IT Security News Blast 9-20-2017

What Are The Biggest Challenges Facing The Cybersecurity Industry? I believe the biggest challenge for cybersecurity organizations inside companies large and small results from two megatrends: (1) the exponential growth in data from business systems and the security sensors meant to protect those businesses and (2) the extreme and growing shortage of skilled cybersecurity personnel to analyze and respond to incidents illuminated by this data. https://www.forbes.com/sites/quora/2017/09/15/what-are-the-biggest-challenges-facing-the-cybersecurity-industry/#2377c8c12d62

Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder “The presence of this data in an S3 bucket bearing MCS’s name appears to further corroborate the Viacom group’s mission of moving its infrastructure onto Amazon Web Services’ cloud.” The Amazon-hosted bucket could be accessed by any netizen stumbling upon it, and contained the passwords and manifests for Viacom’s servers, as well as the access key and private key for the corporation’s AWS account. Some of the data was encrypted using GPG, but that wouldn’t be an issue because the bucket also contained the necessary decryption keys. https://www.theregister.co.uk/2017/09/19/viacom_exposure_in_aws3_bucket_blunder/
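The Viacom item turns on a single misconfiguration: a bucket readable by anyone on the internet. The following is an added example, not code from the article, from Viacom or from AWS. It is an offline checker that inspects the two data shapes boto3 returns from `get_bucket_acl()` (the `Grants` list) and `get_bucket_policy()` (the JSON policy string) and reports any grant to the world. The bucket name, ACL and policy below are constructed sample input so the script runs with no credentials or network access; in practice you would feed it the captured API responses for each bucket in an account.

```python
"""Offline check for public-access grants on an S3 bucket (added example).

Evaluates the `Grants` list returned by boto3's get_bucket_acl() and the
JSON policy string returned by get_bucket_policy(). Nothing here talks to
AWS; the sample inputs at the bottom are constructed for illustration.
"""
import json

# Canned S3 group URIs that mean "everyone" (real AWS identifiers).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers":
        "AllUsers (anyone, unauthenticated)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "AuthenticatedUsers (any AWS account holder)",
}


def _principals(principal):
    """Flatten a policy Principal ('*', {'AWS': '*'}, {'AWS': [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def acl_findings(acl):
    """Report ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(
                f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[grantee['URI']]}"
            )
    return findings


def policy_findings(policy_json):
    """Report Allow statements whose Principal is the wildcard '*'."""
    findings = []
    if not policy_json:
        return findings  # no bucket policy attached
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        # A Condition (e.g. aws:SourceVpc) may narrow the grant; flag for review.
        qualifier = " (restricted by a Condition; review it)" if "Condition" in stmt else ""
        findings.append(
            f"Policy statement {stmt.get('Sid', '<no Sid>')} allows "
            f"{', '.join(actions)} to Principal *{qualifier}"
        )
    return findings


def public_access_findings(acl, policy_json):
    """Combine ACL and policy findings; an empty list means nothing world-readable."""
    return acl_findings(acl) + policy_findings(policy_json)


# Constructed sample input: an owner grant plus a world-readable ACL entry,
# and a policy that lets anyone read objects. Bucket name is a placeholder.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
})

if __name__ == "__main__":
    for finding in public_access_findings(SAMPLE_ACL, SAMPLE_POLICY):
        print(finding)
```

An empty result is necessary but not sufficient: account-level Block Public Access settings and object-level ACLs also decide exposure, so treat this as one check in a bucket inventory rather than a verdict on its own.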

Petya attack on TNT Express takes $300 million bite out of FedEx earnings The June 27 cyber-attack spread an information technology virus to TNT Express systems through a Ukrainian tax software product. “This was not an ordinary cyberattack,” FedEx chief information officer Rob Carter told analysts. “We believe this attack was the result of a nation-state targeting Ukraine and companies that do business there. It is widely believed that these were weaponized cyber tools that were stolen from the U.S. government.” http://www.commercialappeal.com/story/money/industries/logistics/2017/09/19/petya-attack-tnt-express-takes-300-million-bite-out-fedex-earnings/639545001/

Report: Negligent employees are no. 1 cause of cybersecurity breaches at SMBs This is especially concerning due to the rise in ransomware attacks: More than 50% of SMBs surveyed had experienced such an attack in the past year, which often enters an organization via a phishing email aimed at tricking an employee into clicking a malicious link or download. Indeed, in the survey, 79% of those hit said the ransomware entered their system through a phishing or social engineering attack. Further, of those who experienced an attack, 53% were hit more than once in the year. http://www.techrepublic.com/article/report-negligent-employees-are-no-1-cause-of-cybersecurity-breaches-at-smbs/

Future cyber security threats and challenges: Are you ready for what’s coming? Respondents expect legacy governmental and regulatory policies will continue to be counterproductive. Technologies such as artificial intelligence (AI), internet of things (IoT) and blockchain—all of which play significantly in the cyber security space—will further stress policy frameworks. “Neither government nor the private sector can deal with the scope and scale of cyber threats alone. It will require collaboration,” says Constance Bommelaer, senior director, global internet policy at ISOC. https://www.csoonline.com/article/3226392/security/future-cyber-security-threats-and-challenges-are-you-ready-for-whats-coming.html

Cryptocurrencies May Be a Dream Come True for Cyber-Extortionists Some companies have invested in bitcoin and other cryptocurrencies specifically so they can pay extortionists if it ever becomes necessary. That helps contribute to the rapid growth in use and value of e-currencies. And as digital currencies become more common, ransomware attackers will have an easier time hiding their illicit transactions among the growing crowd of legitimate transfers. http://fortune.com/2017/09/19/cryptocurrency-bitcoin-cyber-extortion/

Why the Equifax hack was not a surprise “[I]n August 2016, MSCI ESG Research downgraded Equifax to CCC – our lowest possible rating,” MSCI said in an emailed statement. The company’s rating has not changed since then. According to a recent factsheet prepared by the ratings firm, Equifax’s security and privacy measures had proven “insufficient in mitigating data breach events.” It cited the exposure of tax and salary data of 431,000 people employed by grocery chain Kroger’s, its key client, in 2016. http://www.insurancebusinessmag.com/us/news/cyber/why-the-equifax-hack-was-not-a-surprise-79433.aspx

HHS to face audit of its own cybersecurity, incident response capabilities The U.S. Department of Health and Human Services’ Office of Inspector General plans to look into the state of HHS cybersecurity, to determine whether it “has sufficiently implemented incident response capabilities.” OIG updated its work plan to include the audit of the agency. “Increased threats to critical cyber-based infrastructure systems have created a need for government agencies to increase their computer security efforts,” officials said in a statement. http://www.healthcarefinancenews.com/news/hhs-face-audit-its-own-cybersecurity-incident-response-capabilities

Smiths Medical confirms drug pump vulnerable to cyberhacking The U.S. Homeland Security Department published an advisory Sept. 7 revealing that three versions of Smiths Medical’s Medfusion 4000 drug infusion pump contain vulnerabilities that would allow a skilled computer hacker to remotely take control of the device and alter how it dispenses drugs. http://www.startribune.com/smiths-medical-confirms-drug-pump-vulnerable-to-cyberhacking/445530383/

Rogue governments using ‘off the shelf’ hacks, Google warns Rogue governments are increasingly buying “off the shelf” hacking attacks, according to Google’s security chief, making it easier and cheaper for them to launch cyber attacks. […] “What I see increasing trendwise is the attack platforms are no longer something they need to build themselves, they can buy it off the shelf,” said Ms Adkins. As a result, smaller governments were able to launch cyber attacks inexpensively, without having to assemble their own teams of hackers, she said. https://www.ft.com/content/5e0a5a12-9cbe-11e7-8cd4-932067fbf946

Great Power Competition and the AI Revolution: A Range of Risks to Military and Strategic Stability It is improbable that major powers would accept constraints on capabilities considered critical to their future military power. Even attempts to pursue some form of regulation or an international treaty to restrain military applications of AI could be readily overtaken by technological developments. The diffusion of this dual-use technology will also be difficult to control. https://www.lawfareblog.com/great-power-competition-and-ai-revolution-range-risks-military-and-strategic-stability

A Google security chief considers the NSA a state-sponsored threat Does she worry about the NSA? Yes, she does and it’s good to worry about them because if they can attack, other organizations can attack too. She goes on to say that she thinks less about individual threats and rather focuses on the techniques and the surface available to be attacked. “A technique the NSA can use can easily be used by a Mexican cartel against our users,” she said. “All of these actors have these tools available to them.” https://techcrunch.com/2017/09/18/a-google-security-chief-considers-the-nsa-a-state-sponsored-threat/

Infrared signals in surveillance cameras let malware jump network air gaps Instead of trying to use the Internet to reach attacker-controlled servers, the malware weaves passwords, cryptographic keys, and other types of data into infrared signals and uses a camera’s built-in infrared lights to transmit them. A nearby attacker then records the signals with a video camera and later decodes embedded secrets. The same nearby attackers can embed data into infrared signals and beam them to an infected camera, where they’re intercepted and decoded by the network malware. https://arstechnica.com/information-technology/2017/09/attackers-can-use-surveillance-cameras-to-grab-data-from-air-gapped-networks/

Apple blocking ads that follow users around web is ‘sabotage’, says industry iOS 11 […] will include a new default feature for the Safari web browser dubbed “intelligent tracking prevention”, which prevents certain websites from tracking users around the net, in effect blocking those annoying ads that follow you everywhere you visit. […] In their letter, published by AdWeek, the advertisers argue: “The infrastructure of the modern internet depends on consistent and generally applicable standards for cookies, so digital companies can innovate to build content, services and advertising that are personalised for users and remember their visits.” https://www.theguardian.com/technology/2017/sep/18/apple-stopping-ads-follow-you-around-internet-sabotage-advertising-industry-ios-11-and-macos-high-sierra-safari-internet?CMP=share_btn_tw

Why the State of Surveillance in Schools Might Lead to the Next Equifax Disaster In 2013, HeroK12 began offering educators an opportunity to collect and analyze student behavior data. Through its software, every tardy and dress code violation is recorded, stored and analyzed on individual, class and school levels. The violations and consequences are easily tallied with automated responses, and teachers, administrators and students can view the data. HeroK12 is currently used in more than 650 schools around the United States. Other similar technologies include Kickboard and LiveSchool. https://www.edsurge.com/news/2017-09-19-why-the-state-of-surveillance-in-schools-might-lead-to-the-next-equifax-disaster

Sexploitation gang thrown in clink for 171 years after ‘hunting’ kids online and luring them in front of webcams On November 16, 2015, one of the gang members was arrested by the police and charged with possession of child pornography. He quickly folded under questioning and helped the cops identify Kik channels the gang was using to coordinate their actions. After the ring’s public IP addresses were obtained and traced back to their ISPs, via subpoenas, the gang members were cuffed and all pled guilty. https://www.theregister.co.uk/2017/09/19/sexploitation_gang_sentenced_to_171yrs/

Twitter rival Gab faces domain loss over extremist content It’s not easy to host extremist right-wing content on the modern Internet. Gab, a small Twitter rival that bills itself as a bastion of free speech, has received word from its Australian domain registrar that it has five days to find a new registrar, or its domain will be canceled. […] Hosting Anglin and Aurenheimer—as well as other right-wing figures like Internet troll Milo Yiannopoulos—has created headaches for Gab. Days after Anglin became active on Gab, Google kicked Gab out of the Android app store, citing its lax moderation policies. https://arstechnica.com/tech-policy/2017/09/twitter-rival-gab-faces-domain-loss-over-extremist-content/

Google, Spotify Release Open Source Cloud Security Tools The Forseti toolkit currently includes an inventory tool that provides visibility into GCP resources, a scanner that validates access control policies, an enforcement tool that removes unwanted access to resources, and an add-on that helps users understand, test and develop Identity and Access Management (IAM) policies. http://www.securityweek.com/google-spotify-release-open-source-cloud-security-tools

Man who made “Pepe” wants his frog back, and he’ll use copyright to get it Now Furie wants his comic frog back. After years of letting it slide, Furie has lawyered up and sent demand letters to several alt-right personalities, including white supremacist Richard Spencer, Mike Cernovich, and the subreddit “The_Donald.” Last month, Furie took legal action against a man in Texas who created an Islamophobic version of Pepe for a children’s book. That matter reached a settlement. Now, Furie’s lawyers have spoken to Vice about his determination to reclaim ownership of the image and the demand letters they have sent out. https://arstechnica.com/tech-policy/2017/09/pepe-the-frog-creator-lawyers-up-tells-alt-right-blogs-to-cease-and-desist/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.