Individuals at Risk
Cyber Privacy
White House releases sensitive personal information of voters worried about their sensitive personal information: The White House on Thursday made public a trove of emails it received from voters offering comment on its Election Integrity Commission. The commission drew widespread criticism when it emerged into public view by asking for personal information, including addresses, partial social security numbers and party affiliation, on every voter in the country. The Washington Post, July 14, 2017
Cyber Update
Adobe, Microsoft Push Critical Security Fixes: It’s Patch Tuesday, again. That is, if you run Microsoft Windows or Adobe products. Microsoft issued a dozen patch bundles to fix at least 54 security flaws in Windows and associated software. Separately, Adobe’s got a new version of its Flash Player available that addresses at least three vulnerabilities. KrebsOnSecurity, July 11, 2017
Cyber Warning
macOS users beware: A new and nearly undetectable malware is on the rise: Often thought of as impenetrable, macOS is falling prey to a sneaky malware that’s stealing bank credentials, bypassing Gatekeeper, and disabling attempts to remove it. Find out more here. TechRepublic, July 14, 2017
Watch out for this money stealing macOS malware which mimics your online bank: OSX Dok now attempts to steal money from Apple Mac users — and could be being prepared for use in further attacks. ZDNet, July 14, 2017
Information Security Management in the Organization
Information Security Management and Governance
Beyond Breach Notification: Ever since California adopted the nation’s first breach notification law in 2002, companies that have suffered a data breach have focused on whether and how to notify their customers, employees and others of the nature and extent of the breach. California’s law has been amended multiple times, and has been followed by breach notification laws in almost every state, as well as the notification requirements under the Health Insurance Portability and Accountability Act (“HIPPA”). As these laws developed, a tandem requirement has emerged: the obligation to take reasonable steps to protect data, and companies are, increasingly focused on taking steps to ensure the security of their data. Robert Braun, SecureTheVillage Leadership Council, Jeffer Mangels Butler & Mitchell Cybersecurity Lawyer Forum, July 7, 2017
Cyber Awareness
How to Avoid Being the Weakest Link in Your Company’s Information Security: When you think of hackers, you probably think of some spy movie where they come down from the ceiling to steal a computer off of a desk and then whisk it away to their laboratory where they input lines of code to crack the encryption. In reality, hacking is often as simple as learning about a user and then guessing their password or even asking them for it: a process called social engineering. INC, July 13, 2017
Why your company needs clear security policies: A cautionary tale: An IT employee was recently almost fired for storing documents on Dropbox. Here’s how the employee and the company could have prevented that situation. TechRepublic, July 13, 2017
Using Feedback Loops to Enhance End User Security: The security world abounds with case studies demonstrating that end users are a weak point within the organization. End users are constantly bombarded by phishing attacks, are notorious for using weak account credentials and are preyed on by malware relying on the user to introduce malicious software into an environment. All of these examples may lead to significant damage to the organization and negative headlines. SecurityIntellegicen, August 9, 2017
Cyber Warning
Darkweb Hackers Begin Offering Functional Mac Malware and Ransomware as a Service: With the popularity of both ransomware and the creation of macOS malware on the rise with hackers, Apple users face a growing number of threats. It now appears that others have turned their attention to the creation of new malware to spy on Mac users — but these programmers have gone a step further. Rather than developing a tool and deploying it personally, they have taken to the dark web to offer their products for sale. Known respectively as MacSpy and MacRansom, the hackers provide the malware to users while operating a centralized web portal. The authors’ continued involvement is why this threat is often called malware- or “ransomware-as-a-service.” SecureMac, June 29, 2017
Cyber Defense
To update or not to update: There is no question: Updating software has become one of the many keys to data security. Jack Wallen explains why the excuses for failing to update must become a thing of the past. TechRepublic, July 13, 2017
IT is NOT Cybersecurity: Having IT isn’t enough anymore, businesses need a separate security team also. Policemen and firefighters are a good examples of this, both of them will help you in your time of need, but each of them has very specific training for specific functions. CSO, July 11, 2017
Cyber Security in Society
Cyber Crime
Half-Year Roundup: The Top Five Data Breaches of 2017 — So Far: Data breaches aren’t slowing down. If anything, they’re set to break last year’s record pace. As noted by 24/7 Wall Street, the 758 breaches reported this year mark nearly a 30 percent increase from 2016. If cybercriminals keep it up, the total number of attacks could break 1,500 by the end of 2017. SecurityIntelligence, July 13, 2017
Self-Service Food Kiosk Vendor Avanti Hacked: Avanti Markets, a company whose self-service payment kiosks sit beside shelves of snacks and drinks in thousands of corporate breakrooms across America, has suffered of breach of its internal networks in which hackers were able to push malicious software out to those payment devices, the company has acknowledged. The breach may have jeopardized customer credit card accounts as well as biometric data, Avanti warned. KrebsOnSecurity, July 8, 2017
Cyber Espionage
Vault 7 reports new WikiLeaks dump details CIA’s Android SMS snooping malware: Since launching its Vault 7 project in March, WikiLeaks has dumped documents outlining the CIA’s efforts to exploit Microsoft and Apple technology. In this week’s latest release, it focuses on malware called HighRise, which the agency used to target Android devices. Naked Security, July 14, 2017
Know Your Enemy
With this $7 malware, anyone can be a hacker for cheap: Proofpoint security researchers examined the Ovidiy Stealer malware, which steals credentials and operates primarily in Russian-speaking regions. TechRepublic, July 14, 2017
National Cyber Security
Private Email of Top U.S. Russia Intelligence Official Hacked: On Tuesday morning, a hacker going by the name Johnnie Walker sent a group email to an unknown number of recipients claiming to have a trove of emails from the private account of a U.S. intelligence official. Foriegn Policy, July 14, 2017
Governors ask Congress to create cybersecurity committee: The leadership of the National Governors Association, including incoming chairman Gov. Brian Sandoval, repeated a plea to Congress on Friday to create a national committee to address cybersecurity threats. Las Vegas Review Journal, July 14, 2017
States Pledge to Meet Cyber Threats; Publish Resource Guide: National Governors Association (NGA) Chair Virginia Gov. Terry McAuliffe kicked off the 2017 NGA Summer Meeting with a discussion on how states continue to develop strategies to thwart cyber threats. Dark Reading, July 14, 2017
Stewart Baker interviews DSB’s Jim Miller re cyber conflict & deterrence: In this episode, we interview Jim Miller, co-chair of a Defense Science Board panel that reported on how the US is postured for cyberconflict and the importance of deterrence. The short answer: deterring cyberconflict is important because our strategic cyberconflict posture sucks. The DSB report is thoughtful, detailed, and troubling. Jim Miller manages to convey its message with grace, good humor, and clarity. Steptoe Cyberblog, July 10, 2017
Stewart Baker interviews ex-NSA Deputy Director Richard Ledgett: Today we deliver the second half of our bifurcated holiday podcast with an interview of Richard Ledgett, recently retired from his tour as NSA’s deputy director. We cover much recent history, from Putin’s election adventurism to questions about whether NSA can keep control of the cyberweapons it develops. Along the way, Rick talks about the difference between CIA and NSA approaches to hacking, the rise of NSA as an intelligence analysis force, the growing effort to keep Kaspersky products out of sensitive systems, and the divergence among intel agencies about whether Putin’s attack on the American election was intended mainly to hurt Hillary Clinton or to help Donald Trump. Steptoe Cyberblog, July 5, 2017
Financial Cyber Security
Thieves Used Infrared to Pull Data from ATM ‘Insert Skimmers’: A greater number of ATM skimming incidents now involve so-called “insert skimmers,” wafer-thin fraud devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. New evidence suggests that at least some of these insert skimmers — which record card data and store it on a tiny embedded flash drive — are equipped with technology allowing them to transmit stolen card data wirelessly via infrared, the same communications technology that powers a TV remote control. KrebsOnSecurity, July 13, 2017
HIPAA
HIPAA: Five Steps to Ensuring Your Risk Assessment Complies with OCR Guidelines: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and healthcare technology have changed significantly over the past 20 years. Covered entities and their business associates face an ever-evolving risk environment in which they must protect electronic protected health information (ePHI). Although healthcare security budgets may increase this year, the cost of implementing and maintaining adequate security controls to protect an entity’s ePHI far exceeds what is often budgeted. As a result, some ePHI may be under-protected and vulnerable to data breach. A long-term, consistent and cost-conscious approach to HIPAA compliance is needed. healthcare informatics, July 14, 2017
Critical Infrastructure
Your Guide to Russia’s Infrastructure Hacking Teams: Since reports first surfaced that hackers targeted more than a dozen American energy utilities, including a Kansas nuclear power plant, the cybersecurity community has dug into the surrounding evidence to determine the culprits. Without knowing the perpetrators, the campaign lends itself to a broad range of possibilities: a profit-seeking cybercriminal scheme, espionage, or the first steps of hacker-induced blackouts like the ones that have twice afflicted Ukraine in the last two years. WIRED, July 12, 2017
U.S. officials say Russian government hackers have penetrated energy and nuclear company business networks: Russian government hackers were behind recent cyber-intrusions into the business systems of U.S. nuclear power and other energy companies in what appears to be an effort to assess their networks, according to U.S. government officials. The Washington Post, July 8, 2017
Combating a Real Threat to Election Integrity: Russia’s meddling in the 2016 election may not have altered the outcome of any races, but it showed that America’s voting system is far more vulnerable to attack than most people realized. Whether the attackers are hostile nations like Russia (which could well try it again even though President Trump has raised the issue with President Vladimir Putin of Russia) or hostile groups like ISIS, the threat is very real. The New York Times, July 8, 2017
Internet of Things
The Threat From Weaponized IoT Devices: It’s Bigger Than You Think!: IoT devices, such as smart meters, smart watches and building automation systems, are prolific. You may think that compromised IoT devices pose a danger only to the devices’ owners — for example, it’s easy to understand the privacy violation of an attacker viewing a web camera feed without the owner’s permission. SecurityIntelligence, July 20, 2016
Cyber Sunshine
Darknet Marketplace AlphaBay Offline Following Raids: A joint law enforcement investigation involving the United States, Canada and Thailand appears to have resulted in the takedown of the world’s largest darknet marketplace, called AlphaBay. Meanwhile, one of its alleged operators has been found dead in a Bangkok jail cell. BankInfoSecurity, July 14, 2017
Cyber Miscellany
Pew Report: Whose job is it to keep us safe from online harassment?: A new report has found that 41% of Americans have personally experienced online harassment, 66% have seen it directed to others, and 62% consider it a major problem. Naked Security, July 14, 2017
The post Cyber Security News of the Week, July 16, 2017 appeared first on Citadel Information Group.
from Citadel Information Group
via Citadel Information Group