IT Security News Blast 3-24-2017

Adviser support service hit by cyber attack

Derek Bradley, head of Panacea, an online community of 17,000 financial services professionals, has warned that phishing emails have been sent out that are purporting to be from him. […] Mr Bradley also warned that the hackers are continuing to try and get access to other contact lists, and told advisers to ignore emails to undisclosed recipients.

Dark Matter

Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

WikiLeaks Dump Shows CIA Interdiction of iPhone Supply Chain

“Intelligence agencies used to put these beacons in someone’s car and track its radio signals. Modern beacons infest iPhones and report over the internet the location of an iPhone and other information from the phone,” said WikiLeaks founder, exiled publisher Julian Assange, during a press conference aired over the WikiLeaks Periscope account.

Amazing new WikiLeaks CIA bombshell: Agents can install software on Apple Macs, iPhones right in front of them

Yes, of course, it’s possible the agency can get its spyware onto devices by slipping operatives into supply chains – just like the NSA does – but none of today’s documents show that. It’s just internal user guides and wish-lists for surveillance software that you have to install by hand, on a machine physically in front of you. It’s not even clear if any of the described techniques work against Apple’s latest products and software.

If incident response automation is hot, threat detection automation is sizzling

Automating the resulting IR would save time, but the bulk of that team’s human bandwidth was devoted to triage on those 750 alerts. And, to be clear, their SIEM system had several tens of rules generating comparable volume. That investigation activity, much of it manual and repetitive in a way similar to IR, is an order-of-magnitude larger opportunity to save resources through automation. When you combine the scale of TD work with the cybersecurity skills shortage called out in the article, you have an extremely compelling case for TD automation.

Cybersecurity market: Channel firms target larger customers

To tap the market’s potential, resellers and managed service providers (MSPs) need to recruit and retain security engineers who may rank among a company’s most expensive employees. Channel partners also need to acquire the appropriate tools and infrastructure to offer IT security services, which contributes to the cost of entry. Then there’s the non-trivial matter of learning to market security services to clients.

Illinois unifies cybersecurity policy with statewide strategy

The five goals of the strategy are to:

Protect State of Illinois Information and Systems

Reduce Cyber Risk

[Attain] Best-in-Class Cybersecurity Capabilities

[Take an] Enterprise Approach to Cybersecurity

[Build] A Cyber Secure Illinois

Idaho Department of Labor hacked; personal data of 170,000 people at risk

A hacking incident that occurred on March 12 and March 13 compromised more than 170,000 job-seeker accounts, as reported by the Idaho Statesman. The accounts in question, active and past, are part of a much larger group of 530,000 accounts registered with the Idaho Department of Labor. […] The compromised information includes dates of birth, Social Security numbers, and names of some of America’s Job Link customers. This hack potentially compromised the job search services provided by this system, which connects up to ten states and a total of 4.8 million accounts.

Senate votes to let ISPs sell your Web browsing history to advertisers

The US Senate today voted to eliminate broadband privacy rules that would have required ISPs to get consumers’ explicit consent before selling or sharing Web browsing data and other private information with advertisers and other companies. […] The House, also controlled by Republicans, would need to vote on the measure before the privacy rules are officially eliminated. President Trump could also preserve the privacy rules by issuing a veto. If the House and Trump agree with the Senate’s action, ISPs won’t have to seek customer approval before sharing their browsing histories and other private information with advertisers.

Dem senators reintroduce cybersecurity bills for cars, planes

The Security and Privacy in Your Car (SPY Car) Act would require the National Highway Traffic Safety Administration and Federal Trade Commission to develop automotive cybersecurity and privacy standards. […] The Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act would introduce a bevy of new baseline standards for air carriers. Companies would have to take “reasonable measures” to prevent cyber attacks, including testing and maintenance, and secure wifi access on airplanes.

Tech crime as a service escalates

Criminals are increasingly offering crime as a service (CaaS) and using sharing-economy ride-sharing and accommodation services, too, a major law enforcement agency says. Europol, the European Union’s policing office, says tech-oriented CaaS is being offered to swathes of the underbelly of Europe. Criminals gain an advantage because they can perform crimes better and more efficiently, and they can work at scales greater than their existing technical proficiency would allow.

‘Mean blind spot’ leaves organisations vulnerable to cyber attack

A study by the University of Portsmouth found the length of recovery time between cyber attacks can leave organisations susceptible to further attacks. This ‘mean blind spot’ is the average interval between the recovery from an existing incident and the occurrence of a new incident. […] “When you layer recovery times on top of each other there is a blind spot, where your resources are depleted and recovery time is slow. This is when companies are in danger of leaving themselves open to multiple attacks.”

NSA deputy says U.S. cyberattack responses must improve

“The analogy a colleague of mine uses,” Ledgett explained, “is … if your house catches on fire, you have to call the mayor to see if he’ll let you call the water department to ask them to turn the water on. And then you call the city council to see if you can get funding for the fire department to send a truck. And by the time that’s all happened, your cyber house has burned to the ground.”

Need a job? U.S. military looking for cyber warriors

“The cyber talent crisis has persisted long enough,” the report said. “Our nation is at risk as the number and sophistication of cyber-attacks continue to grow, but the government has failed to act with urgency.” The Pentagon counts about 5,000 cyber operators with a targeted goal of nearly 1,200 more by the end of 2018. The federal workforce has roughly 93,000 cyber employees, the 2015 report concluded.

International Law and Deterring Cyber-Attacks

Two documents dedicated to the topic and well worth reading have been published in the last month: the Defense Science Board’s Task Force Report on Cyber Deterrence (DSB Report) and Joseph Nye’s article on Deterrence and Dissuasion in Cyberspace. They’re rich documents with a lot to digest, including a common conclusion that the U.S. government will need to rely more heavily on denial strategies over punishments in cyber compared to deterrence of other threats, and a common conclusion that U.S. deterrence strategy will necessarily vary significantly with the type of actor and type of cyber-attack.

A hacker’s guide to fixing automotive cybersecurity

Together, these two design changes enabled the end-to-end hacking that landed us in the security conundrum we find ourselves in today. […] The first such change was that additional safety and convenience features were added to automobiles. One of the more interesting is Automated Parking Assist, a convenience feature that will help steer a vehicle into a parallel parking spot. […] The other significant change that allows for the possibility of car hacking is allowing outside data into the car.

99 Percent Of People Couldn’t Ace Pew’s Online Security Quiz

Ask Americans to define a “botnet,” and most can’t. Can turning off a GPS prevent smartphone location tracking? That’s also a tough question—so, too, is whether our e-mail is encrypted by default. In order to find out whether or not our failure to safeguard our digital privacy is based in ignorant bliss or intentional disregard, Pew created a 13-question cybersecurity quiz, with questions ranging from the obvious to the technical. The 1,055 adult respondents were also asked to identify the most secure password out of four given options, identify a phishing scam, and pick which of multiple login screens included multi-factor authentication.

Twitter suspended 377,000 accounts for promoting terror and extremism

The report further reveals that there has been a 7 percent increase in government requests for user data from the prior six-month period, as the company received 88 suspension requests from governments all over the world, including requests targeting accounts of journalists and “recognized” media organizations. However, no further action was taken in most cases, with some exceptions for Germany and Turkey, where 88% of these requests came from.

Feds: We’re pulling data from 100 phones seized during Trump inauguration

The court filing, which was first reported Wednesday by BuzzFeed News, states that approximately half of the protestors prosecuted for rioting or inciting a riot had their phones taken by authorities. Prosecutors hope to uncover any evidence relevant to the case. Under normal judicial procedures, the feds have vowed to share such data with defense attorneys and to delete all irrelevant data. “All of the Rioter Cell Phones were locked, which requires more time-sensitive efforts to try to obtain the data,” Jennifer Kerkhoff, an assistant United States attorney, wrote.

FBI director floats international framework on access to encrypted data

Speaking on Thursday, Comey suggested that the U.S. might work with other countries on a “framework” for creating legal access to encrypted tech devices. “I could imagine a community of nations committed to the rule of law developing a set of norms, a framework, for when government access is appropriate,” he said on Thursday. Comey made his comments at the University of Texas at Austin, when trying to address a key concern facing U.S. tech firms in the encryption debate: the fear that providing government access to their products might dampen their business abroad.