IT Security News Blast 6-5-2017

HHS task force wants cybersecurity treated as a patient safety issue

The task force called for a new healthcare-specific cybersecurity framework and for amendments to the Physician Self-Referral Law and the Anti-Kickback Statute to make it easier for large health systems to assist smaller practices with their cybersecurity. “Cybersecurity has historically been treated as an IT issue,” Emery Csulak, co-chair of the task force, said during a conference call with reporters. “We want to make sure it’s treated as a patient safety issue.”

 Health Care: Cybersecurity in an Insecure World

Health care falls prey to cybersecurity threats for, arguably, three main reasons. First, records remain consistently valuable to criminals: any random “health care record” could contain a smattering of personal information, including Social Security numbers, driver’s license numbers, and marital status alongside PHI.  […] Second, health care records exist in multiple forms depending on the entity. Digital records can be housed on networks and devices, and paper records are still common in many facilities. […] Third, access control is a balancing act. As this type of information must be accessible quickly if necessary, it is difficult to add on security procedures as an afterthought if they have not been baked in beforehand.

 Kmart cyber attack highlights PoS vulnerabilities

The cyber attack on Kmart should be a major wake up call for retailers to review the security of their point-of-sale systems, say security experts […] Sears said Kmart store payment data systems were infected with a form of malicious code that was “undetectable” by current antivirus systems and application controls.

 Hackers Behind Jaff Ransomware Selling Victims’ Data on Dark Web

The information includes account data stolen from credit cards, PayPal transactions, payments made online on e-commerce portals such as Amazon and eBay and much more. Furthermore, the cyber criminal does not have to go through any sort of verification process before being approved for purchasing information. As such, it makes it ever more efficient for attackers to purchase the compromised accounts that have a value of up to $275,241.

 C-suite: Cybersecurity is #1 issue, ISA report

“Each of these risks can adversely affect competitive positioning, stock price, and shareholder value,” the report stated. This is where an educated boardroom is essential, the report explained. “Managing and mitigating cyber-risk impact requires strategic thinking, and it starts with realizing cybersecurity is an enterprise-wide risk management issue, not merely an IT issue,” the report stated.

 Oversight of Cybersecurity Matters Is Good for Business

Since the cyberrisk is clearly on companies’ radar screens and not going away in the near future, boards of directors need to establish an effective governance structure to oversee cybersecurity matters and monitor management’s plans and progress in this critical area. An effective oversight mechanism can also serve as a good defense of a board’s business judgement in the event of a cyberbreach and related lawsuits claiming that directors breached their fiduciary duties.

 Cybercrime and security: A Russian perspective

“The trends that we are seeing now, and I’m sure it’s going to be the same in the future, is that cybercrime is getting a lot more professional,” says Kaspersky. “They are able to attack very well-protected victims.” […] “When we come to the professional criminal gangs, they are mostly Russian-speaking. They don’t only develop and use the tools, they also trade the technology. So, we can see the traces of the Russian-made technologies in the hands of criminals from other nations as well,” he says.

 ‘ExplodingCan’ NSA exploit menaces thousands of servers

Code-named ExplodingCan, the exploit uses a known flaw in IIS 6.0 servers that have the WebDAV (distributed authoring and versioning) extension enabled for remote content creation and management, British security company Secarma said. ExplodingCan sends a long request to the WebDAV PROPFIND function, triggering a buffer overflow, which in turn can be used for remote code execution and to obtain a command shell on the target Windows 2003 machine.

 ‘Tallinn Manual 2.0’ – A unique collection of law on cyber conflict

The Tallinn Manual 2.0 is a unique collection of law on cyber-conflict, says Professor Michael Schmitt from the UK’s University of Exeter, who led work on the tome. Published by Cambridge University Press and first compiled by a team of 19 experts in 2013, the latest updated edition aims to pin down the rules that governments should follow when doing battle in virtual reality. The manual was among the hot topics this week as over 500 IT security experts from across the globe gathered at NATO’s Cycon cyber security conference in Tallinn.

 Patriotic Russians may have staged cyber attacks on own initiative: Putin

Putin, speaking to international media at an economic forum in St Petersburg, was answering a question about allegations Moscow might try to interfere in this year’s German elections.  […] “If they (hackers) are patriotically-minded, they start to make their own contribution to what they believe is the good fight against those who speak badly about Russia. Is that possible? Theoretically it is possible,” said Putin. […] “On a state level we haven’t been involved in this (hacking), we aren’t planning to be involved in it. Quite the opposite, we are trying to combat it inside our country,” said Putin.

 Don’t Buy Into Putin’s Latest Misdirection on Election Hacking

While Putin didn’t address the US election directly, close observers still see a glimmer of an acknowledgement, even outright boasting. “He’s never going to do an outright state-sponsored admission because that could be seen as an act of war,” says Watts. “Now, he’s basically taking credit in a certain way that his country was involved in election meddling.” That the comments come shortly after the Trump administration eased sanctions the Obama administration imposed by returning two compounds on US soil to Russian ownership, simply adds to the intrigue. “I also see it as him just laughing,” says Watts about the timing.

 A pioneering computer scientist wants algorithms to be regulated like cars, banks, and drugs

In a lecture on May 30 to the Alan Turing Institute in London, he called for a “National Algorithm Safety Board,” similar to the US’s National Transportation Safety Board for vehicles, which would provide both ongoing and retroactive oversight for high-stakes algorithms. Such algorithms are already deeply embedded in many aspects of our lives. They do such things as setting prices on stock markets, flying aircraft on autopilot, calculating insurance risks, finding you an Uber, and devising routes for delivery trucks. In the future they’ll be used increasingly for even more critical tasks, such as controlling self-driving cars and making medical diagnoses.

 Hack Brief: Dangerous ‘Fireball’ Adware Infects a Quarter Billion PCs

The security firm Check Point has warned of a massive new outbreak: They count 250 million PCs infected with malicious code they’ve called Fireball, designed to hijack browsers to change the default search engine, and track their web traffic on behalf of a Beijing-based digital marketing firm called Rafotech. But more disturbingly, Check Point says it found that the malware also has the ability to remotely run any code on the victim’s machine, or download new malicious files. It’s potentially serious malware, disguised as something more trivial.

 Wikileaks reveals pandemic malware for Windows developed by the CIA

As the name suggests, a single computer on a local network with shared drives that is infected with the “Pandemic” implant will act like a “Patient Zero” in the spread of a disease. It will infect remote computers if the user executes programs stored on the pandemic file server. Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.

 EternalBlue Exploit Spreading Gh0st RAT, Nitol

According to FireEye, Backdoor.Nitol has been linked to campaigns involving a remote code execution vulnerability using the ADODB.Stream ActiveX Object that affects older versions of Internet Explorer. In the past, Backdoor.Nitol and Gh0st have also been delivered via exploitation of the CVE-2014-6332 vulnerability and in spam campaigns that target PowerShell commands, researchers said. “The initial exploit technique used at the SMB level (by Backdoor.Nitol and Gh0st) is similar to what we have seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server,” researchers wrote.

 Crapness of WannaCrypt coding offers hope for ransomware victims

Most of the whoopsies make it possible to restore files with the help of publicly available software tools. In one case a mistake in the malware’s read-only file processing mechanism does not allow it to encrypt read-only files at all. Instead, the malware creates encrypted copies of the files, while the original files remain untouched and are only given a “hidden” attribute, which is easy to undo.
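The read-only mistake described above leaves the original file in place, merely hidden, beside the encrypted copy. The following scanner is an added example (not from the article or any recovery tool it mentions) that lists originals which can be restored just by clearing the hidden attribute; it assumes the encrypted copies carry a fixed suffix, and the attribute check only works on Windows.

```python
import os
import stat
import subprocess
from pathlib import Path

ENCRYPTED_SUFFIX = ".WNCRY"  # assumed suffix of the encrypted copies

# Constructed directory listing for demonstration: (file name, hidden flag).
SAMPLE_LISTING = [
    ("budget.xlsx", True), ("budget.xlsx.WNCRY", False),  # hidden original + copy
    ("notes.txt", False), ("notes.txt.WNCRY", False),     # original still visible
    ("photo.jpg", True),                                  # hidden, but no encrypted copy
]


def recoverable_originals(entries):
    """Return names of hidden originals that sit next to an encrypted copy.

    Only this combination matches the read-only bug: the encrypted copy exists
    and the untouched original was merely given the hidden attribute.
    """
    names = {name for name, _ in entries}
    hidden = {name for name, is_hidden in entries if is_hidden}
    return sorted(
        name for name in names
        if not name.endswith(ENCRYPTED_SUFFIX)
        and name + ENCRYPTED_SUFFIX in names
        and name in hidden
    )


def is_hidden(path):
    """Windows-only: read the hidden bit from st_file_attributes."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_directory(directory):
    """Scan one directory (non-recursive) for recoverable originals."""
    entries = [(p.name, is_hidden(p)) for p in Path(directory).iterdir() if p.is_file()]
    return recoverable_originals(entries)


def unhide(path):
    """Clear the hidden attribute with the built-in attrib command (Windows only)."""
    subprocess.run(["attrib", "-h", str(path)], check=True)
```

Run `scan_directory` over a directory first and review the list before calling `unhide` on each entry; files that are hidden without an encrypted sibling are left alone because hiding may be legitimate.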

 OneLogin hacker swiped AWS keys, can decrypt stolen data

“This risk could have been averted,” said Simon Hunt, EVP and chief technology officer at WinMagic. “Maintaining exclusive enterprise control of a business’s keys isn’t a nice-to-do. Emerging hypervisor vulnerabilities create a real security gap, and cloud-based key management solutions can leave keys open to theft or transfer of authority.”

 “Good hackers” took over billboard to send security warning

But then some good guys do good things, just like in this incident, when a group of hackers took over a digital billboard at a shopping mall in Liverpool, England and defaced it with a message suggesting the authorities improve their security.

“We suggest you improve your security. Sincerely, your friendly neighborhood hackers. #JFT96”

Those who witnessed the incident took it to Twitter and Reddit, where some commenters called the feat “Such polite young hackers,” “British manners,” “I wonder if the hacker was drinking tea as he did it” and “I bet it was actually Canadians on vacation.”

 Tell the FCC you don’t want robo-voicemail, spammy direct-to-voicemail messages

The FCC is currently deciding if it should ban ringless voicemail or if those spammy voicemail messages don’t count as calls as companies using direct-to-voicemail insertion technology claim. All About the Message, a ringless voicemail company, petitioned the FCC to “declare that the delivery of a voice message directly to a voicemail box does not constitute a call that is subject to the prohibitions on the use of an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice” under the Telephone Consumer Protection Act (pdf).

 How to Succeed at Incident Response Metrics

Establish a baseline of what information you need to answer the questions that are most important to your team. Below are the most basic metrics all teams should keep, but you may have others you want to track to help with making a business case for control.

  • Time from compromise to discovery (dwell time)
  • Time from alarm to triage
  • Time to close
  • Incident classification
  • Detection method
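The five metrics above can be computed from a plain incident register. This is an added example (not from the article) that derives them from a constructed set of incident records; it assumes ISO-8601 timestamps and measures time to close from the alarm, with open incidents excluded from that median.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample incident records (not real data), timestamps in UTC.
INCIDENTS = [
    {"id": "INC-1", "compromise": "2017-05-01T08:00:00", "alarm": "2017-05-03T09:30:00",
     "triage": "2017-05-03T10:00:00", "closed": "2017-05-05T17:00:00",
     "classification": "malware", "detection": "EDR alert"},
    {"id": "INC-2", "compromise": "2017-05-10T12:00:00", "alarm": "2017-05-10T12:05:00",
     "triage": "2017-05-10T14:05:00", "closed": "2017-05-11T12:05:00",
     "classification": "phishing", "detection": "user report"},
    {"id": "INC-3", "compromise": "2017-04-20T00:00:00", "alarm": "2017-05-20T08:00:00",
     "triage": "2017-05-20T09:00:00", "closed": None,  # still open
     "classification": "malware", "detection": "threat hunt"},
]


def _hours(start, end):
    """Elapsed hours between two ISO timestamps, or None if either is missing."""
    if start is None or end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def incident_metrics(incidents):
    """Per-incident durations plus team-level medians and breakdowns."""
    per = [{
        "id": inc["id"],
        "dwell_h": _hours(inc["compromise"], inc["alarm"]),          # compromise -> discovery
        "alarm_to_triage_h": _hours(inc["alarm"], inc["triage"]),    # alarm -> triage
        "time_to_close_h": _hours(inc["alarm"], inc["closed"]),      # alarm -> close
    } for inc in incidents]

    def med(key):
        vals = [p[key] for p in per if p[key] is not None]
        return median(vals) if vals else None

    return {
        "per_incident": per,
        "median_dwell_h": med("dwell_h"),
        "median_alarm_to_triage_h": med("alarm_to_triage_h"),
        "median_time_to_close_h": med("time_to_close_h"),
        "open_incidents": sum(1 for inc in incidents if inc["closed"] is None),
        "by_classification": dict(Counter(inc["classification"] for inc in incidents)),
        "by_detection": dict(Counter(inc["detection"] for inc in incidents)),
    }
```

Medians are used rather than means because a single long-lived intrusion (INC-3 here, discovered by hunting after 30 days) would otherwise dominate the dwell-time figure.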

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.