Sunday, September 27, 2015

Cyber Security News and Education for the Week of September 27, 2015


Identity Theft
Hackers Took Fingerprints of 5.6 Million U.S. Workers, Government Says: WASHINGTON — Just a day before the arrival of President Xi Jinping here for a meeting with President Obama that will be focused heavily on limiting cyberespionage, the Office of Personnel Management said Wednesday that the hackers who stole security dossiers from the agency also got the fingerprints of 5.6 million federal employees. The New York Times, September 23, 2015
Cyber Threat
Porn sites hit by malware hidden in adverts: Security firm Malwarebytes says a campaign of malware hidden inside online ads which hit search engine Yahoo earlier this year has now also appeared on adult websites. BBC, September 25, 2015
Cyber Warning
How hackers can access iPhone contacts and photos without a password: iPhone users have yet another screenlock bypass vulnerability to watch out for, according to a new video demonstration that shows how the bug can be exploited to gain unauthorized access to photos and contacts. ars technica, September 25, 2015
Advanced malware gets into Google Play store twice, possibly 1M downloads: Within the past month, malware disguised as an Android game twice made its way into the Google Play store and each time had between 100,000 and 500,000 downloads – making for a potential total infection rate of one million users. SCMagazine, September 21, 2015
Malware implants on Cisco routers revealed to be more widespread: Attackers have installed malicious firmware on nearly 200 Cisco routers used by businesses from over 30 countries, according to Internet scans performed by cyber crime fighters at the Shadowserver Foundation. InfoWorld, September 21, 2015
Cyber Security Management
Inside Target Corp., Days After 2013 Breach: In December 2013, just days after a data breach exposed 40 million customer debit and credit card accounts, Target Corp. hired security experts at Verizon to probe its networks for weaknesses. The results of that confidential investigation — until now never publicly revealed — confirm what pundits have long suspected: Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store. KrebsOnSecurity, September 21, 2015
Cyber Security Management – Cyber Defense
Worldwide information security spending to grow almost 4.7% in 2015, says Gartner: Worldwide spending on information security will reach US$75.4 billion in 2015, an increase of 4.7% over 2014, according to the latest forecast from Gartner. The increase in spending is being driven by government initiatives, increased legislation and high-profile data breaches. Security testing, IT outsourcing, and identity and access management present the biggest growth opportunities for technology providers. DigiTimes, September 23, 2015
Apple pulls infected Chinese apps from iTunes App Store: Following a major attack on the iTunes App Store, Apple is removing dozens of popular apps that had been infected by malware. CNN, September 21, 2015
Cyber Security Management – Cyber Update
Adobe Flash Patch, Plus Shockwave Shocker: Adobe has released a critical software update to fix nearly two-dozen security holes in its Flash Player browser plugin. Separately, I want to take a moment to encourage users who have Adobe Shockwave Player installed to finally junk this program; turns out Shockwave — which comes with its own version of Flash — is still many versions behind in bundling the latest Flash fixes. KrebsOnSecurity, September 21, 2015
Cyber Awareness
DHS infosec chief: We should pull clearance of feds who fail phish test: In the wake of the Office of Personnel Management hack this year, which reportedly took advantage of a phishing attack to steal credentials used to gain access to highly sensitive personnel records, US federal agencies have been increasing their security training and employee testing around phishing. In addition to the employee awareness campaign launched by the National Counterintelligence and Security Center, more agencies are using security auditing tools that simulate phishing attacks against employees to test whether the employees abide by their information security training. Those who fall for phishing tests are generally either required to take a security refresher class or at worst are publicly called out for their errors in agency e-mails. ars technica, September 21, 2015
Fake femme fatale shows social network risks: Hundreds of people in the information security, military and intelligence fields recently found themselves with egg on their faces after sharing personal information with a fictitious Navy cyberthreat analyst named “Robin Sage,” whose profile on prominent social networking sites was created by a security researcher to illustrate the risks of social networking. Computerworld, July 22, 2010
Secure the Village
Curbing the For-Profit Cybercrime Food Chain: Security specialists need to change the game and shift gears, researchers argue – instead of focusing on protecting their users and systems, they should narrow their sights on trying to shake up cybercrime’s seedy underbelly. ThreatPost, September 25, 2015
Google’s Three Tips for Sabotaging the Cybercrime Economy: With hackers and the security research community constantly finding new ways to break every piece of software that touches the Internet, it’s easy to get lost in the endless cycle of hacks and patches and hacks. But one team of Googlers and academic researchers has stepped back from that cycle to take a broader view of the maelstrom of scams, fraud and theft online. The result is a portrait of the digital underworld that goes beyond the traditional idea of corporate security to sketch the entire supply chain of online crime from hacking accounts to cashing out—focusing on where that chain can be weakened or snapped. Wired, September 24, 2015
Second Annual Los Angeles Cybersecurity Summit 2015-Silicon Beach: In honor of National Cyber Security Awareness Month, the second annual Los Angeles Cybersecurity Summit brings together government officials, private business executives and cybersecurity experts to discuss the current and emerging threats that exist in today’s sophisticated cyber environment. Cyber attacks on corporations, governmental agencies and individuals are becoming increasingly widespread and regular, as well as more complex. The goal of this summit is to bring together leading experts in cyber security to discuss the technological advancements being made to counter and manage these risks. IEEE, Event Date/Location: October 10, 2015, Loyola Marymount University
National Cyber Security
US and China in urgent talks on cybersecurity deal, says report: The United States and China have been engaged in urgent negotiations in recent weeks on a cybersecurity deal and may announce an agreement when the Chinese president Xi Jinping arrives in Washington on Thursday, according to reports. The Guardian, September 19, 2015
Cyber Underworld
Bidding for Breaches, Redefining Targeted Attacks: A growing community of private and highly-vetted cybercrime forums is redefining the very meaning of “targeted attacks.” These bid-and-ask forums match crooks who are looking for access to specific data, resources or systems within major corporations with hired muscle who are up to the task or who already have access to those resources. KrebsOnSecurity, September 23, 2015
Cyber Research
A Tricky Path to Quantum-Safe Encryption: On August 11, the National Security Agency updated an obscure page on its website with an announcement that it plans to shift the encryption of government and military data away from current cryptographic schemes to new ones, yet to be determined, that can resist an attack by quantum computers. Quanta Magazine, September 8, 2015
Cyber Law
Steptoe Cyberlaw Podcast, Episode #81: An Interview with Margie Gilbert: Episode 81 features China in the Bull Shop, as the White House prepares for President Xi’s visit and what could be ugly talks on cyber issues. Our guest commentator, Margie Gilbert, is a network security professional with service at NSA, CIA, ODNI, Congress, and the NSC. Now at Team Cymru, she’s able to offer a career’s worth of perspective on how three Presidents have tried to remedy the country’s unpreparedness for network intrusions. Lawfare, September 23, 2015
Cyber Insurance
Insurance and education should be weapons in fight against cyber-crime: The majority of businesses do not have cyber security insurance, with many not even aware such protection exists – and even those that do have insurance in place may find themselves at a loss if they don’t have the correct cover. The solution may be to mandate more data sharing and raise public awareness, according to speakers at a roundtable organised by software security company Kaspersky Lab. BankingTechnology, September 21, 2015
Cyber Misc
Volkswagen and the Era of Cheating Software: For the past six years, Volkswagen has been advertising a lie: “top-notch clean diesel” cars — fuel efficient, powerful and compliant with emissions standards for pollutants. It turns out the cars weren’t so clean. They were cheating. The New York Times, September 24, 2015