Cyber Security News of the Week, June 18, 2017

Cyber Security News of the Week, June 18, 2017

Individuals at Risk

Cyber Update

Microsoft, Adobe Ship Critical Fixes: Microsoft today released security updates to fix almost a hundred flaws in its various Windows operating systems and related software. One bug is so serious that Microsoft is issuing patches for it on Windows XP and other operating systems the company no longer officially supports. Separately, Adobe has pushed critical updates for its Flash and Shockwave players, two programs most users would probably be better off without. KrebsOnSecurity, June 13, 2017

Cyber Defense

Victims of Jaff and EncrypTile ransomware: New decryptors can get your files back: Ransomware victims can take advantage of two new tools released by security firms that can recover data for free. As a result, victims won’t even have to consider whether they should pay criminals a ransom in an attempt to recover their forcibly encrypted data. BankInfoSecurity, June 15, 2017

Cyber Warning

New Android malware Xavier quietly steals your data: Trend Micro has discovered a new Trojan malware that is pretty nasty. The security analysts identified the malware as “ANDROIDOS_XAVIER.AXM” or Xavier for short. It is an ad library that quietly sends user data to a remote server. What makes it so nasty is the methods it uses to cover its tracks and disguise its activities. Techspot, June 16, 2017

Login-stealing phishing sites targeting Android users conceal their evil with lots of hyphens in URL: Researchers at PhishLabs recently spotted a trend emerging in malicious websites presented to customers: mobile-focused phishing attacks that attempt to conceal the true domain they were served from by padding the subdomain address with enough hyphens to push the actual source of the page outside the address box on mobile browsers. ars technica, June 15, 2017

Information Security Management in the Organization

Cyber Warning

Fileless malware targeting US restaurants undetected by anti-virus programs: Researchers have detected a brazen attack on restaurants across the United States that uses a relatively new technique to keep its malware undetected by virtually all antivirus products on the market. ars technica, June 14, 2017

Cyber Defense

Three Key Factors in Building a Strong Application Security Program: Organizations need to put more time, resources, and care into building and implementing their application security programs. In a recent survey we conducted of 28 large, mostly North American financial institutions, 75% of respondents stated that they regarded application security as a high or critical priority.. DarkReading, June 16, 2017

Cyber Career

Lack of Experience Biggest Obstacle for InfoSec Career: A majority of wanna-be infosec professionals find they need more experience to be a contender to enter this career, according to a recent Tripwire poll. DarkReading, June 16, 2017

Want a career in cybersecurity? Here are 10 jobs to explore: There are currently 1 million open cybersecurity jobs worldwide. Here are 10 different career options to investigate in the field. TechRepublic, June 15, 2017

Cyber Security in Society

Cyber Crime

Credit Card Breach at Buckle Stores: The Buckle Inc., a clothier that operates more than 450 stores in 44 U.S. states, disclosed Friday that its retail locations were hit by malicious software designed to steal customer credit card data. The disclosure came hours after KrebsOnSecurity contacted the company regarding reports from sources in the financial sector about a possible breach at the retailer. KrebsOnSecurity, June 17, 2017

Canadian Mining & Casino Industries Extortion Victims of Newly Identified Cybercrime Gang, FIN10: Previously unknown threat actor has extracted hundreds of thousands of dollars from Canadian companies in a vicious cyberattack campaign that dates back to 2013, FireEye says. DarkReading, June 16, 2017

Cyber Privacy

Backlash emerges against changed ISP privacy rules as states & some in Congress fight back: Since Congress voted to prevent the implementation of new ISP privacy protections there has been a committed and sometimes loud call for new rules. The fear is, without adequate safeguards in place, ISPs will be free to build detailed customer profiles that include names, addresses and online activities. That data can then be sold to, or used by, an advertiser without the user’s consent. ThreatPost, June 16, 2017

Cyber Attack

WannaCry severely flawed, made little money for hackers. Was it released prematurely?: Coding and implementation mistakes made by the WannaCry developers may have spared a good chunk of the world some grief on May 12, but they also lend credence to the theory that the ransomware wasn’t contained properly and spread before it was meant to be unleashed. ThreatPost, June 16, 2017

Cyber Defense

Essential Security Hygiene for a Technology Craving Society: For almost 30 years, I’ve had the privilege to defend some of the most important critical infrastructure organizations in the communications, critical manufacturing, information technology, and financial services sectors that touch people’s daily lives in some way. ITSP Magazine, June 2016

Raising Security Awareness Essential for a Technology Craving Society: Even if you’re not a big fan of government being too heavily involved, think about food safety. When you go to a restaurant, you know that the Department of Health has assessed it by their grading report, which is posted in the front window, and if you go to a restaurant that has failed, you’ll know it because they’ll be closed. If you look at public health and safety on a larger scale, there are global organizations like the Center of Disease Control that support worldwide health needs. ITSP Magazine, June 2016

Know Your Enemy

Inside a Porn-Pimping Spam Botnet: For several months I’ve been poking at a decent-sized spam botnet that appears to be used mainly for promoting adult dating sites. Having hit a wall in my research, I decided it might be good to publish what I’ve unearthed so far to see if this dovetails with any other research out there. KrebsOnSecurity, June 15, 2017

National Cyber Security

Wikileaks Alleges Years of CIA D-Link and Linksys Router Hacking Via ‘Cherry Blossom’ Program: Wikileaks released details of what it claims is a CIA-developed wireless router hacking program targeting home wireless routers and business wireless networks. The program is called Cherry Blossom and leverages custom router firmware called FlyTrap, according to the organization’s latest leak posted Thursday. ThreatPost, June 16, 2017

North Korea’s Sloppy, Chaotic Cyberattacks Also Make Perfect Sense: North Korea is arguably the least-understood nation on the planet. And that also applies to its state-sponsored hackers whose global cyberattacks have been almost as erratic and inscrutable as the government they work for. They hide behind strange front groups and fake extortion schemes. They steal tens of millions of dollars, a kind of digital profiteering more common among organized criminals than government cyberspies. And they’re now believed to have launched WannaCry, the ransomware that sparked an indiscriminate global crisis, with almost no apparent benefit to themselves. Wired, June 16, 2017

US Government issues detailed advisory, warns of North Korean Hacking: The U.S. government on Wednesday issued its most direct and technically detailed advisory about North Korea’s hacking activity to date, warning that the country continues to target U.S. media, aerospace, financial and critical infrastructure sectors. BankInfoSecurity, June 15, 2017

Georgia election system found rife with vulnerabilities weeks before crucial special election: To understand why many computer scientists and voting rights advocates don’t trust the security of many US election systems, consider the experience of Georgia-based researcher Logan Lamb. Last August, after the FBI reported hackers were probing voter registration systems in more than a dozen states, Lamb decided to assess the security of voting systems in his state. What he found should make you very concerned about the integrity of the Georgia election system. ars technica, June 14, 2017

US Cybersecurity in Need of Rapid Repair, Senators Told: Cybersecurity in the United States is in a severe state of disrepair, leaving the country vulnerable to attack from hacking groups backed by its opponents, two witnesses testified in a Senate subcommittee hearing Tuesday. Rollcall, June 14, 2017

Washington Post reports NSA has linked the WannaCry computer worm to North Korea: The National Security Agency has linked the North Korean government to the creation of the WannaCry computer worm that affected more than 300,000 people in some 150 countries last month, according to U.S. intelligence officials. The Washington Post, June 14, 2017

Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known: Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported. Bloomberg, June 13, 2017

Trump-Comey Feud Eclipses a Warning on Russia: ‘They Will Be Back’: WASHINGTON — Lost in the showdown between President Trump and James B. Comey that played out this past week was a chilling threat to the United States. Mr. Comey, the former director of the F.B.I., testified that the Russians had not only intervened in last year’s election, but would try to do it again. The New York Times, June 10, 2017

Stewart Baker Discusses Online Censorship w NY Times David Sanger: Episode 168 features the Tinkers-to-Evers-to-Chance of global censorship, as Filipino contractors earning minimum wage delete posts in order to satisfy US tech companies who are trying to satisfy European governments. In addition to Maury Shenk, our panel of interlocutors includes David Sanger, Chief Washington Correspondent for the New York Times, and Karen Eltis, Professor of Law at the University of Ottawa. Even if you think that reducing Islamic extremist proselytizing on line is a good idea, I conclude, that’s not likely to be where the debate over online content ends up. Indeed, even today, controls on hate speech are aimed more at tweets that sound like President Trump than at extremist recruiting. Bottom line: no matter how you slice it, the first amendment is in deep trouble. Steptoe Cyberblog, June 5, 2017

Cyber Medical

Now doctors need to be hackers, too: As far as anyone knows, there hasn’t been a real-life hack attack on someone’s pacemaker. Which is surprising. Security researchers have shown us that it’s a very real possibility. Even the FTC has been urging connected-medical-device makers to adopt security best practices, with multiple 2017 reports stressing the issue. engadget, June 16, 2017

Cybersecurity for healthcare a “public health concern,” task force says: A federal task force called healthcare cybersecurity a “public health concern” that needs “immediate and aggressive attention,” and said increased digital connectivity places a greater responsibility on healthcare organizations to secure their equipment and patient data. HealthITPulse, June 16, 2017

Critical Infrastructure

Cyber crime: a ticking time bomb for municipalities & muni bond market: A rise in cyber attacks on U.S. public sector targets so far has had little impact in the $3.8 trillion municipal debt market, but interested parties are started to take notice of the possible financial risks associated with an attack. Reuters, June 14, 2017

‘Crash Override’: The Malware That Took Down a Power Grid: At midnight, a week before last Christmas, hackers struck an electric transmission station north of the city of Kiev, blacking out a portion of the Ukrainian capital equivalent to a fifth of its total power capacity. The outage lasted about an hour—hardly a catastrophe. But now cybersecurity researchers have found disturbing evidence that the blackout may have only been a dry run. The hackers appear to have been testing the most evolved specimen of grid-sabotaging malware ever observed in the wild. Wired, June 12, 2017

Cyber Education

Girl Scouts to add a cybersecurity badge in partnership with Palo Alto Networks.: Your favorite cookie sellers are in training to become white hat hackers. Fortune, June 16, 2017

Internet of Things

IoTs Pose A Threat To Anything And Everyone Connected: A primer on challenges & defenses: Loosely defined, the Internet of Things (IoT) refers to the general idea of things that are readable, recognizable, locatable, addressable, and/or controllable via the Internet. It encompasses devices, sensors, people, data, and machines. As broad as the definition of IoT are the cybersecurity challenges that pose a threat to anything and everyone connected. A well thought out risk-management security posture for the evolving cybersecurity threats to IoT is an imperative. ITSP Magazine, June 2017

Cyber Sunshine

Engineer Sentenced to Prison for Hacking Utility, Disabling Water Meter-Readers: A Pennsylvania man is sentenced to more than a year in prison after hacking into a remote water meter reading system run by his former employer. Dark Reading, June 16, 2017

 

The post Cyber Security News of the Week, June 18, 2017 appeared first on Citadel Information Group.

from Citadel Information Group
via Citadel Information Group