Information Security – Data Breach

Cybersecurity Needs More Than Just Technical Experts

Demand for cybersecurity personnel is ever increasing, and cyber teams could benefit from a broad range of skills beyond the typical technical employees, according to experts who spoke at New America’s Embracing Innovation and Diversity in Cybersecurity event on Aug. 11.
“Cyber, really, there’s a lot of technical work to be done, but there’s a lot of work on the policy, and even on the legal, side,” said Debora Plunkett, principal at Plunkett Associates and former director of Information Assurance at the National Security Agency.
“Take a risk, be willing to pick somebody who doesn’t look like you.
Be willing to give somebody an opportunity who has perhaps demonstrated academic accomplishment but has not had the opportunity to apply that in the workplace.” According to Randi Kieffer, vice president of Cybersecurity Audit at Capital One and former deputy director of the National Cybersecurity Communications and Integration Center, communication is a critical and often overlooked skill for cybersecurity teams.
“Without the mission, there is no cyber.” She encouraged students in traditionally noncyber fields to consider how their skills might transfer to an IT team.
“If you’re in a field that seems unrelated, I’d challenge you to figure out where that link is and what value you can bring,” said Kieffer.
“When I speak about diversity, I’m looking for skills, both technically and those soft skills that I want to balance out my team.” “You have to challenge yourself sometimes to get out of your comfort zones to take the chance to do something different,” agreed Mihoko Matsubara, chief security officer for Japan at Palo Alto Networks.
Kieffer, who has worked on both government and industry teams, said that the Federal government offers employees the unique ability to move into positions outside their original field.
I didn’t have to take a pay cut, I didn’t have to go back to school.” Samara Moore, director of Cyber Strategy and Engagement at Exelon and former director for Cybersecurity Critical Infrastructure on the White House National Security Staff, said that she encounters many adults midcareer who are interested in changing over to cyber.

State AGs Reach Settlement with Nationwide Over 2012 Data Breach

On August 9, 2017, attorneys general representing 32 states and the District of Columbia announced a settlement with Nationwide Mutual Insurance Co. and its unit Allied Property & Casualty (collectively, “Nationwide”) to resolve the states’ investigation into the company’s 2012 data breach.
Under the terms of the Assurance of Voluntary Compliance (“AVC”), found here, Nationwide will pay $5 million to the states.
After the data were exfiltrated, Nationwide addressed the software vulnerability by applying a software patch that was not previously applied, according to the AVC.
Nationwide collected this personal information to provide insurance quotes to consumers applying for insurance, according to Attorney General Bondi.
Other breaches have often involved payment card information, which is typically considered less sensitive because consumers can be issued new credit and debit cards.
Second, the settlement demonstrates the states’ continued interest in investigating data breaches and establishing comprehensive cybersecurity standards.
State attorneys general are interested not only in monetary payment, but also in requiring companies to take steps to strengthen their security practices.
As a result, companies that collect and store personal information should closely monitor these AVCs to ensure that they have proper security controls in place.
Florida was a “lead state in the investigation,” according to Attorney General Bondi’s office.
The other AG offices participating are those of Alaska, Arizona, Arkansas, Connecticut, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington and the District of Columbia.

New Disdain Exploit Kit Sold on Underground Hacking Forums

Spotted by Peruvian security researcher David Montenegro, the exploit kit — named Disdain — is available for rent on a daily, weekly, or monthly basis.
The price points are lower than those of the rival Nebula EK, which is priced at $100, $600, and $2,000.
Below are the exploit kit’s main features:
* Domain Rotator
* RSA Key exchange for Exploits
* Panel server is untraceable from Payload server
* Geolocation available
* Browser & IP tracking
* Scan domain
To be a good exploit kit, Disdain has to provide “exploits” that renters can use to infect users.

Disdain’s author has a bad reputation

The Disdain ad was first spotted last week.
Currently, there is no malvertising campaign or botnet redirecting traffic to any Disdain “landing page,” according to a security researcher who spoke with Bleeping Computer about Disdain but did not want to reveal his name.
One reason why we haven’t seen any active campaign might be that Disdain’s author — Cehceny — is currently banned and marked as a “ripper” (scammer) on at least one major underground hacking forum.
Exploit kit market in shambles

If criminal groups are willing to look past Cehceny’s bad reputation, rent Disdain and deploy it in malvertising campaigns, then Disdain will become one of the very few new exploit kits that have entered the market this year.
The exploit kit market has been on a downward spiral for the past 16 months.
This year, we’ve seen new players such as Sundown-Pirate, and a few other EKs that have survived only a few months.

Microsoft PowerPoint exploit used to bypass antivirus and spread malware

Cyber attackers are exploiting a vulnerability to evade antivirus detection and deliver malware via Microsoft PowerPoint.
As with many hacking campaigns, this attack begins with a spear-phishing email.
The message purports to be from a cable manufacturing provider and mainly targets organisations in the electronics manufacturing industry.
The sender’s address is disguised to look like a message from a business partner, and the email appears to relate to an order request, with an attachment purportedly containing shipping information.
However, the attachment is useless to the recipient: it contains a malicious PowerPoint show that, when opened, simply displays the text ‘CVE-2017-8570’, the identifier of a different Microsoft Office vulnerability from the one used in this attack.
The malicious file triggers an exploit for the CVE-2017-0199 vulnerability, which initialises the infection process and results in malicious code being run through the PowerPoint Show animations feature; if successful, this downloads a file named logo.doc.
This downloaded logo.doc contains XML and JavaScript code, which runs PowerShell to execute a file called ‘RATMAN.EXE’, a Trojanised version of the Remcos remote access tool, which then connects to a command and control server.
Ultimately, it can give the attacker almost full control over the infected machine without the owner being aware.
Researchers note that the sample behind this attack uses a .NET protector, which includes several protections and obfuscations to make it more difficult for researchers to reverse engineer.
Nonetheless, users need to remain alert to the risks posed by legitimate looking phishing emails.
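A defensive illustration of the chain described above, added here and not part of the original article: a small detector that walks constructed process-creation log lines and flags an Office application (PowerPoint, as in this campaign) spawning PowerShell, together with any executable that PowerShell then launches, such as RATMAN.EXE. The log format, field names and sample lines are constructed for this example, not taken from any product's telemetry.

```python
from collections import defaultdict

# Constructed sample of process-creation events (not real telemetry).
# Each line: timestamp|pid|ppid|image path|command line
SAMPLE_EVENTS = """\
10:00:01|4100|1200|C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE|POWERPNT.EXE /s order_shipping.ppsx
10:00:05|4188|4100|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -ep bypass
10:00:09|4250|4188|C:\\Users\\u\\AppData\\Local\\Temp\\RATMAN.EXE|RATMAN.EXE
10:01:00|5000|1200|C:\\Windows\\explorer.exe|explorer.exe
10:01:02|5010|5000|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File backup.ps1
"""

# Office hosts that should not normally launch a script interpreter.
OFFICE_APPS = {"POWERPNT.EXE", "WINWORD.EXE", "EXCEL.EXE"}
SCRIPT_HOSTS = {"POWERSHELL.EXE", "PWSH.EXE"}


def parse_events(text):
    """Parse the pipe-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, cmd = line.split("|", 4)
        events.append({
            "ts": ts, "pid": int(pid), "ppid": int(ppid),
            "image": image, "cmd": cmd,
            "name": image.rsplit("\\", 1)[-1].upper(),  # basename, case-folded
        })
    return events


def find_office_script_chains(events):
    """Return (office_app, script_host, [child executables]) for each
    script host whose parent is an Office application."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for shell in events:
        if shell["name"] not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(shell["ppid"])
        if parent is None or parent["name"] not in OFFICE_APPS:
            continue  # PowerShell launched by Explorer etc. is not flagged
        dropped = [c["name"] for c in children[shell["pid"]]
                   if c["name"].endswith(".EXE")]
        hits.append((parent["name"], shell["name"], dropped))
    return hits


if __name__ == "__main__":
    for office, shell, dropped in find_office_script_chains(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {office} -> {shell} -> {dropped}")
```

The legitimate `explorer.exe -> powershell.exe` pair in the sample is deliberately left unflagged, so the rule keys on the Office parent rather than on PowerShell alone.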

Maryland Leader For Cyber Security, With New Range Center

BALTIMORE (WJZ) — A first of its kind cyber security system in the entire country is ready to go in Baltimore.
Officials say the move paves the way for Maryland to lead in cyber security.
Trying to tackle cyber crimes takes special skills, now being taught here in Baltimore.
The new $250,000 Baltimore cyber range gives teams hands-on training in real-world scenarios to keep pace with the growing number of online security threats.
“We feel are the highest levels of cyber security types to better address the threats in real time,” says Bruce Spector, with Electronic Technology Associates.
The special training is critical to public and private companies.
Experts say the training taught will help companies, consumers, credit cards and more, when hackers strike.
“We are the first cyber bit system here in this country.
Governor Larry Hogan announced the creation of the center during a trade mission to Israel last summer.

Hackers are forcing Hollywood to reevaluate its cybersecurity

And now, HBO.
Last week, as HBO investigated a cyberattack on its own systems, an unaired episode of its hit show “Game of Thrones” appeared online following an unrelated breach at a pay-TV partner in India.
“The security of the third-party vendor is what you’re relying on.” HBO is still investigating how hackers broke into its computer system.
They stole episodes of Larry David’s “Curb Your Enthusiasm” and “Ballers,” a person familiar with the matter said at the time.
A stolen movie that appears online before appearing in theaters loses 19 percent of its box-office revenue on average compared with films that are pirated after they’re released, according to a study by professors at University of Maryland and Carnegie Mellon University.
People may not be willing to subscribe to Netflix or HBO if they can watch their favorite shows and movies online for free.
What’s more, the wave of attacks is forcing media executives to confront a thorny question: Should they pay ransoms to hackers to get their content back?
In April, Netflix refused to pay a hacker who stole unreleased episodes of “Orange Is the New Black.” Larson Studios, which worked with Netflix, told Variety it paid the ransom, about $50,000, in bitcoin.
Larson Studios didn’t respond to a request for comment, while a Netflix official said only that the company is “constantly working to improve our security.” In another high profile case this year, hackers threatened to leak a stolen copy of Disney’s new “Pirates of the Caribbean” if the company didn’t pay a ransom.
Michael Lynton, former chief executive officer of Sony Entertainment, started transferring emails off his computer every 10 days.

MalwareTech’s arrest sheds light on the complex culture of the hacking world

But in August, the person behind that nickname, Marcus Hutchins, was arrested on federal charges of writing and distributing a different piece of malware, first spotted back in 2014.
Although the term may have originated at MIT, young people interested in computer technology were tinkering across the country.
It is also this tinkering that allows hackers to find vulnerabilities in computers and software.
What separates these three groups is not their actions – all three groups find weaknesses and tell someone else about them – but their motives.
To hackers, whether someone is doing something wrong depends on what hat or hats he is wearing.
Is hacking a crime?
But Hutchins’ white hat job is to find vulnerabilities.
It’s a crime to sell malware with the intent to further someone else’s crime.” Kerr’s comments suggest a third explanation — that Hutchins may have been wearing a gray hat, creating malware for a criminal to use.
Kevin Mitnick served five years in prison for various types of hacking.
And Mustafa Al-Bassam was once a member of the infamous LulzSec hacking group that hacked into the CIA and Sony.

Conservatives Must Regulate Google And All of Silicon Valley Into Submission

That means Republicans at both the federal and the state level need to rein in the skinny-jeaned fascist social justice warriors who control Silicon Valley – and, to a growing extent, our society – through the kind of crushing regulation of these private businesses that we conservatives used to oppose.
They violated the most important of the old rules – they chose a side.
See, what leftists do not get is that principles are part of systems.
If you decide you don’t want to play your part in the system, you shouldn’t be shocked when the other participants make the same decision.
And that’s why conservatives now need to savagely regulate companies like Google, Facebook, and Twitter.
Yeah, I know that heavily regulating private businesses is not “free enterprise,” but I don’t care.
And the great part is that enforcing it doesn’t need to be a government thing.
Then they would know how conservatives in Silicon Valley feel.
We liked the old system, but you tech twerps decided to change it.

How long can the U.S. keep hackers at bay and the lights on?

And as attempts to infiltrate computer networks that control the grid and other industrial systems escalate, cybersecurity experts and some government officials are increasingly concerned that a large-scale, well-financed and coordinated cyberattack is coming, risking the sort of widespread blackouts that hit Ukraine in 2015 after hackers broke into the systems of three power plants.
Last year, members of DHS’ Industrial Control Systems Cyber Emergency Response Team recorded 290 cases of hackers gaining access to systems at everything from power plants to telecommunications systems.
The U.S. grid is widely described as considerably more advanced than those in Eastern Europe, but some of the same security failures seen in Ukraine could very well be found here, said Homeland Security’s Bristow, who was part of the team that traveled to Ukraine.
But whether members of Congress of either party would go so far as to advocate for the federal government to dictate cybersecurity standards for the power grid remains a sensitive topic, raising the prospect of an expansion of federal powers that many state governments, including Texas, are bucking.
“(Utilities) want to have security, and privately they’ll admit it’s good to have standards.
But, they added, just as utilities improve defenses, hackers come up with new and ever more complex means of attacks.
Lately, Shenoi, the University of Tulsa professor, said he’s thinking about smart meters, the digital electric meters installed at tens of millions of homes and buildings across the country over the past decade.
They save the utility sending out crews to read meters, but also give hackers new and numerous avenues of attack, Shenoi said.
Such a scenario has long been taken seriously by the federal government.
During the cyberattack on Ukraine, one of the saving graces was that utilities were still in the process of digitizing their control systems.

Book review: “The Darkening Web: The War for Cyberspace” by Alexander Klimburg

In 2014, 61 percent of the 1,600 experts polled by the Pew Research Center stated that a major cyberattack causing significant harm to a nation or nations was likely to occur within the next decade.
In “The Darkening Web,” Klimburg provides an extraordinarily informative and accessible examination of the threats to physical infrastructure, privacy and the free flow of information posed by the struggle for control of cyberspace.
Seeking to break what they perceive as the cyber dominance of the United States (where the internet was born), Klimburg indicates, authoritarian governments have increased attacks on infrastructure, industrial espionage and “informational effects” on their citizens, as well as their enemies.
Klimburg describes Russia’s cyberattacks on the infrastructure of Estonia, Georgia and Ukraine.
He documents Russian dissemination of fake news — and the hacking of America’s Democratic Party emails in 2016.
And Klimburg notes how Russian President Vladimir Putin has used revelations about the Stuxnet virus (that disabled Iran’s nuclear program) and Edward Snowden’s disclosure of National Security Agency operations to charge the United States with cyber hypocrisy.
Bad behavior will intensify, Klimburg warns, if the plan, introduced by Russia and China, to establish national sovereignty over the internet, is adopted.
He envisions a role for the United Nations in the first two domains and recommends a “multi-stakeholder” approach to governance, with participation by government officials, the private sector and members of civil society.