Individuals at Risk
Identity Theft
Identity fraud rises 16% to record high: The number of identity fraud victims increased by sixteen percent (rising to 15.4 million U.S. consumers) in the last year, according to Javelin Strategy & Research. Their study found that despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year with the amount fraudsters took rising by nearly one billion dollars to $16 billion. HelpNetSecurity, February 2, 2017
Cyber Warning
A New Farmville-Facebook-PayPal Triple Combo Phishing Scam: Farmville was once the most played game on Facebook, with over 80 million players worldwide, but although its popularity has declined significantly since then, it still has over 30 million followers. So, it’s not at all surprising that cybercriminals have chosen this group as their phishing target. Information Security Buzz, February 3, 2017
Information Security Management in the Organization
Information Security Management and Governance
Cisco 2016 survey says 1/3 of breached organizations reported a revenue loss of over 20%: Companies need to implement strategic cybersecurity processes to stay better protected against the increasing threat of cyberattacks, a new survey has suggested. WeLiveSecurity, February 2, 2017
Organizations still struggle to integrate information security management into their risk management strategy: Organizations struggling with risk management are more concerned about brand damage than cyberattacks, new Ponemon study shows. DarkReading, February 2, 2017
Cisco 2017 Cybersecurity Report Offers Recommendations for Meeting Evolving Cybercrime Threat: I’m proud to announce the Cisco 2017 Annual Cybersecurity Report (ACR) available for download today. Now in its 10th year, this report delivers analysis on the evolving threats and trends from 2016, insights from a survey of more than 2900 security professionals worldwide, as well as guidance on how to be more secure in 2017 and beyond. David Ulevitch, head of Cisco’s Security Business Group, and I share report highlights in this video. Cisco, January 31, 2017
Cyber Awareness
Defining the Security Awareness Maturity Model: Last week we introduced the Security Awareness Maturity Model. Established in 2011, this maturity model enables organizations to identify where their security awareness program is currently at, where a qualified leader can take it and the path how to get there. Below we describe each stage of the maturity model. As you go through each stage, identify where your organization is currently at and where you want to go short term and long term. SANS, March 8, 2016
Cyber Warning
IRS Issues “Urgent Alert” of New Scam Blending CEO Fraud & W-2 Phishing: Most regular readers here are familiar with CEO fraud — e-mail scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster. Loyal readers also have heard an earful about W-2 phishing, in which crooks impersonate the boss and request a copy of all employee tax forms. According to a new “urgent alert” issued by the U.S. Internal Revenue Service, scammers are now combining both schemes and targeting a far broader range of organizations than ever before. KrebsOnSecurity, February 2, 2017
Hackers are seeking out company insiders on the black market: If you’re the CEO of a company, here’s another threat you need to worry about: hackers trying to recruit your employees for insider-related crimes. PC World, February 2, 2017
Cyber Update
WordPress silently fixes dangerous code injection vulnerability: Developers of the widely used WordPress content management system released an update last week, but intentionally delayed announcing that the patch addressed a severe vulnerability. PCWorld, February 2, 2017
Cyber Talent
Rise of the ‘accidental’ cybersecurity professional: To fill cybersecurity job shortages, a number of people, especially women, are entering the field from other careers. Here’s why they might be able to help your company. TechRepublic, February 1, 2017
Cyber Security in Society
Cyber Crime
Hackers hold hotel’s keys hostage for bitcoin ransom: A European luxury hotel is going back to the basics, replacing its electronic key cards with lock and key. And with good reason. CNN, January 30, 2017
Cyber Attack
Police lose vital criminal evidence after refusing to pay $4,000 following ransomware attack: A suburban Dallas police department saw eight years’ worth of digital evidence, including material for at least one active criminal case, frozen after a ransomware attack, another example of the continuing havoc caused by file-encrypting malware. BankInfoSecurity, February 2, 2017
More than a dozen radio stations that ignored a major vulnerability hacked, start playing anti-Trump song: A certain model of Low Power FM radio transmitter with known vulnerabilities has been targeted in a new wave of radio-station hacks this week. Armed with an exploit that was known all the way back in April 2016, hackers have commandeered terrestrial radio stations—and in apparent unity, the hackers all decided to broadcast the YG and Nipsey Hussle song “Fuck Donald Trump.” ars technica, February 2, 2017
Cyber Defense
UK Cybersecurity Director claims Security firms ‘overstate hackers’ abilities to boost sales’: Computer security companies have been accused of “massively” exaggerating the abilities of malicious hackers. BBC, February 3, 2017
How Google fought back against a crippling IoT-powered botnet and won: OAKLAND, Calif.—In September, KrebsOnSecurity—arguably the Internet’s most intrepid source of security news—was on the receiving end of some of the biggest distributed denial-of-service attacks ever recorded. The site soon went dark after Akamai said it would no longer provide the site with free protection, and no other DDoS mitigation services came forward to volunteer their services. A Google-operated service called Project Shield ultimately brought KrebsOnSecurity back online and has been protecting the site ever since. ars technica, February 2, 2017
Cyber Law
$17M Target Breach Deal Imperiled by Conflict Over Class Representation: Target Corp.’s $17 million class settlement to resolve consumer claims over a 2013 data breach is in jeopardy as the Eighth Circuit says an alleged conflict of interest needs another look (In re Target Corp. Customer Data Sec. Breach Litig. (Sciaroni v. Target Corp.), 2017 BL 29235, 8th Cir., No. 15-3090, 2/1/17). BNA, February 3, 2017
Analysis of $3.2 Million HIPAA fine after investigation finds longstanding failures to comply with HIPAA: Federal HIPAA enforcers smacked a Texas pediatric hospital with a whopping $3.2 million civil monetary penalty after investigating breaches involving unencrypted mobile devices and uncovering longstanding failures to comply with HIPAA. HealthCare InfoSecurity, February 2, 2017
EFF Goes to Court to hold Ethiopia Liable for Spying on Americans: Can foreign governments spy on Americans in America with impunity? That was the question in front of the U.S. Court of Appeals for the District of Columbia Circuit Thursday, when EFF, human rights lawyer Scott Gilmore, and the law firms of Jones Day and Robins Kaplan went to court in Kidane v. Ethiopia. EFF, February 2, 2017
Know Your Enemy
Fraudsters shop for W2s, Tax Data on the Dark Web: The 2016 tax season is now in full swing in the United States, which means scammers are once again assembling vast dossiers of personal data and preparing to file fraudulent tax refund requests on behalf of millions of Americans. But for those lazy identity thieves who can’t be bothered to phish or steal the needed data, there is now another option: Buying stolen W-2 tax forms from other crooks who have phished the documents wholesale from corporations. KrebsOnSecurity, January 31, 2017
National Cyber Security
UK Defense Secretary warns Russian hackers targeting critical infrastructure & democracy: Russia has used hacking and misinformation to disrupt critical infrastructure and the democratic processes of Western nations, according to the UK’s defence secretary. ZDNet, February 3, 2017
Stewart Baker & Corin Stone, Exec Director of the National Security Agency: Our guest for episode 148 of the podcast is Corin Stone, the Executive Director of the National Security Agency. Corin handles some tough questions – should the new team dump PPD-28, how is morale at the agency after the Snowden and Shadowbroker leaks, and will fully separating Cyber Command from NSA mean new turf fights? I give Corin plenty of free advice and, more usefully, our first in-person award of the coveted Steptoe Cyberlaw Podcast coffee mug. Steptoe Cyberblog, January 31, 2017
DC police surveillance cameras said to have been infected with ransomware before inauguration: Networked digital video recorders have been harnessed for all sorts of ill intent over the past few months, including use in a botnet that disrupted large swaths of the Internet. But a different sort of malware hit the DVRs used by the District of Columbia’s closed-circuit television (CCTV) surveillance system just one week before Inauguration Day. The Washington Post reports that 70 percent of the DVR systems used by the surveillance network were infected with ransomware, rendering them inoperable for four days and crippling the city’s ability to monitor public spaces. ars technica, January 30, 2017
A Shakeup in Russia’s Top Cybercrime Unit as 3 Arrested for Treason: A chief criticism I heard from readers of my book, Spam Nation: The Inside Story of Organized Cybercrime, was that it dealt primarily with petty crooks involved in petty crimes, while ignoring more substantive security issues like government surveillance and cyber war. But now it appears that the chief antagonist of Spam Nation is at the dead center of an international scandal involving the hacking of U.S. state electoral boards in Arizona and Illinois, the sacking of Russia’s top cybercrime investigators, and the slow but steady leak of unflattering data on some of Russia’s most powerful politicians. KrebsOnSecurity, January 28, 2017
Financial Cyber Security
Study shows banks struggle to keep cybersecurity from impacting customer experience: How do you tell if a legitimate customer or a fraudster is signing into your online banking platform? How do you know if the authentication measures your organization is using are effective? How important is it to your organization to provide a seamless customer experience while maintaining adequate security controls? SecurityIntelligence, February 2, 2017
Internet of Things
Is IoT Security an Oxymoron?: Last year’s cyberattack against internet provider Dyn was something of a milestone. For the first time in a large-scale campaign, the attackers didn’t go directly at their target’s servers. Instead, they pressed Mirai malware into service. This malware automatically discovers Internet of Things (IoT) devices and leverages poor IoT security, allowing the attackers to link about 100,000 of these ill-secured devices into a centrally controlled botnet. They then launched a highly successful distributed denial-of-service (DDoS) attack against Dyn’s servers. SecurityIntelligence, February 2, 2017
Kaspersky researchers identify 292-hour DDoS attack from unsecured IoT as 80 countries targeted in quarter: Kaspersky researchers spotted a record-setting 292-hour (12.2-day) DDoS attack in Q4 2016, significantly beating the previous quarter’s maximum attack, which lasted 184 hours (7.7 days). And poorly secured internet of things (IoT) devices may be to blame. SCMagazine, February 2, 2017
Click Here to Kill Everyone: Last year, on October 21, your digital video recorder — or at least a DVR like yours — knocked Twitter off the internet. Someone used your DVR, along with millions of insecure webcams, routers, and other connected devices, to launch an attack that started a chain reaction, resulting in Twitter, Reddit, Netflix, and many sites going off the internet. You probably didn’t realize that your DVR had that kind of power. But it does. Schneier on Security, January 27, 2017
Secure the Village
Study shows more victims need to come forward to get better, more reliable cybercrime statistics: If your business was hit by a cyber-attack, would you report it to your CEO or Board of Directors? Would you report it to law enforcement? According to the Office of National Statistics, there were an estimated two million cybercrimes in the 12 months running up to March 2016. InfoSecurity, February 2, 2017
The post Cyber Security News of the Week, February 5, 2017 appeared first on Citadel Information Group.