Cyber Security News of the Week, January 1, 2017

Individuals at Risk

Cyber Privacy

Airline passenger details easy prey for hackers, say researchers: The worldwide system used to coordinate travel bookings between airlines, travel agents, and price comparison websites is hopelessly insecure, according to researchers. The Guardian, December 30, 2016

Nevada Medical Marijuana Data Breach Highlights Need For Industry Information Security: News broke yesterday that over 11,000 people had their personally identifiable information breached after a State of Nevada medical marijuana database was hacked. Application information was compromised, including applicants’ name, social security number, race, address, and citizenship information. The State of Nevada has come out saying that no patient information was part of the breach. Weed News, December 29, 2016

The Year Encryption Won: Between the revelations of mega-hacks of Yahoo and others, Russia’s meddling in the US electoral system, and the recent spike in ransomware, it’s easy to look at 2016 as a bleak year for security. It wasn’t all so, though. In fact, the last 12 months have seen significant strides in one of the most important aspects of personal security of all: encryption. Wired, December 23, 2016

EU court slams indiscriminate data collection, opening challenge to British cyber law: The law requires telecommunications companies to store the web and message history of Britons for the government to access. But Europe’s highest court ruled such a law is unjustifiable in a democratic society. Christian Science Monitor, December 21, 2016

Cyber Update

PHPMailer, SwiftMailer Updates Resolve Critical Remote Code Execution Vulnerabilities: Critical remote code execution vulnerabilities in two different libraries used to send emails via PHP were patched this week. ThreatPost, December 29, 2016

Information Security Management in the Organization

Cyber Awareness

Mitigating internal risk: Three steps to educate employees: IT security is usually focused on how to prevent outsiders with malicious intent from causing harm to your IT systems and data. While this is a valid concern, people within organizations who simply do not understand the consequences of their everyday habits and behavior on company computers pose an equivalent if not greater risk. HelpNetSecurity, December 20, 2016

Information Security Professional

5 Great ‘Starter’ Cybersecurity Certifications: Looking for a career change in the new year? There’s no better time to consider a career in cybersecurity: U.S. businesses and government agencies are spending billions of dollars each year to protect their data and assets from malicious attacks, with Forbes reporting that $170 billion will be spent worldwide by 2020. BusinessNewsDaily, December 28, 2016

Cyber Law

Op-ed: Five unexpected lessons from the Ashley Madison breach: On December 14, 2016, the Federal Trade Commission settled a complaint with the company running the adult finder site Ashley Madison over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices. ars technica, December 29, 2016

New York Financial Services Regulator Issues Revisions to Proposed Cybersecurity Regulation: Today, the New York Department of Financial Services (DFS) released a revised version of the proposed cybersecurity regulations that it first issued in September. According to a press release issued by DFS Superintendent Vullo, the new version of the proposed rules will be finalized following a 30-day notice and public comment period. Alston & Bird, December 26, 2016

Cyber Security in Society

Cyber Crime

Topps Customer Database Potentially Breached by Hackers: The Topps Now program has been a brilliant way for collectors to get cards of the day’s top stories. However, that platform also became a target for hackers, as customer information may have been compromised. Fox Sports, December 30, 2016

Cornell breached in 2014 by what it believes were Government-Sponsored hackers: When two Cornell network administrators began a routine investigation into why a University website had rebooted, they had no idea they would be handing their passwords over to a hacking group sponsored by a foreign government possibly seeking “revenge” against the United States. CornelSun, December 29, 2016

Holiday Inn Parent IHG Probes Breach Claims: InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, says it is investigating claims of a possible credit card breach at some U.S. locations. KrebsOnSecurity, December 28, 2016

Miami Beach ‘Still Reeling’ From $3.6 Million Bank Fraud: MIAMI BEACH — City Commissioner Kristen Rosen Gonzalez is still shell shocked after being informed by the city manager last week that $3.6 million of taxpayer funds had been siphoned out of an online account at SunTrust Bank. She said that officials are not ruling out the possibility of legal action against the bank. Miami Beach Patch, December 27, 2016

Cyber Attack

Ukrainian Power Grid Blackout May Have Been Cyber Attack: Reports emerging this week in Ukraine suggest that a blackout affecting the country’s national power company, Ukrenergo, may have been the result of a hack attack. BankInfoSecurity, December 23, 2016

Know Your Enemy

KillDisk Disk-Wiping Malware Adds Ransomware Component: A malware family previously used to sabotage computers by deleting and rewriting files has added a ransomware component, now encrypting files and demanding a huge ransom. BleepingComputer, December 29, 2016

Playing the blame game: Breaking down cybersecurity attribution: Attributing the adversary behind a cyber attack ranks as perhaps the hardest challenge in all of cyber security, well beyond securing networks from intrusions, for the simple reason that bits are simply bits and do not belong to any single person. In other words, I can flawlessly copy any digital content including malware and other attack exploits and re-use it without leaving behind my personal fingerprints. Furthermore, I can leverage existing infrastructure or other people’s machines I’ve compromised to run my attacks from someone you might be inclined to blame for political reasons to exploit the confirmation bias people inherently have. HelpNetSecurity, December 19, 2016

National Cyber Security

Obama Strikes Back at Russia for Election Hacking: WASHINGTON — President Obama struck back at Russia on Thursday for its efforts to influence the 2016 election, ejecting 35 suspected Russian intelligence operatives from the United States and imposing sanctions on Russia’s two leading intelligence services. The New York Times, December 29, 2016

How Russia Recruited Elite Hackers for Its Cyberwar: MOSCOW — Aleksandr B. Vyarya thought his job was to defend people from cyberattacks until, he says, his government approached him with a request to do the opposite. The New York Times, December 29, 2016

Following the Links From Russian Hackers to the U.S. Election: The Obama administration announced sanctions on Thursday against Russia and released a report that stated that the Russian government deployed computer hackers to attack the Democratic Party’s computers. The New York Times, December 29, 2016

DHS and FBI Report on Russian Hacking of DNC to Influence Election: The F.B.I. and Department of Homeland Security released a report on Thursday detailing the ways that Russia acted to influence the American election through cyberespionage. The New York Times, December 29, 2016

Internet of Things

Drones, IoT influencing information security regulations: Calls are growing louder for information security regulations to target consumer-centric technology such as the IoT and drones, but legislating their use could prove difficult. SearchCompliance, December 2016

Cyber Enforcement

Police ask: “Alexa, did you witness a murder?”: In November of 2015, former Georgia police officer Victor Collins was found dead in a backyard hot tub at the Bentonville, Arkansas, home of acquaintance James Andrew Bates. Bates claimed it was an accidental drowning when he contacted police at 9:30am, claiming he had gone to bed and left Collins and another man behind in the tub. But Bentonville Police investigators determined that Collins had died after a fight, while being strangled and held underwater—and that Bates was the only person at the scene at the time. Now investigators have reportedly served a search warrant to Amazon in hopes of getting testimony from a possible witness: the Amazon Echo that was streaming music near the hot tub when they arrived at the scene. ars technica, December 28, 2016

Cyber Stupid

GOP rep: Russia ‘did what the media should have done’ if info accurate: Rep. Trent Franks (R-Ariz.) on Thursday appeared to praise the publication of Democratic emails, believed to be stolen by Russian operatives, on WikiLeaks. The Hill, December 29, 2016

Cyber Sunshine

Online Bank Fraud Hacker Arrested After Failing to Cover Tracks: Memo to would-be cybercriminals: Want to move stolen money internationally to bank accounts that you control? Need to route funds to a few money mules to get it laundered? Don’t do it from a system tied to an IP address registered to your home. BankInfoSecurity, December 21, 2016

Cyber Miscellany

Congrats Brian!!! Happy Seventh Birthday to KrebsOnSecurity!: Hard to believe it’s time to celebrate another go ’round the Sun for KrebsOnSecurity! Today marks exactly seven years since I left The Washington Post and started this here solo thing. And what a remarkable year 2016 has been! KrebsOnSecurity, December 29, 2016

Wave of cybersecurity breaches is no surprise to expert exposing online crime: Brian Krebs does not use heroin, but sometimes people send it to him anyway. The 43-year-old Alabama native writes Krebs on Security, a one-man operation focused on digital crime. His encyclopedic knowledge of the subject and his network of contacts has made his blog essential reading for anyone interested in cybercrime and a coveted lecturer at some of the biggest companies in the world. It has also made him some dangerous enemies – hence the heroin, meant as a sinister, silencing message. The Guardian, December 23, 2016

The post Cyber Security News of the Week, January 1, 2017 appeared first on Citadel Information Group.