Sunday, May 24, 2015

Cyber Security News and Education for the Week of May 24, 2015

ISSA-LA 7th Annual Information Security Summit

ISSA-LA Seventh Annual Information Security Summit at the Los Angeles Convention Center.
The Summit is on June 4, 2015.
  • Keynotes from Bruce Schneier and Dave Kennedy
  • Summit Tracks include Security Management, AppSec, Digital Forensics, and Emerging Issues and Technology.
  • Special Forums: The Executive Forum for Board, C-Suite and Trusted Advisors; Healthcare Privacy and Security Forum; CISO Executive Forum.
Summit Training on June 5, 2015.
  • IT Security Management Bootcamp for IT Professionals with Ed Pagett and Mikhael Felker
  • Secure Coding Boot Camp with Jim Manico
  • Build Your Own Cyber Range with Kevin Cardwell

Cyber Crime

Cybercrime Cost Americans more than $800,000,000 Last Year: The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) tallied 269,422 complaints in 2014, totaling $800,492,073 in losses, according to a new report. The center has received 3,175,611 complaints since its establishment in May 2000. Newsweek, May 21, 2015

Cyber Attack

St. Louis Federal Reserve Suffers DNS Breach: The St. Louis Federal Reserve today sent a message to those it serves alerting them that in late April 2015 attackers succeeded in hijacking the domain name servers for the institution. The attack redirected Web searches and queries for those seeking a variety of domains run by the government entity to a Web page set up by the attackers in an apparent bid by cybercrooks to hijack online communications of banks and other entities dealing with the regional Fed office. Krebs On Security, May 18, 2015

Identity Theft

CareFirst BlueCross Breach Hits 1.1M: CareFirst BlueCross BlueShield on Wednesday said it had been hit with a data breach that compromised the personal information of approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as in the breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans. Krebs On Security, May 21, 2015

Cyber Privacy

mSpy Denies Breach, Even as Customers Confirm It: Last week, KrebsOnSecurity broke the news that sensitive data apparently stolen from hundreds of thousands of customers of mobile spyware maker mSpy had been posted online. mSpy has since been quoted twice by other publications denying a breach of its systems. Meanwhile, this blog has since contacted multiple people whose data was published to the deep Web, all of whom confirmed they were active or former mSpy customers. Krebs On Security, May 20, 2015
Dating site hackers expose details of millions of users: Personal information relating to almost four million users of a worldwide online dating website has been leaked by hackers, according to Channel 4 News. Details of users’ sexual preferences – including whether they are gay or straight, and whether they are seeking extramarital affairs – have been compromised, along with email addresses, usernames, dates of birth, postcodes and the unique internet addresses of users’ computers. The Guardian, May 21, 2015
Tech Giants Urge Obama to Reject Policies That Weaken Encryption: SAN FRANCISCO — A collection of tech industry giants like Facebook, Google, Apple and Microsoft, as well as civil liberties organizations and Internet security experts, sent a letter to President Obama on Tuesday warning of the unintended consequences of any policy meant to weaken the encryption technologies that protect Internet communications. New York Times, May 19, 2015
Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked: mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked. Last week, a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy “users.” Krebs On Security, May 14, 2015

Cyber Threats and Warnings

New Logjam Attack on Diffie-Hellman Threatens Security of Browsers, VPNs: Researchers have uncovered a flaw in the way that some servers handle the Diffie-Hellman key exchange, a downgrade bug that is somewhat similar to the FREAK attack and threatens the security of many Web and mail servers. The bug affects all of the major browsers and any server that still supports export-grade 512-bit Diffie-Hellman cryptography. Threat Post, May 20, 2015
Fake PayPal payment reversal notification leads to phishing: PayPal phishing attempts take many forms, and one of the most often used techniques is fake emails containing a warning and a prompt to act quickly. Help Net Security, May 19, 2015
“Failure in Parcel Delivery” Fake Email Drops Malware on USPS Customers’ PCs: Please note that the email that appears to be sent by USPS, informing the recipient that the firm has failed to deliver a parcel due to an incorrect address, is actually a malicious message. If you click on the “Shipping Label” web link present in that email, it will immediately download and install malware on your PC. HackRead, May 19, 2015
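The Logjam item above is a downgrade rather than a break in Diffie-Hellman itself: in TLS the server signs the client and server nonces plus the DH parameters in ServerKeyExchange, but not the cipher suite it chose, so a man-in-the-middle can make the server pick DHE_EXPORT (a 512-bit group) while the client believes it negotiated ordinary DHE. The following Python model is an added illustration of that gap and of the two fixes the item implies; it is not code from the original roundup or from the Logjam researchers. Everything in it is constructed: toy primes (a 64-bit prime standing in for a 2048-bit group, a 10-bit prime standing in for the 512-bit export group), an HMAC standing in for the server's RSA signature, suite names loosely modelled on TLS, and a brute-force discrete log in place of the researchers' precomputation.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH groups (NOT real TLS groups). The "AES" suite's prime
# stands in for a 2048-bit group, the export suite's prime for the 512-bit
# group Logjam breaks. Both are far too small for real use.
GROUPS = {
    "DHE_RSA_AES128_SHA": (0xFFFFFFFFFFFFFFC5, 5),  # 64-bit prime (2**64 - 59)
    "DHE_RSA_EXPORT":     (1019, 2),                # 10-bit prime, 2 generates Z_1019*
}
SERVER_KEY = b"stand-in for the server's RSA signing key"


def _ske_transcript(client_random, server_random, p, g, ys):
    # What the ServerKeyExchange signature covers: both nonces and the DH
    # parameters. The negotiated cipher suite is NOT included; that is the
    # gap the downgrade exploits.
    return (client_random + server_random
            + p.to_bytes(32, "big") + g.to_bytes(1, "big") + ys.to_bytes(32, "big"))


def server_hello(offered_suites, client_random, export_enabled=True):
    """Server picks the first offered suite it supports and signs its DH share.
    Returns None if it supports none of them (the server-side fix: disable
    export suites entirely)."""
    supported = {k: v for k, v in GROUPS.items() if export_enabled or "EXPORT" not in k}
    suite = next((s for s in offered_suites if s in supported), None)
    if suite is None:
        return None
    p, g = supported[suite]
    server_random = secrets.token_bytes(32)
    x = secrets.randbelow(p - 2) + 1
    ys = pow(g, x, p)
    sig = hmac.new(SERVER_KEY, _ske_transcript(client_random, server_random, p, g, ys),
                   hashlib.sha256).digest()
    return {"suite": suite, "server_random": server_random,
            "p": p, "g": g, "ys": ys, "sig": sig}


def client_finish(offered_suites, hello, client_random, min_dh_bits):
    """Client-side checks, then the premaster secret g^(xy) mod p.
    Returns (client_share, premaster)."""
    expected = hmac.new(SERVER_KEY,
                        _ske_transcript(client_random, hello["server_random"],
                                        hello["p"], hello["g"], hello["ys"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, hello["sig"]):
        raise ValueError("ServerKeyExchange signature invalid")
    if hello["suite"] not in offered_suites:
        raise ValueError("server chose a suite we did not offer")
    # The client-side fix: judge the group by its size, not by the suite name
    # the (possibly forged) ServerHello carries. Browsers patched for Logjam
    # reject groups below 1024 bits; here 64 plays that role.
    if hello["p"].bit_length() < min_dh_bits:
        raise ValueError(f"DH prime is only {hello['p'].bit_length()} bits")
    y = secrets.randbelow(hello["p"] - 2) + 1
    return pow(hello["g"], y, hello["p"]), pow(hello["ys"], y, hello["p"])


def mitm_handshake(offered_suites, client_random, server_export_enabled=True):
    """Attacker rewrites ClientHello to offer only DHE_EXPORT, then relabels
    the ServerHello with the suite the client asked for. The signature over
    the weak parameters still verifies because it never covered the suite."""
    hello = server_hello(["DHE_RSA_EXPORT"], client_random, server_export_enabled)
    if hello is None:
        return None
    return dict(hello, suite=offered_suites[0])


def brute_force_dlog(p, g, target):
    """Attacker's discrete log. Real Logjam relies on precomputation for the
    512-bit group and must finish before the Finished messages; in this toy
    group a loop is enough."""
    for x in range(1, p):
        if pow(g, x, p) == target:
            return x
    return None


def run_handshake(client_min_dh_bits, server_export_enabled=True):
    """Plays one downgraded handshake and reports how it ended."""
    offered = ["DHE_RSA_AES128_SHA"]          # client never asked for export crypto
    client_random = secrets.token_bytes(32)
    hello = mitm_handshake(offered, client_random, server_export_enabled)
    if hello is None:
        return "server_refused_export"
    try:
        yc, premaster = client_finish(offered, hello, client_random, client_min_dh_bits)
    except ValueError:
        return "client_rejected_small_group"
    # Attacker solves for the server's exponent and derives the same secret.
    x = brute_force_dlog(hello["p"], hello["g"], hello["ys"])
    return "downgraded" if pow(yc, x, hello["p"]) == premaster else "attack_failed"


if __name__ == "__main__":
    print("unpatched client, export-enabled server:", run_handshake(client_min_dh_bits=1))
    print("patched client (minimum group size):   ", run_handshake(client_min_dh_bits=64))
    print("server with export suites disabled:    ", run_handshake(1, server_export_enabled=False))
```

The first run ends in "downgraded": the client verified a genuine signature, saw the suite it offered, and still derived a secret the attacker can recover. Either fix alone stops the model, which matches the practical advice for the real attack: servers drop export cipher suites and move to 2048-bit groups, and clients refuse any DH prime under 1024 bits regardless of what the ServerHello claims.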

Cyber Security Management

Hiring contractors? 5 areas to check information security practices: Do you know how well your vendors, business associates and contracted third parties (who I will collectively call “contractors”) are protecting the information with which you’ve entrusted them to perform some sort of business activity? You need to know. Dell Power More, May 20, 2015
GCs’ Ability to Mitigate Cybersecurity Risks Remains Top Concern: Managing cybersecurity remains the biggest challenge for most general counsel, according to a new report. It surveyed 200 CEOs, board chairs and directors of NYSE-listed companies who consistently pointed to cybersecurity as the area where general counsel and law departments most need to improve. “Directors believe general counsel would most benefit from additional expertise in the areas of cybersecurity, social media, and crisis management,” the report found. Bloomberg BNA, May 19, 2015
HITS Panel Talks Sony Hack, Cyber Security (CDSA): CENTURY CITY, Calif. — When Sony Pictures was hit with one of the worst cyber attacks in Hollywood history in late November, hackers stole mountains of employee data, leaked high-quality versions of five Sony Pictures films and threatened violence if the studio allowed the comedy “The Interview” to be released as scheduled on Christmas Day. It also put the rest of the industry on notice, and had them asking the question: could it happen to us too? [Dr. Stahl moderated this panel.] Content Delivery & Security Association, May 18, 2015
SANS Survey- Organizations Vulnerable to Exposure Through Unmanaged Mobile Workspaces: Last week, a study conducted by SANS and sponsored by IronKey was released. The study surveyed 330 IT and security professionals, and was conducted between January 2015 and April 2015. “The goal of the survey was to better understand the challenges of securing today’s mobile workforce and managing mobile workspaces,” the press release stated. Surf Watch, May 18, 2015
Taking A Security Program From Zero To Hero: Breaking the enigma of InfoSec into smaller bites is a proven method for building up an organization’s security capabilities. Here are six steps to get you started. Dark Reading, May 13, 2015

Cyber Security Management – Cyber Defense

Five precautions for avoiding malware when you download and install software: Roger Mccullough downloaded three separate programs, and Panda Anti-virus Pro found malware in all of them. Downloading a program—especially one from an obscure publisher without a positive reputation—is something of a leap of faith. It’s a bit like letting a total stranger into your home. But if you follow these five steps, you should be okay. PC World, May 21, 2015
How to prevent mobile malware in 3 easy steps: Looking only at the data provided by security firms, the world appears on the verge of a mobile malware apocalypse. The number of samples—which represent unique, but mostly automatically generated variants of malicious programs—exceeded 5 million in the third quarter of 2014, according to security firm McAfee. Using a different counting method, security firm Symantec classified a similar magnitude—1 million of the 6.3 million mobile apps it discovered—as malware in 2014. PC World, May 20, 2015

Securing the Village

Should hackers be tolerated to test public systems?: The purported veering of a jetliner caused by an onboard hacker points up a larger problem, experts say – airlines and other providers of services may be blind to the value such security researchers can offer in the name of public safety. While it’s far from clear that security researcher Chris Roberts actually did commandeer the avionics system of an airplane and force it to steer to one side, the story is prompting other security experts to call for better cooperation between white-hat hackers and industries whose infrastructures they probe. Network World, May 19, 2015
IACP Launches the Law Enforcement Cyber Center: Alexandria, VA – On May 18, 2015, the International Association of Chiefs of Police (IACP) officially launched the Law Enforcement Cyber Center at the 39th Annual Law Enforcement Information Management (LEIM) Conference in San Diego, California. Cyber crime is a global threat to the economic and physical security of all nations. Law enforcement organizations must be prepared to recognize and investigate these crimes. “Combating cyber crime is one of my top priorities as President, and I am proud that the launch of this Center is happening during my term,” said Chief Richard Beary, University of Central Florida, Orlando, Florida and IACP President. International Association of Chiefs of Police, May 18, 2015
ISSA-LA to hold premier Los Angeles information security event – Help Net Security: ISSA’s Seventh Annual Information Security Summit offers educational sessions presented by a world-class line up of keynote and featured presenters. This year’s Summit and training classes, which will take place June 4-5, 2015 at the Los Angeles Convention Center, will feature cutting-edge sessions, a wide variety of tracks, and more. Attendees will be provided with the opportunity to engage in thought provoking discussions, hear from industry leaders, have peer-to-peer conversations and network with some of the most interesting and influential people in the industry. Help Net Security, May 18, 2015
ISSA-LA Welcomes CEOWORLD as Media Diamond Sponsor of 7th Annual Information Security Summit: LOS ANGELES, CA–(Marketwired – May 14, 2015) – The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) is pleased to announce CEOWORLD Magazine as Media Diamond Sponsor of the Seventh Annual Information Security Summit on June 4 – 5, 2015 at the Los Angeles Convention Center. The Summit theme, The Growing Cyber Threat: Protect Your Business, reflects the reality that cybercrime impacts the financial health of all our organizations: businesses, government agencies, healthcare, schools, nonprofits, and others. CEOWORLD Magazine, May 14, 2015

National Cyber Security

New NSA documents reveal plans to deliver malware through the Google Play store: The NSA developed a plan to deliver malware through Google and Samsung app stores, according to newly published documents obtained by Edward Snowden and published by The Intercept. The documents detail a program called IRRITANT HORN, which delivers malware by intercepting web traffic to and from mobile application servers. One slide details Samsung’s update protocol, while another pinpoints the Google Play servers in France, used to deliver updates to phones throughout northern Africa. The Verge, May 21, 2015

Cyber Misc

Security Firm Redefines APT: African Phishing Threat: A security firm made headlines earlier this month when it boasted it had thwarted plans by organized Russian cyber criminals to launch an attack against multiple US-based banks. But a closer look at the details behind that report suggests the actors in question were relatively unsophisticated Nigerian phishers who’d simply registered a bunch of new fake bank Web sites. Krebs On Security, May 20, 2015
House Oversight Committee releases report on cybersecurity firm Tiversa: The Illinois-based nonprofit HIV/AIDS clinic Open Door Clinic has been around since 1977, but the last few years have been pretty rough. In 2008, the clinic received a call from a cybersecurity firm called Tiversa informing Open Door that some of its files had been leaked online. Business Insider, May 19, 2015
United Airlines Will Reward Hackers With Up To A Million Frequent Flyer Miles: You don’t have to be a frequent flier to become a million-miler these days, at least on United Airlines. The aviation giant announced a new “bug bounty program” that will reward hackers who find vulnerabilities in its systems. Depending on the severity, tech-savvy bounty hunters will be rewarded with 50,000, 250,000 or 1 million MileagePlus reward miles. Huffington Post, May 16, 2015