IT Security News Blast 2-2-2017

NHS trusts vulnerable to cyber attack due to irregular app testing

The findings were drawn from 27 responses to FoI requests sent to 36 NHS. The responses also revealed that half of health trusts scan web perimeter apps only once a year, leaving patient data at risk of cyber attacks through legacy websites and third-party plugins. However, the responses revealed that 12% of trusts do scan web application perimeters daily, demonstrating a growing awareness of the role application security plays in protecting patient data.

Home-pwners: Cisco’s Prime Home lets hackers hijack people’s routers, no questions asked

Cisco is advising ISPs and other service providers using its Prime Home system to install a security update immediately – to squash a serious remote execution bug. Switchzilla says the flaw, which was given a 10.0 CVSS score, could allow an attacker to log into the software as an administrator and remotely take control of thousands upon thousands of customers’ home routers, broadband gateways and similar boxes. “An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication,” Cisco said today. “An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.”

Netgear Addresses Password Bypass Vulns In 31 Router Models

In an alert Monday, security vendor Trustwave said it had found two vulnerabilities in several Netgear routers that give attackers a way to either discover or to bypass any password on the devices. The flaws, which are present in 31 different Netgear models, allow attackers to take complete control of vulnerable devices and to change their configurations, upload rogue firmware on them, or turn the devices into remotely controlled bots. Anywhere from 10,000 devices to potentially one million Netgear routers have the vulnerabilities in them, according to Trustwave.—threats/netgear-addresses-password-bypass-vulns-in-31-router-models/d/d-id/1328036?

Cybersecurity’s million dollar jobs

What’s luring military cyber leaders to the other side? King says that while top cyber experts in the commercial sector can earn as much as 5x what their counterparts in the military earn, money is not the number one motivator. the top reason is because commercial capabilities are now crucial to the national security mission, and the commercial sector will always be more agile and innovative. The passion they have to serve their nation never leaves them.

Shipping industry vulnerable to cyber attacks and GPS jamming

“This includes software to run the engines, complex cargo management systems, automatic identification systems (AIS), global positioning systems (GPS) and electronic chart displays and information systems (ECDIS),” explained Matthew Montgomery, senior associate at international law firm Holman Fenwick Willan, told CNBC via email. “The added incentive for a hacker is that the shipping industry involves high value assets and the movement of valuable cargo on a daily basis.”

The Cyber Vulnerabilities of the U.S. Navy

There are several cyber threats that the Navy continues to face when conducting information operations in cyberspace. Attacks against DoD networks are relentless, with 30 million known malicious intrusions occurring on DoD networks over a ten-month period in 2015. Of principal importance to the U.S. intelligence apparatus are nation states that conduct espionage against U.S. interests. In cyberspace, the Navy contests with rival nations such as Russia, China, Iran, and North Korea, and all are developing their own information warfare capabilities and information dominance strategies.

Tech Titan Warns U.S. is ‘Woefully’ Unprepared for Cyberattack

“We have antiquated computer systems. We have norms that need to be updated. We’ve got hundreds of thousands of employees who basically don’t have the basic safeguards,” he said. Hippeau, Managing Partner at Lerer Hippeau Ventures, said an executive order from President Donald Trump won’t solve the nation’s cyber security problems and more concrete measures are needed to protect the nation.

Trump Outlines Plan to Tighten Government Cybersecurity, Postpones Order

President Trump was expected to sign an executive order Tuesday outlining his approach to protecting federal agencies from hackers. The White House said Tuesday afternoon that the signing had been postponed, but did not give a reason. […] “I will hold my cabinet secretaries and agency heads accountable, totally accountable for the cyber security of their organizations which we probably don’t have as much, certainly not as much as we need,” Trump said just before the afternoon meeting.

Confusion, theories abound as Russia stays silent on cybersecurity treason arrests

The report suggests that various Russian intelligence officers who are at odds with each other may be leaking contradictory details surrounding the arrests of the four suspects – Ruslan Stoyanov, head of cyber investigations at Kaspersky Lab; Col. Sergei Mikhailov, deputy head of the FSB’s Information Security Center (the FSB is Russia’s FBI); Maj. Dmitry Dokuchayev, a subordinate of Mikhailov and an unnamed fourth defendant who also worked for the FSB’s cybercrime division.

Are Apple-specific threats on the rise?

“Many of these incidents are occurring through exploits in third-party solutions from Adobe, Oracle’s Java and others, providing a mechanism for delivering malicious software and malware,” Dufour said. The cause for the rise, said Dufour, is that “Attackers are adept at using exploits in third-party software to deliver malicious programs to Macs and other operating systems.”

Canada: Does Your Insurance Cover Phishing Scam? It May Not.

[Sometimes] there is a disconnect between the type of coverage the buyer thinks it is getting and what the policy actually covers. This was a particularly important focus in Apache Corp. v. Great American Insurance Company decision, where the U.S. Court of Appeals for the 5th Circuit adopted a narrow interpretation of a crime insurance policy, finding that it did not cover a loss resulting from a fraudulent email directing funds to be sent electronically to the imposter’s bank account because the scheme did not constitute “computer fraud” under the policy.

Ex-IDF general: Disabling an entire enemy air force with one keystroke is not imaginary

“With one keystroke on the eve of a war, all enemy aircraft could be disabled without sending a single aircraft on a mission and without risking one human being… it is not beyond imagination,” former IDF Brig.-Gen. Yair Cohen said Tuesday about Israel’s potential cyber capabilities. Speaking at the Cybertech Tel Aviv 2017 conference, Cohen said that Israel may soon be able to achieve the same decisive outcome in war with just one keystroke that it did in its massive air strike during the Six Day War.

Saudi labour ministry still crippled by Jan cyber attack

Saudi Gazette reports that the ministry’s office Al-Marwah district branch in Jeddah was chaotic yesterday as visitors sought information on when the network would be fully restored. A mid-level manager reportedly showed the publication a blank computer seen and was quoted as saying: “This is the only thing we have been able to see on our systems for the past nine days.” There was also no indication of when service would be restored with the manager suggesting it could take a “day, week, month or year”. […] Despite this, banks have frozen the accounts of expats who have been unable to renew their permits.

Cyber-spying, leaking to meddle in foreign politics is the New Normal

DC Leaks released emails purportedly sent by campaign staff of Arizona senator John McCain and South Carolina senator Lindsey Graham and former Minnesota congresswoman Michele Bachmann. All three have staked out political positions hostile to Russia. The traffic goes both ways. Paul Manafort, campaign aide to then candidate Donald Trump, was forced to step down in the wake of a controversy over alleged off-books cash payments received from a pro-Russian political party in Ukraine. One theory is that elements of the Ukrainian government leaked the information in order to damage Trump.

HTTPS Hits 50 Percent Traffic Milestone

“For the first time, the running average crested the 50 percent HTTPS page load mark,” said Sarah Gran, director of communications for Let’s Encrypt, the free certificate authority. “We see that as solid progress when it comes to making the entire internet more secure.” […] “This rate of growth is quite spectacular,” said security researcher Troy Hunt in a blog post noting the milestone. Further analysis of HTTPS adoption by Hunt and security researcher Scott Helme shows that sites implementing HTTPS have doubled in the past year.

WordPress Websites Exposed to Severe Content Injection Vulnerability

Sucuri found a Content Injection or Privilege Escalation vulnerability affecting the REST API allowing an attacker to modify the content of any post or page within a WordPress site. However, there is good news since Sucuri discretely reported the vulnerability to WordPress security team who handled the matter professionally and informed as many security providers and hosts and implemented a patch before this became public.

15 million affected by ID fraud, report

The 2017 Identity Fraud Study, by Javelin, found that 15.4 million people, or about 6.1 percent of all consumers, in the United States were victimized in 2016, a 16 percent increase compared to 2015, with losses increasing by about $1 billion to $16 billion. While identity fraud is not entirely a cybersecurity issue, the vast majority of people found themselves affected due to something that happened online.

Zimperium Program Buys Exploits for Patched Mobile Vulnerabilities

The company’s N-Days Exploit Acquisition Program will pay researchers from a pool of $1.5 million for exploits targeting vulnerabilities in Android and iOS that have already been patched. Zuk Avraham, founder of Zimperium, said the program will not only serve to train the company’s core internal Z9 machine learning engine, but also encourage and reward exploit writers to develop proof-of-concept exploits that could nudge carriers and handset makers to improve patch delivery to devices.

How Facebook and Google are battling internet terrorism

Officials from the popular social network and YouTube parent Google addressed the issue here at a recent tech policy conference, where they described efforts to go beyond simply removing extremist content, and actually engaging in counter-messaging programs to present alternative narratives to those advanced by groups like ISIS. […] “We know the power of our platform, and so we know that the best way to counter messages of hate and violence is to promote messages that push back against that, that push back against the hate and extremism and xenophobia around the world.”

PCI Security Standards Council Issues Guidance For E-Commerce Security

Best Practices for Securing E-commerce is the result of a comprehensive study on payment security challenges by a Special Interest Group that included merchants, financial organizations, and service providers. As online sales have increased significantly, the Council emphasizes the importance of encryption. In 2015, the Council said that those who accept payment cards must employ TLS 1.1 encryption or higher by next year June. Google, meantime, has said that use of HTTPS is necessary and now Chrome browser users are warning users when they visit a non-HTTPS website.