Sunday, March 06, 2016

Cybersecurity News for the Week of March 6, 2016

Cyber Crime

Pirates hack into shipping company’s servers to identify booty: When the terms “pirate” and “hacker” are used in the same sentence, usually it’s a reference to someone breaking digital rights management on software. But that wasn’t the case in an incident detailed in the recently released Verizon Data Breach Digest report, unveiled this week at the RSA security conference. Verizon’s RISK security response team was called in by a global shipping company that had been the victim of high-seas piracy aided by a network intrusion. ars technica, March 3, 2016
Credit Unions Feeling Pinch in Wendy’s Breach: A number of credit unions say they have experienced an unusually high level of debit card fraud from the breach at nationwide fast food chain Wendy’s, and that the losses so far eclipse those that came in the wake of huge card breaches at Target and Home Depot. KrebsOnSecurity, March 2, 2016
Verizon releases first-ever data breach digest with security case studies: Verizon is known for its huge annual Data Breach Investigations Report, but this morning it released a less data-heavy digest organized by case study. CSO, March 1, 2016

Financial Cyber Security

Weak Bank Password Policies Leave 350 Million Vulnerable, Say Researchers: Should passwords that protect your financial data be less secure than the ones used to lock up selfies, cat videos and tweets swapped on social networks? ThreatPost, March 3, 2016

Cyber Privacy

Microsoft’s top lawyer defends encryption and Apple; Argues people can’t be kept safe in the real world if they aren’t safe online: Microsoft’s top lawyer delivered a very powerful keynote speech at the recent RSA 2016 security conference on online security and the need for encryption, transparency and trust, while also offering a full-throated defense of Apple in its fight with the FBI. Network World, March 4, 2016
How the FBI will lose its iPhone fight, thanks to ‘West Coast Law’: The vast majority of it has centered on the rights and the wrongs, about the loss of privacy, and of the precedent that breaking one iPhone would create. The Register, March 4, 2016
Sparks fly over Apple v. FBI dispute at major cybersecurity gathering (+video): SAN FRANCISCO — It was all anyone seemed to want to talk about. Whether inside the vast exhibit halls or at the after parties at this year’s RSA Conference, just about everyone had something to say about the legal dispute between Apple and the FBI. CSMonitor, March 4, 2016
Amazon Quietly Removes Encryption Support from its Gadgets: While Apple is fighting the FBI in court over encryption, Amazon quietly disabled the option to use encryption to protect data on its Android-powered devices. Motherboard, March 3, 2016
Cryptography Pioneers Win Turing Award: SAN FRANCISCO — In 1970, a Stanford artificial intelligence researcher named John McCarthy returned from a conference in Bordeaux, France, where he had presented a paper on the possibility of a “Home Information Terminal.” The New York Times, March 1, 2016

Cyber Fraud

Thieves Nab IRS PINs to Hijack Tax Refunds: Last year, KrebsOnSecurity warned that the Internal Revenue Service‘s (IRS) solution for helping victims of tax refund fraud avoid being victimized two years in a row was vulnerable to compromise by identity thieves. According to a story shared by one reader, the crooks are well aware of this security weakness and are using it to revisit tax refund fraud on at least some victims two years running — despite the IRS’s added ID theft protections. KrebsOnSecurity, March 1, 2016

Identity Theft

How to Avoid Being a Victim of Tax-Time Identity Theft: Tax-time identity theft is a growing problem in the U.S., and has the potential to cause you a headache and tie up your tax refund well into the summer months or beyond. U.S. News & World Report, March 3, 2016

Cyber Warning

Triada trojan on Android devices “complex as Windows malware”: A new Trojan targeting Android devices has been found to be a risk to around 60 per cent of Android devices. SCMagazine, March 4, 2016
It’s 2016, so why is the world still falling for Office macro malware?: In the late 1990s, Microsoft Office macros were a favorite vehicle for surreptitiously installing malware on the computers of unsuspecting targets. Microsoft eventually disabled the automated scripts by default, a setting that forced attackers to look for new infection methods. Remotely exploiting security bugs in Internet Explorer, Adobe Flash, and other widely used software soon came into favor. ars technica, March 4, 2016
New attack steals secret crypto keys from Android and iOS phones: Researchers have devised an attack on Android and iOS devices that successfully steals cryptographic keys used to protect Bitcoin wallets, Apple Pay accounts, and other high-value assets. ars technica, March 3, 2016

Cyber Security Management – C Suite

Businesses are still scared of reporting cyberattacks to the police: Report suggests organisations, be it because of embarrassment or ignorance, aren’t seeking help from the authorities when they’re victims of cybercrime. ZDNet, March 3, 2016

Cyber Security Management – Cyber Defense

Protection Is Necessary, But Not Sufficient: It’s time to move the conversation beyond malware and point defenses and onto dealing with breaches in their entirety. DarkReading, March 4, 2016
Why Marrying Infosec & Info Governance Boosts Security Capabilities: In today’s data centric world, security pros need to know where sensitive data is supposed to be, not just where it actually is now. DarkReading, March 4, 2016
7 Attack Trends Making Security Pros Sweat: A look at the most dangerous threats and what to expect for the rest of 2016. DarkReading, March 3, 2016
Cisco Nexus 3000 Series and 3500 Platform Switches Insecure Default Credentials Vulnerability: A vulnerability in Cisco NX-OS Software running on Cisco Nexus 3000 Series Switches and Cisco Nexus 3500 Platform Switches could allow an unauthenticated, remote attacker to log in to the device with the privileges of the root user with bash shell access. Cisco, March 2, 2016

Secure the Village

Opinion: Cybersecurity needs less talk, more action: As this year’s RSA Conference, the world’s largest cybersecurity gathering, comes to an end, it’s time for the digital security industry to start sharing threat intelligence information in earnest and training the next generation of cybersecurity workers. CSMonitor, March 4, 2016

National Cyber Security

Steptoe Cyberlaw Podcast – Hostfull II: Due to technical difficulties, the interview for the 103rd episode will be released as a separate post next week. In the news roundup, we explore Apple’s brief against providing additional assistance to the FBI in its investigation of the San Bernardino killings. Michael Vatis finds good and bad in the brief – some entirely plausible arguments about burden mixed with implausible ones aimed more at the public than at the magistrate judge. I suggest that the burden argument may be weaker than it seems, both because the costs can be spread over many requests for assistance and because the accounting of work to be done feels “as padded as a no-bid government contract offer.” Which, now that the FBI has offered to pay Apple’s costs, is pretty much exactly what it is. Steptoe Cyberblog, March 2, 2016
White House Officials Soften Approach at RSA Conference: SAN FRANCISCO — Attorney General Loretta E. Lynch joined a parade of Obama administration officials to tech’s home turf on Tuesday. Their message: National security depends on the industry’s cooperation. The New York Times, March 1, 2016

Cyber Underworld

RSAC16: Cyber criminals are hiding in plain sight, says RSA report: Cyber criminals are using social media as a communication and sales channel, not just for reconnaissance and phishing, an RSA study has revealed. ComputerWorld, March 4, 2016

Cyber Sunshine

Feds go after online payment firm for deceptive cybersecurity: Federal regulators on Thursday sent a major signal to financial technology companies, settling charges against an online payment firm for deceiving customers about data security. The Hill, March 3, 2016
Turkish mastermind of $55m ATM card hacking spree pleads guilty: Ercan Findikoglu has admitted his role in three cyberattacks which netted a criminal gang $55 million in a matter of hours. ZDNet, March 3, 2016

Jeff Snyder’s Security Recruiter Blog, SecurityRecruiter.com, 719.686.8810