-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 9 years, 11 months ago
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 9 years, 12 months ago
The TJX Case Study is due Dec 4th 2014.
I would like the text sent, in the body of an email, to me at my tue90933@temple.edu email address by noon on Thursday December 4th.
Please address the following […]
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
This week’s subject is Preemptive and Offensive Security
The team is:
Business Context: Eboni Strawder
Technical Considerations: Paul Thomas
Risk Assessment/Mitigation focus: Jingyi Zhou
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
-
HSBC Turkey Hackers Grab Data from 2.7m Cards
HSBC Turkey has admitted it suffered a major card breach of 2.7 million accounts, but maintained that there was no need to reissue said cards because not enough information was stolen to commit identity fraud.
The bank said in an online FAQ that it discovered the incident over the past week, and that it affected card and linked account numbers, card expiry dates and cardholder names of its customers.
However, it said there is no evidence that other financial or personal information has been compromised and maintained the cards are secure and safe to use.
This is the link:
http://www.infosecurity-magazine.com/news/hsbc-turkey-hackers-grab-data/
-
400 Hackers are Defending NATO in a Massive Cyberwar Game
NATO is launching its largest ever cyber-defense exercise. Over 400 experts consisting of technical, government, and cyber experts from states within the alliance will be tested on their ability to rapidly share information about cyber incidents, and test the abilities of participating nations to coordinate a defense against a series of targeted incidents against a NATO mission network.
During the Wales NATO summit, it was agreed upon by member states that cyber-attacks can reach a point that threatens the prosperity, security, and stability of their countries as much as a conventional attack would. The cyberthreats NATO and its members face are not one-off attacks, but a daily reality in which constant international coordination and vigilance are necessary in order to combat the threat. This has become especially evident in the recently publicized cyber-espionage conflict between China and Canada, in which Chinese hackers had intensified their attacks on Canada’s National Research Council, a body that houses cutting edge research and development on aerospace, security technologies, mining industries, health, and astrophysics, to such a degree that the NRC had to shut down their computer networks to avoid intrusion.
The NATO exercises are also a response to the recent cyberattacks by Russian intelligence against NATO during the Wales Summit, in which Russian intelligence had spent nearly two years attempting to acquire information relating to how the US and its allies would respond to Russian moves in Ukraine, the Crimea, and elsewhere. Russian intelligence was able to hack the NATO networks using a zero-day exploit in Microsoft Windows.
Source:
http://motherboard.vice.com/read/nato-is-sharpening-its-cyber-war-defenses
-
http://www.washingtontimes.com/news/2014/nov/17/state-department-cyber-attack-prompts-shutdown-ema/
The State Department computer system fell victim to a cyber attack during recent weeks, according to U.S. officials who say the incident prompted a full shutdown of the department’s unclassified email system and occurred around the same time hackers penetrated systems at the White House.
Some news reports suggested the attack was consistent with state-sponsored hacking activities. But the administration has declined to confirm those reports in recent weeks. It was not immediately clear whether it is believed that the State Department and White House incidents were related.
-
The U.S. Postal Service revealed that its information system has been compromised and an estimated 800,000 employees’ data is at risk. Personal information includes name, date of birth, Social Security numbers, addresses and dates of employment. The Postal Service noted that the employee data is even more valuable than the customer data because the company stores very sensitive information such as Social Security and health care data of its employees. This kind of information could be used to commit forgery against the Service or other federal agencies.
-
My news for this week is about the “permacookies” Verizon and AT&T are using. The two companies use the permacookies to track users’ web browsing history and sell the information to advertisers. Permacookies are unlike regular cookies, which you can delete easily. There is no way to remove the permacookies from users’ phones. The author recommends using Wi-Fi or VPN instead of Verizon or AT&T’s own networks to avoid leaving the permacookies. However, as we discussed in class, Wi-Fi and VPN can be easily manipulated by attackers to steal users’ data. So what can we do to protect our data from being tracked or stolen?
http://www.infoworld.com/article/2848460/internet/att-kills-the-permacookie-stops-tracking-customers-internet-usage-for-now.html
-
News: VA misses targets for fixing IT security risks.
The Department of Veterans Affairs did not pass its fiscal 2014 IT security audit, conducted by the agency inspector general’s office. The department’s fiscal 2013 security audit had cited 6,000 unresolved risks, and offered 30 recommendations to improve security. Warren stressed the balancing act between keeping systems up for the delivery of services and meeting audit requirements. The VA’s computer networks support between 1.2 million and 1.4 million devices, with multiple applications and services running on each device. That adds up to an environment with as many as 150 million potential targets that need to be scanned for vulnerabilities.
link: http://fcw.com/articles/2014/11/14/va-it-warren.aspx
-
Hackers Humiliate U.S. State Department.
The article says that “the U.S. government may be thwarting thousands of daily attempts to penetrate its IT system” but, with the increase in successful attacks, the bad guys are winning a few battles. In recent months many government departments such as the U.S. National Oceanic and Atmospheric Administration, the U.S. Postal Service, and the U.S. Office of Personnel Management have been breached, and the government blamed Russian and Chinese hackers for the breaches.
-
The article I came across today is “State Department Targeted by Hackers in 4th Agency Computer Breach”. The article talks about the incident that happened in the State Department on Sunday. The State Department on Sunday became the fourth government agency to announce a breach of its computer systems in recent weeks, after an infiltration forced the agency to temporarily shut down its unclassified email system and public websites. The breach, which the agency said did not affect any of its classified systems, follows a similar one involving the unclassified computer systems of the White House last month, which also resulted in a temporary shutdown of its communications systems. There have been similar breaches at the United States Postal Service and the National Oceanic and Atmospheric Administration.
-
http://money.cnn.com/2014/11/20/technology/security/hacked-web-cameras-russia/index.html
I found this interesting article about how a group of Russian hackers took over 4600 cameras and webcams. They did it to show how vulnerable these cameras and security systems can be. The cameras were easily hacked because default passwords were never changed.
-
SANS Assignment 6 and 7
An Overview of Cryptographic Hash Functions and Their Uses
A hash is only a one-way function and it is impossible to determine the input knowing only the output. The cryptographic hash creates a unique message digest for each message; if the message changes, the hash also changes. This function helps in detecting when a message was altered and in determining file integrity. The most used hash algorithms (SHA1 & MD5) are secure because the only way to find a collision is via brute force and it would require a significant amount of computing power. Hashing has two significant advantages over encryption: it offers a publicly available verification method and also a property known as the ‘transient’ effect that ensures that the message digest will maintain its integrity.
The Risks Involved With Open and Closed Public Key Infrastructure
Public Key Infrastructure is not a technology but a method of deployment that supports cooperation between elements such as digital signatures and certificate authorities. Essential elements of PKI include encryption keys, digital certificates and hashing algorithms. The use of public and private keys ensures confidentiality. Digital certificates handle data authentication because they are used to determine who sent a particular message. Hashing algorithms ensure integrity and nonrepudiation.
In the news
Beefed up iPhone crypto will lead to a child dying, DOJ warned Apple execs
Recently I read an article that describes a fierce debate between Apple’s executives and the Department of Justice, which was asserting that the strong encryption on Apple’s devices can lead to the death of a child. The DOJ was arguing that the encryption implemented on Apple’s devices will not allow it to retrieve potentially crucial evidence from suspects’ iPhones or iPads. The officials are also complaining that tech companies are adding default encryption to consumer electronics. Apple argues that it strives to protect users’ information from governments that are less respectful of individual rights and implies that if the government wants to get access to this kind of data, it should change the law and require all companies to follow such regulations.
-
According to a CyberArk report, the exploitation of privileged accounts occurs in almost every targeted attack. The primary reason why attacks are so hard to detect and stop is that hackers are using privileged accounts. The report states privileged accounts enable attackers to have unrestricted access and the ability to cover their tracks and transfer data. In addition, attackers can create fake users and blend in to regular network traffic. CyberArk’s research indicated that organizations typically fail to keep track of all privileged accounts and underestimate the privileged account threat. “The research reveals many organizations are still mainly focused on preventing intrusions and malware infections, rather than finding and stopping attackers who are already inside,” said Mokady.
-
This article talks about the 5 ways health data breaches are worse than financial data breaches. I found this interesting because Prof. Senko talks about how the health industry is “unsecure”, yet the impact from such breaches is usually severe.
Link: http://www.govhealthit.com/news/5-ways-health-data-breaches-are-far-worse-financial-ones
-
“12 security problems that EMV and tokenization won’t solve”
On Nov. 1 of next year, merchants that aren’t ready to accept chip-based cards instead of the current magnetic-stripe cards will become liable for fraudulent transactions that today are covered by the credit card companies. It means that a lot of retailers will be switching to the new EMV and many will also roll out tokenization and end-to-end encryption. This will dramatically increase security in the area of retail payments, but there are still some likely bumps in the road on the journey to credit card security. Some of them would be: problems will happen during the transition period, chip-and-signature isn’t as secure as chip-and-PIN, tokenization and encryption aren’t requirements, fraud will move to online channels, criminals will broaden their sights and hackers will now focus their attention on cracking EMV.
http://www.csoonline.com/article/2849257/data-protection/12-security-problems-that-emv-and-tokenization-wont-solve.html
-
Windows Phone 8.1 hacked. Just weeks after Microsoft announced that a 19-year-old critical security hole existed in almost every version of the Windows OS, developers have discovered a vulnerability on the new phone using this hole, and it could be easily exploited.
http://goo.gl/KUV07B
-
My article this week is about a Citadel variant, a data-stealing malware. This malware, originally used for online banking credential theft, has evolved and now can be designed to target master passwords and authentication solutions. This is particularly dangerous because once the master password has been compromised, the whole system could be at risk.
http://www.scmagazine.com/data-stealing-malware-has-evolved/article/384552/
-
N.S.A. Phone Data Collection Could Go On, Even if a Law Expires
A provision of the Patriot Act that was overlooked by lawmakers and administration officials will give President Obama a possible way to keep the National Security Agency’s bulk phone records program going indefinitely — even if Congress allows the law on which it is based to expire next year.
For further information, please see link below:
-
Vacca Readings:
IT security management should consist of blueprints, policies, procedures and processes that enable organizational structure and technology to protect an organization’s IT resources. The above-mentioned are what ensure the CIA triad: confidentiality, integrity, and availability of IT resources.
The key to a successful ITSM implementation is to ensure one has strong and enforceable policies and procedures that senior management supports.
SANS Readings:
Cryptographic hash functions are often used with passwords because the hash is only a one-way function, thus making it impossible to find out what an end user keyed through their machine. This is done through the cryptographic hash algorithm, which creates a unique message digest for each message. If and when an end user’s message changes, the hash changes with it. In order to ensure confidentiality, integrity, availability and non-repudiation, the use of public and private keys would be recommended. Data authenticity is aided by digital certificates.
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
Just a reminder that email is still the most popular way to spread malware 🙂
Google: Phishing is ‘astonishingly’ successful
http://www.scmagazineuk.com/google-phishing-is-astonishingly-successful/article/382541/
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
Someone was asking about this in class 2 weeks ago …
StingRay Technology: How Government Tracks Cellular Devices
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
11/13 Application Development Security
Prepare Analysis: SECURITY BREACH AT TJX
Team Presentation: Incident Detection and Response
Vacca Chapter 33, 34
“In the News” article
Start preparing Case 2 […]
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
This week’s subject is Event detection / Incident response
The team is:
Incident Detection: KACPER RAMS
Incident Response: MICHAEL ROTH
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
-
United States Postal Service Hacked
On Monday the media released the information that the USPS was hacked, leaking around 800,000 employees’ PII and also information on customers who contacted the Service Customer Care Center via phone or e-mail between Jan. 1 and Aug. 16. The attack was discovered in mid-September and disclosed 2 months later because “communicating the breach immediately would have put the remediation actions in jeopardy…” Employee information involved names, Social Security numbers, addresses and other info required for an ordinary job application. Some of the media suspect that China is behind this breach, as governmental agencies’ and governmental employees’ information is valuable to them and could be used in various ways, including building an inventory of U.S. persons for counterintelligence and recruitment purposes.
-
SANS assignment 4: When assessing vendor application quality, it is important to first establish the goals and criteria of the process. Although the assessment process is complicated, the information gathered can be used to ensure that the vendor security selected is in line with business requirements.
SANS assignment 5: This talks about the risks surrounding coding and the steps developers can take to ensure that hackers cannot exploit it. By understanding the development environment of an application, coders will be able to identify the vulnerabilities involved and take steps to reduce risks at the application development stage.
Chapter 33 & 34: Security is complex and constantly evolving in the IT industry. When considering resources to be used for a SAN, the resources should reflect the information stored on the network. Encryption (a security tool used to protect information in an organization) can be used as a SAN protocol. There are logical (internal & external) and physical level threats associated with a SAN and it is important to consider all of them.
-
My news for this week is about a malware called WireLurker targeting Apple users in China. Malicious code is added to legitimate iOS apps in China’s third-party Mac OS app stores. Users’ Macs are infected if they download these apps. What makes it worse is that if the infected Mac is connected to an iPhone or iPad via USB, the iPhone or iPad will be infected too. Apple has now blocked the identified apps. However, Apple is still not sure how many people have been impacted.
Link: http://www.cnet.com/news/new-apple-focused-malware-uses-macs-to-infect-iphones/
-
News: Top UK information security threat is… paper?
From a survey of senior managers in over 1,000 North American and European businesses, it was established that just 15 per cent of companies had a team focused specifically on paper protection, though 85 per cent did have a team that managed both paper and information risk. PwC also found that two thirds of mid-sized companies in the UK regard the management of information on paper as a serious security risk – more than the number that fear external threats to digital content such as hacking and malware.
link: http://www.itproportal.com/2014/11/06/top-uk-information-security-threat-paper/
Reading: The assessment program should be organized into logical parts and summarized accordingly. It is important to be thorough in the assessment, but the key is to define the review criteria and goals before beginning the process.
-
A bug was discovered on Apple’s iOS that allows hackers to install a malware app on your phone. Once installed, the app can be used to steal data off the phone, possibly including sensitive banking and email log-in information. FireEye discovered the loophole in July and privately told Apple about the bug. But last week, the first known campaign to exploit the vulnerability launched and the firm decided to go public.
-
Hacker Lexicon: What Is a Zero Day?
Zero day actually refers to two things—a zero-day vulnerability or a zero-day exploit.
Zero-day vulnerability refers to a security hole in software that is yet unknown to the software maker or to antivirus vendors. This means the vulnerability is also not yet publicly known, though it may already be known by attackers who are quietly exploiting it.
Zero-day exploit refers to code that attackers use to take advantage of a zero-day vulnerability. They use the exploit code to slip through the hole in the software and plant a virus, Trojan horse or other malware onto a computer or device. It’s similar to a thief slipping through a broken or unlocked window to get into a house.
The term “zero-day” refers to the number of days that the software vendor has known about the hole. The term apparently originated in the days of digital bulletin boards, or BBSs, when it referred to the number of days since a new software program had been released to the public. Zero day software was unreleased software and was highly coveted by hackers who wanted to be the first to obtain it.
More details at: http://www.wired.com/2014/11/what-is-a-zero-day/
-
Vacca
Chapter 33: Cyber forensics
Cyber forensics is increasingly found in the courtroom. Judges allow cyber-based evidence as though it were no different from “traditional evidence” such as documents, business books, films, etc. However, analogies with more traditional evidential material were beginning to break down.
Chapter 34: Cyber forensics and incident response
Cyber forensics is a concept very linked to incident response. Cyber forensics reduces the occurrence of security incidents by analyzing the incident to get the root cause and provide feedback to prevent incidents from happening again. Incident response needs an incident plan to be in place as well as a set of policies and procedures that support the mitigation activities.
-
“Foreign state suspected of breaching US Postal Service systems”
The USPS has suffered a major data breach that may have exposed the personal information of more than 800,000 employees, including the data on customers who contacted the Postal Service Customer Care Center by telephone or email from January through August 16. The employees’ personal information exposed includes names, date of birth, SSN, addresses, date of employment and emergency contact. Security experts speculate that a persistent threat actor is behind the attack; several specialists hypothesized the involvement of a foreign government, like China or Russia. The attack was run by a “sophisticated actor” that was not interested in credit card fraud, nor in arranging a large-scale scam with the stolen data. The FBI is leading the investigation on the attack.
Link: http://www.cyberdefensemagazine.com/foreign-state-suspected-of-breaching-us-postal-service-systems/
-
My article for this week is about “Masque Attacks”. This recently discovered attack on iOS devices allows attackers to steal users’ personal and financial information by sweeping their app caches. These apps work off a vulnerability in third-party app stores that, when exploited, allows attackers to replace genuine apps downloaded from the App Store with their own malicious versions.
http://www.scmagazine.com/ios-attack-leverages-third-party-app-store-vulnerability/article/382461/
-
Researchers Shine Spotlight on OS X/iOS Masque Attack.
The article says that Masque Attack tricks victims into installing malicious apps from third-party app stores. The Masque attack is dangerous in enterprises that have BYOD policies, and IT cannot distinguish fake apps from the original ones. Moreover, attackers use these attacks to bypass the app sandbox and get root privileges by attacking known iOS vulnerabilities.
Links:
http://www.technewsworld.com/story/81342.html
Readings
Chapter 33
The chapter talks about encryption, which is used to protect the confidentiality of the information in the enterprise. “To understand if and how an encryption solution should be deployed, administrators need to understand and assess the risks of unauthorized access and disclosure at each point of the information flow.”
-
The article I came across today is “Cyber attacks trigger talk of ‘hacking back’”. The article talks about how the recent rash of cyber attacks on major U.S. companies has highlighted the scant options available to the victims, who often can do little more than hunker down, endure the bad publicity and harden their defenses in hopes of thwarting the next assault.
-
I found this article really interesting because we talk about physical security in class and badges that prevent people from entering buildings; however, we never discussed extreme physical hacking. In Russia, people are actually blowing up ATMs instead of using skimmers because it is faster and convenient. A hacker can get the cash then and there instead of having to wait to sell the credit card numbers. These hackers basically take regular propane off a barbecue grill and pump it into the ATM and ignite it to get to the cash.
http://gizmodo.com/this-is-how-atms-get-hacked-in-russia-using-explosives-1658261388
-
HSBC Turkey said that it lost 2.7 million customers’ bank data in a cyber attack. This hack resulted in the theft of data on cards and related bank accounts. This breach is limited to Turkey; no other branch has reported an attack. HSBC Turkey is working with different parties to investigate the leak. The Turkish unit of HSBC had a loss of $18 million in the second quarter; however, it hasn’t reported third-quarter results. Government officials and security specialists have said that more needs to be done to prevent cyber-crime in the global financial systems and ultimately protect customers.
Link to article: http://goo.gl/HcvHV0
-
SANS 4: Assessing Vendor Application Security is a very important step to make sure that the information is being protected. Some of the steps include application architecture, network communication, authentication, etc.
SANS 5: Every organization needs to have a good change management process. Part of this process is performing vulnerability analysis of the servers and URLs before they go to production.
-
Recently the Postal Service confirmed a data breach, and the leaked personal information includes employees’ names, dates of birth, Social Security numbers, addresses, emergency contacts and other information.
Customers at local post offices or those using its website, usps.com, were not affected. However, people who used its call center may have had telephone numbers, email addresses and other information compromised.
While the breach mostly affected employees, the Postal Service said it “compromised call center data” for customers who reached out with an inquiry via phone or email between Jan. 1 and Aug. 16 of this year.
-
According to Kaspersky Lab, over the last four years malicious hackers have been using the so-called “DarkHotel” trick to steal data from company executives while they stay at luxury hotels in Asia. The hackers wait for victims to connect to the compromised hotel Wi-Fi network, then trick them into downloading and installing a backdoor that pretends to be a legitimate software update like Google Toolbar, Adobe Flash, etc. The hackers’ goal is to steal sensitive corporate information or gain access to corporate networks.
http://www.cnet.com/news/darkhotel-hack-targets-executives-using-hotel-internet/
-
http://www.cnbc.com/id/102178391#.
This article emphasizes the problem of employees being the greatest threat to information security. It mainly focuses on the fact that employees who are either careless, lazy, or forgetful make it easy for hackers to gain unauthorized information. The survey conducted showed that the finance industry feels most strongly about the lack of integrity and the increase in availability of unauthorized information because of employees.
Readings: The fact that the process is being created is the first step, but in order for it to be essential the requirements need to be detailed and thorough. With the requirements and expectations being thorough in defining the process, it becomes easier to assess vendor applications and to see if they will bring business value and if they align with the strategy of the organization.
-
Vacca Readings
Chapter 33, 34
With the wide acceptance of cyber forensics in businesses, federal judges have accepted cyber-based evidence on the basis that it was no different from other forms of evidence. The underlying evidence was still documents, business books, weighing machines, calculating machines, films, audio tapes, etc.
A well-documented incident response plan and process, and an incident response team that is experienced in cyber forensics analysis, are needed. Besides having these important components, an organization needs to have strong policies and procedures that back them.
SANS Assignments 4, 5
Vendor diligence extends to application security to ensure the information that is stored and transferred by those systems is being adequately protected.
Organizations without good change management processes are doomed to be inefficient and ineffective, and will miss targets and blow budgets; most importantly, without a good change management process, one may introduce vulnerabilities to internal IT resources.
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
This week’s subject is Public Key Encryption and Digital Signatures
The team is:
Business focus: Rinku Patel
Technical focus: Mustafa Al Shalchi
Risk Assessment/Mitigation focus: Ziwei Zhu
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
-
Facebook Supports Anonymity!
“…Facebook has recently adopted and supported enhanced privacy by setting up base on the Tor Network. The Tor network is one of the most popular, free and untraceable networks on the net (as far as advertised). The Tor Project is a service based on free software that enables anyone running the Tor client software to access Internet resources anonymously and, as far as is known, untraceably.
By Facebook having an address on the Tor Network, https://facebookcorewwwi.onion/, the company can provide a much better experience for users who wish to access the service anonymously … which really does seem odd but may be more about Facebook looking to new markets in countries such as China where avoiding censorship has become a national pastime.
To make Facebook more usable from Tor the company has modified some of the security and verification techniques they used which means that supporting Tor access wasn’t just a matter of having a .onion address.
Facebook supporting Tor is good for both services both in terms of popularizing Tor and making Facebook more privacy-friendly; we’ll have to wait and see what the unintended consequences turn out to be because you know they’ll turn up …
”
For further information on this article, please see link below.
http://www.networkworld.com/article/2842372/collaboration-social/facebook-does-the-unthinkable-supports-enhanced-privacy-by-setting-up-home-on-the-tor-network.html#tk.rss_all?utm_medium=twitter&utm_source=twitterfeed
-
Vacca Reading
Cellular networks are the most highly used communication network. They are also the most vulnerable, with inadequate security measures making them a most attractive target to adversaries that want to cause communication outages during emergencies.
Like all IT, RFID presents its own security and privacy risks that must be assessed and will need to be mitigated through management, operational, and technical controls in order to realize the numerous benefits the technology has to offer.
Upon full detail of the targeted network profile, known vulnerabilities and “holes” in the network should become easily identifiable.
Firewalls can then stop any unauthorized packets if rules are appropriately set initially, then regularly perform reviews and assessments on network and the firewall to ensure the firewall will continue to operate as intended.
-
http://www.infosecurity-magazine.com/magazine-features/the-cybersecurity-pipeline/
The Cybersecurity Pipeline
The article focuses on three areas within the cyber security industry pipeline: demand in the industry, education and academic programs, and a simple solution to establish a future cybersecurity pipeline.
The article describes what the colleges are offering in their cyber security programs to the future cyber security professionals. In addition, it describes what the universities and programs need to do to prepare students in this ever changing security industry. One interesting fact according to Kevin Jones, head of Computer Science and deputy dean for the School of Informatics at City University London, is that college and university degree programs are not inherently structured in such a way as to provide graduates with current expertise rapidly enough and with content that is fresh enough to meet today’s demand.
-
http://threatpost.com/google-working-on-tool-to-gather-stats-while-preserving-privacy/109119
Google is working on a new system that enables the company to collect randomized information about the way that users are affected by unwanted software on their machines, without gathering identifying data about the users. That is to say, RAPPOR allows the forest of client data to be studied, without permitting the possibility of looking at individual trees.
The system is known as RAPPOR (Randomized Aggregatable Privacy-Preserving Ordinal Response) and Google currently is testing it in Chrome. The company’s engineers are hoping to use RAPPOR to aggregate data on the problems affecting users while still preserving the privacy of each individual.
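The "forest, not the trees" idea behind RAPPOR is randomized response: each client flips coins before reporting, so one report proves nothing about one user, yet the server can still estimate how common a problem is. The toy below is an added example, not Google's code; it handles one reported bit ("unwanted software seen?") with RAPPOR's permanent-randomization parameter f, and the population, the fraction 0.12 and f = 0.5 are constructed values.

```python
"""Toy single-bit randomized response in the style of RAPPOR (added example,
not Google's code). Each client reports one bit after coin-flipping it; the
server inverts the known noise to estimate the true rate across clients."""
import math
import random


def randomize_bit(true_bit: int, f: float, rng: random.Random) -> int:
    """Permanent randomized response for one bit.

    With probability 1 - f the true value is reported; otherwise the
    reported bit is replaced by an unbiased coin flip. A true 1 therefore
    shows up as 1 with probability 1 - f/2, a true 0 with probability f/2.
    """
    if rng.random() < f:
        return 1 if rng.random() < 0.5 else 0
    return true_bit


def estimate_fraction(reports: list, f: float) -> float:
    """Invert the noise. Observed rate of 1s: q = f/2 + p * (1 - f),
    so p = (q - f/2) / (1 - f). Clamped to [0, 1] for small samples."""
    if not reports:
        raise ValueError("no reports")
    if not 0.0 <= f < 1.0:
        raise ValueError("f must be in [0, 1)")
    q = sum(reports) / len(reports)
    p = (q - f / 2) / (1 - f)
    return min(1.0, max(0.0, p))


def privacy_loss(f: float) -> float:
    """Worst-case log-likelihood ratio between a true 1 and a true 0 for one
    reported bit: epsilon = ln((1 - f/2) / (f/2)). Larger f, stronger privacy,
    noisier aggregate (f = 0 would reveal every client's bit outright)."""
    if not 0.0 < f < 1.0:
        raise ValueError("f must be in (0, 1)")
    return math.log((1 - f / 2) / (f / 2))


def simulate(n_clients: int, true_fraction: float, f: float, seed: int = 1) -> dict:
    """Constructed population: roughly true_fraction of clients really had the
    problem. Returns the truth and what the server could reconstruct from the
    randomized reports alone."""
    rng = random.Random(seed)
    truth = [1 if rng.random() < true_fraction else 0 for _ in range(n_clients)]
    reports = [randomize_bit(b, f, rng) for b in truth]
    return {
        "true_fraction": sum(truth) / n_clients,
        "reported_fraction": sum(reports) / n_clients,
        "estimated_fraction": estimate_fraction(reports, f),
        "epsilon": privacy_loss(f),
    }


if __name__ == "__main__":
    result = simulate(n_clients=100_000, true_fraction=0.12, f=0.5)
    for name, value in result.items():
        print(f"{name:>20}: {value:.4f}")
```

Note that the raw reported rate sits far from the true rate (for f = 0.5 about 0.25 + 0.5 * p), which is exactly why a single report cannot be trusted about its sender, while the corrected estimate converges on the true rate as clients are added.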
-
My news for this week is about a tool called Nogotofail released by Google this Tuesday. Nogotofail can be used to examine whether the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections opened by apps or devices are vulnerable to man-in-the-middle (MitM) attacks. Although SSL/TLS connections are always encrypted, they are vulnerable to man-in-the-middle attacks because of improper client configurations and unpatched vulnerabilities in libraries. Nogotofail can simulate man-in-the-middle attacks and use deep packet inspection to discover all SSL/TLS traffic.
Link: http://www.infoworld.com/article/2843756/security/google-releases-tool-to-test-apps-devices-for-ssltls-weaknesses.html
Key point: In terms of authenticity perceptions for email messages and web pages, employees can be tricked by narrative strength, third-party endorsements and glossy graphics.
Question: How can employees’ abilities to identify social engineering be improved?
-
American Express to Implement Digital Tokens to Replace Cards
American Express has announced that it will implement payment tokenization for card transactions, which allows shoppers to use their smartphones as payment mechanisms, providing a granular defense to reduce the exposure of live credit and debit card data in vulnerable systems.
The service will replace traditional 16-digit credit card numbers with a digital token. After a consumer’s card and mobile wallet are registered for payment tokens from the service, instead of live data being presented at the checkout, the smartphone acts like a virtual credit card by emitting a payment token instead of physical card data to the card reader. The merchant point-of-sale (PoS) and IT systems never see live data during this type of transaction.
While the US is finally shifting away from vulnerable magnetic stripe cards to EMV cards and secure mobile payments like this, all three payment methods will be around a long time. Data security strategies must therefore cover risks across all of them.
This is the link:
http://www.infosecurity-magazine.com/news/amex-to-implement-digital-tokens/
-
My article for this week is about a phishing technique involving a proxy program. This technique involves tricking users into thinking that they are actually browsing their intended website, when instead they are viewing a proxy webpage that is designed to look similar, until the user enters his/her information and passwords. This method is particularly tricky because of the amount of preparation work that has to be done beforehand.
http://www.scmagazine.com/researchers-observe-a-new-phishing-technique/article/381628/
-
news: Student hacker busted; data for 2,000 compromised. The student hacked a “cafeteria data file,” which had names, addresses, phone numbers, identification numbers, birth dates and Social Security numbers of 1,968 children. The incident was discovered Tuesday. The attack happened on a school-issued computer,
reading: The resources expended on protecting the SAN should reflect the value of the information stored on the SAN, using a risk-based approach.
-
Researchers at Palo Alto Networks discovered malware called WireLurker targeting users in China. WireLurker has been infecting both iOS and Mac OS systems. According to Palo Alto Networks, 467 infected applications were downloaded over 356,104 times in the past six months. WireLurker can collect information from iOS devices like contacts, call logs and other sensitive information.
How this malware infects users:
1) WireLurker had infected more than 400 applications designed for Apple’s Mac OS X operating system through the Maiyadi App Store (a third-party Mac application store in China that offers free applications)
2) Users download a WireLurker-infected free application from the Maiyadi store and install it on their OS X computer
3) The WireLurker-infected Mac OS X computer then waits for an iOS device to be connected by a USB cable
4) Once an iOS device is connected to the infected machine, WireLurker rewrites existing apps on the iOS device. WireLurker can infect non-jailbroken iOS devices as well. WireLurker used a digital certificate that Apple issues to enterprise developers to install apps that do not appear on the App Store.
Users should avoid connecting their iOS devices to unknown computers or charging from untrusted or unknown sources.
Source:
http://www.pcworld.com/article/2844292/apple-mobile-devices-in-china-targeted-by-wirelurker-malware.html
http://bits.blogs.nytimes.com/2014/11/05/malicious-software-campaign-targets-apple-users-in-china/?_r=0
-
Islamic State Breaks through Rugby Website’s Defenses
On November 3rd, the website of a West Yorkshire team was breached and displayed pictures of warplanes and injured people accompanied by the message: “warplanes of making America”. The news also reports that at some point the website was displaying: “I love you ISIS”. The breach of this website led to similar messages being displayed on 60 other pages, as it is common for one person to oversee multiple accounts. If the ‘host server’ gets hacked, hackers have the same access as this person, enabling them to do damage on a larger scale.
This attack was conducted with simple scanning tools that look for vulnerabilities (misconfiguration) or unpatched software weaknesses to determine the right victim. Later on the hackers use developed tools to launch the attack.
http://www.nextgov.com/cybersecurity/threatwatch/2014/11/breach/1709/
-
Flaw in Visa cards could ring up a very large fraud
Visa’s contactless payment cards will approve very large transactions in currencies other than the British pound due to a flaw in a protocol. Researchers found that the card would authorize a transaction of up to 999,999.99 without a PIN if it was in a currency other than the pound. Criminals could turn a mobile phone into a point-of-sale terminal and pre-set a large amount of money to be transferred from a payment card even if it was in someone’s pocket. If an improvised point-of-sale device gets close enough to someone’s card in a wallet, the contactless card would approve an offline transaction in less than a second.
http://www.cio.com/article/2842994/flaw-in-visa-cards-could-ring-up-a-very-large-fraud.html
-
5 Ways To Reinforce Your Company’s Cybersecurity Program Today.
The article says that every enterprise has some sort of digital security program. It is essential that the enterprise reviews and updates its digital security program on a timely basis. The five essential elements that the enterprise should consider while evaluating its security program are as follows: incident response plans, investing in network visibility, security standards enforcement, knowing the tactics of your adversaries, and improving employee awareness. Further, the article says “proper training and collaboration on an enterprise security program can elevate the awareness of the organization against attacks”; putting the solution in the appropriate hands would mitigate the overall damages to the enterprise.
-
The article I read this week was “Wells Fargo says cyber attack disrupting website”. The bank’s online banking website was experiencing an unusually high volume of traffic that it believes stems from a denial-of-service cyber attack. Further, the spokeswoman said that the vast majority of customers are not impacted and customer information remains safe.
http://www.reuters.com/article/2013/03/26/net-us-wellsfargo-website-attacks-idUSBRE92P14320130326
-
WireLurker has attacked more than 400 applications on iOS devices in China via the Maiyadi App Store. Users are being infected when they connect their iPhones to a desktop that has already been infected. This is a huge problem because a cell phone could be affected even if it is NOT jailbroken.
-
http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
This article speaks about Stuxnet and how it was used to bring down Iranian nuclear progression. It is an excerpt from a book detailing what the virus actually did, how it was engineered, how long it took for each part to activate, as well as how third parties played a pivotal role in unknowingly introducing Stuxnet into the nuclear plants.
-
SANS Assignment #4 Assessing Vendor Application Security A Practical Way to Begin
The paper points out 7 steps to comprehensively assess a vendor’s application; they include:
Well defined policies – High-level governance that clearly presents management expectation
General architecture of OS/Presentation/Data/Application
Network communications (Ports of communication) – understanding how the communication will be carried
File and directory review (Installation structure) – understanding the location of critical binaries, configuration files, scripts, databases, logs and metadata components to enable development of a security strategy
Authentication Methods
Authorization Methods
Auditing Methods
Each step should end with an analysis based on policies, procedures and standards as functional requirements and technical implementation for each of the steps.
SANS Assignment #5 Application Development Technology and Tools: Vulnerabilities and threat management with secure programming practices, a defense-in-depth approach
An organization’s security has many aspects and many dimensions; hence, firewalls do not provide enough protection. The general approach to creating secure applications includes: understanding the application development environment, applying secure coding principles to application programs, and making the best use of the security infrastructure. By implementing these processes (a defense-in-depth strategy), an organization can mitigate the risks of common vulnerability exposures and better manage its data security.
-
Cybersecurity Firm IDs New Apple-Targeting Malware
http://abcnews.go.com/Technology/wireStory/cybersecurity-firm-ids-apple-targeting-malware-26727467
This article is about the discovery of “WireLurker”, a malware that steals information from Chinese iOS systems through Apple devices connected to a computer through a USB cable. The malware monitors the devices that are being connected to the affected computer and has managed to spread through applications attainable through the App Store. Palo Alto made this discovery and has said that there has yet to be a particular motive found.
Reading: Vendors must be able to provide the procedures and processes for how they authenticate and authorize users. Authentication means verifying someone has the right to access and authorization means only allowing someone to see what they have been approved to access. These methods are very important when considering an outside vendor to supply a system or software, since they will have your company’s confidential and private information.
-
After some email discussion with Professor Senko, I looked into asymmetric encryption and cryptography basics. As companies encrypt their information and data in some way or form, and hackers and cybercriminals are perpetually trying to break the encryption we use, I figured it would be useful to look into the basics of how it all really works. The articles are written in fairly “plain” English with easy-to-understand terminology.
Sources:
http://searchsecurity.techtarget.com/Understanding-encryption-and-cryptography-basics
http://searchsecurity.techtarget.com/definition/asymmetric-cryptography
http://searchsecurity.techtarget.com/definition/digital-signature
http://searchsecurity.techtarget.com/definition/digital-certificate
-
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
Passed on from Leo Serrano
Security BSides Delaware
Friday Nov 14th and Saturday Nov 15th 2014
http://www.securitybsides.com/w/page/28563447/BSidesDelaware
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
This week’s subject is Data Classification
The team is:
Business focus: COREY WEISS
Technical focus: LUCIA OKARO
Risk Assessment/Mitigation focus: DEEPAN PATEL
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years ago
-
So secure chip-based credit and debit cards may not be the gold seal for securing plastic transactions…not anymore, due to recent ‘replay’ attacks which have been spoofing chip card charges. This is a new pattern of credit card fraud coming from Brazil. So far, reports have indicated that it has been targeting American financial institutions.
Most of the unauthorized charges were submitted through Visa and MasterCard’s networks as chip-enabled transactions. Interestingly enough, the banks that issued the cards have not even begun sending their customers chip-enabled cards.
For further information, please see link to article below.
http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/
-
Vacca Reading
Routine use of vulnerability assessment tools along with immediate response to identified problems will alleviate this risk.
Part of the vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system; one of the most important parts of identifying and quantifying vulnerabilities is cataloging the assets and capabilities in a system.
One of the most sought-after goals of network scanning is to establish elevated security on all systems or to establish a network-wide minimal operation standard.
Before scanning can be done, you must know what is alive on your network; there are many tools, but NMAP is a free, open scanning utility that uses raw IP packets in novel ways to determine what hosts are available on a network.
Because different network scanners scan for different items, it is important to use more than one scanner. This way you can compare results from a couple of them.
Defense-in-depth measures should not only prevent security breaches, they should give an organization time to detect and respond to an attack, thereby reducing and mitigating the impact of a breach.
-
-
Following are the readings for this week’s Network Security topic if you are using Vacca’s 2nd edition book.
2012, Vacca 2nd Edition:
===================
Chapter 5 Guarding Against Network Intrusions
Chapter 9 Unix and Linux Security
Chapter 10 Eliminating the Security Weakness of Linux and Unix Operating Systems
Chapter 11 Internet Security
Chapter 12 The Botnet Problem
Chapter 13 Intranet Security
Chapter 14 Local Area Network Security
Chapter 15 Wireless Network Security
Chapter 17 Cellular Network Security
Chapter 18 RFID Security
-
Article: FCC fines 2 phone companies $10 million over data breach
Two companies, TerraCom and YourTel America, posted private information (driver’s licenses, social security numbers, etc.) of over 300,000 clients on the internet. They were immediately fined by the FCC after a reporter stumbled upon the information through a Google search. I found this very interesting because we discussed HIPAA regulations last class. The question is, how effective is a fine in remedying such situations? The damage has already been done; those 300,000 customers have already been exposed and their identities compromised. It seems there is very little to help the victims of these situations.
link: http://www.androidauthority.com/fcc-fines-for-consumer-privacy-543849/
-
Arizona State Retirement System (ASRS) has potentially been breached. Nearly 44,000 retirees may have had their personal data compromised. The problem began in September when the system sent 2 unencrypted computer discs, which contained the first and last names and SSNs of members enrolled in the dental plans, to a benefits company. Those discs were never received by the vendor and ASRS hasn’t been able to find them. ASRS started to send emails and to apologize to the people affected. Now they are offering 12 months of services with AllClearIS to provide identity protection to the affected customers.
-
This week’s readings are about network security. They mainly talk about why cryptography, encryption, and integrity are needed any time that sensitive data will be transmitted. In addition, they go into detail about different types of network topologies, and also talk about LAN & WAN.
-
-
link: http://www.securityweek.com/hackers-compromised-yahoo-servers-using-shellshock-bug
Two servers for Yahoo Games were recently breached. A security flaw called Shellshock was then identified. However, Yahoo isolated the impacted servers at that time and found user data wasn’t compromised. This breach jeopardizes every consumer that uses Yahoo! in any manner, from shopping to email, and even game playing. Millions of people visit Yahoo Games per day, and the games are Java-based. Shellshock can provide attackers full control of the compromised server; there are many things attackers can do, such as stealing user information, harvesting financial data, and infecting visitor computers with malware.
-
The Russian Epicenter of Cybercrime Ramps Up the Sophistication
This article talks about how the Russian high-tech crime market for 2014 is showing ever-increasing sophistication, with criminals creating shadow worlds of illegal activity, exploiting new financial theft techniques and incorporating mobile attacks more often.
The Russian market for stolen credit card information—arguably the epicenter of the data breach trend—has become much more structured in the last year, complete with wholesalers and online trading platforms.
Criminals can easily browse and purchase stolen credit-card information as if they were shopping on any mainstream e-commerce site.
In investigating a test sample, Group-IB found that all sampled cards were originally stolen from the retail chain Target, which famously suffered a security breach in the past year.
Bitcoin together with other cryptocurrencies also play a role as convenient tools for illegal transactions.
Shadow Internet shops selling goods such as stolen information, weapons and drugs have switched to using cryptocurrencies as their primary payment methods.
Russian hackers are also becoming more adept at reprogramming ATM machines to hand out the big bills: Either by physical access or infection of local networks, hackers are able to introduce malicious scripts to ATM software.
This is the link: http://www.infosecurity-magazine.com/news/the-russian-epicenter-of-cybercrime/
-
Key point: To achieve the security of a Unix system, it is important to limit unauthorized users’ access via access control lists and to limit superusers’ privileges by controlling root access.
Question: The book says “different Unix variants or POSIX-like operating systems might implement different ACLs”. Does it mean the ACL should be customized every time? Isn’t that inconvenient?
-
Congress to the FBI: There’s “Zero Chance” We’ll Force Apple to Decrypt Phones
In light of the recent revelations of the NSA and other federal agencies spying and collecting all sorts of data and information from us, I found it particularly interesting that Congress is unwilling to force companies like Google and Apple to decrypt their data. For once, it’s something I agree with Congress on. The FBI is claiming cyber criminals use encryption via Google and Apple to commit their crimes and that Google/Apple are hindering its ability to conduct investigations to catch these cyber-criminals.
Forcing businesses like Google and Apple to decrypt their data and report all of it would essentially force them to become informants for the state, much like East German citizens being forced to work for the Stasi (East German secret police – basically the CIA, NSA, FBI all rolled into one) during the Cold War.
I find Congress’ move especially surprising since they have been eroding our rights as citizens since September 11, 2001.
-
News: Something happened to me last weekend. I opened a link from my favorites. It opened and blinked, and none of the buttons on the page could be clicked. I knew I was hacked or the website had been hacked. So I closed the window and ran my McAfee. And it turned out to be a Trojan horse. But I am not confident that my PC is “clean”.
question: How can we protect ourselves in this kind of situation for personal computers that may only be protected by some antivirus software?
Key point: Digital identity lays the groundwork necessary to guarantee that the Internet infrastructure is strong enough to meet basic expectations for security and privacy. Information security concerns itself with the confidentiality, integrity, and availability of information systems and the information or data they contain and process.
-
In the news article
On October 25th, 2014 it was reported that due to insecure storage of customers’ sensitive and confidential information by the firm Vcare, almost 305,000 customers were affected. The ‘breach’ occurred from September 2012 until late April 2013 and was detected in early 2013. The telecommunication companies that were using Vcare services, TerraCom Wireless and YourTel Wireless, were fined $10 million in penalties.
Vcare was receiving confidential customer information from both companies and stored this information in clear text on an unprotected website. The ‘breach’ was discovered by a journalist who utilized only the ‘Google Search Engine’ as a tool to complete it.
http://www.nextgov.com/cybersecurity/threatwatch/2014/10/insider-attack-accidentally-leaked-credentials/1667/
http://www.theregister.co.uk/2014/10/25/fcc_nails_lowcost_telcos_for_epicly_bad_security/
-
Merchant Customer Exchange (MCX), the developer of the mobile payment system called CurrentC, is notifying some users that their email addresses have been stolen by hackers. MCX says the breach affects participants in the CurrentC pilot program and those who have expressed interest in the product. The company has advised impacted users to be on the lookout for phishing emails, and avoid clicking on links or attachments contained in suspicious messages.
http://www.securityweek.com/apple-pay-competitor-currentc-hacked
-
Staples May Be Next to Wear Data Breach Scarlet Letter.
The article says that Staples, another retailer, has recently fallen victim to a data breach. Consumers are scared by the news, and according to the survey, five percent of consumers decided not to return to a retailer that has been hacked. Banks on the east coast noticed fraudulent charges made at non-Staples businesses, such as supermarkets and big-box retailers. During the investigation, it was found that the cash registers in some Staples locations were infected by card-stealing malware that assists thieves in creating counterfeit copies of the card.
-
Key Point from the Readings (Vacca):
Networks are incredibly complex and can consist of many different components depending on their type, whether cellular, an intranet, WAN, or LAN. Due to their complexity, there are numerous risks associated with different networks and their components, and various methods and techniques cyber-criminals employ in order to breach them, whether it be brute force, social engineering, botnets, etc.
Question for the Class:
Because Linux/Unix code is typically open source, how do its benefits exceed the risk associated with “everyone” having access to your code? What steps do businesses and organizations take to secure their version of the open source code they use against hackers inserting malicious code without them knowing? Seems like a double-edged sword.
-
Securing networks and passwords has become significant for organizations because of frequent network breaches. The article I read this week is about passwords: “Passwords Not Going Away Any Time Soon”. The article talks about biometric authentication and the other password alternatives that abound, as well as traditional passwords.
http://www.esecurityplanet.com/network-security/passwords-not-going-away-any-time-soon.html
-
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years, 1 month ago
This week’s subject is HIPAA
The team is:
Business focus: KINAL PATEL
Technical focus: HARVEY NGUYEN
Risk Assessment focus: KEVIN MCGINN
Risk Mitigation focus: LEANDRO CINTI
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years, 1 month ago
-
NSA Classification ECI = Exceptionally Controlled Information
This short article mentions that ECI is a classification above Top Secret.
I posted this news because it seemed interesting to me since we have talked about information classification in our classes.
ECI is for things that are so sensitive they’re basically not written down, like the names of companies whose cryptography has been deliberately weakened by the NSA, or the names of agents who have infiltrated foreign IT companies.
As part of the Intercept story on the NSA’s using agents to infiltrate foreign companies and networks, it published a list of ECI compartments. It’s just a list of code names and three-letter abbreviations, along with the group inside the NSA that is responsible for them. The descriptions of what they all mean would never be in a computer file.
This designation is why there have been no documents in the Snowden archive listing specific company names. They’re all referred to by these ECI code names.
This is the link:
https://www.schneier.com/blog/archives/2014/10/nsa_classificat.html
-
Key point: The September 11 terrorist attack resulted in various new laws, presidential directives and organizational actions. All of these are intended to secure the country and prepare for hazards in the future.
Question: According to the book, the FBI encourages InfraGard members to exchange information. How is the information secured when being exchanged?
-
My news for this week is about the 24% rise in government requests to Facebook for user data. During the first half of 2014, governments from all over the world sent Facebook nearly 35,000 requests. Most of these requests are related to crimes like robberies and kidnappings. Facebook will provide names, email addresses, and the time and date of messages to the government. Apparently, Facebook contributed to crime solving. However, it raises concerns on privacy issues as well. Facebook Deputy General Counsel Chris Sonderby announced that Facebook will work on the privacy issues and rebuild people’s trust in the Internet.
Link:
http://www.infoworld.com/article/2843854/government/facebook-reports-a-24-percent-rise-in-government-requests-for-user-data.html
-
-
How would the original CISOs give advice to today’s security leads? So long to the days when script-kiddies deface your webpage…with today’s advanced persistent threats, CISOs will find themselves facing evolving, persistent threats from sophisticated crime syndicates, hacktivists, and larger-scale state-sponsored attacks as well. Please see this informative article and webinar for more information; the link is as follows:
http://www.careersinfosecurity.com/interviews/what-would-original-ciso-do-i-2472?popout=1&time=846
-
Key Points on this week’s assignment:
No matter what each business needs, it is important to keep DRP and BCP plans simple.
If they are kept simple, they can be followed, adopted and performed by someone other than your core personnel, to ensure you have an effective plan in place. It is fine to think about RTO and RPO, but they should be meaningful for your business and should be part of your business requirements.
Although a plan that is easily understood by someone else is good, it is important to use technology wherever possible and automate backups and replication to ensure critical functional areas for your organization: scope, plan, automate, back up and recover around disruptions.
-
-
Title: Protecting information today for a secure future
The article describes the change in the IT environment, comparing the 1990s vs 2014. It explains the trend in IT, how it has transformed from a “locked down” to a “visualization” approach, which enables users to be constantly connected to the internet and each other. It describes the importance of security in the visualization approach. In addition, it points out the importance of information protection and what the company needs to do in order to create a new secure ecosystem.
http://www.scmagazine.com/protecting-information-today-for-a-secure-future/article/229625/
-
Keypoint: After the terrorist attacks, the US Congress passed various new laws to make the US secure, and these laws call for deep organizational change to the executive branch of government.
Question: Is it secure enough to use VPN for communicating in a school like Temple University?
-
Key point from reading: The aftermath of 9/11 was comprehensive laws and regulations that contained detailed provisions to make the United States secure. Organizations were created to provide detailed recommendations on how to prevent such an attack from happening again. In essence, the United States created a disaster recovery plan.
Question: This is my first time hearing of a country basically creating a DRP, how would such a plan be tested?
-
news: Moscow and Beijing mull agreement on Information Security. Russia and China may sign a cooperation agreement on international information security in the near future, specifically on confidence-building measures and steps to prevent cyber incidents from growing into a full-scale conflict. So far, a similar agreement exists only between the US and Russia.
key point: The Internet exposes computer users to risks from a wide variety of possible attacks. Attack methods follow sequential steps analogous to physical attacks such as reconnaissance, compromise, and cover-up.
-
“US Cyber Security Medical Devices Insight”
The US Department of Homeland Security is investigating about two dozen cases of suspected cyber security flaws in medical devices and hospital equipment that officials fear could be exploited by hackers. The products under review include an infusion pump and implantable heart devices. The agency is concerned that malicious actors may try to gain control of the devices remotely and create problems such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity. This incident raises the need to examine all medical devices to make sure they meet security standards before they can be put on the hospital’s network.
http://www.reuters.com/article/2014/10/22/us-cybersecurity-medicaldevices-insight-idUSKCN0IB0DQ20141022
-
FBI warns US businesses of cyber attacks, blames Beijing.
The article says that the US Federal Bureau of Investigation says that hackers believed to be backed by the Chinese government have recently launched attacks on US companies. Josh Campbell, an FBI spokesman, says that steps should be taken to mitigate those attacks.
-
Microsoft Vulnerability
Researchers from Google and McAfee discovered a vulnerability in Microsoft systems that can be exploited by malicious PowerPoint documents. Because the latest patch for Sandworm was not properly implemented, the hackers were able to discover a new vulnerability.
Currently this kind of malicious attack has been performed by Russians against the Ukrainian government and also by Chinese against the Taiwanese government. The vulnerability enables hackers to take almost full control of the PC (hackers will be able to have the ‘victim’s’ power access).
http://www.theguardian.com/technology/2014/oct/23/china-cyber-attacks-taiwan-windows-microsoft
-
The article I read for this week is “Chinese Hackers Pursue Key Data on U.S. Workers”. The article talks about the hackers who broke into the computer network of the United States Government agency that houses the personal information of all federal employees. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances.
-
A worm variant, identified as Koler, has been infecting various Android mobile devices. The worm queries a user’s database of contacts and then sends out its message to each person to duplicate itself. The interesting fact about this article is that it resembles a phishing attack, but is even harder to detect because it is sent through SMS text message rather than email.
http://www.scmagazine.com/worm-variant-of-android-ransomware-koler-spreads-via-sms/article/378785/
-
Vacca, Chapter 36 – Network Forensics
Network forensics is necessary to investigate crime, fraudulent activity, inappropriate behavior, incident reconstruction, audit compliance, and recovering from system damage. Handling data in a forensic manner allows an organization to reconstruct the events surrounding systems and networks, such as in the case of a cyber-attack that utilizes spoofing or a stepping-stone attack.
Article – What Every IT Auditor Should Know About Backup and Recovery
All organizations should develop an effective backup and recovery plan that allows an organization to continue its business function in the event of a pandemic event or disaster. The size and complexity of an organization determines how developed and complex testing and auditing of the BCP/DRP is.
Article – Disaster Recovery and Business Continuity Planning: Testing an Organization’s Plans
Since the attacks on September 11, 2001, DRP and BCP are no longer confined to restoration of centralized data centers. It is now an organization-wide effort, with planning, preparation, and testing to achieve a state of business continuity in which critical systems and networks are available no matter what happens.
Article in the News:
Automakers Working to Prevent Vehicle Cyber Terrorism
With the growing number of vehicles being wired to have WiFi and internet hotspots, the number of opportunities for hackers to exploit these new features in vehicles is increasing. Automakers must shift their standpoint on security from reactive to proactive in order to protect customers’ vehicles, data & information, and ultimately, their lives. While there is currently no known economic incentive to hack vehicles, this will ultimately change once hackers find a way to do so.
Question for the class:
Outside of recovering data or reconstructing the events around a cyber-attack or criminal/fraudulent activity, how else does network forensics factor into BCP/DRP?
-
I forgot to post the link to my article in the news: http://www.detroitnews.com/story/business/autos/2014/10/22/automakers-working-prevent-vehicle-cyber-terrorism/17710785/
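The post above mentions reconstructing the events around a stepping-stone attack from network data. The following is an added example of that kind of reconstruction; it is not code from the post or from Vacca's chapter. The flow records are constructed, and the correlation rule it applies (an outbound session that opens within a short window after an inbound session to the same host and closes before it) is an assumption of the example, one of several known ways to spot relayed sessions.

```python
"""Reconstructing a stepping-stone chain from connection records.

Added example for the network-forensics summary above; it is not code from
the post or from Vacca's chapter. The flow records are constructed, and the
correlation rule (an outbound session that starts within a short window
after an inbound session to the same host and ends before it) is an
assumption of this example, not the only way to detect stepping stones.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


@dataclass
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int


# Constructed records: start,end,src,dst,dport (the shape of a NetFlow/conn log export).
# An external host enters via SSH, and the session is relayed through two internal hosts.
SAMPLE_RECORDS = """
2014-10-22T02:00:00,2014-10-22T02:40:00,203.0.113.7,10.0.1.5,22
2014-10-22T02:00:12,2014-10-22T02:39:50,10.0.1.5,10.0.2.9,22
2014-10-22T02:00:20,2014-10-22T02:39:40,10.0.2.9,10.0.3.14,3389
2014-10-22T02:05:00,2014-10-22T02:06:00,10.0.1.5,10.0.5.1,80
2014-10-22T09:00:00,2014-10-22T09:01:00,10.0.2.9,10.0.3.14,3389
""".strip().splitlines()


def parse_flows(lines: List[str]) -> List[Flow]:
    flows = []
    for line in lines:
        start, end, src, dst, dport = line.strip().split(",")
        flows.append(Flow(datetime.strptime(start, TS_FORMAT),
                          datetime.strptime(end, TS_FORMAT), src, dst, int(dport)))
    return flows


def external_entries(flows: List[Flow], internal_prefix: str = "10.") -> List[Flow]:
    """Sessions that cross the perimeter inward: candidate first hops of a chain."""
    return [f for f in flows
            if not f.src.startswith(internal_prefix) and f.dst.startswith(internal_prefix)]


def next_hop(flows: List[Flow], upstream: Flow, window: timedelta) -> Optional[Flow]:
    """An outbound session from upstream.dst that opens shortly after the upstream
    session and is nested inside it in time: the signature of a relayed login."""
    candidates = [f for f in flows
                  if f.src == upstream.dst
                  and upstream.start <= f.start <= upstream.start + window
                  and f.end <= upstream.end]
    return min(candidates, key=lambda f: f.start) if candidates else None


def reconstruct_chain(flows: List[Flow], entry: Flow,
                      window: timedelta = timedelta(seconds=60)) -> List[Flow]:
    """Follow nested sessions hop by hop from the perimeter-crossing entry flow."""
    chain = [entry]
    visited = {entry.src, entry.dst}
    while True:
        hop = next_hop(flows, chain[-1], window)
        if hop is None or hop.dst in visited:
            break
        chain.append(hop)
        visited.add(hop.dst)
    return chain


def chain_hosts(chain: List[Flow]) -> List[str]:
    """The hosts in order, from the external source to the final target."""
    return [chain[0].src] + [f.dst for f in chain]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_RECORDS)
    for entry in external_entries(flows):
        chain = reconstruct_chain(flows, entry)
        print(" -> ".join(chain_hosts(chain)), f"({len(chain)} hops)")
```

The unrelated web request from 10.0.1.5 and the later RDP session from 10.0.2.9 are left out of the chain because they do not open inside the window after the upstream session or are not nested in it; this is why the time window, not just the host adjacency, is what makes the reconstruction usable. The same parsing and correlation steps apply to real flow exports once the timestamp and field order are adjusted.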
-
-
Google launches a two-step verification service that is based on a physical USB key (Security Key). Google is offering the Security Key feature on all Google Account sites for free, but users need to buy a compatible USB device from a U2F participating vendor. Currently, it only works with the Chrome browser, but the Security Key will work everywhere FIDO U2F is supported. The Security Key ensures access via both your physical presence and your login password. It also verifies the login site and only works after verifying the login site is not a fake site.
Site: http://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-verification-with.html
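The post above says the Security Key only works after verifying the login site is not a fake one. The following is an added example of why that holds; it is not Google's or the FIDO Alliance's code. The browser, not the web page, tells the key which origin it is on, and that origin is part of what the key signs, so a response obtained on a look-alike site does not verify at the real one. Two simplifications are assumptions of this example: the key signs with an HMAC over a per-site secret instead of the ECDSA key pair real U2F uses, and the physical button press is represented by a boolean argument.

```python
"""Why a Security Key rejects a look-alike login site.

Added example for the post above; it is not Google's or the FIDO Alliance's
code. The browser, not the web page, tells the key which origin it is on, and
that origin is part of what the key signs, so a response obtained on a fake
site does not verify at the real one. Simplifications that are assumptions of
this example: the key signs with an HMAC over a per-site secret instead of
the ECDSA key pair real U2F uses, and "user presence" is a boolean argument
standing in for the physical button press.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Registration:
    key_handle: bytes  # opaque to the server; the key derives the per-site secret from it
    site_key: bytes    # stands in for the per-site U2F public key (assumption of this demo)


class SecurityKey:
    """Simulated hardware token: one master secret that never leaves the device."""

    def __init__(self) -> None:
        self._master = os.urandom(32)
        self.counter = 0  # monotonic signature counter, as in U2F

    def _site_secret(self, key_handle: bytes, origin: str) -> bytes:
        # Binding the handle to the origin mirrors U2F's appId check on the key handle.
        app_id_hash = hashlib.sha256(origin.encode()).digest()
        return hmac.new(self._master, key_handle + app_id_hash, hashlib.sha256).digest()

    def register(self, origin: str) -> Registration:
        key_handle = os.urandom(16)
        return Registration(key_handle, self._site_secret(key_handle, origin))

    def sign(self, key_handle: bytes, origin: str, challenge: bytes,
             user_present: bool) -> Tuple[int, bytes]:
        if not user_present:
            raise PermissionError("security key must be touched")  # physical presence
        self.counter += 1
        signed = (hashlib.sha256(origin.encode()).digest() + challenge
                  + self.counter.to_bytes(4, "big"))
        tag = hmac.new(self._site_secret(key_handle, origin), signed, hashlib.sha256).digest()
        return self.counter, tag


class Server:
    """Relying party: verifies against the origin it registered, never one the client claims."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.registrations: Dict[str, Registration] = {}
        self.last_counter: Dict[str, int] = {}

    def enroll(self, user: str, key: SecurityKey) -> None:
        self.registrations[user] = key.register(self.origin)

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, user: str, challenge: bytes, counter: int, tag: bytes) -> bool:
        reg = self.registrations[user]
        expected_msg = (hashlib.sha256(self.origin.encode()).digest() + challenge
                        + counter.to_bytes(4, "big"))
        expected = hmac.new(reg.site_key, expected_msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        if counter <= self.last_counter.get(user, 0):
            return False  # replayed response or a cloned key
        self.last_counter[user] = counter
        return True


def browser_login(server: Server, key: SecurityKey, user: str,
                  page_origin: str, user_present: bool = True) -> bool:
    """The browser passes the origin of the page it is actually on to the key."""
    challenge = server.new_challenge()  # fetched from the real server (a fake page would relay it)
    handle = server.registrations[user].key_handle
    counter, tag = key.sign(handle, page_origin, challenge, user_present)
    return server.verify(user, challenge, counter, tag)


def demo() -> Tuple[bool, bool]:
    """Returns (login on the genuine site succeeds, login via a look-alike site fails)."""
    key = SecurityKey()
    server = Server("https://accounts.example.com")
    server.enroll("alice", key)
    genuine = browser_login(server, key, "alice", "https://accounts.example.com")
    phished = browser_login(server, key, "alice", "https://accounts-example.com.invalid")
    return genuine, phished


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point the post makes is visible in `browser_login`: the origin string comes from the browser's view of the page, so a relayed challenge signed on the wrong origin never verifies, and a stolen password alone is not enough because `sign` refuses without the presence check. The counter check in `verify` is the same idea U2F uses to notice a cloned key.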
-
http://www.scmagazine.com/worm-variant-of-android-ransomware-koler-spreads-via-sms/article/378785/
This article talks about new ransomware malware that is spread through text messages. “The worm system queries the database of the user’s contacts and cycles through them.”
Unlike other SMS worm techniques that involve sending repeated text messages, Worm.Koler will send the message only once to all contacts in the device’s address book. McDaid said it likely does this because the behavior is more natural and recipients will not be as suspicious. Clicking on the Bitly link brings users to a Dropbox page with a download for a ‘PhotoViewer’ app that, when installed, forces a ransom screen to pop up incessantly, the post indicates. The message states that the device has been locked up for containing illicit content and users must pay $300 via MoneyPak to ‘wave the accusations.’ If you are using an Android phone, be wary of this malware.
-
The article I read talks about hacking into your brain. It starts out by saying that you can send electrical signals to your brain to get more energy, improve your focus or even to calm you down. This could be a good thing and a scary thing for our future. Hackers or crackers are able to get into our technology without us knowing, so one day it might be possible for a hacker to get into our brains and cause trouble. On the other hand, this technology can be good for patients who need robotic prosthesis.
http://www.cnn.com/2014/10/22/tech/innovation/brain-stimulation-tech/index.html?hpt=te_t1
-
Article: U.S. government probes medical devices for possible cyber flaws
This article talks about the government suspecting flaws in hospital equipment that could be vulnerable to hackers. Fears of these devices being corrupted have led to the investigation of possible flaws that could result in a patient being overly medicated and even delivering a deadly jolt of electricity to the heart. Medical devices that are used have internet connections, computer chips, and wireless technology, making them susceptible to hacks. This article is interesting because when you think about cyber security you think about mobile devices and PCs, not a machine used to treat patients and monitor heartbeats.
-
LINK: http://www.securityweek.com/card-fraud-platform-mimics-human-behavior-avoid-detection
Cybercriminals have developed a piece of software called “Voxis Team” that’s designed to help payment card fraudsters automate unauthorized charges to ensure that they make a profit before their activities are detected by fraud detection systems.
When they get their hands on stolen payment card data, cybercriminals open accounts with a payment gateway. They also set up fake websites to get the payment gateways to approve their accounts. Once they obtain a merchant account, they must quickly make transactions with the stolen cards before they are detected by anti-fraud systems.
The Voxis Platform helps increase the chances of having the fraudulent charges authorized by emulating human behavior and buying patterns.
-
-
Gregory S. Senko wrote a new post on the site Protection of Information Assets 10 years, 1 month ago
This outline (sorry the indentation did not transfer to WordPress) was graciously provided by my student Britt Bouknight:
II. Physical (Environmental) Security (Layered)
A. Security Survey
1. Target […]
News: Poor Information Security Costs UK Organisations £2m In Fines. Organisations were fined £2,170,000 for 66 Data Protection Act (DPA) infringements between January and October this year, and the biggest reason was poor information security. Online breaches and cyber attacks were the most severely punished by the ICO; companies were fined an average of £52,308 for these, whereas the penalty for losing a device or file was £35,000 on average.
It sounds like the same situation as TJX. Organizations always thought IS is costly, but they will pay it in another way.
link: http://www.misco.co.uk/blog/news/02508/poor-information-security-costs-uk-organisations-2-million-in-fines
This article talks about a clause in a defense bill that mandates government contractors to report on cyber attacks. If this bill is passed, certain contractors will be required to report on attacks with details including:
1. Techniques used in the cyber attack
2. A sample of any malicious software used in the hack
3. Summary of any compromised information
Companies are skeptical about this, as the government could disclose some or too much of the information, which could lead to lawsuits. My concern is that this clause seems specific to government contractors only. What about other companies which, when compromised, are unaware of it for years, which could lead to a lot of their customer information being compromised?
I think this bill should encompass all companies handling “sensitive” and “confidential” information. The reporting clause would force companies to constantly monitor their network systems, and take all preventive measures to mitigate an attack. If there is no successful attack, there is nothing to report.
Article link: http://thehill.com/policy/cybersecurity/225845-defense-bill-requires-cyberattack-reporting
“Sony Pictures hack: Cybersecurity experts see parallels to N.Korean attacks”
The cybersecurity experts say they’ve found striking similarities between the code used in the hack of Sony Pictures Entertainment and the attacks blamed on NK which targeted South Korean companies and government agencies last year.
Speculation about a NK link to the Sony hacking has centered on that country’s angry denunciation of an upcoming Sony comedy film, in which two American journalists are sent to NK to assassinate its leader Kim Jong Un.
In another intriguing development, Trend Micro analysts found indications that the Sony malware was created by someone using Korean-language programming tools. The hackers routed the attack through servers in Thailand, Italy and other countries to disguise the true source.
http://www.syracuse.com/news/index.ssf/2014/12/experts_see_north_korean_parallels_in_major_sony_pictures_hack.html
http://www.securityweek.com/opendns-launches-partner-platform
OpenDNS Launches Partner Platform
OpenDNS is a company famous for its DNS service that adds a level of security by monitoring domain name requests. Recently it unveiled a new security platform and APIs (application programming interfaces) designed to enable security vendors to integrate with OpenDNS’s network and extend their threat protection through any device in any location.
The integration strengthens an enterprise’s protection by combining the partners’ security intelligence with OpenDNS’s capability to provide global threat enforcement.
My news for this week is about a new certificate authority called Let’s Encrypt supported by Mozilla. Let’s Encrypt will provide free SSL/TLS certificates to website owners to encourage wide adoption of TLS. It will also automate certificate issuance, configuration and renewal processes to make the adoption process much easier. Additionally, the software Let’s Encrypt uses will be open source, so anyone who doubts the certification process can inspect the software and find out the answer by themselves.
Link: http://www.infoworld.com/article/2848623/security/eff-mozilla-back-new-certificate-authority-that-will-offer-free-ssl-certificates.html
With such bad news circulating in the media in the last week or so, I found it rather humorous that North Korea decided to attack Sony Pictures for its upcoming film “The Interview”, in which the film starts off with their Dear Leader’s face melting off – Raiders of the Lost Ark style. I guess they just hate Seth Rogen and James Franco, which is unfortunate. It’s alarming, however, that the hackers were able to acquire a great deal of Sony’s confidential information, including contracts, account details, and employee information, and may be hellbent on leaking all of it if the face-melting scene is not removed.
Too bad Kim Jong Un doesn’t have an affinity for American films the way his father, Kim Jong Il, did, who supposedly had a massive collection of western films, ranging from cowboy Westerns to Japanese monster movies.
Sources:
http://www.vice.com/read/was-north-korea-behind-the-cyberattack-on-sony-1203?utm_source=vicefbus
http://motherboard.vice.com/read/sony-pictures-hack-is-the-latest-in-mega-malware-tradition-started-by-stuxnet
http://www.scmagazine.com/sony-breach-extends-to-deloitte/article/386548/
This article talks about the leaks at Sony. What I actually found interesting was that it also leaked salary information about Deloitte. This is a good example of the importance of not only having your own systems secure but the vendors and clients you work with as well.
http://english.alarabiya.net/en/media/digital/2014/12/02/Iran-hackers-target-airlines-energy-defense-companies-researchers.html
Over the past two years, Iranian hackers have targeted airlines, energy companies, and defense firms across the globe as awareness of Iran’s cyber capabilities is growing. Recently, nuclear plants and aerospace firms have also been targeted. Evidence has shown that the sophistication and scope of these attacks suggest that this group of attackers from Iran could be state backed. Although not much physical damage has been done yet, these red flags have made these hackers a big potential threat.
Google Cloud Platform Receives PCI-DSS Compliance Certification
http://www.securityweek.com/google-cloud-platform-receives-pci-dss-compliance-certification
The article discusses how Google Cloud Platform is compliant with the latest PCI DSS security standard for handling and processing credit card payment information. This will enable customers to store, exchange and process credit card information. In addition, it will give Google more flexibility to offer customers more with less maintenance. Google is the first company to benefit from PCI DSS compliance for its online payment service provider WePay.
Hack on Sony
The latest hack on Sony brings a lot of debate in regard to the true attacker. A lot of sources blame North Korea for the attacks; it is a sort of repayment for the upcoming new movie “Interview” that talks about North Korea and its leader. The most recent breach leaked detailed information such as salary and medical information of more than 30,000 Deloitte employees. It also exposed unreleased scripts. But since only 40 gigabits of 100 terabits have been released, there might be more information on the way.
http://gizmodo.com/north-korea-no-we-didnt-hack-sony-1666246282
Facebook is adding a third antivirus engine to its service to help catch malicious content in the News Feed and messages sent by users. Facebook can detect on its servers if a device may be infected and warn users that they should run an anti-malware scan.
http://www.cio.com/article/2855374/facebook-bulks-up-defenses-with-a-third-antivirus-engine.html
SpoofedMe attacks exploit popular websites’ social login flaws
The researchers at IBM’s X-Force security team discovered a way to gain access to Web accounts by exploiting a misconfiguration in some social login services.
The experts at IBM’s X Force discovered that it is possible to gain control of accounts at various websites, including Nasdaq.com, Slashdot.org, Crowdfunder.com and others by abusing LinkedIn’s social login mechanism.
For further information, please see link below: