Sunday, February 14, 2016

Cybersecurity News and Education for the Week of February 14, 2016



Cyber Crime

PBX phone system hacking nets crooks $50 million over four years: A bloke has admitted laundering millions of dollars for hackers who ripped off US companies by hacking into their telephone systems. The Register, February 12, 2016
Fraudsters Tap Kohl’s Cash for Cold Cash: Scam artists have been using hacked accounts from the retailer to order high-priced, bulky merchandise that is then shipped to the victim’s home. While the crooks don’t get the stolen merchandise, the unauthorized purchases rack up valuable credits called “Kohl’s cash” that the thieves quickly redeem at Kohl’s locations for items that can be resold for cash or returned for gift cards. KrebsOnSecurity, February 11, 2016
CryptoWall Ransomware Gang Extorts $330,000: Over a three-month period in 2015, a single cybercrime gang managed to earn at least $330,000 in bitcoins thanks to an estimated 670 victims paying attackers’ ransom demand to decrypt their ransomware-infected systems. BankInfoSecurity, February 10, 2016
Hacker dumps data on 10K DHS employees, threatens FBI next: An unknown hacker on Sunday posted the details of almost 10,000 Department of Homeland Security (DHS) employees online, which he claimed to obtain by hacking the Justice Department. TheHill, February 8, 2016

Financial Cyber Security

Should Banks Expect New Cybersecurity Guidance?: How will federal banking regulators respond to growing criticism of the Cybersecurity Assessment Tool issued by the Federal Financial Institutions Examination Council? BankInfoSecurity, February 12, 2016
Skimmers Hijack ATM Network Cables: If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data. KrebsOnSecurity, February 9, 2016
Business Email Fraud: Who’s Liable?: In May, 2014, Texas-based manufacturing firm AFGlobal Corp. was hit by a business email compromise attack that resulted in fraud losses of $480,000. BankInfoSecurity, February 8, 2016
Cybercrime Gangs Blend Cyber Espionage And Old-School Hacks In Bank Heists: ‘Metel,’ ‘GCMAN,’ and Carbanak’s comeback highlight how cybercriminals are now going after bank users and systems with cyber espionage-type tools and tactics. DarkReading, February 8, 2016
Banks to FFIEC: Cyber Tool is Flawed: Banking institutions and associations that have demanded the Federal Financial Institutions Examination Council make significant changes to the Cybersecurity Assessment Tool are now anxiously waiting for the council to take action. BankInfoSecurity, January 26, 2016

Cyber Privacy

Government-mandated crypto backdoors are pointless, says report: If you needed another confirmation that government-mandated backdoors in US encryption products would only serve to damage US companies’ competitiveness without actually bringing much benefit to the country’s security, you only need to look at a recent report by security researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar. HelpNetSecurity, February 12, 2016

Identity Theft

IRS website attack nets e-filing credentials for 101,000 taxpayers: The US Internal Revenue Service was the target of a malware attack that netted electronic tax-return credentials for 101,000 social security numbers, the agency disclosed Tuesday. ars technica, February 10, 2016

Cyber Warning

A look into the current state of mobile security: A quarter of all mobile apps have at least one high risk security flaw, 35 percent of communications sent by mobile devices are unencrypted, and the average mobile device connects to 160 unique servers each day, according to a new NowSecure report. HelpNetSecurity, February 12, 2016
Netflix-themed phishing, malware supply black market with stolen credentials: As the Netflix movie streaming service spreads all over the world, the number of users rises, as well as the number of those who wish to use it but don’t want to pay for it or want to pay less than the set price. With such a wide (and widening) pool of potential targets, it’s no wonder that some cyber crooks are opting to concentrate on them. HelpNetSecurity, February 12, 2016
Beware of Airbnb-themed phishing schemes: Airbnb-themed phishing scams do not crop up often, but customers of the service should be aware of the possibility of getting their login credentials stolen and misused. HelpNetSecurity, February 12, 2016

Cyber Security Management – C-Suite

Perceptions Of IT Security Risk Changing In Business Ranks: Business leaders increasingly see IT security risk as huge, but policy making and visibility still lag. DarkReading, February 12, 2016
Survey: 65% of Businesses Expect to Suffer an Information Security Breach: A new report by NTT Security found that organizations expect costs associated with a data breach would include legal fees, compensation to customers, third party resources and fines or compliance costs. SecuritySales, February 10, 2016

Cyber Security Management – Cyber Defense

Gmail to warn you if your friends aren’t using secure e-mail: Google has confirmed a number of changes to Gmail with the arrival of two new features that will let you know if the people you’re corresponding with aren’t hip with TLS encryption. ars technica, February 10, 2016

Cyber Security Management – Cyber Update

Critical Fixes Issued for Windows, Java, Flash: Microsoft Windows users and those with Adobe Flash Player or Java installed, it’s time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security fixes for its Flash Player software that plug at least 22 security holes in the widely-used browser component. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks. KrebsOnSecurity, February 10, 2016

National Cyber Security

Government Must Prepare for When Quantum Computers Can Crack Its Encryption: US lawmakers including Senator John McCain and Ted Lieu are attempting to undermine technology companies’ efforts to encrypt everyone’s communications, citing dangers to law enforcement. But that debate may be moot: Computers are getting so powerful that they will eventually be able to break any encryption. Vice, February 12, 2016
Protecting U.S. Innovation From Cyberthreats: More than any other nation, America is defined by the spirit of innovation, and our dominance in the digital world gives us a competitive advantage in the global economy. However, our advantage is threatened by foreign governments, criminals and lone actors who are targeting our computer networks, stealing trade secrets from American companies and violating the privacy of the American people. Wall Street Journal, February 9, 2016

Critical Infrastructure

Power Grid Honeypot Puts Face on Attacks: TENERIFE, Spain – The rhetoric around hacking the power grid would have you believe it’s a relatively mundane practice. Policymakers, intelligence agencies and vendors, for example, spread the word gleefully, leaning on scenarios such as state-sponsored hackers shutting off the lights in the dead of winter as a scare tactic to glean budget and influence. ThreatPost, February 9, 2016

Internet of Things

IoT’s Day of Reckoning on the Horizon: TENERIFE, Spain–When it comes to the internet of things, it isn’t Wi-Fi that scares Chris Rouland, it’s the whole wireless spectrum, constantly being updated with new and poorly secured protocols. ThreatPost, February 8, 2016
IoT Reality: Smart Devices, Dumb Defaults: Before purchasing an “Internet of things” (IoT) device — a thermostat, camera or appliance made to be remotely accessed and/or controlled over the Internet — consider whether you can realistically care for and feed the security needs of yet another IoT thing. KrebsOnSecurity, February 8, 2016

Cyber Underworld

Evidence Suggests the Sony Hackers Are Alive and Well and Still Hacking: TENERIFE, Spain—The massive hack against Sony in late 2014 was sudden and loud. The perpetrators made themselves known four days before Thanksgiving with a red skull emblazoned on computer screens company-wide and an ominous warning that they were about to spill Sony secrets. Wired, February 12, 2016
Dark Web Suppliers and Organized Cybercrime Gigs: IBM X-Force researchers closely follow the activity and fraud methods of banking Trojans in the wild. In one of their recent findings, the team uncovered an interesting link between an underground webinjection vendor and three well-known cybercrime groups: the operators of the Ramnit, CoreBot and ZeusVM banking Trojans. SecurityIntelligence, February 11, 2016

Cyber Law

House bill would kill state, local bills that aim to weaken smartphone crypto: On Wednesday, Rep. Ted Lieu (D-Calif.) and Rep. Blake Farenthold (R-Tex.) introduced a new bill in Congress that attempts to halt state-level efforts that would weaken encryption. ars technica, February 10, 2016
The EU-US Privacy Shield: What to Expect Next: On February 2, the potential replacement to the invalidated Safe Harbor data transfer mechanism, the EU-US Privacy Shield, was announced by the European Commission and the US Department of Commerce, as we covered here. However, while organizations and representatives on both sides of the Atlantic welcomed the conclusion of the negotiations on Tuesday, the true substance of the Privacy Shield is yet to come. ArentFox, February 8, 2016

Cyber Misc

The Malware Museum Shows Just How Cute the Internet Was in the ’80s and ’90s: When it comes to cybersecurity, we spend so much time talking about the future of Internet threats—how terrifying and destructive they could become, what we should do about them, why they’re getting more dangerous every day—that it can be easy to forget about their past. Enter the Malware Museum, a site launched last week by Jason Scott with help from Mikko Hypponen through the Internet Archive. It attempts to re-create and commemorate some highlights from the library of malicious programs distributed in the 1980s and 1990s, when computer-based threats were still in their infancy. Slate, February 12, 2016

Cyber Sunshine

UK Police Arrest Suspect Over CIA Director’s Email Hack: Police in the United Kingdom have arrested a teenager on suspicion of having perpetrated a series of high-profile hack attacks, pranks and data breaches using the names “Cracka” and “DotGovs,” against senior White House officials, as well as CIA Director John Brennan. GovInfoSecurity, February 12, 2016

Jeff Snyder’s SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810