IT Security News Blast 3-8-2017

FIN7 spearphishing campaign targets SEC filings

All of the observed targets appeared to be involved with SEC filings for their respective organizations, and some were even named in their company’s SEC filings; the targets included businesses in the financial services, transportation, retail, education, IT services, and electronics sectors. In the phishing emails, FIN7 spoofed the sender email address as “EDGAR” and attached a file disguised as a Word document entitled “Important_Changes_to_Form10_K.doc”. The malicious file drops a VBS script that installs a PowerShell backdoor, which uses DNS TXT records for its command and control.
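A backdoor that tunnels its command and control over DNS TXT records leaves a distinctive trace in resolver logs: one host repeatedly asking for TXT records under a single domain, with a different subdomain each time. The following Python script is an added example (not code from the article or from any FIN7 analysis) that flags that pattern; the log format, the sample lines and the thresholds are all constructed assumptions for illustration.

```python
# Added example: flag hosts issuing many DNS TXT queries for one domain,
# a pattern consistent with TXT-record C2 beaconing. The log format
# ("timestamp src qname qtype") and the sample lines are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
2017-03-07T10:00:01 10.1.2.3 www.example.com A
2017-03-07T10:00:05 10.1.2.3 a1b2c3.cdn.example.net TXT
2017-03-07T10:00:35 10.1.2.3 d4e5f6.cdn.example.net TXT
2017-03-07T10:01:05 10.1.2.3 0a1b2c.cdn.example.net TXT
2017-03-07T10:01:35 10.1.2.3 3d4e5f.cdn.example.net TXT
2017-03-07T10:02:05 10.1.2.3 6a7b8c.cdn.example.net TXT
2017-03-07T10:02:10 10.1.2.9 _dmarc.example.org TXT
2017-03-07T10:02:11 10.1.2.9 mail.example.org MX
"""

def registered_domain(qname):
    """Last two labels of the name (simplification: production code
    should consult a public-suffix list to handle e.g. co.uk)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_log(text):
    """Yield (src_ip, qname, qtype) from each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]

def find_txt_beacons(text, min_queries=5, min_unique_names=4):
    """Return {(src, domain): (txt_count, unique_names)} for every
    host/domain pair whose TXT traffic exceeds both thresholds.
    Legitimate TXT lookups (SPF, DMARC) are few and reuse the same
    name, so they fall below the unique-name threshold."""
    counts = defaultdict(int)
    names = defaultdict(set)
    for src, qname, qtype in parse_log(text):
        if qtype != "TXT":
            continue
        key = (src, registered_domain(qname))
        counts[key] += 1
        names[key].add(qname)
    return {k: (counts[k], len(names[k])) for k in counts
            if counts[k] >= min_queries and len(names[k]) >= min_unique_names}

if __name__ == "__main__":
    for (src, dom), (n, u) in find_txt_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dom}: {n} TXT queries, {u} distinct names")
```

Tune the thresholds to a baseline of your own resolver logs; mail-heavy networks generate more benign TXT traffic than the constructed sample suggests.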

Cybersecurity skills shortage holding steady

In 2017, 45 percent of organizations say they have a “problematic shortage” of cybersecurity skills. This is right in line with 2016 (46 percent), but these last two years represented a big increase. In 2015, 28 percent of organizations said they had a “problematic shortage” of cybersecurity skills, 25 percent in 2014, 23 percent in 2013, and 24 percent in 2012. The increase over the past two years has me especially concerned.

Is Mentorship the Key to Recruiting Women to Cybersecurity?

As a way to bring attention to International Women’s Day later this week, ISACA commissioned a global survey of more than 500 of its female members across the general IT workforce. It found that nearly nine out of 10 respondents are somewhat or very concerned about the lack of women in the technology space, and it examined the top barriers faced by women who work in IT. Topping the list is a lack of mentors, cited by 48% of participants. A lack of female role models (42%) and gender bias in the workplace (39%) were the second and third top barriers. Rounding out the top five were unequal growth opportunities compared to men and unequal pay for the same skills.

What is Vault 7? WikiLeaks releases ‘Year Zero’ files as part of ‘largest ever’ CIA leak

A statement from WikiLeaks announced: “Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the US Central Intelligence Agency. Code-named ‘Vault 7’ by WikiLeaks, it is the largest ever publication of confidential documents on the agency.” Internet users around the world are now able to download the Year Zero documents after the passphrase was made public earlier today. Mr Assange was not able to reveal the contents of Vault 7 during an online press conference because the live stream fell victim to a cyber attack.

After NSA hacking exposé, CIA staffers asked where Equation Group went wrong

“As for what ‘Equation’ did wrong… All their tools shared code,” one user, who like all the others was identified only by a unique identifier WikiLeaks used in place of a username, concluded on February 18, 2015, two days after the Kaspersky Lab findings were published. “The custom RC5 was everywhere. The techniques for positive ID (hashing) was used in the same way in multiple tools across generations.” The person continued: “The shared code appears to be the largest single factor is [sic] allowing [Kaspersky Lab] to tie all these tools together. The acquisition and use of C&C domains was probably number 2 on the list, and I’m sure the [CIA’s computer operations group] infrastructure people are paying attention to this.”

Say goodbye to enhanced data privacy, US web surfers

Under the rule, broadband providers couldn’t do anything with sensitive data unless the consumer gave them explicit permission first, by opting in. Sensitive data includes things like geographic location, app usage history and communications content (including, for example, your web browsing history). The rule let ISPs do what they wanted with non-sensitive user data, but users could still stop them by opting out and telling them not to. It also called on ISPs to take reasonable security measures to protect customer data.

Google boosts some bug bounty rewards

Starting on March 6, the bug bounty for confirmed remote code execution flaws jumps to $31,337 from $20,000, and for bounty hunters who find confirmed unrestricted file system or database access the reward is now $13,337, up from $10,000. “Because high severity vulnerabilities have become harder to identify over the years, researchers have needed more time to find them. We want to demonstrate our appreciation for the significant time researchers dedicate to our program, and so we’re making some changes to our VRP,” Josh Armour, security program manager, wrote in Google’s security blog.

Cybercrooks charging more than the price of a new car for undetectable Mac malware

The Proton malware boasts capabilities including taking full control of macOS devices by evading antivirus detection, its sellers claim. Hackers offered to add an Apple-approved developer signature to the attacker’s custom RAT software in order to bypass Apple’s Gatekeeper protection on targeted Macs, according to Mac security firm Intego. Offers touting the malware first appeared on a Russian cybercrime message board last month and were first reported by Israeli threat intelligence firm Sixgill.

WikiLeaks says it has obtained trove of CIA hacking tools

The authenticity of the trove could not immediately be determined. A CIA spokesman would say only that “we do not comment on the authenticity or content of purported intelligence documents.” WikiLeaks indicated that it obtained the files from a current or former CIA contractor, saying that “the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

AI’s PR Problem

For the most part, the AI achievements touted in the media aren’t evidence of great improvements in the field. The AI program from Google that won a Go contest last year was not a refined version of the one from IBM that beat the world’s chess champion in 1997; the car feature that beeps when you stray out of your lane works quite differently than the one that plans your route. Instead, the accomplishments so breathlessly reported are often cobbled together from a grab bag of disparate tools and techniques. It might be easy to mistake the drumbeat of stories about machines besting us at tasks as evidence that these tools are growing ever smarter—but that’s not happening.

More Printer Security Talk

Are you using a default configuration, or have you locked down all the things you don’t need? Better yet, I’m sure you wiped and re-imaged it, right? Are you panicking yet? You should be. Printers, like VoIP phones, are just another computer masquerading as something else, in this case a device that turns electronic documents into paper, or vice versa. If it’s not locked down and configured securely, it’s going to get hacked. How bad could it be? So I’m sure you are now thinking that it can’t be that big of a deal, right? Let’s look at some of the ways this could end up being a really bad situation.

FCC chair wants carriers to block robocalls from spoofed numbers

“One particularly pernicious category of robocalls is spoofed robocalls—i.e., robocalls where the caller ID is faked, hiding the caller’s true identity,” the proposal says […] The proposed rules would let providers “block spoofed robocalls when the spoofed Caller ID can’t possibly be valid.” Providers would be able to block numbers that aren’t valid under the North American Numbering Plan and block valid numbers that haven’t been allocated to any phone company. They’d also be able to block valid numbers that have been allocated to a phone company but haven’t been assigned to a subscriber.

Weak Homegrown Crypto Dooms Open Smart Grid Protocol

The paper, “Dumb Crypto in Smart Grids: Practical Cryptanalysis of the Open Smart Grid Protocol” explains how the authenticated encryption scheme used in the OSGP is open to numerous attacks—the paper posits a handful—that can be pulled off with minimal computational effort. Specifically under fire is a homegrown message authentication code called OMA Digest. “This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever,” the researchers wrote.

Payments Giant Verifone Investigating Breach

San Jose, Calif.-based Verifone is the largest maker of credit card terminals used in the United States. It sells point-of-sale terminals and services to support the swiping and processing of credit and debit card payments at a variety of businesses, including retailers, taxis, and fuel stations. On Jan. 23, 2017, Verifone sent an “urgent” email to all company staff and contractors, warning they had 24 hours to change all company passwords. “We are currently investigating an IT control matter in the Verifone environment,” reads an email memo penned by Steve Horan, Verifone Inc.’s senior vice president and chief information officer. “As a precaution, we are taking immediate steps to improve our controls.”

Using Cyber Threat Intelligence to Understand the Cyber Extortion Epidemic

While malicious actors demanding ransoms is not new, the surge of organizations being targeted with fake extortion demands and empty threats is. Ransomware gathers so many headlines these days and cyber criminals know they can exploit the fear of an unprepared organization being told that their data has been stolen/encrypted. As ransomware campaigns have ramped up, so too have extortion efforts. Let’s look at how extortion campaigns are carried out through the “avenue of approach” lens.

Hack my dust

Miniature computers are already about the size of a pinhead—and they’re going to get smaller. “You literally could make these things airborne, in the millions and or trillions, and let them go. And what they do is they collect data,” said Bob Noel of Plixer. He’s talking about “smart dust.” It’s already in use in some factories and buildings, though in a somewhat larger form. Researchers are developing ways for the tiny processors—also called motes—to keep people alive, watch over bridges for cracks and monitor pollution. But Noel and his colleagues want to make sure life-saving smart dust does not also put people at risk. “It’s going to be all around us,” said Bob Noel of cybersecurity company Plixer. “And we won’t be aware of what it is or what it’s monitoring.”

Zombie messages broadcast after Indiana radio station hack

Randolph County Homeland Security and Emergency Management and the Randolph County Sheriff’s Department are investigating after a radio station’s emergency alert system was hacked and zombie emergency bulletins were broadcast over the airwaves. Around 12:15 p.m. Wednesday, officials were notified that radio station WZZY, 98.3, was releasing emergency bulletins relating to a health emergency surrounding a disease outbreak, diseased bodies and zombies, according to the Randolph County Sheriff’s Department.

Amazon’s Latest AI Push: Cybersecurity

TechCrunch is reporting that Amazon has acquired AI-based cyber-security company According to its website, uses AI-based algorithms to identify the most important documents and intellectual property of a business, then combines user behavior analytics with data loss prevention techniques to protect them from cyber attacks. already had ties to Amazon, as a customer who was featured in an AWS Startup Spotlight article, which focuses on innovative and disruptive young companies.

Coordination, Communication Equal Better Outcomes Following Cyberattack

While the panelists all agreed that speaking out after an incident can be a disheartening experience, they also agreed it is essential to communicating a potentially active threat and coordinating an appropriate response. “What this means is, yes, you will get increased attention when an incident occurs within your networks, but also, you get a whole host of capabilities that you can roll in to help you resolve your issue,” Liebert said, adding that he hopes agencies will allow the California Cyber Security Integration Center (Cal-CSIC) to handle large-scale incidents, while day-to-day operations and minor incidents would remain in the hands of federated response teams.

The Cyberwar Information Gap

When a cyberattack has been carried out, at least one party, the attacker, knows about it immediately. Sometimes, the attack’s target quickly becomes aware of what happened, but often, because of the confusing and covert nature of cyberwar, the victim remains in the dark for months or even years. When Chinese hackers stole personal data on more than 22 million Americans from the Office of Personnel Management, they gained access to two database systems in May and October of 2014—but OPM didn’t discover them until May and April 2015, respectively.