IT Security News Blast 5-24-2017

Healthcare Among Industries Most Vulnerable to Cyberattack

“Is cyber risk systemic?” […] The survey, which polled cybersecurity, technology, and insurance professionals in the United States, the United Kingdom, and Continental Europe, found that more than half of survey respondents said a simultaneous attack on five to 10 companies is highly likely in the next year. More than one-third estimated the likelihood of a simultaneous attack on as many as 50 companies at greater than 50%. Some even predicted that as many as 100 companies could be attacked.

 Target inks $18.5m deal with US states to settle 2013 data breach

As break-ins go it was a massive hit, possibly the biggest theft of customer data ever reported. The states promptly took Target to task and on Tuesday the firm said that it had finally reached a settlement for the issue. “We’ve been working closely with State Attorneys General for several years to address claims related to Target’s 2013 data breach,” a Target spokeswoman told The Register. “We’re pleased to bring this issue to a resolution for everyone involved. The costs associated with this settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed.”

 Ransomware damages rise 15X in 2 years to hit $5 billion in 2017

The massive WannaCry outbreak caused an estimated $1 billion in damage costs in just its first four days, according to Stu Sjouwerman, CEO at KnowBe4. The WannaCry ransom payouts, however, have been minimal. Various media reports peg the payouts at anywhere from five figures to a few hundred thousand dollars. Even if everyone affected coughed up the $300 ransom demand, the total payouts would be roughly $60 million. For 2017, Cybersecurity Ventures predicts global ransomware damage costs will exceed $5 billion, up from $325 million in 2015.

 With Billions Spent on Cybersecurity, Why Are Problems Getting Worse?

In 2016, over $18 billion was spent on cybersecurity. It’s estimated that almost a trillion dollars more will be spent over the next five years. Despite this, research shows that the problem is getting worse. Data breaches are at an all-time high, and the fierceness of these attacks has never been greater. The reason is not that we’re unable to develop smarter, better technologies to secure our data but that we use these technologies in a scattered and siloed approach. Also, we fail to leverage most companies’ greatest asset — their people.

 Cyber security a priority for utilities

Muhammed Khan, a security infrastructure specialist at the Health Authority – Abu Dhabi, said that IoT devices will hit the 20 billion mark by 2020, which means a surge in an entire illicit network. “The criminal network has begun offering ransomware as a service, enabling anyone to extort their favourite targets,” Mr Khan said. But a breach at a power utility is a national security issue as it can involve overriding commands for a nuclear power plant, or shutting off the power supply, which can hurt the economy.

 Looking for a Re-Enlistment Bonus? These Jobs May Be Your Best Bet

Brilakis said cyber and intelligence fields, including human intelligence specialists and counter-intelligence specialists, “have been challenged with retentions,” meaning the service has struggled to keep enough Marines in those jobs. “Part of the challenge … in cyber [comes from] what we call lat-move [military occupational specialties], so we take junior Marines from various MOSs in meeting those requirements because of very technical, very difficult training,” he said.

 Trump budget seeks $1.5B for Homeland Security cyber unit

The proposed budget represents an increase over the fiscal 2017 annualized continuing resolution level for the NPPD. However, a bipartisan spending package hammered out by congressional negotiators in April that funds the government through September allotted $1.8 billion for the NPPD in fiscal 2017 — more than the funds proposed by the administration’s budget.

 Cyber Still Finding Its Way in Defense Funding Process

The House Armed Services Committee is expected to vote on an annual defense policy bill, which authorizes military funding levels, later this year. Thornberry is also pushing legislation that would overhaul the military’s acquisitions process. His bill, introduced on May 18, would allow the military to procure their needs via commercial online portals like Inc., and make it easier for companies to partner with the government.

 Trump’s Cybersecurity Boss Talks Priorities

“The Trump administration signed an executive order that allows us to get our legs underneath us in terms of cybersecurity,” he said. “With this executive order we are going to step back and we are going to manage the federal government’s IT activity as a single enterprise. Even though we are talking millions-upon-millions of assets and thousands-upon-thousands of networks, we are going to step back and try to view it as a sum total of risks.”

 U.N.’s North Korea sanctions monitors hit by ‘sustained’ cyber attack

The hackers eventually breached the computer of one of the experts on May 8, the chair of the panel of experts wrote in an email to U.N. officials and the U.N. Security Council’s North Korea sanctions committee, known as the 1718 committee. “The zip file was sent with a highly personalized message which shows the hackers have very detailed insight into the panel’s current investigations structure and working methods,” read the email, which was sent on May 8.

 Russian interference in 2016 election aggressive: Brennan

Former CIA Director John Brennan testified today before the House Intelligence Committee that he personally warned a Russian intelligence agency to stop interfering with the 2016 election. Brennan called the Russian actions involving the election “very aggressive” and said that he is aware of “information and intelligence that revealed contacts and interactions” between the Trump campaign and Russian officials. He was not certain if any collusion took place between those on the Trump team and Russia.

 Apple Receives First National Security Letter, Reports Spike in Requests for Data

Monday’s report also indicates a spike in the number of National Security Orders Apple has received. The company said that between July 1 and Dec. 31, 2016 it received between 5,750 and 5,999 orders pertaining to 4,750 and 4,999 accounts. That’s almost double the number it received in the first half of last year when the company reported it received between 2,750 and 2,999 orders pertaining to 2,000-2,249 accounts. Those numbers include orders received under National Security Letters and Foreign Intelligence Surveillance Act (FISA) orders.

 Can a cyberattack trigger a ‘just war’?

Just war theory, rooted in the fifth-century writings of St. Augustine of Hippo, takes a middle ground between pacifism, which never allows for violence, and realpolitik, which is suspect of moral considerations in defense and warfare. Just war theory can be adapted to address technological innovation, said Hehir. But cyberattacks present unique questions to their victims, who often can’t figure out the perpetrators, said panelist Simone Petrella, chief of cyberstrategy at CyberVista, a Washington-based firm that helps companies defend themselves from cyberattacks.

 Is Cybersecurity A Second Coming For AI?

[To] also be able to analyze all of that data, seeking out anomalies that could signal a looming threat, is another story entirely. Even if an enterprise IT team had enough manpower to manage the data at hand, there is just no way for us as humans to analyze that much data in real time. With machine learning, that mountain of data could be whittled down in a fraction of the time, helping organizations quickly identify and then mitigate a security incident. Artificial intelligence could be a game-changer for security teams.

 The Wild West of Cyber Insurance: What Companies Need to Know

“First-party costs are those costs the insured incurs itself to respond directly to a breach, such as expenses for forensic investigative services, attorneys’ fees, and for notifying affected individuals,” they said. “Third-party costs are those expenses incurred because of third party claims such as lawsuits. Third party coverage can also respond to certain regulatory claims. But policies can and do vary markedly, especially for first-party costs.”

 Navigating Misaligned Law Enforcement and Company Interests in Data Breach Investigations

Those unfamiliar with data breach investigations might fail to appreciate the more difficult nuances of that relationship. Navigating these investigations—and crafting sensible policies surrounding them—requires anticipating friction points and better understanding the interests and agendas of all parties. While this piece focuses primarily on cooperation between U.S. companies and law enforcement, many of the same issues arise in the context of cross-border investigations and are relevant to the broader Mutual Legal Assistance dialogue.

 There’s new evidence tying WCry ransomware worm to prolific hacking group

The earlier versions of WannaCry and the one used in the May 12 attacks are largely the same, with some minor changes, chiefly the incorporation of the EternalBlue exploit. The passwords used to encrypt the Zip files embedded in the WannaCry dropper are similar across both versions (“wcry@123”, “wcry@2016”, and “WNcry@2ol7”) indicating that the author of both versions is likely the same group. The small number of Bitcoin wallets used by the first version of WannaCry, and its limited spread, indicates that this was not a tool that was shared across cyber crime groups. This provides further evidence that both versions of WannaCry were operated by a single group.

 Indian hacker pwned Air India, SpiceJet & Cleartrip; booked free flights

Kanishk Sajnani, a young ethical hacker who is in his early 20s, recently managed to conduct a hacking spree and reward himself a discounted flight, a free ticket and much more. However, instead of doing the things he could, he simply informed the respective companies about the flaws their systems had. This is what ethical hacking is all about. Sajnani was able to hack into the application tracking system of Air India in 2015 (but only disclosing it now in 2017) and exploited a major vulnerability that allowed him to book a ticket from India to San Francisco for just Re 1.

 Be wary of fake WannaCry fixes

When the WannaCry malware hit, many users were scrambling for fixes — but some of the proffered solutions were actually just more malware, in disguise. Security experts recommend that companies stick with their existing security vendors and established update processes, and be careful about downloading fixes that they come across on the Internet. […] Legitimate vendors aren’t going to send out alerts via viral social media posts, he said. And patches usually don’t require a download.

 Hackers Claim Leaking Thousands of Spotify Login Credentials

The hacker group, Leak Boat, has claimed responsibility for publishing the usernames and passwords of 9,000 Spotify users. Spotify, as you may already know, is a well-known music streaming website with a considerable user base that includes celebrities. According to IBT, it was reported that the public website in which the user credentials have been dumped only had 6,410 accounts and not 9,000 like Leak Boat suggested in its tweet.

 Last week: ‘OpenVPN client is secure!’ This week: ‘Unpatched bug in OpenVPN server’

French security outfit Sysdream has gone public with a vulnerability in the admin interface for OpenVPN’s server. The finding is a bit awkward because it comes after OpenVPN’s client got a clean bill of health in two independent security audits earlier this month. The attack, designated CVE-2017-5868, was published by Sysdream’s Julien Boulet 90 days after the company says OpenVPN first acknowledged the issue. While waiting for a fix, this OSS-SEC post suggests users put a reverse proxy between the server and the Internet, and restrict access to the Web interface.

 Examining the FCC claim that DDoS attacks hit net neutrality comment system

According to Bray, FCC staff noticed high comment volumes around 3:00 AM the morning of Monday, May 8. As the FCC analyzed the log files, it became clear that non-human bots created these comments automatically by making calls to the FCC’s API. Interestingly, the attack did not come from a botnet of infected computers but was fully cloud-based. By using commercial cloud services to make massive API requests, the bots consumed available machine resources, which crowded out human commenters. In effect, the bot swarm created a distributed denial-of-service attack on FCC systems using the public API as a vehicle. It’s similar to the distributed denial of service attack on Pokemon Go in July 2016.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.