Monday, June 20, 2016

Cybersecurity News for the Week of June 19, 2016

Individuals at Risk

Cyber Privacy

There Is No Such Thing as Private Data: Just a few years after social media began to permeate students’ high-school experiences, the terrifying rumors began to spread: a liberal arts college that rescinded an admissions offer after coming across a misguided Facebook post; competitive applicants that send “anonymous tips” to admissions committees with links to photos from a rival’s weekend shenanigans. The Atlantic, June 16, 2016

Cyber Danger

Research shows 50% of ads on free livestreaming websites are malicious: Millions of people use free livestreaming websites to watch sports and other live events online, but this comes with a considerable security risk. Researchers from KU Leuven-iMinds and Stony Brook University have found that viewers are often exposed to malware infections, personal data theft, and scams. HelpNetSecurity, June 17, 2016

Cyber Update

Kill Flash now. Or patch these 36 vulnerabilities. Your choice: Adobe has released an update for Flash that addresses three dozen CVE-listed vulnerabilities. TheRegister, June 16, 2016
Microsoft Patches Dozens of Security Holes: Microsoft today released updates to address more than three dozen security holes in Windows and related software. Meanwhile, Adobe — which normally releases fixes for its ubiquitous Flash Player alongside Microsoft’s monthly Patch Tuesday cycle — said it’s putting off today’s expected Flash patch until the end of this week so it can address an unpatched Flash vulnerability that already is being exploited in active attacks. KrebsOnSecurity, June 14, 2016

Information Security Management in the Organization

Cyber Security Management – C Suite

Security Strategy: Business Alignment, Defense-in-Depth & Phased Approach: Business alignment, defense-in-depth and a phased approach are three principles to follow when building out a solid security program. DarkReading, June 17, 2016

Cyber Awareness

Users are first line of defense against new Microsoft Office attacks #JustSayNo: Attackers have rekindled their love affair with Windows macros over the last few years, using the series of automated Office commands as an attack vector to spread malware. And while hackers will surely continue to use macros, at least until the technique becomes ineffective, new research suggests they may be shifting gears and beginning to use another proprietary Microsoft technology to deliver threats. ThreatPost, June 16, 2016

Cyber Warning

Cisco’s small business Wi-Fi routers open to attack, no patch available: Security researcher Samuel Huntley has discovered four vulnerabilities in Cisco’s RV range of small business Wi-Fi routers, the worst of which could allow an unauthenticated, remote attacker to execute arbitrary code as root on a targeted system. HelpNetSecurity, June 16, 2016
New Ransomware Attack Locks Androids, incl Smart TVs: Security researchers have spotted an updated strain of ransomware that’s designed to infect and lock Android devices, including mobile phones, tablets as well as smart TVs (see Why ‘Smart’ Devices May Not Be Secure). BankInfoSecurity, June 14, 2016

Cyber Defense

Gartner Predicts Top Ten InfoSec Technologies: Analyst group Gartner has identified the top ten technologies it believes are shaping the information security industry in 2016, and what impact they will have on the companies operating within it. InfoSecurity, June 15, 2016
Why you need to test backups! 12 years of data – 100,000 records – lost: The database of the Air Force’s Automated Case Tracking System (ACTS)—which is used by the Air Force Inspector General’s Office to manage investigations into complaints from whistleblowers of waste, fraud, and abuse; Freedom Of Information Act requests; and congressional inquiries—has become corrupted, rendering over 100,000 case files dating back to 2004 unreadable. And because of the way the database was backed up, an Air Force spokesperson said that neither the service nor Lockheed Martin—the contractor that operates the ACTS system for the Air Force—can recover the data. ars technica, June 14, 2016

Cyber Insurance

Cyber insurance is changing the way we look at risk: If, or more accurately, when your company is hit by a cyber attack, do you have what you need to recover? Do you know what kind of losses you can afford to absorb in your bottom line? How do you manage your risks? Have you thought about whether you need cyber insurance? TechCrunch, June 13, 2016
Cyber Insurance: Is It Worth It?: Just days after a federal appellate court supported a community bank’s claims that its $485,000 account-takeover loss should be covered by insurance, a federal district court in Arizona ruled that restaurant chain P.F. Chang’s China Bistro should not be reimbursed by its cyber insurer for fees it paid to its merchant services provider related to its 2013 card breach. BankInfoSecurity, June 7, 2016

Cyber Security in Society

Cyber Attack

Smut shaming: Anonymous fights Islamic State… with porn: Elements of the Anonymous hacking collective have switched tactics in a campaign against supporters of the self-styled Islamic State by attempting to shame and humiliate jihadists by adding pornographic images to their social media profiles. TheRegister, June 16, 2016

Cyber Espionage

“Guccifer” leak of DNC Trump research has a Russian’s fingerprints on it: We still don’t know who he is or whether he works for the Russian government, but one thing is for sure: Guccifer 2.0—the nom de guerre of the person claiming he hacked the Democratic National Committee and published hundreds of pages that appeared to prove it—left behind fingerprints implicating a Russian-speaking person with a nostalgia for the country’s lost Soviet era. ars technica, June 16, 2016
Russian government hackers penetrated DNC, stole opposition research on Trump: Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach. The Washington Post, June 14, 2016

Cyber Underworld

For sale: 70k hacked government and corporate servers—for as little as $6 apiece: Underscoring the flourishing world of for-profit hacking, researchers have uncovered a thriving marketplace that sells access to more than 70,000 previously compromised servers, in some cases for as little as $6 apiece. ars technica, June 15, 2016

National Cyber Security

NATO Officially Declares Cyberspace A Domain For War: The North Atlantic Trade Organization (NATO) has officially declared cyberspace a warfare domain and said a cyberattack on any of its allies will be tackled collectively. This was announced at a meeting by NATO secretary general Jens Stoltenberg, reports Infosecurity. DarkReading, June 17, 2016
Inside the Slow Workings of the U.S.-China Cybersecurity Agreement: Getting the world’s two largest powers to work together on a subject as touchy as cybersecurity was always bound to be difficult. The Wall Street Journal, June 15, 2016
South Korea thwarted massive cyberattack by North targeting 140,000 government and private systems: North Korea-based hackers breached more than 140,000 computers of South Korean government agencies and firms, and allegedly planted malicious software in the systems. The hack, which was intended to lay the ground for an overall massive cyberattack, has been thwarted, authorities in Seoul said. IBTimes, June 13, 2016
NSA interested in exploiting internet-connected medical devices, spying on IoT: The NSA is eyeing IoT and internet-connected medical devices for possible exploits so it can remotely monitor targets via their biomedical and other smart devices. ComputerWorld, June 13, 2016

Cyber Vulnerability

Researchers use phone system vulnerability to hijack Facebook account: Positive Technologies researchers have demonstrated that knowing a user’s phone number and how to exploit a vulnerability in the SS7 network is enough to hijack that user’s Facebook account. HelpNetSecurity, June 16, 2016

Cyber Law

FTC Ruling in Data Security Battle with LabMD Delayed until July 28: The messy legal drama between the Federal Trade Commission and cancer testing laboratory LabMD over a data security dispute has been stretched out to last a little longer. The FTC has extended its deadline for making a ruling on whether it will affirm or overturn an “initial decision” last year by a FTC administrative law judge to dismiss the FTC’s case against LabMD. HealthInfoSecurity, June 17, 2016

Financial Cyber Security

ATM Insert Skimmers In Action: KrebsOnSecurity has featured several recent posts on “insert skimmers,” ATM skimming devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. I’m revisiting the subject again because I’ve recently acquired how-to videos produced by two different insert skimmer peddlers, and these silent movies show a great deal more than words can tell about how insert skimmers do their dirty work. KrebsOnSecurity, June 13, 2016

Cyber Standard

NIST Plans Cybersecurity Framework Update: The National Institute of Standards and Technology plans to update its 2-year-old cybersecurity framework late next year, says Matt Barrett, program manager. BankInfoSecurity, June 7, 2016

Internet of Things

White hat hacker finds WiFi flaws in mobile app for popular auto; Mitsubishi working on fix. DarkReading, June 17, 2016

Cyber Sunshine

FBI Raids Spammer Outed by KrebsOnSecurity: Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email artist currently flagged by anti-spam activists as one of the world’s Top 10 Worst Spammers, was reportedly raided by the FBI in connection with a federal spam investigation. KrebsOnSecurity, June 16, 2016

Secure the Village

Final CISA Guidance for Cybersecurity Information Sharing Published: On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and Department of Justice issued Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (“Final Procedures”) that provide information on how DHS will implement the Cybersecurity Information Sharing Act of 2015 (“CISA”). The Final Procedures were accompanied by Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act of 2015 (“Guidance”). These documents represent finalized versions of interim guidance and procedures which, as we have previously reported, were issued in February. DataProtectionReport, June 17, 2016

Cyber Miscellany

Preliminary Agreement Reached On Airline Cybersecurity: A team comprising government and aviation experts has arrived at a preliminary agreement on proposals to improve cybersecurity in the airline industry, reports The Wall Street Journal (WSJ) quoting people close to the matter. Recommendations are expected to include installing alert systems in cockpits to warn against compromise of critical safety networks. DarkReading, June 14, 2016

Jeff Snyder’s Security Recruiter Blog, SecurityRecruiter.com, 719.686.8810