IT Security News Blast 8-3-2017

The Finance Sector – Rhythm Section for the Drumbeat of Regulation

The finance sector has remained largely untouched by direct DHS intervention (as opposed to chemical manufacturing, for example), and there are two reasons for that. First, the Finance Sector took it upon itself to create an information sharing and analysis center (ISAC) that set the standard for all others. […] The second reason is well-known to the financial sector: the number of audits, examinations, and assessments is a never-ending train of requests for documented controls. Along with shareholder pressure (for publicly-traded institutions) and customer expectations, banks have multiple sets of similar requirements that are routinely audited by third parties.

US male arrested for string of DDoS attacks against Australia, North America

A 37-year-old male has been arrested in Seattle in connection with serious cyber-related offenses targeting businesses in Australia and North America. The Iranian-born US citizen was arrested on Wednesday local time following a two-and-a-half-year joint investigation by the Australian Federal Police (AFP), Federal Bureau of Investigation (FBI), and the Toronto Police Department. […] “This is a timely reminder to cyber criminals that international law enforcement is a team sport. Our ability and willingness to work together at a distance and across borders has never been greater,” he added.

Report: Healthcare Orgs not Keeping Up with Daily Cybersecurity Threats

Perhaps the report’s most noteworthy healthcare-related finding was that as is true in many industries, there are more threats than there are time and staff to investigate. Over 40 percent of the healthcare organizations said they come across thousands of security alerts daily, and only 50 percent of those are investigated. Of the alerts that healthcare security teams investigate, 31 percent of those investigated are legitimate threats—but only 48 percent of those legitimate incidents are remediated.

Insurance company can be sued over cyber breach

On Tuesday, the DC Circuit Court of Appeals reversed a lower court’s decision dismissing a class-action lawsuit brought against CareFirst, a health insurer that serves one million customers in the District of Columbia, Maryland and Virginia. The customers suing CareFirst attributed a 2014 data breach to the company’s carelessness. It was originally ruled that the plaintiffs lacked standing because they failed to show a present injury or likelihood of being injured in the future, according to a report by The Hill. However, Judge Thomas Griffith, of the appeals court, said that the district court had read the complaint too narrowly.

CEOs should be held accountable for cyber attacks and data breaches

However, CEOs shouldn’t be the only ones holding responsibility for cyber security. “Foundational security controls should be demonstrated from the board level all the way down to the workforce,” the report states. “Accountability starts with the CEO, but information security is a shared responsibility across every function and level of an organization,” said Tim Erlin, VP at Tripwire.

Cyber requirements growing for company boards

Earlier this year, Sens. Collins, Warner and Reed introduced legislation (S. 536) that would require companies to disclose whether they have a cyber expert on their board and, if not, to explain why. Additionally, New York’s Department of Financial Services issued a rule that took effect in March, requiring banks to take a number of steps to improve their cybersecurity postures and to have the board chair or a senior officer certify to the state that the company meets the rule’s requirements.

Breach at Third Party Contractor Affects 18,000 Anthem Members

According to Anthem, the breach stems from a 2016 incident involving a third-party company, LaunchPoint Ventures, that provides insurance coordination services to Anthem. LaunchPoint said last week that on July 8, 2016 an employee emailed a file containing personal information about Anthem members to his personal email address. LaunchPoint didn’t learn of the incident until April of this year, 10 months after the fact.

What is the Financial Health of Your Third Parties?

At the beginning of a working relationship, maybe at onboarding or the due-diligence procurement event, one may do a series of checks on a company from a compliance and information security perspective; that company looks fine, it gets green-lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are that it is going to begin under-investing in maintaining the quality of its cyber security program.

Corporate profits to take more hits from Ukraine cyber attack

Cadbury chocolate maker Mondelez and freight logistics company FedEx Corp (FDX.N) are among five multinational firms, three from the United States and two in Europe, to report material financial damage in the closing days of the second quarter from the cyber “worm” known as NotPetya. Mondelez International Inc (MDLZ.O), the world’s second-largest confectionery company, reported a 5 percent drop in quarterly sales on Wednesday, blaming shipping and invoicing delays caused by the attack on computer networks that started on June 27.

Recent Cyber Attacks Drive Growth in Cyber Security Markets

The report also indicates that North America is the world’s largest market for cyber security, while emerging markets in Asia Pacific will have a huge opportunity. The need for government, military, financial organizations, hospitals and other organizations to protect confidential data on computers is one of the major factors that drive the cyber security market. The cyber security market is divided into network security, cloud security, wireless security and others. Network security dominates the market, with over 40 percent of market share.

Amazon Halts Sale of Android Blu Phone Amid Spyware Concerns

Android phone maker Blu Products was dealt a blow Monday when Amazon said it would no longer sell its phones, citing security and privacy issues. The phone maker came under scrutiny last week by researchers at Kryptowire during a Black Hat session where they criticized the company for collecting personally identifiable information without user consent. “Because security and privacy of our customers is of the utmost importance, all Blu phone models have been made unavailable for purchase until the issue is resolved,” Amazon said in a statement.

FTC and FBI Issue Compliance Reminder on Children’s Online Privacy Protection Act

[Both] the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) have made clear that they are focused on kids’ privacy, particularly as it relates to internet-connected or “smart” toys and other devices directed at children. The FTC recently updated its six-step compliance plan for businesses to comply with the Children’s Online Privacy Protection Act (COPPA). Similarly, the FBI released a Public Service Announcement about the dangers of internet-connected toys and other kids’ devices.

Teddy Bears and Toasters: A California Legislator’s Pitch to Protect People from their Gadgets

Sen. Hannah-Beth Jackson (D-Santa Barbara) has proposed Senate Bill 327, appropriately nicknamed the “Teddy Bear and Toaster Act.” This bill would require manufacturers to design their products to alert customers when the product is gathering data, either through visual cues like lights or audio prompts. The devices would also have to get consent from the user before transmitting any information that’s been collected. And manufacturers would have to disclose whether the products are capable of collecting particularly sensitive data like location or health information. Additionally, manufacturers would be required to keep customers apprised of patches and other security software updates.

GDPR TL;DR – What security pros need to know about the new era of privacy regulations

GDPR forces companies to be accountable to their employees and customers through better accounting for the data those organizations collect and process. […] PCI DSS did this for payment card information. HIPAA did this for personal health information. GDPR and similar rules around the world, however, broaden this obligation to all personal data. […] It also requires the organization to inventory or correlate the data back to an individual, a country of residence, consent, purpose of use and more. Under GDPR it’s not enough to just know the data content; it’s also essential to know the context of the data.

US Cyber Diplomacy Has Bigger Problems Than the Closure of its Coordination Office

It was clear well before Secretary Tillerson’s decision that the Trump administration was not going to emphasize cyberspace in foreign policy as the Obama administration did. Closing the cyber coordinator’s office is consistent with the Trump administration’s marginalization of cyber issues in foreign policy. Nothing communicates this attitude better than the White House’s refusal to confront Russia’s cyber interference in the 2016 election and, instead, express a desire to establish a joint cybersecurity unit with Russia.

More Than 120,000 Internet Connected Cameras Can Be Easily Hacked, Researcher Warns

The researcher found that two cameras from Chinese gadget maker Shenzhen Neo Electronic have vulnerabilities that allow hackers to remotely access their video stream, or take full control of the cameras, opening up the possibility that someone could amass an Internet of Things botnet of around 150,000 devices. Alex Balan, a researcher at security firm Bitdefender who found the flaw, told Motherboard that he tried to warn the company, but he claims it never got back to him. So the flaws have yet to be fixed, and may never be fixed, he said.

‘Ghost Telephonist’ Attack Exploits 4G LTE Flaw to Hijack Phone Numbers

According to UnicornTeam, a group of Chinese researchers from the country’s leading security firm 360 Technology, there is a dangerous vulnerability in the 4G LTE network’s Circuit Switched Fallback (CSFB) which allows hackers to hijack cell phone numbers. Unicorn Team demonstrated the findings (PDF) on Sunday at the Black Hat USA 2017 hacker summit. As per the team of researchers, an authentication step is missing from the CSFB procedure, which can give hackers easy access to the phone.

Why SSL/TLS attacks are on the rise

When the bulk of the enterprise network traffic is encrypted, it makes sense from the criminal perspective to also encrypt their activities since it would be harder for IT administrators to be able to tell the difference between bad and good traffic. Malware families are increasingly using SSL to encrypt the communications between the compromised endpoint and the command-and-control systems to hide instructions, payloads, and other pieces of information being sent. The number of payloads being sent over encrypted connections doubled in the first six months of 2017 compared to all of 2016, said Desai.
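Encrypted command-and-control traffic cannot be inspected for payloads, but the TLS handshake itself still leaks useful signals: whether the server certificate validated, whether the client sent a Server Name Indication, whether the destination port is the standard one, and the client's JA3 fingerprint. The following is an added example, not code from the article quoted above or from any vendor it mentions. It triages a handful of constructed Zeek-style ssl.log records (a simplified, tab-separated layout; in real Zeek the `ja3` column comes from an add-on script) against a hypothetical JA3 watchlist and reports which sessions deserve a look. All records, addresses and fingerprints below are constructed for the example.

```python
"""Triage TLS sessions for signs of malware command-and-control.

Works on Zeek-style ssl.log records without decrypting anything: it
only looks at handshake metadata. Sample records and the JA3
watchlist are constructed for this example, not taken from real traffic.
"""
import ipaddress

# Simplified column layout for the constructed log (a subset of Zeek's ssl.log).
FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "version", "cipher",
          "server_name", "validation_status", "ja3")

# Constructed sample: one benign session, two suspicious ones, one more benign.
SAMPLE_SSL_LOG = """\
1501718400.1\t10.0.0.5\t93.184.216.34\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\twww.example.com\tok\t3b5074b1b5d032e5620f69f9f700ff0e
1501718401.2\t10.0.0.5\t203.0.113.9\t443\tTLSv12\tTLS_RSA_WITH_AES_256_CBC_SHA\t-\tself signed certificate\t6734f37431670b3ab4292b8f60f29984
1501718402.3\t10.0.0.7\t198.51.100.23\t8443\tTLSv12\tTLS_RSA_WITH_AES_128_CBC_SHA\t198.51.100.23\tunable to get local issuer certificate\tb0b7f2d0e7f3a5c2a8e1c9d4f6a7b8c9
1501718403.4\t10.0.0.9\t93.184.216.35\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\tupdates.example.org\tok\t3b5074b1b5d032e5620f69f9f700ff0e
"""

# Hypothetical watchlist of JA3 client fingerprints associated with malware stacks.
JA3_WATCHLIST = {"6734f37431670b3ab4292b8f60f29984"}


def parse_ssl_log(text):
    """Parse tab-separated records into dicts keyed by FIELDS; skip comments."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def _is_ip_literal(name):
    """True if the SNI value is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def suspicious_reasons(rec, watchlist=JA3_WATCHLIST):
    """Return the list of heuristics a single record trips (empty if none)."""
    reasons = []
    # Malware C2 servers rarely hold a certificate that chains to a trusted CA.
    if rec["validation_status"] != "ok":
        reasons.append("cert-not-trusted:" + rec["validation_status"])
    # Browsers always send SNI; a bare IP literal or no SNI is unusual for users.
    sni = rec["server_name"]
    if sni == "-":
        reasons.append("no-sni")
    elif _is_ip_literal(sni):
        reasons.append("sni-is-ip-literal")
    # TLS on a non-standard port is a cheap signal worth a second look.
    if rec["resp_p"] != "443":
        reasons.append("nonstandard-port:" + rec["resp_p"])
    # Client fingerprint matches a known-bad TLS stack.
    if rec["ja3"] in watchlist:
        reasons.append("ja3-watchlist")
    return reasons


def triage(text, watchlist=JA3_WATCHLIST):
    """Return (flagged, total) where flagged is [(orig_h, resp_h, resp_p, reasons)]."""
    records = parse_ssl_log(text)
    flagged = []
    for rec in records:
        reasons = suspicious_reasons(rec, watchlist)
        if reasons:
            flagged.append((rec["orig_h"], rec["resp_h"], rec["resp_p"], reasons))
    return flagged, len(records)


if __name__ == "__main__":
    flagged, total = triage(SAMPLE_SSL_LOG)
    print(f"{len(flagged)} of {total} TLS sessions flagged")
    for orig, resp, port, reasons in flagged:
        print(f"  {orig} -> {resp}:{port}  {', '.join(reasons)}")
```

None of these heuristics is proof of compromise on its own (internal services with self-signed certificates will trip the first one every day), which is why the function returns every reason it found rather than a single verdict: an analyst can weight "untrusted certificate plus no SNI plus watchlisted JA3" very differently from "untrusted certificate" alone.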

A Hacker Turned an Amazon Echo Into a ‘Wiretap’

On Tuesday, British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the hacked device to his own faraway server. The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there’s no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.