CyberSecurity: The Rest of the Week’s News (Jan 7, 2019)

Attack Doubles Up on Malware (January 7, 2019)
 An attack that combines two known pieces of malware has been detected in the wild. The attack uses the Vidar data harvesting malware followed by GandCrab ransomware. Vidar has the ability to steal a wide variety of data, including passwords, documents, screenshots, stored 2FA information, and cryptocurrency wallets. Once Vidar has sent the information to a command-and-control server, Gandgrab encrypts the infected system and displays a ransom demand.
  Read more in:
: She will lock you out, livin’ la Vidar local: Enterprising crims breed ransomware, file thief into hybrid nasty
– Double trouble: Two-pronged cyber attack infects victims with data-stealing trojan malware and ransomware
– GandCrab Operators Use Vidar Infostealer as a Forerunner
– Cybercriminals double up using Vidar and GandCrab in single attacks

Australian Emergency Warning Network Data Breach (January 7 & 8, 2019)
The Queensland (Australia) Emergency Warning Network (EWN) has acknowledged that its system was breached by an unauthorized user who used stolen access credentials to send a message to subscribers. The message, which was sent via email, text, and landline, said “EWN has been hacked. Your personal data is not safe. Trying to fix the security issues.” When EWN became aware of the situation, they shut down the system.
  Editor’s Note

While it’s easy to ask why multi-factor authentication was not in place, a challenge with emergency alert systems is determining the appropriate level of authentication assurance to not only prevent unauthorized messages but also support operations during an actual emergency where services needed to support strong authentication may be offline, or known network or location points for users are unavailable, meaning the system will need to in-source any strong authentication solution.
Read more in:
: Emergency warning system compromised as hackers send text and email messages to thousands
– Emergency Warning Network confirms the breach
– Hacker Uses Australian Early Warning Network to Send Spam Alerts
The Case for In-House Defense Department Pen Testing (January 7, 2019)
  This opinion piece argues for the US Department of Defense (DOD) to conduct in-house penetration testing on its systems. Citing an October 2018 Government Accountability Office (GAO) report that examined cybersecurity issues related to DOD weapons systems, the author writes that “there’s no substitute for a formal, comprehensive and ongoing software assessment process that occurs before a system goes live and continues as long as the software is in use.”
  Editor’s Note

This is a standard security practice. Is the DOD really not internally pentesting/assessing its software prior to being put into production?
The value proposition of continuous assessment versus periodic testing needs to be examined. When it is baked into system and software lifecycle, execution requires in-place resources and services rather than waiting for the results of a bug-bounty or completion of an assessment contract, potentially reducing exploitation opportunities. This also means the concept of continuous remediation needs to be embraced.
Read more in:
: National security depends on in-house penetration testing

Microsoft Pulls Problematic Office 2010 Update (January 7, 2019)
  Microsoft has pulled a non-security update for Office 2010 because of reports that users who had installed it were unable to start Excel. The update was released on January 2, 2019, along with updates for Office 2013 and 2016. The majority of the reports are coming from Japan; the update includes changes to accommodate a new Japanese calendar era that will begin later this spring.
  Read more in:
: Microsoft pulls buggy Office 2010 January updates
– Microsoft Pulls Office 2010 January 2019 Updates After Excel Blunder
– January 2, 2019, update for Excel 2010 (KB4461627)

Passport Numbers Compromised in Marriott Breach Were Not Encrypted (January 4, 2019)
  Marriott has revised the numbers associated with the data breach it disclosed in late November 2018. Marriott now says that some of the compromised records were duplicates and puts the number of affected records at 383 million, down from 500 million. While the total number of compromised records is lower than initial reports suggested, Marriott did say that the five million or so passport numbers that were compromised were not encrypted.
  Editor’s Note

Encryption at rest is hard. If this passport data has to be shared with authorities in some countries or verified at check-in, then it will be difficult to come up with a meaningful encryption scheme. Tokenization may have been an option to limit the exposure of the data and may have helped to implement an encrypted data store for the data.

Credit reporting firm Experian reports that breached passport numbers fetch between $1,000 and $2,000 on cybercriminal online exchanges – the highest price of all identity data, more than complete medical records. In quantity, that would go down but 5 million stolen passport numbers are high value – Marriott should not have needed a complex risk analysis to decide either not to store those numbers online or to encrypt them if they did.
Read more in:
: 5M passports accessed in Marriott breach were unencrypted
– Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were Not Encrypted
Pentagon Asks Advisory Board for List of Ethical Principles for Using AI in Warfare (January 4, 2019)
  Pentagon officials have given the Defense Innovation Board (DIB) the task of developing a list of ethical principles for the use of artificial intelligence (AI) in warfare. Current doctrine relies on a six-year-old document that requires a human to have the power to veto any decision made by an autonomous weapons system. DOD is seeking a framework for a broader policy to apply to predictive analytics and other areas in which AI may be used. The DIB plans to make its list public in June.
  Read more in:
: Pentagon Seeks a List of Ethical Principles for Using AI in War
– Department of Defense Directive: Autonomy in Weapon Systems (November 2012; revised May 2017) (PDF)
North Dakota Considering Statewide Cybersecurity Oversight (December 31, 2018, & January 4, 2019)
  State legislators in North Dakota have heard testimony on a bill that would give the state’s Information Technology Department (ITD) authority to “advise, oversee and regulate cybersecurity strategy” for state agencies and public institutions, including school districts, public colleges and universities, and cities and counties. A North Dakota ITD executive said that more than 400 entities that connect to the state’s network are currently responsible for their own cybersecurity. 
  Editor’s Note

Cybersecurity governance does *not* have to be centralized to be done successfully, but almost invariably it *does* have to mirror the IT governance style of the organization – mismatches in the two are good predictors of vulnerability. Since North Dakota is moving to centralized IT, it is also an opportunity to bake security into software development, procurement, and SOC/NOC process integration.

Beyond creating a common strategy, the state has an opportunity to provide enterprise (volume) licensing for those agencies and public institutions for common tools they may not otherwise be able to afford on their own. This has worked well in DOE and is the model behind the DHS CDM DEFEND offering.
Read more in:
: Bill looks to standardize North Dakota cybersecurity for public entities
– On cybersecurity, North Dakota wants to ‘change the conversation completely’

Categories: cyber hackers, Cyber news


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.