IT Security News Blast 9-5-2017

Crypto-busters reverse nearly 320 MEELLION hashed passwords

The anonymous CynoSure Prime “cracktivists” who two years ago reversed the hashes of 11 million leaked Ashley Madison passwords have done it again, this time cracking a stunning 320 million SHA-1 hashes released by Australian researcher Troy Hunt. CynoSure Prime’s previous work pales in comparison with what’s in last week’s post.

Leveraging ERM to drive Information Security (Cybersecurity) results

The company that successfully integrates a robust cyber risk management approach with its enterprise risk management (ERM) framework is at a distinct competitive advantage. Not only is such an organization managing its resources and expenses effectively; it is also linking cyber security to its business goals, enterprise risk profile and strategic vision.

Data breach hits four million Time Warner app users

Security company UpGuard, which worked with Gizmodo to analyse the leak, said many people could be “endangered” if the exposed information were widely shared. In response, TigerSwan said it took information security “very seriously”, found the exposure “inexcusable” and planned to investigate how the data came to be publicly accessible. It added: “The situation is rectified, and we have initiated steps to inform the individuals affected by this breach.” This year has seen a series of exposures of data left in publicly readable Amazon S3 storage buckets: Verizon, Dow Jones, voting machine maker ES&S and World Wrestling Entertainment (WWE) have all had data exposed this way.
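The common thread in the exposures above is a storage bucket whose ACL or bucket policy grants access to everyone, so the check a practitioner wants is one that reads those two documents and flags public grants. The example below is added here and is not code from UpGuard, TigerSwan or any of the companies named; the ACL and policy documents are constructed samples in the shape the S3 API returns them (the `get_bucket_acl` and `get_bucket_policy` responses), and the bucket name and owner ID are placeholders.

```python
"""Flag S3 bucket ACLs and bucket policies that grant access to everyone.

Added example; the ACL and policy documents below are constructed samples
in the shape the S3 API returns them (get_bucket_acl / get_bucket_policy).
"""
import json

# Grantee URIs that mean "anyone on the Internet" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs in an ACL that apply to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def principal_is_wildcard(principal):
    """True when a policy Principal is "*" or a dict such as {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def public_policy_statements(policy):
    """Return Allow statements whose Principal is a wildcard, i.e. anonymous access."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow" and principal_is_wildcard(s.get("Principal"))
    ]


# Constructed samples: a bucket whose listing is readable by anyone, and a policy
# that hands out anonymous GetObject on every key. Owner ID and bucket name are placeholders.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    for uri, perm in public_acl_grants(SAMPLE_ACL):
        print(f"ACL grants {perm} to {uri}")
    for stmt in public_policy_statements(SAMPLE_POLICY):
        print(f"policy allows {stmt['Action']} to everyone on {stmt['Resource']}")
```

Two details matter when reading the output: `READ` on a bucket ACL lets anyone list the bucket's keys, which is exactly how researchers enumerate an exposed bucket, and a wildcard `Principal` in a bucket policy grants access even when the ACL itself is clean, so both documents have to be checked for every bucket in the account.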

NHS ‘will be hit by more cyber attacks’

Concern about NHS cyber security has increased following the WannaCry attack and healthcare management professionals expect it to come under further attack from “organised hacktivists”, according to a new survey of those registered to attend this year’s UK Health Show. The survey of almost 600 registrants to the show, which is held at Olympia London on 27 September, suggests that leading managers and professionals are very worried about similar cyber-attacks in the future.

Six million Instagram accounts hacked: how to protect yourself

The scale of the hack on the photo-sharing site emerged after the Instagram account of singer Selena Gomez was compromised last week. UK security researchers discovered the contact details of hundreds of celebrities, including Emma Watson, Taylor Swift and Harry Styles, on the dark web. In addition to leaking the details of hundreds of A-listers, the hackers set up an online database where cyber criminals could look up private user details for $10 per search.

Yahoo! must! face! the! music! over! data! breaches! judge! rules!

The corporate carcass of Yahoo! must face trial over its notorious data breaches.

Late last week, in this judgement [PDF], US District Court Judge Lucy Koh (Northern District of California) ruled that some of the claims over the company’s 2013 and 2014 data breaches could proceed. Verizon shaved US$350 million off what it paid to acquire Yahoo! as a result of the leaks.

Improving the Public-Private Cybersecurity Partnership

When you need help during an emergency, you call 9-1-1—and each of your first responders has a clear role to play and works together to achieve a common goal: ensuring your well-being. According to former U.S. Secretary of Commerce Penny Pritzker, that same type of coordinated response across the public and private sectors is exactly what “we need to defend our country against major cyber-attacks.” But former Secretary Pritzker also recognized that achieving this unified partnership between government and business may require “fundamentally changing” the way businesses work with federal agencies to counter cyber threats.

How SMEs are a target for fraud

Emerging technology and improved connectivity have helped SMEs take advantage of new business opportunities, but they have also presented fresh opportunities for fraudsters, with threats evolving all the time. The annual cost of fraud in the UK could be as high as £193bn, according to the 2016 Annual Fraud Indicator. And as Nick Mothershaw, ID and fraud expert at Experian, explains, SMEs are a prime target for fraudsters because their security systems are generally not as robust as those of larger enterprises.

‘People are going to die’ – West warned over covert Russian cyber attacks

Covert Russian cyber-attacks against Western countries could cause civilian fatalities and potentially escalate into a real-world military confrontation, Latvia’s foreign minister has warned. Edgars Rinkevics told the Telegraph that Russia may use massive war games in September to probe Nato’s resilience to full-spectrum “hybrid” warfare, including the propaganda and cyber-attacks that Moscow has previously used against Ukraine.

One of 1st-known Android DDoS malware infects phones in 100 countries

Last year, a series of record-setting attacks on sites including KrebsOnSecurity and a French web host underscored a threat that had previously been overlooked: millions of Internet-connected digital video recorders and similar devices that could easily be wrangled into botnets capable of overwhelming even large DDoS mitigation services. Now researchers are reporting, for one of the first times, that a new platform has been used to wage powerful denial-of-service attacks distributed across hundreds of thousands of poorly secured devices: Google’s Android operating system for phones and tablets, in the botnet dubbed WireX.

Leak of >1,700 valid passwords could make the IoT mess much worse

“There’s not much new about devices standing out there with default or weak credentials,” Troy Hunt, a security researcher and maintainer of the Have I Been Pwned breach notification service, told Ars. “However, a list such as we’re seeing on Pastebin makes a known bad situation much worse as it trivializes the effort involved in other people connecting to them. A man and his dog can now grab a readily available list and start owning those IPs.”
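The defensive use of a list like the one Hunt describes is to find out whether any of your own address space is on it, and which credential pairs the list relies on, before someone else tries them. The example below is added here and is not Hunt's or Ars Technica's code; the one-entry-per-line `ip:port user:pass` format is an assumption (the actual paste format is not given in the article), and the sample entries use documentation address ranges and were constructed for this example.

```python
"""Check whether addresses in your own ranges appear in a leaked host:credential
list, and tally the credential pairs it uses.

Added example; the list format (one "ip:port user:pass" entry per line) and the
sample entries are assumptions constructed for this example.
"""
import ipaddress
from collections import Counter


def parse_credential_list(text):
    """Yield (ip, port, user, password) from lines of the assumed format, skipping junk."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or ":" not in parts[0] or ":" not in parts[1]:
            continue
        host, port = parts[0].rsplit(":", 1)
        user, password = parts[1].split(":", 1)  # passwords may themselves contain ':'
        try:
            ip = ipaddress.ip_address(host)
            port = int(port)
        except ValueError:
            continue
        yield ip, port, user, password


def hosts_in_my_ranges(text, my_cidrs):
    """Return entries whose IP falls inside any of the given CIDR ranges."""
    networks = [ipaddress.ip_network(c, strict=False) for c in my_cidrs]
    return [
        entry for entry in parse_credential_list(text)
        if any(entry[0] in net for net in networks)
    ]


def credential_frequency(text):
    """Count how often each user:password pair appears across the whole list."""
    return Counter(f"{user}:{password}" for _, _, user, password in parse_credential_list(text))


# Constructed sample using RFC 5737 documentation addresses; not the real paste.
SAMPLE_LIST = """\
# constructed sample, not the real paste
192.0.2.10:23 root:root
192.0.2.11:23 admin:admin
198.51.100.7:2323 admin:1234
203.0.113.42:23 root:root
not a valid line
"""

if __name__ == "__main__":
    for ip, port, user, pw in hosts_in_my_ranges(SAMPLE_LIST, ["192.0.2.0/24"]):
        print(f"{ip}:{port} is in our range and is listed with {user}:{pw}")
    print(credential_frequency(SAMPLE_LIST).most_common(3))
```

Run it against your own ranges only; the point of the frequency tally is that a handful of factory-default pairs account for most of such a list, so changing those defaults (or blocking Telnet at the edge) removes the device from the pool even if its address is never published.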

Taringa: Over 28 Million Users’ Data Exposed in Massive Data Breach

Exclusive — If you have an account on Taringa, also known as “the Latin American Reddit”, your account details may have been compromised in a massive data breach that leaked the login details of almost all of its more than 28 million users. Taringa is a popular social network geared toward Latin American users, who create and share thousands of posts every day on general-interest topics such as life hacks, tutorials, recipes, reviews and art.

Hillary Clinton endorsed a startup — and then it fell victim to a cyber attack

Hillary Clinton is allegedly at the center of another cyber-attack — except this time it involves a startup that’s trying to become something of a social network for her political supporters. The saga began Sunday night when Clinton — to the apparent surprise of her followers — took to Twitter to offer her personal endorsement of a new, relatively unknown website called Verrit.

Doxxed? Trump’s Inner Circle May Be Under Cyber Attack

Unknown hackers may have dropped private and sensitive information on several members of President Trump’s inner circle onto Hastebin, an open-source paste site. While the exact time stamp has been masked, the information includes personal phone numbers, email addresses, parking tickets, moving violations, the names of people related to them, and even Amazon Wish Lists.

Harvey throws Congress’ priorities for cybersecurity into question

Action is still possible this year on a long list of cyber priorities including: Upgrading the Department of Homeland Security’s cyber functions, reauthorizing DHS for the first time, the PATCH Act on creating a process for disclosing vulnerabilities in software, modernizing the government’s information technology, and adopting a national cybersecurity doctrine based on deterrence.

Give CISOs a Say: The Cyber Security Paradox

Put bluntly, despite the fact that board members are not taking a balanced approach to investing in recovery after a cyber attack, 63% of board members want CISOs to take care of the aftermath of a breach. Not only does this seem a bit paradoxical, it is also reflective of a far greater problem that is present in company boards across the country, and that is the chasm between the reality of IT management and the board’s expectations.

Let’s not sacrifice privacy by “democratising” AI

Companies must take steps to secure the bot experience for consumers before the ecosystem becomes widespread, rather than trying to do so after it is popular and building “data gathering” clauses into obtuse terms of service. Being prepared also lends itself to becoming compliant with increasingly stringent regulations around data protection that could lead to heavy fines if not addressed adequately.

Navigating GDPR in the mobile enterprise

Another effective approach is a persona-based technique that starts with understanding the basics: where’s my data, who has access to it, how are they accessing it, and what are they doing with it? The requisite security solutions are then based uniquely on these personae and use cases. For example, for employees with company-owned devices, you may want to manage the whole device.

University cyber security breaches double in 2 years and leak military secrets

The targeted files range in subject from medical records to military designs for ‘stealth fabrics’, which are thought to help ‘disguise’ military weapons and vehicles. Carsten Maple, head of computing and director of cyber security at Warwick University, said hackers were targeting intellectual property that had been in development for years.

Time to Consider ‘Active Deterrence’ of North Korea

The distinction between “active” and “passive” deterrence has proven useful in the literature on international cyber aggression. “Passive deterrence” is the equivalent of the military strategy of “deterrence by denial.” An aggressor is deterred by the certainty that they will not achieve their objectives because of the defensive capabilities of their opponent.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.