CI Security

IT Security News Blast – 10-29-2019

Be Prepared: Planning for Risk Assessment and Emergency Response Requirements Under America’s Water Infrastructure Act

Section 2013 of AWIA, through an amendment to the Safe Drinking Water Act (SDWA), introduced a new requirement for every public water system that serves more than 3,300 people to conduct a Risk and Resilience Assessment (RRA) and prepare (or revise) an Emergency Response Plan (ERP). [...] AWIA also requires utilities to evaluate the security of electronic, computer and automated systems and financial infrastructure in response to rising cybersecurity threats. ERPs need to focus on more than merely being able to respond. They must include risk mitigation actions such as alternative source water, interconnections, redundancy improvements, asset hardening, and physical and cybersecurity countermeasures if and as justified through assessment.

https://waterfm.com/be-prepared-planning-for-risk-assessment-and-emergency-response-requirements-under-americas-water-infrastructure-act/

 

The Ransomware Superhero of Normal, Illinois

Local departments lack the resources to solve cybercrime, and the ransoms demanded have often been below the threshold that triggers federal investigations. Security researchers like Gillespie have done their best to fill the gap. There are almost 800 known types of ransomware, and Gillespie, mostly by himself but sometimes collaborating with other ransomware hunters, has cracked more than 100 of them. Hundreds of thousands of victims have downloaded his decryption tools for free, potentially saving them from paying hundreds of millions of dollars in ransom.

https://www.propublica.org/article/the-ransomware-superhero-of-normal-illinois

 

Mastercard taps biometrics and behavioral analytics in new product suite for healthcare partners

Among the cybersecurity products in the suite, Mastercard Identity Check leverages the latest EMV 3-D Secure authentication standards, and supports plug and play biometrics, including face, voice, and fingerprint recognition, according to the company website. The technology supports all card-not-present channels, to enable secure payments on any device. The NuDetect solution provides continuous verification with behavioral biometrics based on hundreds of anonymized user data points.

https://www.biometricupdate.com/201910/mastercard-taps-biometrics-and-behavioral-analytics-in-new-product-suite-for-healthcare-partners

 

HITRUST® Releases Version 9.3 of the HITRUST CSF® Incorporating New Privacy and Security Standards

For those interested in commenting on the latest draft guidance on how HITRUST CSF controls map to the NIST Cybersecurity Framework version 1.1 Core Subcategories as an Informative Reference, see the NIST Cybersecurity Framework Informative Reference Catalog Website at https://www.nist.gov/cyberframework/informative-references/informative-reference-catalog. Looking forward to the next major release of the HITRUST CSF v10, which has a targeted release date of Q4 2020, HITRUST is preparing to evolve the framework to be even more complete, efficient, and intuitive.

https://finance.yahoo.com/news/hitrust-releases-version-9-3-120000594.html

 

UniCredit reveals data breach exposing 3 million customer records

In total, roughly three million records were exposed, revealing the names, telephone numbers, email addresses, and cities where clients were registered. While UniCredit caters to an international client base, each record related to an Italian customer. [...] Therefore, those involved in the breach have lost Personally Identifiable Information (PII) which can be used in social engineering campaigns and potentially contribute to identity theft, but the chance of unauthorized transactions caused by the data leak is slim.  

https://www.zdnet.com/article/unicredit-reveals-data-breach-exposing-3-million-customer-records/

 

IT Security Leaders, Board Members Need to Accept More Responsibility for Cybersecurity Risk

The picture that emerges from these survey results is that C-Suite executives and board members simply are not accepting any form of substantial responsibility for cyber risk within the enterprise. As a result, IT security issues are essentially compartmentalized within one or two departments, and senior leadership and other enterprise leaders are simply not aware of what’s happening, or how exposed the company’s data assets and mission-critical processes might really be. This sends the message that IT security is not important.

https://www.cpomagazine.com/cyber-security/it-security-leaders-board-members-need-to-accept-more-responsibility-for-cybersecurity-risk/

 

City of Johannesburg has until 5pm to pay ransom demand - or personal data of citizens will be released

According to local reports, the cyber criminals cracked the website on Thursday and threatened to release the financial and personal data of millions of citizens online unless they are paid four bitcoins (over $30,000) by the deadline today. "All your servers and data have been hacked," hackers said in a ransom note, according to several city employees. "We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information," they further wrote.

https://www.computing.co.uk/ctg/news/3083100/hackers-johannesburg-ransom

 

Hill plans this week: Banking regulator cyber disclosures, FTC online scam tools

The House Financial Services Committee is scheduled to mark up an expanded bill (H.R. 4458) that would require banking regulators to report annually to Congress on what they’ve done to improve cybersecurity internally, in the industry they oversee and among third-party service providers. The original legislation only ordered a report from the Board of Governors of the Federal Reserve System. An amendment the panel will consider would add the Comptroller of the Currency, the Federal Deposit Insurance Corp. and the National Credit Union Administration.

https://www.politico.com/newsletters/morning-cybersecurity/2019/10/28/hill-plans-this-week-banking-regulator-cyber-disclosures-ftc-online-scam-tools-781672

 

Cost, Security Questions Arise After Voting Machine Approval

“There is a remarkable consensus among experts, including the Blue Ribbon Commission on Pennsylvania’s Election Security, that paper ballots (deposited in optical scanners) are the most secure option for voters,” Deluzio said. A U.S. Senate Select Committee on Intelligence reached that conclusion while investigating Russian interference in the 2016 election. Later, the National Academies of Science, Engineering and Medicine weighed in with the same conclusion.

https://www.govtech.com/security/Cost-Security-Questions-Arise-After-Voting-Machine-Approval.html

 

Russia’s Long and Mostly Unsuccessful History of Election Interference

We have known for decades that when it comes to foreign interference efforts, campaigns are the front-line—the first targeted, and the first to know. And for decades, the campaigns’ refusals have stopped interference efforts in their tracks. As we already know, hostile regimes such as Russia successfully injected themselves into the 2016 election—without asking permission—coaxing armed white supremacists onto the street, stealing internal emails and planting fake news stories, and creating some of the most popular social media feeds during the election. And Russia is almost certainly gaming out how to reprise its efforts in 2020.

https://www.politico.com/magazine/story/2019/10/26/russias-long-and-mostly-unsuccessful-history-of-election-interference-229884

 

The Cybersecurity 202: This company wants Democrats to tackle political disinformation with counterterrorism strategy [Subscription]

Hougland received Defense Advanced Research Projects Agency funding during the Obama administration to work on tools to analyze what kind of social media posts had the highest likelihood of undercutting terrorist propaganda so the U.S. government could deploy them. [...] Hougland says his company can help identify the users who were exposed to disinformation — and then bombard them with counter-messaging. For instance, if the Democratic National Committee wanted to respond to President Trump's debunked conspiracy theory that the party had a hidden server in Ukraine hosting evidence related to the 2016 hack, Main Street One would coordinate a response so social users also get factual information.

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/10/28/the-cybersecurity-202-this-company-wants-democrats-to-tackle-political-disinformation-with-counterterrorism-strategy/5db5bf3488e0fa5ad928daf9/

 

Imagine the US was just hit with a cyberattack. What happens next?

We asked them to consider hypothetical scenarios, including the one on the opposite page in which unknown hackers have accessed the computers, networks, and hardware of gas pipelines in New England. The potential consequences would range from espionage and intellectual-property theft to more devastating attacks that could leave Boston without power or, in the worst case, cause fires and life-threatening damage. What happens next—and whether it escalates into a real cyberwar—depends on who is on the attack, what their goals are, and how the US responds.

https://www.technologyreview.com/s/614565/what-happens-us-cyberattack/

 

Microsoft says Russia-linked hackers target sports organizations

At least 16 national and international sporting and anti-doping organizations across three continents were targeted in the attacks which began on Sept. 16, according to the company. [...] Security firm CrowdStrike has said the group may be associated with the Russian military intelligence agency GRU. Microsoft said Strontium reportedly released medical records and emails taken from sporting organizations and anti-doping officials in 2016 and 2018, resulting in an indictment in a federal court in the United States in 2018.

https://uk.reuters.com/article/uk-microsoft-cyber/microsoft-says-russia-linked-hackers-target-sports-organizations-idUKKBN1X724H

 

Why did Microsoft fund an Israeli firm that surveils West Bank Palestinians?

According to five sources familiar with the matter, AnyVision’s technology powers a secret military surveillance project throughout the West Bank. One source said the project is nicknamed "Google Ayosh," where "Ayosh" means occupied Palestinian territories and "Google" denotes the technology’s ability to search for people. [...] The surveillance project was so successful that AnyVision won the country’s top defense prize in 2018. During the presentation, Israel’s defense minister lauded the company — without using its name — for preventing “hundreds of terror attacks” using “large amounts of data.”

https://www.nbcnews.com/news/all/why-did-microsoft-fund-israeli-firm-surveils-west-bank-palestinians-n1072116

 

New study finds that Texas is more at risk for cyber privacy concerns than other states

Ranking 23rd in the Comparetech study, Texas fell short in areas such as social media privacy, security of insurance data, third-party sharing of data, and disclosure of what types of data companies collect about consumers. "Texas still has a long way to go in protecting its residents' privacy, particularly when it comes to how companies and government entities can collect, use, and share personal data," says Paul Bischoff, a privacy advocate with Comparetech. During Texas' 2019 legislative session, one comprehensive measure aimed at tightening online privacy laws, the Texas Consumer Privacy Act, failed to reach the governor's desk.

https://houston.innovationmap.com/texas-underwhelms-online-privacy-study-by-comparetech-2641134501.html

 

Five months after returning rental car, man still has remote control

"All it took was me downloading the app and entering the VIN, then confirming connectivity through the infotainment system," Sinclair said late last week. "There MIGHT be a way to disassociate my phone from the car itself, but that hasn't happened yet, and it's crazy to put the onus on renters to have to do that. I have had no problems at all and have even unlocked the doors and started the engine when I could see that the vehicle was in the Missoula airport rental car parking lot."

Below are a video and image Sinclair took documenting his control of the vehicle.

https://arstechnica.com/information-technology/2019/10/five-months-after-returning-rental-car-man-still-has-remote-control/

 

Pwn2Own Adds Industrial Control Systems to Hacking Contest

The decision to have ICS Pwn2Own at S4 was mutual, says Dale Petersen, founder of S4 Events and Digital Bond. When he approached Trend Micro's Zero-Day Initiative (ZDI) back in the spring to propose bringing ICS Pwn2Own to S4x20, they had already been thinking about it. In 2018, ZDI purchased 224% more zero-day vulnerabilities in ICS software compared with the previous year, demonstrating a growing need to research bugs in industrial control software.

https://www.darkreading.com/vulnerabilities---threats/pwn2own-adds-industrial-control-systems-to-hacking-contest/d/d-id/1336191

 

Cybercriminals Impersonate Russian APT ‘Fancy Bear’ to Launch DDoS Attacks

The group, which appears to actually own a DDoS botnet, is asking victims for payments of two Bitcoin. On Monday morning, one Bitcoin was selling for about $9,300. The attacks also demonstrate that the group is doing its research when it comes to victims, according to the report. Rather than attack victim websites, the group is going after back-end servers, which aren’t usually protected by DDoS mitigation systems and thus have a good chance at causing system downtime, the report noted.

https://threatpost.com/cybercriminals-impersonate-russian-apt-fancy-bear-to-launch-ddos-attacks/149578/

 

Remember that competition for non-hoodie hacker pics? Here's their best entries

Open Ideo, an American graphic design biz, ran an event co-sponsored by the Hewlett Foundation aimed at developing new imagery for infosec news. Rather than filling image slots with stereotypical pics of the type you all love to hate, they were hoping to get something a bit more inspiring and uplifting. A few are good. But some of the published submissions look more like corporate report covers than something we'd elevate to the hallowed homepage of El Reg. Tellingly, only one journalist sat on the six-strong panel of judges.

https://www.theregister.co.uk/2019/10/28/cybersecurity_stock_image_challenge/



You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at https://ci.security/news/daily-news.

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2019 CI Security. All rights reserved.

CI Security
245 4th St, Suite 405  Bremerton, WA 98337