Individuals at Risk
Cyber Update
WordPress 4.7.2 Update Fixes XSS, SQL Injection Bugs: Developers with WordPress fixed three security issues this week, including a cross-site scripting and a SQL injection vulnerability, with the latest version of the CMS. ThreatPost, January 27, 2017
Cyber Warning
Remote attackers can force Samsung Galaxy devices into never-ending reboot loop: A single SMS can force Samsung Galaxy devices into a crash and reboot loop, and leave the owner with no other option than to reset it to factory settings and lose all data stored on it. HelpNetSecurity, January 27, 2017
Fake Netflix app infecting Android users with data-stealing malware: Android users need to be wary as a fake app that can steal precious data is on the prowl. TechTimes, January 27, 2017
Hackers launch major attack against PayPal users: Hackers have launched a major attack against PayPal users that’s meant to trick the company’s customers into providing information that could end up costing them money and their identity. San Diego Union Tribune, January 27, 2017
Cyber Defense
7 Ways To Protect Your Private Cellphone Data From Hackers: With so many scary headlines about data breaches and ID theft hitting the news cycle, you’ve probably loaded your home computer with antivirus software, installed a firewall and created strong password protection. Forbes, January 27, 2017
Gmail will block JavaScript attachments – a common source of malware – after February 13: Starting Feb. 13, Google will no longer allow JavaScript attachments on its Gmail service, killing one of the main methods of malware distribution over the past two years. CIO, January 27, 2017
Debate over value of 3rd-party antivirus solutions: Former Firefox developer Robert O’Callahan, now a free agent and safe from the PR tentacles of his corporate overlord, says that antivirus software is terrible, AV vendors are terrible, and that you should uninstall your antivirus software immediately—unless you use Microsoft’s Windows Defender, which is apparently okay. ars technica, January 27, 2017
Facebook Offers USB Security Key Authentication in Move to Strengthen Access Security: Facebook is giving privacy-minded users looking to fortify their accounts yet another layer of security. ThreatPost, January 26, 2017
Nearly 200 critical vulnerabilities found in 11 Trend Micro products: Trend Micro is one of the biggest names in cybersecurity, an $120 billion industry that promises to deflect a significant chunk of attacks hitting customers. But Trend and many of its peers are themselves creating software vulnerable to hacks, as proven by two researchers who’ve found and reported more than 200 flaws across the Japanese company’s suite of products since July 29 last year. Forbes, January 25, 2017
Information Security Management in the Organization
Information Security Management and Governance
SMB’s still largely unprepared for ransomware attack according to new Ponemon report: The St. Louis Public Library (SLPL) system has become the latest to recover from a ransomware attack without paying a dime in ransom money, even as a new survey shows that organizations overall continue to be more inclined to pay up than not in a similar situation. DarkReading, January 26, 2017
Vendor security challenges illustrated in HIPAA BAA world as vendors reluctant to accept risk: Like any compliance program, a robust program for managing Business Associates (“BA”) isn’t something you should find and copy from the Internet or create through simply attending seminars and conferences – yet many programs today are developed by smart people who begin their indoctrination in just these ways. InsideCounsel, January 20, 2017
Cybercriminals stealing sensitive client data from law firms. Time to check your counsel’s security?: In a case of “cyber meets securities fraud,” the United States Attorney’s Office for the Southern District of New York (“SDNY”) recently indicted three foreign nationals on charges of insider trading, wire fraud, and computer hacking for allegedly trading on information they stole from the computer networks of two major New York law firms.1 A parallel enforcement action brought by the Securities and Exchange Commission – its first time bringing civil charges based on the hacking of a law firm’s computer network – alleges insider trading and other violations of the Securities Exchange Act of 1934.2 The case is a wake-up call that hackers are becoming more creative both in their choice of victims and in how they use the information they steal, requiring companies to reconsider what type of data is prone to hacking and whether their security protocols are sufficient to detect and prevent it. It is also a reminder to certain federal and state regulated entities that they may soon have to comply with new cybersecurity rules requiring robust policies and procedures governing how confidential data and computer networks are handled and protected. National Law Review, January 18, 2017
Cyber Warning
Phishers’ new social engineering trick: PDF attachments with malicious links: It is – or it should be – a well known fact that attackers occasionally email potential victims with PDF attachments containing malware or exploit code. HelpNetSecurity, January 27, 2017
Cyber Defense
Microsoft spends $1B annually on cybersecurity R&D as cyber attacks increase 30-fold in last years: Microsoft plans to continue investing more than $1 billion annually on cybersecurity R&D in the coming years, according to Bharat Shah, vice president of security at Microsoft, speaking to Reuters at Microsoft’s BlueHat cybersecurity conference in Tel Aviv this week. CIODIve, January 27, 2017
Cyber Talent
Pay for experts to rise as cybercrime ‘to cost $6tn a year by 2021’: IT security is one of those odd industries: everybody wishes it were not necessary, but accepts it has to be there. This is why, if you’re a specialist in it, your skills are going to become increasingly prized in 2017. Recruitment consultancy Robert Walters is therefore predicting a payrise for specialists in security and analytics. NakedSecurity, January 27, 2017
Cyber Security in Society
Cyber Attack
Hackers target campaign website of chair of California Legislature’s LGBT caucus: SACRAMENTO, Calif. (AP) — Hackers have targeted the California Legislature’s LGBT caucus chairman by interfering with his campaign website. DailyProgress, January 27, 2017
Lloyds Bank Hit with Massive DDoS Attack in Ransomware Bid A group of at least two hackers has tried to extort a ransom payment from the Lloyds Banking Group according to a copy of an email the hackers sent to a high-ranking executive. BleepingComputer, January 23, 2017
Know Your Enemy
The Dark Web Marketplace: A Shopping Center for Attackers: Security threats are constantly evolving, and cybercriminals are quick to adopt new technologies. They even developed their own sophisticated ecosystem. Security Intelligence, January 27, 2017
Ripper.cc Helps Cyber Criminals Avoid Getting Scammed by Other Cyber Criminals: Crooks lurking around the Internet’s underbelly have created a service called Ripper.cc, a database of known and proven fraudsters. BleepingComputer, January 25, 2017
National Cyber Security
Russia arrests 3 for treason. Russian press connects them to election hacks of AZ & IL: WASHINGTON — Ever since American intelligence agencies accused Russia of trying to influence the American election, there have been questions about the proof they had to support the accusation. The New York Times, January 27, 2017
Trump said to prepare Executive Order to review US cybersecurity capabilities & vulnerabilities: President Trump is reportedly preparing to issue an executive order calling for a review of the nation’s cybersecurity capabilities and vulnerabilities. BankInfoSecurity, January 27, 2017
Stewart Baker Interviewa Harvard Law Prof Jack Goldsmith, co-founder of Lawfare: Our guest interview is with Jack Goldsmith, Shattuck Professor of Law at Harvard and co-founder of Lawfare. We explore his contrarian view of how to deal with Russian hacking, which leads to me praising (or defaming, take your pick) him as a Herman Kahn for cyberconflict. Except what’s unthinkable in this case are his ideas for negotiating, not fighting, with the Russians. Steptoe Cyberblog, January 24, 2017
Cyber Law
Trump Executive Order may keep U.S. businesses from legally transferring EU citizens’ PII to US servers: European officials are asking the United States if the EU-U.S. deal for sharing individuals’ personal information among businesses – dubbed the Privacy Shield – should be considered null and void as a result of an executive order issued by President Donald Trump. BankInfoSecurity, January 27, 2017
Microsoft Prevails in Case Involving Stored Emails: Microsoft has prevailed after a U.S. appeals court reaffirmed the company does not have to turn over emails that are stored overseas to federal authorities investigating a crime. The closely watched case explored the territorial boundaries of U.S. law in the cloud computing age. BankInfoSecurity, January 25, 2017
FTC Staff Releases Report on Cross-Device Tracking: The Federal Trade Commission (FTC) recently released its staff report on Cross-Device Tracking. Alston&Bird, January 2017
Financial Cyber Security
ATM ‘Shimmers’ Target Chip-Based Cards: Several readers have called attention to warnings coming out of Canada about a supposedly new form of card skimming called “shimming” that targets chip-based credit and debit cards. Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Here’s a brief primer on shimming attacks, and why they succeed. KrebsOnSecurity, January 27, 2017
Dridex Returns With Windows UAC Bypass Method: After a six-month hiatus, the Dridex banking malware is back and targeting large financial institutions in the U.K with a new technique that can bypass Windows User Account Control (UAC). ThreatPost, January 27, 2017
Card-Not-Present Fraud Picking Up In US: Card-not-present (CNP) fraud is increasing as cyber thieves are showing they are quite able to use both technology and stolen payment card data to defraud retailers around the world. PYMNTS, January 18, 2017
Cyber Standard
Bipartisan legislation introduced in House to identify/develop car cybersecurity best practices: A bipartisan bill was introduced in the House of Representatives on Wednesday with a major focus on automotive cybersecurity. The Security and Privacy in Your Car Study Act of 2017 (SPY Car Study Act, for short) is co-sponsored by Reps. Joe Wilson (R-SC) and Ted Lieu (D-CA). ars technica, January 25, 2017
Cyber Sunshine
Celebgate hacker who stole nude photos gets nine months in jail: Edward Majerczyk, 29, pleaded guilty in September to prying open more than 300 iCloud and Gmail accounts – at least 30 of them belonging to Hollywood glitterati – and ripping off what the US Attorney’s Office demurely refers to as his victims’ “sensitive and private photographs and videos”. NakedSecurity, January 27, 2017
Organized cybercrime gang brought down by international police cooperation, says Europol: Five members of an international organised cybercrime group have been arrested and three of them convicted so far as a result of a investigation by law enforcement agencies from Europe and Asia. ZDNet, January 27, 2017
Site that sold access to 3.1 billion passwords vanishes after reported raid: LeakedSource, a legally and ethically questionable website that sold access to a database of more than 3.1 billion compromised account passwords, has disappeared amid an unconfirmed report that its operator was raided by law enforcement officers. ars technica, January 26, 2017
The post Cyber Security News of the Week, January 29, 2017 appeared first on Citadel Information Group.