IT Security News Blast 2-24-2017

New blog on securing your IoT, using a 3-part strategy: https://www.criticalinformatics.com/threat_intel_-_Smart_Security_for_the_Internet_of_Things,_in_Three_Parts.htm

Also, note correction on date for ACP meeting, 3/15 and not 3/9. Seats still left, but not for long.

Upcoming meeting of the Association of Continuity Professionals – meeting 3/15 at the Space Needle, Seattle

You are welcome to forward this invite to anyone in your organization who may be interested. Attendance is limited to the first 100 registrants. A topic we sometimes do not give much attention to – until it’s needed – then it is too late: Continuity of Operations, Business Continuity and Disaster Recovery Planning. The recent attention to “everything west of I-5 is GONE” has subsided. Come hear nationally renowned security experts and B/C & D/R professionals discuss real survival scenarios.

https://www.eventbrite.com/e/acp-chapter-meeting-how-to-survive-a-disaster-tickets-31724340356

Malwarebytes Survey Highlights New Threats That Need New Cybersecurity Thinking

“Businesses deployed multiple cybersecurity defenses (e.g., firewalls, AV, VPNs, IPS) but still suffered cyberattacks from worms/viruses, APTs, phishing, ransomware and zero-day exploits which caused system downtime, loss of customer confidence, and theft of customer data. With their necks on the line, IT managers (72%) and CISOs (60%) will be responsible for upgrading their current security systems or investing in additional security solutions to reduce their exposure to evolving threats.”

https://finance.yahoo.com/news/malwarebytes-survey-highlights-threats-cybersecurity-172000661.html

I was authorized to trash my employer’s system, sysadmin tells court

In essence, Thomas is arguing that, yes, while he did intentionally cause damage it wasn’t “without authorization.” In fact, he was expressly authorized to access all the systems he accessed, and he was expressly authorized to carry out the deletions he did – every sysadmin in the world deletes backups, edits notification systems and adjusts email systems. In fact, it’s fair to say that is a big part of the job they are paid to carry out. His legal filing to the Fifth Circuit also points out that none of his actions were forbidden by the company’s own policies. Thomas is telling the court: sure, I trashed their systems but I did nothing illegal. And he has a point. It’s just that every company in America is terrified that he might win the argument.

https://www.theregister.co.uk/2017/02/23/michael_thomas_appeals_conviction/

Cyber security from a hacker’s perspective

For example, respondents said traditional countermeasures such as firewalls and antivirus almost never slowed them down, but endpoint security technologies were more effective at stopping attacks. More than half of respondents changed their methodologies with every target, severely limiting the effectiveness of security defenses based on known files and attacks. Around one-third of attackers said their target organisations never detected their activities.

http://www.information-age.com/cyber-security-hackers-perspective-123464671/

Frank Abagnale, world-famous con-man, explains why technology won’t stop breaches

Abagnale warned that the value of a medical record to identity thieves far surpasses that of just a name, date of birth, and social security number. That’s because it provides an even bigger window into an individual’s life. Abagnale says the responses of organizations (including the state government of South Carolina and the OPM) to theft of sensitive personal information are far from adequate—and because there’s no way to effectively change the data, it can be held for years by criminals and still be valuable.

https://arstechnica.com/security/2017/02/phish-me-if-you-can-frank-abagnale-says-tech-will-never-defeat-social-engineering/

Cellebrite can now unlock iPhone 6 and 6+, also extract data from array of popular apps

CAIS is the in-house product on sale from Cellebrite. They also offer products like the new version of the Universal Forensic Extraction Device (UFED) Physical Analyzer 6.0 for use in the field by their customers. The company has been increasingly advertising their newest product’s ability to easily extract and investigate data from encrypted secure messengers including Signal, Telegram, Threema and Surespot.

https://www.cyberscoop.com/cellebrite-iphone-6-ufed-samsung-galaxy-facebook-messenger-snapchat/

How to Install TOR on Android and iOS Devices

You can safeguard your online privacy when you are using an Android or iOS device to browse the internet by using TOR. TOR hides and occasionally changes your IP address when you are online. Thus, when you are using TOR on either of these devices, your privacy and identity will be safe when you visit social media sites or any other sites on the internet. Here is a detailed guide on how you can successfully install TOR on your Android or iOS device.

https://www.hackread.com/how-to-install-tor-on-android-and-ios-devices/

First Practical SHA-1 Collision Attack Arrives

The attack, which was in the works for two years, stems from the colliding of two PDF files. Bursztein and company claim that through the attack, it’s possible to obtain the SHA-1 digital signature on the first PDF file and then use that to abuse the second PDF file by mimicking that signature. The researchers claim the collision–which they got off the ground with help from Google’s cloud infrastructure–is “one of the largest computations ever completed.” The numbers back up the claim. In order to perform the attack, the researchers claim they needed to carry out nine quintillion SHA-1 computations in total, something that took 6,500 years of CPU computation time to complete the first phase and 110 years of GPU computations to finish the second.

https://threatpost.com/first-practical-sha-1-collision-attack-arrives/123868/

We’re Halfway to Encrypting the Entire Web

The movement to encrypt the web has reached a milestone. As of earlier this month, approximately half of Internet traffic is now protected by HTTPS. In other words, we are halfway to a web safer from the eavesdropping, content hijacking, cookie stealing, and censorship that HTTPS can protect against. Mozilla recently reported that the average volume of encrypted web traffic on Firefox now surpasses the average unencrypted volume.

https://www.eff.org/deeplinks/2017/02/were-halfway-encrypting-entire-web

Russian military admits significant cyber-war effort

Speaking to Russian MPs, Mr Shoigu said “we have information troops who are much more effective and stronger than the former ‘counter-propaganda’ section”. […] “The aim is to control information in whatever form it takes,” he wrote in a Nato report called “The Next Phase of Russian Information Warfare”. “Unlike in Soviet times, disinformation from Moscow is primarily not selling Russia as an idea, or the Russian model as one to emulate. “In addition, it is often not even seeking to be believed. Instead, it has as one aim undermining the notion of objective truth and reporting being possible at all,” he wrote.

http://www.bbc.com/news/world-europe-39062663

Military still working out ‘effectiveness’ of cyber tools

“Typically, we fight in declared hostility areas that are geographically defined. Within that come certain authorities, and those are managed very tightly in the U.S. government,” Vice Adm. Michael Gilday, commander of Fleet Cyber Command/10th Fleet, said a day earlier at the same conference. “I think we need to be really cautious about tipping too much in the offensive side in those areas. It needs to be well thought out in terms of the second- and third-order effects for those activities — not just as a military but as a country.”

http://www.c4isrnet.com/articles/military-still-working-out-effectiveness-of-cyber-tools

Cyberattacks threaten democracy itself, warns NATO

“Cyber is facilitating more advanced and more effective psychological warfare, information operations, coercion and intimidation attacks. We used to worry about [hackers targeting] banks or credit cards or inconvenience to customers, now we worry about the future of democracy, the stability and health of our institutions,” he said, speaking at the European Information Security Summit in London.

http://www.zdnet.com/article/cyberattacks-threaten-democracy-warns-nato/

Road Map To A $200,000 Cybersecurity Job

And as high-ranking roles including chief security officers begin reporting directly to CEOs and corporate boards, compensation is likely to jump further. For those with the right skills and experience, it’s a job-seeker’s market. But universal demand and negligible supply don’t change the fact that cybersecurity is an evolving field. Strategies, threats, and the skills to combat them can and will pivot over the coming months, making it more difficult for candidates to qualify — and stay relevant — for these lucrative opportunities.

http://www.darkreading.com/careers-and-people/road-map-to-a-$200000-cybersecurity-job/a/d-id/1328218

The cybersecurity side of cryptocurrency

There’s reason for the excitement. The technology lets people and institutions shift funds instantly and without the need for a middleman. Unlike paper currencies controlled by governments, cryptocurrencies are fully decentralized and operate independently of central banks. The digital assets work as a medium of exchange using principles of cryptography to secure transactions. […] But with regulators and governments still trying to figure out appropriate legal structures and business norms governing cryptocurrencies, cybercriminals are finding clever ways to exploit that window of opportunity.

http://www.csoonline.com/article/3166938/data-breach/the-cybersecurity-side-of-cryptocurrency.html

Reaching the cybersecurity tipping point

Remember that moment when you really committed yourself to solid security and privacy practices? The moment when you committed to never clicking on a link you weren’t sure about, to always checking for badges on people coming in the door, to always using your password manager to create a complex password? If you do, you reached your “cybersecurity tipping point.” For many, that moment has not yet come. And if you are reading this article, it might be your job to get your employees to hit that point. And you already know that the hard part is figuring out how.

http://www.networkworld.com/article/3171733/security/reaching-the-cybersecurity-tipping-point.html

Judge: No, feds can’t nab all Apple devices and try everyone’s fingerprints

A federal magistrate judge in Chicago recently denied the government’s attempt to force people in a particular building to depress their fingerprints in an attempt to open any seized Apple devices as part of a child pornography investigation. This prosecution, nearly all of which remains sealed, is one of a small but growing number of criminal cases that pit modern smartphone encryption against both the Fourth Amendment protection against unreasonable search and seizure, and also the Fifth Amendment right to avoid self-incrimination. According to the judge’s opinion, quoting from a still-sealed government filing, “forced fingerprinting” is part of a broader government strategy, likely to combat the prevalence of encrypted devices.

https://arstechnica.com/tech-policy/2017/02/judge-no-feds-cant-nab-all-apple-devices-and-try-everyones-fingerprints/

Many Companies Taking a Pass on Buying Cyber Insurance

For the purposes of underwriting, there is also the challenge of a lack of sufficient cyber-attack data. Because companies aren’t required to disclose all hacks and breaches, many go unreported. “As a result, the insurance industry faces a rampant reporting bias that is hard to translate into policies,” the Deloitte report says. There is an answer for this: “Insurers can implement risk-informed models as opposed to definitive predictive models and break down data silos across the industry to better pool underwriting resources,” Deloitte suggests. But, for now, the issue still exists.

http://ww2.cfo.com/risk-management/2017/02/companies-passing-cyber-insurance/

Study finds taxpayers unaware, unprepared to combat fraud

Despite the inherent danger, taxpayers also aren’t bothering to take additional steps to ensure their tax preparation firm is properly securing their information, with only 35 percent of taxpayers demanding these people use two-factor authentication and only 18 percent asking tax preparers to use an encrypted USB drive to save important tax documents, according to the annual CyberScout Tax Season Risk Report. The study also found that 38 percent of the people surveyed themselves stored information using an unsecure method, leaving them open to attacks.

https://www.scmagazine.com/recent-study-found-taxpayers-dont-take-the-necessary-precautions-to-prevent-tax-fraud/article/638880/

Amid cyberattacks, ISPs try to clean up the internet

The tracking capabilities of Level 3 highlight how internet service providers can spot malicious patterns of activity over the internet, and even pinpoint the IP addresses that are being used for cybercrime. In more extreme cases, Level 3 can essentially block bad traffic from harassing victims, and effectively shut down or disrupt the hackers’ attacks. So why aren’t ISPs doing more to crack down on cybercrime? The issue is that an ISP’s ability to differentiate between normal and malicious internet traffic has limits, and finding ways to properly respond can open a whole can of worms.

http://www.csoonline.com/article/3173274/security/amid-cyberattacks-isps-try-to-clean-up-the-internet.html

Hacker Who Knocked Million Routers Offline Using MIRAI Arrested at London Airport

Mirai is the same botnet that knocked the entire Internet offline last year, crippling some of the world’s biggest and most popular websites. The BKA got involved in the investigation as the attack on Deutsche Telekom was deemed to be a threat to the country’s national communication infrastructure. German police from the city of Cologne identified the suspect and issued the international arrest warrant. The BKA said the cops would extradite the 29-year-old man to Germany to face charges of computer sabotage. If convicted, he can get a prison sentence of up to 10 years.

http://thehackernews.com/2017/02/mirai-router-hacking.html

Survey: Most Attackers Need Less Than 12 Hours To Break In

The results showed that most pen testers find it almost trivially easy to break into any network that they take a crack at, with nearly 75% able to do it in less than 12 hours. Seventeen percent of the respondents in the Nuix survey claimed to need just two hours to find a way through. […] About one-third of the pen testers claimed that they have never been caught so far while breaking into a client network and accessing the target data, while about 36% said they were spotted in one out of three tries.

http://www.darkreading.com/threat-intelligence/survey-most-attackers-need-less-than-12-hours-to-break-in/d/d-id/1328256?
