IT Security News Blast 2-10-2017

Chances Are Your Startup Is Going To Get Hacked–Here’s What To Do

At the rate hackers are breaking into businesses' computer records, chances are unfortunately pretty good that your startup has already been compromised in some way. The odds are so strong, in fact, that the federal government recently released guidelines to help businesses of all sizes recover from a cyber attack. […] Attacks on small- and medium-sized businesses, including startups, get less media attention, but those organizations have just as much to lose.

Malware distributors are switching to less suspicious file types

Last week, researchers from the Microsoft Malware Protection Center warned about a new wave of spam emails that carried malicious .LNK files inside ZIP archives. Those files had malicious PowerShell scripts attached to them. PowerShell is a scripting language for automating Windows system administration tasks. It has been abused to download malware in the past and there are even malware programs written entirely in PowerShell.
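A defender-side check for the .LNK-in-ZIP lure described above, added here as an example and not taken from the Microsoft report: it walks the fixed 76-byte ShellLinkHeader, skips the optional IDList and LinkInfo blocks, reads the COMMAND_LINE_ARGUMENTS string and flags links whose arguments invoke PowerShell. The sample archive and both links are constructed inline; the ANSI code page (cp1252) used for non-Unicode links is an assumption.

```python
import io, struct, zipfile

LNK_HEADER_SIZE = 76                                          # HeaderSize is always 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x04, 0x08, 0x10, 0x20

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a shell link ("" if absent)."""
    flags = struct.unpack_from("<I", data, 20)[0]           # LinkFlags
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                     # skip IDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                               # skip LinkInfo: 4-byte total size
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if not flags & flag:                                # StringData entries come in this order
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, not bytes
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if flag == HAS_ARGUMENTS:
            return raw.decode("utf-16-le" if width == 2 else "cp1252")  # ANSI code page assumed
    return ""

def is_powershell_lnk(data):
    """True for a shell link whose arguments invoke PowerShell."""
    return data[:4] == b"L\x00\x00\x00" and "powershell" in lnk_arguments(data).lower()

def build_lnk(args):
    """Constructed sample: minimal Unicode link carrying only an arguments string."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 20, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")

def suspicious_lnk_entries(zip_bytes):
    """Names of .lnk entries in a ZIP whose arguments invoke PowerShell."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.lower().endswith(".lnk") and is_powershell_lnk(zf.read(n))]

def sample_zip():
    """Constructed archive: a benign link next to one that launches hidden PowerShell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", build_lnk("/c powershell -WindowStyle Hidden -File stage.ps1"))
        zf.writestr("readme.lnk", build_lnk("/c notepad readme.txt"))
    return buf.getvalue()
```

Because the target executable lives in the skipped IDList/LinkInfo blocks, this check only sees the arguments string; a mail gateway would pair it with a check on the resolved target path.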

A Hogwarts For Cyber Protection?

Now they’ve established a new school of cybersecurity wizardry — the National College of Cybersecurity is slated to open its doors — where else? — at historic Bletchley Park. This investment in the UK’s defense against cyber risks is good news, and represents a collaborative effort between the industry and government in facing the challenge of skill shortages. The National College of Cybersecurity also seems to be taking a smart approach to recruiting a student body by accepting the most gifted 16- to 19-year-olds, selected through aptitude testing or on the basis of their technology skills, rather than academic qualifications.

ICS, SCADA Security Woes Linger On

Honeywell published in September new firmware that patches vulnerabilities privately disclosed by researcher Maxim Rupp in its XL Web II controllers. The flaws could give an attacker the ability to access relatively unprotected credentials and use those to manipulate, for example, environmental controls inside a building. While these aren’t critical infrastructure systems such as wastewater, energy or manufacturing, building automation system hacks can be expensive to remedy, and in a worst-case scenario, afford an attacker the ability to pivot to a corporate network.

Google AI invents its own cryptographic algorithm; no one knows how it works

The Google Brain team (which is based out in Mountain View and is separate from Deep Mind in London) started with three fairly vanilla neural networks called Alice, Bob, and Eve. Each neural network was given a very specific goal: Alice had to send a secure message to Bob; Bob had to try and decrypt the message; and Eve had to try and eavesdrop on the message and try to decrypt it. Alice and Bob have one advantage over Eve: they start with a shared secret key (i.e. this is symmetric encryption).

Business Email Compromises – Covered by Insurance?

While it is too early to know how the QSC/Twin City Fire dispute will play out, similar cases have been springing up all around the country over the last several years with mixed results. Many commercial policies will not cover BECs because the insured (though duped) wired the funds voluntarily. Cyber policies may cover BECs, but as is always the case, it depends on the policy. In a 2015 survey by the Betterley Report, only 8 of 31 leading cyber insurance providers covered fraudulent wire transfers.

Air National Guard uses crash courses to narrow cyber training backlog

From there they are sent to Keesler Air Force Base in Biloxi, Mississippi, “to get the top off of cyber war training and then get them out the door, not in two years but in some cases two months,” said Air National Guard Director Lt. Gen. L. Scott Rice during a Feb. 7 Air Force Association event in Arlington, Virginia. “We are really rapidly getting people based upon their capability and what they came in the door with, out the other end of the door faster and quicker. That’s a pretty innovative thing we are doing down there trying to ‘modulize’ our training and adapt it to individuals.”

Army looking at direct commissions for civilian cybersecurity experts

Civilians with expertise in cybersecurity could be directly commissioned into the Army with a rank up to colonel to help the service improve its expanding cyber domain operations under a Pentagon pilot program authorized in recent weeks. The program would be similar to the Army’s direct commissioning programs for medical doctors, lawyers and chaplains, which place experts in those fields into the Army at a rank that is commensurate with their experience in the civilian sector, said Army Brig. Gen. Patricia Frost, the service’s cyber director for operations and planning. The Pentagon tasked the Army with the project on Jan. 30.

What is the CFO’s role in preventing a cyber attack?

Today, information equates to power and customer information is not the only data that is at risk. A company’s internal assets, including financial and strategic plans, can also be targets. An attack on this data (either for leakage, manipulation, ransom, or other malicious intent) could endanger a CFO’s relationships and trust with a number of important parties. It could also lead to business disruptions and loss of market share, not to mention potentially hefty fines. In this environment, how can CFOs and their organizations more broadly implement an effective cybersecurity strategy?

Should U.S. CFOs Worry About EU Cyber Risk Rules?

CFOs around the world have one more risk to fold into their financial planning strategies. The European Union General Data Protection Regulation (EU GDPR), set to come into effect on May 25, 2018, will apply to every organization of every size, industry, and geography that processes data from EU citizens. The rule subjects a violator of the EU GDPR to a fine of up to 4% of annual global turnover. Thus, U.S. finance chiefs need to impress upon their companies the potential financial statement effects of the requirements.

Say Hello to the Super-Stealthy Malware That’s Going Mainstream

So-called fileless malware avoids detection by hiding its payload in secluded spots, like a computer’s random-access memory or kernel, meaning it doesn’t depend on hard drive files to run. The technique first surfaced a couple of years ago, as part of a sophisticated nation-state reconnaissance attack, but has experienced a recent surge in popularity. It’s also not just hitting high-priority targets; research released by Kaspersky Lab on Wednesday found that fileless malware infected more than 140 financial institutions, government organizations, and telecom companies across 40 countries.

Why Your Company Could Be Wrong About Cyber Risks

According to BAE Systems, those in the C-Suite, including chief technology and chief information officers, often don’t agree with their leading decision-making colleagues in IT on what the biggest threats are, how much a hack could cost their company—and worst of all, they can’t even agree who’s responsible for stopping a cyberattack. The cognitive dissonance doesn’t end there. Although many companies accept in principle that sharing relevant information with cybersecurity firms could help them fend off hackers more effectively, 38% of bosses still refuse to under any circumstances.

Microsoft Allowed to Sue U.S. Government Over E-mail Surveillance

Microsoft Corp. persuaded a judge not to let the U.S. government out of a lawsuit alleging the company’s free-speech rights are violated by a law that blocks it from alerting users to the clandestine interception of their e-mails. The judge said Microsoft has at least made a plausible argument that federal law muzzles its right to speak about government investigations, while not ruling on the merits of the case. […] Robart rejected the tech giant’s argument that the so-called sneak-and-peek searches amount to an unlawful search and seizure of property.

Cybersecurity a Top Priority for the Capitol

House officers, the Capitol Police, the Library of Congress and the Architect of the Capitol have all made cybersecurity a top priority for fiscal 2018, officials told a House committee at hearings through Tuesday on their Legislative Branch spending bill budget goals. […] “The increased amount of state-sponsored activity waged against the United States underscores the serious threat posed by malicious actors, constantly attempting to exploit IT vulnerabilities,” House Chief Administrative Officer Philip G. Kiko told the House Administration Committee. “There is no doubt that we are a target.”

Secrecy surrounds White House cybersecurity staff shakeup

The chief information security officer for the White House’s Executive Office of the President has been removed from his position, sources have confirmed. Cory Louie was appointed to the position by former President Obama in 2015, charged with keeping safe the staff closest to the president — including the president himself — from cyber-threats posed by hackers and nation-state attackers. But circumstances surrounding his departure, weeks after President Donald Trump took office, remain unclear.

Trump cybersecurity order morphs into 2,200-plus-word extravaganza

The latest draft of a cybersecurity executive order to be signed by President Trump has become an unusually precise, report-ordering extravaganza. […] The new cybersecurity order is none of those. At over 2,200 words it is very long. It is also very precise, listing individuals and giving them specific tasks. Rather than focus on a particular goal – the creation of a new taskforce or the development of a singular report – the order calls for the production of no fewer than 10 reports, six of which will go directly to the President, on a range of aspects of cybersecurity.

Newly discovered flaw undermines HTTPS connections for almost 1,000 sites

The bug resides in a wide range of firewalls and load balancers marketed under the F5 BIG-IP name. By sending specially crafted packets to vulnerable sites, an attacker can obtain small chunks of data residing in the memory of connected Web servers. The risk is that by stringing together enough requests, an attacker could obtain cryptographic keys or other secrets used to secure HTTPS sessions end users have established with the sites, security researcher Filippo Valsorda told Ars.

Hummingbad overtaken as leading mobile malware in threat index

According to the new January Global Threat Impact Index from its Threat Intelligence Research Team, Triada is a modular backdoor for Android which grants super-user privileges to downloaded malware, which helps it get embedded into system processes. In total, mobile malware accounted for nine percent of all recognised attacks, while the Index ranked Kelihos, a botnet used in bitcoin theft, as the most prevalent malware family overall, with five percent of organisations globally impacted by it.

Windows Trojan hacks into embedded devices to install Mirai

Researchers from Russian antivirus vendor Doctor Web have recently come across a Windows Trojan program that was designed to gain access to embedded devices using brute-force methods and to install the Mirai malware on them. Mirai is a malware program for Linux-based internet-of-things devices, such as routers, IP cameras, digital video recorders and others. It’s used primarily to launch distributed denial-of-service (DDoS) attacks and spreads over Telnet by using factory device credentials.