Monday, May 01, 2017

Cyber Security News of the Week, April 30, 2017



CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Individuals at Risk

Cyber Warning

New Android vulnerability found. Millions of phones discovered at risk from hackers: All is not well in Google Play. A group of researchers has determined that hundreds of apps in the store have a gaping security hole that potentially allows hackers to implant malware and steal data from millions of Android smartphones. Mashable, April 28, 2017
Network management vulnerability exposes home cable modems to hacking: Hundreds of thousands of internet gateway devices around the world, primarily residential cable modems, are vulnerable to hacking because of a serious weakness in their Simple Network Management Protocol implementation. PCWorld, April 28, 2017
Stealthy Mac malware spies on encrypted browser traffic: Researchers found a new malware program for macOS that is digitally signed and installs a fake root certificate to perform man-in-the-middle attacks. PCWorld, APpril 28, 2017
Blind Trust in Email Could Cost You Your Home — Real Estate Fraud: The process of buying or selling a home can be extremely stressful and complex, but imagine the stress that would boil up if — at settlement — your money was wired to scammers in another country instead of to the settlement firm or escrow company. Here’s the story about a phishing email that cost a couple their home and left them scrambling for months to recover hundreds of thousands in cash that went missing. KrebsOnSecurity, April 27, 2017

Information Security Management in the Organization

Information Security Management and Governance

Ransomware Payout Doesn’t Pay Off as Fewer than 50% of Victims Who Pay Get Their Files Back: About 40% of small- and midsized businesses hit with ransomware paid their attackers, but less than half got their information back. DarkReading, April 28, 2017
CISOs, Board Members Have Widely Divergent Views on Cybersecurity: Boards often want a lot more business-relevant reporting than CISOs provide, Focal Point Data Risk study shows. DarkReading, April 18, 2017
Security Starts With People: Know Who They Are, Know What They Do: Each day, in every corporation, school, government organization and nonprofit, people are generating great value for the economy by creating, manipulating and interacting with precious information. In fact, much of the value in today’s economy is created and stored digitally, from intellectual property, trade secrets and customer lists to the actual dollars they generate. At the same time, cybercriminals are engineering complex breaches to access and steal that information. SecurityIntelligence, November 29, 2016

Cyber Warning

Fileless malware attacks continue to grow. Often undetectable by anti-virus programs: Endpoint woes grow as fileless attacks grow in prevalence and file-based attacks remain largely undetected by AV engines. DarkReading, April 28, 2017
IT service providers being targeted in attack campaign: US-CERT has released an alert warning about a sophisticated attack campaign using multiple malware implants and targeting organizations in the IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing sectors. HelpNetSecurity, April 28, 2017

Cyber Defense

New Symantec Report: Cybercriminals using simple phishing attacks to break into corporate networks: For the past month, WikiLeaks has regularly released secret CIA documents that reveal the breadth of the agency’s hacking tools. Some seem lifted straight from a spy thriller, like a tool that can turn internet-connected TVs into covert listening devices. The same could be said for complex state-on-state cyberattacks, like the worm that caused Iranian nuclear centrifuges to malfunction in 2009, or electronic strikes sabotaged North Korean missile launches. The Atlantic, April 28, 2017
Ransomware, Cyberespionage Dominate Verizon DBIR. Train Staff. Patch Systems. Run Pen Tests. Use 2FA: Ransomware dominated malware-related data breaches investigated by Verizon last year, appearing in 71 percent of cases, according to the annual Verizon Data Breach Investigations Report (DBIR) released Thursday. ThreatPost, April 27, 2017
Is a cybersecurity skills gap putting your company at risk?: Most large companies have spent decades under-spending on information and cybersecurity, says David Foote, partner and chief analyst at the research and analysis firm Foote Partners. That fact, combined with the skills shortage for cybersecurity experts can create some real vulnerabilities for both large and small organizations. The Enterprisers Project, April 27, 2017

Cyber Security in Society

Cyber Crime

‘Ransomware’ attack locks down law firm’s files for three months: PROVIDENCE, R.I. — An unknown person or group held a Providence law firm captive for months by encrypting its files and then demanding $25,000 in ransom paid in anonymous cyber currency to restore access, according to a lawsuit filed in U.S. District Court. Providence Journal, April 28, 2016
Exclusive: Facebook and Google Were Victims of $100M Payment Scam. Suspect Arrested: When the Justice Department announced the arrest last month of a man who allegedly swindled more than $100 million from two U.S. tech giants, the news came wrapped in a mystery. The agency didn’t say who was robbed, and nor did it identify the Asian supplier the crook impersonated to pull off the scheme. Fortune, April 27, 2017

Cyber Privacy

Lawsuit: Fox News group hacked, surveilled, and stalked ex-host Andrea Tantaros: Comparing their actions to the plot this season on the Showtime series Homeland, an attorney for former Fox News host Andrea Tantaros has filed a complaint in federal court against Fox News, current and former Fox executives, Peter Snyder and his financial firm Disruptor Inc., and 50 “John Doe” defendants. The suit alleges that collective participated in a hacking and surveillance campaign against her. ars technica, April 27, 2017

Cyber Defense

N.S.A. Halts Collection of Americans’ Emails About Foreign Targets: WASHINGTON — The National Security Agency said Friday that it had halted one of the most disputed practices of its warrantless surveillance program, ending a once-secret form of wiretapping that dates to the Bush administration’s post-Sept. 11 expansion of national security powers. The New York Times, April 28, 2017
Will fileless malware push the antivirus industry into oblivion?: The death of antivirus has been prophesied for years now, but the AV industry is still alive and kicking. SentinelOne, though, believes that in-memory resident attacks, i.e. fileless malware, just might be the thing that pushes it into oblivion. HelpNetSecurity, April 28, 2017
Facebook adding information warfare to its fight against malware, fraud, and fake news: Facebook’s security team doesn’t disagree with the US Director of National Intelligence’s conclusion that Russia tried to sway the US Presidential election. ZDNet, April 28, 2017

National Cyber Security

Russian-controlled telecom hijacks Visa, MasterCard, other fin’l services Internet traffic: On Wednesday, large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom under unexplained circumstances that renew lingering questions about the trust and reliability of some of the most sensitive Internet communications. ars technica, April 27, 2017
Senate Puts U.S. at Risk: Staffers’ ID cards lack security. Remote access doesn’t require 2FA: When Congress held hearings following the breach of the systems of the Office of Personnel Management (OPM) in 2015, one of the issues that caused great consternation among lawmakers was that the OPM had failed to implement two-factor authentication for employees, particularly when using virtual private networks. Federal information security standards in place at the time called for strong user authentication for any federal information system, but the OPM hadn’t figured out how to implement two-factor authentication principles—something users know (a password), plus something they have (which, in government, is typically a “smartcard” ID with digital authentication keys programmed onto a chip). ars technica, April 26, 2017
Russian Hackers Who Targeted Clinton Appear to Attack France’s Macron: The campaign of the French presidential candidate Emmanuel Macron has been targeted by what appear to be the same Russian operatives responsible for hacks of Democratic campaign officials before last year’s American presidential election, a cybersecurity firm warns in a new report. The New York Times, April 24, 2017

Internet of Things

Unknown vigilante is putting a huge amount of work into infecting – and then securing – IoT devices: Last week, Ars introduced readers to Hajime, the vigilante botnet that infects IoT devices before blackhats can hijack them. A technical analysis published Wednesday reveals for the first time just how much technical acumen went into designing and building the renegade network, which just may be the Internet’s most advanced IoT botnet. ars technica, April 26, 2017
What Does the Future Hold for IoT Device Manufacturers?: Statista, one of the leading statistics companies on the Internet, shows the number of internet connected devices (Internet of Things; IoT) growth worldwide from 2012 to 2020. In 2012, the number of connected devices worldwide reached 8.7 billion. The number of connected devices worldwide is projected to be 50.1 billion by 2020. ITSP Magazine, April 2017

Cyber Enforcement

Police around the world collaborate to fight global-scale cybercrime: From 2009 to 2016, a cybercrime network called Avalanche grew into one of the world’s most sophisticated criminal syndicates. It resembled an international conglomerate, staffed by corporate executives, advertising salespeople and customer service representatives. GCN, April 28, 2017

Cyber Sunshine

Interpol Sweep Uncovers Malware Infections Throughout Asia: Interpol, working with numerous countries and security vendors, says it has identified 270 websites across Asia – including some government portals – infected with malware that have been used for a variety of cyberattacks. BankInfoSecurity, April 27, 2017
UK Man Gets 2 Years in Jail for Running DDoS Attack-for-Hire Service: A 20-year-old man from the United Kingdom was sentenced to two years in prison today after admitting to operating and selling access to “Titanium Stresser,” a simple-to-use service that let paying customers launch crippling online attacks against Web sites and individual Internet users. KrebsOnSecurity, April 25, 2017
The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27 Year Prison Sentence: Roman Seleznev, a 32-year-old Russian cybercriminal and prolific credit card thief, was sentenced Friday to 27 years in federal prison. That is a record punishment for hacking violations in the United States and by all accounts one designed to send a message to criminal hackers everywhere. But a close review of the case suggests that Seleznev’s record sentence was severe in large part because the evidence against him was substantial and yet he declined to cooperate with prosecutors prior to his trial. KrebsOnSecurity, April 24, 2017
U.S. Court Sentences Multimillionaire Russian Hacker to a Record-Setting 27 Years: Roman Seleznev made more than $17 million selling stolen credit card numbers. INC, April 24, 2017

Cyber Education

Educating for a Responsible and Innovative Digital Future: I live on the thin strip of coastline just south of San Francisco, separated by only a narrow range of coastal mountains from the heart of Silicon Valley. For students in this area, computer programming and robotics are part of the new compulsory subjects that used to be “reading, ‘riting, and ‘rithmetic”. Like volunteering in a community service project, participating in a robotics competition has become commonplace and almost expected of competitive college applicants. ITSP Magazine, April 2017

Jeff Snyder’s, SecurityRecruiter.com, Jeff Snyder CoachingSecurity Recruiter Blog, 719.686.8810




SecurityRecruiter.com's Security Recruiter Blog