Saturday, August 06, 2016

One of the downside risks of “pushing” updates? 
PoS Trojan Bypasses Account Control Posing as Microsoft App
A newly discovered PoS (Point-of-Sale) malware can bypass computer defenses such as User Account Control (UAC) by posing as a legitimate Microsoft application, Doctor Web researchers have discovered.
Upon infection, the Trojan performs a series of checks to determine whether any program that could hinder its activity is running on the targeted system.  It looks for any copies of itself, as well as for virtual machines, emulators, and debuggers, and terminates itself if any of these is found.
Otherwise, the malware runs itself and attempts to gain administrator privileges by tricking the default system defenses.  In the User Account Control (UAC) warning triggered by the malware, however, the user is informed that the running application is called WMI Commandline Utility (wmic.exe) and is developed by Microsoft.
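The lesson for defenders is that the name shown in a UAC prompt is a claim, not proof: the process has to be tied back to its image path and its Authenticode signer. The following is an added example written for this post, not code from the article or from Doctor Web. It assumes a standard Windows install where the genuine utility lives under the System32 (or SysWOW64) wbem folder; the function name Test-WmicProcess and the output layout are choices made here.

```powershell
# Added example (not from the Doctor Web report): for every running process that
# calls itself wmic.exe, check that its image path is the expected Microsoft
# location and that the file carries a valid Microsoft Authenticode signature.
# Assumption: a standard Windows layout (%SystemRoot%\System32\wbem\wmic.exe).

$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32\wbem'),
    (Join-Path $env:SystemRoot 'SysWOW64\wbem')
)

function Test-WmicProcess {
    $findings = @()

    foreach ($proc in Get-Process -Name wmic -ErrorAction SilentlyContinue) {
        $path = $proc.Path

        # Path is null when the current session cannot open the process
        # (for example a higher-integrity process); flag rather than guess.
        if (-not $path) {
            $findings += [pscustomobject]@{
                Pid     = $proc.Id
                Path    = '<unreadable>'
                Signer  = ''
                Verdict = 'Image path not readable; re-run from an elevated session'
            }
            continue
        }

        $dir = Split-Path -Path $path -Parent
        $sig = Get-AuthenticodeSignature -FilePath $path

        # -contains compares strings case-insensitively by default in PowerShell.
        $inExpectedDir = $expectedDirs -contains $dir

        # Many System32 binaries are catalog-signed rather than carrying an
        # embedded signature; Get-AuthenticodeSignature consults the catalog on
        # current Windows releases, but on very old hosts 'NotSigned' may appear
        # for a genuine file, so treat that result as "verify manually".
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $microsoftSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

        $verdict = if ($inExpectedDir -and $microsoftSigned) {
            'OK: expected path and valid Microsoft signature'
        } elseif (-not $inExpectedDir) {
            'SUSPICIOUS: wmic.exe running from an unexpected directory'
        } else {
            "SUSPICIOUS: signature status '$($sig.Status)' or non-Microsoft signer"
        }

        $findings += [pscustomobject]@{
            Pid     = $proc.Id
            Path    = $path
            Signer  = $signer
            Verdict = $verdict
        }
    }

    return $findings
}

# Usage: prints one row per wmic.exe process; an empty result means none is running.
Test-WmicProcess | Format-Table -AutoSize
```

The same two checks (expected image path, valid signer) generalize to any process that borrows a well-known Microsoft name, and they are the kind of condition an endpoint detection rule can evaluate at process-creation time rather than after the UAC prompt has already been shown.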

My Computer Security students should find this confusing. 
Insurers working to fill cyberinsurance data gaps
Insurance companies typically have decades of data, if not more, on which to base their risk estimates.
That's not the case with cyber risk, however.  There's very little historical data available, the data is not complete, and the threat landscape doesn't just change year by year, but day by day.  There isn't even a standard set of definitions that everyone can agree on.
One of the first problems when it comes to buying cyberinsurance is that nobody knows exactly what it means.  Corporate financial officers, security managers, and insurance brokers have different understandings of risk, for example.

According to a recent cyberinsurance survey by the SANS Institute, only 30 percent of underwriters and 38 percent of information security professionals believe that they speak the same language.  
For example, one policy might refer to a "privacy breach," another to a "data breach", and a third to "network security wrongful acts."
"Is a privacy breach the same thing as a privacy wrongful act?" he asked.  "Is a data breach the same as a network security wrongful act?"
"And a lot of the language hasn't been tested in court yet," he added.
In a recent survey the company conducted, only 10 percent of IT experts said they believed that their cyber coverage was completely up to date, and of those who had cyber insurance, only 43 percent were confident that it covered business email compromise fraud.  There was a similar lack of confidence about new social engineering attacks.
"Almost half -- 45 percent -- of firms are clueless as to whether their cyberinsurance policy is up to date for covering these types of threats," Malone said.

“We use that code to identify our VIP passengers, not for security.” 
Hacker uses fake boarding pass to get into every airline lounge for free
The security flaw was discovered by Przemek Jaroszewski, the head of Poland’s Computer Emergency Response Team.  He discovered that lounge access is coded into the QR code of an electronic boarding pass, but not verified by any central database.
The hack hasn’t been tested in North America, so it’s possible that it would be defeated by more stringent checks.  The TSA told Wired that lounge security is the responsibility of the airlines, and is nothing to do with the more general security apparatus.

Another form of intimidation?  Actions short of war? 
Cyber Espionage Targets Interests in South China Sea
A cyber espionage campaign has been discovered apparently targeting participants in the recent Permanent Court of Arbitration case brought by the Philippines against China over Chinese claims of sovereignty in the South China Sea.
The cyber espionage campaign was discovered by F-Secure.  It named it NanHaiShu, and has today published an analysis of the methodology and malware involved.
One thing is certain -- Chinese feelings in the South China Sea run deep.  Soon after the ruling it commenced a major wargames exercise with, according to ZeroHedge, "some 300 ships, dozens of fighter planes, and involved troops that are responsible for coastal defense radars, communications, and electronic warfare defense."

Are we about to retaliate? 
Obama prepares to boost U.S. military's cyber role: sources
Under the plan being considered at the White House, the officials said, U.S. Cyber Command would become what the military calls a "unified command" equal to combat branches of the military such as the Central and Pacific Commands.
Cyber Command would be separated from the National Security Agency, a spy agency responsible for electronic eavesdropping, the officials said.  That would give Cyber Command leaders a larger voice in arguing for the use of both offensive and defensive cyber tools in future conflicts.

Perspective.  If Pokémon is eating batteries, what Apps are neglected? 
Pokémon Go drives a surge in smartphone backup battery sales
Early on in the Pokémon Go hype cycle, there were signs that players were driving a significant uptick in sales of backup batteries, like the Mophie units you may be familiar with that offer USB connections for topping up mobile devices while you’re away from an outlet.  Now, research from analytics firm NPD Group goes beyond early anecdotal evidence to show that in fact, unit sales across the portable power pack segment saw a 101 percent spike in the two weeks spanning July 10 and July 23, as compared to the same period last year.

Another week older but no wiser.
Hack Education Weekly News
Denver District Judge Michael Martinez has ordered a halt to a Douglas County program that allowed parents to use vouchers to send their children to private schools.
“Atlanta Public Schools debut new police force,” WSB-TV reports.  Every school will have a dedicated police force, which, as Tressie McMillan Cottom quips, is more than have AP classes.
Also via Inside Higher Ed: “A prominent technology think tank wants the federal government to encourage the use of standardized assessments to measure postsecondary knowledge and skills, with an approach that would separate learning from credentialing and challenge the dominance of traditional college degrees.”
