IT Security News Blast 5-19-2017

Medical Systems Hacks Are Scary, but Medical Device Hacks Could Be Even Worse

Researchers in Belgium and the UK have demonstrated that it’s possible to transmit life-threatening (if not fatal) signals to implanted medical devices such as pacemakers, defibrillators, and insulin pumps. A catheter lab in a Virginia facility was temporarily closed when malware was discovered on the computers supporting cardiac surgery. In three other similar cases, malware capable of opening up “backdoor” access to a hospital’s IT network was found in software residing on X-ray, blood gas analyzer, and communications devices.

 Cyberattacks Prompt Massive Security Spending Surge

The fight against cyberattacks has sparked exponential growth in global protection spending, with the cyber security market estimated at $120 billion this year, more than 30 times its size just over a decade ago. But even that massive figure looks set to be dwarfed within a few years, experts said, after ransomware attacks crippled computers worldwide in the past week. The “global cyber security market was worth $3.5 billion” in 2004, according to a study by Cyber security research firm CyberSecurity Ventures, but in 2017, “we expect it to be worth more than $120 billion”.

 Cyber ‘clampware’ could strand cars and force owners to pay to move them

Cyber criminals would target software defects in radios, ECUs and on-board WiFi to immobilise cars and hold motorists to ransom at the roadside. Drivers would then have a choice whether to pay up to release their car or be left stranded, waiting for assistance. The warning comes in the wake of the WannaCry cyberattack which took out the entire NHS system and experts believe it’s only a matter of time before car software is targeted on a wider scale.

 The Cyber Workforce Gap: A National Security Liability?

When taken in the context of national security, this skills gap has some very unsettling real-world consequences. As high private-sector salaries and enticing intelligence community job descriptions draw in the limited population of trained workers, other employers are pushed out of the hiring market. This is especially true for small businesses and state governments, many of whom control very valuable and sensitive data sets and systems (for example, drivers’ license and voter registration databases).

 My job is to constantly think about cyber attacks — this is the first time I’ve been truly alarmed

This attack fits the recent trend of criminal enterprises leveraging these now freely available capabilities with the M.O. of hacking and selling stolen information or launching ransomware attacks, a booming business for the attackers (ransomware alone took in an estimated $1 billion last year). This tech transfer of nation-state capabilities only amplifies the Wild West of cybersecurity, where new weapons are being built every day and very few rules exist to govern actions or prosecute anyone who steps too far. Friday’s ransomware attack demonstrates how these issues actually impact matters of life and death.

 Major global ‘Adylkuzz’ cyber-attack is already underway and it could dwarf last week’s hacks, experts claim

But rather than lock files, it takes controls of computers and puts them to work “mining” a virtual currency which criminals can then exchange for real cash. Researchers at the tech firm Proofpoint said the new virus was linked to WannaCry and may have infected hundreds of thousands of computers. Nicolas Godier, a researcher at the computer security firm, told AFP: “It uses the hacking tools recently disclosed by the NSA and which have since been fixed by Microsoft in a more stealthy manner and for a different purpose.”

 With Ransomware Concerns Fresh, Cybersecurity Firms Tap VC Funding

As cybersecurity stocks rose across the board Monday after a weekend full of hacks, a variety of startups rode the wave of interest in Web security by announcing new rounds of financing. This morning, San Francisco-based Wandera said it added a $27.5 million Series C round of equity and venture debt financing led by Sapphire Ventures. Existing investors Bessemer Venture Partners and 83North also participated in the funding round, bringing the company’s total raised to $50 million.

 PATCH Act Calls for VEP Review Board

The bipartisan act, sponsored by U.S. Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas), calls for the establishment of a VEP Review Board that would consist of the highest-ranking members of the intelligence community. The board mandate would be to formalize the process rather than have it be an ad hoc activity within the Executive Branch.

 Proposed PATCH Act forces US snoops to quit hoarding code exploits

Two US senators have proposed a law limiting American intelligence agencies’ secret stockpiles of vulnerabilities found in products. The Protecting our Ability To Counter Hacking (PATCH) Act [PDF] would set up a board chaired by an Department of Homeland Security (DHS) official to assess security flaws spies have found in code and hardware, and decide if manufacturers should be alerted to the bugs so they can be fixed for everyone.

 Mitsubishi Electric develops cyber-attack detection technology for critical infrastructure systems

The technology detects ingenious cyber-attacks disguised as normal commands targeted on critical infrastructure for electric power, natural gas, water, chemicals and petroleum without reducing the real-time control capability, which is expected to help ensure infrastructure stability. Commercialization for electric power infrastructure is planned from around fiscal 2018. Other applications will be developed in collaboration with the Strategic Innovation Promotion Program (SIP) challenge for the cyber security of critical infrastructure.

 How to get your staff to take cybersecurity seriously

Education is the key to teach employees a shared sense of responsibility for the data that they work with. Any campaign should become part of an ongoing process. While some small businesses may feel they lack the resources, there are ways to direct an effective cybersecurity education campaign without breaking the bank.

 NIST workshop debates new cybersecurity framework

It emphasizes risk management rather than meeting systems of standards and is generally seen as a good building point for organizations of all sizes and types. The workshop debated ways to update the guide for advice on modern security standards like multifactor identification, supply chain management or easing the way for third-party researchers to report security flaws. Also on the table were topics such as internet of things and security metrics.

 Senate’s Use of Signal A Good First Step, Experts Say

On Tuesday the United States Senate made it official and approved the use of encrypted messaging app Signal by staffers. […] “The move to secure communications applications–and, one hopes, other equally important forms of security (e.g., multi-factor authentication)–is a healthy and important step,” wrote Susan Landau, a cyber security policy expert at Worcester Polytechnic Institute, in commentary posted to the Lawfare website. “Such efforts should extend well past the community of Senate staffers.”

 White House Adviser Wants to Move Cyber Risk Decisions Up the Chain

The Trump administration’s goal, he said, is to pinpoint where those outdated or risky systems exist, to make governmentwide decisions about whether those risks are acceptable and to reallocate money to update those systems when the risk is unacceptable. “If we allow individual departments and agencies to fend for themselves, we often will get the lowest common denominator as our weakest link in what is an interlinked federal network,” he said.

 Something about Trump cybersecurity executive order seems awfully familiar

Last week, amidst the whirlwind surrounding the firing of FBI Director James Comey, President Donald Trump signed his long-promised executive order on federal government cybersecurity. While many of the other orders issued by Trump have been politically fraught, this one is not; it’s possibly the least controversial document to be adorned with the president’s signature since his inauguration. In fact, aside from some of the more Trumpian language in the order, this Executive Order could have easily been issued by the Obama administration. That’s because it largely is based on policies and procedures that were spearheaded by President Obama’s staff.

 WordPress Fixes CSRF, XSS Bugs, Announces Bug Bounty Program

The latest iteration of the software, version 4.7.5, was released on Tuesday. If users have have automatic background updates enabled for sites, it’s likely they’ve already been updated. Webmasters who don’t have the feature turned on can update by going to Dashboard ? Updates. Until updated, versions 4.7.4 and earlier of WordPress are considered vulnerable.

 Don’t gripe if you hand your PC to Geek Squad and they rat you out to the Feds – judge

The ruling, by US District Court Judge Cormac Carney, came this week over the case of Dr Mark Rettenmaier, a prominent California gynecologist who is accused of possessing child sex abuse images. The case kicked off after he took his defunct HP Pavilion computer into a Mission Viejo Best Buy and asked its Geek Squad to find out why it wouldn’t boot. An examination of the computer’s hard drive brought up an allegedly dodgy image of an prepubescent girl, and the engineers called in the FBI. The agency has a close relationship with Geek Squads, and offers $500 bounties for successful finds of illegal material.

 Net neutrality going down in flames as FCC votes to kill Title II rules

The Notice of Proposed Rulemaking (NPRM) proposes eliminating the Title II classification and seeks comment on what, if anything, should replace the current net neutrality rules. But Chairman Ajit Pai is making no promises about reinstating the two-year-old net neutrality rules that forbid ISPs from blocking or throttling lawful Internet content or prioritizing content in exchange for payment. Pai’s proposal argues that throttling websites and applications might somehow help Internet users.

 Russia suggests introducing global cyber security rules

“We are interested in the elaboration of the common rules of behavior in the information space,” he said. “In this regard, not all agree, of course,” he added. According to Patrushev, there are countries, which believe that they can solve particular tasks on their own but bearing in mind that they can exert certain influence. These states do not agree so far that common rules should be elaborated, he added.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.