IT Security News Blast 9-26-2017

Equifax breach is a reminder of society’s larger cybersecurity problems
Several major problems need to be addressed before people can live in a truly secure society: For example, companies must find and hire the right people to actually solve the overall problems and think innovatively rather than just fixing the day-to-day issues. Companies must be made to get serious about cybersecurity — at a time when many firms have financial incentives not to, also. Until then, major breaches will keep happening and may get even worse.

Mobile stock trading apps riddled with security holes
Alejandro Hernandez, senior security consultant at IOActive, found vulnerabilities that could allow the would-be hacker to sell user’s stock, steal money or snoop into the personal details of the user’s net worth and investment strategy. Hernandez put 21 of the most used and well-known mobile trading apps available on the Apple Store and Google Play through their paces. Testing focused only on the mobile apps; desktop and web platforms were not tested.

Equifax CEO retires following massive cyber attack
U.S. credit reporting firm Equifax Inc said on Tuesday its Chief Executive Richard Smith will retire, a week before he was expected to testify before a Senate Banking Committee in the wake of a massive cyber attack. Equifax disclosed earlier this month that personal details of up to 143 million U.S. consumers were accessed by hackers between mid-May and July, in one of the largest data breaches in the United States.

Major accounting firm Deloitte reports extensive cybersecurity breach
Along with emails and their sometimes sensitive attachments, the hackers may have gotten their hands on usernames, passwords, IP addresses, business information and workers’ health records. […] Deloitte hasn’t stated which of its clients, which include US government agencies, have been impacted, but said, “As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.

Docs ran a simulation of what would happen if really nasty malware hit a city’s hospitals. RIP 🙁
On average, a connected device had about 1,000 exploitable CVE flaws, with some going over the 1,400 mark, it was claimed. Not all of these flaws are remotely exploitable, but many are, “and it only takes one,” said Joshua Corman, director of the Atlantic Council’s Cyber Statecraft Initiative and one of the aforementioned speakers. “Governments aren’t ready for this and hospitals certainly aren’t – 85 per cent of US hospitals don’t have any IT security staff,” he added.

Healthcare sector accounts for most cyber security incidents
The healthcare industry accounted for 26 percent of security incidents in the second quarter of 2017 according to a new report. The study from McAfee Labs sees healthcare surpass the public sector to report the greatest number of security incidents in Q2. The health, public, and education sectors combined comprised more than 50 percent of total incidents in 2016-2017 worldwide.

Healthcare sector accounts for most cyber security incidents

Myth busted: Physical security is not separate from cybersecurity
In just the last few years, the U.S. Department of Health and Human Services’ Office for Civil Rights has settled with a number of organizations that failed to secure or protect physical devices. CardioNet was fined $2.5 million by OCR, after a company laptop was stolen from an employee’s car. OCR found CardioNet failed to produce any final policies regarding the safeguard of patient information — including that for mobile devices.

New effort seeks to aid small doc practices with cyber security
The organizations have scheduled 14 workshops, with cities and dates available here. Issues to be covered include performing cyber and HIPAA risk assessments, fundamentals of good cyber hygiene, implementing cost-effective and manageable cyber security solutions, and lessons learned from other practices.

The borderless threat: Army Cyber Command helping defend nation’s network
To stay relevant in the cyber domain, ARCYBER operates and aggressively defends the Defense Department’s information network. The command employs both offensive and defensive cyberspace techniques to keep the United States safe from threats posed by global adversaries, for instance. Additionally, they rapidly develop and deploy new capabilities to defend against a resilient, adaptive enemy.

ISIS Cyber Jihadis Are ‘Garbage’ at Hacking, Top Researcher Says
“As it stands ISIS are not hugely operationally capable online,” Wilhoit added. “There’s a lack of expertise in pretty much everything.” The attacks by the group’s cyber wing have largely been limited to de-facing several websites. But, more unnerving for Americans, ISIS-linked hackers released hit lists with the names and addresses of thousands of civilians, as well as diplomatic and military personnel, in 2015.

We’re under constant threat of cyberattack, and Congress isn’t prepared to do anything about it
Rep. Marsha Blackburn (R-Tenn.) did appear on CNN to comment about the Mirai botnet. But instead of announcing plans to force recalls of the hijacked devices, Blackburn blamed the attack on software piracy — an utterly unrelated subject. […] This lack of understanding might be less concerning if Blackburn were just one of the 435 voices in Congress. But she serves on the House Communications and Technology subcommittee, where just 15 votes determine the fate of much of the legislation related to technology, including cybersecurity, communication and privacy.

US spy chief urges Congress to renew surveillance authority
The administration of President Donald Trump has called on Congress to renew and make permanent some powers under the Foreign Intelligence Surveillance Act, which expire at the end of this year. Those powers permit collection of electronic communications of foreigners who are deemed potential threats to U.S. national security, a list of targets that this year topped 106,000.

Cyberspace needs better laws, and more trustworthy companies
As most of our social and private lives are taken over by private companies that work through the almost border-less Internet, governing the millions of bytes of data that transfer huge amounts of information about users across the Internet becomes vitally important. From banking to sharing photos, and from calling our mothers to shopping, almost every aspect of our lives is now mediated by private technology companies. […] Mr. Nadella is therefore absolutely right in saying that technology companies must work towards making themselves more trustworthy to users.

Trump’s Resigned Cybersecurity Council Looks Bad for National Security
The significant points from the loss of needed voices in the White House’s National Infrastructure Advisory Council is that it underscores the Administrations inability to act on long-term threats to our National Security. The inability to maintain focus and talent on hard policy topics is a source of continuous concern, said Jones.

Password-theft 0-day imperils users of High Sierra and earlier macOS versions
The video shows a Mac virtual machine running High Sierra as it installs an app. Once the app is installed, the video shows an attacker on a remote server running the Netcat networking utility. When the attacker clicks the “exfil keychain” button, the app surreptitiously exfiltrates all the passwords stored in the keychain and uploads them to the server. The theft requires no user interaction beyond the initial installation of the rogue app, and neither the app nor macOS provides any warning or seeks permission.

Adobe Private PGP Key Leak a Blunder, But It Could Have Been Worse
The risks posed by this leak, such as stealing private messages or carrying out a phishing attack, were lessened by a number of factors said researcher Juho Nurminen who works for Finnish security company 2NS (Second Nature Security) as a pen-tester. Nurminen discovered the publication of the private key as he was trying to report a vulnerability in an Adobe product to the company’s security team.

Adobe Private PGP Key Leak a Blunder, But It Could Have Been Worse

TV broadcasts in California interrupted to show “end of the world” alert
According to Orange County, these weird warning messages appeared on mainstream TV channels and affected Spectrum and Cox cable users. Some of the warning videos have been uploaded on YouTube. In one of the videos, we can hear a breathless voice stating that the “space program” has been contacted with and “they are not what they claim to be.” The whole message read: “The space program made contact with… They are not what they claim to be. They have infiltrated a lot of, uh, a lot of aspects of military establishment, particularly Area 51. The disasters that are coming—the military—I’m sorry the government knows about them…”

TV broadcasts in California interrupted to show “end of the world” alert

Banking Trojan Uses NSA-Linked Exploit
Unlike previous malware attacks that exploited EternalBlue, however, the new campaign doesn’t abuse it to spread in an infinite loop. In fact, the exploit-carrying samples are distributed via spam emails, while the version dropped via EternalBlue lacks the exploit. EternalBlue is a NSA-linked tool that became public in April, one month after Microsoft released a patch for it. The exploit leverages a vulnerability in Windows’ Server Message Block (SMB) on port 445, allowing attackers to have malicious code automatically executed on vulnerable systems.

Researchers promise demo of ‘God-mode’ pwnage of Intel mobos
Positive Technologies researchers say the exploit “allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard via Skylake+”. Intel Management Engine (ME), a microcontroller that handles much of the communication between the processor and external devices, hit the headlines in May 2017 due to security concerns regarding the Active Management Technology (AMT) that runs on top of the engine.



Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.