Cyber Security News of the Week, October 30, 2016


SecureTheVillage launches weekly podcast: Whether you’re a business leader or a private citizen, SecureTheVillage’s Cybersecurity News of the Week gives you important up-to-date information you need regarding cybercrime, cyber privacy and information security. … Join SecureTheVillage’s founder, Dr. Stan Stahl and podcast host Jim Goyjer as they discuss current cybersecurity news. … Based on Citadel Information Group’s award-winning blog, SecureTheVillage’s Cybersecurity News of the Week cuts through the technical jargon, keeping you informed in easy-to-understand language on cybersecurity issues that are interesting, solutions oriented and actionable by anyone.


Citadel News of the Week Listed #1 in CreditDonkey’s “Best Computer Security Blogs 2016”: Citadel Information’s blog keeps its readers abreast of the latest cybersecurity news affecting consumers, businesses and our nation’s cyber-defense capabilities, including attacks, scams, breaches, defense tactics, software patches and more with their frequent news roundups. CreditDonkey, September 26, 2016

Individuals at Risk

Identity Theft

OCC reveals major information security breach by ex-employee affecting 10,000 people’s PII: The top U.S. banking regulator revealed Friday that a former employee downloaded thousands of files from the agency’s servers without authorization nearly a year ago and that the agency has not yet been able to recover those files. HousingWire, October 28, 2016

Cyber Privacy

The latest WikiLeaks revelations included a reminder that there are revealing things that just can’t be encrypted: As we say goodbye to privacy, some people are putting their faith in encryption. But there’s only so much that encryption can do. ITWorld, October 28, 2016

Broadband Providers Will Need Permission to Collect Private Data: WASHINGTON — Federal officials approved broad new privacy rules on Thursday that prevent companies like AT&T and Comcast from collecting and giving out digital information about individuals — such as the websites they visited and the apps they used — in a move that creates landmark protections for internet users. The New York Times, October 28, 2016

Cyber Warning

Search engine results increasingly poisoned with malicious links: Malware threats in search results are getting worse despite the best efforts of Google and other vendors. TheRegister, October 28, 2016

Cyber Danger

New critical Windows vulnerability a reminder: Do Not Open Unexpected Email Attachments: Researchers from security outfit enSilo have uncovered a new code injection technique that can be leveraged against all Windows versions without triggering current security solutions. HelpNetSecurity, October 28, 2016

Cyber Update

APPLE PATCHES ITUNES, ICLOUD FOR WINDOWS, XCODE SERVER: Apple’s iTunes and iCloud software for Windows PCs received updates on Thursday for vulnerabilities that could allow for the disclosure of personal information and arbitrary code execution. In addition to the Windows fixes, Apple also alerted Mac and iOS app developers to nearly a dozen security issues tied to its Xcode Server platform. ThreatPost, October 28, 2016

Cyber Defense

MICROSOFT EXTENDS MALICIOUS MACRO PROTECTION TO OFFICE 2013: Microsoft is combating a surge in macro-based malware with a new feature that allows system administrators to configure Office 2013 to block Word, Excel, and PowerPoint macros. The capability had previously been introduced in March by Microsoft for its Office 2016 software. ThreatPost, October 27, 2016

Information Security Management in the Organization

Information Security Governance

Obsession with regulatory compliance doesn’t guarantee good cybersecurity, says SC Congress Panel: Companies should spend less time worrying about meeting the minimal requirements for cybersecurity regulation compliance, and instead concentrate on how to protect their most sensitive data and operations. And if they followed that rule of thumb, government compliance would naturally follow suit, according to a panel of experts speaking today at SC Congress Chicago. SCMagazine, October 28, 2016

Biggest mistake executives make is treating cybersecurity solely as a technology matter for IT departments, says KPMG InfoSec Practice Leader: I discuss cybersecurity with hundreds of executives every year. The biggest mistake I see is companies treating cybersecurity solely as a technology matter for IT departments to solve. But it’s not. It’s an enterprise-wide opportunity that’s critically important. Harvard Business Review, October 25, 2016

Cyber Update

CISCO PATCHES CRITICAL VULNERABILITY IN FACILITY EVENTS RESPONSE SYSTEM: Cisco Systems issued a security bulletin Wednesday for a critical vulnerability found in its IP Interoperability and Collaboration System (IPICS). The feature is a key part of a mechanism used by Cisco to facilitate emergency responses for “facility events.” ThreatPost, October 27, 2016

Cyber Defense

Questions Every CIO Should Ask the Cybersecurity Leader: Part 3: Ultimately, cybersecurity must ensure that there are proper and effective controls in place to protect an organization’s sensitive business assets, especially the data that differentiates and sustains the business. Over the past two decades, however, the industry has been influenced by both a mistaken belief and an unfortunate reality. SecurityIntelligence, October 28, 2016

IBM Trusteer incorporates biometric “Cognitive Fraud Detection” to block financial fraud: Can your financial institution’s fraud detection system learn, reason and adapt to new and emerging cyberthreats? Can it identify fraudulent behavior within your account simply by analyzing interactions and patterns? In this day and age, people can access their bank accounts anywhere, anytime. We need strong, agile and efficient fraud detection systems to keep financial institutions and their customers safe. SecurityIntelligence, October 27, 2016

Are the Days of “Booter” Services Numbered?: It may soon become easier for Internet service providers to anticipate and block certain types of online assaults launched by Web-based attack-for-hire services known as “booter” or “stresser” services, new research released today suggests. KrebsOnSecurity, October 27, 2016

Heightened DDoS Threat Posed by Mirai and Other Botnets: Internet of Things (IoT)—an emerging network of devices (e.g., printers, routers, video cameras, smart TVs) that connect to one another via the Internet, often automatically sending and receiving data. US-CERT, October 14, 2016

Cyber Law

Device Makers Face Legal Trouble Over Internet of Things Attack: Who should be held responsible for last week’s security breach that took out parts of the Internet? [SecureTheVillage Leadership Council Member Michael Zweiback is quoted.] Fortune, October 25, 2016

Who’s Responsible When Your DVR Launches a Cyberattack?: On Friday, millions of connected devices—webcams, routers, DVRs—banded together to attack a fundamental cornerstone of the internet’s infrastructure. It happened suddenly, without the knowledge of the gadgets’ owners, and it kept going for hours. [SecureTheVillage Leadership Council Member Michael Zweiback is quoted.] The Atlantic, October 25, 2016

Cyber Security in Society

Cyber Attack

DYN DDOS COULD HAVE TOPPED 1 TBPS. Perpetrators Believed To Be “Script Kiddies”: As more time passes, researchers are getting insight into the size and structure of the DDoS attack against DNS provider Dyn last week, and the capabilities of the Mirai botnet. ThreatPost, October 27, 2016

Botnet Army of ‘Up to 100,000’ IoT Devices Disrupted Dyn: The malware-infected internet of things army that disrupted domain name server provider Dyn was composed of, at most, 100,000 devices. BankInfoSecurity, October 27, 2016

DDoS Attacks Also Slammed Singapore ISP’s DNS Services: The massive attack against U.S.-based domain name server provider Dyn isn’t the only such disruption launched by internet of things devices that’s been seen in recent days. BankInfoSecurity, October 27, 2016

National Cyber Security

Ahead of elections, states reject federal help to combat hackers: CBS News has found that 11 states – including the battlegrounds of New Hampshire and Michigan – have not accepted the Department of Homeland Security’s help to try and bolster the cyberdefenses of their voter registration systems. CBS, October 28, 2016

Hacked Emails of High-Ranking Advisor to Putin Shows Russian Plans to Destabilize Ukraine: Recently a cache of 2,337 e-mails from the office of a high-ranking advisor to Russian president Vladimir Putin was dumped on the Internet after purportedly being obtained by a Ukrainian hacking group calling itself CyberHunta. The cache shows that the Putin government communicated with separatist forces in Eastern Ukraine, receiving lists of casualties and expense reports while even apparently approving government members of the self-proclaimed Donetsk People’s Republic. And if one particular document is to be believed, the Putin government was formulating plans to destabilize the Ukrainian government as early as next month in order to force an end to the standoff over the region, known as Donbass. ars technica, October 27, 2016

Cyber Politics

Clinton. Trump. Cybersecurity Poster Children? Where they stand on the issues: The major party Presidential candidates, who have both experienced the aftermath of hacks and poor security practices of their own, could serve as ‘poster children’ and advocate for better cybersecurity, experts say. DarkReading, October 27, 2016

Critical Infrastructure

Is cybersecurity for smart cities being dangerously underestimated? Wi-Fi? Traffic? IoT?: As governments around the globe barrel headlong into the smart city wave, cybersecurity experts are raising the alarm about the proliferation of unsecured technology. This is from a recent Trustwave study that surveyed 203 information security experts working with local and state governments in the U.S. ReadWrite, October 27, 2016

Internet of Things

In test, fake web toaster compromised in less than 1 hour: Last week, a massive chain of hacked computers simultaneously dropped what they were doing and blasted terabytes of junk data to a set of key servers, temporarily shutting down access to popular sites in the eastern U.S. and beyond. Unlike previous attacks, many of these compromised computers weren’t sitting on someone’s desk, or tucked away in a laptop case—they were instead the cheap processors soldered into web-connected devices, from security cameras to video recorders. A DVR could have helped bring down Twitter. The Atlantic, October 28, 2016

Hackers find vulnerability to take full control of – and even crash – consumer drones: This week at the PacSec security conference in Tokyo, researchers unveiled a new device that is capable of fully commandeering radio-controlled drones by exploiting a vulnerability in the frequency-hopping systems drone makers use to obfuscate and protect their radio communication. While the device isn’t available for sale, other hackers may soon find the vulnerability too, Ars Technica reports. Recode, October 28, 2016

Why the Next Denial of Service Attack Could Be Against Your Car: We haven’t seen the last of the car hacks, says Charlie Miller, the security researcher who in 2014 helped show that hackers can take control of certain models of cars, messing with brakes and steering and other systems while the cars are in motion. IEEE Spectrum, October 28, 2016

Feds Propose Voluntary Automotive Cybersecurity Standards: Stopping well short of issuing regulations, the U.S. federal government is proposing voluntary cybersecurity guidelines aimed at getting carmakers and their suppliers to secure computers and electronics in automobiles. BankInfoSecurity, October 26, 2016

Senator Prods Federal Agencies on IoT Mess: The co-founder of the newly launched Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure “Internet of Things” (IoT) devices, such as the network of hacked security cameras and digital video recorders that were reportedly used to help bring about last Friday’s major Internet outages. KrebsOnSecurity, October 25, 2016

IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers: A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand. KrebsOnSecurity, October 24, 2016

Cyber Enforcement

DOJ publicly releases memo providing cybercrime guidance to prosecutors: The Department of Justice has just released a two-year-old policy document that provides guidance to prosecutors on what triggers an investigation or arrest under the Computer Fraud and Abuse Act. The release is raising questions, however, about why DOJ kept the policy under wraps until recent litigation prompted the release. FCW, October 28, 2016

FBI Offers Online Cyber Training for Law Enforcement First Responders: Since the advent of the Internet and, more recently, the proliferation of technological gadgets—like cell phones, laptops, tablets, game consoles, even wearable technology—criminals of all kinds are increasingly leaving behind a trail of digital evidence when committing their crimes. FBI, October 19, 2016

Cyber Research

Google teaches “AIs” to invent their own crypto and avoid eavesdropping: Google Brain has created two artificial intelligences that evolved their own cryptographic algorithm to protect their messages from a third AI, which was trying to evolve its own method to crack the AI-generated crypto. The study was a success: the first two AIs learnt how to communicate securely from scratch. ars technica, October 28, 2016

Cyber Sunshine

US charges 61 in India phone fraud call center scam that cheated 15,000 out of $250 million: Authorities file charges against 61 in a phone fraud that cheated 15,000 out of $250 million via identity theft and impersonation. DarkReading, October 28, 2016

Celeb nude photo thief Ryan Collins sentenced to 18 months in jail: Ryan Collins – one of the Celebgate nude-photo thieves who phished Apple and Gmail account logins from the likes of Jennifer Lawrence, Rihanna and Avril Lavigne – has been sentenced to 18 months in prison. NakedSecurity, October 28, 2016

Hacker Caught Attempting To Steal $1.5 Million From US Financial Institution: Defendant faces charges of wire fraud and hacking of a government website in an attempt to steal $1.5 million. DarkReading, October 28, 2016


The post Cyber Security News of the Week, October 30, 2016 appeared first on Citadel Information Group.