Sunday, November 06, 2016

Cyber Security News of the Week, November 6, 2016


 

 CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP

  

Individuals at Risk

Identity Theft

IRS and Security Summit partners expand identity theft safeguards for 2017: As the IRS, taxpayers, and tax practitioners get ready for the 2017 tax filing season, the IRS touted the successes that it and its Security Summit partners have had in reducing tax return identity theft during the 2016 filing season and described how it will expand its efforts in the fight for 2017 (IR-2016-144). Security Summit partners include state tax authorities, tax preparation businesses (including tax preparation software companies), and banks. Journal of Accountancy, November 3, 2016

Cyber Privacy

Encryption Policy in the Modern Age: A Not So Simple Debate: Stanford University researchers shared the fruits and frustrations of their efforts to clarify the government’s current practices around the encryption of electronic devices during a Crypto Policy Project event Nov. 2. GovernmentTechnology, November 3, 2016

Cyber Warning

PHONY ANDROID FLASH PLAYER INSTALLS BANKING MALWARE: Security researchers warn that a bogus Flash Player app aimed at Android mobile devices has surfaced and is luring victims to download and install banking malware that steals credit card information and can defeat two-factor identification schemes. ThreatPost. November 1, 2016

Cyber Update

Updated WeMo smart home devices patches Android phones spying vulnerability: If it isn’t routers, web cameras and maybe even printers feeding into the Mirai botnet – the malware that delivered the most powerful distributed denial of service (DDoS) attack in recent history – then it’s a home automation kit from WeMo that could have let attackers get at its Android app and spy on phones. NakedSecurity, November 3, 2016

Cyber Defense

Google’s Chrome to begin shaming websites not using https: IN A SHOW of hacker team spirit in August of last year, Parisa Tabriz ordered hoodies for the staff she leads at Google, a group devoted to the security of the company’s Chrome browser. The sweatshirts were emblazoned with the words “Department of Chromeland Security,” along with Chrome’s warning to users when they visit insecure websites that leave them open to surveillance or sabotage: a red padlock crossed out with an X. Wired, November 3, 2016

Information Security Management in the Organization

Information Security Management and Governance

Directors Focusing More on Cybersecurity — But Is It Enough?: Three-quarters of boards are more involved with cybersecurity than last year, but only a quarter share information externally after an attack. CFO, November 1, 2016
How to Mitigate the Threat of Ransomware: Unfortunately, ransomware attacks on corporate systems are becoming more common. Here’s how to manage the risk. CFO, August 31, 2016

Cyber Defense

Automate And Orchestrate Workflows For Better Security: Security automation has become a central goal for many organizations as they try to respond faster to more threats with limited resources. DarkReading, November 4, 2016

Cyber Awareness

Cyber Security Awareness Needs To Last Beyond October: The U.S. Department of Homeland Security (DHS) has designed October as National Cyber Security Awareness Month. But as we leave October, remember that data security is an ongoing challenge that requires continued vigilance not just from information system hacking, but also from employee error and other threats. Setting up a comprehensive training and awareness program is critical – and this outline can help you continue keeping your organization aware of cyber security throughout the year. The National Law Review, October 31, 2016

Cyber Warning

Ransomware Attacks Have More Than Doubled In Q3, Says New Kaspersky Report: Q3 cyber threat study by Kaspersky Lab says ransomware modifications have risen 3.5 times and newer countries are coming under attack. DarkReading, November 4, 2016
Outlook Web Access Two-Factor Authentication Bypass Discovered: Enterprises running Exchange Server have been operating under a false sense of security with regard to two-factor authentication implementations on Outlook Web Access (OWA) adding an extra layer of protection. ThreatPost, November 3, 2016

Cyber Law

Right To Facebook In The Constitution? North Carolina Cyberlaw Goes To The United States Supreme Court: The Supreme Court of the United States has just agreed to the hear Packingham v. United States. The grant of certiorari reflects the increasing integration of cyberlaw with mainstream constitutional litigation. Packingham, which we have previously analyzed, involved N.C.G.S. § 14-202.5, a North Carolina statute prohibits registered sex offenders from using websites available to minors. mondaq, November 3, 2016
Those Suing Anthem re Cyber Breach Seek Security Audit Documents: Plaintiffs suing Anthem Inc. in the wake of a cyberattack that exposed information on nearly 80 million individuals in 2015 want a court to open the door to revealing more of the results of audits of the insurer conducted by the U.S. Office of Personnel Management. BankInfoSecurity, November 3, 2016

Cyber Insurance

Cyber Insurance Purchasing Slowing After 6 Years of Fast Growth: The overall upward trend of organizations purchasing cyber insurance continued in 2016, however there are signs the market is slowing after six years of rapid growth. InsuranceJournal, November 1, 2016
Boards Push Insurers to Quantify Cyber Risks: Galvanized by recent cyber attacks against corporations, boards of directors are pushing their companies’ risk managers as well as the insurance industry to quantify cyber risks. The push for better predictive data on computer breaches stems from directors’ desire for clarity on how to either self-fund or transfer the risk to insurance companies. CFO, October 31, 2016
Cybersecurity Insurance Becoming a Must-Have: A new survey finds 80% of companies bought a stand-alone cybersecurity policy in 2016, suggesting such plans are quickly becoming the new norm. CFO, October 13, 2016

Cyber Career

How Businesses, Employees Can Navigate The Security Hiring Process: At Black Hat Europe 2016, security experts weigh in on how companies can build strong security teams, and how employees can educate themselves to meet business needs. DarkReading, November 4, 2016
NICE framework: Resource for a strong cybersecurity workforce: The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) released a resource that will help U.S. employers more effectively identify, recruit, develop and maintain cybersecurity talent. HelpNetSecurity, November 4, 2016
Veterans Are A Valuable Cybersecurity Workforce. Why?: As a former United States Marine I believe veterans can be instrumental in helping to close the growing cybersecurity skills and people gap. My own story reveals how a military background can provide the perfect foundation for a successful career in infosec. ITSP Magazine, November 2, 2016

Cyber Security in Society

Cyber Attack

Did the Mirai Botnet Really Take Liberia Offline?: KrebsOnSecurity received many a missive over the past 24 hours from readers who wanted to know why I’d not written about widespread media reports that Mirai — a malware strain made from hacked “Internet of Things” (IoT) devices such as poorly secured routers and IP cameras — was used to knock the entire country of Liberia offline. The trouble is, as far as I can tell no such nationwide outage actually occurred. KrebsOnSecurity, November 4, 2016
Computer Virus Cripples UK Hospital System: Citing a computer virus outbreak, a hospital system in the United Kingdom has canceled all planned operations and diverted major trauma cases to neighboring facilities. The incident came as U.K. leaders detailed a national cyber security strategy that promises billions in cybersecurity spending, new special police units to pursue organized online gangs, and the possibility of retaliation for major attacks. KrebsOnSecurity, November 2, 2016
Lessons From the Dyn DDoS Attack: A week ago Friday, someone took down numerous popular websites in a massive distributed denial-of-service (DDoS) attack against the domain name provider Dyn. DDoS attacks are neither new nor sophisticated. The attacker sends a massive amount of traffic, causing the victim’s system to slow to a crawl and eventually crash. There are more or less clever variants, but basically, it’s a datapipe-size battle between attacker and victim. If the defender has a larger capacity to receive and process data, he or she will win. If the attacker can throw more data than the victim can process, he or she will win. Schneier On Security, November 1, 2016

Know Your Enemy

Inside HackForums’ rebellious cybercrime empire: If you woke up on Oct. 21 and wondered why portions of the internet were gone, the answer may run through HackForums.net. CyberScoop, October 21, 2016

National Cyber Security

What’s the biggest cyber threat on Election Day? (opinion): (CNN)Leading up to Election Day, there are renewed intelligence concerns of a possible terrorist attack planned by al Qaeda. CNN , November 4, 2016
U.S. Boosts Cyber Defenses for Election: Federal and state authorities are beefing up cyber defenses against potential electronic attacks on voting systems ahead of the U.S. elections on Nov. 8, but taking few new steps to guard against possible civil unrest or violence. Fortune, November 4, 2016
White House Readies to Fight Election Day Cyber Mayhem : The U.S. government believes hackers from Russia or elsewhere may try to undermine next week’s presidential election and is mounting an unprecedented effort to counter their cyber meddling, American officials told NBC News. NBC, November 3, 2016
Five Possible Hacks to Worry About Before Election Day: WASHINGTON — President Vladimir V. Putin of Russia dismisses the idea that he has the power to interfere with Tuesday’s election. “Does anyone seriously think that Russia can affect the choice of the American people?” he asked during a foreign policy conference last week in the resort city of Sochi. “What, is America a banana republic? America’s a great power. Correct me if I’m wrong.” The New York Times, November 4, 2016
Election hacking hype: A reality check from an information security specialist: Over the past several years, hacking and information security have emerged from the shadows to sit center stage among society’s most prominent topics today. We see information security (infosec) portrayed in pop culture, across headlines just about every day, and now even as a major point of discussion in the impending presidential election. GeekWire, November 1, 2016
E-Voting Refuses to Die Even Though It’s Neither Secure nor Secret: In theory, using the internet or e-mail to vote for the U.S. president sounds like a good idea. It would be easier than rushing to the nearest polling station before or after work, and it might pull in notoriously apathetic younger voters already living most of their lives via screens. But in reality these online channels have proved to be terribly insecure, plagued by cyber attacks and malicious software able to penetrate supposedly well-protected financial, medical and even military systems. Scientific American, October 31, 2016

Cyber Politics

A Russia-Linked Twitter Account Encourages Hackers To Monitor US Elections: In a series of tweets Friday morning, the Guccifer2.0 Twitter account claimed that Democrats would try to rig the elections, and invited hackers to help monitor the vote on November 8. BuzzFeedNews, November 4, 2016

Critical Infrastructure

WWW founder Tim Berners-Lee warns of data sabotage as cities become ‘smart’: Practically everybody loves open data, ie “data that anyone can access, use or share”. And nobody loves it more than Tim Berners-Lee, creator of the World Wide Web, and co-founder of the Open Data Institute (ODI). NakedSecurity, November 4, 2016

Internet of Things

The Internet of Trouble: Securing Vulnerable IoT Devices. Advice for Home Users: There are times when perception will coalesce around something that has been previously known, but not taken seriously. That is what happened recently with the distributed denial-of-service (DDoS) weaponization of the Internet of Things (IoT). Although government agencies have issued warnings about the potential problem of vulnerable IoT devices, nobody has ever really done anything about it. SecurityIntelligence, November 4, 2016
Many wireless “smart” devices have security flaws that let hackers spread malicious code through them: SAN FRANCISCO — The so-called Internet of Things, its proponents argue, offers many benefits: energy efficiency, technology so convenient it can anticipate what you want, even reduced congestion on the roads. The New York Times, November 3, 2016
StarHub DDoS Attack Raises IoT Security Concerns: Volume of Devices & Lack of Security Standards: Security experts are concerned that there may be millions of infected internet of things devices, given the intensity of recent distributed denial-of-service attacks such as the one that hit Singaporean ISP StarHub last week (see: DDoS Attacks Also Slammed Singapore ISP’s DNS Services). BankInfoSecurity, November 2, 2016
New, more-powerful IoT botnet infects 3,500 devices in 5 days: There’s a new, more powerful Internet-of-things botnet in town, and it has managed to infect almost 3,500 devices in just five days, according to a recently published report. ars technica, November 1, 2016
IoT Growing Faster Than the Ability to Defend It: With this year’s approaching holiday gift season the rapidly growing “Internet of Things” or IoT—which was exploited to help shut down parts of the Web this past Friday—is about to get a lot bigger, and fast. Christmas and Hanukkah wish lists are sure to be filled with smartwatches, fitness trackers, home-monitoring cameras and other wi-fi–connected gadgets that connect to the internet to upload photos, videos and workout details to the cloud. Unfortunately these devices are also vulnerable to viruses and other malicious software (malware) that can be used to turn them into virtual weapons without their owners’ consent or knowledge. Scientific American, October 26, 2016

Cyber Sunshine

Ne’er-Do-Well News and Cyber Justice: Way back in the last millennium when I was a lowly copy aide at The Washington Post, I pitched the Metro Section editor on an idea for new column: “And the Good News Is…” The editor laughed me out of her office. But I still think it’s a decent idea — particularly in the context of cybersecurity — to periodically highlight the good news when people allegedly responsible for spewing so much badness online are made to face justice. KrebsOnSecurity, November 4, 2016
UK Teen pleads guilty to creating DDoS tool used to make $385,000 in 1.7 million attacks: A 19-year-old UK teenager from Hertfordshire has pleaded guilty to creating and running the Titanium Stresser booter service, with which he launched 594 denial of service (DDoS) attacks. NakedSecurity, November 3, 2016

Jeff Snyder’s, SecurityRecruiter.com, Jeff Snyder CoachingSecurity Recruiter Blog, 719.686.8810

SecurityRecruiter.com's Security Recruiter Blog