IT Security News Blast 7-28-2017

NY hospital spent nearly $10M recovering from massive cyber-attack

About half of that amount is for computer hardware, software and assistance needed in the response. The other half represents a combination of increased expenses, such as for staff overtime pay, and lower revenues from the loss of business during the system down time. That’s just the costs related to the incident. Going forward, medical center officials also anticipate an ongoing additional expense of $250,000 to $400,000 a month for investments in upgraded technology and employee education to harden its computer system defenses to reduce the risk and impact of future attacks.

 Corporate Cyber Risk Disclosures Jump Dramatically in 2017

More public companies described “cybersecurity” as a risk in their financial disclosures in the first half of 2017 than in all of 2016, suggesting that board and C-suite fears over data breaches may be escalating. A Bloomberg BNA analysis found 436 companies cited “cybersecurity” as a risk factor in their Securities and Exchange Commission periodic filings in the first six months of 2017, compared to 403 companies in 2016 and 305 companies in 2015.

 SEC must improve how it protects against cyber attacks: report

The 27-page report by the Government Accountability Office found the Securities and Exchange Commission did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion detection system and made missteps in how it configured its firewalls, among other things. “Information security control deficiencies in the SEC computing environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by its systems,” the GAO said. “Until SEC mitigates its control deficiencies, its financial and support systems and the information they contain will continue to be at unnecessary risk of compromise.”

 Can Your Risk Assessment Stand Up Under Scrutiny?

Weak risk assessments have gotten a pass up until now, but that may be changing. On April 12, 2017, the FDA (the US Food and Drug Administration) issued a warning letter to Abbott Laboratories for a number of security failings in its medical devices. A key cause that was singled out was poor risk assessment. The letter notes: “Your firm identified the hardcoded universal unlock code as a risk control measure for emergent communication. However, you failed to identify this risk control also as a hazard. Therefore, you failed to properly estimate and evaluate the risk associated with the hardcoded universal unlock code in the design of your High Voltage devices.”
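The letter's point is that the risk control (one code that unlocks every device in an emergency) is itself a hazard: extract the constant from one unit and the whole fleet opens. The following added illustration, written for this digest and not Abbott's firmware or anything from the FDA letter, places that design beside a per-device challenge/response that keeps emergency access working for an authorised programmer while confining a leaked key to a single device. All names, serials and key values are constructed.

```python
"""A hardcoded universal unlock code as a hazard, beside a per-device
challenge/response. Added illustration; nothing here is the vendor's
firmware or the FDA's text, and every name and key value is made up."""
import hashlib
import hmac
import secrets

# --- The risk control as the letter describes it: one code, every device ----
UNIVERSAL_UNLOCK_CODE = "emergency-2017"   # constructed placeholder value


def unlock_with_universal_code(submitted: str) -> bool:
    """Pull this constant out of one unit's firmware and it unlocks the fleet."""
    return hmac.compare_digest(submitted.encode(), UNIVERSAL_UNLOCK_CODE.encode())


# --- Hardened: per-device secret plus a single-use challenge ----------------
def derive_device_key(master_key: bytes, serial: str) -> bytes:
    """Per-device key from a manufacturer master key and the device serial.

    HMAC-based derivation (a full HKDF would be the textbook choice). A key
    lifted from one implanted device unlocks that device and nothing else.
    """
    return hmac.new(master_key, b"unlock-v1:" + serial.encode(), hashlib.sha256).digest()


class Device:
    """Implant side: holds only its own key, issues one nonce per unlock attempt."""

    def __init__(self, serial: str, device_key: bytes):
        self.serial = serial
        self._key = device_key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False                            # no live challenge: refuse
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None                        # single use, so a replay fails
        return hmac.compare_digest(expected, response)


def programmer_respond(master_key: bytes, serial: str, challenge: bytes) -> bytes:
    """Clinic programmer: re-derives the device key from the serial it reads off
    the device, so emergency access still works on any unit it is authorised for."""
    key = derive_device_key(master_key, serial)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo():
    """Legitimate unlock, cross-device key reuse, replay, and the universal code."""
    master = b"\x11" * 32                           # constructed manufacturer key
    dev_a = Device("SN-A100", derive_device_key(master, "SN-A100"))
    dev_b = Device("SN-B200", derive_device_key(master, "SN-B200"))

    # Legitimate emergency unlock of device A.
    c = dev_a.challenge()
    legit = dev_a.unlock(programmer_respond(master, "SN-A100", c))

    # Attacker who extracted device A's key tries it against device B.
    stolen_key = derive_device_key(master, "SN-A100")
    c2 = dev_b.challenge()
    cross = dev_b.unlock(hmac.new(stolen_key, c2, hashlib.sha256).digest())

    # Attacker who captured the earlier valid response replays it.
    replay = dev_a.unlock(programmer_respond(master, "SN-A100", c))

    # The universal code, by contrast, works on any device, forever.
    universal = unlock_with_universal_code("emergency-2017")
    return {"legit": legit, "cross_device": cross, "replay": replay, "universal": universal}


if __name__ == "__main__":
    print(demo())
```

The hardened design does not remove the hazard; it moves it. The programmer now holds the master key, so the risk assessment has to list that key, the derivation scheme and the programmer's own tamper resistance as hazards in their turn, which is exactly the "identify the control as a hazard" step the letter says was skipped.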

 How Attackers Use Machine Learning to Predict BEC Success

Ankit Singh, threat analyst engineer, explained how this reconnaissance and profiling prepares threat actors to launch BEC attacks. They can use machine learning to increase the success rate of access and get more money from their targets. “Machine learning can help the attacker to bypass signature-based detection systems,” he explained. “It can be used to predict various outcomes of new data based on patterns of old data.” These models can also defeat other machines and anti-spam telemetry, he added.

 Active Directory Botnet sets up C&C infrastructure inside infected networks, while bypassing defenses

According to the researchers, if an organization were to be infected by an AD botnet – say via a phishing campaign, for example – an attacker could then leverage one of over 50 readable and writable AD user attributes to turn the domain controllers into a central communications point. […] “It’s not something that’s going to be easily visible on any of your network detection mechanisms,” added Kalinin, noting that security logs are generally not going to raise any red flags either, because there typically are so many updates to AD objects that any malicious activity would likely get lost in the noise.
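The "lost in the noise" problem is tractable once you stop looking at attribute writes one at a time. The following added detection sketch (written for this digest, not the researchers' tooling) runs three signals over records shaped like Windows Security event 5136, "A directory service object was modified": a user writing a non-routine attribute on its own object (the self-write an implant running as the logged-on user has to use), a value that looks like an encoded payload, and repeated writes to the same attribute of the same object inside a short window. The sample records, the attribute allowlist, the account names and the beacon payloads are all constructed; in production the events would come parsed from a SIEM and the allowlist would be tuned to the churn the directory really shows.

```python
"""Hunt for C2 traffic hidden in Active Directory attribute writes.

Added detection sketch, not the researchers' tooling. Input is a handful of
constructed records modelled on Windows Security event 5136 ("A directory
service object was modified"); in production feed it parsed SIEM events.
"""
import base64
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Attributes that logon, HR sync and helpdesk work change all day (assumed
# allowlist; tune it to the churn you actually see).
ROUTINE_ATTRS = {
    "lastLogonTimestamp", "pwdLastSet", "logonCount", "badPwdCount",
    "telephoneNumber", "mobile", "mail", "displayName", "title",
    "department", "manager", "description", "memberOf", "userAccountControl",
}

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted blobs sit well above prose."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_payload(value: str) -> bool:
    """Long, base64-shaped and high-entropy: the profile of a smuggled message."""
    return bool(BASE64_RE.match(value)) and shannon_entropy(value) > 4.0


def detect_attribute_c2(events, burst_window=timedelta(minutes=10), burst_threshold=5):
    """Return one alert per suspicious write, listing every signal it tripped."""
    alerts = []
    recent = defaultdict(list)       # (object_dn, attr) -> timestamps in window
    burst_seen = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["attr"] in ROUTINE_ATTRS:
            continue                                  # expected churn, drop it
        reasons = []
        if ev["subject"].lower() == ev["object_account"].lower():
            reasons.append("self-write to non-routine attribute")
        if looks_like_payload(ev["value"]):
            reasons.append("value looks like an encoded payload")
        key = (ev["object_dn"], ev["attr"])
        window = [t for t in recent[key] if ev["ts"] - t <= burst_window]
        window.append(ev["ts"])
        recent[key] = window
        if len(window) >= burst_threshold and key not in burst_seen:
            burst_seen.add(key)
            reasons.append(f"{len(window)} writes to {ev['attr']} within {burst_window}")
        if reasons:
            alerts.append({"ts": ev["ts"], "subject": ev["subject"],
                           "object": ev["object_dn"], "attr": ev["attr"],
                           "reasons": reasons})
    return alerts


def _rec(ts, subject, account, attr, value):
    """Constructed 5136-style record; object_account is what you would get by
    resolving the object DN to its sAMAccountName."""
    return {"ts": datetime.fromisoformat(ts), "subject": subject,
            "object_dn": f"CN={account},OU=Staff,DC=corp,DC=example",
            "object_account": account, "attr": attr, "value": value}


def sample_events():
    """Constructed sample: normal churn, one benign self-write, one beacon burst."""
    events = [
        _rec("2017-07-27T09:00:00", "svc-hrsync", "alice", "telephoneNumber", "+1 555 0100"),
        _rec("2017-07-27T09:05:00", "alice", "alice", "mobile", "+1 555 0199"),
        _rec("2017-07-27T09:10:00", "helpdesk1", "dave", "description", "Moved to Finance"),
        _rec("2017-07-27T09:20:00", "carol", "carol", "info", "Out of office until 14 Aug"),
    ]
    # Implant on alice's workstation, running as alice, beaconing through the
    # self-writable "info" attribute once a minute (constructed payloads).
    for seq in range(6):
        plain = f"cmd=whoami /all;host=WS-0133;seq={seq};ts=15012000{seq:02d}".encode()
        events.append(_rec(f"2017-07-27T10:{seq:02d}:00", "alice", "alice", "info",
                           base64.b64encode(plain).decode()))
    return events


if __name__ == "__main__":
    for a in detect_attribute_c2(sample_events()):
        print(a["ts"], a["subject"], "->", a["attr"], "|", "; ".join(a["reasons"]))
```

Carol's out-of-office note trips the self-write signal alone, which is the expected false-positive class for this rule and why the alert carries its reasons rather than a bare verdict: one reason is triage material, all three on the same object within minutes is an incident. Enabling auditing of directory service changes (and a SACL on the user objects) is what makes 5136 appear in the first place; without it there is no log to be noisy in.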

 Researcher: In two decades, adversaries at war could cause mass destruction via IoT attacks

Two decades from now, warring adversaries could conceivably attack each other by sabotaging a population’s Internet-connected consumer devices en masse, respected cybersecurity expert Mikko Hypponen predicted at Black Hat on Thursday. “One thing that I worry about is targeting consumer devices and making them fail physically, making them catch fire,” said Hypponen, chief research officer at F-Secure. “You can imagine a conflict when one party of the conflict sets fire to every home in the country that’s on the other side of the conflict.”

 IoT Security Incidents Rampant and Costly

Internet of Things breaches and security incidents have hit nearly half of the companies that use such devices, and the cost to deal with these attacks is usually more than for traditional breaches, according to recent survey results. In two separate reports, each of the studies found that 46% of respondents reported they suffered a security breach or incident as a result of an attack on IoT devices.

 3 New CIA-developed Hacking Tools For MacOS & Linux Exposed

WikiLeaks has just published a new set of classified documents linked to another CIA project, dubbed ‘Imperial,’ which reveals details of at least three CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux operating systems.

  • Achilles — Tool to Backdoor Mac OS X Disk Images
  • SeaPea — Stealthy Rootkit For Mac OS X Systems
  • Aeris — An Automated Implant For Linux Systems

 Reminder: Spies, cops don’t need to crack WhatsApp. They’ll just hack your smartphone

While everyone freaks out about strong encryption, and how you can’t change the laws of math to only allow the good guys to decrypt messages, don’t forget: if crypto can’t be tamed, the authorities will just exploit software and firmware bugs to compromise targets’ phones, PCs and tablets. When politicians talk of mandatory backdoors, this is probably what they mean: not necessarily backdoors in the cryptography, but back passages into suspects’ software and apps.

 Adobe announces end-of-life for Flash, the InfoSec world cheers

Come December 31, 2020, websites with Flash content will stop working because all major web browsers will have disabled the capability to play those files. In independent announcements, Google, Mozilla, Apple and Microsoft outlined their plans for how their browsers will handle Flash over the next two-and-a-half years, with the ultimate goal of disabling Flash completely. […] By mid-to-late 2019, Microsoft will disable Flash by default in Edge and Internet Explorer, and fully remove Flash from all supported versions of Windows by 2020.

 Hackers can take over Car Wash, trap you and smash your vehicle

Security researchers Billy Rios and Jonathan Butts of WhiteScope have discovered a critical security flaw in the design of the software responsible for running a huge number of Internet-connected car washes in the United States. The flaw can allow an attacker to gain remote access to the equipment and take control of the doors, including locking them, and cause whatever damage the machinery can inflict.

 Bitcoin Exchange Operator Arrested For $4 Billion Money Laundering Scheme

“After the coins entered Vinnik’s wallets, most were moved to BTC-e and presumably sold off or laundered (BTC-e money codes were a popular choice). In total some 300,000 BTC ended up on BTC-e,” according to WizSec, a Japanese security firm that has long been investigating the Mt. Gox case. “To be clear, this investigation turned up evidence to identify Vinnik not as a hacker/thief but as a money launderer; his arrest news also suggests this is what he is being suspected for. He may have merely bought cheap coins from thieves and offered a laundering service.”

 The opsec blunders that landed a Russian politician’s fraudster son in the clink for 27 years

Last year, Roman V Seleznev, 32, was found guilty of multiple counts of fraud and hacking by a jury in Washington, USA. He was later thrown in the cooler for 27 years. Seleznev – the son of an ultra-nationalist Russian politician Valery Seleznev – also faces other charges. This week, US Department of Justice prosecutors who worked on the case told the Black Hat security conference how the fraudster was brought down.

 Threat Intelligence Market Worth 8.94 Billion USD by 2022

According to a new market research report, “Threat Intelligence Market by Solution (SIEM, Log Management, IAM, SVM, Risk Management, Incident Forensics), Service (Managed, Professional), Deployment Mode, Organization Size, Vertical, and Region – Global Forecast to 2022”, published by MarketsandMarkets(TM), the Threat Intelligence Market is expected to grow from USD 3.83 Billion in 2017 to USD 8.94 Billion by 2022, at a CAGR of 18.4%.

 Two-thirds of consumers suspect governments abuse their powers to access data

Identity protection company Venafi surveyed 3,000 consumers in the US, UK and Germany about initiatives that would grant governments more access to private, encrypted data. 68 percent of respondents say they believe governments shouldn’t force private companies to hand over encrypted personal data without consumer consent. But despite these concerns, 41 percent believe laws that provide government access to encrypted personal data would make them safer from terrorists.

 Someone Is Selling More Than 40 Million Voter Records on the Dark Web

The data was discovered by Jonathan Tomek, the director of threat research at LookingGlass Cyber Solutions, a cybersecurity services firm. The “dark web” refers to a part of the internet accessible only via a special internet browser that allows for semi-anonymity. The voter data for sale includes first, last, and middle names, voter ID numbers, birthdates, voter status, party affiliation, and addresses for some voters in Arkansas, Colorado, Connecticut, Delaware, Florida, Michigan, Ohio, Oklahoma, and Washington state.

 Senators to release bipartisan legislation on email privacy

The bill, titled the ECPA Modernization Act of 2017, aims to update the Electronic Communications Privacy Act of 1986. The bill will initially be released without any co-sponsors, the sources said. Currently, law enforcement can obtain Americans’ email correspondence with a written statement saying the emails are necessary to an investigation, a process that does not require judicial review. The new bill would change this and require law enforcement agencies to get warrants through a court to gain access to residents’ emails.

 Google May Have Just Uncovered An Israeli Surveillance Start-Up Spying On Androids

Of the 20 different forms in which the spyware was delivered, Google found a handful on its Play store. Typically, Lipizzan would appear as a legitimate tool, such as a backup or sound recorder app. It rooted, monitored and stole user email, SMS messages, location and voice calls. The tool also sought to gather data from specific apps, undermining their encryption, including WhatsApp, Viber and Telegram, while LinkedIn, Gmail and Skype were also on its target list.

 Germany’s state spyware set to hack WhatsApp and other encrypted messaging apps by end of 2017

According to a classified report by the German interior ministry, obtained by the German news site Netzpolitik.org, RCIS (Remote Communication Interception Software) has been under development since early 2016 and is intended to get around the end-to-end encryption built into WhatsApp, Telegram, Signal and other messaging services not by breaking the cryptography but by hacking the phones directly and reading messages from targets’ screens.

 The artificial intelligence arms race

States are slowly coming to realise the importance and the need to become a tangible, regulatory actor in the anarchic cyberspace. For instance, while it is hard to establish criminal liability for international war crimes in the real world, cyber warfare has elevated the burden of proof to a whole new level – agents can operate from anywhere in the world, do not require large scale facilities such as military compounds, and do not even have to be human at all, but can be bots, viruses, or worms.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.