Monday, October 12, 2015

Cyber Security News and Education for the Week of October 11, 2015
Cyber Quote of the Week

“Findings show companies that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber crime costs that are lower than companies that have not implemented these practices,” Larry Ponemon, Ponemon Institute, Cost Of Cybercrime Reaches $15 Million Annually Per Org

Cyber Crime

Dow Jones: We were hacked, client data exposed: Dow Jones said Friday that hackers breached its system and possibly stole payment information for some former and current subscribers. CNBC, October 9, 2015
Trump Hotel Collection Confirms Card Breach: The Trump Hotel Collection, a string of luxury hotel properties tied to business magnate and Republican presidential candidate Donald Trump, said last week that a year-long breach of its credit card system may have resulted in the theft of cards used at the hotels. The acknowledgement comes roughly three months after this author first reported that multiple financial institutions suspected the hotels were compromised. KrebsOnSecurity, October 5, 2015

Cyber Attack

Inside The Hunt For The Uber Hacker: As many as 50,000 drivers’ names and license numbers were illegally downloaded — and the trail might lead to rival app Lyft. Huffington Post, October 8, 2015

Cyber Privacy

Where Do Major Tech Companies Stand on Encryption?: There’s a major battle brewing over encryption right now. Law enforcement agencies are trying to demand “backdoors” to our sensitive data and communications, while civil liberties groups are fighting back through a new campaign called SaveCrypto. And President Obama seems to be trying to find a middle ground, eschewing legal mandates but continuing to informally pressure companies to provide unencrypted access to data. Electronic Frontier Foundation, October 9, 2015
What’s in a Boarding Pass Barcode? A Lot: The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account. KrebsOnSecurity, October 6, 2015

Identity Theft

US Consumers More Worried About Cyber Risks Than Their Physical Safety: Cyberthreats among the biggest worries of consumers, new Travelers Consumer Risk Index shows. DarkReading, October 7, 2015

Cyber Warning

New Moker RAT Bypasses Detection: Researchers warned Tuesday the latest APT to make the rounds features a remote access Trojan that can effectively mitigate security measures on machines and grant the attacker full access to the system. ThreatPost, October 9, 2015
Disclosed Netgear Router Vulnerability Under Attack: A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited. ThreatPost, October 8, 2015
‘Evil’ Kemoge Serves Androids Ads And Rootkits: Malware is wrapped into a wide variety of legitimate apps on third-party stores and one on Google Play. DarkReading, October 7, 2015
DDoS Warnings: Emerging Threats Pack a Punch: By all measures, distributed denial-of-service attacks remain not just alive and well, but are growing more severe. The latest example of the staying – and disruptive – power of DDoS attacks comes with researchers at Akamai Technologies warning that a botnet comprised of Linux systems infected with XOR DDoS malware has been launching DDoS attacks that have reached a blistering 150 Gbps. While that speed doesn’t set any records, it nevertheless represents a large enough packet storm to disrupt many websites. BankInfoSecurity, October 1, 2015

Cyber Security Management

Addressing the Information Security Skills Gap in Partnership With Academia: The cybersecurity industry is booming — but there aren’t enough skilled workers to go around. “More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years,” stated a Peninsula Press analysis of the data published by the U.S. Bureau of Labor Statistics (BLS). Security Intelligence, October 9, 2015
Uber Finally Fixed a Bug that Let Hackers Keep Control of Hacked Accounts: Uber just fixed a major security issue that allowed hackers to maintain access to compromised accounts even after the victim had changed his or her password. Motherboard, October 9, 2015
At Experian, Security Attrition Amid Acquisitions: T-Mobile disclosed last week that some 15 million customers had their Social Security numbers and other personal data stolen thanks to a breach at Experian, the largest of the big American consumer credit bureaus. But this actually wasn’t the first time that a hacking incident at Experian exposed sensitive T-Mobile customer data, and that previous breach may hold important clues about what went wrong more recently. KrebsOnSecurity, October 8, 2015
Cost Of Cybercrime Reaches $15 Million Annually Per Org: Ponemon Institute study details annual costs incurred by organizations with over 1,000 employees. DarkReading, October 6, 2015
10 Steps to Mitigate A Data Breach Before It Happens: Many of the clients that we advise are nervous about data protection, cyber issues, and the privacy of their customers and employees. Who can blame them? Every day we read news about another privacy breach. Some of the companies that we counsel are light years ahead – talking coding strategies and testing for vulnerabilities – while others are trying to determine how to be compliant and implement internal protocols in response to a breach. Arent Fox, October 5, 2015

Cyber Security Management – Cyber Defense

Report: Apple Yanks Insecure Apps, Including Ad Blocker: Apple has reportedly removed several apps from the App Store amidst concern that they can view encrypted traffic. PCMagazine, October 9, 2015
iPhone Malware Is Hitting China. Let’s Not Be Next: Apple’s iOS has had a good run in terms of security. For more than eight years it’s been wildly popular and yet virtually malware-free, long enough to easily earn the title of the world’s most secure consumer operating system. Now that title has a new, growing asterisk: China. Wired, October 6, 2015

Cyber Security Management – Cyber Update

Adobe to Patch Reader and Acrobat Next Week: Adobe is expected next week to patch critical vulnerabilities in Acrobat and Reader. ThreatPost, October 8, 2015
Google Patches Stagefright 2 Android Vulnerability: Google is fixing newly announced flaws in its Android mobile OS. The company issued patches for 19 vulnerabilities, including the Stagefright 2 flaw. eWeek, October 6, 2015

National Cyber Security

In a first, Chinese hackers are arrested at the behest of the U.S. government: The Chinese government has quietly arrested a handful of hackers at the urging of the U.S. government — an unprecedented step to defuse tensions with Washington at a time when the Obama administration has threatened economic sanctions. The Washington Post, October 9, 2015
Clinton server faced hacking from China, South Korea and Germany: Hillary Clinton’s private email server containing tens of thousands of messages from her tenure as secretary of state — including more than 400 now considered classified — was the subject of hacking attempts from China, South Korea and Germany after she stepped down in 2013, according to Congressional investigators. Politico, October 8, 2015
Former NSA Directors Coming Out Strongly *Against* Backdooring Encryption: Earlier this summer, we were taken a bit by surprise when both former NSA/CIA boss Michael Hayden, along with former DHS boss Michael Chertoff, came out fairly strongly against backdooring encryption at a time when their counterparts still in the government seemed to be leaning in the other direction and have been pushing proposals to mandate backdoors. And it appears they’re not backing down. Hayden has now doubled down with further statements against backdooring encryption, according to Lorenzo Franceschi-Bicchierai at Vice’s Motherboard. TechDirt, October 7, 2015
Agencies Need to Correct Weaknesses and Fully Implement Security Programs: Persistent weaknesses at 24 federal agencies illustrate the challenges they face in effectively applying information security policies and practices. Most agencies continue to have weaknesses in (1) limiting, preventing, and detecting inappropriate access to computer resources; (2) managing the configuration of software and hardware; (3) segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation; (4) planning for continuity of operations in the event of a disaster or disruption; and (5) implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis (see fig.). These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies’ efforts to fully implement effective information security programs. In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented. Government Accountability Office, September 29, 2015

Cyber Espionage

Report: Iran-based hackers spy using fake LinkedIn profiles: A group of suspected Iranian hackers are using a sophisticated network of fake LinkedIn profiles to spy on unsuspecting targets worldwide — including the U.S. — according to a new report. CNN, October 7, 2014
Chinese Hackers Breached LoopPay, Whose Tech Is Central to Samsung Pay: WASHINGTON — Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers. The New York Times, October 7, 2015

Cyber Law

The US Bids Farewell to the Comforts of the Safe Harbor: Many companies have facilitated the transfer of personal information from the European Union and the European Economic Area to the United States by complying with the US–EU (and/or US–Swiss) Safe Harbor Framework run by the US Department of Commerce. The program has been in effect since the year 2000 and has served as a means to comply with the EU data protection requirements and permit trans-Atlantic data transfer. However, as of October 6, 2015, the framework is invalid. Co-authored by Michael Zweiback, Secure the Village Advisory Board member. Arent Fox, October 9, 2015
Data Transfer Pact Between U.S. and Europe Is Ruled Invalid: Europe’s highest court on Tuesday struck down an international agreement that allowed companies to move digital information like people’s web search histories and social media updates between the European Union and the United States. The decision left the international operations of companies like Google and Facebook in a sort of legal limbo even as their services continued working as usual. The New York Times, October 7, 2015

Cyber Misc

Vigilante Team White hackers admit to infecting 300,000 devices: Team White hackers have taken credit for infecting more than 300,000 devices with the Wifatch malware designed to harden security, but experts still question the team’s vigilante actions. SearchSecurity, October 9, 2015
Digital businesses affecting information security, says Gartner: More than 20% of enterprises will have digital risk services devoted to protecting business initiatives used within the Internet of Things by 2017. ITBrief, October 8, 2015
Steptoe Cyberlaw Podcast, Episode #83: An Interview with Bruce Schneier at “Privacy. Security. Risk. 2015”: Bruce Schneier joins Stewart Baker and Alan Cohn for an episode recorded live in front of an audience of security and privacy professionals. Appearing at the conference Privacy. Security. Risk. 2015., sponsored by the IAPP and the Cloud Security Alliance, Bruce Schneier talks through recent developments in law and technology. Lawfare, October 5, 2015
A View Emerges of Business Technology’s Future as the Personalization of the Machine: Last week, the heads of two of America’s biggest companies said almost the same thing about what personalized technology would mean to the future of business. The New York Times, October 4, 2015

Cyber Sunshine

Angler Ransomware Campaign Disrupted: A cybercrime ring that employed the Angler Exploit Kit to earn an estimated $34 million per year from ransomware infections alone has been disrupted by security researchers at Cisco’s Talos security intelligence and research group. BankInfoSecurity, October 7, 2015