Sunday, March 12, 2017

Cyber Security News of the Week, March 12, 2017

CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Individuals at Risk

Cyber Privacy

How to Keep Your Private Conversations Private for Real: A decade ago, I wrote about the death of ephemeral conversation. As computers were becoming ubiquitous, some unintended changes happened, too: Before computers, what we said disappeared once we’d said it. Neither face-to-face conversations nor telephone conversations were routinely recorded. A permanent communication was something different and special; we called it correspondence. Schneier on Security, March 7, 2017
New Strategies for Securing Our Private Lives: I recently wrote an essay reflecting on the reality that nearly anyone with a life online is today subject to being hacked and having anything private become public. Jonathan Zittrain, LawFare Blog, October 24, 2016

Cyber Update

Google Chrome 57 Browser Update Patches ‘High’ Severity Flaws: Google released an updated version of its Chrome browser on Thursday to fix nine high-severity vulnerabilities that if exploited could allow adversaries to take control of targeted systems. As part of the update, Google thanked nearly two dozen bug hunters with bug bounty payments totaling $38,000. ThreatPost, March 10, 2017

Cyber Defense

9 cybersecurity tips for the mildly paranoid (plus 4 for the truly anxious): So it looks as if the CIA could potentially break into most smart phone or computer networks, at least according to the stolen documents released by WikiLeaks on Tuesday. USA Today, March 9, 2017
With C.I.A. Hacking Revelations, The Most Important Thing to Protect Your Devices is Always Update: WikiLeaks this week published a trove of documents that appears to detail how the Central Intelligence Agency successfully hacked a wide variety of tech products, including iPhones, Android devices, Wi-Fi routers and Samsung televisions. The New York Times, March 8, 2017

Cyber Warning

Malware found pre-installed on 38 Android phones used by 2 companies: A commercial malware scanner used by businesses has recently detected an outbreak of malware that came preinstalled on more than three dozen Android devices. ars technica, March 10, 2017
Caveat Emptor as “confidential” messenger service said to lack basic security controls: A pair of damning advisories independently published Wednesday raise serious questions about the security assurances of Confide, a messaging app that’s billed as providing “battle tested, military grade” end-to-end encryption and is reportedly being used by individuals inside the US government. ars technica, March 9, 2017

Information Security Management in the Organization

Information Security Management and Governance

San Diego CISO Gary Hayslip on strategies for defending against next wave of cybersecurity threats: With a sprawling sensor network to be deployed soon, scads of systems and 1.3 million residents depending on service, San Diego is bracing for the next wave of cybersecurity threats. StateScoop, March 10, 2017
Exploring The Gap Between Cybersecurity Perception And Reality Shows SMB Need for Security Partners: Most company executives and security professionals have a reasonable understanding of cybersecurity. Even if they don’t fully understand the mechanics under the hood, they at least realize that there is a vast and aggressive threat landscape out there, and that their networks are under virtually constant siege from attackers. When you ask how they feel about their security, though, and how confident they are in their ability to successfully detect and block attacks, the response shows a startling disconnect between reality and their perception. Forbes, March 9, 2017

Cyber Defense

Financial Institution Survey Demonstrates Need for Stronger Application Security Management: New study shows banks all have policies in place, but lack metrics and good third-party software controls. Dark Reading, March 10, 2017
Nine Security Tips That Go Outside the Box: The great challenge of security is that you are not only battling Murphy’s Law — the universal tendency of things to go wrong — but also shrewd and malicious attackers who are looking for an edge. Rather than constantly changing strategies to match these evolving threats, many security pros could benefit from finding a few simple methods that can stand the test of time and help prevent a breach. Security Intelligence, March 2, 2017

Cyber Update

IT Departments Must Update Apache Struts 2, Which Is Under Active Attack: Apache Struts 2 installations are being targeted – and hacked in large numbers – by attackers who are exploiting a zero-day flaw in the platform to remotely execute code, security researchers warn. ThreatPost, March 9, 2017
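The first practical step behind the "must update" headline is knowing where Struts 2 is actually deployed, since the library is usually buried inside application archives rather than installed as a package. The script below is an added example written for this roundup, not code from ThreatPost or from the Apache Struts project: it walks a directory tree, finds struts2-core jars both loose on disk and inside .war/.ear/.zip archives, and flags any build older than the fixed release for its branch. The fixed versions used as defaults, 2.3.32 and 2.5.10.1, are the releases Apache shipped for this flaw (Struts advisory S2-045, CVE-2017-5638); they are not taken from the article, so check them against the current Apache advisory before relying on them.

```python
"""Inventory Apache Struts 2 jars on disk and flag builds older than the fixed release.

Added example for the Struts 2 item above; not code from ThreatPost or Apache.
"""
import os
import re
import zipfile

# Minimum fixed release per supported branch. These values are the releases
# Apache published for S2-045 / CVE-2017-5638 (assumed here, not taken from the
# article): confirm them against the current advisory before trusting the verdict.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Matches struts2-core-<version>.jar as a loose file or as an archive entry.
JAR_RE = re.compile(r"(?:^|[/!])struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise, so 2.5.10 < 2.5.10.1."""
    return tuple(int(part) for part in text.split("."))


def classify(version):
    """Return 'ok', 'vulnerable' or 'unsupported' for a struts2-core version string."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Branches with no fix release (2.0 - 2.2) are end-of-life: treat as must-upgrade.
        return "unsupported"
    return "ok" if v >= fixed else "vulnerable"


def scan_names(paths):
    """Yield (path, version, verdict) for every struts2-core jar in an iterable of paths.

    Paths may be plain files or 'archive.war!WEB-INF/lib/x.jar' style archive entries.
    """
    for path in paths:
        match = JAR_RE.search(path.replace(os.sep, "/"))
        if match:
            yield path, match.group(1), classify(match.group(1))


def scan_tree(root):
    """Walk a directory, checking loose jars and the contents of .war/.ear/.zip archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        loose = [os.path.join(dirpath, name) for name in files]
        findings.extend(scan_names(loose))
        for archive in loose:
            if archive.lower().endswith((".war", ".ear", ".zip")) and zipfile.is_zipfile(archive):
                with zipfile.ZipFile(archive) as zf:
                    # Prefix entries with the archive path so the report says where the jar lives.
                    findings.extend(scan_names(archive + "!" + entry for entry in zf.namelist()))
    return findings


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version, verdict in scan_tree(target):
        print(f"{verdict:12} struts2-core {version:10} {path}")
```

Run it against the application directories of each server (for example the webapps tree of a Tomcat or JBoss host); anything reported as vulnerable or unsupported should be upgraded rather than patched in place, since the flaw is in the framework jar itself. Nested archives (a .war inside an .ear) are only inspected one level deep, which is enough for most deployments but worth extending if your packaging nests further.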

Cyber Law

Credit union sues Eddie Bauer for failing to prevent data breach: A credit union has sued Eddie Bauer, alleging that the Bellevue clothing retailer failed to take adequate steps to protect against a hack that swiped the credit-card information of customers last year. The Seattle Times, March 9, 2017

Cyber Security in Society

Cyber Crime

Payments Giant Verifone Investigating Breach: Credit and debit card payments giant Verifone [NYSE: PAY] is investigating a breach of its internal computer networks that appears to have impacted a number of companies running its point-of-sale solutions, according to sources. Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted. KrebsOnSecurity, March 7, 2017

Cyber Freedom

FBI Director Says Growing Encryption Use Hinders Basic Crime Investigations: FBI Director James Comey on Wednesday again called for an “adult conversation” about encryption, saying its growing use is making it increasingly hard for law enforcement officials to investigate crimes. Consumer Reports, March 8, 2017

National Cyber Security

Dutch Gov’t Under Cyber Attack from Russian Hackers in Attempt to Influence Upcoming Election: The Dutch government, like its German and French counterparts, fears that Russia is trying to influence the upcoming election through hacking schemes and by spreading fake news. Thessa Lageman reports. DW, March 10, 2017
WikiLeaks Reveal Demonstrates Encryption Apps’ Vulnerabilities: The CIA can hack into smartphones and read messages as they’re being typed on encrypted messaging apps. David Greene talks to Moxie Marlinspike, founder of the encrypted messaging app Signal. NPR, March 10, 2017
What the CIA WikiLeaks Dump Tells Us: Encryption Works: NEW YORK — If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it’s that data-scrambling, The New York Times, March 10, 2017
WikiLeaks: We’ll Work With Software Makers on Zero-Days: When WikiLeaks on Tuesday dumped thousands of files documenting hacking tools used by the U.S. Central Intelligence Agency, many feared WikiLeaks would soon publish a trove of so-called “zero days,” the actual computer code that the CIA uses to exploit previously unknown flaws in a range of software and hardware products used by consumers and businesses. But on Thursday, WikiLeaks editor-in-chief Julian Assange promised that his organization would work with hardware and software vendors to fix the security weaknesses prior to releasing additional details about the flaws. KrebsOnSecurity, March 9, 2017
WikiLeaks Dumps Docs on CIA’s Hacking Tools: WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far. KrebsOnSecurity, March 8, 2017
CIA docs provide coding tips and practices for hackers: There are thousands of files in WikiLeaks’ dump of data from the Central Intelligence Agency’s Engineering Development Group (EDG). This organization within the CIA’s Center for Cyber Intelligence is responsible for creating the tools used to hack into digital devices around the world in support of the CIA’s mission. The leaked documents come from an Atlassian Confluence server used by the EDG’s developers to track and document their projects. ars technica, March 8, 2017
Stewart Baker talks to Matt Tait about Russia’s cyberespionage operations – Steptoe Cyberlaw: In this episode, Matt Tait, aka @PwnAllTheThings, takes us on a tour of Russia’s cyberoperations. Ever wonder why there are three big Russian intel agencies but only two that have nicknames in cybersecurity research? Matt has the answer to this and all your other Russian cyberespionage questions. Steptoe Cybersecurity Blog, March 6, 2017

Critical Infrastructure

FCC putting users at increased risk as it weakens telecom cybersecurity regulations: The ideological goal of “light touch regulation” as proposed by the new head of the US FCC has hit a barrier: cybersecurity. The Register, March 10, 2017

Cyber Research

Rand publishes first-ever study of 0-days. Time from discovery to exploit often less than a month: It takes less than a month for most zero-day exploits to be developed, and about a quarter of those previously unknown and unpatched vulnerabilities will go undiscovered and undisclosed to the vendor for an average of 9.5 years. And the odds two hackers will find the same zero day are slim. ThreatPost, March 10, 2017

Jeff Snyder, SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810