What you need to know for your personal cyber security life…
Eleventh in a series of semi-regular daily roundups of current and topical computer threats that may affect your online, or even offline, digital and real life. Why cybersecurity on SurvivalRing? Because EVERYTHING you do in your life every day is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally.
# # #
That NBC story 100% fraudulent
- By Robert Graham
- Errata Security
- February 06, 2014
Yesterday (Feb 5 2014) NBC News ran a story claiming that if you bring your mobile phone or laptop to the Sochi Olympics, it’ll immediately be hacked the moment you turn it on. The story was fabricated. The technical details relate to going to the Olympics in cyberspace (visiting websites), not going there in person and using their local WiFi.
The story shows Richard Engel “getting hacked” while in a cafe at Sochi.
1. It is wrong in every respect.
2. They aren’t in Sochi, but in Moscow, 1007 miles away. The “hack” happens because of the websites they visit (Olympic themed websites), not their physical location. The results would’ve been the same in America.
3. The phone didn’t “get” hacked; Richard Engel initiated the download of a hostile Android app onto his phone.
I had expected the story to be about the situation with WiFi in Sochi, such as man-in-the-middle attacks inserting the Blackhole toolkit into web pages exploiting the latest Flash 0day. But the story was nothing of the sort.
# # #
Texas Hospital Discloses Huge Breach
- By David F Carr
St. Joseph Health System has confirmed a security breach affecting the records of up to 405,000 past and current patients, as well as employees and employees’ beneficiaries.
St. Joseph says it believed the attack occurred between Dec. 16 and 18, when one of its computer servers was hacked, and that the exposure ended on the 18th when the attack was discovered and the server was shut down. The health system hired national security and computer forensic experts to investigate. The ongoing investigation suggests the attackers may have gained access to records including names, Social Security numbers, dates of birth, and possibly addresses, as well as the medical information of patients and bank account data for employees.
If substantiated, this would be one of the largest healthcare data breaches ever reported, and the largest by an individual health system. The largest, according to US Department of Health and Human Services data, involved 780,000 records in a 2012 incident at the Utah Department of Health and 475,000 records in a 2008 report from the Puerto Rico Department of Health. Since both of these are government agencies, the St. Joseph breach could potentially have the biggest loss of patient data reported by an individual hospital.
So far, the damage done is a matter of speculation.
# # #
Israeli start-up claims it may be able to stop all viruses
- By David Shamah
- The Times of Israel
- February 6, 2014
An Israeli start-up claims it may be able to put an end to the viruses, malware, and trojan horses that cost the world economy hundreds of billions of dollars a year. Not only does Cyactive say it can stop viruses that are already “in the wild,” currently causing damage, but according to CEO & Co-Founder, Liran Tancman, it can beat most of them even before they are invented.
The secret? Viruses are overwhelmingly evolutionary, not revolutionary. “Much of the code found in even major attacks is reused over and over again in new attacks,” Tancman said. “There has actually never been a virus that did not draw substantially on malware that was already in existence.”
Especially today, when hacking has become such a lucrative worldwide business, hackers need to produce. They don’t have time to reinvent the wheel; nor do they have to as things stand, said Tancman. “The problem is that cyber-security is reactive, not proactive. A company will spend hundreds of thousands or millions of dollars to secure themselves against a major malware variant, fighting off a specific attack.” But getting around those defenses is easy for a hacker. “All they have to do is insert some changes in their malware code, and they are in the clear. For $150, a cybercriminal can hire a hacker to do $25 million of damage, and then do it again a few months later, making very minor changes to their malware code.”
Tancman, a former head of Cyber-strategy in an elite IDF intelligence unit with a decade of experience in Israel’s intelligence corps, has been thinking about this phenomenon for a long time — and has developed what he believes can become the solution to all malware and viruses, present and future. “If we can develop defenses against the core of the malware, the 98% of the code that is just a variant of existing malware, we could end virus attacks for good,” Tancman said.
# # #
75 Percent of Pentagon Contractors Adjusted Security After Snowden Leaks
- By Aliya Sternstein
- February 5, 2014
Leaks of national secrets by former federal contractor Edward Snowden drove 75 percent of U.S. defense company executives to adjust information security procedures, mostly by increasing employee training and going on high alert for deviant behavior, according to a new study.
The poll of information technology managers was conducted last month by market research firm Opinion Matters on behalf of consultancy ThreatTrack.
Most of the 100 contractors surveyed are taking a manual approach to the crackdown on data seepage, rather than using automated mechanisms to block personnel from disclosing information, according to the study’s data points.
Among businesses with an IT budget of more than $10 million, 44 percent are restricting user access. Of the firms storing or accessing confidential information for the government, 34 percent have scaled back system administrator privileges. Sixty percent of the companies in those same two categories are subjecting employees to more cyber awareness education.
# # #
Where Did You Learn About Cybersecurity — or Did You?
- By Carolyn Mathas
- EE Times
I just noticed the results of a report commissioned by the Institution of Engineering and Technology (IET) called “Using Open Source Intelligence to Improve ICS & SCADA Security.” The report suggests that information that engineers place on social media, in blogs, and in papers is sufficient to mount cyberattacks. In this case, the attacks involved utilities. However, it shouldn’t matter what industry is front and center — only that this may be a side door in.
The basis for the IET’s concern was a survey of 250 small and midsized enterprises. Half were aware of the government’s Cyber Security Strategy, and just 14% said cyberthreats were “the highest priority.”
I have a question: How have you been trained/warned/advised regarding the use of social media, written papers, articles, blogs, etc. and how they relate to security? This report concentrated on the UK, but life isn’t that much different on this side of the pond.
Did you receive any university-level training regarding the role of the individual in security breaches? Was this a part of the new-hire training at your company? What did you learn, and where did you learn it, as to how much information is too much? Maybe this is covered in nondisclosure agreements you sign upon corporate entry as part of an HR exercise?