Saturday, May 13, 2017

This is a big one, people.  Remember, this is old software.  Interesting that this appears to be an offensive weapon.  I wonder if ISIS grabbed a copy?  I’m going to recommend that we raise tuition in the Computer Security program.  (And I want a raise!) 
Stolen U.S. spy agency tool used to launch global cyberattack
A global cyberattack leveraging hacking tools widely believed by researchers to have been developed by the U.S. National Security Agency hit international shipper FedEx, disrupted Britain’s health system and infected computers in nearly 100 countries on Friday.
Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.
The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access.  Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.
Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries with Russia, Ukraine and Taiwan the top targets.
The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers.

(Related)
'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack
   The switch was hardcoded into the malware in case the creator wanted to stop it spreading.  This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.
“I saw it wasn’t registered and thought, ‘I think I’ll have that’,” he is reported as saying.  The purchase cost him $10.69.  Immediately, the domain name was registering thousands of connections every second.

(Related)
Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware

(Related).  Microsoft fixes.
Customer Guidance for WannaCrypt attacks
   This blog spells out the steps every individual and business should take to stay protected.  Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.  Customers running Windows 10 were not targeted by the attack today.


To encourage my Computer Security students.  (and depress Security managers) 
Cybersecurity market research: Top 15 statistics for 2017
1.      Global cybersecurity spending is predicted to exceed $1 trillion cumulatively over the next five years, from 2017 to 2021.
2.      Cybercrime damage costs are predicted to reach $6 trillion globally by 2021, up from $3 trillion in 2015.
3.      There are 1 million cybersecurity job openings in 2017, and that is projected to exceed 1.5 million by 2019.
4.      The cybersecurity unemployment rate remains at zero percent in 2017 (same as 2016). 
5.      The security awareness training market is predicted to reach $10 billion annually by 2027.
6.      Global healthcare cybersecurity spending is predicted to exceed $65 billion cumulatively over the next five years, from 2017 to 2021.
7.      Ransomware attacks on healthcare organizations are predicted to quadruple by 2020.
8.      300 billion passwords will require cyber protection by 2021.
9.      Wi-Fi and mobile devices are predicted to account for nearly 80 percent of IP traffic by 2025.
10.  Zero-day exploits will rise from one-per-week in 2015 to one-per-day by 2021.
11.  111 billion lines of new software code will be created - and needs to be secured - in 2017.
12.  4 billion people are expected to be online - and need cyber protection - by 2020, up from 2 billion plus last year
13.  By the end of 2017, all DoD contractors — about 160,000 or so — will have to meet regulations (DFARS 252.204-7012) which require prime contractors and their subs to employ adequate security.
14.  Nearly half of all cyber-attacks are committed against small businesses
15.  65 percent of respondents to a poll say black-hat hackers are more experienced than white-hats.


Another view of threats.
U.S. Intelligence Community Highlights Cyber Risks in Worldwide Threat Assessment
   Cyber adversaries, warns the Worldwide Threat Assessment of the US Intelligence Community (PDF), "are becoming more adept at using cyberspace to threaten our interests and advance their own, and despite improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years."


What predicts crime?  Would an AI do better?
Mick Dumke and Frank Main report:
As Chicago endured a devastating surge in gun violence last summer, scores of people with long rap sheets stood atop the Chicago Police Department’s secret watch list, newly obtained records show.
One of the men had been arrested 12 times for violent crimes, all before turning 20.  He’d also been charged with illegal gun possession.  Two others each had been arrested eight times for violent crimes and caught three times with guns.  Another man had been busted three times for illegal guns, racked up four arrests for violent offenses and been shot twice.
Read more on Chicago Sun-Times.


Another question: What should you specify in your warrant?
You had to know I’d do a follow-up on the story where a Minnesota judge issued a search warrant for anyone who Googled a victim’s name in an entire US town.
Did law enforcement’s strategy work?  We don’t yet know.
Miguel Otárola reports that once the search was narrowed, there was only one record produced by Google from the search.  That’s a far, far cry from the concerns at the time that the search would scoop up too many people’s records, but Google says the limited outcome was precisely because they fought to limit/narrow the search.
Neither Google nor Edina officials explained how the search was specified or what information was turned over to police.  As of Friday, no arrest had been made in the case, Edina spokeswoman Jennifer Bennerotte said, but she declined to comment on the investigation.
Read more on the Star Tribune.


Curiosity about a verdict?
Alyssa Rege reports:
A Washington couple filed a second lawsuit against Seattle-based Virginia Mason Medical Center, alleging the institution failed to provide information about multiple privacy breaches involving their medical and financial records, according to K-5 News.
Matthew and Sarah Hipps, MD, previously sued VMMC in 2013.


Perhaps too big to fail but not too big to flail. 
Wells Fargo bogus accounts balloon to 3.5 million: lawyers
   The new estimate was provided in a filing late Thursday night in the federal court in San Francisco, and is 1.4 million accounts higher than previously reported by federal regulators, in what became a national scandal.
Keller Rohrback, a law firm for the plaintiff customers, said the higher estimate reflects "public information, negotiations, and confirmatory discovery."
   Nonetheless, it could complicate Wells Fargo's ability to win approval for the settlement, which has drawn opposition from some customers and lawyers who consider it too small.
   Garrison's firm said in a filing the accord underestimated the potential maximum damages by at least 50 percent, and did not properly address whether Wells Fargo committed identity theft by using customers' personal data to open accounts.


This is such a major management failure that I suspect we’ll see it in a Dilbert cartoon.  Note: This is not just for Air Force One.  All aircraft need this procedure.  Why were untrained mechanics working on any plane?   
Boeing mechanics caused $4 million in damage to Air Force One's oxygen system
Mechanics from Boeing contaminated the oxygen system on a presidential Air Force One aircraft last April, according to an accident investigation board report released Tuesday.
The contamination to the VC-25A — one of two planes that is known as Air Force One when it carries the president — required $4 million in repairs, which Boeing paid for, the March 6 report said.  Had it not been corrected, such contamination could have increased the risk of a fire.
The report said that three Boeing mechanics at a plant in Port San Antonio, Texas, used a contaminated regulator and contaminated tools, parts and components while checking the oxygen system for leaks during regular depot maintenance between April 1 and 10, 2016.  They also used an unauthorized cleaning procedure while unsuccessfully trying to sanitize the parts, the report said.
To avoid the chances of a fire breaking out, only "oxygen-clean" tools and components — items that have been cleaned in a specific way to remove any residue that could react when coming into contact with oxygen — can be used on the plane's oxygen system, according to the report.


For my student entrepreneurs: Think of this as Khan Academy, but with stuff to sell.
NBCUniversal spent around $230 million to buy the video tutorial site Craftsy
It turns out content and commerce can be a valuable mix.
Earlier this week, NBCUniversal announced the acquisition of Craftsy, a Denver-based startup that sells videos of crafts classes, as well as craft supplies and kits.


God bless all who conduct such studies!  I may need to change my diet.  What is it called when you ONLY eat cheese and drink wine? 
Wine and cheese make you smart and healthy, according to new studies
A recent study challenges some of the health concerns around cheese and dairy: Mainly that they are fatty and lead to potential heart attacks or strokes.  The researchers, using previous studies and data found on these dairy products, found cheese doesn’t increase the risk of heart attacks and strokes.  It is important to note, however, that the study was funded in part by three dairy organizations, which obviously have a vested interest in positive results.  The Global Dairy Platform, Dairy Research Institute and the Dairy Australia (even though the paper says they had no role in study design or data collection and analysis).
And red wine, in moderation, can help your heart and your brain, according to a recent study published in the journal Frontiers in Nutrition.  Contrary to previous findings, such as one Swedish report from 2014, cheese, as well as other dairy products like milk and yogurt, may not be more dangerous to your health.


Dilbert suggests a new version of the Turing test!

No comments: