Individuals at Risk
Apple Removes Popular Mac Anti-Adware App From App Store After Researchers Discover It ‘Surreptitiously Steals’ Your Browsing History: Researchers allege the developers of Adware Doctor, the 4th highest ranking paid app in the Mac App Store, have found a way to bypass Apple restrictions and collect sensitive user data. Motherboard, September 7, 2018
In a Few Days, Credit Freezes Will Be Fee-Free. If you’ve not yet frozen your credit, do it September 21: Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind. KrebsOnSecurity, September 10, 2018
FragmentSmack vulnerability also affects Windows, but Microsoft patched it. FragmentSmack drives CPU usage through roof, jamming servers bombarded with malformed IP packets. Just the ideal vulnerability for DDoS attacks on Windows servers: Microsoft has fixed this week a vulnerability that can cause Windows systems to become unresponsive with 100% CPU utilization when bombarded with malformed IPv4 or IPv6 packets. ZDNet, September 14, 2018
Reminder to aggressively patch and update as report shows two billion devices still vulnerable to Blueborne flaws a year after discovery: Countless devices are still vulnerable to the set of Bluetooth-based security flaws 12 months after being made public. ZDNet, September 13, 2018
Patch Tuesday, September 2018 Edition: Adobe and Microsoft today each released patches to fix serious security holes in their software. Adobe pushed out a new version of its beleaguered Flash Player browser plugin. Redmond issued updates to address at least 61 distinct vulnerabilities in Microsoft Windows and related programs, including several flaws that were publicly detailed prior to today and one “zero-day” bug in Windows that is already being actively exploited by attackers. KrebsOnSecurity, September 11, 2018
BlackBerry Massively Steps Up Security Efforts to Address Threat Storm: BlackBerry continues to execute on their pivot to become a software, services, and device security firm. This doesn’t mean they don’t still have interesting smartphones, their licensed Key2 phone is arguably one of the most impressive secure phones currently in market. But the company’s focus is on securing the ecosystem and no firm is likely better positioned to get this done than BlackBerry. This week the firm had several interesting announcements but, perhaps, the most interesting was their new intelligent security system named Spark. Techspective, September 14, 2018
Microsoft gives Office 365 apps greater malware protection: No matter how careful you are, you’ll still find malware everywhere, even in the Office 365 apps. Though not necessarily something new, bad-acting parties have often buried malware in scripts and macros in Microsoft Word and PowerPoint. That is exactly why Microsoft announced that Office 365 client applications now integrate with Antimalware Scan Interface. ONMSFT, September 14, 2018
Cyber Warning — Benjamin Franklin: Distrust and caution are the parents of security.
Almost half of US cellphone calls will be scams by next year, says report: The percentage of scam calls in US mobile traffic increased from 3.7 percent last year to 29.2 percent this year, and it’s predicted to rise to 44.6 percent in 2019. Many of us are already conditioned to ignore phone calls from unknown numbers. A new study seems to validate that M.O. CNet, September 14, 2018
Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware Security Program: The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it. BleepingComputer, September 14, 2018
Hackers spoofing Internet addresses, luring surfers to fake websites to steal credentials & plant malware. Spoofed email addresses being used in phishing campaigns. It is easier than ever to get waylaid on the Internet, diverted to dangerous territory where scam artistes await with traps baited for the unsuspecting user. The Star, September 10, 2018
Information Security Management in the Organization
Information Security Management and Governance
How Small and Mid-Sized Entities Can Protect Themselves from a Cybersecurity Breach. Information security with an audit perspective from the Financial Management and Controllership Editorial Team at Thomson Reuters: A cybersecurity breach at a major corporation has taken place. How many times have we read about this in recent years? Thomson Reuters, September 2018
New Gartner Report Recommends a Vulnerability Management Process Based on Weaponization and Asset Value: Analyst firm Gartner recently published a report titled, “Implement a Risk-Based Approach to Vulnerability Management.” It focused on a risk-based approach for a vulnerability management process and includes several statements and recommendations that our X-Force Red team strongly supports. Some of them include: SecurityIntelligence, September 13, 2018
Why You Need a Digital Vendor Risk Management Plan: Five Weakest Links in Cybersecurity That Target the Supply Chain: Third-party breaches have become an epidemic as cybercriminals target the weakest link. Organizations such as BestBuy, Sears, Delta and even NYU Medical Center are just a few that have felt the impact of cyberattacks through third-party vendors. ThreatPost, September 13, 2018
Using the same exploit as WannaCry and some known tools, the Monero mining worm continues: In May of 2017, the WannaCry attack—a file-encrypting ransomware knock-off attributed by the US to North Korea—raised the urgency of patching vulnerabilities in the Windows operating system that had been exposed by a leak of National Security Agency exploits. WannaCry leveraged an exploit called EternalBlue, software that leveraged Windows’ Server Message Block (SMB) network file sharing protocol to move across networks, wreaking havoc as it spread quickly across affected networks. ars technica, September 14, 2018
Secure The Human
If It Seems Even A Little Bit Fishy, It’s Probably Phishy. Simple Tips To Avoid Phishing And Phone Scams: It’s hard out there for a fish. Anglers are coming at you with their tackle box full of flashy lures. You’re swimming along, enjoying the scenery, and all of a sudden there’s a tasty-looking tidbit to grab. Do you go for it, or is it a trick? ITSP, September 7, 2018
Cybersecurity in Society
Europe Catches GDPR Breach Notification Fever: Less than four months after GDPR enforcement began, Europe has arguably entered – if at times screaming and stumbling – into the modern data breach notification era. BankInfoSecurity, September 14, 2018
Three years later, Let’s Encrypt has issued over 380 million HTTPS certificates: The free-to-use nonprofit was founded in 2014 in part by the Electronic Frontier Foundation and is backed by Akamai, Google, Facebook, Mozilla and more. Three years ago Friday, it issued its first certificate. TechCrunch, September 14, 2018
Know Your Enemy
Hackers getting malware past antivirus products would seem to be a Herculean task, requiring the development of new, never before seen custom malware. If you thought this, you’d be wrong. New Cylance report shows how it’s done: You’d think that life would be pretty hard for threat actors these days, given the plethora of security companies out there feeding insatiable, ever-growing blacklists of malware that track millions upon millions of payload fingerprints. ThreatVector, September 12, 2018
Georgians waiting to hear if they will have to switch to paper ballots as Federal Judge’s ruling on Georgia election security lawsuit is imminent: ATLANTA (WJBF) – A ruling from a federal judge on whether Georgia will have to switch to paper ballots is imminent. I reported Thursday on this week’s court proceedings, but as recording is not allowed in federal court, I also sat down with the plaintiffs to hear them make their case. WJBF, September 14, 2018
AI-generated fake videos may be a security threat, lawmakers warn: Are AI-generated fake videos a potential threat to US national security? Fox, September 14, 2018
Crypto Crowdfunding Terrorists: Marketplace For Jihadist Crowdfunding Found on Dark Web: As bizarre as it sounds, a marketplace for crowdfunding paramilitary mujahideen, those engaged in jihad, has been discovered on the dark web. CCN, September 13, 2018
In Cyberwar, there are no rules. Why the world desperately needs digital Geneva Conventions. And why the U.S. needs to update its 30-year-old cybersecurity laws: In 1984, a science fiction movie starring an up-and-coming Austrian-American actor took the box office by storm. A cybernetic organism is sent back in time to seek out and kill the mother of a great war hero to prevent his subsequent birth. The cyborg scans a phone book page and begins methodically killing all women named Sarah Connor in the Los Angeles area, starting at the top of the list. ForeignPolicy, September 12, 2018
Click Here to Kill Everybody. Stewart Baker interviews Bruce Schneier about his new book: We are fully back from our August hiatus, and leading off a series of great interviews, I talk with Bruce Schneier about his new book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. Bruce is an internationally renowned technologist, privacy and security commentator, and someone I respect a lot more than I agree with. But his latest book opens new common ground between us, and we both foresee a darker future for a world that has digitally connected things that can kill people without figuring out a way to secure them. Breaking with Silicon Valley consensus, we see security regulation in the Valley’s future, despite all the well-known downsides that regulation will bring. We also find plenty of room for disagreement on topics like encryption policy and attribution. Steptoe Cyberblog, September 10, 2018
Internet neutrality feud between FCC and CA intensified Friday after hostile remarks by FCC Commish Ajit Pai generate response from CA State Senator Scott Wiener accusing the FCC of being bought and paid for by the telecom industry: The feud between federal Republican officials and the architects of California’s recently passed (but as of yet unsigned) net neutrality legislation intensified Friday, with State Senator Scott Wiener, the bill’s principal author, accusing the FCC of being bought and paid for by the telecom industry. Gizmodo, September 14, 2018
Internet of Things
Tesla Model 3 Stolen From Mall of America Using Only a Smartphone: With cars becoming more connected than ever, cybersecurity is a hot-button topic that extends past your computer screen and into your car. Using a bit of technology, an alleged car thief was able to get his hands on a Model 3 at the Mall of America and drive away without needing a key. The alleged crime was reportedly committed via smartphone. TheDrive, September 14, 2018
Romanian Hacker ‘Guccifer’ to Be Extradited to US. Guccifer is a key participant in Russian misinformation campaign regarding hack of DNC: Taxi Driver Turned Hacker Is Serving 7-Year Prison Sentence in His Home Country. BankInfoSecurity, September 13, 2018
Cryptography after the Aliens Land: Quantum computing is a new way of computing—one that could allow humankind to perform computations that are simply impossible using today’s computing technologies. It allows for very fast searching, something that would break some of the encryption algorithms we use today. And it allows us to easily factor large numbers, something that would break the RSA cryptosystem for any key length. Schneier on Security, September 2018
Webinar: Managing Security of the IT Infrastructure. October 4 @ 10:00 am – 11:00 am.
Financial Services Cybersecurity Roundtable. October 12 @ 8:00 am – 10:00 am.
Cybersecure LA 2018 … Define! Develop! Deliver! October 25 @ 8:00 am – 3:30 pm. Cybersecure LA 2018 … a joint presentation of SecureTheVillage and Pepperdine Graziadio Business School. Define your Cyber Risks | Develop an Action Plan | Deliver a Stronger Cyber Risk Posture.
Webinar: Getting Cyber-Prepared: Incident Response & Business Continuity. November 1 @ 10:00 am – 11:00 am.
Webinar: Third-Party Security Management. December 6 @ 10:00 am – 11:00 am.
Financial Services Cybersecurity Roundtable. December 14 @ 8:00 am – 10:00 am.