IT Security News Blast 3-27-2017

New Bill Forces Cybersecurity Responsibility Into the Boardroom
The bill (PDF) defines a cyber security threat as any action not protected by the First Amendment that “may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system…” The bill then proposes just three requirements under the aegis of the Securities and Exchange Commission (SEC): that annual reports to the SEC must disclose the level of cyber security expertise of the board; or, if none exists, what “other cybersecurity steps taken by the reporting company were taken into account”; and that the definition of what constitutes that expertise should come from the SEC in consultation with NIST.
3,000 Industrial Plants Per Year Infected with Malware
A piece of crimeware posing as legitimate Siemens PLC software has been in circulation for four years by an unknown attack group attempting to infect industrial networks mainly in the US. The backdoor malware is packaged to appear as a Siemens programmable logic controller installer file, and around 10 industrial sites have reported coming across the targeted attack campaign, seven of which are located in the US as well as some in Europe and China, according to new research from Dragos.
Critical infrastructures under daily attack – ERNCIP head Georg Peter
‘Attackers may try to achieve a denial of service (where servers are overwhelmed by the number of requests for information), or probe systems to find whether they suffer from a given vulnerability, or prepare for future unauthorised access to a system, or execute a complex attack that aims at disrupting the functioning of the critical infrastructures in order to impact the lives of citizens.’ […] ‘The risk of attacks against such infrastructures is expected to continue to increase in the future as society becomes increasingly dependent on (the infrastructures) and particularly as they become more and more interconnected and interdependent.’
This is how Russian hackers will attack the US next
Because cybertools have become so accessible, it’s unlikely that even a limitless defense budget could stop every attack. With this in mind, response must be the key priority. Based on my qualitative analysis of Russia’s previous military motives, strategies, and tools, any Russian attempt to exploit US cybervulnerabilities will most likely target the US’s communications and IT critical infrastructure. […] As an example, conducting denial of service attacks (DDoS) against central IT networks could cripple government operations, disrupting service for thousands of phone customers or severing internet access for millions of consumers.
Online stores under attack; a new fraudster bot spotted in the wild
Hackers have designed a new bot named Giftghostbot which is being used to defraud thousands of gift card owners. As per reports, these attacks were first spotted by the cyber security firm Distil Networks on February 26th, and since then almost 1000 websites have been the victim of this hack. The criminals are using this bot to automatically generate possible account numbers of consumers and request the account balance of each card number. Whenever a card balance is received rather than an error or zero, the attack was successful, and the credentials can then be sold on the Darkweb or used to make a purchase.
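The behaviour described above leaves a recognisable trace in a retailer's web logs: one client fires off a burst of balance requests, each with a different card number, and almost all of them come back as errors, whereas a real customer checks one or two cards and usually gets a balance. The following detection routine is an added example, not code from the original post or from Distil Networks; the log format, the endpoint name /api/giftcard/balance, the card query parameter and the sample lines are all constructed here for illustration.

```python
"""Flag gift-card balance-check enumeration in web access logs.

Added illustration (not code from the original page or from Distil
Networks). Assumes Apache/nginx "combined"-style access log lines and a
hypothetical balance endpoint that carries the card number as a query
parameter; both are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

BALANCE_PATH = "/api/giftcard/balance"   # hypothetical endpoint name
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
CARD_RE = re.compile(r"[?&]card=(\d+)")


def parse_line(line):
    """Return (ip, timestamp, card, status) for a balance request, else None."""
    m = LINE_RE.match(line)
    if not m or not m.group("path").startswith(BALANCE_PATH):
        return None
    card = CARD_RE.search(m.group("path"))
    if not card:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, card.group(1), int(m.group("status"))


def detect_enumeration(lines, window_seconds=60, min_requests=20,
                       min_distinct_cards=15, max_success_ratio=0.2):
    """Flag clients whose balance checks in a sliding window look like guessing.

    A client is flagged when some window holds at least min_requests balance
    checks, spread over at least min_distinct_cards different card numbers,
    of which at most max_success_ratio returned HTTP 200 (a balance). The
    stats reported are those of the first window that tripped the rule.
    """
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, card, status = parsed
            per_client[ip].append((ts, card, status))

    flagged = {}
    for ip, events in per_client.items():
        events.sort()                      # chronological order
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            if len(window) < min_requests:
                continue
            distinct = {card for _, card, _ in window}
            successes = sum(1 for _, _, status in window if status == 200)
            if (len(distinct) >= min_distinct_cards
                    and successes / len(window) <= max_success_ratio):
                flagged[ip] = {"requests": len(window),
                               "distinct_cards": len(distinct),
                               "successes": successes}
                break
    return flagged


def _line(ip, second, card, status):
    """Build one constructed log line (helper for the sample below)."""
    return (f'{ip} - - [27/Mar/2017:10:00:{second:02d} +0000] '
            f'"GET {BALANCE_PATH}?card={card} HTTP/1.1" {status} 42')


# Constructed sample log: a guessing bot (203.0.113.7) sends 30 balance checks
# in 30 seconds, a new card number every time, and only two of them hit a live
# card; a shopper (198.51.100.5) checks the same card twice and gets a balance.
SAMPLE_LOG = [_line("203.0.113.7", i, f"6006490000{i:06d}",
                    200 if i in (4, 17) else 404) for i in range(30)]
SAMPLE_LOG += [
    _line("198.51.100.5", 10, "6006491234567890", 200),
    _line("198.51.100.5", 40, "6006491234567890", 200),
    '203.0.113.7 - - [27/Mar/2017:10:00:31 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, stats in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {stats}")
```

The thresholds are deliberately parameters: the right values depend on how often genuine customers check balances on a given site, and tuning them against a week of normal traffic before alerting is what keeps the rule from paging on a busy gift-card promotion.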
Jefferies Has 4 Cybersecurity Stocks to Buy as Growth to Continue for Years
Then suddenly, things slowed to a crawl. The hot IPOs crashed, and the huge earnings growth slowed. One thing has remained: the need for cybersecurity is just as big now, if not bigger than the recent past. In an exhaustive 200-page report from Jefferies, the analysts stress that while growth has tapered some, the critical need remains intact. High-profile hacking at the government and corporate levels has stayed in the headlines, so investors remain aware that the overall need has not diminished.
Cyber war: Defense firms face battle to guard secrets
In an untold number of cases, cyber spies targeted defense contractors in the supply chain viewed as an easier target with weaker defenses than the military or prime contractors may have in place. […] The Pentagon counts about 60,000 contractors it does business with, and 42,000 have contractual requirements to protect information in cyberspace, officials have said.
The Cybersecurity Industry Is Failing: Time to Get Smart About ‘Dumb’ Homes
Right now we have four billion connected devices; research consultancy Gartner predicts that will rise to 13.5 billion in the next three years. Wilder predictions have that figure rising to 150 billion by 2030—that’s 15 devices per human. […] Imagine a future of micro-ransomware threats that take over your devices and hold them to ransom. Hackers will invade your home, steal all your money, go through all your accounts, turn off your electricity or set off your alarms unless you pay up. This nightmare is going to happen unless security companies educate the consumer and provide them with products that can stand up to attack.
Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated]
In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have allegedly mis-issued more than 30,000 certificates. […] Extended validation certificates are supposed to provide enhanced assurances of a site’s authenticity by showing the name of the validated domain name holder in the address bar.
Why America’s Current Approach to Cybersecurity Is So Dangerous
How to account for our public interest but our personal … well … meh? We should be concerned that, as a society, our minds go mushy when it comes to “digital literacy,” “information security,” “online safety,” or whichever name we choose. In fact, that mushiness is a major reason why America’s current approach to cybersecurity is so dangerous. We’re ignoring the behaviors of the overwhelming majority of actual users, and therefore leaving the largest attack surface undefended.
Canada and Nato attempt to define threshold for cyber-attack response
It is unclear, however, how far they will be able to act when countering cyber and information warfare threats coming from Russia. Rutherford confirmed that his country’s cyber rules of engagement are still “under development”, and added that there is no intention on Nato’s or Canada’s part to conduct offensive online operations against hackers, state-sponsored or otherwise. The uncertainty surrounds Article 5 of the NATO agreement, which triggers the alliance’s self-defence clause. Defining exactly what dictates a “significant cyber-attack” and when response moves from the online to the real world is still a matter of debate.
Wanna hack your car? Macchina is a plug-and-vroom solution
Macchina is a little device that plugs into your car. Nothing revolutionary so far; Automatic has been offering that for years. What is new, however, is that Macchina’s little wonderchild can read and write to your car’s ECU. Which means it can be used not just to figure out what is happening in the dark, mysterious crevasses of your car’s intestines… It also can be used to change things. Suffice to say, it’s probably a good idea to know what you’re doing before you start changing numbers.
Cyber Firm Rewrites Part of Disputed Russian Hacking Report
In December, CrowdStrike said it found evidence that Russians hacked into a Ukrainian artillery app, contributing to heavy losses of howitzers in Ukraine’s war with pro-Russian separatists. VOA reported Tuesday that the International Institute for Strategic Studies (IISS), which publishes an annual reference estimating the strength of world armed forces, disavowed the CrowdStrike report and said it had never been contacted by the company. Ukraine’s Ministry of Defense also has stated that the combat losses and hacking never happened.
North Korea’s Rising Ambition Seen in Bid to Breach Global Banks
When hackers associated with North Korea tried to break into Polish banks late last year they left a trail of information about their apparent intentions to steal money from more than 100 organizations around the world, according to security researchers. […] The list of targets, which has not been previously reported, is part of a growing body of evidence showing how North Korea, a country that is cut off from much of the global economy, is increasingly trying to use its cyberattack abilities to bring in cash — and making progressively bolder attempts to do so.
Snowden’s ex-boss offers tips on stopping insider threats
For instance, Snowden had early on asked for access to NSA’s classified PRISM surveillance program. Two weeks later, he asked for it again, explaining that the data would help him in his NSA-related work. […] Snowden also claimed he had epilepsy and had to take a leave of absence from Booz Allen because of it. Normally, employees will file short-term disability with human resources so they can still receive their wages, Bay said. But Snowden didn’t care to. “Wanting leave without pay, instead of short-term disability, was weird,” he said. However, none of these actions were unreasonable either.
Ever visited a land now under Islamic State rule? And you want to see America? Hand over that Facebook, Twitter, pal
US embassies have been told to examine social media accounts of visa applicants who have ever set foot in Islamic-State-controlled areas. The edict was sent out earlier this month by Secretary of State Rex Tillerson in diplomatic cables. These memos, leaked to journalists and revealed on Friday, direct officials to identify “populations warranting increased scrutiny” and perform a “mandatory social media check” on anyone who has visited lands that have been under Islamic State rule. Given that social media is apparently rarely reviewed by consular staff, this move will result in significant upheaval for background checkers.
Facial-recognition technology will make life a perpetual police lineup for all
Facial-recognition technology combined with police body cameras could “redefine the nature of public spaces,” Alvaro Bedoya, executive director of the Georgetown Law Center on Privacy & Technology, told the US House Oversight Committee at a hearing on March 22. It’s not a distant reality and it threatens civil liberties, he warned. […] Rather than looking back retrospectively at footage, cops with cameras and this technology can scan people as they pass and assess who they are, where they’ve been, and whether they are wanted for anything from murder to a traffic ticket, with the aid of algorithms. This, say legal experts, puts everyone—even law-abiding citizens—under perpetual surveillance and suspicion.
Feds Have Found A Way To Search Locked Phones Of 100 Trump Protestors
There’s a quirk to the way in which the data will be made available too. Prosecutors expect to have retrieved all data from the cellphones in the next several weeks and they will then make information from every device available to all defendants’ legal teams via a secure cloud-based portal called USAfx. That means that defendants’ lawyers will likely be able to view the private information of people they aren’t even representing. Prosecutors admitted in the court filings that much “irrelevant” data had already been extracted, including medical data, photos and videos. The government has requested the court order attorneys not to copy or reproduce any information not deemed useful for a defense.
A feminist cybersecurity guide exists for those experiencing digital domestic violence
Have you ever felt that your partner’s online behaviour is out of control? Do they send constant messages that leave you feeling on edge, use location features to track where you are, and demand to have access to your phone? All of this behaviour is unacceptable – which is why Noah Kelly decided to do something about it. […] And so DIY Cybersecurity for Domestic Violence was born – a website that offers a safe space for people to devise DIY strategies so they can protect themselves against online domestic violence.
How ISPs can sell your Web history—and how to stop them
Senate Democrats warned before yesterday’s vote that ISPs will be able to “draw a map” of where families shop and go to school, detect health information by seeing which illnesses they use the Internet to gather information on, and build profiles of customers’ listening and viewing history. The Senate vote was 50-48, with every Republican senator voting to kill privacy rules and every Democratic senator voting to preserve them. […] Harris encourages Internet users to go to their ISP’s website or call the ISP to figure out exactly how they can opt out of tracking. It’s not convenient, but the option should be there.
Did you know: Crimelords behind DDoS attacks offer customer loyalty points?
Crooks operating DDoS services through black market websites often offer a sophisticated service featuring convenient payment and reports about attacks, according to a new study from Kaspersky Lab. In some cases, there is even a customer loyalty programme, with clients receiving rewards or bonus points for each attack. Attacks are priced based on their generation as well as the source of attack traffic, among other factors. For example, a botnet made up of popular IoT devices is cheaper than a botnet of servers.
Hack of ABC’s Twitter account hails Trump
The tweets, which began sometime after 6 a.m., also included a claim that the perpetrators were Russian hackers and one claiming that the rapper Tyler the Creator had died in a tour bus crash. Others were filled with profanity. Administrators at ABC News were able to remove the tweets and contain the damage by 7 a.m., but not before some of the posts were captured in screen grabs. One post to the ABC News account read, “follow @CNN for real news, our news is wack.” The actor or actors behind the tweets are still unknown.