Cyber Weekly Roundup – April 20, 2018

By Colby Proffitt

1.) Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer (April 15, 2018)

https://thehackernews.com/2018/04/iot-hacking-thermometer.html

Summary: Internet-connected technology, also known as the Internet of Things (IoT), is now part of daily life, from smart assistants like Siri and Alexa to cars, watches, toasters, fridges, thermostats, lights, and the list goes on and on.

But of much greater concern, enterprises are unable to secure each and every device on their network, allowing cybercriminals to hold the entire network hostage through just one insecure device.

Since IoT is a double-edged sword, it not only poses huge risks to enterprises worldwide but also has the potential to severely disrupt other organizations, or the Internet itself.

Why it matters: The creativity continues with IoT attacks, but this one should make it clear – anything connected to the internet can be hacked. As this article points out, because IoT devices are commonplace, so are IoT attacks, which, much like ransomware attacks, are becoming routine. And, many IoT devices are connected to the cloud, which calls into question the overall security of the cloud.

2.) Could Russia and West be heading for cyber-war? (April 16, 2018)

http://www.bbc.com/news/technology-43788114

Summary: The latest warning of Russian intrusions is another sign that cyber-space is becoming one of the focal points for growing tension between Russia and the West. But so far, much of the talk about cyber-war remains hypothetical rather than real.

Why it matters: While most would agree that war is no longer solely waged in the air, on land, and at sea – it’s also waged in cyberspace – it’s not yet clear what the longer term implications of the new front will be. Will nation-state attacks be tolerated, or will retaliation ensue? Will retaliation be viewed as justice? Will retaliation remain in the form of a cyber attack, or will it occur in the form of traditional warfare? Just as questions such as these are endless, so too are the possibilities. The U.S. must ensure that not only are its cyber capabilities ahead of those of our enemies, but that our traditional means of both defense and offense are operationally sound and prepared to withstand potentially debilitating cyber attacks.

3.) Command and control: A fight for the future of government hacking (April 11, 2018)

https://www.cyberscoop.com/us-cyber-command-nsa-government-hacking-operations-fight/

Summary: Following years of effort and billions of dollars’ worth of research and planning, the nation finally has a fully operational force of cyberwarriors at U.S. Cyber Command. Yet, as those troops confront adversaries around the world, there’s uncertainty across government about how to best make use of them.

Why it matters: Related to the topic above, this article offers an in-depth look at where U.S. cyber authority currently resides, and where it may be shifting in the future. To date, cyber operations have focused on collecting intel; however, many U.S. adversaries are both collecting intel and leveraging it for attacks. Traditionally, the military and intel agencies have slightly different approaches to getting the job done – as this article points out, the military is typically more focused on getting rapid results, while the intel community has a vested interest in longer-term gains. The best solution is likely a hybrid approach – one that would mean an increase in cyber offense via the military, with continued strategic intel operations. Key for success, of course, is communication between all agencies and branches to ensure the right enemies are targeted. Check out this clip from NCIS to get a better understanding of why it’s important to deconflict the warzone.

4.) Senate passes DHS bug bounty bill (April 19, 2018)

https://fcw.com/articles/2018/04/19/dhs-bug-bounty-senate.aspx?s=fcwdaily_200418

Summary: The Department of Homeland Security is one step closer to launching a bug bounty pilot. The Senate passed legislation April 17 that compels DHS to establish a bug bounty program. Sponsored by Sens. Maggie Hassan (D-N.H.), Rob Portman (R-Ohio), Claire McCaskill (D-Mo.) and Kamala Harris (D-Calif.), the bill was introduced last year and authorizes $250,000 for DHS to contract with an outside organization to run the program, which would pay security researchers for finding undiscovered flaws and vulnerabilities in DHS systems and software.

Why it matters: Slowly but surely, more agencies are getting onboard with bug bounty programs as part of overall modernization efforts and improved cyber practices. Looking at the cost, compared to the overall return on investment, these programs are a great way to incentivize users while improving the overall cyber posture of your organization.

5.) ‘iTunes Wi-Fi Sync’ Feature Could Let Attackers Hijack Your iPhone, iPad Remotely (April 18, 2018)

https://thehackernews.com/2018/04/iphone-itunes-wifi-sync.html

Summary: Be careful while plugging your iPhone into a friend’s laptop for a quick charge or sharing selected files. Researchers at Symantec have issued a security warning for iPhone and iPad users about a new attack, which they named “TrustJacking,” that could allow someone you trust to remotely take persistent control of, and extract data from your Apple device.

Why it matters: Remember when people used to say that Apple products couldn’t be hacked? Well, they were wrong then and they’re still wrong today. While Apple has come a long way in terms of simplifying messages to end users, those same users are just as impatient as they ever were – and the average user will simply click through any warning messages that pop up in order to get to the apps and features they need. So, while Apple and other manufacturers are trying to make their devices more secure, and at least prompt users to consider security, the onus still ultimately falls to the impatient end users.