Monday, April 25, 2016

Cybersecurity News for the Week of April 24, 2016
Individuals at Risk

Cyber Privacy

700 Million People Just Got Encryption That Congress Can’t Touch: Last month, WhatsApp, the hugely popular messaging service that Facebook owns, made end-to-end encryption the default for its 1 billion users. On Tuesday, Viber said it will do the same for the 700 million people who use it. Wired, April 20, 2016
Hackers only need your phone number to eavesdrop on calls, read texts, track you: 60 Minutes showed how hackers only needed a congressman’s phone number to record his calls and track his location. The congressman said people at intelligence agencies, who are aware of the SS7 flaw and abuse it, should be fired. Computerworld, April 18, 2016
How hackers eavesdropped on a US Congressman using only his phone number: A US Congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used. ars technica, April 18, 2016

Cyber Danger

US-CERT to Windows Users: Dump Apple Quicktime: Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT). The advice came just as researchers are reporting two new critical security holes in Quicktime that likely won’t be patched. KrebsOnSecurity, April 18, 2016

Cyber Defense

Report Says PlayStation Network to Get Two-Factor Authentication: Sony plans to add two-factor authentication to its PlayStation Network. PC Magazine, April 21, 2016

Information Security Management in the Organization

Cyber Security Management – C Suite

Information Security Culture: It’s Time to Upgrade to 2.0: Information security requires an approach that involves people, process and technology. But, while we have made great strides in technological advancements in information security, security culture for many organizations remains in a state of stasis. InfoSecurity, April 22, 2016
Collaboration & Inclusiveness Keys to Success, Part 1 – IBM Inst for Business Value: A 2016 report from the IBM Institute for Business Value, “Securing the C-Suite: Cybersecurity Perspectives from the Boardroom and C-Suite” provides valuable insights about the dynamics within the C-suite — insight that anyone in the role of chief information officer (CIO) or chief information security officer (CISO) cannot afford to miss. IBM surveyed more than 700 executives from 28 countries across 18 different industries that occupied nine different roles in the C-suite. SecurityIntelligence, April 5, 2016
Collaboration & Inclusiveness Keys to Success, Part 2 – IBM Inst for Business Value: A 2013 IBM report titled “Exploring the Inner Circle: Insights From the Global C-Suite Study” found that the top-performing organizations all had one quality that set them apart from their peers: collaboration. Top leadership’s view is that “the ability to collaborate is the most important factor” and that “how the members of the C-suite collaborate is as significant as the extent to which they collaborate.” SecurityIntelligence, April 12, 2016
Collaboration & Inclusiveness Keys to Success, Part 3 – IBM Inst for Business Value: Chief executive officers (CEOs) are under intense pressure from all sides. From an economic perspective, areas that were once the domain of a few favored organizations are now ripe for disruption by newcomers. Indeed, according to IBM’s “Redefining Competition: Insights From the Global C-suite Study – The CEO Perspective,” CEOs believe technology is the chief external influence on their enterprises. More specifically, cybersecurity issues have crashed into the C-suite and the boardroom, and top leadership is under the spotlight when it comes to achieving an acceptable cyber posture. SecurityIntelligence, April 19, 2016

Cyber Awareness

Staff Awareness Vital as Law Enforcement, Government Agencies See Phishing as Main Cyber Risk: In a meeting held in New York, representatives of law enforcement and governments from the US and the UK met to agree on a joint plan to tackle cyber threats, and their top priority for the foreseeable future will be phishing attacks. Softpedia, April 21, 2016
Staff Weak Link as Malware Attacks More Frequent, Harder To Fight: The newest Ponemon State of the Endpoint Report found enterprises struggling to enforce endpoint security and to manage their biggest threat: Employees. InformationWeek, April 21, 2016
Staff spoofed to wire money as whaling emerges as major cybersecurity threat: Fraudsters are using legitimate executive names and email addresses to dupe unsuspecting employees to wire money or sensitive documents to their accounts. The CTO of the Boston Celtics, for one, is fighting back. CIO, April 21, 2016

Cyber Defense

The Problem With Patching: 7 Top Complaints: Is your security team suffering from patching fatigue? Check out these tips and eliminate critical vulnerabilities in your IT environment. DarkReading, April 22, 2016
Bypass the Windows AppLocker bouncer with a tweet-size command: If you’re relying on Microsoft’s AppLocker to lock down your office or school Windows PCs, then you should check this out. A security researcher says he’s found a way to potentially bypass the operating system’s software whitelist and launch arbitrary scripts. TheRegister, April 22, 2016
DDoS Attacks: Know Your Enemy: Distributed-denial-of-service (DDoS) attacks are more frequent today than they’ve ever been, according to the latest report by Verisign. In the final quarter of 2015, DDoS attacks globally rose by 85% compared with the previous year – and 15% on the previous quarter alone. Not only that – they’re also getting more dangerous, deploying higher volumes of packets than ever before. InformationSecurity, April 20, 2016

Cyber Security in Society

National Cyber Security

U.S. Ratchets Up Cyber Attacks on ISIS: Military hackers are disrupting ISIS’s encrypted chats, implanting viruses in terrorists’ computers, and mining the machines to launch real-world strikes. TheDailyBeast, April 17, 2016

Cyber Law Enforcement

FBI paid at least $1.3M for zero-day to get into San Bernardino iPhone: FBI Director James Comey suggested to a conference in London that his agency paid more than $1.3 million to gray-hat hackers who were able to unlock the iPhone 5C that was used by Syed Farook Rizwan, the dead terrorist who masterminded the attack in San Bernardino, California, in December 2015. ars technica, April 21, 2016

Cyber Lawsuit

Attorney sued after BEC fraud costs couple $1.9m: A Manhattan couple wired a $1.9 million deposit for their new co-op but learned that the messages from an AOL e-mail account hid a crucial detail: They got conned. The Real Deal, April 19, 2016

Financial Cyber Security

ATM skimming increased five-fold from 2014 to 2015 while ‘Black Box’ ATM Attacks Loom as Growing Threat: Although skimming attacks remain the No. 1 ATM fraud concern in the United States, so-called “black box” attacks loom as a growing threat. BankInfoSecurity, April 20, 2016
Giant Food Requires Cash for Gift Cards, Reloadables & Prepaid Debit Cards: Citing a recent and large increase in credit card fraud, Washington, DC-area grocer Giant Food says it will no longer allow customers to use credit cards when purchasing gift cards and reloadable or prepaid debit cards. KrebsOnSecurity, April 20, 2016

Cyber Security in Healthcare

NY Presbyterian Hospital Slapped With Second HIPAA Fine: For the second time in two years, federal regulators have slapped New York Presbyterian Hospital with a multi-million dollar penalty as part of a HIPAA settlement. HealthInfoSecurity, April 21, 2016
Lack of Business Associate Agreement Costs Clinic $750,000: A North Carolina orthopedic clinic will pay a $750,000 penalty as part of a breach-related settlement involving the release of 17,300 X-ray films containing protected health information to a vendor without having a business associate agreement in place, as required under HIPAA. HealthInfoSecurity, April 20, 2016

Critical Infrastructure

Upgrade Coming to Grid Cybersecurity in U.S.: The hackers who unplugged 225,000 people from the Ukrainian electricity grid in December—the first confirmed cyber-takedown of a power system—have lent credence to calls by cybersecurity experts for greater vigilance by utilities. “It’s really brought the whole thing to a head and made people aware that this isn’t just chatter about the sky falling,” says Eric Byres, a security consultant who commercialized one of the first firewalls for industrial control systems. IEEE Spectrum, April 20, 2016

Cyber Underworld

Cybercrime Gang Tied to 20 Million Stolen Cards: A previously unknown cybercrime group has hacked into numerous organizations in the retail and hospitality sectors to steal an estimated 20 million payment cards, collectively worth an estimated $400 million via underground cybercrime forum sales, according to the cybersecurity firm FireEye. BankInfoSecurity, April 21, 2016
Criminals in the cloud: How malware-as-a-service is becoming the tool of choice for crooks: Rather than selling their malware as a one-off, virus writers are offering access to the latest exploit kits via on-demand services. ZDNet, April 21, 2016
How One Cybercrime Gang Is Ratcheting Up PoS Attacks: With magnetic-stripe payment card transactions gradually starting to disappear in the US, cybercriminals have been on a tear with PoS attacks against retail and hospitality targets that haven’t yet adopted EMV card payment, FireEye researchers say. DarkReading, April 20, 2016

Cyber Sunshine

SpyEye Makers Get 24 Years in Prison: Two hackers convicted of making and selling the infamous SpyEye botnet creation kit were sentenced in Georgia today to a combined 24 years in prison for helping to infect hundreds of thousands of computers with malware and stealing millions from unsuspecting victims. KrebsOnSecurity, April 20, 2016

Jeff Snyder’s Security Recruiter Blog, SecurityRecruiter.com, 719.686.8810