Personal Cybersecurity #41: Daily news

What you need to know for your personal cyber security life…

Number forty-one in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life every day is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the informational loop.

And, just so you know, I’ve got 31 years of IT experience, and my day job is with the State of Wyoming as an Information Specialist. I believe an informed prepper is a BETTER prepper. Information is the life blood of being prepared. Learn more with every article in this continuing series. Please ask questions if you want to learn more…I’m here to help.


# # #

HEADLINES…for this issue…14 articles

  • DDoS attacks knock Feedly offline for second day running
  • FCC will push network providers on cybersecurity, Wheeler says
  • Bank of England receives ‘7 or 8 cyber attacks a week’, says CISO
  • Fake Dot-Gov Webmail Used in Phishing Scam to Hack EPA and Census Staff
  • China computer congress to highlight information security
  • How did the RCMP crack BlackBerry’s security?
  • The $10 Million Deductible – Why the cyberinsurance industry is a mess
  • UK finance industry launches cyber security framework
  • Annual cost of cybercrime hits near $400 billion
  • Banks: Credit Card Breach at P.F. Chang’s
  • 2nd China Army Unit Implicated in Online Spying
  • Women in InfoSec: Building Bonds & New Solution
  • 14-year-old code crackers hack Winnipeg ATM
  • Why New Macs Are DHS’ Key to Malware That Targets PCs

# # #

DDoS attacks knock Feedly offline for second day running

  • By Gregg Keizer
  • Computerworld
  • June 12, 2014

RSS aggregator Feedly today went dark for the second time in two days as another wave of distributed-denial-of service (DDoS) attacks knocked it offline.

At approximately 10:30 a.m. ET (7:30 a.m. PT), Feedly acknowledged that it had again been targeted by cyber criminals, who seem bent on crippling the RSS provider.

“The ops team has reviewed the attacks and is working on building a second line of defense to neutralize this second attack,” said company officials, including Edwin Khodabakchian, Feedly CEO, in a brief status update on the firm’s blog.

After a four-hour outage, Feedly was restored at 2:30 p.m. ET, 11:30 a.m. PT.


# # #

FCC will push network providers on cybersecurity, Wheeler says

  • By Grant Gross
  • IDG News Service
  • June 12, 2014

The U.S. Federal Communications Commission is threatening to step in with regulations if network providers don’t improve cybersecurity.

The FCC will take steps to encourage cybersecurity in the coming months, acting first as a promoter of company-led initiatives instead of a regulator, in keeping with its congressionally defined mission to promote the national defense and public safety, FCC Chairman Tom Wheeler said. But if that doesn’t lead to improvements, the agency is prepared to act.

“The challenge is that this private sector-led effort must be more dynamic than traditional regulation and more measurably effective than blindly trusting the market or voluntary best practices to defend our country,” Wheeler said during a speech at the American Enterprise Institute for Public Policy Research. “We believe there is a new regulatory paradigm where the commission relies on industry and the market first while preserving other options if that approach is unsuccessful.”

Echoing the current debate over the FCC’s authority to enforce net neutrality rules, Wheeler promised that the agency will push network operators to improve cybersecurity even as those companies move more of their traffic from the more heavily regulated analog telephone network to more lightly regulated Internet Protocol-based networks.


# # #

Bank of England receives ‘7 or 8 cyber attacks a week’, says CISO

  • By Matthew Finnegan
  • Computerworld UK
  • 12 June 14

The Bank of England is fending off regular attempts to hack into its systems each week, with hacktivists and nation states the most common culprits.

“We get on average around eight incidents a week, and we are a central bank that is pretty small in number – around 4,000 people,” said Don Randall MBE, chief information security officer at the Bank of England, speaking at the Institute of Risk Management’s Cyber Risk 2014 Summit. “To date, none of these have caused any major harm – but they [cyber criminals] are definitely looking at it.”

The weekly attacks include two or three denial of service attempts on average, some of which go through a service provider, as well as malware attacks such as spearphishing.

According to Randall, the majority of attacks are believed to be from hacktivists and nation states, rather than criminals attempting to hack systems for financial gain, which are more likely to target the UK’s retail banks.


# # #

Fake Dot-Gov Webmail Used in Phishing Scam to Hack EPA and Census Staff

  • By Aliya Sternstein
  • June 12, 2014

A Nigerian man has admitted to compromising the email accounts of federal employees to order agency office products that he then sold on the black market, according to newly filed court papers.

Abiodun Adejohn and conspirators cheated government supply vendors out of almost $1 million worth of goods through the scheme.

The hackers broke into the accounts through a series of impersonations targeting Environmental Protection Agency and Census Bureau staff. First, they sent the employees “phishing” emails purporting to be from government agencies that contained links to seemingly legit agency webmail login pages. But the webpages actually stole usernames and passwords the employees entered.

Many federal agencies are vulnerable to this type of mimicry because of poor cyber hygiene, according to a report released Wednesday. Analysts at the Online Trust Alliance found that many federal webpages and email addresses are missing encryption and verification protections that could prevent phishing scams.


# # #

China computer congress to highlight information security

  • By Bai Yang
  • Xinhua
  • 06-12-2014

BEIJING, June 11 (Xinhua) — The 2014 China National Computer Congress (CNCC) will focus on information security issues, the China Computer Federation announced on Wednesday.

The annual congress, from Oct. 23 to 25, will be held in Zhengzhou, provincial capital of central China’s Henan. It will discuss information security challenges in the “big data” era and explore solutions, according to the federation.

Forums related to Internet finance, digital medical care and wearable and cloud computing will be organized on the sidelines.

An exhibition featuring scientific achievements will also be held during the three-day event, which has attracted registrations from IT enterprises, colleges and universities, research institutes and publishers, the organizer said.

The congress will offer a platform for college students to demonstrate their creative designs and attract investment.

The CNCC is an academic conference sponsored by the China Computer Federation since 2003. It discusses the latest breakthroughs in computer and IT fields, forecasts development trends, and presents key academic achievements and latest applications.

# # #

How did the RCMP crack BlackBerry’s security?

BlackBerry Ltd. has long held that its BlackBerry devices are among the most secure in the world, but it turns out the platform isn’t as bulletproof as many had been led to believe.

On Thursday, Royal Canadian Mounted Police revealed the results of Project Clemenza, which it began in 2010. During the course of its investigation, the federal police force says, it intercepted more than a million private messages sent using BlackBerry’s PIN-to-PIN messaging, which led police to identify suspects in a series of violent crimes that included arson, forcible confinement and drug trafficking.

Personal Identification Number (PIN)-to-PIN messages are not the company’s popular BlackBerry Messenger service (BBM), which the company still contends is ironclad when it comes to keeping messages secure. PIN-to-PIN allows BlackBerry users to send email directly to one another, keeping it from going out into the Internet where it could be spied on by prying eyes.

PIN-to-PIN messages are encrypted with what is known as Triple Data Encryption Standard (Triple DES) encryption technology, which is among the best in the world. However, BlackBerry devices use what is known as a global cryptographic key to decode all of the messages sent to its devices. By faking, or “spoofing”, the PIN of the receiving BlackBerry device and utilizing the global cryptographic key, all messages sent to that device can be viewed by an eavesdropper.


# # #

The $10 Million Deductible – Why the cyberinsurance industry is a mess

  • By Josephine Wolff
  • June 12, 2014

Do you still shop at Target? There’s been controversy over how much of an impact the massive breach of 40 million credit and debit card numbers in late 2013 had on the company’s shareholders and customers. And that controversy speaks to a larger cybersecurity problem plaguing industry today: the difficulty of assessing the impact and costs of these sorts of security breaches and the challenges that presents when it comes to trying to buy and sell cyberinsurance. Yes, that’s a real thing—and a great business to be in, at the moment, if you can figure out how to develop accurate actuarial models, that is.

A recent New York Times article touted cyberinsurance as the “fastest-growing niche in the [insurance] industry today.” Nicole Perlroth and Elizabeth Harris report: “[A]fter the breach at Target, its profit was cut nearly in half—down 46 percent over the same period the year before—in large part because the breach scared away its customers.” These enormous costs to brand reputation make it difficult for companies to get as much cyber risk coverage as they want, and the demand is only growing. The Times cites statistics showing a 21 percent increase in demand for cyberinsurance policies from 2012 to 2013, with total premiums reaching $1.3 billion last year and individual companies able to acquire a maximum of roughly $300 million in coverage.

At the time of its breach, Target had only $100 million in coverage, with a $10 million deductible, and had been turned away by at least one insurer when it tried to acquire more cyberinsurance, Perlroth and Harris report. They suggest that this coverage may fall well short of the massive losses incurred by the company when it saw its profits nearly halved.

But their piece comes less than a month after Eric Chemi argued exactly the opposite about the impact of Target’s security breach in a piece for Bloomberg Businessweek titled “Investors Couldn’t Care Less About Data Breaches.” He wrote:


# # #

UK finance industry launches cyber security framework

  • By Warwick Ashford
  • 10 June 2014

The UK finance industry has launched a cyber security framework for sharing detailed threat intelligence, testing cyber security and benchmarking financial service providers.

The CBEST framework was developed by the Council of Registered Ethical Security Testers (Crest) in collaboration with the Bank of England, Her Majesty’s Treasury and the Financial Conduct Authority (FCA).

The framework is the first of its kind to be led by any of the world’s central banks and comes less than a week after the government officially launched its Cyber Essentials Scheme, also supported by Crest.

Crest provides internationally recognised certifications for organisations and individuals providing penetration testing, cyber incident response and security architecture services.


# # #

Annual cost of cybercrime hits near $400 billion

  • By Ellen Messmer
  • NetworkWorld
  • June 9, 2014

An estimate of the global cost of cybercrime — losses from cyber-espionage theft of intellectual property, plus all types of personal and financial data stolen and dealing with the fallout — is being put at at least $400 billion annually, according to the report published today by the Center for Strategic and International Studies.

In its report “Net Losses: Estimating the Global Cost of Cybercrime,” Washington, D.C.-based think tank CSIS claims the countries hit most are the United States, China and Germany based on their overall national wealth in Gross Domestic Product (GDP). Those three countries together are estimated to have suffered $200 billion in cybercrime losses on an annual basis. CSIS acknowledges there’s going to be debate over how to calculate the cost of cybercrime the way it broadly defines it. But CSIS, whose research draws largely from the work of economists, argues it could not be lower than $375 billion and the maximum could actually be $575 billion.

“Even the smallest of these figures is more than the national income of most countries and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow,” the report says.

By coincidence, the CSIS report on the cost of cybercrime comes in the wake of the U.S. Department of Justice crime charges related to alleged cybercrime operations in China and Eastern Europe that are accused of stealing millions of dollars from U.S. businesses through either theft of trade secrets or outright financial fraud.


# # #

Banks: Credit Card Breach at P.F. Chang’s

  • By Brian Krebs
  • Krebs on Security
  • June 10, 2014

Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.

On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang’s locations between the beginning of March 2014 and May 19, 2014.

Contacted about the banks’ claims, the Scottsdale, Arizona-based restaurant chain said it has not yet been able to confirm a card breach, but that the company “has been in communications with law enforcement authorities and banks to investigate the source.”

“P.F. Chang’s takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more,” the company said in an emailed statement. “We will provide an update as soon as we have additional information.”


# # #

2nd China Army Unit Implicated in Online Spying

  • By Nicole Perlroth
  • The New York Times
  • June 9, 2014

SAN FRANCISCO — The email attachment looked like a brochure for a yoga studio in Toulouse, France, the center of the European aerospace industry. But once it was opened, it allowed hackers to sidestep their victim’s network security and steal closely guarded satellite technology.

The fake yoga brochure was one of many clever come-ons used by a stealth Chinese military unit for hacking, said researchers at CrowdStrike, an Irvine, Calif., security company. Their targets were the networks of European, American and Japanese government entities, military contractors and research companies in the space and satellite industry, systematically broken into for seven years.

Just weeks after the Justice Department indicted five members of the Chinese army, accusing them of online attacks on United States corporations, a new report from CrowdStrike, released on Monday, offers more evidence of the breadth and ambition of China’s campaign to steal trade and military secrets from foreign victims.

The report, parts of which The New York Times was able to corroborate independently, ties attacks against dozens of public and private sector organizations back to a group of Shanghai-based hackers whom CrowdStrike called Putter Panda because they often targeted golf-playing conference attendees. The National Security Agency and its partners have identified the hackers as Unit 61486, according to interviews with a half-dozen current and former American officials.


# # #

Women in InfoSec: Building Bonds & New Solution

  • By Lysa Myers
  • Dark Reading
  • 6/9/2014

Learning, camaraderie, and fighting the good fight are just three reasons these women are trailblazing careers in InfoSec.

There have been a lot of articles lately, suggesting a variety of ways to get young women involved in tech. Some of these ideas sound like fantastic and creative ways to make the true appeal of a career in tech more broadly tempting. Some of them…. well, not so much. It got me thinking: What was it that actually drew women who have careers in InfoSec into this industry?

As a woman working in InfoSec for over a decade and a half, I’ve had the pleasure of becoming good friends with a number of other women in the field. It has occurred to me over the years how similar many of our stories are, both in terms of what attracted us to this industry, and of what we like and dislike about it now that we’re here.

For all of us, a career in security was not something we had planned; it was simply something we fell into and found it fit our skillset nicely. Each of us had an interest in computers long before joining this industry.

“For as long as I can remember my father preached that computers were the way of the future. I think I was writing programs and reporting defects in other people’s code long before I learned how to write in cursive,” one of my female colleagues told me. “By the time I was an adult, looking for flaws was second nature. Once I was given a chance to dabble in security I found I loved playing in that space as the ‘flaws’ were much more interesting.”


# # #

14-year-old code crackers hack Winnipeg ATM

  • By Doug Lunney
  • QMI Agency
  • June 8, 2014

WINNIPEG — A couple of 14-year-old computer whizzes have the Bank of Montreal upgrading its security after the teens hacked an ATM.

Matthew Hewlett and Caleb Turon, both Grade 9 students, found an old ATM operators manual online that showed how to get into the machine’s operator mode.

On Wednesday over their lunch hour, they went to the BMO’s ATM at the Safeway on Grant Avenue to see if they could get into the system.

“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett said. “When it did, it asked for a password.”

Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password. The boys then immediately went to the BMO Charleswood Centre branch on Grant Avenue to notify them.


# # #

Why New Macs Are DHS’ Key to Malware That Targets PCs

  • By Rebecca Carroll
  • June 9, 2014

A federal office that analyzes malicious code and compromised computers says it needs new MacPros with specialized software to analyze malware designed to undermine Windows-based systems.

The vast majority of malware is written for PCs, explained the Homeland Security Department, justifying its requirement for buying name-brand computers for analysts in the Security Operations Center. “The host operating system should be something other than the operating system the malware was designed to exploit to avoid the potential for compromising the base OS and possibly spreading to other analysis machines sharing the network,” the agency said.

The center’s analysts will run corrupted code on the Macs inside a sandbox — an isolated virtual environment in which programmers can conduct tests, the agency said. If they receive Mac-based malware, the Mac will be required to analyze it dynamically.

The Security Operations Center needs the computers for its new offices at DHS headquarters on the grounds of a hospital in Southeast Washington. The center is currently using computers and software licenses that belong to Customs and Border Protection, where they will stay after the move.


# # #


Updated: June 14, 2014 — 6:29 pm

The Author

Rich Fleetwood

Rich is the founder of SurvivalRing, now in its 24th year, author of multimedia CDs and DVDs, loves the outdoors, his family, his geeky skill-set, and lives in rural southern Wyoming, just below the continental divide (long story, that...). Always ready to help others, he shares what he learns on multiple blogs, many social sites, and more. With a background in preparedness and survival skills, training with county, state, and national organizations, and skills in all areas of media and on air experience in live radio and television, Rich is always thinking about the "big picture", when it comes to helping individuals and families prepare for life's little surprises.
