Cyber Attacks, Threats, and Vulnerabilities
Hackers offering bulk discount to unlock encrypted MedStar data (Baltimore Sun) The hackers who locked up data on MedStar's computers this week are demanding ransom to begin unlocking it — and they're offering a bulk discount to release all of it, according to a copy of the demands obtained by The Baltimore Sun
Following malware attack, MedStar docs regain EHR functionality (FierceHealthIT) Clinicians at MedStar Health can now review medical records and submit orders via the electronic health record after a malware attack March 28 forced computers offline, the Maryland-based hospital chain said in a statement Wednesday morning
Maryland hospital group hit by ransomware launched from within (Ars Technica) Samsam malware exploited MedStar web app server, then spread to rest of network
Why Hospitals Are the Perfect Targets for Ransomware (Wired) Ransomware has been an Internet scourge for more than a decade, but only recently has it made mainstream media headlines.
Hacking Hospitals And Holding Hostages: Cybersecurity In 2016 (Forbes) Yesterday morning MedStar Health became just the latest organization to suffer the damage of a cyberattack in what early reports suggest may be yet another ransomware attack
VIDEO: How a hospital is hacked, Kaspersky finds Health IT is sick (ITWire) A Kaspersky Lab tech expert has found ways to hack into medical devices in an attempt to explore security weaknesses and how to address them - the findings will make you ill
1,400+ vulnerabilities found in automated medical supply system (Help Net Security) Security researchers have discovered 1,418 vulnerabilities in CareFusion’s Pyxis SupplyStation system – automated cabinets used to dispense medical supplies – that are still being used in the healthcare and public health sectors in the US and around the world
Commonly used IoT devices vulnerable to privacy theft (Help Net Security) A technical investigation by Bitdefender has discovered that four commonly used Internet of Things (IoT) consumer devices are vulnerable to attack. The analysis reveals that current authentication mechanisms of many Internet-connected devices can easily be bypassed to expose smart households and their inhabitants to privacy theft
Let Me Get That Door for You: Remote Root Vulnerability in HID Door Controllers (Trend Micro: Simply Security) If you’ve ever been inside an airport, university campus, hospital, government complex, or office building, you’ve probably seen one of HID’s brand of card readers standing guard over a restricted area
Your Linux-based home router could succumb to a new Telnet worm, Remaiten (IDG via CSO) The worm takes advantage of exposed Telnet services with weak passwords to infect routers and other embedded devices
Sidestepper Allows for MiTM Between iOS Devices, MDM Tools (Threatpost) Apple’s Developer Enterprise Program has been abused in the recent past to push malicious apps onto iOS devices, most notably with the WireLurker, XcodeGhost and YiSpecter attacks
Tax Day Extortion: PowerWare Crypto-ransomware Targets Tax Files (TrendLabs Security Intelligence Blog) As we are certain about some aspects of life, the same can be said about cybercrime. Tax Day draws closer in the U.S., and as millions of Americans are in the process of filing their taxes, cybercriminals are also stepping in to make this task profitable for them and difficult for their victims
DHS: Ransomware attacks widely targeting feds (The Hill) More than two dozen federal agencies have been hit by attempted “ransomware” attacks since last July, the Department of Homeland Security (DHS) said on Wednesday
Cravath Admits Breach as Law Firm Hacks Go Public (American Lawyer) While it's no secret that law firms are often targeted by cyber criminals seeking sensitive client information, it’s rare for breaches to become public
Root Servers Were Not Targets of 2015 DDoS Attack (Threatpost) When the Internet’s root name servers are in the line of fire of a DDoS attack, people start to sweat, and with good reason since they are the authoritative servers used to resolve IP addresses
Online ‘activists’ a threat to Middle East security (National) The most prevalent cyber criminals in the Middle East are not online thieves out to pilfer your bank account, but “activists”, according to a new report by a UK-based defence, security and aerospace company
Companies could be the next ISIS target (MarketWatch) Companies could become larger targets of pro-Islamic State hackers, according to a security company that analyzes the group’s online activity
Carders use custom built POS malware to hit US retailers (Help Net Security) Crypto-ransomware might be the most prominent type of malware these days, but that doesn’t mean that criminals have stopped using other kinds
FBI Warns of Rise in Schemes Targeting Businesses and Online Fraud of Financial Officers and Individuals (FBI) FBI officials and various federal and local partners warn potential victims of the business e-mail compromise scam or “B.E.C.,” a scheme targeting American businesses that has resulted in massive financial losses. Officials also warn of scams targeting victims of online fraud, to include “Operation Romeo and Juliet,” a series of cases involving American victims who are targeted when they subscribe to online dating services
US Federal Court: “you didn’t show up for jury duty” scammers slicker than ever (Naked Security) You get a call from the federal court or US Marshals
'Anonymous' cyber-attack hits Angola govt after activists jailed (AFP via Yahoo! News) A Portuguese branch of the Anonymous hacking collective says it has shut down about 20 Angolan government websites in retaliation for the jailing of 17 youth activists for plotting "rebellion"
Bad bots love the cloud (Enterprise Times) Distil Networks has released its 2016 Bad Bot Landscape Report and it makes for somewhat depressing reading. Subtitled The Rise of Advanced Persistent Bots the report makes the point that bots are cheap to deploy, are leveraging cloud providers and are becoming increasingly sophisticated. All of this increases the pressure on IT infrastructure teams as they struggle to keep the bad guys out
Cybercrime: A Black Market Price List From The Dark Web (Dark Reading) What does it cost for malware, stolen identities and other tools of the cybercriminal trade? Probably less than you think
Weak IRS controls leave taxpayer data vulnerable, report says (Washington Post) Just in time for tax season, the Government Accountability Office is warning that weak financial controls at the Internal Revenue Service leave taxpayer information at risk
NASA Has a Cyber-Security Problem, Investigator Claims (Softpedia) Jason Miller, executive editor for Federal News Radio, is saying that the National Aeronautics and Space Administration (NASA) has a severe patching problem that's putting many of its systems at risk
Student bypasses Valve’s review process, publishes game on Steam (Help Net Security) Sometimes the only way to get an organization to listen to you when it comes to existing vulnerabilities in their products is to exploit them yourself and make the proof of the exploitation visible
Microsoft's artificial intelligence 'chatbot' messes up again on Twitter (Reuters) Almost a week after being shut down for spewing racist and sexist comments on Twitter, Microsoft Corp's artificial intelligence 'chatbot' called Tay briefly rejoined Twitter on Wednesday only to launch a spam attack on its followers
Security Patches, Mitigations, and Software Updates
Cisco Firepower Malware Block Bypass Vulnerability (Cisco) A vulnerability in the malicious file detection and blocking features of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on an affected system
Apple promises iOS fix “soon” for crashes in Safari and other apps (Naked Security) Apple made iOS 9.3 available last week, fixing a number of serious security holes
Verizon Galaxy Note Edge Marshmallow Update Still Missing As Security Update Blooms (Android Origin) Samsung Galaxy Note Edge owners will have to wait a little longer until they can experience Marshmallow on their devices as Verizon hasn’t updated the device following March’s security update. This is bad news but you shouldn’t feel uneasy as the device is still scheduled to receive the Marshmallow update in the future
Cyber Trends
Encryption Is a Luxury (Atlantic) The people that most need privacy often can’t afford the smartphones that provide it
Mass surveillance silences minority opinions, according to study (Washington Post) A new study shows that knowledge of government surveillance causes people to self-censor their dissenting opinions online
It takes 69 days to discover breaches (Business Insurance) It takes an average of 69 days for firms to discover they have been the victims of a data security incident and another seven days to achieve the problem's containment, says a law firm, in a survey issued Wednesday
Merging firms appealing targets for attackers (CSO) Companies going through a merger or acquisition, as well as their lawyers, financial advisers, and other associated firms are all tempting targets for cyberattackers, according to a new report from Digital Shadows
IT Security Survey Shows Company Size, Maturity Level are Crucial for Readiness (BusinessWire) Versasec study shows SMEs are bound by small security budgets, lack of information
Marketplace
In Apple Versus The FBI, Cyberstocks Win (Forbes) Earlier this week we learned that Apple’s security is, well, not that secure after all
CW@50: Fertile British breeding grounds for information security innovation (ComputerWeekly) Computer Weekly is marking its 50th anniversary this year with a series of articles celebrating 50 years of British technology innovation. In this article, we look at the evolution of information security threats and some of the British innovation to counter those threats
Aviation CEOs: Cybersecurity is Under Control (Aviation Today) The panel addressed how the aviation industry and regulatory awareness of aircraft cybersecurity issues have proliferated over the last year after the FBI set out to investigate claims that a professional hacker was able to control aircraft navigation systems after tapping into a seatback In-Flight Entertainment (IFE) interface
Building Stronger Readiness and Response with Cyberinsurance (Legaltech News) New regulations and the increase of cybercriminals using stolen information for payment fraud are spurring the adoption of cyberinsurance
Businesses Turn Their Backs on Banks That Lack the Right IT Security (IT Security Guru) Over two-thirds of companies prefer to bank with a provider who has a solid security reputation, according to a Kaspersky Lab survey. Those banks that make security a priority and take every effort to ensure measures are in place to safeguard against online financial fraud will have an advantage, when it comes to retaining existing customers and reaching new ones
Survey: With all eyes on security, talent shortage sends salaries sky high (CSO) Annual IT Salary Survey shines a light on security hiring and compensation trends
Army's cyber challenge to focus on micro cloud management (Defense Systems) The Army’s latest Cyber Innovation Challenge is looking to industry to help develop a holistic way to manage the tactical “micro clouds” used by deployed forces
BLACKOPS CEO Named Cybersecurity Professional of the Year (iReach) Expert confirms cybersecurity is part of larger economic and industrial war affecting every organization
DarkMatter names PKI specialist to SVP (Financial News) DarkMatter has appointed Scott Rea as Senior Vice President – Public Key Infrastructure (PKI), where he will lead the company's efforts to elevate Identity Management in the UAE and GCC region by establishing domestic Root Certification Authority services, the company said
Products, Services, and Solutions
LookingGlass Unveils Next-Generation Threat Intelligence Management Platform (NewsChannel10) LookingGlass Cyber Solutions™, the leader in threat intelligence and dynamic threat defense, today announced the availability of its next-generation threat intelligence management platform ScoutPrime™, as well as enhancements to its market leading Cyber Threat Center Open Source Intelligence (OSINT) collection platform and LookingGlass Cyveillance Malicious C2 (Command and Control) Machine Readable Threat Intelligence (MRTI) data feed
Add IRM, data security and encryption to any app (Help Net Security) Vera launched its new IRM-as-a-Service (IRMaaS) product, allowing developers to use Vera’s data security platform to build encryption, tracking, policy enforcement, and access control into custom business applications
SecureRF Announces Multi-Mode Sensor LIME Tag(TM) for the IoT, and an Update to its Credentialing Solution (Street Insider) New MY01 LIME Tag provides integrated Cellular, Bluetooth Low Energy (BLE), classic Bluetooth, and Near Field Communication (NFC) connectivity on single platform with security and sensors
Container security for enterprise computing (Help Net Security) The largest pain-point today for organizations moving to a container strategy is that containers are being adopted and managed by developers. Operations and security do not have the level of visibility and control that they are accustomed to. At the same time, for DevOps to succeed, security and operations controls must be as agile and move as quickly as the assets to be protected
Technologies, Techniques, and Standards
NIST Publishes New Security Standard For Encrypting Credit Card, Medical Info (Dark Reading) NIST published a new cybersecurity standard that specifies 'format-preserving encryption' techniques to secure credit card number and sensitive medical information
Surfing porn can lead to infections (CSO) Could not resist that as a clickbait title
How sandboxing can help in the fight against cybercrime (CSO) Barely a day goes by without new reports of organisations falling victim to cyber-attacks. Data breaches, network outages and system disruptions have become an unfortunate reality of the modern digital world
Machine Learning In Security: Good & Bad News About Signatures (Dark Reading) Why security teams that rely solely on signature-based detection are overwhelmed by a high number of alerts
Protecting identity could be key to enterprise security (TechCrunch) When you hear from people who know about security, the discussion often turns to end users, who are considered the weakest link in the security chain. While IT and the powers that be struggle to secure their networks and IP, the employees are forever screwing up, succumbing to phishing scams, using weak credentials and generally causing problems for the security experts who know best — or so says conventional wisdom
How long is a piece of string? The challenges and benefits of benchmarking security culture (CSO) A strong security culture is one of the best ways for organizations to protect themselves in today's digital world. But what defines a strong security culture? And how do you measure that?
A healthy dose of skepticism never hurt a security professional (CSO) Don't click without validation is one lesson that will do a security team a world of good
The Future of Data Protection? 3 New Approaches to Cybersecurity (Legaltech News) From preventing data exfiltration, to examining network behavior, malware and monitoring the dark web, LTN looks at three new approaches to cyberdefense
4 Cybersecurity Pitfalls to Avoid (AICPA Insights) You might break out in a cold sweat at just the thought of criminals on the other side of the world stealing your clients’ or customers’ account information
Over 60 Organizations Take Part in DHS Cyber Storm Exercise (FEDWeek) Over 1,100 people across more than 60 organizations took part in Cyber Storm V, the latest DHS-led national cyber security exercise designed to test a coordinated response to cyber attacks across the nation’s 16 critical infrastructure sectors such as energy, communications and financial services
UK and US to simulate cyber-attack on nuclear plants to test resilience (Guardian) Countries plan to cooperate by exploring the resilience of nuclear infrastructure to a terrorist attack
Design and Innovation
Comprehensive software security for cars will take years (CSO) Professor who pioneered car software security and broke Viagra spam botnets wins computer science prize
U.S. to Fight Cyber Attacks With 'Brain-Inspired' IBM Chip (PC Magazine) Lawrence Livermore National Lab will use the brain-inspired IBM Neuromorphic System for cyber-security issues
Blockchains: The Future of Recordkeeping? (Legaltech News) The need to ensure our digital heritage grows more important. Are blockchains the answer?
Research and Development
Entangled Photons Could Advance Quantum Cryptography (Photonics) Three photons have been experimentally entangled in a high-dimensional quantum property related to the “twist” of their wavefront structure, a milestone achievement for quantum physics
Legislation, Policy, and Regulation
Prepare for the EU Data Protection Law – Start Here (Heimdal Security) Do you know that (slight) sinking feeling when there’s a big change that influences the way you do things?
Former House Intel Chair Mike Rogers: Widened European Privacy Laws Hurt Intelligence Collection (USNI) As is the case in privacy laws created after World War II, and widened in the wake of the Edward Snowden leaks in Europe, “we’re going to pay a price” for limiting intelligence-collection when it comes to knowing what adversaries, terrorists and even allies are thinking, the former chairman of the U.S. House Intelligence Committee said Wednesday
Obama extends cyber sanctions power (The Hill) President Barack Obama on Tuesday expanded upon his statement that the rising number of cyberattacks on the U.S. constitutes a national emergency
Senator Wyden pledges to fight limits on encryption (Reuters) U.S. Senator Ron Wyden pledged on Wednesday to fight legislation expected shortly in Congress that would limit encryption protection in American technology products
Opinion: The San Bernardino iPhone and the 'going dark' myth (Christian Science Monitor Passcode) By breaking into the iPhone at the crux of the FBI v. Apple legal battle, law enforcement officials undercut their argument that encrypted devices are imperiling their efforts to surveil criminal and terror suspects
Encryption: Why Backdoors Are a Bad Idea (Design & Reuse) I have always had a passing interest in encryption and security. My PhD is on network file systems, where managing who has access to what data is an important aspect. I also spent the best part of a year working for a biometric security company (fingerprints and one-time-passcodes)
The New Intelligence Sharing Procedures “Are Not About Law Enforcement” (IC on the Record) There has been a lot of speculation about the content of proposed procedures that are being drafted to authorize the sharing of unevaluated signals intelligence
New Florida Law Lets Agencies Keep Some Breach Details Under Wraps (Dark Reading) Florida governor Rick Scott signs a bill to keep some critical information about data breaches confidential and out of the public eye
Litigation, Investigation, and Law Enforcement
Iran hacking indictment highlights US naming and shaming strategy (Christian Science Monitor Passcode) The Justice Department's indictment of alleged Iranian hackers last week is just the most recent example of the US government and security firms pointing fingers at specific nation-states hackers for cyberattacks
Cyber War Comes to the Suburbs (New Yorker) The Bowman Avenue Dam, in Rye, New York, would seem an unlikely candidate for a new front in the cyber wars
FBI Is Pushing Back Against Judge's Order to Reveal Tor Browser Exploit (Motherboard) Last month, the FBI was ordered to reveal the full malware code used to hack visitors of a dark web child pornography site. The judge behind that decision, Robert J. Bryan, said it was a “fair question” to ask how exactly the FBI caught the defendant
Apple to FBI: Please Hack Us Again (Daily Beast) Now that the FBI has figured out a way to hack into a locked iPhone, Apple wants the feds to pull the same trick a second time, in a different case
John McAfee: 'FBI Knew All Along They Could Unlock An iPhone With Cellebrite's UFED Touch' (Forbes) Cybersecurity legend and Libertarian candidate John McAfee says the FBI unlocked the San Bernardino iPhone using a device that the FBI had in their possession since 2013
FBI Cracks Apple iPhone: What People Are Saying (Fortune) We waded through the flood of commentary so you don’t have to
The FBI may have dropped one case against Apple, but the battle is far from over (Guardian) The San Bernardino shooter’s iPhone was allegedly unlocked by an ‘outside party’, making that case moot. But many others are going forward
US has asked Apple, Google to help unlock devices in more than 70 cases (CSO) About 30 of the cases are as recent as 2015, according to the ACLU
Google Also Has Been Ordered to Help Unlock Phones, Records Show (Wall Street Journal) Advocacy group finds 63 cases where government sought orders to have phones opened under 1789 law
The Other Reason the FBI Doesn't Want to Reveal Its Hacking Techniques (Motherboard) It's no secret that the FBI uses computer exploits and vulnerabilities in its investigations, but the agency has not exactly been forthcoming with detailing its techniques
Apple’s New Challenge: Learning How the U.S. Cracked Its iPhone (New York Times) Now that the United States government has cracked open an iPhone that belonged to a gunman in the San Bernardino, Calif., mass shooting without Apple’s help, the tech company is under pressure to find and fix the flaw
FBI already called in to unlock another murder case iPhone (Naked Security) Nothing breeds success like success
Former NSA deputy director says Edward Snowden lacks courage (CSO) Thoughts from Chris Inglis, former Deputy Director of NSA, about whistleblower Edward Snowden’s reasons for leaking classified NSA documents
Is Ransomware Considered A Health Data Breach Under HIPAA? (Forbes) While it’s tempting to think of ransomware as a new cyber threat, the history of digital extortion dates back to the 1980s, and one of the first examples of ransomware was the PC Cyborg Trojan
Oil and gas website operator charged for hacking (Reuters via Business Insurance) The founder of an oil and gas networking website was arrested on Wednesday on charges that he hacked and stole information from a rival site he had created and sold to DHI Group Inc., the Federal Bureau of Investigation said
Italian Police Arrest 16-Year-Old Anonymous Member (Softpedia) Today, Italian police arrested a sixteen-year-old boy from Udine, on the suspicion of being the leader of an Anonymous campaign named #OpSafePharma