Sunday, January 24, 2016

Cybersecurity News and Cybersecurity Education for the Week of January 24, 2016

Cyber Crime

Cyber Hit on China-Owned Boeing Supplier Sends Stock Down 19%: Cyberfraud sent shares of Austria’s FACC AG to their steepest drop since the supplier of parts to Boeing Co. and Airbus Group SE began trading in 2014. The company put damages at 50 million euros ($55 million) — one of the biggest losses after a hacking event for a company of its size. January 20, 2016

Cyber Attack

Irish government websites hit by widening DDoS attacks: A number of Irish government-related and public sector websites were knocked offline by an apparent DDoS attack on Friday morning. The Register, January 22, 2016
Ukraine energy utilities attacked again with open source Trojan backdoor: Battered Ukrainian electricity utilities are being targeted with backdoors in attacks possibly linked to those fingered for recent blackouts. The Register, January 21, 2016

Financial Cyber Security

‘Asacub’ Trojan Converted To Mobile Banking Weapon: In a sign of the times, what was once a routine data-stealing tool has evolved into a dangerous mobile banking threat. DarkReading, January 21, 2016

Identity Theft

Why your health data isn’t as secure as it should be: Your health status is perhaps the most intimate information anyone could know about you, so it should be your decision whether you share or keep your medical records private. January 22, 2016
A Jump Start for a National Patient ID?: Matching all the right records from multiple sources to the right patient has long been a challenge for healthcare organizations because of the lack of a widely used patient identifier. Mismatching is becoming an even bigger patient safety and privacy concern as more electronic health information is exchanged. GovInfoSecurity, January 20, 2016
The Lowdown on Freezing Your Kid’s Credit: A story in a national news source earlier this month about freezing your child’s credit file to preempt ID thieves prompted many readers to erroneously conclude that all states allow this as of 2016. The truth is that some states let parents create a file for their child and then freeze it, while many states have no laws on the matter. Here’s a short primer on the current situation, with the availability of credit freezes (a.k.a. “security freeze”) for minors by state and by credit bureau. KrebsOnSecurity, January 20, 2016

Cyber Warning

Secret SSH backdoor in Fortinet hardware found in more products: A recently identified backdoor in hardware sold by security company Fortinet has been found in several new products, many that were running current software, the company warned this week. ars technica, January 22, 2016
Unknown attackers are infecting home routers via dating sites: Damballa researchers have spotted an active campaign aimed at infecting as many home routers possible with a worm. Help Net Security, January 22, 2016
LastPass Phishing Attack Lets Hackers Get All Your Passwords: Password managers are great, and using one on a daily basis is probably the number one thing you can do to lessen your chances of getting seriously owned. But that doesn’t mean they’re perfect, and small software flaws combined with good old-fashioned social engineering can go a long way. Motherboard, January 16, 2016

Cyber Security Management

A Strategy Map for Security Leaders: Information Security’s Value to the Organization: The first row of our strategy map for security leaders is about the question that security professionals seem to struggle with the most: What value do you provide? SecurityIntelligence, January 20, 2016
A Strategy Map for Security Leaders: Applying the Balanced Scorecard Framework to Information Security: Like the leaders of any other business function, CISOs need a strategy. We’re not talking about a specific plan to mitigate some specific threat or vulnerability. We’re talking about a strategy map for the organization’s information security team: what value it provides, who it provides value for, what capabilities this requires, how much these capabilities cost and how the necessary resources will be allocated and organized over time. SecurityIntelligence, January 13, 2016

Cyber Security Management – Cyber Defense

The Apple App Store Incident: Trouble in Paradise?: Apple’s App Store and development ecosystem is often described as a walled garden, due to its closed developer ecosystem and stringent security. Since 2008, Apple’s approach has been reasonably successful in preventing malicious iOS apps from making their way into the store and onto users’ iPhones and iPads. But a very public incident in September 2015 highlighted a weakness in Apple’s security model that may spell trouble in the future. DarkReading, January 22, 2016

Cyber Security Management – Cyber Update

Apple Fixes Cookie Theft Bug in iOS 9.2.1: When Apple pushed out iOS 9.2.1 earlier this week, it fixed a nasty bug that lingered in the wild for nearly three years and could have let an attacker steal cookies and impersonate victims. ThreatPost, January 21, 2016
Oracle releases a record 248 patches: Oracle admins will be busy: The company issued 248 patches on Tuesday, its largest-ever release, according to one security vendor. ComputerWorld, January 19, 2016

National Cyber Security

Media devices sold to feds have hidden backdoor with sniffing functions: A company that supplies audio-visual and building control equipment to the US Army, the White House, and other security-conscious organizations built a deliberately concealed backdoor into dozens of its products that could possibly be used to hack or spy on users, security researchers said. ars technica, January 21, 2016
Steptoe Cyberlaw Podcast – Interview with John Lynch: Back for a rematch, John Lynch and I return to the “hackback” debate in episode 97, with Jim Lewis of CSIS providing color commentary. John Lynch is the head of the Justice Department’s computer crime section. We find more common ground than might be expected but plenty of conflict as well. I suggest that Sheriff Arpaio in Arizona may soon be dressing hackers in pink while deputizing backhackers, while Jim Lewis focuses on the risk of adverse foreign government reactions. We also consider when it’s lawful to use “web beacons” and whether trusted security professionals should be given more leeway to take action outside their customers’ networks. In response to suggestions that those who break into hacker hop points might be sued by the third parties who nominally own those hop points, I suggest that those parties could face counterclaims for negligence. We close with a surprisingly undogmatic discussion of Justice Department “no-action letters” for computer security practitioners considering novel forms of active defense. Steptoe Cyberblog, January 21, 2016
Steptoe Cyberlaw Podcast – Interview with Senator Tom Cotton: How do you graduate as a conservative with two Harvard degrees? We learn this and much more from Sen. Tom Cotton (R-AR), our guest for episode 96. We dive deep with the Senator on the 215 metadata program and its USA FREEDOM Act replacement. We ask what the future holds for the 702 program, one of the most important counterterrorism programs and just entering yet another round of jockeying over renewal; Sen. Cotton has already come out in favor of making the program permanent. To round things out, Sen. Cotton assesses the risks of Going Dark for our intelligence community and the difficulties that the Safe Harbor negotiations pose for US intelligence. Steptoe Cyberblog, January 12, 2016

Internet of Things

IoT security in the spotlight at PrivacyCon: Security in the Internet of Things (IoT) was in the spotlight last week at PrivacyCon. NakedSecurity, January 22, 2016
More Than Half of Businesses Will Embrace IoT Technologies: By 2020, more than half of major new business processes and systems will incorporate some element of the Internet of Things (IoT), according to Gartner Inc. Information Management, January 21, 2016

Cyber Law

No Safe Harbor Is Coming — CISA Made Sure Of It: It’s time to take your data classification procedures more seriously. If not, that helpful information-sharing you did in the US could cost you hefty fines for privacy violations in the European Union. DarkReading, January 22, 2016
Facebook’s Friend Finder found unlawful by Germany’s highest court: In its younger days, a fear spread through Facelandia: friend requests were popping up, from people who Facebook said had suggested friendships but who protested that in actuality, they’d done nothing of the kind. NakedSecurity, January 22, 2016
Breach Investigations: Who’s Accountable?: Caveat emptor. No organization that suspects it’s suffered a data breach ever wants to hear those words, while they’re desperately seeking third-party digital forensic experts to help them investigate – and if necessary mitigate and lock down – their networks and systems. BankInfoSecurity, January 20, 2016

Cyber Insurance

Firm Sues Cyber Insurer Over $480K Loss: A Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a $480,000 loss following an email scam that impersonated the firm’s chief executive. KrebsOnSecurity, January 18, 2016

Cyber Sunshine

Guy Who Tried to Frame Me In Heroin Plot Pleads Guilty to Cybercrime Charges: A Ukrainian man who tried to frame me for heroin possession has pleaded guilty to multiple cybercrime charges in U.S. federal court, including credit card theft and hacking into more than 13,000 computers. KrebsOnSecurity, January 20, 2016