IT Security News Blast 11-14-2017

USB Drive Exploits

5 Things to Do Now: the USB/JTAG/IME Exploit
On November 8th, a security researcher (twitter: @h0t_max) announced they have found a vulnerability using the JTAG bus via USB to attack the Intel IME.  This vulnerability is present in most, and possibly all, Intel Skylake and newer processors, with some reports claiming that “all Intel procs from 2008 and newer are susceptible.” Let’s pause there.  If you’re wondering what that fearsome word salad means, you’re not alone.  To bring everyone to the same page, here’s a mocha breve we’ve disguised as a skinny latte.


New IcedID Trojan Targets US Banks
“At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S.,” researchers wrote in a report released Monday explaining the discovery. Two U.K.-based banks are also targeted by the malware. Similar to the TrickBot and Dridex Trojans, IcedID uses both webinjection and redirection attack techniques, researchers said.


Poor coding is leaving banks at risk of cyber attacks
The report also had harsh words about Microsoft’s .NET programming language, warning that .NET applications had more vulnerabilities on average than Java apps, though it didn’t provide numbers. Microsoft’s .NET apps developed with the waterfall software development method had the worst scores overall.


Report suggests US is in a ‘pre-9/11’ cyberattack moment — here’s what you need to know
The authors take the federal cyber apparatus to task for not applying the necessary emphasis and diligence in securing the government’s networks and data at this late stage, and it’s hard to argue that critique. The NIAC’s report is one of the more comprehensive analyses of the state of the nation relative to cyber security preparedness, and its conclusions and recommendations are numerous and significant.


Financial Impact of NotPetya Ransomware Keeps Rising
Multiple organizations over the course of 2017 have attempted to quantify the impact of ransomware with varying results. One of the best sources on measuring the financial impact of ransomware so far has become looking at the financial earnings of companies that have been victims of ransomware.


North Korean Cyber Operations: Weapons of Mass Disruption
What is particularly alarming about DPRK operations is their willingness to initiate escalatory actions, such as their likely connections to the now infamous WannaCry ransomware, and their targeting of the global financial system. North Korea’s disregard for the consequences of its actions sets them apart from other nation-states, and is particularly dangerous.


Equifax scraps bonuses and buybacks as hacking cost mounts
Revenues are also expected to come under pressure. Nervous corporate clients are putting off signing new contracts until Equifax can assure them its systems are secure. Several have demanded IT audits. “We’re hoping to win back their trust,” Mr Gamble said. Net income in the third quarter dropped 27 per cent from a year ago to $96m as the costs of the breach began to bite.


S&T Reveals a Determined Cyber-Posture for National Cyber Security Awareness Month
As the complexity of cyber-threats evolves at an exponential rate, so does the urgency to imagine, develop and implement innovative solutions to defend against them. For instance, CSD’s Mobile Security R&D program recently awarded $8.6 million to five mobile application security research projects; it then awarded $640,000 to the Critical Infrastructure Resilience Institute for research into prepositioned cyber-threats originating in the mobile device supply chain.


Factors like growing defensive expenditure, rising demand for cybersecurity in critical infrastructure as well as utilities and the ever-expanding traditional arms manufacturing companies in the cybersecurity business are some of the factors that are responsible for driving the global cyber weapons market. The market is forecasted to rise with a CAGR of 4.07% over the estimated period of 2017-2025.


HHS cybersecurity initiative paralyzed by ethics, contracting investigation
A fledgling HHS initiative to protect the nation’s health care system from cyberattack has been paralyzed by the removal of its two top officials amid allegations of favors and ethical improprieties. The executive running the Health Cybersecurity and Communications Integration Center was put on administrative leave in September, while his deputy left the government. An HHS official says the agency is investigating irregularities and possible fraud in contracts they signed.


Beyond data: are connected medical equipment and wearables the next big target for cyberattack?
Attacks targeting medical equipment with the aim of extortion, malicious disruption or worse, will rise. The volume of specialist medical equipment connected to computer networks is increasing.  Many such networks are private, but one external Internet connection can be enough for attackers to breach and spread their malware through the ‘closed’ network. Targeting equipment can disrupt care and prove fatal – so the likelihood of the medical facility paying up is very high.


Do Young Humans + Artificial Intelligence = Cybersecurity?
Even when cybersecurity automation does come of age, Brumley said, we’ll still need those elite humans. “What these top hackers are able to do… is come up with new ways of attacking problems that the computer wasn’t programmed to do,” he said. “I don’t think computers or autonomous systems are going to replace humans; I think they’re going to augment them. They’re going to allow the human to be free to explore these creative pursuits.”


Tackling the world’s biggest security threat
This war is shifting for the worse, fast. The massive attacks we’ve seen already, and this trillion-dollar problem, are just the early phase. “I believe we’re witnessing the testing of early prototypes for cyber warfare development programs. It’s similar to detecting underground nuke tests, like those we see in North Korea,” says Anup Ghosh, Chief Strategist for Sophos.


An NSA Breach and the New Hobbesian War on Our Privacy
Aside from puncturing the aura of the NSA as an all-seeing eye, the Times story also shows that today the greatest threat to our privacy is not an organization with a monopoly of surveillance power, but rather the disaggregation of surveillance power. It is not the citizen versus the state. Rather it is a Hobbesian state of nature, a war of all against all. Today, foreign governments and private hackers can use the same tools we all feared the U.S. government would use.


US Police, Military Bases Using Hackable Chinese Government-Owned Surveillance Cameras
According to the DHS, some cameras manufactured by Hikvision contained a security vulnerability that made the devices exploitable by hackers. The DHS flagged the flaw and assigned it the worst security rating available. […] Hikvision for its part has disputed any concerns over security issues with its products, noting that it follows the law in any country it does business in and took action to patch the flaws identified by the DHS.


Cheap Tricks: The Low Cost of Internet Harassment
As a reporter who has covered technology for more than two decades, I am familiar with the usual forms of internet harassment — gangs that bring down a website, haters who post your home address online, troll armies that hurl insults on a social network. But I’d never encountered this type of email onslaught before. I wasn’t sure what to do. “Hey Twitter — any advice on what to do when somebody malevolent signs you up for a thousand email subscriptions, making your email unusable?”


Idaho shared voters’ private info with Kobach’s ‘Crosscheck’ system, despite cyber vulnerabilities
Denney assured the public that other personal information collected on Idaho’s voter registration forms — a voter’s date of birth, driver’s license number and the last four digits of their Social Security number — is not releasable under Idaho’s public records law. Kobach, he said, could not have it. In fact, Denney had already given it to Kobach.


Lawmakers grapple with cyber-sleuthing technologies
Rep. John Lesch, DFL-St. Paul, a former St. Paul prosecutor, said that automated license plate readers and police body cameras threaten to widen social disparities. Both tend to be deployed in high-crime neighborhoods, he said, which tend to be poorer, more ethnically diverse areas. To Lesch, that suggests data on African-Americans and other minorities are captured in law enforcement databases at rates exceeding their proportion of Minnesota’s population. “That is a disparate impact—which the Supreme Court has stated is an issue—whether you intend to do it or not,” Lesch said.


Homeland Security Hackers Remotely Hack Boeing 757
According to Avionics Today, Hickey said “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”


Hackers say they broke Apple’s Face ID. Here’s why we’re not convinced
The supposed hack was carried out by researchers from Vietnamese security firm Bkav, which in 2009 demonstrated a way to bypass face-based authentication in Toshiba and Lenovo laptops. On Friday, company researchers published a video showing them unlocking an iPhone X by presenting it with a custom-made mask instead of the live human face that Apple has repeatedly insisted is the only thing that can satisfy the requirements of the facial recognition system.


You can soon securely unlock smartphone with your “body sweat”
Researchers explained that this new approach relies upon analyzing the skin secretions, that is, sweat to generate a unique amino acid profile. […] To create a user’s profile, the device will undergo a stage that is referred to as Monitoring Period by the research team. During this phase, the device would measure the sweat levels of the owners continuously, and at different times of the day.



Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.