Sunday, August 14, 2016

Cyber Security News of the Week, August 14, 2016

CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP

Individuals at Risk

Cyber Update

Got Microsoft? Time to Patch Your Windows: Microsoft churned out a bunch of software updates today to fix some serious security problems with Windows and other Microsoft products like Internet Explorer (IE), Edge and Office. If you use Microsoft, here are some details about what needs fixing. KrebsOnSecurity, August 9, 2016

Cyber Danger

Road Warriors: Beware of ‘Video Jacking’: A little-known feature of many modern smartphones is their ability to duplicate video on the device’s screen so that it also shows up on a much larger display — like a TV. However, new research shows that this feature may quietly expose users to a simple and cheap new form of digital eavesdropping. KrebsOnSecurity, August 11, 2016

Cyber Defense

SMS or authenticator app – which is better for two-factor authentication?: In the comments of one of our recent two-factor authentication (2FA) articles, we received a question about whether it was better to use an SMS (text message) code as your second factor of authentication, or to use a dedicated authenticator app to generate the code. Naked Security, August 12, 2016
Gmail to provide security alerts in bid to make email safer: Starting this week, we’re introducing two new security warnings in Gmail to help you keep your email safer. Google Apps, August 10, 2016

Information Security Management in the Organization

Information Security Governance

Cybersecurity skills crisis adds to cyber risk: Cybersecurity staffing continues to be a problem, a new report has found. Intel Security says a massive 82 percent of IT professionals that it surveyed are battling a shortage in workers specializing in cybersecurity. Network World, August 12, 2016
Security, Privacy, Risk: Think Convergence for Faster Response, Lower Costs: Security leadership has come a long way since the days when the CIO – and later CSO or CISO – was required to just be an information security or “cyber” expert. Running a security department now requires not just technical acumen but also business acumen. But the best organizations take it even further, by creating converged programs, says Roland Cloutier, CSO of Roseland, NJ-based global business outsourcing services provider ADP. BankInfoSecurity, August 12, 2016
A RISK-DRIVEN APPROACH TO SECURITY, FROM CHECK BOXES TO RISK MANAGEMENT FRAMEWORKS: Most industries are under regulatory pressure, so they take a compliance-driven approach to security to meet minimum requirements. But compliance requirements are often static and prescriptive, according to security executives. Compliance gives organizations a false sense of security that can be misleading, and it provides only a one-time snapshot. Security Intelligence, August 12, 2016
Gartner Says Worldwide Information Security Spending Will Grow 8% to $81B in 2016: Worldwide spending on information security products and services will reach $81.6 billion in 2016, an increase of 7.9 per cent over 2015, according to Gartner, Inc. Consulting and IT outsourcing are currently the largest categories of spending on information security. Until the end of 2020, the highest growth is expected to come from security testing, IT outsourcing and data loss prevention (DLP). IT Security Guru, August 11, 2016
Security Portfolios: A Different Approach To Leadership: In a recent column, I introduced the idea of cybersecurity portfolios, and today I want to talk more about how to use them. Essentially, a “cyber portfolio” or a “controls portfolio” is a way to model the state of your security based on the investments you’re making. This is analogous to how your financial portfolio is a model of your financial investments. DarkReading, August 11, 2016

Cyber Warning

Beware of browser hijacker that comes bundled with legitimate software: Lavians, a “small software vendor team,” is packaging its offerings with a variant of browser-hijacking malware Bing.vc. HelpNetSecurity, August 12, 2016
Data Breach At Oracle’s MICROS Point-of-Sale Division: A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems. KrebsOnSecurity, August 8, 2016

Cyber Defense

USBFILTER: Packet-level firewall for blocking USB-based threats: The problem of planted malicious USB devices is compounded by the fact that, no matter what, users will rarely stop to think and ultimately choose not to insert them because they don’t know what could be on them. Curiosity gets the better of them, and, according to recent research by Google’s Elie Bursztein, some of them want to discover to whom the stick belongs and return it. HelpNetSecurity, August 12, 2016
Use HTTPS to block hijacking vulnerability: Computer scientists have discovered a serious Internet vulnerability that allows attackers to terminate connections between virtually any two parties and, if the connections aren’t encrypted, inject malicious code or content into the parties’ communications. ars technica, August 10, 2016

Cyber Update

IPv6 router bug: Juniper spins out hotfix to thwart DDoS attacks: Juniper Networks has found and mostly patched a flaw in the way the firmware on its routers processes IPv6 traffic, which allowed malicious users to simulate Direct Denial of Service attacks. ars technica, August 9, 2016

Cyber Security in Society

Cyber Privacy

Microsoft’s Mistaken Leak of Secure Boot Key Illustrates Risk of Encryption Backdoors: Opponents of the government’s constant talk about intentional backdoors and exceptional access finally may have their case study as to why it’s such a bad idea. ThreatPost, August 11, 2016

Cyber Attack

Hackers Attack Olympics World Anti-Doping Agency, Court of Arbitration for Sport: Two organizations that handle drug use by Olympic athletes say they were targeted by hackers. The Daily Dot, August 12, 2016

Cyber Espionage

Espionage Malware Penetrates Air-Gapped Networks: Security researchers are warning that they’ve discovered a highly advanced and targeted cyber-espionage campaign that appears to have been running since 2011, and which remains active. The APT malware used by the group behind the campaign is remarkable in part not only for having remained undetected for so long, but also for its ability to exfiltrate data from air-gapped networks using multiple techniques, including by piggybacking on network protocols, researchers say. BankInfoSecurity, August 9, 2016

Know Your Enemy

I’m completely paranoid after week at #BlackHat #DefCon: I was somewhere around the Paris Hotel on the edge of the Las Vegas Strip when the paranoia began to take hold. BusinessInsider, August 12, 2016
Financial cyber attacks increase as malware writers join forces: Financial malware attacks increased 16% in the second quarter of the year, driven by collaboration between the developers of two banking Trojans in the top financial malware threats, says Kaspersky Lab. ComputerWeekly, August 12, 2016
DIY bank account raiding trojan kit touted in dark web dive bars: Cybercrooks are touting a new DIY financial crime kit that lets you roll your own ZeuS-like software nasty. TheRegister, August 12, 2016

Cyber Law

Fighting for Jurisdiction Post-Breach: In today’s environment, federal and state regulators come at breached companies from all angles, with requests for investigative information, breach response plans and fines. Attorney Deborah Gersh, co-chair of the healthcare practice at law firm Ropes & Gray LLP, says it’s easy for organizations to become overwhelmed when numerous regulators demand answers simultaneously in the wake of a breach. By having well-defined breach response plans in place before an incident, however, organizations can streamline their procedures to ensure compliance without damaging their reputations. BankInfoSecurity, August 10, 2016
FTC Overturns Administrative Law Judge’s LabMD Ruling on Appeal: The Federal Trade Commission (FTC), on July 29, 2016, vacated Chief Administrative Law Judge D. Michael Chappell’s Initial Decision dismissing the FTC’s data security complaint against medical testing company, LabMD, Inc. (“LabMD”). LabMD was the first litigated data security action before the FTC. The National Law Review, August 4, 2016

Cyber Gov

OPM Taps DoD IT Leader as New CIO: The U.S. Office of Personnel Management – besmirched by a 2015 breach that exposed the personal information of 21.5 million individuals – turns to the military for its new chief information officer. BankInfoSecurity, August 10, 2016

Cyber Politics

Hacker Releases More Democratic Party Documents: WASHINGTON — A hacker believed to be tied to the Russian intelligence services made public another set of internal Democratic Party documents on Friday, including the personal cellphone numbers and email addresses of nearly 200 lawmakers. The New York Times, August 12, 2016
DNC announces formation of cybersecurity board in email hack’s aftermath: The Democratic National Committee has assembled a cybersecurity advisory board in the wake of the hack attack that resulted in thousands of internal party emails being leaked online, Politico reported Thursday. WashingtonTimes, August 12, 2016
Democratic, GOP leaders got a secret briefing on DNC hack last year: Top Congressional leaders were briefed a year ago on the Russian hack of the Democratic National Committee but were sworn to secrecy by intelligence officials. ars technica, August 12, 2016
Hack of Democrats’ Accounts Was Wider Than Believed, Officials Say: WASHINGTON — A Russian cyberattack that targeted Democratic politicians was bigger than it first appeared and breached the private email accounts of more than 100 party officials and groups, officials with knowledge of the case said Wednesday. The New York Times, August 10, 2016
How to Hack an Election in 7 Minutes: When Princeton professor Andrew Appel decided to hack into a voting machine, he didn’t try to mimic the Russian attackers who hacked into the Democratic National Committee’s database last month. He didn’t write malicious code, or linger near a polling place where the machines can go unguarded for days. Politico, August 5, 2016
America’s Electronic Voting Machines Are Scarily Easy Targets: THIS WEEK, GOP presidential candidate Donald Trump openly speculated that this election would be “rigged.” Last month, Russia decided to take an active role in our election. There’s no basis for questioning the results of a vote that’s still months away. But the interference and aspersions do merit a fresh look at the woeful state of our outdated, insecure electronic voting machines. Wired, August 2, 2016

Internet of Things

A New Wireless Hack Can Unlock 100 Million Volkswagens: IN 2013, WHEN University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995. Wired, August 10, 2016
FDA Addresses Medical Device Cybersecurity Modifications: New Food and Drug Administration draft guidance aims to alleviate a common topic of confusion in the healthcare sector: whether medical device makers need to submit for FDA review the modifications manufacturers make that affect cybersecurity in existing products. HealthInfoSecurity, August 9, 2016

Cyber Research

New chip cards subject to fraud: Security researchers are eager to poke holes in the chip-embedded credit and debit cards that have arrived in Americans’ mailboxes over the last year and a half. Although the cards have been in use for a decade around the world, more brains trying to break things are bound to come up with new and inventive hacks. And at last week’s Black Hat security conference in Las Vegas, two presentations demonstrated potential threats to the security of chip cards. The first involved fooling point-of-sale (POS) systems into thinking that a chip card is a magnetic stripe card with no chip, and the second involved stealing the temporary, dynamic number generated by a chip card and using it in a very brief window of time to request money from a hacked ATM. ars technica, August 11, 2016
Robot Hackers Could Be the Future of Cybersecurity: A dozen years ago the Defense Advanced Research Projects Agency (DARPA) held its first “grand challenge” to see if autonomous automobiles could cross a 240-kilometer stretch of the Mojave Desert on their own. Mechanical problems and mishaps ended the race before any of the competitors had gone more than 12 kilometers. DARPA, the U.S. Department of Defense’s research arm, is looking for a better outcome Thursday in its inaugural Cyber Grand Challenge, where seven autonomous computers battle one another in what the agency claims is the “world’s first all-machine hacking tournament.” Scientific American, August 4, 2016

Cyber Miscellany

Airlines Need Core Software Rewrite to Avoid Future Outages Like Delta’s: Airlines will likely suffer more disruptions like the one that grounded about 2,000 Delta flights this week because major carriers have not invested enough to overhaul reservations systems based on technology dating to the 1960s, airline industry and technology experts told Reuters. Fortune, August 12, 2016