IT Security News Blast 10-2-2017

Cyber Security Regulations: Financial Services

The entities covered by the New York State’s new regulations were permitted 6 months from the effective date to comply with most of the terms, past which, non-compliance will not be tolerated. This makes the next couple of months extremely vital for institutions that haven’t fulfilled the requirements. To be one step ahead of possible attacks though, banks will need to regularly evaluate their potential vulnerabilities. Their threat levels should be under constant surveillance to forecast possible problems, and threat intelligence should be employed to understand when potential cyber attackers might attempt to take advantage of such holes in their armor.

https://www.finextra.com/blogposting/14569/cyber-security-regulations–financial-services

Bankers anxious over consumer reactions to Equifax breach

“Banks hate credit freezes. The banks want people to buy things on credit without a second thought,” said Chris Hoofnagle, a law professor at the University of California, Berkeley, and an author on consumer protection law. The time required to remove restrictions could thwart issuance of new credit cards, especially store credit cards that offer instant discounts on purchases. Second thoughts could lead drivers to spend less on cars when they reconsider how much they will have to borrow for more expensive models.

http://www.deccanchronicle.com/technology/in-other-news/011017/bankers-anxious-over-consumer-reactions-to-equifax-breach.html

Relentless Cyber Attacks Make These A Screaming Buy

Each new trend in technology – cloud computing, big data, internet of things – creates new weaknesses for hackers to exploit with malware, ransomware, leakware. The two exchange-traded funds to invest in the hottest tech sector are ETFMG Prime Cyber Security ETF with the symbol HACK, formerly called PureFunds ISE Cyber Security ETF; and First Trust NASDAQ Cybersecurity ETF, which trades under the ticker CIBR.

https://www.forbes.com/sites/trangho/2017/10/01/relentless-cyber-attacks-make-these-a-screaming-buy/#67bea9a1375a

The Global Cyber Attack on Healthcare

“Going for medical treatment is typically a scary enough experience, which puts everyone on edge. Now imagine a world in which patients are told by their doctors, hospitals, and other healthcare providers that they must wait, go to another facility, or worse yet, have their treatment postponed because the healthcare provider cannot access necessary records or machinery,” he explained. “Such is the age we live in.”

http://www.insidecounsel.com/2017/09/28/the-global-cyber-attack-on-healthcare

Security giant McAfee to healthcare CIOs, CISOs: Know your enemy

So just how vulnerable is the healthcare industry? Quite, according to the new “McAfee Labs Threats Report: September 2017” study from security giant McAfee, which not only identifies threats but suggests ways healthcare CIOs and CISOs can protect themselves from the threats. McAfee Labs’ quarterly analysis of publicly disclosed security incidents found the public sector to be the most impacted North American sector over the last six quarters, but healthcare overtook it in the second quarter of 2017 with 26 percent of incidents.

http://www.healthcareitnews.com/news/security-giant-mcafee-healthcare-cios-cisos-know-your-enemy

Cyber Command Is Growing Up. Now For the Real Issue.

Cyber Command no longer acts like a five-year-old, but is ready to grow up. It is the latest step in a 20-year journey. The Trump administration has ordered the elevation of the National Security Agency and U.S. Cyber Command; now the discussion can turn to the more important issue, the separation of their dual leadership.

https://www.thecipherbrief.com/column/cyber-advisor/cyber-command-growing-now-real-issue-2

Are Vets the Solution to the Cyberstaffing Gap?

In Washington state, officials are also looking at veterans as ideal candidates for cyberjobs. The state has partnered with the University of Washington to offer scholarships to veterans seeking cybersecurity degrees, and the Washington International Trade Association offers opportunities for veterans to retrain themselves for cyberwork in the public or private sector. The state also partners with local colleges on online certification programs that could help jumpstart a veteran’s retraining for a position in the cybersecurity field.

http://www.govtech.com/security/GT-OctoberNovember-2017-Are-Vets-the-Solution-to-the-Cyberstaffing-Gap.html

Analyzing Cybersecurity’s Fractured Educational Ecosystem

At different institutions, security-related classes emerged over the years in various disciplines, including computer science (CS), information systems (IS), and information technology (IT), as a tangent discipline in the service of broader departmental goals and curricula. In most cases, security education is still maintained within these disciplines. This program diversity makes it difficult for a single evaluation criterion to emerge that is general, yet still useful, within this diluted environment. Indeed, unlike CS, IT, and IS, there currently are no widely adopted academic accreditations for computing security at all.

https://www.darkreading.com/careers-and-people/analyzing-cybersecuritys-fractured-educational-ecosystem/a/d-id/1329980?

North Korean hackers plot to loot Britain’s finances with cyber attack on the City’s banks

The reclusive regime is improving its hacking through collaboration with Iran and criminal networks operating in southeast Asia and China, the expert said. He said the cyber attack that crippled computers at NHS hospitals and GP surgeries was an attempt to take money. “Their missiles are not going to reach the UK but their cyber-attacks did reach the NHS and other parts of Europe,” the 52-year-old said. “As sanctions bite further and North Korea becomes more desperate for foreign currency, they will get more aggressive and continue to come after the finance sector. They’re after our money.”

https://www.thesun.co.uk/news/4586790/north-korean-hackers-plot-to-loot-britains-finances-with-cyber-attack-on-the-citys-banks/

Attempted voting hacks a ‘wake-up call,’ former DHS chief says

Although there is no evidence that Russian interference altered ballots or election results, Johnson told the panel that those efforts “exposed cyber vulnerabilities” that could have serious ramifications. “Last year, when we saw these voter registration databases being targeted, I was very worried it was the run-up to a huge catastrophic attack” that would result in the deletion of voter registration information, he said. “We were very worried about that, and we continue to worry about the ability of bad cyber actors to compromise voter registration data.”

https://gcn.com/articles/2017/09/29/jeh-johnson-voting-vulnerabilities.aspx?admgarea=TC_SecCybersSec

FBI allowed to keep secret details of iPhone hacking tool, court rules

The FBI will not be forced to reveal details of a hacking tool used to break into a terrorist’s iPhone, a case that sparked months of legal hostilities between Apple and the US government. Vice News, USA Today, and the Associated Press filed a Freedom of Information lawsuit to reveal the name of the hacking tool’s vendor and its price. The Justice Dept. launched legal action against Apple, which had refused to help unlock the phone, arguing the device’s encryption could not be defeated — even by the company. The FBI later obtained a hacking tool — details of which the agency wants to keep secret.

http://www.zdnet.com/article/fbi-allowed-to-keep-secret-details-of-iphone-hacking-tool-court-rules/

Trump lawyers hit Facebook with warrants for activists’ account info

Armed with search warrants, Trump administration lawyers have demanded Facebook turn over account information on three Facebook users who are anti-administration activists. One of the users targeted is Emilio Talarico who ran the disruptj20 page that organized protests on Inauguration Day, according to a CNN report. The Justice Department had previously tried to get web hosting provider DreamHost to hand over information on visitors to the disruptj20 website. A superior judge subsequently ruled that the information must be handed over but ordered that the time period specified by the search warrant should be reduced.

https://www.scmagazine.com/trump-lawyers-hit-facebook-with-warrants-for-activists-account-info/article/696608/

NSA foreign digital surveillance program to wind down unless U.S. Congress renews law

The U.S. National Security Agency would need to begin winding down what it considers its most valuable intelligence program before its expiration at year-end if the U.S. Congress leaves its reauthorization in limbo, the agency’s deputy director said on Friday. The possibility the U.S. government may begin losing access to the surveillance authority even before it would officially lapse on Dec. 31 is likely to increase pressure on lawmakers to quickly renew the law.

https://globalnews.ca/news/3777178/nsa-digital-surveillance-program-expiring/

Here’s a way to make companies with large databases keep our info safe

Relatively few databases are protected by strong encryption — software that turns the contents into gibberish for anyone lacking digital keys to unlock all the goodies. […] “If they’re holding personally identifiable information, it should absolutely be encrypted,” said Pablo Garcia, chief executive of Aliso Viejo’s FFRI North America, a maker of cybersecurity software. “I’m almost at the point where I expect my personal information to be stolen every now and then.” The main problem, he and other tech-security experts say, is one of convenience.

http://www.latimes.com/business/lazarus/la-fi-lazarus-data-breaches-encryption-20170929-story.html

ICANN Postpones Scheduled DNS Crypto Key Rollover

ICANN said in a statement that the change was to occur on Oct. 11, but new data indicates that a “significant number” of resolvers used by ISPs and large network operators are not ready. ICANN hopes to reschedule the rollover to the first quarter of next year. […] The key signing key (KSK) rollover, as it’s known, requires the generation of a new cryptographic key pair and distribution of the public key to DNSSEC resolvers. ICANN said the rollover would affect 750 million people.

https://threatpost.com/icann-postpones-scheduled-dns-crypto-key-rollover/128212/

Best and Worst Security Functions to Outsource

It’s possible to outsource just about any security function, says IP Architects president John Pironti, but just because you can outsource doesn’t mean you should. The question, he says, is where do you want your team to focus its time and attention? “You have to calibrate expectations of what a third party will provide,” he explains. “They will not have the same interest or passion in your world as you will.”

https://www.darkreading.com/risk/best-and-worst-security-functions-to-outsource/d/d-id/1329995?

Point-of-sale data breach bad for Whole Foods’ health

Amazon’s new acquisition, Whole Foods Market, disclosed on Thursday that it has suffered a point-of-sale data breach that compromised the payment card information of customers who used its taprooms and full table-service restaurants. The actual grocery store checkout systems were not impacted, however, as they run on a separate POS system than those affected. Likewise, Amazon.com’s systems were not in any way impacted. In August, Amazon purchased the food retailer in a $13.7 billion deal.

https://www.scmagazine.com/point-of-sale-data-breach-bad-for-whole-foods-health/article/696792/

Macs Not Receiving EFI Firmware Security Updates as Expected

Duo said it analyzed data such as the build version and hardware model of more than 73,000 Macs, and compared that information to the respective EFI versions that should be running. On average, Duo said, 4.2 percent of machines in production environments did not match their expected EFI versions. […] Duo also said that 16 combinations of Mac hardware and OSes had never received a firmware update during the time when OS X 10.10 and 10.12.6 were available. More details on the data are available in the research report.

https://threatpost.com/macs-not-receiving-efi-firmware-security-updates-as-expected/128191/


Want to be a better security leader? Embrace your red team

Successful business leaders understand the power of disruption as a pathway to anticipating unstated future customer needs. The concept of disruption as a force for innovation is powerful in the field of cybersecurity and often pushes business leaders to problem solve in new or unexpected ways. Proactively simulating attacks on your own organization is an excellent example. With now-broad acceptance that attackers will get in and that compromise is expected, there are distinct advantages to being “productively paranoid.”

https://www.csoonline.com/article/3229357/leadership-management/want-to-be-a-better-security-leader-embrace-your-red-team.html

Siemens Patches Improper Access Vulnerability in Ruggedcom Protocol

Industrial manufacturer Siemens is encouraging users running devices that use its Ruggedcom Discovery Protocol (RCDP) to apply firmware updates this week. The updates resolve a serious and remotely exploitable vulnerability that could let an attacker carry out administrative actions. The issue, an improper access control vulnerability, could allow users of networks adjacent to targeted devices to perform unauthorized administrative actions, according to an advisory made public by ICS-CERT, the Industrial Control Systems Cyber Emergency Response Team, on Thursday.

https://threatpost.com/siemens-patches-improper-access-vulnerability-in-ruggedcom-protocol/128214/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.
