IT Security News Blast 10-9-2017

Your Secrets Are Wearing Emperor’s Clothes

Institutions which rely on customer identity-proofing and authentication need to shift their thinking on what constitutes identity – and you, as a consumer, need to hold your institutions accountable. If the companies providing you financial, health, or other private services don’t meet the bar for verifying your identity, you need to consider moving your business to other institutions.

https://criticalinformatics.com/yesterdays-secrets-are-wearing-the-emperors-new-clothes/

Your biggest cyber threat? It’s not who you think it is

It would be one thing if this were a one-off incident that only affected poker sites and others you might not admit to visiting in a job interview, but it is not, say those at the front line of the cyber security industry, and the companies affected. Mr Nagy’s assailant used the ploy known as a “distributed denial of service”, or DDoS attack, where websites are bombarded by a crippling barrage of fake traffic.

https://www.ft.com/content/b69fc21e-a9d6-11e7-93c5-648314d2c72c

Equifax rival TransUnion has hired cybersecurity lobbyists in Washington, D.C.

For its part, TransUnion has acknowledged that it has felt the fallout from Equifax’s cybersecurity crisis. The chief financial officer of TransUnion, Todd Cello, said last week that the company is spending more money on call centers as consumers seek answers and credit freezes. While Cello acknowledged at the time that TransUnion used the same software implicated in the Equifax breach, he said that TransUnion had kept that software up to date — so it does not believe it has fallen victim to the same attack.

https://www.recode.net/2017/10/8/16441368/equifax-transunion-cyber-security-hack-congress-lobbyists-regulation

Yahoo breach underscores importance of heeding risk factors, renews interest in legislation

The breach “is now the unfortunate poster child for unexamined risk, as its networks contained long-neglected vulnerabilities for years that eventually led it to becoming the largest global data breach of all time,” said Joe Fantuzzi, CEO of RiskVision, who said that Yahoo is “far from the only enterprise that has consistently overlooked critical factors in its risk environment.”

https://www.scmagazine.com/yahoo-breach-underscores-importance-of-heeding-risk-factors-renews-interest-in-legislation/article/698527/

Personal cyber insurance: Deploy in case of attack

Personal cyber insurance is likely to come on top of another policy. Hartford Steam Boiler and NAS Insurance offer cyber policies through other companies as add-ons to homeowners or renters insurance. Chubb offers cyber insurance in its Masterpiece homeowners policies. Similarly, AIG offers cyber coverage to customers with Private Client Group insurance policies for high net-worth customers.

https://www.usatoday.com/story/money/personalfinance/2017/10/08/personal-cyber-insurance-deploy-case-attack/720073001/

Prioritizing Data Security Strategies for Health IT Infrastructure

Healthcare providers must consider access control, audit controls, integrity controls, transmission security, and authentication. Essentially, entities need to monitor how data is transferred, stored, and accessed at all times. For example, a physician’s identity should be confirmed before she is able to access a network or EHR. A provider could opt for a multi-factor authentication process, ensuring that an individual who has been granted a certain level of access is the same person attempting to log on to the system.

https://healthitsecurity.com/features/prioritizing-data-security-strategies-for-health-it-infrastructure

The CISO’s Guide to Minimizing Health Care Security Risks

The CISO is responsible for protecting patients’ health data, which requires collaboration across the organization and with business partners such as vendors and insurers. For the common good of the health care industry at large — which includes individual practitioners, third parties and, most importantly, patients — all health care organizations must invest in solutions and strategies to protect PHI and manage risks to critical systems.

https://securityintelligence.com/the-cisos-guide-to-minimizing-health-care-security-risks/

Cybersecurity firm finds ‘90% crud’ rule rings true among 100 billion DNS records

Cybersecurity investigators in healthcare organizations can access DNS records to increase the speed and accuracy of detecting and responding to cyberattacks, FarSight said. The company added that hackers and cybercriminals leave so-called digital footprints in the DNS, which means that hospital infosec teams can follow those to track down attackers by domain name and IP address.

http://www.healthcareitnews.com/news/cybersecurity-firm-finds-90-crud-rule-rings-true-among-100-billion-dns-records

Time is running out for state officials to be approved for cybersecurity intel ahead of elections

The processing for each of these applications varies by person and as a result, there’s no average wait time. Over the last several months, however, DHS has been able to issue “interim” clearances when necessary within 30 days of an application, officials told CyberScoop. Final clearance approvals are taking much longer, the officials said.

https://www.cyberscoop.com/time-running-approve-state-officials-receive-cybersecurity-intel-ahead-elections/

Russians Still Have An Open Path to U.S. Election Subversion

Not only that, the White House hasn’t even nominated someone to replace now-White House chief of staff John Kelly as secretary of the Department of Homeland Security (DHS), or someone to run its units responsible for protecting the nation’s strategic infrastructure, which includes federal, state and local voting systems. Both are in the hands of “acting” officials. “The administration is having a hard time finding individuals that want to do the job, could do a good job, and could pass Senate confirmation,” a congressional expert tells Newsweek, speaking candidly only on the basis he not be quoted by name.

http://www.newsweek.com/spy-talk-jeff-stein-donald-trump-russia-homeland-security-election-russia-680179

China denies links to alleged cyber attacks in United States targeting exiled tycoon Guo

China has denied responsibility for alleged cyber attacks in the United States appearing to target exiled tycoon Guo Wengui, who has levelled corruption allegations against senior Communist Party officials and applied for political asylum. The Ministry of Public Security said in a statement provided to Reuters on Sunday an investigation had found “no evidence” of Chinese government involvement in the alleged cyber attacks.

http://www.reuters.com/article/us-china-corruption-tycoon/china-denies-links-to-alleged-cyber-attacks-in-united-states-targeting-exiled-tycoon-guo-idUSKBN1CD0AP?il=0

Secret Service nixes personal mobile devices in West Wing after Kelly hack

Kelly’s personal phone was hacked, possibly as long ago as December, and the chief of staff, who typically used his government-issued phone, has apparently now switched personal devices, Politico had reported. The new Secret Service policy, which Maddow said will go into effect after a “30-day management period,” will apply to visitors to the West Wing, including tour groups.

https://www.scmagazine.com/secret-service-nixes-personal-mobile-devices-in-west-wing-after-kelly-hack/article/698727/

VPN logs helped unmask alleged ‘net stalker, say feds

The Feds allege Lin used various privacy services: logging in via Tor, to conceal his IP address; VPN services; anonymised international texting services; and offshore private email providers. However, the complaint revealed, he made a fundamental error by using a work computer for some of his campaign, and even though he’d been terminated and the OS reinstalled on the machine, there were footprints left behind for investigators to associate Lin with the 16-month campaign against Smith.

https://www.theregister.co.uk/2017/10/08/vpn_logs_helped_unmask_alleged_net_stalker_say_feds/

Job seekers, freelance journalists targeted in Atlantic Magazine scam

Atlantic Media General Counsel Aretae Wyler told staffers about the scam in an Oct. 5 email. The phishers created many false email addresses using the names of the publication’s editors along with the Atlantic’s name in some fashion, such as recruitment.atlanticmagazine.com. The emails asked the victims for personal information like Social Security numbers and bank account information under the guise of offering them employment.

https://www.scmagazine.com/job-seekers-freelance-journalists-targeted-in-atlantic-magazine-scam/article/698734/

Millions of Accounts From Previous Bitly and Kickstarter Breaches Exposed

Troy Hunt, an IT security researcher and founder of breach notification website HaveIBeenPwned (HIBP), has discovered that Bitly, a URL shortener service provider, was compromised back in May 2014, exposing over 9 million accounts of registered users. As a result, usernames and encrypted passwords were breached.

https://www.hackread.com/millions-of-accounts-from-previous-bitly-kickstarter-exposed/

It’s 4PM on Friday, almost time to log off and, oh look, Disqus says it’s been hacked

The software maker, which produces reader comment boards for blogs and newspapers everywhere, admitted at 4pm Pacific Time, Friday, that a network intruder was able to grab a copy of a database snapshot from 2012 – which contained nearly 18 million account records, from email addresses to, in about a third of them, SHA1-hashed passwords.

https://www.theregister.co.uk/2017/10/06/disqus_hacked/

FreeMilk Phishing Scam Hijacks Active Email Conversations to Deploy Malware

The scheme has been named FreeMilk while the researchers have claimed that it is a “limited spear-phishing campaign,” which the security firm discovered in May 2017. The scope of this campaign is wide enough as it is targeting users around the world. According to researchers, this is quite a sophisticated campaign that exploits the CVE-2017-0199 Microsoft Word Office or WordPad Remote Code Execution Vulnerability. The decoy material is intelligently customized as per the recipient while the campaign seems to be a targeted one.

https://www.hackread.com/phishing-scam-freemilk-hijacks-active-email-conversations-to-deploy-malware/

Cybersecurity technology: Everything is transforming and in play

The most recent battle is for the whole enchilada — comprehensive endpoint security suites that span across ESG’s endpoint security continuum. While startups continue to act as new shiny objects, old-guard players such as McAfee, Sophos, Symantec, and Trend Micro have spruced up their offerings with advanced prevention/detection/response features of their own. In the meantime, confused users are getting dozens of phone calls from vendors asking for meetings.

https://www.csoonline.com/article/3231665/security/cybersecurity-technology-everything-is-transforming-and-in-play.html

 

 ====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.
