Sunday, May 01, 2016

Cybersecurity News for the Week of May 1, 2016




Individuals at Risk

Cyber Privacy

US Presidential Primary Apps Leak Sensitive Data: As 2016’s presidential primaries have progressed, the number of presidential primary apps installed on mobile devices has grown considerably, becoming more prevalent than ever. And that’s a bit of a problem considering that most of them leak personal data about their users. InfoSecurity Magazine, April 25, 2016

Cyber Danger

Google Play infested with cash-stealing web apps: Security researcher Joshua Shilko says phishing apps targeting some of the world’s biggest payment services have slipped past screening and landed on Google Play. TheRegister, April 29, 2016
Irremovable bank data-stealing Android malware poses as Google Chrome update: A banking and personal information stealing mobile malware posing as a Google Chrome update for Android, and which can’t be removed from the infected device, has been spotted in the wild by cybersecurity researchers. ZDNet, April 29, 2016
Toymaker’s website pushes ransomware that holds visitors’ files hostage: The website belonging to Maisto International, a popular maker of remote-controlled toy vehicles, has been caught pushing ransomware that holds visitors’ files hostage until they pay a hefty fee. ars technica, April 28, 2016
Check your Spotify account: Users report unusual activity after credentials posted online: If you use the popular music streaming service Spotify, there is a chance you may be vulnerable after a report has surfaced that the emails, usernames, passwords and other details of hundreds of users were recently uploaded online. Financial Post, April 25, 2016

Cyber Update

Firefox: Mozilla patches critical flaws that let attackers execute malicious code: Mozilla has released Firefox 46 and patched several memory bugs that could let an attacker take control of a system. ZDNet, April 28, 2016

Information Security Management in the Organization

Cyber Security Management – C Suite

Verizon Data Breach Report: Phishing up considerably. Systems still not being patched: Verizon released a report on April 27 that found that cybercriminals are now focusing on exploiting “human nature” through phishing and ransomware. The 2016 Data Breach Investigations Report determined that the open rate of phishing messages has increased to 30 percent, up from 23 percent in 2015. Additionally, 13 percent of phishing message readers say they have clicked on malicious attachments and links. TechTimes, April 28, 2016

Cyber Crime

Hackers steal millions of Minecraft passwords: Hackers have stolen login data for more than seven million members of the Minecraft site Lifeboat. BBC, April 29, 2016
Hackers target Goldcorp Inc, release reams of private data online including payroll and passports: Goldcorp Inc. has fallen victim to a data breach by anonymous hackers who posted reams of the miner’s private information online. Financial Times, April 28, 2016
Qatar National Bank Suffers Massive Breach of Sensitive Internal Files: A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GBs, apparently includes internal corporate files and sensitive financial data for QNB’s customers. BankInfoSecurity, April 26, 2016

Cyber Warning

Hacker Group Exploits ‘Hot Patching’ In Windows To Cloak Cyber Espionage: Group called Platinum employs spear phishing and malicious use of hot patching to steal information from government agencies in Asia. DarkReading, April 28, 2016
Cisco Claims Tuto4PC Utilities Have Silently Installed 12M Backdoors: Security experts are warning PC users of scareware computer utilities published by the French firm Tuto4PC that secretly bundle adware and spyware. Cisco’s Talos security research team said several of the company’s utilities, including OneSoftPerDay and System Healer, contain Trojans that exhibit “malicious intent and behavior.” ThreatPost, April 27, 2016

Cyber Defense

Basic Cyber Protection At The Hotel On A Business Trip: As POS malware attacks on hotels increase and threat actors target executives, traveling for business puts company data at risk. DarkReading, April 28, 2016
OFFICE 365 VULNERABILITY EXPOSED ANY FEDERATED ACCOUNT: A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in position to have access to any account and data, including email messages and files stored in the cloud-based service. ThreatPost, April 28, 2016

Cyber Lawsuit

Credit Union Sues Wendy’s Claiming Breach Resulted from Failure to Implement Chip Technology [EMV]: In the aftermath of the settlement of banks’ post-breach lawsuit against Target, a financial institution is now suing Wendy’s seeking to recoup breach-related expenses. BankInfoSecurity, April 28, 2016

Cyber Insurance

Federal Court Rules Commercial General Liability (CGL) Insurance May Cover Data Breach: A federal appeals court in Virginia has upheld a lower federal court in ruling that a commercial general liability policy (CGL) may cover a data breach. In a case involving the publication of private medical records on the internet, the courts found that coverage included in a CGL for personal and advertising injury applied. InsuranceJournal, April 12, 2016

Cyber Security in Society

Cyber Privacy

PRIVACY ACTIVISTS CHEER PASSAGE OF EMAIL PRIVACY ACT, BRACE FOR SENATE BATTLE: In a vote of 419-0 on Wednesday, the U.S. House of Representatives passed the Email Privacy Act that would require the government to obtain a warrant in order to access digital communications stored in the cloud. Privacy advocates cheered the victory and said it was a win for U.S. citizens and companies. ThreatPost, April 28, 2016

National Cyber Security

As US drops “cyber bombs,” ISIS retools its own cyber army: The Islamic State has been deft in its use of the Internet as a communications tool. ISIS has long leveraged social media to spread propaganda and even coordinate targets for attacks, using an ever-shifting collection of social media accounts for recruitment and even to call for attacks on individuals ISIS leaders have designated as enemies. But the organization’s efforts to build a sophisticated internal “cyber army” to conduct information warfare against the US and other powers opposing it have thus far been fragmented and limited in their effectiveness—and more often than not they’ve been more propaganda than substance. ars technica, April 28, 2016
U.S. Cyberattacks Target ISIS in a New Line of Combat: LONDON — The United States has opened a new line of combat against the Islamic State, directing the military’s six-year-old Cyber Command for the first time to mount computer-network attacks that are now being used alongside more traditional weapons. The New York Times, April 24, 2016

Cyber Law

Suspect refuses to decrypt hard drives, is detained indefinitely: A former Philadelphia Police Department sergeant suspected of possessing child pornography has spent seven months in a detention center without being charged of any particular crime, Ars Techica reports. HelpNetSecurity, April 28, 2016

Financial Cyber Security

SWIFT system said to need revamping after Bangladesh hack: Security vendors are pushing for a more comprehensive revamp of the SWIFT international inter-bank financial transaction messaging system beyond a update prompted by an $81m hack against Bangladesh’s central bank. TheRegister, April 29, 2016
A Dramatic Rise in ATM Skimming Attacks: Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers. The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past. KrebsOnSecurity, April 29, 2016

Cyber Law Enforcement

US govt seeks to modify search warrant rules to let cops, Feds hack computers anywhere, anytime: On Thursday, the US Supreme Court approved a change to Rule 41 of the Federal Rules of Criminal Procedure. It sounds innocuous, but the effects will be felt around the world. The Register, April 29, 2016

Cyber Sunshine

Click-Fraud Kingpin Receives 7-Year Sentence: Cybercrime can pay very well. The challenge, of course, is staying out of jail long enough to spend one’s ill-gotten gains. BankInfoSecurity, April 28, 2016
Security experts shut down the dreaded Mumblehard botnet: Researchers and law enforcement in a joint effort shut down the Mumblehard botnet composed of more than 4000 Linux machines. CyberDefense Magazine, April 13, 2016

Cyber Miscellany

Dental Assn Mails Malware to Members: The American Dental Association (ADA) says it may have inadvertently mailed malware-laced USB thumb drives to thousands of dental offices nationwide. KrebsOnSecurity, April 28, 2016

Jeff Snyder’s, SecurityRecruiter.comJeff Snyder CoachingSecurity Recruiter Blog, 719.686.8810's Security Recruiter Blog