Sunday, January 17, 2016

Cybersecurity News and Cybersecurity Education for the Week of January 17, 2016

Cyber Crime

Bitcoin Heist Steals Millions from Exchange: Cryptocurrency exchange Cryptsy, which trades bitcoins as well as more than 100 types of “altcoins” such as litecoin and namecoin, disclosed Jan. 15 that it was robbed in 2014. As a result of the breach, the exchange has now suspended all trades and says it will file for bankruptcy unless the stolen bitcoins are returned. BankInfoSecurity, January 15, 2016
Hyatt Card Breach Hit 250 Hotels in 50 Nations: If you stayed, ate or played at a Hyatt hotel between Aug. 13 and Dec. 8, 2015, there’s a good chance your credit or debit card data was stolen by unknown cyber thieves who infiltrated many of the hotel chain’s payment systems. In its first disclosure about the scope of a breach acknowledged last month, Hyatt Hotels Corp. says the intrusion likely affected guests at 250 hotels in roughly 50 countries. KrebsOnSecurity, January 15, 2016

Financial Cyber Security

Will FFIEC Revamp Cyber Assessment Tool?: In response to banking institutions’ requests for clarification of the Cybersecurity Assessment Tool, the Federal Financial Institutions Examination Council is taking a preliminary step that could lead to refinements. BankInfoSecurity, January 13, 2016

Cyber Privacy

Juniper drops NSA-developed code following new backdoor revelations: Juniper Networks, which last month made the startling announcement that its NetScreen line of firewalls contained unauthorized code that can surreptitiously decrypt traffic sent through virtual private networks, said it will remove a National Security Agency-developed function widely suspected of also containing a backdoor for eavesdropping. ars technica, January 10, 2016

Cyber Fraud

Top 8 ways to fight mobile banking fraud: The ease and flexibility of digital and mobile banking is creating a revolution which is providing consumers with more ways to access their finances than ever before. Information Age, January 13, 2016

Cyber Warning

How malware developers could bypass Mac’s Gatekeeper without really trying: In September, Ars reported a drop-dead simple exploit that completely bypassed an OS X security feature known as Gatekeeper. Apple shipped a fix, but now the security researcher who discovered the original vulnerability said he found an equally obvious work-around. ars technica, January 15, 2016
Ransomware a Threat to Cloud Services, Too: Ransomware — malicious software that encrypts the victim’s files and holds them hostage unless and until the victim pays a ransom in Bitcoin — has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware also can just as easily seize control over files stored on cloud services. KrebsOnSecurity, January 14, 2016

Cyber Security Management – Cyber Update

Bug that can leak crypto keys just fixed in widely used OpenSSH: A critical bug that can leak secret cryptographic keys has just been fixed in OpenSSH, one of the more widely used implementations of the secure shell (SSH) protocol. ars technica, January 14, 2016
Adobe, Microsoft Push Reader, Windows Fixes: Adobe and Microsoft each issued updates today to fix critical security problems with their software. Adobe’s patch tackles 17 flaws in its Acrobat and PDF Reader products. Microsoft released nine update bundles to plug at least 22 security holes in Windows and associated software. KrebsOnSecurity, January 12, 2016

Cyber Security Management – HIPAA

OUTLOOK 2016: Cybersecurity to Become Main IT Concern for Hospitals: Health-care organizations in 2016 will be focused on improving cybersecurity and preparing for changes to Medicare’s quality incentive programs, industry observers told Bloomberg BNA. BNA, January 15, 2016
Achieving HIPAA Compliance as a Business Associate: In 2009, the HITECH Act mandated that not only covered entities but also business associates would be subject to periodic audits as a means to ensure that both are complying with HIPAA Rules. The first phase of these audits, taking place between 2011 and 2012 and involving 115 covered entities, revealed abysmal results. Only 13 entities passed without any negative findings, and over 980 compliance issues were discovered. One-third of these violations were simply due to ignorance of HIPAA requirements. HIT Consultant, January 6, 2015

National Cyber Security

We keep too many hacks secret, says ex-NSA director: The United States keeps too many hacks secret, says the former director of the U.S. National Security Agency. CNN, January 14, 2016
Former Director Of NSA And CIA Says US Cybersecurity Policy MIA: MIAMI, FL — S4 2016 — Gen. Michael Hayden called for private industry, not the US government, to take the lead in protecting data and the power grid from attacks by nation-states or terror groups. Dark Reading, January 13, 2016

Critical Infrastructure

Malware ‘clearly’ behind Ukraine power outage, SANS utility expert says: It is ‘clear’ the power outages experienced in the Ukraine last December were caused by a series of network-centric attacks against multiple utilities, says SANS industrial control system expert Michael J. Assante. The Register, January 15, 2016
How Hackers Took Down a Power Grid: It was an unseasonably warm afternoon in Ukraine on Dec. 23 when the power suddenly went out for thousands of people in the capital, Kiev, and western parts of the country. While technicians struggled for several hours to turn the lights back on, frustrated customers got nothing but busy signals at their utilities’ call centers. Bloomberg, January 14, 2016
Successful Attacks On Oil And Gas Companies Increasing, Survey Shows: The rate of cyberattacks and the number of successful attacks against organizations in the oil and gas industries are both continuing to increase, even as the ability to detect and respond to them is dropping, a new survey sponsored by Tripwire shows. Dark Reading, January 14, 2016
Nuclear Facilities in 20 Countries May Be Easy Targets for Cyberattacks: WASHINGTON — Twenty nations with significant atomic stockpiles or nuclear power plants have no government regulations requiring minimal protection of those facilities against cyberattacks, according to a study by the Nuclear Threat Initiative. The New York Times, January 14, 2016
Nuclear Computers Especially Vulnerable as Cyber Attacks Rise, Watchdog Says: The nation’s unclassified nuclear computer systems are vulnerable to successful cyber attacks because “generic” security contracts don’t make it clear who’s responsible for keeping an eye on them, federal watchdogs said Tuesday. NBC, January 12, 2016

Internet of Things

INTERNET OF THINGS POSES OPPORTUNITIES FOR CYBER CRIME: As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet also increases the target space for malicious cyber actors. Similar to other computing devices, like computers or smartphones, IoT devices also pose security risks to consumers. The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats. FBI, September 10, 2015

Cyber Underworld

A Look Inside Cybercriminal Call Centers: Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they don’t speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multi-lingual men and women who can be hired to close the deal. KrebsOnSecurity, January 11, 2016