IT Security News Blast 9-15-2017

Also, enjoy NewsJacker #1.

DHS instructs government agencies to stop using Kaspersky Lab’s software
DHS on Wednesday, referring to reports about the links between the Russian cybersecurity company and Russian intelligence agencies, ordered all U.S. government agencies to stop using Kaspersky Lab software products. DHS gave the agencies thirty days to identify any Kaspersky products they were using, and ninety days to remove all such products. The DHS directive was signed by Elaine Duke, the acting DHS chief.

The best enterprise antivirus: Kaspersky leads in latest tests
The AV-TEST Institute recently tested the most popular Windows 10 client antivirus products on three primary criteria: protection, performance, and usability. Products that ranked highest in all three areas were Kaspersky Lab Endpoint Security 10.3 and Small Office Security 5, Symantec Endpoint Protection 14.0 and Endpoint Protection Cloud 22.9, and Trend Micro Office Scan 12.

Smart Buildings Require Full-Stack Cybersecurity
Cyber-attackers seek to maximize damage and profit, while minimizing their effort, leaving smart buildings as an excellent target. Therefore, we can anticipate that attacks on smart buildings will surge in the coming decade. Unlike IT environments, which have developed mature workflows and technologies to address cyber threats, smart building cybersecurity lags years behind, specifically as it relates to the converged attack surfaces.

FTC Opens Probe into Equifax Data Breach
The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack. Meanwhile, Equifax share prices continued to plummet this week – now 35% lower than before the breach – in an ominous sign of the breach’s potential financial devastation to the credit-monitoring firm.

On the Equifax Data Breach
Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.

Using Threat Intelligence to Improve Healthcare Cybersecurity
Difficulty in the integration of a threat intelligence platform with other security technologies and tools was cited by 64 percent of those surveyed, while just over half – 52 percent – said a lack of alignment between analyst activities and operational security events was the top issue. A lack of staff expertise, a lack of ownership, and a lack of suitable technologies were also listed as top reasons for threat intelligence ineffectiveness.

Ransomware and electronic records access, healthcare’s biggest threats
“The longer term and newer threat with ransomware is medical devices,” he said. “Already hackable, but no real economic model yet for adversaries to focus on. That can change quickly. For example, they can simply extend the ransomware model by denying medical device use until a ransom is paid. The complexity of the medical device supply chain, however, poses even more exotic ransom possibilities.”

Frequent Ransomware and Hacking Raise Profile of Cyber Security Market
Use of cloud-based services to handle diverse workloads such as data backups, email clients, CRM, collaboration services, and ERP is predicted to account for the maximum growth in the software segment of the cyber security market. […] The shift towards the Internet of Things will be boosted by interconnected medical devices becoming commonplace. These technological advancements are poised to allow healthcare professionals and patients to efficiently and effectively manage healthcare data.

Cloud Security’s Shared Responsibility Is Foggy
Most cloud security incidents result from a combination of misconfigurations or inadequate protections put in place by the enterprise, and too much complexity or a lack of inherent security policies by the software, hardware, or service provider. In the case of the recent AWS data leaks, both the cloud providers and their customers should reflect on how they contributed to each incident, and how they can do better going forward.

The Navy is still investigating possibility of cyberattack in destroyer collisions
A team from the U.S. 10th Fleet is now in Singapore, Moran said, to assess all computer and network information from the McCain and find out if any anomalies or disruptions exist in the data. In a defense environment in which the possibility of cyberattacks is becoming an increasingly frightening reality, these first-time investigative measures the Navy is taking may become the new normal for mishap investigations.

What is the cyber equivalent of ‘use of force’? When do we send in the tanks?
Part of the problem is that no one – particularly the sophisticated United States – wants to agree that something represents an attack when they could also be accused of the same thing. “If we say something is ‘use of force,’ it can be used against us,” Haines says. “We need a framework where we can go to other countries and say ‘this is a problem, you should join us’.”

Hacking for the government: Germany opens ZITiS cyber surveillance agency
Interior Minister Thomas de Maiziere opened a new cyber security agency in Munich on Thursday as part of a centralized attempt to tackle cyber-crime and digital espionage via mass telecommunication surveillance, data encryption, and mass data collection. However, the German government’s own data protection commissioner has complained publicly that she was not consulted as promised about the new “central office for information technology in the security sphere” (ZITiS).

How the NSA Built a Secret Surveillance Network for Ethiopia
In the aftermath of 9/11, according to classified U.S. documents published Wednesday by The Intercept, the National Security Agency forged a relationship with the Ethiopian government that has expanded exponentially over the years. What began as one small facility soon grew into a network of clandestine eavesdropping outposts designed to listen in on the communications of Ethiopians and their neighbors across the Horn of Africa in the name of counterterrorism.

New Bill Would Outlaw Warrantless Phone Searches At The Border
The lawmakers argue that searching devices — even after obtaining permission to do so — is an invasion of privacy that should be tightly controlled. The bill would require law enforcement to establish probable cause before searching or seizing a phone belonging to an American. “Manual searches,” in which a border agent flips through a person’s stored pictures would be covered under the proposed law as well. But the bill does allow for broad emergency exceptions.

Facebook, Google, ISPs fight California broadband privacy bill
The bill’s opponents also complain of a rushed legislative process; claim the bill could expose internet users to security risks as they encounter pop-ups as they have to opt in again and again; and say that it would keep ISPs from using customer information to prevent cyber attacks. The EFF disputes those security claims, saying that because ISPs would have less of an incentive to collect and share customer information, customers would be exposed to fewer security risks.

Malicious apps with >1 million downloads slip past Google defenses twice
The apps, all from a family of malware that security firm Check Point calls ExpensiveWall, surreptitiously uploaded phone numbers, locations, and unique hardware identifiers to attacker-controlled servers. The apps then used the phone numbers to sign up unwitting users to premium services and to send fraudulent premium text messages, a move that caused users to be billed. Check Point researchers didn’t know how much revenue was generated by the apps.

4,000 ElasticSearch servers found hosting PoS malware
The command and control servers of the two malware strains run on the infected hosts. Therefore, every infected ElasticSearch server becomes part of a wider POS botnet, providing command and control facilities to POS malware clients, which then collect, encrypt and transfer sensitive financial data such as credit card information. The data is stolen from infected Windows-based computers, POS terminals and/or RAM. What’s even more surprising is the fact that almost 99% of these infected servers are hosted in AWS/Amazon Web Services, which is an otherwise trusted source.

Researchers claim new security bypass could threaten 400M Windows devices
The attack leverages a new Windows 10 feature called Subsystem for Linux (WSL), which allows native Linux ELF binaries to run on Windows, and could potentially affect nearly 400 million computers currently running Windows 10 globally, according to a Sept. 11 blog post. […] The proof of concept could allow an attacker to load the malware using only four steps, which include loading the WSL components, enabling developer mode, installing Linux and using Wine to translate Windows API calls into POSIX (Portable Operating System Interface).

Disguised as Citrix Utility, Kedi RAT Exploits Gmail to Transfer Data
The malware relies upon a spear phishing mechanism for its distribution. The infected email opens a 32-bit Mono/.Net Windows executable that is written in the C# language. The malware is disguised as a Citrix utility, but once it invades the targeted device, it changes its guise into an Adobe file and installs itself in Adobe’s %Appdata% folder. The registry starter hook shows this path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run “Adobe Updates” = c:\Users\<username>\AppData\Roaming\Adobe\reader_sl.exe

Secure Kernel Extension Loading in macOS Easily Bypassed: Researcher
An attacker with root privileges can load a vulnerable copy of the LittleSnitch.kext (versions earlier than 3.61), which would be allowed, given that the vulnerable driver is still validly signed, and then exploit the heap-overflow to gain arbitrary code execution within the kernel. Next, the attacker can bypass system integrity protection (SIP), load unsigned kexts, and perform other nefarious operations.
Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.