Individuals at Risk
Cyber Update
Patch Tuesday, 2016 U.S. Election Edition: Let’s get this out of the way up front: Having “2016 election” in the headline above is probably the only reason anyone might read this story today. It remains unclear whether Republicans and Democrats can patch things up after a bruising and divisive election, but thanks to a special Election Day Patch Tuesday hundreds of millions of Adobe and Microsoft users have some more immediate patching to do. KrebsOnSecurity, November 9, 2016
Cyber Defense
Whatsapp starts rolling out two-factor authentication: Whatsapp is one of the biggest messaging services out there, so it’s a little surprising that it hasn’t supported two-factor authentication. That is, until now — as noted by Android Police, people using the beta version of Whatsapp are starting to see the option to turn on this extra security measure. engadget, November 11, 2016
Google stops AdSense attack that forced banking trojan on Android phones: Google has shut down an operation that combined malicious AdSense advertisements with a zero-day attack exploiting Chrome for Android to force devices to download banking fraud malware. ars technica, November 8, 2016
Information Security Management in the Organization
Information Security Governance
New NIST guide helps small businesses improve cybersecurity: Small-business owners may think that they are too small to be victims of cyber hackers, but Pat Toth knows otherwise. Toth leads outreach efforts to small businesses on cybersecurity at the National Institute of Standards and Technology (NIST) and understands the challenges these businesses face in protecting their data and systems. Phys.org, November 11, 2016
Cyber Awareness
IT must do more to help users understand their critical role in cyberdefense: Despite investment in cyber security, employees are still putting organisations at risk, according to new research from Databarracks. Information Security Buzz, November 11, 2016
Cyber Warning
Hackers Disclose Easily Exploitable Flaws in Microsoft Edge and VMware: At the Power of Community security conference that is being held in Seoul, Thursday was the day the security community was waiting for as it was the PwnFest 2-16 event day. At then event JungHoon “Lokihardt” Lee, a security researcher from South Korea and Beijing-based security firm Qihoo 360’s team revealed the two different ways with which hackers could exploit vulnerabilities in Microsoft Edge browser. The teams used the browser that ran on Red Stone1, which is the 64-bit version of Windows 10 Anniversary Edition. HackRead, November 11, 2016
Cyber Defense
SMBs risk data security by using free cloud storage: SMBs risk data security if they use free cloud storage, but nearly 25% still do, despite warnings from industry experts. In addition, new findings reveal that 11% of SMBs are storing banking information and 14% are storing medical records in free cloud storage, according to a survey of 293 SMBs by Clutch. HelpNetSecurity, November 11, 2016
Bridging the Gulf Between the IT and Security Teams : AUSTIN, Texas—The tales of a fundamental disconnect between the IT staff in many companies and the security staff in those same companies abound. eWeek, November 5, 2016
The Five Step Ransomware Defense Playbook: Over the past three years, ransomware has jumped into the spotlight of the cyber threat landscape; in fact the FBI estimates that $1 billion in losses will be incurred in 2016 from ransomware alone. Until recently, most ransomware attacks were opportunistic, targeting individual users’ or small businesses’ computers, and demanding just a few hundred dollars for an individual PC. ITSP Magazine, November 3, 2016
Cyber Law
Court Grants LabMD a ‘Stay’ of FTC Consent Order: A federal court of appeals has granted a temporary “stay,” or delay, in implementing the Federal Trade Commission’s consent order against LabMD. The move comes as the now-shuttered cancer testing laboratory pursues its appeal of the FTC’s July ruling in the longstanding dispute over the lab’s information security practices. HealthCare InfoSecurity, November 11, 2016
YAHOO TELLS SEC IT KNEW ABOUT DATA BREACH IN 2014: Yahoo fessed up in its latest SEC filing that it knew in 2014 that attackers were on its network and stole information from 500 million accounts. ThreatPost, November 10, 2016
Cyber Career
Grace Hopper 2016: Blazing New Trails for Diversity: If you are a computer scientist, you have either attended or heard of the Grace Hopper conference. Every year, tens of thousands of attendees come to “the world’s largest gathering of women technologists” to celebrate the best female minds in computing and their contributions to the field. ITSP Magazine, November 10, 2016
Making the transition from military technology to information security: Cybersecurity is a community of people who love technology and there is room for everyone. Some of us enjoy coding and creating new software, applications, cloud platforms or 3-D worlds – the possibilities are endless. Some of us in the community love to build things and are fascinated by how technology, in its many forms, can be intertwined to build networks as small as a server and a couple of desktops or as massive as international entities made of up thousands of endpoints that span the globe. Then there are some of us who have a passion to protect what is created, we love researching how our networks can be breached or how enterprises were compromised by malicious intruders. ITSP Magazine, November 9, 2016
There Is No Standard Career In Cybersecurity. However…: There is no standard career in cybersecurity. However, people generally work in one of three areas. First, building and/or running an information security program; this could be in a public or private company, or government entity. Second, for service providers, including professional services companies (such as Deloitte, E&Y, KPMG, PwC, etc.), advising clients in the first group as well as Value Added Resellers (VARs) that commonly provide selling combined with advisory services (such as Optiv). Third, for security vendors, companies like Symantec and Cisco, building and/or selling the products needed to protect data and systems. ITSP Magazine, November 1, 2016
Cybersecurity in Society
Cyber Attack
Russian ‘Dukes’ of Hackers Pounce on Trump Win: Less than six hours after Donald Trump became the presumptive president-elect of the United States, a Russian hacker gang perhaps best known for breaking into computer networks at the Democratic National Committee launched a volley of targeted phishing campaigns against American political think-tanks and non-government organizations (NGOs). KrebsOnSecurity, November 10, 2016
Hackers Use DDoS Attack To Cut Heat To Apartments: Residents of two apartment buildings in Lappeenranta, a city of around 60,000 people in eastern Finland, were literally left in the cold this weekend. The environmental control systems in their buildings stopped working, and it wasn’t because of a blackout. It was actually a DDoS attack that took them down. Forbes, November 7, 2016
National Cyber Security
Here’s Trump’s plan to stop hackers: The incoming Trump administration wants to audit the security of the federal government’s computer systems — a massive undertaking — and strengthen the hacking division of the U.S. military. CNN, November 11, 2016
Russian Hackers Target Think Tanks In Post-Election Attacks: According to security firm Volexity, staff at several U.S. political think tanks and numerous non-government organizations (NGOs) are the targets of a sophisticated new phishing campaign. Forbes, November 11, 2016
Essays: American Elections Will Be Hacked. Will We Be Ready?: It’s over. The voting went smoothly. As of the time of writing, there are no serious fraud allegations, nor credible evidence that anyone hacked the voting rolls or voting machines. And most important, the results are not in doubt. Schneier On Security, November 9, 2016
Cyber Defense
Facebook is buying up stolen passwords on the black market: Facebook shops for passwords sold on the online black market, buying up credentials from crooks to sniff out which ones its users are reusing, Chief Security Officer Alex Stamos said at the Web Summit in Lisbon on Wednesday. NakedSecurity, November 11, 2016
Sharing Threat Intel: Easier Said Than Done: For cyber intelligence-sharing to work, organizations need two things: to trust each other and better processes to collect, exchange, and act on information quickly. DarkReading, November 11, 2016
Why Browser Vendors Chose to Distrust 2 Certificate Authorities: A foundational element of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate system is that browser vendors need to trust the certificate authorities that issue certificates. eWeek, November 2, 2016
Cyber Gov
Who Gets Credit for Discovering a Government Hack? Was CyTech Stiffed After Diagnosing OPM breach?: On April 21, 2015, Ben Cotton visited the U.S. Office of Personnel Management in downtown Washington to pitch his small cybersecurity company, CyTech Services. He loaded proprietary diagnostic software onto five servers running on OPM’s network. Uh-oh, the chief executive told his hosts, “you’ve got a big problem here.” Bloomberg, October 28, 2016
Financial Cyber Security
Crypto Currency Use Seen Limited by Cybersecurity Concerns: Some economists believe we are making strides toward becoming a cashless society. But taking the wider view, the role of cash is changing as new kinds of cryptocurrencies such as bitcoin and Ethereum are becoming more popular, offering consumers more choices in terms of credit and payments. Whether cash continues to be king will hinge on the perception of cybersecurity and how it evolves with these alternative currencies. SecurityIntelligence, November 10, 2016
Tesco Bank: Raid on 20,000 Accounts Fuels Cybercrime Fears in U.K: Tesco Bank, owned by Britain’s biggest retailer Tesco, halted all online transactions on Monday after money was stolen from 20,000 accounts in the country’s first such cyber heist. Fortune, November 7, 2016
Internet of Things
The perfect cybercrime: selling fake followers to fake people: Hackers are recruting the internet of things into a botnet. But this time they’re not trying to take down the internet, just using them to make fake social media accounts – which they can sell to online narcissists to make an easy buck. New Scientist, November 11, 2016
Russian Banks Hit By IoT DDoS Attack: Five Russian banks have been under intermittent cyber-attack for two days, said the country’s banking regulator. BBC, November 10, 2016
Your WiFi-Connected Thermostat Can Take Down the Whole Internet. We Need New Regulations: Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the “Internet of Things” and increased regulation of what are now critical and life-threatening technologies. It’s no longer a question of if, it’s a question of when. Schneier On Security, November 3, 2016
Cyber Research
MIT students and others teaching IBM Watson about cybersecurity: Enterprise IT risks are growing seemingly faster than security professionals can keep up. Enter artificial intelligence as their latest defense mechanism. TechRepublic, November 11, 2016
The post Cybersecurity News of the Week, November 13, 2016 appeared first on Citadel Information Group.