CI Security

IT Security News Blast – 2-14-2019

Image-I-Nation supply chain breach exposes data of major credit agencies’ customers
“The hack into Image-I-Nation Technologies, which is connected to the big three credit reporting companies, is a perfect example of how cybercriminals are infiltrating the supply chain to steal data from large organizations, said Matan Or-El, co-founder and CEO of Panorays. Image-I-Nation has reviewed its inner workings and has implemented enhanced security measures. It has also notified the major credit bureaus and attached a copy of the Federal Trade Commission’s “Information About Identity Theft Prevention” to its notices for guidance.
https://www.scmagazine.com/home/security-news/image-i-nation-supply-chain-breach-exposes-data-of-major-credit-agencies-customers/
 
Selling 911 location data is illegal—US carriers reportedly did it anyway
Carriers pledged to stop selling their mobile customers' location information to third-party data brokers in June 2018 after a security breach, but a Motherboard investigation last month found that T-Mobile, Sprint, and AT&T were still doing so. In response, carriers again pledged to stop the practice—this time, for real. The carriers' sale of location data "is unquestionably illegal and the carriers knew it," Colorado Law professor Blake Reid wrote on Twitter. "The only question left is how widespread the practice was." Besides the CPNI rules, Reid wrote that carriers breaking their privacy promises is a violation of Section 5 of the Federal Trade Commission Act, which outlaws "unfair or deceptive acts or practices in or affecting commerce."
https://arstechnica.com/tech-policy/2019/02/att-t-mobile-sprint-reportedly-broke-us-law-by-selling-911-location-data/
 
Stakeholders Divided Over Ideas to Update HIPAA Privacy Rule
In written responses to OCR, groups representing different stakeholders took contrasting positions. Some are pushing for greater responsiveness to patient data requests, while others seek to avoid any additional burdens on provider groups. Pinpointing its concerns with HIPAA, the American Medical Informatics Association noted that currently it takes too long for protected health information (PHI) to be shared for permitted purposes; AMIA also said that HIPAA has been misused to restrict sharing of PHI and it has been a barrier to sharing mental health data and information.
https://www.hcinnovationgroup.com/cybersecurity/hipaa/article/21068348/stakeholders-divided-over-ideas-to-update-hipaa-privacy-rule
 
Intermountain CISO West: Cybersecurity for revenue cycle should be a KPI
Intermountain Healthcare's chief information security officer Karl West kicked off the HIMSS19 Revenue Cycle Solutions Summit with a strong message for his captive audience. If you're a revenue cycle leader, you need to understand a fundamental reality: There's a whole host of data available for hackers in your rev cycle. Not only is there payment information, there is also member information and all of your PHI. All of those are sources of cyber risk.
https://www.healthcarefinancenews.com/news/intermountain-ciso-west-cybersecurity-revenue-cycle-should-be-kpi
 
Legacy applications a ‘healthcare cybersecurity nightmare’
“Attackers are looking for any way they can to compromise systems and networks at scale even if that means threatening patient care. Legacy applications, in particular, are often riddled with vulnerabilities ready to be exploited by everyone from petty opportunists to major organised crime.” There is clearly concern in the industry too, as in its 2019 Top of Mind survey, The Center for Connected Medicine polled IT executives across 38 health systems, concluding that cybersecurity continues to be the biggest concern across the industry.
https://securitybrief.eu/story/legacy-applications-a-healthcare-cybersecurity-nightmare
 
Cyber attack on Malta bank tried to transfer cash abroad
Bank of Valletta which accounts for almost half of Malta’s banking transactions, had to shut down all of its operations on Wednesday after hackers broke into its systems and shifted funds overseas. [...] Prime Minister Joseph Muscat told parliament the cyber attack involved the creation of false international payments totaling 13 million euros ($14.7 million) to banks in Britain, the United States, the Czech Republic and Hong Kong. The funds have been traced and the Bank of Valletta is seeking to have the fraudulent transactions reversed.
https://www.reuters.com/article/us-bank-valetta-cyber/cyber-attack-on-malta-bank-tried-to-transfer-cash-abroad-idUSKCN1Q21KZ
 
Cyber criminals increasingly used 'formjacking' to carry out attacks in 2018: study
When a customer goes to pay for something online, the malicious code gathers all their entered data -- like payment card details or their username and address -- and then sends that information to the hackers' servers, which they can then use to commit fraud or even sell them on the dark web. "Requiring only a few simple lines of code loaded onto a website, formjacking represents a significant threat to online retailers, or anyone who collects personally identifiable information from their customers via their website," the report reads.
https://thehill.com/policy/cybersecurity/429672-new-report-says-cyber-criminals-increasingly-used-formjacking-to-carry
 
What impact could ransomware threats like the Bashe attack have on cyber insurance?
The Cyber Risk Management project – a co-ordinated effort between several universities and insurance companies that created a fake cyber threat known as the Bashe attack – reported earlier this month that a large-scale ransomware attack could cost $193bn (£150bn) and affect more than 600,000 businesses worldwide. But its revelation that 86% of the total cost – $166bn (£129bn) – would be uninsured should send shockwaves through the cyber insurance sector.
https://www.compelo.com/insurance/news/ransomware-threats-bashe-cyber-insurance/
 
What if the internet suddenly stopped? Russian tests raise devastating prospect of cyber war
Being able to remain online once the remainder of the world’s internet collapses would give Moscow an overwhelming advantage. Communications would still work. The wheels of industry would still turn. The lights would remain on. Its military would remain operational. But Russian industry is concerned about an impending test ‘unplug’ for the exact same reason: it could seriously damage their businesses. No country has ever been disconnected from the internet deliberately.
https://www.news.com.au/technology/innovation/military/what-if-the-internet-suddenly-stopped-russian-tests-raise-devastating-prospect-of-cyber-war/news-story/82ee5b0b5b473d15082fd7c8e60f900d
 
Russia and China Can Cripple Critical Infrastructure in United States
The U.S. intelligence agencies also took a broad, sweeping view of the way that Russia and China are coordinating their actions in cyberspace, all in an attempt to weaken U.S. influence abroad. Both nations are bolstering their cyber attack capabilities, while at the same time, probing the United States for cyber weaknesses. While the U.S. might still have military and technological superiority, the ability to damage critical infrastructure (such as power grids and banking networks) could level the playing field for Russia and China.
https://www.cpomagazine.com/cyber-security/russia-and-china-can-cripple-critical-infrastructure-in-united-states/
 
Watch out for fake DoD websites like this
Marine Corps Forces Cyberspace Command identified a website posing as the Department of Defense Transition Assistance Program this week. Upon visiting the phony URL address, the site asks for a visitor’s personal identification information and attempts to download malicious software onto the visitor’s personal computer. The warning was shared Tuesday by Air Forces Cyber on Facebook. The correct URL for the Transition Assistance Program is https://DoDTAP.mil/. The fake website used the appropriate acronyms but ended in the .com domain name, which brings users to commercial web addresses.
https://www.militarytimes.com/news/your-air-force/2019/02/13/watch-out-for-fake-dod-websites-like-this/
 
A New Tool Protects Videos From Deepfakes and Tampering
Video has become an increasingly crucial tool for law enforcement, whether it comes from security cameras, police-worn body cameras, a bystander's smartphone, or another source. But a combination of "deepfake" video manipulation technology and security issues that plague so many connected devices has made it difficult to confirm the integrity of that footage. A new project suggests the answer lies in cryptographic authentication. Called Amber Authenticate, the tool is meant to run in the background on a device as it captures video. At regular, user-determined intervals, the platform generates "hashes"—cryptographically scrambled representations of the data—that then get indelibly recorded on a public blockchain.
https://www.wired.com/story/amber-authenticate-video-validation-blockchain-tampering-deepfakes/
 
‘Go back to paper ballots’: Cybersecurity expert says there’s ‘no digital solution’ to election hacks
“Putting the voter closer to the ballot helps, but also those ballots give us the ability to do the post-election audit,” Hickton said. “It does seem counterintuitive when you think about it that we have to go back to former methods of voting, but the threat factor we face is clear. The machines that we’ve been using which were reformed when they were introduced in the mid-2000s have been demonstrated to be vulnerable over and over again.”
https://www.rawstory.com/2019/02/go-back-to-paper-ballots-cybersecurity-expert-says-theres-no-digital-solution-to-election-hacks/
 
31 AGs ask FTC to update Identity Theft Rules
Noting the proliferation of identity theft and consumers’ inability to divine how information stolen from breaches is being used, the AGs said that the rules – also known as the Red Flags Rule and the Card Issuers Rule – “appropriately place the burden on certain entities to detect, prevent and mitigate identity theft.” And only those entities, they contended, “have the ability to stop a fraudulent account from being opened at their own place of business or to notify a consumer of a change of address in conjunction with a request for an additional or replacement card, which is a strong indicator that the account may have been taken over by an identity thief.” [...] “Legislation as well as new procedures and technologies are required to battle identity theft.”
https://www.scmagazine.com/home/security-news/31-ags-ask-ftc-to-update-identity-theft-rules/
 
Snapd Flaw Lets Attackers Gain Root Access On Linux Systems
Ubuntu and some other Linux distributions suffer from a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to obtain root privileges and total control over the targeted system. Dubbed "Dirty Sock" and identified as CVE-2019-7304, the vulnerability was discovered by security researcher Chris Moberly, who privately disclosed it to Canonical, the maker of Ubuntu, late last month. The vulnerability resides in the REST API for snapd service, a universal Linux packaging system that makes an application compatible for various Linux distributions without requiring any modification.
https://thehackernews.com/2019/02/snapd-linux-privilege-escalation.html
 
Steam Pulled an Indie Game Accused of Being an Elaborate Cryptocurrency Mining Scam
The game, called Abstracticism, allegedly hijacked players’ computers and used them to mine cryptocurrency. The scam is known as “cryptojacking”, in which hackers force a victim’s computer to dedicate resources to guessing the correct value that validates a block of cryptocurrency transaction data. This process is extremely resource-intensive and can lead to overheating and slowdowns. Cryptocurrency mining can be lucrative as miners are rewarded with digital coins, which scammers receive without having to buy their own computers to do the mining with.
https://motherboard.vice.com/en_us/article/gy3dx7/steam-pulled-game-for-alleged-cryptocurrency-mining-scam-abstractism
 
Major Flaw in Runc Poses Mass Container Takeover Risk
Several technology giants have issued fixes for a dangerous vulnerability that could allow a malicious container to "break out" and gain root control of a host system. The emergency updates from Red Hat, Google, Amazon and others demonstrate that while containers are an increasingly used computing resource, any underlying flaws pose a serious data security risk. [...] "Containers share an operating system installed on the server and run as resource-isolated processes, ensuring quick, reliable and consistent deployments, regardless of environment," according to Amazon Web Services. But a flaw, CVE-2019-5736, has been found in runc, a lightweight tool for spawning and running containers. The flaw could be exploited by a remote attacker to execute arbitrary code in the environment.
https://www.bankinfosecurity.com/major-flaw-in-runc-poses-mass-container-takeover-risk-a-12019
 
Siemens Warns of Critical Remote-Code Execution ICS Flaw
SICAM 230 is used for a broad range of industrial control system (ICS) applications, including use as an integrated energy system for utility companies, and a monitoring system for smart-grid applications. One of the flaws affecting SICAM 230 is rated critical, with a CVSS v.3 score of 10: CVE-2018-3991 allows a specially crafted TCP packet sent to port 22347/tcp to cause a heap overflow, potentially leading to remote code-execution. Another, CVE-2018-3990, has a CVSS score of 9.3. It allows a specially crafted I/O request packet to cause a buffer overflow, resulting in kernel memory corruption and, potentially, privilege-escalation.
https://threatpost.com/siemens-critical-remote-code-execution/141768/
 
It's now 2019, and your Windows DHCP server can be pwned by a packet, IE and Edge by a webpage, and so on
For Redmond, the February dump covers 77 CVE-listed bugs across Windows, Office, and Edge/IE. Among the most potentially serious was CVE-2019-0626, a remote code execution vulnerability in the Windows Server DHCP component. While the bug won't be much of a risk to everyday PCs, admins running Windows networks will want to make this fix a top priority, says Trend Micro ZDI's Dustin Childs. "If you have a DHCP server on your network, and chances are you do, this patch should be at the top of your lists," Childs explained.
https://www.theregister.co.uk/2019/02/13/patch_tuesday_february/
 
WordPress plugin Simple Social Buttons flaw allows complete site takeover
The plugin allows users to add social media sharing buttons on the sidebar, inline, above and below the content of the post, on photos, pop ups and fly-ins. The bug is the result of an improper design flow and the lack of a permission check that results in privilege escalation and unauthorized actions in a WordPress installation that could allow non-admin users or even subscribers to modify the WordPress installation options from the wp-options table, according to a Feb. 11 WebARX blog post.
https://www.scmagazine.com/home/security-news/a-critical-vulnerability-in-the-wordpress-plugin-simple-social-buttons-allows-an-attacker-to-completely-takeover-a-website/
 
Popular Electric Scooter Can Be Hacked to Speed Up or Stop
Researchers from the mobile security firm Zimperium are warning that Xiaomi’s popular M365 scooter model has a worrying bug. The flaw could allow an attacker to remotely take over any of the scooters to control crucial things like, ahem, acceleration and braking. Rani Idan, Zimperium’s director of software research, says he found and was able to exploit the flaw within hours of assessing the M365’s security. His analysis found that the scooters contain three software components: battery management, firmware that coordinates between hardware and software, and a Bluetooth module that lets users communicate with their scooter via a smartphone app. The latter leaves the devices woefully exposed.
https://www.wired.com/story/xiaomi-scooter-hack/
 
You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at https://ci.security/news/daily-news.

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2018 CI Security. All rights reserved.