Sunday, February 07, 2016

Cybersecurity News and Cybersecurity Education for the Week of February 7, 2016

Cyber Crime

Neiman Marcus Reports New Breach: A recent breach of customer accounts at luxury retailer Neiman Marcus is, once again, putting the spotlight on the vulnerabilities created by relying only on usernames and passwords for online authentication. Until businesses and banking institutions start forcing consumers to use other types of authentication methods, such as biometrics, mobile verification codes and geo-location, merchants and banks can expect more hackers to breach customer accounts. BankInfoSecurity, February 4, 2016

Financial Cyber Security

Exclusive: Top cybercrime ring disrupted as authorities raid Moscow offices – sources: Russian authorities in November raided offices associated with a Moscow film distribution and production company as part of a crackdown on one of the world’s most notorious financial hacking operations, according to three sources with knowledge of the matter. Reuters, February 6, 2016
ATM Fraud Arrests: A Red Flag for Merchants: The arrests this week of seven men allegedly linked to a skimming operation that targeted ATMs at retailers, including hotels and gas stations, are yet another indicator that U.S. merchants need to beef up the security of these devices. BankInfoSecurity, February 4, 2016

Cyber Privacy

Study: Law enforcement overstating risk of criminals ‘going dark’: The FBI and other officials are overstating their case when they warn that criminals are using encryption to “go dark,” according to a new study by the Berkman Center for Internet and Society at Harvard. TheHill, February 1, 2016

Cyber Fraud

Business E-mail Compromise: Don’t Be a Victim: What to Do: Implement very strong controls on wire transfers. Assume all email or fax requests from a vendor to change bank accounts are fraudulent. Assume all email or fax requests from the company President or others are fraudulent. Assume all email or fax requests to set up a new vendor are fraudulent. Pick up the phone, call the party in question and verify the request is legitimate. Citadel Information Group, February 3, 2016

Identity Theft

Perk Potential: Could Identity Theft Protection Become a Workplace Benefit?: Whether it’s credit card fraud, social media hijacking or corporate database breaches, identity theft is at the forefront of the threat matrix that law enforcement in the United States fights every day., February 5, 2016

Cyber Threat

Agriculture, Alternative Energy Could Be Chinese Hackers’ Next Targets: Perhaps Anthem and Premera breaches were not just about stealing PII, but about researching the ins and outs of Western healthcare systems, CrowdStrike’s annual global threat report says. DarkReading, February 3, 2016

Cyber Warning

Wildly Popular App Kik Offers Teenagers, and Predators, Anonymity: The allegations are beyond chilling: two Virginia Tech freshmen charged with the premeditated kidnapping and killing of a 13-year-old girl who, authorities say, communicated with her murderer online. The New York Times, February 5, 2016
iOS flaw lets hackers thwart lock screen passcode on iPhones and iPads: Researchers have uncovered an authentication bypass-sized hole in iPhones and iPads running iOS 8 and iOS 9. The Inquirer, February 5, 2016
Mysterious spike in WordPress hacks silently delivers ransomware to visitors: It’s still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users. ars technica, February 4, 2016
eBay has no plans to fix “severe” bug that allows malware distribution: eBay has no plans to fix a “severe” vulnerability that allows attackers to use the company’s trusted website to distribute malicious code and phishing pages, researchers from security firm Check Point Software said. ars technica, February 3, 2016

Cyber Security Management

SCM Presents: The Information Security Challenge in the Cyber-Age: A video presentation by Dr. Stan Stahl, president of Citadel Information Group. Sullivan Curtis Monroe, January 20, 2016

Cyber Security Management – Cyber Defense

Here’s How To Protect Against A Ransomware Attack: Recovering data encrypted by a ransomware attack is next to impossible, so prevention offers the better approach. DarkReading, February 4, 2016
Google declares war against deceptive download buttons: There’s likely no Internet user that hasn’t, at some point, been tricked into clicking on a deceptive “download,” “install,” or “update” button. HelpNetSecurity, February 4, 2016
Chrome picks up bonus security features on Windows 10: The Windows 10 November update (version 1511, build 10586) included a handful of new security features to provide protection against some security issues that have kept on popping up in Windows for a number of years. Google yesterday added source code support for these features to the Chrome browser, making Windows 10 the best version of Windows to use with Google’s browser. ars technica, February 4, 2016
Good Riddance to Oracle’s Java Plugin: Good news: Oracle says the next major version of its Java software will no longer plug directly into the user’s Web browser. This long overdue step should cut down dramatically on the number of computers infected with malicious software via opportunistic, so-called “drive-by” download attacks that exploit outdated Java plugins across countless browsers and multiple operating systems. KrebsOnSecurity, February 2, 2016
CSI: Cyber-Attack Scene Investigation–a Malware Whodunit: Cyber attacks against government agencies, infrastructure providers and other high-profile targets are regularly in the news, stirring talk of digital warfare and international sanctions. The forensic investigations that follow these hacks can reveal the method and magnitude of an attack. Pinpointing the culprit, however, is frustratingly more difficult, resulting in little more than vague accusations that the guilty parties might be working for a particular foreign government or cyber gang. Scientific American, January 28, 2016

Cyber Awareness

Bank Ads Teach Information Security Basics to Careless Public: A big part of cybersecurity is educating consumers about risky behaviors. Many security incidents involve a customer or employee clicking on something they shouldn’t, like a malicious email attachment or website, or exposing personal information to criminals. AmericanBanker, February 5, 2016
The #1 Riskiest Mobile Users Wear Suits: Business users top the rankings of those most likely to engage with risky apps and URLs on their smartphones and tablets. DarkReading, February 4, 2016

National Cyber Security

Custom Cybersecurity Platform Scours Social Media for Potential Threats During Super Bowl 50: The terrorist attacks in San Bernardino and Paris have prompted tech upgrades, including software provided as an application that public safety officials can use to send video, text and photos from their mobile phones. GovTech, February 5, 2016
Report outlines cyber activity from top U.S. adversaries: Cyber activity by other nation states, including potential adversaries of the United States, picked up considerably over the past year, as a new report from cyber intelligence firm CrowdStrike details. The firm recently released its 2015 Global Threat Report outlining the activity of criminals, hackers, non-state actors and nation states in cyberspace. DefenseSystems, February 4, 2016
Steptoe Cyberlaw Podcast – Interview with Amit Ashkenazi: Our guest is Amit Ashkenazi, whom I interviewed while in Israel. Amit is Legal Advisor of The Israel National Cyber Bureau and a former general counsel to Israel’s data protection agency. Israel is drafting its own cybersecurity act, and we discuss what if anything that country can learn from the US debate – and what the US can learn from Israel’s cybersecurity experience. We explore the challenges Israel will face in trying to start a new cybersecurity agency, how Israel strikes the balance between security and privacy, the risks of using contractors to staff a new agency, the danger of stating agency authorities with too much specificity, and why the agency is likely to look more like DHS than the FBI. Stewart Baker, Steptoe Cyberblog, February 1, 2016
Feds’ primary network security weapon needs more bang: In the face of unrelenting network attacks, it seems that the government’s chief weapon for combating the assault lacks some teeth. NetworkWorld, January 28, 2016
Steptoe Cyberlaw Podcast – Interview with John Lynch: Back for a rematch, John Lynch and I return to the “hackback” debate in episode 97, with Jim Lewis of CSIS providing color commentary. John Lynch is the head of the Justice Department’s computer crime section. We find more common ground than might be expected but plenty of conflict as well. I suggest that Sheriff Arpaio in Arizona may soon be dressing hackers in pink while deputizing backhackers, while Jim Lewis focuses on the risk of adverse foreign government reactions. We also consider when it’s lawful to use “web beacons” and whether trusted security professionals should be given more leeway to take action outside their customers’ networks. In response to suggestions that those who break into hacker hop points might be sued by the third parties who nominally own those hop points, I suggest that those parties could face counterclaims for negligence. We close with a surprisingly undogmatic discussion of Justice Department “no-action letters” for computer security practitioners considering novel forms of active defense. Stewart Baker, Steptoe Cyberblog, January 21, 2016

Cyber Law

Safe Harbor Data Gets a New ‘Privacy Shield’: This morning, the European Commission and US Department of Commerce agreed on a Safe Harbor replacement deal, rebranded as the EU-US Privacy Shield. The deal was first announced via Twitter by EU Justice Commissioner Vera Jourová, then detailed in a press conference in Strasbourg, France. ArentFox, February 2, 2016

Cyber Misc

Google plans to fight extremist propaganda with AdWords: Google and Facebook want to help in the fight against terrorism by doing what they do best – spreading messages through ads and likes. NakedSecurity, February 4, 2016
Sources: Security Firm Norse Corp. Imploding: Norse Corp., a Foster City, Calif. based cybersecurity firm that has attracted much attention from the news media and investors alike this past year, fired its chief executive officer this week amid a major shakeup that could spell the end of the company. The move comes just weeks after the company laid off almost 30 percent of its staff. KrebsOnSecurity, January 30, 2016