IT Security News Blast 11-13-2017

Stocks Prices Fall After Cyber Breach

Customers Punish Breached Companies
Equifax’s 25% reduction in share value and other industry-wide stats show that consumers aren’t so apathetic about cybersecurity after all. Many executives don’t take secondary breach costs very seriously: the numbers have long been tricky to pin down and many within the C-suite believe that consumer breach fatigue and apathy about cybersecurity buffer their brand in the wake of a breach. But growing evidence is showing that customers really do care, and they’ll put a wallop on the brand when the circumstances are egregious enough.


If hackers attacked the hospital
Take robotic surgical systems. As a test, researchers at the University of Washington in 2015 hacked into and maliciously controlled the Raven II Surgical Robot, which can be operated from afar. While the possibility of an evil genius commandeering a robotic surgical system seems a bit far-fetched, malware reportedly slowed down fetal monitors used on women with high-risk pregnancies at one hospital.


The Next U.S. Election Hack Is a Matter of When, Not If
Americans need to view the entire electoral infrastructure as a critical asset — like a power grid or communications network — deserving of the same attention and resources. Officials must also consider non-cybersecurity, low-tech approaches such as ensuring that the voting process produces a clear, checkable paper trail that is kept for an extended period of time after the vote.


Michigan to implement 211 cybercrime hotline
The Cybercrime Support Network (CSN) is launching a pilot program in western Michigan to train 911 and 211 front-line specialists to triage cybercrime calls, after which the local community will be trained to call 211 in the event of a cybercrime, according to a Nov. 7 press release. The goals of the program include building awareness, identifying community resources for recovery and crime victim compensation, improving victim education and restitution, serving cybercrime victims and connecting them to law enforcement.


BEC scammers stealing millions from home buyers
It has been revealed last week that art galleries and collectors are being actively targeted, and recent reports by The Washington Post and CNBC show that email accounts of home buyers and sellers, lawyers, real estate, title and escrow agents are increasingly being compromised by scammers, and access to them misused to redirect wired money to accounts under the scammers’ control. […] According to the latest FBI numbers, in 2017, nearly $1 billion was diverted or attempted to be diverted from real estate purchase transactions to accounts controlled by criminals.


Russian Twitter accounts tried to influence the UK’s EU departure
The discovery isn’t entirely shocking: if Russia was using Twitter bots to skew American sentiment, it wouldn’t take much effort to do the same for Britons. Still, findings like this could be crucial to an official investigation into Russia’s influence over Brexit. They also underscore how easy it can be to mount a modern propaganda campaign — you can target audiences around the world with minimal effort.


Experience matters: Veterans fill a cybersecurity niche
The concentration of military installations, federal agencies and contractors has allowed for a “Cyber Corridor” to emerge in the greater Washington area, particularly in Arlington. Feeding into that are the scores of veterans in the area who are uniquely suited for cybersecurity and looking to work in the private sector.


The iOS 11 Privacy and Security Settings You Should Check Right Now
Just head to Settings, then Privacy, then Location Services to set how liberally you want to share your GPS info. After that, head straight to Safari settings to flip on a few new features that weren’t available in earlier iOS versions. Go ahead and turn on Block Pop-ups, Prevent Cross-site Tracking, and Ask Websites Not To Track Me. They’ll go a long way to keep advertisers from following your every move online.


OPINION: To thwart North Korean hackers, hold China and Russia accountable
Today the Chinese government has an arsonist living in its basement. China is providing a safe haven for North Korean cyber actors, and Russia is providing an alternate route for North Korean hacks. If the North Koreans had missile units stationed in Shenyang, China, there would be repercussions for allowing them to be based there. Simply because these attacks are carried out in cyberspace does not change this fundamental premise.


Weaponized social media and search may spark the ultimate cyberwar
“The year 2020 is going to be a tug of war for the psychological core of the population, and it’s fair game,” said James Scott (pictured), co-founder and senior fellow at the Institute for Critical Infrastructure Technology. “There are very few things that you believe in that you came up with yourself. The digital space expedites that process, and that’s dangerous because now it’s being weaponized.”


Muslim Hacktivists Hack ISIS website; expose 20,000 subscribers list
Upon taking over the site, hackers sent a number of emails to subscribers from the site’s official email address displaying a hooded man and the following message: “We have hacked the full “secure” email list of Amaq! Daesh…shall we call you dogs for your crimes or snakes for your cowardice? We are the bugs in your system.”


UK spymasters raise suspicions over Kaspersky software’s Russia links
British spymasters fear that anti-virus software given away for free by Barclays to more than 2m customers may be being used as an intelligence-gathering tool by the Russian government. […]
Intelligence officials worry that the widespread distribution of Kaspersky by Barclays in particular exposes at-risk individuals — such as employees of British government departments or members of the military — who are customers of the bank and have downloaded Kaspersky software to boost their home security.


WikiLeaks: CIA impersonated Kaspersky Labs as a cover for its malware operations
WikiLeaks alleges that part of the CIA’s obfuscation methodology has it use faked digital certificates that are created by impersonating legitimate organizations “In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated,” the group wrote.


The Public is Not that Fussed About the Surveillance State: Confidence in the Intelligence Community and its Authorities
As we reported last week, public confidence in the intelligence community as a national security actor is relatively high in general—significantly higher than confidence in any other institution about which we poll, save the military. […] Only 32 percent of respondent suggest that the intelligence agencies have too much authority, while somewhat fewer (25 percent) contend it doesn’t have enough.


DOJ: Strong encryption that we don’t have access to is “unreasonable”
“We have an ongoing dialogue with a lot of tech companies in a variety of different areas,” he told Politico Pro. “There’s some areas where they are cooperative with us. But on this particular issue of encryption, the tech companies are moving in the opposite direction. They’re moving in favor of more and more warrant-proof encryption.”


All it took for researchers was a mask to bypass iPhone X Face ID
However, now, the IT security researchers at Bkav claimed to have bypassed Face ID with a 3D-printed frame, makeup, silicone nose and 2D images along with special processing on the cheeks and around the face, where there are large skin areas, to fool Face ID system. Furthermore, the company claims they didn’t cheat via the use of any special software or hack to bypass Face ID. This shows that facial recognition is still vulnerable and “not mature enough” at this point.


Privacy Fears Over Artificial Intelligence as Crimestopper
Police in the US state of Delaware are poised to deploy “smart” cameras in cruisers to help authorities detect a vehicle carrying a fugitive, missing child or straying senior. […] The program is part of a growing trend to use vision-based AI to thwart crime and improve public safety, a trend which has stirred concerns among privacy and civil liberties activists who fear the technology could lead to secret “profiling” and misuse of data.


Stealthy New PLC Hack Jumps the Air Gap
Researchers have devised a sneaky reconnaissance attack that drops rogue ladder-logic code onto a Siemens programmable logic controller (PLC) to gather sensitive plant data from an industrial network with no Internet connection, and then siphons it remotely via Radio Frequency (RF) transmission. A nation-state or other hacker group could use the stolen information for a future attack that sabotages the plant’s physical operations.


Schneider Electric Patches Critical Flaw in HMI Products
“A remote malicious entity could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag subscription, with potential for code to be executed. The code would be executed under high privileges and could lead to a complete compromise of the InduSoft Web Studio or InTouch Machine Edition server machine.” […] According to ICS-CERT, an exploit for the flaw is publicly available and only low-level hacking skills are required for exploitation.


What is quantum encryption? It’s no silver bullet, but could improve security
It is, as the BBC recently vividly showed in a video, like holding ice cream in the sun. Take it out of the box, expose the sun, and the ice cream will be visibly different than before. A 2004 Stanford paper explains this better, saying, “Quantum cryptography, which uses photons and relies on the laws of quantum physics instead of ‘extremely large numbers,’ is the cutting edge discovery which seems to guarantee privacy even when assuming eavesdroppers with unlimited computing powers.”



Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.