Individuals at Risk
Identity Theft
Yahoo Says Hackers Stole Data on 500 Million Users in 2014: SAN FRANCISCO — Yahoo announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network. The New York Times, September 22, 2016
Cyber Privacy
Free Tools to Keep Those Creepy Online Ads From Watching You: SAY you’re doing a web search on something like the flu. The next thing you know, an ad for a flu remedy pops up on your web browser, or your video streaming service starts playing a commercial for Tylenol. The New York Times, February 18, 2016
Cyber Warning
Hand-Delivered Hacking: Malicious USBs Left in Mailboxes: LONDON — Julien Ascoet was already suspicious when he pulled the plain white envelope from his mailbox this past July. The New York Times, September 22, 2016
Cyber Danger
iPhone Hackers Say Apple Weakened Backup Security With iOS 10: Professional iPhone hackers say that Apple AAPL -1.72% has dropped the ball on password security with its latest iPhone operating system, making the task of cracking the logins for backups stored on a Mac or PC considerably easier. Forbes, September 23, 2016
Cyber Update
Firefox fixes hard to spot certificate pinning failure: A recently fixed security vulnerability that affected both the Firefox and Tor browsers had a highly unusual characteristic that caused it to threaten users only during temporary windows of time that could last anywhere from two days to more than a month. ars technica, September 21, 2016
Cyber Defense
How to Protect Yourself After the Yahoo Attack: Yahoo said on Thursday that hackers in 2014 stole the account information of at least 500 million users, including names, email addresses, telephone numbers, birth dates, passwords and, in some cases, security questions. The New York Times, September 23, 2016
2FA – One of the best things you can do to protect yourself from hackers: Two-factor authentication: Learn these words well and you’ll feel better when giant hacks splatter passwords and email addresses all over the dark web. Mashable, September 22, 2016
Information Security Management in the Organization
Information Security Governance
Three Recent Insider Crime Cases Spotlight Security Management Challenges: Three recent criminal cases involving hospital insiders who allegedly committed a variety of fraud, identity theft or egregious privacy violations that victimized patients highlight just how difficult it is to mitigate insider threats. Healthcare InfoSecurity, September 23, 2016
Yahoo’s Titanic Data Breach Highlights Risk to M&A: Yahoo alerted the world on Thursday to what may well be the largest known breach of user information amid an acquisition by Verizon, one of the biggest U.S. corporations. Fortune, September 23, 2016
Coping with increasingly sophisticated capabilities of cybercrime syndicates: Cyberspace has become a progressively attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks. The technical capabilities and reach of cybercriminals are now equal to those of many governments and organizations. In the next few years, these capabilities will extend far beyond those of their victims. As a result, the ability of current control mechanisms to protect organizations is likely to diminish, exposing them to greater impact. SecurityInfoWatch, September 22, 2016
7 Factors That Make Security Organizations More Effective: (ISC)2 members have plenty of technical chops, but IANS research found they need to focus more on how infosec aligns with the business. Dark Reading, September 22, 2016
Cybersecurity’s weakest link: humans: There is a common thread that connects the hack into the sluicegate controllers of the Bowman Avenue dam in Rye, New York; the breach that compromised 20 million federal employee records at the Office of Personnel Management; and the recent spate of “ransomware” attacks that in three months this year have already cost us over US$200 million: they were all due to successful “spearphishing” attacks. The Conversation, May 5, 2016
Cyber Update
Cisco plugs two Cloud Services Platform system compromise flaws: Cisco has patched two serious vulnerabilities in Cisco Cloud Services Platform 2100, both of which could allow a remote attacker to execute arbitrary code on a targeted system. HelpNetSecurity, September 22, 2016
Cyber Defense
Organizational strategies and personal tactics for defending your phone : Mobile devices are one of the weakest links in corporate security. Executives are wrestling with managing a proliferation of devices, protecting data, securing networks, and training employees to take security seriously. In our Tech Pro Research survey of chief information officers, technology executives, and IT employees, 45% of respondents saw mobile devices as the weak spot in their company’s defenses. (Employee data was cited by 37%, followed by wireless access of networks at 34% and bring-your-own-device efforts at 29%.) Harvard Business Review, September 22, 2016
Cyber Lawsuit
Vendor sued after investment fund client loses $6 million in BEC scam: A lawsuit filed on Friday by Tillage Commodities Fund alleges that SS&C Technology showed an egregious lack of diligence and care, when they fell for an email scam that ultimately led to hackers in China looting $5.9 million. Victim says fund administrator ignored internal policies and even assisted scammers by fixing errors. CSO, September 19, 2016
Cyber Law
Yahoo Could Face Legal Trouble Over Delay in Disclosing Hack: It’s been a day since Yahoo confirmed a massive data breach, and still there are more questions than answers. We still don’t know who carried out the hack that compromised more than 500 million accounts, or precisely what the hackers obtained. Fortune, September 23, 2016
Sixth Circuit Rules That Theft of PII from Insurance Company Results in Article III Standing: In its recent decision in Galaria v. Nationwide Mut. Ins. Co., no. 15-3386 (6th Cir. Sept. 12, 2016). Co., No. 15-3386 (6th Cir. Sept. 12, 2016), a divided Sixth Circuit panel held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of data containing plaintiffs’ sensitive personal data, including dates of birth and Social Security numbers. In so ruling, the court became the latest to hold that hackers’ targeted theft of personal identifying information (“PII”), standing alone, creates a substantial risk of harm that is sufficient to satisfy the concrete injury requirement for standing under Article III of the United States Constitution. National Law Review, September 16, 2016
Cyber Security in Society
National Cyber Security
Cybersecurity is threatening America’s military supremacy: The sparsely populated Spratly Islands, a collection of hundreds of islands and reefs spread over roughly 165,000 square miles in the South China Sea, are very quickly becoming the center of one of the most contentious international disputes between world powers since the fall of the Soviet Union. TechCrunch, September 21, 2016
Cyber Attack
KrebsOnSecurity Hit With Record DDoS: On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed. Krebs on Security, September 21, 2016
DDoS Mitigation Firm Has History of Hijacks: Last week, KrebsOnSecurity detailed how BackConnect Inc. — a company that defends victims against large-scale distributed denial-of-service (DDoS) attacks — admitted to hijacking hundreds of Internet addresses from a European Internet service provider in order to glean information about attackers who were targeting BackConnect. According to an exhaustive analysis of historic Internet records, BackConnect appears to have a history of such “hacking back” activity. Krebs on Security, September 20, 2016
Cyber Politics
Homeland Security increases focus on cybersecurity at the polls: Department of Homeland Security officials may not expect malicious hackers to sway November’s election, but the agency is offering more protections to help states secure voting systems. Yahoo, September 23, 2016
Key lawmakers accuse Russia of campaign to disrupt U.S. election: Two senior Democratic lawmakers with access to classified intelligence on Thursday accused Russia of “making a serious and concerted effort to influence the U.S. election,” a charge that appeared aimed at putting pressure on the Obama administration to confront Moscow. The Washington Post, September 22, 2016
Powell leakers strike again with alleged White House staffer emails, Michelle Obama passport: The hacker website that leaked Colin Powell’s politically embarrassing emails struck again Thursday, this time releasing what appears to be the personal emails of a White House staffer working with Hillary Clinton’s campaign — and what purports to be an image of Michelle Obama’s passport. Politico, September 22, 2016
Financial Cyber Security
SWIFT Announces Fraud Pattern Detection Controls: To help financial institutions better spot attempted fraud, the SWIFT interbank messaging network plans to begin offering voluntary “daily validation reports” to customers in December. BankInfoSecurity, September 20, 2016
Critical Infrastructure
FAA Advisory Body Recommends Cybersecurity Measures: WASHINGTON—U.S. aviation authorities on Thursday took the strongest formal action yet to combat potential cyberthreats to planes in the air as well as on the ground. The Wall Street Journal, September 22, 2016
Internet of Things
Tesla Patches Cars Against Wi-Fi ‘Braking’ Attack: Electric car manufacturer Tesla has updated its firmware after researchers in China demonstrated how they could remotely turn on the windshield wipers, open the trunk and apply the brakes in brand-new Model S sedans. GovInfoSecurity, September 21, 2016
How A Few Words To Siri Unlocked A Man’s Front Door And Exposed A Major Security Flaw In Apple’s HomeKit: A month ago, Marcus, a 31-year-old man living in Springfield, Missouri, decided to go all in on the smart home. A diehard fan of the Apple AAPL -1.72% ecosystem, he began outfitting his house with gadgets certified as “Works with Apple HomeKit,” Apple’s proprietary communication standard for controlling third-party smart home devices with iOS and its intelligent voice assistant, Siri. By the end of his shopping spree, he had 30 Philips Hue LED light bulbs, two Ecobee thermostats (along with eight temperature sensors situated throughout his house) and an August Smart Lock. He was also several thousand dollars poorer. Forbes, September 21, 2016
Secure the Village
RANSOMWARE VICTIMS URGED TO REPORT INFECTIONS TO FEDERAL LAW ENFORCEMENT: The FBI urges victims to report ransomware incidents to federal law enforcement to help us gain a more comprehensive view of the current threat and its impact on U.S. victims. FBI, September 15, 2016
Cyber Event
Secure Coding Class for the Web: The major cause of application insecurity is the lack of secure software development practices. This highly intensive and interactive course provides essential application security training for web application, webservice and mobile software developers and architects. The class features a combination of lecture, security testing demonstration and code review. Event Date: October 17-21
THIRD ANNUAL LOS ANGELES CYBER SECURITY SUMMIT 2016-SILICON BEACH: Cyber attacks on corporations, governmental agencies and individuals are becoming increasingly widespread and regular, as well as more complex. In honor of National Cyber Security Awareness Month, LMU is once again hosting The Third Annual Cybersecurity Summit that brings together government officials, private business executives and cybersecurity experts to discuss the current and emerging threats that exist in today’s sophisticated cyber environment, and the technological advancements being made to countermeasure and manage these risks. Event Date: October 22, 2016
The post Cyber Security News of the Week, September 25, 2016 appeared first on Citadel Information Group.