Monday, April 18, 2016

Cyber Security News of the Week, April 17, 2016




Individuals at Risk

Cyber Update
Update iOS Now as New Threat Can Auto-Brick Apple Devices: If you use an Apple iPhone, iPad or other iDevice, now would be an excellent time to ensure that the machine is running the latest version of Apple’s mobile operating system — version 9.3.1. Failing to do so could expose your devices to automated threats capable of rendering them unresponsive and perhaps forever useless. KrebsOnSecurity, April 12, 2016

Adobe Patches Flash Player Zero-Day Threat: Adobe Systems this week rushed out an emergency patch to plug a security hole in its widely-installed Flash Player software, warning that the vulnerability is already being exploited in active attacks. KrebsOnSecurity, April 8, 2016

‘Badlock’ Bug Tops Microsoft Patch Batch: Microsoft released fixes on Tuesday to plug critical security holes in Windows and other software. The company issued 13 patches to tackle dozens of vulnerabilities, including a much-hyped “Badlock” file-sharing bug that appears ripe for exploitation. Also, Adobe updated its Flash Player release to address at least two-dozen flaws — in addition to the zero-day vulnerability Adobe patched last week. KrebsOnSecurity, April 13, 2016

Cyber Warning
Remove QuickTime for Windows; Apple stops patching despite 2 active vulnerabilities: The Windows app hasn’t received an update since January, and security researchers from Trend Micro said it won’t receive any security fixes in the future. In a blog post published Thursday, the researchers went on to say they know of at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed. ars technica, April 14, 2016

Information Security Management in the Organization
Cyber Security Management – C Suite
ITIL best practices the ultimate backstop for cybersecurity, research CEO says: Healthcare and other entities that want to be well positioned against cybersecurity threats must know what resources they have, how those are configured, and tightly control any changes, IT Process Institute chief executive Scott Alldridge said. HealthcareITNews, April 15, 2016

Information Security is all about Operational Risk Management, says UBS CISO: Information security is all about operational risk management, according to chief privacy and information security officer at UBS Wealth Management Dennis Dickstein. Infosecurity Magazine, April 15, 2016

Phishing Defense Training Increasingly Important as Cybercriminal Exploits Defeat Technology: The number of attacks that exploited previously unknown software vulnerabilities more than doubled in 2015 as hackers raced against security defenders to find effective ways to infect end users with malware, according to a recently released report. ars technica, April 13, 2016

Cyber Warning
Don’t Use Short URLs for Access to Sharepoint & Other Sensitive Information Repositories: URL shorteners are convenient, but for a long time gave security practitioners anxiety because it was difficult to determine where the shortened address was taking you. ThreatPost, April 15, 2016

Ransomware Alert: Prevent and mitigate ransomware attacks: In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. US-CERT, March 31, 2016

Cyber Defense
‘Threat Hunting’ On The Rise: Rather than wait for the adversary to strike, many enterprises are going out actively looking for them. DarkReading, April 14, 2016

Experts crack Petya ransomware, enable hard-drive decryption for free: Security experts have devised a method that allows users to recover data from computers infected with the Petya ransomware program without paying money to cybercriminals. ComputerWorld, April 11, 2016

Cyber Update
VMware plugs critical information-leaking hole: VMware has plugged a critical security issue in the VMware Client Integration Plugin, which could allow for a Man in the Middle attack or web session hijacking in case the user of the vSphere Web Client visits a malicious website. HelpNetSecurity, April 15, 2016

Cyber Security in Society
Cyber Privacy
Microsoft sues US government over gag orders: To hell with lying back gagged when the Feds come looking for its customers’ data, and to hell with the passive act of putting out warrant canaries to flag when it’s happening: Microsoft is now on the offensive. NakedSecurity, April 15, 2016

Facebook’s working on auto-tagging us in videos: Has anybody ever captured your image as you lunged at them, screaming “STOP THE TAGGING MADNESS!!”? NakedSecurity, April 15, 2016

Apple, FBI set to resume encryption fight at House hearing: The encryption battle between Apple and the FBI is moving from the courtroom to Congress next week. CNet, April 14, 2016

National Cyber Security
Cybersecurity Commission Includes Former Heads of NSA, NIST: Keith Alexander, former National Security Agency director, and Patrick Gallagher, who once headed the National Institute of Standards and Technology, will join Ajay Banga, chief executive of MasterCard, on the new Commission on Enhancing National Cybersecurity. BankInfoSecurity, April 14, 2016

Who Gets to Define Hacking?: On March 11, 2013, Thomas Donilon, President Obama’s national-security adviser, gave a speech at the Asia Society on Manhattan’s Upper East Side. Much of it was boilerplate: a recitation of the administration’s policy of “rebalancing its global posture” away from the battles of the Middle East and toward the “dynamic” region of Asia-Pacific as a force for growth and prosperity. But about two-thirds of the way through the speech, Donilon broke new diplomatic ground. After listing a couple of “challenges” facing U.S.-China relations, he said, “Another such issue is cybersecurity,” adding that Chinese aggression in this realm had “moved to the forefront of our agenda.” The Atlantic, April 6, 2016

Cyber Gov
California Lawmakers Urge Gov. Jerry Brown to Bolster State’s Cybersecurity Readiness: Frustrated that California’s cybersecurity readiness suffers from “underlying systemic issues,” two Assembly lawmakers have urged Gov. Jerry Brown to rethink how the state prepares for a potential cyberattack. GovTech, April 15, 2016

Cyber Law Enforcement
Canadian Police Have Had BlackBerry’s Global Decryption Key Since 2010: A high-level surveillance probe of Montreal’s criminal underworld shows that Canada’s federal policing agency has had a global encryption key for BlackBerry devices since 2010. Vice, April 14, 2016

F.B.I. Used Hacking Software Decade Before iPhone Fight: WASHINGTON — In early 2003, F.B.I. agents hit a roadblock in a secret investigation, called Operation Trail Mix. For months, agents had been intercepting phone calls and emails belonging to members of an animal welfare group that was believed to be sabotaging operations of a company that was using animals to test drugs. But encryption software had made the emails unreadable. The New York Times, April 13, 2016

Critical Infrastructure
Feds push stronger cyber protections at nuclear sites: The federal government is moving to impose new cybersecurity requirements on nuclear facilities. The Hill, April 11, 2016

DHS and FBI Warns of Cyber Threat to Electric Grid: The unclassified briefings are titled “Ukraine Cyber Attack: Implications for U.S. Stakeholders,” and are based on work with the Ukrainian government in the aftermath of the Dec. 23 cyber attack against the Ukrainian power infrastructure. FreeBeacon, April 8, 2016

Financial Cyber Security
US bank customers targeted by Halfbreed trojan: A new piece of malware has been linked to thefts of $4m from more than 24 American and Canadian banks in just a few days. TheRegister, April 15, 2016

Old IT Project Raises New Concerns for 1,400 Organizations: A recently discovered data security incident at the American College of Cardiology, which potentially affected nearly 98,000 patients at 1,400 medical institutions, points to the need to refrain from using real patient data in test environments, as well as the importance of properly securing those environments. Healthcare InfoSecurity, April 14, 2016

Internet of Things
Surveillance cameras sold on Amazon infected with malware: Security researcher Mike Olsen has warned that some products sold through the Amazon marketplace are harbouring a dark secret — malware. ZDNet, April 11, 2016

Cyber Miscellany
Meet the $100 million cybersecurity startups: A dozen cybersecurity startups have each raised $100 million or more in funding since 2014, according to Dow Jones VentureSource — a database that reports on companies globally who receive venture capital and private equity funding. CSO, April 15, 2016

Cyber Sunshine
‘Blackhole’ Exploit Kit Author Gets 7 Years: A Moscow court this week convicted and sentenced seven hackers for breaking into countless online bank accounts — including “Paunch,” the nickname used by the author of the infamous “Blackhole” exploit kit. Once an extremely popular crimeware-as-a-service offering, Blackhole was for several years responsible for a large percentage of malware infections and stolen banking credentials, and likely contributed to tens of millions of dollars stolen from small to mid-sized businesses over several years. KrebsOnSecurity, April 14, 2016

Jeff Snyder’s SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810