Japan to Probe IoT Devices and Then Prod Users to Smarten Up


Editor’s Picks

Starting today, Japan’s National Institute of Information and Communications Technology (NICT) will begin testing the security of Internet-connected devices that belong to citizens and businesses. Without notifying owners, the agency will use default credentials to try to log in to possibly millions of gadgets across the country as part of a nationwide cybersecurity experiment due to end in 2022. 

Hackers Use Compromised Banks As Starting Points For Phishing Attacks

In a report released today and shared with Bleeping Computer, Group-IB, an international security company specializing in preventing cyberattacks, describes a so-called cross-border domino effect that can spread an infection beyond the initial target. The report is based on information from incident response work conducted in 2018 by the company's team of computer forensics experts.

Failure to Plan: 3 Unexpected Security Challenges That Undermine Your CISO

The role of a chief information security officer (CISO) can never be categorized as low-stress. After all, the responsibility for safeguarding all that corporate, customer and employee data, along with intellectual property, is so vast and the pressure so immense that many decide (or are asked) to walk away within just two years of accepting the job. Further, considering that cyberthreats are a continually evolving phenomenon, CISOs are likely to feel as though their entire role is a moving target.

New IoT Standard

The ETSI Technical Committee on Cybersecurity (TC CYBER) has just released ETSI TS 103 645, a standard for cybersecurity in the Internet of Things, which will help to create a baseline security standard for IoT devices.

Cybercrime is focusing on accountants

Our experts have found that cybercriminals are actively focusing on SMBs, and giving particular attention to accountants. Their choice is quite logical — they’re seeking direct access to finances. The most recent manifestation of this trend is a spike in Trojan activity: specifically, from Buhtrap and RTM. They have different functions and ways of spreading, but the same purpose — to steal money from the accounts of businesses.

Calling Into Question the CVSS

For almost 15 years now, companies have been using the Common Vulnerability Scoring System (CVSS) to determine the criticality of security vulnerabilities. Ten is the highest score, meaning the most severe, while zero is the lowest. Over time, the CVSS has become something of a de facto industry standard used by most major vendors as well as the National Vulnerability Database (NVD).

Why Daimler moved its big data platform to the cloud

Like virtually every big enterprise company, a few years ago, the German auto giant Daimler decided to invest in its own on-premises data centers. And while those aren’t going away anytime soon, the company today announced that it has successfully moved its on-premises big data platform to Microsoft’s Azure cloud. This new platform, which the company calls eXtollo, is Daimler’s first major service to run outside of its own data centers, though it’ll probably not be the last.

Proposed Bill Would Force Arizonians To Pay $250 To Have Their DNA Added To a Database

technology_dude writes: One by one, thresholds are being crossed where the collection and storage of personal data is accepted as routine. Being recorded by cameras at business locations, in public transportation, in schools, churches, and every other place imaginable. Recent headlines include “Singapore Airlines having cameras built into the seat back of personal entertainment systems

Chinese And Iranian Hackers Renew Their Attacks On U.S. Companies

It has been reported today by the New York Times that businesses and government agencies in the United States have been targeted in aggressive attacks by Iranian and Chinese hackers who security experts believe have been energised by President Trump’s withdrawal from the Iran nuclear deal last year and his trade conflicts with China. Recent Iranian attacks on American banks, businesses and government agencies have been more extensive than previously reported. Dozens of corporations and multiple United States agencies have been hit, according to seven people briefed on the episodes who were not authorised to discuss them publicly.

More Russian language malspam pushing Shade (Troldesh) ransomware, (Wed, Feb 20th)

Russian language spam pushing Shade ransomware (also known as Troldesh ransomware) has remained active since my previous ISC diary about it on 2018-11-29. However, sometime in February 2019, this malicious spam (malspam) has altered its tactics slightly. Instead of a zip archive directly attached to the malspam, recent emails have attached PDF files with links to download the zip archive. Otherwise, this infection activity remains relatively unchanged.

92 Million MyHeritage Genealogy Accounts Breached. Now What?

The bad news is that 92 million MyHeritage user accounts were compromised. The recent cyberattack on the MyHeritage DNA and genealogy testing company compromised about 92 million user accounts, which makes this breach one of the largest known data breaches in the world. MyHeritage, based in Israel, has maintained that no genetic data was stolen during the cyberattack.

Given the accelerating velocity of these cyberattacks and their overall success, we are seeing a rapidly increasing risk to the security of DNA data. DNA data is incredibly valuable and incredibly personal. Our DNA encoding is the most private data that we will ever possess and the ultimate definition of who we are. More than a fingerprint or a retinal scan, let alone a password or cell phone number, this data defines who you are at the most intimate and complete level. The potential scale of the misuse of this data is without measure. We worry about protecting data like credit cards, social security numbers, passwords, and more, but these don't compare with the potential future value of your DNA encoding, let alone the harm it could do in the wrong hands.

The attackers obtained emails and hashed passwords. Hashed passwords are absolutely not safe if stolen: they remain highly vulnerable to a dictionary attack, in which the attacker computes the hash function over the top 100,000 most popular passwords and then simply compares the results against the list stolen from MyHeritage. A smart cyberattacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts.

Companies like 23andMe offer FDA-approved DNA services that can identify genetic health risks. For example, 23andMe tests can provide information about BRCA1, the human tumor suppressor gene. If you have a positive test result which shows a mutation in the breast cancer genes (BRCA1, BRCA2), you might be at higher risk of developing breast or ovarian cancer compared to the population that doesn't have the mutated gene, though it is not guaranteed that you will develop cancer. There are also tests for celiac disease, Alzheimer's disease, Parkinson's disease, thrombophilia, G6PD anemia, and more. Can you imagine the interest in your genetic data to the less scrupulous health insurance companies worldwide? Would they deny you insurance? Consider also that this information, like other stolen data, would likely be up for sale on the Dark Web, where almost anyone could acquire it. The unscrupulous insurance company may be the least of your worries. Once stolen, who else could acquire it and what would they do with it?

In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) normally protects your personal health information (PHI). Unfortunately, the HIPAA regulation has a loophole in it with respect to the protection of DNA data. Patient data can be shared if, and only if, it has been anonymized, meaning that identifying characteristics have been scrubbed from the data. This 1996 regulation did not anticipate the advent of genetic testing and was not written to protect against the release of genetic data specifically. Many of the genetic testing companies have already sold this data, claiming that it has been sufficiently anonymized. The devil is in the details around anonymization and exactly how it was implemented. The biggest fallacy in all of this is the belief that anonymized DNA data is adequately protected: several scientists have been able to deduce the identity of people behind anonymous samples of DNA found in public research and university databases. There needs to be additional legislation specifically pertaining to protecting human DNA data and its appropriate uses.

The 1996 HIPAA regulation likely needs a specific amendment to address and protect this incredibly valuable data, recognizing that this data should not be released under any circumstances or conditions. Further, as the MyHeritage attack has shown us, we need to aggressively protect this information in any form using hardened cyber defense technology like Zero Trust end-to-end encryption. Legislation, regulation, and the most careful cyber hygiene need to be applied in liberal doses and on the fastest timeline possible. Protecting customer data is more important than ever. New best practices such as the use of Zero Trust end-to-end encryption, cloud access security brokers (CASB+), and 2-factor authentication are required for data and threat protection as well as for the barrage of new compliance regulations. To find out more about our CASB+ platform please check out https://www.ciphercloud.com/casb. You can learn more about our end-to-end Zero Trust encryption via https://www.ciphercloud.com/active-encryption. Or sign up for a CASB+ trial today!

Phishing Campaign Spoofs United Nations and Multiple Other Organizations

Anomali Labs researchers recently discovered a phishing site masquerading as a login page for the United Nations (UN) Unite Unity, a single sign-on (SSO) application used by UN staff. When visitors attempt to log in to the fraudulent page, their browser is redirected to an invitation for a film viewing at the Poland Embassy in Pyongyang dated September 2018. Further analysis of the threat actor's infrastructure uncovered a broader phishing campaign targeting several email providers, financial institutions, and a payment card provider. We expect to see malicious actors continue to target United Nations staff, as well as the listed brands and their users, with faux login pages designed to pilfer user credentials for resale on criminal forums and marketplaces and, in the case of financial accounts, to steal payment card information.