CyberNews: Top of the news (12 Feb 2019)

Credit Unions Targeted in Spear Phishing Campaign (February 8, 2019)

A spear phishing attack targeted anti-money laundering officers at credit unions around the US. The USA Patriot Act requires that all US financial institutions appoint a minimum of two Bank Secrecy Act (BSA) contacts whose responsibility it is to report suspicious financial transactions that could indicate money laundering. On January 30, 2019, credit union BSA officers began receiving email messages spoofed to appear to be coming from BSA officers at other credit unions. The messages asked the recipients to open a PDF attachment that purportedly contained information about a suspicious transaction. A link within the attachment led to a malicious site. BSA officers at other financial institutions, not just credit unions, have reported receiving similar spoofed messages. It is not yet clear where the attackers obtained the list of BSA officers.
Editor’s Note

[Hoelzer]
FINCEN and NCUA, two of the few holders of this composite list, are both claiming that they’ve checked their systems and they aren’t breached. When there are only a handful of places in the world where the composite document exists and it’s been exposed, the reality is that either an insider is selling information or you’re breached and your detection systems aren’t telling you the right things. Inadequate detection is extremely common and something I’ve long worked to help techies communicate up the chain, and continue to work to teach techies how to overcome, but it takes real effort and training, not another “magic box”.

[Neely]
BSA Contact information is held by the NCUA who are now actively investigating how this information was released. The Credit Union community is small enough that many BSA officers already know each other so these messages contain attachments from known contacts. Credit Unions are already training their staff to be on guard for content from unknown contacts through phishing exercises. Mitigation for this sort of attack is reliant on endpoint and perimeter protections.
Read more in:
– krebsonsecurity.com: Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions

Switzerland Invites eVoting System Pen Testing (February 10, 2019)

Starting later this month, Switzerland’s government will allow researchers and security companies to pen test its electronic voting system. Participants need to sign up prior to the start of the pen test period, which runs from February 25 to March 24.
Read more in:
– www.onlinevote-pit.ch: Public Intrusion Test (PIT)
– www.zdnet.com: Swiss government invites hackers to pen-test its e-voting system

Federal Appeals Court Allows Lawsuits Challenging Georgia (US) Voting Machines to Proceed (February 8, 2019)

A federal appeals court in the US state of Georgia is allowing two lawsuits challenging the state’s use of electronic voting machines to move forward. The lawsuits challenge the use of the machines that do not create a paper trail. The “three-judge panel of the 11th U.S. Court of Appeals did not rule on the merits of the case but rejected arguments that state officials have immunity from the suits.”
Read more in:
– www.nytimes.com: Court: Suits Challenging Georgia Voting Machines Can Proceed

The Rest of the Week’s News

Rotational Cyber Workforce Act Would Let Specialists Bring Skills to Other Agencies (February 7, 8, & 11, 2019)

The Federal Rotational Cyber Workforce Act would allow cyber specialists from federal government agencies to bring their expertise to other agencies. Specialists would spend no more than one year at another agency. The program aims to help federal cybersecurity specialists “develop multiagency and policy expertise on cyber threats.”
Editor’s Note

[Pescatore]
I started my security career at NSA doing 6-month rotating internships in different groups – great way to go early in a career. The same concept, applied to more experienced security folks, helping pass on “What Works” kind of guidance to smaller agencies sounds like a good idea. I don’t know why legislation is required to make this happen in government but it is worth a try.

[Neely]
This already happens informally today. It works best when there is parity of threat models and cyber capabilities.
Read more in:
– fcw.com: Senators reintroduce rotational cyber workforce bill
– www.nextgov.com: Lawmakers Propose a Rotational Program for Federal Cyber Workers
– www.meritalk.com: Cyber Workforce Bill Reintroduced

Bill Would Establish Public/Private Cybersecurity Specialist Employee Exchange (February 11, 2019)

The Cyber Security Exchange Act would bring cyber experts from private companies and academia to work at federal agencies for up to two years, and would provide for federal workers to work in the private sector as well.
Editor’s Note

[Neely]
This allows better understanding of issues from a different perspective as well as teaching new skills in problem solving due to both the difference in budget and threat model. When we’ve loaned DOE employees to private companies the best results have come when the exchange is accompanied with well-defined expectations and deliverables.
Read more in:
– thehill.com: Bipartisan bill would create public-private cyber workforce exchange

Estonia’s Volunteer Cyber Force (February 11, 2019)

Estonia has a volunteer cyber defense force to help protect the country’s computer systems. The group, which comprises roughly 2,600 individuals, came into being after the 2007 cyberattacks that targeted Estonian government, financial, and other computer systems. The unit was formally established in 2011. The Estonian volunteer force is officially part of the Defence League, Estonia’s national guard. Latvia has established a similar organization, and Maryland’s National Guard digital forces have trained with the Estonian volunteer group.
Read more in:
– www.bloomberg.com: One of Russia’s Neighbors Has Security Lessons for the Rest of Us

Bill Would Establish Election Cyber Threat Information Sharing Program (February 6, 2019)

Two US Senators have reintroduced legislation that would establish a program at the State Department to share election cyber threat information with other countries. The Global Electoral Exchange Program would help other countries adopt best practices for election cybersecurity and also help fight misinformation campaigns and voter suppression.
Read more in:
– www.nextgov.com: Lawmakers Push for the State Department to Help Secure Foreign Elections
– www.nextgov.com: Global Electoral Exchange Act of 2019 (PDF)

Australian Parliament Network User Passwords Reset Following Unspecified Security Incident (February 8, 2019)

Australia’s Department of Parliamentary Services (DPS) reset all user passwords for accounts with access to Australia’s Parliamentary network following an unspecified incident that occurred late last week. DPS and other government agencies are investigating the incident.
Editor’s Note

[Northcutt]
The consensus among security experts is that passwords should be long — a minimum of 12 characters. And if there is a way to include 2FA by all means, do so.
Read more in:
– www.theregister.co.uk: Big trouble Down Under as Australian MPs told to reset their passwords amid hack attack fears
– www.zdnet.com: Australian government computing network reset following security ‘incident’
– parlinfo.aph.gov.au: Statement by the Presiding Officers – Parliamentary Computing Network

Public-Private Partnership Guidelines for Protecting Patient Data (February 8, 2019)

A public-private healthcare group partnership has published a four-volume guide to protecting patients and patients’ information in the digital age. The first volume “discusses the current cybersecurity threats facing the health care industry [and] sets forth a call to action for the health care industry… with the goal of raising general awareness of the issue.” The second and third “technical” volumes address cybersecurity practices for small and medium-to-large healthcare organizations. The fourth volume comprises supplemental references and resources.
Read more in:
– federalnewsnetwork.com: Industry, gov’t groups publish cyber guide to protecting patients’ information
– www.phe.gov: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (PDF)

Anti-Deepfake Video Tool (February 11, 2019)

A new tool aims to help detect when video footage has been compromised by deepfake manipulation. The tool, which runs in the background on recording devices, generates regular, periodic hashes of the data which are then recorded to a public blockchain.
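The periodic-hash scheme the tool is described as using, as an added illustration rather than the tool’s own code: a hash chain committed once per interval detects footage that is altered, cut or extended after the hashes were published, but footage that was synthetic from the start and commits its own hashes verifies cleanly. The ledger list, chunk size and sample footage are all constructed here.

```python
import hashlib
from typing import Dict, List, Optional

CHUNK_BYTES = 1024  # bytes per hashing interval in this toy model
GENESIS = b"\x00" * 32  # chain starts from a fixed all-zero "previous hash"

def make_recording(seed: bytes, chunks: int = 8) -> List[bytes]:
    """Constructed sample footage: deterministic pseudo-random chunks standing in
    for the frames a camera emits during each hashing interval."""
    return [hashlib.sha256(seed + i.to_bytes(4, "big")).digest() * (CHUNK_BYTES // 32)
            for i in range(chunks)]

def interval_hash(prev: bytes, index: int, chunk: bytes) -> bytes:
    # Each digest covers the previous digest, so the published list is a chain.
    return hashlib.sha256(prev + index.to_bytes(4, "big") + chunk).digest()

def commit_hashes(chunks: List[bytes]) -> List[bytes]:
    """Periodic hashing as the article describes it: one digest per interval. The
    returned list stands in for the entries written to the public ledger."""
    ledger, prev = [], GENESIS
    for i, chunk in enumerate(chunks):
        prev = interval_hash(prev, i, chunk)
        ledger.append(prev)
    return ledger

def verify(chunks: List[bytes], ledger: List[bytes]) -> Optional[int]:
    """Recompute the chain against the published entries. Returns the index of the
    first interval that disagrees (altered, cut or appended), or None if all match."""
    prev = GENESIS
    for i, (chunk, committed) in enumerate(zip(chunks, ledger)):
        prev = interval_hash(prev, i, chunk)
        if prev != committed:
            return i
    if len(chunks) != len(ledger):  # footage truncated or extended after publication
        return min(len(chunks), len(ledger))
    return None

def demo() -> Dict[str, Optional[int]]:
    original = make_recording(b"camera-1")
    ledger = commit_hashes(original)          # published while recording
    edited = list(original)
    edited[5] = b"\xff" * CHUNK_BYTES         # frames replaced after the fact
    fabricated = make_recording(b"synthetic")  # footage synthetic from the start
    return {
        "untouched": verify(original, ledger),                                   # None
        "edited": verify(edited, ledger),                                        # 5
        "fabricated_with_own_ledger": verify(fabricated, commit_hashes(fabricated)),  # None
    }
```

The last result is the limitation the editor’s note below points at: the chain proves the file is unchanged since its hashes were published, not that what was recorded was genuine.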
Editor’s Note

[Williams]
Research on video manipulation, including Deepfake, is needed, but this tool is not worth getting excited about in the short term. While the approach has some possible use cases, they don’t meet the most immediate Deepfake detection needs. It’s the equivalent of saying you’ve created software for detecting syslog manipulation when the “detection mechanism” is comparing the current log to hashes of the logs taken previously.
Read more in:
– www.wired.com: A New Tool Protects Videos From Deepfakes and Tampering

Another Week, Another WordPress Flaw (February 11, 2019)

A flaw in the Simple Social Buttons WordPress plug-in could be exploited to take control of vulnerable sites. Users are urged to update Simple Social Buttons to version 2.0.22, which was released on Friday, February 8. The plug-in has been installed on more than 40,000 WordPress websites.
Editor’s Note

[Williams]
While this is certainly an issue only on WordPress websites, calling this plugin a “WordPress flaw” is like calling a vulnerability in a third party app a “Windows flaw” because of where the software was installed. Wording matters and this particular wording is somewhat ambiguous. That said, update now because this is relatively easy to exploit, and successful exploitation allows attackers access to the underlying server hosting WordPress.

[Neely]
This is an application design flaw which exists in both the free and paid versions of the plugin. While you’re checking to make sure the plugin is updated, also make sure that your site has been updated to PHP 7.
Read more in:
– www.zdnet.com: WordPress plugin flaw lets you take over entire sites

Texas State Legislator Introduces Bill to Ban Mobile Service Throttling in Disaster Areas (February 11, 2019)

A legislator in the Texas House of Representatives has introduced a bill that would prohibit wireless carriers from throttling mobile Internet service access in disaster areas. The bill would prohibit throttling in disaster areas for everyone, not just for first responders. The bill appears to be a response to the situation in California last fall when Verizon throttled service to first responders who were fighting wildfires.
Read more in:
– arstechnica.com: Texas lawmaker wants to ban mobile throttling in disaster areas
– capitol.texas.gov: An Act relating to mobile Internet service access in an area subject to a declared state of disaster.