Monday, February 27, 2017

Cyber Security News of the Week, February 26, 2017

CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Individuals at Risk

Identity Theft

Tips to stay safe as survey claims taxpayers shrug off ID fraud warnings even as attacks rise: Pity the IRS. It’s been strenuously warning us about increased tax fraud all month. A big chunk of taxpayers have responded by yawning. Naked Security, February 24, 2017
Accenture Study: One in four U.S. consumers have had their personal medical information stolen: The Accenture study also finds that half of these victims were subject to medical identity theft and on average had to pay $2,500 in out-of-pocket costs per incident. HealthcareITNews, February 20, 2017

Cyber Privacy

Researchers show how to identify people by correlating twitter posts with web-surfing habits: If you weren’t already worried about the privacy dangers of online ad tracking, now would be a good time to start. Researchers have found a way to de-anonymise web surfing records, putting a recent US privacy ruling in jeopardy. Naked Security, February 24, 2017

Cyber Warning

Chrome hackers use ‘missing fonts’ to get you to install money-making malware on your computer: A new scam and malware campaign targeting Google Chrome users is claiming to help fix “missing fonts.” The popup window claims a new font must be installed for websites to load correctly. Clicking OK downloads money-making malware. Digital Journal, February 23, 2017

Cyber Update

Microsoft releases Adobe Flash Player fix, but doesn’t patch 2 zero-day exploits: After canceling Patch Tuesday for the first time ever, Microsoft releases a Flash patch. Fixes for the 2 vulnerabilities with public exploit code will wait until March. NetworkWorld, February 23, 2017
February Updates from Adobe, Microsoft: A handful of readers have inquired as to the whereabouts of Microsoft’s usual monthly patches for Windows and related software. Microsoft opted to delay releasing any updates until next month, even though there is a zero-day vulnerability in Windows going around. However, Adobe did push out updates this week as per usual to fix critical issues in its Flash Player software. KrebsOnSecurity, February 19, 2017

Cyber Defense

iPhone Security Strategies Outlined in Krebs’ Story “iPhone Robbers Try to iPhish Victims”: In another strange tale from the kinetic-attack-meets-cyberattack department, earlier this week I heard from a loyal reader in Brazil whose wife was recently mugged by three robbers who nabbed her iPhone. Not long after the husband texted the stolen phone — offering to buy back the locked device — he soon began receiving text messages stating the phone had been found. All he had to do to begin the process of retrieving the device was click the texted link and log in to the phishing page mimicking Apple’s site. KrebsOnSecurity, February 24, 2017

Information Security Management in the Organization

Information Security Management and Governance

Survey of pen testers identifies valuable countermeasures for improving security: If you want to know about which cyber defenses are most effective and which are a waste of money and resources, ask a hacker. And that’s just what Nuix researchers did. HelpNetSecurity, February 24, 2017
The Best of RSA Conference 2017: One cannot deny RSA Conference’s role in the global information security industry. No other single gathering serves every stakeholder – from CISOs to practitioners, from Fortune 100 to Main Street – with such unlimited potential for making connections with security professionals from all walks of life. BankInfoSecurity, February 24, 2017
Risk of hiring unqualified information security professionals rises as unemployment falls to zero: With virtually no unemployment in the field, recruiters need to look beyond certifications when vetting cybersecurity experts. WorkForce, February 23, 2017
Yahoo breach costs it $350 million (7%) in sale to Verizon: After its disclosures about massive security breaches, Yahoo apparently wasn’t worth the original $4.83 billion price tag. CNet, February 21, 2017

Cyber Awareness

Email vigilance vital. Kaspersky study says half of all phishing attacks designed to steal money: Kaspersky Lab released its analysis of the financial threat landscape in 2016, finding that almost half of all phishing attacks registered in 2016 by Kaspersky Lab’s heuristic detection technologies were aimed at stealing victims’ money. Information Security Buzz, February 24, 2017

Cyber Warning

Most penetration testers can hack a company in less than 12 hours, new survey claims: A Nuix study of DEFCON pen testers shows that the usual security controls are of little use against a determined intruder. Dark Reading, February 23, 2017
Cloudflare warns customers 5.5 million websites may have leaked highly sensitive info: Service used by 5.5 million websites may have leaked passwords and authentication tokens. ars technica, February 23, 2017
IT vendor breach puts corporate customers at risk. Krebs says notification is ‘lamest he’s seen’: Amid the hustle and bustle of the RSA Security Conference in San Francisco last week, researchers at RSA released a startling report that received very little press coverage relative to its overall importance. The report detailed a malware campaign that piggybacked on a popular piece of software used by system administrators at some of the nation’s largest companies. Incredibly, the report did not name the affected software, and the vendor in question has apparently chosen to bury its breach disclosure. This post is an attempt to remedy that. KrebsOnSecurity, February 21, 2017

Cyber Defense

How to add two-factor authentication to your WordPress site: If you employ WordPress for your personal or company sites, you owe it to yourself to set up two-factor authentication. Here’s how. TechRepublic, February 24, 2017

Cyber Law

Managing Compliance with Cybersecurity Regulations Gets More Demanding: As more government agencies get involved with creating cybersecurity regulations, security professionals will need to monitor new laws and understand which apply to their industry and whether some overlap or conflict. Increased enforcement from different agencies can mean significant consequences even if breaches are avoided. Security Intelligence, February 24, 2017

Cyber Talent

Road Map To A $200,000 Cybersecurity Job: Looking to get ahead in cybersecurity? Here are four areas to keep in mind as you make a five-year career plan. Dark Reading, February 24, 2017

Cyber Security in Society

Know Your Enemy

F-Secure identifies Russia as source of the majority of illicit cyber activity, including ransomware: Honeypot research from F-Secure shows the majority of illicit online activity coming from IP addresses in Russia – also where ransomware is a hot commodity. Dark Reading, February 23, 2017
A guided tour of the cybercrime underground: One of the strange features of cybercrime is how much of it is public. BBC, February 23, 2017
Krebs documents reasons a cybercriminal wants to hack your PC: A few years back, when I was a reporter at The Washington Post, I put together a chart listing the various ways that miscreants can monetize hacked PCs. The project was designed to explain simply and visually to the sort of computer user who can’t begin to fathom why miscreants would want to hack into his PC. “I don’t bank online, I don’t store sensitive information on my machine! I only use it to check email. What could hackers possibly want with this hunk of junk?,” are all common refrains from this type of user. KrebsOnSecurity, October 15, 2012

National Cyber Security

Should we codify in law the government’s responsibility to release vulnerability information?: The U.S. government’s role in vulnerability disclosures is a vital part of our national security and should be codified in law, said a group of policy experts at a panel discussion last week at the RSA Conference. The panelists argued that the government’s current process of vulnerability use and disclosure, called the Vulnerability Equities Process (VEP), is voluntary and should be protected by law. ThreatPost, February 23, 2017
Stewart Baker interviews CISOs at RSA: Uber, Google & Barclays Bank: In this episode, Stewart Baker goes to RSA and interviews the people that everyone at RSA is hoping to sell to – CISOs. In particular, John “Four” Flynn of Uber, Heather Adkins of Google, and Troels Oerting of Barclays Bank. We ask them what trends at RSA give them hope for the future, which make them weep, what’s truly new in cybersecurity, and what kind of help they would like from government. Steptoe Cyberblog, February 23, 2017

Cyber Defense

Apple removes Supermicro servers from data center after finding infected firmware in servers: A mid-2016 security incident led to Apple purging its data centers of servers built by Supermicro, including returning recently purchased systems, according to a report by The Information. Malware-infected firmware was reportedly detected in an internal development environment for Apple’s App Store, as well as some production servers handling queries through Apple’s Siri service. ars technica, February 24, 2017
Browsers removing support for weak hash function SHA-1 as researchers successfully attack it: The Secure Hash Algorithm-1 – aka SHA-1 – legacy cryptographic hash function has fallen. BankInfoSecurity, February 23, 2017
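The item above reports that SHA-1 collisions are now practical, but not why that matters to anyone who only verifies signatures. The script below is an added illustration, not code from the original page or from the researchers behind the attack. It uses a 32-bit truncation of SHA-1 as a stand-in for a hash whose collision resistance is gone (a birthday search finds a colliding pair in well under a second) and an HMAC over the digest as a stand-in for a real signature scheme; the templates, key and document text are constructed for the example. The point it demonstrates is general: a signature covers the digest, so once an attacker can produce two documents with the same digest, a signature the victim placed on the harmless one also validates the malicious one. The real SHAttered collision against full SHA-1 cost roughly 2^63 SHA-1 computations, far less than a generic 2^80 birthday search but nothing this script reproduces.

```python
"""Why a collision-broken hash undermines signatures (added illustration).

A 32-bit truncation of SHA-1 stands in for a hash with no collision resistance;
an HMAC over the digest stands in for a signature scheme. Neither is the real
SHAttered attack, which targets full SHA-1. Key and documents are constructed.
"""
import hashlib
import hmac

TRUNC_BYTES = 4          # toy digest size: a collision after ~2**16 tries per side
SIGNING_KEY = b"victim-signing-key (constructed for this example)"


def weak_digest(data: bytes) -> bytes:
    """Truncated SHA-1: stands in for a hash whose collision resistance is broken."""
    return hashlib.sha1(data).digest()[:TRUNC_BYTES]


def strong_digest(data: bytes) -> bytes:
    """Full SHA-256, the replacement the browsers are moving to."""
    return hashlib.sha256(data).digest()


def sign(key: bytes, doc: bytes, digest_fn) -> bytes:
    """Sign the digest only, as real schemes do (HMAC stands in for RSA/ECDSA)."""
    return hmac.new(key, digest_fn(doc), "sha256").digest()


def verify(key: bytes, doc: bytes, sig: bytes, digest_fn) -> bool:
    return hmac.compare_digest(sign(key, doc, digest_fn), sig)


def find_cross_collision(digest_fn, benign_tmpl: bytes, evil_tmpl: bytes,
                         max_tries: int = 1 << 20):
    """Birthday search for a benign/evil pair with identical digests.

    Each side varies only a harmless-looking reference number, which is how an
    attacker hides the search space inside an otherwise plausible document.
    Returns (benign_doc, evil_doc) or None if max_tries is exhausted.
    """
    seen_benign, seen_evil = {}, {}
    for i in range(max_tries):
        benign, evil = benign_tmpl % i, evil_tmpl % i
        hb, he = digest_fn(benign), digest_fn(evil)
        if hb == he:
            return benign, evil
        if hb in seen_evil:
            return benign, seen_evil[hb]
        if he in seen_benign:
            return seen_benign[he], evil
        seen_benign[hb] = benign
        seen_evil[he] = evil
    return None


def demo() -> dict:
    benign_tmpl = b"Pay $10 to Alice. Ref %d"
    evil_tmpl = b"Pay $10000 to Mallory. Ref %d"
    pair = find_cross_collision(weak_digest, benign_tmpl, evil_tmpl)
    if pair is None:
        raise RuntimeError("no collision within budget (should not happen at 32 bits)")
    benign, evil = pair
    # The victim reads and signs only the harmless document.
    weak_sig = sign(SIGNING_KEY, benign, weak_digest)
    strong_sig = sign(SIGNING_KEY, benign, strong_digest)
    return {
        "collision_found": benign != evil and weak_digest(benign) == weak_digest(evil),
        # With the broken hash the attacker's document carries a valid signature.
        "evil_accepted_weak": verify(SIGNING_KEY, evil, weak_sig, weak_digest),
        # With a collision-resistant hash the same trick fails.
        "evil_accepted_strong": verify(SIGNING_KEY, evil, strong_sig, strong_digest),
    }


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests for operators: anything that still accepts SHA-1 over attacker-influenced data that later gets signed (certificates, code-signing, document signing, Git objects) inherits this failure mode; hashing a fixed, trusted artifact for integrity checking is a different threat and is not what the collision breaks.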

Cyber Danger

Nearly 4500 WiFi Clients connect to Rogue Access Point in experiment at RSA Conference 2017: The security of open Wi-Fi hotspots has been a subject of great concern for years. But, would you believe that we were overwhelmingly successful using Wi-Fi attacks dating back twelve years on the RSA Conference show floor in San Francisco? Either we are really good at getting lucky with old tools, or there is a serious Wi-Fi security pandemic out there. HelpNetSecurity, February 24, 2017

Financial Cyber Security

Online lenders targeted in cyber fraud attacks. Survey estimates $10 billion in 2016 losses: The latest quarterly ThreatMetrix Cybercrime Report shows 1 million cyberattacks targeted online lending transactions throughout 2016, causing estimated losses of more than $10 billion. CIO, February 24, 2017

Critical Infrastructure

Cybersecurity of the power grid: A growing risk management challenge: Called the “largest interconnected machine,” the U.S. electricity grid is a complex digital and physical system crucial to life and commerce in this country. Today, it is made up of more than 7,000 power plants, 55,000 substations, 160,000 miles of high-voltage transmission lines and millions of miles of low-voltage distribution lines. This web of generators, substations and power lines is organized into three major interconnections, operated by 66 balancing authorities and 3,000 different utilities. That’s a lot of power and many possible vulnerabilities. GCN, February 24, 2017

Internet of Things

The dangers will only increase as we connect devices to the Internet. Essay: Botnets of Things: Botnets have existed for at least a decade. As early as 2000, hackers were breaking into computers over the Internet and controlling them en masse from centralized systems. Among other things, the hackers used the combined computing power of these botnets to launch distributed denial-of-service attacks, which flood websites with traffic to take them down. Schneier on Security, March 2017

Cyber Sunshine

Florida Man Convicted of Child Porn Pleads Guilty To Clinton Foundation Hack Attempts: Timothy Sedlak of Florida has pleaded guilty to the charge of attempting to gain unauthorized access to the network of the charitable organization run by the Clintons, allegedly making 390,000 unsuccessful tries to hack its server, reports Reuters, quoting prosecutors. This comes in the wake of a 42-year jail term handed down separately to Sedlak by an Orlando court for producing and possessing child pornography. Dark Reading, February 24, 2017
Suspect Arrested In Connection With Mirai Botnet: A 29-year-old man was arrested by British police at a London airport on Wednesday in connection with the November 2016 hack of about one million Deutsche Telekom customers, reports DataBreachToday. The arrest was made on behalf of the Federal Criminal Police Office of Germany, and unconfirmed reports say it could be in relation to Mirai botnet attacks. Dark Reading, February 24, 2017

Cyber Miscellany

20 Cybersecurity Startups To Watch In 2017: In spite of a slowdown in the overall funding activity from venture capital firms in 2016, the cybersecurity market continued to raise money at full steam. Last year saw the market break records in terms of funding deals, with Q3 tallying up to be the most active quarter for deals in cybersecurity in the last five years, according to CBInsights. Dark Reading, February 24, 2017
Google uses machine learning to create troll-spotting tool to clean up comments: Toxic comments, how do we detest thee? Let me count the ways. Naked Security, February 24, 2017

Jeff Snyder, SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810