Get the latest cybersecurity, privacy, and surveillance news for information security professionals

IT Security News Blast – 4-30-2021

Experian API Exposed Credit Scores of Most Americans
Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. [...] Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score.
https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/
 
Biden Order Will Require New Cybersecurity Standards In Response To SolarWinds Attack
The order, as now written, lays out a series of new requirements for companies that do business with the government. The initiative includes plans for more systematic investigations of cyber events and standards for software development. The idea is to use the federal contracting process to force changes that will eventually trickle down to the rest of the private sector.
https://www.npr.org/2021/04/29/991333036/biden-order-to-require-new-cybersecurity-standards-in-response-to-solarwinds-att
 
NIST, CISA Share Software Supply Chain Attack Defense Guidance
Recent guidance from CISA and NIST is designed to tackle these challenges. Defending Against Software Supply Chain Attacks is an interagency resource for software vendors and customers, which provides an overview of supply chain risks and recommendations.
https://www.cisa.gov/publication/software-supply-chain-attacks
 
MEDICAL DEVICE CYBER-VULNERABILITY CASTS A CLOUD OVER GROWING USE
The attack surface of healthcare in the cybersecurity realm is forecast to explode in size in the next few years, in large part due to the proliferation of internet-attached medical devices. [...] The FDA’s Postmarket Cybersecurity Guidance (December 2016) incentivizes medical device vendors to participate in cyber-risk information sharing through a variety of ways[.]
https://www.healthleadersmedia.com/technology/medical-device-cyber-vulnerability-casts-cloud-over-growing-use
 
Should Doctors Receive a Cybersecurity Education?
As technology has evolved and we have moved to a more remote work environment, it is essential that cybersecurity becomes part of training for everyone in a medical organization, from human resources to the doctors themselves. By knowing the threats and understanding the solutions, doctors can protect their patients and provide advice to keep them safe even after they leave the office.
https://securityboulevard.com/2021/04/should-doctors-receive-a-cybersecurity-education/
 
Attention! FluBot Android Banking Malware Spreads Quickly Across Europe
Primarily distributed via SMS phishing (aka smishing), the messages masquerade as a delivery service such as FedEx, DHL, and Correos, seemingly notifying users of their package or shipment delivery status along with a link to track the order, which, when clicked, downloads malicious apps that have the encrypted FluBot module embedded within them.
https://thehackernews.com/2021/04/attention-flubot-android-banking.html
 
The data focused approach to ATM security
On the face of it, ATMs seem like simple machines to interface and conduct transactions. However, physical ATMs also act as a portal to the wider network, and a spoofed card can easily cause an ATM to lose connection with the central server, allowing it, or other machines on the same network, to be taken over - without triggering any alerts or logs.
https://www.finextra.com/blogposting/20229/the-data-focused-approach-to-atm-security
 
Precision Agriculture ‘Ripe for the Picking’ by Hackers
“Precision agriculture” is the collection of IoT devices that make up an ecosystem of global positioning systems, remote sensors and vast communication networks that are now considered critical to the success of the food and agriculture sector. Sensors are integrated into agricultural implements to determine the rate of application of water, pesticides and herbicides.
https://www.ajg.com/us/news-and-insights/2020/feb/precision-agriculture-ripe-for-the-picking-by-hackers/
 
Multi-Gov Task Force Plans to Take Down the Ransomware Economy
The Institute for Security and Technology (IST) put together the coalition, which includes more than 60 members from software companies, government agencies, cybersecurity vendors, financial services companies, nonprofits and academic institutions. Big names associated with the project include the U.S. Department of Justice, Europol and the U.K.’s National Cybersecurity Centre (NCSC); along with Amazon, Cisco, FireEye and Microsoft, et al.
https://threatpost.com/gov-task-force-ransomware-economy/165715/
 
US Government Taking Creative Steps to Counter Cyberthreats
An FBI operation that gave law enforcement remote access to hundreds of computers to counter a massive hack of Microsoft Exchange email server software is a tool that is likely to be deployed "judiciously" in the future as the Justice Department, aware of privacy concerns, develops a framework for its use, a top national security official said Wednesday.
https://www.voanews.com/silicon-valley-technology/us-government-taking-creative-steps-counter-cyberthreats
 
Ransomware Poses a Threat to National Security, Report Warns
The U.S. government in recent weeks has made clear its intention to aggressively pursue ransomware gangs. Homeland Security Secretary Alejandro Mayorkas described ransomware as a threat to national security in a speech on March 31. “Those behind these malicious activities should be held accountable for their actions. That includes governments that do not use the full extent of their authority to stop the culprits,” he said.
https://www.wsj.com/articles/ransomware-now-seen-as-threat-to-national-security-11619728378
 
Civilian Cyber Reserve Program Proposed
Creating the cybersecurity reservists program would require addressing credentialing and indemnification issues, says Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council. "How someone is identified and trusted as an emergency response volunteer for IT and OT systems is not universally defined," says Hamilton, now the CISO for CI Security.
https://www.bankinfosecurity.com/civilian-cyber-reserve-program-proposed-a-16486
 
U.S. government probes VPN hack within federal agencies, races to find clues
A recent report by the Atlantic Council, a Washington think tank, studied 102 supply chain hacking incidents and found they surged the last three years. Thirty of the attacks came from government-backed groups, primarily in Russia and China, the report said. The Pulse Secure response comes as the government is still grappling with the fallout of three other cyberattacks.
https://www.reuters.com/article/us-usa-cyber-vpn-idUSKBN2CG2EB
 
Was China behind last October’s power outage in India? Here’s what we know. [Subscription]
Foreign relations experts in the United States and India cite as fact that China was using its computing capabilities to coerce India in the border spat. But the evidence linking the power outage to a Chinese cyberattack is shaky, with little information in the public domain to indicate whether China attacked India’s electrical grid.
https://www.washingtonpost.com/politics/2021/04/29/was-china-behind-last-octobers-power-outage-india-heres-what-we-know/
 
New Tools, Old Tricks: Emerging Technologies and Russia’s Global Tool Kit
Present-day Russian cyber and influence campaigns are capable of doing a lot of damage—even if they can also sometimes be quite clumsy or fail to advance Russian strategic objectives. At the same time, Russia's operators are likely to remain highly technically capable and to make their mark by being operationally aggressive rather than by pioneering major technological advances.
https://carnegieendowment.org/2021/04/29/new-tools-old-tricks-emerging-technologies-and-russia-s-global-tool-kit-pub-84437
 
Researchers Uncover Stealthy Linux Malware That Went Undetected for 3 Years
The findings come from an analysis of a malware sample it detected on March 25, although early versions appear to have been uploaded to VirusTotal as early as May 2018. A total of four samples have been found to date on the database, all of which remain undetected by most anti-malware engines. As of writing, only seven security vendors flag the latest version of the malware as malicious.
https://thehackernews.com/2021/04/researchers-uncover-stealthy-linux.html
 
'BadAlloc' Flaws Could Threaten IoT and OT Devices: Microsoft
Microsoft today disclosed more than 25 critical memory allocation vulnerabilities in Internet of Things (IoT) and operational technology (OT) devices that could enable an attacker to bypass security controls and execute malicious code or cause a system to crash in industrial, medical, and enterprise networks.
https://www.darkreading.com/vulnerabilities-and-threats/badalloc-flaws-could-threaten-iot-and-ot-devices-microsoft/d/d-id/1340860
 
The IRS Wants Help Hacking Cryptocurrency Hardware Wallets
The security of hardware wallets presents a problem for investigators. The document states that agencies may be in possession of a hardware wallet as part of a case, but may not be able to access it if the suspect does not comply. [...] That's why the IRS wants researchers and contractors to come forward with solutions to hack into hardware wallets. Crucially, the IRS does not want a one-off solution, but tools that it can reliably use in multiple cases going forward.
https://www.vice.com/en/article/k78a53/the-irs-wants-help-hacking-cryptocurrency-hardware-wallets

You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at https://ci.security/news/daily-news.

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2020 CI Security. All rights reserved.
CI Security

245 4th St, Suite 405  Bremerton, WA   98337