Sunday, May 08, 2016

Cybersecurity News for the Week of May 8, 2016

Individuals at Risk

Identity Theft

272 million email addresses stolen from major email services including Google, Yahoo, Microsoft: Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters. Reuters, May 5, 2016
Fraudsters Steal Tax, Salary Data From ADP: Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms, KrebsOnSecurity has learned. ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters. KrebsOnSecurity, May 3, 2016
Report: 57M fed, military Social Security numbers stolen since 2005: The government isn’t the hardest hit sector when it comes to cyberattacks but federal and military organizations have been getting hammered for years, according to a recent report from the Identity Theft Resource Center (ITRC) and IDT911. Federal Times, April 13, 2016

Cyber Privacy

Warrantless searches surge as online privacy dwindles: The government’s use of warrantless searches and secret requests for information is exploding, and recent court actions have greatly expanded the reach of legal searches. The digital age is presenting challenges to our Fourth and Fifth Amendment constitutional rights in ways the Founding Fathers could never have foreseen. Infoworld, May 6, 2016
You Can’t Escape Data Surveillance In America: In America, surveillance has always played an outsized role in the relationship between creditors and debtors. In the 19th century, credit bureaus pioneered mass-surveillance techniques. Today the American debtor faces remote kill switches in their devices, GPS tracking on their leased cars, and surreptitious webcam recordings from their rent-to-own laptops. And where our buying and borrowing habits were once tracked by shopkeepers, our computers score our creditworthiness without us knowing. The Atlantic, April 29, 2016

Cyber Danger

New Firefox versions will make you activate all new add-ons – except Flash – the hacker favorite: Mozilla is excluding Flash from a more general clamp-down on the enablement of browser add-ons with the latest edition of Firefox. TheRegister, May 6, 2016
PwnedList Shutdown Unrelated to Recent Vulnerability: PwnedList, an online service that allows subscribers to monitor whether their credentials have been leaked in data breaches, said on Thursday that its decision to shut down has nothing to do with a serious vulnerability that exposed its collection of 866 million compromised credentials. ThreatPost, May 6, 2016
Ransomware grifters offer to donate proceeds of crime to charity: Ransomware crooks are offering to donate ransom fees to a children’s charity. Security experts dismiss the promise as “psychological manipulation” from unscrupulous crooks. TheRegister, May 6, 2016
No fix in sight for critical Qualcomm security bug that leaves many Android phones open to attack: For the past five years, a vulnerability in many Android phones has left users’ text messages, call histories, and possibly other sensitive data open to snooping, security researchers said Thursday. ars technica, May 5, 2016
Users at Facebook & other social media sites at risk from critical image-processing vulnerability: A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images. ars technica, May 4, 2016
Web repository of 866 million stolen usernames & passwords hacked: Last week, I learned about a vulnerability that exposed all 866 million account credentials harvested by, a service designed to help companies track public password breaches that may create security problems for their users. The vulnerability has since been fixed, but this simple security flaw may have inadvertently exacerbated countless breaches by preserving the data lost in them and then providing free access to one of the Internet’s largest collections of compromised credentials. KrebsOnSecurity, May 2, 2016

Cyber Update

Pre-loaded software lets hackers take over your Lenovo PC – Update Now: A new flaw has been discovered that’s allowing hackers to access your computer through software that comes pre-installed on Windows 7, Windows 8, Windows 8.1 and Windows 10. KimKomando, May 6, 2016

Information Security Management in the Organization

Cyber Security Management – C Suite

Ransomware is now the biggest cybersecurity threat: Ransomware has replaced advanced persistent threat (APT) network attacks as the most problematic cyberthreat — and early indications suggest that they’ll be the main problem for 2016 as a whole, cybersecurity researchers from Kaspersky Lab have warned. ZDNet, May 6, 2016
Why Cyber Crime is Targeted at Small Businesses: Mega-corporations get most of the publicity when it comes to cybercrime and hacking. But new information shows nearly half of all cybercrime targets small business, giving the cyber crooks access to huge amounts of cash and information. SmallBizTrends, May 5, 2016
Diary of a Ransomware Victim: For online casinos, business begins to peak as gamblers punch out of work and belly-up to virtual blackjack tables. But on this Tuesday in February at 5 p.m., the odds were not in the house’s favor. That’s when this virtual casino—with tens of millions of dollars in virtual transaction data, thousands of user profiles and millions invested in computer infrastructure—was hit with ransomware that risked turning a thriving business into an encrypted crime scene. ThreatPost, May 5, 2016
Verizon’s 2016 Data Breach Investigations Report finds cybercriminals are exploiting human nature: Cybercriminals are continuing to exploit human nature as they rely on familiar attack patterns such as phishing, and increase their reliance on ransomware, where data is encrypted and a ransom is demanded, finds the Verizon 2016 Data Breach Investigations Report. PR Newswire, April 27, 2016

Cyber Crime

Crooks Go Deep With ‘Deep Insert’ Skimmers: ATM maker NCR Corp. says it is seeing a rapid rise in reports of what it calls “deep insert skimmers,” wafer-thin fraud devices made to be hidden inside of the card acceptance slot on a cash machine. KrebsOnSecurity, May 5, 2016

Cyber Warning

FBI Says Incidents of Ransomware on the Rise; Provides Defensive Guidelines: Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. FBI, April 29, 2016

Cyber Defense

The 10 Worst Vulnerabilities of The Last 10 Years: From the thousands of vulns that software vendors disclosed over the past 10 years, a few stand out for being a lot scarier than the rest. DarkReading, May 6, 2016
Microsoft publishes Security Intelligence Report, including cloud data for the first time: Microsoft has published its latest biannual Security Intelligence Report (SIR), covering the second half of 2015. The SIR “analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide.” Neowin, May 5, 2016
Software-defined networking (SDN) to strengthen security in age of mobile, cloud, and IoT: LAS VEGAS – Interop 2016 – Network security as we know it ultimately will operate hand in hand with software-defined networking (SDN) and virtualization, security experts here said. DarkReading, May 5, 2016
Microsoft to retire support for SHA1 certificates in the next 4 months: Microsoft plans to retire support for TLS certificates signed by the SHA1 hashing algorithm in the next four months, an acceleration brought on by new research showing it was even more prone to cryptographic collisions than previously thought. ars technica, May 4, 2016
Aging and bloated OpenSSL is purged of 2 high-severity bugs – Update Now: Maintainers of the OpenSSL cryptographic library have patched high-severity holes that could make it possible for attackers to decrypt login credentials or execute malicious code on Web servers. ars technica, May 3, 2016

Cyber Security in Society

Cyber Underworld

Criminals Peddling Affordable AlphaLocker Ransomware-as-a-Service for $49: It’s rare a week goes by now without a new strain of ransomware making headlines. Researchers described one of the latest earlier this week, a relatively affordable ransomware-as-a-service named AlphaLocker. ThreatPost, May 5, 2016

Cyber Readiness

Top U.S. Computer Science Undergrad Programs Flunk Cybersecurity: Students can graduate from any one of the top 10 U.S. computer science programs without taking a single course on cybersecurity. Forbes, April 14, 2016

Financial Cyber Security

Anonymous Threatens Bank DDoS Disruptions: After earlier this year declaring “total war” against U.S. Republican presidential candidate Donald Trump, the hacktivist group Anonymous is now threatening global banks with 30 days of distributed denial-of-service attack disruptions. BankInfoSecurity, May 6, 2016
Qatar National Bank Confirms Large Data Leak, Downplays Damage: Following a massive data leak, Qatar National Bank has confirmed that its systems may have been hacked. A group with Turkish ties has claimed credit for the attack and reportedly threatened to release information from a second bank hack. BankInfoSecurity, May 4, 2016
Hackers’ $81 Million Sneak Attack on World Banking: Tens of millions of dollars siphoned from the Federal Reserve Bank of New York. A shadowy set of casinos in the Philippines. A large bank in Bangladesh with creaky technology. An unknown — and perhaps uncatchable — group of anonymous thieves with sophisticated hacking skills. The New York Times, April 30, 2016

Internet of Things

Connected Cars: Strategies For Reducing The Ever-Expanding Risk: The best way automakers can keep customers safe and mitigate threats to their own enterprise is to first hack themselves. DarkReading, May 6, 2016
Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarm: A smoke detector that sends you a text alert when your house is on fire seems like a good idea. An internet-connected door lock with a PIN that can be programmed from your smartphone sounds convenient, too. But when a piece of malware can trigger that fire alarm at four in the morning or unlock your front door for a stranger, your “smart home” suddenly seems pretty dumb. Wired, May 2, 2016

Cyber Sunshine

Feds arrest suspected cybercriminals accused in $1.35M theft from Oil company: When officials at Penneco Oil Co. in Delmont learned three years ago that the company’s bank accounts had been hacked and some $1.35 million was stolen, they feared the thieves would never be caught because they live in Eastern Europe. TribLive, May 6, 2016
10-year-old gets $10,000 bounty for finding Instagram vulnerability: A 10-year-old schoolboy from Finland has become the youngest recipient of a £7,000 ($10,000) award under Facebook’s bug bounty program, after he found a vulnerability that allowed anyone to delete comments on Instagram simply by planting malicious code into the photo-sharing app. ars technica, May 4, 2016

Cyber Miscellany

Panama Papers’ Source Explains Motivation Behind Leak: The source who leaked confidential information included in the so-called Panama Papers has come forward to explain why the documents were released and that more information could come. ABC News, May 6, 2016

Jeff Snyder’s Security Recruiter Blog, SecurityRecruiter.com, Jeff Snyder Coaching, 719.686.8810