Sunday, February 28, 2016

Cybersecurity News for the Week of February 28, 2016


Cyber Crime

Who really hacked Sony? Cybersecurity researchers say they finally know: A group they’ve dubbed “Lazarus Group” is well organized and tied to numerous other attacks on governments, banks, and military institutions in the US and South Korea since 2009. Christian Science Monitor, February 24, 2016

Cyber Attack

Breached Credit Union Comes Out of its Shell: Notifying people and companies about data breaches often can be a frustrating and thankless job. Despite my best efforts, sometimes a breach victim I’m alerting will come away convinced that I am not an investigative journalist but instead a scammer. This happened most recently this week, when I told a California credit union that its online banking site was compromised and apparently had been for nearly two months. KrebsOnSecurity, February 25, 2016

Financial Cyber Security

MasterCard’s ‘Selfie’ App Aims to Replace Passwords: To boost security and eliminate the need for passwords, MasterCard plans to roll out later this year a facial biometrics app for authentication of online purchases. But some security and financial fraud experts warn that biometrics technology is not foolproof and should only be deployed as part of a layered authentication approach. BankInfoSecurity, February 25, 2016

Cyber Privacy

House IT Panel Chairman: Don’t Weaken Encryption: As the debate intensifies over Apple’s refusal to help the FBI crack the iPhone password of one of the San Bernardino shooters, the chairman of a House panel that oversees government cybersecurity says Congress should not rush to enact any law that would require technology companies to weaken encryption. BankInfoSecurity, February 25, 2016
Breach of millions of kids’ images and messages sparks disclosure spat at uKnowKids: The bad news: millions of messages and images of 1,700 kids were exposed by a site that – ironically! – helps parents babysit their offspring’s mobile chats, social media doings and locations. NakedSecurity, February 25, 2016
Apple Defiant as FBI iPhone Deadline Approaches: Apple has until tomorrow to either help law enforcement unlock a suspected terrorist’s iPhone or formally challenge a court order demanding that the company do so. For the past week CEO Tim Cook has made it clear that Apple has no intention of giving in to what the FBI has positioned as a technological compromise. The case has since become more about setting legal precedents between tech companies and law enforcement than about overcoming technological hurdles. Right now there is no federal law requiring companies to maintain a key to unlock the encryption used on their devices. ScientificAmerican, February 25, 2016
Microsoft Throws Its Full Support Behind Apple In iPhone Encryption Case: A number of companies quickly came to Apple’s defense when the FBI sent its attack dogs to force the company to provide access to a passcode-locked iPhone 5c. Those tech giants included Google, Facebook and Twitter, but conspicuously missing was Microsoft. Sure, we heard from Microsoft co-founder Bill Gates, but his commentary was far from a ringing endorsement for Apple’s actions. HotHardware, February 25, 2016
Apple Goes to Court, and F.B.I. Presses Congress to Settle iPhone Privacy Fight: SAN FRANCISCO — The legal wrangling over a federal court order requiring Apple to help law enforcement break into an iPhone intensified Thursday, with the company filing its formal response and asking the court to drop its demand. The New York Times, February 25, 2016
Cook: Apple Wanted More Discussions with Feds: Apple CEO Tim Cook says he would have liked to have had more discussions with the federal government before authorities sought a court order to compel Apple to help the FBI break into the iPhone used by one of the San Bernardino shooters. BankInfoSecurity, February 24, 2016
Apple Is Said to Be Trying to Make It Harder to Hack iPhones: WASHINGTON — Apple engineers have begun developing new security measures that would make it impossible for the government to break into a locked iPhone using methods similar to those now at the center of a court fight in California, according to people close to the company and security experts. The New York Times, February 24, 2016
Bill Gates Weighs In on Encryption Battle Between Apple, FBI: Microsoft co-founder Bill Gates is wading into Apple’s encryption battle with federal authorities, offering a different take than many of his Silicon Valley counterparts. ABC, February 23, 2016
The Lowdown on the Apple-FBI Showdown: Many readers have asked for a primer summarizing the privacy and security issues at stake in the dispute between Apple and the U.S. Justice Department, which last week convinced a judge in California to order Apple to unlock an iPhone used by one of the assailants in the recent San Bernardino massacres. I don’t have much original reporting to contribute on this important debate, but I’m visiting it here because it’s a complex topic that deserves the broadest possible public scrutiny. KrebsOnSecurity, February 22, 2016

Cyber Fraud

US: Computer Breach Bigger Than First Thought; 700K Victims: WASHINGTON — The IRS said Friday that the number of taxpayers whose tax information may have been stolen by computer hackers now exceeds 700,000 — more than double the agency’s previous estimate. The New York Times, February 26, 2016
Malware and skimmers, explosions and hammers: How attackers go after ATMs: What was the best way to steal cash from an ATM in 2015? Skimming still remains king, but a survey of 87 members of the ATM Industry Association (ATMIA) says that card trapping and transaction reversal fraud are on the rise around the world. ars technica, February 25, 2016

Cyber Warning

Malicious websites exploit Silverlight bug that can pwn Macs and Windows: Malicious websites are exploiting a recently fixed vulnerability in Microsoft’s Silverlight application framework to perform drive-by malware attacks on vulnerable visitor devices, a security researcher has determined. ars technica, February 25, 2016
Phishing Attacks Increase Tech Sophistication, Focus On Financial Fraud: With a prevalence of free, feature-rich phishing kits and multi-million dollar profits from business email compromise attacks, no wonder phishing’s so popular. DarkReading, February 25, 2016
Dell to Customers: Report ‘Service Tag’ Scams: Computer maker Dell is asking for help in an ongoing probe into the source of customer information that appears to have somehow landed in the laps of fraudsters posing as Dell computer support technicians. KrebsOnSecurity readers continue to report being called by scammers posing as Dell support personnel who offer “proof” that they’re with Dell by rattling off the unique Dell “service tag” code printed on each Dell customer’s PC or laptop, as well as information from any previous (legitimate) service issues the customer may have had with Dell. KrebsOnSecurity, February 19, 2016

Cyber Security Management – C Suite

Breach Stats: Improving From Abysmal To Just Awful: Breach response times and volumes decreased significantly last year, but overall numbers still look ugly. DarkReading, February 25, 2016
Cybercrime Increases, but Companies Are Unprepared: Online crime is a fast-growing threat to companies, but two new surveys show executives are not taking enough steps to protect sensitive data. US News & World Report, February 25, 2016
Social engineering confirmed as top information security threat: Cyber attackers shifted away from automated exploits in 2015 and instead tricked people into doing the dirty work, Proofpoint researchers found. ComputerWeekly, February 23, 2016

National Cyber Security

Steptoe Cyberlaw Podcast – Interview with Glenn Gerstell: What is the most surprising discovery a law firm partner makes when he jumps to the National Security Agency? I direct that and other questions at Glenn Gerstell, who has just finished six months in the job as General Counsel at the National Security Agency. Steptoe Cyberblog, February 23, 2016
Steptoe Cyberlaw Podcast – Interview with David Kris: We devote episode 100 to “section 702” intelligence – the highly productive counterterrorism program that collects data on foreigners from data stored on US servers. What’s remarkable about the program is its roots: President Bush’s decision to ignore the clear language of FISA and implement collection without judicial approval. That decision has now been ratified by Congress – and will be ratified again in 2017 when the authority for it ends. But what does it say about the future of intelligence under law that our most productive innovation in intelligence only came about because the law was broken? Our guest for the episode, David Kris, thinks that President Bush might have been able to persuade Congress to approve the program in 2001 if he’d asked. David may be right; he is a former Assistant Attorney General for National Security, the coauthor of the premier sourcebook on intelligence under law, “National Security Investigations & Prosecutions,” and the General Counsel of Intellectual Ventures. But what I find surprising is how little attention has been paid to the question. How about it? Is George Bush to FISA what Abraham Lincoln was to habeas corpus? Steptoe Cyberblog, February 8, 2016

Internet of Things

Nissan Disables LEAF’s Remote Telematics System After ‘Profoundly Trivial’ Hack: All that is needed to gain access to any LEAF’s telematics system is the car’s VIN, researcher says. DarkReading, February 25, 2016
Nissan Disables Its Smartphone App After Hackers Use It to Control Leaf Electric Car: As cars get more connected, the risk of their becoming vulnerable to hackers increases exponentially. And it looks like Nissan has learned that lesson the hard way. Yahoo, February 25, 2016
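The LEAF finding above comes down to one design mistake: a vehicle identifier that is printed on the dashboard and appears in public records was treated as if it were a credential. The following is an added example, not Nissan’s code and not the researcher’s proof of concept; the API shape, VINs, accounts, passwords and tokens are all hypothetical and constructed here. It contrasts a VIN-only lookup with a hardened variant that requires an owner-bound session token and checks that the authenticated account actually owns the requested VIN.

```python
"""Hypothetical telematics API (added example, not Nissan's code).

Contrasts the flaw described in the LEAF reports (a VIN alone unlocks a
car's data) with a design that binds each request to an authenticated
owner session. All VINs, accounts, passwords and tokens are constructed
sample data.
"""
import hmac
import secrets
import time

# Constructed sample data: which account owns which VIN, and the
# telemetry the backend would return for each car.
OWNERS = {"alice@example.com": {"VIN1SAMPLE000000001"},
          "bob@example.com": {"VIN1SAMPLE000000002"}}
TELEMETRY = {
    "VIN1SAMPLE000000001": {"battery_pct": 83, "climate": "off"},
    "VIN1SAMPLE000000002": {"battery_pct": 41, "climate": "heating"},
}


# --- Flawed design: the VIN alone unlocks the vehicle's data. ---------------
def insecure_status(vin):
    """Anyone who knows (or guesses) a VIN gets that car's telemetry."""
    return TELEMETRY.get(vin)


# --- Hardened design: session token bound to an authenticated owner. --------
SESSION_TTL = 900  # seconds; a short lifetime limits replay of a stolen token
_sessions = {}     # token -> (account, expiry)


def login(account, password, password_db):
    """Issue a random session token after verifying the owner's password.
    password_db maps account -> password (plaintext only for this demo;
    a real service stores a salted hash)."""
    expected = password_db.get(account, "")
    # constant-time comparison avoids leaking which accounts exist
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = (account, time.time() + SESSION_TTL)
    return token


def secure_status(vin, token, now=None):
    """Return telemetry only if the token is valid and unexpired AND the
    account it belongs to owns the requested VIN. The ownership check is
    what stops one authenticated user from reading any other car by VIN."""
    now = time.time() if now is None else now
    session = _sessions.get(token)
    if session is None:
        return None
    account, expiry = session
    if now > expiry:
        _sessions.pop(token, None)
        return None
    if vin not in OWNERS.get(account, set()):
        return None  # authenticated, but not this car's owner
    return TELEMETRY.get(vin)


def demo():
    """Exercise both designs; returns a dict of check -> bool."""
    pw_db = {"alice@example.com": "correct horse", "bob@example.com": "hunter2"}
    victim_vin = "VIN1SAMPLE000000002"  # Bob's car; attacker knows only the VIN
    results = {
        "insecure_attacker": insecure_status(victim_vin) is not None,
        "secure_no_token": secure_status(victim_vin, "") is not None,
    }
    alice = login("alice@example.com", "correct horse", pw_db)
    bob = login("bob@example.com", "hunter2", pw_db)
    results["secure_wrong_owner"] = secure_status(victim_vin, alice) is not None
    results["secure_owner"] = secure_status(victim_vin, bob) is not None
    results["secure_expired"] = secure_status(
        victim_vin, bob, now=time.time() + SESSION_TTL + 1) is not None
    results["bad_password"] = login("bob@example.com", "wrong", pw_db) is None
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The point of the ownership check in `secure_status` is that authentication alone is not enough: a valid session for one owner must not be able to address another owner’s car by guessing its VIN, which is the same class of flaw as the VIN-only access, just one step removed.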
What the White House Cybersecurity Plan Says About the Internet of Things: The White House’s new national action plan on cybersecurity, released earlier this month, includes a nod to the so-called smart home — and the vulnerabilities that could accompany an increasingly connected network of sensors, devices and appliances. NextGov, February 18, 2016

Jeff Snyder’s Security Recruiter Blog, SecurityRecruiter.com, 719.686.8810