IT Security News Blast 9-22-2017

Utilities Will Spend Billions On Cybersecurity As Threat Grows
At present, consistent cybersecurity controls for the distribution system, where utilities deliver electricity to customers, are lacking. If a cyberattack on a utility successfully causes a power outage, a ripple effect that destabilizes electricity in large areas could occur, possibly damaging parts of the interconnected system. So it is easy to understand why research firm Zpryme estimates that U.S. utilities will spend $7.25 billion on grid cybersecurity by 2020.

Asset Managers Must Beef Up Cyber Security Defenses
“Bluntly, asset managers are not prepared for the increased threat landscape,” says Walter Price, fund manager at the Allianz Technology Trust. “This was highlighted by the 35 per cent drop in Equifax’s valuation and their benign comments that they were vigilant with regard to cyber security when, in retrospect, they were not.”

Breakingviews – SEC failure puts U.S. cyber security on back foot
But it, too, is providing a textbook case of what not to do in the event of a cyber attack. Not only did the SEC take a long time to make the breach public. It buried the news in a more wide-ranging statement on such issues by Chairman Jay Clayton, who said he wanted to highlight “importance of cybersecurity to the agency and market participants.” In addition, the watchdog has so far provided scant details.

Here’s what really terrifies Wall Street about the SEC hack
EDGAR is where Corporate America goes to file statements on their businesses. Brad Bondi, an attorney with Cahill Gordon and Reindel and former counsel at the SEC, called it “the Fort Knox” of the SEC. It’s where the important stuff is stored: quarterly earnings reports, market-moving news, IPOs, mergers and acquisitions, it all goes into the EDGAR system, and is often filed before the news is made public.

U.S. consumer finance agency expected to punish Equifax: lawyers
But because Equifax is not strictly a financial company, questions arose whether the Consumer Financial Protection Bureau, the agency created after the 2008 financial crisis, has the power to penalize the firm for the breach. Legal experts said the CFPB is likely to weigh in using powers it wields under the 2010 Dodd-Frank Act. “Its Dodd-Frank mandate gives the CFPB authority to investigate Equifax even without cyber security rules,” said Quyen Truong, former deputy general counsel for the agency.

Lawmakers worry cyberattacks could cause drug shortages
“While there is no evidence, to date, that Merck’s manufacturing disruption has created a risk to patients, it certainly raises concerns. For example, in a recent update on national vaccine supply, the CDC reported that Merck would not be distributing certain formulations of the Hepatitis B vaccine,” Walden and Murphy wrote.

HIT Think How healthcare organizations are boosting security for IT systems
Surveyed organizations stated that healthcare-information security is a board-level discussion regularly, with at least annual board discussions in 93 percent of cases; 62 percent of providers stated that they discuss security with their board at least quarterly. These results suggest that both interest in and support for effective security measures have grown. No doubt the increased number of very public information breaches has influenced the increased interest and support.

IoT introducing new cyber risks, redrawing federal CISO role
IoT devices follow a process where a sensor collects information, sends it off to an aggregator, who then formats that information and communicates it to the internet or an individual or network. Ideally in that chain, you know what the sensors are, the location of the aggregator, and have control of the internal communication process between the sensors and aggregator, to manage risk, Turk said.

Iran-Linked Hackers Said to Be Attacking U.S. Companies
“These campaigns demonstrate the depth of Iran’s cyber capabilities,” said John Hultquist, director of intelligence analysis for FireEye. “Actors like APT33, now narrowly focused on the Middle East, are the tools Iran will reach for if they choose to carry out attacks in the future.” Attributing cyber activity is a matter of detective work. FireEye traced the hackers to Iran in part through a handle, “xman_1365_x,” that the firm linked to an Iranian government software engineer.

Army turns to Plan X to defend against cyber threats
By creating a visual representation of cyberspace and its many users, Invincea’s Plan X defense platform is designed to immediately recognize threats and improve cyber warfare technology. DARPA has been partnering with Invincea Labs LLC, Arlington, VA, to create Plan X since 2013. Their partnership was formed out of the military’s need to expand their cyber capabilities to protect U.S. military networks from more advanced attacks.

Another court tells police: Want to use a stingray? Get a warrant
In a 2-1 opinion issued Thursday, the DC Court of Appeals—effectively the equivalent of a state supreme court—agreed with the lower court’s ruling that the use of the device, also known as a stingray, was unconstitutional. In addition, however, the judges went further: they found that the violation was so egregious that any evidence derived from the stingray should be excluded from the case, which overturned the conviction.

ISP involvement suspected in latest FinFisher gov’t spyware campaign
Gamma Group says the malware “helps government law enforcement and intelligence agencies identify, locate and convict serious criminals.” According to ESET researchers, a new campaign spreading the malware has been detected in a total of seven countries. In two of them, Internet Service Providers (ISPs) are “most likely” working in collaboration with governments to infect targets of interest with the surveillance malware. The countries have not been named due to safety concerns.

Released Snowden Doc Shows NSA Thwarting Electronic Dead Drops By Using Email Metadata
One of those published last week mentions the NSA’s targeting of internet cafes in Iraq and other Middle Eastern countries using a program called MASTERSHAKE. Using MASTERSHAKE, analysts were apparently able to drill down location info to which target was sitting in which chair at the cafes under surveillance. Further down the page [PDF], past this brief mention of a program discussed more fully elsewhere, there’s another interesting tidbit. Apparently, the NSA can suss out electronic dead drops using harvested metadata.

Australian military drone supplier warns of ‘likely’ Chinese cyber backdoor in DJI quadcopters
The warning comes after a report in The Australian revealed the Australian Defence Force (ADF) suspended its use of DJI drones on August 9, after the US military banned their use on August 2 citing cybersecurity concerns. But the ADF then resumed DJI flights on August 21 under “revised operating procedures”, a Defence spokesperson told SBS World News. The spokesperson also confirmed the ADF made use of DJI Phantom drones.

Equifax breach is a reminder of society’s larger cybersecurity problems
Several major problems need to be addressed before people can live in a truly secure society: For example, companies must find and hire the right people to actually solve the overall problems and think innovatively rather than just fixing the day-to-day issues. Companies must be made to get serious about cybersecurity – at a time when many firms have financial incentives not to, also. Until then, major breaches will keep happening and may get even worse.

Facebook revamps political-ad rules after discovering Russian ad buys
“The integrity of our elections is fundamental to democracy around the world,” Zuckerberg said in a video posted to Facebook. “We can’t prevent all governments from all interference. But we can make it harder.” One significant change will be greater transparency for political advertising. Facebook’s platform allows advertisers to target different ads at different audiences. The company wants to make it easier for the public to understand how advertisers are using this capability.

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.