Sunday, June 28, 2015

Cyber Security News and Education for the Week of June 28, 2015





Cyber Crime

Hershey Park Investigates Card Fraud Pattern: Hershey Park, a popular resort and amusement park in Hershey, Pa. has hired a security firm to investigate reports from multiple financial institutions about a possible credit card breach, KrebsOnSecurity has learned. KrebsOnSecurity, June 24, 2015

Cyber Attack

Hackers Ground Polish LOT Airline Flights: The Polish national airline, LOT, announced on Sunday that they cancelled 10 flights as a result of the airline’s ground computer systems at Warsaw’s Okecie airport being subject to attack by hackers. The airline’s ground computer systems are used to manage the flight plans for the airline. LOT stated that no ongoing flights or other airport computer systems were affected and that flights already in the air or scheduled to land at Warsaw were not at risk. CSO, June 21, 2015

Cyber Privacy

NSA Has Reverse-Engineered Popular Consumer Anti-Virus Software In Order To Track Users: The NSA and its British counterpart the GCHQ have put extensive effort into hacking popular security software products to “track users and infiltrate networks,” according to the latest round of Snowden docs unearthed today by The Intercept. TechCrunch, June 22, 2015

Financial Cyber Security

Firms track Dyre’s rise to top financial malware threat: Dyre malware, which quickly emerged as one of the most prominent financial trojans following the Gameover Zeus botnet takedown last June, is still steadily making its mark in the underground market – and in victims’ accounts – prompting researchers to deem the threat a malicious tool successfully, though likely temporarily, filling the void of Zeus. SCMagazine, June 24, 2015
The next fraud wave: When banks cash the same check twice, you might have to pay: Can someone cash your check more than once? Yes, thanks to the intersection of very old and very new banking technology. Impossible until recently – payees formerly were required to hand paper checks over to banks during a deposit – some experts predict “double presentment” will be the source of a new fraud wave coming soon. And if you don’t know about it, even if you don’t use mobile banking, you might have to foot the bill. GeekWire, June 22, 2015

Identity Theft

The US agency plundered by Chinese hackers made one of the dumbest security moves possible: Contractors in Argentina and China were given “direct access to every row of data in every database” when they were hired by the Office of Personnel Management (OPM) to manage the personnel records of more than 14 million federal employees, a federal consultant told ArsTechnica. BusinessInsider, June 18, 2015
First on CNN: U.S. data hack may be 4 times larger than the government originally said: Washington (CNN) The personal data of an estimated 18 million current, former and prospective federal employees were affected by a cyber breach at the Office of Personnel Management – more than four times the 4.2 million the agency has publicly acknowledged. The number is expected to grow, according to U.S. officials briefed on the investigation. CNN, June 23, 2015
NO PATCH FOR INCOMPETENCE: OUR CYBERSECURITY PROBLEM HAS NOTHING TO DO WITH CYBERSECURITY: On Wednesday, June 17, Reuters reported tersely that the White House “continues to have confidence” in the beleaguered Office of Personnel Management (OPM) chief Katherine Archuleta. This came on the heels of new information that, among other things, the devastating OPM hack may have had something to do with OPM running high-end systems coded in a semi-obsolete programming language without built-in support for modern security practices. Or that OPM gave root system access (for those that don’t speak UNIX, root is privileged system access authority) to foreign contractors in China. No matter, the White House has “confidence” in the woman that ignored a direct warning from the Office of the Inspector General (OIG) cataloging key vulnerabilities in OPM systems, and who also happens to have worked as the national political director for President Obama’s re-election campaign. WarOnTheRocks, June 23, 2015
A New Early Warning of Identity Theft Is Proposed: The firms that control consumers’ credit reports need to do more to notify people if they may be the victims of identity theft, says Sen. Charles Schumer (D., N.Y.). Wall Street Journal, June 23, 2015

Cyber Warning

Samsung disables Windows Update, leaving laptops open to hackers: Samsung is disabling Windows Update on some of its computers, leaving users exposed to security holes and bugs according to an independent Microsoft support engineer. TheGuardian, June 24, 2015
“Free” Proxies Aren’t Necessarily Free: Netflix, Hulu and a host of other content streaming services block non-U.S. users from viewing their content. As a result, many people residing in or traveling outside of the United States seek to circumvent such restrictions by using services that advertise “free” and “open” Web proxies capable of routing browser traffic through U.S.-based computers and networks. Perhaps unsurprisingly, new research suggests that most of these “free” offerings are anything but, and actively seek to weaken browser security and privacy. KrebsOnSecurity, June 22, 2015

Cyber Security Management

Gap in cybersecurity knowledge creates challenges for organizations: A new survey from the Ponemon Institute and Fidelis Cybersecurity highlights some concerning data about the state of cybersecurity. Defining the Gap: The Cybersecurity Governance Survey shares the results of the study and finds a disturbing rift in cybersecurity knowledge between those who make decisions and manage the budgets and those who have to implement and manage the security measures. CSO, June 23, 2015

Cyber Security Management – Cyber Defense

A Month Without Adobe Flash Player: I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe’s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much. KrebsOnSecurity, June 23, 2015

Cyber Security Management – Cyber Update

Emergency Patch for Adobe Flash Zero-Day: Adobe Systems Inc. today released an emergency update to fix a dangerous security hole in its widely-installed Flash Player browser plugin. The company warned that the vulnerability is already being exploited in targeted attacks, and urged users to update the program as quickly as possible. KrebsOnSecurity, June 23, 2015

Cyber Security Management – HIPAA

Healthcare cybersecurity primer outlines defensive strategies: A new primer on cybersecurity outlines the challenges that healthcare organizations face and steps they can take to defend themselves against cyberattacks. FierceHealthIT, June 22, 2015

National Cyber Security

Michael Hayden Says U.S. Is Easy Prey for Hackers: Few are as qualified to speak, or as outspoken, as retired Gen. Michael Hayden on the topic of cyberespionage. Gen. Hayden, after a career in the U.S. Air Force, became the only person to have served as director of both the National Security Agency and the Central Intelligence Agency. Today he is a principal at the Chertoff Group, a global advisory firm focused on security and risk management. The Wall Street Journal, June 21, 2015
Attack Gave Chinese Hackers Privileged Access to U.S. Systems: WASHINGTON — For more than five years, American intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics makers, their targets shifting to fit Beijing’s latest economic priorities. The New York Times, June 20, 2015

Cyber Underworld

Cybercrime: Much more organized: Cybercrime offers the potential for immense profits. So it is no surprise that the digital “mob” has moved into the space. According to some experts, there is no such thing as “disorganized cybercrime” any more. CSO, June 23, 2015
Why Is Fighting Cybercrime So Hard?: It’s tough to target the few hundred super hackers that experts believe are behind the majority of cyber attacks. eSecurityPlanet, June 22, 2015

Cyber Research

How encryption keys could be stolen by your lunch: Israel-based researchers said they’ve developed a cheaper and faster method to pull the encryption keys stored on a computer using an unlikely accomplice: pita bread. PCWorld, June 22, 2015

Cyber Survey

All industries fail cybersecurity, govt the worst: Most sectors failed industry-standard security tests of their Web and mobile applications, but the government failed the worst, a report by application security company Veracode found. CNBC, June 23, 2015

Cyber Sunshine

Europol takes down Ukrainian cyber-crime gang in joint operation: A major cyber-crime ring in the Ukraine has been taken down in a joint operation involving six different European countries plus Europol and Eurojust. SCMagazine, June 25, 2015
Feds Extradite ‘Most Wanted’ ATM Hacker: A Turkish man who has been accused of masterminding a string of ATM cash-out attacks dating back to 2008 – and stealing almost $55 million – has been extradited from Germany to face trial in the United States. CUInfoSecurity, June 24, 2015