Cybersecurity News
This digest of cybersecurity news is curated by the Internet Security Alliance and Direct Computer Resources (DCR). DCR has been an ISA Board Member since 2008.
Four methods hackers use to steal data from air-gapped computers
ZD Net, November 20 — Researchers have devised numerous ways to extract data from computer systems by developing covert channels. These channels fall into four general groups:
• Electromagnetic (the earliest attack vector).
• Acoustic (beyond speakers, modulated fan and disk drive noise can be used).
• Thermal (very low speeds possible).
• Optical (a hot area, where speeds up to 4k bps have been demonstrated).
Electromagnetic (EM) channels range from eavesdropping on the EM radiation from the memory bus, to leakage from USB ports and cables. EM was the first channel widely explored and used, and has made EM shielding a common preventative measure. Acoustic channels have become popular with the advent of hackable smartphones whose microphones can pick up audio signals that humans can't differentiate from background hum. The latest area is the use of ultrasonic sounds, whose higher frequencies are both inaudible and offer greater bandwidth. Thermal hacks have been demonstrated, but with bandwidth measured in a few tens of bits per second over a short distance. It isn't clear that thermal transmission will ever find a practical covert use. ... Read More.
DDoS Attack Attempts Doubled in 6 Months
DARKReading, November 20 — A rise in DDoS-for-hire services and unsecured IoT devices is driving a sharp increase in the average number of daily DDoS attack attempts. Organizations encounter an average of eight DDoS attack attempts per day, up from four attempts a day at the start of the year, according to a newly published Corero Network Security report that tracks DDoS trends from Q2-Q3 2017. "The growing availability of DDoS-for-hire services is causing an explosion of attacks," said Ashley Stephenson, CEO of Corero. Corero's report also points to botnets such as the Reaper, which were able to leverage the rise in unsecured IoT devices as weapons for larger DDoS attacks. The report also cites a return of Ransom Denial of Service (RDoS) threats in the third quarter. ... Read More.
Key Windows 10 defense is 'worthless' and bug dates back to Windows 8
ZD Net, November 20 — Microsoft has been telling users to upgrade to Windows 10 because of its superior in-built defenses against attacks, compared with Windows 7. That advice would be true if it properly implemented the defense known as Address Space Layout Randomization (ASLR). ASLR is used by Android, Windows, Linux, iOS and macOS to prevent attacks that rely on code executing at predictable memory locations by loading programs at random addresses. It's been used by Microsoft since Windows Vista to counter memory-based attacks. However, Microsoft introduced an error in Windows 8 when implementing a feature known as Force ASLR or system-wide mandatory ASLR. This feature is meant to randomize executables even if an application hasn't enabled support for ASLR. It can be switched on through Microsoft's Enhanced Mitigation Experience Toolkit (EMET). As of the Windows 10 Fall Creators Update, EMET became part of Windows Defender Exploit Guard (WDEG). ... Read More.
PCI and HIPAA Compliance Comparison
HIPAA Journal, November 20 — For organizations in healthcare-related industries that both have access to PHI and accept credit card payments, a PCI and HIPAA compliance comparison can help find overlaps and similarities in their compliance obligations. These overlaps and similarities can assist organizations with their risk assessments in order to avoid duplication and better mitigate the risk of a data breach. In this comparison between PCI compliance and HIPAA compliance, we have used the PCI Data Security Standard v3.2 as our reference. Readers are advised to review the PCI Security Standards website periodically for updates to the Data Security Standard that may affect the accuracy of this PCI and HIPAA compliance comparison. The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts credit card payments, or that stores, processes or transmits cardholder data and/or sensitive authentication data. Similarly, the Healthcare Insurance Portability and Accountability Act (HIPAA) applies to any organization that creates, stores, processes or transmits Protected Health Information. As will be demonstrated in our PCI and HIPAA compliance comparison, there are many similarities between the PCI DSS and the physical, technical and administrative safeguards of the HIPAA Security Rule. In fact, by complying with some of the PCI compliance requirements (e.g. the encryption of data), organizations will automatically be complying with the encryption requirements within HIPAA. ... Read More.
Linus Torvalds: 'I don't trust security people to do sane things'
ZD Net, November 20 — Linus Torvalds has offered his thoughts on Linux security approaches, branding some security professionals as "f*cking morons" for focusing on process-killing rather than debugging. Torvalds, the creator and principal developer of the Linux kernel, does not often pull his punches when it comes to the kernel's behaviors and security. The engineer carried on the tradition over the weekend, as Google Pixel developer Kees Cook submitted a pull request for hardened usercopy changes for v4.15-rc1, which according to Cook, narrows areas of memory "that can be copied to/from userspace in the face of usercopy bugs by adding explicit whitelisting for slab cache regions." "This has lived in -next [sic] for quite some time without major problems, but there were some late-discovered missing whitelists, so a fallback mode was added just to make sure we don't break anything," Cook said. "I expect to remove the fallback mode in a release or two." In response, Torvalds said these kinds of pull requests "can be very painful" as time must be spent examining them as they touch core elements. ... Read More.
Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI
HIPAA Journal, November 20 — UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email. While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device. It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers. ... Read More.
How many must be killed in the Internet of Deadly Things train wrecks?
ZD Net, November 20 — Safety and security standards for the Internet of Things (IoT) can't come soon enough for Phil Kernick, founder and chief technology officer of information security consultancy CQR. "I'm radical in this area," Kernick told journalists in Sydney last week. "If you look at any industry that's new, it goes unregulated until it gets to the point where it's crazy, and then government steps in and regulates it. "In the 70s, with the car industry in the US, it was exactly that," he said. Kernick was referring to the dramatic changes in the US automotive industry that followed, eventually, the publication in 1965 of political activist Ralph Nader's book Unsafe at Any Speed. Nader's work eventually led to the mandatory fitting of seat belts, designing the bodies of cars to reduce injury to pedestrians, and even measures to reduce air pollution. The industry resisted these changes, of course, because in the 1960s it was making a bundle as affluent Americans bought the latest in mass-produced automotive fashions. General Motors even launched a campaign of harassment and intimidation against Nader. ... Read More.
Pricing of Goods and Services on the Deep & Dark Web
IT Security Guru, November 20 — The Deep & Dark Web facilitates an expansive and dynamic underground economy shaped by the diverse skills and motivations of a wide range of adversaries. The forums and marketplaces where illicit goods and services are exchanged have come to play an influential role in today’s cyber and physical threat landscape by providing access to the means to carry out various attacks and schemes. The availability of illicit goods and services on the Deep & Dark Web enables a more efficient and democratised cybercriminal underground where adversaries can pay other actors to fill gaps in their own capabilities. To provide defenders with enhanced context surrounding the current state of the underground economy, Flashpoint analysts gathered observational research to provide pricing examples for the following goods and services: ... Read More.
Bankwest sends broker site to the public cloud with AWS Lambda
ZD Net, November 20 — Bankwest has revealed the security gateway for its Broker Portal is running wholly in the Amazon Web Services (AWS) public cloud. Launched in July, the bank's new "one-stop-shop" allows brokers to track the real-time status and other information on current home loan applications, as well as the monitoring of existing loans. The Commonwealth Bank of Australia-owned organisation touted the move to Lambda as one providing "higher degrees of automation", with Bankwest engineering manager Chris Dorrington commenting the shift to the cloud has also seen a greater investment in security and risk control features. "The serverless architecture is part of a shift towards automated preventative and corrective controls. These levels of automation strengthen our risk management overall," Dorrington said in a statement. "A mantra of ours is 'compliance as code' — from the provisioning of development environments to the continual testing of the cloud infrastructure, we're able to continuously prove compliance with our security model." ... Read More.
Fraudster Tied to 'The Dark Overlord' Jailed for 3 Years
BankInfo Security, November 20 — A British man who was initially arrested on suspicion of hacking English socialite Pippa Middleton's iCloud account has been sentenced to serve a three-year prison sentence after he pleaded guilty to a number of unrelated fraud and blackmail offenses. Nathan Wyatt, 36, of Wellingborough, England, appeared at Southwark Crown Court on Sept. 14, where he pleaded guilty to 20 counts of fraud by false representation, two counts of blackmail and one count of possession of an identity document with intent to deceive. His offenses included using malware to steal files from a British law firm then trying to ransom them back for €10,000 ($12,000) in bitcoins. His ransom demand was signed "The Dark Overlords," Britain's Daily Mail reports, in apparent reference to the extortion shakedown gang known as "The Dark Overlord." At Southwark Crown Court on Friday, Judge Martin Griffiths sentenced Wyatt to serve a three-year sentence. "A rather more skeptical mind would say there was a great deal more to this behavior than there is in these counts," the judge told Wyatt during the sentencing hearing, the Daily Mail reports. "I consider this was a sophisticated piece of offending by you." ... Read More.
Your biggest threat is inside your organisation and probably didn't mean it
ZD Net, November 20 — It doesn't have a super-sexy moniker like KRACK or Heartbleed, but the spectre of the insider threat looms large for organisations, and has done so for as long as electricity, silicon, and computing have been paired up to store information. While it's easy to imagine a disgruntled, unhappy employee becoming a malicious actor within an organisation, and dumping the family jewels out of spite, it is much more likely that a well-intentioned employee did something they really shouldn't have. In recent times, it seems as though a spate of data leakage has occurred due to the discovery of data left sitting on world-viewable servers. For instance, Accenture left its keys to the kingdom exposed on four servers, Verizon had 14 million subscriber records sitting unprotected on Amazon S3, and even Australia's national broadcaster, ABC, was found wanting last week when it was revealed to have had customer details and 1,800 daily MySQL database backups exposed. ... Read More.
We're Still Not Ready for GDPR? What is Wrong With Us?
DARKReading, November 17 — The canary in the coalmine died 12 years ago, the law went into effect 19 months ago, but many organizations still won't be ready for the new privacy regulations when enforcement begins in May. If you've been comforting yourself with the thought "I'm sure there will be a grace period for the General Data Protection Regulation," think again, pal, because this is the grace period, and it's almost over. May 25, 2018 enforcement actions for GDPR begin, many if not most of us aren't ready, and we really have no good excuse. Two out of every five respondents to a new survey released last week by Thales stated that they don't believe they'll be fully prepared for GDPR when enforcement actions kick in, specifically 38% of respondents in the UK, 44% in Germany, and 35% in the US. Other recent surveys turn up similar results. Aside from the fact that GDPR officially went into effect in 2016, why is this privacy law and the controls it requests coming as such a surprise? We should have seen this coming from 10 miles and 12 years away. My first warning came one month after I started covering cybersecurity: the ChoicePoint breach, which occurred in 2004 but wasn't revealed until February 2005. The personally identifiable information — including name, address, and Social Security number — of 163,000 people was exposed when data broker ChoicePoint (since purchased by Lexis Nexis) sold it to phony businesses set up by an alleged crime ring. Roughly 800 people became victims of identity theft as a result of the incident. ChoicePoint first only notified affected individuals covered under California's young data breach notification law; then later informed victims in other, yet-uncovered states. The Federal Trade Commission fined the company $10 million, plus an additional $5 million to establish a fund for victims. ... Read More.
Amazon: We're fixing flaw that leaves Key security camera open to Wi-Fi jamming
ZD Net, November 17 — Amazon is rushing out a fix for a flaw in the security camera that monitors couriers delivering parcels into the homes of Key customers. Amazon Key is the recently launched service that allows Amazon couriers to place goods inside Prime customers' homes. The service works alongside Amazon's new Cloud Cam security camera, a smart door lock and the Key app that remotely unlocks the door and displays a live video feed. But, as Wired reports, Seattle-based security firm Rhino Security Labs has discovered a flaw in the procedure that would allow a devious courier to freeze the camera. That ability undermines the key component that gives customers peace of mind when letting a stranger into an unattended house. The attack can be launched within Wi-Fi range, which is exactly where a hacker courier would be positioned. Using a computer, the attacker sends a volley of 'deauthorization' packets to the target Cloud Cam, which stops it from using an access point as it attempts to reauthenticate. It's a well-known technique for Wi-Fi jamming and is not specific to Cloud Cam. Though the Amazon camera is offline, it continues to display the last frame the camera captured when it was connected, leaving the home owner unaware that the view in their app is not live. ... Read More.
ID card security: Spain is facing chaos over chip crypto flaws
ZD Net, November 17 — When security researchers discovered last month that secure hardware made by Germany's Infineon Technologies was not so secure after all, it was clear that there would be major implications. There are a lot of smartcards and other devices out there with Infineon's chips in them, and the 'ROCA' flaw in Infineon's key pair-generation algorithm made it possible for someone to discover a target's private key just by knowing what their public key was. Now, in an analogous situation to that recently experienced in Estonia, Spain seems to be having a tough — and arguably more chaotic — time dealing with the implications for its national identity smartcards. Estonia's big security flaw only affected around 760,000 cards, although Estonians genuinely use their cards for a great variety of public and private services. Against that figure, there are around 60 million identity smartcards in Spain. However, according to an El País article, Spaniards were only using theirs in 0.02 percent of public-service engagements when surveyed a few years back. ... Read More.
Tips to Protect the DNS from Data Exfiltration
DARKReading, November 17 — The noise of IT staff scrambling to patch system vulnerabilities is a CISO's worst fear — it's the sign that someone somewhere could potentially infiltrate the network. The recent Equifax breach is a reminder that the loss of sensitive data has become too commonplace. Personal records, thought to be under lock and key, are being siphoned out of businesses, and most companies aren't aware until it is too late. Yahoo, Target, Home Depot, and Anthem are a few of the notable recent victims. In July, hackers even seized the latest episodes of Game of Thrones from HBO. The most insidious path for criminals to mine data is via the Domain Name System (DNS). The DNS protocol is manipulated to act as a "file transfer" protocol and by default is seen as legitimate. Most businesses don't even know that data is being exfiltrated until it is too late. A recent DNS threat report from EfficientIP revealed that 25% of organizations in the US experienced data exfiltration via DNS, and of those, 25% had customer information or intellectual property stolen. The average time to discover a breach was more than 140 days. Considering that hackers can silently drain about 18,000 credit card numbers per minute via DNS, that's a customer database many times over. In addition, businesses aren't installing the required patches on their DNS servers, either (86% applied only half of what is necessary, according to our report), which makes sense in the case of Equifax, where apparently only one employee was responsible for patches. ... Read More.
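The article describes DNS being bent into a "file transfer" protocol that looks legitimate by default. As an added defender-side illustration (not from the DarkReading piece or the EfficientIP report), the following Python scores query logs for that pattern: many unique, long, high-entropy leftmost labels under a single registered domain. The log format, thresholds and the two-label registered-domain rule are assumptions made for this example.

```python
"""Flag DNS query patterns typical of tunnelling/exfiltration: many unique,
long, high-entropy leftmost labels under one registered domain."""
import math
from collections import defaultdict

# Constructed sample log in a hypothetical "<timestamp> <client> <qname> <qtype>"
# format. example.com lines are ordinary lookups; example.net lines carry
# 32-character encoded labels (rotations of the base32 alphabet).
SAMPLE_LOG = """\
2017-11-17T10:00:01 10.0.0.5 www.example.com A
2017-11-17T10:00:02 10.0.0.5 mail.example.com MX
2017-11-17T10:00:03 10.0.0.6 cdn.example.com A
2017-11-17T10:00:04 10.0.0.6 login.example.com A
2017-11-17T10:00:05 10.0.0.5 api.example.com AAAA
2017-11-17T10:00:06 10.0.0.9 abcdefghijklmnopqrstuvwxyz234567.t.example.net TXT
2017-11-17T10:00:07 10.0.0.9 fghijklmnopqrstuvwxyz234567abcde.t.example.net TXT
2017-11-17T10:00:08 10.0.0.9 lmnopqrstuvwxyz234567abcdefghijk.t.example.net TXT
2017-11-17T10:00:09 10.0.0.9 rstuvwxyz234567abcdefghijklmnopq.t.example.net TXT
2017-11-17T10:00:10 10.0.0.9 xyz234567abcdefghijklmnopqrstuvw.t.example.net TXT
2017-11-17T10:00:11 10.0.0.9 567abcdefghijklmnopqrstuvwxyz234.t.example.net TXT
this line is malformed and is skipped by the parser
"""


def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of a name. Simplification: production code should
    consult the Public Suffix List (e.g. for names under co.uk)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def domain_stats(records):
    """Per registered domain: unique leftmost labels, mean length, mean entropy."""
    labels_by_domain = defaultdict(set)
    for r in records:
        parts = r["qname"].split(".")
        if len(parts) < 3:  # bare registered domain: no client-chosen label
            continue
        labels_by_domain[registered_domain(r["qname"])].add(parts[0])
    stats = {}
    for base, labels in labels_by_domain.items():
        stats[base] = {
            "unique_labels": len(labels),
            "mean_len": sum(len(l) for l in labels) / len(labels),
            "mean_entropy": sum(shannon_entropy(l) for l in labels) / len(labels),
        }
    return stats


def suspicious_domains(records, min_unique=4, min_len=20.0, min_entropy=3.5):
    """Domains whose label population looks encoded rather than human-chosen.
    All three thresholds must be met, so a CDN with a few long labels or a
    site with many short hostnames is not flagged."""
    return sorted(
        base for base, s in domain_stats(records).items()
        if s["unique_labels"] >= min_unique
        and s["mean_len"] >= min_len
        and s["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for base, s in sorted(domain_stats(recs).items()):
        print(f"{base:12} labels={s['unique_labels']} mean_len={s['mean_len']:.1f} "
              f"mean_entropy={s['mean_entropy']:.2f}")
    print("suspicious:", suspicious_domains(recs))
```

In practice the same statistics are worth computing per client as well as per domain, so that one host emitting the encoded queries stands out even when the volume is spread across several throwaway domains.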
Shedding light on the Deep & Dark Web: Bringing risk intelligence to bear for business benefit
IT Security Guru, November 17 — Beyond the accessible surface of the open web, anonymous users exchange illegal goods and plan criminal activities away from prying eyes. Known as the Deep & Dark Web, these covert regions of the Internet are unindexed by search engines and far greater in volume than the open web. Here, among the forum chatter of cybercriminals and other adversaries, emerging threats and business risks frequently take shape. Shedding light on these secretive communities and the topics discussed within them offers a significant advantage to corporations seeking to combat threats and get one step ahead of adversaries. Before we delve into the murky world of cybercrime, it’s worth distinguishing between the Deep Web and the Dark Web. The Deep Web simply refers to areas of the Internet that are not indexed by search engines. This includes perfectly legal sites protected by passwords, firewalls, and/or paywalls. Online banking systems and private social media profiles are examples of sites where user privacy is protected for entirely legitimate reasons. For authorised users, accessing these sections of the Deep Web requires nothing more than a standard Internet browser and the ability to enter the requisite login credentials. ... Read More.
Florida Blue Data Breach Impacts 939 Individuals
HIPAA Journal — Blue Cross and Blue Shield of Florida, dba Florida Blue, has announced that the personally identifiable information of a limited number of insurance applicants has been exposed online. Florida Blue was alerted to the exposure of patient data in late August and immediately launched an investigation. Florida Blue reports that the investigation revealed 475 insurance applications had been backed up to the cloud by an unaffiliated insurance agent, Real Time Health Quotes (RTHQ). The data backup included agency files and copies of health, dental, and life insurance applications from 2009 to 2014. Those files were left vulnerable as an unsecured cloud server was used to store the backup files. Consequently, those files could have been accessed by the public via the Internet. While data access and theft of personally identifiable information remains a possibility, Florida Blue has received no reports that any of the exposed information has been used for malicious purposes. The files contained information such as the names of applicants, dates of birth, demographic information, medical histories, Social Security numbers, and limited banking and payment information. Following the discovery that information had been left unsecured, RTHQ took steps to address the vulnerability and the information is no longer accessible by unauthorized individuals. ... Read More.
Kaspersky Blames NSA Analyst For U.S. Intel Leak
Data Breach Today, November 17 — Kaspersky Lab says it "inadvertently" scooped up classified U.S. documents and code from a U.S. National Security Agency analyst's home computer, but suggested it wasn't the conduit by which the material ended up in Russian hands. The anti-virus company has been under intense pressure after reports in early October that its systems may have been co-opted by Russian intelligence agencies and used to hunt for secret U.S. cyber espionage projects. The controversy centers on the computer of an NSA analyst who violated procedures for handling classified information, taking it home and copying it to his computer, which had Kaspersky's software installed. In a Thursday blog, the company deflected the blame to the NSA analyst, who also erred by installing a pirated copy of Microsoft Office that contained malware. ... Read More.
Australian Broadcasting Corporation confirms S3 data leak
ZD Net, November 17 — The Australian Broadcasting Corporation (ABC) has accidentally leaked sensitive data from at least two unsecured Amazon Web Services (AWS) S3 repositories, according to Kromtech Security Center. The government-backed broadcaster has confirmed in a statement that it was notified of the data leak on November 16, and said its technology teams acted promptly to solve the issue. Kromtech CIO Bob Diachenko wrote in a blog post that the security firm discovered a "trove of data" connected to ABC Commercial — the broadcaster's commercial arm that looks after the marketing and retailing of ABC products and services worldwide — after conducting an online search of poorly set up cloud computing sites. Exposed data included information regarding "production services and stock files that should not have been publicly available online," according to Diachenko. ... Read More.
Boxes of Medical Records Stolen from New Jersey Medical Practice
HIPAA Journal, November 17 — Otolaryngology Associates of Central Jersey is alerting patients to a breach of their protected health information, following a burglary at an off-site storage facility in East Brunswick, NJ. The thieves took 13 boxes of paper medical records from the facility, which included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the names of treating physicians. A limited number of driver’s license numbers and Social Security numbers were also included in the stolen records. The burglary was quickly identified and law enforcement was notified. An internal investigation was launched, and steps were taken to reduce the likelihood of similar breaches occurring in the future. The medical records were being stored in accordance with state and federal laws, and related to past patients that had received treatment at either of Otolaryngology Associates of Central Jersey’s two facilities in East Brunswick and Franklin townships. All affected individuals have now been notified of the breach. ... Read More.
October 2017 Healthcare Data Breaches
HIPAA Journal, November 16 — In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. Compared with September, October saw a significant fall in the number of reported breaches and a major reduction in the number of records exposed: the monthly total was almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months. Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities. [Chart: October 2017 healthcare data breaches by covered entity type.] Unauthorized access/disclosures were the biggest cause of healthcare data breaches in October. There were 14 breaches involving unauthorized access/disclosures, eight hacking incidents, four cases of theft, and one lost unencrypted laptop computer. ... Read More.
Tennessee city still not recovered from ransomware attack
SC Magazine, November 16 — The City of Spring Hill, Tenn. is still suffering from the effects of a ransomware attack that struck the municipality in early November when government officials refused to pay the $250,000 ransom demanded by the cybercriminals. The attack has essentially stopped the city from being able to conduct many of its usual functions as its IT department attempts to rebuild the database from backed up files. The attack has locked city workers out of their email accounts, and residents are unable to make online payments, use payment cards to pay utility bills and court fines, or conduct any other business transaction. Instead, the city is asking that payments be made by check, and then either dropped off or mailed. ... Read More.