Monday, August 24, 2015

Cyber Security News and Education for the Week of August 23, 2015






Cyber Quote of the Week

The truth of the matter is that over 99% of cyber attacks fail if defenders have implemented basic security measures … the success of intruders is usually traceable to endpoints in the network that weren’t configured to the latest security standards, or users who weren’t adequately trained.  The most sophisticated firewalls in the world aren’t going to save you if you’re dumb enough to open an email from Nigeria congratulating you on the inheritance that awaits transmittal of your banking information.  Loren Thompson, Military Cybersecurity: Evolution Is The Only Business Model That Makes Sense, Forbes

Cyber Crime

Hackers hit University of Virginia: The University of Virginia’s network is back online after a cyberattack forced a weekend shutdown of the school’s servers. TheHill, August 17, 2015

Cyber Privacy

The Ashley Madison Data Dump, Explained: The release of stolen data from Ashley Madison, a dating website marketed at would-be adulterers, promises to roil the marital lives of its members. The New York Times, August 19, 2015
Was the Ashley Madison Database Leaked?: Many news sites and blogs are reporting that the data stolen last month from 37 million users of — a site that facilitates cheating and extramarital affairs — has finally been posted online for the world to see. In the past 48 hours, several huge dumps of data claiming to be the actual AshleyMadison database have turned up online. But there are precious few details in them that would allow one to verify these claims, and the company itself says it so far sees no indication that the files are legitimate. KrebsOnSecurity, August 18, 2015
Network flaw allows hackers to intercept calls and track location of ‘billions’: BILLIONS OF MOBILE PHONE USERS are at risk from a signalling flaw that allows hackers to intercept all voice calls and track locations. The Inquirer, August 17, 2015

Identity Theft

IRS: 330K Taxpayers Hit by ‘Get Transcript’ Scam: The Internal Revenue Service (IRS) disclosed today that identity thieves abused a feature on the agency’s Web site to pull sensitive data on more than 330,000 potential victims as part of a scheme to file fraudulent tax refund requests. The new figure is far larger than the number of Americans the IRS said were potentially impacted when it first acknowledged the vulnerability in May 2015 — two months after KrebsOnSecurity first raised alarms about the weakness. KrebsOnSecurity, August 17, 2015

Cyber Threat

Consumers may be the big losers when companies hide cybersecurity problems: A group of security researchers were prepping for a major reveal in 2013: They planned to disclose at a D.C. cybersecurity conference how a security flaw in luxury vehicles could let bad guys break in without keys and start the cars. The Washington Post, August 18, 2015

Cyber Warning

Vulnerability in enterprise-managed iOS devices puts business data at risk: A vulnerability in the iOS sandbox for third party applications, like those installed by companies on their employees’ devices, can expose sensitive configuration settings and credentials. PCWorld, August 20, 2015
Microsoft Pushing Emergency Fix for Windows Internet Explorer Vulnerability: Need-to-know information for Windows PC owners: Microsoft has pushed an emergency update to Internet Explorer to address a recently discovered vulnerability (CVE-2015-2502) currently being exploited to install malware on and gain unauthorized access to computers. The update is rated critical for home users of Internet Explorer versions 7 through 11. Techlicious, August 19, 2015
Another serious vulnerability found in Android’s media processing service: The Android service that processes multimedia files has been the source of several vulnerabilities recently, including a new one that could give rogue applications access to sensitive permissions. CIO, August 18, 2015
New OS X 10.10.5 Privilege Escalation Vulnerability Discovered: Just days after Apple patched the DYLD_PRINT_TO_FILE security hole with the release of OS X 10.10.5, a developer has found a similar unpatched exploit that could allow attackers to gain root-level access to a Mac. MacRumors, August 17, 2015
Your torrent client could help hackers hijack your computer: When you use a torrent client, you take your chances. Even if it’s just the ever-so-mild chance of running afoul of some sort of copyright regime, torrent traffic is rarely totally legally kosher. Yet a new study from an international team of security researchers has concluded that some of the world’s most popular torrent clients can open you up to a completely different sort of legal problem: one in which your computer is made part of a criminal attack without your consent. ExtremeTech, August 17, 2015
Vulnerability identified in Google Admin app, remains unpatched: The Google Admin application – which allows users to manage their Google for Work accounts from their Android devices – contains an unpatched vulnerability that can be exploited to read data from any file within the Google Admin sandbox. SC Magazine, August 17, 2015
PSA: Your Android phone may still have Stagefright vulnerability even if it was patched: The Stagefright scare isn’t over, folks. The Android bug, which would allow a devious hacker to take full control of your phone by sending you a message, has been in the news heavily in recent weeks, and it prompted a quick response by Google, carriers and OEMs to get devices patched up ASAP. The patches have been rolling in like a vicious storm. Phandroid, August 17, 2015

Cyber Security Management

Companies hope cybersecurity experts in the boardroom can counter hacks: The board of directors at construction and engineering company Parsons Corp. needed to fill a seat two years ago. LA Times, August 16, 2015

Cyber Security Management – Cyber Defense

Keeping Your WordPress Site Safe From Hackers: Being popular isn’t all it’s cracked up to be. A tree full of fruits is sure to get its share of stones thrown at it. Take Microsoft Windows for example. The operating system is on a gazillion computers so now Windows and its apps are the target of thousands of viruses and other malware. The same is true with the popular content management system WordPress, which is now used by millions of websites because of its ease of use and flexibility. MovieTechGeeks, August 20, 2015

Cyber Security Management – Cyber Update

Microsoft patches up IE flaw that gives hackers access to your PC: Microsoft has issued a critical update to patch up an Internet Explorer hole that can give hackers access to your system. Hackers could create websites capable of exploiting the zero-day vulnerability — discovered by Google researcher Clement Lecigne — and get you to click on the URL via email or instant messenger. They will then get the same user rights you have, making the flaw more dangerous if you have administrative access or if you’re handling a server or a workstation. With admin powers, intruders can remotely install applications and steal your data. Engadget, August 18, 2015

Cyber Security Management – Cyber Awareness

How hackers tempt you to open THAT email: There’s a lot IT pros get wrong about social engineering, but let’s start with what we get right. We know that social engineering is one of the most powerful tools used by attackers today. In fact, it’s probably at the root of every major breach of the past year. TheNextWeb, August 21, 2015

Secure the Village

Sharing Cyber Intelligence To Fight Cyber Crime And Fraud-as-a-Service (FaaS): Wired reported earlier this week that hackers posted a “data dump, 9.7 gigabytes in size… to the dark web using an Onion address accessible only through the Tor browser.” The data included names, passwords, addresses, profile descriptions and several years of credit card data for 32 million users of Ashley Madison, a social network billing itself as the premier site for married individuals seeking partners for affairs. Forbes, August 20, 2015
Wake Up Call: Cyber Data-Sharing Available to Law Firms: A legal information-sharing group called The Legal Services Information Sharing and Analysis Organization will announce on Wednesday that law firms have access to a platform that allows them to share data on cybersecurity threats anonymously. Bloomberg, August 19, 2015
FireEye, Europol tag team on cybercrime detection: FireEye and Europol have announced plans to share threat knowledge on cybercrime in order to detect threats early and better keep European citizens out of harm’s way. ZDNet, August 17, 2015
How to Combat the Global Cybercrime Wave (Op-Ed): Today, economic reliance on the internet is all-encompassing. With 40 percent of the world population now online, there is hardly an industry that has not been dramatically transformed and empowered by the communication and business opportunities created. But the very thing that has been such a powerful engine of global economic growth is now threatening to undermine it. Dmitri Alperovitch, CrowdStrike, LiveScience, August 14, 2015

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #78: The Atlantic Council Panel: I know, I know, we promised that the Cyberlaw Podcast would go on hiatus for the month of August. But we also hinted that there might be a bonus episode. And here it is, a stimulating panel discussion with Dmitri Alperovitch, Harvey Rishikof, and me, sponsored by the Atlantic Council and moderated by Melanie Teplinsky. The topic is whether the United States should abandon its longstanding policy of refusing to steal the commercial secrets of foreigners to help American companies compete. The discussion is lively, with plenty of disagreements and an audience vote at the start and finish of the discussion to gauge how persuasive we were. Enjoy! LawFare, August 12, 2015

Cyber Research

Quantum computing breakthrough renews concerns of cybersecurity apocalypse: A new breakthrough in quantum computing could speed up the already ultra-powerful tech. With it, though, comes the exacerbated potential for a ‘crypto-apocalypse’ where existing computer security fails. NetworkWorld, August 21, 2015

Cyber Law

The GitHub attack, part 1: Making international cyber law the ugly way: Over the past few years, the US government has invested heavily in trying to create international norms for cyberspace. We’ve endlessly cajoled other nations to agree on broad principles about internet freedom and how the law of war applies to cyberconflicts. Progress has been slow, especially with countries that might actually face us in a cyberwar. But the bigger problem with the US effort is simple: Real international law is not made by talking. It’s made by doing. The Washington Post, August 16, 2015

Cyber Misc

How Not to Start an Encryption Company: Probably the quickest way for a security company to prompt an overwhelmingly hostile response from the security research community is to claim that its products and services are “unbreakable” by hackers. The second-fastest way to achieve that outcome is to have that statement come from an encryption company CEO who served several years in federal prison for his role in running a $210 million Ponzi scheme. Here’s the story of a company that managed to accomplish both at the same time and is now trying to learn from (and survive) the experience. KrebsOnSecurity, August 18, 2015
Kaspersky: Freemasons coded fake malware in the Bermuda Triangle: Eugene Kaspersky has taken to his blog to make another stinging rebuttal of a Reuters report that alleged the company that bears his name deliberately sabotaged rival antivirus packages. The Register, August 17, 2015
Volkswagen hid a car hacking flaw for two years: Researchers just revealed that technology used in 126 types of cars makes them easier to steal, and that Volkswagen went to court two years ago to keep their discovery a secret. CNN, August 14, 2015

Cyber Sunshine

Stress-Testing the Booter Services, Financially: The past few years have witnessed a rapid proliferation of cheap, Web-based services that troublemakers can hire to knock virtually any person or site offline for hours on end. Such services succeed partly because they’ve enabled users to pay for attacks with PayPal. But a collaborative effort by PayPal and security researchers has made it far more difficult for these services to transact with their would-be customers. KrebsOnSecurity, August 17, 2015