Cyber Security News of the Week, September 11, 2016


Individuals at Risk

Identity Theft

Regulators Slam Wells Fargo for Identity Theft: For years, some Wells Fargo employees subscribed the bank’s customers to products they didn’t request, and that practice has now triggered $185 million in fines. BankInfoSecurity, September 9, 2016

Cyber Privacy

Location Privacy: The Purview of the Rich and Indigent: I’d just finished parking my car in the covered garage at Reagan National Airport just across the river from Washington, D.C. when I noticed a dark green minivan slowly creeping through the row behind me. The vehicle caught my attention because its driver didn’t appear to be looking for an open spot. What’s more, the van had what looked like two cameras perched atop its roof — one on each side, both pointed down and slightly off to the side. KrebsOnSecurity, September 5, 2016

Cyber Danger

Ransomware prevalent in cloud-based malware: Cloud-based filesharing, collaboration and social networking applications are ransomware delivery vehicles, according to a report released today. CSO, September 8, 2016

Cyber Warning

Consumer Protection Agency Urges Galaxy Note 7 Owners to Stop Using Phones: The fallout over the potential for Samsung Galaxy Note 7 smartphones to catch fire is intensifying. The New York Times, September 10, 2016

Two critical bugs and more malicious apps make for a bad week for Android: Google releases fixes for newer devices and ejects apps following reports. ars technica, September 9, 2016

Cyber Update

Google patches 57 Android vulnerabilities, attempts to resolve Mediaserver attacks: Google released patches for 57 security vulnerabilities affecting Android devices. Eight of the flaws were issued a “critical” rating. September’s updates are bundled into three “security patch level strings” in an effort to ease the process for Android device manufacturers to apply updates across their devices. SCMagazine, September 7, 2016

Cyber Defense

CHROME TO LABEL SOME HTTP SITES ‘NOT SECURE’: Chrome users who navigate to some HTTP sites will be notified, starting in January, they’re on a site that isn’t secure. ThreatPost, September 8, 2016

The Limits of SMS for 2-Factor Authentication:
A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code. KrebsOnSecurity, September 7, 2016

Information Security Management in the Organization

Information Security Governance

Report: Despite growing security threats, CXOs struggle to find cybersecurity professionals: According to a new survey, 40% of tech leaders say external security threats are the biggest worry for their company, but that they lack skilled cybersecurity workers. TechRepublic, September 8, 2016

HR a Target for Cyber-Crime, Must Defend Itself: The human resources department is a target for cyber-crime because it controls employees’ personal information, so it must take an active role in its own defense, consultants say. BNA, September 7, 2016

How Ransomware Became a Billion-Dollar Nightmare for Businesses: In recent months, a proliferation of ransomware attacks has affected everyone from personal-computer and smart-phone owners to hospitals and police departments. An attack works like this: A virus arrives and encrypts a company’s data; then a message appears demanding a fee of hundreds or thousands of dollars. If the ransom is paid in time, the information is restored. “At the heart of this new business model for cybercrime is the fact that individuals and businesses, not retailers and banks, are the ones footing the bill for data breaches,” Josephine Wolff noted in The Atlantic back in June. The Atlantic, September 3, 2016

Cyber Awareness

Beyond The Phish Report 2016: Phishing continues to be a large and growing problem for organizations of all sizes. As pioneers in the use of simulated phishing attacks, Wombat Security strongly recommends organizations make anti-phishing education the foundation of their security awareness and training programs. However, it’s also recommended to think beyond the phish to assess and educate end users about the many cybersecurity threats that are prevalent (and emerging) in today’s marketplace. Risky behaviors like lax data protection, oversharing on social media and improper use of WiFi are all dangers in their own right – and could be considered contributing factors to the ever-growing phishing problem. InformationSecurityBuzz, September 9, 2016

Cyber Warning

Cryptomining malware on NAS servers – is one of them yours?: SophosLabs has just released a report on a new way that crooks are distributing a strain of malware that makes money by “borrowing” your computer to mine a new sort of cryptocurrency. NakedSecurity, September 8, 2016

Cyber Defense

The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations: The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise. US-CERT, September 6, 2016

Cyber Update

WORDPRESS UPDATE RESOLVES XSS, PATH TRAVERSAL VULNERABILITIES: The update addresses two separate security issues, a cross-site scripting vulnerability and a path traversal vulnerability. ThreatPost, September 8, 2016

Cyber Security in Society

Know Your Enemy

Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years: vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets. ThreatPost, September 9, 2016

National Cyber Security

How America’s 911 emergency response system can be hacked: Critical to the success of the 911 emergency phone system, which has saved countless lives since it was first implemented in 1968, is its ability to quickly route calls to emergency responders closest to a caller. The Washington Post, September 9, 2016

Obama Names Retired Air Force General as First Federal CISO: President Obama has named Gregory Touhill, a retired Air Force brigadier general, as the U.S. federal government’s first chief information security officer. BankInfoSecurity, September 9, 2016

Congressional Report Slams OPM on Data Breach: The massive data breach at the U.S. Office of Personnel Management (OPM) that exposed background investigations and fingerprint data on millions of Americans was the result of a cascading series of cybersecurity blunders from the agency’s senior leadership on down to the outdated technology used to secure the sensitive data, according to a lengthy report released today by a key government oversight panel. KrebsOnSecurity, September 7, 2016

Gen. Michael Hayden Gives an Update on the Cyberwar: Former head of the CIA and NSA says government moves to protect cyberspace are too little, too late. The Wall Street Journal, February 2,

Cyber Politics

How Russian hacking has tied US government in knots: Washington (CNN) Whatever Vladimir Putin’s goal is in a year-long campaign of apparent cyberattacks against the US political system, the Russian leader has accomplished this much: tying the US government in knots over what to do about it. CNN, September 9, 2016

Can cybersecurity save the November elections?: The Federal Bureau of Investigation’s disclosure earlier this month that foreign hackers had infiltrated voter registration systems in Illinois and Arizona came as no surprise to some cybersecurity experts. CSO, September 6, 2016

U.S. investigating potential covert Russian plan to disrupt November elections: U.S. intelligence and law enforcement agencies are investigating what they see as a broad covert Russian operation in the United States to sow public distrust in the upcoming presidential election and in U.S. political institutions, intelligence and congressional officials said. The Washington Post, September 5, 2016

Financial Cyber Security

FinCEN Issues Advisory on Email Compromise Fraud, including Red Flag Warnings: With email compromise schemes — in which criminals fraudulently persuade individuals and companies to transfer funds — on the rise, the Financial Crimes Enforcement Network issued an advisory to financial institutions today to help them identify and prevent these frauds. The advisory covered business email compromises, in which criminals target a business customer of a bank, and email account compromises, which are targeted at personal bank accounts. The hallmark of these frauds is that they hack or spoof email accounts to take advantage of employees’ or financial institutions’ trust in existing customer relationships. ABA, September 6, 2016

Internet of Things

IoT Trust Framework Provides Guidance to Manufacturers to Strengthen IoT Security: There are ways to improve security in IoT devices – and it all starts with IoT manufacturers. DarkReading, September 9, 2016

Cyber Research

A Chip-Scale Source for Quantum Random Number Generators: Taking advantage of technology developed to manipulate light on chips, a team based in Spain and Italy has created an integrated circuit that can be used to generate true random numbers by taking advantage of the thoroughly unpredictable nature of quantum mechanics. IEEE Spectrum, September 8, 2016

Cyber Sunshine

Researcher scams fake tech support scammer, infects scammer’s PC with Locky ransomware: While the big security news was happening in Las Vegas at conferences, security researcher Ivan Kwiatkowski’s story was too funny to pass up—at least if you loathe scareware scams. NetworkWorld, August 8, 2016

Two men charged with hacking CIA director and other high-ranking officials: “Crackas with Attitude” members accused of posing as Verizon and FBI support personnel. ars technica, September 8, 2016

Cyber Miscellany

St. Jude Sues Hedge Fund and Cybersecurity Firm That Teamed Up to Short-Sell Device Maker: The cybersecurity firm behind a short-seller’s campaign against St. Jude Medical, a major manufacturer of pacemakers, has a curious operating history. The New York Times, September 9, 2016
The post Cyber Security News of the Week, September 11, 2016 appeared first on Citadel Information Group.