IT Security News Blast 10-6-2017

Tech and finance firms should be held to the same account: Goyle
Tech giants should be held to the same account as other companies such as banks and insurers when it comes to their potential influence on politics, according to Raj Goyle, who served two terms in the Kansas House of Representatives and went on to found artificial intelligence startup Bodhala.

Retail brokers, regulators and the authors of MiFID II: Why not embrace facial recognition for compliance?
In this age of biometric national passports and automated airport security systems, the ability for a computerized government database to be able to connect to a biometric recognition system to vet entries and exits across the world is very much proven, and is very likely to be more accurate than human resources.

HHS’s New 5-Year Strategic Plan Includes Cyber Goals
Overall, the privacy and security objectives outlined in the new HHS plan sound similar to themes in the more detailed IT strategic plan that was released in March. Top goals of that IT plan include protecting critical systems and data; improving the security and privacy posture of data and information systems; effectively preventing, monitoring and rapidly responding to emerging threats and vulnerabilities; and prioritizing cybersecurity investments through a risk-based approach.

Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up
A children’s nurse told delegates at the Virus Bulletin conference in Madrid on Thursday to get a grip on Internet of Things security. […] For one thing there is no medical need for such devices to be connected to the net 24/7, she said. More fundamentally, government regulation is needed to mandate baseline security standards. Milosevic advocated coordinated vulnerability disclosure, a process that would mean security researchers would work with manufacturers to fix issues before going public.

City of Englewood, Colo. hit with ransomware
The city of Englewood, Colo. was hit with a ransomware attack which brought down the city’s internal network. The attack left the city’s civic center unable to process credit cards and the city’s library unable to place items on hold or accept late fines, according to an Oct. 4 press release. City IT officials spotted the malware the night of Oct. 3 and are currently working to investigate the full scope of the attack.

Small businesses are cyber targets whether they know it or not
Small and mid-size businesses (SMBs) are especially vulnerable. Long gone are the days when they were mostly ignored by hackers as botnets and other automated attacks have been weaponized. In fact, nearly half of cyberattacks worldwide were against businesses with less than 250 workers.

Russian propaganda may have been shared hundreds of millions of times, new research says
In other words, to understand Russia’s meddling in the U.S. election, the frame should not be the reach of the 3,000 ads that Facebook handed over to Congress and that were bought by a single Russian troll farm called the Internet Research Agency. […] Looked at this way, the picture shifts dramatically. It is bigger — much bigger — but also somewhat different and more subtle than generally portrayed.

Russian Hackers Stole NSA Data on U.S. Cyber Defense
The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said. The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.

Russians hacked smartphones of 4,000 NATO troops
NATO troops’ smartphones are under attack by Russian hackers bent on obtaining information on and exploiting soldiers as well as getting a handle on NATO military capabilities. The hackers have so far accessed the phones of 4,000 NATO troops in Europe, the Wall Street Journal reported, using the phones in conjunction with surveillance drones to eavesdrop on troops in the Baltic states and Poland who are guarding the Europe-Russia border.

GCHQ spooks in the dock over UK government bulk data hacking
PI argues the government is “choosing to take advantage of security holes” which weaken security for later hacks. IPT hearings can be held behind closed doors over national security fears as it hears complaints about government surveillance. PI, along with seven internet service providers, says the practice known as computer network exploitation (CNE) is being carried out by GCHQ.

Boom! Lawyered: The Government Can Make Me Say WHAT?
Compelled speech is speech that the government forces you to say and that it conveys a particular belief or ideology. That means in other words, the first amendment both protects your right to speak, and your right to keep your mouth shut—especially if what you’re being asked to speak represents a particular viewpoint that you don’t agree with, or that feels compelled by the government for you to speak.

Miami Beach cops arrest man for Twitter parody of police spokesman
The police statement says that Orsetti was “engaging with local media, elected officials, and the community” as if he were Rodriguez. But it doesn’t offer any examples of how these communications harmed the reputation of the police department. Because the account was suspended, Ars was unable to review tweets made by the fake account.

U.S. lawmakers want to restrict internet surveillance on Americans
Senior U.S. intelligence officials consider Section 702 to be among the most vital tools they have to thwart threats to national security and American allies.  […] A discussion draft of the legislation, a copy of which was seen by Reuters, partially restricts the FBI’s ability to access American data collected under Section 702 by requiring the agency to obtain a warrant when seeking evidence of a crime. That limit would not apply, however, to requests of data that involve counterterrorism or counter-espionage.

The Disturbing Rise of Cyberattacks Against Abortion Clinics
Over the past few years, though, a new front has emerged that many reproductive healthcare organizations struggle to deal with. Cyberattacks and threats, as well as internet harassment, have escalated, aiming to disrupt services, intimidate providers and patients, and prevent women from getting the care they need.

This App Helps Users Detect ATM Skimmers
Electronics company Sparkfun has developed a potential solution, however. A smartphone app, the Skimmer Scanner, can detect these small pieces of hardware. Since skimmers rely on Bluetooth, the app automatically detects the Bluetooth then warns users. For those interested, the app is free to download from the Google Play store, while an iOS app is planned for the future.

Apache Tomcat Patches Important Remote Code Execution Flaw
The Apache Tomcat team has recently patched several security vulnerabilities in Apache Tomcat, one of which could allow an unauthorised attacker to execute malicious code on affected servers remotely. […] The critical Remote Code Execution (RCE) vulnerability (CVE-2017-12617) discovered in Apache Tomcat is due to insufficient validation of user-supplied input by the affected software. Only systems with HTTP PUTs enabled (via setting the “read-only” initialization parameter of the Default servlet to “false”) are affected.

Mattel withdraws kid-focused “smart hub” from market after complaints
Last week, two members of Congress sent a letter (PDF) to Mattel about the device. “Never before has a device had the capability to so intimately look into the life of a child,” wrote Rep. Joe Barton (R-Tex.) and Sen. Ed Markey (D-Mass.). “Consumers should know how this product will work and what measures Mattel will take to protect families’ privacy and secure their data.” Instead of answering those questions, Mattel has withdrawn the product.

Dumb bug of the week: Apple’s macOS reveals your encrypted drive’s password in the hint box
The bug (CVE-2017-7149) undoes the protection afforded to encrypted volumes under the new Apple File System (APFS). The problem becomes apparent when you create an encrypted APFS volume on a Mac with an SSD using Apple’s Disk Utility app. After setting up a password hint, invoking the password hint mechanism during an attempt to remount the volume will display the actual password in plaintext rather than the hint.

Hackers can identify if you are using sex toys and exploit them
Since the communication between the toy and phone is performed via BLE signals, which are not encrypted, therefore, researchers could intercept the transmissions between toy and phone using a single Bluetooth dongle and an antenna. Afterwards, Lomas demonstrated that using a few basic commands can let a hacker to create a connection with the device and control them from outside the house, from a street.



Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.