Sunday, January 10, 2016

Cybersecurity News and Cybersecurity Education for the Week of January 10, 2016

Cyber Crime

Account Takeovers Fueling ‘Warranty Fraud’: Cybercrime takes many forms, but one of the more insidious and perhaps less obvious manifestations is warranty fraud. This scheme involves con artists who assume the identity of a consumer, complain that a given product has ceased to operate as expected, and demand that the retailer replace the article in question. Such claims turn into a loss for targeted merchants when the scammer hacks an unwitting customer’s account and replaces the customer’s email address with his own address and demands that the retailer ship him a brand new device. KrebsOnSecurity, January 6, 2016

Cyber Fraud

Fraudsters Automate Russian Dating Scams: Virtually every aspect of cybercrime has been made into a service or plug-and-play product. That includes dating scams — among the oldest and most common of online swindles. Recently, I had a chance to review a package of dating scam emails, instructions, pictures, videos and love letter templates that are sold to scammers in the underground, and was struck by how commoditized this type of fraud has become. KrebsOnSecurity, January 4, 2016

Cyber Warning

Forbes forces readers to turn off ad blockers, promptly serves malware: For the past few weeks, Forbes has been forcing visitors to disable ad blockers if they want to read its content. Visitors to the site with Adblock or uBlock enabled are told they must disable it if they wish to see any Forbes content. Thanks to Forbes’ interstitial ad and quote of the day, Google caching doesn’t capture data properly, either. ExtremeTech, January 8, 2016
More Google Play apps infected with Brain Test malware: Lookout: Google has removed more than a dozen malware-infected apps from its Google Play Store as a result of an investigation by cybersecurity company Lookout. ZDNet, January 8, 2016
‘Spymel’ Is Latest Example Of Attackers Using Signed Malware: What was once reserved for targeted attacks is being increasingly used to distribute common crimeware payloads says Zscaler. DarkReading, January 8, 2016
Time Warner Cable Urges 320,000 Customers to Change Passwords: Roughly 320,000 Time Warner Cable customers are being told to change their email passwords this week after the company announced Wednesday that hackers may have gained access to them. ThreatPost, January 7, 2016
Meet Ransom32: The first JavaScript ransomware: Software as a service (or SaaS) is a relatively new model of how a lot of software companies are conducting their business today – often to great success. So it comes as no surprise that malware writers and cyber crooks are attempting to adopt this model for their own nefarious purposes. In the past year a whole bunch of these “Ransomware as a Service” campaigns appeared, like for example Tox, Fakben or Radamant. Today we want to spotlight the newest of these campaigns. Emsisoft, January 1, 2016

Cyber Security Management

Overcoming stubborn execs for security sake: Even with the greater awareness for strong security within organizations—and the high-profile hacks that have contributed to that increased awareness—security executives still encounter significant hurdles in doing their jobs to protect data and systems. CSO, January 7, 2016
CFTC Adopts Proposed Cybersecurity Regulations: On Wednesday, December 16, 2015, the Commodity Futures Trading Commission (CFTC or Commission) approved for publication two proposed rules to amend existing regulations addressing cybersecurity. The proposed rules would establish testing obligations and safeguards for the automated systems used by designated contract markets (DCMs), swap execution facilities (SEFs), swap data repositories (SDRs) (the Exchange Proposal), and derivatives clearing organizations (DCOs) (the Clearing Proposal and, together, the Proposals). Steptoe Cyberblog, January 5, 2016
Cybersecurity and the Twenty-First Century Board of Directors: It’s concerning that some board experts are balking about the newly proposed Cybersecurity Disclosure Act of 2015 that would require publicly traded companies to disclose, in their investor filings with the U.S. Securities and Exchange Commission (SEC), whether any member of their board of directors is a cybersecurity expert. Rather than object to this recommendation, one would imagine that on the eve of 2016, boards of directors that don’t already have cybersecurity experts would tremble, and that their investors would run for the hills. Huffington Post, December 31, 2015

Cyber Security Management – Cyber Defense

DDoS: 4 Attack Trends to Watch in 2016: Distributed denial-of-service attacks are growing in volume and frequency, striking a wide variety of industries and businesses. But many organizations remain ill-prepared to mitigate DDoS risks. BankInfoSecurity, January 8, 2016

Cyber Security Management – Cyber Update

Older IE Versions Losing Security Support on Tuesday: Anxiety was high around April 8, 2014 when Microsoft officially closed the door on security support for Windows XP. Many envisioned black hats worldwide stockpiling exploits waiting for the day when XP machines would be left permanently exposed. ThreatPost, January 8, 2016

Secure the Village

The year in review for Cyber Security: Larry Marino interviews Citadel’s Dr. Stan Stahl. Top hacks and hot issues, from the recent glitch that got a campaign staffer in trouble when it allowed one candidate’s team to look into the files of another’s. Sunday Morning Newsmakers with Larry Marino, January 3, 2016

Cyber Government

Oversight head: Hackers would hit mother lode at Education Department: House Oversight Committee Chairman Jason Chaffetz (R-Utah) is warning that a hack on the Department of Education would dwarf last year’s massive breach at the Office of Personnel Management. TheHill, January 8, 2016

National Cyber Security

Russian Hackers Behind Attack on Ukraine’s Power Grid, Researchers Claim: The alleged cyber-attack that led to a temporary outage of the Ukrainian power grid was likely perpetrated by Russian hackers, according to US researchers. GlobalVoices, January 8, 2016
Ukrainian blackout caused by hackers that attacked media company, researchers say: A power blackout in Ukraine over Christmas and a destructive cyberattack on a major Ukrainian media company were caused by the same malware from the same major hacking group, known as Sandworm, according to security researchers at Symantec. TheGuardian, January 7, 2016

Critical Infrastructure

Lessons Learned About Critical Infrastructure: What’s Good Enough?: Over the past decade, oil and gas companies have invested significant resources in security management, but there are sizable challenges ahead in people and processes. DarkReading, January 8, 2016

Internet of Things

GM Asks Friendly Hackers to Report Its Cars’ Security Flaws: As automotive cybersecurity has become an increasingly heated concern, security researchers and auto giants have been locked in an uneasy standoff. Now one Detroit mega-carmaker has taken a first baby step toward cooperating with friendly car hackers, asking for their help in identifying and fixing its vehicles’ security bugs. Wired, January 8, 2016
EZCast TV streaming stick leaves home networks vulnerable to attack: Check Point researchers have discovered a vulnerability in the EZCast TV streaming stick that enables hackers to take full control of home networks. HelpNetSecurity, January 8, 2016

Cyber Law

Uber Settles Over Data Breach: Any U.S. organization that delays issuing a data breach notification to victims risks having its information security policies get reviewed – and potentially overhauled – by state regulators, not to mention being fined. BankInfoSecurity, January 8, 2016
OFAC Issues Cyber-Related Sanctions Regulations: On December 31, 2015, the US Treasury Department, Office of Foreign Assets Control (OFAC) issued the Cyber-Related Sanctions Regulations (CRSR), 31 C.F.R. Part 578. The CRSR formally implement the sanctions set forth in Executive Order (EO) 13694 of April 1, 2015 and are effective immediately. Steptoe, January 7, 2016

Cyber Misc

Steptoe Cyberlaw Podcast – Interview with Nick Weaver: We’re back from hiatus with a boatload of news and a cautiously libertarian technologist guest in Nick Weaver of the International Computer Science Institute in Berkeley. To start Episode 95 of the podcast, Michael Vatis and I plumb the meaning of the Cyber Security Act’s passage. The big news? Apparently Santa is real, state laws prohibiting employer access to social media credentials may have been preempted, at least a bit, and ISPs just got new authority to monitor traffic to find bits that threaten other people. Now if we could just find something useful to do with the defensive measures provision … Steptoe Cyberblog, January 5, 2016

Cyber Sunshine

Hackers are sad because video games are too hard to crack: “In two years time I’m afraid there will be no free games to play in the world.” Mashable, January 8, 2016