CI Security

IT Security News Blast – 12-2-2019

Now even the FBI is warning about your smart TV's security
"Beyond the risk that your TV manufacturer and app developers may be listening and watching you, that television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router," wrote the FBI.
https://finance.yahoo.com/news/now-even-fbi-warning-smart-194715311.html
 
Hacker’s paradise: Louisiana’s ransomware disaster far from over
Louisiana has brought some of its services back as it recovers from a targeted ransomware attack using the Ryuk malware on November 18. The state's Office of Motor Vehicles re-opened offices on Monday in a limited fashion. But OMV and other agencies affected—including the state's Department of Health and Department of Public Safety—are facing a number of potential hurdles to restoring all services, according to people familiar with Louisiana's IT operations.
https://arstechnica.com/information-technology/2019/11/hackers-paradise-louisianas-ransomware-disaster-far-from-over/
 
Q&A: When hackers have your healthcare IT department outgunned
Between quickly evolving U.S. Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) regulations, it’s now more necessary (and difficult) than ever for healthcare IT departments to ensure they’re following their industry’s rules and standards. Failing to comply with regulations like these could not only result in legal issues and hefty fines but data privacy issues as well.
http://www.digitaljournal.com/tech-and-science/technology/q-a-when-hackers-have-your-healthcare-it-department-outgunned/article/562650
 
Medical IoT Devices Are Vulnerable to Attack: Are Yours Protected?
Reliable security practices such as regular patching and detailed inventory-keeping can help your organization reduce the likelihood of a cyber event without compromising the unique abilities medical IoT technologies offer. [...] “You need governance behind anything that’s going to have an IP address,” Charles Christian, CTO for Franciscan Health, recently said at the CHIME19 Fall CIO Forum in Phoenix. “Know where a device is, its associated uses, its operating system, and whether it can be patched. It’s not easy but it is doable.”
https://healthtechmagazine.net/article/2019/11/medical-iot-devices-are-vulnerable-attack-are-yours-protected
 
Financial services must ensure sufficient cyber security to cope with the growing speed of change, according to KPMG cyber security practice leaders
"In the rush to provide a superior customer experience, financial services organisations are embracing robotics, AI, blockchain and real-time data analytics. However, they must keep a close eye on fraud and be aware of ever-changing fraud scenarios. Cyber criminals are already using new and advanced methods to manipulate security weaknesses, which means that traditional security and protection mechanisms may not be sufficient to deal with AI and advanced technology-enabled attacks."
https://finance.yahoo.com/news/financial-services-must-ensure-sufficient-071100505.html
 
Cyber attacks are a new front in assessing corporate risk
When a weather agency gives a hurricane a name in recognition of its size and strength, that affects how much compensation people can claim for its damage under their insurance policies. But as “acts of war” proliferate and become harder to define, who will insure businesses when they suffer catastrophic losses? “Corrupt business practices, cyber attacks, assassination, fake news, propaganda, the usurping of supply chains, the theft of intellectual property are now used to harm the west,” said General Nick Carter, the UK’s highest-ranking military officer, in a speech last year.
https://www.ft.com/content/76506474-0f97-11ea-a7e6-62bf4f9e548a
 
Building a Cyber Risk Report Your Board Will Love

  • How much risk do we have?
  • What are our top risks?
  • How is our risk posture trending – improving or degrading?
  • Are we spending too much or too little?
  • What is the cyber risk associated with a new business initiative?
https://www.infosecurity-magazine.com/opinions/build-risk-report-board-love/
 
The $6 Trillion Problem The Energy Industry Is Ignoring
Over the past several years, attacks on U.S. critical infrastructure have been steadily increasing. From oil and gas pipelines to nuclear plants, the threat is growing, and according to the U.S. Department of Defense, these attacks are likely to continue for the foreseeable future. Countries like Russia, Iran and even North Korea are arming themselves with teams of digital aces to go on the offensive. These agents work in the shadows and energy infrastructure is quickly becoming a prime target.
https://finance.yahoo.com/news/6-trillion-problem-energy-industry-000000744.html
 
Citing security concerns, senators call on White House to appoint coordinator for 5G issues
“China’s leadership [in 5G], combined with the United States’ increased reliance on high-speed, reliable telecommunications services to facilitate both commerce and defense, poses a strategic risk for the country,” the senators wrote to White House national security adviser Robert O’Brien, advising him to tap a senior official to coordinate 5G policy across federal agencies.
https://www.cyberscoop.com/5g-senators-trump-administration/
 
Why did Cyber Command back off its recent plans to call out North Korean hacking?
The behind-the-scenes reversal by Cyber Command appears to affirm that the VirusTotal sharing program may serve a dual purpose. Over the course of the last year, Cyber Command has been using the VirusTotal posts as a way to keep the security community guarded against adversarial threats. In at least one case, a Cyber Command announcement exposed an active attack from Russian-linked hackers. But the agency also has been calling out malware that the security community already had on its radar, in what appears to be an attempt to change adversaries’ behavior.
https://www.cyberscoop.com/cyber-command-north-korea-lazarus-group-fastcash/
 
Official: Russian-owned company attempted Ohio election hack
Republican Secretary of State Frank LaRose said the “relatively unsophisticated” hacking attempt on Nov. 5, which was Election Day, originated in Panama but was traced to a Russian-owned company. LaRose told The Columbus Dispatch Tuesday that the would-be attackers were looking around for vulnerabilities in his office’s website. “They are poking around for soft spots,” LaRose said.
https://apnews.com/6518b9a986f640c4899a979bbc48390b
 
Russia infiltrated Kansas nuclear plant's business network, FBI and DHS say
The Wolf Creek Nuclear Operating Corp. in Burlington, Kan., was one target of numerous cyberattacks against electric, water and power plants in the U.S. The New York Times reported that cybersecurity experts saw the attacks as a signal that Russia is positioning itself to disrupt the United States' critical facilities "in the event of a conflict." It even reported Russian agents had the capability to shut down or sabotage some U.S. power plants.
https://www.kansascity.com/news/local/article205581509.html
 
SMS Replacement is Exposing Users to Text, Call Interception Thanks to Sloppy Telecos
"I'm surprised that large companies, like Vodafone, introduce a technology that exposes literally hundreds of millions of people, without asking them, without telling them," Karsten Nohl from cybersecurity firm Security Research Labs (SRLabs) told Motherboard in a phone call. SRLabs researchers Luca Melette and Sina Yazdanmehr will present their RCS findings at the upcoming Black Hat Europe conference in December, and discussed some of their work at security conference DeepSec on Friday.
https://www.vice.com/en_us/article/j5ywxb/rcs-rich-communications-services-text-call-interception
 
Amazon Plans Ring Facial Recognition-Based ‘Watch List’, Report
Amazon is planning to use facial recognition software and its Ring smart home security devices to create an artificial-intelligence enabled “neighborhood watch list,” according to reports. According to internal documents reviewed by The Intercept, the “watch list” would automatically alert a Ring owner with a “suspicious activity prompt” on their mobile phones when an individual that was deemed “suspicious” was captured in the camera frame. [...] The report also leaves unclear what constitutes a “suspicious” individual, and how facial features of “suspicious” individuals could be collected in the first place.
https://threatpost.com/amazon-ring-facial-recognition-watch-list/150681/
 
FCC orders wireless providers to share 'vertical location' data
In a brief, the FCC said it would continue to work on establishing a long-term deadline for wireless carriers to provide specific floor levels for emergency callers. Additionally, the order limits the use of 911 call information to only be used for 911 purposes, an important step for the agency that’s seen caller location data sold on the black market for years.
https://statescoop.com/fcc-orders-wireless-providers-share-vertical-location-data-z-axis/
 
New Chrome Password Stealer Sends Stolen Data to a MongoDB Database
This trojan is called CStealer, and like many other info-stealing trojans, was created to target and steal login credentials that were saved in Google Chrome's password manager. [...] Instead of compiling the stolen passwords into a file and sending them to a C2 under the attacker's control, the malware connects directly to a remote MongoDB database and uses it to store the stolen credentials. To do this, the malware includes hardcoded MongoDB credentials and utilizes the MongoDB C Driver as a client library to connect to the database.
https://www.bleepingcomputer.com/news/security/new-chrome-password-stealer-sends-stolen-data-to-a-mongodb-database/
 
Someone got their own '.gov' website by pretending to be a small-town mayor and filling out an online form
The person used a fake Google Voice number and fake Gmail address, both of which reportedly cleared the government's authorization process. [...] Once the person obtained a fraudulent .gov domain, they were also able to access Facebook's law enforcement subpoena system, which allows government agencies to request personal information on Facebook users, screenshots obtained by Krebs show.
https://www.businessinsider.com/government-domain-site-fake-mayor-krebs-report-2019-11
 
Rudy Giuliani’s security company gets an “F” for website security
Mozilla Observatory, an online site-scanning service operated by the nonprofit company behind the Firefox web browser, rates Giuliani Security & Safety’s website an “F” for basic connection security, with a score of 0 out of 100. In a suite of 11 tests, the Giuliani Security & Safety site passes just 3, according to Mozilla. “I’d love to become the person that comes up with a solution to cybersecurity,” Giuliani told Fox News shortly after the 2016 presidential election, referring to a possible position in the Trump White House. Trump appointed Giuliani as his cybersecurity adviser in January 2017.
https://qz.com/1757484/giulianis-security-company-website-gets-an-f-for-security/



You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at https://ci.security/news/daily-news.

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2019 CI Security. All rights reserved.
