IT Security News Blast 11-30-2017

Canadian Equifax Hack

SWIFT warns banks on cyber heists as hack sophistication grows
“Adversaries have advanced their knowledge,” SWIFT said in a 16-page report co-written with BAE Systems Plc’s (BAES.L) cyber security division. “No system can be assumed to be totally infallible, or immune to attack.” SWIFT has declined to disclose the number of attacks, identify victims or say how much money has been stolen. Still, details on some cases have become public.


What New Cyber Protocol Rules in New York means for Directors and Officers
The Regulation requires the CISO to prepare an annual report to the board of directors of the regulated entity regarding its cybersecurity program. The report must: i) specifically address the identification of material cyber risks to the regulated entity, including any past material cybersecurity event and ii) report on any penetration testing and vulnerability assessments. The Regulation also requires reporting on multifactor authentication and cyber awareness training for all personnel.


More than double the number of Canadians hit by Equifax cyber attack than first thought
The company previously said about 8,000 Canadian customers had their personal information compromised in the cyber attack, but couldn’t say how many additional credit cards were impacted across the country. Equifax issued a statement on Tuesday saying 11,670 of the affected credit cards are Canadian, bringing the total number of Canadians impacted by the hack to about 19,000.


OpenEMR flaw leaves millions of medical records exposed to attackers
The vulnerable component is the setup.php installation script, which allows users to easily install the application through a web browser. Isaac Sears, who released details and exploit code for another SQL flaw involving the setup.php script in late October, found that it could allow unauthenticated remote database copying because it exposes functionality for cloning an existing OpenEMR site to an attacker-controlled MySQL server.


Senate appropriators ramp up cyber at DHS
“The bill … recommends an unprecedented level of investment in cybersecurity,” the committee wrote in its explanatory statement accompanying the bill. The National Protection and Programs Directorate comes in for $700 million for cybersecurity operations for 2018 — a boost of approximately $27 million over 2017 levels — out of a total $1.4 billion budget. […] The committee expressed “concern that [state and local] governments are falling behind” the federal government when it comes to information-sharing efforts, and it included an additional $3 million for NPPD to promote pilot projects that do not conflict with current DHS information-sharing programs.


Closing the Security Gap: How Many Devices are on Your Network?
Most healthcare organizations don’t know the full inventory of devices that are connected to the network or that print devices pose equally dangerous risks. The fact that print devices are an emerging vehicle of penetration into our systems by those that mean us harm is too often overlooked or forgotten. This threat is real, and best evidenced by the recent report of several hundred devices of a particular manufacturer exposed directly to the internet as a result of a vulnerability within the devices.


The Cyber Diplomacy Act of 2017: Giving Cyber the Importance It Needs at the State Department
The bill would create an “Office of Cyber Issues” within the Department of State. This effectively reinstates the office formerly headed by Christopher Painter and disbanded in July. It creates a Senate-confirmed position with ambassadorial rank to head the office. The office would be placed under the undersecretary for political affairs, though it can report to “an official holding a higher position.”


The Pluses and Perils of Trump’s Cyber Strategy
When it comes to basic management of the government’s cybersecurity responsibilities, they say, it might be difficult to distinguish Trump’s cybersecurity program from his predecessor’s. When it comes to shaping and enforcing international rules of the road in cyberspace, however, the Trump administration may be taking a step back from the U.S.’s historic role, a move experts worry could cede ground to an anti-Democratic model for the internet championed by U.S. adversaries such as Russia and China.


Canadian hacker working for Russian government pleads guilty
His alleged accomplices — three Russian nationals named Dmitry Dokuchaev, 33, Igor Sushchin, 43, and Alexsey Belan, 29 — remain fugitives and are believed to be in Russia. “This case is a prime example of the hybrid cyber threat we’re facing, in which nation states work with criminal hackers to carry out malicious activities,” Paul Abbate, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, said in a statement.


What Cyber Command learned from ISIS operations
Chief among those lessons is “how we approach the intelligence problems, how we approach intelligence sharing, understanding the battlespace and also (ensuring) that traditional things like our targeting process were sound and repeatable within the cyber domain,” Haugh said. Many military leaders are careful to stress that cyber operations do not occur in a vacuum and must support the other functions and domains of warfare.


Experts: States need federal help to protect voting machines from Russian hackers
“In many electronic voting systems in use today, a successful attack that exploits a software flaw might leave behind little or no forensic evidence,” warned Matthew Blaze, an associate professor of computer and information science at the University of Pennsylvania. “This can make it effectively impossible to determine the true outcome of an election or even that a compromise has occurred.”


Vote-Hacking Fears Help State Officials Get Security Clearance
The federal government is “clear-eyed” that threats to election systems remain an ongoing concern after Russia’s meddling in the 2016 election[.] […] After the U.S. intelligence community reached its conclusion on hacking in the 2016 election, the federal government in January designated election systems as “critical infrastructure,” a move that opened up federal assistance to election officers around the country.


We’re hitting rock bottom in cyber — let’s do something
It seems cyberspace not only remains an environment prone to compromise but is hurtling toward a state of chaos where, as Columbia University scholar Jason Healey has put it, the internet “would no longer be merely the Wild West, but a failed state like Somalia.” And yet, where is the outrage? Reeling from one attack after another, we sometimes appear dazed and confused rather than mustering a collective commitment that treats cyber insecurity as a crisis of the highest order.


Cybersecurity breaches: It’s time to break the silence and work together
According to Dimension Data’s Global Threat Intelligence Report, cyberattacks on the government sector doubled from seven percent in 2015 to 14 percent in 2016 — resulting in a first-place tie with the finance industry. With rival nation-states such as China, Russia, North Korea and Iran ramping up attacks, agencies must work together to be better prepared and change the current culture around communicating breaches.


People Are Getting Robocalls About Their “Derogatory” Trump Posts
A man’s voice in a pre-recorded message says, “We’ve been monitoring some of your posts and it does seem that you’ve been making some rather negative comments about President Trump. Is that correct?” After pausing as if waiting for a response, the man says, “Listen. We’re going to have to ask you to lay off on the negative and derogatory posts about President Trump, OK?” After another pause, the man says, “What’s your problem, anyways? Don’t you want to make America great again?” “Well, you’ve been warned,” says the man to end the message. “We’ll be keeping an eye on you. Have a nice day.”


Cellphone tracking case in front of SCOTUS could have broad privacy implications
When the Supreme Court takes up Carpenter vs. the United States Wednesday, the likely landmark case will clarify if law enforcement must obtain court-issued warrants to access location data from wireless providers rather than invoke the lower standard for access imposed by the 30-year-old Stored Communications Act. In broader terms, the court’s decision could codify Fourth Amendment rights in the digital era.


Comcast deleted net neutrality pledge the same day FCC announced repeal
Comcast spokesperson Sena Fitzmaurice has been claiming that we got the story wrong. But a further examination of how Comcast’s net neutrality promises have changed over time reveals another interesting tidbit—Comcast deleted a “no paid prioritization” pledge from its net neutrality webpage on the very same day that the Federal Communications Commission announced its initial plan to repeal net neutrality rules.


Hey girl, what’s that behind your Windows task bar? Looks like a hidden crypto-miner…
Miscreants have found a way to continue running cryptocurrency-crafting JavaScript on Windows PCs even after netizens browse away from the webpage hosting the code. […] The idea, said Segura, is that when you visit a site, a small hard-to-spot window is opened up. That pop-under window runs the actual mining code, rather than the main page, and is tucked under the Windows task bar.


Study: 90 percent of top cryptocurrency apps carry security and privacy risks
When combined together, 84.6 percent of the apps were determined to contain at least two high-risk vulnerabilities, while 84.3 percent were found with a minimum of three medium-risk bugs. Nearly half of the apps, 47 percent, were deemed vulnerable to man-in-the-middle attacks, while 48 percent were found to contain hardcoded sensitive data such as passwords or API keys. And 46.6 percent were said to feature functionality that can endanger user privacy.


Cut the FUD: Why Fear, Uncertainty and Doubt is harming the security industry
Security vendors themselves obviously have a vested interest in having potential buyers worried about the risks of an imminent cyberattacks, as this fear will sway their decision to invest in more security solutions. […] This does not help people take action, but rather pushes them in one of two counterproductive directions. It’s possible all the doom saying will shake some cash lose from the organisation, which is unlikely to go to the right places, and will instead be wasted on whatever the new technology of the moment is.



Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.