Sunday, July 24, 2016

Cybersecurity News for the Week of July 24, 2016

CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Individuals at Risk

Cyber Privacy

Hackers penetrate Illinois voter registration database: SPRINGFIELD — The Illinois State Board of Elections’ online voter registration system remained down Thursday afternoon in the wake of a cyberattack last week. NWI.com, July 22, 2016

Cyber Danger

Victims of Tinder safe dating scam can lose a lot of money: Users of Tinder, the massively popular location-based dating app, are being targeted with a clever scam that may make them lose over $100 per month. HelpNetSecurity, July 22, 2016

Cyber Update

GOOGLE FIXES 48 BUGS, SANDBOX ESCAPE, IN CHROME: Google has patched a high-risk vulnerability in its Chrome browser that allows an attacker to escape the Chrome sandbox. ThreatPost, July 21, 2016
Update now: Macs and iPhones have a Stagefright-style bug!: Remember Stagefright? Stagefright was one of 2015’s most newsworthy BWAINs (Bugs with an Impressive Name): a security hole, or more accurately a cluster of holes, in Android’s libstagefright multimedia software component. NakedSecurity, July 20, 2016

Cyber Defense

FIREFOX TO BLOCK FLASH IN AUGUST, DISABLE IN 2017: Starting next year, Firefox users who navigate to pages that contain Flash will be asked for their consent before activating the plugin. The move, long expected, comes as developers seek to curb usage of Flash in everyday web browsing. ThreatPost, July 21, 2016

Information Security Management in the Organization

Information Security Management and Governance

Majority Of Companies Say Trade Secrets Likely Compromised, Says New Ponemon Study: About 60 percent of companies in a survey by Ponemon and Kilpatrick Townsend say at least some of their trade secrets are likely in the hands of rivals. DarkReading, July 21, 2016
The Information Security Leader: Four Fundamental Questions for Risk Analysis: To get to the heart of any matter, you need to ask the right questions. Over the last few years, information security professionals have finally come around to appreciating that “Are we secure?” is not the right question to ask in a risk analysis. SecurityIntelligence, July 19, 2016
Cyber Security: A Failure of Imagination by CEOs: Nearly a third of CEOs in KPMG’s latest global survey identified cyber security as the issue having the biggest impact on their companies today—and only half (49 percent) say they are fully prepared for a cyber event. The Atlantic, July 2016

Cyber Warning

Ransomware gangs offer stepped-up customer service; show willingness to negotiate: Three out of four ransomware criminal gangs are willing to negotiate the shakedown price. And all the operators of file encrypting ransomware scams will give victims more time to pay up. TheRegister, July 21, 2016
Criminals package banking malware inside legitimate software tool’s installation program: A criminal gang recently found an effective way to spread malware that drains online bank accounts. According to a blog post published Monday, they bundled the malicious executable inside a file that installed a legitimate administrative tool available for download. ars technica, July 18, 2016

Cyber Defense

Preventing Breaches Involving Personal Email: A recently reported health data breach in Colorado offers a reminder that organizations must take precautions to prevent and detect data leakage involving current and former employees inappropriately using personal email. HealthCare InfoSecurity, July 21, 2016
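One concrete way to act on the detection side of the Colorado story is to watch the outbound mail gateway for messages that carry attachments from a corporate sender to a consumer webmail domain. The following is an added example written for this page, not code from the article or from any vendor: the log format, the domain names and the sample log lines are all constructed for illustration, and the webmail domain list is an assumption that would need tuning for a real environment.

```python
# Added example: flag outbound mail with attachments sent to consumer webmail
# domains. Log format, sample lines, domain list and corporate domain are all
# constructed assumptions; the article describes no specific log format.
import re
from collections import defaultdict

# Assumed list of personal webmail domains to watch (tune per environment).
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com",
                    "hotmail.com", "aol.com", "icloud.com"}
CORPORATE_DOMAIN = "example-health.org"   # assumed corporate mail domain

# Constructed mail-gateway log: timestamp, sender, recipient, attachment
# count and message size. Line 4 has no attachment and is deliberately
# not flagged; line 2 goes to a business partner and is not flagged either.
SAMPLE_LOG = """\
2016-07-18T09:12:03Z from=jdoe@example-health.org to=jdoe.personal@gmail.com attachments=3 bytes=4823112
2016-07-18T09:15:41Z from=asmith@example-health.org to=claims@insurer.example attachments=1 bytes=210233
2016-07-18T10:02:17Z from=jdoe@example-health.org to=jdoe.personal@gmail.com attachments=2 bytes=3900001
2016-07-18T11:47:59Z from=bwong@example-health.org to=bwong@yahoo.com attachments=0 bytes=1820
2016-07-18T12:30:00Z from=hr@example-health.org to=all@example-health.org attachments=1 bytes=55000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) "
    r"attachments=(?P<att>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one gateway log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["att"] = int(rec["att"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def is_webmail_exfil_candidate(rec):
    """Corporate sender, personal webmail recipient, at least one attachment."""
    return (domain(rec["from"]) == CORPORATE_DOMAIN
            and domain(rec["to"]) in PERSONAL_WEBMAIL
            and rec["att"] > 0)


def find_candidates(log_text):
    """Return the parsed records that match the detection rule."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and is_webmail_exfil_candidate(r)]


def summarize_by_sender(records):
    """Aggregate flagged messages per sender so repeat offenders stand out."""
    totals = defaultdict(lambda: {"messages": 0, "attachments": 0, "bytes": 0})
    for r in records:
        t = totals[r["from"]]
        t["messages"] += 1
        t["attachments"] += r["att"]
        t["bytes"] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for sender, t in summarize_by_sender(find_candidates(SAMPLE_LOG)).items():
        print(f"{sender}: {t['messages']} msgs, {t['attachments']} attachments, {t['bytes']} bytes")
```

Attachment count alone is a coarse signal; in practice the same rule is usually combined with DLP content classification and with a baseline of each sender's normal volume, and the webmail list is replaced by a feed rather than a hard-coded set.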
Tools & Training To ‘Hack Yourself’ Into Better Security: How to teach your blue team to think like the red team when your network is under attack and time is your most valuable asset. DarkReading, July 21, 2016
Wave of business websites hijacked to deliver crypto-ransomware: If you’ve visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for. These sites are redirecting visitors to a malicious website that attempts to install CryptXXX—a strain of cryptographic ransomware first discovered in April. ars technica, July 19, 2016
Most companies still can’t spot incoming cyberattacks: More than three quarters of organisations vulnerable to hackers due to lack of cybersecurity staff or tools, says report. ZDNet, July 18, 2016

Cyber Security in Society

Cyber Crime

Owner & Directors at UK infosec company confess to hacking rival reseller; Sentencing in September: Five men working at UK-based IT security reseller Quadsys confessed today to hacking into a rival’s database. TheRegister, July 21, 2016
Cici’s Pizza: Card Breach at 130+ Locations: Cici’s Pizza, a Coppell, Texas-based fast-casual restaurant chain, today acknowledged a credit card breach at more than 135 locations. The disclosure comes more than a month after KrebsOnSecurity first broke the news of the intrusion, offering readers a sneak peek inside the sprawling cybercrime machine that thieves used to siphon card data from Cici’s customers in real time. KrebsOnSecurity, July 19, 2016

Cyber Underworld

Canadian Man Behind Popular ‘Orcus RAT’: Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce as a purely legitimate enterprise. Here’s the story of how I learned the real-life identity of a Canadian man who’s laboring under that same illusion as proprietor of one of the most popular and affordable tools for hacking into someone else’s computer. KrebsOnSecurity, July 21, 2016
Carbanak Gang Tied to Russian Security Firm?: Among the more plunderous cybercrime gangs is a group known as “Carbanak,” Eastern European hackers blamed for stealing more than a billion dollars from banks. Today we’ll examine some compelling clues that point to a connection between the Carbanak gang’s staging grounds and a Russian security firm that claims to work with some of the world’s largest brands in cybersecurity. KrebsOnSecurity, July 18, 2016

National Cyber Security

Microsoft leads effort to re-write arms control pact to reflect infosec realities: Microsoft and a team of concerned engineers from across the security sector have joined forces to suggest a major re-write of the Wassenaar Arrangement arms control pact, as they fear the document’s terms are a threat to the information security industry. TheRegister, July 21, 2016

Cyber Politics

Delegates oblivious to security risk during WiFi experiment at Republican National Convention site: Avast security researchers conducted a Wi-Fi hack experiment at various locations around the Republican National Convention site in Cleveland to demonstrate how risky it can be to connect to public Wi-Fi. HelpNetSecurity, July 22, 2016
Wikileaks posts nearly 20,000 hacked DNC emails online: Wikileaks posted a massive trove of internal Democratic National Committee emails online Friday, in what the organization dubbed the first of a new “Hillary Leaks” series. The Washington Post, July 22, 2016

Cyber Law

France Data Protection Watchdog Claims Windows 10 Privacy, Security Controls Out of Compliance with Laws: France’s data protection watchdog has slammed Microsoft Windows 10 for collecting excessive amounts of personal data and failing to use strong security controls. Under the country’s data protection laws, Microsoft may now face up to $1.7 million in fines. BankInfoSecurity, July 21, 2016
EFF FILES LAWSUIT CHALLENGING DMCA’S RESTRICTIONS ON SECURITY RESEARCHERS: The Electronic Frontier Foundation filed a lawsuit Thursday against the U.S. Government over a provision within the Digital Millennium Copyright Act that it says impinges on free speech and hobbles security researchers’ ability to do their job. ThreatPost, July 21, 2016

Critical Infrastructure

UK rail network hit by multiple cyber attacks last year: The UK railway network was the victim of at least four major cyber attacks in the last 12 months, according to a private security company that works with the network. The Telegraph, July 12, 2016

Internet of Things

Auto Industry ISAC Releases Best Practices For Connected Vehicle Cybersecurity: Goal is to provide car manufacturers with guidelines for protecting modern vehicles against emerging cyber threats. DarkReading, July 21, 2016
Tesla’s data collection may help it deflect Autopilot liability: The large volume of data Tesla Motors Inc collects from its cars on the road has armed it with information to publicly counter, and possibly legally defend, claims about the safety of its Autopilot driving-assist software, according to lawyers familiar with such cases. Reuters, July 20, 2016

Cyber Enforcement

Apple, Facebook and Coinbase provided data to finger alleged pirate king: The United States case against alleged Kickass Torrents (KAT) boss Artem Vaulin is built on data obtained from Apple, Facebook and Coinbase. TheRegister, July 22, 2016

Cyber Sunshine

Baseball exec gets 46 months in prison after hacking into rival team’s computer: A former executive for the St. Louis Cardinals baseball team, Christopher Correa, was sentenced Monday to 46 months in prison. In 2013, he successfully guessed a password to access an online database for confidential data held by another baseball team, the Houston Astros. ars technica, July 18, 2016

Secure the Village

UK Police: Combat cybercrime with national awareness campaign on scale of seatbelt & drunk-driving: Police chiefs have called for a national campaign against online fraud and other cybercrime on the scale of last century’s seatbelt and drink-driving campaigns in the wake of figures showing that one in 10 adults have been victims of such offences in the past year. The Guardian, July 21, 2016
This All-Star Team Plans to Jumpstart 100 Cybersecurity Companies in 3 Years: Chris Lynch has been known to rail against startup accelerators. The co-founder and general partner at Cambridge, Mass., venture capital firm Accomplice and former CEO of Vertica, a big data company that sold to HP in 2011, says he has a better mechanism to jumpstart startups: investment syndicates. The idea is to have experienced entrepreneurs invest in early stage companies through platforms like AngelList, a website that connects entrepreneurs, startups, and angel investors. (Accomplice backs AngelList, by the way.) Fortune, June 27, 2016

Jeff Snyder, SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810
