Home

Cyber Research

Cyber News

Cyber Info

Contact

April, 2017

 

 

 

NEWS-UPDATE
ISSUE

89

 

 In this issue

 

 

*         Private sector's National Cybersecurity Strategy Contributions Lacking

*         To win the Cybersecurity War, we Need to Teach kids how to Hack

*         Researchers claim China trying to hack South Korea missile defense efforts

*         What motivates Youngsters to get into Cybercrime?

*         Latest Cyber Security NewsLatest Cyber Security News

 

about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net

 

Private sector's National Cybersecurity Strategy Contributions Lacking

April 14, 2017

 

 

The private sector operates much of U.S. critical infrastructure, but is it doing enough to further national cybersecurity strategy efforts designed to protect these assets?

The U.S. government has been very public about its concern for national cybersecurity. There have been grandiose speeches, presidential declarations and several attempts by the legislature to pass new cybersecurity laws. But the problem with America's national cybersecurity strategy is bigger than one-off hacks or data thefts. Crimes perpetrated by the likes of Edward Snowden, Chelsea Manning and the individual(s) who committed the alleged leak of the CIA's highly sensitive cyber warfare tools have resulted in mind-blowing losses.

Beyond those headline grabbers is a problem that gets less attention but poses a significant risk to critical national assets: the fact that private sector businesses operate -- but do not adequately protect -- a vast majority of the nation's critical infrastructure and data.

The federal government, and even the largest private sector enterprises, spend billions on cybersecurity investment but fail to extend those efforts into the SMBs that do much of the legwork. Laws are passed that promise to protect sensitive government information and "critical" systems, but the regulations are fine-tuned to work for the business community, effectively neutering enforcement mechanisms. Until there are real ramifications for cybersecurity failures in government and private sector entities that support the government, we will continue to see national security erode.

Private companies should be responsible for the public interest and implement precautions to minimize security failures that potentially undermine national defense.

Consider, for example, the fallout from a 2013 report that found designs for some of the most sensitive, advanced U.S. weapons systems were hacked by a foreign country. Although it is a serious issue that those weapons systems are now compromised and have likely been duplicated by at least one foreign military, there is no sign of any punishment for the private companies that allowed the theft in the first place. In fact, the companies and their subcontractors that made the stolen systems will ultimately benefit from the espionage: There are a limited number of prime contractors that can perform this work, so the companies from which the systems were stolen will most likely build any replacement systems, if they have not already done so. There is no evidence that the contractors have lost work or otherwise paid for their failure. Until the cost of failure is higher than implementing real security technology, we will continue to see poor choices that lead us to cybersecurity failure.

More info http://searchcompliance.techtarget.com/opinion/Private-sectors-national-cybersecurity-strategy-contributions-lacking

To win the Cybersecurity War, we Need to Teach kids how to Hack

April 13, 2017

 

If you ask kids right now what they want to be when they grow up, you probably won’t hear “hacker.” But hackers are absolutely essential to protecting cyberspace from computer criminals. We need to teach kids how to hack.

Hackers are computer security experts who want to make systems more secure. Hacking requires curiosity, computer security skills, and a special mindset for figuring out what criminals will do before they actually do it. Make no mistake: there are those who exploit cyberspace to their own ends. But those are not hackers. They are criminals.

There is a critical national shortage of hackers, and it’s because we’re failing to attract students early on to the field. More than four in five organizations lack sufficient computer security skills within their organization to protect themselves, according to a recent study by Intel. That means four in five organizations that want to secure their computers simply cannot find the talent to do so.

Talent at the government level looks just as bleak. Tony Scott, the former U.S. chief information officer, said there were more than 10,000 openings in the federal government for cyber professionals. This as the government sustained dozens of cyberattacks last year.

At Carnegie Mellon University, we believe in teaching hacking by doing. We have organized hacking events, called “Capture the Flag” contests, to promote ethical hacking skills and teach the hacking mindset.

Anyone can learn to hack. If you go to picoCTF.com, you can join more than 17,000 students as they learn hacking this year. Learning hacking, like anything, is a path. Anyone can start, and the more you practice the better you get. Overall, CMU has reached more than 57,000 students through these events since 2013. Many picoCTF hackers didn’t know what computer security was before playing. Some discovered a talent they never knew they had and went on to study cybersecurity in college.

There are three things we need to do to meet the critical shortfall of computer security experts. First, we need to promote hacking at the K-12 level. Think about it: teenagers are picking passwords, agreeing to privacy policies, and sharing information online. Cybersecurity and privacy education are as essential as basic math today.

Second, we need a national push to build effective cybersecurity education programs. CMU has over 50 courses in cybersecurity, but we are just one university and we’re at the end of the education pipeline. We need to introduce kids to cybersecurity and privacy earlier in their education by developing K-12 curriculum that teachers can use in the classroom.

Third, we need to recognize that hackers are valuable. They find vulnerabilities in order to make systems more secure. They do this by developing a unique mindset — the hacker mentality — of learning to think differently, being curious, and always experimenting. And those who practice their skills become artists at figuring out creative solutions that prevent criminals from succeeding.

As the old adage goes: “Our children are our future.” Given today’s cyber threats, we need to embrace hacking as an essential skill for kids to learn in order to keep this country safe in the future.

David Brumley is director of CyLab Security and Privacy Institute and professor of computer and electrical engineering at Carnegie Mellon University. He received the Presidential Early Career Award for Scientists and Engineers from the Obama administration.

Read more http://thehill.com/blogs/pundits-blog/technology/328702-to-win-on-cybersecurity-we-need-to-teach-kids-how-to-hack

Researchers claim China trying to hack South Korea missile defense efforts

April 21, 2017.

Enlarge / South Korea is deploying Lockheed Martin's THAAD missile defense system, and that's sparked the ire of the Chinese government, as well as military and "hacktivist" hacking groups, according to FireEye.

 

Chinese government officials have been very vocal in their opposition to the deployment of the Terminal High-Altitude Air Defense (THAAD) system in South Korea, raising concerns that the anti-ballistic missile system's sensitive radar sensors could be used for espionage. And according to researchers at the information security firm FireEye, Chinese hackers have transformed objection to action by targeting South Korean military, government, and defense industry networks with an increasing number of cyberattacks. Those attacks included a denial of service attack against the website of South Korea's Ministry of Foreign Affairs, which the South Korean government says originated from China.

FireEye's director of cyber-espionage analysis John Hultquist told the Wall Street Journal that FireEye had detected a surge in attacks against South Korean targets from China since February, when South Korea announced it would deploy THAAD in response to North Korean missile tests. The espionage attempts have focused on organizations associated with the THAAD deployment. They have included "spear-phishing" e-mails carrying attachments loaded with malware along with "watering hole" attacks that put exploit code to download malware onto websites frequented by military, government, and defense industry officials.

FireEye claims to have found evidence that the attacks were staged by two groups connected to the Chinese military. One, dubbed Tonto Team by FireEye, operates from the same region of China as previous North Korean hacking operations. The other is known among threat researchers as APT10, or "Stone Panda"—the same group believed to be behind recent espionage efforts against US companies lobbying the Trump administration on global trade. These groups have also been joined in attacks by two "patriotic hacking" groups not directly tied to the Chinese government, Hultquist told the Journal—including one calling itself "Denounce Lotte Group" targeting the South Korean conglomerate Lotte. Lotte made the THAAD deployment possible through a land swap with the South Korean government.

More Info https://arstechnica.com/security/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/

 

 

 

What motivates Youngsters to get into Cybercrime?

April 21, 2017.

A UK National Crime Agency report, which is based on debriefs with offenders and those on the fringes of criminality, explores why young people assessed as unlikely to commit more traditional crimes get involved in cyber crime.

Motives and opportunities

 

It emphasises that financial gain is not necessarily a priority for young offenders. Instead, the sense of accomplishment at completing a challenge, and proving oneself to peers in order to increase online reputations are the main motivations for those involved in cyber criminality.

During his debrief, Subject 7, who was jailed for Computer Misuse Act and fraud offences, told officers, “…it made me popular, I enjoyed the feeling… I looked up to those users with the best reputations”.

The report identifies that some offenders begin by participating in gaming cheat websites and “modding” (game modification) forums before progressing to criminal hacking forums.

The assessment notes that off-the-shelf tools such as DDOS-for-hire services and Remote Access Trojans (RATs) are available with step by step tutorials at little to no cost to the user, making the skills barrier for entry into cyber crime lower than it has ever been.

It also highlights that whilst there is no socio-demographic bias, with people across the country from different backgrounds among offenders, the average age of cyber criminals is significantly younger than other crime types. In 2015, the average age of suspects in NCA cyber crime investigations was 17 years old, compared to 37 in NCA drugs cases and 39 in NCA economic crime cases.

Diverting youngsters towards a more positive path

Many offenders see criminal hacking as a victimless crime, and consider the risk of being caught as low.

Subject 1, a member of a hacking collective who sold DDoS tools and Botnet services, told officers that a warning from law enforcement would have made him stop his activities.

The report also identifies education and opportunities to use skills positively as helpful in steering potential offenders towards a future career in cyber security.

“The aim of this assessment has been to understand the pathways offenders take, and identify the most effective intervention points to divert them towards a more positive path,” Richard Jones, Head of the National Cyber Crime Unit’s Prevent team, noted.

“That can be as simple as highlighting opportunities in coding and programming, or jobs in the gaming and cyber industries, which still give them the sense of accomplishment and respect they are seeking.”

Read more: https://www.helpnetsecurity.com/2017/04/21/youngsters-cybercrime-motivation/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A%20HelpNetSecurity%20%28Help%20Net%20Security%29

Latest Cyber Security News

Individuals at Risk

Cyber Privacy

Cybersecurity for the People: How to Protect Your Privacy at a Protest: Planning on going to a protest? You might not be aware that just by showing up, you can open yourself up to certain privacy risks — police often spy on protesters, and the smartphones they carry, and no matter how peaceful the demonstration, there’s always a chance that you could get detained or arrested, and your devices could get searched. Watch this video for tips on how to prepare your phone before you go to a protest, how to safely communicate with your friends and document the event, and what to do if you get detained or arrested. TheIntercept, April 21, 2017

Surveillance Self-Defense. Tips & Tools for Safer Online Communications. Electronic Frontier Fdtn: Modern technology has given those in power new abilities to eavesdrop and collect data on innocent people. Surveillance Self-Defense is EFF’s guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices. Electronic Frontier Foundation

Privacy tools, apps, and resources from San Jose Public Library: Check out these privacy tools, apps, and resources to start managing your online activities and identities today. San Jose Public Library

Cyber Update

Patch Windows Now! Shadow Brokers release Windows exploits stolen from Equation Group: Warning: Drop everything and patch all the Windows things now. BankInfoSecurity, April 21, 2017

Google Fixes Unicode Phishing Vulnerability in Chrome 58, Firefox Users Must Implement Workaround: Google fixed a handful of issues when it released the latest version of its browser, Chrome 58, on Wednesday, including a vulnerability that could have made it easier for an attacker to carry out a phishing attack with Unicode domains. ThreatPost, April 20, 2017

Cyber Warning

Linksys works to patch 26 Linksys router models after multiple security holes discovered: Do home router makers devote enough resources to finding security vulnerabilities in their products before they ship? NakedSecurity, April 21, 2017

Several malicious apps discovered on Google Play: An often repeated piece of advice given to users of mobile devices says that they should stick to well-reputed, official app stores if they want to avoid malware. HelpNetSecurity, April 21, 2017

Information Security Management in the Organization

Information Security Management and Governance

Information security key to digital era sharing-based business models: Security will become increasingly important as industries seek to collaborate and use each other’s capabilities to enable new business models, with the banking sector leading the way. ComputerWeekly, April 21, 2017

C-Suite Leadership and Cultural Practices for Meeting Cybersecurity Challenges: Of course cybersecurity is critical today – yet many organizations view it as a huge expenditure that slows the flow of business and frustrates employees, users and customers alike. C-level executives need to be aware of how their organizations’ security measures affect the flow of business. At its best, cybersecurity infrastructure runs quietly in the background, unnoticed. TechZone 360, April 21, 2017

Cybersecurity skills shortage threatens the mid-market: Organizations with 100 to 999 employees remain understaffed and under-skilled in cybersecurity—and an easy mark for hackers. NetworkWorld, April 21, 2017

How to Hire Your Next CISO: One of the most critical hires of any IT-related job is usually the chief information security officer (CISO) or chief information officer (CIO). But the decision to hire these executives is one CEOs and boards of directors typically do not want to make. This decision is often made during a crisis of some kind. It could result from a knee-jerk reaction to a major security breach or a new CEO’s desire to clean house and set a new strategic path. SecurityIntelligence, April 20, 2017

Cyber Awareness

Another study shows users continue to lack understanding of when / how to share confidential data: Today’s workforce is caught between two imperatives: be productive and efficient on the job and maintain the security of company data. HelpNetSecurity, April 21, 2017

Cyber Warning

Top-ranked programming Web tutorials introduce vulnerabilities into software: Researchers from several German universities have checked the PHP codebases of over 64,000 projects on GitHub, and found 117 vulnerabilities that they believe have been introduced through the use of code from popular but insufficiently reviewed tutorials. HelpNetSecurity, April 21, 2017

Exploits Targeting Corporate Users Surged Nearly 30% In 2016: At same time, number of attacks targeting software vulnerabilities in systems used by consumers declined over 20%, Kaspersky Lab says in new report. DarkReading, April 21, 2017

PwC: IT Service Providers and MSPs Targeted by Advanced Chinese Hackers. Customers at Risk: Since late 2016, PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by a China-based threat actor. We assess this threat actor to almost certainly be the same as the threat actor widely known within the security community as ‘APT10’. The campaign, which we refer to as Operation Cloud Hopper, has targeted managed IT service providers (MSPs), allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. A number of Japanese organisations have also been directly targeted in a separate, simultaneous campaign by the same actor. PWC, April 2017

Cyber Defense

Museum thefts provide valuable lessons for information security teams: Earlier this week, Ira Winkler wrote What security practitioners can learn from the United’s failures. He astutely noted that organizations should learn from failure, and ideally the failure of others. I’ll take his lead and provide another learning opportunity for information security professionals. CSO, April 21, 2017

The 5 Best Defenses Against Ransomware Are Aggressive Offenses: Ransomware is big money. In fact, according to the Federal Bureau of Investigation, ransomware attackers collected more than $209 million from victims in the first three months of 2016 alone. This is up dramatically [Note: Opens PDF] from $24 million for all of 2015. And if there is one thing history can teach us, it’s that big money drives innovation. So, it’s logical to predict that as ransomware evolves, so too will its sophistication. ITSP Magazine, April 21, 2017

Beyond Tabletop Exercises: Running a Data Breach Drill: You spent valuable time and resources crafting a cybersecurity breach action plan. You’ve assembled a multidisciplinary response team. You’ve identified who is responsible for what, and what decision-tree will go into effect. The plan has been circulated. You’ve even engaged a separate law firm that will be on call in the event of a breach. You’ve done the same with a PR firm, a private investigator and data breach hit squad. Robert Braun, SecureTheVillage Leadership Council, Cybersecurity Lawyer Forum, Jeffer Mangels Butler & Mitchell, April 20, 2017

Cyber Insurance

Cyber Threats Have Evolved. How About Your Insurance?: In 2017 organizations communicate at the speed of light in an effort to reduce friction points with clients while providing a user experience in step with the evolution of technology. The use of computers has made conducting business fast, efficient, and often more cost effective but it has also opened organizations up to new threats at an unprecedented level. There are no shortage of cyber horror stories experienced by organizations of all sizes highlighting the harm a data breach can inflict upon the two things that matter most which are profitability and reputation. From a ransomware attack against a public utility in Michigan to countless W-2 business email compromise scams targeting a variety of industries, no organization can escape the borderless span of the internet. Security professionals are aware that the threat landscape has evolved but the $7M question remains; has the approach to cyber liability insurance? ITSP Magazine, April 20, 2017

Cyber Career

When You Give, You Get. The Power of Mentoring, Elena Elkin, WISP Peer-to-Peer Mentoring Program: Did you know that the word “mentoring” originates from the ancient Greek language? Mentor was the name of a character in Homer’s Odyssey. When Odysseus, King of Ithaca, fights in the Trojan War, he entrusts his son Telemachus to an old man and a loyal advisor called Mentor. After the war, a grown Telemachus goes to search for his father. Athena, Goddess of War and patroness of the arts, assumes the form of Mentor and accompanies Telemachus on his difficult quest until he and his father are reunited. ITSP Magazine, April 20, 2017

Information security professionalism requires both credentialing and codes of professional practice: Cyber and information security literature – including accompanying reader’s comments – continuously debate the merits of professional certification for cyber and information security professionals. CSO, April 19, 2017

Application Security

Best Practices for Securing Open Source Code: Attackers see open source components as an obvious target because there’s so much information on how to exploit them. These best practices will help keep you safer. DarkReading, April 21, 2017

Secure Application Development: The Hidden Dangers of Component Vulnerabilities: Dangerous flaws in open source components and dependencies lurk within most applications today. DarkReading, April 21, 2017

Cyber Security in Society

Cyber Crime

InterContinental Hotel Chain Breach Expands: In December 2016, KrebsOnSecurity broke the news that fraud experts at various banks were seeing a pattern suggesting a widespread credit card breach across some 5,000 hotels worldwide owned by InterContinental Hotels Group (IHG). In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties. Now, IHG has released data showing that cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data. KrebsOnSecurity, April 18, 2017

Cyber Privacy

Infrastructure Vulnerabilities Make Surveillance Easy: Weakness in digital communications systems allows security to be bypassed, leaving users at risk of being spied on. Schneier on Security, April 11, 2017

Know Your Enemy

UK study identifies factors that motivate youngsters to get into cybercrime: A UK National Crime Agency report, which is based on debriefs with offenders and those on the fringes of criminality, explores why young people assessed as unlikely to commit more traditional crimes get involved in cyber crime. HelpNetSecurity, April 21, 2017

Tracing Spam: Diet Pills from Beltway Bandits: Reading junk spam messages isn’t exactly my idea of a good time, but sometimes fun can be had when you take a moment to check who really sent the email. Here’s the simple story of how a recent spam email advertising celebrity “diet pills” was traced back to a Washington, D.C.-area defense contractor that builds tactical communications systems for the U.S. military and intelligence communities. KrebsOnSecurity, April 19, 2017

National Cyber Security

FireEye researchers allege China trying to hack South Korea missile defense efforts: Chinese government officials have been very vocal in their opposition to the deployment of the Terminal High-Altitude Air Defense (THAAD) system in South Korea, raising concerns that the anti-ballistic missile system’s sensitive radar sensors could be used for espionage. And according to researchers at the information security firm FireEye, Chinese hackers have transformed objection to action by targeting South Korean military, government, and defense industry networks with an increasing number of cyberattacks. Those attacks included a denial of service attack against the website of South Korea’s Ministry of Foreign Affairs, which the South Korean government says originated from China. ars technica, April 21, 2017

Major Leak Suggests NSA Was Deep in Middle East Banking System: FOR EIGHT MONTHS, the hacker group known as Shadow Brokers has trickled out an intermittent drip of highly classified NSA data. Now, just when it seemed like that trove of secrets might be exhausted, the group has spilled a new batch. The latest dump appears to show that the NSA has penetrated deep into the finance infrastructure of the Middle East—a revelation that could create new scandals for the world’s most well-resourced spy agency. Wired, April 14, 2017

To win the cybersecurity war, we need to teach our kids cybersecurity: If you ask kids right now what they want to be when they grow up, you probably won’t hear “hacker.” But hackers are absolutely essential to protecting cyberspace from computer criminals. We need to teach kids how to hack. TheHill, April 13, 2017

Microsoft: Foreign Surveillance Requests Under FISA Up Sharply in 2016. Highest Since 2011: Microsoft Corp (MSFT.O) said on Thursday it had received at least a thousand surveillance requests from the U.S. government that sought user content for foreign intelligence purposes during the first half of 2016. Reuters, April 13, 2017

Wikileaks releases a how to hack Windows guide from CIA dump: As a continuing part of its Vault7 series of leaked documents, the leaks site Wikileaks has released a new cache of 27 documents allegedly belonging to the US Intelligence agency the CIA. TechWorm, April 11, 2017

Stewart Baker with Nick Weaver, Berkeley’s Int’l Computer Science Institute: Our guest interview is with Nick Weaver, of Berkeley’s International Computer Science Institute. It covers the latest dumps of hacker tools, the vulnerability equities process, the so-bad-you-want-to-cover-your-eyes story of Juniper and the Dual_EC hacks, and ends with a tour of recent computer security disasters, from the capture of a bank’s entire online presence, to the pwning of Dallas’s emergency sirens, and a successful campaign to compromise the outsourcing firms that supply IT to small and medium sized businesses. Steptoe Cyberblog, April 11, 2017

Russian News Falsely Links Arrested Spammer Pyotr Levashov to Russian Meddling in U.S. Election: Over the past several days, many Western news media outlets have predictably devoured thinly-sourced reporting from a Russian publication that the arrest last week of a Russian spam kingpin in Spain was related to hacking attacks linked to last year’s U.S. election. While there is scant evidence that the spammer’s arrest had anything to do with the election, the success of that narrative is a sterling example of how the Kremlin’s propaganda machine is adept at manufacturing fake news, undermining public trust in the media, and distracting attention away from the real story. KrebsOnSecurity, April 11, 2017

DHS head: North Korea more of a cyber threat: Homeland Security Secretary John Kelly said he’s more concerned about North Korea launching a cyber attack on the U.S. than any direct military action. TheHill, April 4, 2017

Critical Infrastructure

Smart cities can be vulnerable: That Dallas emergency siren hack is a warning of things to come: Though relatively benign, a recent hack of a major city’s safety infrastructure should give mayors reason to worry. Salon, April 14, 2017

HIPAA

Cybercrime in the medical device sector: We don’t like it when things go wrong. We expect security as standard. From our bank accounts to online shopping, we put faith in our passwords, and hope they make the services we use as difficult to hack as possible. Medical Plastics News, April 21, 2017

Cyber Ethics

Cybersecurity Startup Uses Actual Hospital Data in Demos. Called “Unbelievably grossly negligent.”: Billion-dollar cybersecurity startup Tanium has acknowledged failing to thoroughly anonymize network information for a California hospital that appeared in live product demonstrations and online videos. BankInfoSecurity, April 20, 2017

Cyber Miscellany

Six Movies/Shows When Hollywood Got Cybersecurity Right: Hollywood has struggled to portray cybersecurity in a realistic and engaging way. Here are films and TV shows where it succeeded. Dark Reading, April 20, 2017

 

Home

Cyber ReseArch

Cyber News

Cyber info

 

The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.

 

 

Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not for profit research & information sharing research center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.

 

 

Cyber Research Center - Industrial Control Systems. 2017

www.crc-ics.net or www.cyber-research-center.net