IT Security News Blast 9-25-2017

Hack of U.S. Regulator a Blow to Confidence in Financial System
Ironically, the SEC now must point a finger at itself for delaying the disclosure which it requires from publicly traded companies. “The breach itself appears to be fairly minor, but it erodes trust in government organizations where companies are required by law to report confidential or insider information,” said Tatu Ylonen, a computer researcher and founder of SSH Communications Security.
http://www.securityweek.com/hack-us-regulator-blow-confidence-financial-system

Identity Verification Becomes Trickier in Wake of Equifax Breach
“Companies that are relying on knowledge-based assessments—they may need to add additional factors,” he said. “They need extra safeguards— some which will be burdensome, such as proof using documentation—others could use some sort of device-based check.” The Equifax breach will cause repercussions for years and could change the way that identity is verified online. Name, address, birth date and Social Security number have long been the litmus test for people to open accounts. That will have to change, experts say.
http://www.eweek.com/security/identity-verification-becomes-trickier-in-wake-of-equifax-breach

Massachusetts AG sues Equifax over massive data breach
Massachusetts’ lawsuit is the first official enforcement action in what is expected to be a massive legal onslaught against Equifax in the wake of a hack that exposed the personal financial data of as many as 143 million people in the US, including names, Social Security numbers, birthdates and addresses of customers. A handful of attorneys general for other states, including New York, Illinois and Connecticut, and two prominent senators, have asked the company for information about the hack.
https://www.cnet.com/news/massachusetts-ag-sues-equifax-over-massive-data-breach-hack-credit/

The 6 phases of adopting cloud security practices
1. The pushback phase
2. The traditional security phase
3. The cloud monitoring phase
4. The cloud affinity phase5. The cloud security controls phase
6. The central policy phase
https://www.csoonline.com/article/3226764/security/the-6-phases-of-adopting-cloud-security-practices.html

The Problem with Collecting, Processing, and Analyzing More Security Data
There’s also a fundamental storage challenge here.  Do I keep all this data or define some taxonomy of value, keep the valuable data, and throw everything else out?  Do I centralize the data or distribute it?  Do I store the data on my network or in the cloud?  Oh, and how do I manage all this data:  RDBMS?  Elastic search?  Hadoop?  SIEM? Let’s face it, security is a big data application so it’s time that the security industry and cybersecurity professionals come together, think through security data problems, and come up with some communal solutions.
https://www.csoonline.com/article/3227077/security/the-problem-with-collecting-processing-and-analyzing-more-security-data.html

Election systems of 21 states targeted by Russian government hackers ahead of 2016 election: DHS
More revelations about the scope of the Russian government’s cyber-campaign on behalf of Donald Trump in the November 2016 presidential election came to light Friday afternoon, when DHS officials called election officials in twenty-one states to inform them that their states’ election systems had been targeted by Russian government hackers trying to influence the U.S. presidential election. Among the states whose election systems were targeted by Russian government operatives: Alabama, Arizona, Colorado, Connecticut, Illinois, Iowa, Maryland, Minnesota, Ohio, Oklahoma, Pennsylvania, Virginia, Washington, and Wisconsin.
http://www.homelandsecuritynewswire.com/dr20170925-election-systems-of-21-states-targeted-by-russian-government-hackers-ahead-of-2016-election-dhs

Shock! Hackers for medieval caliphate are terrible coders
A few years ago the UCC created three apps for its followers to use – some script-kiddie level malware that was riddled with bugs, a version of PGP called Mujahideen Secrets that the NSA just love, for all the wrong reasons, and a DDOS tool called “Caliphate cannon” that was laughably poor. “ISIS is really really bad at the development of encryption software and malware,” Wilhoit said. “The apps are sh*t to be honest, they have several vulnerabilities in each system that renders them useless.”
https://www.theregister.co.uk/2017/09/25/extremist_hackers_dubious_competence/

ISO Rejects NSA Encryption Algorithms
A number of them voiced their distrust in emails to one another, seen by Reuters, and in written comments that are part of the process. The suspicions stem largely from internal NSA documents disclosed by Snowden that showed the agency had previously plotted to manipulate standards and promote technology it could penetrate. Budget documents, for example, sought funding to “insert vulnerabilities into commercial encryption systems.”
https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html

Justice Department goes nuclear on Google in search warrant fight
Google said it wasn’t complying with the order because it was on appeal. Google also said it was following precedent from a New York-based federal appellate court that ruled Microsoft doesn’t have to comply with a valid US warrant for data if the information is stored on overseas servers. […] The government, meanwhile, accused Google of fashioning a system that kept consumer data stored on various servers across the globe—just so it could defy court orders.
https://arstechnica.com/tech-policy/2017/09/justice-department-goes-nuclear-on-google-in-search-warrant-fight/

Over Half a Million Vehicle Records from SVR Tracking Leaked Online
According to Kromtech Security Centre’s research, login data of more than half a million records of SVR Tracking was leaked online making the personal and vehicle-related information of organizations using the devices and drivers potentially vulnerable. […] The data was available in publicly accessible Amazon Web Services S3 bucket where nearly 540,642 SVR accounts’ information is present. The data included email addresses, passwords, license plates and VIN/vehicle identification numbers.
https://www.hackread.com/over-half-a-million-vehicle-records-from-svr-tracking-leaked-online/

Is Twitter Winning Its War on Terrorism?
[Facebook], Microsoft, Twitter, and YouTube launched the Global Internet Forum to Counter Terrorism this summer, an extension of existing anti-terror measures intended to improve technology for detecting terrorist material online and provide counter-narratives for potential terrorist recruits. It’s unclear how effective the group has been so far, but at least one company involved in the partnership says it has had success in seeking out and removing terrorist activity on its platform. In its biannual transparency report, Twitter announced on Tuesday that it had removed 299,649 accounts for the promotion of terrorism in the first half of 2017, and 935,897 accounts between August 2015 and June 2017.
https://www.vanityfair.com/news/2017/09/is-twitter-winning-its-war-on-terrorism

The dangers of weaponized narratives, and how to respond to them
Criticism of Facebook began last week after a news report said the social network enabled advertisers to seek out self-described anti-Semites and, revealed this week, published Russian-bought divisive political ads. The company responded by saying that it would restrict how advertisers targeted their audiences and actively work with the U.S. government on its Russian-interference investigations. Google also came under fire at the same time after news that it allowed the sale of ads tied to racist and bigoted keywords. Google responded by claiming it would work harder to halt offensive ads. Weaponized narrative is the new global battle space, one expert said: “America and other Western democracies — and indeed the very Enlightenment — are under attack.”
http://www.homelandsecuritynewswire.com/dr20170925-the-dangers-of-weaponized-narratives-and-how-to-respond-to-them

Linux Trojan Using Hacked IoT Devices to Send Spam Emails
New research conducted by Russian security firm Doctor Web has revealed that a Linux Trojan, dubbed Linux.ProxyM that cybercriminals use to ensure their online anonymity has recently been updated to add mas spam sending capabilities to earn money. The Linux.ProxyM Linux Trojan, initially discovered by the security firm in February this year, runs a SOCKS proxy server on an infected IoT device and is capable of detecting honeypots in order to hide from malware researchers.
http://thehackernews.com/2017/09/linux-malware-iot-hacking.html

Massive Spam Runs Distribute Locky Ransomware
Panda Security has also observed the massive distribution campaigns and confirms that the runs started to grow in volume on Tuesday. At the moment, the researchers say, the attackers send around 1 million phishing messages every hour. Most of the messages are disguised as fake Amazon Marketplace and Herbalife invoices, but phony printer orders have been observed. The emails contain an archive as attachment. While in some cases .zip files are used, other emails feature .7z or 7-zip attachments.
http://www.securityweek.com/massive-spam-runs-distribute-locky-ransomware

Ransomware: Where It’s Been and Where It’s Going
“File-based solutions that focus on static indicators of files such as file names, unique strings, and hashes, are missing ransomware attacks as they don’t have visibility into the ‘DNA’ of an attack,” warns Carbon Black. “Without tracking malicious behavior and intent, such defensive methods could be unable to accurately predict future attacks involving volatile code leveraging such tools as JavaScript, PowerShell, Visual Basic, and Active Server Pages (ASP).”
http://www.securityweek.com/ransomware-where-its-been-and-where-its-going

1.4 Million Phishing Sites Are Created Monthly: Report
While the quality of the emails has improved with fewer tell-tale typographical and grammatical errors, so too has the design and implementation of the phishing pages. Webroot provides two example mimicking Microsoft and PayPal. The Microsoft example includes a realistic Windows page combined with the message that the target should telephone support (rather than enter credentials online).
http://www.securityweek.com/14-million-phishing-sites-are-created-monthly-report

Want to get around app whitelists by pretending to be Microsoft? Of course you can…
Usually anyone trying to fool Microsoft’s defenses in this way, via PowerShell, will be caught by the executable signature checks within the Get-AuthenticatedSignature function. However, we’re told, there’s also CryptSIPVerifyIndirectData, which can be abused to green-light malicious applications with a counterfeit signature. The only thing you need are some coding tools and, oh yeah, admin privileges on the target computer.
https://www.theregister.co.uk/2017/09/22/bypassing_app_whitelists_microsoft_windows/

New ransomware scam asks for nude pics to unlock files
“Go to Protonmail.com and create an account. Send an email to 1_kill_yourself_1@protonmail.com. We will not respond immediately. After we reply, you must send at least 10 nude pictures of you.” Furthermore, it informs victims that their pictures will be verified to ascertain if they belonged to them or not. Once it is done; they will sell their pictures on the Deep Web. “After that, we will have to verify that the nudes belong to you. Once you are verified, we will give you your unlock code and sell your nudes on the deep web.”
https://www.hackread.com/new-ransomware-scam-asks-nude-pics-unlock-files/

SANS SEC501 in Kirkland
Former Washington Army National Guard Chief Warrant Officer Mark Elliott will be teaching SANS SEC501, Advanced Security Essentials in Kirkland from December 4-9.  This class just went through a major re-write and has some very exciting content, including penetration testing, incident response, digital network forensics, malware analysis (with an exercise which tricks ransomware into thinking the ransom has been paid), and many more exciting topics.
https://www.sans.org/community/event/sec501-seattle-50340

 ====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.

//]]>