Sunday, November 22, 2015

Cybersecurity News and Education for the Week of November 22, 2015

Cyber Crime

Starwood Hotels Warns of Credit Card Breach: Starwood Hotels & Resorts Worldwide today warned that malware designed to help cyber thieves steal credit and debit card data was found on point-of-sale cash registers at some of the company’s hotels in North America. The disclosure makes Starwood just the latest in a recent string of hotel chains to acknowledge credit card breach investigations, and comes days after the company announced its acquisition by Marriott International. KrebsOnSecurity, November 20, 2015

Cyber Privacy

Chipotle Serves Up Chips, Guac & HR Email: The restaurant chain Chipotle Mexican Grill seems pretty good at churning out huge numbers of huge burritos, but the company may need to revisit some basic corporate cybersecurity concepts. For starters, Chipotle’s human resources department has been replying to new job applicants using the domain “” — a Web site name that the company has never owned or controlled. KrebsOnSecurity, November 16, 2015

Identity Theft

Report: Everyone Should Get a Security Freeze: This author has frequently urged readers to place a security freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft. KrebsOnSecurity, November 18, 2015
GAO: Taxpayer Data at Increased Risk: A government audit of Internal Revenue Service financial statements reveals deficiencies in internal information security controls, including missing security updates, insufficient audit trails and monitoring for certain key systems, and the use of weak passwords. GovInfoSecurity, November 16, 2015

Cyber Warning

Dyre banking malware: Windows 10 and Edge browser now targets: Microsoft confirms the nasty, credential-stealing malware Dyre has been updated to target Windows 10 and its Edge browser. ZDNet, November 19, 2015
BitLocker encryption can be defeated with trivial Windows authentication bypass: Companies relying on Microsoft BitLocker to encrypt the drives of their employees’ computers should install the latest Windows patches immediately. A researcher disclosed a trivial Windows authentication bypass, fixed earlier this week, that puts data on BitLocker-encrypted drives at risk. PCWorld, November 13, 2015

Cyber Security Management

Poor org structure led to weak info security at State: An audit of the State Department’s information security posture found critical deficiencies in the agency’s risk management framework and monitoring programs, stemming largely from a problematic organizational structure. FederalTimes, November 20, 2015
Cybersecurity Sector’s Biggest Challenge (It’s Not The Hackers): The security certification and industry body (ISC)2 predicts that 6 million security professionals will be needed by both the public and private sectors by 2019. Unfortunately, only 4.5 million of those experts will have the necessary qualifications, The Financial Times reported Wednesday (Nov. 18). November 20, 2015
The State of Cyber Insurance: All this year I’ve been researching the burgeoning cyber insurance market. Admittedly, this is a bit of a detour from covering endpoint security, network security, and security analytics, but cyber insurance is becoming an increasingly important puzzle piece in any organization’s risk mitigation strategy, so it’s worth paying attention to. NetworkWorld, November 16, 2015

Cyber Security Management – Cyber Defense

LinkedIn patches serious persistent XSS vulnerability: A persistent cross-site scripting (XSS) vulnerability impacting recruitment network LinkedIn has been fixed within hours of being reported. ZDNet, November 20, 2015
Recent Email Phishing Campaigns – Mitigation and Response Recommendations: Between June and July 2015, the United States Computer Emergency Readiness Team (US-CERT) received reports of multiple, ongoing and likely evolving, email-based phishing campaigns targeting U.S. Government agencies and private sector organizations. This alert provides general and phishing-specific mitigation strategies and countermeasures. US-CERT, August 1, 2015

Cyber Security Management – Cyber Update

VMware warns of info leaks flowing from Apache-Adobe mess: VMware has warned users of its vCenter, vCloud Director and Horizon products that they need to patch a flaw in Flex BlazeDS. TheRegister, November 19, 2015

National Cyber Security

Homeland Security Running Hundreds of Sensitive, Top Secret Databases Vulnerable to Attacks: The Department of Homeland Security is running hundreds of sensitive and top secret databases without the proper authorization, leaving the agency unsure if it can “protect sensitive information” from cyber attacks. FreeBeacon, November 19, 2015
ISIS’ OPSEC Manual Reveals How It Handles Cybersecurity: In the wake of the Paris attacks, US government officials have been vocal in their condemnation of encryption, suggesting that US companies like Apple and Google have blood on their hands for refusing to give intelligence and law enforcement agencies backdoors to unlock customer phones and decrypt protected communications. But news reports of the Paris attacks have revealed that at least some of the time, the terrorists behind the attacks didn’t bother to use encryption while communicating, allowing authorities to intercept and read their messages. Wired, November 19, 2015
Anonymous’s Cyber War with ISIS Could Compromise Terrorism Intelligence: As French police scoured Paris and surrounding areas in search of those responsible for Friday’s terrorist attacks on the French capital, a group of cyber activists took aim at the Islamic State’s online presence. The computer-hacker federation known as Anonymous claims to have disabled at least 5,500 pro-ISIS Twitter accounts and exposed thousands of the terror group’s supporters who use the social media site. ScientificAmerican, November 19, 2015
Telegram encrypted messaging service cracks down on ISIS broadcasts: In the wake of revelations that groups affiliated with the Islamic State were using the Telegram messaging service to communicate and spread propaganda materials, the nonprofit organization running the service announced that it had moved to block terror-related content from being spread through its servers. ars technica, November 18, 2015
Paris Terror Attacks Stoke Encryption Debate: U.S. state and federal law enforcement officials appear poised to tap into public concern over the terror attacks in France last week to garner support for proposals that would fundamentally weaken the security of encryption technology used by U.S. corporations and citizens. Here’s a closer look at what’s going on, and why readers should be tuned in and asking questions. KrebsOnSecurity, November 17, 2015
Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks: WASHINGTON — American and French officials say there is still no definitive evidence to back up their presumption that the terrorists who massacred 129 people in Paris used new, difficult-to-crack encryption technologies to organize the plot. The New York Times, November 16, 2015

Cyber Underworld

Exploit Kit Explosion Will Keep Victims Off Kilter: Exploit kit activity is on a massive upswing as figures from a new report out today from Infoblox and IID show that the command and control infrastructure behind these kits mushroomed last quarter. DarkReading, November 18, 2015

Cyber Law

Steptoe Cyberlaw Podcast, Episode #89: An Interview with Mark Shuttleworth: The NSA metadata program that is set to expire in two weeks was designed to provide early warning of a terror attack planned in a foreign safe haven and carried out inside the United States. Those are some of the most deadly terror attacks we’ve seen, from 9/11 to Mumbai. And now Paris. Lawfare, November 18, 2015
Steptoe Cyberlaw Podcast, Episode #88: An Interview with Adam Kozy and Johannes Gilger. Where the hell are the FTC, Silicon Valley, and CDT when human rights and privacy are on the line? If the United States announced that it had been installing malware on 2% of all the laptops that crossed US borders, the lawsuits would be flying thick and fast, and every company in Silicon Valley would be rolling out technical measures to defeat the intrusion. But when China injects malware into 2% of all the computers whose queries cross into Chinese territory, no one says boo. Lawfare, November 12, 2015

Cyber Insurance

CNA Denies Cyber Insurance Claim: Cyber security, and cyber insurance, have dominated the industry headlines for several years now, but even as companies, brokers and insurers work to develop these products, there has been a dearth of case law interpreting key provisions. This is beginning to change as disputes arise and make their way through the judicial system. Privacy & Security Matters, May 19, 2015

Cyber Sunshine

Cyber thief who stole nude images for revenge porn king gets 2 years: $250 for nude images stolen from “6 guys and 6 girls”: that’s the kind of fee that Charles “Gary” Evens charged revenge porn king Hunter Moore. NakedSecurity, November 18, 2015