What you need to know for your personal cyber security life…
Number twenty-nine in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life everyday now is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the informational loop.
# # #
HEADLINES…for this issue…
- New Firm Pitches Cybersecurity for Less Well-Heeled
- Law Firms Are Pressed on Security for Data
- How will Windows XP end of support affect health IT security?
- Feds want an expanded ability to hack criminal suspects’ computers
- Patch management flubs facilitate cybercrime
- How do the FBI and Secret Service know your network has been breached before you do?
- The good hacker: the wonderful life and strange death of Barnaby Jack
New Firm Pitches Cybersecurity for Less Well-Heeled
- By DANNY YADRON
- The Wall Street Journal
- March 27, 2014
Last week, we wrote about military contractors pitching banks and energy companies on big-ticket anti-hacking technology — not something everyone can afford.
Now some big-name former Washington officials are backing a new cybersecurity company that seeks to help less-well-heeled clients. Vectra, run by two former Juniper Networks executives, uses an approach en vogue: Identifying hackers already in the system rather than trying to keep them out.
The technology plays on what has become a cliche in computer-security circles: All companies have been hacked, some just don’t know it yet.
The goal is to help a company figure out which cyberattacks are an annoyance and which could make them the next Target, where hackers last year stole 40 million credit and debit card numbers.
“For the average IT organization that doesn’t have the depth of resources or the budget — which is really the heart of business at the end of the day — what are they going to do?” Vectra CEO Hitesh Sheth said. “Are they going to buy extremely expensive services?”
Vectra, which came out of “stealth mode” Wednesday, is backed by Khosla Ventures and others. Advisers include the consulting firm of former Secretary of State Condoleezza Rice, and former Department of Homeland Security official Jane Holl Lute.
# # #
Law Firms Are Pressed on Security for Data
- By MATTHEW GOLDSTEIN
- The New York Times
- MARCH 26, 2014
A growing number of big corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount.
Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity. Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections.
Other companies are asking law firms to stop putting files on portable thumb drives, emailing them to nonsecure iPads or working on computers linked to a shared network in countries like China and Russia where hacking is prevalent, said the people briefed on the matter. In some cases, banks and companies are threatening to withhold legal work from law firms that balk at the increased scrutiny or requesting that firms add insurance coverage for data breaches to their malpractice policies.
“It is forcing the law firms to clean up their acts,” said Daniel B. Garrie, executive managing partner with Law & Forensics, a computer security consulting firm that specializes in working with law firms. “When people say, ‘We won’t pay you money because your security stinks,’ that carries weight.”
# # #
How will Windows XP end of support affect health IT security?
- By Patrick Ouellette
- Health IT Security
- March 27, 2014
As is the case with most pending vendor support deadlines, the upcoming end of Microsoft Windows XP support on April 8, 2014 has been a polarizing topic in the enterprise and healthcare spaces. There are some organizations that may be unaware that Microsoft will no longer be providing security patches and others that are building Fort Knox 2.0 because of the XP end of support.
However, a few IT security professionals within healthcare organizations told HealthITSecurity.com that they believe the biggest impact will likely be on smaller healthcare organizations. The reality for these organizations is that they must account for projects such as ICD-10 or Meaningful Use and upgrading their XP machines may go on the back-burner out of necessity. Without the proper funding and IT security talent available to some providers, these security concerns become that much more difficult to manage.
Stephen Person, Network & Security Engineer at North Valley Hospital and HealthCare Information Security and Privacy Practitioner (HCISPP) said he guarantees that many organizations are looking at the end-of-life of Windows XP.
# # #
Feds want an expanded ability to hack criminal suspects’ computers
- By Cyrus Farivar
- Ars Technica
- March 27, 2014
The United States Department of Justice wants to broaden its ability to hack criminal suspects’ computers according to a new legal proposal that was first published by the Wall Street Journal on Thursday.
If passed as currently drafted, federal authorities would gain an expanded ability to conduct “remote access” under a warrant against a target computer whose location is unknown or outside of a given judicial district. It would also apply in cases where that computer is part of a larger network of computers spread across multiple judicial districts. In the United States, federal warrants are issued by judges who serve one of the 94 federal judicial districts and are typically only valid for that particular jurisdiction.
The 402-page document entitled “Advisory Committee on Criminal Rules” is scheduled to be discussed at an upcoming Department of Justice (DOJ) meeting next month in New Orleans.
Federal agents have been known to use such tactics in past and ongoing cases: a Colorado federal magistrate judge approved sending malware to a suspect’s known e-mail address in 2012. But similar techniques have been rejected by other judges on Fourth Amendment grounds. If this rule revision were to be approved, it would standardize and expand federal agents’ ability to surveil a suspect and to exfiltrate data from a target computer regardless of where it is.
# # #
Patch management flubs facilitate cybercrime
- By Ellen Messmer
- March 27, 2014
Failures in patch management of vulnerable systems have been a key enabler of cybercrime, according to the conclusions reached in Solutionary’s annual Global Threat Intelligence Report out today, saying it sees botnet attacks as the biggest single threat.
The managed security services provider, now part of NTT, compiled a year’s worth of scans of customers’ networks gathered through 139,000 network devices, such as intrusion-detection systems, firewalls and routers, and analyzed about 300 million events, along with 3 trillion collected logs associated with attacks. Solutionary says it relies on several types of vendor products for these scans, including Qualys, Nessus, Saint, Rapid7, nCircle and Retina.
Solutionary also looked at the latest exploit kits used by hackers, which include exploits for flaws disclosed as far back as 2006. Solutionary found that half of the vulnerabilities it identified in scans of NTT customers last year had first been identified and assigned CVE numbers between 2004 and 2011.
“That is, half of the exploitable vulnerabilities we identified have been publicly known for at least two years, yet they remain open for an attacker to find and exploit,” Solutionary said in its Global Threat Intelligence Report. “The data indicates many organizations today are unaware, lack the capability, or don’t perceive the importance of addressing these vulnerabilities in a timely manner.”
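The report’s headline number is a patch-age metric: what share of the open findings carry CVE identifiers that are years old. The following script, added here as an illustration and not code from Solutionary or the report, computes that metric over a scanner export. The CSV layout, the host addresses and the CVE list are constructed sample data, not findings from any real scan; the CVE year is taken from the identifier, which is the year the ID was assigned, not necessarily the year the flaw was published.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export (hypothetical hosts and findings), in the shape a
# scanner's CSV report might take: one finding per row, CVE IDs separated by ';'.
SAMPLE_FINDINGS = """\
host,finding,cves
10.0.0.12,Apache Struts remote code execution,CVE-2013-2251
10.0.0.12,OpenSSL weak ciphers,CVE-2011-3389;CVE-2013-0169
10.0.0.25,Java SE multiple vulnerabilities,CVE-2012-0507;CVE-2012-1723;CVE-2013-1493
10.0.0.40,Microsoft SMB remote code execution,CVE-2008-4250
10.0.0.40,Windows Help ActiveX control,CVE-2006-4868
10.0.0.51,Adobe Reader memory corruption,CVE-2010-0188
10.0.0.60,No known CVE (informational),
"""

# CVE IDs are CVE-YYYY-NNNN with four or more digits in the sequence part.
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")


def cve_year(cve_id):
    """Return the assignment year encoded in a CVE ID, or None if malformed."""
    m = CVE_RE.fullmatch(cve_id.strip())
    return int(m.group(1)) if m else None


def parse_findings(csv_text):
    """Yield (host, finding, [cve_ids]) from a CSV export with host/finding/cves columns."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        ids = [c.strip() for c in row["cves"].split(";") if c.strip()]
        yield row["host"], row["finding"], ids


def vulnerability_age_report(csv_text, scan_year, stale_after=2):
    """Summarise how old the open CVEs are relative to the year of the scan.

    'stale' counts unique CVEs whose ID year is at least stale_after years
    before scan_year, i.e. flaws an attacker has had years to weaponise.
    """
    by_year = Counter()
    oldest_per_host = {}
    seen = set()
    for host, _finding, ids in parse_findings(csv_text):
        for cve in ids:
            year = cve_year(cve)
            if year is None:
                continue  # skip malformed identifiers rather than miscount them
            if cve not in seen:  # count each CVE once, even if several hosts have it
                seen.add(cve)
                by_year[year] += 1
            oldest_per_host[host] = min(year, oldest_per_host.get(host, year))
    total = sum(by_year.values())
    stale = sum(n for y, n in by_year.items() if scan_year - y >= stale_after)
    return {
        "total": total,
        "stale": stale,
        "stale_fraction": stale / total if total else 0.0,
        "by_year": dict(sorted(by_year.items())),
        "oldest_per_host": oldest_per_host,
    }


if __name__ == "__main__":
    # The 2014 report describes scans from the previous year, so use 2013.
    report = vulnerability_age_report(SAMPLE_FINDINGS, scan_year=2013)
    print(f"{report['stale']} of {report['total']} open CVEs "
          f"({report['stale_fraction']:.0%}) are at least two years old")
    for host, year in sorted(report["oldest_per_host"].items(), key=lambda kv: kv[1]):
        print(f"  {host}: oldest open CVE from {year}")
```

Hosts with the oldest open CVEs are the ones to patch first, since the exploit kits the report describes already carry working code for flaws of that age. Running the same report every month and watching whether the stale fraction falls is a cheap way to tell if a patch programme is actually closing the backlog rather than only keeping up with new advisories.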
# # #
How do the FBI and Secret Service know your network has been breached before you do?
- By Ellen Messmer
- Network World
- March 26, 2014
Knock, knock! Secret Service here. “Is this your customer payment card data?”
By all accounts, many of the massive data breaches in the news these days are first revealed to the victims by law enforcement, the Secret Service and Federal Bureau of Investigation (FBI). But how do the agencies figure it out before the companies know they have been breached, especially given the millions companies spend on security and their intense focus on compliance?
The agencies do the one thing companies don’t do. They attack the problem from the other end by looking for evidence that a crime has been committed. Agents go undercover in criminal forums where stolen payment cards, customer data and propriety information are sold. They monitor suspects and sometimes get court permission to break into password-protected enclaves where cyber-criminals lurk. They have informants, they do interviews with people already incarcerated for cybercrime, and they see clues in the massive data dumps of information stolen from companies whose networks have been breached.
# # #
The good hacker: the wonderful life and strange death of Barnaby Jack
- By Donna Chisholm
- March 18, 2014
From schoolboy dropout to world-famous hacker, Auckland-born Barnaby Jack lived hard and died young. On the way, he changed the technological world.
The Jagermeister shot glasses are piling up along with the stories in the outside bar of Galbraith’s in Mt Eden Rd. It’s a stormswept Sunday in January, the six-month anniversary of the death of Barnaby Jack. A dozen of his friends are here to remember him in a pub he loved.
Tonight, to them, he’s “Barnes”, their mate, not Barnaby Jack, the man the world knew as the elite hacker who could make ATM machines spew money, insulin pumps inject a lethal dose and heart pacemakers explode at a single command from a laptop — all stunts he pulled not to make trouble, or money, but to make the technology safer and more secure. In the infamously geeky community of computer hackers, Barnaby Jack was a rock star. The man who could party all night and brush his teeth in the carpark on the way to a flawless presentation at 9am.
It’s the first time they’ve gathered since the publication of an American medical examiner’s report on January 4 put months of bullshit internet conspiracy theories to rest. How the mad stories flourished in that charged atmosphere after the suicide just months before of activist and fellow hacker Aaron Swartz, and the car-crash death of investigative journalist Michael Hastings.
But, no, Barnaby Jack wasn’t murdered to derail the presentation of his latest research. And no, government officials hadn’t spirited him away to work on secret projects. The truth was ineffably sadder. On a Thursday afternoon, alone in bed in his comfortable top-floor apartment, opposite The Ritz in San Francisco’s Nob Hill, Barnes died of an accidental overdose of heroin, cocaine and prescription medicines.
There are no judgments here among his friends who gather under a fug of cigarette smoke on the old wooden bench seats outside Galbraith’s, where Barnes used to sit. The stories about him are warm and funny, to be told with a drink, about a guy who loved a drink. Many drinks. A guy who, when asked if he wanted another, would reply, “We’re not here to fuck spiders.”
# # #