Cyber Crime
FBI: Businesses Lost $215M to Email Scams: It’s time once again to update my Value of a Hacked Email Account graphic: According to a recent alert from the FBI, cyber thieves stole nearly $215 million from businesses in the last 14 months using a scam that starts when business executives or employees have their email accounts hijacked. KrebsOnSecurity, January 15, 2015
Cyber Attack
The Internet of Dangerous Things: Distributed denial-of-service (DDoS) attacks designed to silence end users and sideline Web sites grew with alarming frequency and size last year, according to new data released this week. Those findings dovetail quite closely with the attack patterns seen against this Web site over the past year. KrebsOnSecurity, January 29, 2015
Cyber Privacy
Is Your Data Safe at Healthcare.gov?: If you’re concerned about online privacy, you’ve likely read a lot about what happens to the information you enter into sites like Facebook or Google. But now another website is generating privacy worries: Healthcare.gov. The New York Times, January 23, 2015
Brit Proves Google’s Eric Schmidt Totally Wrong: Super Cookies Can Track Users Even When In Incognito Mode: It was either ignorance or disingenuousness. Or it could have just been a stupid mistake. In mid-December, Google chairman Eric Schmidt gave some unsound advice during an interview at the Cato Institute in Washington D.C., upon being quizzed about the potential for his employer to pass on information to intelligence agencies. “If you’re concerned, for whatever reason, you do not wish to be tracked by federal and state authorities, my strong recommendation is to use [Google Chrome’s] incognito mode, and that’s what people do,” he said. Many a facepalm was landed soon after his comments were transmitted to the wider world over Twitter. Forbes, January 5, 2015
Financial Cyber Security
Choice Escrow Fraud Case Settled: The long legal battle between Choice Escrow and Land Title LLC and Mississippi-based BancorpSouth over a $440,000 account takeover case dating back to 2010 is finally over. BankInfoSecurity, September 10, 2014
Account Takeover: Utility Sues Bank: A Tennessee utility has sued its bank after a $327,000 account takeover incident. This new case shows why institutions must go above and beyond when it comes to detecting and thwarting fraud losses. BankInfoSecurity, August 14, 2014
Fed Issues New Study of Payments Fraud: Congress, banking regulators and the payments industry have spent the past six months debating the strengths and weaknesses within the payments infrastructure (see Retail Breaches: Congress Wants Answers). BankInfoSecurity, August 11, 2014
Identity Theft
Medical identity theft: Why you should worry: A woman we’ll call “Jane” found herself listed as the mother of a baby whose drug-addicted birth mother abandoned the child at the hospital and stole Jane’s health insurance information. The ensuing nightmare scenario — in which Jane was threatened with the removal of her real children from her home and faced financial and legal hardships — is an extreme example of the danger of medical identity theft. Bankrate, January 30, 2015
Cyber Warning
Beware: Porn-Based Malware Is Sweeping Across Facebook: Don’t click any porn links on Facebook. Just don’t. It’s a good rule of thumb, but there’s an extra good reason right now. There’s a troubling type of porn-based malware that’s apparently infected over 110,000 Facebook users in two days. And you could get the same Click Transmitted Disease. Gizmodo, January 30, 2015
Cracking Dildos And Dollies: Hackers Expose Vulnerabilities In Connected Toys: For whatever reason, someone thought it wise to manufacture sex toys that connect to the internet. To Ken Munro, who heads up security firm Pen Test Partners, this has provided an opportunity to flex his own penetration prowess. Of the digital, not the physical, kind. Forbes, January 30, 2015
Scary ‘Ghost’ vulnerability leaves Linux systems vulnerable to possession: A fault in a widely used component of most Linux distributions could allow an attacker to take remote control of a system after merely sending a malicious email. PCWorld, January 28, 2015
Malware makers try to cash in with fake YouTube views: Programmers of malware software have found a new way of making their exploits pay: A newly-discovered scam downloads malware to unsuspecting users’ computers and then makes those machines watch YouTube videos to cash in on the video service’s partner program. The malware, dubbed Trojan.Tubrosa, was able to generate more than two million views for videos uploaded by the malware makers, according to security researchers at Symantec. GigaOm, January 26, 2015
Google leaves most Android users exposed to hackers: An executive confirms Google has no plans to fix a security hole in the default browser for older versions of Android, which around 60 percent of all Android users rely on. CNet, January 24, 2015
‘Masquerading’: New Wire Fraud Scheme: A new impersonation scheme is taking aim at business executives to perpetuate ACH and wire fraud, says Bank of the West’s David Pollino, who explains steps institutions should take now to protect their customers. BankInfoSecurity, July 28, 2014
Cyber Security Management
How The Skills Shortage Is Killing Defense in Depth: It used to be easy to sell specialized security gizmos but these days when a point product gets pitched to a CSO, the response is likely “looks nifty, but I don’t have the staff to deploy it.” DarkReading, January 30, 2015
CLBR #168: Stan Stahl Returns to Discuss the State of Cyber Security from Sony to DC to Sacto: Stan Stahl returns for the 7th time to give us an update on the state of cyber security today from Sony to Washington and even Sacramento, where he is part of the Cyber Security Task Force. CyberLawRadio, January 28, 2015
Cyber Security Management – Cyber Defense
Google Paid Over $1.5 Million In Bug Bounties In 2014: Google last year doled out more than $1.5 million to security researchers who rooted out vulnerabilities in its open-source software and web services. DarkReading, January 30, 2015
Cyber Security Management – Cyber Update
Yet Another Emergency Flash Player Patch: For the second time in a week, Adobe has issued an emergency update to fix a critical security flaw that crooks are actively exploiting in its Flash Player software. Updates are available for Flash Player on Windows and Mac OS X. KrebsOnSecurity, January 27, 2015
Securing the Village
Pointing the Finger: President Obama mentioned cybersecurity only briefly during last week’s State of the Union. The four vague sentences tucked in between discussions of Iran and Ebola touched on a variety of different issues and didn’t offer many clues as to how the president plans to ensure that no one can “shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.” But in the buildup to the address, the White House made much of its new cybersecurity initiatives. Those proposals offer a glimpse into the administration’s perspective on one of the more divisive areas of computer security policy: defender liability. Slate, January 26, 2015
California must lead on cybersecurity: No state has more at stake on cybersecurity than California. From Hollywood’s intellectual property to the Central Valley’s water reserves to Silicon Valley’s cloud services, the Golden State is at singular risk. But, as the world’s innovation capital, California also has a unique opportunity to advance cybersecurity. Sacramento Bee, January 25, 2015
Cybersecurity Non-Profits Should Be America’s Secret Weapon in Obama’s Cyberwar Plan: It is inevitable that the United States government will fund a cyberwarfare capability, as discussed in President Obama’s State of the Union Address. Other nations have already begun preparing for cyberwarfare, and the United States is no exception. With the number of cyberattacks growing and their impact widening in the last three years, President Obama is wisely looking for ways to fortify cybersecurity in the United States. Forbes, January 25, 2015
Cyber Underworld
Spreading the Disease and Selling the Cure: When Karim Rattani isn’t manning the till at the local Subway franchise in his adopted hometown of Cartersville, Ga., he’s usually tinkering with code. The 21-year-old Pakistani native is the lead programmer for two very different yet complementary online services: One lets people launch powerful attacks that can knock Web sites, businesses and other targets offline for hours at a time; the other is a Web hosting service designed to help companies weather such assaults. KrebsOnSecurity, January 26, 2015
National Cyber Security
Steptoe Cyberlaw Podcast, Episode #51: A Debate with Thomas Rid and Jeffrey Carr: Episode 51 of the podcast features a debate on attributing cyberattacks. Our two guests, Thomas Rid and Jeffrey Carr, disagree sharply about how and how well recent cyberattacks can be attributed. Thomas Rid is a Professor of Security Studies at King’s College London and the author of Cyber War Will Not Take Place as well as a recent paper on how attribution should be done. Jeffrey Carr, the founder and CEO of Taia Global, remains profoundly skeptical about the accuracy of most attribution efforts in recent years. Lawfare, January 28, 2015
The Next Step in the Cybersecurity Plan: Speaking at the National Cybersecurity and Communications Integration Center in Arlington, Virginia, Obama said since much of the nation’s critical infrastructure – financial systems, power grids, pipelines, health care systems – runs on networks connected to the Internet, cybersecurity is a matter of public safety and of public health. US Defense Department, January 28, 2015
Source code reveals link between NSA and Regin cyberespionage malware: Keylogging malware that may have been used by the NSA shares significant portions of code with a component of Regin, a sophisticated platform that has been used to spy on businesses, government institutions and private individuals for years. PCWorld, January 27, 2015