Cyber Security News of the Week, December 25, 2016

Individuals at Risk

Identity Theft

What the technical words in breach disclosure letters mean: When companies tell you your data was stolen, it’s not always clear what really happened. Here’s what the terms mean. CNet, December 21, 2016

Cyber Privacy

Clever Facebook Hack Reveals Private Email Address of Any User: Christmas came early for Facebook bug bounty hunter Tommy DeVoss who was paid $5,000 this week for discovering a security vulnerability that allowed him to view the private email addresses of any Facebook user. ThreatPost, December 23, 2016

Worried About the Privacy of Your Messages? Download Signal: By the time you finish reading this column, you would be foolish not to download the messaging app Signal onto your smartphone and computer. The New York Times, December 7, 2016

Cyber Warning

Dallas NBC5 Demonstrates How Hackers Can Steal Your Identity When Using Public Wi-Fi: When there’s downtime, let’s face it, we get online. And although there are free Wi-Fi hotspots just about everywhere, hackers are using those to access your personal information. NBCDFW, December 23, 2016

Cyber Defense

Groupon fraud lesson: Different passwords for different websites: A number of Groupon users have seen hundreds of pounds stolen, as hackers snap up expensive goods using their accounts. The first sign of unapproved activity popped up earlier this month, with Groupon account holders receiving confirmation emails for products they hadn’t purchased. IT security experts from Varonis, Alert Logic, NSFOCUS, Comparitech.com, Lieberman Software and ESET commented below. InformationSecurityBuzz, December 23, 2016

Before You Pay that Ransomware Demand…: A decade ago, if a desktop computer got infected with malware the chief symptom probably was an intrusive browser toolbar of some kind. Five years ago you were more likely to get whacked by a banking trojan that stole all your passwords and credit card numbers. These days if your mobile or desktop computer is infected what gets installed is likely to be “ransomware” — malicious software that locks your most prized documents, songs and pictures with strong encryption and then requires you to pay for a key to unlock the files. KrebsOnSecurity, December 22, 2016

Information Security Management in the Organization

Information Security Management and Governance

ESG and ISSA publish management research “Through the Eyes of Cyber Security Professionals.”: By now, everyone in our industry has provided 2017 cybersecurity predictions, and I’m no exception. I participated in a 2017 infosec forecast webcast with industry guru Bruce Schneier, and ESG also published a video where I exchanged cybersecurity prophecies with my colleague Doug Cahill. NetworkWorld, December 22, 2016

Vendor Risk Management: Health Insurer Blames IT Vendor for Breach Affecting 400,000 Individuals: Community Health Plan of Washington, a not-for-profit insurance company, says a security vulnerability on the computer network of a business associate that provides it with technical services resulted in a breach affecting nearly 400,000 individuals. GovInfoSecurity, December 22, 2016

Survey Finds Considerable Improvement Opportunities in Vendor Risk Management Programs: Findings suggest increased regulatory scrutiny is contributing to program growth and maturity. InformationSecurityBuzz, December 21, 2016

Cyber Defense

Here is Your Cybersecurity Budget. Spend It Wisely: I know, in reading the headline it seems obvious, doesn’t it? But that’s just it. Sometimes the obvious isn’t so obvious. It seems that many businesses believe they are protected because they have a security person, IT supports that person, they have firewalls, they get an annual penetration test, and they “fix” things the test finds. Sounds about right? ITSP Magazine, December 21, 2016

Cyber Security in Society

National Cyber Security

Obama Signs Bill Elevating Cybercom to Full Command: President Barack Obama signed Friday the National Defense Authorization Act, legislation that includes a provision he opposes to leave the leader of the newly-elevated U.S. Cyber Command as the head of the National Security Agency as well. BankInfoSecurity, December 23, 2016

Crowdstrike Ties DNC Hackers to Ukrainian Artillery Hack: The same family of malware that was used to hack into U.S. Democratic National Committee systems has also been found infecting an Android app used by artillery units defending eastern Ukraine after Russia invaded Crimea in 2014, according to the cybersecurity firm Crowdstrike. BankInfoSecurity, December 22, 2016

Cybersecurity firm finds evidence that Russian military unit was behind DNC hack: A cybersecurity firm has uncovered strong proof of the tie between the group that hacked the Democratic National Committee and Russia’s military intelligence arm — the primary agency behind the Kremlin’s interference in the 2016 election. The Washington Post, December 22, 2016

Stewart Baker Interviews Matthew Green, Johns Hopkins InfoSec Institute: Fresh off a redeye from Israel, I interview Matthew Green of the Johns Hopkins Information Security Institute. Security news from the internet of things grows ever grimmer, we agree, but I get off the bus when Matt and the EFF try to solve the problem with free speech law. Steptoe Cyberblog, December 19, 2016

Russia and Cyber Operations: Challenges and Opportunities for the Next U.S. Administration: Summary: Russian cyber operations against the United States aim to both collect information and develop offensive capabilities against future targets. Washington must strengthen its defenses in response. Carnegie Endowment for International Peace, December 13, 2016

Cyber Crime

Russian Cyberforgers Steal Millions a Day With Fake Sites: SAN FRANCISCO — In a twist on the peddling of fake news to real people, researchers say a Russian cyberforgery ring has created more than half a million fake internet users and 250,000 fake websites to trick advertisers into collectively paying as much as $5 million a day for video ads that are never watched. The New York Times, December 20, 2016

Report: $3-5M in Ad Fraud Daily from ‘Methbot’: New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video advertising networks each day. Experts say the scam relies on a vast network of cloaked Internet addresses, rented data centers, phony Web sites and fake users made to look like real people watching short ad segments online. KrebsOnSecurity, December 20, 2016

Cyber Privacy

European Union Information Security Advisory Argues Against Mandating Encryption Backdoors: More and more entities involved in government work are coming out in support of encryption. (Unfortunately, many governments are still periodically entertaining backdoor legislation…) While recognizing the limits it places on law enforcement and surveillance agencies, they’re not quite willing to sacrifice the security of everyone to make work easier for certain areas of the government. TechDirt, December 21, 2016

Congressional report sides with privacy advocates against backdoors in encryption debate: The U.S. is better off supporting strong encryption than trying to weaken it, according to a new congressional report that stands at odds with the FBI’s push to install backdoors into tech products. PCWorld, December 20, 2016

Cyber Defense

More Than 50% Of Biggest Holiday Retailers May Not Be PCI-Compliant: SecurityScorecard warns while the industry has made progress, many are still not covering the basics of security. DarkReading, December 22, 2016

Apple drops requirement for apps to use HTTPS by 2017: One of the initiatives Apple trumpeted at its 2016 WorldWide Developer Conference was a requirement for all iOS and OS X apps in its Store to adopt App Transport Security as of December 31st 2016. TheRegister, December 23, 2016

NTIA Report Goes Inside The Vulnerability Disclosure Ecosystem: Report released by NTIA stakeholders offers new information on how organizations respond to security vulnerabilities – and what researchers think. DarkReading, December 22, 2016

Know Your Enemy

TIME Person of the Year Runner Up: Hackers: Hackers have a bad name everywhere, it seems, except in Silicon Valley, founded as it was on the virtues of creatively overcoming technical limits by any means. This tradition produced the likes of Bill Gates, Steve Wozniak and Mark Zuckerberg, who, on the eve of Facebook’s initial public offering four years ago, lamented the “unfairly negative connotation” of the word. Hacking, he wrote, “just means building something quickly or testing the boundaries of what can be done. Like most things, it can be used for good or bad.” Time, December 20, 2016

How cybercriminals use domain-generating algorithms to stay one step ahead of defenders: Cybercriminals use domain-generating algorithms to prevent their servers from being blacklisted or taken down. DarkReading, December 21, 2016

Playing the blame game: Breaking down cybersecurity attribution: Attributing the adversary behind a cyber attack ranks as perhaps the hardest challenge in all of cyber security, well beyond securing networks from intrusions, for the simple reason that bits are simply bits and do not belong to any single person. In other words, I can flawlessly copy any digital content including malware and other attack exploits and re-use it without leaving behind my personal fingerprints. Furthermore, I can leverage existing infrastructure or other people’s machines I’ve compromised to run my attacks from someone you might be inclined to blame for political reasons to exploit the confirmation bias people inherently have. HelpNetSecurity, December 19, 2016

Cyber Law

Art Dealer Sues Berkshire Bank Over $1,000,000 Cyber Fraud: Berkshire Bank was the alleged target of an increasingly common type of cyberheist this fall that bilked a longtime customer out of more than $1 million, according to a lawsuit filed this week. Boston Globe, December 22, 2016

Governors Recommend Aligning State Privacy Laws with HIPAA: The National Governors Association, in a new road map for improving nationwide secure health data exchange, proposes that states attempt to better align their privacy laws to the federal HIPAA Privacy Rule to help remove legal barriers. HealthcareInfoSecurity, December 20, 2016

Ashley Madison Settles FTC, State Charges From 2015 Data Breach That Exposed Info on 36 Million Users: The operators of the Toronto-based AshleyMadison.com dating site have agreed to settle Federal Trade Commission and state charges that they deceived consumers and failed to protect 36 million users’ account and profile information in relation to a massive July 2015 data breach of their network. The site has members from over 46 countries. FTC, December 14, 2016
