Monday, December 14, 2015

Cybersecurity News and Education for the Week of December 13, 2015






Financial Cyber Security

The Role of Phony Returns in Gift Card Fraud: On any given day, there are thousands of gift cards from top retailers for sale online that can be had for a fraction of their face value. Some of these are exactly what they appear to be: legitimate gift cards sold through third-party sites that specialize in reselling used or unwanted cards. But many of the more steeply discounted gift cards for sale online are in fact the product of merchandise return fraud, meaning consumers who purchase them unwittingly help thieves rob the stores that issued the cards. KrebsOnSecurity, December 10, 2015
North American Banks See Cybercrime As Biggest Risk: While fears about macroeconomic climate remain the single biggest risk factor for banks globally, for bankers in North America and the U.K. the threat from ever more sophisticated cyberattacks ranks above regulation, political interference and credit risk as the No. 1 threat to the industry. IBTimes, December 8, 2015

Cyber Warning

Malware Hides, Except When It Shouts: Two new malware reports – one from security researchers at technology giant Cisco, another from cybersecurity firm FireEye – demonstrate how developers continue to refine their malicious code to maximize its information-stealing and extortion potential. BankInfoSecurity, December 11, 2015
WP Engine breached, forces users to change their passwords: Popular WordPress-specific hosting provider WP Engine has apparently suffered a data breach, and is forcing their customers to change their passwords. Help Net Security, December 11, 2015
Spy Banker Trojan Being Hosted On Google Cloud: The Spy Banker Trojan is spreading through Brazil through the help of Google and Facebook, according to researchers at ZScaler ThreatLabZ. DarkReading, December 10, 2015
“Nemesis” malware hijacks PC’s boot process to gain stealth, persistence: Malware targeting banks, payment card processors, and other financial services has found an effective way to remain largely undetected as it plucks sensitive card data out of computer memory. It hijacks the computer’s boot-up routine in a way that allows highly intrusive code to run even before the Windows operating system loads. ars technica, December 7, 2015

Cyber Security Management – Cyber Defense

Internet DNS servers withstand huge DDoS attack: DNS is short for Domain Name System, the online service that converts server names into network numbers. NakedSecurity, December 10, 2015
When Ethical Hacking Can’t Compete: Companies are paying “white hat” hackers to probe their cybersecurity systems for weaknesses—but some say that so far, they aren’t paying enough. The Atlantic, December 8, 2015
IT Regulatory Compliance as the Next Big Focus for Cloud Vendors: Back in October 2014, Defense Information Systems Agency (DISA) submitted a public request for information, calling for the assessment of the marketplace’s ability to “provide cloud ecosystems and services in two integration models that place vendor cloud services on DoD networks for use by the DoD community and mission partner.” CloudTweaks, December 8, 2015

Cyber Security Management – Cyber Update

Google Updates Chrome, Extends Safe Browsing to Chrome for Android: Google yesterday released an update for the Chrome browser that patches seven vulnerabilities and also updates Adobe Flash Player. It also announced that Google Safe Browsing has been extended to Chrome for Android. ThreatPost, December 9, 2015
Adobe, Microsoft Each Plug 70+ Security Holes: Adobe and Microsoft today independently issued software updates to plug critical security holes in their software. Adobe released a patch that fixes a whopping 78 security vulnerabilities in its Flash Player software. Microsoft pushed a dozen patch bundles to address at least 71 flaws in various versions of the Windows operating system and associated software. KrebsOnSecurity, December 8, 2015

Secure the Village

Steptoe Cyberlaw Podcast – Interview with Ellen Nakashima and Tony Cole: Did China’s PLA really stop hacking US companies for commercial secrets? And does it matter? In episode 92, we ask those questions and more of two experts on the topic ‒ Washington Post reporter Ellen Nakashima, who has broken many stories on PLA hacking, and Tony Cole, the Global Government CTO with FireEye, who has fought off his share of PLA hackers. SteptoeCyberblog, December 9, 2015
Microsoft CEO takes a collaborative approach to cybersecurity: Microsoft CEO Nadella talks of company’s role in an ‘ecosystem,’ saying partnerships and top-to-bottom protection and detection critical to battle emerging security threats. CIO, November 23, 2015

National Cyber Security

Obama Hints at Renewed Pressure on Encryption, Clinton Waves Off First Amendment: President Obama and Hillary Clinton made statements on Sunday indicating that the post-San Bernardino focus on rooting out radicalized individuals is going to lead to heightened pressure on social media sites and tech companies that provide unbreakable end-to-end encryption. TheIntercept, December 7, 2015

Cyber Underworld

When Undercover Credit Card Buys Go Bad: I recently heard from a source in law enforcement who had a peculiar problem. The source investigates cybercrime, and he was reaching out for advice after trying but failing to conduct undercover buys of stolen credit cards from a well-known underground card market. Turns out, the cybercrime bazaar’s own security system triggered a “pig alert” and brazenly flagged the fed’s transactions as an undercover purchase placed by a law enforcement officer. KrebsOnSecurity, December 7, 2015
Prototype Nation: The Chinese Cybercriminal Underground in 2015: By the end of 2013, the Chinese cybercrime underground was a very busy economy, with peddled wares that not only targeted PCs, but mobile devices as well—making it its most prolific segment. We also saw cybercriminals abusing popular Web services such as the instant-messaging app (IM), QQ, to communicate with peers. TrendMicro, November 23, 2015
Banks Have a Harder Time Blending Among Fraudsters: There are many potential buyers of stolen bank account data, including the banks themselves. But fraudsters are increasingly reluctant to sell their data back to its original owner. PaymentsSource, November 6, 2015

Cyber Sunshine

Sextortion Scheme: Former U.S. Official Pleads Guilty: A former U.S. State Department employee has admitted in court that he masterminded an online sexual extortion – or sextortion – scheme that targeted victims around the world, beginning with phishing attacks designed to trick would-be victims into sharing the passwords to their online accounts. BankInfoSecurity, December 10, 2015