IT Security News Blast 2-27-2017

Blog on using procurement and contracting to set the rules for IoT deployment:,_in_Three_Parts.htm

Everything You Need to Know About Cloudbleed, the Latest Internet Security Disaster

Cloudflare ran into trouble when formatting the source code of cf-html and its old parser Ragel to work with its own software. An error in the code created something called a buffer overrun vulnerability. (The error involved a “==” in the code where there should have been a “>=”.) This means that when the software was writing data to a buffer, a limited amount of space for temporary data, it would fill up the buffer and then keep writing code somewhere else. (If you’re dying for a more technical explanation, Cloudflare laid it all out in a blog post.)
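To make the "==" versus ">=" point concrete, here is a constructed C example (added here; not Cloudflare's or Ragel's code) of a pointer-walking scanner whose end-of-input test only fires on exact equality. The scanner, the escape-skipping rule, the `CHECK_EQ`/`CHECK_GE` names and the sample input are all assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example (not Cloudflare's or Ragel's code): `p` walks the input,
 * `pe` points one past its last byte. A backslash makes the scanner skip the
 * following byte too, so `p` can jump from pe-1 straight to pe+1 and never
 * *equal* pe. An "==" end test then misses the end; a ">=" test catches it. */

#define CHECK_EQ 0   /* the flawed test:    p == pe */
#define CHECK_GE 1   /* the corrected test: p >= pe */

/* Returns how many byte positions at or beyond the end of `buf` the scanner
 * tried to read; 0 means it stopped cleanly. `max_overrun` is demo
 * instrumentation so the loop terminates instead of walking off into memory,
 * and the dereference is guarded so this program never reads out of bounds:
 * it only counts where the unguarded original would have read. */
static size_t scan_overrun(const char *buf, size_t len, int check, size_t max_overrun)
{
    const char *p = buf;
    const char *pe = buf + len;
    size_t overrun = 0;

    for (;;) {
        int at_end = (check == CHECK_GE) ? (p >= pe) : (p == pe);
        if (at_end || overrun >= max_overrun)
            return overrun;

        int escape = 0;
        if (p < pe)
            escape = (*p == '\\');   /* in-bounds read */
        else
            overrun++;               /* original would read here: data leak */

        p += escape ? 2 : 1;         /* an escape consumes the next byte as well */
    }
}

int main(void)
{
    /* Constructed input: an unfinished escape as the very last byte (8 bytes). */
    static const char input[] = "attr=\"x\\";
    size_t len = strlen(input);
    size_t bad = scan_overrun(input, len, CHECK_EQ, 16);  /* hits the cap: 16 */
    size_t good = scan_overrun(input, len, CHECK_GE, 16); /* stops cleanly: 0 */
    return (bad != 0 && good == 0) ? 0 : 1;
}
```

Any input that does not end in a backslash lands exactly on `pe` and both checks agree; only the skip-past-the-end case separates them, which is why the bug stayed latent until a particular page structure triggered it.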

Carders capitalize on Cloudflare problems, claim 150 million logins for sale

Salted Hash covered the story on Thursday evening, as well as updated it on Friday, but even with all the coverage and a detailed explanation by Cloudflare, the full scope of the incident isn’t exactly clear. According to Cloudflare, the impact includes “HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.” It’s the ‘other sensitive data’ part that has people guessing.

How Secure Is Our Smart Grid?

The U.S. Energy Department’s 494-page report was released during the final days of the Obama administration, and it offered this clear warning for 2017 and beyond: “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency. The current cybersecurity landscape is characterized by rapidly evolving threats and vulnerabilities, juxtaposed against the slower-moving deployment of defense measures.”

In The Increasingly High-Tech Oil Business, Cyber Security Is Becoming Essential

In a recent survey of oil and gas risk managers, the majority of those that responded said their companies had lost confidential information, or had their operations disrupted by a security breach within the last year. (That independent survey was funded by a company that sells cyber security services.) Charles McConnell, head of Rice University’s Energy and Environment Initiative, says going forward, companies can’t afford to treat cyber security like a luxury, and they can’t wait for a big attack or security lapse to take it seriously.

Cyber Espionage Seen Expanding to Grasp Trump Policy Changes

Nations regularly spy on one another, but with President Donald Trump espousing unconventional approaches to foreign policy, there is a heightened urgency to know what shifts may occur, according to John Hultquist, FireEye’s manager of cyber espionage analysis. “We can anticipate worldwide a surge in cyber espionage because of the changing administration, because of America’s rapidly changing foreign policy, military policy, diplomatic policy,” Hultquist said in an interview in San Francisco. “We have created a lot of uncertainty that foreign countries or foreign adversaries are going to try to unravel with these tools.”

FCC to halt rule that protects your private data from security breaches

The most well-known portion of the privacy order requires ISPs to get opt-in consent from consumers before sharing Web browsing data and other private information with advertisers and other third parties. The opt-in rule is supposed to take effect December 4, 2017, unless the FCC or Congress eliminates it before then. Pai has said that ISPs shouldn’t face stricter rules than online providers like Google and Facebook, which are regulated separately by the Federal Trade Commission. Pai wants a “technology-neutral privacy framework for the online world” based on the FTC’s standards. According to today’s FCC statement, the data security rule “is not consistent with the FTC’s privacy standards.”

Forget DMCA takedowns—RIAA wants ISPs to filter for pirated content

What the RIAA and 14 other groups are telling the US Copyright Office is simple: The 19-year-old Digital Millennium Copyright Act isn’t working. They say the process of granting legal immunity—or “safe harbor”—to ISPs who “expeditiously” remove copyrighted content upon notice of the rights holder needs to be supplanted with fresh piracy controls. That’s because, they say, the process creates a so-called “endless game of whack-a-mole” in which an ISP will remove pirated content only to see it instantaneously reappear at the push of a button by a copyright scofflaw. This requires the rights holder to send a new takedown notice—often again and again.

Governors put spotlight on cybersecurity

The focus on cybersecurity comes in the wake of both the intelligence community’s assessment about Russia’s cyber intrusions in the U.S. presidential election and concerns in states across the country about the security of their voting systems. Nearly all 50 U.S. states asked the Department of Homeland Security for help securing their voting systems in the lead-up to the presidential election last November, following reports that systems in Illinois and Arizona had been breached.

Cybersecurity: Don’t mess with Texas, one lawmaker says. Really.

“We have 254 counties … and with cybersecurity, the weakest point is the part we are most worried about. A lot of times, criminals use the weakest point to get into the whole system.” Capriglione has filed two bills to try to protect the state. One focuses on cybercriminals and the other calls for studies, reviews and ways to boost cybersecurity in Texas. These bills follow reports of cyberattacks being waged against people, businesses and governmental agencies across the state.

Ransomware ‘customer support’ chat reveals criminals’ ruthlessness

“Hello crooks. I agree to pay,” said “0” in a lead-off message. “But 570 dollars for a lot of photos of my grandmother. Can I expect a discount if I leave good feedback on the forum about you?” No go. “We do not provide any discount. Also, we cannot be sure, that you have only photos,” retorted “support.” At times, the messages were pitiful. “Hello, I am 82 and my family pikture [sic] go away — bad, very bad,” reported another victim identified as “0.”

Hacker Shows How Easy It Is To Hack People While Walking Around in Public

Technically, Street’s hacking device automatically set up an ‘Evil Twin Attack,’ in which an attacker fools wireless users into connecting their smartphones and laptops to an evil (malicious) hotspot by posing as a legitimate WiFi provider. Once connected, all of the victim’s information flows directly into the attacker’s device, allowing cybercriminals to secretly eavesdrop on the network traffic and steal passwords, financial and other sensitive data, and even redirect you to malware and phishing sites.

Saudi-Iran: Proxy Wars Escalate To Direct Cyber Attacks

A warning issued by the State Department stated “Devastating Cyber Attack Program Returns to Saudi Arabia”, further adding “The increased tensions and unpredictable future between Iran, Saudi Arabia and the U.S. raises the potential for U.S. companies in the region to be future targets for a cyberattack, either with Shamoon or similar malware tuned for destruction rather than corporate espionage or theft.”

NSA snoops told: Get your checkbooks and pens ready for a cyber-weapon shopping spree

Speaking at the West 2017 Navy conference on Friday, Rogers said he is mulling buying up more infosec tools from corporations to attack and infiltrate computer networks. At the moment the online offensive wing of the US military develops most of its own cyber-weaponry, he claimed, and he figures the private sector has plenty to offer. “In the application of kinetic functionality – weapons – we go to the private sector and say, ‘Build this thing we call a [joint directed-attack munition], a [Tomahawk land-attack munition].’ Fill in the blank,” he said.

New prison law will let mobile networks deploy IMSI catchers

Provisions in the new bill will allow the Justice Secretary to order networks to deploy so-called “IMSI catchers” to prevent, detect or investigate the use of mobile phones in prisons. Currently fake base stations can only be deployed under the legal provisions in the Prisons (Interference with Wireless Telegraphy) Act 2012, which restrict their deployment to within prison walls – and further, only allows prison governors to deploy them. The new proposals therefore expand the ability of the state to spy on innocent citizens by further co-opting mobile phone companies’ technical abilities.

Google Does It Again: Discloses Unpatched Microsoft Edge and IE Vulnerability

[Google] last week disclosed an unpatched vulnerability in the Windows Graphics Device Interface (GDI) library, which affects Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10. While the Windows vulnerability has yet to be patched by the company, Google today released the details of another unpatched Windows security flaw, this one in its browser, as Microsoft did not act within its 90-day disclosure deadline.

No secret anymore: Russia touts cyber force

The news is the first admission by Russia that a cyber force has been established within the Russian military, although it has long been suspected. Several intelligence agencies in the U.S. blamed Russia for interference in the presidential election campaigns. As well, officials in Germany and France have expressed concern that Russia will interfere in upcoming elections.