IT Security News Blast 9-19-2017

No one is safe from internet attacks, and A.I. defenses can’t help, Google security veteran says
Adkins explained that AI-powered security software is not particularly effective at stopping even 1970s-era attack methods, let alone more recent ones. “The techniques haven’t changed. We’ve known about these kinds of attacks for a long time,” Adkins told the crowd, pointing to a 1972 research paper by James Anderson. While AI is very good for launching cyberattacks, it’s not necessarily any better than non-AI systems for defense — because it produces too many false positives.
https://www.cnbc.com/2017/09/18/google-security-veteran-says-internet-not-secure-ai-wont-help.html

NY Gov. Cuomo eyes expanding cyber regs to credit reporting agencies
“Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world.” New York’s cyber regulations for finance include mandatory cybersecurity executives and security testing. It is unclear if abiding by those regulations could have prevented the Equifax breach.
http://thehill.com/business-a-lobbying/351147-gov-cuomo-eyes-expansion-of-cyber-regs-to-credit-reporting-agencies

US launches criminal probe into Equifax breach
The DoJ investigation, led by the US Attorney’s office in Atlanta where Equifax is headquartered, centres on the actions of three top executives. The Securities and Exchange Commission is also likely to be investigating their trades, according to an attorney involved in the case. Kevin Callahan, an SEC spokesman, said the commission declined to comment.
https://www.ft.com/content/dd1948a6-9c8f-11e7-8cd4-932067fbf946

Financial attractiveness of ransomware ensures it remains growing threat
It said that ransomware variants generally fall into three categories. First, there are well-designed ones where hackers establish reliable distribution methods, for example spam or exploit kits and/or vibrant affiliate programmes. […] Second are poorly-designed ones from under-resourced and/or low-skilled hackers that attempt but are unable to establish long-term distribution. Third are rebranded ransomware that hackers generate from kits they acquire through underground vendors or open source offerings.
https://www.scmagazineuk.com/financial-attractiveness-of-ransomware-ensures-it-remains-growing-threat/article/689004/

HITRUST Urges Collaboration for Improved Healthcare Cybersecurity
Lehmann added that the day’s events with HITRUST and PwC spent a good amount of time discussing best practices in risk management, risk assessments, and how to properly leverage certain best practices. “Overall, there aren’t enough of these types of meetings that happen,” he stated. “And for us to begin to build a community around health information security and share some of those best practices, is a step in the right direction.”
https://healthitsecurity.com/news/hitrust-urges-collaboration-for-improved-healthcare-cybersecurity

Why Infusion Pumps Are So Easy to Hack
According to the NCCoE, wireless infusion pumps can be infected by malware, which can cause them to malfunction or operate differently than intended. And traditional malware protection could negatively impact the pump’s ability to operate efficiently, the agency noted. Most of these pumps contain a maintenance default passcode, the NCCoE said, and if organizations do not change the default passcode when provisioning pumps, or if they do not periodically change the passwords after pumps are deployed, the device will be more vulnerable to attack.
https://www.mddionline.com/why-infusion-pumps-are-so-easy-hack

91st Cyber Brigade activated as Army National Guard’s first cyber brigade
The 10 previously approved Army Cyber Protection Teams stationed across the country will also align under the 91st Cyber Brigade for training and validation management. The approval for the transformation of the 91st Troop Command to the 91st Cyber Brigade happened at “light speed” and standing up the unit was completed at an impressive pace, Kadavy said. After being presented by National Guard Bureau to the U.S. Army as a concept in June 2016, it was approved in February 2017.
https://www.dvidshub.net/news/248764/91st-cyber-brigade-activated-army-national-guards-first-cyber-brigade

Will artificially intelligent weapons kill the laws of war?
It is fair to say that military theorists in all major nations are now considering the impact that AI-enabled weapon systems might have in combat. Doctrinal discussions are ongoing within militaries around the world, and no one knows the full shape and contours of future doctrines for any nation. But one might still be able to make inferences based on our knowledge of past practice.
http://thebulletin.org/will-artificially-intelligent-weapons-kill-laws-war11124

Can Washington Protect America’s Electoral Process from the next Cyber Attack?
Even if Washington wanted to do such a thing, it would likely be challenged by states and counties locally in the courts. In any case, it has been miserly in providing funds to help local government address shortcomings with voting machines and related challenges. We need to fix that resource allocation problem. The integrity of the vote is a national-security issue of the first order. The federal government needs to be more forward leaning in mandating that states and localities improve their resilience against future cyberattacks and in providing resources to help ensure this is accomplished quickly.
http://nationalinterest.org/feature/can-washington-protect-americas-electoral-process-the-next-22337

Data-hucksters beware – online privacy is making a comeback
More significantly, the GDPR extends the concept of “personal data” to bring it into line with the online world. The regulation stipulates, for example, that an online identifier, such as a device’s IP address, can now be personal data. So next year, a wide range of identifiers that had hitherto lain outside the law will be regarded as personal data, reflecting changes in technology and the way organisations collect information about people.
https://www.theguardian.com/commentisfree/2017/aug/20/data-hucksters-beware-online-privacy-eu-general-data-protection-regulation

New law firm seeks would-be gov’t whistleblowers, requires Tor and SecureDrop
Unlike most other whistleblowing organizations, however, Whistleblower Aid is employing a few crucial digital tools to help, including Tor and SecureDrop—and it’s entirely pro bono. “We’re also helping people go to Robert Mueller if they have evidence of crimes by senior officials,” John Tye, the former official, told Ars, referring to the Department of Justice special counsel that is currently investigating possible collusion between the Trump campaign and Russia during the 2016 presidential election.
https://arstechnica.com/tech-policy/2017/09/new-law-firm-seeks-would-be-govt-whistleblowers-requires-tor-and-securedrop/

Digital Future a Fragile Mix of Promise and Uncertainty, Says Global Internet Report
AI and IoT alter lives but could result in a “surveillance society”: Artificial Intelligence and the Internet of Things hold huge potential to simplify and enhance people’s lives – but only if ethical considerations steer technology development and guide its use. As AI and IoT enable the collection of massive amounts of personal information, there is a risk that without appropriate safeguards and user control, a “surveillance society” could emerge.
http://www.iotjournal.com/articles/view?16616

Motel 6 to revamp privacy, data sharing policies after Phoenix locations send guest info to ICE
“Moving forward, to help ensure that this does not occur again, we will be issuing a directive to every one of our more than 1,400 locations nationwide, making clear that they are prohibited from voluntarily providing daily guest lists to ICE,” according to a Motel 6 statement. “Additionally, to help ensure that our broader engagement with law enforcement is done in a manner that is respectful of our guests’ rights, we will be undertaking a comprehensive review of our current practices and then issue updated, company-wide guidelines.”
https://www.scmagazine.com/motel-6-to-revamp-privacy-data-sharing-policies-after-phoenix-locations-send-guest-info-to-ice/article/689360/

Take Cybersecurity Away From Spies – For Everyone’s Sake
Weaving public-safety responsibility into a secret and secretive operation is always likely to cause conflicts of interest. […] Had the NSA chosen to inform Microsoft of the vulnerability, there would have been no Eternal Blue, and no WannaCry. But intelligence agencies have a different motivation: they want to keep such “zero-day” vulnerabilities secret for potential development into a cyber weapon.
https://www.chathamhouse.org/expert/comment/take-cybersecurity-away-spies-everyones-sake

Hackers target ‘vast number’ of devices in CCleaner Cloud software attack
Hackers inserted a hidden backdoor in file cleaning software CCleaner, which has more than two billion downloads, prompting fears millions of devices may be affected by the breach. The virus was unearthed by tech security researchers, and users of the app have been advised to update their software immediately. The maintenance app is run by British company Piriform, a subsidiary of Avast, one of the world’s biggest anti-virus companies.
https://www.rt.com/news/403681-ccleaner-cloud-software-hack-devices-affected/

Feds in California are aggressively going after Silk Road, AlphaBay vendors
According to Lauren Horwood, a spokeswoman for the US Attorney’s Office in Sacramento, one of the primary hubs of this federal judicial district, there are currently 11 Silk Road and AlphaBay-related prosecutions underway. Four of the defendants have pleaded guilty, and, of those, two have already been sentenced, while the others’ cases are still ongoing. By comparison, the Los Angeles-based US Attorney’s Office for the Central District of California reports zero ongoing cases, despite being the most populous such district in the country.
https://arstechnica.com/tech-policy/2017/09/feds-in-california-are-aggressively-going-after-silk-road-alphabay-vendors/

The Pirate Bay hijacked users’ CPU power to secretly mine cryptocurrency Monero
Apparently ads to generate revenue and bitcoin donations weren’t cutting it, so The Pirate Bay decided to run a test without any warning to users. JavaScript code was added that “borrowed” visitors’ CPU cycles in order to mine for the cryptocurrency Monero. While the code for the miner was not embedded on every page, visitors browsing categories or search results experienced huge spikes in CPU usage. A user on Reddit claimed all CPU threads jumped to 100 percent, later modifying that claim to 80 to 85 percent.
https://www.csoonline.com/article/3225512/security/the-pirate-bay-hijacked-users-cpu-power-to-secretly-mine-cryptocurrency-monero.html

Equifax’s IT leaders ‘retire’ as company says it knew about the bug that brought it down
Equifax’s chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software. The retirements and more details about the company’s mega-breach are revealed in a new entry to equifaxsecurity2017.com in which the company describes what it knew, when it knew it, and how it responded.
https://www.theregister.co.uk/2017/09/17/equifax_cio_and_cso_retire/

Please don’t send me to cybersecurity training
Today, employees at organizations of all sizes globally are being trained on security. In the future, the market may see individuals signing up for their own training, pre-employment, positioning themselves as cyber-aware job candidates. There’s a shifting dynamic in the security awareness market, with numerous vendors helping employers to position training programs as something more than a perceived punishment.
https://www.csoonline.com/article/3225471/security/please-dont-send-me-to-cybersecurity-training.html

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.