IT Security News Blast 5-26-2017

Cybersecurity & manufacturing: assessing the danger

“The irony is that manufacturers are in reality a prime target, not just in terms of the value of the assets that they have exposed to cybersecurity risk, but also the velocity of their transactions – a velocity that means that there’s a higher chance that a cyberattack might be successful,” warns Robert Holmes, vice-president of products at IT security provider, Proofpoint. “So when looking at manufacturing businesses, attackers see opportunities to help themselves to both cash and data, which when coupled to an apparent lack of cybersecurity awareness among manufacturers tends to make such thefts easier to carry out.”

Several Vulnerabilities Found in Rockwell Automation PLCs

The most serious of the flaws, based on their CVSS scores, are related to authentication. One of the issues, tracked as CVE-2017-7898 and rated critical, refers to the fact that any number of incorrect passwords can be entered on the web server login page, which can allow brute force attacks. Another critical weakness, CVE-2017-7903, is related to the fact that the web interface is protected by a numeric password whose maximum length is small.

Here’s one tally of the losses from WannaCry cyberattack

“The estimated damage caused by WannaCry in just the initial four days would exceed $1 billion, looking at the massive downtime caused for large organizations worldwide,” Stu Sjouwerman, chief executive at KnowBe4, a Clearwater, Fla., firm that helps firms avoid phishing efforts, wrote in a statement. The damage estimates include loss of data, lost productivity, disruptions to business, forensic investigation, reputational harm and other factors, the company said.

FAR 52.204-21 And The Future Of Federal Cybersecurity Enforcement

A Final Rule published by the Department of Defense, NASA, and the General Services Administration in 2016 created a new Federal Acquisition Regulation subpart (4.19) and contract clause (52.204-21) that deal exclusively with Cybersecurity. The Regulation broadly applies to “covered contractor information systems” that process, store, or transmit “Federal contract information.” These terms are interpreted expansively to cover any information provided by or transmitted to the Federal government in connection with contract performance. In other words, if the new clause is not included in your Federal contracts yet, it soon will be.

Unified Cybersecurity Unit Is Necessary to Protect New Jersey Agencies from Threats

One accomplishment Weinstein seemed to be particularly proud of was what he called the “commercialization of our service catalog.” “OIT embraced statutory mandates as a service provider with an emphasis on the provisioning and maintenance of IT infrastructure,” he explained. “We went from having zero service level agreements [SLAs] in fiscal year ’16 to closing out fiscal year ’17 with 11 SLAs — one for every billable service that we offer.” This, Weinstein said, includes networks, servers, databases or data center services.

West Virginia Reorganizing State’s Cyber Security Effort

In an executive order, Justice has also directed the West Virginia Office of Technology to conduct risk management oversight to ensure cyber security of electronic records. Under the order, the board will maintain the State Privacy Office, responsible for issuing policies and conducting assessments. It was previously organized under the Department of Health and Human Resources’ Health Care Authority. The order, signed last week, says it’s also imperative for the state to engage with its business partners to protect West Virginians’ privacy.

Adopt Counterinsurgency Security Measures to Patrol the New Network Perimeter

The first strategy is to focus on identity, which is the key that unlocks the new network’s gateway. CISOs must be looking at their authentication, authorization and accounting of what actually happens with each user’s identity. There is much work to be done with identity and access management (IAM), and CISOs should be looking for a more sophisticated approach in correlating access with risk.

Why Companies Shouldn’t Try to Hack Their Hackers

During a recent cybersecurity competition, teams of students conducting a mock exercise unintentionally caused the U.S. to start a (fake) war. The students were given a variety of options, including diplomatic ones, for responding to a cyberattack by China. The majority of them took an aggressive approach, known as “hack back,” with disastrous consequences. The mock exercise shows how tempting it is to launch a counterstrike in response to a cyberattack — and the potential for significant unintended consequences.

In Modern Cyber War, the Spies Can Become Targets, Too

The mysterious hacking group that supplied a critical component of the WannaCry “ransomware” software attack that spread across the globe in mid-May has been releasing alleged National Security Agency secrets for the past eight months. […] But something went largely unnoticed outside the intelligence community. Buried in the files’ “metadata”—a hidden area that typically lists a file’s creators and editors—were four names. It isn’t clear whether the names were published intentionally or whether the files were doctored. At least one person named in the metadata worked for the NSA, a person familiar with the matter said.

Russian disinformation campaign targets 39 countries

These discoveries suggest that there was more to this than just cyber attacks on Hillary Clinton’s 2016 presidential campaign. The researchers said that the targets of espionage were not only in the government, military and industry, but also included various journalists, academics, opposition figures, and activists. According to the report, some of the high-profile targets include a former Russian prime minister, former high-ranking US officials, members of cabinets from Europe and Eurasia, ambassadors, high-ranking military officers and chief executives of energy companies.

Executive Order 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

With President Trump’s executive order on cybersecurity, and with his statements and positions taken during the campaign, it is clear that cybersecurity will be a key area of focus during his administration. Executive Order 13800, with its requirement for federal agencies to use the NIST Cybersecurity Framework, raises questions about the use of the framework by government contractors, and other government agencies: will various agencies now require use of the NIST Cybersecurity Framework by the vendors which they rely upon? And how will agencies resolve conflicts between the framework and other regulations/requirements?

Trump’s First Cybersecurity Scorecard

Not very, according to cybersecurity lawyer and policy expert Jody Westby. The former PwC senior managing director now heads boutique legal firm Global Cyber Risk LLC. She advised the Department of Homeland Security on cybersecurity research and development for eight years. “I found it all underwhelming,” she says, arguing that so far the administration has focused on talks and reports. “We’ve had so many reports over so many years about cyber that what we really need is funding, action and new direction. What’s proposed is old direction stuff.”

Cybercom: Pace of Cyberattacks Have Consequences for Military, Nation

In his written testimony, the admiral said that cyber-enabled destructive and disruptive attacks now have the potential to affect the property, rights and daily lives of Americans. “We are particularly concerned as adversaries probe and even exploit systems used by government, law enforcement, military, intelligence and critical infrastructure in the United States and abroad,” Rogers said.

UK ministers to push anti-encryption laws after election

The UK government will push through orders next month to force all communications companies including Google and Facebook to break data encryption. That’s according to the Sun newspaper, which quotes a government minister as saying “we will do this as soon as we can after the election, as long as we get back in. The level of threat clearly proves there is no more time to waste now.” The same minister is also quoted as saying: “The social media companies have been laughing in our faces for too long.”

Wanna Cry Again? NSA’s Windows ‘EsteemAudit’ RDP Exploit Remains Unpatched

Brace yourselves for a possible ‘second wave’ of massive global cyber attack, as SMB (Server Message Block) was not the only network protocol whose zero-day exploits created by the NSA were exposed in the Shadow Brokers dump last month. Although Microsoft released patches for the SMB flaws for supported versions in March and for unsupported versions immediately after the outbreak of the WannaCry ransomware, the company has not patched three other NSA hacking tools, dubbed “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan.”

Student hacks university computer; changes grade from F to B

The culprit, 22-year-old Mr. Sami Adel Ammar, was reported to the authorities by his professor, who accused him of tampering with his grades. According to the professor, Ammar “had only completed one assignment the entire semester,” which makes it obvious that he would have ended up with low grades, not a B. Upon investigation, police found the IP address of the computer system that Ammar hacked to change his grades. A surveillance video also helped the police identify Ammar and another person at the location of the hacked computer at the time the grades were changed.

All Android Phones Vulnerable to Extremely Dangerous Full Device Takeover Attack

The Cloak and Dagger attack allows hackers to silently take full control of your device and steal private data, including keystrokes, chats, device PIN, online account passwords, OTP passcodes, and contacts. The attack doesn’t exploit any vulnerability in the Android ecosystem; instead, it abuses a pair of legitimate app permissions that are widely used in popular applications to access certain features on an Android device. Researchers at the Georgia Institute of Technology, who discovered this attack, successfully performed it on 20 people, none of whom were able to detect any malicious activity.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.