Cybersecurity News of the Week, September 24, 2017

Cyber Security News

from our friends at Citadel Information Group

Individuals at Risk

Identity Theft

Why didn’t Equifax protect your data? Because corporations have all the power: When the credit-reporting agency Equifax announced this month that hackers had accessed the accounts of 143 million of its customers — over 40 percent of the population of the United States — it was another example of how little power consumers have over their own money and personal information. Indeed, it unfolded in a familiar way: Equifax isn’t communicating with its customers, and no one can make it. The Washington Post, September 21, 2017

Experian Site Can Give Anyone Your Credit Freeze PIN: An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian. KrebsOnSecurity, September 21, 2017

Equifax, the Credit Reporting Industry, and What Congress Should Do Next: Even for the experts, the recent data breach at Equifax was staggering. The data that undergirds the credit records of 143 million consumers was compromised. Social Security numbers, dates of birth, and drivers’ license records are used to authenticate identity. It is not difficult to change a credit card number, but changing Social Security numbers and birth dates is a whole different matter. Data breaches are on the rise in the United States. It’s time for Congress to act. Why does this require action by Congress? There are at least five major reasons that the private sector cannot handle this issue on its own. Harvard Business Review, September 20, 2017

Equifax Breach: Setting the Record Straight: Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017. KrebsOnSecurity, September 20, 2017

Someone Made a Fake Equifax Site. Then Equifax Linked to It: People create fake versions of big companies’ websites all the time, usually for phishing purposes. But the companies do not usually link to them by mistake. The New York Times, September 20, 2017

Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed: Equifax Inc. learned about a major breach of its computer systems in March — almost five months before the date it has publicly disclosed, according to three people familiar with the situation. Bloomberg, September 18, 2017

New evidence raises doubts about executives’ handling of the Equifax breach: New evidence calls into question Equifax’s handling of the breach reported last week, which compromised 143 million user details including Social Security numbers, birthdates, and addresses. The Verge, September 19, 2017

The learned helplessness of Equifax: Is there a formal name for the fallacy of assuming that the status quo is sane? Such a name would become more useful with each passing year. There are a shocking number of examples, but I give you, as a perfect, vivid, front-of-mind example, the credit rating system of the United States of America, as exemplified by that radioactive disaster of a company called Equifax. TechCrunch, September 17, 2017

Equifax Should Be a Public Utility: Credit bureaus have little incentive to take hackers seriously. Only government oversight can change that. Harvard Business Review, September 15, 2017

Cyber Privacy

Motel 6 to revamp privacy, data sharing policies after Phoenix locations send guest info to ICE: Motel 6 employees in the Phoenix area who voluntarily and routinely handed guest registers to ICE officials without the benefit of a warrant may not have run afoul of the company’s privacy policy, but the hotel chain said it would take steps to shut down or prevent similar operations at its other properties nationwide. SC Magazine, September 18, 2017

Cyber Update

iOS 11 Update includes Patches for Eight Vulnerabilities: iOS 11 is out today, and along with a new look and feel (especially on the iPad) come patches for eight vulnerabilities in the Apple mobile OS. ThreatPost, September 19, 2017

Cyber Warning

iOS 11’s Control Center may say Bluetooth, Wi-Fi are off, but that’s just not true: Apple has made changes in iOS 11 that push its devices towards Wi-Fi and Bluetooth being enabled by default, which may make users more vulnerable to attacks. ZDNet, September 21, 2017

Hackers are locking people out of their MacBooks – here’s how to stay safe: Hackers using stolen iCloud credentials have been able to use Apple’s Find My Device features to remotely lock down computers and demand Bitcoin ransoms from affected users. However, that doesn’t mean Apple’s iCloud was hacked. Instead, hackers are likely trying their luck with the many username and password combinations exposed in recently publicized breaches (credential stuffing), which succeeds wherever the same password was reused for the Apple ID. BGR, September 21, 2017

This is why you shouldn’t use texts for two-factor authentication: For a long time, security experts have warned that text messages are vulnerable to hijacking — and this morning, they showed what it looks like in practice. A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit via the SS7 telephone signaling network, so the one-time code sent by SMS never really proves possession of the phone. The Verge, September 18, 2017

Critical Bluetooth flaw could put nearly every connected device at risk of cyberattack: The vulnerability set, discovered by Armis Labs and dubbed BlueBorne, is an over-the-air attack targeting Android, iOS, Windows, and Linux devices that requires no pairing and no user interaction, only that Bluetooth be switched on. It would allow hackers to take complete control of the device. TechRepublic, September 13, 2017

Information Security Management in the Organization

Cyber Warning

Hackers hid malware in CCleaner software: Hackers have successfully breached CCleaner’s security to inject malware into the app and distribute it to millions of users. Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner. “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” says the Talos team. Because the trojanized build carried the vendor’s valid code signature, signature verification alone would not have flagged it; only the vendor’s own build pipeline could have caught it before release. The Verge, September 18, 2017

CEOs beware: Your email address is spoofed most often for cyberattacks: A recent Trend Micro report identified that CEOs and managers are most likely to have their email spoofed, while CFOs are the biggest targets of these attacks. TechRepublic, September 12, 2017

Cyber Defense

Where Do Security Vulnerabilities Come From?: There are three major causes: code quality, complexity, and trusted data inputs. DarkReading, September 22, 2017

Cyber Law

Canada’s Tough New Breach Reporting Regulations: Canada had been lagging behind the U.S. and some other nations in terms of breach notification regulations, but now it’s catching up, says attorney Imran Ahmad, who explains new requirements that are coming into effect. BankInfoSecurity, September 21, 2017

Cybersecurity in Society

Cyber Crime

Report: SMBs paid $301M to ransomware hackers last year: About 5% of SMBs fell victim to ransomware attacks in the past year, leading to financial strain from downtime and data loss, according to a new survey from Datto. TechRepublic, September 21, 2017

Know Your Enemy

Low-cost tools making cybercrime more accessible: SecureWorks: A report from the security vendor has said the increasing affordability of cybercrime tools is providing budding criminals with a low barrier to entry into the game. ZDNet, September 19, 2017

Cyber Freedom

Feds Share More Details with States regarding Russian Election Hacking; Establish Coordinating Council: One of the public’s unanswered questions about Russia’s attempts to break into election systems last year was which states were targeted. On Friday, states found out. NPR, September 22, 2017

Facebook to Turn Over Russian-Linked Ads to Congress: WASHINGTON — Under growing pressure from Congress and the public to reveal more about the spread of covert Russian propaganda on Facebook, the company said on Thursday that it was turning over more than 3,000 Russia-linked ads to congressional committees investigating the Kremlin’s influence operation during the 2016 presidential campaign. The New York Times, September 21, 2017

Political campaigns prep for battle with hackers: Candidates are quizzing prospective campaign managers on anti-hacking plans. Democratic committees like the Democratic Congressional Campaign Committee, which was breached last year, have switched internally from email to encrypted messaging apps. And both parties are feverishly trying to spread advice and best practices to new campaigns before they become targets. Politico, September 19, 2017

Facebook hands over ads, account info to Mueller: After special counsel Robert Mueller produced a search warrant, Facebook handed over records associated with fake accounts that purchased and planted $100,000 worth of ads on behalf of Russian interests to influence the 2016 U.S. presidential election. SC Media, September 18, 2017

Financial Cyber Security

SEC Hack Threatens a Bedrock of U.S. Capitalism: Transparency: The U.S. Securities and Exchange Commission hails its database of company filings as an innovation that’s dramatically boosted corporate transparency. But a hack that led to the theft of market-moving secrets is the latest sign that technology also brings dangers the SEC is struggling to combat. Bloomberg, September 22, 2017

Cyber Research

Malware Steals Data From Air-Gapped Network via Security Cameras: Proof-of-concept malware called aIR-Jumper can be used to defeat air-gapped network protections and send data in and out of a targeted network. The technique uses the infrared LEDs built into security cameras to blink data out of the network as a stream of invisible light pulses, and the cameras’ own sensors to receive data blinked in from an infrared source outside; a human watching the camera sees nothing unusual. ThreatPost, September 20, 2017
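To make the blink channel concrete, the following is an added illustration (not the aIR-Jumper researchers' code, which ThreatPost does not reproduce) of how a byte stream becomes a sequence of LED on/off states and is recovered on the receiving side. The framing (an 8-symbol sync preamble, one parity bit per byte) and the assumption that the receiver has already sampled the LED once per symbol slot are simplifications chosen for clarity, not details from the research.

```python
"""Toy on-off-keyed (OOK) encoder/decoder for an infrared blink channel.

Added example, not the aIR-Jumper proof-of-concept. Assumptions: the
camera-side receiver samples the LED exactly once per symbol slot, the
preamble below is an arbitrary sync pattern, and each byte is followed by
one even-parity bit so a corrupted frame is rejected rather than mis-read.
"""
from typing import List, Optional

# Assumed sync pattern; the decoder scans for it to align on the frame start.
PREAMBLE: List[int] = [1, 0, 1, 0, 1, 1, 0, 0]
SYMBOLS_PER_BYTE = 9  # 8 data bits, MSB first, plus 1 parity bit


def _parity(byte: int) -> int:
    """Even parity: 1 if the byte has an odd number of set bits."""
    return bin(byte).count("1") & 1


def encode_blinks(payload: bytes) -> List[int]:
    """Turn bytes into LED states (1 = IR LED on, 0 = off), one per symbol slot."""
    states = list(PREAMBLE)
    for b in payload:
        states.extend((b >> i) & 1 for i in range(7, -1, -1))
        states.append(_parity(b))
    return states


def decode_blinks(samples: List[int]) -> bytes:
    """Recover bytes from sampled LED states.

    Leading noise before the preamble is skipped; a trailing partial symbol
    group is ignored; a parity mismatch raises so the caller never accepts a
    corrupted frame as good data.
    """
    n = len(PREAMBLE)
    start = next(
        (i for i in range(len(samples) - n + 1) if samples[i:i + n] == PREAMBLE),
        None,
    )
    if start is None:
        raise ValueError("no preamble found")

    out = bytearray()
    pos = start + n
    while pos + SYMBOLS_PER_BYTE <= len(samples):
        group = samples[pos:pos + SYMBOLS_PER_BYTE]
        value = 0
        for bit in group[:8]:
            value = (value << 1) | bit
        if _parity(value) != group[8]:
            raise ValueError(f"parity error in symbol group starting at {pos}")
        out.append(value)
        pos += SYMBOLS_PER_BYTE
    return bytes(out)


def try_decode(samples: List[int]) -> Optional[bytes]:
    """Convenience wrapper: None instead of an exception for a bad frame."""
    try:
        return decode_blinks(samples)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample: a short secret blinked out, then read back.
    secret = b"key=AB12"
    blinks = encode_blinks(secret)
    print(len(blinks), "symbols on the wire")
    print(try_decode([0, 0, 0] + blinks))  # leading darkness is tolerated

    # Flip one sampled bit to show the parity check catching corruption.
    damaged = list(blinks)
    damaged[len(PREAMBLE) + 3] ^= 1
    print(try_decode(damaged))
```

Nine symbol slots per byte is why such channels are slow: even at tens of symbols per second, exfiltrating a few kilobytes takes minutes of LED activity, which is exactly the signal (a camera's IR LEDs flickering in a regular pattern, or when ambient light does not call for them) that a defender can look for.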

SecureTheVillage Calendar

SecureTheVillage: San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable: The San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable is designed to support communication and collaboration between C-Suite executives, IT managers, and cybersecurity experts. The San Fernando Valley-East Roundtable is intended for both for-profit and nonprofit organizations. The Roundtable functions as a cross-organizational “learning community” committed to working together to better protect our community from cybercrime. September 28, 7:30 – 10:00 AM. Datastream, Glendale.

Glendale Tech Week: SecureTheVillage and Citadel President Stan Stahl will join Louie Sadd, Datastream Managing Partner and SecureTheVillage Leadership Council member, and other cybersecurity panelists. October 12, 10:00 – 11:00, Glendale Central Library.

SecureTheVillage: Cybersecure Los Angeles 2017 — Get Cyber Prepared: SecureTheVillage joins UCLA Extension for its first cybersecurity conference. Learn from leading information security professionals and law enforcement, including: information security providers, cyber-insurance, financial services, law, the FBI, LA County District Attorney’s Office, and more. Leave with SecureTheVillage’s Information Security Management and Leadership ResourceKit: A practical guide for implementing an information security management and leadership program in your organization. October 19, 9:00 – 2:00, UCLA Extension, Figueroa Courtyard

The post Cybersecurity News of the Week, September 24, 2017 appeared first on Citadel Information Group.

Jeff Snyder's SecurityRecruiter.com Security Recruiter Blog, 719.686.8810