Sunday, March 20, 2016

Cybersecurity News for the Week of March 20, 2016
Individuals at Risk

Identity Theft

How To Guard Against Tax-Related Identity Theft: Identity theft is one of the fastest growing crimes in America. Lurking in the shadows of the World Wide Web, unscrupulous identity thieves strike without regard for boundaries, leaving victims feeling violated, helpless, and often penniless. This type of financial crime wreaks havoc on one’s credit where the task of repairing it can be daunting, time consuming, and expensive. As the use of technology increases, those engaged in this illicit behavior are finding an ever-expanding and fertile field of dreams, albeit, at the expense of their victims. Forbes, March 17, 2016

Cyber Danger

Watch Out Gamers: Steam Stealer malware is up and running: According to the researchers at Kaspersky Lab (pdf), Steam Stealer has provided a happy hunting ground for all malicious hackers. The low cost of Steam Stealer makes it accessible to more and more hackers. It requires as little as $3 to get the rights to a Steam credential stealer. Just $7 more will earn you a complete user guide with source code. Generally, the cost of such malicious tools starts from around $500, but surprisingly the highest cost of Steam Stealer does not exceed $30. Moreover, it is simple and easy enough to operate this malware application. Hackread, March 18, 2016
Millions Of Samsung, LG and HTC Phones at risk from Stagefright variant named ‘Metaphor’: Millions of Android users are at risk of a new Metaphor exploit that can take over Samsung, LG and HTC phones in under 20 seconds. The hack gives attackers access to the targeted phones including the ability to inject malware and take control over key smartphone functions. ThreatPost, March 17, 2016
Android Trojan Targets Customers of 20 Major Banks: ESET experts warn of Android banking malware that can steal credentials – and even bypass two-factor authentication. InformationSecurityBuzz, March 16, 2016

Information Security Management in the Organization

Cyber Crime

Hackers steal customer & employee information from several Canadian casinos: Hackers have stolen customer and employee information from one of the biggest casinos in Canada in the latest in several cyber attacks in recent weeks., March 18, 2016
Thieves Phish Moneytree Employee Tax Data: Payday lending firm Moneytree is the latest company to alert current and former employees that their tax data — including Social Security numbers, salary and address information — was accidentally handed over directly to scam artists. KrebsOnSecurity, March 16, 2016

Cyber Warning

New email phishing campaign attempting to steal money via Business Email Compromise: A new email-based attack campaign is targeting key employees from companies in the U.S., Middle East and Asia with the goal of compromising their computers and email accounts. ComputerWorld, March 17, 2016 [For defensive measures, see Citadel blog Business E-mail Compromise: Don’t Be a Victim, February 3, 2016]
Ads on major websites being subverted to install ransomware on user computers: Web domains including The New York Times, BBC, AOL and MSN became victims of the campaign, designed to spread the Angler exploit kit. ZDNet, March 16, 2016

Cyber Law

Appeals Court affirms dismissal of healthcare data breach case against FCA Healthcare: The US Court of Appeals for the Sixth District affirmed a district court’s dismissal of a healthcare data breach case that alleged there had been False Claims Act (FCA) violations. HealthITSecurity, March 18, 2016
Research Institute Breach Results in $3.9 Million Sanction: Federal regulators have smacked a New York-based medical research institute with a $3.9 million penalty following a breach involving the theft of an unencrypted laptop containing data about several thousand patients and participants in a research project. HealthCareInfo Security, March 17, 2016
St. Joseph Health System on hook for $28M after data breach affects 32,000 patients: Although most breach-related class action lawsuits fail, the recent $28 million settlement of a suit stemming from a data breach at St. Joseph Health System in California illustrates that egregious breaches can have serious financial consequences. BankInfoSecurity, March 16, 2016

Cyber Defense

FreeBSD needs upgrading as critical bug patched: Sysadmins need to upgrade networking kit and web servers following the discovery of a critical bug in FreeBSD. TheRegister, March 18, 2016
NIST issues new guidance for remote access in era of smartphones & BYOD: Imagine the worst. That’s what revised guidance from the National Institute of Standards and Technology advises as organizations allow employees, contractors and business partners to access critical information systems from outside the enterprise, especially with smartphones and other mobile devices, often owned by individuals. BankInfoSecurity, March 17, 2016
To bypass code-signing checks, malware gang steals lots of certificates: There are lots of ways to ensure the success of an advanced hacking operation. For a gang called Suckfly, one of the keys is having plenty of stolen code-signing certificates on hand to give its custom malware the appearance of legitimacy. ars technica, March 16, 2016
Time to rethink mandatory password changes: Data security is a process that evolves over time as new threats emerge and new countermeasures are developed. The FTC’s longstanding advice to companies has been to conduct risk assessments, taking into account factors such as the sensitivity of information they collect and the availability of low-cost measures to mitigate risks. The FTC has also advised companies to keep abreast of security research and advice affecting their sector, as that advice may change. What was reasonable in 2006 may not be reasonable in 2016. This blog post provides a case study of why keeping up with security advice is important. It explores some age-old security advice that research suggests may not be providing as much protection as people previously thought. Federal Trade Commission, March 2, 2016

Cyber Career

Security Certifications: The Alphabet Soup of the Information Security Profession: Today’s information security professional has never been in greater demand. Employers hunt for the best in hopes of luring them away from their current position. Oftentimes, the individual being sought has no idea that he or she is on another entity’s radar until a recruiter makes contact. SecurityIntelligence, March 14, 2016

Cyber Security in Society

Cyber Privacy

Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist: SAN FRANCISCO — If the F.B.I. wins its court fight to force Apple’s help in unlocking an iPhone, the agency may run into yet another roadblock: Apple’s engineers. The New York Times, March 17, 2016
Former cyber czar says NSA could crack the San Bernardino shooter’s phone: Another former national security official has spoken out forcefully against the FBI’s quest to get Apple to write code to unlock the iPhone 5c used by San Bernardino mass shooter Syed Farook. Richard Clarke served as the National Security Council’s chief counter-terrorism advisor to three presidents (George H.W. Bush, Bill Clinton, and George W. Bush) before becoming George W. Bush’s special advisor on cybersecurity. He told National Public Radio’s David Greene today that “encryption and privacy are larger issues than fighting terrorism,” taking issue with the FBI’s attempts to compel Apple’s assistance. ars technica, March 14, 2016
Can John Oliver Get Americans to Care About Encryption?: It’s not every day that cryptography comes up during one of the U.S.’s most popular late-night shows. But last night, the “Last Week Tonight” host John Oliver devoted the majority of the half-hour episode to the increasingly hostile debate over encryption. The Atlantic, March 14, 2016

Cyber Attack

Anonymous Just Made Good on Its Promise to Hack Donald Trump: Earlier this week the hacker group Anonymous declared “total war” on GOP frontrunner Donald Trump, calling his behavior “deeply disturbing.” Fortune, March 18, 2016

Government Cyber Security

Spammers using misconfigured state govt computers & trust in .gov to send spam: Spammers are abusing ill-configured U.S. dot-gov domains and link shorteners to promote spammy sites that are hidden behind short links ending in””. KrebsOnSecurity, March 17, 2016

Internet of Things

FBI Internet Crime Complaint Center (IC3) Reports Motor Vehicles Increasingly Vulnerable to Remote Exploits: As previously reported by the media in and after July 2015, security researchers evaluating automotive cybersecurity were able to demonstrate remote exploits of motor vehicles. The analysis demonstrated the researchers could gain significant control over vehicle functions remotely by exploiting wireless communications vulnerabilities. While the identified vulnerabilities have been addressed, it is important that consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future. Third party aftermarket devices with Internet or cellular access plugged into diagnostics ports could also introduce wireless vulnerabilities., March 17, 2016

Secure the Village

DHS launches two-way threat sharing system for public-private collaboration: The Department of Homeland Security (DHS) has declared itself officially ready to exchange cybersecurity intelligence with private industries and other organizations using an automated threat-sharing system, under the terms of the Cybersecurity Act of 2015. SCMagazine, March 18, 2016

Cyber Miscellany

Steptoe Cyberlaw Podcast – Stewart Baker Interviews Robin Weisman and Peter Van Valkenburgh: Doing our best to avoid turning this into the Applelaw podcast, episode 105 begins with Maury Shenk unpacking the new US-EU Privacy Shield details. His take: more hassles for companies accused of noncompliance, more detailed privacy disclosures and compliance obligations for most members, and a modicum of pain for the intelligence community, but it’s still basically the same framework as the Safe Harbor. Steptoe Cyberblog, March 16, 2016
Steptoe Cyberlaw Podcast – Stewart Baker Interviews Jim Lewis: Live from RSA, it’s episode 104, with special guest Jim Lewis, CSIS’s renowned cybersecurity expert and Steptoe’s own Alan Cohn. We do an extended news roundup before an RSA audience that yields several good questions for the panel. We had invited Bruce Sewell, Apple’s General Counsel, to participate, but he didn’t show. So we felt no constraint as we alternately criticized and mocked Apple’s legal arguments for not providing assistance to the FBI in gaining access to the San Bernardino terrorist’s phone. We review the bidding on encryption on Capitol Hill and observe that the anti-regulatory forces have lost ground as a result of the fight Apple has picked. That leads into a discussion of China’s backdoors into the iPhone and Baidu’s role in compromising users of its products. Steptoe Cyberblog, March 7, 2016