IT Security News Blast 3-15-2017

For those of you that knew Becky Bace, she died yesterday after a short illness. Becky was a damn smart member of the community, and touched many. Picture courtesy of Spaf.

Wikileaks is Connected to Russia – Despite Their Claims

This information is the same for both IP addresses, and if you notice the last modified date as “2016-09-30” that is when the IP address’s pointing to a server was changed. So we can safely bet that this is when wikileaks added these addresses to their systems. In turn, this proves Wikileaks gained Russian hosting on September 30th 2016, one week before the Podesta emails were made public. Wikileaks got Russian Federation virtual addresses one week before the Podesta emails. Let that sink in.

Do you trust IT vendors too much when it comes to cybersecurity?

Seventy-seven percent of IT decision makers believe their organization will experience a serious information breach within the next two years as a result of vendor activity on their networks, according to a study by cybersecurity vendor Bomgar. The survey of 608 decision makers with visibility over the processes associated with enabling any external parties to connect to their systems remotely, “Vendor Vulnerability: How to Prevent the Security Risk of Third-Party Suppliers,” included executives in various industries, including healthcare.

Despite open jobs, veterans face problems landing civilian cybersecurity roles

Coming from a world that’s often indecipherable to civilians, veterans face a mountain of challenges entering the cybersecurity workforce despite over a million vacant cybersecurity jobs existing as of 2015 — a number that illustrates an industry begging for new talent. In the U.S. military, career progression doesn’t require the certifications and academic degrees that are highly valued in the private sector. There is often no clear cybersecurity career path available when serving.

Home Depot to pay $25M in breach settlement

Following a massive breach, retailer Home Depot has agreed to pay off a settlement of $25 million for damages resulting from the incursion in 2014 that exposed personal information of more than 50 million customers. Hackers managed to infiltrate the chain store’s self check-out terminals to purloin email and credit card data Under terms of the agreement, Home Depot also must improve its cybersecurity implementations, including tighter oversight of its vendors.

Connected Cities, Hackable Streets [SXSW panel]

In cities around the world, street lights, public transit systems, and electric meters are already connected to the internet. Soon, smartphone controlled, self-driving cars will roam cities and every part of the urban fabric could be Wi-Fi enabled. While tomorrow’s smart cities will usher in efficiencies and convenience, they’ll also bring about security threats and vulnerabilities. Hackers have already demonstrated they can remotely take over cars and switch off traffic lights.

Can Border Agents Search Your Electronic Devices? It’s Complicated.

The government has long claimed that Fourth Amendment protections prohibiting warrantless searches don’t apply at the border. The ACLU takes issue with this position generally, especially when it comes to electronic devices like smartphones and laptops. […] Unfortunately, the government doesn’t agree, and the law on the matter is far from settled. Because of the high-stakes implications of these kinds of searches, and amidst evidence suggesting they’re on the rise, it’s important to understand the landscape so that you can make decisions that are right for you ahead of your travels.

Thieves are pickpocketing wallet apps in China

[After] an incident last week involving fraudulent QR codes and US$13 million of stolen money, the security of China’s most popular offline-to-online tool is coming under fresh scrutiny. “Some criminals paste their own QR codes over the original ones to illicitly obtain money, as ordinary consumers simply cannot tell the difference,” wrote China Daily, a state-owned English media site, in an op-ed. “That is why we are powerless to prevent QR codes from being used for fraudulent activities, and that is precisely why the enterprises using QR codes should assume their share of the responsibility for protection.”

DOD scientists say microchips in weapons can be hacked

In its latest report, the Defense Science Board published the results of research by its Task Force on Cyber Supply Chain, concluding that despite the risk, the capital cost of building and maintaining a DoD-owned “foundry” to make its own microchips “is not a feasible expense.” The task force warns in stark terms that current weapons systems may already have been back-doored, meaning they would be useless — or worse — in a shooting war.

Online cybersecurity course targets business professionals

A growing trend in the cybersecurity industry is rooted in educating everyone about the risks of a cyber attack. Universities around the world are developing undergrad and graduate degree programs, professional mentors are engaging with high school students, girls are coding. Everyone’s getting in on cybersecurity awareness, particularly as it relates to business risk. That’s why MIT is launching a new online course for business professionals titled, Cybersecurity: Technology, Application and Policy.

What President Donald Trump Means For Cybersecurity

Another issue that was never really touched by the EO itself, but one that concerns us very much nevertheless, is a possible emphasis on surveillance. President Trump has been more than vocal about his views on terrorism during his campaign year, and it is clear that when asked to choose between privacy and security, he is very likely to pick security. Under the new administration, we can expect to see a steady increase in surveillance measures throughout the country, probably even more legislation to allow for such invasive profiling of the general populace.

Expect internet infrastructure to be the target of ‘most impactful’ cyber attacks of 2017, say UK agencies

The National Cyber Security Centre (NCSC) and National Crime Agency (NCA) highlighted the threat in a new report which they said contains the most detailed assessment to-date of the cyber threats facing UK businesses (24-page / 3.75MB PDF). […] The joint NCSC and NCA report also flagged the growing cyber risk that stems from the connectivity of devices. They said that “huge numbers of insecure devices can easily be found online” and that consumers can expect to see a rise in number of ransomware attacks on their connected devices in 2017, as attacker seek “personal data such as photos, emails, and even fitness progress information”.

Sonic cyber attack shows security holes in ubiquitous sensors

Sound waves could be used to hack into critical sensors in a broad array of technologies including smartphones, automobiles, medical devices and the Internet of Things, University of Michigan research shows. The new work calls into question the longstanding computer science tenet that software can automatically trust hardware sensors, which feed autonomous systems with fundamental data they need to make decisions.

Advertisers look forward to buying your Web browsing history from ISPs

Six advertising industry trade groups yesterday thanked Republican lawmakers for introducing legislation that would overturn rules that protect the privacy of Internet users. If the rules are overturned, advertisers would not be prevented from buying consumers’ Web browsing history from Internet service providers. Sen. Jeff Flake (R-Ariz.) and Rep. Marsha Blackburn (R-Tenn.) last week introduced Congressional Review Act resolutions that would overturn the Federal Communications Commission’s privacy rules for Internet service providers and prevent the FCC from issuing similar regulations in the future.

Trump camp could have fallen into ‘backdoor’ surveillance

If Trump or his advisors were speaking directly to foreign individuals who were the target of U.S. spying during the election campaign, and the intelligence agencies recorded Trump by accident, it’s plausible that those communications would have been collected and shared amongst intelligence agencies, surveillance law experts say. The intelligence community’s ability to use data gathered through incidental collection outrages civil liberties advocates, who say law enforcement agencies should be required to get a warrant.

FBI’s methods to spy on journalists should remain classified, judge rules

A Freedom of Information Act lawsuit brought by the Freedom of the Press Foundation sought FBI procedures surrounding the agency’s protocol when issuing National Security Letters (NSLs) against members of the media. […] The items withheld from the organization, according to US District Judge Haywood Gilliam, included “instructions for managing and conducting cyber investigations,” the “instructions for investigating and charging members of the news media,” an NSL “PowerPoint training presentation,” and other materials in draft form.

Cybercriminals getting as good as nation state spies – report

The European energy sector is being targeted by advanced threat actors seeking proprietary information to advance the capabilities of domestic companies, according to FireEye Mandiant. The latest annual report by FireEye’s incident response arm further warns that cyber threat groups are also targeting European industrial control systems for potentially disruptive or destructive operations. The capability of cybercriminals is starting to rival that of nation state spies[.]

Misconfigured Drive Leads to Data Leak of Thousands of US Air Force Officials

The leaked device has made thousands of US Air Force documents vulnerable. There is sensitive information like passport and social security numbers of high-ranking and senior USAF officials as well as celebrities like Channing Tatum. The entire data is equivalent of several gigabytes. It got leaked because it was stored on an unprotected web-connected backup drive and that’s why it was accessible publicly. It wasn’t protected by password at all however when the news of exposing of such a huge number of USAF files became public; the data was immediately secured.

SAP Patches Critical HANA Vulnerability That Allowed Full Access

SAP HANA, an in-memory database, has been increasingly targeted by hackers over the last year; the management system is primarily used to store, retrieve, and process core business data. These particular vulnerabilities affect a specific component, User Self Service, or USS, which lets users carry out tasks, such as account creation or password recovery. While the service comes disabled by default, some users activate it in order to allow external users access to internal capabilities–something that exposes the component to the Internet.

Google Kicks Out Largest Android Adware Family From The Play Store

In its recent efforts to make its Play Store ecosystem safe, Google has recently discovered a new massive ad-fraud family of a botnet that was infecting Android users through apps hosted on its official Play Store. Dubbed Chamois, the family of PHAs (potentially harmful applications) was capable of bombarding users with pop-up ads, boosting app promotion by automatically installing other applications in the background, subscribing users to premium services by sending text messages and downloading additional plugins without their knowledge.

In-the-wild exploits ramp up against high-impact sites using Apache Struts

As of Tuesday morning, 503 unique IP addresses were attempting to exploit the code execution bug, Jaime Blasco, chief scientist with security firm AlienVault Labs, told Ars. Based on the addresses, the attack origins were most concentrated in China (300 unique IPs), followed by the US (92), Taiwan (71), Hong Kong (15), the Netherlands (9), Russia (4), Canada (3), Italy (3), the UK, (3), and Indonesia (3). In an attempt to go undetected, the attackers in many cases have tweaked the two exploits that were being widely used in last week’s wave.

Today’s WWW is built on pillars of sand: Buggy, exploitable JavaScript libs are everywhere

The web has a security problem: code libraries. Almost 88 per cent of the top 75,000 websites and 47 per cent of .com websites rely on at least one vulnerable JavaScript library. […] The web is full of JavaScript, the most popular development technology outside of the mobile world, at least by Stack Overflow’s measure. “Notorious for security vulnerabilities,” as the paper’s six authors put it, JavaScript has come to depend on a wide variety of libraries that extend its capabilities, such as jQuery, Angular, and Bootstrap.

Cyberterrorism threat must be addressed: Pool Re’s chief

This significantly impairs (re)insurers’ ability to allocate capital, to model losses with confidence, and, as a result, to price insurance products accurately. The gap between the available global insurance capacity and market exposure has become increasingly stark: market capacity stands at approximately $500 million, but the exposure is estimated to be more than $130 billion. Pool Re, the U.K.’s $7.3 billion terrorism reinsurance fund, wants to extend its cover to include cyberattacks on property, chief executive Julian Enoizi said.