Monday, April 10, 2017

Cyber Security News of the Week, April 9, 2017


CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Individuals at Risk

Identity Theft

IRS’ Students Financial Aid Tool hacked. Personal data of 100,000 compromised: The Internal Revenue Service (IRS) has said that personal data of nearly 100,000 taxpayers may have been compromised by a breach of its tool to apply for student financial aid, The Chronicle of Higher Education reports. The Free Application for Federal Student Aid (FAFSA) tool was taken offline in March after discovery of suspicious activity, and will be operational only in October. DarkReading, April 7, 2017

Cyber Privacy

Looking for a VPN? Buyer Beware!: To be sure that your online browsing is protected and your data is secure, you have to be able to trust the VPN service of your choice. But, as a research into Android VPN clients has recently shown, there are not a lot of them that deserve that trust. HelpNetSecurity, April 7, 2017
Snoops May Soon Be Able to Buy Your Browsing History. Thank the US Congress: Think about all of the websites you visit every day. Now imagine if the likes of Time Warner, AT&T and Verizon collected all of your browsing history and sold it on to the highest bidder. That’s what will probably happen if Congress has its way. Schneier on Security, March 30, 2017
How to set up a VPN in 10 minutes for free (and why you urgently need one): Soon every mistake you’ve ever made online will not only be available to your internet service provider (ISP) — it will be available to any corporation or foreign government who wants to see those mistakes. freeCodeCamp, March 27, 2017

Cyber Warning

Android devices can be fatally hacked by malicious Wi-Fi networks. iPhone users update to 10.3.1.: A broad array of Android phones are vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated. Ars Technica, April 5, 2017

Cyber Update

Apple releases iOS 10.3.1 for iPhone, iPad: Apple says the small update includes bug fixes and improved security. ZDNet, April 3, 2017

Cyber Defense

No More Ransom Initiative Adds 15 New Decryption Tools As Record Number Of Partners Join Global Initiative: Nine months after the launch of the No More Ransom (NMR) project, more law enforcement and private partners have joined the initiative, allowing more victims of ransomware to get their files back without paying the criminals. InformationSecurityBuzz, April 7, 2017

Information Security Management in the Organization

Information Security Management and Governance

What C-level leaders need to know about cybersecurity: CEOs, board members need to bone up on cybersecurity and not leave those matters to CIOs, analyst says. Techworld, April 8, 2017
Can Cyber Situational Awareness Prevent the Next Black Swan Cyber Event?: In modern parlance, the phrase “black swan,” as espoused by the famous intellectual personality Nassim Nicholas Taleb in his famous book “The Black Swan: The Impact of The Highly Improbable,” refers to an event that comes as a surprise, leaves a major impact and, in the absence of cyber situational awareness, can be rationalized only with the help of hindsight. SecurityIntelligence, April 7, 2017
Signs That You’re About to Suffer a Security Breach: Do you ever get those thoughts in the back of your mind that somehow, at some point, your organization is going to experience a security breach? I know that’s the kind of stuff that tends to keep chief information security officers (CISOs) and other security leaders up at night. The thing is, much of these thoughts are just that — thoughts. SecurityIntelligence, April 5, 2017
The Goal of Security is Good Enough: The security community is well trained at selecting which controls mitigate which risk. Unfortunately, that is only part of the equation, where we often fail is also determining the cost or impact of those controls. By impact I’m not just talking about the $$$ to purchase a solution, but the cost to maintain those controls, the impact due to lost productivity or employee time, and even the damage to your culture (ever wonder why people hate the security team?). Believe it or not, organizations do not exist to be secure, they exist to get something done. As such, perfect security is not our goal, good enough is our goal. And good enough means not just risk mitigation, but taking impact into account. Here are two recent examples I ran into where our community gets “Good Enough” wrong. SANS, April 4, 2017
These Are 10 Cybersecurity Myths That Must Be Busted: Cybersecurity was huge in 2016. From ransomware to weaponized Internet of Things (IoT) devices to foreign hacking of elections – last year saw it all. But many of these threats aren’t new and will never really go away. Over the last 25 years, one of the most valuable things I’ve learned in attending conferences and talking to cybersecurity experts around the world is that one of the greatest weapons we have to prevent cyber attacks is our own mindset. Forbes, April 4, 2017
What is (EU) 2016/679 and Why US Companies Should Care – A LOT – About It?: (EU) 2016/679 is the ‘General Data Protection Regulation” or GDPR. GDPR is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). ITSP, April 2017

Cyber Warning

New malware permanently destroying poorly secured IoT devices running Telnet w default password: Researchers have uncovered a rash of ongoing attacks designed to damage routers and other Internet-connected appliances so badly that they become effectively inoperable. ars technica, April 6, 2017
Researcher Warns SIEMs Are Weak Link In Network Security Chain: MIAMI—Security information and event management (SIEM) solutions are supposed to boost security, but researchers say the network analysis tools are ripe attack targets. ThreatPost, April 7, 2017

Cyber Defense

Are You Managing the New Shadow IT: Custom Data Center Applications?: If you think you’ve finally gotten control of unsanctioned user apps, think again. The next wave of rogue apps is on its way from your data center to the cloud. DarkReading, April 7, 2017
Data security and the cloud: Earn trust by putting your customers in control: Data is one of the most valuable assets a modern business holds. When a company decides to move to the cloud, data security and privacy become a natural and top concern for management. NetworkWorld, April 7, 2017

InfoSec Tech

Lessons Netflix Learned from the April 21st AWS Outage: On Thursday, April 21st, Amazon experienced a large outage in AWS US-East which they describe here. This outage was highly publicized because it took down or severely hampered a number of popular websites that depend on AWS for hosting. Our post below describes our experience at Netflix with the outage, and what we’ve learned from it. Netflix, April 29, 2011

Cyber Security in Society

Cyber Crime

Gamestop.com Investigating Possible Breach: Video game giant GameStop Corp. [NSYE: GME] says it is investigating reports that hackers may have siphoned credit card and customer data from its website — gamestop.com. The company acknowledged the investigation after being contacted by KrebsOnSecurity. KrebsOnSecurity, April 7, 2017
How Hackers Hijacked a Bank’s Entire Online Operation: The traditional model of hacking a bank isn’t so different from the old-fashioned method of robbing one. Thieves get in, get the goods, and get out. But one enterprising group of hackers targeting a Brazilian bank seems to have taken a more comprehensive and devious approach: One weekend afternoon, they rerouted all of the bank’s online customers to perfectly reconstructed fakes of the bank’s properties, where the marks obediently handed over their account information. Wired, April 4, 2017

Cyber Privacy

The U.S. government has withdrawn its request ordering Twitter to identify a Trump critic: The legal battle between Twitter and the U.S. government ended Friday as the Department of Homeland Security withdrew its demand that the tech company release information to identify an account holder whose tweets have been critical of President Trump. THe Washington Post, April 7, 2017
Computer Hackers Again Gain Access to Athletes’ Private Medical Records: Track and field’s global governing body — the sports organization that has most forcefully disciplined Russia for state-sponsored doping — said on Monday that its computer network had been compromised by the same Russian cyberespionage group that American intelligence officials have tied to a broad effort to influence the United States presidential election. The hackers were able to gain access to athletes’ private medical records, the track and field body said. The New York Times, April 3, 2017

Cyber Defense

Threat intelligence sharing challenges: Understand the context of cyber events: A new McAfee report details the challenges facing threat intelligence sharing efforts. The growing complexity of the technology environment is a very important driver for sharing threat intelligence. HelpNetSecurity, April 7, 2017

Know Your Enemy

Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer: The author of a banking Trojan called Nuclear Bot — a teenager living in France — recently released the source code for his creation just months after the malware began showing up for sale in cybercrime forums. Now the young man’s father is trying to convince him not to act on a job offer in the United States, fearing it may be a trap set by law enforcement agents. KrebsOnSecurity, April 6, 2017

National Cyber Security

China Threat Actor APT10 Ramps Up Cyber Espionage Activity Against Foreign Trade Council: Customers of managed security service providers, website of US trade lobby group targeted in separate campaigns. DarkReading, April 6, 2017
N.Korea Hacks into Secret S. Korea – U.S. War Plans: North Korean hackers seem to have managed to access a secret war masterplan by South Korea and the U.S. in a cyberattack last September, sources here said Monday. The Chosun Ilbo, April 4, 2017
New details emerge about 2014 Russian hack of the State Department: Over a 24-hour period, top U.S. cyber defenders engaged in a pitched battle with Russian hackers who had breached the unclassified State Department computer system and displayed an unprecedented level of aggression that experts warn is likely to be turned against the private sector. The Washington Post, April 3, 2017

Cyber Law

Senate Bill Directs NIST to Help Small Businesses Build Cyberdefenses: Legislation aimed to provide a set of tools, best practices and guidance to help small businesses protect their digital assets is heading to the U.S. Senate. BankInfoSecurity, April 5, 2017
When is a programmer criminally responsible for the actions of his users?: “He built a piece of software. That tool was pirated and abused by hackers. Now the feds want him to pay for the computer crooks’ crimes.” KrebsOnSecurity, April 4, 2017

Jeff Snyder’s, SecurityRecruiter.com, Jeff Snyder CoachingSecurity Recruiter Blog, 719.686.8810


SecurityRecruiter.com's Security Recruiter Blog