Sunday, May 29, 2016

Cybersecurity News for the Week of May 29, 2016


CYBERSECURITY NEWS


FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Individuals at Risk

Cyber Privacy

Scott Walker’s campaign is selling donors’ email addresses: Are you one of the people who ponied up money to support the US presidential campaign of Wisconsin Gov. Scott Walker? Sorry his bid went belly-up. As disappointing as that must be, here’s a bit of salt for the wound: he’s selling your email address. Naked Security, May 27, 2016

Cyber Danger

AMAZON USERS TARGETS OF MASSIVE LOCKY SPEAR-PHISHING CAMPAIGN: Amazon customers were targeted in a massive spear phishing campaign where recipients received Microsoft Word documents with a macro that triggered downloads of the Locky ransomware. Researchers at Comodo Threat Research Labs say it is one of the largest spam ransomware campaigns this year. ThreatPost, May 26, 2016

Cyber Defense

Make your cloud safer: How you can use two-factor authentication to protect cloud services: Two-factor authentication is no longer an optional feature. If you use modern cloud services, this extra layer of security can dramatically reduce the risk of a hostile takeover. Here’s how to get started. ZDNet, May 27, 2016
Troy Hunt: The Delicate Balance in Data Breach Reporting: Troy Hunt’s free breach-notification service, Have I Been Pwned?, logs tens of thousands of visits per day, particularly if there’s been a major data breach making news headlines. His service enables people to discover if their email address – and by extension access credentials – have been compromised via breaches small and large, including leaks involving Adobe Systems (152 million credentials exposed), the Ashley Madison extramarital dating site (31 million credentials) and most recently, LinkedIn (164 million credentials). BankInfoSecurity, May 27, 2016
Microsoft will no longer let you use ‘12345’ as your password: The golden age of passwords is coming to a close. Mashable, May 26, 2016
Why you need different passwords for different sites: E-commerce sites face an ongoing fraud battle: Their login forms are constantly hit by bots using stolen credentials to try to take over accounts. BankInfoSecurity, May 26, 2016

Information Security Management in the Organization

Cyber Crime

Cybercrime Hit Businesses Hardest in 2015, says FBI Cybercrime Report: Businesses were hit hardest by inbox-based scams in 2015 that robbed U.S. companies of $263 million. The numbers come from the FBI’s recently released 2015 Internet Crime Report that tallies the types of cybercrimes hitting U.S. business and individuals the hardest. According to the FBI, its Internet Crime Complaint Center (IC3) received 288,012 complaints last year with total losses of $1.07 billion. Threatpost, May 27, 2016
FBI Cybercrime Report: Business Email Compromise & Ransomware: The FBI recently released its annual data dump from the Internet Crime Complaint Center (IC3), which offers up the consolidated information gleaned from a year’s worth of criminal complaints made to the agency from within the U.S. and worldwide. The 2015 Internet Crime Report data offers some insight into the types of complaints made to law enforcement and at least a glimpse into the scope of Internet crime affecting citizens and businesses. DarkReading, May 27, 2016

Cyber Warning

ZCryptor ransomware spreads via removable drives: The newly spotted ZCryptor ransomware has also the ability to spread like a worm, Microsoft warns. HelpNetSecurity, May 27, 2016
Business Email Compromise: How Big Is the Problem?: The business of executive email hacking is booming. Wedging themselves deeply inside company email systems, fraudsters are stealing hundreds of millions of dollars by impersonating key personnel and initiating large wire transfers. BankInfoSecurity, May 26, 2016
Beware of keystroke loggers disguised as USB phone chargers, FBI warns: FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards. ars technica. May 23, 2016

Cyber Security in Society

Cyber Attack

Major DNS provider hit by mysterious, focused DDoS attack: Unknown attackers have been directing an ever-changing army of bots in a distributed denial of service (DDoS) attack against NS1, a major DNS and traffic management provider, for over a week. While the company has essentially shunted off much of the attack traffic, NS1 experienced some interruptions in service early last week. And the attackers have also gone after partners of NS1, interrupting service to the company’s website and other services not tied to the DNS and traffic-management platform. While it’s clear that the attack is targeting NS1 in particular and not one of the company’s customers, there’s no indication of who is behind the attacks or why they are being carried out. ars technica, May 25, 2016

National Cyber Security

Cybersecurity: the case for a European approach: The EU objective of developing a cyber ‘soft’ power privileging defence, resilience and civil society, sharply contrasts with national cybersecurity policies developed both inside and outside Europe. openDemocracy, May 27, 2016
Enhancing National Cybersecurity Requires Surrendering the Crypto War: On Monday, Paul Rosenzweig suggested a number of areas in which the recently formed Commission on Enhancing National Cybersecurity should focus in charting the US government’s path forward. While I agree the government must rethink strategic policy choices, Rosenzweig is putting the cart before the horse. Before we can construct an effective long-term policy agenda, the government must first repair a number of critical relationships. LawFare, May 27, 2016
Did the Clinton Email Server Have an Internet-Based Printer?: The Associated Press today points to a remarkable footnote in a recent State Department inspector general report on the Hillary Clinton email scandal: The mail was managed from the vanity domain “clintonemail.com.” But here’s a potentially more explosive finding: A review of the historic domain registration records for that domain indicates that whoever built the private email server for the Clintons also had the not-so-bright idea of connecting it to an Internet-based printer. KrebsOnSecurity, May 26, 2016

Cyber Politics

Where The 2016 Candidates Stand On Cybersecurity And Civil Liberties: While Trump wants to strengthen the government’s surveillance and cyberattack capabilities, the Democrats have fought for civil liberties. FastCompany, May 23, 2016

Financial Cyber Security

North Korea Linked to Digital Attacks on Global Banks: Security researchers have tied the recent spate of digital breaches on Asian banks to North Korea, in what they say appears to be the first known case of a nation using digital attacks for financial gain. The New York Times, May 26, 2016
Swift Hack Probe Expands to Up to a Dozen Banks Beyond Bangladesh: Investigators are examining possible computer breaches at as many as 12 banks linked to Swift’s global payments network that have irregularities similar to those in the theft of $81 million from the Bangladesh central bank, according to a person familiar with the probe. Bloomberg, May 26, 2016
Japan ATM scam using fraudulent cards nets $12.7m: Cash worth 1.4bn yen ($13m; £8.8m) has been taken from cash machines in Japan using credit cards created with data stolen from a South African bank. BBC, May 23, 2016

Critical Infrastructure

ICS-CERT warns about vulnerable SCADA system that can’t be updated: A web-based SCADA system deployed mainly in the US energy sector sports vulnerabilities that may allow attackers to perform configuration changes and administrative operations remotely. What’s worse is that these holes can’t be plugged because the device has nowhere to put an update. HelpNetSecurity, May 27, 2016

Cyber Enforcement

JUDGE TOSSES EVIDENCE GATHERED BY FBI’S TOR EXPLOIT: The FBI’s refusal to share details about a network investigative technique it used to gather evidence against a Vancouver teacher charged with possession of child pornography has forced a federal judge’s hand to exclude the evidence from trial. ThreatPost, May 27, 2016

Jeff Snyder’s, SecurityRecruiter.comJeff Snyder CoachingSecurity Recruiter Blog, 719.686.8810


SecurityRecruiter.com's Security Recruiter Blog