Sunday, April 03, 2016

Cybersecurity News for the Week of April 3, 2016





Individuals at Risk

Identity Theft

IRS Commissioner Details Growing Problem Of Taxpayer Identity Theft: NPR’s Audie Cornish speaks with IRS Commissioner John Koskinen about the state of e-tax hacks. NPR, March 30, 2016

Cyber Danger

PayPal vulnerability allowed attackers to send fraudulent emails: The flaw, now patched, could be exploited to send malicious emails from the PayPal platform. ZDNet, March 31, 2016

Cyber Defense

5 things you should know about two-factor authentication: One of the best pieces of security advice any computer expert can give you is to enable two-factor authentication for websites that support it. With password breaches so common nowadays, it could be the one thing that keeps hackers from stealing your identity online. Here are five points to help you understand this technology. InfoWorld, March 31, 2016
A Practical Encryption Guide; What it is. How it’s Used. Law Enforcement Challenges: Encryption keeps some of your most vital data safe. It protects your credit card information from being stolen by anyone eavesdropping on your Internet traffic when you make purchases online. It’s also used to keep medical information secure, protect free speech, and defend against surveillance. Increasingly, encryption is becoming widely available by default on consumer devices like smartphones. But law enforcement and intelligence agencies say this trend of strong security on consumer devices has consequences: Encryption is hindering their investigations of criminals and terrorists. The Christian Science Monitor, April 1, 2016

Information Security Management in the Organization

Cyber Security Management in the C Suite

New survey: 90% of executives said they aren’t prepared for cyberattacks; 40% don’t feel personally responsible: More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey. More distressing is that 40 percent of executives said they don’t feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the Nasdaq. CNBC, April 1, 2016
FBI Offers Guidance to Business to Defend Against Costly Ransomware Attacks: Ransomware is such a serious cybersecurity concern that the Federal Bureau of Investigation has issued new guidance and yet another alert about the threat. BankInfoSecurity, March 31, 2016 (See also Citadel’s Blog Business E-mail Compromise: Don’t Be a Victim.)
Expert panel discusses information security management challenges and solutions: “Passive defence is not enough. If we’re going to have a really lasting impact on this issue then we need to make it much harder—and the consequences much more severe—for cyber criminals to exploit the vulnerabilities that will always be there.” Prospect Magazine, March 30, 2016

Cyber Crime

Maryland hospital group hit by ransomware launched from within: Baltimore’s Union Memorial Hospital is the epicenter of a malware attack upon its parent organization, MedStar. Data at Union Memorial and other MedStar hospitals in Maryland have been encrypted by ransomware spread across the network, and the operators of the malware are offering a bulk deal: 45 bitcoins (about $18,500) for the keys to unlock all the affected systems. ars technica, March 31, 2016
Toy Giant Mattel Narrowly Escapes Business Email Compromise Phishing Scam: Los Angeles-based toy manufacturer Mattel was recently caught up in a phishing scam which saw the firm almost hand over the tidy sum of $3 million to Chinese cyber-criminals. InfoSecurity, March 30, 2016
At Least 50 Big-Name Law Firms Fall Victim To Hackers: Wall Street-savvy hackers are behind a data breach that involves a who’s-who of New York City legal firms. Federal investigators are looking into the breach that included Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, both high-profile New York-based law firms. ThreatPost, March 30, 2016

Cyber Warning

New Ransomware Puts 200,000 Retail Websites Running Magento at Risk: New ransomware called KimcilWare is targeting websites running the Magento ecommerce platform, used by the likes of Vizio, Olympus and Nike. ThreatPost, April 1, 2016

Cyber Defense

Raising The Stakes For Application Security: Why, if we already know most everything we need to know about exploited vulnerabilities in software, do hacks keep happening? DarkReading, April 1, 2016
Bitdefender releases FREE crypto-vaccine for popular ransomware infections: The free tool can be used to protect systems locked by CTB-Locker, Locky and TeslaCrypt. ZDNet, March 31, 2016
Block Tor traffic as CloudFlare says 94% of Tor traffic is “per se malicious”: More than ever, websites are blocking users of the anonymizing Tor network or degrading the services they receive. Data published today by Web security company CloudFlare suggests why that is. ars technica, March 30, 2015

 Cyber Lawsuit

Cancer Chain Faces Lawsuits After Breach Compromised 2.2m Customer Records: At least seven class-action lawsuits have been filed against 21st Century Oncology, which recently reported a hacker attack that compromised the data of 2.2 million individuals. BankInfoSecurity, March 31, 2016

Cyber Security in Society

Cyber Privacy

EUROPEAN UNION INFORMATION SECURITY AGENCY DIRECTOR OPPOSES ENCRYPTION BACKDOORS: Another terror attack, and yet more calls from governments to weaken encryption. Bloomberg BNA, April 1, 2016
BRITISH AUTHORITIES DEMAND ENCRYPTION KEYS IN CASE WITH “HUGE IMPLICATIONS”: BRITISH AUTHORITIES are attempting to force a man accused of hacking the U.S. government to hand over his encryption keys in a case that campaigners believe could have ramifications for journalists and activists. TheIntercept, April 1, 2016
Amnesty International: Encryption is a Human Rights Issue: Defending encryption is a human rights issue, according to a new Amnesty International report. The report calls on nation-states to promote the use of encryption tools as part of their international human rights obligations to protect the privacy of their populations. EFF, March 31, 2016
Apple’s New Challenge: Learning How the U.S. Cracked Its iPhone: SAN FRANCISCO — Now that the United States government has cracked open an iPhone that belonged to a gunman in the San Bernardino, Calif., mass shooting without Apple’s help, the tech company is under pressure to find and fix the flaw. New York Times, March 29, 2016
U.S. Says It Has Unlocked iPhone Without Apple: SAN FRANCISCO — The Justice Department said on Monday that it had found a way to unlock an iPhone without help from Apple, allowing the agency to withdraw its legal effort to compel the tech company to assist in a mass-shooting investigation. The New York Times, March 28, 2016

Cyber Underworld

Cybercriminals from Russia & Brazil collaborate to make malware more dangerous: Kaspersky researchers say Russian and Brazilian cybercriminals are trading tools and techniques to target their respective local victims. ZDNet, March 31, 2016
Cybercrime Tools: A Black Market Price List From The Dark Web: What does it cost for malware, stolen identities and other tools of the cybercriminal trade? Probably less than you think. Dark Reading, March 30, 2016

National Cyber Security

5 ways government cybersecurity is changing in 2016: The landscape of cyber threats is dominated by criminals, nations and hackers seeking to exploit vulnerabilities. In February 2016, the Obama Administration rolled-out several initiatives as part of a Cybersecurity National Action Plan—the goal being to move from defense to resiliency. Bloomberg Government, March 31, 2016

Cyber Politics

Arizona Secretary of State Confirms Election Fraud Happened in State Primary: Arizona’s Secretary of State has confirmed that election fraud took place in the Arizona primary on March 22. US Uncut, March 30, 2016

Cyber Law

FTC Breach-Related Actions Could Influence Other Agencies: The FTC has been imposing steeper penalties against companies that expose sensitive consumer information, such as payment card data. Plus, the commission recently requested that several qualified security assessors, or QSAs, provide details about the ways they assess compliance with the Payment Card Industry Data Security Standard (see Could FTC Play Bigger Role in Card Security?). BankInfoSecurity, March 30, 2016

Cyber Law Enforcement

FBI Seeks to Protect Methods Used to Hack Tor Network: As Apple’s attorneys mull over their legal options for having the FBI explain how it hacked Syed Farook’s iPhone, a separate case playing out involving the security service and the anonymity software Tor may have a hand in predicting the outcome. ThreatPost, April 1, 2016
FBI already called in to unlock another murder case iPhone: In the recent FBI-versus-Apple court case (you know which one we mean), the US judiciary ordered Apple to cook up an iPhone backdoor to sidestep the very security it had baked into the iPhone in the first place. NakedSecurity, March 31, 2016
US used tactic from Apple encryption fight in 60 other phone-unlocking cases: The US government has used the same legal tactic it deployed in its encryption fight with Apple in more than 60 other phone-unlocking cases, according to a tally by a privacy watchdog, including other iPhones and devices running Google’s Android operating system. The Guardian, March 30, 2016

Healthcare Cyber Security

Healthcare data breaches spiked in 2015, surpassed previous years, BakerHostetler says: The rate of security incident disclosures in 2015 surpassed those of 2014, according to the second annual BakerHostetler Security Incident Response report. What’s more, healthcare tops the list for frequency of data breaches. HealthcareITNews, March 31, 2016

Internet of Things (In)securities

Vulnerability in popular door controllers allow hackers to easily unlock secure doors: Doors that provide access into secure areas in airports, hospitals, government facilities and other organizations can easily be opened by hackers due to a vulnerability into a popular brand of networked door controllers. PCWorld, April 1, 2016

Secure the Village

Security Analogies Project Increases Information Security Understanding by Drawing Parallels: The aim of the Security Analogies Project is to help spread the message of information security and its importance in the modern world. By drawing parallels between what people already know, or find interesting and how these relate to information security, the industry can increase understanding and support across the whole of society. As for me, I find that the world of aviation lends itself to many information security analogies. CSO, March 31, 2016

Jeff Snyder’s, SecurityRecruiter.comJeff Snyder CoachingSecurity Recruiter Blog, 719.686.8810's Security Recruiter Blog