Cyber Security News of the Week, May 28, 2017

Individuals at Risk

Cyber Fraud

Google Just Killed What Might Be The Biggest Android Ad Fraud Ever: Google has thrown more than 40 apps out of its Play store after it emerged they were quietly forcing Android users to click on ads. As the apps had been downloaded as many as 36 million times, security researchers said it appeared to be the biggest ever case of ad fraud perpetrated via Google Play and probably the most successful malware in terms of installs from the official store. Forbes, May 26, 2017

Cyber Danger

Hackers deploy new attack targeting media player processing of subtitles: Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years. CheckPoint, May 23, 2017

Information Security Management in the Organization

Information Security Management and Governance

To Guard Against Cybercrime: Follow the Money. Train Staff. Patch Systems: Email attacks are cheap, easy, low risk, and high reward. No wonder a “malicious email is the cyber spy’s favored way in.” An email security breach could impact your organization’s revenue and reputation. Protecting yourself from a breach can be daunting, given how many emails pass through your organization each week. HBR, May 26, 2017

HBR’s ‘Why Cybersecurity Is So Hard?’ Demonstrates Need to Change Culture. Distrust & Caution: After nearly 20 years of trying and billions of dollars in investment, why are organizations still struggling with cybersecurity? In fact, the problem seems to be getting worse, not better. Answering this question requires moving beyond a purely technical examination of cybersecurity. It’s true that the technical challenges are very real; we don’t know how to write bug-free code, for example. But if you look at the challenge more broadly, even if we resolved the technical issues, cybersecurity would remain a hard problem for three reasons. HBR, May 22, 2017

Analyzing trade-offs between security and marketing. No easy answers.: A few weeks back, HR and financial management firm Workday sent a security advisory to customers warning that crooks were sending targeted malware phishing attacks at customers. At the same time, Workday is publishing on its site a list of more than 800 companies that use its services, making it relatively simple for attackers to choose their targets. This post examines whether it makes sense for software-as-a-service (SaaS) companies to publish lists of their customers when those customers are actively under siege from phishers impersonating the SaaS provider. KrebsOnSecurity, May 22, 2017

Cyber Defense

Why Understanding And Control Should Be Key Parts Of Your Cybersecurity Portfolio: Lately, I’ve been paying particular attention to the concept of having a cybersecurity portfolio. It’s a view that looks at the need for enterprise-grade cybersecurity from a viewpoint akin to a savvy investment strategy: you want diversified investments, spread across a variety of assets to maximize your return. In the case of your finances, that might mean a healthy mix of higher risk investments along with consistently performing mutual funds. For cybersecurity, it means not putting all your proverbial eggs in the basket of prevention or detection, but having a balanced security spend that allows you to prevent, detect, respond, and remediate threats. The foundation of this idea is that there is no perfect perimeter security. Threats will get in and so you must have mechanisms to limit their reach and counteract them. Forbes, May 26, 2017

10 things an organization can do to protect the network against ransomware: The risk of malware infection may be inevitable–but that doesn’t mean you can’t take steps to protect your Windows computers from attack. Here are 10 measures that will help minimize the threat. TechRepublic, May 24, 2017

Cyber Update

Samba: Patch Critical Bug Now, US-CERT Warns: In the wake of WannaCry, there’s a critical, newly announced flaw in a protocol based on the Windows server message block – SMB – that security experts are warning could also be exploited via mass attacks, and potentially by a worm designed to exploit the bug. BankInfoSecurity, May 25, 2017

MiTM and remote code vulnerabilities found in Trend Micro ServerProtect: Researchers from Core Security discovered multiple vulnerabilities in the web-based management console of Trend Micro ServerProtect. SCMagazine, May 24, 2017

Cyber Security in Society

Secure the Village

Citadel’s Stan Stahl talks w Larry Marino about creating a cybersecurity-aware culture. Distrust & Caution!: Stan Stahl, President Citadel Information Group and Secure the Village – a non-profit helping executives understand Cyber Security – speaks with Larry Marino on Sunday Morning Newsmakers. A ransomware program called WannaCry has shut down more than 75,000 computers across 99 countries, including a string of hospitals in the United Kingdom. Sunday Morning News Makers, May 21, 2017

Cyber Crime

Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware: Chipotle Mexican Grill today announced that it has identified the malware that was responsible for the credit card hack earlier this year. Alongside the news, it also released a new tool to help customers check whether the restaurant they visited was involved. When pressed by The Verge, Chipotle did not disclose the exact numbers of restaurants affected, but said “most” locations nationwide may have been involved. The Verge, May 26, 2017

Disney CEO reports that hackers did not steal Pirates of the Caribbean 5: Earlier this month, reports surfaced that hackers stole Disney’s upcoming film Pirates of the Caribbean: Dead Men Tell No Tales, threatening to release the film online if a demand for ransom wasn’t met. Speaking to Yahoo Finance, Disney CEO Bob Iger said that the company had not been hacked, and that the threat was a fake. The Verge, May 25, 2017

Cyber Privacy

Private Eye Allegedly Used Leaky Government Tool in Bid to Find Tax Data on Trump: In March 2017, KrebsOnSecurity warned that thieves who perpetrate tax refund fraud with the U.S. Internal Revenue Service were leveraging a widely-used online student loan tool to find critical data on consumers that allows them to claim huge refunds with the IRS in someone else’s name. This week, it emerged that a Louisiana-based private investigator is being charged with using the same online tool to glean tax data on then-presidential candidate Donald J. Trump. KrebsOnSecurity, May 22, 2017

Know Your Enemy

Trump’s Dumps: New Site Sells Stolen Credit Cards. ‘Making Dumps Great Again’: It’s not uncommon for crooks who peddle stolen credit cards to seize on iconic American figures of wealth and power in the digital advertisements for their shops that run incessantly on various cybercrime forums. Exhibit A: McDumpals, a hugely popular carding site that borrows the Ronald McDonald character from McDonald’s and caters to bulk buyers. Exhibit B: Uncle Sam’s dumps shop, which wants YOU! to buy American. Today, we’ll look at an up-and-coming stolen credit card shop called Trump’s-Dumps, which invokes the 45th president’s likeness and promises to make credit card fraud great again. KrebsOnSecurity, May 26, 2017

National Cyber Security

UK Government vows cyber encryption crackdown after Manchester suicide bombing: Theresa May is expected to signal a new crackdown on encrypted messaging apps after the deaths of 22 people in the Manchester attack. The Independent, May 26, 2017

How the Trump Budget Would Fund Cybersecurity: The Donald Trump administration, in its proposed fiscal year 2018 budget, outlines steps it contends would strengthen the U.S. federal government’s information systems, even as it would cut some cybersecurity spending at specific agencies. BankInfoSecurity, May 24, 2017

Who Are the Shadow Brokers that are leaking NSA secrets?: In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of National Security Agency secrets. Since last summer, they’ve been dumping these secrets on the internet. They have publicly embarrassed the NSA and damaged its intelligence-gathering capabilities, while at the same time have put sophisticated cyberweapons in the hands of anyone who wants them. They have exposed major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers, forcing those companies and their customers to scramble. And they gave the authors of the WannaCry ransomware the exploit they needed to infect hundreds of thousands of computers worldwide this month. Schneier On Security, May 23, 2017

Stewart Baker with Cyber Policy Initiative’s Tim Maurer: Episode 164 features Stewart Baker’s startling change of heart on the question of cyberspace norms. Credit goes to our interview guest, Tim Maurer, Fellow and co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace. And perhaps as well to Brian Egan, former Legal Adviser to the State Department and now a partner at Steptoe. Tim and Brian talk about Tim’s view and that of his colleagues, George Perkovich and Ariel Levite, at Carnegie that the world is ripe for an enforceable norm against hacking to corrupt financial data in the banking system. Remarkably, I agree with them, though not before casting aspersions on the United Nations and the State Department. Steptoe Cyberblog, May 15, 2017

Cyber Law

Target Reaches $18.5 Million Breach Settlement with States: Target has reached a record settlement agreement with many states’ attorneys general over its 2013 data breach. The breach resulted in 41 million customers’ payment card details being compromised and contact information for more than 60 million customers being exposed. BankInfoSecurity, May 24, 2017

Court Holds Forensic Investigator’s Report is Protected from Disclosure: Third-party forensic investigations performed at the direction of counsel are part-and-parcel of virtually every data breach. There has been little case law, however, directly addressing the extent to which the attorney-client privilege and/or work product doctrine protects those forensic investigations from disclosure. Last week, the Central District of California held that, under the specific facts at issue, that information is indeed protected by at least the attorney work product doctrine. Alston & Bird, May 23, 2017

HIPAA Exposed Patient Records: Earlier this month, KrebsOnSecurity featured a story about a basic security flaw in the Web site of medical diagnostics firm True Health Group that let anyone who was logged in to the site view all other patient records. In that story I mentioned True Health was one of three major healthcare providers with similar website problems, and that the other two providers didn’t even require a login to view all patient records. Today we’ll examine a flaw that was just fixed by Molina Healthcare, a Fortune 500 company that until recently was exposing countless patient medical claims to the entire Internet without requiring any authentication. KrebsOnSecurity, May 25, 2017

Cyber Medical

Pacemaker Ecosystem Fails its Cybersecurity Checkup: Pacemakers continue to be the front line of medical device security debates after a research paper published this week described a frightening list of cybersecurity issues plaguing devices built by leading manufacturers, including a lack of authentication and encryption, and the use of third-party software libraries ravaged by thousands of vulnerabilities. ThreatPost, May 26, 2017

Synopsys And Ponemon Study Highlights Critical Security Deficiencies In Medical Devices: Survey of Medical Device Manufacturers and Healthcare Delivery Organisations Reveals Industry’s Lack of Confidence and Alignment in Securing Medical Devices. InformationSecurityBuzz, May 26, 2017

U.S. Hospitals Not Immune to Crippling Cyber Attacks: Hospitals and medical devices in the U.S. are extremely vulnerable to the type of massive cyber attack that tore through more than 150 countries Friday, and some health care providers here may have already been—or soon will be—hit, cybersecurity analysts warn. Scientific American, May 15, 2017

Internet of Things

What Happens When Your Car Gets Hacked?: As devastating as the latest widespread ransomware attacks have been, it’s a problem with a solution. If your copy of Windows is relatively current and you’ve kept it updated, your laptop is immune. It’s only older unpatched systems on your computer that are vulnerable. The New York Times, May 19, 2017

Cyber Education

Securing Today’s Online Kids: The number of ways children today can go online and interact with others is staggering. From new social media apps and games to schools issuing Chromebooks, kids’ social lives and futures depend on their ability to make the most of technology. As parents, we want to make sure they do so in a safe and secure manner. SANS, May 2017

Cyber Disinformation

Russian Hackers Are Using ‘Tainted’ Leaks to Sow Disinformation: Over the past year, the Kremlin’s strategy of weaponizing leaks to meddle with democracies around the world has become increasingly clear, first in the US and more recently in France. But a new report by a group of security researchers digs into another layer of those so-called influence operations: how Russian hackers alter documents within those releases of hacked material, planting disinformation alongside legitimate leaks. Wired, May 25, 2017

The post Cyber Security News of the Week, May 28, 2017 appeared first on Citadel Information Group.