NTSC Technology Security Roundup

Weekly News Roundup: August 13, 2018

DHS Secretary Kirstjen Nielsen Urges Private Sector Collaboration as Cyberthreats Grow More Serious

Department of Homeland Security Secretary Kirstjen Nielsen penned a commentary for CNBC urging “collective defense” and more collaboration with the private sector to fend off cyberattacks. According to Nielsen, “[We] aren't ‘connecting the dots’ quickly enough. Between government and the private sector, we have the data needed to disrupt, prevent and mitigate cyberattacks. But we aren't sharing fast enough or collaborating deeply enough to keep cyberattacks from spreading or to prevent them in the first place.” Nielsen said that’s why the DHS announced the National Risk Management Center on July 31 to “provide the private sector with a one-stop-shop to access programs from all departments and agencies and coordinate defenses against cyber threats that can affect all sectors.”

PII from 26.5 Million Comcast Customers Exposed

In another massive data breach, Comcast exposed the PII of 26.5 million customers through security vulnerabilities in its online customer portal. While Comcast patched the vulnerabilities, Social Security numbers and clues to someone’s home address were still exposed. According to BuzzFeed News, “One of the flaws could be exploited by going to an ‘in-home authentication’ page where customers can pay their bills without signing in. […] After learning of the vulnerability, Comcast disabled in-home authentication. Now, customers need to manually input personal information to verify their accounts.” The second vulnerability involved “a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) [that] revealed the last four digits of customers’ Social Security numbers. […] Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.”
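The second Comcast flaw is a textbook case of a short secret (four digits, so at most 10,000 candidates) guarded by a form that never counts failures. The following is an added example, not Comcast's code or anything from the BuzzFeed article: it models the unthrottled check beside a hardened verifier that tracks consecutive failures per account and locks the account for a cooling-off period once a small limit is reached. The account record, the limit of five attempts and the 15-minute lockout are constructed values for illustration.

```python
"""Attempt limiting for an account-verification form (added example).

Models the failure mode described above: a form that accepts unlimited
guesses of a 4-digit value beside a hardened form that counts failures
per account and locks the account after a few of them. Account data,
the attempt limit and the lockout window are constructed for illustration.
"""
import hmac
import time

# Constructed sample data: account id -> last four digits on file.
ACCOUNTS = {"acct-1001": "4321"}

MAX_FAILED_ATTEMPTS = 5        # constructed policy value
LOCKOUT_SECONDS = 15 * 60      # constructed policy value


def _well_formed(guess):
    """Only a 4-digit ASCII string can ever match; anything else is a failure."""
    return isinstance(guess, str) and len(guess) == 4 and guess.isdigit()


def verify_unlimited(account_id, guess):
    """Vulnerable form: every guess is checked and nothing is counted.
    With only 10,000 possible values, an unthrottled caller is guaranteed
    to find the right one eventually."""
    if not _well_formed(guess):
        return False
    return hmac.compare_digest(ACCOUNTS.get(account_id, ""), guess)


class AttemptLimiter:
    """Hardened form: per-account failure counter with a timed lockout."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so tests can advance time
        self.failures = {}            # account_id -> consecutive failures
        self.locked_until = {}        # account_id -> unix timestamp

    def is_locked(self, account_id):
        until = self.locked_until.get(account_id)
        return until is not None and self.clock() < until

    def verify(self, account_id, guess):
        """Return 'ok', 'wrong' or 'locked'.

        A locked account answers 'locked' even to a correct guess, so the
        response leaks nothing about the secret while the lockout lasts.
        """
        if self.is_locked(account_id):
            return "locked"
        expected = ACCOUNTS.get(account_id, "")
        if _well_formed(guess) and hmac.compare_digest(expected, guess):
            self.failures.pop(account_id, None)      # reset on success
            return "ok"
        count = self.failures.get(account_id, 0) + 1
        self.failures[account_id] = count
        if count >= self.max_failed:
            self.locked_until[account_id] = self.clock() + self.lockout_seconds
            self.failures.pop(account_id, None)
            return "locked"
        return "wrong"


if __name__ == "__main__":
    limiter = AttemptLimiter()
    for attempt in ("0000", "1111", "2222", "3333", "4444", "4321"):
        print(attempt, "->", limiter.verify("acct-1001", attempt))
```

The lockout is keyed on the account being verified rather than on the caller's IP address, because the attack the article describes does not need many source addresses; per-account counting also makes the fifth failure visible as a single log event a SOC can alert on.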

Major Security Flaws Reported Across Multiple Industries

If increasingly sophisticated cyberattacks aren’t enough of a wake-up call to improve cyber hygiene, then perhaps research on the vulnerability of specific industries will help spur further action. A few reports last week offered sobering overviews of three industries:

  • Security flaws in mobile point-of-sale systems spell money trouble: According to CNET, “Three [popular point-of-sale readers] had a flaw that could've let a dishonest merchant change what customers see on the screen. That meant the device could show that a transaction failed when it really didn't and prompt customers to pay twice. The vulnerability opened up various possibilities for merchants to steal from customers.”
  • Phones at all major US carriers filled with vulnerabilities, say researchers: Reported in Fifth Domain, “Research funded by the Department of Homeland Security has found a ‘slew’ of vulnerabilities in mobile devices offered by the four major U.S. cell phone carriers, including loopholes that may allow a hacker to gain access to a user’s data, emails, [and] text messages without the owner’s knowledge.”
  • Health records “put at risk by security bugs”: Reported by the BBC, “Health records of almost 100 million patients worldwide were put at risk by security issues with a popular patient management system, researchers say.”

Smart Cities Vulnerable to Cyberattacks

While the DHS warns the United States about potential attacks on critical infrastructure and the need for “collective defense,” researchers are also uncovering serious flaws through tests on smart cities. Security Intelligence reported on research by Threatcare and IBM X-Force Red that “found 17 zero-day vulnerabilities in four smart city systems — eight of which are critical in severity. While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Juniper Research: Cybersecurity Breaches to Result in Over 146 Billion Records Being Stolen by 2023: A new report by Juniper Research found that over 33 billion records will be stolen by cybercriminals in 2023 alone, an increase of 175% over the 12 billion records expected to be compromised in 2018, resulting in a cumulative loss of over 146 billion records for the whole period.
  • Lack of Hardened Benchmarks Leads to Poor Cyber Hygiene: Reported in Infosecurity Magazine, “A new survey finds that nearly two-thirds of organizations are not practicing good cyber hygiene habits as they have no established benchmarks for implementing security controls.”
  • ProofPoint Warns Of Bank Trojans: A Massive Threat Executives May Overlook: Reported in PYMNTS.com, “In its latest quarterly report, cybersecurity firm ProofPoint emphasized the continued reign of the bank Trojan — a strategy that accounted for 42 percent of the attacks analyzed by ProofPoint for the year’s second quarter. Compare that to ransomware, which made up just 11 percent.”
  • Is the hype around AI deceiving cybersecurity professionals?: Reported in Silicon Republic, “A global survey from Eset found 75 percent of IT decision-makers believe AI will solve their cybersecurity challenges. […] In the US, it is more likely for IT professionals to consider AI and ML as a panacea to solve all of their cybersecurity issues. 82 percent of US respondents said this while in the UK and Germany the figures were much lower at 67 percent and 66 percent, respectively.”
  • Threatlist: Financial Services Firms Lag in Patching Habits: Reported in Threatpost, “Almost half (45 percent) of financial services firms in a recent survey have reported a data breach in the last two years – with many of those attacks being completely avoidable if known vulnerabilities were patched.”
  • Cyber report details tricks used by hackers to target critical infrastructure: Reported in The Hill, “A cybersecurity firm says it uncovered the methods and tools hackers use to target critical infrastructure organizations, activity it observed by creating a website that masqueraded as a major electricity provider. […] ‘Just two days after the honeypot went live, attackers had discovered it, prepared the asset for sale on the dark Web and sold it to another criminal entity who was also interested in [industrial control system] environments,’ according to the report.”
  • Research: More than 56% of all cryptocurrency crime happens in the US: Reported in The Next Web, “International cybersecurity firm Group-IB has shown that the number of compromised accounts has risen 369 percent since 2017. Data shared with Hard Fork shows that a staggering third of all victims were located in the US.”