Individuals at Risk
Cyber Danger
Breaches Drive Consumer Stress over Cybersecurity: As major data breaches make headlines, consumers are increasingly worried about cyberattacks, password management, and data security. DarkReading, May 2, 2018
Cyber Update
Adobe Acrobat vulnerability can compromise you with just a click. Update now!: A flaw in the popular Acrobat DC document reader could let hackers into your computer, researchers from Cisco Talos revealed Tuesday. There’s a fix out for the vulnerability already. CNET, May 15, 2018
Cyber Defense
How to Deal With mshelper, the Latest Mac Malware: It’s been a long time since Apple could claim its computers were really virus-free. Even mighty Mac owners have to keep an eye out for the latest vulnerabilities and malware, just like everyone else, and there’s some new malicious Mac software making the rounds that you should know about. LifeHacker, May 18, 2018
Google will force Android OEMs to push out security patches regularly: Android P, the ninth major version of the widely-used mobile OS, is expected to be released later this year. HelpNetSecurity, May 18, 2018
The Cybersecurity 202: Security community has its own encryption debate after discovery of new flaw: Security experts are at odds over how to respond to new research showing hackers could decrypt emails that were supposed to be protected by a popular encryption tool known as PGP, or Pretty Good Privacy. The Washington Post, May 15, 2018
Cyber Warning
One Year After WannaCry: A Fundamentally Changed Threat Landscape: It’s been one year this week since the ransomware known as WannaCry infected more than 200,000 machines in 150 countries, causing billions of dollars in damages and grinding global business to a halt. The speed and scale of the attack – helped along by leaked National Security Agency hacking tools – was obviously notable, but it’s WannaCry’s legacy that resonates today. The cyber-landscape has fundamentally changed, with threat actors increasing almost exponentially in their capabilities, sophistication and ambition. ThreatPost, May 17, 2018
New Vega Stealer malware seizes payment info from Chrome and Firefox: New malware designed to steal financial data and passwords from Chrome and Firefox has been discovered by researchers. TrustedReviews, May 15, 2018
Attention PGP Users: New Vulnerabilities Require You To Take Action Now: A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages. EFF, May 13, 2018
Essays: Banning Chinese Phones Won’t Fix Security Problems with Our Electronic Supply Chain: Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users. Schneier On Security, May 8, 2018
Cyber Education
Fast-Growing Startup Cybrary Helps Bring Cybersecurity Training to the Masses: When DC Inno last checked in with online cybersecurity training company Cybrary in 2015, it was just celebrating its debut and unveiling a program to help teach D.C.-based Iraqi refugees cybersecurity techniques. DCINNO, May 18, 2018
Information Security Management in the Organization
Information Security Management and Governance
Cybersecurity from the Top: I was 20 years old, fresh out of college and had my first real job as a security system technician. It was a great opportunity and I was extremely excited to do what it took to succeed. I had a bit of anxiety about one part of the role – climbing heights to install and service security devices. In those days, we were not provided any fall safety equipment. We worked on ladders, used scissor lifts and repaired rooftop cameras without a second thought – just boots and tools. I vividly remember one incident, when a coworker asked me to hold him by his pants belt as he stepped outside the scissor lift at 35-feet above the ground. We were lucky there was never an injury – I wasn’t educated or trained in safety and neither was my employer. SecurityInfoWatch, May 17, 2018
Cybersecurity And The Board’s Responsibilities — ‘What’s Reasonable Has Changed’: Michael Yaeger focuses his practice on white collar criminal defense and investigations, securities enforcement, internal investigations, accounting fraud, cybercrime/cybersecurity and data security matters, as well as related civil litigation. Yaeger also leads internal investigation and cybercrime-related representations for financial services companies and provides guidance on drafting written information security plans and incident response plans for investment advisers. Forbes, April 19, 2018
Cyber Defense
Enterprise vulnerability management as effective as ‘random chance’: New research suggests that predictive models could pave the way for more efficient cybersecurity remediation strategies. ZDNet, May 15, 2018
What is cyber resilience? Building cybersecurity shock absorbers for the enterprise: Sure, you’ve prepared for attacks and breaches, but how well can core business processes function when a crisis hits? CSO, May 7, 2018
Cyber Insurance
The Insurance Industry: An Important Part of the Fight against Cybercrime: The steep uptake in cybercrime has given rise to a new breed of specialist firms offering more than just a policy for indemnity. CBR, May 18, 2018
S.C. governor signs insurer cyber security into law: South Carolina became the first state to have a cyber security law requiring insurers to establish a “strong and aggressive” program to protect companies and their consumers from a data breach, with Gov. Henry McMaster’s signing of legislation this week, according to the state insurance department. Business Insurance, May 11, 2018
Cyber Talent
What Stops Millennials From Pursuing Cybersecurity Career?: It’s been widely reported that the global cybersecurity talent shortage is projected to reach 1.8 million unfilled roles by 2020. In the meantime, the talent shortage causes open cybersecurity jobs to often take months or even years to fill, while cybercriminals capitalize on short-staffed businesses. Fueling the widening gap are perception challenges about careers in cybersecurity, negligible information about the field, lack of access to early instruction and mentoring, and unrealistic recruiting requirements. CXOToday, May 18, 2018
Cybersecurity in Society
Cyber Crime
T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account: T-Mobile is investigating a retail store employee who allegedly made unauthorized changes to a subscriber’s account in an elaborate scheme to steal the customer’s three-letter Instagram username. The modifications, which could have let the rogue employee empty bank accounts associated with the targeted T-Mobile subscriber, were made even though the victim customer already had taken steps recommended by the mobile carrier to help minimize the risks of account takeover. Here’s what happened, and some tips on how you can protect yourself from a similar fate. KrebsOnSecurity, May 18, 2018
Cyber Privacy
Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site: LocationSmart, a U.S.-based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization — KrebsOnSecurity has learned. The company took the vulnerable service offline early this afternoon after being contacted by KrebsOnSecurity, which verified that it could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards. KrebsOnSecurity, May 17, 2018
Know Your Enemy
Inside the Takedown of a Notorious Malware Clearinghouse: Most antivirus scanners play a classic cat and mouse game: They work by checking software against a frequently updated list of potential threats. In response, a whole industry has built up to help occlude and conceal hacking tools. That includes services that automate the process of checking all sorts of tools, from malware to malicious URLs, against dozens of defense scanners to see if they would get blocked. The feedback helps bad actors know what to tweak further, and what’s ready to use. Wired, May 16, 2018
Cyber Freedom
The Cybersecurity 202: Google wants to help political groups fight these cheap but disruptive cyberattacks: With midterm elections on the horizon, policymakers in Washington are fixated on preventing the kind of sophisticated cyberattacks and highly targeted influence operations that rocked the 2016 presidential election. The Washington Post, May 17, 2018
Homeland Security unveils new cyber security strategy amid threats: Washington – (Reuters) – The U.S. Department of Homeland Security on Tuesday unveiled a new national strategy for addressing the growing number of cyber security risks as it works to assess them and reduce vulnerabilities. Reuters, May 15, 2018
National Cybersecurity
White House Eliminates Cybersecurity Coordinator Role: The White House eliminated the position of cybersecurity coordinator on the National Security Council on Tuesday, doing away with a post central to developing policy to defend against increasingly sophisticated digital attacks and the use of offensive cyber weapons. The New York Times, May 15, 2018
‘Much work to do and no time to waste’ in cybercrime fight, says UN chief: The UN body focusing on crime prevention and criminal justice, opened its annual session in Vienna on Monday, calling for a more integrated global response to continuing and emerging challenges, including cybercrime. UN News, May 14, 2018
Financial Cybersecurity
Mexico central bank says hackers siphoned $15 million from five companies: Mexico’s central bank said on Wednesday that a cyber attack had sucked around 300 million pesos ($15.33 million) in fraudulent transfers from five companies, but it was unclear how much thieves had managed to pull out in cash. Reuters, May 15, 2018
Detecting Cloned Cards at the ATM, Register: Much of the fraud involving counterfeit credit, ATM debit and retail gift cards relies on the ability of thieves to use cheap, widely available hardware to encode stolen data onto any card’s magnetic stripe. But new research suggests retailers and ATM operators could reliably detect counterfeit cards using a simple technology that flags cards which appear to have been altered by such tools. KrebsOnSecurity, May 14, 2018
Critical Infrastructure
DOE Lays Out How Power Sector Could Win the Cybersecurity Battle in Newly Released Strategy: Cybersecurity threats are outpacing the energy sector’s “best defenses,” and costs of preventing and responding to cyber incidents are straining company efforts to protect critical infrastructure, the Department of Energy (DOE) warned as it released a comprehensive five-year cybersecurity strategy for the industry. Power, May 17, 2018