-campaign-d6d76b2a2e82/

How smart cities can protect against IoT security threats
The security issues facing smart cities are unlike anything ever before seen, and solutions to these problems haven’t yet sprung up en masse, meaning many different interest groups have proposed their own respective plans. By combing through some of today’s proposed solutions, we can identify some of the leading trends that will come to dominate the future of smart city security.
https://www.networkworld.com/article/3231988/internet-of-things/how-smart-cities-can-protect-against-iot-security-threats.html

Viral video of man being dragged from United flight gets officers fired
According to the initial police report, Dao was said to have pushed away an officer’s arm, causing “the subject to fall, hit, and injure his mouth on the armrest on the other side of the aisle.” Another officer corroborated that account, but none of this is visible on the videos passengers posted online. Thomas Demetrio, Dao’s attorney, said video evidence is what doomed the officers. “Do not state something that is clearly contrary to video viewed by the world,” he said in a statement. “Our cell phones are the best deterrent to ensure mistreatment becomes a rarity.”
https://arstechnica.com/tech-policy/2017/10/viral-video-of-man-being-dragged-from-united-flight-get-officers-fired/

Post Cyberattack: The Next Steps Your Business Needs to Take
It’s tempting to shut down after a data breach, but it’s important to be proactive to minimize the damage. Make sure you’re communicating properly with your staff, tech specialists, and clients, and be open and sincere about what happened. Provide details if you think they are necessary, and explain how each party will be impacted by what happened. Be sure to take responsibility, even if the attack was the fault of your IT provider rather than your company.
https://www.hackread.com/post-cyberattack-next-steps-business-needs-take/

BoundHook: Microsoft downplays Windows systems exploit technique
The researchers claim the so-called “BoundHook” technique creates a potential mechanism for hackers to exploit the design of Intel Memory Protection Extensions to hook applications in user mode and execute code. According to CyberArk Labs, this malfeasance could, in theory, allow attacks to fly under the radar of antivirus or other security measures on Windows 10, on both 32-bit and 64-bit devices.
https://www.theregister.co.uk/2017/10/18/boundhook_windows_10_exploit_cyberark/

Critical Code Execution Flaw Patched in PeopleSoft Core Engine
“This vulnerability can be exploited by sending an HTTP request to the PeopleSoft service with a serialized JAVA object,” said Alexander Polyakov, CTO at ERPScan. “After unserialization, it can run any command on the server. Because this vulnerability was found in the HTTP service it can be easily available via the internet if a company exposes their PeopleSoft system to the Internet,” he added.
https://threatpost.com/critical-code-execution-flaw-patched-in-peoplesoft-core-engine/128510/
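An added example, not from the article, ERPScan or Oracle: a small Python triage helper that flags HTTP request bodies carrying a Java serialized object, the input the quoted vulnerability is triggered by. The stream header 0xACED0005 and its base64 form beginning rO0AB are real Java serialization constants; the request record shape, paths and sample bodies are constructed for the example and are not PeopleSoft traffic.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Java serialization stream header: STREAM_MAGIC 0xACED then STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# Base64 of those four bytes always begins with this prefix, whatever bytes follow.
JAVA_SER_B64_PREFIX = "rO0AB"
# Match the prefix only at the start of a base64 token, not inside a longer word.
B64_PATTERN = re.compile(r"(?<![A-Za-z0-9+/])" + re.escape(JAVA_SER_B64_PREFIX))


@dataclass
class HttpRequest:
    """One request as a WAF or proxy log might hand it to a triage script (hypothetical shape)."""
    method: str
    path: str
    content_type: str
    body: bytes


def classify_body(body: bytes) -> Optional[str]:
    """Return a finding label if the body carries a Java serialized object, else None."""
    if JAVA_SER_MAGIC in body:          # raw stream anywhere in the body (covers multipart parts)
        return "raw-java-serialized"
    text = body.decode("ascii", errors="ignore")
    if B64_PATTERN.search(text):        # encoded stream inside a form field or JSON value
        return "base64-java-serialized"
    return None


def triage(requests: List[HttpRequest]) -> List[str]:
    """One finding line per request that should be blocked or reviewed."""
    findings = []
    for r in requests:
        kind = classify_body(r.body)
        if kind:
            findings.append(f"{r.method} {r.path}: {kind} ({r.content_type})")
    return findings


# Constructed sample requests; paths and bodies are made up for this example.
SAMPLES = [
    HttpRequest("POST", "/app/object", "application/x-java-serialized-object",
                JAVA_SER_MAGIC + b"sr\x00\x0ejava.util.Date"),
    HttpRequest("POST", "/app/form", "application/x-www-form-urlencoded",
                b"state=" + base64.b64encode(JAVA_SER_MAGIC + b"sr\x00\x0ejava.util.Date")),
    HttpRequest("POST", "/app/api", "application/json", b'{"user":"alice"}'),
    HttpRequest("POST", "/app/search", "text/plain", b"token=xrO0ABC"),  # prefix inside a word
]

if __name__ == "__main__":
    for line in triage(SAMPLES):
        print(line)
```

A match is a reason to block or review the request at the edge; the durable fix is the vendor patch together with a deserialization allow-list in the application.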

US-CERT study predicts machine learning, transport systems, to become security risks
The university’s CERT Coordination Centre (CERT/CC) sees machine learning as a potential security quagmire, since it expects aggressive adoption in the medium term, but use-cases are legion, making it difficult to observe (from a security point of view). “Characteristics of interest likely include big data applications dealing with sensitive information, security products whose efficacy depends on effective anomaly detection, and learning sensors that inform actions in physical reality (such as in self-driving vehicles).”
https://www.theregister.co.uk/2017/10/19/cert_cc_threat_survey/

Oracle Patches 250 Bugs in Quarterly Critical Patch Update
Onapsis is warning users of Oracle EBS (versions 12.1 and 12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network without any username and password credentials, to potentially gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.
https://threatpost.com/oracle-patches-250-bugs-in-quarterly-critical-patch-update/128484/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.