IT Security News Blast 9-18-2017

Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop
Visa has updated their advisory about these 200,000+ credit cards stolen in the Equifax breach. Visa now says it believes the records also included the cardholder’s Social Security number and address, suggesting that (ironically enough) the accounts were stolen from people who were signing up for credit monitoring services through Equifax. Equifax also clarified the breach timeline to note that it patched the Apache Struts flaw in its Web applications only after taking the hacked system(s) offline on July 30, 2017. Which means Equifax left its systems unpatched for more than four months after a patch (and exploit code to attack the flaw) was publicly available.
https://krebsonsecurity.com/2017/09/equifax-hackers-stole-200k-credit-card-accounts-in-one-fell-swoop/

New York State’s new financial services cybersecurity policy relies on encryption
The regulatory framework has multiple requirements, including the writing of a cyber security policy, the hiring of a CISO, and the running of vulnerability assessments. Critical to compliance is an encryption strategy, which companies must have in place by September 2018. How should financial services companies approach an encryption strategy? The foundation begins with implementing protected security intelligence logs that identify irregular access patterns and breaches in progress.
https://betanews.com/2017/09/15/new-york-states-new-financial-services-cybersecurity-policy-relies-on-encryption/

Cybersecurity is hard, got it? But let’s stop blaming hospitals for every breach
Infosec executives and security teams, at the same time, need to stop blaming the end users they support. “The most insidious part of being a security professional?” Figueora said. “The mantra: People are the weakest link.” Many would argue that’s true and I won’t counter because the more important reality is the downstream effect such a mindset creates.
http://www.healthcareitnews.com/news/cybersecurity-hard-got-it-lets-stop-blaming-hospitals-every-breach

Cybersecurity is not a cost, it’s an investment, experts say
University of California Irvine Health CIO Chuck Podesta knew this when he joined the health system three years ago after working in a similar capacity in Vermont. So getting the medium-sized academic medical center to invest $7 to $8 million the first year came down to telling the CEO, and other executives, that it would cost them a lot more if the system suffered a data breach. And not just financially due to fines and possibly civil suits. The CEO would have to apologize to the community.
http://www.healthcarefinancenews.com/news/cybersecurity-not-cost-its-investment-experts-say

Fears of Cybersecurity Threats Increase Projected to Ignite the Market
Data compiled from Cybersecurity Ventures project the cybersecurity market to be worth up to $120 billion by the end of 2017. The market is expected to grow to $231.94 billion by 2022, at a Compound Annual Growth Rate (CAGR) of 11.0 percent. According to reports, the primary driver of market growth is the increasing number of internet-connected mobile devices, such as phones and laptops, which in turn drives demand for cybersecurity services.
http://www.financialbuzz.com/fears-of-cybersecurity-threats-increase-projected-to-ignite-the-market-876782

Satellites, Cyber Attacks and Defense
For investors, one potential approach to profiting from space is with companies that launch and repair satellites and other space infrastructure. Another is to bet on companies that protect the security of space infrastructure, including major defense companies that have big space components. Below are our four top picks that give you a stake in the ever more important realm of space.
https://www.moneyshow.com/articles/guru-46930/satellites-cyber-attacks-and-defense/

When Food Safety Meets Cyber Risk
It is not inconceivable to think that, in the near future, someone with malicious intent could hack into a food processing system and make slight adjustments to machinery without anyone noticing. A few degrees warmer in the refrigerator or a few minutes off of the time in the oven could be all it takes for an item to go from consumable to unsafe food, with a risk of harm.
https://www.foodsafetymagazine.com/signature-series/when-food-safety-meets-cyber-risk/

How to Stop the Next Unstoppable Mega-Breach—Or Slow It Down
Legislation and regulation may also help create more clearly defined repercussions for consumer data loss that motivate organizations to prioritize data security. […] Lawsuits can also help deter lax security practices. So far more than 30 suits have been filed against Equifax, including at least 25 in federal court. […] Beyond what individual organizations can achieve on their own, increasing data security overall will require technological overhauls of network systems and user identification/authentication.
https://www.wired.com/story/how-to-stop-breaches-equifax/

US Military Leaders Worry About Iran’s Media Operations
“One of the key things that we see here is their [Iran’s] use of cyber capabilities to manipulate the information environment[.] This is where you see the most significant influence of these actors in this particular space. Their ability to use cyberspace to manipulate information, propagate a message is a key aspect of what we see.” […] “They work almost entirely in the gray zone,” a reference to not-quite-warfare waged through non-uniformed fighters and aggressive propaganda.
http://www.defenseone.com/threats/2017/09/isis-loses-territory-military-leaders-worry-about-irans-media-operations/141044/

The US is taking aim at Russia’s cyber industry
Alex McGeorge, the head of threat intelligence at Immunity Inc., told Business Insider that the US government’s decision to ban federal agencies from using Kaspersky products could be part of an effort to punish Russia for its increasingly aggressive behavior in the cyber arena, and will likely be more effective than more traditional avenues for recourse, like imposing economic sanctions.
http://www.businessinsider.com/us-government-bans-kaspersky-2017-9?r=UK&IR=T

Feds move to ramp up cyber hiring
The General Services Administration (GSA) on Thursday announced the event, which will be held November 6-7 in Maryland. The administration is looking to recruit computer scientists, cyber analysts, engineers and others in order to “fill critical skills gaps” in top IT and cybersecurity roles across the federal government.
http://thehill.com/policy/cybersecurity/350753-feds-move-to-ramp-up-cyber-hiring

How Secure Is the iPhone X’s FaceID? Here’s What We Know
The new iPhone uses an infrared system Apple calls TrueDepth to project a grid of 30,000 invisible light dots onto the user’s face. An infrared camera then captures the distortion of that grid as the user rotates his or her head to map the face’s 3-D shape—a trick similar to the kind now used to capture actors’ faces to morph them into animated and digitally enhanced characters.
https://www.wired.com/story/iphone-x-faceid-security/

Another iPhone Change to Frustrate the Police
There’s another, more significant, change: iOS now requires a passcode before the phone will establish trust with another device. In the current system, when you connect your phone to a computer, you’re prompted with the question “Trust this computer?” and you can click yes or no. Now you have to enter your passcode again. That means if the police have an unlocked phone, they can scroll through the phone looking for things, but they can’t download all of the contents onto another computer without also knowing the passcode.
https://www.schneier.com/blog/archives/2017/09/another_iphone_.html

Devs unknowingly use “malicious” modules snuck into official Python repository
The packages contained the exact same code as the upstream libraries except for an installation script, which was changed to include a “malicious (but relatively benign) code.” “Such packages may have been downloaded by unwitting developer[s] or administrator[s] by various means, including the popular ‘pip’ utility (pip install urllib),” Thursday’s advisory stated. “There is evidence that the fake packages have indeed been downloaded and incorporated into software multiple times between June 2017 and September 2017.”
https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
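The advisory quoted above describes two tricks at once: a fake package that carries the name of a standard-library module (`urllib`), which nobody should ever need to `pip install`, and look-alike names one typo away from a real package. The audit script below is an added example written for this blast, not code from the Ars article or from the PyPI/SK-CSIRT advisory. It flags both patterns in a requirements file. The `KNOWN_GOOD` allowlist and the sample requirements are constructed for the demonstration; a real audit would feed in the project’s own reviewed, pinned dependency set.

```python
"""Typosquat audit for a requirements file (added example, not project code).

Flags dependency names that (a) collide with a Python standard-library
module, which should never need 'pip install', or (b) sit within a small
edit distance of a well-known package without being that package.
"""
import re
import sys

# Constructed allowlist of well-known PyPI names (assumption: a real audit
# would use the project's own reviewed dependency set instead).
KNOWN_GOOD = {
    "requests", "urllib3", "setuptools", "cryptography", "django",
    "flask", "numpy", "pyyaml", "six", "certifi",
}

# Modules that ship with CPython. Python >= 3.10 exposes the full list in
# sys.stdlib_module_names; the fallback set covers older interpreters.
STDLIB = set(getattr(sys, "stdlib_module_names", ())) | {
    "urllib", "telnetlib", "pwd", "crypt", "bz2", "socket", "json",
}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> list:
    """Extract distribution names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip options like -r / --index-url
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def audit(text: str, known_good=KNOWN_GOOD, stdlib=STDLIB, max_distance: int = 2) -> list:
    """Return (name, reason, reference) tuples for suspicious entries."""
    findings = []
    good = {normalize(n) for n in known_good}
    for raw in parse_requirements(text):
        name = normalize(raw)
        if name in good:
            continue
        # Import names use '_' where distribution names often use '-'.
        if raw.replace("-", "_") in stdlib:
            findings.append((raw, "shadows a standard-library module", raw))
            continue
        for candidate in sorted(good):
            d = levenshtein(name, candidate)
            if 0 < d <= max_distance:
                findings.append((raw, f"edit distance {d} from known package", candidate))
                break
    return findings


# Constructed sample requirements file for the demonstration.
SAMPLE_REQUIREMENTS = """\
requests==2.18.4
urllib            # part of CPython; a PyPI package of this name is a red flag
urlib3            # one character away from urllib3
setup-tools       # one edit away from setuptools after normalization
cryptography>=2.0
"""

if __name__ == "__main__":
    for name, reason, ref in audit(SAMPLE_REQUIREMENTS):
        print(f"{name:15} {reason} ({ref})")
```

The distance check trades false positives for coverage, so treat a hit as a prompt to look, not a verdict. Because the malicious code in this incident lived in the installation script rather than the library itself, the follow-up for any flagged name is to fetch the source distribution without installing it (`pip download --no-deps <name>`), unpack it, and read `setup.py` before the package ever runs on a build host.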

Rolls-Royce planning autonomous naval ship for patrol, surveillance and mine detection
But without humans on board, nobody is physically standing by in the event of a malfunction. Rolls-Royce says it prioritized the reliability of its power and propulsion systems to reduce the number of unsolvable maintenance issues. This meant adding in some mechanical redundancies and implementing machine learning-powered predictive and remote maintenance capabilities.
https://techcrunch.com/2017/09/12/rolls-royce-planning-autonomous-naval-ship-for-patrol-surveillance-and-mine-detection/

Ad industry “deeply concerned” about Safari’s new ad-tracking restrictions
The infrastructure of the modern Internet depends on consistent and generally applicable standards for cookies, so digital companies can innovate to build content, services, and advertising that are personalized for users and remember their visits. Apple’s Safari move breaks those standards and replaces them with an amorphous set of shifting rules that will hurt the user experience and sabotage the economic model for the Internet.
https://arstechnica.com/tech-policy/2017/09/ad-industry-deeply-concerned-about-safaris-new-ad-tracking-restrictions/

Alaska Voter Database Exposed Online
The database with 593,328 records was available to the public for anyone to download without any security or login credentials. Each record contained names, date of birth, addresses, voting preferences, marital status, income details, children’s ages, gun ownership related data, and data points that might indicate which issues would appeal to the voter.
https://www.hackread.com/alaska-voter-database-exposed-online/

VMware Patches Bug That Allows Guest to Execute Code on Host
A NULL pointer dereference vulnerability can also be exploited when the software handles guest RPC requests, something that could allow an attacker with normal user privileges to crash virtual machines. The moderate severity bug affects versions 6.5, 6.0, and 5.5 of ESXi, version 12.x of Workstation, and 8.x of Fusion. Users are urged to apply patches released on Friday as no workaround exists for the vulnerability.
https://threatpost.com/vmware-patches-bug-that-allows-guest-to-execute-code-on-host/127990/

Here’s a real-life, slimy example of Uber’s regulator-evading software
The Greyball software employs a dozen data points on a new user in a given market, including whether a rider’s Uber app is opened repeatedly in or around municipal offices, which credit card is linked to the account, and any publicly available information about the new user on social media. If the data suggests the new user is a regulator in a market where Uber is not permitted, the company would present that user with false information about where Uber rides are. This includes showing ghost cars or no cars in the area.
https://arstechnica.com/tech-policy/2017/09/heres-a-real-life-slimy-example-of-ubers-regulator-evading-software/

Fitbit Fitness Tracker Devices Leak Personal Data: Researchers
The analysis revealed that there was indeed a way through which communication between fitness tracker device and cloud server could be intercepted. It is worth noting that the data captured by the fitness tracker device is transmitted to a cloud server for further analysis. Hence, by intercepting their communication, it is quite easy for anyone to access personal information and also generate fake activity logs/records.
https://www.hackread.com/fitbits-fitness-tracker-devices-leak-personal-data/

 ====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.
