Baltimore: the latest from Cybersecurity Risk Management 360
"An Executive's Guide to a Comprehensive Cybersecurity Risk Strategy" (The CyberWire) The way forward to better board-level and C-suite awareness and understanding of cyber security risk
Cyber Attacks, Threats, and Vulnerabilities
Anonymous Conducts Usual DDoS Attacks on Israel for #OpIsrael (Hack Read) The first attacks in connection with #OpIsrael occurred in 2013, when several factions of the Anonymous hacking collective jointly launched multiple coordinated cyber-attacks against Israeli websites on the eve of Holocaust Remembrance Day, on April 8
Experts: Annual 'Anonymous' cyber-attack effort largely unsophisticated, unsuccessful. (Jerusalem Post) Private Israeli websites faced a number of largely unsophisticated cyber-attacks on Thursday, following an annual call by the Anonymous hacking network to target Israeli sites on April 7
Anonymous’ ‘Hack Israel Day’ Could Impact the Entire World (re/code) Israel was hit by a massive cyber offensive today. But unlike other attacks (APTs, criminal campaigns, etc.) to hit the nation, this one has been announced in advance
Panama Papers breach was the result of lax security practices? (Help Net Security) News items based on the so-called “Panama Papers,” a set of 11.5 million documents leaked from the networks of Panama-based law firm Mossack Fonseca, keep popping up, but it’s still unknown who the person behind the leak is and how he or she managed to get ahold of the documents
Will The Panama Papers Make All Law Firms A Bigger Target? (Threat Brief) The massive haul of data from the Mossack Fonseca Panama Papers breach includes over 2.6 terabytes of data, the largest known breach in hacking history
Mac Adware OSX.Pirrit Unleashes Ad Overload, For Now (Threatpost) Researchers discovered a Mac OS X variant of the Windows-based Pirrit adware that creates a proxy server on infected Mac computers and injects ads into webpages. According to researchers at Boston-based Cybereason Labs, the adware, dubbed OSX.Pirrit, is mostly benign, serving up just ads, but has the potential to morph into something more sinister
Linux botnet attacks increase in scale (ZDNet) Linux-targeting malware family is a "high" risk, warn security researchers
New application level attack bodes ill for hybrid DDoS protection (Help Net Security) Imperva has recently witnessed a new type of DDoS attack they believe might become a go-to for cyber criminals looking to take sites and services down
135 million Arris modems vulnerable to reboot attacks (Graham Cluley) No password required
After Tax Fraud Spike, Payroll Firm Greenshades Ditches SSN/DOB Logins (KrebsOnSecurity) Online payroll management firm Greenshades.com is an object lesson in how not to do authentication
Latest tax-related data breach could affect employees and their children (CSO) Construction firm says employees and their children could be affected by security incident on tax vendor's network
Researchers release PoC exploit code to bypass broken IBM security patch (ZDNet) Broken patches for security issues are simply not enough
Kaspersky delves deep into Locky threat, which has spread to 114 countries (SC Magazine) A thorough analysis of the ransomware Locky by Kaspersky Lab has yielded a series of highly detailed insights on the pernicious software, according to the company's Securelist blog post
The latest Flash zero-day was used to spread Cerber ransomware (PCWorld) Adobe plans to patch the flaw on Thursday
OK, panic—newly evolved ransomware is bad news for everyone (Ars Technica) Crypto-ransomware has turned every network intrusion into a potential payday
Ransomware, hospital hacking present growing cybersecurity threats (KOMO News) As MedStar Health worked toward restoring its major information technology systems after a massive cyberattack this week, cybersecurity experts say the incident may be the latest example of a much larger threat that could put patients across the country at risk
Victims paid more than $24 million to ransomware criminals in 2015 — and that's just the beginning (Business Insider via Yahoo! News) The US Departments of Justice (DOJ) and Homeland Security (DHS) last week provided new insights into the impact of ransomware and cyberattacks on public institutions and the public
Homeland Security's Ransomware Tip: Not Paying is the Only Current Solution (Inverse) Ransomware seems to be the trending method of cyber attack in 2016: Apple users have been hit, U.S. agencies have been targeted, and a California hospital last month paid $17,000 in ransom fees after malicious software shut down its computer systems. The style of online attack has become such a problem, in fact, that there’s now an international effort to deliver public guidance on the topic
Cyber fraudsters reap billions through email wire-transfer scams (Reuters via Business Insurance) Businesses have lost billions of dollars to fast-growing scams in which fraudsters impersonate company executives in emails that order staff to transfer funds to accounts controlled by criminals, according to the U.S. Federal Bureau of Investigation
Dell Secureworks reports on economic upheaval in the hacker black market (SC Magazine) A new report from Dell Secureworks has highlighted new fluctuations in the hacker underground
The Global Cyber Crime Underground: What Are They and What Do They Sell? (Cyveillance) Cyber crime is projected to cost the global economy an astounding $445 billion. To put that amount into perspective, Russia’s national budget for 2014 was $440 billion
Overnight Healthcare: Watchdog finds security flaws in state ObamaCare exchanges (The Hill) A federal watchdog has found security flaws in state-run ObamaCare exchanges in California, Kentucky and Vermont, potentially putting millions of customers' data at risk
Covered California Website At Risk For Cyber Attack, Feds Say (CBS San Francisco) Federal investigators say the website for Covered California is at risk for a cyber-attack
FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen (Threatpost) The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data
Who owns corporate data? Employees think they can just take it (Help Net Security) A third of all employees believe they own – or share ownership of – the corporate data they work on, with half thinking they can take the data with them when they leave, according to Veriato
Almost half of dropped USB sticks will get plugged in (Naked Security) People are still plugging in USB sticks scattered around parking lots, a new study has confirmed
Security Patches, Mitigations, and Software Updates
Security updates available for Adobe Flash Player (Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. Please refer to APSA16-01 for details
Have Adobe Flash? Update now against actively-exploited zero-day flaw (Graham Cluley) Emergency security update released as ransomware attacks launched
Killing a Zero-Day in the Egg: Adobe CVE-2016-1019 (Proofpoint) On April 2, 2016, Proofpoint researchers discovered that the Magnitude exploit kit (EK) [1] was successfully exploiting Adobe Flash version 20.0.0.306
Juniper Releases Update for ScreenOS (US-CERT) Juniper has released ScreenOS version 6.3.0r22 to address issues with encryption methods used in prior versions
Pro-face Clears GP-Pro EX HMI Holes (ISS Source) Pro-face created a module to mitigate one information disclosure and two buffer overflow vulnerabilities along with a hard-coded credentials hole in its GP-Pro EX HMI software, according to a report on ICS-CERT
Cyber Trends
For Legal, More Pitfalls than Praise In Panama Papers ‘Ethical Hacking’ (Legaltech News) Deemed the biggest breach in history, the Panama Papers shines a spotlight on the rise of many law firms’ unpreparedness and susceptibility to ethical hacking
Privacy takes center stage in security discussions after years of being kept in the background (Cisco Blogs) With the International Association of Privacy Professionals gathering this week to discuss evolving regulatory requirements and rising customer expectations, there’s no better time to talk about privacy
1 in 5 enterprises admit to mobile data breach resulting from BYOD (Economic Times CIO) Data leakage threat more prevalent than ever as employees look to access sensitive corporate information on mobile devices outside the corporate network
Tripwire Study: Energy Sector Sees Dramatic Rise in Successful Cyber Attacks (BusinessWire) Tripwire, Inc., a leading global provider of endpoint detection and response, security and compliance solutions, today announced the results of a study conducted for Tripwire by Dimensional Research
Reports find high security risks among policies for third-party vendors (SC Magazine) Two recent reports highlight the security and privacy threats posed by third-party vendors. The reports examine companies' procedures for handling third-party vendor permissions and the ability of companies to track these vendors' activities
Organisations Are Shifting Their Cybersecurity Strategies From Reactive To Agile (RealWire) End users are now the most vulnerable point of entry into an organisation forcing them to shift away from fear-based to opportunity-based cybersecurity
Sifting suspicious user behavior to find real threats (GCN) Although only a fraction of all cyber activities are suspicious, pinpointing the problem is still a daunting task, a new report found
Marketplace
KEYW awarded $152M contract for cyber training (Capital Gazette) Hanover-based KEYW Corporation will be paid $152 million over five years to provide cyber training to a U.S.-based customer, the company announced this week
BRIEF-KEYW Holding announces intent for sale of Hexis Commercial Cyber Solutions Business (Reuters) KEYW outlines new strategic growth plan at analyst & investor day. Announces that it has executed letters of intent for sale of its Hexis commercial cyber solutions business
Here's What Dell and EMC Corp. Are Selling off as Acquisition Nears (AustinInno) Dell and EMC Corp. are shrinking their corporate footprints as they prepare for a merger in the second half of 2016
Meet Zerodium, the company that pays $1 million for Apple hacks (CNN Money) There's a vibrant underground market for tools to hack you, but one company is making offers out in the open
Is It Time to Dump Palo Alto Networks? (Guru Focus) Given the steep rise in Palo Alto Networks' share price, investors can consider booking profits
10 Top Tech Companies Poised For Massive Layoffs (InformationWeek) Tech workers across the nation may witness a massive pink slip parade this year, should one Wall Street analyst's prediction of more than 260,000 tech layoffs in 2016 come true. Here's a look at the top 10 companies on his list and why they are there
French military upgrades telecommunication networks (C4ISR & Networks) Thales has been awarded two contracts to upgrade the French Ministry of Defense's data and telephony infrastructure networks
Tresys Welcomes Kemper as SVP of Business Development and Sales (BusinessWire) Tresys Technology, a global leader in cyber defense, announced today that Jackson Kemper III has joined the company as senior vice president of business development and sales
Amid FBI Scrutiny, 5 Cyber Execs Join a Maryland Encryption Firm (DC Inno) Bethesda, Md.-based cybersecurity firm KoolSpan, a 13-year-old tech company that specializes in providing encrypted communications to enterprise customers, is welcoming a new batch of board members
Products, Services, and Solutions
Hexadite Adds Industry-First Mac and Linux Coverage to Intelligent Security Orchestration and Automation Platform (BusinessWire) Expanded OS support confirms commitment to automating incident response on every device
Dispel targets enterprises with broader privacy-as-a-service offering (FierceITSecurity) Dispel announced Thursday that it has broadened access to its privacy-as-a-service offering to Android devices and Linux operating systems with an eye toward the enterprise market
Technologies, Techniques, and Standards
An Overlooked Insider Threat? Many Fear Vendor-Related Breach: Survey (Legaltech News) As companies increasingly rely on vendors, many fail to take security concerns into account when allowing external access to their networks
Is Your Administrator a Cyber Security Weak Point? (FIN Alternatives) Last year will go down as the one in which cybersecurity made it to the top of the priority list for hedge funds
Don’t let embarrassment about a data breach cost you even more (Computer World) Cyberthieves prey on human nature for even more profit
Panama Papers and security best practices (FierceITSecurity) Well, the Panama Papers breach has certainly been in the news
Defenders Need to Embrace Offensive Security Skillsets (Threatpost) Defense may win football championships, but it gets steamrolled in computer security arenas
5 ways to become a smaller target for ransomware hackers (News & Advance) Hacking for ransom is on the rise — on pace to beat out last year's figures — and hits people where it hurts, locking them out of files, photos and critical records until they pay hackers a bounty to restore their access
Security Features Nobody Implements (Internet Storm Center) "Nobody" may be wording it a bit strong. But adoption of these security features is certainly not taking off. If you can think of any features I forgot, then please comment
Securing apps: scan code for vulnerabilities or rewrite from scratch? (CSO) How to remedy the epidemic of security incidents that result from exploits against defects in software
Inconsistent API Security Puts App Economy At Risk (Dark Reading) Better ownership and accountability needed in security APIs, report finds
Design and Innovation
In recent test, blockchain brings transparency to notorious credit default swaps (Ars Technica) Big banks partnered with data and software providers to try out blockchain
Biometrics Offers The ‘Perfect Balance’ Of Security And Usability (TechWeekEurope) Biometrics technology has been around for a while; now it’s time to utilise it properly, Intelligent Environments CTO tells TechWeekEurope
SDN Could Anchor Security for IoT, Federal Network Modernization (SIGNAL) Government conversations related to safeguarding cyberspace spin around policy as much as technology, particularly when it comes to sluggish efforts to modernize networks
Research and Development
Solving Google reCAPTCHAs – without using humans (Naked Security) Three security researchers from Columbia University in New York recently published a paper with a rather dramatic sounding title: ✔︎ I’m not a human: Breaking the Google reCAPTCHA
I’m not a human: Breaking the Google reCAPTCHA (Black Hat Asia 2016) Since their inception, captchas have been widely used for preventing fraudsters from performing illicit actions
Legislation, Policy, and Regulation
EU-US Privacy Shield may not pass muster, according to leaked extract (Ars Technica) EU data authorities might go to court if Commission forges ahead anyway
Can this video parody get Brits to care about online privacy? (TechCrunch) After John Oliver used humor to tackle the U.S. surveillance reform debate last year, to try to get Americans to care about online privacy
For Japan, Panama Papers are tool to skewer China (USA Today) The names of major public figures in Japan have been conspicuously absent from documents — the so-called Panama Papers — related to a growing international tax haven scandal, but that doesn’t mean the issue is being ignored in the world’s third-largest economy
China's Psychological War on Taiwan (National Interest) The uncertainty surrounding the cross-strait policy of Taiwan’s newly elected president, Tsai Ing-wen, has produced a great deal of unease and concern in Beijing
U.S. Adds China’s Internet Controls to List of Trade Barriers (New York Times) China’s notorious online controls have long been criticized as censorship by human rights groups, businesses, Chinese Internet users and others. Now they have earned a new label from the American government: trade barrier
Rogers’ nightmare: weaponization of cyber by terrorists (Defense Systems) While non-state actors today are not on par with nation states as far as cyber capabilities are concerned, terrorist groups, criminals, hackers and the like could possess destructive capabilities enjoyed by a small circle of nations in the not-so-distant future
Exclusive: White House declines to support encryption legislation - sources (Reuters) The White House is declining to offer public support for draft legislation that would empower judges to require technology companies such as Apple Inc to help law enforcement crack encrypted data, sources familiar with the discussions said
Opposition mounts to NSA’s data-sharing plans (The Hill) Civil liberties and government transparency groups are rallying to oppose a new plan that would allow the National Security Agency (NSA) to share more of the information that it collects about people’s communications and activity on the Internet with other federal agencies
Senator Markey wants government informed of aviation cyber attacks (Reuters) A U.S. senator on Thursday introduced legislation calling for airlines and aircraft manufacturers to disclose cyber security incidents to federal authorities, saying the aviation system lacks sufficient standards and oversight
Clapper takes extraordinary step of asking intel chiefs to lead document classification review () In a recent memo, National Intelligence Director James Clapper took the extraordinary step of asking intelligence directors to be more active in the process of reviewing their classification guidance and removing obsolete security requirements every five years
Hack the Pentagon an Olive Branch to Security Researchers (Threatpost) Lisa Wiswell’s phone rang off the hook last summer in the throes of the OPM hack. But she wasn’t just answering questions from those whose security clearance and personal data disappeared into the Chinese ether; there were also hackers on the other end of the line offering their help
Litigation, Investigation, and Law Enforcement
FBI debates sharing iPhone hacking details with Apple (CBS News) The FBI has not decided whether to share details with Apple about how the bureau hacked into an iPhone linked to a California terrorism investigation, FBI Director James Comey says
German police arrest international cyber ring suspect (Reuters) Police investigating a ring of global cyber criminals arrested the 22-year-old main suspect in Germany and carried out raids across several countries, prosecutors in the west German city of Koblenz said on Wednesday
European anti-terror efforts hobbled by lack of trust, shared intelligence (McClatchy) There’s no European equivalent of the FBI that investigates cases across borders
First on CNN: Top U.S. intel official: Europe not taking advantage of terror tracking tools (CNN) A top U.S. counterterrorism official in charge of ensuring terrorists do not make it into the United States said European countries can do more to screen terrorists because they don't take full advantage of tools the U.S. has offered in the fight against terrorism
Mumblehard takedown stops army of Linux servers from spamming (WeLiveSecurity) One year after the release of the technical analysis of the Mumblehard Linux botnet, we are pleased to report that it is no longer active. ESET, in cooperation with the Cyber Police of Ukraine and CyS Centrum LLC, has taken down the Mumblehard botnet, stopping all its spamming activities since February 29th, 2016
Mumblehard spam-spewing botnet floored (Register) Single point of failure key in takedown
Israelis arrested on suspicion of spying on Romanian anti-corruption prosecutor (Israel Hayom) Four Israelis, at least two of them former Mossad agents, are under investigation for spying on and intimidating Romanian anti-corruption prosecutor Laura Codruta Kovesi. Private Israeli intelligence company Black Cube was reportedly hired to spy on Kovesi
Neutered random number generator let man rig million dollar lotteries (Ars Technica) RNG bypass code allowed security chief to know winning numbers in advance
Millions of child support records stolen, D.C. officials want answers (CSO) Two people have been arrested, but the stolen drives are still missing
Vengeful Hacker Risks Ten Years in Prison for DDoSing Security Firm's Website (Softpedia) A man from Oklahoma City is risking ten years in prison after harassing a security researcher that helped law enforcement catch and send to jail a fellow member of his hacking crew