Baltimore Doubles Up on Cyber-Insurance Following Ransomware Attack

Five months on from a ransomware attack that brought the city to its knees, Baltimore has purchased cyber-insurance for the first time.



On May 7, Baltimore became the second US city to fall victim to a new strain of ransomware called RobbinHood. The attack took all the city’s servers offline with the exception of essential services. As a result, real estate transactions were suspended, water billing was disrupted, and city employees were unable to access key documents and email. 



While Baltimore’s mayor, Bernard C. “Jack” Young, won praise for not paying hackers the $76,000 ransom they demanded to decrypt the files affected by the attack, the city now faces a massive recovery bill. So far, the attack is estimated to have cost the city $18m in direct costs and lost or delayed revenue, and the figure is expected to rise. 



In a bid to protect itself from future threats, on Wednesday Baltimore approved not one but two cyber-insurance policies, each of which offers $10m in liability coverage and has a $1m deductible. 



After a competitive bidding process involving 17 different carriers, Baltimore opted to purchase a plan from Chubb Insurance costing $500,103 in premiums and a second plan from AXA XL Insurance for $335,000. Each policy will provide the city with coverage against cyber-attacks for a period of one year. 



Lester Davis, a spokesman for Mayor Young, said: “The city is going to reassess every year. They will have to go through this process again when the terms are nearing maturity.”



Mayor Young said that having cyber-insurance did not dictate how Baltimore would respond to future cyber-attacks. 



Asked whether the city was more likely to pay hackers now that it had coverage, Young said: “I would talk to my team and decide that way.”



Frank Johnson, who was Baltimore’s chief information officer at the time of the attack, stepped down permanently from the role earlier this month after being placed on unpaid leave in September. Todd Carter, who was acting as interim CIO for the city, has now taken on the CIO position full time. 


Source: Infosecurity

CenturyLink Customer Data Exposed

Customer names, addresses, email addresses, and phone numbers were left open on a MongoDB server for 10 months, researchers report.
Source: DarkReading

Glitching: The Hardware Attack that can Disrupt Secure Software

Glitching (or fault-injection) attacks aren’t easy (yet). But get ready, because as the IoT grows, these attacks will be a big reason that hardware security should be part of your cybersecurity planning.
Source: DarkReading

SOC Puppet: Dark Reading Caption Contest Winners

Social engineering, SOC analysts, and Sock puns. And the winners are:
Source: DarkReading

CVE-2019-16919

The Harbor API has a broken access control vulnerability. It allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull permissions on a project they do not have access to or control over. The Harbor API did not enforce the proper project permissions and project scope on the API request that creates a new robot account.
Source: NIST

UK Government Announces Major New Cybersecurity Partnerships

The UK government has revealed it is working with chip-maker Arm on a £36m initiative to make more secure processors.



Although details are few and far between at this stage, the government claimed that the project could help to protect more UK businesses from remote cyber-attacks and breaches, while boosting new business opportunities and productivity.



According to the government’s own data, around 60% of mid-sized and 61% of large businesses in the UK have suffered a cyber-attack or breach over the past year.



The Arm tie-up is part of the government’s Digital Security by Design initiative, also backed by Microsoft and Google.



“Achieving truly robust security for a world of a trillion connected devices requires a radical shift in how technology companies approach cyber-threats. Research into new ways of building inherently more cyber-resilient chip platforms is critical,” explained Arm chief architect, Richard Grisenthwaite.



“Our first step is to create prototype hardware, the Morello Board, as a real-world test platform for prototype architecture developed by Arm that uses the University of Cambridge’s CHERI protection model. It will enable industry and academic partners to assess the security benefits of foundational new technologies we’re making significant investments in.”



Alongside this push, the government announced a further £18m through its Strategic Priorities Fund, designed to help tackle online fraud, privacy abuses and misinformation online.



The government also announced six new “prosperity partnerships” — a £40m project designed to bring public and private sector bodies together with academia to develop emerging technologies. On board so far are Jaguar Land Rover, Eli Lilly and Company, Toshiba Research Europe, Microsoft, M Squared Lasers, Siemens and Nikon.



The first partnership, announced today, is between Toshiba Research Europe, University of Bristol, GCHQ and Roke Manor Research and will aim to develop more resilient wireless networks to tackle financial extortion, terrorism and destructive attacks.



“Secure Wireless Agile Networks (SWAN) and the wider Prosperity Partnership initiatives bring together a cadre of engineers from industry, government and academia with invaluable commercial insights and in-depth technical skills capable of delivering holistic solutions for a productive, healthy, resilient and connected nation,” said professor Mark Beach of the University of Bristol.



“This UKRI scheme uniquely brings together partnerships who are ideally positioned to deliver technology for the wider benefits of society.”


Source: Infosecurity

New US Privacy Bill Would Intro Jail Time for CEOs

A US senator has introduced a new privacy bill which he claims goes further than the EU’s GDPR, introducing prison sentences for culpable CEOs.



Introduced by Ron Wyden, the Mind Your Own Business Act would create a national “Do Not Track” system enabling consumers to stop companies from tracking them online, selling or sharing their data, or targeting ads based on personal information.



Like the GDPR, it would issue maximum fines of up to 4% of annual revenue to non-compliant firms, but unlike the EU law, could also levy 10-20 year criminal sentences for executives who knowingly lie to the FTC.



“Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government,” Wyden said.



“I spent the past year listening to experts and strengthening the protections in my bill. It is based on three basic ideas: consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information.”



Other provisions in the bill include: the levying of new tax penalties on CEOs who lie about privacy protections; a requirement for firms to conduct privacy assessments on the algorithms that process consumer data; and the establishing of new privacy and cybersecurity standards.



However, it’s unlikely the legislation will become law. In the meantime, states are enacting their own privacy laws, with California leading the way.


Source: Infosecurity

CVE-2019-17513

An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
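As an added illustration of the missing check described above (a constructed Python model, not Ratpack or Netty code): a header serializer that writes values verbatim, beside a hardened version that rejects control characters before a header reaches the wire. The header names and sample values are constructed for the demonstration.

```python
import re

# Field values in HTTP/1.1 (RFC 7230) may not contain CR, LF or other
# control characters; an embedded CRLF lets untrusted data terminate the
# current header and start a new one, which is HTTP response splitting.
_CTL = re.compile(r"[\x00-\x1f\x7f]")
# Header names are limited to RFC 7230 "token" characters.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def serialize_unchecked(status, headers):
    """Vulnerable pattern: every header value is written as given, which is
    what happens when a headers object is built without validation."""
    lines = [f"HTTP/1.1 {status}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def validate_header(name, value):
    """Reject the header if its name is not a token or its value carries a
    control character. Raises ValueError; returns nothing otherwise."""
    if not _TOKEN.match(name):
        raise ValueError(f"illegal header name: {name!r}")
    if _CTL.search(value):
        raise ValueError(f"control character in value of header {name!r}")


def serialize_checked(status, headers):
    """Hardened pattern: validate each header first, then serialize."""
    for name, value in headers:
        validate_header(name, value)
    return serialize_unchecked(status, headers)


def count_header_lines(raw):
    """Number of header lines a receiver would parse from the head section
    (the part before the first blank line), excluding the status line."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1


if __name__ == "__main__":
    # Constructed untrusted value: a redirect target with an embedded CRLF.
    tainted = "/home\r\nX-Injected: yes"
    print(count_header_lines(serialize_unchecked(302, [("Location", tainted)])))
    try:
        serialize_checked(302, [("Location", tainted)])
    except ValueError as err:
        print("rejected:", err)
```

The unchecked serializer turns one Location header into two header lines; the checked one refuses the value outright.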
Source: NIST

CVE-2019-8223

Adobe Acrobat and Reader versions 2019.012.20040 and earlier, 2017.011.30148 and earlier, and 2015.006.30503 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution.
Source: NIST

CVE-2019-8224

Adobe Acrobat and Reader versions 2019.012.20040 and earlier, 2017.011.30148 and earlier, and 2015.006.30503 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution.
Source: NIST