Sunday, May 17, 2015

Cyber Security News and Education for the Week of May 17, 2015





ISSA-LA 7th Annual Information Security Summit

ISSA-LA Seventh Annual Information Security Summit at the Los Angeles Convention Center.
The Summit on June 4, 2015.
  • Keynotes from Bruce Schneier and Dave Kennedy
  • Summit Tracks include Security Management. AppSec. Digital Forensics. Emerging Issues and Technology.
  • Special Forums: The Executive Forum for Board, C-Suite and Trusted Advisors. Healthcare Privacy and Security Forum. CISO Executive Forum.
Summit Training on June 5, 2015.
  • IT Security Management Bootcamp for IT Professionals with Ed Pagett and Mikhael Felker
  • Secure Coding Boot Camp with Jim Manico
  • Build Your Own Cyber Range with Kevin Cardwell

Cyber Crime

Hackers steal money from Starbucks mobile customers using linked credit cards: The 16 million Starbucks customers who use the company’s mobile payment service may want to strengthen their log-in credentials and reconsider using the auto-load feature. GeekWire, May 11, 2015
Hackers infiltrated security contractor using third-party flaw: Hackers used flaws in a third-party software program to gain access to U.S. Investigations Services (USIS), the government’s main security clearance contractor. The Hill, May 11, 2015

Cyber Privacy

House Votes to End N.S.A.’s Bulk Phone Data Collection: WASHINGTON — The House on Wednesday overwhelmingly approved legislation to end the federal government’s bulk collection of phone records, exerting enormous pressure on Senator Mitch McConnell of Kentucky, the Senate majority leader, who insists that dragnet sweeps continue in defiance of many of those in his Republican Party. The New York Times, May 13, 2015
How hackers built software to steal naked photos from hundreds of women automatically: Two men in the US are facing up to 15 years in federal prison in connection to the development of a piece of software that was able to automatically hack into the private online photo albums of women and steal their naked photos. BusinessInsider, May 13, 2015
Google admits Hangouts doesn’t use end-to-end encryption, conversations can be wiretapped: Following a Reddit AMA on government surveillance, Google has admitted that while it does encrypt Hangouts conversations, it does not use end-to-end encryption, meaning the company itself can tap into those sessions when it receives a government court order requiring it to do so. This contrasts with the end-to-end encryption used by some services, like Apple’s FaceTime, which cannot be tapped even by the company offering the service. 9to5Google, May 12, 2015
Digital Me: The Right to Privacy vs. the Public Good: What is the right balance between privacy and security? Should tech companies be required to unlock data? And does the “right to be forgotten” amount to censorship? Video recording of Panel Discussion at The Milken Institute Global Conference 2015 with Citadel’s Dr. Stan Stahl in his role as Chief Information Security Officer,; Susan Herman, President, American Civil Liberties Union; Michelle Finneran Dennedy, Vice President and Chief Privacy Officer, Intel Security; Susan Graham, Pehong Chen Distinguished Professor of Electrical Engineering and Computer Science Emerita, University of California, Berkeley; Dennis Kneale, Moderator. Milken Institute, April 29, 2015

Cyber Attack:

Chinese hackers hid malware attack controls in Microsoft TechNet comments:  Microsoft has taken steps to stop a China-based hacking group from using its TechNet website as part of its attack infrastructure, according to security vendor FireEye. The group, which FireEye calls APT (advanced persistent threat) 17, is well-known for attacks against defense contractors, law firms, U.S. government agencies and technology and mining companies. PC World, May 15, 2015

Financial Cyber Security

Thieves Stole Her Money, but Not Her Debit Card: The Haggler fears debit cards. They have a direct line to your bank account, which means that a fraudster could drain your savings in a busy afternoon. You would find out only after you visited an A.T.M. and it snickered when you tried to withdraw $20. The New York Times, May 9, 2015

Cyber Warning

A few ‘GTA V’ mods are installing malware on PCs: While you’ve been busy enjoying guns that fire cars, piloting flying saucers or swimming ’round a flooded Los Santos thanks to mods for the PC version of GTA V something darker’s lurked beneath the surface. GTAForums user aboutseven noticed that a C# compiler was running in the background on his or her computer and traced it back to a file dubbed “Fade.exe.” Upon further inspection she or he spotted that it was using internet access. Turns out it was a keylogger. Process of elimination deduced that “Noclip,” which allows you to examine the insides of objects freely, and “Angry Planes,” which spawns incredibly, well, angry, planes that attack you with kamikaze-like fury, were the culprits behind the malware infection.  Engadget, May 15, 2015
Knock, Knock: New Ransomware Breaks In for Bitcoins: Last week, two new ransomware threats surfaced. SC Magazine reported that one was found by security firm Symantec and the other by a security researcher from cloud services provider Rackspace. Both leverage the same basic idea: Encrypt user data and then demand money to unlock the files without damage. Security Intelligence, May 14, 2015
Security Vulnerability Discovered In Millions Of Business Computer Systems — Here’s What You Need To Know: This morning a computer security researcher revealed his discovery of a new, severe software vulnerability that potentially impacts millions of businesses; business owners and IT departments need to be aware of the relevant issue and take action to protect themselves. Forbes, May 13, 2015
Tinba Malware Watches Mouse Movements, Screen Activity to Avoid Sandbox Detection: IT security programs would probably be much worse than they are without sandboxes, which isolate programs to prevent them from being infected by hackers. A recent analysis of the Tinba malware, however, indicated that cybercriminals are getting better at monitoring users’ every movement to evade sandboxes entirely. Security Intelligence, May 13, 2015
Stealthy Linux GPU malware can also hide in Windows PCs, maybe Macs: A team of anonymous developers who recently created a Linux rootkit that runs on graphics cards has released a new proof-of-concept malware program that does the same on Windows. A Mac OS X implementation is also in the works. PCWorld, May 11, 2015

Cyber Security Management

Sony Hack Aftermath: How Hollywood Is Getting Tough on Cybersecurity: The cyber-attack that crippled Sony Pictures Entertainment may have occurred way back in December, but the reverberations are still being felt across the entertainment industry. A new normal is setting in according to panelists assembled Thursday in Los Angeles at the Hollywood IT Summit. Citadel’s Doctor Stan Stahl moderated the panel that included Jonathan Chow, Chief Security Officer, Live Nation Entertainment; Bryan Ellenburg, Security Consultant, Content Delivery & Security Association (CDSA); Sean Flynn, Chief Technology Officer, Marvel Studios and Sean Cordero of the Cloud Security AllinaceVariety, May 14, 2015
A message from Penn State President Barron on cybersecurity: Today (May 15), University leadership announced that our College of Engineering has been the target of two highly sophisticated cyberattacks. In a coordinated and deliberate response by Penn State, the college’s computer network has been disconnected from the Internet and a large-scale operation to securely recover all systems is underway. Our experts expect the network to be back up and running in several days. Penn State News, May 15, 2015

Cyber Security Management – Cyber Update

Firefox 38 Fixes 13 Flaws, Ships With DRM Support: Mozilla has fixed 13 security flaws in Firefox 38, including five critical vulnerabilities. The new version of the browser also includes a feature that enables the use of DRM-enabled video content in Firefox, a decision that comes with some controversy. ThreatPost, May 14, 2015
Adobe, Microsoft Push Critical Security Fixes: Microsoft today issued 13 patch bundles to fix roughly four dozen security vulnerabilities in Windows and associated software. Separately, Adobe pushed updates to fix a slew of critical flaws in its Flash Player and Adobe Air software, as well as patches to fix holes in Adobe Reader and Acrobat. KrebsOnSecurity, May 12, 2015

Securing the Village

More than 1,000 companies join IBM in the battle against cybercrime: Last month IBM launched its X-Force Exchange opening up access to threat intelligence data to help in the fight against cybercrime. With 80 percent of cyber attacks now coming from organized gangs it’s important that the good guys get organized too. IBM has announced today that more than 1,000 organizations across 16 industries are participating in the new threat intelligence community. Betanews, May 15, 2015
ISSA-LA Holds 7th Annual Cybercrime Information Security Summit: The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) will hold its Seventh Annual Information Security Summiton June 4 – 5, 2015 at the Los Angeles Convention Center. The Summit theme, The Growing Cyber Threat: Protect Your Business, reflects the reality that cybercrime impacts the financial health of all our organizations: businesses, government agencies, healthcare, schools, nonprofits, and others. The Summit will highlight emerging solutions to the challenges of cybercrime. DarkReading, April 21, 2015

National Cyber Security

Cybersecurity is a team sport: The United States Department of Defense released a new cyber strategy on April 23, revealing how the US views cybersecurity in the post-Snowden era. One trend is immediately clear: The strategic use of cyberspace to pursue political goals and seek geostrategic advantage is rapidly increasing in today’s world.
It is high time for Europe to emulate the US’s new cyber strategy. Politico, May 14, 2015
An Obama Plan to Stop Foreign Hackers Has Mixed Results: Two years ago, the Obama administration announced a new strategy to curb online espionage. The New York Times, May 10, 2015

Critical Infrastructure

What if a Cybersecurity Attack Shut Down Our Ports?: It’s easy to forget when you’re on dry land that 90 percent of the world’s goods are shipped on boats. While we worry about the cybersecurity of power grids and nuclear missile silos, most of us have never thought about whether the container ships and ports that bring us our clothes, electronics, food—everything—are secured against digital threats. Slate, May 11, 2015

Cyber Underworld

Owner of Anonymous Hackers-for-Hire Site Steps Forward: He calls himself an ethical hacker who helps companies and individuals fight back against the bad guys operating online. Over the years, Charles Tendell also has emerged as a commentator in the news media about the threat posed by overseas hackers and is a former co-host of an online radio show about security. The New York Times, May 12, 2015
9 things you can hire a hacker to do and how much it will (generally) cost: The underbelly of the web is vast and scary. Knowing the right search terms can lead down a rabbit hole of illicit offerings. BusinessInsider, May 8, 2015

Cyber Survey

CPAs select security as top technology priority: Securing the information technology environment once again ranks as the top technology priority for U.S. CPAs. Journal of Accounting, April 16, 2015

Cyber Misc

Who’s Scanning Your Network? (A: Everyone): Not long ago I heard from a reader who wanted advice on how to stop someone from scanning his home network, or at least recommendations about to whom he should report the person doing the scanning. I couldn’t believe that people actually still cared about scanning, and I told him as much: These days there are countless entities — some benign and research-oriented, and some less benign — that are continuously mapping and cataloging virtually every device that’s put online. KrebsOnSecurity, May 10, 2015's Security Recruiter Blog