CI Security

IT Security News Blast – 12-17-2018

“Operation Sharpshooter” Targeting Global CI, Finance And Defense
“Critical infrastructure organizations, especially those who deal with defense-related initiatives, should always be on high alert for unexpected threats that might negatively impact their ability to keep sensitive information or critical personnel secure. This is a given, but the lesson learned is that it takes a balanced weighting of people, process, and technology to facilitate a high-performing, always-alert cybersecurity program that can more effectively stop the original threat.”
https://www.informationsecuritybuzz.com/expert-comments/operation-sharpshooter-targeting-global-ci/
 
Facebook Flaw Exposes Private Photos for 6.8M Users
While Facebook usually only grants apps with permissions access to photos that people share on their timeline, “In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories,” Tomer Bar, engineering director at Facebook, said in a post Friday. “The bug also impacted photos that people uploaded to Facebook but chose not to post.”
https://threatpost.com/facebook-photos-exposed/139940/
 
TSA says it no longer tracks regular travelers as if they may be terrorists
The agency said it has also stopped following passengers through baggage claim and no longer compiles extensive reports on travelers who failed to rouse suspicions. [...] The sweeping changes followed a series of Globe reports revealing that thousands of ordinary citizens had been swept up in the Quiet Skies program and subjected to minute-by-minute surveillance by armed, undercover air marshals through airports and on flights.
https://www.msn.com/en-us/travel/news/tsa-says-it-no-longer-tracks-regular-travelers-as-if-they-may-be-terrorists/ar-BBQZhiQ
 
How To Protect Healthcare Records In A Zero Trust World
Treating healthcare’s breach epidemic needs to start by viewing every threat surface, access point, identity, and login attempt as the new security perimeter. Healthcare providers urgently need to take a “never trust, always verify” approach, adopting Zero Trust Security to protect every threat surface using Next-Gen Access for end-user credentials and Privileged Access Management (PAM) for privileged credentials.
https://www.forbes.com/sites/louiscolumbus/2018/12/16/how-to-protect-healthcare-records-in-a-zero-trust-world/#2738e25ef517
 
Attorneys General File First HIPAA Related Data Breach Suit
The AGs have alleged that MIE failed to institute proper data security safeguards to protect ePHI from unauthorized access. Moreover, the AGs argue that the company did not have appropriate controls in place to prevent the exploitation of its system’s vulnerabilities, and when the breach occurred, the company failed to disclose it in a timely fashion. Other than federal HIPAA violations, the AGs’ suit alleges numerous violations of state laws, including data breach notification and deceptive trade practices. The complaint requests injunctive relief as well as an undetermined amount of money for restitution and civil penalties.
https://www.jdsupra.com/legalnews/attorneys-general-file-first-hipaa-17269/
 
SEC getting more aggressive on financial cyber lapses
The Federal Trade Commission (FTC) has been at it for a number of years, and as a recent post in Lawfare noted, the Securities and Exchange Commission (SEC) intends to get more aggressive about it in the financial sector. [...] On its website, the agency lists 60 cyber enforcement actions it has taken going back to 2012. They include 27 involving digital assets or ICOs (initial coin offerings), 3 for account intrusions, 4 for hacking or insider trading, 5 for market manipulation, 3 for failure to safeguard customer information, 2 involving public company disclosure and controls, and 17 involving trading suspensions.
https://securityboulevard.com/2018/12/sec-getting-more-aggressive-on-financial-cyber-lapses/
 
Sextortion gang found to be behind email bomb threat spree
Jaeson Schultz, Cisco Talos technical leader, noted there are many similarities between the bomb threat emails and sextortion/extortion attacks Cisco Talos has monitored previously. Some of the subject headers used in the bomb threats, including “You’re my victim” and “Your life in your hands” were previously used in the sextortion emails. Additionally, the written text between the two is similar and when the IP addresses behind the bomb threats were studied, messages from early October that were from a sextortion attack were found.
https://www.scmagazine.com/home/security-news/sextortion-gang-found-to-be-behind-email-bomb-threat-spree/
 
Marriott Breach Exposes Weakness in Cyber Defenses for Hotels
Now, as Marriott grapples with the fallout from its Nov. 30 disclosure that as many as 500 million guests had their data exposed to hackers, there is a growing sense that an industry whose bedrock business is providing real-world security isn’t equipped to look after its guests in cyberspace. The company is preparing to deliver written responses next week to a U.S. Senate inquiry amid reports the attack was carried out by the Chinese government.
https://www.bloomberg.com/news/articles/2018-12-14/marriott-cyber-breach-shows-industry-s-hospitality-to-hackers
 
The ‘Global Cybercrime Problem’ Is Actually the ‘Russia Problem’
Earlier this year, the Justice Department broke up one cybercrime ring based in Russia whose literal motto was “In fraud we trust.” The Justice Department charged 36 individuals, many of whom live in Russia beyond the law’s reach, and outlined a scheme by which they stole more than a half-billion dollars. It’s hardly the only example from this year; last week, the FBI announced that it had dismantled two other cybercrime rings and charged eight people—seven of them Russian—with running a multimillion-dollar ad-fraud scheme. (Three of those charged were able to be caught overseas in friendly countries that respect the rule of law: Malaysia, Bulgaria, and Estonia.)
https://www.theatlantic.com/ideas/archive/2018/12/how-trump-can-stand-russian-cybercrime/578185/
 
Chinese hackers targeting U.S. Navy contractors with multiple breaches: WSJ
Chinese hackers have breached U.S. Navy contractors to steal a raft of information, including missile plans, through what some officials describe as some of the most debilitating cyber campaigns linked to Beijing, the Wall Street Journal reported on Friday. Victims have included contractors of all sizes, with some of the smaller ones struggling to invest in securing their networks, as hackers over the last 18 months have conducted numerous breaches to gather intelligence, sabotage American systems, and steal intellectual property, the Journal reported.
https://www.reuters.com/article/us-usa-cyber-china-navy/chinese-hackers-targeting-u-s-navy-contractors-with-multiple-breaches-wsj-idUSKBN1OD1V6
 
Iranian hackers take aim at foreign nuclear experts and US officials
Government-backed Iranian hackers scrambled to break into the personal emails of US Treasury officials after harsh economic sanctions were reimposed on Tehran last month, a cybersecurity group said. The hacking group, nicknamed Charming Kitten, also took aim at foreign nuclear experts in data tracked by Certfa analysts in the UK. In another sign of how deeply cyber espionage is woven into the fabric of US-Iranian relations, nuclear deal defenders and detractors, Arab atomic scientists, Iranian civil society figures and Washington think-tank employees were on the hackers' hit list.
https://www.thenational.ae/world/mena/iranian-hackers-take-aim-at-foreign-nuclear-experts-and-us-officials-1.803259
 
Audit finds cyber vulnerabilities in US missile defense system
Investigators visited five sites that manage ballistic missile defense elements and technical information, but the names of the commands were redacted in the publicly released report. “The Army, Navy and MDA did not protect networks and systems that process, store, and transmit (missile defense) technical information from unauthorized access and use,” the declassified report states. Such inadequacies “may allow U.S. adversaries to circumvent (missile defense) capabilities, leaving the United States vulnerable to missile attacks,” the report states.
https://www.armytimes.com/news/your-navy/2018/12/14/audit-finds-cyber-vulnerabilities-in-us-missile-defense-system/
 
[VIDEO] NewsJacker November 2018: Midterm Elections, Healthcare Cybersecurity Programs, Data Privacy Trends, and More
November was an interesting month, no doubt. In my latest episode of NewsJacker, I cover headlines from this past month, including the midterm election, recent research on healthcare orgs lacking comprehensive cybersecurity programs, trends in data privacy, and more, all in 7 minutes. Check it out.
https://ci.security/news/article/video-newsjacker-november-2018-midterm-elections-healthcare-cybersecurity-programs-data-privacy
 
Internet of Bodies: The Privacy and Security Implications
With AI, it is possible to process massive amounts of data instantaneously, and to use powerful machine learning algorithms to arrive at conclusions. AI could be used to create a dystopian Orwellian state, in which all behaviors are tracked, all genetic anomalies are edited or removed entirely, and all citizens are under constant 24-hour surveillance. Imagine being turned down for healthcare coverage because an AI system detected certain warning signs in all of your biometric or physiological data, or being required by the state to undergo behavioral modification training for committing a “health crime.”
https://www.cpomagazine.com/2018/12/14/internet-of-bodies-the-privacy-and-security-implications/
 
Signal app to Australia: Good luck with that crypto ban
Signal, one of the most secure messaging apps, essentially told Australia this week that its attempts to thwart strong crypto are rather cute. "By design, Signal does not have a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars," Joshua Lund, a Signal developer wrote. "The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom."
https://arstechnica.com/tech-policy/2018/12/signal-to-australia-good-luck-with-that-crypto-ban/
 
How Congress could force tech companies to stop exposing your personal data
The Data Care Act would require tech companies to promptly inform users of security breaches, prohibit them from using data to “harm users,” and ensure that security measures are in place even when companies share users’ data with third parties. The act would be enforced by the Federal Trade Commission, which would establish fines and other punishments if companies violate it. [...] Another bill, introduced by Sen. Ron Wyden of Oregon, suggested a jail sentence of 10 to 20 years for tech executives who fail to follow rules around data use and would allow the FTC to fine tech companies up to 4% of their annual revenue for a violation.
https://www.marketwatch.com/story/how-congress-could-force-tech-companies-to-stop-exposing-your-personal-data-2018-12-14
 
How our data got hacked, scandalized, and abused in 2018
Without a doubt, this was the biggest data scandal of 2018, though technically it began years earlier. On March 17, 2018, the Guardian and the New York Times broke the story of how British political consulting firm Cambridge Analytica harvested the data of at least 87 million Facebook users without their knowledge after obtaining it from people who partook in a quiz app. Cambridge Analytica then sold this data to the Donald Trump campaign, which used it to target election messages at Facebook users in the 2016 presidential election campaign.
https://www.fastcompany.com/90272858/how-our-data-got-hacked-scandalized-and-abused-in-2018
 
Magecart-style credit card sniffer spotted for sale, online retailers beware
The tool is advertised to contain two components: a standard universal payment card sniffer and a control panel. The tool’s control panel is capable of generating a custom credit card sniffer in a JavaScript file that will work on any e-commerce site that employs Magento, OpenCart or OsCommerce payment forms. In addition, researchers noted it used Secure Socket Layer (SSL) protocol to encrypt the outbound payment card data being collected, which makes it harder for security teams to see the data being exfiltrated from the e-commerce site.
https://www.scmagazine.com/home/security-news/armor-researchers-are-warning-retailers-after-spotting-the-tool-for-sale-on-the-dark-web-for-1300-usd-on-a-russian-forum/
 
Smart home charging networks vulnerable to cyber attacks
For example, the researchers found a way to initiate commands on the charger and to either stop the charging processor or set it to the maximum current possible. While the first option would only prevent a person from using the electric car, the second one could potentially cause the wires to overheat on a device that is not protected by a trip fuse. All an attacker needs to do to change the amount of electricity being transmitted is obtain Wi-Fi access to the network the charger is connected to.
https://www.electrive.com/2018/12/16/smart-home-charging-networks-vulnerable-to-cyber-attacks/
 
You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at https://ci.security/news/daily-news.

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2018 CI Security. All rights reserved.

CI Security
245 4th St, Suite 405  Bremerton, WA 98337