IT Security News Blast 10-20-2017

Local government agencies remain concerned about lack of cyber awareness
In addition to the top concern around cybersecurity, the poll also found that the cybersecurity framework from the National Institute of Standards and Technology and the security framework from the FBI’s Criminal Justice Information Services are the top guidelines for IT security in local government.

Healthcare IoT Infrastructure Relies on Device-to-Cloud Security
The IoT modules are able to provide this level of security because they establish trust between the devices and the cloud by storing unique ID keys in tamper-resistant hardware. The public key infrastructure also requires mutual authentication to the cloud so each device accessing the network is identified and verified.

DOD, HHS Recommend Collaboration with Industry to Fight Ransomware
The DOD has long recognized that American adversaries and competitors might try to gain an “asymmetric advantage” against the Pentagon’s formidable military technology via attacks on the agency’s supply chain and the intellectual property of the country’s defense industrial base, Komaroff said. […] That includes being clearer about cybersecurity requirements in contracts and sharing lots of information with the industry on threats, he said.

Pentagon chief asks Congress to not hinder cyber defense
Language in a draft of the NDAA says that when a cyber attack transits a third party country’s infrastructure or relies upon its networks the U.S. should encourage that nation to take action to eliminate the threat. However, the draft NDAA says the U.S. reserves the right to act unilaterally if needed.

US, allies grapple with countering Russia’s cyberoffensive
NATO’s three-day cyber symposium, which drew together national leaders, experts and industry specialists, comes at a time when Russia is being widely blamed for targeting Western troops and institutions with a more aggressive cyber-battlefield strategy. U.S. soldiers deployed to Poland have had their smartphones hacked while operating near Russia’s bordering enclave of Kaliningrad, according to Army leaders.

John McCain calls on military to protect elections from Russian attack
McCain, in a tense exchange with a top Pentagon official during a Senate Armed Services Committee, said new legislation could allow the department to intervene in the event of an attack.

Frustrated senators demand cyber war strategy from Trump
Frustrations over the lack of a comprehensive cyber policy boiled over during a Senate Armed Services Committee hearing on Thursday. The hearing ended with Chairman John McCain (R-Ariz.) issuing a veiled threat to subpoena the White House national security official responsible for coordinating cybersecurity policy across the federal government.

Kaspersky denies its software can be used for Russian espionage
Mr Kaspersky wrote on his blog on Thursday that Kaspersky Lab could not have spied on the US government or American users. A backdoor would be discoverable because its products and databases were all available for inspection on public servers, he said. “Our products’ functionality completely and utterly depends on the application code and entries in updated databases — there is no mysterious magic at work,” he wrote.

George W. Bush: US must confront ‘new era of cyber threats’
“America must harden its own defenses. Our country must show resolve and resilience in the face of external attacks on our democracy and that begins with confronting a new era of cyber threats,” Bush said. “This effort is broad, systemic and stealthy. It’s conducted across a range of social media platforms,” Bush said of the threats. “Ultimately this assault won’t succeed, but foreign aggressions including cyberattacks, disinformation and financial influence should never be downplayed or tolerated.”

Digital Fascism Rising?
Often heard arguments to justify digital fascism – such as the need to fight terrorism, cyber threats and climate change – have been skilfully used to undermine our privacy, our rights and democracy itself. The emergence of mass surveillance after 9/11, enabled by the Patriot Act in the United States and other laws, has led to the incremental erosion of liberties and human rights. Since the Snowden revelations, we know that there is mass surveillance of billions of people around the world.

G7 to put squeeze on internet giants at terror talks
In a first for a G7 meeting, representatives from Google, Microsoft, Facebook and Twitter will take part in the talks between the seven ministers from Britain, Canada, France, Germany, Italy, Japan and the United States. “The internet plays a decisive role in radicalization. Over 80 percent of conversations and radicalisation happen online,” said Italy’s Marco Minniti, who is hosting the summit on the volcanic island off Naples.

Russian Cyberspies Are Rushing to Exploit Recent Flash 0-Day Before It Goes Cold
It is clear that APT28 is trying to exploit the CVE-2017-11292 zero-day before the vast majority of users receive patches or update their systems. […] This is also not the first time the group races to exploit a zero-day before most of its targets patch their systems. The group did the same in May this year after Microsoft patched three zero-days — CVE-2017-0261 (Office EPS feature), CVE-2017-0262 (Microsoft Word), and CVE-2017-0263 (Windows).

Navigating Cybersecurity on a Stretch of “Regulatory Rapids”
Not unlike NY state requirements, under GDPR there is a 72-hour window to notify a client if there is a breach of data. […] Moreover, regulatory reporting, data retrieval for liquidity risk assessment, capital calculations, and simply the ability to identify every location client data is used and stored within a firm is not as easy as it may seem. This issue is only amplified for global firms that may outsource business support to affiliated entities, use third party vendors or transfer client data across borders.

Researchers surveil mobile users using just $1,000 worth of targeted ads
Using less than $1,000 worth of targeted advertising, University of Washington researchers were able to surveil individual users, determining location and habits. Researchers found that advertising can be used by the individuals buying ads to track a target’s location in relative real-time and to determine which apps a target uses and when, for apps with ads, according to the ADINT: Using Targeted Advertising for Personal Surveillance report. […] A targeted individual need not click the ad to be targeted and by using a canonical demand-side provider (DSP), researchers were able to identify a target’s home, routes and place of work, and even which apps were on a user’s phone.

Google exec: Our society is in real jeopardy
Government-backed groups may be behind some of the more sophisticated attacks. But increasingly, weapons and resources that were once only available to governments have become available to anyone. Some of the attackers’ tools are even available for free. This is not a drill: The threats to our most personal data, our businesses, our infrastructure, our democracy, are absolutely real. […] Small organizations should be consulting with security experts on a regular basis; larger organizations should have a chief security officer who can drive a sound security strategy, and the supporting processes and procedures to eliminate vulnerability.

Facebook is struggling to meet the burden of securing itself, security chief says
The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost. We have made intentional decisions to give access to data and systems to engineers to make them “move fast,” but that creates other issues for us.

Hackers Take Aim at SSH Keys in New Attacks
SSH private keys are being targeted by hackers who have stepped up their scanning of thousands of servers hosting WordPress websites in search of private keys. Since Monday, security researchers said they have observed a single entity scanning as many as 25,000 systems a day seeking vulnerable SSH keys to be used to compromise websites.

Russian Hacker Exploits GTA 5 PC Mod to Install Cryptocurrency Miner
Gamers were delighted with the release of world’s second most popular video game Grand Theft Auto V (GTA 5) released by Rockstar North. […] According to researchers, a mod maker going by the online handle of ‘Anton’ is reportedly distributing malware into the GTA 5 mods. The young, Russian speaking cybercriminal is apparently trying to hijack the computer power secretly to mine cryptocurrency.

Google Play Store Launches Bug Bounty Program to Protect Popular Android Apps
Google has finally launched a bug bounty program for Android apps on Google Play Store, inviting security researchers to find and report vulnerabilities in some of the most popular Android apps. Dubbed “Google Play Security Reward,” the bug bounty program offers security researchers to work directly with Android app developers to find and fix vulnerabilities in their apps, for which Google will pay $1000 in rewards.

Denuvo’s DRM now being cracked within hours of release
This week’s release of South Park: The Fractured but Whole is the latest to see its protections broken less than 24 hours after its release, but it’s not alone. Middle Earth: Shadow of War was broken within a day last week, and last month saw cracks for Total War: Warhammer 2 and FIFA 18 the very same day as their public release.

Few people know it’s National Cybersecurity Awareness Month. That’s a problem
Napolitano said, “This new hiring authority will enable DHS to recruit the best cyber analysts, developers and engineers in the world to serve their country by leading the nation’s defenses against cyber-threats.” Wow, great stuff that really had me proud to be an American and a cybersecurity professional. Unfortunately, my pride soon waned, and I came to a stark realization — NCSAM plays well in D.C. (and yes, in state/local government and academia to some extent), but the rest of the country could care less.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.