News Desk

Curated cybersecurity news and updates from CI Security™.

Get your cybersecurity briefing, curated by Mike Hamilton.

Mike Hamilton, founder and CISO of CI Security, has decades of experience in the Information Security industry. In that time, he has developed a keen eye for IT news that affects how security professionals approach their jobs and the news that will have meaningful impacts on daily life.

Every weekday, Mike curates the top news stories in cybersecurity, including the latest breaches, security alerts, and industry developments. Readers describe the news blast as their go-to morning source for the latest in InfoSec.

Sign up for the Daily Blast and get it delivered early weekday mornings, just in time for your first cup of coffee.

Get curated cybersecurity news delivered to your inbox.




Latest Cybersecurity News Blast

CI Security

IT Security News Blast – 1-17-2020

Critical Windows 10 vulnerability used to Rickroll the NSA and Github

Researcher Saleem Rashid on Wednesday tweeted images of the video "Never Gonna Give You Up," by 1980s heart-throb Rick Astley, playing on Github.com and NSA.gov. The digital sleight of hand is known as Rickrolling and is often used as a humorous and benign way to demonstrate serious security flaws. In this case, Rashid's exploit causes both the Edge and Chrome browsers to spoof the HTTPS verified websites of Github and the National Security Agency.

https://arstechnica.com/information-technology/2020/01/researcher-develops-working-exploit-for-critical-windows-10-vulnerability/

 

U.S. Army Hacked By 52 Hackers In Five Weeks

There were in excess of 60 publicly accessible U.S. Army online assets that could be targeted by the hackers during the five-week challenge window. These included the army.mil and goarmy.com web domains and the Arlington Cemetery website. The 52 hackers, from countries including the U.S., Canada, Germany and Romania, reported a total of 146 validated vulnerabilities in all.

https://www.forbes.com/sites/daveywinder/2020/01/16/us-army-hacked-by-52-hackers-in-five-weeksheres-why/#65649d6c1669

 

More Health Quest Patients Added to 2018 Phishing Attack Victims

For the additional patients, both former and current, the compromised data varied by individual and could include dates of birth, Social Security numbers, Medicare Health Insurance Claim Numbers, driver’s licenses, treatment, dates of service, provider names, diagnoses, health insurance plan member and group numbers, financial account information with PINs or security codes, and payment card data.

https://healthitsecurity.com/news/more-health-quest-patients-added-to-2018-phishing-attack-victims

 

2019 in Review: Data Breach Statistics and Trends

As if healthcare bills weren’t high enough, the past year saw more medical care disrupted and patients exposed to medical identity theft (we explain how it works in this post) than ever before. Part of this development was due to the resurgence of targeted ransomware attacks against hospitals, medical practices, and nursing homes across the nation. Also to blame are third-party vendor breaches and phishing, which caused some of the most massive healthcare data breaches of the past year[.]

https://securityboulevard.com/2020/01/2019-in-review-data-breach-statistics-and-trends/

 

New York Bank Cyber Rule Deadline Signals Enforcement Risk

The state Department of Financial Services’ April 15 deadline is a reminder to financial firms that they have the next three months to bolster their systems before it’s too late to avoid fines under the first-in-the-nation state cybersecurity rules, attorneys said. There likely will be “a significant increase” in enforcement after the deadline[.] State enforcers are “staffing up” ahead of the deadline, he said.

https://news.bloomberglaw.com/privacy-and-data-security/new-york-bank-cyber-rule-deadline-signals-enforcement-risk

 

Cyber Daily: Financial Regulators to Bore Into Cloud Agreements at Banks, Brokers

Concerns about cloud security prompt more scrutiny from financial regulators. U.S. financial regulators put banks and brokers on notice that a key part of compliance audits will be the scrutiny of how these firms control the information they store in the cloud. Regardless of any arrangements that divide responsibility between cloud users and providers, regulators [...] said at a Financial Industry Regulatory Authority conference Tuesday that they consider the companies themselves liable for any breaches.

https://www.wsj.com/articles/cyber-daily-financial-regulators-to-bore-into-cloud-agreements-at-banks-brokers-11579183622

 

Defense Contractors to Face Added Costs With Cybersecurity Audit

The Defense Department plans to release the standards at the end of January as it rushes toward requiring new universal auditing of contractors’ cyber safeguards by this summer. The military’s vast commercial supply chain, especially smaller vendors, has emerged as a critical national security weakness. [...] A total of about 300,000 contractors large and small will be subject to the cyber auditing and certification, which the department has dubbed the Cybersecurity Maturity Model Certification, or CMMC.

https://about.bgov.com/news/defense-contractors-to-face-added-costs-with-cybersecurity-audit/

 

DHS Bulletin to Hazardous Chemical Sector: Beef Up Cyber, Physical Security at Facilities

The Chemical Security Insights bulletin from the Cybersecurity and Infrastructure Security Agency, “Enhancing Chemical Security During Heightened Geopolitical Tensions,” urges all “facilities with chemicals of interest (COI)—whether tiered or untiered under the Chemical Facility Anti-Terrorism Standards (CFATS) program—to consider enhanced security measures to decrease the likelihood of a successful attack.”

https://www.hstoday.us/subject-matter-areas/infrastructure-security/dhs-bulletin-to-hazardous-chemical-sector-beef-up-cyber-physical-security-at-facilities/

 

Ukrainian authorities ask FBI for help investigating Russian hack on Burisma

Ukraine’s Ministry of Internal Affairs on Thursday announced that the country’s cyber police had started "criminal proceedings" around the recent hacking of gas company Burisma, and noted that authorities were seeking the assistance of the FBI in pursuing the case. The ministry wrote in a statement that criminal proceedings had been launched, and that “persons involved in committing this criminal offense are being identified.”

https://thehill.com/policy/cybersecurity/478607-ukrainian-authorities-ask-fbi-for-help-in-investigating-russian-hack-on

 

Expect the unexpected from Iran

What should we expect, if not consistency? Although it’s possible that Iranian leaders will continue the “slow burn” of adversarial efforts (e.g., dealing with the U.S. as if it were a proverbial “boiling frog”), it is doubtful. That’s not to say that they will end attacks against Americans. There may be a temporary de-escalation, but I do not believe they will abandon their war against us.

https://thehill.com/opinion/national-security/478199-expect-the-unexpected-from-iran

 

US military families receiving ‘menacing’ messages: ‘Leave the Middle East. Go back to your country’

“If you like your life and you want to see your family again, pack up your stuff right now and leave the Middle East,” the message read. “Go back to your country. You and your terrorist clown president brought nothing but terrorism. You fools underestimate the power of Iran. The recent attack on your [expletive] bases was just a little taste of our power[.]"

https://foxwilmington.com/headlines/us-military-families-receiving-menacing-messages-leave-the-middle-east-go-back-to-your-country/

 

Congress wrestles with deterring China ― beyond nukes

The Pentagon should also find a means to temporarily interrupt China’s ability to target U.S. ships, McDevitt said ― likely through jamming or some sort of anti-satellite warfare. “China is becoming as dependent as we are on space, cyber networks, and so without their ability to surveil the open ocean, they can’t use their anti-ship ballistic missiles; they don’t know where to vector their diesel submarine; they don’t know where to launch their land-based aircraft,” McDevitt said.

https://www.defensenews.com/congress/2020/01/16/congress-wrestles-with-deterring-chinabeyond-nukes/

 

Election officials should expand audit targets, think tank says

State election officials should audit not just ballots but also “registration databases, physical and cybersecurity procedures, ballot reconciliation protocols, and resource allocation tools,” the Bipartisan Policy Center said in a report published this morning. The document, a product of BPC’s elections task force, made 21 recommendations that went beyond election security measures.

https://www.politico.com/newsletters/morning-cybersecurity/2020/01/16/election-officials-should-expand-audit-targets-think-tank-says-784453

 

App firms, adtech industry in firing line over possible GDPR violations

According to a report called “Out of Control: How Consumers Are Exploited by the Online Advertising Industry,” released Tuesday by the Norwegian Consumer Council (NCC), app developers are sharing highly personal information with adtech firms as part of their business model, despite the risk of violating tough privacy rules, the prospect of being hit with hefty fines, and the possibility of losing consumer trust and damaging their brands. It has filed complaints under the GDPR against six of the worst offenders, including Twitter.

https://www.complianceweek.com/data-privacy/app-firms-adtech-industry-in-firing-line-over-possible-gdpr-violations/28316.article

 

More than 600 million users installed Android 'fleeceware' apps from the Play Store

The term fleeceware is a recent addition to the cyber-security jargon. It was coined by UK cyber-security firm Sophos last September following an investigation that discovered a new type of financial fraud on the official Google Play Store. It refers to apps that abuse the ability for Android apps to run trial periods before a payment is charged to the user's account.

https://www.zdnet.com/article/more-than-600-million-users-installed-android-fleeceware-apps-from-the-play-store/

 

A Practical Guide to Zero-Trust Security

This all makes sense in theory, but what does implementing zero trust look like in practical terms? When talking to customers about steps they can take to build a zero-trust security architecture, I focus on five main pillars – device trust, user trust, transport/session trust, application trust and data trust. Let’s take a closer look at each of these pillars and the underlying technology required to establish trust in each one.

https://threatpost.com/practical-guide-zero-trust-security/151912/

 

Another reason to hurry with Windows server patches: A new RDP vulnerability

These two separate bugs, identified as CVE-2020-0609 and CVE-2020-0610, are rated as more dangerous than the crypto bug by Microsoft because, while they're not yet exploited, they could be used to remotely execute code on targeted RDP servers before the gateway even attempts to authenticate them. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the Microsoft Security Response Center summary of both vulnerabilities warned.

https://arstechnica.com/information-technology/2020/01/another-reason-to-hurry-with-windows-server-patches-a-new-rdp-vulnerability/

 

What do Brit biz consultants and X-rated cam stars have in common? Wide open... AWS S3 buckets on public internet

The second info trove the team uncovered puts the "exposure" in data exposure. That instance, also a misconfigured S3 bucket, contained nearly 20GB belonging to the subtly-named adult cam network PussyCash. According to VPNmentor's crew, within that archive was 875,000 records containing the personal information of 4,000 of the site's saucy performers. These include scans of documents that prove the model's age, things like ID cards, birth certificates, and passport scans. Also included were performer release forms and profile information.

https://www.theregister.co.uk/2020/01/15/open_s3_buckets/



You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at https://ci.security/news/daily-news.

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2019 CI Security. All rights reserved.

CI Security
245 4th St, Suite 405  Bremerton, WA 98337
About Us   |   CI News   |   Contact Us

Add this Email to Your Address Book

Update Your Preferences   |   Unsubscribe from the Daily Blast

Real people hunt for threats, investigate events, and respond with incident action plans.

Contact us Request a demo