Monday, August 10, 2015

Cyber Security News and Education for the Week of August 10, 2015





Cyber Crime

Tech Firm Ubiquiti Suffers $46M Cyberheist: Networking firm Ubiquiti Networks Inc. disclosed this week that cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers. KrebsOnSecurity, August 8, 2015

Cyber Attack

Attack on Sabre reportedly conducted by Anthem, OPM hackers: Travel industry software maker Sabre is the latest company said to have been hit by the same hackers who recently attacked U.S. health insurer Anthem and the U.S. Office of Personnel Management (OPM), while American Airlines has been investigating its own systems for evidence of a similar breach. PCWorld, August 7, 2015

Cyber Privacy

Ashley Madison hack proves we’re dating in the dark when it comes to online security: Millions of Australians have online dating profiles, but it is unclear how secure some of their most intimate data is. ABC, July 26, 2015

Identity Theft

How Identity Theft Sticks You With Hospital Bills: Kathleen Meiners was puzzled when a note arrived last year thanking her son Bill for visiting Centerpoint Medical Center in Independence, Mo. Soon, bills arrived from the hospital for a leg-injury treatment. The Wall Street Journal, August 7, 2015
MEDICAL PRIVACY UNDER THREAT IN THE AGE OF BIG DATA: “I didn’t understand the issue of medical privacy. It sounded abstract,” says Deanna Fei, author of the new book Girl in Glass, which covers the premature birth of her daughter Mila and an ensuing storm over medical privacy and ethics. Now she says firmly, “This is an issue of civil rights and social justice. Without the right to medical privacy, ordinary Americans can’t keep information from being used against them.” The Intercept, August 6, 2015
OPM won a cybersecurity award. For ‘most epic FAIL:’ LAS VEGAS — The Office of Personal Management won a cybersecurity award Wednesday night. But it was for “most epic FAIL.” The Washington Post, August 6, 2015
The Most Dangerous Identity Theft Threat: Last weekend, TheUpshot published the most dangerous identity theft threat: the non-expert’s tendency to underestimate the magnitude of problem. The piece in question argued that the consequences of most identity theft have been exaggerated (by identity theft experts like me), and that, “only a tiny number of people exposed by leaks end up paying any costs.” HuffingtonPost, August 4, 2015
Personal health information in the wrong hands can be painful: No wonder PHI is an attractive target for cyber criminals. It is relatively easy to get, and it gives them all the advantages of a stolen identity. And it is tough for defenders to protect data that is meant to be widely, and quickly, shared. CSO, July 31, 2015

Cyber Warning

Risk of Data Loss From Non-Jailbroken iOS Devices Real, Security Firm says: Data from the Hacking Team reveals actively used exploit for breaking into and stealing data from registered iOS systems, FireEye says. DarkReading, August 7, 2015
Blekey Device Breaks RFID Physical Access Controls: LAS VEGAS – A device the size of a quarter that can be installed in 60 seconds on a proximity card reader could potentially be used to break physical access controls in 80 percent of deployments. ThreatPost, August 6, 2015
​Android flaw lets hackers spy on you with your own phone: Researchers at Check Point Software Technologies have identified a vulnerability in Android phones that could let hackers take over devices remotely, steal personal data and even turn phones into spying devices. CBSNews, August 6, 2015
Windows patches can be intercepted and injected with malware: Researchers say Windows machines that fetch updates from an enterprise update server not configured to use encryption are vulnerable to an injection attack. ZDNet, August 6, 2015
Manipulating WSUS to Own Enterprises: LAS VEGAS – Windows Server Update Services (WSUS) is your friend, if you run an enterprise IT shop, because it facilitates the download and distribution of security patches, service pack installations and hardware driver updates among others. ThreatPost, August 6, 2015
Hackers Exploit ‘Flash’ Vulnerability in Yahoo Ads: For seven days, hackers used Yahoo’s ad network to send malicious bits of code to computers that visit Yahoo’s collection of heavily trafficked websites, the company said on Monday. The New York Times, August 3, 2015

Cyber Security Management

Social engineering scams: How hackers are stealing from your clients: As businesses and insurers become more educated about the new threats posed by cyber thieves and hackers, both sides are engaging in an escalating battle. “Some insureds have described fighting cyber risks as an arms race,” explains Bill Jennings, an underwriter for Beazley Insurance Co., Inc., which focuses on writing a number of specialty insurance products in the U.S. PropertyCasualty360, August 7, 2015
Labor Department Ignores Years Of Cybersecurity Warnings: Another federal agency has been ignoring years of watchdog warnings to strengthen its cybersecurity measures to keep hackers from gaining access to sensitive personal and official information and data. DailyCaller, August 4, 2015
Why every CIO needs a cybersecurity attorney: Distinguishing the technical experts from those responsible for legal obligations and risks will help companies develop better breach response plans. Understanding the role of an external cybersecurity firm will only help. CIO, August 4, 2015

Cyber Awareness

Why we should all care about cyber crime: In today’s world, the reality is that all individuals and organisations connected to the internet are vulnerable to cyber attack. The number, type and sophistication of attacks continues to grow, as the threat report published last month by the Australian Cyber Security Centre (ACSC) points out., August 5, 2015

Cyber Vulnerabiliy

Hackers target internet address bug to disrupt sites: Hackers are exploiting a serious flaw in the internet’s architecture, according to a security firm. BBC, August 4, 2015

National Cyber Security

Black Hat: Nothing magical about nation-state malware: In the wake of several high-profile breaches of government networks — from the exfiltration of Office of Personnel Management data on tens of millions of federal employees to the intrusion into the White House’s unclassified network — concerns over nation-state sponsored malware is on the rise. FederalTimes, August 7, 2015
U.S. suspects Russia in hack of Pentagon computer network: U.S. military officials said Thursday that they suspect Russian hackers infiltrated an unclassified Pentagon e-mail system used by employees of the Joint Chiefs of Staff, the latest in a series of state-sponsored attacks on sensitive U.S. government computer networks. The Washington Post, August 6, 2015
The Legal Problems with Cyber War Are Much Bigger Than You Think: Much of the unchartered territory begins with questions of what it takes to trigger self-defense in cyberspace, and what does it mean for a nation-state to have ‘effective control’ of a hacker? DefenseOne, August 5, 2015

Critical Infrastructure

Defending Industrial Ethernet Switches Is Not Easy, But Doable: Attacks and vulnerabilities against ICS and SCADA can be detected and monitored if operational folks know their network infrastructure. DarkReading, August 6, 2015
Why Cyber-Physical Hackers Have It Harder Than You: Before you pout about having to learn a new infosec application, remember you don’t need to also know physics, chemistry, engineering and how to make a pipeline explosion look like an accident. DarkReading, August 6, 2015
Here’s the scary new target hackers are going after: Familiar with the refrain “Hack the Planet”? Well, security researchers have made that phrase more literal. Fortune, August 4, 2015

Cyber Underworld

Inside the $100M ‘Business Club’ Crime Gang: New research into a notorious Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide provides an unprecedented, behind-the-scenes look at an exclusive “business club” that dabbled in cyber espionage and worked closely with phantom Chinese firms on Russia’s far eastern border. KrebsOnSecurity, August 5, 2015
Chinese VPN Service as Attack Platform?: Hardly a week goes by without a news story about state-sponsored Chinese cyberspies breaking into Fortune 500 companies to steal intellectual property, personal data and other invaluable assets. Now, researchers say they’ve unearthed evidence that some of the same Chinese hackers also have been selling access to compromised computers within those companies to help perpetrate future breaches. KrebsOnSecurity, August 4, 2015

Cyber Research

Researchers Create First Firmware Worm That Attacks Macs: THE COMMON WISDOM when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t. Wired, August 3, 2015

Cyber Law

Why the FTC is showing up at hackers’ biggest conferences: LAS VEGAS — The Federal Trade Commission, the de facto federal watchdog for consumers’ privacy and data security, knows it needs help. The Washinton Post, August 7, 2015
Internet firms to be subject to new cybersecurity rules in EU: Internet firms such as Cisco (CSCO.O), Google (GOOGL.O) and Amazon (AMZN.O) will be subject to a new EU cybersecurity law forcing them to adopt tough security measures and possibly report serious breaches to national authorities, according to a document seen by Reuters. Reuterts, August 6, 2015
‘Right to be forgotten’ laws in Europe may erase data beyond its borders: Google has refuted demands by the French government to apply last year’s ruling by a European high court that required search engines grant the right to be forgotten to all its domains – even those outside the continent. CSMonitor, August 6, 2015
Cybersecurity Bill Is Latest to Be Delayed in Senate: WASHINGTON — The Senate headed into its August recess on Wednesday without voting on a cybersecurity bill, adding it to a contentious to-do list for September that includes a push to disapprove the Iran nuclear deal and a spending fight mired in abortion politics. August 5, 2015
This ’80s-era criminal hacking law scares cybersecurity researchers: LAS VEGAS — Since it was instituted in the 1980s, the Computer Fraud and Abuse Act has been the government’s primary tool for going after malicious hackers. But it’s also has drawn the ire of cybersecurity researchers who fear the law is too broad — and potentially criminalizes some of the things they do to help make systems safer. Washington Post, August 5, 2015

Cyber Misc

Tesla’s Response to Hacked Car Offers a Road Map for Fast Fixes: Cybersecurity researchers on Friday are publicizing software flaws in the Tesla Model S that could allow remote hackers to shut down a moving car’s engine. Bloomberg, August 7, 2015's Security Recruiter Blog