
Sunday, September 25, 2016

Cybersecurity Vulnerability and Patch Report for the Week of September 25, 2016

CYBERSECURITY VULNERABILITY AND PATCH REPORT

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP

Important Security Updates

Apple iOS: Apple has released version 10.0.2 of its iOS to fix at least 1 vulnerability reported in previous versions. Updates are available through the device or through Apple’s website.
Apple macOS Server: Apple has released updates for macOS Server 5.2 for macOS Sierra v10.12 and later to fix at least 2 vulnerabilities, some of which are highly critical, reported in previous versions. Updates are available from Apple’s website.
Apple macOS Sierra: Apple has released updates for OS X to fix at least 65 vulnerabilities, some of which are highly critical, reported in previous versions. Update to macOS Sierra version 10.12. Updates are available from Apple’s website.
Apple Safari: Apple has released updates for Safari 10 for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12 to fix at least 21 highly critical vulnerabilities. Updates are available from Apple’s website.
Dropbox: Dropbox has released version 10.4.26 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
iCloud for Windows: Apple has released updates for iCloud for Windows 6.0. Updates are available from Apple’s website.
Mozilla Firefox: Mozilla has released 49.0. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 40.0.2308.54. Updates are available from within the browser or from Opera’s website.
Skype: Skype has released Skype 7.28.0.101. Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash 23.0.0.162
Adobe Reader DC 2015.017.20050
Dropbox 10.4.26 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]
Firefox 49.0 [Windows]
Google Chrome 53.0.2785.116
Internet Explorer 11.0.10240.16384
Java SE 8 Update 101 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Microsoft Edge 38.14393
QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]
Safari 9.1.3 [Mac OS X Mavericks, Yosemite, El Capitan]
Skype 7.28.0.101

For Your IT Department

Cisco Multiple Products: Cisco reports patched vulnerabilities in its Cisco APIC software, IOS and IOS XE Software, Prime Home, Cloud Services Platform 2100 version 2.0, Firepower Management Center and FireSIGHT System software. Apply updates. Cisco also reports an unpatched vulnerability in its Cisco Email Security Appliance. There is a workaround available. Cisco also reports an unpatched vulnerability in its Cisco IOS and IOS XE Software (Command Injection Vulnerability). There are no workarounds available. Additional details are available at Cisco’s website.
Novell Open Enterprise Server: Novell has released updates to fix multiple vulnerabilities in its Open Enterprise Server versions 11.2 and 2015 (OES 11 SP2 and OES 2015). For version 11.2 apply patches oes11sp2-apache2-mod_nss-10973, oes11sp2-java-1_6_0-ibm-10995 and oes11sp2-mysql-10999. For version 2015 apply patches oes2015-apache2-mod_nss-10974, oes2015-java-1_6_0-ibm-10996 and oes2015-mysql-11000. Additional details are available at Novell’s website.
OpenSSL: OpenSSL has released versions 1.0.1u, 1.0.2i and 1.1.0a to fix at least 14 vulnerabilities, some of which are highly critical, reported in previous versions. Updates are available at OpenSSL’s website.
TeamViewer: TeamViewer has released version 11.0.66595. Updates are available from TeamViewer’s website.
*******************
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2016 Citadel Information Group. All rights reserved.


Jeff Snyder, SecurityRecruiter.com | Jeff Snyder Coaching | Security Recruiter Blog, 719.686.8810



Cyber Security News of the Week, September 25, 2016


CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Individuals at Risk

Identity Theft

Yahoo Says Hackers Stole Data on 500 Million Users in 2014: SAN FRANCISCO — Yahoo announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network. The New York Times, September 22, 2016

Cyber Privacy

Free Tools to Keep Those Creepy Online Ads From Watching You: SAY you’re doing a web search on something like the flu. The next thing you know, an ad for a flu remedy pops up on your web browser, or your video streaming service starts playing a commercial for Tylenol. The New York Times, February 18, 2016

Cyber Warning

Hand-Delivered Hacking: Malicious USBs Left in Mailboxes: LONDON — Julien Ascoet was already suspicious when he pulled the plain white envelope from his mailbox this past July. The New York Times, September 22, 2016

Cyber Danger

iPhone Hackers Say Apple Weakened Backup Security With iOS 10: Professional iPhone hackers say that Apple has dropped the ball on password security with its latest iPhone operating system, making the task of cracking the logins for backups stored on a Mac or PC considerably easier. Forbes, September 23, 2016

Cyber Update

Firefox fixes hard to spot certificate pinning failure: A recently fixed security vulnerability that affected both the Firefox and Tor browsers had a highly unusual characteristic that caused it to threaten users only during temporary windows of time that could last anywhere from two days to more than a month. ars technica, September 21, 2016

Cyber Defense

How to Protect Yourself After the Yahoo Attack: Yahoo said on Thursday that hackers in 2014 stole the account information of at least 500 million users, including names, email addresses, telephone numbers, birth dates, passwords and, in some cases, security questions. The New York Times, September 23, 2016
2FA – One of the best things you can do to protect yourself from hackers: Two-factor authentication: Learn these words well and you’ll feel better when giant hacks splatter passwords and email addresses all over the dark web. Mashable, September 22, 2016

Information Security Management in the Organization

Information Security Governance

Three Recent Insider Crime Cases Spotlight Security Management Challenges: Three recent criminal cases involving hospital insiders who allegedly committed a variety of fraud, identity theft or egregious privacy violations that victimized patients highlight just how difficult it is to mitigate insider threats. Healthcare InfoSecurity, September 23, 2016
Yahoo’s Titanic Data Breach Highlights Risk to M&A: Yahoo alerted the world on Thursday to what may well be the largest known breach of user information amid an acquisition by Verizon, one of the biggest U.S. corporations. Fortune, September 23, 2016
Coping with increasingly sophisticated capabilities of cybercrime syndicates: Cyberspace has become a progressively attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks. The technical capabilities and reach of cybercriminals are now equal to those of many governments and organizations. In the next few years, these capabilities will extend far beyond those of their victims. As a result, the ability of current control mechanisms to protect organizations is likely to diminish, exposing them to greater impact. SecurityInfoWatch, September 22, 2016
7 Factors That Make Security Organizations More Effective: (ISC)2 members have plenty of technical chops, but IANS research found they need to focus more on how infosec aligns with the business. Dark Reading, September 22, 2016
Cybersecurity’s weakest link: humans: There is a common thread that connects the hack into the sluicegate controllers of the Bowman Avenue dam in Rye, New York; the breach that compromised 20 million federal employee records at the Office of Personnel Management; and the recent spate of “ransomware” attacks that in three months this year have already cost us over US$200 million: they were all due to successful “spearphishing” attacks. The Conversation, May 5, 2016

Cyber Update

Cisco plugs two Cloud Services Platform system compromise flaws: Cisco has patched two serious vulnerabilities in Cisco Cloud Services Platform 2100, both of which could allow a remote attacker to execute arbitrary code on a targeted system. HelpNetSecurity, September 22, 2016

Cyber Defense

Organizational strategies and personal tactics for defending your phone: Mobile devices are one of the weakest links in corporate security. Executives are wrestling with managing a proliferation of devices, protecting data, securing networks, and training employees to take security seriously. In our Tech Pro Research survey of chief information officers, technology executives, and IT employees, 45% of respondents saw mobile devices as the weak spot in their company’s defenses. (Employee data was cited by 37%, followed by wireless access of networks at 34% and bring-your-own-device efforts at 29%.) Harvard Business Review, September 22, 2016

Cyber Lawsuit

Vendor sued after investment fund client loses $6 million in BEC scam: A lawsuit filed on Friday by Tillage Commodities Fund alleges that SS&C Technology showed an egregious lack of diligence and care, when they fell for an email scam that ultimately led to hackers in China looting $5.9 million. Victim says fund administrator ignored internal policies and even assisted scammers by fixing errors. CSO, September 19, 2016

Cyber Law

Yahoo Could Face Legal Trouble Over Delay in Disclosing Hack: It’s been a day since Yahoo confirmed a massive data breach, and still there are more questions than answers. We still don’t know who carried out the hack that compromised more than 500 million accounts, or precisely what the hackers obtained. Fortune, September 23, 2016
Sixth Circuit Rules That Theft of PII from Insurance Company Results in Article III Standing: In its recent decision in Galaria v. Nationwide Mut. Ins. Co., No. 15-3386 (6th Cir. Sept. 12, 2016), a divided Sixth Circuit panel held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of data containing plaintiffs’ sensitive personal data, including dates of birth and Social Security numbers. In so ruling, the court became the latest to hold that hackers’ targeted theft of personal identifying information (“PII”), standing alone, creates a substantial risk of harm that is sufficient to satisfy the concrete injury requirement for standing under Article III of the United States Constitution. National Law Review, September 16, 2016

Cyber Security in Society

National Cyber Security

Cybersecurity is threatening America’s military supremacy: The sparsely populated Spratly Islands, a collection of hundreds of islands and reefs spread over roughly 165,000 square miles in the South China Sea, are very quickly becoming the center of one of the most contentious international disputes between world powers since the fall of the Soviet Union. TechCrunch, September 21, 2016

Cyber Attack

KrebsOnSecurity Hit With Record DDoS: On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed. Krebs on Security, September 21, 2016
DDoS Mitigation Firm Has History of Hijacks: Last week, KrebsOnSecurity detailed how BackConnect Inc. — a company that defends victims against large-scale distributed denial-of-service (DDoS) attacks — admitted to hijacking hundreds of Internet addresses from a European Internet service provider in order to glean information about attackers who were targeting BackConnect. According to an exhaustive analysis of historic Internet records, BackConnect appears to have a history of such “hacking back” activity. Krebs on Security, September 20, 2016

Cyber Politics

Homeland Security increases focus on cybersecurity at the polls: Department of Homeland Security officials may not expect malicious hackers to sway November’s election, but the agency is offering more protections to help states secure voting systems. Yahoo, September 23, 2016
Key lawmakers accuse Russia of campaign to disrupt U.S. election: Two senior Democratic lawmakers with access to classified intelligence on Thursday accused Russia of “making a serious and concerted effort to influence the U.S. election,” a charge that appeared aimed at putting pressure on the Obama administration to confront Moscow. The Washington Post, September 22, 2016
Powell leakers strike again with alleged White House staffer emails, Michelle Obama passport: The hacker website that leaked Colin Powell’s politically embarrassing emails struck again Thursday, this time releasing what appears to be the personal emails of a White House staffer working with Hillary Clinton’s campaign — and what purports to be an image of Michelle Obama’s passport. Politico, September 22, 2016

Financial Cyber Security

SWIFT Announces Fraud Pattern Detection Controls: To help financial institutions better spot attempted fraud, the SWIFT interbank messaging network plans to begin offering voluntary “daily validation reports” to customers in December. BankInfoSecurity, September 20, 2016

Critical Infrastructure

FAA Advisory Body Recommends Cybersecurity Measures: WASHINGTON—U.S. aviation authorities on Thursday took the strongest formal action yet to combat potential cyberthreats to planes in the air as well as on the ground. The Wall Street Journal, September 22, 2016

Internet of Things

Tesla Patches Cars Against Wi-Fi ‘Braking’ Attack: Electric car manufacturer Tesla has updated its firmware after researchers in China demonstrated how they could remotely turn on the windshield wipers, open the trunk and apply the brakes in brand-new Model S sedans. GovInfoSecurity, September 21, 2016
How A Few Words To Siri Unlocked A Man’s Front Door And Exposed A Major Security Flaw In Apple’s HomeKit: A month ago, Marcus, a 31-year-old man living in Springfield, Missouri, decided to go all in on the smart home. A diehard fan of the Apple ecosystem, he began outfitting his house with gadgets certified as “Works with Apple HomeKit,” Apple’s proprietary communication standard for controlling third-party smart home devices with iOS and its intelligent voice assistant, Siri. By the end of his shopping spree, he had 30 Philips Hue LED light bulbs, two Ecobee thermostats (along with eight temperature sensors situated throughout his house) and an August Smart Lock. He was also several thousand dollars poorer. Forbes, September 21, 2016

Secure the Village

RANSOMWARE VICTIMS URGED TO REPORT INFECTIONS TO FEDERAL LAW ENFORCEMENT: The FBI urges victims to report ransomware incidents to federal law enforcement to help us gain a more comprehensive view of the current threat and its impact on U.S. victims. FBI, September 15, 2016

Cyber Event

Secure Coding Class for the Web: The major cause of application insecurity is the lack of secure software development practices. This highly intensive and interactive course provides essential application security training for web application, webservice and mobile software developers and architects. The class features a combination of lecture, security testing demonstration and code review. Event Date: October 17-21
THIRD ANNUAL LOS ANGELES CYBER SECURITY SUMMIT 2016-SILICON BEACH: Cyber attacks on corporations, governmental agencies and individuals are becoming increasingly widespread and regular, as well as more complex. In honor of National Cyber Security Awareness Month, LMU is once again hosting The Third Annual Cybersecurity Summit that brings together government officials, private business executives and cybersecurity experts to discuss the current and emerging threats that exist in today’s sophisticated cyber environment, and the technological advancements being made to countermeasure and manage these risks. Event Date: October 22, 2016




Sunday, September 18, 2016

Cybersecurity Vulnerability and Patch Report for the Week of September 18, 2016


CYBERSECURITY VULNERABILITY AND PATCH REPORT

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP

Important Security Updates

Adobe Flash Player: Adobe has released version 23.0.0.162 to fix at least 26 vulnerabilities. Updates are available from Adobe’s website. Updates are also available for Adobe AIR.
Apple iOS: Apple has released version 10.0.1 of its iOS to fix at least 1 vulnerability reported in previous versions. Updates are available through the device or through Apple’s website.
Apple iTunes: Apple has released version 12.5.1 (64-bit and 32-bit) of iTunes. Updates are available from Apple’s website.
Apple OS X El Capitan: Apple has released updates for Xcode 8 on OS X El Capitan to fix at least 2 vulnerabilities, some of which are highly critical, reported in previous versions. Update Xcode 8 otool. Updates are available from Apple’s website.
Apple Watch OS: Apple has released OS 3 for its Apple Watch. Updates are available from the iPhone; open the Watch app and tap through My Watch > General > Software Update or from Apple’s website.
Dropbox: Dropbox has released version 10.4.25 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Google Chrome: Google has released Google Chrome version 53.0.2785.116. Updates are available from within the browser or from Google Chrome’s website.
Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 14 updates to address at least 50 vulnerabilities, some of which are highly critical, within Windows operating systems, Internet Explorer, Edge, Office, and other Microsoft products. Additional information is available at Microsoft’s website.
Piriform CCleaner: Piriform has released version 5.22.5724 for CCleaner. Updates are available from Piriform’s website.
ZoneAlarm Free: ZoneAlarm has released version 15.0.123.17051 of its free firewall. Updates are available from ZoneAlarm’s website.

Current Software Versions

Adobe Flash 23.0.0.162
Adobe Reader DC 2015.017.20050
Dropbox 10.4.25 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]
Firefox 48.0.2 [Windows]
Google Chrome 53.0.2785.116
Internet Explorer 11.0.10240.16384
Java SE 8 Update 101 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Microsoft Edge 38.14393
QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]
Safari 9.1.3 [Mac OS X Mavericks, Yosemite, El Capitan]
Skype 7.27.0.101

For Your IT Department

Cisco Multiple Products: Cisco reports patched vulnerabilities in its Cisco IOS and IOS XE Software, Fog Director for IOx, WebEx Meetings Server version 2.6, and IOS XR Software for NCS 6000 Series Devices. Apply updates. Cisco also reports unpatched vulnerabilities in its Cisco IOS XR for Carrier Routing System, Unified Computing System (UCS) Manager, UCS 6200 Series Fabric Interconnects, Web Security Appliance and Cisco IOS, IOS XE and IOS XR Software. There are no workarounds available. Additional details are available at Cisco’s website.
Novell Open Enterprise Server: Novell has released an update to fix multiple vulnerabilities in its Open Enterprise Server versions 11.2 and 2015 (OES 11 SP2 and OES 2015). For version 11.2 apply patch oes11sp2-java-1_7_0-ibm-10993. For version 2015 apply patch oes2015-java-1_7_0-ibm-10994. Additional details are available at Novell’s website.
VMware: VMware has released updates for its ESXi, Workstation, Fusion, and Tools. Apply updates. Additional details are available at VMware’s website.
*******************


Cyber Security News of the Week, September 18, 2016


CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Individuals at Risk

Identity Theft

Identity Theft: How To Protect Yourself Or Resolve It: Identity theft impacts more than 17 million consumers every year, and consumers over 50 can be particularly vulnerable. This year is on track to exceed the 780 data breaches of 2015, according to the Identity Theft Resource Center. But there are a few key ways to protect yourself from becoming an identity theft victim and taking action if your identity is stolen. Forbes, September 14, 2016

Cyber Privacy

Russian Hackers Get Bolder in Anti-Doping Agency Attack: NOT SO LONG ago, the world learned about Russian cyberespionage attacks only when embarrassed government officials admitted they’d discovered the hackers silently lurking in their systems. Today, the same intruders seem to announce themselves on Facebook, via Twitter, and even on their own website covered in bear-themed clip art and gifs. Wired, September 14, 2016
Simone Biles and Williams Sisters Latest Target of Russian Hackers: Russian hackers — possibly the same group that compromised the Democratic National Committee’s computer servers — have made top American athletes their latest target. The New York Times, September 14, 2016

Cyber Danger

Attack Leverages Windows Safe Mode Tools Used for Support: Researchers warn the Windows diagnostic feature Safe Mode can be used as a remote attack vector by hackers who already have access to a compromised PC or server. The method of attack is unusual, researchers said, and places attention on the diagnostic tool used to fix PC problems and remove security threats. ThreatPost, September 15, 2016
NEVERQUEST TROJAN GETS BIG SUMMER UPDATE: The once prolific banking Trojan Neverquest received a major code revamp over the summer and is now armed with modifications that can more adeptly hijack a victim’s PC, inject code into webpages and steal credentials. The update represents a significant enough change to the malware that researchers have dubbed the latest samples Neverquest2. ThreatPost, September 15, 2016

Information Security Management in the Organization

Information Security Governance

Kaspersky Lab Survey Shows Real Business Loss From Cyber-Attacks Now $861K Per Security Incident: On average, a single cybersecurity incident now costs large businesses $861,000, while small and medium businesses (SMB) end up paying $86,500. Most alarmingly, the cost of recovery significantly increases depending on the time of discovery. SMBs tend to pay 44 per cent more to recover from an attack discovered a week or more after the initial breach, compared to attacks spotted within one day. Enterprises pay a 27 per cent premium in the same circumstances. These are the main findings of Kaspersky Lab’s report “Measuring the Financial Impact of IT Security on Businesses” based on the 2016 Corporate IT Security Risks survey. InformationSecurityBuzz, September 15, 2016
Cybersecurity Is Every Executive’s Job: All companies connected to the internet are vulnerable to cyber attacks. And the potential losses are significant. Retail giant Target, for example, estimated its losses from a 2013 data breach at more than $250 million. What’s more, according to a recent survey conducted for BAE Systems of 300 managers in the financial services, insurance, and IT/tech industries in the U.S., 85% of respondents listed reputational damage as the most prominent result of a data breach, with 74% citing legal liability as the second largest concern. Harvard Business Review, September 13, 2016

Cyber Warning

MySQL vulnerability disclosed, status of patches uncertain: Oracle’s lack of response to security researchers raises more questions after a zero-day MySQL vulnerability was reported, though patches may have already been released. SearchSecurity, September 15, 2016
Ransomware Getting More Targeted, Expensive: I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his company had recently been infected with a particularly nasty strain that spread to several systems before the outbreak was quarantined. He said the folks in finance didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, my source confessed, the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it. KrebsOnSecurity, September 15, 2016
Secret Service Warns of ‘Periscope’ Skimmers: The U.S. Secret Service is warning banks and ATM owners about a new technological advance in cash machine skimming known as “periscope skimming,” which involves a specialized skimming probe that connects directly to the ATM’s internal circuit board to steal card data. KrebsOnSecurity, September 13, 2016
Thousands of Seagate NAS boxes host cryptocurrency mining malware: Thousands of publicly accessible FTP servers, including many from Seagate network-attached storage devices, are being used by criminals to host cryptocurrency mining malware. ComputerWorld, September 12, 2016

Cyber Defense

The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations: The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise. US-CERT, September 6, 2016

Cyber Update

CISCO PATCHES CRITICAL WEBEX MEETINGS SERVER VULNERABILITY: Cisco warned customers of 12 vulnerabilities across its product line this week, including a critical vulnerability in the software that powers its conferencing product, WebEx Meetings Server. ThreatPost, September 15, 2016
Adobe, Microsoft Push Critical Updates: Adobe and Microsoft on Tuesday each issued updates to fix multiple critical security vulnerabilities in their software. Adobe pushed a patch that addresses 29 security holes in its widely-used Flash Player browser plug-in. Microsoft released some 14 patch bundles to correct at least 50 flaws in Windows and associated software, including a zero-day bug in Internet Explorer. KrebsOnSecurity, September 14, 2016

Cyber Security in Society

Know Your Enemy

Cybercrime-as-a-Service Economy: Stronger Than Ever: Police estimate that just 100 to 200 people may be powering the “cybercrime-as-a-service” ecosystem by developing the attack code and services that enable criminals who lack technical acumen to pay for their cybercrime will to be accomplished. BankInfoSecurity, September 14, 2016

National Cyber Security

White House Said Mulling Legal Action Against Russian Hackers: The White House is trying to build a legal case against Russian hackers it believes are behind recent leaks aimed at disrupting the U.S. presidential election, while Congress is eyeing sanctions as a remedy, media reports say. RadioFreeEurope, September 16, 2016
Powell emails were leaked on a site linked to the Russian government: Donald Trump is “a national disgrace and an international pariah” who gave voice to a “racist” movement to question President Obama’s citizenship, former secretary of state Colin L. Powell tapped on his keyboard. The Washington Post, September 14, 2016
Hackers, Organizational Doxing, and Data Forgeries: In the past few years, the devastating effects of hackers breaking into an organization’s network, stealing confidential data, and publishing everything have been made clear. It happened to the Democratic National Committee, to Sony, to the National Security Agency, to the cyber-arms weapons manufacturer Hacking Team, to the online adultery site Ashley Madison, and to the Panamanian tax-evasion law firm Mossack Fonseca. The Atlantic, September 13, 2016

Cyber Vulnerability

Researcher Finds Critical Vulnerabilities in Hollywood Screener System: A prominent security researcher has discovered serious vulnerabilities in a system that allows awards voters to watch the latest movie screeners online. Chris Vickery, who previously gained access to the ‘World-Check’ terror, crime and sanctions database, informed TF of his discovery last month after an unsecured database was left open to the public. TorrentFreak, September 9, 2016

Cyber Politics

Sowing Doubt Is Seen as Prime Danger in Hacking Voting System: WASHINGTON — Russian hackers would not be able to change the outcome of the United States presidential election, the nation’s most senior intelligence and law enforcement officials have assured Congress and the White House in recent weeks. The New York Times, September 15, 2016
New batch of leaked Colin Powell e-mails lambasts Trump and Clinton: Add former US Secretary of State Colin Powell to the list of high-ranking Washington insiders whose leaked e-mails are rankling their peers with just weeks to go before the US presidential election. ars technica, September 14, 2016
New Documents Released From Hack of Democratic Party: A hacker who American intelligence officials believe has ties to the Russian government made public on Tuesday a second batch of documents suspected of having been stolen from the Democratic National Committee’s computer system, leaving the organization rushing to contain damage or embarrassment less than two months before the presidential election. The New York Times, September 14, 2016

Financial Cyber Security

New York plans cyber rules for banks, insurers to set a floor for cybersecurity standards: Because every major financial institution on the planet operates in New York, the state regulations will effectively form a global floor for cybersecurity standards. FedScoop, September 14, 2016
How EMV is fueling an e-commerce fraud frenzy: The rollout of EMV-enabled credit and debit cards is driving a sharp decline in brick-and-mortar transaction fraud. But now fraudsters have a different target: online retailers. RetailDive, September 14, 2016

HIPAA

OCR Announces Business Associate Audits Coming Soon: The Department of Health and Human Services is gearing up to kick off in October its first-ever round of HIPAA compliance audits of business associates. And the agency is also developing a variety of new guidance aimed at helping healthcare organizations deal with a surge in cyber threats. HealthCareInfoSecurity, September 15, 2016

Critical Infrastructure

Someone Is Learning How to Take Down the Internet: Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses. Schneier on Security, September 13, 2016

Internet of Things

Volkswagen is founding a new cybersecurity firm to prevent car hacking: As cars become more computerized, they’re also facing a greater risk of being hacked. That’s why Volkswagen is founding a new cyber security company devoted to protecting next-generation vehicles. PCWorld, September 14, 2016

Secure the Village

Uber, Dropbox, Other Tech Leaders Team Up To Boost Vendor Security: Tech companies – including Uber, Dropbox, Twitter, and Docker – have joined forces to create the Vendor Security Alliance, which aims to vet vendor security practices. DarkReading, September 16, 2016

Cyber Sunshine

Alleged vDOS Proprietors Arrested in Israel: Two young Israeli men alleged to be the co-owners of a popular online attack-for-hire service were reportedly arrested in Israel on Thursday. The pair were arrested around the same time that KrebsOnSecurity published a story naming them as the masterminds behind a service that can be hired to knock Web sites and Internet users offline with powerful blasts of junk data. KrebsOnSecurity, September 10, 2016

Cyber Event

Secure Coding Class for the Web: The major cause of application insecurity is the lack of secure software development practices. This highly intensive and interactive course provides essential application security training for web application, web service and mobile software developers and architects. The class features a combination of lecture, security testing demonstration and code review. Event Date: October 17-21
THIRD ANNUAL LOS ANGELES CYBER SECURITY SUMMIT 2016-SILICON BEACH: Cyber attacks on corporations, governmental agencies and individuals are becoming increasingly widespread and regular, as well as more complex. In honor of National Cyber Security Awareness Month, LMU is once again hosting The Third Annual Cybersecurity Summit that brings together government officials, private business executives and cybersecurity experts to discuss the current and emerging threats that exist in today’s sophisticated cyber environment, and the technological advancements being made to countermeasure and manage these risks. Event Date: October 22, 2016

Jeff Snyder’s SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810
