Citadel On Security
Kimberly Pease Honored as Cybersecurity Professional of the Year by Los Angeles Business Journal: The Los Angeles Business Journal has awarded its Cybersecurity Professional of the Year Award to Kimberly Pease, Citadel Information Group Vice President and Co-Founder, for her leadership helping users understand the vital role they play in securing information. PRLOG, March 29, 2017
Individuals at Risk
Identity Theft
Why I Always Tug on the ATM: Once you understand how easy and common it is for thieves to attach “skimming” devices to ATMs and other machines that accept debit and credit cards, it’s difficult not to closely inspect and even tug on the machines before using them. Several readers who are in the habit of doing just that recently shared images of skimmers they discovered after gently pulling on various parts of a cash machine they were about to use. KrebsOnSecurity, March 31, 2017
New York Attorney General Announces Record Number of Data Breach Notices in 2016: On March 21, 2017, New York Attorney General (NYAG) Eric T. Schneiderman announced that his office had received a record breaking 1,282 data breach notices to his office affecting 1.6 million New York residents during 2016. Compared to 2015, these figures represent a 60 percent increase in the number of notices and a 300 percent increase in the number of New York residents affected. These research figures build on the NYAG’s 2014 report “Information Exposed: Historical Examination of Data Security in New York State,” which analyzed eight years of security breach statistics in New York from 2006 to 2013. Alston&Bird, March 22, 2017
Cyber Privacy
How to Hide Online Better Than the Director of the FBI: Until yesterday, FBI chief James Comey seemed like a pretty savvy internet user. The guy knows that you’re supposed to cover your webcam with tape to hide from the NSA and WhatsApp is a fantastic way to communicate securely—even if he hates you for using it. But when the numbnuts set out to make a series of secret social profiles online, he elected to use the name of a 20th century theologian known almost exclusively to theology students and political figures trying to sound smart. Gizmodo, March 31, 2017
EU to Tech Companies: Weaken Encryption. If Encryption is Outlawed, Only Outlaws Will Use Encryption: The European Commission is planning to force technology vendors to undermine end-to-end encryption in products and services to satisfy growing demands from national politicians and headline writers. InfoSecurity Magazine, March 31, 2017
Post-FCC Privacy Rules, Should You VPN?: Many readers are understandably concerned about recent moves by the U.S. Congress that would roll back privacy rules barring broadband Internet service providers (ISPs) from sharing or selling customer browsing history, among other personal data. Some are concerned enough by this development that they’re looking at obfuscating all of their online browsing by paying for a subscription to a virtual private networking (VPN) service. This piece is intended to serve as a guidepost for those contemplating such a move. KrebsOnSecurity, March 31, 2017
What the Repeal of Online Privacy Protections Means for You: Congress on Tuesday moved to dismantle online privacy rules created during the Obama era. The rules, which were scheduled to take effect this year, would have required internet providers to get permission before collecting and selling a customer’s online information, including browsing activities. The New York Times, March 29, 2017
Protecting Your Digital Life in 8 Easy Steps: There are more reasons than ever to understand how to protect your personal information. The New York Times, November 16, 2016
Stephen Colbert on the Repeal of Online Privacy Protections: Stephen doesn’t recall any Americans marching in support of abolishing internet privacy. But if they did… victory! The Late Show with Stephen Colbert, March 30, 2017
Cyber Warning
‘Can You Hear Me?’ Scam Hooks Victims With a Single Word: Don’t pick up the phone to answer calls from unknown numbers. Instead, let them go to voicemail. BankInfoSecurity, March 31, 2017
LastPass warns users to exercise caution while it fixes ‘major’ vulnerability: Password manager security flaw found by researcher from Google, prompting fears sophisticated hackers might be able to exploit it. The Guardian, March 30, 2017
Skype users hit by ransomware through in-app malicious ads: Users have complained that ads served through Microsoft’s Skype app are serving malicious downloads, which if opened, can trigger ransomware. ZD Net, March 30, 2017
Cyber Update
iOS 10.3 Fixes Safari Bug Cybercriminals Used to Blackmail Porn-Viewers: Ransomware scammers have been exploiting a flaw in Apple’s Mobile Safari browser in a campaign to extort fees from uninformed users. The scammers particularly target those who viewed porn or other controversial content. Apple patched the vulnerability on Monday with the release of iOS version 10.3. ars technica, March 27, 2017
Information Security Management in the Organization
Information Security Management and Governance
Cybersecurity Programs and the FTC – Staying out of Harm’s Way: Robert Braun, Partner at JMBM and SecureTheVillage Leadership Council. While there is no nationwide cybersecurity program, the Federal Trade Commission has brought more than 50 actions claiming that the cybersecurity practices of a variety of companies in a variety of industries. While these actions have primarily been administrative and resulted in settlements, and the specifics of each order apply only to the company affected, these actions are instructive as to what the FTC expects of cybersecurity programs. A byproduct of the FTC’s actions is a guide to companies to create better privacy and security policies and programs. While these cases don’t necessarily identify how to run “gold-standard” programs, they identify what the FTC expects as minimum standards for efforts to protect data. Cybersecurity Lawyer Forum, March 28, 2017
Cyber Defense
Book Review: Data Breach Preparation and Response: Despite the fact that only one author is named on the book’s cover, this is a book that’s been compiled with the help of five other experts in several fields: crisis and risk management, technology law, cyber threat analysis and forensics, and cyber insurance. HelpNetSercurity, March 31, 2017
Customized Malware: Confronting an Invisible Threat: Hackers are gaining entry to networks through a targeted approach. It takes a rigorous defense to keep them out. DarkReading, March 31, 2017
10 ways to improve cybersecurity: A friend asked me to list all of the cybersecurity things that bug me and what he should be diligent about regarding user security. We talked about access control lists, MAC layer spoofing, and a bunch of other topics and why they mattered. You should come up with a list of head-desk things. NetworkWorld, March 28, 2017
Cyber Security in Society
Cyber Attack
Open-source developers targeted in sophisticated malware attack: For the past few months, developers who publish their code on GitHub have been targeted in an attack campaign that uses a little-known but potent cyberespionage malware. PCWorld, March 30, 2017
Know Your Enemy
New online bank theft attacks expected as banking Trojan source code published: The source code for a new Trojan program that targets banking services has been published online, offering an easy way for unskilled cybercriminals to launch potent malware attacks against users. CSO, March 29, 2017
National Cyber Security
Cause of DNC Breach Said to Be Untrained Staff Who Fell for Russian Phishing Attack: US intelligence agents are pretty sure the Russian government authorized the DNC hacks and leaked Hillary Clinton’s emails. While the country continues to deny its involvement, security firm SecureWorks found evidence that it has been targeting Clinton even before the elections began. Apparently, a group of hackers (known by the names APT28, Sofacy and Fancy Bear) working for Russian military intelligence sent 19,315 malicious links to 6,730 people from March 2015 to May 2016. Their targets included Clinton, her campaign chairman John Podesta, her staff, known critics of the Russian government, members of the US military and diplomats around the world. engadget, March 31, 2017
America’s Current Approach to Cybersecurity Misses Most Important Element: The People: Cybersecurity has transformed what is actually a people problem with a technology component into its exact opposite. … It’s almost impossible these days to avoid media coverage of Russia’s role in hacking the 2016 election. So it was in 2015, when news broke that Chinese hackers had breached the United States Office of Personnel Management. Likewise for big cyberattacks in 2014 (Sony Pictures, Home Depot) and the year before that (Target). For the public, it’s usually these kinds of incidents that come to mind when they hear the term “cybersecurity.” They are complex and costly, and cast doubt on the trustworthiness of our major institutions — from government to banks to the electric grid. … Yet multiple surveys show that Americans tend to ignore even the most basic security measures with their own digital devices. Pacific Standard, March 30, 2017
Stewart Baker Interviews Cyber Threat Alliance President, Michael Daniel: Our interview is with Michael Daniel, former Special Assistant to the President and Cybersecurity Coordinator at the White House and current President of the Cyber Threat Alliance. We ask Michael how the new guys are doing in his job, what he most regrets not getting done, why we didn’t float thumb drives filled with “The Interview” into North Korea on balloons, and any number of other politically incorrect questions. His answers are considerably more nuanced. Steptoe Cyberblog, March 27, 2017
Puzzling out TSA’s Laptop Travel Ban: On Monday, the TSA announced a peculiar new security measure to take effect within 96 hours. Passengers flying into the US on foreign airlines from eight Muslim countries would be prohibited from carrying aboard any electronics larger than a smartphone. They would have to be checked and put into the cargo hold. And now the UK is following suit. Schneier on Security, March 22, 2017
Cyber Law
Italy Proposes Astonishingly Sensible Rules To Regulate Government Hacking Using Trojans: As Techdirt has just reported, even though encryption is becoming more widespread, it’s not still not much of a problem for law enforcement agencies, despite some claims to the contrary. However, governments around the world are certainly not sitting back waiting for it to become an issue before acting. Many have already put in place legal frameworks that allow them to obtain information even when encryption is used, predominantly by hacking into a suspect’s computer or mobile phone. In the US, this has been achieved with controversial changes to Rule 41; in the UK, the Snooper’s Charter gives the government there almost unlimited powers to conduct what it coyly calls “equipment interference.” techdirt, February 17, 2017
Cyber Enforcement
UN Cybersecurity Repository: The world’s largest cybercrime library: The UN Cybersecurity Repository is a massive index of cyber-criminal case law and lessons learned used to train law enforcement officers, prosecutors, and judges. TechRepublic, March 31, 2017
Should law enforcement be given backdoor access to encrypted messaging apps: Interview with Michael Zweibach, Partner at Alston & Bird and Member of SecureTheVillage Leadership Council. [Interview begins at minute 25:00 of video.] Bloomberg Technology, March 27, 2017
Cyber Sunshine
Alleged vDOS Owners Poised to Stand Trial: Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline. KrebsOnSecurity, March 27, 2017
Secure the Village
CA State IT Leaders Meet to Identify Steps for Improving California State Cybersecurity: California is one of the most oft-threatened cybersecurity targets in the world, according to Eli Owen, deputy commander of the State Threat Assessment Center at California’s Office of Emergency Services. GovTech, March 31, 2017
North Hollywood High sends 3 teams to national cybersecurity competition!!! CONGRATULATIONS!!!!!:Five Southern California high school teams are among the finalists in a national competition to defeat cyber hacking that will take place in Baltimore starting Monday. SCPR, March 31, 2017
The post Cyber Security News of the Week, April 2, 2017 appeared first on Citadel Information Group.
from Citadel Information Group
via Citadel Information Group