IT Security News Blast 7-11-2017

Health IT Organizations Urge Congress to Increase NIST Funding

[The] multi-stakeholder letter states, “Lawmakers should understand that the resources NIST needs to undertake industry-government efforts on cybersecurity, including the voluntary Framework for Improving Critical Infrastructure Cybersecurity, come from the STRS account. Our groups recognize that policymakers need to spend taxpayers’ monies wisely, but the framework has been a remarkable success.”

Cinema Chain B&B Suffers Suspected Two-Year Card Breach

The chances are that hackers managed to infiltrate the cinema company’s POS systems to scrape card magstripe data. […] He added that with the underground market now flooded with stolen card data, cyber-criminals could turn to POS ransomware to generate profits. “If retailers don’t protect themselves properly, this isn’t much of a stretch. Rather than gain access to a chain’s POS to exfiltrate credit cards over months or even years, cyber-criminals could deploy ransomware that shuts down the POS systems… effectively bringing the business and all revenue to a screeching halt,” argued Christly.

The Growing Danger of IP Theft and Cyber Extortion

Generally, hackers used to target the payment systems or databases of large corporations in search of card data or sensitive personal data, such as Social Security numbers. Targeting a very small company wasn’t worth the effort. Now, with easy-to-use hacking tools, untraceable payment methods, and the fact that companies (including many third-party vendors) store millions of dollars’ worth of intellectual property on their networks, cybercriminals are getting creative.

New reality of ransomware attacks spikes FUD in cybersecurity

But when ISE released its Hacking Hospitals report early last year, ransomware attacks targeting hospitals were still fairly new. Since then, the healthcare sector has paid out thousands of dollars in Bitcoin to release encrypted files. […] Even though I want to resist the inclination to buy into fear, uncertainty and doubt, facts that we are increasingly more vulnerable to widespread disruption continue to mount. Maybe that’s a good thing.

Federal Amber Security Warning For Critical Infrastructure & Manufacturing

Operators of critical infrastructure and manufacturing in the US have received a warning from the FBI and the Department of Homeland Security about cyber criminals targeting them. The cyber-attacks have so far been limited to administrative and business networks, but are ongoing. IT security experts commented below.

Jim Koenig on Law Firm Hacks and How to Prevent Them

Perhaps there’s no clearer reminder of this than last month’s global malware attack, which, along with a number of global companies, hit DLA Piper and forced the firm to shut down its networks, including email. In light of such cyber threats, Koenig, who co-chairs the cyber practice at Fenwick & West, said that firms and companies alike should take a look at the information they store and ask whether they need to keep it. […] “The best protection from privacy and cyber-security risks is not to have the information at all.”

New Data Protection Regulations to Reach US Companies

Companies that handle EU citizens’ data must be prepared to comply with a sweeping set of data security regulations that go into effect on May 25, 2018. The EU’s General Data Protection Regulation (GDPR) will significantly burden any company that handles or processes personal data of EU residents. Never before has a privacy regulation had the potential to reach companies anywhere on the globe on such an immense scale.

BT, KPMG Highlight Cybersecurity Traps

[Firms] should avoid throwing money away on IT security products as a knee-jerk reaction. This is especially true for companies that have matured from the stage of ‘denial’ into the stage of constant ‘worry’, where investing in the latest technology can be viewed as the silver bullet to the problem. This common mistake can make firms a target, not just for cyber criminals, but also for over-zealous IT salespeople.

Malloy: Cybersecurity plan coming

Malloy on Monday released the Connecticut Cybersecurity Strategy — an outline of a coming action plan containing seven key principles for residents, organizations, government agencies and businesses to protect against cyber attacks. The next step is creation and implementation of an actual cybersecurity plan, work which is well under way, Malloy said.

A new approach to federal cybersecurity, two years after the OPM breach

It’s clear that if we are to avoid another devastating breach, the U.S. needs a fundamental change in the way we approach cybersecurity on a long-term basis. Key areas include smart investments in technology, collaboration between the public and private sectors, and development of a highly trained security workforce.

Congress Still Grappling With Cybersecurity Concerns

“I don’t know whether anyone has hacked the U.S. Congress, however, I do know that the security is very lax,” said Toomas Hendrik Ilves, the former president of Estonia, who is an internationally recognized expert on cybersecurity. “Until you have two-factor authentication, I would be careful what you put in your emails, lest you find it on the front page of The New York Times in a few days.”

NATO: We’re supplying new cybersecurity equipment to Ukraine

At a news conference in Kiev alongside Ukrainian President Petro Poroshenko on Monday, Jens Stoltenberg told journalists that “we are in the process of providing Ukraine with new equipment to some key government institutions.” Few other details were provided, but Stoltenberg said the gear would “help Ukraine investigate who is behind the different attacks.”

Russia causing ‘cyber-space mayhem’, says ex-GCHQ boss

There was “a disproportionate amount of mayhem in cyber-space” coming from the country, he told the BBC. Mr Hannigan urged people to “push back” against the behaviour of the Russian state, adding some form of cyber-retaliation may be necessary in future. […] “There is an overlap of crime and state, and a deeply corrupt system that allows crime to flourish, but the Russian state could do a lot to stop that and it could certainly rein in its own state activity.”

Trump on his ‘impenetrable’ cybersecurity unit with Putin: I didn’t mean it

After the meeting, Trump sent a tweet saying he would work with Russia to create an “impenetrable” cybersecurity unit to keep “election hacking, & many other negative things” protected. That comment, coming as pundits began referring to the G-20 Summit as the “G-19 plus one” to signal how isolated the U.S. and Trump appeared, was met with “putting the fox in charge of the henhouse” derision — referencing repeated findings by U.S. and foreign intelligence agencies that Russia was involved in wide-scale hacking campaigns.

Congress Unnerved by Energy Grid Hack

“The disturbing reports of the past 24 hours indicate that our adversaries are trying to take advantage of the very real vulnerabilities of our energy infrastructure’s cyber defenses,” Cantwell said in a statement to CQ Roll Call. She added that she is “reiterating my call for President Trump to immediately perform the long overdue assessment of cyber vulnerabilities that 19 Senators have requested, and abandon his proposed cuts to the Department of Energy’s Office tasked with protecting our energy networks from cyber attacks.”

Moving Forward on Cyber Norms, Domestically

[The] United States and a number of other states clearly believe that it is in their interests (and the interests of international peace and security) to further articulate how international law applies in cyberspace. The United States has done more than most states (through speeches by then-Legal Advisers Harold Koh and Brian Egan, for instance) to articulate publicly how it conceives of both binding and voluntary international cyber norms. It should continue to do so.

SPAWAR’s Cybersecurity Summer Camp celebrates STEM

This year the camp was held at Burke High School of Charleston County and sponsored by Space and Naval Warfare Systems Center (SSC) Atlantic. More than 30 SSC Atlantic employees volunteered along with others from Trident Technical College for the camp, instructing courses and facilitating exercises in today’s information technology (IT) environment related to cybersecurity and national defense.

Surveillance reform déjà vu

Congressional surveillance reform advocates are attempting to use the annual National Defense Authorization Act (NDAA) to rein in post-9/11 warrantless mass surveillance programs. If the recent past is any guide, the House GOP leadership will do everything it can to ensure their amendments never get a vote on the House floor.

Albuquerque police refuse to say if they have stingrays, so ACLU sues

“These devices are incredibly invasive and the government isn’t being transparent about how they are being used,” ACLU of New Mexico Executive Director Peter Simonson said in a statement. “If the APD is using Stingrays to snoop into people’s private information, the public has a right to know. We also need to ensure that protections are in place to prevent these powerful tools from being misused or abused.” A lawyer for the police department did not immediately respond to Ars’ request for comment.

International Investigatory Group Also Target of Government Spyware

The infection attempts also came shortly after the GIEI publicly criticized the Mexican government for interfering with its investigation by refusing to hand over documents or grant interviews with those involved. The group was comprised of investigators from outside Mexico, including Colombia, Chile, Guatemala and Spain. That is notable, as the New York Times points out, because members of the group had essentially been given diplomatic immunity.

Satellite Communication Can Now Be Cracked In Seconds

The GMR-2 standard encrypts a user’s conversation with a 64-bit cipher. Two Chinese researchers have figured out a way to reverse engineer the encryption and hence decode the entire conversation within a matter of seconds. The researchers belong to the National University of Defense Technology in Changsha. They stated that the process simply involves understanding the way in which GMR-2 encrypts data in the first place.

Closing the CVE gap: Is MITRE up to it?

“For all vulnerabilities disclosed anywhere, commercial databases currently track about 80 percent. CVE tends to have 60 percent of that 80 percent,” he said. “So when you make a risk decision, you’re doing it with a blind spot of about 50 percent. This is a too-big-to-fail thing. It’s like our bridges and tunnels collapsing,” he said, adding, “It is about to get a lot worse,” thanks to the continuing explosion of devices and accompanying vulnerabilities that comprise the Internet of Things (IoT).

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.