Monday, March 28, 2016

Cybersecurity News for the Week of March 27, 2016






Individuals at Risk

Identity Theft

Facebook’s testing a feature that alerts you if someone’s impersonating you: Facebook’s real-name policy requires people “to provide the name they use in real life; that way, you always know who you’re connecting with.” NakedSecurity, March 25, 2016
White Hat Hackers Hit 12 American Hospitals To Prove Patient Life ‘Extremely Vulnerable’: A two-year research project into the security of 12 hospitals and a variety of medical technologies has concluded that patient health is “extremely vulnerable” to digital attacks. Forbes, February 23, 2016

Cyber Update

Google Fixes Four Critical Vulnerabilities in Latest Chrome Build: Google pushed out the latest version of Chrome Thursday afternoon, fixing five issues, four of them critical. ThreatPost, March 25, 2016
Emergency Java Patch Re-Issued for 2013 Vulnerability: Oracle yesterday released an emergency patch for a Java vulnerability that was improperly patched in 2013. ThreatPost, March 24, 2016
Google rushes out emergency fix for Android rooting exploit but most phones remain at risk. ZDNet, March 21, 2016

Cyber Danger

OS X Zero Day Bypasses Native SIP Protection: System Integrity Protection (SIP) was implemented in OS X El Capitan and imposes limitations on what actions Mac computers’ root accounts can take against protected paths of the operating system. ThreatPost, March 25, 2016

Cyber Fraud

Phishing Victims Muddle Tax Fraud Fight: Many U.S. citizens are bound to experience delays in getting their tax returns processed this year, thanks largely to more stringent controls enacted by Uncle Sam and the states to block fraudulent tax refund requests filed by identity thieves. A steady drip of corporate data breaches involving phished employee W-2 information is adding to the backlog, as is an apparent mass adoption by ID thieves of professional tax services for processing large numbers of phony refund requests. KrebsOnSecurity, March 24, 2016

Information Security Management in the Organization

Cyber Crime

7 Iranians Indicted for DDoS Attacks Against U.S. Banks: The Justice Department has unsealed indictments against seven Iranians – allegedly working on behalf of the Iranian government, including the Iranian Revolutionary Guard Corps, a branch of Iran’s armed forces – who are suspected of conducting distributed denial-of-service attacks against dozens of American banks as well as attempting to seize control of Bowman Dam outside New York City. BankInfoSecurity, March 24, 2016
Crooks Steal, Sell Verizon Enterprise Customer Data: Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned. March 24, 2016
Ransomware plagues Kentucky hospital, forces total system shutdown: In yet another large-scale ransomware attack, Henderson, Kentucky-based Methodist Hospital has announced an “internal state of emergency,” according to Krebs on Security, after numerous files on its computer systems were savaged by encryption. The way ransomware works, all of the documents involved will be held for ransom, awaiting the hospital’s payment, hence the name. DigitalTrends, March 23, 2016
Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection: A Kentucky hospital says it is operating in an “internal state of emergency” after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up. KrebsOnSecurity, March 22, 2016
2 more Southland hospitals attacked by hackers using ransomware: Two more Southern California hospitals have been attacked by hackers who infiltrated their computer systems with ransomware and demanded payment to unlock the data, officials said. LA Times, March 22, 2016
Breach Report 2016 | State of California – Department of Justice – Kamala D. Harris Attorney General: The California Constitution guarantees every Californian the “inalienable right” to privacy. To ensure that protection, California has been on the cutting edge, adopting the strongest and most sophisticated consumer privacy laws in the United States. But California’s fast-changing economy requires our constant vigilance to ensure that privacy and security protections keep pace with innovation and new threats. Each day, millions of Californians log on to the internet to conduct business, do homework, purchase goods and services, control devices in their homes, play games, and connect with loved ones. Technology such as smartphones, the “internet of things,” wearable devices, and big data are transforming our lives at a rapid pace, while exponentially increasing the amount of personal information that is collected, used, and shared. At the same time, with data becoming more ubiquitous and valuable, the black market for stolen information also continues to expand, increasing the likelihood of hacking by cyber criminals. CALIFORNIA DATA BREACH REPORT, February 2016

Cyber Defense

8 tips for preventing ransomware: Chances are you know someone, or some organization, who has suffered a ransomware attack – it could be your local police department, a small business, big hospital, or someone in your family. NakedSecurity, March 24, 2016
Microsoft Deploys Macro Blocking Feature in Office to Curb Malware: If it ain’t broke, don’t fix it. If there’s one thing the recent surge in threats using macros to spread malware has shown, it’s that the vector is clearly working for attackers. ThreatPost, March 24, 2016
What Adele’s Photo Hack Says About Cybersecurity: Bank robbery and medical information theft have moved to the Internet, so it is disappointing but not surprising that criminal invasions of personal privacy have followed suit. British pop star Adele just fell victim to a targeted breach of her private pregnancy photos, echoing the theft of hundreds of sensitive celebrity photos in 2014, including nude photos of Jennifer Lawrence and photos of Harry Styles and Kendall Jenner vacationing in St. Barts. Fortune, March 24, 2016
Advanced Persistent Bot activity on the rise: Bad bots are used by fraudsters and are the key culprits behind web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, data theft, unauthorized vulnerability scans, spam, man-in-the-middle attacks, digital ad fraud, and downtime. HelpNetSecurity, March 24, 2016

Cyber Security Management – C Suite

Ransomware Attacks Surge; So Now What?: Ransomware attacks against hospitals and other organizations are becoming commonplace this year, with at least five incidents revealed in recent weeks. BankInfoSecurity, March 23, 2016

Cyber Awareness

Even security experts fail to spot phishing emails, finds report: An online phishing quiz conducted by Intel Security found that 97 percent of people failed to correctly identify all of the sample emails in the test. SCMagazine, May 19, 2015

Cyber Insurance

Cyber Insurance: Why is Growth Stymied?: A dearth of actuarial data stymies the growth of the cyber insurance market, industry experts told Congress at a March 22 hearing. BankInfoSecurity, March 22, 2016

Cyber Security in Society

Cyber Privacy

Gmail’s encryption warning spurs 25 percent increase in encrypted inbound emails: Google’s efforts to keep users safe might be forcing other email providers to make better security decisions. In February, the company started flagging unencrypted emails, allowing Gmail users to know whether they’re sending emails to, or receiving emails from, providers that don’t support TLS encryption. Since then, the amount of inbound mail sent over an encrypted connection to Gmail users has increased by 25 percent, Google explained in a blog post released today. TheVerge, March 24, 2016
iOS forensics expert’s theory: FBI will hack shooter’s phone by mirroring storage: Jonathan Zdziarski, a leading independent Apple iOS security researcher and forensics expert, has a theory about the FBI’s newly discovered potential route into the iPhone 5C used by San Bernardino shooter Syed Farook. In a blog post, Zdziarski wrote that the technique the FBI is planning to use to get around having to compel Apple to help bypass the phone’s security is likely a method called NAND mirroring—a hardware-based approach that, while effective, is far from the “golden key” software the FBI had sought. ars technica, March 23, 2016
F.B.I. Clash With Apple Loosed a Torrent of Possible Ways to Hack an iPhone: SAN FRANCISCO — For weeks, the United States government has said that the only way to open an iPhone used by a gunman in a mass shooting was to get Apple’s help, a position that set off a clash between the technology giant and law enforcement. The New York Times, March 23, 2016

Cyber Attack

Certified Ethical Hacker website caught spreading crypto ransomware: For the past four days, including during the hour that this post was being prepared on Thursday morning, a major security certification organization has been spreading TeslaCrypt malware—despite repeated warnings from outside researchers. ars technica, March 24, 2016

Financial Cyber Security

Banks failing with password management, but why?: A recent study shows some terrifying results: banks in the U.S. often have less secure password policies in place than do social media websites. Specifically, the study found that 35 percent of the test group appear to have a significant weakness in their password policies used by their customers to access their accounts and manage their money. HelpNetSecurity, March 25, 2016
Small banks face the greatest risk from hackers: Cyberattacks on the country’s largest banks, from JPMorgan Chase & Co. to Bank of America Corp., grab the headlines. But the Federal Reserve Bank of Boston and other regulators worry that smaller banks, with less robust cybersecurity, provide easier targets for criminals, terrorists, and foreign states seeking to infiltrate the US financial system. BostonGlobe, March 24, 2016
Bank password policies are often substandard, study finds: A study of 17 major US banks shows that six of them have weak password handling and that their password procedures are weaker than most social websites. HelpNetSecurity, March 4, 2016

Critical Infrastructure

Water treatment plant hacked, chemical mix changed for tap supplies: Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water, we’re told. TheRegister, March 24, 2016
The Most Vulnerable Ransomware Targets Are the Institutions We Rely On Most: Earlier this month a Los Angeles hospital became yet another victim of ransomware—a type of cyber attack where hackers encrypt data on individuals’ or institutions’ computers and demand a ransom to unlock the information. A few weeks later the Los Angeles County Department of Health Services reportedly suffered a similar fate. These are just two cases in a rising tide of ransomware hacks, and experts predict the problem is only going to get worse. Unfortunately, it turns out that some of the easiest ransomware attack targets are the critical establishments that we rely on most. Scientific American, March 23, 2016

Jeff Snyder’s Security Recruiter Blog: SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810