Cyber Security News of the Week, July 31, 2016

Cyber Security News of the Week, July 31, 2016

Individuals at Risk

Cyber Fraud

Dark Patterns are designed to trick you (and they’re all over the Web): It happens to the best of us. After looking closely at a bank statement or cable bill, suddenly a small, unrecognizable charge appears. Fine print sleuthing soon provides the answer—somehow, you accidentally signed up for a service. Whether it was an unnoticed pre-marked checkbox or an offhanded verbal agreement at the end of a long phone call, now a charge arrives each month because naturally the promotion has ended. If the possibility of a refund exists, it’ll be found at the end of 45 minutes of holding music or a week’s worth of angry e-mails. ars technica, July 28, 2016

Cyber Update

LASTPASS PATCHES ORMANDY REMOTE COMPROMISE FLAW: LastPass has patched a vulnerability in its Firefox add-on found by Google Project Zero researcher Tavis Ormandy that allows attackers complete remote compromise of the password manager. ThreatPost, July 28, 2016

Amazon Silk browser ignored SSL searches, failing to protect your privacy: The Kindle browser may have been built with performance in mind, but seems to have fallen short when it comes to security. ZDNet, July 25, 2016

Cyber Defense

New Portal Offers Decryption Tools For Some Ransomware Victims: Nomoreransom.org, a joint initiative between Europol, the Dutch National Police, Kaspersky Lab and Intel Security, offers help in getting encrypted data back. DarkReading, July 25, 2016

Information Security Management in the Organization

Information Security Governance

5 Takeaways From Cisco’s Big Cybersecurity Report: Companies still use outdated technology, and hackers are using abandoned websites for their schemes: Fortune, July 29, 2016

The Information Security Leader: Three Persistent Challenges for CISOs: In the movie “Indiana Jones and the Last Crusade,” Indiana Jones and his father, Professor Henry Jones, must overcome three cryptic challenges to finally come face-to-face with the Holy Grail. The keys to meeting these challenges involve a disparate set of skills: humility, intelligence, commitment and, ultimately, the ability to make a well-informed, risk-based decision. SecurityIntellegence, July 26, 2016

Cyber Warning

Cybercriminals Using Genuine PayPal Emails to Spread Banking Malware: PayPal like other financial institutions is a favorite target of scammers, crooks and cyber criminals. Recently there has been an increase in PayPal related phishing scams but now researchers have also identified criminal elements using PayPal’s legitimate emails to spread dangerous Chthonic banking trojan. HackRead, July 30, 2016

Android fraud Trojan – SpyNote – free to Cybercriminals: A builder for the capable SpyNote Android remote access trojan (RAT) is being freely distributed on several underground hacker forums. HelpNetSecurity, July 29, 2016

NEW TROJAN SPYNOTE INSTALLS BACKDOOR ON ANDROID DEVICES: A new Android Trojan called SpyNote has been identified by researchers who warn that attacks are forthcoming. ThreatPost, July 29, 2016

Multiple Major Security Products Open To Big Vulns Via ‘Hooking Engines’: The momentum’s been growing the last few years for the security community to turn its microscope inward as security researchers start to dig in earnest for serious vulnerabilities within security products. That’ll be reflected in several talks at Black Hat USA in Las Vegas next week — including research from enSilo that takes a thorough look at six different common security issues stemming from faulty implementation of code hooking and injections techniques. Dark Reading, July 28, 2016

‘Cute’ ransomware strain that hides in Google Docs could attack users from any cloud-based system: A new strain of ransomware has been discovered on GitHub that uses Google Docs as a launch platform for command-and-control malware. Dubbed ‘cuteRansomware’, the module has been found to use Google’s own security to bypass the victim’s firewalls, leaving the attacker free to encrypt the end-user’s files at will. IBTimes, July 15, 2016

Cyber Defense

Virtually all business cloud apps lack enterprise grade security: Blue Coat Systems analyzed apps for their ability to provide compliance, data protection, security controls and more. Of the 15,000 apps analyzed, it was revealed that 99 percent do not provide sufficient security, compliance controls and features to effectively protect enterprise data in the cloud. HelpNetSecurity, July 29, 2016

Information Security Professional

GOOGLE DETAILS LINUX KERNEL DEFENSES, NEW AND OLD: Developers with Android’s Security Team peeled back some of the layers on the mobile operating system this week; describing the lengths Google goes to protect the Linux kernel. Threatpost, July 28, 2016

How to Roll Your Own Threat Intelligence Team: A lot of hard work needs to go into effectively implementing an intelligence-driven security model. It starts with five critical factors. DarkReading, July 25, 2016

Black Hat — Def Con Conferences

Cybersecurity expert tips for attending the DEF CON hacker convention: Thousands of hackers, cybersecurity experts, federal agents, and others will descend upon Las Vegas next week for what are always interesting conferences — with talks on everything from hacking cars to airline boarding passes. TechInsider, July 29, 2016

Cyber Security in Society

Cyber Crime

North Korea blamed for massive South Korea data breach affecting 10 million internet shoppers: Authorities in South Korea on Thursday said Kim Jong-un’s government compromised the personal data of more than 10 million online shoppers by hacking the website of an internet shopping mall. The Washington Times, July 28, 2016

Kimpton Hotels Probes Card Breach Claims: Kimpton Hotels, a boutique hotel brand that includes 62 properties across the United States, said today it is investigating reports of a credit card breach at multiple locations. KrebsOnSecurity, July 26, 2016

Cyber Underworld

PETYA SABOTAGES RIVAL RANSOMWARE CHIMERA, LEAKS 3500 DECRYPTION KEYS: There is no honor among thieves, as the saying goes, and that includes ransomware crooks. In an apparent move to sabotage a ransomware competitor, the authors of the Mischa and Petya ransomware-as-a-service leaked 3,500 decryption keys for its competitor Chimera ransomware. ThreatPost, July 28, 2016

National Cyber Security

In a major cyber-hack, whom do you call? The White House spells it out: NEW YORK — President Obama approved a new directive Tuesday that spells out for the first time in writing how the government handles significant cyber-incidents. The Washington Post, July 28, 2016

FBI Investigates Possible Russian Hack Of Democratic Congressional Campaign Committee: The FBI is investigating a cyber intrusion at the Democratic Congressional Campaign Committee (DCCC) that may be related to an earlier hack at the Democratic National Committee, said four sources familiar with the matter on Thursday.. HuffingtonPost, July 28, 2016

Cyber-Experts Say Russia Hacked the Democratic National Committee: Is the Kremlin trying to throw the U.S. presidential election to Donald Trump? It sounds like something out of a spy novel. But many cybersecurity experts, as well as the Hillary Clinton campaign, are now saying the Russians are responsible for last month’s hack of the Democratic National Committee. Bloomberg, July 25, 2016

Hackers are putting U.S. election at risk: Bruce Schneier: Russia has attacked the U.S. in cyberspace in an attempt to influence our national election, many experts have concluded. We need to take this national security threat seriously and both respond and defend, despite the partisan nature of this particular attack.  CNN, July 28, 2016

By November, Russian hackers could target voting machines: Bruce Schneier: If Russia really is responsible, there’s no reason political interference would end with the DNC emails. The Washington Post, July 27, 2016

Trump’s hacking comment rattles the cybersecurity industry: Donald Trump’s muddled stance on hacking has disturbed security experts at time when the tech industry is looking for clarity on the U.S.’s cyber policy. CSO, July 29, 2016

Critics blast Trump calls for Russia to locate missing Hillary Clinton e-mails: In comments that appeared to condone the hacking of sensitive US correspondence, Republican presidential nominee Donald Trump on Wednesday said he hoped Russia locates missing e-mails sent by Hillary Clinton when she was US secretary of state. ars technica, July 27, 2016

Financial Cyber Security

Would You Use This ATM? One basic tenet of computer security is this: If you can’t vouch for a networked thing’s physical security, you cannot also vouch for its cybersecurity. That’s because in most cases, networked things really aren’t designed to foil a skilled and determined attacker who can physically connect his own devices. So you can imagine my shock and horror seeing a Cisco switch and wireless antenna sitting exposed atop of an ATM out in front of a bustling grocery store in my hometown of Northern Virginia. KrebsOnSecurity, July 28, 2016

Internet of Things

A hacker’s dream come true?: There’s a lot more to the web than the cat-video-laden sites we normally see. In fact, according to most sources, the web that we can typically get to via our browser of choice represents only a small fraction of what’s out there. HelpNetSecurity, July 29, 2016

Multiple Flaws In Osram IoT Lightbulbs: Security researchers have discovered nine separate vulnerabilities in internet-connected lightbulbs made by Osram, four of which remain unpatched. The flaws include the app storing an unencrypted copy of the user’s wifi password and allowing the attacker to turn the lightbulbs on and off without permission. There are also flaws in the ZigBee hub device which relays commands to the lightbulbs. Security Experts commented below. InformationSecuirtyBuzz, July 29, 2016

The post Cyber Security News of the Week, July 31, 2016 appeared first on Citadel Information Group.