Category Archives for "Network World Security"

LinkedIn-based intelligence gathering campaign targets the security industry

For the past several weeks an intelligence-gathering campaign has been using fake LinkedIn recruiter profiles to map out the professional networks of IT security experts, researchers from F-Secure have discovered. LinkedIn can be a great tool to establish new professional relationships and discover job opportunities. However, accepting connection requests from unknown people is a double-edged sword that can put both employees and the companies they work for at risk. There are multiple cases where attackers have used fake LinkedIn profiles to gather sensitive information about organizations and their employees. Knowing who is the manager of a particular department in a company or who is a member of the organization's IT staff can be very useful in planning targeted attacks.

Microsoft will release its hackathon help tool to the world

Microsoft is planning to bring its internal tool for running hackathons to the public next year, starting by allowing a few select colleges to test drive it at their own events. It's part of a plan by the company's Garage division to help other organizations get better at handling the administrative side of organizing marathon hack sessions like the three-day-long bonanza Microsoft held in July as part of its Oneweek employee team-building session. Known inside Microsoft as the "Hackathon interactive project site," it was built to help 13,000 employees and interns work on 1,700 projects during the Oneweek hackathon.

Ashley Madison still a top lure for scammers and crooks

The Ashley Madison breach has been a Christmas-in-August present for spammers and scammers of all kinds, and your company could be the next target. Here are some scams to watch out for.

Phishing

There is a significant amount of spam related to the Ashley Madison attack. According to Trend Micro, the most recent Ashley Madison-related phishing campaign offers a link to the "Ashley Madison Client List" but instead infects the user's computer with banking malware, or locks up files until the user pays one Bitcoin, or approximately $235. "Companies should block all Ashley Madison related emails at the email gateway and use URL filtering for all inbound emails for those bulletproof hosts which are disseminating this crimewave," said Tom Kellermann, chief cybersecurity officer at Irving, Tex.-based Trend Micro Inc.

Even encrypted medical record databases leak information

A new study from Microsoft researchers warns that many types of databases used for electronic medical records are vulnerable to leaking information despite the use of encryption. The paper, due to be presented at the ACM Conference on Computer and Communications Security next month, shows how sensitive medical information on patients could be pilfered using four different attacks. Researchers discovered the sex, race, age and admission information, among other data, using real patient records from 200 U.S. hospitals. In the light of increasing cyberattacks against the health care industry, the researchers recommended that the systems they studied "should not be used in the context of" electronic medical records.

Court: FTC can take action on corporate data breaches

The US Court of Appeals has ruled that the FTC mandate to protect consumers against fraudulent, deceptive and unfair business practices extends to oversight of corporate cybersecurity efforts -- and lapses. But security experts are split about whether the decision will help improve enterprise security. "It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," said Federal Trade Commission Chairwoman Edith Ramirez in a statement. Specifically, last week's decision allowed the FTC to take action against Wyndham Hotels and Resorts for failing to reasonably protect consumers' personal information between 2008 and 2010, when hackers broke in three times and stole more than 600,000 bank card numbers.

Cisco security chief: 4 things CISOs need to survive

As the criminal infrastructure that supports cyber attacks grows more efficient, speeding up the development of new threats, CISOs need to constantly learn new skills to keep their businesses and their jobs safe, according to Cisco’s head of security solutions. They have to have solid knowledge of network security, but also have to be able to communicate well, develop in-house security talent and stay on top of how the threat landscape is changing, says James Mobley, Cisco vice president of security solutions and former CEO of security consulting firm Neohapsis, which Cisco bought last year.

Shopperz adware takes local DNS hijacking to the next level

New versions of a highly persistent adware program called Shopperz use a cunning technique to make DNS (Domain Name System) hijacking harder to detect and fix. Shopperz, also known as Groover, injects ads into users' Web traffic through methods researchers consider malicious and deceptive. In addition to installing extensions in Internet Explorer and Firefox, the program creates Windows services to make it harder for users to remove those add-ons. One service is configured to run even in Safe Mode, a Windows boot option often used to clean malware. Moreover, Shopperz creates a rogue Layered Service Provider (LSP) in Windows' network stack that allows it to inject ads into Web traffic regardless of the browser used.

Black Hat survey reveals a disconnect between losses and security program focus

I started to review the recently published Black Hat Attendee Survey. This study primarily focused on the concerns of practitioners, including how they actually spent their time and the losses that they incurred. In another article, I will try to compare those concerns with the actual conference content. For now though, the most notable statistic is the prominence of awareness-related concerns as a pain point for security professionals. Clearly, the news media and study after study indicate that attackers target poor awareness on the part of end users and administrators. It has been reported that spearphishing was behind the Sony and TV5Monde attacks. The Sony results are well known. The TV5Monde attack was originally credited to ISIS sympathizers and the fact that TV5Monde actually televised many of their passwords while broadcasting an interview from their studios. Passwords were written on a white board in the background. Whether the attack was the result of televised passwords or spearphishing, it is still a result of user actions.

The myth of the cybersecurity skills shortage

Everyone seems to think that there’s a lack of qualified security professionals, and that the reason is that there aren’t enough people entering the field with the required skills. There is a fallacy behind that thinking, though. People think that security is a stand-alone discipline, but it is actually a discipline within the computer field. Treating it otherwise is a mistake. Most of the people who have been in the security profession for more than a decade, including me, entered the field without a cybersecurity degree. We might have certifications, but we don’t claim that those certs are the source of any expertise we may have. My own experience is not atypical. In all of my years of working, as an employee or contractor, for the National Security Agency and other military and intelligence agencies, I never performed specifically what would be considered security work.

8 in 10 Internet-connected baby monitors receive ‘F’ grade for security flaws

Despite the negative and widespread publicity around baby monitor hacks, sadly you shouldn’t expect an end to baby cam hacker stories any time soon. Today Rapid7 publicly disclosed 10 new vulnerabilities in baby monitors made by nine different manufacturers. On a grading scale, eight of the 10 Internet-connected baby monitors scored an “F” and one received a “D” grade. If you were curious about some redactions in the slides during Mark Stanislav’s “The Hand that Rocks the Cradle: Hacking IOT Baby Monitors” presentation at Def Con’s IOT Village, it was due to several new vulnerabilities he uncovered. Stanislav and Tod Beardsley have published a hacking IOT case study on baby monitors (pdf).

Despite reports of hacking, baby monitors remain woefully insecure

Disturbing reports in recent years of hackers hijacking baby monitors and screaming at children have creeped out parents, but these incidents apparently haven't spooked makers of these devices. A security analysis of nine baby monitors from different manufacturers revealed serious vulnerabilities and design flaws that could allow hackers to hijack their video feeds or take full control of the devices. The tests were performed by researchers from security firm Rapid7 during the first half of this year and the results were released Tuesday in a white paper. On a scale from A to F that rated their security functionality and implementation, eight of the devices received an F and one a D.

The RMS Titanic and cybersecurity

Little known fact: Yesterday was the 30th anniversary of Bob Ballard’s discovery of the RMS Titanic, several hundred miles off the coast of Newfoundland, Canada. I’ve recently done some research into the ship, its builders, and its ultimate fate and believe that lessons learned from Titanic may be useful for the cybersecurity community at large. The Titanic tragedy teaches us of:

The dangers of technology hubris. The Titanic was designed with the latest technology at the time to withstand severe storms in the north Atlantic. Because of this, the shipbuilders at Harland and Wolff decided to market the ship as “unsinkable.” Likewise, our industry has this absolute love affair with technology. I’m constantly briefed on the latest and greatest prevention or detection engine designed to withstand anything hackers can throw at it. Like the “unsinkable” Titanic, this is nothing but hot air. Bad guys will find ways around all of our defenses over time. Strong security demands people, process, and technology, so the industry love affair with technology alone is counterproductive and leaves us susceptible to a sea of cybersecurity icebergs.

The need for organizational coordination. There were two inquiries into the Titanic disaster, one in the U.S.

Check Point’s SandBlast sandbox spells R.I.P for ROP attacks

Check Point is upgrading its sandboxing technology so it catches attacks earlier in the process and makes it harder for adversaries to evade detection. Called SandBlast, the new software monitors CPU activity looking for anomalies that indicate that attackers are using sophisticated methods that would go unnoticed with traditional sandboxing technology, according to Nathan Shuchami, head of threat prevention sales for Check Point. Traditional sandboxes, including Check Point’s, determine whether files are legitimate by opening them in a virtual environment to see what they do. To get past the sandboxes, attackers have devised evasion techniques, such as delaying execution until the sandbox has given up or lying dormant until the machine it’s trying to infect reboots.

How CISOs can beat the information security skills-gap

The information security skills gap may have become a huge issue for Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs), but there are a number of ways InfoSec teams can work around the shortage so as to protect their networks and stay ahead of the attackers.

Outsourcing staff

When people think of outsourcing, they often think of outsourcing services. A company may, for example, choose to outsource its accounting, customer management, or recruitment. However, it’s worth noting that you can also outsource talent, and this is a poignant note for an understaffed and under-skilled security industry.