Cyber Security News of the Week, October 9, 2016

Cyber Security News of the Week, October 9, 2016

Individuals at Risk

Cyber Privacy

Facebook enables encryption for mobile Messenger app’s 900M users Facebook this week said the roughly 900 million account holders who use its mobile Messenger app each month can now make their conversations illegible to eavesdroppers after it finished rolling out a feature that uses end-to-end encryption to protect private messages from prying eyes. The Washington Times, October 6, 2016

Passwords are cybersecurity weakest link says former Homeland Security chief Michael Chertoff: Last month’s news of the devastating breach at Yahoo stunned even the most seasoned security experts, given its impact on more than 500 million individuals. CNBC, October 6, 2016

Cyber Warning

Cybercriminals hacked Spotify’s Ad Server. Listeners got malware served up with with their ads: Small number of users may have been impacted by malvertising, digital music service admits. Dark Reading, October 7, 2016

Cyber Update

Android battles to fix the holes where the rain gets in: Google’s security mavens have been hard at work this month, patching an impressive 78 Android flaws in the firm’s latest update. NakedSecurity, October 7, 2016

Cyber Defense

‘Security fatigue’ leading computer users to more or less just give up: Do you use the same password for multiple sites? Do your eyes glaze over after sites like LinkedIn or Yahoo get massively hacked and, like clockwork, the security wonks come wagging their fingers at you for reusing your passwords? NakedSecurity, October 7, 2016

Information Security Management in the Organization

Information Security Governance

Focus on ‘compliance’ not ‘security management’ creates security gaps for cyber criminals to exploit: Hacker attacks continue to account for the vast majority of health data breach victims this year, according to the latest federal tally. HealthCareInfoSecurity, October 7, 2016

Cybersecurity becoming major IT spending driver as cybercrime impacts grow: As companies shift to digital technologies, they are investing more money in tools to protect their corporate networks and inviting CISOs to help plan and implement enterprise architecture. CIO, October 6, 2016

Cultivating a culture of information security critical to meeting Europe’s new data privacy regs GDPR: In an IT landscape increasingly vulnerable to cyber threats, organisations need to think about information security as an element that enables business and facilitates increased competitive advantage. Information Age, October 3, 2016

Cyber Awareness

Email that hacked AZ voter registration? Official: “Any normal person would have clicked on it:” The email that gave Russian hackers access to an Arizona registration base looked like it came from an employee, and any normal person would have clicked on it, Arizona Secretary of State Michele Reagan said Wednesday. CNBC, October 5, 2016

Cyber Warning

Point-of-Sale systems under attack in pre-holiday malware update: A smash and grab malware gang has updated its FastPoS point of sales hack app to plunder credit cards more efficiently ahead of the festive season. The Register, October 7, 2016

DDoS Risk Increases as Source Code for IoT Botnet ‘Mirai’ Released: The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. KrebsOnSecurity, October 1, 2016

Cyber Law

TalkTalk Slammed with Record Fine of £400,000 ($511,000) for multiple information security breaches: Britain’s privacy watchdog agency has slammed TalkTalk with a record fine of £400,000 ($511,000) for information security failings that allowed a hacker to steal customer data “with ease.” BankInfoSecurity, October 5, 2016

Donald Trump’s Hotel Chain to Pay Penalty Over Data Breaches: Donald J. Trump’s hotel chain agreed to pay a $50,000 penalty and revamp its data security policies after a couple of breaches exposed 70,000 credit card numbers and other personal information of its customers. The New York Times, September 25, 2016

Cyber Security in Society

Cyber Privacy

Yahoo Said to Have Aided U.S. Email Surveillance by Adapting Spam Filter: A system intended to scan emails for child pornography and spam helped Yahoo satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization, several people familiar with the matter said on Wednesday. The New York Times, October 5, 2016

Yahoo’s CISO resigned in 2015 over secret e-mail search tool ordered by feds: According to a new report by Reuters citing anonymous former employees, in 2015, Yahoo covertly built a secret “custom software program to search all of its customers’ incoming emails for specific information.” ars technica, October 4, 2016

Know Your Enemy

‘Money Mule’ Gangs Turn to Bitcoin ATMs: Fraudsters who hack corporate bank accounts typically launder stolen funds by making deposits from the hacked company into accounts owned by “money mules,” willing or unwitting dupes recruited through work-at-home job scams. The mules usually are then asked to withdraw the funds in cash and wire the money to the scammers. Increasingly, however, the mules are being instructed to remit the stolen money via Bitcoin ATMs. KrebsOnSecurity, September 29, 2016

National Cyber Security

Hacking: A thorny issue between Russia and the West: Russian hackers have been accused by the United States of carrying out a series of attacks against political organisations in order “to interfere with the US election”. BBC, October 8, 2016

Steptoe Cyberlaw Podcast – Interview w Ellen Nakashima, star Washington Post cyber reporter: In episode 132, our threepeat guest is Ellen Nakashima, star cyber reporter for the Washington Post. Markham Erickson and I talk to her about Vladimir Putin’s endless appetite for identifying ‒ and crossing ‒ American red lines, the costs and benefits of separating NSA from Cyber Command, and the chances of a pardon for Edward Snowden. Ellen also referees a sharp debate between me and Markham over the wisdom of changing Rule 41 to permit judges to approve search warrants for computers outside their district. Steptoe Cyberblog, October 7, 2016

How weak cybersecurity could disrupt the U.S. election: Election Day is still four weeks away but the integrity of the final outcome is under attack now by a pernicious combination of real weaknesses in U.S. cybersecurity and candidate-fueled charges about ballot tampering. Politico, October 7, 2016

U.S. government officially accuses Russia of hacking campaign to interfere with elections: The Obama administration on Friday officially accused Russia of attempting to interfere in the 2016 elections, including by hacking the computers of the Democratic National Committee and other political organizations. The Washington Post, October 7, 2016

NSA contractor charged with stealing top secret data: BOSTON — A federal contractor suspected in the leak of powerful National Security Agency hacking tools has been arrested and charged with stealing classified information from the U.S. government, according to court records and U.S. officials familiar with the case. The Washington Post, October 5, 2016

Cyber Politics

Researchers find fake data in DNCC – Clinton data dumps; also in Olympic anti-doping dumps: A pattern of mischaracterization, misrepresentation, and outright alteration of breached data has emerged in two of the latest headline-grabbing batches of hacked files. Investigators discovered that recently published data from anti-doping testing at the 2016 Olympics in Rio de Janeiro had been altered by parties connected to a Russia-based hacking group behind the breach, according to a report issued by the World Anti-Doping Agency (WADA) yesterday. ars technica, October 6, 2016

Internet of Things

We Need to Save the Internet from the Internet of Things: Brian Krebs is a popular reporter on the cybersecurity beat. He regularly exposes cybercriminals and their tactics, and consequently is regularly a target of their ire. Last month, he wrote about an online attack-for-hire service that resulted in the arrest of the two proprietors. In the aftermath, his site was taken down by a massive DDoS attack. Schneier on Security, October 6, 2016

Johnson & Johnson warns diabetic patients: Insulin pump vulnerable to hacking. Could cause overdose.: Johnson & Johnson is telling patients that it has learned of a security vulnerability in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin, though it describes the risk as low. Reuters, October 5, 2016

Poor security practices by IoT manufacturers open door to cyber attacks : As KrebsOnSecurity observed over the weekend, the source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released. Here’s a look at which devices are being targeted by this malware. KrebsOnSecurity, October 3, 2016

How hard is it to hack the average DVR? Sadly, not hard at all: A major battle is underway for control over hundreds of millions of network-connected digital video recorders, cameras, and other so-called Internet of Things devices. As Ars has chronicled over the past two weeks, hackers are corralling them into networks that are menacing the security news site KrebsOnSecurity and other Web destinations with some of the biggest distributed denial-of-service attacks ever recorded. ars technica, October 3, 2016

Cyber Enforcement

The FBI exploring legal & technical options to gain access to dead terrorist’s locked iPhone: WHEN THE FBI asked a court to force Apple to help crack the encrypted iPhone 5c of San Bernardino shooter Rizwan Farook in February, Bureau director James Comey assured the public that his agency’s intrusive demand was about one terrorist’s phone, not repeated access to iPhone owners’ secrets. But now eight months have passed, and the FBI has in its hands another locked iPhone that once belonged to another dead terrorist. Which means they may have laid the groundwork for another legal showdown with Apple. Wired, October 6, 2016

Cyber Sunshine

Feds Charge Two In Lizard Squad Investigation: The U.S. Justice Department has charged two 19-year-old men alleged to be core members of the hacking groups Lizard Squad and PoodleCorp. The pair are charged with credit card theft and operating so-called “booter”or “stresser” services that allowed paying customers to launch powerful attacks designed to knock Web sites offline. KrebsOnSecurity, October 6, 2016

Cyber Event

Secure Coding Class for the Web: The major cause of application insecurity is the lack of secure software development practices. This highly intensive and interactive course provides essential application security training for web application, webservice and mobile software developers and architects. The class features a combination of lecture, security testing demonstration and code review. Event Date: October 17-21

THIRD ANNUAL LOS ANGELES CYBER SECURITY SUMMIT 2016-SILICON BEACH: Cyber attacks on corporations, governmental agencies and individuals are becoming increasingly widespread and regular, as well as more complex. In honor of National Cyber Security Awareness Month, LMU is once again hosting The Third Annual Cybersecurity Summit that brings together government officials, private business executives and cybersecurity experts to discuss the current and emerging threats that exist in today’s sophisticated cyber environment, and the technological advancements being made to countermeasure and manage these risks. Event Date: October 22, 2016

The post Cyber Security News of the Week, October 9, 2016 appeared first on Citadel Information Group.