Monday, April 11, 2016

Cybersecurity News for the Week of April 10, 2016

CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP
Individuals at Risk

Identity Theft

National Childbirth Trust, US Office of Child Support Breached: A pair of data breaches is impacting parents and parents-to-be on both sides of the pond. InfoSecurity, April 8, 2016
Customers of Online Payroll Mgmt Company Victimized by Tax Fraud. Management Negligence?: Online payroll management firm Greenshades.com is an object lesson in how not to do authentication. Until very recently, the company allowed corporate payroll administrators to access employee payroll data online using nothing more than an employee’s date of birth and Social Security number. That is, until criminals discovered this and began mass-filing fraudulent tax refund requests with the IRS on large swaths of employees at firms that use the company’s services. KrebsOnSecurity, April 6, 2016
Hack Brief: Turkey Breach Spills Info on More Than Half Its Citizens: The nation of Turkey has been reeling from terrorist bombings in its biggest cities, a teeming refugee crisis, and a president who wants to rewrite its constitution to give himself more power. Now, in the midst of those calamities, it’s also been hit with what appears to be an enormous data breach, one that affects the majority of the country’s citizens. Wired, April 5, 2016

Cyber Update

Adobe Patches Flash Player Zero-Day Threat: Adobe Systems this week rushed out an emergency patch to plug a security hole in its widely-installed Flash Player software, warning that the vulnerability is already being exploited in active attacks. KrebsOnSecurity, April 8, 2016
Latest Flash Zero Day Being Used to Push Ransomware: Exploits for a zero-day vulnerability in Adobe Flash Player are being aggressively distributed in two exploit kits. The zero day, meanwhile, was patched by Adobe in an emergency update released Thursday night. ThreatPost, April 7, 2016

Cyber Danger

Top Firefox extensions can hide silent malware using easy pre-fab tool: Black Hat Asia: The most popular Firefox extensions with millions of active users are open to attacks that can quietly compromise machines and pass Mozilla’s automated and human security tests. TheRegister, April 4, 2016

Information Security Management in the Organization

Cyber Security Management – C Suite

Taking on the Cybersecurity Challenge: 225 Business & IT Leaders – Free Exec Summary: More than ever, information security is—or should be—top of mind for business and IT leaders in every industry worldwide. This exclusive collection of original content takes a multifaceted look at preventing, detecting, and effectively responding to cybersecurity breaches. Want to know what 225 business and IT leaders have to say about their security concerns, practices, and experiences? Download this free executive summary of highlights from the recent Cybersecurity Challenges, Risks, Trends, and Impact Survey, which was conducted by MIT Technology Review Custom in partnership with Hewlett Packard Enterprise Security Services and FireEye Inc. MIT Technology Review, March 14, 2016

Cyber Warning — CEO Fraud

FBI Reports Businesses Lost $2.3 Billion to CEO Email Scams: The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years. KrebsOnSecurity, April 7, 2016 … See Citadel Blog Business E-mail Compromise: Don’t Be a Victim.

Cyber Awareness

Management must train staff in good security practices: People are still plugging in USB sticks scattered around parking lots, a new study has confirmed. NakedSecurity, April 8, 2016

Cyber Crime

Banking Industry Sources: Trump Hotels Breached Again: Banking industry sources tell KrebsOnSecurity that the Trump Hotel Collection — a string of luxury properties tied to business magnate and Republican presidential candidate Donald Trump — appears to be dealing with another breach of its credit card systems. If confirmed, this would be the second such breach at the Trump properties in less than a year. KrebsOnSecurity, April 4, 2016

Cyber Security in Society

Cyber Privacy

The California Bill to Undermine Smartphone Encryption Actually Got Worse: State lawmakers recently introduced some misguided changes to California’s Assembly Bill 1681, which would require that manufacturers and operating system providers be able to decrypt smartphones sold in the state. On first glance, the amendment to A.B. 1681 might seem to address some of EFF’s previous criticisms, but the new version actually makes an already bad bill even worse. EFF has signed on to a new letter in opposition to the bill, and you can still join our action calling on lawmakers to vote against it. Electronic Frontier Foundation, April 8, 2016
Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People: For most of the past six weeks, the biggest story out of Silicon Valley was Apple’s battle with the FBI over a federal order to unlock the iPhone of a mass shooter. The company’s refusal touched off a searing debate over privacy and security in the digital age. But this morning, at a small office in Mountain View, California, three guys made the scope of that enormous debate look kinda small. Wired, April 5, 2016

Cyber Crime

Millions stolen when lotteries rigged by security chief: Prosecutors say they have unearthed forensic evidence that shows how a former computer security official for a US state lottery association rigged drawings worth millions of dollars across five states using unauthorized code that tampered with a random number generator used to pick winning tickets. ars technica, April 7, 2016

Cyber Election Fraud

Costa Rica launches investigation after reports hacker ‘rigged’ 2014 election: Costa Rica is to investigate whether hackers interfered with its 2014 elections. TheRegister, April 8, 2016
Andrés Sepúlveda tells how he rigged elections throughout Latin America for almost a decade: It was just before midnight when Enrique Peña Nieto declared victory as the newly elected president of Mexico. Peña Nieto was a lawyer and a millionaire, from a family of mayors and governors. His wife was a telenovela star. He beamed as he was showered with red, green, and white confetti at the Mexico City headquarters of the Institutional Revolutionary Party, or PRI, which had ruled for more than 70 years before being forced out in 2000. Returning the party to power on that night in July 2012, Peña Nieto vowed to tame drug violence, fight corruption, and open a more transparent era in Mexican politics. Bloomberg, March 31, 2016

Cyber Law

Sony Breach Settlement: A Good Deal?: A court has approved the settlement of a class-action lawsuit filed against Sony Pictures Entertainment on behalf of current and former employees in the wake of the company’s massive 2014 breach that U.S. officials blamed on North Korea. BankInfoSecurity, April 8, 2016
State AGs Upping Ante on Information Data Incidents – Expect Increased Enforcement Actions: State attorneys general (AGs) continue to emerge as major regulators of privacy, and increasingly, with respect to compromises of health-related data. Lexology, April 7, 2016

Cyber Underworld

Dell’s 2016 Underground Hacker Marketplace Report – It’s a good time to be a bad guy: Customer service is the motto. Hackers are now extending their service hours, guaranteeing their work, and expanding their offerings to keep customers coming back. Dell, 2016

Cyber Law Enforcement

5 Ways Cyber Experts Think the FBI Might Have Hacked the San Bernardino iPhone: Last week, the FBI announced that it had, with the help of a third party, successfully broken into the passcode-protected iPhone 5C owned by San Bernardino shooter Syed Farook. It’s not clear yet whether the FBI found any information useful to its investigation, but the hack brought at least a temporary reprieve to the very public battle between Apple and the FBI over encryption and privacy rights. IEEE Spectrum, April 5, 2016

Healthcare

GAO Report: 3 State Health Exchanges Vulnerable to Hackers: Health insurance websites established under Obamacare in California, Kentucky, and Vermont contain substantial cyber security vulnerabilities, leaving the personal data of individuals enrolled in those states vulnerable to hackers, according to the Government Accountability Office. The Washington Free Beacon, April 8, 2016
Why Healthcare Information Is Still Way Too Easy to Hack: HIPAA’s HITECH Act and the Omnibus Rule were enacted to prevent data breaches in healthcare; however, cyber-attacks against healthcare providers continue to rise. Business.com, March 31, 2016

Critical Infrastructure

NASA loosens leash on potential cybersecurity breakthrough: Last week, I asked whether NASA was “slow rolling” a cybersecurity breakthrough called Gryphon X. It’s a proposal from Ames Research Center that many in the cybersecurity community believe could help secure critical infrastructure in a more active and proactive way, and also push the space agency back toward the front of the innovation pack. FederalNewsRadio, April 4, 2016

Secure the Village

UL launches Cybersecurity Assurance Program: NORTHBROOK, Ill.—UL today announced its new Cybersecurity Assurance Program, a standard by which companies can have their products tested and verified by UL to guard against well-known cyber risks. SecuritySystemsNews, April 5, 2016

The Panama Papers — Special Report

Cyberattacks: Panama Papers Show Why Law Firms Are Under Fire: Ask hackers why they attack law firms, and their reply – to riff on bank robber Willie Sutton’s famous quip – would no doubt be: “Because that’s where the secrets are.” BankInfoSecurity, April 7, 2016
The security flaws at the heart of the Panama Papers show “astonishing disregard” for information security: The law firm at the centre of the Panama Papers hack has shown an “astonishing” disregard for security, according to experts. While the firm, Mossack Fonseca, claims on its website that its Client Information Portal provides a “secure online account,” the facts are quite different. Its client portal was last updated in August 2013. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted. Amongst other lapses, Mossack Fonseca has failed to update its Outlook Web Access login since 2009. Wired, April 6, 2016
How Reporters Pulled Off the Panama Papers, the Biggest Leak in Whistleblower History: When Daniel Ellsberg photocopied and leaked the Pentagon Papers to the New York Times in 1971, those 7,000 pages of top secret Vietnam War documents represented what was then the biggest whistleblower leak in history—a couple dozen megabytes if it were contained in a modern text file. Almost four decades later, WikiLeaks in 2010 published Cablegate, a world-shaking, 1.73 gigabyte collection of classified State Department communications that was almost a hundred times bigger. Wired, April 4, 2016
CPI’s ICIJ unit has huge impact with Panama Papers: Network effects (where services become more valuable the more people use them) are some of the most powerful factors in technology, and never more so than in the case of the Panama Papers, the huge investigation unleashed by the International Consortium of Investigative Journalists (ICIJ) and its partners. The Center for Public Integrity, April 4, 2016
Giant Data Leak of Law Firm Records Shows Putin Allies & Other Politicos in Crime & Corruption: A massive leak of documents exposes the offshore holdings of 12 current and former world leaders and reveals how associates of Russian President Vladimir Putin secretly shuffled as much as $2 billion through banks and shadow companies. ICIJ – Panama Papers, April 3, 2016

Jeff Snyder, SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810

SecurityRecruiter.com's Security Recruiter Blog