-
David Lanter wrote a new post on the site ITACS 5206 8 years, 11 months ago
What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine wha […]
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 11 months ago
How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 11 months ago
-
The article I read is about the rising tension between China and the US and what the cybersecurity front had to do with this. From the US’s perspective, China is the “leading suspect” in the largest breach of government-held personal data in US history, stealing 22 million people’s data from the US Office of Personnel Management (OPM). The article goes into how the US is pushing back harder against cyber theft of company data and trade secrets.
“It is far more firm and that’s the line that the U.S. is trying to draw — ‘It’s okay to spy on governments, everybody does that. It’s not okay to spy on company secrets’,” Washington Post Beijing bureau chief Simon Denyer tells me in the latest episode of CNN’s “On China.”
Companies across all industries are often targeted for trade secrets, business plans, marketing plans, product designs, scheduled releases, etc. China, the US, and many of the world’s countries have companies that are also targeted. Apparently a set of world “road rules” is a lofty goal, and a US/China cyber agreement is not likely anytime soon.
http://www.cnn.com/2015/08/26/asia/china-cybersecurity-stout/index.html
-
The article I found is about the danger of the apps we download on our phones and how they can be the source of data leakage. This article is specifically related to Android users and the fact that unofficial apps downloaded from third parties can contain spyware which gathers the user’s contacts; precise location, including latitude, longitude, network ID, and location area code; free internal and external memory; and more.
The spyware can cause long-term damage by giving other people access to users’ online accounts, bank information and more.
Users should be aware of these malicious apps and act accordingly.
http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
-
Synopsis of “Microsoft Patches Zero-Day Flaw Used by Malvertising Gangs”
The software giant, Microsoft, has once again found itself in the news about its software vulnerabilities and delayed response to patching the vulnerabilities in its software, like IE versions 9 to 11, Office, Exchange Server and more.
The article specifically talks about a zero-day vulnerability that was exploited by a malvertising firm for over two years. The significance of this event was that it was a non-critical, low-level bug, but threat actors were able to exploit it and use it to serve malvertising campaigns to over 5 million users a day. Malvertising is the use of internet advertisements to spread malware. The vulnerability existed in Microsoft Internet Explorer/Edge, and the attackers used steganography, hiding attack code in plain sight in something like an image file, to spread the malware.
So if you are a Windows user, please make sure you run your updates.
Source: http://www.databreachtoday.com/microsoft-patches-zero-day-flaw-used-by-malvertising-gangs-a-9398
-
New regulation proposed by the Governor to protect New York State from Cyberattacks:
The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. This gives the financial services industry an obligation to protect its customers, to have the necessary safety measures in place, and to keep its systems up to date with sufficient protection.
The regulated entities will be held responsible and must certify compliance annually with this regulation.
Source: http://www.securitymagazine.com/articles/87438-new-york-proposes-cybersecurity-regulations-for-banks
-
Seagate faced with class-action lawsuit following whaling scam
According to the article found on IT Governance USA’s webpage, Seagate, the computer hardware manufacturer, is now facing a class-action lawsuit due to a “whaling scam”. The article states that over 10,000 employees of the company had information leaked, which included W-2 forms and personally identifiable information (PII). As most of us know, PII is information that can be tied to a specific individual, and W-2s include such information as name, Social Security Number, and address. However, how the information was leaked is very interesting. Again, as most of us know, a phishing scam is when a “bad guy” tries to obtain sensitive information from another individual through deception. Very similar to a phishing scam is a whaling scam, which is a phishing scam directly targeted at high-level officials. In the case of Seagate, the whaling scam was targeted at the CEO, who believed the email was legitimate and provided the requested W-2 forms of his 10,000 subordinates. This is a clear-cut example of why education and training to identify phishing scams is highly important, even to someone like the CEO. While the incident happened earlier in the year, the employees are now seeking legal remedies for the negligence of the CEO.
Article: http://www.itgovernanceusa.com/blog/seagate-faced-with-class-action-lawsuit-following-whaling-scam/
-
News: “Data-Stealing Malicious Apps Found in Google Play Store.”
According to this article, people today usually underestimate the impact of malicious apps on smartphones, which carry the potential risk of stealing users’ personal information, including sensitive data like passwords and credit card numbers. Researchers from Lookout’s Security Research and Response team identified four apps available in Google’s app store that can steal huge amounts of personal data from their users. The data includes the users’ contacts, phone number, email address, and network ID. The researchers also point out that unofficial Android apps usually carry potential safety risks. Smartphone users should notice that and keep in mind that not only PCs have malicious software and data leak problems; smartphones today also need to be protected, or attackers can easily steal personally identifiable information through those unknown apps.
Source: http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
-
https://www.cnet.com/roadshow/news/ford-could-replace-your-key-fob-with-radio-button-passcodes/
This article addresses vehicle theft and how wireless keys aren’t secure enough to prevent a car from being stolen. Ford’s idea is to add an extra layer of security to get the car into gear by using random user-designed codes. It allows the owner of the car to create a sequence of codes, which can include the brakes, radio buttons, etc. It’s a great idea to add this extra layer of security and, as the report says, we may never see it in place, but it’s certainly worth a look. It’s harder to guess the sequence than it is to copy a wireless key fob.
-
“cyber-breach of government data is often regarded as fair game.”
This statement made me boil a bit. They should say that to the 22 million previous, current, and prospective federal employees who had ALL of their information compromised (financial records, fingerprints, SSNs, medical records). Basically their whole lives were in the data that was hacked from OPM. It is not OKAY to say it’s okay to steal government data when it affects its citizens. A good number of those personal records are for high-ranking military and federal employees and could be used for who knows what. They should do more to protect their information rather than saying it’s ok.
-
The article I read this week was titled “Amazon Implements Password Reset after Credentials Leaked Online.” This article talked about how, recently, a couple of websites leaked customer email addresses and passwords online. So Amazon sent Amazon customers emails to let them reset their passwords. The reason is that password re-use is rampant, and a customer may use the same password for all of their different online accounts. Amazon said that they take their customers’ security and privacy seriously, even though the leaked list of email addresses and passwords was not Amazon-related. Amazon sent a temporary password to the Amazon accounts of those whose email addresses and passwords were on the list online.
The article also introduced a way to set a password, because the longer and more complex the password, the safer it will be, according to Darran Rolls, CTO at SailPoint. One example from the article: “Mary had a little lamb its fleece was white as snow 987654” becomes “MhalLifwwaS98754”. In addition, the password should be a minimum of 12 characters and should avoid using dictionary words.
I think Amazon did a great job because: 1) it helped its customers keep their accounts safe; 2) it wins customer satisfaction; 3) it prevents Amazon accounts from being leaked and stolen by hackers, so it avoids trouble for itself. Amazon managed the risk well and reduced the likelihood of risks.
Source from: http://www.infosecurity-magazine.com/news/amazon-implements-password-reset/
-
In addition, Temple requires everyone to reset their password every 6 months (I guess), and the requirement for that is:
Your password must contain:
One uppercase letter
One lowercase letter
One number
8 to 15 characters long
so the example will be TUowlsr#1
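The two posts above describe two password rules: the article’s advice (at least 12 characters, no dictionary words) and Temple’s requirement (one uppercase, one lowercase, one number, 8 to 15 characters). The checker below is an added example, not code from the thread or from either organisation; it encodes both rule sets as policy dictionaries (an assumed shape) and runs the posts’ own sample passwords through them. The small wordlist is a constructed stand-in for a real dictionary or breached-password list.

```python
"""Added example (not part of the thread): a password-policy checker that
applies the two rule sets quoted in the posts above. Policy dicts, the
wordlist and the sample passwords are constructed for illustration."""
import string

# Constructed stand-in for a real dictionary or breached-password list.
DICTIONARY = {"password", "owls", "temple", "mary", "lamb", "snow", "little", "fleece"}

# Character-class tests a policy can require (each takes a single character).
CLASS_TESTS = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: c in string.punctuation,
}

# The article's recommendation: 12+ characters, no dictionary words.
POLICY_ARTICLE = {"min_len": 12, "max_len": None,
                  "classes": ("upper", "lower", "digit"), "check_dictionary": True}
# The university rule quoted in the post: one upper, one lower, one digit, 8 to 15 chars.
POLICY_TEMPLE = {"min_len": 8, "max_len": 15,
                 "classes": ("upper", "lower", "digit"), "check_dictionary": False}


def dictionary_hits(password, dictionary=DICTIONARY, min_word_len=4):
    """Dictionary words (at least min_word_len long) found inside the password,
    compared case-insensitively so 'Owls' still counts as a hit."""
    lowered = password.lower()
    return sorted(w for w in dictionary if len(w) >= min_word_len and w in lowered)


def check_password(password, policy, dictionary=DICTIONARY):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    if policy["max_len"] is not None and len(password) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters")
    for name in policy["classes"]:
        if not any(CLASS_TESTS[name](c) for c in password):
            problems.append(f"missing {name} character")
    if policy["check_dictionary"]:
        hits = dictionary_hits(password, dictionary)
        if hits:
            problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # The two sample passwords from the posts, checked against both policies.
    for pw in ("TUowlsr#1", "MhalLifwwaS98754"):
        print(pw, "article policy:", check_password(pw, POLICY_ARTICLE) or "OK")
        print(pw, "Temple policy: ", check_password(pw, POLICY_TEMPLE) or "OK")
```

Running it shows the point of the thread: TUowlsr#1 satisfies the university rule but fails the article’s stricter one on both length and the embedded word “owls”, while the passphrase-derived MhalLifwwaS98754 passes the article’s rule yet is one character too long for the 15-character cap.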
-
Data-Stealing Malicious Apps Found in Google Play Store
http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
Researchers from Lookout’s Security Research & Response team identified a piece of spyware hiding in four apps available in Google’s official app store. The spyware has been dubbed Overseer, and is capable of stealing “significant amounts” of personal data from users.
The spyware will lead to long-term damage by giving other people access to users’ online accounts, bank information and personal information. This may lead to crime.
-
Great article Alex!
I just read it, and wow I am definitely going to be taking this into account when I download apps. You can reduce your risk of downloading an outright malicious app to almost zero by acquiring apps only from your operating system maker’s app store.
-
Alex,
One issue with Android phones and Google software is that it is “open source”, which means the code is made public and can be modified by anyone. This means a person can create a “flashlight” app for Android and hide malicious code within the application, and you would never know.
This is why Apple is so successful at security with their apps: a developer must submit the code to Apple for verification and approval. The Google process is much less restrictive.
-
Cry Ransomware uses UDP, Google Maps, Imgur
A ransomware dubbed Cry pretends to come from the Central Security Treatment Organization (CSTO), a fake organization. It encrypts a victim’s files and then appends the .cry extension to the encrypted files, claiming a ransom of 1.1 bitcoins ($625) to access them. What is unique in this new threat is the ability to track the victim using the Google Maps API and nearby wireless SSIDs. It also collects information like the victim’s Windows version, installed service pack, Windows bit-type, username, computer name, and CPU type, then sends these details via UDP to 4096 different IP addresses for the C2 (command and control) server and hosts this information on public sites like Imgur.com and Pastee.org.
The victim’s information is uploaded along with a list of encrypted files to public sites by compiling all details in a fake PNG image file, and the ransomware broadcasts the filename over UDP to inform the C&C server.
The malware was also observed creating a backup of certain shortcuts on the victim’s desktop and saving them in a folder called old_shortcuts, though the purpose of this folder is as yet unknown.
The attack also uses vssadmin delete shadows to delete shadow copies. It also posts ransom notes on the victim’s computer displaying a unique ID and payment information for a Tor site.
The attack also has a feature where the victim can communicate with the malware to get a sample copy of decrypted files, to build trust before paying the amount to decrypt all files.
In some cases, the attackers were unable to decrypt files, and hence victims are advised not to pay.
-
Russian Hackers Leak Simone Biles, Serena Williams Medical Records
A Russian APT group known as Fancy Bear has leaked confidential medical information for US Olympic gymnastics star Simone Biles as well as Serena Williams.
The documents don’t show that the athletes “doped”. They do suggest Biles has ADHD and takes medication for that, and that Williams was treated with corticosteroids for injuries.
I think all athletes will use some sort of medicine to help them. But it is hard to define which medicines absolutely need to be restricted. Russian athletes were all denied entry to the Rio Olympics because of “doping”. However, I don’t think all of them were doped. It was a great pity that they didn’t compete at all.
The U.S. Anti-Doping Agency explained regarding the documents, “The TUE application process is thorough and designed to balance the need to provide athletes access to critical medication while protecting the rights of clean athletes to compete on a level playing field”. I am not familiar with medicines, but I hope athletes can compete without using any kind of medicine in order to make the competition fair.
Fancy Bear also indicated that it will release confidential records from other national Olympic teams.
Links: http://www.infosecurity-magazine.com/news/russian-hackers-leak-simone-biles/
-
My weekly news post is about a video that relates to the Wells Fargo fraud. As we talked about last week, Wells Fargo was fined $190 million because of 1.5 million fake accounts created by a multitude of employees. Out of the $190 million fine, only $5 million will go to the victims.
The company fired more than 5,000 employees and said they will invest in training and improve their controls. The outrageous thing is that nobody is going to jail. A fraud has been committed and no one is being held responsible for it. This kind of fraud should result in up to 15 years in prison.
Plus, the fine represents only 3% of Wells Fargo’s revenue ($5.6 billion) in the second quarter of 2016. The government should be stricter, otherwise other banks will do the same knowing the punishment won’t be hard.
-
Right! I don’t know how they can say that it is just accepted that government data is “fair game”. A couple of years ago, I would have guessed that government data would have been harder to steal than corporate company data. It doesn’t make sense that it is not, because the government should have the best security, technology, infrastructure, etc.
-
This is interesting. I know Apple has more of a process for getting apps “accepted” into their app store. I wonder if it is largely due to security reasons. Stories like this may cause Android’s app approval process to become more of a process. Very interesting article.
-
http://www.technewsworld.com/story/83866.html
The article I read goes into detail about how the FBI has begun investigations into the cyberattacks on the electronic election infrastructure in Illinois and Arizona. The first attack, in June, led to the illegal download of personal information of 200,000 Illinois voters. However, in the second attack, hackers were able to penetrate the systems in Arizona but failed to download voter information.
The article goes into further explanation, stating that vulnerabilities within voter registration systems have been an issue for years. Secretary of Homeland Security Jeh Johnson hosted a conference call with top state election officials to discuss the cybersecurity issue and the need to protect voting infrastructure.
“DHS has planned to launch a Voting Infrastructure Cybersecurity Action Campaign, Johnson said during the call, enlisting experts of all levels from the government and private sector”.
-
It’s a really useful article, because I’m a Windows user. Indeed, IE usually shows a lot of internet advertisements, and sometimes I mis-clicked an image and went to another page or downloaded unknown software. But actually, I didn’t update my IE; instead, I use other browsers like Google Chrome or Firefox.
-
Drone hacking Threat
Insurance giant Allianz has warned that the increasing volume of drones in the sky can lead to cyber security threats, potentially resulting in loss of life.
Unmanned aircraft systems (UAS) are expanding rapidly from their original use in the military and are set to become part of a multi-billion-dollar business.
The prospect is that hackers may take remote control of a drone, “causing a crash in the air or on the ground resulting in material damage and loss of life.”
The term ‘spoofing’ refers to attempts to take control of a UAS by hacking the radio signal and sending commands to the aircraft from another control station. This is a very real risk for UAS since they are controlled by radio or Wi-Fi signals. Companies which claim to sell devices specifically to bring down or take control of UAS can be found online.
There’s also a risk of data loss from the UAS if a hacker manages to intercept the signal or hack the company gathering the data.
-
The article I read and would like to share with the class is about the US government mistakenly granting citizenship to 800 immigrants from countries of concern to national security or with high rates of immigration fraud. It was found that the immigrants had used different names or birthdates to apply for citizenship, and these discrepancies weren’t caught as the immigrants’ biometric information was missing from the government databases.
The gap was due to older paper-based records never being linked to the fingerprint databases. The US government has known about this information gap since at least 2008, when 206 immigrants were identified who had used different biographical information to apply for citizenship.
Granting citizenship mistakenly to someone who has been deported has severe implications, as US citizens can apply for and receive security clearances and be employed in security-sensitive jobs. There have been multiple such cases where a number of such immigrant-turned-citizens have obtained aviation licenses or transportation worker credentials, and one is also a law enforcement officer. The auditors have recommended that all of the outstanding cases be reviewed and their biometric information be added to the government’s database, besides creating a system to evaluate each of the cases of immigrants who were improperly granted citizenship. The DHS has accepted the recommendations and stated that the agency is in the process of implementing the required changes.
-
Tech giants team up to improve internet security
Major tech companies such as Twitter, Dropbox and Uber have joined forces and launched the Vendor Security Alliance (VSA), a coalition whose goal is to improve internet security. VSA’s goal is to streamline the evaluation process for vendors through a standardized cyber security evaluation to assess security and compliance practices. The evaluation includes a questionnaire, updated yearly, to determine if a vendor has all the appropriate security controls in place. The questionnaire will be evaluated, audited and scored by an independent third-party auditor. The vendors who participate in this evaluation will receive a score rating measuring their cybersecurity risk level, including procedures, policies, privacy, data security and vulnerability management. The vendors can then use their score when seeking to offer their services to any business in the VSA without having to go through further audits.
http://www.securityweek.com/tech-giants-team-improve-internet-security
-
The article I read is about malicious apps that exist on the Google app store. Researchers from Lookout Security identified a piece of spyware hiding in four apps available in Google’s official app store. This spyware is able to steal personal data from users including name, phone number, email, and times contacted; precise location, including latitude, longitude, network ID, and location area code; free internal and external memory; device IMEI, IMSI, MCC, MNC, phone type, network operator, device and Android information.
This spyware targets foreign travelers who are using an app to find their embassy when they are abroad. Most recently, Kaspersky researchers found a rogue app disguised as a Pokemon Go guide. That app was capable of installing and uninstalling apps and displaying adverts. Google has removed the apps from the Google Play Store. However, Google didn’t release any details of how many downloads the apps had, or how many devices were potentially affected.
http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
-
Nice point Alexandra.
On certain operating systems, applications are allowed to use other apps’ internal data. Applications should not be able to communicate with other applications to use their internal data. The user must be notified when an application needs to use internal data from another application.
The fault also lies with Original Equipment Manufacturers (OEMs). The group states that “the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.”
-
Hi Fangzhou,
This is a great example to show that most people today underestimate the potential risk of malicious apps installed on smartphones. Unlike Apple’s App Store, the Google Play Store is open to any app developer without a serious vulnerability check before publishing on the store for users to download. I actually had the experience where my personal information was stolen by an unofficial application I downloaded from the Google Play Store. We mostly don’t have risk controls or protections such as a firewall installed on our phones.
-
Hi Said,
I agree that the fine for a large corporate firm is not a deterrent at all and should be stricter, because it is only 3% of its revenue and doesn’t hurt them. Wells Fargo will face the challenge of improving its risk controls and setting up strict policies and procedures from top management.
-
Malicious Pokémon Go App Targeting Android Discovered
The Pokemon Go app has been very popular since it was first published. This article talks about an app, called Guide for Pokémon Go, that can seize root access rights on Android devices and use that power to install and uninstall apps and display unwanted adverts. It has been downloaded over 500,000 times and infected over 6,000 Android smartphones. It has now been removed by Google.
What happened was that the “interesting features” of the app enable it to bypass detection once on a device. Instead of running as soon as it’s downloaded, the app waits for the user to install or uninstall another application and then runs checks to see if it’s on a real device or a virtual machine. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the Trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.
I think everyone should be aware of what types of applications they download from the app store. They should read the reviews and check the credibility of the app developers before downloading the app.
http://www.infosecurity-magazine.com/news/malicious-pokmon-go-app-targeting/
-
Biometrics a Hit with UK Consumers
The article I read for this week is about how nearly two out of three UK consumers favor using biometrics to authenticate payments, with fingerprint scans the most popular method. The credit card giant polled around 2000 consumers in the UK as part of a Europe-wide Biometrics Payment study. According to the study, trust in biometrics appears to have grown over the past 12-24 months, with banks (85%), payment networks (81%), global online brands (70%), and smartphone companies (64%) all being trusted to offer these types of authentication method. However, there is another survey of 1000 people about their attitudes to biometrics. More than half (51%) said they wouldn’t use the technology, either because they don’t trust it (29%) or they don’t understand it (22%). On the other side, only a third (36%) said they’d consider it, while 13% claimed they already use biometrics. What surprised me is that the age group least likely to migrate to the new authentication tech appeared to be those aged 18 to 24.
My personal thought on this article is that I would support it because, as mentioned in the article, biometrics introduce better fraud detection, better identity management, better audit trails, and better internal controls. I agree with it; everyone has his or her unique fingerprint, so I think it’s safer than the chip or using the PIN, because that information can be leaked very easily. The main concern, or what is holding up the process of implementing biometrics, is how the government is able to prove to consumers that it is using the latest security measures and looking after consumer data. I am actually very excited to see how this biometric fingerprint payment method turns out.
Source: http://www.infosecurity-magazine.com/news/biometrics-a-hit-with-uk-consumers/
-
“Cyence Raises $40M to Help Insurers Assess Cyber Risk”
The article I chose for this week is about a new firm established to help insurance companies assess cyber risk. Cyber insurance premiums are projected to grow to $7.5 billion annually by 2020 from $2.5 billion in 2015. While this growth is an opportunity for insurers, it is also a large risk because there is very little data to use for models. Cyber risks also evolve rapidly, as opposed to hurricane or auto data. Accurate models require large, accurate, and reliable data to forecast losses.
Insurers have trillions of dollars of exposures in buildings and other physical structures which are now vulnerable to a cyber attack. Cyence is hiring experienced professionals in technology and insurance to build a comprehensive data set and eventually an insurance model for cyber risks. Many current cyber insurance models focus on data breaches and identity theft and aggressively limit the insurer’s exposure. As more companies compete and the market continues to grow, more property will be insured against cyber risks. More data will allow insurance companies to offer more insurance with comparative premiums.
http://www.wsj.com/articles/cyence-raises-40m-to-help-insurers-assess-cyber-risk-1473334200
-
“The Department of Transportation just issued a comprehensive policy on self-driving cars”
Autonomous Vehicles (AV) are an emerging industry where many manufacturers think they will have decent capabilities by 2020. The Department of Transportation (DoT) has decided not to lag behind the times and released an initial framework for how they think laws and regulations for AVs will work. The proposed policy has four main categories. First is keeping the vehicle safe. Cars are already at risk of cyber attacks, so when they operate all on their own it will be an even more dangerous risk, as they can be stolen by reprogramming the destination point. The regulations spell out that data should be collected for later analysis, similar to airplane black boxes. It is also important to consider who is allowed to make decisions that affect life-and-death situations if that is allowed to be automated. Companies will have to consider where liability and risk for accidents lie.
The rest of the guideline groups, 2, 3, and 4, focus on state governments, existing regulations, and requests for new regulatory powers by the DoT. One of these powers is considering overriding a manufacturer with required pre-market approval. DoT also wants to be able to inspect software updates before they go out, as mistakes there could have cascading effects across the country.
Car and transportation companies are going to have to adapt to how the new logistics of travel will work in the future.
http://www.vox.com/2016/9/19/12966680/department-of-transportation-automated-vehicles
-
I thought I posted the link to my story. It is an interview on NPR, speaking about the athletes and other United States figures being hacked by Russian-led groups.
-
Wow, that is scary. I am sure that this is life or death for drone companies. I would imagine they would stop producing drones if drone companies cannot up their cyber security game. It is too risky to put human lives in danger if hacking into a drone is that easy.
-
This article goes into explanation about the massive hacks that have been happening via the Dark Net against huge companies. A few of the heavy hitters that fell victim include Apple, Dropbox, Uber, McDonald’s, eBay, etc. As many as 85 companies have been targeted by these “Russian hackers”.
The article goes into further detail that there is no knowledge regarding the identities of the perpetrators and no links have been established to foreign governments. Yet, if the information that was seized by these hackers is valuable, they allude that we can expect to see these stolen credentials for sale on the dark web.
Source: https://www.hackread.com/dark-net-russian-hackers-hit-us-firms/
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 11 months ago
Presentation: Slides
Video: Video
Quiz w/Solutions: Quiz w/Solutions
-
Adam Alalouf wrote a new post on the site Information Systems in Organizations 8 years, 11 months ago
Due to issues that have now been resolved with uploading images to the community site, I am providing an extension of the deadline of Learn IT #1. You now have until 9/23 to complete the assignment and turn it in […]
-
Allan J Katsuro changed their profile picture 8 years, 11 months ago
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 11 months ago
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
-
The 3 types of risk mitigating controls are:
1. Preventive controls: they prevent a loss from occurring.
2. Detective controls: they monitor activities and identify issues. They can ameliorate preventive controls.
3. Corrective controls: they are used after a loss to restore the system to its original state.
In my opinion, the most important controls are the preventive controls because they minimize risk by preventing certain events from occurring.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are preventative controls, detective controls, and corrective controls. Preventative controls are, as the name implies, controls to prevent any problems or errors from occurring. Examples of preventative controls include usernames and passwords, which prevent unauthorized users from accessing information or an application. Detective controls are those that detect or identify an error or problem after it has occurred. An example of a detective control is that of audit trails or user logs when certain employees access an application. Lastly, corrective controls are those that fall in between preventative and detective. These corrective controls are those that identify an error or problem but already have the necessary action steps identified to resolve the issue. An example of a corrective control would be antivirus, which identifies malware and removes it.
In my opinion, the importance of which type of control is highly dependent on how established the IT environment is within an organization. As stated earlier, preventative controls are implemented to prevent a risk from happening. Why have a control that detects or corrects a problem when you can have a control that prevents the problem from happening in the first place? Therefore, for an IT environment that is developing, setting up proper preventative controls will be most important since they want to establish policies and procedures that will mitigate risks from happening in the first place. However, in today’s IT environment, data breaches are prevalent and some breaches go years without being noticed, one example being the recent Dropbox breach that went unnoticed for four years. Therefore, detective controls are more important for well-established IT environments since those organizations need to identify any areas of vulnerability or error. Knowing that there is usually a way to circumvent controls, it is important to first have those preventative controls established then focus on detective controls to really mitigate risks going forward.
-
Preventive – controls that prevent the loss or harm and reduce the risk from happening in the first place. Examples of preventive controls are segregation of responsibilities and firewalls
Detective – controls that monitor activity to record issues after it has happened. An example of detective controls is performing an audit.
Corrective – controls that restore the system or process back to the state prior to a harmful event
I believe detective controls are the most important controls because they are the response that reviews the logs to look for the inappropriate event, where we can correct data errors and recover from the issues. If the IT auditors know what the issues are, it can help prevent the next event.
Corrective controls are not practical from a business standpoint because the business might lose business data or business tasks have to be redone, and the controls do not help prevent the next event from occurring.
Preventive controls are used to minimize the risks, but they are not able to remove all the risks from happening. I think the response after the event is relatively important.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are: preventative, detective, and corrective. All three play a significant role in ensuring that the company’s assets are properly secured and accounted for.
The most cost effective control is the preventive control because preventative helps avoid the loss of resources to begin with and are usually not very expensive to implement. Examples: employee background checks, employee training and required certifications, password protected access, physical locks, and security camera systems.
When preventive controls fail, detective controls seek to identify issues in order to prevent further errors, irregularities, and harm to company assets. Examples: bank reconciliations, physical inventory check
When preventative controls flop and detective control activities are forced to identify an error or irregularity, corrective control activities then kick in to fix it. Examples: new system implementation to prevent it from happening again, data backups.
In my opinion, all three controls are equally important because the balance of the three will result in the most secure assets. However, for the sake of the question, corrective controls are the most important because when all else fails, you need an emergency plan to fix the mess-up. Otherwise, the company’s assets are dead and gone.
-
Ian,
You detailed the three controls and gave great examples of the control flow. I also agree that all controls are important for a controlled environment.
However, I think of the most important control as Preventative control because it costs more money to react to a problem, than to prevent the problem. An example of this would be a firewall device. By spending $1,000 on a firewall device and 1-2 hours a week to manage it will reduce the chances of intruders penetrating the network. If you didn’t have the firewall, the intruder could bring down or hold your system hostage for a ransom. Much more than the initial cost and time investment.
It is similar to the medical care some people are practicing today. Some people don’t go to the doctor out of fear, lack of insurance, religion, or maybe just not having enough time. After a few years without a regular check-up, it turns out the person developed high blood pressure, had a heart attack, was rushed to the hospital, and almost died. The medical costs for this situation are too high and out of my expertise, but rumor has it that it would be expensive. Much more expensive than the 30 minute visit, $20 co-pay, and medication.
The idea is to be pro-active vs. re-active because it is much more expensive to be reactive, and it is much more difficult to budget for multiple unknown disasters.
-
1. What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are:
Preventive controls:
They are controls that prevent any problems, losses and harms from happening. For example, segregation of responsibilities: if an employee authorizes a payment to Staples to order office supplies for the company, his supervisor or a related person must approve it, which reduces the possibility of doing it wrong. Other examples: secured accounts and passwords, segregation of duties, approvals, authorization, verifications, etc.
Detective controls:
They are designed to find errors or problems after they have occurred. For example, if a person does the general ledger or payment request, his supervisor may review and compare information to identify fraudulent payments. Other examples: bank reconciliations, physical inventory counts, counts of cash on hand, audits, etc.
Corrective controls:
They restore the system or process back to the state prior to a harmful event. For example, if a company’s system was down, they may consider restoring its system. Other examples: data backups, data validity tests, insurance, training and operations manuals, etc.
Preventive controls are the most important, because they prevent problems from happening, which minimizes the possibility of loss or errors. They are proactive and emphasize quality.
http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html
https://www4.vanderbilt.edu/internalaudit/internal-control-guide/different-types.php
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
1. Preventive—some of the best controls prevent fraud, theft, misstatements, or ineffective organization functioning. For example, the effectiveness of segregation of duties to prevent fraud. Preventive controls can be as simple as locks and access codes to sensitive areas of a building or passwords for confidential information.
2. Detective—a security camera is a good example of a detective control. A store manager who notices a pattern of a cash drawer coming up short when attended by a particular clerk can easily look at video of the clerk’s actions throughout the day to detect potential theft. An access log and an alert system can quickly detect and notify management of attempts by employees or outsiders to access unauthorized information or parts of a building.
3. Corrective—coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized. An organization can document its policies and procedures, enforcing them by means of warnings and employee termination when appropriate. When managers wisely back up data they can restore a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.
I found the explanation and examples on this website: http://www.cfocareer.com/manage-risks-preventive-detective-corrective-controls/. I think the examples are excellent and helped me understand these three risk mitigating controls. In my own words, preventive controls act as a lock to prevent any “bad people” (fraud, loss etc.) from getting inside. Detective controls act as a camera to detect any people who break the lock. Corrective controls act as insurance: after something is stolen, the insurance helps you minimize the loss. I think the most important one is preventive control because, for example, if we can prevent any kind of virus or malware from intruding into our computer, we don’t need detective and corrective controls anymore. However, when a new system is invented, people can always find the defect and intrude into it. Hopefully one day someone will invent a program that is unbreakable.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The 3 types of risk mitigating controls are:
– Preventive controls: stop a bad event from happening…
– Detective controls: record a bad event after it has happened…
– Reactive controls (aka Corrective controls): fall between preventive and detective controls, and provide a systematic way to detect bad events and correct them…
In my opinion, the most important risk mitigating controls are preventive controls because they prevent bad events from happening.
-
Ian, your explanations and examples explain these three types of risk mitigating controls well. I also agree with you that corrective controls can be important for the company to restore all systems and data.
However, I would like to say, as Paul said above, “Why have a control that detects or corrects a problem when you can have a control that prevents the problem from happening in the first place?” Thanks for sharing your points!
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are:
Preventative: Controls that prevent the loss or harm from occurring.
Detective: Controls that monitor activity to identify occurrences where practices or procedures were not followed.
Corrective: Controls that reestablish the system or process back to the state prior to a harmful event.
These controls all play a vital role in safeguarding an organization’s assets. However, the most important control is Preventative. This control allows preventive measures to be installed to prevent harm/threats from happening; by taking the proactive approach, management is able to combat and minimize the possibility of loss of data, money or errors.
-
1. What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three forms of controls:
1. Administrative – These are the policies and laws for overall governance.
2. Logical – These are the virtual controls.
3. Physical – These are the environmental controls in physical space.
To provide the degree of how to mitigate risks, controls are classified as below:
1. Preventive – Actions taken to prevent a risk or failure.
ex. Establishing policies, governance.
2. Detective – These are controls which are identified by a minor activity.
ex. Reconciliation of accesses of employees to confirm if the level of access is based on authorization.
3. Corrective – Corrective controls are actions taken to restore the system or process after an incident has occurred.
All the controls play an important role in risk management. However, preventive control is the most important one. They minimize the possibility of loss by preventing the event from occurring.
source [http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html]
-
Ans.1
The 3 types of risk mitigating controls are:
1) Preventive controls – These prevent or stop a security incident from occurring.
2) Detective controls – Through this type of control, a fault in the system is identified upon reviewing the system logs.
3) Corrective or Reactive controls – This type of control falls between Preventive and Detective controls, meaning that they automatically trigger a corrective action as soon as a fault is identified.
Of the 3 types, I believe that the most important type is the Preventive control. This is for the simple reason that it’s better to prevent an incident from occurring in the first place rather than trying to fix it.
-
There are three types of risk controls:
1) Preventive Controls
Preventive controls are designed to keep errors or irregularities from occurring in the first place. Examples: installing firewalls, segregation of employee responsibilities, etc.
2) Detective Controls
Detective controls are designed to search for errors or irregularities after they have occurred. For example, performance reviews, audits, physical inventories, etc.
To put light on performance reviews, managers can compare information about current performance to the prior periods, budgets, forecasts or any other benchmarks to identify unusual conditions that may require a follow-up.
3) Corrective Control
A corrective control restores a process or a system back to the phase prior to an unwanted event.
Examples include submitting corrective journal entries after identifying an error, completing changes to IT user access lists in case of a change in an employee role, etc.
Preventive control sounds the best of all the controls and, as an IT manager, if I have resources, I will implement all the controls. But in case of limited resources, an IT manager will have to go with a balanced approach. Implementing preventive controls can prove costly.
Source: https://www.newpaltz.edu/internalcontrols/about_preventative.html
http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html
-
There are three types of risk controls:
Preventive controls. These controls are intended to proactively mitigate the occurrence and/or impacts of risks. Examples include policies and procedures, firewalls, IPS/IDS.
Detective controls. These controls operate after the fact to identify if a predefined event occurred. Examples such as log file reviews, or scanning current configurations for unauthorized changes and to better enable incident and problem management, are detective in nature.
Corrective controls. These controls are tasked with restoring the current state to an approved state. It may be that a hacker has compromised a system or something has impaired data integrity. Examples include restoring a system and corresponding data from a backup service.
I think the detective control is the most important control, because the detective control can reveal the loss after an attack and it identifies and reports on all changes.
-
Paul,
I really enjoyed the way you answered the question regarding which control is the most important. I didn’t think about it in a hypothetical situational based manner.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is the most important?
1. Preventive controls: they prevent the problem from occurring. For example, a gas station will launch a policy that does not allow anyone to smoke.
2. Detective controls: I think the security camera is a good example, but most of the time it works after the problem has occurred. For example, a supermarket will use surveillance cameras to observe a specific area.
3. Corrective controls: When the “bad” thing has happened, there is something to make it up. Data backups and insurance are good examples.
I think preventive control is the most important. As one phrase says, prevention is better than cure.
-
Fred I do not agree when you say that ” it costs more money to react to a problem, than to prevent the problem.” In fact, when assessing risk, organizations have 4 options :
Mitigate risk – activities with a high likelihood of occurring, but financial impact is small. The best response is to use management control systems to reduce the risk of potential loss.
Avoid risk – activities with a high likelihood of loss and large financial impact. The best response is to avoid the activity.
Transfer risk – activities with low probability of occurring, but with a large financial impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance for example.
Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.
As you can see, accepting the risk is an example where it costs less money to react to a problem.
-
The 3 types of risk mitigating controls are:
1. Preventive Control – These are controls that prevent the loss or harm from occurring.
Ex: Authorization and approval procedures;
Use of passwords to stop unauthorized access to systems/applications;
Supervision such as assigning, reviewing/approving, guidance and trainings;
Segregation of duties on authorizing, processing, recording and reviewing;
Controls over access to resources and records.
2. Detective Control – These controls monitor activity to identify instances where practices or procedures were not followed.
Ex: Reconciliations; verifications; reviews of operating performances; and reviews of processes and activities.
3. Corrective Control – These controls restore the system or process back to the state prior to a harmful event.
Ex: Restore data from backup.
I think preventive control is the most important and effective control among the three types of risk mitigating controls. Preventive control minimizes the possibility of loss in a company’s assets by preventing the event from happening.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The 3 types of risk mitigating controls are:
1) Preventive Control – A set of measures taken in order to reduce a risk from happening.
2) Detective Control – Measures taken to determine the cause of the loss event once it has already happened.
3) Corrective Control – Measures taken to restore the loss once the loss event has already happened.
I believe that preventive control is the most important because it minimizes the chance of a loss ever occurring to the company. Although preventive controls are most important, they can also be the most expensive. Thus, complete prevention is impossible. The other 2 controls are important in the event that preventive controls fail.
-
Preventive control is definitely most important, but complete prevention is impossible. From your Dropbox example, Dropbox may have taken the best preventative measures but they were still a victim of a data breach. The other two measures are important when preventive controls fail.
-
While I do agree that preventive control is the most important, I think that both detective and corrective control are also very important and should not be downplayed. The key is that preventive control only MINIMIZES risk. They do not eliminate them. Loss can still happen, and when they do, the two other controls play a huge role in preventing similar future loss from happening as well as mitigating the effect of the loss.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
There are 3 types of controls:
• Preventive – These controls prevent the loss or harm from occurring. Example: a firewall, or the username and password which stop unauthorized access to data; color coded IDs.
• Detective – These controls monitor, detect and record after the threat happens. For example, log files: Syslog, Event Viewer.
• Corrective – These controls detect and correct the situation once it happens. For example, connected backup, to retrieve data from a previous restore point.
Out of the three types of control, preventive control is the best because it minimizes the possibility of loss of data or assets by preventing the event from occurring in the first place. But preventive controls are usually very costly. Corrective controls minimize the impact of loss by providing a backup, but this takes some time and can result in loss of productive time due to unavailability of the system or application, etc. Least effective is detective control, as mostly the damage is done already. But having a detective system in place helps in identifying the threats and risks involved and planning for a better system in place.
Controls can be preventive, detective, or reactive, and they can have administrative, technical, and physical implementations:
1. Administrative – laws, policies or standards defined by an organisation. For example, a password policy of having a length of minimum 8 characters with alphabets, numbers and special characters.
2. Logical/Technical – Tools that logically control. Example: firewalls, anti-virus software, content scanners, single sign-on.
3. Physical – These risks are related to the physical location of assets and their protection. Example: video surveillance systems, gates and barricades, guards, locked doors and terminals, environment controls, and remote backup facilities.
Source: IT Auditing Using Controls to Protect Information Assets.
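To make the three layers in this post concrete, here is an added example (my own code, not from this post, the course or the cited book): a preventive control that enforces the password policy quoted above (8+ characters with letters, numbers and special characters), a detective control that reviews syslog-style auth lines for repeated failed logins, and a corrective control that picks the nearest restore point taken before the incident the detective control dated. The log format, the five-failures-in-ten-minutes threshold, the sample lines and the backup catalogue are all constructed assumptions for the example.

```python
"""Added example (not from the course page): one preventive, one detective and
one corrective control working together on constructed data.

Assumptions: the password rule follows the post's policy (8+ characters with
letters, numbers and special characters); the auth log lines imitate sshd
syslog entries; the brute-force threshold, window and backup snapshots are
made up for illustration.
"""
import re
from datetime import datetime, timedelta


# ---- Preventive control: enforce the password policy before a weak
# ---- credential can ever be stored (administrative policy, technical check).
def password_meets_policy(password, min_length=8):
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    return len(password) >= min_length and has_letter and has_digit and has_special


# ---- Detective control: review syslog-style auth lines after the fact and
# ---- flag sources with repeated failed logins inside a sliding time window.
AUTH_FAILURE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_AUTH_LOG = [
    "2016-09-01T10:00:01 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2",
    "2016-09-01T10:00:09 web1 sshd[812]: Failed password for root from 203.0.113.5 port 4412 ssh2",
    "2016-09-01T10:00:20 web1 sshd[813]: Failed password for root from 203.0.113.5 port 4413 ssh2",
    "2016-09-01T10:00:35 web1 sshd[814]: Accepted password for deploy from 198.51.100.7 port 5100 ssh2",
    "2016-09-01T10:01:02 web1 sshd[815]: Failed password for invalid user test from 203.0.113.5 port 4414 ssh2",
    "2016-09-01T10:01:45 web1 sshd[816]: Failed password for root from 203.0.113.5 port 4415 ssh2",
    "2016-09-01T10:02:30 web1 sshd[817]: Failed password for oracle from 203.0.113.5 port 4416 ssh2",
    "2016-09-01T10:05:00 web1 sshd[818]: Failed password for deploy from 198.51.100.7 port 5101 ssh2",
    "2016-09-01T10:06:10 web1 sshd[819]: Failed password for deploy from 198.51.100.7 port 5102 ssh2",
    "2016-09-01T10:30:00 web1 sshd[820]: Failed password for root from 203.0.113.5 port 4417 ssh2",
]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {src: {"count": n, "first_seen": iso}} for every source that
    reaches `threshold` failed logins within any span of length `window`."""
    failures = {}
    for line in lines:
        m = AUTH_FAILURE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        failures.setdefault(m.group("src"), []).append(datetime.fromisoformat(m.group("ts")))
    flagged = {}
    for src, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward past old failures
            count = end - start + 1
            if count >= threshold and count > flagged.get(src, {}).get("count", 0):
                flagged[src] = {"count": count, "first_seen": stamps[start].isoformat()}
    return flagged


# ---- Corrective control: once the detective control dates the incident,
# ---- restore from the nearest restore point taken before it.
SAMPLE_SNAPSHOTS = [  # constructed backup catalogue
    {"label": "nightly-2016-08-31", "taken": "2016-08-31T02:00:00", "records": 121},
    {"label": "nightly-2016-09-01", "taken": "2016-09-01T02:00:00", "records": 123},
    {"label": "nightly-2016-09-02", "taken": "2016-09-02T02:00:00", "records": 140},
]


def restore_point_before(snapshots, incident_iso):
    """Latest snapshot taken strictly before the incident, or None.
    Snapshots taken after the incident may already contain tampered data."""
    incident = datetime.fromisoformat(incident_iso)
    candidates = [s for s in snapshots if datetime.fromisoformat(s["taken"]) < incident]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s["taken"])


def plan_recovery(lines, snapshots, threshold=5):
    """Tie the layers together: for each flagged source, pick the restore point."""
    plan = {}
    for src, info in detect_bruteforce(lines, threshold=threshold).items():
        snap = restore_point_before(snapshots, info["first_seen"])
        plan[src] = snap["label"] if snap else None
    return plan


if __name__ == "__main__":
    print(password_meets_policy("correct-horse-7"))
    print(detect_bruteforce(SAMPLE_AUTH_LOG))
    print(plan_recovery(SAMPLE_AUTH_LOG, SAMPLE_SNAPSHOTS))
```

The sliding window is what makes the detective control useful: a single failure half an hour later (the last sample line) does not inflate the count, and the first timestamp of the flagged burst is what the corrective step uses to reject any snapshot taken after the attack began.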
-
I think along with detective controls there should be some preventive and corrective controls as well. Once some threat is detected and identified, a protective control has to be in place to avoid the same threat reoccurring. This could lead to loss of reputation for the company and may result in no credibility of the firm with their clients, as it can be considered negligence. Preventive and corrective controls also give the clients a reason to do business with the firm, as it implies that you are serious about their data and the protection of their assets as well.
-
Yes all the controls are important.
Yu Ming you mentioned that corrective controls are not useful. I disagree.
For example,
An employee may have worked in a company for almost 10 years and have worked on N number of projects or have very confidential data on his laptop. What happens if his laptop crashes? All his data is lost. What can be done?
If there is a backup system available we should be able to restore to the nearest restore point, thereby restoring most of the data. Thus reducing the impact.
Now the same for an application server or router or firewall… These can have huge impacts and result in loss of business as well.
-
I agree with you all. I think that any control in an organization is really important and they support each other without doubt. Without detective controls, preventive controls won’t be as efficient because you have no clue about what to prevent among the harmful causes.
-
Binu,
I agree with you. However, you mentioned an organization should have an efficient system to minimize the impact. Do you agree that an efficient backup system would fall into the preventive controls category? Does an efficient preventive control bring a positive impact to corrective control?
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
Three types of risk mitigation controls are preventative, detective, and corrective. Preventative risk controls can be passwords, encryption, firewalls, access restrictions, and any other procedure or policy that reduces the probability that a risk or incident can occur. Detective controls can be log files, any type of system/network monitoring, or anything that can capture data to review after an incident to determine the root cause and use to predict/prevent future risks. Corrective controls can be backups, which will enable the system to be restored to a level before the incident. These types of controls do not prevent, or seek to determine why it happened. They simply serve to restore the damage.
Preventative controls are the most important controls. While corrective and detective controls are important, preventative controls will be used frequently and likely prove cost effective. Without proper preventative controls, many companies would suffer larger losses than if one of the other two controls were not implemented. If there is no firewall, encryption, login credentials, etc., then a company will most likely suffer a data breach/hack in addition to a myriad of other losses. Data integrity will be compromised, which will impact core business functions in addition to many other problems.
-
Preventive – These types of controls prevent the loss from occurring. Segregation of duties is an example of this type.
Detective – Monitoring activity and detecting errors or irregularities that may have occurred.
Corrective – Restore the system or process back to the state prior to a harmful event. Antivirus is an example, correcting errors that have been detected.
Preventive controls are the most important ones, since they minimize the possibility of loss by preventing the error from occurring. They are proactive controls that help to ensure departmental objectives are being met.
-
Agree with your point Magaly. Preventive Controls are designed to discourage errors from occurring. They are proactive in nature.
In some cases, detection of an irregularity that occurred is the only way to realize that the organization needs controls in that area.
I have an experience that I can share:
Objective – Visitor laptops are not allowed in dedicated clean room environments. It must be ensured that visitors do not carry laptops into the clean room.
Problem: There used to be a security guard who allowed laptops based on whether the person was an employee or a visitor. During an audit I introduced myself as an employee and the guard let me take my laptop inside.
This is a finding that was detected.
Solution: The guard did not have a list of laptops and their serial numbers that were assigned to employees. This problem was only resolved once detected.
Detective Control – Here the audit was the detective control that could point out the problem.
-
Preventive controls – these controls proactively mitigate risks by preventing occurrence, such as password protection, identity authentication, etc.
Detective controls – these controls are designed to find errors within the organization, including audits, reviews of performance, etc.
Corrective controls – these controls help mitigate damage once a risk has materialized, such as recovery systems.
For me, preventive controls are the chief ones, while detective controls are the most important ones. No absolutely secure environment exists; all organizations in the information age are exposed to risks more or less, and the most important mission for top management is to detect, and then mitigate, the potential risks to an acceptable level. Besides, the data from detective controls can feed predictive analytics tools and support preventive controls.
-
Alex,
You make great points about a company’s options for handling risk. But, in each example, I believe it would cost more to be reactive vs. proactive. However, I will say that my belief holds for the majority of the time. Each situation will need to be evaluated independently, but it is safe to assume being pro-active is less expensive than being re-active.
You mention accepting risk as costing less to react, but I disagree because you are not spending anything to be proactive. Your total preventative costs for accepting risk are $0.00, but reacting to the issue will cost at least $1.00.
-
3 types of risk mitigating controls are:
1. Preventive controls
2. Detective controls
3. Corrective controls
The most important control is the preventive controls. Preventive controls are put in place to reduce the chances of the event happening. If the preventive controls do the job, there will never be a need to detect or correct the issue because it was prevented.
Now, realistically there is no solution that will ever eliminate IT risk. That is why we need to be able to detect the issues the preventive controls missed, correct the issues, and readjust your preventive controls if need be.
-
Question: What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are preventive, detective, and corrective.
Preventive control – this type of mitigating control prevents the harm or loss before it actually happens. For example, one person reports the monthly department administration expenses, but a second person should authorize it.
Detective control – this type of mitigating control monitors activities to identify the problems which obey the rules or procedures.
Corrective control – Corrective controls restore the system or process back to the state prior to a harmful event. For example, the company may have a backup system; if some important data is missing, the backup system can correct the mistakes.
I think the preventive control is the most important. Compared with detective and corrective control, preventive control can stop the loss before it literally occurs, and minimize the possibility of damaging the information assets of an organization. Indeed, the cost of a preventive control like the firewall of core servers is usually expensive, but it’s the best way to protect a company’s information assets.
-
Good example of usernames and passwords. Personal identification is a very important preventive control in business and mitigates the loss from data leaks. I believe that usernames and passwords are one of the most commonly used tools in preventive control. Some organizations now even require employees to set a secondary password on their PCs, which can enhance the security level and better protect sensitive business information from being copied by attackers.
-
Alexandra,
Good example about a store manager installing security cameras. I do agree with your opinion that the preventive control is most important. However, when management makes a decision about controls, the cost should also be considered. For example, the firewall and other security devices for core servers may be costly; only using preventive controls to mitigate the risks may have a negative influence on the financial statements. Indeed, preventive control can stop loss before it happens, but if management reasonably balances all three types of control, the organization may spend less money and lower the risks to an acceptable level.
-
Paul,
I agree with your opinion that which type of control is important really depends on the specific situation. Generally, the preventive control can stop loss before risks actually occur; however, the devices related to preventive control are usually costly. For a major public corporation with millions in information assets, the preventive control may be the most important one. But what if it is a newly started or barely profitable company? In this case, the company doesn’t need a top-level preventive device like a powerful firewall, or it can’t afford it. In this situation, a cheaper alternative like a backup plan (corrective control) may be a better choice.
-
Thanks for sharing. Your reasoning seems to be that an organization can’t live without corrective controls, so those are the most important; well, organizations can’t live without preventive controls and detective controls either, so does that mean all of them are the most important? It’s not convincing.
But I do agree with you that the balance of the three will result in the most secure assets.
-
Well-put Yu Ming.
Layered controls, implemented as a combination of preventive, detective and corrective controls, decrease the probability of failure exponentially. Systems that house sensitive information or are critical to business usually have layered controls for the same reason.
-
Paul, you showed some great forethought on the question regarding the maturity of the environment we’re talking about and how detective controls could be more important than preventative controls. I honestly don’t think there is a true “correct” answer to the question because it always depends on certain variables that we are left to assume. In this instance I would have to put preventative controls above detective controls; however, timing is everything. If the system had been put in place before any controls were put in place, what’s more important, attempting to stop future breaches or making sure that a breach hasn’t already occurred? To me it’s almost six of one, half a dozen of the other. Great perspective.
-
Jianhui,
I agree with you. Corrective controls restore the system or process back to the state prior to a harmful event. For example, a business may implement a full restoration of a system from backup tapes after evidence is found that someone has improperly altered data.
-
Fred/Brou,
Yes, there are situations where it costs more to prevent than to respond to the risk. However, yes, if your response is to just accept the risk, then it obviously doesn’t cost more. There are situations where it costs more to prevent than to respond, and vice versa…
My point is, yes, it may cost more money to respond, but if you can’t respond to an attack, it will cost way more than it would have cost to just plan and execute a response to an attack. The way I look at it is, there is always a hole. You can spend all of your resources on prevention and someone will still get by. That is the way of the cyber world. No system is impenetrable. Therefore, although prevention is very important, I believe risk response is the most important.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 11 months ago
How you would apply the FIPS security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
-
Q 2. How you would apply the FIPS security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
FIPS applies security categorization in 2 ways:
1. SECURITY CATEGORIZATION APPLIED TO INFORMATION TYPES:
Establishing an appropriate security category of an information type essentially requires determining the potential impact for each security objective associated with the particular information type. The generalized format for expressing the security category, SC, of an information type is:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.
2. SECURITY CATEGORIZATION APPLIED TO INFORMATION SYSTEMS:
Determining the security category of an information system requires slightly more analysis and must consider the security categories of all information types resident on the information system.
The generalized format for expressing the security category, SC, of an information system is:
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
The information security risk mitigations (safeguards) described in the FGDC guidelines are:
• The first is to change the geospatial data. You may find that the geospatial data contain sensitive information that needs to be safeguarded, but that after changing the data they would still be useful and could be made publicly accessible. This decision starts with your organization determining whether it has the authority to change the data. The idea of changing geospatial data includes redaction or removal of sensitive information and/or reducing the sensitivity of information by simplification, classification, aggregation, statistical summarization, or other information reduction methods.
• The second, and last, type of safeguard is to restrict access to, uses of, and/or redistribution of the data. At this step, you must decide if your organization has the authority to restrict the data. Some organizations have laws, regulations, policies, or concerns about liability that compel them to release data. Others have clear authority to restrict data.
Based on the decision taken from the two types of safeguards, the security categorization of the information type and the information system is performed. The values are inserted in the formula and the category is found.
EXAMPLE:
An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information. The management within the contracting organization determines that: (i) for the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low; and (ii) for the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low. The resulting security categories, SC, of these information types are expressed as:
SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
and
SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
The resulting security category of the information system is expressed as:
SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
representing the high water mark or maximum potential impact values for each security objective from the information types resident on the acquisition system.
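The high water mark rule above is mechanical enough to write down as code. The following is an added example (not code from the original post, from NIST, or from FIPS 199 itself): it re-computes the acquisition-system example from this thread and adds one constructed, hypothetical information type with confidentiality NOT APPLICABLE to show where the information-type rule and the information-system rule differ. The `overall_impact` helper goes one step beyond the FIPS 199 text quoted here: it applies the FIPS 200 rule that a system’s single impact level is the highest of its three objectives.

```python
"""FIPS 199 security categorization with the system-level high water mark.

Added example; not code from the original post or from NIST. The
acquisition-system information types are the ones from the thread; the
map-server type is a constructed, hypothetical addition.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordering used for the high water mark.
LEVELS = {"NOT APPLICABLE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL_NAME = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{objective}: unknown impact level {level!r}")
            # FIPS 199 allows NOT APPLICABLE only for the confidentiality of an
            # information type; integrity and availability always carry an impact.
            if level == "NOT APPLICABLE" and objective != "confidentiality":
                raise ValueError(f"{objective} cannot be NOT APPLICABLE")

    def __str__(self) -> str:
        pairs = ", ".join(f"({o}, {getattr(self, o)})" for o in OBJECTIVES)
        return "{" + pairs + "}"


def system_category(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """High water mark over all information types resident on the system.

    Per objective, take the maximum impact across the types. A system is never
    NOT APPLICABLE: FIPS 199 sets a LOW floor because the system's own
    processing functions and control information must be protected even when
    no hosted information type has a confidentiality requirement.
    """
    if not info_types:
        raise ValueError("a system must host at least one information type")
    levels: dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max(LEVELS[getattr(sc, objective)] for sc in info_types.values())
        levels[objective] = LEVEL_NAME[max(highest, LEVELS["LOW"])]  # LOW floor
    return SecurityCategory(**levels)


def overall_impact(sc: SecurityCategory) -> str:
    """Single impact level of a system (FIPS 200): the highest of the three
    objectives. This is the value used to pick a control baseline."""
    return LEVEL_NAME[max(LEVELS[getattr(sc, o)] for o in OBJECTIVES)]


# Information types from the acquisition-system example in the thread.
ACQUISITION_SYSTEM = {
    "contract information": SecurityCategory("MODERATE", "MODERATE", "LOW"),
    "administrative information": SecurityCategory("LOW", "LOW", "LOW"),
}

# Constructed, hypothetical system hosting only public geospatial data:
# nothing to keep confidential, but published coordinates must not be altered.
PUBLIC_MAP_SERVER = {
    "published map tiles": SecurityCategory("NOT APPLICABLE", "MODERATE", "LOW"),
}

if __name__ == "__main__":
    for name, types in (("acquisition system", ACQUISITION_SYSTEM),
                        ("public map server", PUBLIC_MAP_SERVER)):
        for type_name, sc in types.items():
            print(f"SC {type_name} = {sc}")
        sc_sys = system_category(types)
        print(f"SC {name} = {sc_sys}  (overall: {overall_impact(sc_sys)})")
```

Running it reproduces SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}; for the map server the information type is NOT APPLICABLE for confidentiality but the system is still categorized LOW for that objective.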
-
Great explanation and example Deepali!
Choosing suitable security controls for an organization’s information systems can have tremendous repercussions on the operations and assets of the organization as well as the well-being of individuals and the Nation as a whole.
-
Deepali, you provided clear explanations and examples on the security categorization.
I just want to add the potential impact definitions for each security objective (confidentiality, integrity, and availability); I believe it helps us learn the FIPS security categorizations in detail.
Security Objectives:
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Availability: Ensuring timely and reliable access to and use of information.
Potential impact:
Low: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
-
Another example of how the FIPS security categorizations can be used to decide if each of the information security risk mitigations described in the FGDC guidelines is needed is the redaction of classified documents before they are released to the public. There is no doubt that covert operations are taking place without public knowledge. An example is the hunt for Osama Bin Laden.
In this example the Security categorization would be something like this:
SC information type = {(Confidentiality, HIGH), (Integrity, HIGH), (Availability, LOW)}
Based on this SC, leakage of information about Bin Laden’s location could have severely degraded Seal Team 6’s mission, probably making the mission a failure. If the integrity of the information provided by an intelligence group to Seal Team 6 had been improperly modified, it could have caused mission failure or loss of life to the operators. The availability of that information has a limited effect on the USG; after all, it did take them ten years to find Bin Laden.
SC information system = {(Confidentiality, HIGH), (Integrity, HIGH), (Availability, HIGH)}
For information systems, I’m specifically talking about the communication systems that Seal Team 6 had when executing the mission. If the CIA’s security objectives were not met, then loss of life would be imminent. If the enemy were able to hijack communication signals between the members of Seal Team 6, modify the communication between headquarters and the team, or scramble the communication of the team, then the mission could have met a severe or catastrophic ending.
The FGDC guidelines were used to redact or modify mission records to protect the names of Seal Team 6. The released records did not contain pertinent mission information, like how the location of Bin Laden was obtained, preserving the methods of intelligence gathering by the USG.
-
I would create a table to match table 8.2 in the Information Security Handbook: A Guide for Managers publication. After reviewing the security risks for the company, I would categorize each risk as low, moderate, or high impact. I would review the FGDC guidelines to determine if the risk levels require specific safeguard procedures.
If I’m understanding this, the FGDC has guidelines for collecting, processing, archiving, integrating, and sharing geographical data. A risk may be improperly labeling latitude and longitude, putting the users at risk with high impact.
-
Deepali,
You explained it in great detail and very well, thank you. I liked the example and the way you categorized the information.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 11 months ago
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
How you would apply the FIPS security categorizations to decide if each of the information […]
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 11 months ago
Which two information security objectives could be put at risk if the alternative mitigations (i.e. “safeguards”) recommended by the FGDC guidelines are applied? Explain how each could be put at risk.
-
The FGDC guidelines recommend the following safeguards in order to address security concerns before disseminating geospatial data to the public.
1) Change the data
2) Restrict the data
Both safeguards pose a risk to the two important security objectives of INTEGRITY and AVAILABILITY.
When the data has been changed to mitigate the security concerns, it is actually an act of improperly modifying the data, which stands against the integrity principle of the security objectives.
When there is a restriction on access to particular data in order to protect particular information, it is against the objective of availability of data.
-
Great point.
The altering of data inadequately changes the data, which contradicts the whole principle of Integrity. Additionally, the constraints on the public’s access to data undermine the principle of Availability as well.
-
Integrity and availability are the two information security objectives that could be put at risk if the safeguards are applied.
In fact, integrity refers to guarding against improper information modification or destruction, whereas the safeguard offers the option to “change the data, to remove or modify the sensitive information and then make the changed data available”. Although organizations need to have the authority to make those changes, safeguarding the data may result in a lack of integrity.
Similarly, availability refers to reliable access to and use of the information with no disruption. However, safeguards establish restrictions on access to, use of, or redistribution of the data.
-
Just restating what everybody has already said:
The FGDC guidelines for safeguarding Geospatial data are:
1. Change the data – changing the data to remove sensitive information and then making the changed data available without further safeguards.
2. Restrict the data – adding additional access controls or defense-in-depth to protect the data from access, use, and redistribution.
I agree with what everybody else said about how these two safeguards would adversely affect the Integrity and Availability security objectives. Changing the data would definitely affect the authenticity of the data disseminated to the public, but Integrity is about the “improper” modification or destruction of data. If the guidelines are appropriately followed through the decision tree, the originator of the data may modify the data in the interest of national security or public safety.
For instance, we know that America has fighter carriers and battleships deployed all over the world. We know that they’re in the Asia-Pacific, the Atlantic Ocean, the Mediterranean, etc., but we do not have access to exact GPS location data. Based on that, the US Government is in fact using both safeguard guidelines to protect the Navy’s fleet from unwarranted or targeted attacks. Their exact locations are available but highly restricted to only those with the required clearance.
Although those guidelines would hinder the Integrity and Availability security objectives, it’s only towards the public. If proper controls are in place for the data to be used by “privileged” personnel, then I believe that the Availability and Integrity of that information will not be affected and will probably meet the security objectives with flying colors.
-
The two information security objectives that could be put at risk are:
1. Integrity – You will lose the ability to see previously labeled items. I am not sure if this is a good example, but Pluto was mapped as a planet; if the FGDC said it wasn’t there, it must be changed or restricted.
2. Availability – You won’t have access to the data on Pluto anymore because, as far as anyone is concerned, it never existed.
-
The government recognizes that other organizations may benefit from geospatial data it has collected. An issue arises when some of that data is considered sensitive, so guidelines were put in place to be followed before the data is published. These change the way the data appears to users. The two information security objectives that could be at risk with the FGDC guidelines are confidentiality and integrity.
The first FGDC guideline is to change the data. Here, they modify the data set so that sensitive information is unrecognizable to the end user. This jeopardizes the integrity of the data. For safety, geographic points would be moved, and the data set may end up not being usable by researchers. Ultimately, data is destroyed that may have been vital to the integrity of the data set.
The second FGDC guideline is to restrict the data. For this, they set up strong blocks that prevent access to the data relative to the risk that the data holds. The confidentiality of the data is now at risk. The safeguards would have to vet those trying to access the most sensitive data very closely. This may lead to an unauthorized disclosure to the public.
-
Noah,
The question asking for two made it difficult for me to pick. I thought of confidentiality in the same way, because it would put the information at risk of being leaked.
I decided to go with integrity, because they are restricting the truth, and availability, because it isn’t accessible; but confidentiality is also put at risk, because now you restrict the information and there is a risk it may be leaked.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 11 months ago
-
“Can your device survive a USB power surge attack? 95% of all devices with USB ports can’t” usbkill.com.
The Hong Kong based company developed USB Kill 2.0 for companies to test their systems against devastating USB power surge attacks that are capable of killing the host almost instantly. Companies follow strict data security policies to lock down ports to prevent data leaks or infiltration, but such ports are unprotected against an electrical attack like this.
How does it work? When plugged in, the USB Kill 2.0 quickly charges its capacitors using the USB supply and then discharges.
“The USB stick discharges 200 volts DC power over the data lines of the host machine, and this charge-and-discharge cycle is repeated several times in just one second, until the USB Kill stick is removed.”
Here is a video demonstration of how it works: https://www.youtube.com/watch?v=3hbuhFwFsDU
This can be useful for whistleblowers, activists and cybercriminals who don’t want their data to fall into the hands of law enforcement.
This looks like a mechanical attack, and it will be interesting to see how security professionals are going to mitigate such a risk.
Source: http://www.zdnet.com/article/now-you-can-buy-a-usb-stick-that-destroys-laptops/
-
The article I read is about how President Barack Obama is set to sign the most substantial piece of cyber security legislation in years. You have heard the “information sharing” topic in the news often. This bill will solve the information sharing issue and is designed to give companies legal cover to share data about cyber attacks with each other and with the government. The legislation would protect those companies from being sued for sharing that information, for example from antitrust claims. The idea of the bill is that cyber attackers use the same techniques and tactics repeatedly on a wide range of targets. Therefore, allowing those organizations to communicate with each other what they see and how they block it would give companies defending their computer networks an upper hand against hacks.
http://www.cnn.com/2015/12/18/politics/cybersecurity-house-senate-omnibus/index.html
-
IDENTITY THEFT
Regulators Slam Wells Fargo for Identity Theft
For years, Wells Fargo employees subscribed the bank’s customers to products they didn’t request, and this has now triggered $185 million in fines.
The bank allowed its employees to access customers’ personal information to subscribe them to products such as credit cards that generated revenue for the bank as well as commissions for salespeople. Reports say that around 2 million bank deposit and credit card accounts were opened without customers’ knowledge.
This represents one of the LARGEST INCIDENTS OF ORGANIZED IDENTITY THEFT ever recorded.
PRODUCT PUSHING
The bank boasted that its customers held an average of six different Wells Fargo products, but as a part of its “Gr-eight” initiative, it pushed salespeople to increase the average to eight, which was unattainable.
To achieve the goal, employees used tactics such as “PINNING”, which involved bank employees enrolling customers without their knowledge into online banking and bill paying products. Employees generated ATM cards for dummy accounts and assigned PIN numbers, usually “0000”, to the cards, for which they received compensation.
To do this, employees filled in fake email IDs such as 1234@wellsfargo.com, which ensured that the customers were unaware of being signed up to a new product.
In some cases employees also used “simulated funding”, where they withdrew money from authorized accounts to pad unauthorized fee-generating deposit accounts that customers did not know existed.
Wells Fargo must now retain an independent consultant to review its sales practices, review training procedures and create a compliance plan.
SOURCE: http://www.databreachtoday.com/regulators-slam-wells-fargo-for-identity-theft-a-9388
-
This article explains the growing threat of ransomware, as well as the “5 Things Partners Need to Know about Ransomware.” The 5 things are: How Big Is The Problem?, Who Are The Targets?, How To Know If You’ve Been Hit, What To Do In The Event Of A Hit, and How Partners Can Prepare Their Clients.
Lately, many companies have fallen victim to this ever-increasing threat. Ransomware is explained as a type of malware that, when successfully used, takes away access to the company’s important data in exchange for a ransom amount. Recently, this strategic tool has become a very profitable industry for hackers. According to the 2016 Verizon Data Breach Investigations Report, “ransomware represented the biggest jump in crimeware, with 148 reported incidents in 2015 out of a total 348 incidents”.
Stephen Cobb, a senior security researcher at San Diego-based Internet security vendor ESET, stated, “Ransomware doesn’t discriminate when it comes to business targets”. The first indication of a ransomware attack is the inability to access data or receiving a request from hackers. Unfortunately, by then it’s a little too late; the malware has already begun. Conversely, Cobb stated, the first step should be contacting the IT department to alert them. Secondly, he recommends that “users unplug their machines and disconnect them from the network to prevent the message from spreading to other devices”. Lastly, “there are steps that partners can take to protect their clients from the impacts of a ransomware attack”, Cobb states. His multi-level approach begins with user education about ransomware and protection. He then reveals that “keeping systems up to date with patching limits vulnerabilities that the ransomware can exploit”. To conclude, Cobb says it is crucial to make sure resilient backup and recovery systems are in place, as well as a reaction plan to combat those technologies in the event of an incident.
Source: http://www.itbestofbreed.com/slide-shows/5-things-partners-need-know-about-ransomware
-
Kaspersky Lab Presents the First Cybersecurity Index
Read more at:
http://economictimes.indiatimes.com/articleshow/54170898.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst
http://www.securitymagazine.com/articles/87428-kaspersky-lab-presents-first-cybersecurity-index
Kaspersky is launching its first Cybersecurity Index, which is the first global index to measure the current cyber threat levels faced by internet users. It has three key indicators:
1. The concerned indicator: which shows the ratio of people who know that they are exposed to cyber threats
2. The affected indicator: which shows the number of people affected during the given timeframe.
3. The protected indicator: which shows the number of people who have installed security solutions on their devices, both phones and computers.
According to the first survey, taken in August 2016 among 21 countries across the globe, the cybersecurity index shows as 21-29-60, meaning 21% are aware of the threat, 29% are victims and 60% have security solutions installed.
The index was created to draw the attention of users and the media to the issue of cybercrime and the importance of cybersecurity.
-
Yelp Launches Public Bug Bounty
Yelp is well known as a search engine for local business, restaurant and hospitality reviews and tips. Starting today, the door will open to researchers and bug-hunters who are invited to participate in Yelp’s public bug bounty. The company has, for two years, participated in a private bounty program with HackerOne. On September 6, 2016, the program goes public, and it’s fairly expansive, with a number of areas of its infrastructure in scope, including its desktop site, mobile application and public API. Yelp said the payouts will go as high as $15,000, with a minimum bounty of $100. Bounty participants are urged to seek out mobile-specific vulnerabilities on both the iOS and Android app platforms. Bug bounty programs are a sign that everything under them is mature and in shape; you can’t launch unless you have architectural reviews, an SDLC and other critical processes in place. Organizations think they have it, but don’t really know until they try it out, said HackerOne CTO Alex Rice.
Many organizations have started to invite people to attack their systems and find the vulnerabilities in order to protect their systems, which is a very smart decision. In the past, most hackers were individuals instead of an official group or business. They had skills but they didn’t know where to show them. So they attacked lots of systems just for fun or showing off, but the companies that were attacked could go bankrupt. Today is different: organizations encourage and invite individuals to come and help them find defects in their systems.
Links: https://threatpost.com/yelp-launches-public-bug-bounty/120369/
-
Researchers have said that the US 911 emergency phone system is vulnerable to DDoS attacks; they have found a way to disable the service across an entire state for an extended period.
The researchers claim that they have found a way to disable the emergency system across an entire state by using a TDoS attack (telephony denial of service). The 911 emergency infrastructure depends on routing calls to public safety answering points (PSAPs). Hackers can cause mobile phones to call 911 and clog the lines, preventing legitimate users from getting through.
This is basically because of the Federal Communications Commission (FCC) regulation which states that all calls have to be forwarded to a PSAP. This is an excellent example that IT systems and their regulations have to be updated on a regular basis, and that threats have to be identified soon and necessary action taken at the appropriate time.
-
This is interesting. I never knew that sharing information about cyber attacks was suable. This is definitely a step in the right direction towards combating the same enemy. But it also makes me wonder: what if the cyber attack came from a competitor?
-
Binu,
Very interesting article. It never really struck me that even 911 service is exposed to an attack like TDoS. It surely poses a big threat to the critical infrastructure of the country (if I may). And I strongly agree: with time and evolution taking place in technology and the environment, systems should be updated as well.
-
“A new hacker money-making strategy: Betting against insecure companies on Wall Street”
The article discusses a cyber security research firm named MedSec that found a flaw in a medical device from St. Jude Medical and then partnered with a financial firm to release the results publicly. MedSec received a portion of the profits from short selling St. Jude’s stock instead of disclosing the vulnerabilities to St. Jude. The vulnerabilities concern a heart implant and could allow an unauthorized user to speed up the pace to dangerous levels, or quickly drain the batteries. Typically, research firms share their findings with the companies to fix the vulnerabilities before they are released publicly, preventing hackers from exploiting them. MedSec contends that the revenue will help support the time-intensive research required to discover flaws. Critics worry that publicly disclosing vulnerabilities before they are fixed will allow hackers to exploit them.
-
The article I read this week is called “Google to Shame Unencrypted Websites,” written by Tara Seals for Infosecurity magazine. The article says that Google Chrome, a web browser, will start “shaming” unencrypted websites beginning in January. It will mark HTTP login pages as “not secure” in a window next to the address bar, using a red triangle indicator.
Chrome indicates that when someone loads a website over HTTP, other people on the network can look at or modify the site before it gets to you.
So what do people do for now?
A substantial portion of web traffic has transitioned to HTTPS, and more than half of Chrome desktop page loads are now served over HTTPS.
However, many organizations and companies still blindly trust all encrypted traffic. So I hope more and more users pay attention to those sites and reduce cyber-attacks.
In addition, HTTP stands for Hypertext Transfer Protocol, and HTTPS stands for Hypertext Transfer Protocol Secure. Instead of acting as its own application layer protocol, it uses separate protocols called SSL (Secure Sockets Layer) and TLS (Transport Layer Security).
http://www.infosecurity-magazine.com/news/google-to-shame-unencrypted/
https://blog.easynews.com/http-vs-https-whats-the-difference/
-
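The rule the post above describes (Chrome flagging an HTTP page that collects a password) is simple to check for on your own site before the January rollout bites. The following is an added example, not code from the article, from Google or from Chrome: it parses a page with the standard library and reports whether credentials would leave the browser in the clear. The sample HTML is constructed here. The “mixed form” check (an HTTPS page whose form posts to an http:// action) is an assumption of this example, not something the article states, but it is the same exposure: the password travels unencrypted.

```python
"""Chrome-style "Not secure" check for login pages served over plain HTTP.

Added example; not code from the article, from Google or from Chrome. Only
the rule the article describes (HTTP page containing a password field) plus
one assumed extra check (form on an HTTPS page posting to http://) is
implemented. The HTML snippets below are constructed.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _CredentialFormScanner(HTMLParser):
    """Record, for every password input, the URL its enclosing form submits to."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self._current_form_action: str | None = None
        self.password_field_targets: list[str] = []

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "form":
            # A relative or empty action submits back to the page's own origin.
            self._current_form_action = urljoin(self.page_url, attrs.get("action", ""))
        elif tag == "input" and attrs.get("type", "").lower() == "password":
            # A password field outside any form can only submit to the page itself.
            self.password_field_targets.append(self._current_form_action or self.page_url)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form_action = None


def classify_page(page_url: str, html: str) -> str:
    """Return "not secure", "secure" or "neutral".

    not secure: a password would leave the browser over plain HTTP, either
                because the page is HTTP or because its form posts to http://.
    secure:     HTTPS page with no form posting credentials over HTTP.
    neutral:    plain HTTP page without a password field (no warning in the
                January rollout the article describes).
    """
    scanner = _CredentialFormScanner(page_url)
    scanner.feed(html)
    cleartext_targets = [t for t in scanner.password_field_targets
                         if urlsplit(t).scheme.lower() != "https"]
    if cleartext_targets:
        return "not secure"
    return "secure" if urlsplit(page_url).scheme.lower() == "https" else "neutral"


# Constructed sample pages.
LOGIN_PAGE = """
<html><body>
<form action="/session" method="post">
  <input type="text" name="user">
  <input type="PASSWORD" name="pw">
  <button>Sign in</button>
</form>
</body></html>
"""

MIXED_LOGIN_PAGE = """
<html><body>
<form action="http://legacy.example.test/login" method="post">
  <input type="password" name="pw">
</form>
</body></html>
"""

STATIC_PAGE = "<html><body><h1>Opening hours</h1><p>9 to 5</p></body></html>"

if __name__ == "__main__":
    for url, html in [("http://shop.example.test/login", LOGIN_PAGE),
                      ("https://shop.example.test/login", LOGIN_PAGE),
                      ("https://shop.example.test/login", MIXED_LOGIN_PAGE),
                      ("http://shop.example.test/hours", STATIC_PAGE)]:
        print(f"{classify_page(url, html):11s} {url}")
```

The same login form is “not secure” at http://shop.example.test/login and “secure” at https://shop.example.test/login; the static HTTP page comes back “neutral”, which matches the article’s description that only login pages get the red indicator at first.
-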
DARPA Cyber Grand Challenge (CGC)
Back in 2013, the Defense Advanced Research Projects Agency (DARPA) hosted a worldwide competition to develop the world’s first autonomous bug-hunting machine, with a $2 million first place prize. Three years later, on Aug. 6, 2016, seven finalists presented their prototypes to DARPA; all seven teams received awards, and DARPA is on its way to preventing zero-day attacks.
The final competition resulted in the machines being able to author 421 replacement binaries that were more secure than the originals and 650 unique proofs of vulnerability. According to DARPA CGC Program Manager Mike Walker, the machines were able to detect zero-day attacks and respond to the attack immediately.
The CGC winner was then challenged to a “capture-the-flag” at DEF CON 24, where each team is given a network full of weaknesses, against some of the best competitors. The team must simultaneously patch its network to defend against attacks while also developing breaches for the opposing teams’ networks. Unfortunately, the CGC winner took last place in the competition. Although Mayhem, the CGC-winning machine, has not yet reached maturity, it has opened a new door for predictive cyber defense.
You can read more here: http://www.defense.gov/News/Article/Article/906931/three-teams-earn-prizes-in-darpa-cyber-grand-challenge
-
REPORT OUT ABOUT THE WORST CYBER ATTACK ON A FEDERAL AGENCY
A breach that first occurred in 2014 and was detected only in April 2015 at the Office of Personnel Management, a federal agency, points to poor security control processes followed in the agency. This was the worst cyber attack on a federal agency in recent history. As many as 22 million federal employees’ private records were said to have been exposed.
Investigation into the breach found that agency management was lax about following safety measures w.r.t. cybersecurity and that there were a number of known vulnerabilities that were left unfixed well before the breach occurred in 2014. Even when the initial breach was identified, the agency focused only on containing the attack and not on fixing the vulnerabilities. While the agency focused on containing the initial breach, another group of hackers stole millions of highly personal background check records.
Source : https://krebsonsecurity.com/2016/09/congressional-report-slams-opm-on-data-breach/
-
The US Gets Its First Cyber Security Chief
Last Thursday, the White House named a retired brigadier general as the government’s first federal cyber security chief. In fact, General Gregory Touhill will be the first Chief Information Security Officer (CISO) of the United States of America. His job will be to protect government networks and critical infrastructure from cyber threats. President Obama announced the new position in February and proposed a budget of $19 billion to the Congress for cyber security across the US.
With the multitude of breaches against the government and the private sector this past year, the Obama administration has decided to make cyber security a top priority. Most recently, US intelligence officials have suspected Russia of the state election system breaches. They think Russia was trying to interfere with the US presidential election.
General Touhill is currently a deputy assistant secretary for cyber security and communications at the Department of Homeland Security, and will begin his new role later this month.
Source: http://www.thefiscaltimes.com/2016/09/08/US-Gets-Its-First-Cyber-Security-Chief
-
EU Enacts New Law To Improve Critical Infrastructure Cyber Security
According to the article found on Security Magazine’s website, the European Union has enacted a new law named the EU Network and Information Security (NIS) directive. This law is one of the first of its kind for the EU and aims to improve cyber security around critical infrastructure. The NIS directive requires each country to identify key infrastructure which can include services such as energy, transportation, banking, health, drinking water supply, and even cloud services. These services will need to comply with this new IT infrastructure framework which will be required by all member nations. The goal of this initiative is to create a baseline cyber security standard across the EU and use this as a way to collaborate among the different countries. On top of this, each country will have to establish a “Computer Security Incident Response Teams to handle incidents and risks, discuss cross-border security issues and identify coordinated responses”.
It seems that as cyber security issues continue to arise, governments around the world are looking to step up their cyber security practices to mitigate these cyber risks. One can look at Said’s post, which states that the United States has just hired its first CISO and proposed a budget of $19 billion to Congress for cyber security across the United States. Since the EU is extremely connected, much like the states within the United States, this directive not only allows for collaboration but now makes each nation responsible for addressing the cyber risks that can affect them all. With both the EU and the United States taking measures to make sure that they protect their key infrastructure from cyber threats, hopefully this could result in fewer cyber-attacks.
-
Security from the Ground Up: The Need for Data Classification
The article I found is about data classification and its importance within an organization. This article emphasizes the fact that when talking about data breaches we too often think about external threats and focus on firewalls, encryption and network monitoring as the best tools to secure data. However, the biggest data threats are the threats from within, caused by employees who constantly use data sharing tools such as email or social media without even knowing the negative consequences. Most of the time, employees do not know the value of the data they are sharing. It is important to familiarize them with the correct policy procedures and to properly train and inform them. The idea is not to install technologies to protect data and expect employees to use them. We all know that too much security can be tedious and employees can definitely get around it unless they know the value of the data they are sharing. In this light, the article mentions data classification as a good security tool. Indeed, “When data is classified, organizations can raise security awareness, prevent data loss and comply with records management regulations.” By classifying data, employees will be aware of the information they are handling and thus adopt a more careful behavior.
In sum, the idea of data classification is to keep security top of mind for employees as they classify every piece of data they handle.
http://www.infosecurity-magazine.com/opinions/security-ground-data-classification/
-
12th Sept 2016
Patch management, yet again, proved to be the most important preventive control!
Dawid Golunski, a researcher, has found many vulnerabilities in existing MySQL versions. One of the most critical is a zero-day vulnerability, the kind of attack the IT industry dreads. The vulnerability is tracked as CVE-2016-6662 and can be exploited to run arbitrary code with root privileges.
How is the vulnerability exploited?
A web interface like phpMyAdmin can be used along with SQL injection to authenticate to the MySQL server without a direct connection.
How many systems are affected?
MySQL versions 5.5, 5.6 and 5.7 are all exploitable. Linux security models are not enough to protect from this attack.
Is this true?
Dawid Golunski has submitted proof of concept code to Oracle.
Does it affect you?
The patches released by the PerconaDB and MariaDB developers were made available in public repositories, potentially allowing malicious actors to start exploiting the weakness.
What is the solution?
Oracle must dispatch patches to close this vulnerability.
Source: http://www.securityweek.com/critical-mysql-zero-day-exposes-servers-attacks
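The post's thesis is that patch management is the preventive control that matters here, so the practical first step is an inventory check: which servers report a MySQL version below the release that carries the fix. The script below is an added example, not code from the post or from the SecurityWeek article. The minimum fixed versions it uses for the 5.5, 5.6 and 5.7 branches are an assumption of this example and must be verified against Oracle's advisory before you rely on them; the banners it audits are constructed sample data, not real hosts.

```python
import re

# ASSUMPTION: minimum Oracle MySQL releases carrying the CVE-2016-6662 fix, per branch.
# These numbers are an assumption of this example; verify them against the vendor advisory.
FIXED_VERSIONS = {
    (5, 5): (5, 5, 52),
    (5, 6): (5, 6, 33),
    (5, 7): (5, 7, 15),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from a server banner such as '5.7.14-log'
    or 'mysqld  Ver 5.6.31 for Linux on x86_64 (MySQL Community Server (GPL))'."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no version number in banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def is_patched(banner):
    """True if the banner's version is at or above the assumed fixed release for its
    branch, False if below it. Forks (MariaDB, Percona) and unknown branches raise
    ValueError so they are never silently reported as safe."""
    lowered = banner.lower()
    ver = parse_version(banner)
    branch = ver[:2]
    if "mariadb" in lowered or "percona" in lowered or branch not in FIXED_VERSIONS:
        raise ValueError("branch %d.%d not covered by this check: %r" % (branch[0], branch[1], banner))
    return ver >= FIXED_VERSIONS[branch]


def audit(banners):
    """Classify a list of version banners into patched / vulnerable / unknown."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for b in banners:
        try:
            result["patched" if is_patched(b) else "vulnerable"].append(b)
        except ValueError:
            result["unknown"].append(b)
    return result


# Constructed sample inventory for the example (not real hosts).
SAMPLE_BANNERS = [
    "5.7.14-log",
    "5.7.15",
    "mysqld  Ver 5.6.31 for Linux on x86_64 (MySQL Community Server (GPL))",
    "5.5.52-0ubuntu0.14.04.1",
    "10.1.17-MariaDB",
]

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_BANNERS).items():
        print(bucket, hosts)
```

Treat the result as a triage list, not a verdict: distribution packages sometimes backport a fix without bumping the upstream version string, and the fork versions land in "unknown" on purpose because their fixed releases are numbered differently. Confirm anything flagged against the vendor's own advisory and the package changelog.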
-
“The Ransomware Dilemma: Is Paying Up a Good Idea?”
With the booming development of the smartphone industry, personal smartphones are becoming a new approach for attackers to earn money through ransomware. Unlike PC users, smartphone users usually underestimate the importance of protecting themselves from ransomware; some of them don’t even know what ransomware is. If someone downloads ransomware to his phone, then the operating system of the smartphone will be locked, and only the attackers know the code or password to unlock the phone. If the smartphone user wants to recover his phone, in most cases he has to pay the attackers. What people should really do is preventively control the risk and not click on those phishing websites or download ransomware.
Source: http://www.securitymagazine.com/articles/87431-the-ransomware-dilemma-is-paying-up-a-good-idea
-
Rightly pointed out, Alexandra. Employees can unknowingly do certain things which can be a big challenge, especially while transferring data.
I think a solution like Data Loss Prevention software can be used and will prove beneficial in highlighting if any sensitive data is being sent outside the organization.
-
That is huge. Exploiting vulnerabilities at the cost of someone’s life is the biggest threat that humans can experience. After reading your article I did some research myself and I am shocked that attacks on medical devices have been the number one threat in 2016!
Hackers are exploiting vulnerabilities to deploy ransomware. Let alone devices like pacemakers and insulin pumps, think about attacks on surgical robots! All of this has put human life at stake.
Earlier this year, the FDA issued a letter warning hospitals and patients that a pump commonly used to ration out proper dosing of medicine in IVs could be vulnerable to attack.
source – http://www.popsci.com/hackers-could-soon-hold-your-life-ransom-by-hijacking-your-medical-devices
-
Indeed, identity theft is a serious problem. The article mentioned that the bank allowed employees to access customers’ personal information, which is a potential risk that could cause a data leak. Actually, my best friend lost over 6K USD a couple of months ago because someone stole his personal information and used his credit card to make purchases on different websites. Therefore, I think this article has a good point.
-
“Companies more concerned with private data than with hackers”
As information security has become a priority, businesses are more concerned about the loss of private data (47%) than about disruption by hackers (26%). Employee misuse of new technology (7%) has become a new and growing threat.
Nowadays employers focus more on employees’ data security education, but 20% of employers still have no awareness of the need to educate their employees on data security.
-
2.5 Million Possibly Impacted by New Malware in Google Play
Two malware families managed to slip through Google Bouncer and were made available via Google Play. The two were disguised as apps as well as embedded in many top-rated apps in the store. The first malware, called CallJam, was designed to make fraudulent phone calls through the allure of free in-game currency. The second malware, called DressCode, creates a botnet of infected devices, most probably to generate ad clicks and false traffic.
http://www.securityweek.com/25-million-possibly-impacted-new-malware-google-play
-
“Millions of iOS Users Install Adware From Third-Party App Store”
The article I’m interested in is about adware on iOS. Even though Apple has a rigorous verification process in place to ensure that malicious applications are not published on its official app store, millions of iOS users still can’t be free from malicious apps, which not only display ads but also consume victims’ mobile data traffic and expose their personal information.
The loophole is that Apple allows organizations to create and distribute in-house apps that are signed using an enterprise certificate. So once an enterprise certificate is misused and developers release malicious apps on a third-party app store, the adware can easily escape control. For example, on the Vietnam-based HiStore, experts discovered an adware-laden Pokemon GO app that had been downloaded more than 10 million times.
In order to cope with this situation, the company is quick to revoke misused certificates; however, the adware developers can also quickly replace the revoked certificates. Experts found more than five certificates being used in 15 days.
From the view of preventive controls, Apple could evaluate and reassess its policies where loopholes exist to prevent re-occurrence. From the view of customers, well, don’t download apps from third-party stores.
Source: http://www.securityweek.com/millions-ios-users-install-adware-third-party-app-store
-
Creating a Culture of Data Safety Through Classification
This article explains the importance of data classification in implementing security solutions. As we all know, the weakest link in the security chain is employees, and this article emphasizes the importance of creating a security-focused work culture. Data classification is one solution that helps organizations enforce security policies, educate and remind users about data security, and empower employees to take responsibility for data security.
Data classification can help everyone in an organization, not just the IT team, take part in the security of their data and of their reputation.
-
Ming,
Nicely pointed to preventive controls! Trying not to download malicious apps from third-party stores is the way that can help mitigate the risk.
-
That’s a great point. I would argue that there are cyber cases where competitors would absolutely attack a competitor for information. Also, in some cases, the competitor happens to be an international entity. I have read about other foreign governments attempting to steal the latest designs of US government equipment and assets. Great point and definitely something interesting to think about, both domestic competitors in the US and international competitors around the world.
-
Uber reportedly invested $500 million to build a better mapping system
The article I read is about Uber’s reported plan to invest $500 million to build a better mapping system. In addition, Uber hired Microsoft engineers to support its map work. I was glad to hear about this news because I take Uber very often, especially since Uber launched the Uber Pool service. So I am actually very excited to test out this new Uber experience.
The goal of this investment is to improve core elements of the Uber experience. The street imagery captured by the mapping cars will give a better idea of ideal pick-up and drop-off points and the best routes for riders and drivers.
Nevertheless, Uber also benefits from mapping by collecting data from drivers driving to different locations globally. Combined with the data Uber will gather with its expanded mapping system, I believe it’s a win-win strategy for Uber and it is definitely worth the investment.
Source: Uber reportedly invested $500 million to build a better mapping system
-
Are the actions that MedSec and the financial firm partnership took legal? I would assume not. Definitely a scary thought. I would be curious to know the amount of cyber attacks that are taken for financial gain. I would also assume that it would be a large number of the total attacks per year. I think with the ability to release things to the public anonymously, this is tough to track and correct. I see issues/stories like this increasing the need for cyber strategies and investments.
-
I’ve read that it is more difficult for developers to release apps on iOS than on Google Play, which can be frustrating but also beneficial from a security perspective. Google approves apps much faster than Apple, but they are more prone to security risks.
Security is one of the main reasons why I have kept my iPhone. Not that there aren’t any issues with iPhones, but it does generally have better security than Android devices. Most Android phones do not have the latest OS because every manufacturer and carrier must release it themselves, as opposed to Apple, which can release updates at will. I’ve always worried about a security flaw being discovered and having to wait a year to receive an update to fix it.
-
Last week on Bloomberg radio 1130AM, John McAfee, the creator of McAfee security products, went on the air to talk about new innovation in the security arena. He is the CEO of MGT Capital Investments, an investment firm working on numerous futuristic technological products. One exciting claim he made was that he believes his product will eliminate the ‘cloud’. But this isn’t what I am posting about. I am posting about another product in the company portfolio. It is a pro-active security application.
He explained that malware can only be detected after it has been installed on a device, and may take months to detect, or you may not detect it at all and find out on the news that your company information has been breached. His new product will pro-actively monitor areas of the system used by hackers. He has hired some of the world’s best hackers to create a strategy to target the people they once identified as.
You can see the entire interview on Bloomberg radio, but wanted to share a quick 2 minute video about his take on U.S. Cyber security, and how he talks about a 15 year old child hacking into the FBI database.
http://www.bloomberg.com/news/videos/2016-09-07/john-mcafee-u-s-is-not-no-1-in-cybersecurity
-
The article is “Say Goodbye to Passwords, and Hello to Security Keys”
http://www.infosecurity-magazine.com/news/say-goodbye-passwords-hello/
If somebody’s personal device can recognize its user, and authenticate them securely to a remote resource, passwords can become a thing of the past. These were the words of Google’s Christiaan Brand speaking at the Gartner Security & Risk Management Summit in London this week. Security keys were specifically designed to address the issues with one-time password-based two-step verification.
For Brand, this comes down to three main hurdles that are yet to be fully addressed across the industry:
Does it work for mobile? How do we deploy at scale? What if the key is lost?
-
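The reason a security key fixes the main weakness of one-time-password verification is that the key signs over the origin the browser is actually on, so an assertion captured by a phishing page cannot be replayed to the real site, whereas an OTP typed into a phishing page can be. The model below is an added example, not code from the post or from Google; it uses HMAC-SHA256 with a shared secret as a stand-in for the key's per-site ECDSA signature so that it runs with the standard library alone (that substitution, and the origin and OTP strings, are assumptions of the example).

```python
import hashlib
import hmac
import os

# ASSUMPTION: HMAC with a shared secret stands in for the authenticator's per-site
# ECDSA key pair. The structure of what gets signed (origin + challenge) is the point.

def make_key():
    """Secret shared between the 'key' and the relying party for this toy model."""
    return os.urandom(32)


def key_sign(secret, origin, challenge):
    """What the security key signs: the browser's current origin and the server challenge."""
    msg = origin.encode() + b"\x00" + challenge
    return hmac.new(secret, msg, hashlib.sha256).digest()


def rp_verify(secret, expected_origin, challenge, assertion):
    """The relying party recomputes over ITS OWN origin, never over an origin the
    client claims, so a signature produced on another site does not verify."""
    expected = key_sign(secret, expected_origin, challenge)
    return hmac.compare_digest(expected, assertion)


def otp_verify(valid_code, presented):
    """An OTP is a bearer value: anyone who presents it inside the window is accepted."""
    return valid_code == presented


def simulate_phishing(real_origin, phish_origin):
    """Return (otp_relay_succeeds, key_relay_succeeds) for a phishing page that relays
    the victim's second factor to the real site in real time."""
    # OTP flow: the victim types the code into the phishing page; the attacker relays it.
    otp = "482913"  # constructed sample code
    otp_relay = otp_verify(otp, otp)

    # Security-key flow: the real site issues a challenge, the phishing page forwards it,
    # but the key signs over the origin the victim's browser is really on.
    secret = make_key()
    challenge = os.urandom(32)
    assertion_from_victim = key_sign(secret, phish_origin, challenge)
    key_relay = rp_verify(secret, real_origin, challenge, assertion_from_victim)
    return otp_relay, key_relay


def legitimate_login(origin):
    """Control case: the same key used on the genuine origin verifies."""
    secret = make_key()
    challenge = os.urandom(32)
    return rp_verify(secret, origin, challenge, key_sign(secret, origin, challenge))


if __name__ == "__main__":
    print(simulate_phishing("https://accounts.example", "https://accounts-example.evil"))
    print(legitimate_login("https://accounts.example"))
```

The control case matters: the verifier must take the expected origin from its own configuration, not from any field the client sends, or the origin binding is decorative. The third of Brand's hurdles (a lost key) is not addressed by this mechanism at all; it needs a separate recovery path that is itself phishing-resistant.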
I referred to this last week in the News section…
Very scary situation. The government has recently contacted the people affected and provided them with a risk response to identity theft. It takes some effort and costs money for the individual! I am sure it costs money on both ends (meaning those affected and the US government).
I find this very interesting and I think this is proof that EVERYONE (from small to large businesses, individuals, etc.) needs to invest in their cyber infrastructure and strategy.
-
The article talks about how the important nature of data is driving laws and regulations, and security controls. The business enterprise spectrum is now faced with the challenge of how to classify data.
To implement an effective data management program:
• Improving enterprise awareness around the importance of data classification
• Abandoning outdated or realistic classification schemes in order to adopt less complex ones
• Clarifying organizational roles and responsibilities while simultaneously removing those that have been tailored to individuals
• Focus on identifying and classifying data, not data sets.
• Adopt and implement a dynamic classification model.
A company must either build these competencies in-house or work with a trusted third party to move through these steps in terms of the awareness of data classification.
Source: Is Data Classification a Bridge Too Far?
http://news.sys-con.com/node/3896295
-
For the legality, it is possible to argue that this is not insider information. It is close to a “short and distort” but that has the intent that the rumor they spread is false while in this case the flaw is true. We are also not dealing with pure financial information as the information doesn’t guarantee a rise or fall in the stock, although it often would send it down. What if someone wanted to short Apple after hearing they removed headphone jacks from their signature item? It doesn’t seem like the SEC has done anything to Muddy Waters (the financial firm) yet but they are within their rights to try the case even if it fails.
-
I wish the article went more into the guts of these systems. The tone is almost of a battlebots competition more than of a game of chess. It is hard to tell if they are coding brand new services from scratch or if they already know what a secure framework is supposed to look like in general then working from there to make new code. I’m sure the competition is not a good spectator sport as it would look mostly like The Matrix code flying across screens as they’re written in the short timespan of the rounds.
I do like that technology is increasing its role in assisting experts. Bug hunting is tedious work; large companies often place bounties on their bugs instead of troubling their own developers hoping the wisdom of the masses would figure them out. Maybe coding software will have these as their back-end one day nudging you to more secure coding.
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 11 months ago
Excellent work discussing the questions, augmenting each other’s assessments, assertions and recommendations in your blog posts! Also, nice job getting started with your research and finding articles for the […]
-
How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?
Principles and directives to create risk profile:
An organization’s information risk profile should include principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile. Principles include the following:
• Ensure availability of key business processes including associated data and capabilities.
• Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.
• Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization’s established risk tolerances.
• Ensure that funding and resources are allocated efficiently to ensure the highest level of information risk mitigation.
Risk profile for the business would contain the following:
• Key risk areas (e.g., strategic, operational, project)
• Strengths and weaknesses of the department/agency
• Major opportunities and threats
• Risk tolerance levels
• Capacity to manage risks
• Learning needs and tools
• The organization’s risk tolerance, priority setting and ability to mitigate risks
• Linkages between different levels of risks (e.g., operational and overall departmental priorities, business and program risks, sector specific and department-wide)
• Linkages with management processes of the department
Business can use the risk profile:
• To identify potential risk areas and work on them.
• To classify the data (confidential, proprietary and internal use only, public)
• To identify the key business processes and capabilities which if impacted negatively can cause material impact to the operations.
• To identify stakeholders which are important in making risk management decisions.
• All this information if combined and effectively leveraged can be used in aligning business requirements with the expectations.
I agree with you. A small corporation using the risk profile should focus on these aspects:
• key external influences on your business, e.g. political, social, legal
• key internal influences, e.g. organisational objectives
• risk management context, e.g. risk management requirements, objectives, timeframes
I would go about creating the information risk profile by conducting interviews with owners / employees to understand:
1. What the business does
2. How it sustains a competitive advantage
3. Resources utilized to sustain the competitive advantage
4. What would happen if one or all of the resources were compromised?
The information gathering sessions with owners / employees will help assign a value to each IT resource. The value assigned will give us a starting point to budget for the risk-mitigation solutions.
The risk profile would include ISACA’s Key Elements of an Information Risk Profile, which gives a few options I would include on structuring an effective Risk Profile
1. Guiding Principles and Strategic Directives
This information discloses the key business processes, identifies the risk and evaluations of threats, risk-mitigating controls, and budget for risk-mitigation.
2. Information Risk Profile Development
Information on how the profile was created. Will reference those included in developing the Risk Profile
3. Business-State Representation of Information Risk
The Business-State Representation is the current-state of the IT environment. The information will outline the risks with a reasonably high probability of occurring.
4. Future-State Objectives and Requirements
The Future-State identifies the organization’s ideal state of IT risk management and tolerance. The information will show the procedures in progress, a summary, timelines, and the expected level of risk reduction.
5. Key Business Processes & Capabilities
A list of key business processes and capabilities which, if impacted, could severely affect the organization, and the risks for each process.
6. Key Data Elements
The Key Data Elements often include intellectual property, financial data, customer data, and other sensitive data assets.
7. Identification of Data Owners & Stakeholders
This information is used to assign ownership to company data. Assigning ownership provides key duties and responsibilities for each manager, and helps evaluate the solution.
8. Identification of Business Value
The Business value is a perception of what a company’s data is worth. The general rule is, securing the information should never cost more than the value of the information.
9. Data Classification Schema
This Schema categorizes the control objectives and requirements on data-handling. It should be simple and easy to understand for management’s review.
10. Risk Levels and Categories
The Risk levels & Categories places each risk into separate levels and/or categories to provide a scale to represent the business impact for each risk. Risk Levels are broken up into the standard: High, Medium, Low. Risk Categories are broken up into Confidentiality, Integrity, Availability.
The business should use the Risk Profile to understand the risks associated with the critical business functions, the value of the critical functions, the severity of the risks, how it plans on mitigating the risks, and who will be responsible for each risk. It should be used as a guide and should be evaluated to determine its success and whether its risk aversion solutions are cost effective.
http://www.isaca.org/JOURNAL/ARCHIVES/2013/VOLUME-4/Pages/Key-Elements-of-an-Information-Risk-Profile.aspx
Great explanation Deepali and I completely agree with your suggestions. The data obtained through the risk identification process makes it possible to create a risk profile and then prioritize the various risks and profile categories. The profile exposes the gaps in a company’s ability to manage its risk across the spectrum of potential exposures such as legal, political, economic, social, technological, environmental, reputational, cultural, and marketing. Ranking in this situation shows the comparative importance of the risk, including the probability of threats and vulnerability and the probable business impact.
Right Magaly. Based on the ranking we can define the impact of the risk such that:
Catastrophic, Major, Moderate, Minor and negligible.
On the above identification we can make a decision on its safeguard procedures and mitigation plan.
Deepali, thanks for sharing.
I think you have a very good list of principles and directives to create a risk profile for a small start-up company, of what the risk profile for the business contains, and of the purpose of the risk profile, including what it is for. In order to have an efficient risk profile, I would suggest scheduling appointments with employers to go over the background of the company to have a better understanding of the organization’s environment.
Great answer Deepali. As we are talking about startups, there will be two major factors that the company has to keep account of: one is expenditure on risk mitigation and two is establishing a security framework.
The risk profile will help the startup understand the picture from a broader perspective and help management in creating awareness.
Generally startups have budgeting issues and they will need to understand the tolerance level and determine how to prioritize risk handling.