Sunday, March 13, 2016

Cybersecurity News for the Week of March 13, 2016

Cyber Crime

Hackers Target Anti-DDoS Firm Staminus: Staminus Communications Inc., a California-based Internet hosting provider that specializes in protecting customers from massive “distributed denial of service” (DDoS) attacks aimed at knocking sites offline, has itself apparently been massively hacked. Staminus’s entire network was down for more than 20 hours until Thursday evening, leaving customers to vent their rage on the company’s Facebook and Twitter pages. In the midst of the outage, someone posted online download links for what appear to be Staminus’s customer credentials, support tickets, credit card numbers and other sensitive data. KrebsOnSecurity, March 11, 2016
After an easy breach, hackers leave “TIPS WHEN RUNNING A SECURITY COMPANY”: A Web security company’s systems are offline this morning after an apparent intrusion into the company’s network. The servers and routers of Staminus Communications—a Newport Beach, California-based hosting and distributed denial of service (DDoS) protection company—went offline at 8am Eastern Time on Thursday in what a representative described in a Twitter post as “a rare event [that] cascaded across multiple routers in a system wide event, making our backbone unavailable.” ars technica, March 11, 2016
Typo thwarts hackers in $1 billion cyber heist on Bangladesh central bank: It was just a few letters off: Someone misspelled “foundation” as “fandation” on an online payment transfer request. The Washington Post, March 11, 2016
Bangladesh Loses $100 Million, Allegedly to Chinese Hackers: The Bangladesh central bank says it is working to recover some $100 million allegedly stolen by Chinese hackers from an account at the Federal Reserve Bank of New York. ABC, March 9, 2016
Malware-flingers check out credit card data from Rosen Hotels: US chain Rosen Hotels & Resorts has become the latest to confirm a malware-based breach of its payment processing systems. TheRegister, March 9, 2016

Cyber Privacy

WhatsApp Encryption Immune to Gov’t Wiretap Orders? WASHINGTON — While the Justice Department wages a public fight with Apple over access to a locked iPhone, government officials are privately debating how to resolve a prolonged standoff with another technology company, WhatsApp, over access to its popular instant messaging application, officials and others involved in the case said. New York Times, March 12, 2016
Obama, at South by Southwest, Calls for Law Enforcement Access in Encryption Fight: AUSTIN, Tex. — President Obama said Friday that law enforcement must be legally able to collect information from smartphones and other electronic devices, making clear, despite disagreement within his administration, that he opposes the stance on encryption taken by technology companies like Apple. The New York Times, March 11, 2016
If your ISP is selling info about you, that has to be opt-in, says FCC boss: FCC chairman Tom Wheeler has proposed new rules that would bring ISPs in line with general data privacy laws and give citizens the right to opt out of their personal information being shared commercially. TheRegister, March 11, 2016
Feds Counter Apple’s Arguments Over iPhone ‘Backdoor’: In a filing rebutting Apple’s appeal of a court order requiring the company to help the FBI unlock the iPhone used by a shooter in the San Bernardino massacre, the Justice Department says Apple’s rhetoric is “false” and “corrosive” to the institution that safeguards Americans’ liberties and rights. BankInfoSecurity, March 10, 2016
How to securely back up your iPhone or iPad with encryption via iTunes: In light of Apple’s encryption fight, it’s been noted the company can decrypt some data from an iCloud backup. Knowing this, security-conscious users may opt instead for locally-stored encrypted backups of their iPhone and iPad — a simple process through iTunes on both Mac and PC. AppleInsider, March 9, 2016

Cyber Fraud

IRS Disables Hacked PIN Tool: The U.S. Internal Revenue Service says it’s temporarily deactivated an online security feature after it discovered that it was being abused by identity thieves attempting to profit from tax return fraud. BankInfoSecurity, March 9, 2016

Identity Theft

Seagate Phish Exposes All Employee W-2’s: Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states. KrebsOnSecurity, March 6, 2016

Cyber Warning

Ransomware, the Newest Cybersecurity Threat, Explained: Mac computers were hit with ransomware this weekend, which was the first time an Apple product had been affected by this type of malware. Time, March 11, 2016
Botched Java patch leaves millions vulnerable to 30-month-old attack: A botched security fix released for the Java software framework 30 months ago has left millions of users vulnerable to attacks that Oracle had claimed were no longer possible, a security researcher said. ars technica, March 11, 2016
Marcher Trojan Morphs, Now Targets Porn Sites: In the security world where Trojans remake themselves more often than a fading Hollywood actor, the Marcher Trojan is no exception. The 3-year-old Marcher has found new relevance targeting Android users visiting porn sites, according to a report from security firm Zscaler. ThreatPost, March 11, 2016
Locky Ransomware Spreading in Massive Spam Attack: Researchers are tracking a massive spam campaign pelting inboxes with Locky ransomware downloaders in the form of JavaScript attachments. The huge spike, reported by security firm Trustwave, represents an extraordinary uptick in the attempted distribution of the Locky ransomware. ThreatPost, March 10, 2016
Android Malware Leaves Mobile Banking Users Vulnerable: New details from ESET researchers, a Slovakia-based company, suggest that there is a new strain of Android malware that has the ability to compromise mobile banking users’ login credentials. March 9, 2016

Cyber Update

Flash zero-day prompts emergency update from Adobe: Just two days after this month’s Adobe Patch Tuesday, the company published an emergency fix for Flash. NakedSecurity, March 11, 2016
Flash Player Update Patches 18 Remote Code Execution Flaws: Adobe today released a new version of Flash Player that patches 18 vulnerabilities, all of which can result in remote code execution attacks. ThreatPost, March 10, 2016
Samsung Windows Laptop Owners Urged To Download Fix To MitM Vulnerability: Samsung laptop owners are being urged to update their Windows PCs after the discovery of a vulnerability that can allow remote attackers to download files onto a targeted system and gain complete control over the laptop. ThreatPost, March 9, 2016
Adobe, Microsoft Push Critical Updates: Microsoft today pushed out 13 security updates to fix at least 39 separate vulnerabilities in its various Windows operating systems and software. Five of the updates fix flaws that allow hackers or malware to break into vulnerable systems without any help from the user, save for perhaps visiting a hacked Web site. KrebsOnSecurity, March 8, 2016

Cyber Security Management – Cyber Insurance

Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows: New report shines light on what cyber insurance can and can’t do for enterprises that suffer data breaches. DarkReading, March 10, 2016

Cyber Security Management – Cyber Defense

Cloud Security Fundamentals: There are a lot of myths about cloud security that need to be clarified. One is that many people think that as soon as they hand something to the cloud, they no longer have to worry about security compliance. That is absolutely not correct. If you are a business, your clients are looking to you for security. Whether you go to the cloud or run it internally on your own private infrastructure, that does not change your responsibility for who owns security compliance. There needs to be a very clear demarcation line. InformationSecurity Buzz, March 9, 2016

National Cyber Security

U.S. to Blame Iran for Cyber Attack on Small NY Dam: Sources: WASHINGTON — The Obama administration is planning to publicly blame Iranian hackers for a 2013 cyber attack against a small dam in New York state, three sources familiar with the matter told Reuters. The New York Times, March 10, 2016
Why sensible criminals choose cybercrime: This week the former Head of MI5, Jonathan Evans, claimed that cybercrime constituted “the biggest and likeliest threat” to the British economy. Speaking at a Prospect event entitled Cybercrime and cyberattack—the threat to our financial system, to an audience at The City of London’s Guildhall on 1st March, Evans said that it was “now easier to attack banks cybernetically than physically.” Prospect Magazine, March 8, 2016
Competing Interests on Encryption Divide Top Obama Officials: WASHINGTON — The intensifying legal battle over encryption between Apple and the Justice Department has all but obscured another more subtle division, the one inside the Obama administration itself. The New York Times, March 5, 2016

Cyber Politics

Presidential Candidates Get Graded On Their Cybersecurity Stances: Trump, Clinton, Sanders, Cruz, Rubio, Kasich, are all unified when it comes to blaming China — but no one gets higher than a “C” average grade in any category. DarkReading, March 10, 2016

Cyber Law

How Will Home Depot Consumer Settlement Affect Banks?: Home Depot’s $19.5 million settlement with consumers affected by the retailer’s 2014 payments breach is unlikely to have much impact on a pending class-action suit filed by banking institutions against the big box retailer in May 2015 to recoup breach-related expenses (see Why Banks Sued Home Depot). BankInfoSecurity, March 8, 2016

Secure the Village

Encryption project issues 1 million free digital certificates in three months: Let’s Encrypt, an organization set up to encourage broader use of encryption on the Web, has distributed 1 million free digital certificates in just three months. PCWorld, March 9, 2016

Cyber Career

Combating the cybersecurity job crunch: There is a looming crisis in information security that will necessitate that businesses change how they manage their security efforts. TechCrunch, March 7, 2016

Cyber Misc

Man jams “annoying” fellow commuters’ phone signals, gets charged with felony: A Chicago man has been accused of jamming his fellow train passengers’ “annoying” phone signals as part of a morning ritual that lasted months before he was caught with his contraband, five-antenna jammer on Tuesday. NakedSecurity, March 11, 2016
Worldwide Cybersecurity Spending Increasing To $170 Billion By 2020: The Wall Street Journal Venture Capital Dispatch is the latest to cite research from Gartner, Inc. which reports the world-wide cybersecurity market topped $75 billion in 2015. Forbes, March 9, 2016

Jeff Snyder’s Security Recruiter Blog, SecurityRecruiter.com, Jeff Snyder Coaching, 719.686.8810