Monday, June 22, 2015

Cyber Security News and Education for the Week of June 21, 2015





Cyber Attack

Attackers Stole Certificate From Foxconn to Hack Kaspersky With Duqu 2.0: THE NATION-STATE MALWARE used to hack the Russian security firm Kaspersky Lab, as well as hotels associated with Iranian nuclear negotiations, used a digital certificate stolen from one of the world’s top electronics makers: Foxconn. Wired, June 15, 2015

Identity Theft

OPM’s Database for Sale? Nope, It Came from Another US .Gov: A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne’er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency —, also known as Federal Prison Industries. KrebsOnSecurity, June 18, 2015
Officials: Chinese had access to U.S. security clearance data for one year: The recently disclosed breach of the Office of Personnel Management’s security-clearance computer system took place a year ago, giving Chinese government intruders access to sensitive data for a year, according to new information. WashingtonPost, June 18, 2015
Catching Up on the OPM Breach: I heard from many readers last week who were curious why I had not weighed in on the massive (and apparently still unfolding) data breach at the U.S. Office of Personnel Management (OPM). Turns out, the easiest way for a reporter to make sure everything hits the fan from a cybersecurity perspective is to take a two week vacation to the other end of the world. What follows is a timeline that helped me get my head on straight about the events that preceded this breach, followed by some analysis and links to other perspectives on the matter. KrebsOnSecurity, June 15, 2015
Stan Stahl discusses OPM breach & talks prevention on Sunday Morning Newsmakers: Featuring Dr Stahl — Stan Stahl, President and CEO of Citadel Information Systems – Stahl says the recent announcement of the hacking of personnel records at the Federal Office Personnel Management raises troubling questions. Larry Marino, Sunday Morning Newsmakers, AM870, June 14, 2015

Cyber Privacy

WikiLeaks Unloads Second Batch Of Sony Files Into Its Database: It seems like Sony just can’t catch a break. On Thursday, WikiLeaks added 276,394 more private documents, emails and financial files, leaked from the embattled tech and media giant, into its database. TechCrunch, June 19, 2015
Major Carriers AT&T, Verizon Continue to Lag in EFF Privacy Report: While many companies have made strides when it comes to how they handle transparency and government requests post-Snowden, major telecoms such as AT&T and Verizon continue to lag behind. ThreatPost, June 18, 2015

Financial Cyber Security

Phone Scams Rise 30% as Bank Fraud Goes Low-Tech: Asking people in different corners of banking about the most important trends in fraud is like discussing an elephant with the eight blind men in the famous parable. They concentrate on the most immediate threats, but none has the full picture. AmericanBanker, June 17, 2015

Cyber Warning

Serious OS X and iOS flaws let hackers steal keychain, 1Password contents: Late Friday afternoon, Apple officials released the following statement: “Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store. We have additional fixes in progress and are working with the researchers to investigate the claims in their paper.” ars technica, June 19, 2015
600 million Samsung Galaxy phones exposed to hackers: Every Samsung Galaxy device — from the S3 to the latest S6 — has a significant flaw that lets in hackers, researchers have discovered. CNN, June 17, 2015
Password Manager LastPass Warns of Breach: LastPass, a company that offers users a way to centrally manage all of their passwords online with a single master password, disclosed Monday that intruders had broken into its databases and made off with user email addresses and password reminders, among other data. KrebsOnSecurity, June 16, 2015
LastPass Password Manager Acknowledges Breach: LastPass, the online password manager, announced Monday in a blog post that its network was breached and that hackers made off with user email addresses, password reminders and encrypted master passwords. The New York Times, June 15, 2015

Cyber Security Management

Cybersecurity Industry Blame Game at RSA Conference: Contrary to tradeshow presentations, the industry has not failed cybersecurity professionals as many speakers insinuated. NetworkWorld, June 16, 2015

Cyber Security Management – Cyber Update

Critical Drupal vulnerability patched — update your website now: The Drupal Security Team has released a critical software update for the Drupal Content Management System (CMS). NakedSecurity, June 19, 2015

National Cyber Security

Officials say security lapses left system open to hackers: WASHINGTON — Years of fundamental cybersecurity lapses left the government’s personnel agency wide open to a pair of hacks that have exposed the private information about nearly every federal employee, along with detailed personal histories of millions with security clearances, officials acknowledged to Congress. PBS, June 17, 2015
Feds on ’30-day sprint’ to better cybersecurity: As news of the full scope of the breach of Office of Management and Budget systems emerges, Federal CIO Tony Scott launched a government-wide Cybersecurity Sprint on June 12, giving agencies 30 days to shore up their systems. FederalTimes, June 15, 2015
Britain pulls out spies as Russia, China crack Snowden files – report: Britain has pulled out agents from live operations in “hostile countries” after Russia and China cracked top-secret information contained in files leaked by former U.S. National Security Agency contractor Edward Snowden, the Sunday Times reported. Reuters, June 14, 2015

Cyber Espionage

Houston Astros’ Breach A ‘Wake-Up Call’ On Industrial Cyber Espionage: The St. Louis Cardinals’ alleged breach of the Astros’ proprietary database raises concern over the possibility of US companies hacking their rivals for intel. DarkReading, June 18, 2015
Cardinals Investigated for Hacking Into Astros’ Database: WASHINGTON — Front-office personnel for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, are under investigation by the F.B.I. and Justice Department prosecutors, accused of hacking into an internal network of the Houston Astros to steal closely guarded information about players. The New York Times, June 16, 2015

Cyber Underworld

Brazil’s Cybercrime Free-For-All: Many Scams And Little Punishment: Brazil can boast many superlatives: the biggest country in South America, which is home to the the world’s biggest rain forest, which is home to the world’s biggest snake. NPR, June 17, 2015

Cyber Career

Cybrary and WIT partner to help women advance in cybersecurity: A new partnership between IT MOOC platform Cybrary and Women in Technology aims to address two major challenges faced by IT organizations today: a shortage of cybersecurity professionals and a lack of women in technology. CIO, June 17, 2015

Cyber Misc

How you can profit from cybercrime – legally: There’s a good chance that at least one company or government agency you do business with has been hacked in the past two years. Information security stocks to consider. CNN, June 16, 2015's Security Recruiter Blog