Cyber Security News of the Week, August 28, 2016

Individuals at Risk

Cyber Privacy

Why you should think twice before posting that picture on social media: Posting and sharing photos online seems innocuous, but you could be inadvertently leaking sensitive business and personal information, according to experts. CNBC, August 15, 2016

Cyber Warning

Cyber thieves increasingly hack into consumer bank accounts through customers’ mobile phones: Cyberthieves have a new way to hack into consumer bank accounts: mobile phones. The Wall Street Journal, August 26, 2016

SpyNote malware another illustration why Android apps should only be installed from official store: On a semi-regular basis, I receive emails from users who have Android devices that show all the signs of being infected by malware. Without fail and without question, I quickly discover the user installed an application from a third-party, untrusted source. TechRepublic, August 25, 2016

Apple and Netflix customers are being targeted in a fake invoice e-mail scam duping them into handing over their bank details: Apple customers are being targeted in a series of new scams involving invoices containing fake iTunes, App Store or Netflix purchases. ThisIsMoney, August 23, 2016

Cyber Danger

Man dies after wife’s cell phone is hijacked preventing her from calling 911: Identity thieves have perfected a scam in which they impersonate existing customers at retail mobile phone stores, pay a small cash deposit on pricey new phones, and then charge the rest to the victim’s account. In most cases, switching on the new phones causes the victim account owner’s phone(s) to go dead. This is the story of a Pennsylvania man who allegedly died of a heart attack because his wife’s phone was switched off by ID thieves and she was temporarily unable to call for help. KrebsOnSecurity, August 23, 2016

Cyber Defense

How to opt out of WhatsApp sharing your phone number with Facebook: Nearly two and a half years after Facebook acquired WhatsApp, and despite WhatsApp CEO Jan Koum saying at the time of the acquisition that user privacy wouldn’t suffer, the services are about to get a little bit friendlier with their data sharing. NakedSecurity, August 26, 2016

United Airlines Sets Low Bar on Customer Access Security: United Airlines has rolled out a series of updates to its Web site that the company claims will help beef up the security of customer accounts. But at first glance, the core changes — moving from 4-digit PINs to passwords and requiring customers to pick five different security questions and answers — may seem like a security playbook copied from, circa 2009. Here’s a closer look at what’s changed in how United authenticates customers, and hopefully a bit of insight into what the nation’s fourth-largest airline is trying to accomplish with its new system. KrebsOnSecurity, August 24, 2016

Cyber Update

Emergency iOS Update Patches Zero Days Used by Government Spyware: Apple rushed an emergency iOS update today after the discovery of three zero-day vulnerabilities used by governments to spy on the activities of human rights activists and journalists. ThreatPost, August 25, 2016

Information Security Management in the Organization

Cyber Warning

Mandiant reports Asian businesses take 17 months to notice hacker in system vs 4 months in US: Organisations across the Asia Pacific are terrible at information security, a Mandiant report contests. TheRegister, August 25, 2016

Cyber Defense

The current state of privileged access management practices: There’s a widening gulf between organizations that adhere to best practices for privileged access management, according to BeyondTrust. HelpNetSecurity, August 26, 2016

Mozilla launches free website security scanning service: In order to help webmasters better protect their websites and users, Mozilla has built an online scanner that can check if web servers have the best security settings in place. CSO Online, August 26, 2016

Five account management practices to help deter cyber attacks: Whether they identify as white hats, black hats or something in-between, a majority of hackers agree that no password is safe from them — or the government for that matter. Regardless of where they sit with respect to the law, hackers mostly agree that five key security measures can make it a lot harder to penetrate enterprise networks. CIO, August 26, 2016

NSA Equation Group Hacking Tool Dump: 5 Lessons for Defenders: The recent dump of attack tools linked to the Equation Group, which is widely believed to be tied to the U.S. National Security Agency and its Tailored Access Operations team, has triggered despair in technology circles (see NSA Pwned Cisco VPNs for 11 Years). BankInfoSecurity, August 24, 2016

Cyber Update

Cisco Patches ASA Devices Against leaked Equation Group attack tools EXTRABACON: Cisco has begun releasing software updates for its Adaptive Security Appliance devices to patch a zero-day flaw that was revealed via leaked Equation Group attack tools. Cisco ASA devices provide anti-virus, firewall, intrusion prevention and virtual private network capabilities. BankInfoSecurity, August 24, 2016

Cyber Security in Society

Cyber Crime

Customer payment card data stolen as POS malware infects Millennium & Noble House hotel chains: Two hotel chains are warning that they’ve suffered point-of-sale malware infections that compromised customers’ payment card data. Both say they were alerted to related card fraud by the U.S. Secret Service and that they’re now assisting law enforcement agencies’ investigations. BankInfoSecurity, August 26, 2016

Hotel Data Breach: Credit and Debit Card Data Stolen From 20 Hotels: The criminals appear to have taken names, payment card account numbers, card expiration dates and verification codes. Westwood Patch, August 16, 2016

Cyber Privacy

Hackers attack site of Ghostbusters star Leslie Jones, post racist abuse: Leslie Jones, the black comedian who starred in the recent all-female remake of Ghostbusters, has been forced to take her website down after hackers seemingly took control, posted racist abuse, personal information, and what were apparently nude pictures stolen from the actor’s iCloud account. ars technica, August 25, 2016

Cyber Attack

Inside the March 2013 Attack That ‘Almost Broke the Internet’: In March 2013, a coalition of spammers and spam-friendly hosting firms pooled their resources to launch what would become the largest distributed denial-of-service (DDoS) attack the Internet had ever witnessed. The assault briefly knocked offline the world’s largest anti-spam organization, and caused a great deal of collateral damage to innocent bystanders in the process. Here’s a never-before-seen look at how that attack unfolded, and a rare glimpse into the shadowy cybercrime forces that orchestrated it. KrebsOnSecurity, August 26, 2016

FBI investigating Russian hack of New York Times reporters, others: Hackers thought to be working for Russian intelligence have carried out a series of cyber breaches targeting reporters at The New York Times and other US news organizations, according to US officials briefed on the matter. CNN, August 23, 2016

Know Your Enemy

Failed attempt to hack iPhone of human rights lawyer exposes a secretive hacking group: What do we know about the curious, secretive NSO Group? Very little – but after this week, an awful lot more than we did before. BBC, August 26, 2016

Following Bitcoin ransoms reveals billion dollar cyber-crime: Are we about to witness a ransomware unicorn? According to Mikko Hypponen, chief research officer of Finnish F-Secure, we are. But there’s a caveat. SCMagazine, August 25, 2016

National Cyber Security

HackerOne helps Pentagon strengthen cybersecurity by helping hackers breach the Pentagon: It took a cohort of freelance hackers just 13 minutes to break into Pentagon websites, said Mårten Mickos, CEO of Silicon Valley-based bug bounty firm HackerOne, in a Reddit AMA on Thursday. Fedscoop, August 26, 2016

Massive cyber breach exposes 22,000 pages of top secret data about Indian submarine Scorpène: All hell broke loose for the Indian Navy and Defence Ministry on Wednesday when over 22,000 pages of top secret data on the capabilities of six highly advanced Scorpène submarines being built for the Indian Navy in Mumbai in collaboration with French company DCNS were leaked. FirstPost, August 25, 2016

Cyber Law

France, Germany Call for European Decryption Law: The United States is months removed from this spring’s Apple vs. FBI debacle, but the debate around encryption is just beginning to play out in Europe. ThreatPost, August 25, 2016

Financial Cyber Security

25% of bank data breaches are caused by lost phones and laptops; only 20% by hacking: One in four breaches (25.3 per cent) in the US financial services sector over recent years were due to lost or stolen devices, according to a new study. TheRegister, August 25, 2016


Healthcare Hacker Attack Victim Tally Soars with 8 million new consumer victims in last few weeks: Hacker attacks recently added to the Department of Health and Human Services’ Office for Civil Rights “wall of shame” tally of major health data breaches affected a total of more than 8 million victims. HealthCareInfoSecurity, August 25, 2016

Internet of Things

The biggest threat facing connected autonomous vehicles is cybersecurity: Connected, autonomous vehicles are around the corner. Many of the most innovative and deep-pocketed companies in the world are racing to bring them to market — and for good reason: the economic and social gains they will generate will be tremendous. TechCrunch, August 25, 2016

Kudos to unusual IoT manufacturer for fixing security holes: In a shocking development, smart lock manufacturer August has been caught promptly patching security holes discovered in its product. TheRegister, August 25, 2016

Cyber Research

Apple files patent app enabling iPhones to grab a thief’s photo and fingerprint when stolen: Apple may be working on anti-theft technology to protect iPhones that would covertly snap a photo of (what the device assumes is potentially) the thief, capture their fingerprint, shoot some video and/or record audio. NakedSecurity, August 26, 2016

Keystroke Snooping with 97% Accuracy Using Only WiFi Router & Laptop: A group of academic researchers have figured out how to use off-the-shelf computer equipment and a standard Wi-Fi connection to sniff out keystrokes coming from someone typing on a keyboard nearby. The keystroke recognition technology, called WiKey, isn’t perfect, but is impressive with a reported 97.5 percent accuracy under a controlled environment. ThreatPost, August 25, 2016

Cyber Miscellany

Muddying the waters of infosec: Cyber upstart, investors short medical biz St. Jude – then reveal bugs: A team of security researchers tipped off an investment firm about software vulnerabilities in life-preserving medical equipment in order to profit from the fallout. TheRegister, August 26, 2016

St. Jude Denies Report Its Heart Devices Are Vulnerable to Cyberattacks: St. Jude Medical Inc. on Friday denied allegations made by a research firm that its pacemakers and other heart devices were vulnerable to hacking and other cybersecurity threats. The Wall Street Journal, August 26, 2016

Trading in stock of medical device paused after hackers team with short seller: Trading in the stock of medical device manufacturer St. Jude Medical was halted Friday afternoon after a dramatic drop in its value. That drop was triggered by news of alleged vulnerabilities in the company’s cardiac care devices. The vulnerability was disclosed not in a report by the company but by security researchers partnered with Muddy Waters Capital, an investment firm that had “shorted” St. Jude’s stock on the information in order to profit from a drop in the stock’s value. ars technica, August 26, 2016

The post Cyber Security News of the Week, August 28, 2016 appeared first on Citadel Information Group.