Sunday, December 06, 2015

Cybersecurity News and Education for the Week of December 6, 2015

Cyber Attack

Paris climate summit: hackers leak login details of more than 1,000 officials: Hackers have leaked the private login details of nearly 1,415 officials at the UN climate talks in Paris in an apparent act of protest against arrests of activists in the city. The Guardian, December 3, 2015

Financial Cyber Security

Target Reaches Settlement with Banks: Target Corp. has reached a proposed $39.4 million settlement with a group of banking institutions that sued the retailer over fraud losses and expenses suffered as a result of Target’s December 2013 data breach. BankInfoSecurity, December 2, 2015

Cyber Privacy

VTech hack: US and Hong Kong to investigate as 6.4m children exposed: Toymaker VTech will be investigated by several US states after a hack that exposed the private data of 6.4 million children, including photos and addresses. The Guardian, December 2, 2015

Identity Theft

OPM Breach: Credit Monitoring vs. Freeze: Many readers wrote in this past week to say they’d finally been officially notified that their fingerprints, background checks, Social Security numbers, and other sensitive information was jeopardized in the massive data breach discovered this year at the Office of Personnel Management (OPM). Almost as many complained that the OPM’s response — the offering of free credit monitoring services for up to three years — won’t work if readers have taken my advice and enacted a “security freeze” on one’s credit file with the major credit bureaus. This post is an attempt to explain what’s going on here. KrebsOnSecurity, December 2, 2015

Cyber Warning

New attack campaign against SMBs uses a botnet to deliver PoS malware: A group of sophisticated attackers are repurposing penetration testing tools to break into the networks of small and medium-size businesses worldwide with the goal of infecting point-of-sale systems with malware. CSO, December 3, 2015
Dell support software leaks system information: IT giant Dell is shipping computers with support software that leaks extensive amounts of information about the systems it is preloaded on, researchers have found. iTnews, December 3, 2015
Cisco Patches WebEx App for Android, Warns of Unpatched Flaws: Cisco has been busy the last two days pushing out a patch and security advisories for a number of its products, including a fix for a remotely exploitable vulnerability in its WebEx Meetings mobile application for Android. Threatpost, December 2, 2015
Could Hello Barbie become the plaything of hackers? Turns out toys are vulnerable, too: Mattel’s chatty doll could give up sensitive information, while a hacker has already swiped children’s pictures and personal info from toymaker VTech. Experts say Internet-connected toys are rife

Cyber Security Management – Cyber Defense

Into the Breach: Why ‘Self Detection’ Leads To Faster Recovery: When an organization can identify network and system intrusions in their early phases it takes the advantage away from its adversaries. Here’s how. DarkReading, December 2, 2015
How Hackers Are Using Fake LinkedIn Profiles to Steal Your Information: The LinkedIn request seemed ordinary enough. A technology journalist named “Jenifer Lawrence” had asked to connect to me. I clicked OK without thinking. Then I took a closer look at her profile. Yahoo, December 2, 2015
DHS Giving Firms Free Penetration Tests: The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help “critical infrastructure” companies shore up their computer and network defenses against real-world adversaries. And it’s all free of charge (well, on the U.S. taxpayer’s dime). KrebsOnSecurity, December 1, 2015

Secure the Village

Cybersecurity is a team sport, but it’s no game: We can all do something to address the growing cybersecurity challenge. Individual users, small departments and large agencies alike can take steps to improve our individual and collective cybersecurity posture. GCN, December 3, 2015
Find a Security Vulnerability, Get a Reward: Announcing EFF’s Security Vulnerability Disclosure Program: At EFF we put security and privacy first. This means working hard at keeping our members and site visitors safe, as well as the people who use the software we develop. We also dedicate staff time to advising security researchers, maintaining resources like our Coders’ Rights Project, and helping groups like Facebook improve their bug reporting policies. Electronic Frontier Foundation, December 3, 2015
Steptoe Cyberlaw Podcast – Interview with Jason Healey: Is the internet really worth it? Our guest for episode 91, Jason Healey of the Atlantic Council and Columbia University, recaps a study finding that, even with a worst-case Clockwork Orange Internet, the economic benefits of networking still outweigh the losses from security failures – though the closer we get to the worst case, the more likely we are to get Leviathan Internet, where the inherently controlling aspects of the network are embraced by governments around the world. Stewart Baker, Steptoe & Johnson, December 1, 2015
Steptoe Cyberlaw Podcast – Interview with Charlie Savage: Our guest for episode 90 is Charlie Savage, New York Times reporter, talking about Power Wars, his monumental new book on the law and politics of terrorism in the Obama (and Bush) administrations. I pronounce it superb, deeply informative, and fairly unbiased, “for a New York Times reporter.” With that, the fat is in the fire, and Charlie and I trade views – and occasional barbs – about how the Bush and Obama administrations handled the surveillance issues that arose after 9/11. Stewart Baker, Steptoe & Johnson, November 24, 2015

Cyber Government

GAO: IRS financial IT security needs more oversight: The Government Accountability Office says the IRS spent way too much time manually making up for system failures, while also ignoring basic password safeguards. fedscoop, November 12, 2015
Federal Spending on Information Security to Reach $11 Billion by 2020, According to Deltek Report: HERNDON, Va.–(BUSINESS WIRE)–According to a new report from Deltek, federal information security spending is projected to increase over 5% per year while overall federal spending on information technology remains flat. Deltek’s new GovWin IQ report, Federal Information Security Market, 2015-2020, forecasts the federal demand for vendor-furnished information security products and services will increase from $8.6 billion in FY 2015 to $11.0 billion in 2020. As agencies struggle to stay ahead of the cybersecurity threats, more and more of their IT spend is being devoted to cybersecurity, reaching over 10% of IT spend by 2020. BusinessWire, December 1, 2015

Critical Infrastructure

House energy bill boosts cybersecurity for electric grid: A Republican-backed bill overhauling federal energy policy that passed the House on Thursday includes several significant provisions aimed at defending the nation’s power supply against cyberattacks. TheHill, December 3, 2015

Cyber Law

International Law and the UN GGE Report on Information Security: The international community recently took an important step toward establishing global norms of behavior in cyberspace with the publication of the UN’s outcome report from its 2014/2015 Group of Governmental Experts (GGE) on Information Security. The report reflects the consensus of 20 governmental experts who discussed measures to promote stability and conflict prevention in cyberspace. Mandated by the General Assembly, the GGE met for discussions over the course of one year to arrive at the recommendations contained in the report. JustSecurity, December 2, 2015
Hackers Could Take Control Of Your Car, But You Can’t Sue Carmakers For That Risk: Cars contain millions of lines of software code, which makes them tempting targets for hackers. Further, with the increased automation of cars, we face growing risks that malicious hackers will remotely take control of cars and cause significant personal or property damage. Ideally, car manufacturers would be actively combating this risk, but news reports instead regularly point out their failings to design secure car software. Nevertheless, a recent court ruled that buyers can’t sue car manufacturers for hackable software…at least, not until there’s some tragedy. Forbes, December 2, 2015

Cyber Misc

Venture capitalists flock to cybersecurity information-sharing platforms: Arlington cybersecurity start-up ThreatConnect said Tuesday that it has raised $16 million from investors, led by the corporate venture capital arm of SAP’s North American subsidiary in Rockville. The next morning just down the road in Sterling, Va., a similarly-named start-up called ThreatQuotient said it raised $10.2 million, led by prolific technology investor New Enterprise Associates. A few weeks ago Arlington-based Trustar announced $2 million in seed funding. Washington Post, December 2, 2015

Cyber Sunshine

Feds: Silk Road accomplice nabbed in Thailand: Federal prosecutors Friday announced the arrest of a Canadian citizen on charges he was a key accomplice to convicted Silk Road darknet mastermind Ross Ulbricht. USA Today, December 4, 2015
CRTC uses anti-spam powers to take down Toronto-based malware server: TORONTO — The CRTC has issued its first warrant under the federal government’s anti-spam legislation to take down a Toronto-based malware server in an attempt to disrupt an international network of infected computers. CTVNews, December 3, 2015

Security Recruiter Blog