CYBER NEWS TIDBITS FOR YOU - SEPTEMBER 2015

Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.

and…

4 – SD/SoCAL items of interest / opportunities (send me your SD meetings!)


Another periodic cyber security news gram / digest / tidbits,

Arranged top-down by “likely” interest level, with more short snippets, fewer threats and only a few local events (at the very bottom).

Feedback is always welcome too, as is sending me articles to share: cyber information sharing in action!

http://www.linkedin.com/in/mikedavissd

http://www.sciap.org/blog1/wp-content/uploads/CISO-Fundamentals.pdf

(all links have been checked out… though you may need to cut & paste into your browser).


September 27

+ Credit Cards Migrating To EMV Technology: Why The Change?

The U.S. is prepping up for a nationwide migration to EMV technology which is set to revolutionize the way consumers and merchants use a credit card. The process would require banks to issue new credit cards with an embedded microchip which experts believe would help in fighting against fraud and enhance the banking security.

http://www.techtimes.com/articles/86691/20150922/credit-cards-migrating-to-emv-technology-why-the-change.htm


+ FBI in Internet of Things Cybersecurity Warning

The Federal Bureau of Investigation (FBI) has been forced to issue a public service announcement warning US citizens and businesses of the cybersecurity dangers of the internet of things (IoT). The Feds argued that a combination of “deficient security capabilities” inside the devices themselves, a lack of consumer awareness, and difficulties with patching could all be exploited by cyber-criminals.

http://www.infosecurity-magazine.com/news/fbi-in-internet-of-things-cyber/


+ Study names the five most hackable vehicles

A study released by a forensic consultancy has singled out the top five vehicles most susceptible to hacking. The results of the study, by PT&C|LWG Forensic Consulting Services, were based on published research by hackers, vehicle recall information and media reports. The most hackable list includes the 2014 Jeep Cherokee, the 2014 Infiniti Q50, the 2015 Cadillac Escalade, the 2010 and 2014 Toyota Prius and the 2014 Ford Fusion.

http://www.computerworld.com/article/2983799/telematics/study-names-the-five-most-hackable-vehicles.html


+ Google and Academic Researchers’ Study on Fighting Cybercrime

Researchers from Google and from six universities have conducted a study of a vast array of cybercrime data with the goal of developing strategies that have the potential to disrupt the supply chain upon which cybercrime depends. Rather than focusing only on the technical aspects of security, the study recommends tactics that make the costs of operating a cybercrime operation prohibitive. The study also recommends that tech companies collaborate with academics.

http://www.wired.com/2015/09/google-offers-3-lessons-crippling-online-crime-economy/

http://googleonlinesecurity.blogspot.com/2015/09/new-research-underground-market-fueling.html

+ ABA Says Law Firm Breaches are Rising

Breaches of systems at US law firms are increasing, according to the American Bar Association’s (ABA’s) 2015 Legal Technology Survey. The most significant increases were observed at firms with 100 or more lawyers. Just five percent of respondents said the breaches they experienced required them to notify clients, and just three percent said they experienced breaches that compromised client data.

https://bol.bna.com/aba-survey-data-breaches-rising-at-large-firms/

http://www.americanbar.org/groups/departments_offices/legal_technology_resources/publications.html


+ Focus on Securing Operating Systems and Firmware

The US government’s response to recent colossal data breaches has been to use more secure log-ons to protect data. Lawmakers are pushing for legislation that would ease threat information sharing between the public and private sector. Former CIA CISO Robert Bigman thinks the US may be focusing on the wrong areas. Speaking at the Billington Cybersecurity Summit last week, Bigman noted that those the country views as cyberthreats are concerned that the US will “get [its] act together on how to secure firmware and operating systems.”

http://www.nextgov.com/cybersecurity/2015/09/some-legacy-it-government-so-old-its-indefensible-official-says/121709/?oref=ng-channelriver


+ 10 cutting-edge security threats

These 10 threats, bugs, and vulnerabilities serve as reminders that computer security goes well beyond the PC…

http://www.csoonline.com/article/2985867/vulnerabilities/10-cutting-edge-security-threats.html

Crack the car; malware in the BIOS; malware that uses high-frequency sound; BadUSB (a prospective malware distributor could modify the firmware on the flash drive, and even provide a shock); WireLurker takes aim at Macs and iPhones; malware could potentially run on a PC’s graphics processor; connected home devices contain issues that could allow an attacker to compromise your privacy or security… and others.

+ Six cybersecurity questions every CEO should ask

At Boston forum, Raytheon’s top exec gives tips to start the cyber conversation…

http://www.raytheoncyber.com/news/feature/cybersecurity_business.html

How is the company managing risk?

Is everybody on board?

How secure are acquired companies?

How does the company protect personal information?

How much Internet traffic data does the company keep?

How does the company train employees?


+ China Tries to Extract Pledge of Compliance From U.S. Tech Firms

The Chinese government, which has long used its country’s vast market as leverage over American technology companies, is now asking some of those firms to directly pledge their commitment to contentious policies that could require them to turn user data and intellectual property over to the government.

http://www.nytimes.com/2015/09/17/technology/china-tries-to-extract-pledge-of-compliance-from-us-tech-firms.html?ref=technology&_r=0


+ Be careful in putting your cybertrust in Google, Microsoft and Apple

We have the natural tendency to believe that our data is safe with one of the “tech giants” — after all, they are the leaders in the field. But is that trust warranted?…

http://www.csoonline.com/article/2985904/data-protection/be-careful-in-putting-your-cybertrust-in-google-microsoft-and-apple.html


+ Insider Threats Responsible for 43% of Data Breaches

Among companies experiencing data breaches (and that is to say, a majority), internal actors were responsible for 43% of data loss, half of which was intentional, and half accidental…

http://www.infosecurity-magazine.com/news/insider-threats-reponsible-for-43/


+ Could this ex-NSA hotshot protect your email from hacking?

Will Ackerly was a tech whiz who grew concerned by the agency’s widespread snooping. He left and launched what just may be the best technology to shield your data from cyber-criminals — and government spying…

http://fortune.com/2015/09/24/will-ackerly-virtru-ex-nsa-anti-hacker/


+ Social media can quickly take down your business if not monitored

Cyber intrusions have dominated news and media headlines the past few years…

http://darkmatters.norsecorp.com/2015/09/24/social-media-can-quickly-take-down-your-business-if-not-monitored/


+ A New Defense for Navy Ships: Protection from Cyberattacks

U.S. Navy is developing the Resilient Hull, Mechanical, and Electrical Security (RHIMES) system, a cyber protection system designed to make its shipboard mechanical and electrical control systems resilient to cyber attacks.

http://phys.org/news/2015-09-defense-navy-ships-cyber.html


+  Feds Seek a Cyberattack Forecaster

Federal intelligence services are seeking a developer to create software that can predict cyber threats before they emerge.

http://www.washingtonexaminer.com/feds-seek-a-cyberattack-forecaster/article/2572088


+ Kaspersky And FireEye Security Products Cracked By Researchers

it is your software that is shown to be vulnerable and open to exploit — which is exactly what has happened to Kaspersky Lab and FireEye, two of the best known cybersecurity companies in the world.

www.ibtimes.com/kaspersky-fireeye-security-products-cracked-researchers-2085291


2  +++++++


+ Prepare to Get Hit Warns FBI Cybercrime Boss

Speaking at Cloudsec London 2015, FBI supervisory special agent Timothy Wallach warned that tackling cybercrime would be an inevitability for all companies. “There’s an assumption among companies that ‘it won’t happen to me’,” began Wallach, who manages the FBI Seattle Division’s Cyber Task Force. But that attitude, he cautioned, was long outdated, with the frequency and magnitude of data breaches across the world indicating that no company is safe.

http://www.infosecurity-magazine.com/news/fbi-highlights-cybercrime/


+ Microsoft Partners With NATO On EU Cybersecurity

At NATO’s annual cyber conference on Monday, Microsoft announced the signing of a Government Security Program (GSP) agreement with the NATO Communications and Information Agency (NCI Agency), a new step in a 12-year cybersecurity relationship between the two. The GSP was designed by Microsoft to help governments evaluate and protect existing systems, as well as to build and maintain more secure infrastructure, Microsoft said.

http://www.securityweek.com/microsoft-partners-nato-eu-cybersecurity


+ Popular Mobile Travel Apps Have Critical Security Issues: Report

Developers of mobile travel applications are more focused on features that boost the user experience than on ensuring increased security for their programs and customer data, a recent report from Bluebox Security reveals. According to the mobile security company, even the top 10 most popular mobile travel apps lack proper security, and all of the analyzed programs include critical flaws. The issues impact applications designed for popular mobile platforms including Android and iOS.

http://www.securityweek.com/popular-mobile-travel-apps-have-critical-security-issues-report


+Working Group Considers Ways to Access Encrypted Data

An Obama administration working group has come up with four possible approaches that tech companies could implement that would allow law enforcement to access encrypted data. Each of the methods could be implemented, but each also has shortcomings.

http://apps.washingtonpost.com/g/documents/world/read-the-obama-administrations-draft-paper-on-technical-options-for-the-encryption-debate/1753/


+ NSA Director Agrees that Encryption Key Copies Increase Likelihood of Breaches

During a Senate Intelligence Committee hearing on Thursday, September 24, NSA director Admiral Michael Rogers acknowledged that if the government holds encryption keys, there is a significantly higher risk of data breaches. Rogers was responding to a question from Senator Ron Wyden (D-Oregon).

http://venturebeat.com/2015/09/24/nsa-director-just-admitted-that-government-copies-of-encryption-keys-are-a-security-risk/


+ Microsoft Word Intruder gets down to business: Operation Pony Express 

a malware toolkit that uses Microsoft Word as its delivery vehicle…The idea is to package malware inside a Word document in such a way that the file looks innocent, with no macros (Word program code)… The infection kit, known as Microsoft Word Intruder (MWI),

https://nakedsecurity.sophos.com/2015/09/25/microsoft-word-intruder-gets-down-to-business-operation-pony-express/


+ FTC v. Wyndham: ‘Naughty 9’ Security Fails to Avoid

The Federal Trade Commission’s fair trade suit against Wyndham hotels offers insight into the brave new world of cybersecurity regulation of consumer data…

http://www.darkreading.com/attacks-breaches/ftc-v-wyndham-naughty-9-security-fails-to-avoid-/a/d-id/1322340?

Failed to employ “readily available” protections

Stored sensitive payment card data in clear, readable text (i.e. unencrypted)

Failed to remedy “known security vulnerabilities” caused by using out-of-date operating systems and failing to patch properly

Used easily obtainable default log-in credentials on devices connected to the corporate network

Failed to require complex passwords for access to the corporate network

Failed to maintain an accurate hardware inventory of devices connected to the corporate network

Failed to employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations

Failed to follow proper incident response procedures

Failed to adequately restrict third-party access to the corporate network “such as by restricting connections to specified IP addresses, or granting temporary or limited access”

+ Engineers, Ethics, and the VW Scandal

Volkswagen’s installation of a software “defeat device” in 11 million Volkswagen and Audi diesel vehicles sold worldwide has led to a massive vehicle recall in the United States and an official apology from the company’s now-ex CEO…

http://spectrum.ieee.org/cars-that-think/at-work/education/vw-scandal-shocking-but-not-surprising-ethicists-say


+ Healthcare sector 340% more prone to IT security threats

Cyber criminals are targeting healthcare organizations because of the rocketing black market value of personal medical data, says Raytheon Websense…

http://www.computerweekly.com/news/4500254005/Healthcare-sector-340-more-prone-to-IT-security-threats

Healthcare Organizations Twice As Likely To Experience Data Theft

Bad guys very willing to invest in attacking medical data, but healthcare not very willing to invest in defending it.

http://www.darkreading.com/risk/healthcare-organizations-twice-as-likely-to-experience-data-theft/d/d-id/1322312


+ The Secret Sauce to Fighting Cyber Attacks

As the war against cybercriminals and their devastating attacks wages on, a new weapon in the fight has emerged to help merchants better protect themselves and the privacy of their consumers: data…

http://www.pymnts.com/news/2015/the-secret-sauce-to-fighting-cyber-attacks/


+ The Top 10 Tips for Building an Effective Security Dashboard

Today, enterprises must grapple with a panoply of numerous and highly sophisticated threats…  We asked industry experts for their tips on what they recommend a powerful dashboard must have.

http://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/the-top-10-tips-for-building-an-effective-security-dashboard/


+ Pentagon Designing Cyber ‘Scorecard’ to Stay Ahead of Hackers

The U.S. Defense Department is building a massive, electronic system to provide an overview of the vulnerabilities of the military’s computer networks, weapons systems, and installations, and help officials prioritize how to fix them.

http://www.thefiscaltimes.com/latestnews/2015/09/17/US-Cyber-Command-designing-system-stay-ahead-hackers


3  +++++++

+ 5.6 Million Sets of Fingerprints Stolen in OPM Breach

The Office of Personnel Management (OPM) now says that more fingerprint data were stolen than was first acknowledged. In an official statement, OPM press secretary Sam Shumach announced that the fingerprints of as many as 5.6 million people were compromised. That figure was initially estimated to be 1.1 million. A working group will be established to determine how the stolen data might be used in future attacks and what steps can be taken to prevent those attacks.

https://www.washingtonpost.com/news/the-switch/wp/2015/09/23/opm-now-says-more-than-five-million-fingerprints-compromised-in-breaches/

https://www.opm.gov/news/releases/2015/09/cyber-statement-923/


+ Kovter malware upgraded with Poweliks features

The security team at Symantec reported in a security response blog post that a new variant of Kovter malware is incorporating some characteristics of the Poweliks malware that broke onto the scene back in 2015. Tricks employed by Poweliks, which made a name for itself by being the first persistent, fileless, registry-based malware, are now being used by Kovter, which has been in the wild since 2013 and has continually evolved.

http://www.scmagazine.com/kovter-malware-upgraded-with-poweliks-features/article/440711/


+ Thousands of iOS apps infected by XcodeGhost

The impact of iOS app developers unknowingly using a rogue version of the Xcode development tool is turning out to be greater than initially thought: early reports listed just 39 apps that had been trojanized with the tool, but security researchers have since identified thousands more.

http://www.computerworld.com/article/2985540/apple-ios/thousands-of-ios-apps-infected-by-xcodeghost.html


+ iOS 9 hack lets strangers access photos and contacts from a locked iPhone

A hacker has found a new and relatively simple method to bypass a locked iOS device (could be an iPhone, iPad or iPod Touch) running Apple’s latest iOS 9 operating system that could allow you to access the device’s photos and contacts in 30 seconds or less, even if passcode and/or Touch ID protection is enabled. All you need to bypass the device’s passcode is Apple’s personal assistant Siri.

http://www.telegraph.co.uk/technology/apple/iphone/11887252/iOS-9-hack-allows-strangers-to-access-photos-and-contacts-from-a-locked-iPhone.-Heres-how-to-protect-yourself.html


+ New malware infects ATMs, dispenses cash on command

Security researchers have discovered a new malware program that infects automated teller machines (ATMs) and allows attackers to extract cash on command. The program is dubbed GreenDispenser and was detected in Mexico. However, it’s only a matter of time until similar attacks are adopted by cybercriminals in other countries, researchers from security firm Proofpoint said in a blog post.

http://www.computerworld.com/article/2985860/malware-vulnerabilities/new-malware-infects-atms-dispenses-cash-on-command.html


+ Attackers install highly persistent malware implants on Cisco routers

Replacing router firmware with poisoned versions is no longer just a theoretical risk. Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on business routers in four countries. The router implant, dubbed SYNful Knock, provides attackers with highly privileged backdoor access to the affected devices and persists even across reboots.

http://www.computerworld.com/article/2984088/security/attackers-install-highly-persistent-malware-implants-on-cisco-routers.html


+ China-based Cyber Attacks On US Military Are ‘Advanced, Persistent And Ongoing’

A high-level hacking group dubbed Iron Tiger has been observed stealing trillions of bytes of confidential data from the United States government, US defense contractors and related companies in the United States and abroad.

+ Chinese promotion company hijacks Android devices around the world

A Chinese mobile app promotion company has created malicious adware that allows them to gain complete control of users’ Android devices…

http://www.net-security.org/malware_news.php?id=3110


+ Ransomware Risk from Over 140 Million Websites

Around 142 million legitimate websites could be serving up ransomware to their unwitting users due to out-of-date software, according to a new study.

www.scmagazineuk.com/ransomware-risk-from-over-140-million-websites-researcher-warns/article/437202/


+ Android 5 Bug Allows Attackers to Easily Unlock Password-Protected Devices

If you own a mobile device running any Android 5 version but the very last (v5.1.1) and you use a password to lock your device, you will want to update your OS or switch to a PIN or a pattern-based lockscreen.

http://www.net-security.org/secworld.php?id=18858


+ No Patches Available for Flaws in Cisco Security Appliances

Cisco has revealed the existence of denial-of-service (DoS) vulnerabilities in several of its security products. Customers are advised to apply workarounds since software updates are not available for most of the issues.

http://www.securityweek.com/no-patches-available-flaws-cisco-security-appliances


— Global Cyber events:

https://heimdalsecurity.com/blog/44-relevant-cyber-security-conferences-around-the-world/

http://thecyberwire.com/events.html


September 7

–Pentagon teams up with Apple, Boeing to develop wearable tech

U.S. Defense Secretary Ash Carter awarded $75 million on Friday to help a consortium of high-tech firms and researchers develop electronic systems packed with sensors flexible enough to be worn by soldiers or molded onto the skin of a plane. Carter said funding for the Obama administration’s newest manufacturing institute would go to the FlexTech Alliance, a consortium of 162 companies, universities and other groups, from Boeing (BA.N), Apple (AAPL.O) and Harvard, to Advantest Akron Polymer Systems and Kalamazoo Valley Community College.

http://www.reuters.com/article/2015/08/28/us-usa-defense-tech-idUSKCN0QX12D20150828


–DoD implements stricter cyber incident oversights, cloud computing guidelines

The Defense Department Wednesday initiated two sets of policies to enforce stricter guidelines when dealing with about 10,000 contractors the department trusts with offsite cyber information. One part of the interim rule, called “Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services,” will amend the DFARS to include mandates passed in recent Defense funding bills for stricter contractor reporting rules on cyber incidents. According to the issuance, this is part of a greater effort to streamline contractor incident reports.

http://www.fiercegovernmentit.com/story/dod-implements-stricter-cyber-incident-oversights-cloud-computing-guideline/2015-08-27


–FTC has power to police cyber security: appeals court

A U.S. appeals court said the Federal Trade Commission has authority to regulate corporate cyber security, and may pursue a lawsuit accusing hotel operator Wyndham Worldwide Corp of failing to properly safeguard consumers’ information. The 3-0 decision by the 3rd U.S. Circuit Court of Appeals in Philadelphia on Monday upheld an April 2014 lower court ruling allowing the case to go forward.

http://www.reuters.com/article/2015/08/24/us-wyndham-ftc-cybersecurity-idUSKCN0QT1UP20150824


–Why industry groups are wary of stronger FTC cybersecurity oversight

With a federal appeals court this week reaffirming the Federal Trade Commission’s regulatory authority of data security practices, the question now becomes: Just how powerful will the agency become in overseeing matters of privacy and cybersecurity?  Congress is already considering several bills that could expand the role of the FTC to police corporate cybersecurity, and President Obama’s draft Consumer Privacy Bill of Rights Act would also give the agency more power over industry.

http://www.csmonitor.com/World/Passcode/2015/0828/Why-industry-groups-are-wary-of-stronger-FTC-cybersecurity-oversight


–State Dept. Wants Cybersecurity Playbooks

The US State Department is seeking information from industry experts to develop cybersecurity playbooks – “to clearly guide both offensive cyber operations and responses to cyberattacks.” The agency is offering a one-year paid contract for playbooks “suitable to provide clear direction and guidance for actionable information security operation activities.” Proposals will be accepted until September 11, 2015.  (see FBO RFI link below)

http://www.nextgov.com/cybersecurity/2015/09/state-department-wants-compile-cybersecurity-playbooks/120251/?oref=ng-channeltopstory

https://www.fbo.gov/index?s=opportunity&mode=form&tab=core&id=3d261056605769776902aa83210a9d81&_cview=0

[Note: The most important characteristic of a playbook – in fact, the one thing that determines its value – is a set of reliable and measurable indicators of performance on a key success factor. In other words, if the playbook works, what is the measurable security improvement that we get? Substantial amounts of money have been wasted paying federal contractors to deliver their “methodologies” when they have no reliable evidence that the implementation actually reduces risk.]


–New cybersecurity mantra: “If you can’t protect it, don’t collect it”

Black Hat is the somewhat more corporate sibling of the annual DEF CON hacker convention, which follows Black Hat. Since my first visit to both conferences in 2002, I’ve kept tabs on the themes expressed by computer security practitioners. This year I heard a new refrain: “If you can’t protect it, don’t collect it”…

http://www.brookings.edu/blogs/techtank/posts/2015/09/03-bejtlich-black-hat-cybersecurity-conference

https://newmatilda.com/2015/03/26/if-you-cant-protect-it-dont-collect-it-metadata-privacy-and-police


–5 Growing Cyber-Security Epicenters Around the World

The recent hack of Ashley Madison reminds us just how vulnerable society is to cyber attacks. Big companies such as Target, Home Depot, Michaels, P.F. Chang’s and JP Morgan fell victim to data breaches in 2014, and the attacks have continued this year…

http://www.entrepreneur.com/article/250024

Silicon Valley, Israel, New York City, Boston, and London!


–The Art Of Deception: New Class Of Security Startups Use Decoys

As companies continue to get hammered by breaches, a clear gap in the effectiveness of many security portfolios becomes more evident with each attack. However, a new category of emerging security startups say they have the answer and are disrupting the threat detection space with what they call “deception” technology…

http://www.crn.com/news/security/300077992/the-art-of-deception-new-class-of-security-startups-use-decoys-to-disrupt-a-hackers-movement.htm


–DoD’s top secret smartphone expected in the fall

Government agencies have made significant strides in incorporating smartphones and tablets into their offices and missions, even at the Defense Department. But the caveat always has been that those devices could only be used for non-classified purposes. That’s changing…  the Defense Mobile Classified Capability-Secret (DMCC-S) is fully operational

http://www.c4isrnet.com/story/military-tech/mobile/2015/09/03/pentagon-top-secret-smartphone-expected-in-fall/71648428/


–91% of cyberattacks begin with spear phishing email

http://www.techworld.com/news/security/91-of-cyberattacks-begin-with-spear-phishing-email-3413574/?

So what to “DO” about it? Stamp out corporate phishing impacts using your existing cyber suite!

https://www.linkedin.com/pulse/stamp-out-corporate-phishing-impacts-using-your-existing-mike-davis


–OPM (Mis)Spends $133M on Credit Monitoring

Krebs is right on… his “credit freeze” approach is THE way to go for all of us, data breach aside. After all, you already have all the credit sources you need (house, bank, credit card), SO stop all new attempts to start new ones from anywhere; “unfreeze” as needed, then redo it.

http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/

–Securing Yourself in the Wake of OPM, Anthem, and Target

https://www.linkedin.com/pulse/securing-yourself-yes-you-wake-opm-anthem-target-norm-laudermilch


–20 Questions for your Cyber-Coverage Insurance

https://www.linkedin.com/pulse/20-questions-when-your-vendors-cyber-coverage-matters-jon-neiditz

VERY SOLID list of questions… use these!!!

–You Need an Innovation Strategy

https://hbr.org/2015/06/you-need-an-innovation-strategy

https://www.linkedin.com/pulse/assembling-your-innovation-advisory-board-jeff-degraff


–10 Critical Corporate Cyber Security Risks – A Data Driven List

https://heimdalsecurity.com/blog/10-critical-corporate-cyber-security-risks-a-data-driven-list/

Great top 10 list… blend these in with doing the SANS top 20 critical IA controls!


–The Biggest Security Threats We’ll Face in 2015

http://www.wired.com/2015/01/security-predictions-2015/

Nation state attacks, extortion, data destruction, breaches continue (bank and 3rd party), critical infrastructure…


–A Security Wake Up Call for Chief Information Officers

http://www.tripwire.com/state-of-security/featured/a-security-wake-up-call-for-chief-information-officers/


–Study of CEOs Reveals Alarming CyberSecurity Trends | Inc.com

http://www.inc.com/joseph-steinberg/study-of-ceos-reveals-alarming-cybersecurity-trends.html

SO — What Every Company’s Board Must Know About Cybersecurity

http://www.cfjblaw.com/companys-board-cybersecurity/?elq_mid=35760&elq_cid=1094517


–On a scale of one to 10, the risks law firms are facing are an 11

http://www.privacycomplianceconsulting.com/9-7-15-on-a-scale-of-one-to-10-the-risks-law-firms-are-facing-are-an-11


–Verizon DBIR App for Splunk Provides Actionable Security Intelligence for Enterprises

http://www.marketwatch.com/story/verizon-dbir-app-for-splunk-provides-actionable-security-intelligence-for-enterprises-2015-09-01


2  +++++++

–CEOs Failing to Grasp Information Security Risk

Despite a continuing string of high-profile information security breaches, many organizations’ leadership teams still have a very poor understanding of their own susceptibility to similar failures, asserts a research note from leading analyst Ovum.  In his frank analysis of the security sector, Ovum’s chief analyst for enterprise IT Tim Jennings believes that most businesses will have the appropriate security solutions in place, and can point to malware detection, firewalls, email security measures, identity and access management, security intelligence, and any number of other elements designed to militate against attack.

http://www.infosecurity-magazine.com/news/ceos-failing-to-grasp-full-u/


–Shadow IT Feeds ‘Man in the Cloud’ Attacks

Shadow IT — the use of unauthorized online services by company employees — is a concern of cyberwarriors charged with defending business systems against network attacks. There’s new evidence that those concerns are justified. A new attack vector on business systems leverages the synchronization features of services like Dropbox and Google Drive to perform malicious mischief, according to a report Imperva released earlier this month at the Black Hat Conference in Las Vegas.  The “Man in the Cloud” attack, as it’s called, involves making a simple change in configuration settings to turn services into a devastating criminal tool not detected easily using common security measures, the report explains.

http://www.technewsworld.com/story/82425.html


–US Parents Concerned About Student Data Security

Some 87% of US parents are concerned about student data privacy and security in America’s K-12 schools, according to a survey by The Future of Privacy Forum. American parents worry that their child’s electronic education records could be hacked or stolen, the study shows. Consequently, 85% of parents said that their willingness to support the use of student data and technology in education must be coupled with efforts to ensure security.

http://www.hotforsecurity.com/blog/us-parents-concerned-about-student-data-security-12598.html


–Symantec expands to IoT protection as part of new strategy

As Symantec prepares to become a pure information security firm again by spinning off its storage division, it has added protection for the internet of things (IoT) to its product portfolio. The move is part of a strategy to simplify the task of information security professionals in defending businesses against increasingly sophisticated threats across fixed, mobile and cloud environments.

http://www.computerweekly.com/news/4500252281/Symantec-expands-to-IoT-protection-as-part-of-new-strategy


–Alibaba adds artificial intelligence capability to its cloud offerings

Alibaba’s cloud computing business is hoping to attract enterprise customers with a new artificial intelligence service designed for data mining and analysis. On Tuesday, the Chinese e-commerce giant announced DT PAI, a platform designed to comb through a client’s data and analyze it for useful information. The service could help companies find key trends within their customer data, or even recommend goods to users, according to Alibaba.

http://www.computerworld.com/article/2975303/cloud-computing/alibaba-adds-artificial-intelligence-capability-to-its-cloud-offerings.html

 

–Latest security flaw to destroy all business? ‘Sanity check’ your cybercrime statistics

The difficulty telling fact from fiction in cybercrime news has been getting worse over the past few years. For decision makers, this means a “sanity check” on reported stats should be in your everyday toolkit…

http://www.zdnet.com/article/sanity-check-your-cybercrime-statistics/

Hackonomics: A First-of-Its-Kind Economic Analysis of the Cyber Black Markets

http://forums.juniper.net/t5/Security-Now/Hackonomics-A-First-of-Its-Kind-Economic-Analysis-of-the-Cyber/ba-p/234262

 

–6 ways to become more resilient to cyber-security threats

http://www.cgma.org/magazine/news/pages/cyber-security-threats-201512943.aspx

they are: prioritize data / information, OST / threat intel, security policies and monitoring them, test all key controls, update the board, C-suite and line managers periodically, and share information (similar sector security officers, ISAC, etc.)

 

–Self-Hacking: Corporations Start Thinking Like Criminals

How do companies defend their assets against cybercriminals?  (aka, ethical hacker for the company good)

https://securityintelligence.com/news/self-hacking-corporations-start-thinking-like-criminals/

Warning! Seagate Wireless Hard Drives Have a Secret Backdoor for Hackers

http://thehackernews.com/2015/09/seagate-wireless-harddrives.html?m=1

 

–Hands Off! NIST Helps Bring Contactless Fingerprint Technology to Market

Quickly moving through security checkpoints by showing your hand to a scanner seems straight out of science fiction, but the National Institute of Standards and Technology (NIST) is working with industry to bring fast, touchless fingerprint readers out of the lab and into the marketplace…

http://www.nist.gov/itl/iad/20150903fingerprint.cfm

 

–Demand for jobs high in cyber security (great statistics)

http://mobile.philly.com/business/?wss=/philly/business&id=321826661&

 

–Black Hat 2015 attendees concerned about endpoint risks

http://www.scmagazine.com/critical-infrastructure-windows-10-security-on-minds-of-security-pros/article/432901/

 

–Back To Basics: 10 Security Best Practices

http://www.darkreading.com/operations/back-to-basics-10-security-best-practices/a/d-id/1322053

 

–OUR article on

–Stealing Data By ‘Living Off The Land’

Hackers’ latest tactic involves a malware-free attack using a company’s own system credentials and admin tools to gain access…

http://www.darkreading.com/analytics/stealing-data-by-living-off-the-land/d/d-id/1322063?

 

–Advanced Threat Detection Buying Guide

Advanced threat detection offers a more proactive approach to enterprise security than traditional perimeter defenses…

http://www.esecurityplanet.com/network-security/advanced-threat-detection-buying-guide-1.html

 

–Bridging the Gap in Third-Party Breaches (vendor risk management!)

https://www.linkedin.com/pulse/bridging-gap-third-party-breaches-garrett-chumley

 

–Ashley Madison Breach: 6 Essential Lessons

http://www.databreachtoday.com/ashley-madison-breach-6-essential-lessons-a-8503?rf=2015-09-01-edbt

You know these!!!  Identify and safeguard sensitive data, secure passwords, collect / store less data, honor promises / appropriate due diligence to protect data, secure the supply chain, and talk to customers (have the communications channel open before a breach!)

 

–Why a Vendor Scorecard Is Just One Piece of the Risk Management Pie

https://www.linkedin.com/pulse/why-vendor-scorecard-just-one-piece-risk-management-pie-james-cisa

Vendor scorecard:

http://blog.evantix.com/using-a-vendor-scorecard-in-the-banking-industry-how-it-saves-big-dollars

 

3  +++++++

–Scanner identifies thousands of malicious Android apps on Google Play, other markets

A team of researchers have created an app vetting scanner referred to as “MassVet,” and they used it to identify more than 127,000 potentially harmful applications (PHA) in more than 30 Android markets – including Google Play.  In their whitepaper, “Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale,” the researchers explained how they used MassVet to evaluate more than 1.2 million Android apps from 33 app markets around the world.

http://www.scmagazine.com/scanner-identifies-thousands-of-malicious-android-apps-on-google-play-other-markets/article/435387/

 

–Unmanaged Apple Devices ‘a Liability’ for Corporations

Lack of encryption and weak or shared passwords on Apple devices in the workplace are exposing sensitive corporate and customer information, says research from identity protection specialist Centrify Corporation. The survey of 2,249 US workers, conducted by Dimensional Research, found that while people widely use Apple devices for work, the lack of security and management of those devices is opening up companies to significant liabilities.

http://www.infosecurity-magazine.com/news/unmanaged-apple-liability/

 

–DDoS Attacks Rising and Getting More Targeted

Verisign’s latest quarterly DDoS Trends Report, looking at the three months to June 2015, has found a noticeable rise in distributed denial of service (DDoS) attacks, with finance, and especially Bitcoin, a particular focus. Verisign also noted a continued upward trend in the number of attacks in Q2 and mitigated 34% more attacks in the first half of 2015 than in the first half of 2014. IT services/cloud/SaaS customers experienced the largest volume of attacks in Q2, representing over a third of all attacks.

http://www.infosecurity-magazine.com/news/ddos-attacks-rising-a/

 

–Tor Increasingly Used by Malicious Actors: IBM

The Tor network, created with support from the U.S. government, is often used by journalists, activists, and whistleblowers to protect their identities and their communications. However, the anonymity network is also utilized by intelligence operatives, cybercriminals and other malicious actors. The use of Tor for malicious purposes has increased over the past period with millions of malicious events originating from Tor exit nodes every year. According to IBM, roughly 180,000 malicious events originated from United States exit nodes between January 1 and May 10, 2015.

http://www.securityweek.com/tor-increasingly-used-malicious-actors-ibm

 

–Android Ransomware Communicates Through XMPP

Ransomware called Simplocker targets Android devices by pretending to be a legitimate version of Flash or of a video player in app stores. The malware encrypts the smartphone’s contents. Some victims get a message telling them they must pay the NSA a fine if they want their files back. Simplocker uses Extensible Messaging and Presence Protocol (XMPP) to communicate with its creators; because the communication looks like normal instant messaging traffic, it is more difficult for security tools to detect.

http://arstechnica.com/security/2015/09/android-ransomware-uses-xmpp-chat-to-call-home-and-claims-its-from-nsa/

 

–Baby Monitors May Be Vulnerable to Hackers, Report Finds

Baby monitors offer the convenience of live-streaming videos of children straight to their parents’ smartphones and tablets. But a new report warns that the children’s parents might not be the only ones watching. The report, released Wednesday by tech security firm Rapid7, put nine different Internet-connected baby monitors to the test. Of the nine kinds of baby monitors tested, one received a grade “D” and the other eight monitors received grades of “F.”

http://abcnews.go.com/Lifestyle/baby-monitors-vulnerable-hackers-report-finds/story?id=33503396

 

–Could hackers take down a city?

https://www.washingtonpost.com/news/the-switch/wp/2015/08/18/could-hackers-take-down-a-city/?wpmm=1&wpisrc=nl_tech

 

–Minimize Your Exposure to Hackers: Steps to Protect Your Mobile Device

http://inpublicsafety.com/2015/08/minimize-your-exposure-to-hackers-steps-to-protect-your-mobile-device/

See what ZAP has to say about your favorite mobile app!

http://zap.zscaler.com/

 

Hacking For Cause: Today’s Growing Cyber Security Trend

http://techcrunch.com/2015/08/08/hacking-for-cause-todays-growing-cyber-security-trend/

 

–WHO is an Insider Threat?  Some decent views / points!

https://www.lancope.com/blog/who-insider-threat

 

–The 7 ‘Most Common’ RATS In Use Today

https://www.linkedin.com/pulse/7-most-common-rats-use-today-mayur-agnihotri?trk=hp-feed-article-title-like

 

– Global cyber events:

https://www.secureworldexpo.com/

https://heimdalsecurity.com/blog/44-relevant-cyber-security-conferences-around-the-world/

http://thecyberwire.com/events.html

 
