CI Security

IT Security News Blast – 1-17-2020

Critical Windows 10 vulnerability used to Rickroll the NSA and Github

Researcher Saleem Rashid on Wednesday tweeted images of the video "Never Gonna Give You Up," by 1980s heart-throb Rick Astley, playing on Github.com and NSA.gov. The digital sleight of hand is known as Rickrolling and is often used as a humorous and benign way to demonstrate serious security flaws. In this case, Rashid's exploit causes both the Edge and Chrome browsers to spoof the HTTPS verified websites of Github and the National Security Agency.

https://arstechnica.com/information-technology/2020/01/researcher-develops-working-exploit-for-critical-windows-10-vulnerability/

U.S. Army Hacked By 52 Hackers In Five Weeks

There were in excess of 60 publicly accessible U.S. Army online assets that could be targeted by the hackers during the five-week challenge window. These included the army.mil and goarmy.com web domains and the Arlington Cemetery website. The 52 hackers, from countries including the U.S., Canada, Germany and Romania, reported a total of 146 validated vulnerabilities in all.

https://www.forbes.com/sites/daveywinder/2020/01/16/us-army-hacked-by-52-hackers-in-five-weeksheres-why/#65649d6c1669

More Health Quest Patients Added to 2018 Phishing Attack Victims

For the additional patients, both former and current, the compromised data varied by individual and could include dates of birth, Social Security numbers, Medicare Health Insurance Claim Numbers, driver’s licenses, treatment, dates of service, provider names, diagnoses, health insurance plan member and group numbers, financial account information with PINs or security codes, and payment card data.

https://healthitsecurity.com/news/more-health-quest-patients-added-to-2018-phishing-attack-victims

2019 in Review: Data Breach Statistics and Trends

As if healthcare bills weren’t high enough, the past year saw more medical care disrupted and patients exposed to medical identity theft (we explain how it works in this post) than ever before. Part of this development was due to the resurgence of targeted ransomware attacks against hospitals, medical practices, and nursing homes across the nation. Also to blame are third-party vendor breaches and phishing, which caused some of the most massive healthcare data breaches of the past year[.]

https://securityboulevard.com/2020/01/2019-in-review-data-breach-statistics-and-trends/

New York Bank Cyber Rule Deadline Signals Enforcement Risk

The state Department of Financial Services’ April 15 deadline is a reminder to financial firms that they have the next three months to bolster their systems before it’s too late to avoid fines under the first-in-the-nation state cybersecurity rules, attorneys said. There likely will be “a significant increase” in enforcement after the deadline[.] State enforcers are “staffing up” ahead of the deadline, he said.

https://news.bloomberglaw.com/privacy-and-data-security/new-york-bank-cyber-rule-deadline-signals-enforcement-risk

Cyber Daily: Financial Regulators to Bore Into Cloud Agreements at Banks, Brokers

Concerns about cloud security prompt more scrutiny from financial regulators. U.S. financial regulators put banks and brokers on notice that a key part of compliance audits will be the scrutiny of how these firms control the information they store in the cloud. Regardless of any arrangements that divide responsibility between cloud users and providers, regulators [...] said at a Financial Industry Regulatory Authority conference Tuesday that they consider the companies themselves liable for any breaches.

https://www.wsj.com/articles/cyber-daily-financial-regulators-to-bore-into-cloud-agreements-at-banks-brokers-11579183622

Defense Contractors to Face Added Costs With Cybersecurity Audit

The Defense Department plans to release the standards at the end of January as it rushes toward requiring new universal auditing of contractors’ cyber safeguards by this summer. The military’s vast commercial supply chain, especially smaller vendors, has emerged as a critical national security weakness. [...] A total of about 300,000 contractors large and small will be subject to the cyber auditing and certification, which the department has dubbed the Cybersecurity Maturity Model Certification, or CMMC.

https://about.bgov.com/news/defense-contractors-to-face-added-costs-with-cybersecurity-audit/

DHS Bulletin to Hazardous Chemical Sector: Beef Up Cyber, Physical Security at Facilities

The Chemical Security Insights bulletin from the Cybersecurity and Infrastructure Security Agency, “Enhancing Chemical Security During Heightened Geopolitical Tensions,” urges all “facilities with chemicals of interest (COI)—whether tiered or untiered under the Chemical Facility Anti-Terrorism Standards (CFATS) program—to consider enhanced security measures to decrease the likelihood of a successful attack.”

https://www.hstoday.us/subject-matter-areas/infrastructure-security/dhs-bulletin-to-hazardous-chemical-sector-beef-up-cyber-physical-security-at-facilities/

Ukrainian authorities ask FBI for help investigating Russian hack on Burisma

Ukraine’s Ministry of Internal Affairs on Thursday announced that the country’s cyber police had started "criminal proceedings" around the recent hacking of gas company Burisma, and noted that authorities were seeking the assistance of the FBI in pursuing the case. The ministry wrote in a statement that criminal proceedings had been launched, and that “persons involved in committing this criminal offense are being identified.”

https://thehill.com/policy/cybersecurity/478607-ukrainian-authorities-ask-fbi-for-help-in-investigating-russian-hack-on

Expect the unexpected from Iran

What should we expect, if not consistency? Although it’s possible that Iranian leaders will continue the “slow burn” of adversarial efforts (e.g., dealing with the U.S. as if it were a proverbial “boiling frog”), it is doubtful. That’s not to say that they will end attacks against Americans. There may be a temporary de-escalation, but I do not believe they will abandon their war against us.

https://thehill.com/opinion/national-security/478199-expect-the-unexpected-from-iran

US military families receiving ‘menacing’ messages: ‘Leave the Middle East. Go back to your country’

“If you like your life and you want to see your family again, pack up your stuff right now and leave the Middle East,” the message read. “Go back to your country. You and your terrorist clown president brought nothing but terrorism. You fools underestimate the power of Iran. The recent attack on your [expletive] bases was just a little taste of our power[.]"

https://foxwilmington.com/headlines/us-military-families-receiving-menacing-messages-leave-the-middle-east-go-back-to-your-country/

Congress wrestles with deterring China ― beyond nukes

The Pentagon should also find a means to temporarily interrupt China’s ability to target U.S. ships, McDevitt said ― likely through jamming or some sort of anti-satellite warfare. “China is becoming as dependent as we are on space, cyber networks, and so without their ability to surveil the open ocean, they can’t use their anti-ship ballistic missiles; they don’t know where to vector their diesel submarine; they don’t know where to launch their land-based aircraft,” McDevitt said.

https://www.defensenews.com/congress/2020/01/16/congress-wrestles-with-deterring-chinabeyond-nukes/

Election officials should expand audit targets, think tank says

State election officials should audit not just ballots but also “registration databases, physical and cybersecurity procedures, ballot reconciliation protocols, and resource allocation tools,” the Bipartisan Policy Center said in a report published this morning. The document, a product of BPC’s elections task force, made 21 recommendations that went beyond election security measures.

https://www.politico.com/newsletters/morning-cybersecurity/2020/01/16/election-officials-should-expand-audit-targets-think-tank-says-784453

App firms, adtech industry in firing line over possible GDPR violations

According to a report called “Out of Control: How Consumers Are Exploited by the Online Advertising Industry,” released Tuesday by the Norwegian Consumer Council (NCC), app developers are sharing highly personal information with adtech firms as part of their business model, despite the risk of violating tough privacy rules, the prospect of being hit with hefty fines, and the possibility of losing consumer trust and damaging their brands. It has filed complaints under the GDPR against six of the worst offenders, including Twitter.

https://www.complianceweek.com/data-privacy/app-firms-adtech-industry-in-firing-line-over-possible-gdpr-violations/28316.article

More than 600 million users installed Android 'fleeceware' apps from the Play Store

The term fleeceware is a recent addition to the cyber-security jargon. It was coined by UK cyber-security firm Sophos last September following an investigation that discovered a new type of financial fraud on the official Google Play Store. It refers to apps that abuse the ability for Android apps to run trial periods before a payment is charged to the user's account.

https://www.zdnet.com/article/more-than-600-million-users-installed-android-fleeceware-apps-from-the-play-store/

A Practical Guide to Zero-Trust Security

This all makes sense in theory, but what does implementing zero trust look like in practical terms? When talking to customers about steps they can take to build a zero-trust security architecture, I focus on five main pillars – device trust, user trust, transport/session trust, application trust and data trust. Let’s take a closer look at each of these pillars and the underlying technology required to establish trust in each one.

https://threatpost.com/practical-guide-zero-trust-security/151912/

Another reason to hurry with Windows server patches: A new RDP vulnerability

These two separate bugs, identified as CVE-2020-0609 and CVE-2020-0610, are rated as more dangerous than the crypto bug by Microsoft because, while they're not yet exploited, they could be used to remotely execute code on targeted RDP servers before the gateway even attempts to authenticate them. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the Microsoft Security Response Center summary of both vulnerabilities warned.

https://arstechnica.com/information-technology/2020/01/another-reason-to-hurry-with-windows-server-patches-a-new-rdp-vulnerability/

What do Brit biz consultants and X-rated cam stars have in common? Wide open... AWS S3 buckets on public internet

The second info trove the team uncovered puts the "exposure" in data exposure. That instance, also a misconfigured S3 bucket, contained nearly 20GB belonging to the subtly-named adult cam network PussyCash. According to VPNmentor's crew, within that archive was 875,000 records containing the personal information of 4,000 of the site's saucy performers. These include scans of documents that prove the model's age, things like ID cards, birth certificates, and passport scans. Also included were performer release forms and profile information.

https://www.theregister.co.uk/2020/01/15/open_s3_buckets/



You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at https://ci.security/news/daily-news.

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2019 CI Security. All rights reserved.

CI Security
245 4th St, Suite 405  Bremerton, WA 98337