IT Security News Blast 3-2-2017

2017: How Will Banks Address Gaps in Cybersecurity?

This leads into the second major step most banks are likely to take in 2017 when it comes to cybersecurity preparedness—using external teams of cybersecurity experts and even developing internal cybersecurity departments in their own right. The number of cybersecurity businesses has been growing at an increasing pace to meet accelerating demand in this high-priority area—seeking to meet the needs not just of those in the banking sector but in every area of personal and business life as it is increasingly based online.

New Data: High Cyber Security Maturity in IT, Telco, Finance, but Health Care and Energy Lag Behind.

The VRA tool was developed by Hivint in conjunction with a major financial services client, to ensure that their vendors were not a cause of business disruption, and to gain assurance that information entrusted to them is secure. […] A study identified that 32% of companies do not evaluate third party vendors, and this can be considered a cause of many global data breaches. However, the VRA space is a growing market where the demand for vendor security and risk management solutions is increasing.

HITRUST Develops Security Framework for Small Healthcare Organizations

HITRUST has developed CSFBASICs, a streamlined version of the HITRUST CSF and supporting HITRUST CSF Assurance Program designed to help small and lower-risk healthcare organizations meet otherwise difficult regulatory and risk management requirements. […] Further, the organization announced its CSF Assurance Program v9, which has been enhanced so that a HITRUST CSF Assessment also includes a National Institute of Standards and Technology (NIST) Cybersecurity Framework certification with auditable documentation in addition to a Health Insurance Portability and Accountability Act of 1996 (HIPAA) risk assessment.

Threatcasting 2026: Anticipating a Blended Cyber Attack with Up to 2M Fatalities

[Up] until now, we have been largely dealing with physical attacks and cyberattacks as different and discrete, but threatcasting, a practice of collaboratively predicting the future, similar to the Delphi method, is now showing that they won’t remain separate for much longer. In the near-term future, a cyberattack will be used in conjunction with a physical attack to increase the damage and delay or eliminate timely response.

Yahoo cookie hacks affected 32 million accounts, CEO foregoes bonus

The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.

Online shops plundered by bank card-stealing malware after bungling backend Aptos hacked

The security breach occurred late last year when a crook was able to inject spyware into machines Aptos used to host its retail services for online shops. This software nasty was able to access customer payment card numbers and expiration dates, full names, addresses, phone numbers and email addresses, we’re told. Rather than being alerted to the infiltration by Aptos itself, we were warned this week by Aptos’ customers – the retailers whose websites were infected by the malware on the backend provider’s servers.

Phish and ships: Understanding cyber risk at sea

Today’s onboard Operational Technology (OT) and Information Technology (IT) systems are becoming more connected than ever before. This hyper-connectivity greatly increases the risk of critical systems, such as safety, propulsion, or navigation, being exposed to internet-based and insider cyber-threats. Additionally, shipping companies, their vessels, energy providers and platforms are not immune to the relentless cyber-criminal threats that seek financial rewards, as well as sensitive company or employee information, by using common social engineering techniques such as phishing, business email compromise (BEC), and other basic scams.

New Global Cybersecurity Report Reveals Misaligned Incentives, Executive Overconfidence Create Advantages for Attackers

Based on interviews and a global survey of 800 cybersecurity professionals from five industry sectors, the report outlines how cybercriminals have the advantage, thanks to the incentives for cybercrime creating a big business in a fluid and dynamic marketplace. Defenders, on the other hand, often operate in bureaucratic hierarchies, making them hard-pressed to keep up. Additional misalignments occur within defenders’ organizations. For instance, while more than 90 percent of organizations report having a cybersecurity strategy, less than half have fully implemented it.

Fully 84 Percent of Hackers Leverage Social Engineering in Cyber Attacks

A recent Nuix survey of 70 hackers at DEFCON 2016 found that 84 percent of respondents use social engineering as part of their attack strategy, and 50 percent change their attack methodologies with every target. When asked why they change attack methodologies, 56 percent said they do so to learn new techniques. Just 5 percent of respondents said they change methodologies because they no longer work. Eighty-one percent of respondents claimed that they could identify and exfiltrate data from a target in less than 12 hours, and 69 percent said security teams almost never catch them in the act.

Montenegro asks for British help after cyber attacks in wake of ‘Russian-backed coup plot’

The Balkan nation says it suffered sustained cyber attacks against state websites on the day the foiled coup was due to take place, and then faced another wave of attacks in February. Both Montenegro and British officials have accused Russia of being behind the coup plot, to stop Montenegro joining Nato. Russia has rejected the accusations.

US FCC stays data security regulations for broadband providers

In a 2-1 vote that went along party lines, the FCC voted Wednesday to stay temporarily one part of privacy rules passed in October that would give consumers the right to decide how their data is used and shared by broadband providers. The rules include the requirement that internet service providers should obtain “opt-in” consent from consumers to use and share sensitive information such as geolocation and web browsing history, and also give customers the option to opt out from the sharing of non-sensitive information such as email addresses or service tier information.

US-Europe Privacy Shield not worth the paper it’s printed on – civil liberties groups

In a letter to European Union leaders responsible for overseeing the agreement, the two organizations outline in some detail why they believe President Trump’s recent executive order on immigration undermines the agreement, and highlight that the accountability structures intended to make it effective are non-functional. In direct contrast to US officials – who have argued that Privacy Shield is unaffected by Trump’s order – the letter argues that the order does in fact directly impinge on the agreement.

US surveillance law may see no new protections for foreign targets

Section 702 of the Foreign Intelligence Surveillance Act expires on Dec. 31, and some digital rights groups are calling on Congress to overhaul the law to protect the privacy of residents of both the U.S. and other countries. Congress will almost certainly extend the provision in some form. But a congressional hearing on Wednesday focused largely on the NSA’s “inadvertent” collection of U.S. residents’ data, with little time given to the privacy concerns of people overseas.

Why Internet of Things is the world’s greatest cyber security threat

  • Privacy
  • Poor authentication
  • Lack of control
  • Insecure software
  • Automatic updates

We found a hidden backdoor in Chinese Internet of Things devices – researchers

The backdoor was discovered in almost all devices produced by VoIP specialist dbltek, and appears to have been purposefully built in for use by the vendor, according to security firm Trustwave. The firm says that it followed a responsible disclosure process, but claims the vendor responded only with modifications that leave the backdoor open. Trustwave claims the vendor then cut off contact with it. The security firm says it has since been able to write exploits that open both the old and new backdoors. The vulnerable firmware is present in almost all dbltek GSM-to-VoIP devices, a range of equipment mostly used by small to medium-sized businesses, it claims. Trustwave researchers claimed they had found hundreds of vulnerable devices on the internet.

Dridex Banking Trojan Gains ‘AtomBombing’ Code Injection Ability to Evade Detection

Dridex is one of the most well-known Trojans; it exhibits the typical behavior of monitoring a victim’s traffic to bank sites by infiltrating victim PCs using macros embedded in Microsoft documents or via web injection attacks, and then stealing online banking credentials and financial data. However, by including AtomBombing capabilities, Dridex becomes the first ever malware sample to utilize such a sophisticated code injection technique to evade detection.

Only 1.2% of Android phones have the most up-to-date version of the OS

According to Promon, these figures clearly indicate just how inconsistently security fixes are implemented across Android devices and how assuming that the operating system alone can keep apps safe is a naïve approach. The latest version of the Android OS is 7.1.1, released in December. Despite this, over 50 percent of devices run operating systems that are more than two years old. Despite being released in November 2014 and October 2015, Lollipop 5.0 and 5.1 are installed on 32.9 percent of devices and Marshmallow 6.0 is installed on 30.7 percent of devices – making them the most popular versions of the Android operating system.

Coachella festival website hacked; user data at risk

According to the official announcement made by the festival authorities, they have already started the investigation process and it is confirmed that none of the financial data has been compromised or stolen. The released statement has been emailed to registered users. AEG, the company that runs Coachella festival, has stated that they suspect the involvement of unauthorized third parties in illegally obtaining access to critically important user data including username, first name, last name, shipping addresses, phone numbers, email IDs and dates of birth.

Old Windows malware may have tampered with 132 Android apps

The 132 apps were found generating hidden iframes (HTML documents embedded inside a webpage) linking to two domains that have hosted malware, according to security firm Palo Alto Networks. Google has already removed the apps from its Play store. But what’s interesting is that the developers behind the apps probably aren’t to blame for including the malicious code, Palo Alto Networks said in a Wednesday blog post.

Malware Kits, Advertising Trojans Drive Mobile Risk

In their investigations of mobile malware platforms, INTERPOL experts found mobile malware is increasingly sold on the Dark Web in the form of software packages, individual products, sophisticated tools, or smaller-scale tools as part of a “Bot as a Service” model. […] “Some of this malware was available in 2014 and 2015, but this year we saw it much more,” he says. “It’s easier for regular people who want to steal money to go to the Dark Web, go to forums, and buy kits to infect users.”