Individuals at Risk
Identity Theft
IRS chief: assume your identity has been stolen: You’ve been told privacy is dead? It’s actually worse than that. Your identity has been reanimated as a zombie and it could be roaming about trying to do things without your consent. NakedSecurity, October 19, 2017
Study finds Californians most vulnerable to identity theft, fraud: Californians are hurt more by identity theft and fraud than residents of any other state, according to a newly released WalletHub study. SacramentoBee, October 18, 2017
Equifax gets a John Oliver roasting. Says Freeze Your Credit. [Video. Adult Language]: Comedian John Oliver on his HBO show “Last Week Tonight” lambasted Equifax and its response to a massive cybersecurity breach in which the personal data of 145.5 million Americans was compromised. TheHill, October 16, 2017
Cyber Defense
To Protect Children From Identity Theft, Parents Must Be Proactive: Picture a 5-year-old’s Social Security card. For identity thieves who get their hands on it, that number could be used to apply for credit cards, rent a home or get government benefits, among other uses, according to the Federal Trade Commission. And it could be years before parents discover their children’s information has been misused. NPR, October 18, 2017
Cyber Warning
Locky Ransomware Spam Infects via Microsoft Office: Attackers wielding Locky ransomware have a new trick up their sleeves: the ability to infect PCs via malicious Microsoft Word documents by using an application-linking feature built into Windows. BankInfoSecurity, October 20, 2017
Kids’ safety threatened by critical security & privacy flaws in kids’ smartwatches, report finds: Has Santa Claus, the Tooth Fairy or the agnostic Birthday Gnome ever gifted your tot a smartwatch? NakedSecurity, October 19, 2017
Cyber Warning — WiFi
KRACK Vulnerability: What You Need To Know: This week security researchers announced a newly discovered vulnerability dubbed KRACK, which affects several common security protocols for Wi-Fi, including WPA (Wireless Protected Access) and WPA2. This is a bad vulnerability in that it likely affects billions of devices, many of which are hard to patch and will remain vulnerable for a long time. Yet in light of the sometimes overblown media coverage, it’s important to keep the impact of KRACK in perspective: KRACK does not affect HTTPS traffic, and KRACK’s discovery does not mean all Wi-Fi networks are under attack. For most people, the sanest thing to do is simply continue using wireless Internet access. Electronic Frontier Foundation, October 19, 2017
What You Should Know About the ‘KRACK’ WiFi Security Weakness: Researchers this week published information about a newfound, serious weakness in WPA2 — the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it. KrebsOnSecurity, October 16, 2017
How to Defend Against the KRACK Vulnerability: It was announced (Monday, 16 October, 2017) that the globally used WPA2 Wi-Fi security protocol has been broken. This standard is the most commonly used security standard used by Wi-Fi networks around the world. The attack targets (and breaks) the 4-way handshake that establishes the use of the unique encryption keys for that session. The attack is called KRACK by its author Mathy Vanhoef. The security community is still learning the details and understanding its impact, so if you can hold off on communicating about it, we would recommend it until everyone has a more complete picture. Long story short, no need to panic. However, if you need to communicate something, here are some basics. SANS, October 16, 2017
Serious flaw in WPA2 protocol lets attackers intercept passwords and much more: Researchers have disclosed a serious weakness in the WPA2 protocol that allows attackers within range of a vulnerable device or access point to intercept passwords, e-mails, and other data presumed to be encrypted, and in some cases, to inject ransomware or other malicious content into a website a client is visiting. ars technica, October 16, 2017
Information Security Management in the Organization
Information Security Management and Governance
PwC Report: 5 steps leaders can take to improve cybersecurity in their organization: Nearly half of companies do not have an overall information security strategy, according to a new report from PwC. Here’s how leaders can step up cybersecurity measures. TechRepublic, October 18, 2017
Cyber Awareness
10 Social Engineering Attacks Your End Users Need to Know About: It’s Cybersecurity Awareness Month. Make sure your users are briefed on these 10 attacker techniques that are often overlooked. DarkReading, October 19, 2017
Survey shows most workers misunderstand cybersecurity: How to improve awareness in your organization. A 2017 report from Wombat Security revealed that most US workers don’t understand concepts like ransomware and Wi-Fi security. These tips will help you improve user cybersecurity awareness. TechRepublic, October 19, 2017
Cyber Warning
Millions of high-security crypto keys crippled by newly discovered flaw: Factorization weakness lets attackers impersonate key holders and decrypt their data. ars technica, October 16, 2017
Cyber Defense
How to Talk to the C-Suite about Malware Trends: There is no simple answer to the question ‘Are we protected against the latest brand-name malware attack?’ But there is a smart one. DarkReading, October 20, 2017
Cybersecurity Lessons from Petya and WannaCry to Better Protect the Network: On May 12th, 2017, the first case of WannaCry ransomware was discovered and within a day, over 230,000 machines were estimated to have been infected in more than 150 countries. The scale and speed of this attack left the industry stunned. ITSP Magazine, October 2017
To be effective, infosec pros need to help IT understand the ‘why’ behind the checklists: Let’s face it, in the CyberSecurity profession, we like to learn things the hard way. When the term computer security first came about, it was in reaction to events occurring and not necessarily by design. Someone broke into a network/computer system and the boss pointed a finger at the first person outside his/her door and said go fix it, make it stop. With that, the first computer security pro was born; born out of necessity. ITSP Magazine, October 2017
Cyber Law
Employees Sue Home Health Provider After Phishing Breach: A class action lawsuit claims that thousands of employees of a home healthcare services firm were harmed by the disclosure of their personal information in a breach earlier this year involving a business email compromise scam. Earlier, regulators fined the company for another breach. BankInfoSecurity, October 19, 2017
Cybersecurity in Society
Cyber Privacy
Microsoft and Justice Department Will Square Off in Supreme Court Over Critical Privacy Case: The US Supreme Court has agreed to hear arguments in a critical case over data privacy, the outcome of which will likely determine how easily law enforcement can gain access to information stored in tech companies’ overseas data centers. Microsoft will go head-to-head with the Justice Department, arguing that the agency cannot use a warrant to collect emails held in Microsoft’s Ireland data center. GIZMODO, October 16, 2017
Cyber Defense
LA Chief Information Security Officer Timothy Lee Among ‘Top 17 State & Local Cybersecurity Leaders to Watch’: I am currently the chief information security officer (CISO) at the City of Los Angeles. I am responsible for overall cybersecurity strategies, policies and initiatives for America’s second largest city. I established and chaired the city’s Cyber Intrusion Command Center and founded the cybersecurity public-private partnership organization LA Cyber Lab. I implemented and direct the city’s first Integrated Security Operations Center (ISOC), which won several awards including the Center for Digital Government’s Cybersecurity Leadership and Innovation Award. Prior to this position, I served as the CISO at the Port of Los Angeles, where I established and managed the port’s cybersecurity program. I concurrently served as network and communication manager responsible for ensuring the support and delivery of the Port’s voice and data communication networks. I have a total of 20 years of experience in the information security, network and telecommunication field. I have an MBA degree and professional certifications in CISSP and PMP. I am a recipient of the 2016 StateScoop 50 Award and I have spoken at several conferences. StateScoop, October 21, 2017
Cyber Freedom
Wary of Hackers, States Move to Upgrade Voting Systems: WASHINGTON — State election officials, worried about the integrity of their voting systems, are pressing to make them more secure ahead of next year’s midterm elections. The New York Times, October 14, 2017
Cyber Law
What Cybersecurity Standard Will a Judge Use in Equifax Breach Suits?: Those affected by data breaches now have increasing opportunities to take their claims to court. Last month, in northern California’s federal district court, Judge Lucy Koh upheld the right of victims to sue Yahoo for massive breaches between 2013 and 2016. Victims of the Equifax hack, which impacted millions more than initially reported, are filing dozens of lawsuits. And in another ruling last month, Koh upheld a class of health insurance company Anthem’s data breach victims’ right to sue for a recently revealed second breach—shortly after Anthem was ordered to pay $115 million to victims and credit-monitors after the first incident. LawFare, October 20, 2017
Financial Cyber Security
Overlay Technique from Brazilian Banking Trojans Making Resurgence: New analysis says heavy reliance on overlays and manual remote execution of transactions being combined with more advanced features of traditional banking Trojans. DarkReading, October 20, 2017
Secure the Village
FBI to DDoS Victims: Please Come Forward: Have you been the victim of a distributed denial-of-service attack? If so, the FBI wants you to please come forward. BankInfoSecurity, October 19, 2017
Cyber Miscellany
Brian Krebs Given Prestigious ISSA’s ‘President’s Award’: KrebsOnSecurity was honored this month with the 2017 President’s Award for Public Service from the Information Systems Security Association, a nonprofit organization for cybersecurity professionals. The award recognizes an individual’s contribution to the information security profession in the area of public service. KrebsOnSecurity, October 16, 2017