CI Security

IT Security News Blast – 12-11-2018

Mozilla and ThingsCon Launch IoT Security Certification Mark
For a product to achieve certification, it has to be evaluated by neutral ThingsCon experts based on the following five criteria:
·       Privacy & Data Practices: Is the product designed using state-of-the-art data practices and respectful of user rights?
·       Transparency: Is it made clear to users what the device does and how data might be used?
·       Security: Is it designed and built using state-of-the-art security practices and safeguards?
·       Stability: How robust is the device and how long of a life cycle can a consumer reasonably expect?
·       Openness: How open are both the device and the manufacturer’s processes? Is open data used or generated?
https://securitytoday.com/articles/2018/12/07/mozilla-and-thingscon-launch-iot-security-certification-mark.aspx
 
Up to 10,000 city of Topeka customers possibly affected in potential cyber-attack
The breach occurred between Oct. 31 and Dec. 7 and would affect any city utilities customer who made a one-time payment or set up autopay during that time. E-checks and customers who set up autopay before Oct. 31 won’t be affected, the city said. Central Square has turned over the information to a forensics investigator to confirm the potential breach of the city’s utility payment system.
https://www.cjonline.com/news/20181210/up-to-10000-city-of-topeka-customers-possibly-affected-in-potential-cyber-attack
 
Reduce Employee Email Risk by Taking Decisions Away from Users
“The way to look at it is: How do we ensure employees meet best practices in securing personal data, especially in healthcare?” [...] Bower noted that to get there, organizations need to think about the user as the perimeter of the business, as they’re processing and handing information. “The first step is to classify information: essentially tagging the information so that it can be treated according to the risk it contains, like HIPAA patient data,” said Bower. “You can’t expect users to make that decision themselves. You need automation tools to guide users through that process.”
https://healthitsecurity.com/news/reduce-employee-email-risk-by-taking-decisions-away-from-users
 
Premarket Device Cybersecurity: Health Canada Issues Draft Guidance
The US Food and Drug Administration (FDA) issued premarket draft guidance for medical devices containing cyber risks in October. Both the Canadian and US regulators are active participants in the International Medical Device Regulators Forum (IMDRF), which recently agreed to pick up cybersecurity as a new work item. [...] Health Canada stressed that “manufacturers should consider cybersecurity when designing their medical device.”
https://www.raps.org/news-and-articles/news-articles/2018/12/premarket-device-cybersecurity-health-canada-issu
 
Holiday Shopping for Cybercriminals: The Value of Digital Identity
Some fraudsters actually buy stolen credentials in bulk and then take the time to check the validity of account credentials across multiple websites with the help of automated tools. This practice is often referred to as credential stuffing. Relying on the fact that most consumers reuse the same username and password combination across multiple sites, fraudsters are able to gain access to other accounts the victim may hold. These “verified” accounts can then be sold at a premium price.
https://securityboulevard.com/2018/12/holiday-shopping-for-cybercriminals-the-value-of-digital-identity/
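The defensive side of the practice described in that excerpt is spotting the automated credential check in your own login logs: one source trying many distinct usernames in a short window, with almost all attempts failing, and a handful of "verified" successes that need a forced reset. The following Go program is an added example written for this digest, not code from the article or any vendor it quotes. The log line format, the thresholds (8 distinct usernames within 5 minutes, success ratio at or below 20%) and the sample lines are all constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample login log lines (not from any real system). One source
// sprays ten different usernames in seconds; another is a single user who
// mistypes twice; a third is a normal successful login.
const sampleLog = `2018-12-10T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2018-12-10T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2018-12-10T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2018-12-10T10:00:03Z src=203.0.113.5 user=dave result=OK
2018-12-10T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2018-12-10T10:00:04Z src=203.0.113.5 user=frank result=FAIL
2018-12-10T10:00:05Z src=203.0.113.5 user=grace result=FAIL
2018-12-10T10:00:06Z src=203.0.113.5 user=heidi result=FAIL
2018-12-10T10:00:07Z src=203.0.113.5 user=ivan result=FAIL
2018-12-10T10:00:08Z src=203.0.113.5 user=judy result=FAIL
2018-12-10T10:01:00Z src=198.51.100.7 user=mallory result=FAIL
2018-12-10T10:01:05Z src=198.51.100.7 user=mallory result=FAIL
2018-12-10T10:01:09Z src=198.51.100.7 user=mallory result=OK
2018-12-10T10:02:00Z src=192.0.2.9 user=oscar result=OK`

type loginEvent struct {
	At      time.Time
	Src     string
	User    string
	Success bool
}

// Assumed log layout: "<RFC3339 time> src=<ip> user=<name> result=OK|FAIL".
var lineRE = regexp.MustCompile(`^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$`)

// parseLog turns the raw text into events, skipping lines that do not match.
func parseLog(text string) []loginEvent {
	var events []loginEvent
	for _, line := range strings.Split(text, "\n") {
		m := lineRE.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		at, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		events = append(events, loginEvent{At: at, Src: m[2], User: m[3], Success: m[4] == "OK"})
	}
	return events
}

type stuffingAlert struct {
	Src           string
	DistinctUsers int
	Attempts      int
	Compromised   []string // accounts that authenticated inside the burst
}

// detectStuffing flags a source when, within any sliding window, it tries at
// least minUsers distinct usernames and the share of distinct accounts that
// succeeded is at or below maxSuccessRatio. A single user retrying a password
// never reaches minUsers, which keeps ordinary typos out of the alert stream.
func detectStuffing(events []loginEvent, window time.Duration, minUsers int, maxSuccessRatio float64) []stuffingAlert {
	bySrc := map[string][]loginEvent{}
	for _, e := range events {
		bySrc[e.Src] = append(bySrc[e.Src], e)
	}
	var alerts []stuffingAlert
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		var best *stuffingAlert
		for i := range evs {
			users := map[string]bool{}
			successes := map[string]bool{}
			attempts := 0
			for _, e := range evs[i:] {
				if e.At.Sub(evs[i].At) > window {
					break
				}
				attempts++
				users[e.User] = true
				if e.Success {
					successes[e.User] = true
				}
			}
			ratio := float64(len(successes)) / float64(attempts)
			if len(users) >= minUsers && ratio <= maxSuccessRatio && (best == nil || len(users) > best.DistinctUsers) {
				comp := make([]string, 0, len(successes))
				for u := range successes {
					comp = append(comp, u)
				}
				sort.Strings(comp)
				best = &stuffingAlert{Src: src, DistinctUsers: len(users), Attempts: attempts, Compromised: comp}
			}
		}
		if best != nil {
			alerts = append(alerts, *best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

func main() {
	for _, a := range detectStuffing(parseLog(sampleLog), 5*time.Minute, 8, 0.2) {
		fmt.Printf("credential stuffing from %s: %d usernames in %d attempts; force reset for %v\n",
			a.Src, a.DistinctUsers, a.Attempts, a.Compromised)
	}
}
```

The accounts in `Compromised` are exactly the "verified" credentials the excerpt says get resold, so the useful response is a password reset and session revocation for those users, not just blocking the source address, which the attacker rotates anyway.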
 
GDPR: 8,000 Data Breach Reports Filed So Far in UK
"It's just over six months since the new law came into effect across Europe, bringing with it greater accountability, transparency and consumer control. As anticipated, I am seeing more of everything in the U.K.," she said. That includes "more complaints from the public - from 9,000 to 19,000 in a comparable six-month period - complaints about subject access, data portability and data security," she said. "All of our frontline services have jumped by at least 100 percent."
https://www.bankinfosecurity.com/gdpr-8000-data-breach-reports-filed-so-far-in-uk-a-11828
 
House Oversight panel releases Equifax breach investigation report today
Two major factors allowed the breach to happen, the report states. First, there were big gaps between IT policy development and operation due to the company's structure, a situation that allowed 300 security certificates to expire, including one that had been expired for 19 months and prevented Equifax from monitoring encrypted network traffic. It also led to an unpatched critical Apache Struts vulnerability that left systems at risk for 145 days — and the company knew it had trouble with patch management operating on an "honor system."
https://www.politico.com/newsletters/morning-cybersecurity/2018/12/10/house-oversight-panel-releases-equifax-breach-investigation-report-today-448791
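The expired-certificate finding in that report is the kind of failure a periodic inventory check catches cheaply. The Go program below is an added example for this digest, not code from the report or from Equifax; it builds a constructed three-certificate inventory with Go's standard `crypto/x509` package (one certificate 19 months past expiry, one expiring in 10 days, one healthy), then classifies each against a reference date. The certificate names, the 30-day warning threshold and the inventory itself are assumptions; in practice the `[]*x509.Certificate` slice would come from your key stores, load balancers and inspection appliances.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// certFinding records one certificate's expiry status relative to a reference time.
type certFinding struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int // negative when the certificate has already expired
}

// checkInventory splits an inventory into already-expired certificates (most
// stale first) and those expiring within warnDays.
func checkInventory(certs []*x509.Certificate, now time.Time, warnDays int) (expired, expiring []certFinding) {
	for _, c := range certs {
		days := int(c.NotAfter.Sub(now).Hours() / 24)
		f := certFinding{Subject: c.Subject.CommonName, NotAfter: c.NotAfter, DaysLeft: days}
		switch {
		case now.After(c.NotAfter):
			expired = append(expired, f)
		case days <= warnDays:
			expiring = append(expiring, f)
		}
	}
	sort.Slice(expired, func(i, j int) bool { return expired[i].DaysLeft < expired[j].DaysLeft })
	sort.Slice(expiring, func(i, j int) bool { return expiring[i].DaysLeft < expiring[j].DaysLeft })
	return expired, expiring
}

// selfSignedCert mints a throwaway self-signed certificate with the given
// validity window, standing in for certificates pulled from real stores.
func selfSignedCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sampleInventory is a constructed fleet: a traffic-inspection certificate
// expired 19 months ago (the situation the report describes), an API
// certificate with 10 days left, and a healthy web certificate.
func sampleInventory(now time.Time) ([]*x509.Certificate, error) {
	specs := []struct {
		cn         string
		start, end time.Time
	}{
		{"tls-inspect.example.internal", now.AddDate(-3, 0, 0), now.AddDate(0, -19, 0)},
		{"api.example.internal", now.AddDate(-1, 0, 0), now.AddDate(0, 0, 10)},
		{"www.example.internal", now.AddDate(0, -1, 0), now.AddDate(1, 0, 0)},
	}
	var certs []*x509.Certificate
	for _, s := range specs {
		c, err := selfSignedCert(s.cn, s.start, s.end)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	certs, err := sampleInventory(now)
	if err != nil {
		panic(err)
	}
	expired, expiring := checkInventory(certs, now, 30)
	for _, f := range expired {
		fmt.Printf("EXPIRED  %-32s since %s (%d days)\n", f.Subject, f.NotAfter.Format("2006-01-02"), -f.DaysLeft)
	}
	for _, f := range expiring {
		fmt.Printf("EXPIRING %-32s in %d days\n", f.Subject, f.DaysLeft)
	}
}
```

An expired certificate on an inspection device does not announce itself; the device simply stops decrypting and the alerts stop, which is why the check has to come from the inventory side rather than from the device's own logs.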
 
Warner: Lack of clarity on offensive cyber ‘downright dangerous’
“Failing to articulate a clear set of expectations about when and where we will respond to cyber attacks is not just bad policy, it’s downright dangerous,” he said during an address at the Center for a New American Security on Friday. Warner said his concerns extend not just to discrete attacks that aim to shut down critical infrastructure, destroy data or steal information, but more complex and ongoing information operations. These include the attacks intelligence agencies believe Russia engaged in to interfere with the 2016 election.
https://federalnewsnetwork.com/cybersecurity-2017/2018/12/warner-lack-of-clarity-on-offensive-cyber-downright-dangerous/
 
Russia Launched Cyber Attacks Against Ukraine Before Ship Seizures, Firm Says
Russian government-affiliated actors launched coordinated cyber attacks against Ukrainian government and military targets before and during the attack and seizure of Ukrainian ships and sailors on November 25, a private intelligence firm announced this week. The attacks appeared to be aimed at stealing information that would have been relevant to planning the operation, according to Stealthcare, a cyber threat intelligence group. If so, the revelation challenges Russia’s already widely-disputed claim that Ukraine initiated the crisis.
https://www.nextgov.com/cybersecurity/2018/12/russia-launched-cyber-attacks-against-ukraine-ship-seizures-firm-says/153387/
 
US deputy defense secretary: A look at missiles, space and cyber in next year’s national strategy
In the coming year we will also move to rapidly integrate the disparate cyber efforts throughout the department and operationalize our cyber strategy while building on our recent experiences with advanced authorities. Through the newly created Protecting Critical Technology Task Force, we will strengthen cyber protection of our defense-industrial base. In parallel, we will scale artificial intelligence throughout the department and expand joint force advantages through the Joint Artificial Intelligence Center, established this past year.
https://www.defensenews.com/outlook/2018/12/10/us-deputy-defense-secretary-a-look-at-missiles-space-and-cyber-in-next-years-national-strategy/
 
DHS S&T Awards $1.14M for New Cyber Data Privacy Tools
“S&T is developing solutions to ensure the government end-user’s data privacy is protected and consistent with outlined laws, policies and mission.” The Data Privacy project provides the Department’s operational components and other stakeholders with the R&D expertise and resources needed to enhance the privacy of their critical data. The project focuses specifically on privacy risks related to connected sensor devices and platforms, mobile computing, automation and autonomous systems and the delivery of digital services.
https://americansecuritytoday.com/dhs-st-awards-1-14m-for-new-cyber-data-privacy-tools/
 
Some apps pass personally identifiable location data to as many as 40 companies
A lengthy NY Times feature provides some stark illustrations of the extent to which potentially-identifiable location data is being captured, shared and retained by both iOS and Android apps, threatening user privacy. The paper was able to identify specific individuals from some location patterns, and found that one iOS app was passing exact location data to a total of 40 different companies[.] Location data is supposed to be anonymous, not tied to any specific individual, and used only to analyze overall patterns. But the paper found that it was possible to track location movements with enough precision to identify individual people – and to learn an alarming amount about them.
https://9to5mac.com/2018/12/10/location-data/
 
With new director, Tor seeks new funding sources and international growth
There is some urgency to Tor’s fundraising. The organization has long been a target of criticism from the law enforcement community, which believes the service facilitates criminal activity. Additionally, security practitioners question whether a government-funded service can live up to the promise of providing anonymity. While Bagueros says the Trump administration has yet to cut funding, other public officials have indicated such an option is not off the table.
https://www.cyberscoop.com/tor-funding-isabela-bagueros-december-2018/
 
DanaBot Trojan Expands Attacks
The change in direction of the DanaBot shows that attacks that started in banking are moving beyond banking. Attacks such as Marriott, British Airways and Newegg were for private information and on the black market, this private information is valuable. Private information helps criminals open new accounts and appear legitimate. The more private information that is stolen, the more difficult it will be for organizations to protect themselves from fraudulent accounts.
https://www.informationsecuritybuzz.com/expert-comments/danabot-trojan-expands-attacks/
 
European banks bleed millions from physical cyber attacks through devices like the Raspberry Pi
Posing as job seekers, couriers and inspectors, the cyber criminals used three types of device to connect to a bank's network and syphon data. Netbooks, Raspberry Pi devices and Bash Bunnies - a special tool for carrying out USB attacks - were all used after access to the building was gained, according to Kaspersky Lab. The clandestine devices were simply plugged in and left, only to be controlled remotely via GPRS, 3G or LTE by the attackers. Meeting rooms were a common target as tables often have multiple communications and data transfer-related sockets to facilitate presentations, which can be accessed and exploited easily for ill-gotten gain.
https://www.itpro.co.uk/security/32540/european-banks-bleed-millions-from-physical-cyber-attacks-through-devices-like-the
 
You’ve been hacked: The psychology of disinformation and how to protect yourself
Social media provide fertile ground in which insider knowledge takes root, and—as we all know—falsehoods (especially partial truths masquerading as whole truths) spread like invasive weeds. Some of these falsehoods are deliberately seeded by ideologues, propagandists, disinformation specialists; others spring up naturally from the constant shift and flow and recombination of information in the human ideosphere. Once seeded, all viral bullshit exploits weaknesses in how the human mind determines what’s real.
https://www.alternet.org/youve-been-hacked-psychology-disinformation-and-how-protect-yourself
 
Shadow digital bazaar: stolen personal ID
So much stolen data is available on the dark web, people shouldn’t worry whether their information has been swiped, said Elvis Chan, a supervisory special agent with the Federal Bureau of Investigation who investigates cyber intrusions. “Every American person should assume all of their data is out there,” he said. The pipeline for personal information has made it cheap and easy to get. The asking price for a single piece of data, such as a credit-card number, webmail password or Social Security number can be just a few dollars.
https://www.wsj.com/articles/what-happens-to-your-data-after-a-hack-1544367600
 
Linux.org defaced via DNS hijack
The defacement page was changed a few times, but it included an obscene picture, racial slurs, and a protest against the new Linux kernel developer code of conduct. It also showed links and redirected users to a Twitter account (@kitlol5) believed to be operated by the hacker. [...] Linux.org operators revealed that the hacker had broken into their Network Solutions account and pointed the DNS for the linux.org domain to their own CloudFlare account. They highlighted that the actual servers hosting Linux.org and user data were not accessed by the attacker.
https://www.securityweek.com/linuxorg-defaced-dns-hijack
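A registrar-level hijack like the one described above leaves the web servers untouched, so host-based monitoring sees nothing; what changes is the delegation (the NS records) and where the name resolves. The Go program below is an added example for this digest, not code from Linux.org or the article; it compares each zone's observed NS and A records against a baseline kept under change control and flags any nameserver or address outside that baseline. The resolver is injected so the example runs offline against constructed data; the zone names, nameserver names and addresses are placeholders, and in production the two functions would wrap `net.LookupNS` and `net.LookupHost`.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// resolver abstracts DNS lookups so the check can run offline here. In
// production wire NS to net.LookupNS (taking each result's Host) and A to
// net.LookupHost.
type resolver struct {
	NS func(domain string) ([]string, error)
	A  func(host string) ([]string, error)
}

// zoneBaseline is the expected state, recorded from the registrar and the
// zone file at the last approved change.
type zoneBaseline struct {
	Domain     string
	ExpectedNS []string
	ExpectedA  []string
}

type zoneDrift struct {
	Domain       string
	UnexpectedNS []string // nameservers serving the zone that we never approved
	MissingNS    []string // approved nameservers no longer in the delegation
	UnexpectedA  []string // apex addresses outside the approved set
}

// Hijacked is true when anything unapproved has appeared; a missing approved
// nameserver alone is reported but treated as a lesser configuration issue.
func (d zoneDrift) Hijacked() bool { return len(d.UnexpectedNS) > 0 || len(d.UnexpectedA) > 0 }

// normalizeHosts lowercases, strips the trailing dot and dedupes so that
// "NS1.Example." and "ns1.example" compare equal.
func normalizeHosts(hosts []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, h := range hosts {
		h = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(h), "."))
		if h != "" && !seen[h] {
			seen[h] = true
			out = append(out, h)
		}
	}
	sort.Strings(out)
	return out
}

// setDiff returns the elements of a that are not present in b.
func setDiff(a, b []string) []string {
	inB := map[string]bool{}
	for _, x := range b {
		inB[x] = true
	}
	var out []string
	for _, x := range a {
		if !inB[x] {
			out = append(out, x)
		}
	}
	return out
}

// checkZone resolves the live delegation and apex address and diffs both
// against the baseline.
func checkZone(b zoneBaseline, r resolver) (zoneDrift, error) {
	ns, err := r.NS(b.Domain)
	if err != nil {
		return zoneDrift{}, fmt.Errorf("NS lookup %s: %w", b.Domain, err)
	}
	a, err := r.A(b.Domain)
	if err != nil {
		return zoneDrift{}, fmt.Errorf("A lookup %s: %w", b.Domain, err)
	}
	obsNS, expNS := normalizeHosts(ns), normalizeHosts(b.ExpectedNS)
	obsA, expA := normalizeHosts(a), normalizeHosts(b.ExpectedA)
	return zoneDrift{
		Domain:       b.Domain,
		UnexpectedNS: setDiff(obsNS, expNS),
		MissingNS:    setDiff(expNS, obsNS),
		UnexpectedA:  setDiff(obsA, expA),
	}, nil
}

// sampleResolver is constructed offline data: one zone still delegated to the
// approved nameservers, one whose delegation and apex address were changed at
// the registrar.
func sampleResolver() resolver {
	nsData := map[string][]string{
		"good.example":     {"NS1.registrar-dns.example.", "ns2.registrar-dns.example"},
		"hijacked.example": {"ns1.unexpected-provider.example", "ns2.unexpected-provider.example"},
	}
	aData := map[string][]string{
		"good.example":     {"192.0.2.10"},
		"hijacked.example": {"198.51.100.66"},
	}
	lookup := func(data map[string][]string) func(string) ([]string, error) {
		return func(name string) ([]string, error) {
			if v, ok := data[name]; ok {
				return v, nil
			}
			return nil, fmt.Errorf("no such name: %s", name)
		}
	}
	return resolver{NS: lookup(nsData), A: lookup(aData)}
}

// sampleBaselines is the approved state for both constructed zones.
var sampleBaselines = []zoneBaseline{
	{"good.example", []string{"ns1.registrar-dns.example", "ns2.registrar-dns.example"}, []string{"192.0.2.10"}},
	{"hijacked.example", []string{"ns1.registrar-dns.example", "ns2.registrar-dns.example"}, []string{"192.0.2.20"}},
}

func main() {
	r := sampleResolver()
	for _, b := range sampleBaselines {
		d, err := checkZone(b, r)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-18s hijacked=%-5v unexpectedNS=%v missingNS=%v unexpectedA=%v\n",
			d.Domain, d.Hijacked(), d.UnexpectedNS, d.MissingNS, d.UnexpectedA)
	}
}
```

Run it from a network the attacker cannot influence (resolving against the parent zone's servers rather than your own recursive resolver is the more reliable choice) and pair it with the controls that make the registrar account harder to take over in the first place: multi-factor authentication on the registrar login and the registrar lock feature, which blocks nameserver changes until the lock is explicitly lifted.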
 
Stolen valor meets fake news: Facebook trolls targeting vets
But the fake Vietnam Veterans of America was posting bad information, putting new dates on old news stories and twisting facts in an apparent attempt to stir up fear among readers. That led Goldsmith to embark on a 15-month cyber investigation into social media trolls targeting the military community from Ukraine, Bulgaria, the Philippines and more than two-dozen other countries. “This is something that is really dangerous, and the fake news that the White House needs to be concentrated on is the fake news that foreign entities are pushing into the veterans community to tear America apart,” said Goldsmith, an Army veteran.
https://rebootcamp.militarytimes.com/news/transition/2018/12/07/stolen-valor-meets-fake-news-facebook-trolls-targeting-vets/
 
10 cyber security trends to look out for in 2019
·       Cyber security regulations improvement
·       Data theft turning into data manipulation
·       Demand will continue to rise for security skills
·       Cyber security and Internet of Things (IoT)
·       Attackers will continue to target consumer devices
·       Attackers will become bolder, more commercial, less traceable
·       Attackers will get smarter
·       Breaches will get more complicated and harder to beat
·       Cyber risk insurance will become more common
·       New job titles appearing – CCO (chief cybercrime officer)
https://www.information-age.com/10-cyber-security-trends-look-2019-123463680/
 
You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at https://ci.security/news/daily-news.

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2018 CI Security. All rights reserved.

CI Security
245 4th St, Suite 405  Bremerton, WA 98337