Risk Radar Free Cyber Security Newsletter – Jan. 19, 2016

A proposed bill in New York would force Apple to allow backdoor access to user data, or be fined
The title should say all smartphones, but what do you expect from 9to5Mac? The ignorance of what the state of New York is asking is breathtaking. Putting a “secure” backdoor on smartphone user data is no easy task; I say it is closer to impossible. One staff member agrees with Tim Cook: there should be no backdoor on smartphone user data. What do you think?
Sandworm Team and the Ukrainian Power Authority Attacks
As a huge Dune fan, I am not liking the Sandworm reference. iSIGHT Partners (with an update from SANS ICS) give a good breakdown of the SCADA attacks that took place in Ukraine by the Sandworm Team. SCADA attacks take place regularly, but you don’t often hear about them. Worse, many can’t really understand on a personal or tactical level what SCADA impacts, but it does affect things like power, water, and other critical infrastructure.
ShmooCon: LastPass design elements create perfect Phishing opportunity
ShmooCon has just finished up, and people will be recovering from the last day's festivities on Monday, to be sure. There was an interesting attack against LastPass shown at ShmooCon by Sean Cassidy of Praesidio. It is a phishing attack that fools the user into re-entering their login credentials. It even tries to subvert two-factor authentication if the user has it enabled. LastPass has worked with Praesidio to minimize the issue, but LastPass says it is not a vulnerability in LastPass. Cassidy thinks LastPass needs to do more to fix the problem. He has released LostPass, a tool that demonstrates the attack.
OpenSSH 7.1p2 released with security fix for CVE-2016-0777
The good thing is this bug is not as bad as the 2014 Heartbleed vulnerability. This bug has some similarities to Heartbleed, but this one needs a vulnerable end user to connect to a maliciously configured server. If you use an OpenSSH client, I would update ASAP.
Ransomware a Threat to Cloud Services, Too
Cloud storage is so convenient and easy to use. Brian Krebs covers a company’s dealings with a ransomware attack that locked up all their cloud data. The steps the company took to recover from the attack are interesting. Any person or company that has data they value should have a plan to minimize the impact of a ransomware attack and to recover if the attack happens.
Security firm sued for filing “woefully inadequate” forensics report
This is an interesting situation for InfoSec companies to think about. You have one InfoSec company assessing that the first InfoSec company to work on the data breach did subpar work. Apparently, the data breach was still active while the first InfoSec company was working on it. The company that suffered the data breach has sued the first InfoSec company.