Individuals at Risk
Identity Theft
Lax Equifax security culture ignored warning entire database was exposed on Internet: Last year, a security researcher alerted Equifax that anyone could have stolen the personal data of all Americans. The company failed to heed the warning. MotherBoard, October 26, 2017
Equifax under FCA investigation in UK over data breach: The Financial Conduct Authority has launched an investigation into the US credit checking company Equifax, which had the data of almost 700,000 Britons stolen in a catastrophic data breach earlier this year. The Telegraph, October 24, 2017
Cyber Privacy
Dating apps have major security vulnerabilities that could expose users’ private information: Singles looking for love using mobile dating apps could be putting their device security at risk, experts have warned. BetaNews, October 27, 2017
Googler proves any iPhone app with camera permission can secretly record you: This is pretty disturbing. Google engineer Felix Krause has detailed an alarming privacy setting in Apple’s iOS that enables iPhone apps with camera permission to surreptitiously take photos and videos of you – without your knowledge. The Next Web, October 25, 2017
Cyber Update
Security flaw in LG IoT software left home appliances vulnerable: LG has updated its software security after researchers found a flaw that left dishwashers, washing machines, air conditioners, and even a robot vacuum cleaner accessible by hackers. ZDNet, October 26, 2017
Cyber Defense
WPA2 Design Flaw. KRACK Happens: How Bad Is The Vulnerability? What To Do?: After rumors hit the wire over the weekend (possibly even Friday night), Dan Goodin for ArsTechnica broke a story about a flaw in the core Wi-Fi Protected Access II (WPA2) protocol that allows bad actors within physical range of a vulnerable device to intercept and read passwords and, as a consequence, intercept and read information crossing the Wi-Fi channel. Sample information could be e-mails, files shared, and other data transferred to and from a variety of online (a.k.a. “cloud”) services. ITSP Magazine, October 2016
Cyber Warning
Online ads redirecting browsers to malicious landing pages hosting the Terror exploit kit: Security experts are warning some “Quit Smoking” and “20 Minute Fat Loss” ads online are delivering more than sales pitches. According to researchers at Zscaler, ads are redirecting browsers to malicious landing pages hosting the Terror exploit kit. ThreatPost, October 25, 2017
Dell Lost Control of Key Customer Support Domain for a Month in 2017: A Web site set up by PC maker Dell Inc. to help customers recover from malicious software and other computer maladies may have been hijacked for a few weeks this summer by people who specialize in deploying said malware, KrebsOnSecurity has learned. KrebsOnSecurity, October 24, 2017
Fake Cryptocurrency Trading Apps Harvest Credentials and Steal Cash: Hackers are targeting users of the cryptocurrency exchange Poloniex, with two credential-stealing apps that masquerade as official mobile apps for the service. InfoSecurity Magazine, October 23, 2017
Eltima Software’s Elmedia Player and Folx Said to Be Infected With Malware: Mac owners who have recently downloaded Elmedia Player or Folx from Eltima Software may have unwittingly installed malware on their machines, reports ZDNet. MacRumors, October 20, 2017
Information Security Management in the Organization
Information Security Management and Governance
Most SMBs insufficiently concerned about their business being hacked, says Paychex survey: America’s small business owners may want to consider placing a greater emphasis on cyber awareness and best practices year-round. According to a new survey by Paychex, 68 percent of small business owners are not worried about their business being hacked. HelpNetSecurity, October 27, 2017
Cybersecurity is now top concern in third-party risk management: While concerns about third-party risk remain high – particularly regarding cyber security – 58% of organizations ranked their programs as maturing or advanced, according to NAVEX Global. HelpNetSecurity, October 27, 2017
Facebook is struggling to meet the burden of securing itself, security chief says: Facebook is struggling to live up to the responsibility it faces for adequately securing the vast amount of personal information it amasses, the social network’s top security executive said in a leaked phone call with company employees. Ars Technica, October 19, 2017
Cyber Defense
Strong Authentication Still Elusive for Businesses: Businesses are continuing to rely on passwords, and those that are implementing additional authentication factors are choosing outdated options like static questions and SMS codes that leave them vulnerable to data breaches. InfoSecurity Magazine, October 25, 2017
Cybersecurity in Society
Cyber Attack
Postmortem Finds NHS ‘Could Have Prevented’ WannaCry: The National Health Service in England should have been able to block the “unsophisticated” WannaCry ransomware outbreak that hit the world in May, government auditors say. But the failure of so many NHS trusts and organizations to block WannaCry means that unless substantial cybersecurity improvements get made, the NHS will remain easy pickings for online attackers (see British Security Services Tie North Korea to WannaCry). BankInfoSecurity, October 27, 2017
EternalRomance Exploit Found in Bad Rabbit Ransomware: One day after clear ties were established between the Bad Rabbit ransomware attacks and this summer’s NotPetya outbreak, researchers at Cisco today strengthened that bond disclosing that the leaked NSA exploit EternalRomance was used to spread the malware on compromised networks. ThreatPost, October 26, 2017
BadRabbit Attack Appeared To Be Months In Planning: Repeat question from this year’s NotPetya outbreak: Who’s gunning for Ukraine and how many organizations in other countries will be caught in the crossfire? BankInfoSecurity, October 27, 2017
Cyber Warning
Hackers target security researchers with malware-laden document: State-backed hackers are trying to deliver malware to people interested in cybersecurity, using malicious documents about a real conference as a lure. ZDNet, October 23, 2017
APT28: A complex Mac virus that may signal the shape of tomorrow’s malware: Macs are the go-to device for professionals and high-level officials the world over. Beautifully designed, extremely optimized for performance, and tagged with a price that reflects a premium product, Macs are more than a tool – they are a statement. In keeping with this reputation, you would not expect malware designed for Macs to be the run-of-the-mill, easy-to-block creations we see on other platforms. Advanced Mac threats cost a fortune to develop – but when they hit the designated target, it’s jackpot for the cyber-criminals. MacWorld, October 17, 2017
Reaper: Calm Before the IoT Security Storm?: It’s been just over a year since the world witnessed some of the world’s top online Web sites being taken down for much of the day by “Mirai,” a zombie malware strain that enslaved “Internet of Things” (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks. KrebsOnSecurity, October 23, 2017
Know Your Enemy
Dark Web Marketplaces’ New Home: Mobile Messaging Apps: Telegram, Discord, WhatsApp grow in popularity as criminals look for more alternatives to fly under the radar. DarkReading, October 26, 2017
Cyber Privacy
Bermuda law firm warns rich clients of Panama Papers-style data breach: 120-year-old law firm admits that it’s been busted and sensitive documents spilled to investigative journalists. Computing, October 26, 2017
Cyber Freedom
Georgia E-voting Server Wiped Clean after Lawsuit Challenges Reliability & 6th District Race Outcome: (APN) ATLANTA — A new revelation has sent shockwaves statewide and may be the final nail in the coffin of Georgia’s faith-based electronic voting regime. Atlanta Progressive News, October 27, 2017
Twitter bans ads from RT and Sputnik over election interference: Twitter has announced that it will stop taking advertising from all accounts owned by RT and Sputnik, effective immediately as US lawmakers continue to investigate the impact of foreign-sponsored fake news on the 2016 election. The Guardian, October 26, 2017
Massive 30-state voter registration database has major security flaws. Info on 100 million exposed: For several years, a nationwide voter-fraud prevention coalition has been using poor security methods in sending and storing millions of voter registration records, according to an advocacy group’s examination of official emails pertaining to the program. CyberScoop, October 24, 2017
Cybersecurity essential to protecting our economy, democracy, and way of life, says Google exec: In November 2014, the Guardians of Peace — a group affiliated with the North Korean government — hacked Sony Pictures because the studio was planning to release “The Interview,” a movie they felt insulted their CNN, October 20, 2017
Financial Cybersecurity
Unpatched Bugs Rampant on Mobile Devices in Financial Services Firms: More than a quarter of mobile devices used by financial services employees carry known vulnerabilities, according to a recent report. DarkReading, October 23, 2017
North Korean hackers suspected of targeting Nepali bank SWIFT codes: Cybercriminals used stolen SWIFT codes to transfer money from multiple Nepali banks on Oct. 19, 2017. SC Magazine, October 23, 2017
Cyber Medical
Hackers Can Exploit Zoom Latitude Medical Device to Access Patient Information, Feds Advise: (TNS) — The Department of Homeland Security said a medical device from Boston Scientific called the Zoom Latitude programmer, used by doctors to communicate with implanted pacemakers and defibrillators, can be exploited by computer hackers to give out patients’ personal health information. GovTech, October 26, 2017
Critical Infrastructure
Hackers are attacking power companies, stealing critical data: Here’s how they are doing it: Attackers are particularly interested in industrial control systems — and they’re still at it right now. ZDNet, October 23, 2017