Sunday, October 25, 2015

Cybersecurity News and Education for the Week of October 25, 2015

Cyber Crime

Nothing Classified or Hip in C.I.A. Director’s Hacked Email: WASHINGTON — For John O. Brennan, the director of the C.I.A., perhaps the worst part of the attack on his private email account was the revelation that until very recently, he used an AOL account. The New York Times, October 20, 2015
Teen Who Hacked CIA Director’s Email Tells How He Did It: A hacker who claims to have broken into the AOL account of CIA Director John Brennan says he obtained access by posing as a Verizon worker to trick another employee into revealing the spy chief’s personal information. Wired, October 19, 2015
This American Oil Company Lost $3.5 Million To ‘Evil Corp’ Hackers But Came Out On Top: It was the Friday before Labor Day 2012. The executive team of Penneco Oil, a small Pittsburgh company, were lunching at the Atria’s Restaurant and Tavern – your typical off-highway American eatery, candy-striped awning, red brick and white plaster facade, a dimly-lit, cosy interior – when hundreds of emails started flooding into the inbox of treasurer Matthew Jacobs. Forbes, October 16, 2015
Consumer Alert: Debit card fraud at Walmart discovered in 16 states: Criminals cashing out compromised debit cards, avoiding detection until it’s too late by staying below a $50.00 price point. CSO, October 12, 2015
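The cash-out pattern in the CSO item is hard to catch one purchase at a time, because each purchase sits under the amount a per-transaction rule looks at. The check below is an added example, not code from the CSO article or from any retailer: it runs a card-level rule over constructed sample records (timestamp, masked card number, state-prefixed store id, amount; the field names and the record format are assumptions for the example) and flags a card that makes several sub-threshold purchases inside a short window across more than one state.

```python
"""Added example (not from the CSO article): card-level detection of
sub-threshold cash-outs, run over constructed sample records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 50.00            # the price point the fraudsters stayed under
WINDOW = timedelta(hours=24)
MIN_HITS = 3                 # sub-threshold purchases needed inside WINDOW
MIN_STATES = 2               # one card used in several states is not a shopper

# Constructed sample records (not real data): ISO timestamp, masked PAN,
# store id prefixed with its state, amount in dollars.
SAMPLE_RECORDS = """\
2015-10-10T08:02:11 card=4111******1111 store=TX-0412 amount=48.93
2015-10-10T08:40:57 card=4111******1111 store=TX-0417 amount=47.10
2015-10-10T12:15:03 card=4111******1111 store=OK-0081 amount=49.50
2015-10-10T13:01:44 card=4111******1111 store=AR-0230 amount=46.02
2015-10-10T09:30:00 card=5500******0004 store=CA-0005 amount=212.40
2015-10-10T18:12:30 card=5500******0004 store=CA-0005 amount=31.99
2015-10-11T10:00:00 card=4000******0002 store=NY-0900 amount=44.00
2015-10-11T10:20:00 card=4000******0002 store=NY-0900 amount=39.99
2015-10-11T11:05:00 card=4000******0002 store=NY-0902 amount=42.50
"""


def parse_records(text):
    """Turn the key=value lines into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "card": fields["card"],
            "store": fields["store"],
            "state": fields["store"].split("-", 1)[0],
            "amount": float(fields["amount"]),
        })
    return rows


def find_structured_cashouts(rows):
    """Return {card: [sub-threshold rows of the first flagged window]} for
    every card with MIN_HITS purchases under THRESHOLD inside WINDOW that
    span at least MIN_STATES states. Purchases at or above THRESHOLD are
    ignored, which is exactly why a per-transaction rule misses this."""
    by_card = defaultdict(list)
    for r in rows:
        if r["amount"] < THRESHOLD:
            by_card[r["card"]].append(r)

    flagged = {}
    for card, txns in by_card.items():
        txns.sort(key=lambda r: r["ts"])
        start = 0                                  # sliding window start
        for end in range(len(txns)):
            while txns[end]["ts"] - txns[start]["ts"] > WINDOW:
                start += 1
            window = txns[start:end + 1]
            states = {r["state"] for r in window}
            if len(window) >= MIN_HITS and len(states) >= MIN_STATES:
                flagged[card] = window
                break
    return flagged


if __name__ == "__main__":
    hits = find_structured_cashouts(parse_records(SAMPLE_RECORDS))
    for card, txns in hits.items():
        states = sorted({r["state"] for r in txns})
        print(f"{card}: {len(txns)} purchases under ${THRESHOLD:.2f} "
              f"within {WINDOW} across {states}")
```

The state-spread condition is what separates the cash-out crew from a genuine shopper making three small purchases in one town; tune MIN_HITS and WINDOW to the issuer's own base rate of small purchases before trusting the rule on production volume.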

Cyber Attack

TalkTalk cyberattack: who, what and why?: The cyberattack on British broadband supplier TalkTalk this week raises a host of questions over who could be behind it and what their aims are. Reuters, October 23, 2015

Cyber Privacy

White House Endorses Cybersecurity Bill, Bucking Privacy Groups: The Obama administration on Thursday endorsed a cybersecurity bill that will get a vote next week in the Senate. Government Executive, October 23, 2015
Former White House Advisor: Marry Infosec To Economics: Melissa Hathaway, former cybersecurity policy advisor to the White House, says the security and economy agendas should go hand-in-hand, and Western nations’ use of surveillance technology is ‘alarming.’ DarkReading, October 19, 2015
Google, Facebook, Microsoft and buddies stick a bomb under hated CISA cyber-law: Some of the biggest names in the tech industry have issued a public protest against the proposed Cybersecurity Information Sharing Act (CISA) working through US Congress. The Register, October 16, 2015

Identity Theft

IRS will share tax-filing info to fight identity theft: When taxpayers hear that their tax information will be shared, they generally freak out, and with good reason. Almost daily we learn of some hacking incident in which personal data is obtained and then used to steal the victims’ financial identities. BankRate, October 22, 2015
IRS plans to look at IP addresses, passwords and other online glitches: As tax identity theft and fraud continue to spiral upwards, the IRS and key industry players are trying to develop new technologies and techniques to slow the swindle juggernaut down. NetworkWorld, October 20, 2015

Cyber Warning

Western Digital encrypted external hard drives have flaws that can expose data: The hardware-based encryption built into popular Western Digital external hard disk drives has flaws that could allow attackers to recover data without knowing the user password. PCWorld, October 21, 2015
Fake Google Chrome Browser Malware ‘eFast’ Deletes Legit Browser & Serves Ads: Here’s How To Remove It: A new piece of adware disguised as a Google Chrome look-alike has begun plaguing unsuspecting Internet users. The malware, dubbed ‘eFast’, makes its way onto users’ computers as part of a bundle when they attempt to download legitimate software online, replaces the real browser and then serves ads. iDigitalTimes, October 20, 2015
Amazon Downplays Cloud Breach Threat: As security professionals weigh the pros and cons of cloud-based services, researchers at Worcester Polytechnic Institute say they have demonstrated a cross-VM side-channel attack that recovers another tenant’s RSA private key on Amazon Web Services, and argue that the same risk applies to other cloud services, both public and private. BankInfoSecurity, October 12, 2015

Cyber Security Management

What Cybersecurity Questions Are Boards Asking CISOs?: “Increasingly, cybersecurity is becoming a top-of-mind issue for most CEOs and boards, and they are becoming more preemptive in evaluating cybersecurity risk exposure as an enterprisewide risk management issue, not limiting it to an IT concern.” – Deloitte’s “Cybersecurity: The changing role of audit committee and internal audit” SecurityIntelligence, October 23, 2015
Why Corporate Boards Are Picking Women to Fill Cybersecurity Posts: Earlier this year, American International Group Inc. added Linda Mills to its board, attracted partly by her expertise in cybersecurity. In February, Wells Fargo & Co. selected Suzanne Vautrinot for its board for similar reasons. Before that, Walgreens Boots Alliance Inc. picked Janice Babiak. Bloomberg, October 22, 2015
On the hunt for merger or acquisition? Make sure your target is secure: Given numerous examples of catastrophic security risks from third-party relationships, the merger and acquisition industry needs to get caught up. CSO, October 22, 2015
How do you translate data security information to the board?: Today, data security is an executive and even a board-level issue. But the majority of senior executives aren’t tech savvy to the point of understanding security. This makes the job of the CISO and CIO quite difficult, but it need not be. Information Age, October 22, 2015
CIOs reporting directly to CFOs can create massive cybersecurity headaches: Many companies need technology upgrades but are “starving” for the cash necessary to upgrade critical systems. That’s the message from the author of a new study sponsored by the Georgia Tech Information Security Center. BusinessInsider, October 21, 2015

Cyber Security Management – Cyber Defense

As sites move to SHA2 encryption, millions face HTTPS lock-out: “We’re about to leave a whole chunk of the internet in the past,” as millions of people remain on older browsers and devices that cannot validate certificates signed with SHA-2 and so still depend on the old, insecure but widely used SHA-1 signatures that sites are now abandoning. ZDNet, October 23, 2015
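Which side of that lock-out a site lands on is decided by one field in its certificate: the signatureAlgorithm in the outer Certificate envelope. The block below is an added example, not code from the ZDNet article or from any certificate tool. It walks only that envelope (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }), so any real DER-encoded certificate file can be passed to signature_hash(); the stub certificates it builds for itself are constructed stand-ins with an empty body whose only meaningful field is the signature algorithm, and the OID table covers the common RSA and ECDSA signature OIDs.

```python
"""Added example (not from the ZDNet article): a dependency-free check of
which hash a DER certificate's signature uses, with a minimal DER walker
and encoder to build constructed stub certificates for demonstration.
"""

# Signature OID -> (algorithm name, hash). MD5 and SHA-1 are the legacy
# hashes browsers were phasing out in favour of the SHA-2 family.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", "SHA-384"),
}
LEGACY_HASHES = {"MD5", "SHA-1"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                          # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OID content octets to dotted form (base-128 arcs)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_hash(cert_der):
    """Return (oid, algorithm name, hash name) from the certificate's outer
    signatureAlgorithm field; tbsCertificate is skipped, not parsed."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)         # tbsCertificate, skipped
    _, alg_id, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    name, hash_name = SIGNATURE_OIDS.get(dotted, ("unknown", "unknown"))
    return dotted, name, hash_name


def is_legacy_signature(cert_der):
    """True when the certificate is signed with a hash being phased out."""
    return signature_hash(cert_der)[2] in LEGACY_HASHES


# --- DER encoding helpers, used only to build the constructed stubs ------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Encode a dotted OID to DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_stub_cert(sig_oid):
    """Constructed stand-in, not a valid certificate: an almost empty
    tbsCertificate, the requested signatureAlgorithm, a placeholder signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))                       # one INTEGER
    alg = _tlv(0x30, _tlv(0x06, encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + bytes(16))                        # BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        stub = build_stub_cert(oid)
        print(signature_hash(stub), "legacy" if is_legacy_signature(stub) else "ok")
```

Run signature_hash() over every certificate in the chain, not just the leaf: an intermediate still signed with SHA-1 trips modern browsers just as the leaf does, while a chain moved entirely to SHA-256 is what locks out the older clients the article describes.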

Cyber Security Management – Cyber Update

WordPress blogger patch foot-drag nag: You’re tempting hackers: Misconfigured and unpatched WordPress sites are causing a rash of problems both to themselves and the wider internet. In fact, this ever-present internet security threat has flared up again over the last week because of several new issues. The Register, October 20, 2015

Secure the Village

Information security experts show bank clients why vigilance against fraud needs to come from customers too: First Commercial Bank of Huntsville welcomed customers for some food, some mingling, and some education Tuesday. WHNT, October 20, 2015

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #85: An Interview with General Michael Hayden: Want to see cyber attribution and deterrence in action? In August, a hacker pulled the names of US military personnel and others out of a corporate network and passed them to ISIL. British jihadist Junaid Hussain exulted when ISIL released the names. “They have us on their ‘hit list,’ and we have them on ours too…,” he tweeted. On the whole, I’d rather be on theirs. Two weeks after his tweet, Hussain was killed in a US airstrike, and two months after that, the hacker was arrested in Malaysia (subscription required) on a US warrant. Lawfare, October 21, 2015
How the NSA broke encryption on trillions of secure connections: Documents leaked by Edward Snowden showed that the NSA and other intelligence agencies can break the encryption protecting much ordinary Internet traffic for mass surveillance purposes. A new paper explains how that is feasible: a large share of Internet services share a small number of 1024-bit Diffie-Hellman groups, and one enormous precomputation against such a group then lets an agency decrypt individual HTTPS, SSH and VPN sessions that use it at modest cost. BGR, October 20, 2015
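The practical lesson of that research is that the Diffie-Hellman group a server uses matters as much as its size: a 1024-bit prime that thousands of servers share is exactly the one worth precomputing against. The block below is an added example, not code from the paper or the BGR article: it runs the checks an operator would want on a DH prime (probable primality, safe-prime structure, minimum size, and membership in a widely shared standard group), using the RFC 2409 group 2 prime as the embedded example of a shared group. The Miller-Rabin round count and the 2048-bit floor are assumptions for the example.

```python
"""Added example (not from the paper or the BGR article): sanity checks on
a Diffie-Hellman prime of the kind the reported research argues for.
"""
import random

# RFC 2409 "group 2", the 1024-bit MODP prime widely shared by VPNs and
# servers; sharing is what makes a one-off precomputation pay for itself.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)

WIDELY_SHARED_PRIMES = {RFC2409_GROUP2_P}   # extend with other standard groups
MIN_BITS = 2048                             # assumed floor for new deployments
MR_ROUNDS = 16                              # assumed Miller-Rabin rounds


def is_probable_prime(n, rounds=MR_ROUNDS, rng=random.Random(0)):
    """Miller-Rabin with a fixed seed so the example is reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def assess_dh_prime(p):
    """Return (verdict, reasons) for a DH modulus p.

    reasons is a list of short codes:
      not_prime       p fails a primality test
      not_safe_prime  (p-1)/2 is not prime, so small subgroups exist
      shared_group    p is a widely shared standard group
      too_small       p has fewer than MIN_BITS bits
    """
    reasons = []
    if not is_probable_prime(p):
        reasons.append("not_prime")
    elif not is_probable_prime((p - 1) // 2):
        reasons.append("not_safe_prime")
    if p in WIDELY_SHARED_PRIMES:
        reasons.append("shared_group")
    if p.bit_length() < MIN_BITS:
        reasons.append("too_small")
    return ("weak" if reasons else "ok"), reasons


if __name__ == "__main__":
    verdict, reasons = assess_dh_prime(RFC2409_GROUP2_P)
    print(f"{RFC2409_GROUP2_P.bit_length()}-bit group 2: {verdict} {reasons}")
```

A prime that passes every check here is still only as good as its uniqueness: the research's recommendation is to move to 2048-bit groups, and generating a group of your own rather than copying a published one removes the shared target entirely.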
Analysis: Fed cybersecurity spend quintupled from FY2011 to FY2014: The federal government’s cybersecurity spend increased five-fold over a recent three-year period, with a large portion dedicated to offensive cyber capabilities, according to numbers crunched by a public sector business analytics firm. fedscoop, October 19, 2015
China still trying to hack U.S. firms despite Xi’s vow to refrain, analysts say: Chinese government hackers have attempted in the past few weeks to penetrate the networks of U.S. companies to steal their secrets despite a pledge by China’s president that they would not do so, according to private researchers. The Washington Post, October 19, 2015

Cyber Underworld

IBM Runs World’s Worst Spam-Hosting ISP?: This author has long sought to shame Web hosting and Internet service providers who fail to take the necessary steps to keep spammers, scammers and other online ne’er-do-wells off their networks. Typically, the companies on the receiving end of this criticism are little-known Internet firms. But according to anti-spam activists, the title of the Internet’s most spam-friendly provider recently has passed to networks managed by IBM — one of the more recognizable and trusted names in technology and security. KrebsOnSecurity, October 21, 2015

Sony’s Settlement With Employees Over Hacked Data Worth More Than $5.5 Million: Sony Pictures will be paying somewhere in the neighborhood of $5.5 million to $8 million to resolve a class action lawsuit over a large hack attack last winter that left the personal information of employees and ex-employees vulnerable. The details of the settlement were revealed in court papers on Monday night. Hollywood Reporter, October 20, 2015

Cyber Insurance

Can Cyber Liability Coverage Fully Protect You From Hackers?: All the news you hear about business security hacks comes from the big companies—remember the Target breach from late 2013 and the Home Depot hack a year later? So what does that mean about safety for a smaller business?, October 19, 2015

Cyber Misc

Don’t Be Fooled by Fake Online Reviews Part II: In July I wrote about the dangers of blindly trusting online reviews, especially for high-dollar services like moving companies. That piece told the story of Full Service Van Lines, a moving company that had mostly five-star reviews online but whose owners and operators had a long and very public history of losing or destroying their customers’ stuff and generally taking months to actually ship what few damaged goods it delivered. Last week, federal regulators shut the company down. KrebsOnSecurity, October 19, 2015

Cyber Sunshine

Dridex Malware Campaign Disrupted: An international law enforcement operation – spearheaded by the U.S. Federal Bureau of Investigation and Britain’s National Crime Agency – has disrupted the notorious Dridex banking malware, which has been tied to at least $40 million in losses worldwide. The U.S. Department of Justice also reports that a suspected Dridex ringleader has been arrested in Cyprus and that it is seeking his extradition. BankInfoSecurity, October 14, 2015