NTSC Technology Security Roundup

Weekly News Roundup: September 25, 2017

NTSC Publishes Op-Ed in The Hill

NTSC Executive Director Patrick Gaul penned an op-ed for The Hill, titled “The time is now for Congress to act on a national data breach notification law,” that makes the case for this long-overdue law. He concludes the editorial by saying, “Over the next several weeks and months, I anticipate several bills will be introduced in the Senate and House to establish a national data breach notification standard. While Congress debates the merits of the various proposals, I would like to offer our expertise. As an objective third party with no specific industry affiliation, NTSC can bring together CISOs from various industries and support Congress’ efforts to bring a national data breach notification law into fruition to the benefit of consumers across the nation.”

Senators Warren and Schatz Introduce Freedom from Equifax Exploitation (FREE) Act

On September 15, United States Senators Elizabeth Warren (D-Mass.) and Brian Schatz (D-Hawaii) introduced the Freedom from Equifax Exploitation (FREE) Act, which aims to give consumers back control over their credit and personal information. According to a press release, “The Freedom from Equifax Exploitation Act […] [creates] a federal requirement for credit reporting agencies to freeze (as well as temporarily or permanently unfreeze) access to credit files at a consumer's request and at no cost.” The bill would also prevent credit reporting agencies from profiting from consumers' information during a freeze, enhance fraud alert protections, and give consumers the opportunity to receive an additional free credit report following the Equifax data breach.

SEC Software Vulnerability May Have Led to “Illicit Gain Through Trading”

In a statement, the SEC said, “In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.” The New York Times pointed out that the US General Accountability Office (GAO) “in July released a 27-page report that found deficiencies in the S.E.C.’s information systems that ‘limited the effectiveness of the S.E.C’s controls for protecting confidentiality, integrity and availability.’ It also found that the S.E.C. did not always encrypt information and had failed to fully implement recommendations from the G.A.O. that would help detect intrusion.”

NSA and CYBERCOM May Each Get Their Own Leader Soon

Although US Cyber Command was elevated to the status of Unified Combatant Command back in August, it still shares a leader (Admiral Mike Rogers) with the National Security Agency, from which US Cyber Command split. Federal News Radio reports that there are talks about giving each organization its own leader to reflect this split. According to Federal News Radio, Admiral Rogers said the following at an Air Force Association Conference on Tuesday: “We have got to be open to the idea that we are continually evolving in this [cyber] construct. Look how fast it’s gone in literally just over 10 years. We went from a functional component aligned against a combatant command … to now let’s go to a combatant commander. I think now the next question in this evolution is ‘Does that alignment still make sense as we’ve evolved a very traditional operational force?’”

Webroot Report Indicates Nearly 1.5 Million New Phishing Sites Are Created Each Month

According to the September 2017 Webroot Quarterly Threat Trends Report, 1.385 million new, unique phishing sites are created each month, with a high of 2.3 million sites created in May. The data shows that today’s phishing attacks are highly targeted, sophisticated, hard to detect, and difficult for users to avoid. The latest phishing sites employ realistic web pages that are almost impossible to find using web crawlers, and they trick victims into providing personal and business information. Webroot says, “Phishing continues to be one of the most common, widespread security threats faced by both businesses and consumers. Phishing is the number 1 cause of breaches in the world, with an average of more than 46,000 new phishing sites created per day.”

Researchers Show HVAC Systems Vulnerable to Malware Attacks

In what should be a concern to anyone operating air-gapped networks (especially those protecting critical infrastructure), researchers at the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel discovered that HVAC systems are vulnerable to a specific kind of malware attack. According to Bleeping Computer, “This type of attack scenario — codenamed HVACKer by its creators — relies on custom-built malware that is capable of interacting with a computer’s thermal sensors to read temperature variations and convert these fluctuations into zeros and ones — binary code. The malware, already installed on a computer on an isolated network with no Internet access, reads the temperature variations created by the HVAC system and converts the received thermal signals into malicious operations.”