Cyber Security News of the Week, March 26, 2017

Individuals at Risk

Identity Theft

America’s JobLink Suffers Security Breach. PII of job seekers from 10 states compromised: A third-party hacker exploited a flaw in America’s JobLink application code to access the information of job seekers from 10 states. DarkReading, March 24, 2017

Silicon Valley Firm Coupa Hit by W-2 Fraudsters: Silicon valley firm Coupa on March 6 fell victim to a phishing attack that resulted in sensitive details for all of its 2016 employees falling into a fraudster’s hands. BankInfoSecurity, March 23, 2017

Student Aid Tool Held Key for Tax Fraudsters: Citing concerns over criminal activity and fraud, the U.S. Internal Revenue Service (IRS) has disabled an automated tool on its Web site that was used to help students and their families apply for federal financial aid. The removal of the tool has created unexpected hurdles for many families hoping to qualify for financial aid, but the action also eliminated a key source of data that fraudsters could use to conduct tax refund fraud. KrebsOnSecurity, March 21, 2017

Cyber Warning

Apple Extortion Attempt by Hackers Likely a Bluff. Backup Anyway – Just in Case. And It’s Free: An unknown hacking group is attempting to extract a $75,000 ransom from Apple, threatening to remotely wipe millions of devices using stolen account credentials unless the technology giant pays up by April 7. But there are doubts over the claims. BankInfoSecurity, March 23, 2017

Backup iPhones, iPads as Hackers attempt to extort Apple with threat to remotely wipe devices: Hackers are allegedly trying to extort Apple by holding its customers’ data for ransom, with threats to reset a number of supposedly compromised iCloud accounts and remotely wipe connected iPhones and iPads if they are not paid. AppleInsider, March 22, 2017

eBay Asks Users to Downgrade Security: Last week, KrebsOnSecurity received an email from eBay. The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option. KrebsOnSecurity, March 22, 2017

Cyber Defense

Google warns journalists & others of suspected attacks from government-backed hackers: Google wants to reassure users about the warnings it issues about government-backed hackers. Recode, March 24, 2017

Instagram Adds Two-Factor Authentication: Instagram became the latest in a long line of services over the years to offer users two-factor authentication this week. ThreatPost, March 24, 2017

Phishing 101 at the School of Hard Knocks Leads to 2FA Adoption: A recent, massive spike in sophisticated and successful phishing attacks is prompting many universities to speed up timetables for deploying mandatory two-factor authentication (2FA) — requiring a one-time code in addition to a password — for access to student and faculty services online. This is the story of one university that accelerated plans to require 2FA after witnessing nearly twice as many phishing victims in the first two-and-half months of this year than it saw in all of 2015. KrebsOnSecurity, March 24, 2017

List of websites and whether or not they support Two-Factor Authentication (2FA): twofactorauth.org

Time for Password Expiration to Die: Per Thorsheim, Cormac Herley, I and many others are trying to kill password expiration. Password expiration is a great example of where security professionals fail by focusing on just the mitigation part, forgetting about cost. Here’s why I feel we need to kill password expiration. SANS, March 23, 2017

Information Security Management in the Organization

Information Security Management and Governance

Keep Calm and… Here Is a List of Alarming Cybersecurity Statistics … Some May Even Be Accurate!: 2016 was an alarming year for tallying increases in data breaches and analyzing the sophistication of cybersecurity attacks and threats. It is clear that companies and individuals are playing games of catch up from a growing array of cyber adversaries. The following links are compiled from recent statistics pulled from a variety of articles and blogs. As we head deeper into 2017 and plan to defend our PCs, smartphones, and networks, it is worth taking note to prepare for the potential cybersecurity implications in our changing digital landscape. ITSP Magazine, March 24, 2017

Professional Service Firms Ignore Cybersecurity at Their Peril, Robert Braun, #STV Leadership Council: Cybersecurity horror stories tend to focus on government agencies, retail outlets, health care institutions, and other companies serving consumers. But business professionals such as lawyers, accountants and business managers are increasingly at risk of attack, and may be less prepared to handle a cyber assault. Cybersecurity Lawyer Forum, March 21, 2017

Cyber Warning

Tax preparers are prime cybercrime targets: Preparers are a special target for cybercriminals, a security expert told tax professionals during a recent webinar on cyber-security. AccountingToday, March 23, 2017

Cyber Defense

Why Continuous Vulnerability Assessment Is Essential: A continuous vulnerability assessment program should be a baseline security requirement for all organizations, says Richard Bussiere, principal architect, APAC, at Tenable Network Security. BankInfoSecurity, March 24, 2017

Top Blockchain Security Challenges You Should Think About: Blockchain has become a focus of global attention this year as banks around the world seek to understand and harness its disruptive potential. 2016 has truly been the year in which industry explored how to use blockchains across a variety of internal and client-facing problems. However, leading into 2017 the focus will move from “how to use a blockchain” to “how to secure a blockchain.” Security Intelligence Webinar

Cyber Insurance

Intro to Cyber Insurance: 7 Questions to Ask: Buying a cyber insurance policy can be complex and difficult. Make sure you’re asking these questions as you navigate the process. Dark Reading, March 24, 2017

Cyber Security in Society

Cyber Privacy

Privacy Advocates Vow to Fight Rollback of Broadband Privacy Rules: Privacy advocates are vowing to fight a potential rollback of the Federal Communications Commission’s broadband privacy rules after the Senate voted Thursday 50-48 to pass a joint resolution dismantling protections. ThreatPost, March 24, 2017

FCC’s Pending ISP Privacy Regulation in Jeopardy After Senate Vote: An Obama-era regulation, which has yet to take effect, that aims to strengthen consumers’ online privacy may be derailed. The Senate has voted along party lines to quash the rule that the Federal Communications Commission issued in October. BankInfoSecurity, March 24, 2017

It’s time for a Cybersecurity Bill of Rights: Your TV might be recording your conversations. Your email could be hacked. More and more of your personal data is being mined every day. Data breaches have become commonplace. Even your child’s doll might invite a stranger into your house. The Hill, March 22, 2017

How To Fight for Your Rights and Privacy Online: The future looks grim for digital privacy and the open Internet in the United States. Even before President Trump took office, Standing Rock water protectors were targeted, while streaming protest actions on social-media and activist networks experienced routine surveillance by police forces across the country. But this administration has signaled a troubling intention to further empower the surveillance state, as well as to deepen its collusion with powerful corporate interests—a terrifying prospect given the already-robust apparatus established under NSA programs like XKeyscore and PRISM (not to mention the revelations by Wikileaks last week of the terrifying extent to which the CIA uses smart technologies to spy). The number of people having their phone searched at the border has skyrocketed, with some visitors reporting that their Facebook profiles were screened for political beliefs. Members of the Trump administration have even reportedly suggested making visitors from certain countries “disclose all websites and social media sites they visit” before entering the United States. Congress is also making some disturbing moves, such as attempting to roll back key privacy protections implemented by the FCC under the Obama administration. The Nation, March 17, 2017

Cyber Awareness

Cybersecurity – It takes the village to secure the village. Why everyone needs to be involved: It’s almost impossible these days to avoid media coverage of Russia’s role in hacking the 2016 election. So it was in 2015, when news broke that Chinese hackers had breached the U.S. Office of Personnel Management. Likewise for the big cyberattacks of 2014 (Sony Pictures, Home Depot) and the year before that (Target). For the public, it’s usually these kinds of incidents that come to mind when they hear the term “cybersecurity.” They are complex and costly, and cast doubt on the trustworthiness of our major institutions—from government to banks to the electric grid. Slate, March 24, 2017

Pew Research Center Survey: Public Knowledge About Cybersecurity Grossly Inadequate to Meet Threat: In an increasingly digital world, an individual’s personal data can be as valuable – and as vulnerable – to potential wrongdoers as any other possession. Despite the risk-reducing impact of good cybersecurity habits and the prevalence of cyberattacks on institutions and individuals alike, a Pew Research Center survey finds that many Americans are unclear about some key cybersecurity topics, terms and concepts. A majority of online adults can identify a strong password when they see one and recognize the dangers of using public Wi-Fi. However, many struggle with more technical cybersecurity concepts, such as how to identify true two-factor authentication or determine if a webpage they are using is encrypted. Pew Research Center, March 22, 2017

Take this Cybersecurity Knowledge Quiz from Pew Research Center. Test your cybersecurity knowledge: Test your knowledge on cybersecurity topics and terms by taking our 10-question quiz. Then see how you did in comparison with a nationally representative group of 1,055 randomly selected adult internet users surveyed online between June 17 and June 27, 2016. The survey was conducted by the GfK Group using KnowledgePanel. Pew Research Center

Cyber Defense

Google Chrome to force replacement of 30K mis-issued security certificates from Symantec-owned CAs: In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have allegedly mis-issued more than 30,000 certificates. ars technica, March 24, 2017

Critical Infrastructure

Hackers increase attacks on energy sector computers: Reports released this past week by U.S. security officials and private cybersecurity researchers suggest hacking of energy facility computers is on the rise, and happens far more often than the public assumes. Houston Chronicle, March 24, 2017

Cyber Enforcement

Prosecutors access data from locked phones of 100 Trump protesters: Federal prosecutors are creating a cloud-based database full of personal data extracted from the locked phones of Trump protesters arrested on Inauguration day. Sophos, March 24, 2017

Encryption Workarounds for Law Enforcement Investigations, Orin S. Kerr, Bruce Schneier: The widespread use of encryption has triggered a new step in many criminal investigations: the encryption workaround. We define an encryption workaround as any lawful government effort to reveal an unencrypted version of a target’s data that has been concealed by encryption. This essay provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. SSRN, March 22, 2017

Cyber Research

Sandia Testing Intrusion Detection Tool to ID Malicious Network Patterns 100x Faster than Now: Neuromorphic Data Microscope can spot malicious patterns in network traffic 100 times faster than current tools, lab claims. DarkReading, March 24, 2017

The post Cyber Security News of the Week, March 26, 2017 appeared first on Citadel Information Group.