Individuals at Risk
Cyber Privacy
People Are Praising Pope Francis for Taking Cybersecurity Very Seriously: He has 10.2 million followers on Twitter, opened an Instagram account last year, has met with tech executives, sold his old iPad for a good price, and addressed mankind’s pervasive use of gadgets in his teachings. Fortune, January 5, 2017
Cyber Update
Google Patches Android Custom Boot Mode Vulnerability: A high-risk Android custom boot mode vulnerability was one of many bugs patched by Google as part of its January Android Security Bulletin released earlier this week. On Thursday, the IBM security team that discovered the vulnerability disclosed details about the flaw which leaves Nexus 6 and P6 model handsets open to denial of service and elevation of privilege attacks. ThreatPost, January 6, 2017
Cyber Warning
Tech Support Scammers Targeting Mac Users with DoS attacks: The IT security firm has revealed that scammers are targeting Apple‘s Mac users with a new kind of malware that hijacks its Mail App and Safari browser to conduct denial of service (DOS) attacks. HackReed, January 6, 2017
Cyber Defense
Top 5 Free Encryption Messaging Apps: This year saw an increase in the level of security for some major messaging services, including Facebook Messenger and WhatsApp. Yahoo, December 30, 2016
Information Security Management in the Organization
Information Security Management and Governance
Strong Cybersecurity Talent in Short Supply in Face of Rising Demand: Can armies of interns close the cybersecurity skills gap? asked a Fast Company story in September of 2016. Not likely. In the U.S., and internationally, there’s not enough cybersecurity grads — or computer science grads with cyber credits. In the U.S., students can graduate from some of the top computer science programs with little to no cybersecurity courses. CSO, January 6, 2017
Cyber Warning
Cyber Criminals Using Twitter To Snatch Bank Info From Unsuspecting Customers: Cyber criminals are waiting for banks to have online technical difficulties and then step in to target bank customers who complain about technical problems online. Using fake Twitter accounts that look just like the banks, they trick customers into handing over their banking credentials. Robert Capps, VP of Business Development at NuData Security commented below. InformationSecurityBuzz, January 7, 2017
Hackers Target Schools With Ransomware By Mimicking Department Of Education: Following the news that hackers are sending ransomware-infected emails directly, to head teachers after posing as officials from the Department of Education. The cyber criminals have been gaining email addresses by calling schools and offering exam guidance or mental health assessments. The ransom is believed to be up to £8,000. Fraser Kyne, EMEA CTO at Bromium commented below. InformationSecurityBuzz, January 7, 2017
KillDisk Ransomware Gets Update. Encrypts files, demands ransom & leaves Linux systems unbootable: Disk-wiping malware known as KillDisk, which has previously been used in hack attacks tied to espionage operations, has been given an update. Now, the malware works on Linux as well as Windows systems and also includes the ability to encrypt files, demand a bitcoin ransom and leave Linux systems unbootable. BankInfoSecurity, January 6, 2017
Cardless ATM” Fraud Danger As Cyber Criminals Use Stolen Passwords: Some financial institutions are now offering so-called “cardless ATM” transactions that allow customers to withdraw cash using nothing more than their mobile phones. But as the following story illustrates, this new technology also creates an avenue for thieves to quickly and quietly convert stolen customer bank account usernames and passwords into cold hard cash. Worse still, fraudulent cardless ATM withdrawals may prove more difficult for customers to dispute because they place the victim at the scene of the crime. KrebsOnSecurity, January 5, 2017
Cyber Danger
4 information security threats that will dominate 2017: The Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017. Supercharged connectivity and the IoT will bring unmanaged risks. Crime syndicates will take quantum leap with crime-as-a-service. New regulations will bring compliance risks. Brand reputation and trust will be a target.
Cyber Defense
Class Breaks – What They Are and the Magnitude of Their Danger: There’s a concept from computer security known as a class break. It’s a particular security vulnerability that breaks not just one system, but an entire class of systems. Examples might be a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system’s software. Or a vulnerability in Internet-enabled digital video recorders and webcams that allow an attacker to recruit those devices into a massive botnet. Schneier on Security, December 30, 2016
Cyber Security in Society
National Cyber Security
Intelligence Agency Report Attributing Breach of DNC to Russia: “Assessing Russian Activities and Intentions in Recent US Elections” is a declassified version of a highly classified assessment that has been provided to the President and to recipients approved by the President. Office of the Director of National Intelligence, January 6, 2017
What Intelligence Agencies Concluded About the Russian Attack on the U.S. Election: The office of the director of national intelligence on Friday released a long-awaited unclassified version of its report for President Obama on what the intelligence agencies said was a multifaceted attempt to influence the 2016 presidential election. The report included only the agencies’ conclusions, not the actual intelligence or technical information on which they were based. The New York Times, January 6, 2017
Why Proving the Source of a Cyberattack is So Damn Difficult: President Barack Obama’s public accusation of Russia as the source of the hacks in the US presidential election and the leaking of sensitive emails through WikiLeaks and other sources has opened up a debate on what constitutes sufficient evidence to attribute an attack in cyberspace. The answer is both complicated and inherently tied up in political considerations. Schneier on Security, January 5, 2017
White House fails to make case that Russian hackers tampered with election: Talk about disappointments. The US government’s much-anticipated analysis of Russian-sponsored hacking operations provides almost none of the promised evidence linking them to breaches that the Obama administration claims were orchestrated in an attempt to interfere with the 2017 presidential election. ars technica, December 30, 2016
Krebs Opines on the DNC Hack … and Other Cyber Incidents: Over the past few days, several longtime readers have asked why I haven’t written about two stories that have consumed the news media of late: The alleged Russian hacking attacks against the U.S. Democratic National Committee (DNC) and, more recently, the discovery of malware on a laptop at a Vermont power utility that has been attributed to Russian hacker groups. KrebsOnSecurity, January 3, 2017
Task Force Issues ‘From Awareness to Action: A Cybersecurity Agenda for the 45th President: A task force co-chaired by two U.S. lawmakers and a former federal CIO is issuing a 34-page report recommending a cybersecurity agenda for the incoming Trump administration. The report recommends the new administration jettison outdated ways the federal government tackles cybersecurity, noting: “Once-powerful ideas have been transformed into clichés.” BankInfoSecurity, January 4, 2017
DHS Designates Election Facilities as Critical Infrastructure, Ups Cybersecurity Assistance: The U.S. Department of Homeland Security Friday designated U.S. election infrastructure as critical, widening the options the government has to protect voting machines from cyberattacks. Voice of America, January 7, 2017
DHS head: Nation’s cybersecurity has improved, but work remains: An exit memo authored by Secretary of Homeland Security Jeh C. Johnson outlined a number of DHS cybersecurity accomplishments achieved during the Obama administration but warned that “more work remains to be done.” CIODive, January 6, 2017
How Hackers Could Jam 911 Emergency Calls: It’s not often that any one of us needs to dial 911, but we know how important it is for it to work when one needs it. It is critical that 911 services always be available—both for the practicality of responding to emergencies, and to give people peace of mind. But a new type of attack has emerged that can knock out 911 access—our research explains how these attacks occur as a result of the system’s vulnerabilities. We show how these attacks can create extremely serious repercussions for public safety. FastCompany, January 6, 2017
Stewart Baker Cyberlaw Podcast – News Roundup: We start 2017 the way we ended 2017, mocking the left/lib bias of stories about intercept law. Remember the European Court of Justice decision that undermined the UK’s new Investigatory Powers Act and struck down bulk data retention laws around Europe? Yeah, well, not so much. Maury Shenk walks us through the decision and explains that it allows bulk data retention to continue for “serious” crime, which is really the heart of the matter. Steptoe Cyberblog, January 3, 2017
Cyber Law
FTC Charges D-Link With Unsecure Routers And IP Cameras: Federal Trade Commission voices concerns in US district court that D-Link products had put consumers’ privacy at risk. DarkReading, January 6, 2017
Cyber Standard
Integrate Cyber Security Into Product Life Cycle Says FDA to Medical Devices Manufacturers: Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan. FDA, December 27, 2016
Critical Infrastructure
Fixing Critical Infrastructure Means Securing The IT Systems That Support It: IT security can mean the difference between life and death, just as much as a well-designed bridge. DarkReading, January 6, 2017
Hacker threats to smart power grids: Europe is investing in power grids that save consumers money and easily handle surges from wind and solar sources — features critical to curbing climate change and cutting the Continent’s reliance on coal. But these electricity networks of the future also create big risks. Politico, January 4, 2017
Internet of Things
Bosch at CES 2017 puts focus on airtight end-to-end cybersecurity for next generation of connected cars: Cars are already computerized out the wazoo, but the next generation of connected cars will present plenty of opportunities for digital malcontents to compromise car systems. Bosch, a supplier for a wide variety of automakers, thinks it has solutions to this problem at its CES 2017 stand. CNet, January 6, 2017
The FTC’s Internet of Things (IoT) Challenge: One of the biggest cybersecurity stories of 2017 was the surge in online attacks caused by poorly-secured “Internet of Things” (IoT) devices such as Internet routers, security cameras, digital video recorders (DVRs) and smart appliances. Many readers here have commented with ideas about how to counter vulnerabilities caused by out-of-date software in IoT devices, so why not pitch your idea for money? Who knows, you could win up to $25,000 in a new contest put on by the U.S. Federal Trade Commission (FTC). KrebsOnSecurity, January 4, 2017
The post Cyber Security News of the Week, January 8, 2017 appeared first on Citadel Information Group.