Security Roundup: Issue 1

Welcome to the security roundup, a collection of security news for the week in a curated (and hopefully easy-to-read) format:

In the News

WikiLeaks releases Marble source code, used by the CIA to hide the source of malware it deployed: Marble source code released on wikileaks. (Betanews)
WikiLeaks holds tech companies' feet to the fire before helping with zero days revealed in CIA leaks: Potential zero day vulnabilties to a number of popular hardware and software. Assessment so far is that number of attacks are outdated or have already been patched. (Betanews)
Apple says it has already fixed CIA's Mac and iPhone hacks revealed by WikiLeaks: Alleged Mac and iPhone vulnerabilties have been fixed (Betanews)
Despite Apple denial, hackers prove stolen iCloud data is real: It wouldn't be a bad idea to change your iCloud password and enable 2-factor authentication asap, regardless of whether this data was stolen (BGR)
Congress Removes FCC Privacy Protections on Your Internet Usage: Your internet search history may be up for sale. (Bruce Schneier)
Trump Extends Obama's EO for Sanctioning Hackers: EO for sanctioning hackers has been extended for another year. (Dark Reading)
US Border Policy Shifts May Drive Changes in Laptop Security: New travel restrictions will likely force more businesses to enforce stronger laptop security measures...or start to enforce what is written in security policies. (Dark Reading)
LASTPASS PASSWORD MANAGER SUFFERS ‘MAJOR’ SECURITY PROBLEM: LastPass has a major architectural problem that cannot be easily remedied. Either avoid using it or enable 2-factor everywhere and do not use the browser extension. (Independent)
Why I Always Tug on the ATM: ATM Skimmers exist and can steal your card data. Make sure you trust an ATM before sticking your card in there! (Krebs On Security)
The Cost of launching a DDoS attack: DDoS attacks are offered as a service, cost ~$25/hour and offer the attackers running them margins as high as 95%! (Securelist)
Threat Landscape for Industrial Automation Systems, H2 2016: Industrial systems, like IoT devices, are just as prone to attack (Securelist)
Google is fighting with Symantec over encrypting the internet: Google accuses Symantec of poor security practices when it comes to issuing SSL certs. Announcement made that Chrome is lowering the amount of trust placed in certificates issued by Symantec. (TechCrunch)
Samsung Galaxy S8's Facial Unlocking Feature Can Be Fooled With A Photo: Samsung Galaxy S8 facial recognition can be bypased with a photo. (The Hacker News)
Apple iOS 10.3 Fixes Safari Flaw Used in JavaScript-based Ransomware Campaign: iOS Safari browser patched to fix ransomware exploit (The Hacker News)
Threatpost News Wrap, March 31, 2017: Microsoft IIS zero day, new Mirai variant, broadband privacy ruling (Threatpost)
NEW MIRAI VARIANT CARRIES OUT 54-HOUR DDOS ATTACKS: The potent Mirai botnet released in February is back and even more potent (Threatpost)
NUKEBOT BANKING TROJAN SOURCE CODE LEAKED ONLINE BY AUTHOR: New banking trojan released. (Threatpost)
Attackers Targeting FTP Servers to Access Patient Health Data, Warns FBI: FBI released and alert to healthcare industry that criminal actors are targeting anonymous FTP servers to access PHI (TripWire)

Security Awareness

Security Orchestration and Incident Response: Automation works great for the aspects of security we are certain about (antivirus, installing patches, authentication). Humans are still needed to deal with the uncertainty of incident response. Cyberdefense technology should focus on getting the right information to the right people at the right time. (Bruce Schneier)
Internet's Security Woes are Not All Technical: Security is more than just potentially ineffective security products--businesses need to better incentivize security and reduce code where it's necessary (Dark Reading)
NIST’s cybersecurity framework is changing -- what you should know: Version 1.1 of the cybersecurity framework is out. Main highlights: measuring performance and maturity of cybersecurity programs and how those metrics can be correlated to business objectives and outcomes, supply chain risk management (how do you perform vetting of companies, people, and products in supply chain), improvements on identity and access management (GCN)
Insider Attacks: Humans are the weakest link in security. A comprehensive survey focused on insider threats. (Haystax)
Post-FCC Privacy Rules, Should You VPN?: VPNs can be useful in protecting your privacy online, but there are caveats. Click on the link to learn more about selecting the right VPN provider (Krebs On Security)
Division Between IT and IoT Hurts Cybersecurity: Momentum gaining for birdging IT security with the inadequate security concerns that plague IoT devices (MeriTalk)
Americans and Cybersecurity: Most Americans don't trust the government yet fail to practice good cyber hygiene practices in their own lives (PEW)
Hacker Tracker: Cyber Knowledge Lags, Fighting Dirty Bitcoins, And Ignoring Ransom Demands: Most people don't understand the shortcomings of technology. Additional regulations against seedier side of bitcoin. Best defense against ransomware is having a adequate backup and restore strategy. (PYMNTS.com)
Detecting Threats Against The Internet of Things: In depth look at threats, vulnerabilities, attacks, and intrusion detection as it applies to IoT devices (SANS)
The Mistakes of Smart Medicine: Overview of major security vulnabilities facing smart medicine. Article concludes with practical security recommendations. (Securelist)
5 Signs Your Cybersecurity Awareness Program Is Paying Off: To be effective cybersecurity must be incorporated into your corporate culture. (TripWire)

Tools of the Trade

SOC-as-a-Service: All the Benefits of a Security Operations Center Without the High Costs of a DIY Solution: With its short time to implement and relative low cost, SOC-as-a-service is a viable solution for midsize companies that don't have the resources to create their own inhouse SOC (SANS)
How Security Products are Tested – Part 1: Independent testing is the best way to evaluate how effective a security solution is. Overview of testing methodologies. (Securelist)

Welcome to the security roundup, a collection of security news for the week in a curated (and hopefully easy-to-read) format:

In the News

WikiLeaks releases Marble source code, used by the CIA to hide the source of malware it deployed: Marble source code released on wikileaks. (Betanews)
WikiLeaks holds tech companies' feet to the fire before helping with zero days revealed in CIA leaks: Potential zero day vulnabilties to a number of popular hardware and software. Assessment so far is that number of attacks are outdated or have already been patched. (Betanews)
Apple says it has already fixed CIA's Mac and iPhone hacks revealed by WikiLeaks: Alleged Mac and iPhone vulnerabilties have been fixed (Betanews)
Despite Apple denial, hackers prove stolen iCloud data is real: It wouldn't be a bad idea to change your iCloud password and enable 2-factor authentication asap, regardless of whether this data was stolen (BGR)
Congress Removes FCC Privacy Protections on Your Internet Usage: Your internet search history may be up for sale. (Bruce Schneier)
Trump Extends Obama's EO for Sanctioning Hackers: EO for sanctioning hackers has been extended for another year. (Dark Reading)
US Border Policy Shifts May Drive Changes in Laptop Security: New travel restrictions will likely force more businesses to enforce stronger laptop security measures...or start to enforce what is written in security policies. (Dark Reading)
LASTPASS PASSWORD MANAGER SUFFERS ‘MAJOR’ SECURITY PROBLEM: LastPass has a major architectural problem that cannot be easily remedied. Either avoid using it or enable 2-factor everywhere and do not use the browser extension. (Independent)
Why I Always Tug on the ATM: ATM Skimmers exist and can steal your card data. Make sure you trust an ATM before sticking your card in there! (Krebs On Security)
The Cost of launching a DDoS attack: DDoS attacks are offered as a service, cost ~$25/hour and offer the attackers running them margins as high as 95%! (Securelist)
Threat Landscape for Industrial Automation Systems, H2 2016: Industrial systems, like IoT devices, are just as prone to attack (Securelist)
Google is fighting with Symantec over encrypting the internet: Google accuses Symantec of poor security practices when it comes to issuing SSL certs. Announcement made that Chrome is lowering the amount of trust placed in certificates issued by Symantec. (TechCrunch)
Samsung Galaxy S8's Facial Unlocking Feature Can Be Fooled With A Photo: Samsung Galaxy S8 facial recognition can be bypased with a photo. (The Hacker News)
Apple iOS 10.3 Fixes Safari Flaw Used in JavaScript-based Ransomware Campaign: iOS Safari browser patched to fix ransomware exploit (The Hacker News)
Threatpost News Wrap, March 31, 2017: Microsoft IIS zero day, new Mirai variant, broadband privacy ruling (Threatpost)
NEW MIRAI VARIANT CARRIES OUT 54-HOUR DDOS ATTACKS: The potent Mirai botnet released in February is back and even more potent (Threatpost)
NUKEBOT BANKING TROJAN SOURCE CODE LEAKED ONLINE BY AUTHOR: New banking trojan released. (Threatpost)
Attackers Targeting FTP Servers to Access Patient Health Data, Warns FBI: FBI released and alert to healthcare industry that criminal actors are targeting anonymous FTP servers to access PHI (TripWire)

Security Awareness

Security Orchestration and Incident Response: Automation works great for the aspects of security we are certain about (antivirus, installing patches, authentication). Humans are still needed to deal with the uncertainty of incident response. Cyberdefense technology should focus on getting the right information to the right people at the right time. (Bruce Schneier)
Internet's Security Woes are Not All Technical: Security is more than just potentially ineffective security products--businesses need to better incentivize security and reduce code where it's necessary (Dark Reading)
NIST’s cybersecurity framework is changing -- what you should know: Version 1.1 of the cybersecurity framework is out. Main highlights: measuring performance and maturity of cybersecurity programs and how those metrics can be correlated to business objectives and outcomes, supply chain risk management (how do you perform vetting of companies, people, and products in supply chain), improvements on identity and access management (GCN)
Insider Attacks: Humans are the weakest link in security. A comprehensive survey focused on insider threats. (Haystax)
Post-FCC Privacy Rules, Should You VPN?: VPNs can be useful in protecting your privacy online, but there are caveats. Click on the link to learn more about selecting the right VPN provider (Krebs On Security)
Division Between IT and IoT Hurts Cybersecurity: Momentum gaining for birdging IT security with the inadequate security concerns that plague IoT devices (MeriTalk)
Americans and Cybersecurity: Most Americans don't trust the government yet fail to practice good cyber hygiene practices in their own lives (PEW)
Hacker Tracker: Cyber Knowledge Lags, Fighting Dirty Bitcoins, And Ignoring Ransom Demands: Most people don't understand the shortcomings of technology. Additional regulations against seedier side of bitcoin. Best defense against ransomware is having a adequate backup and restore strategy. (PYMNTS.com)
Detecting Threats Against The Internet of Things: In depth look at threats, vulnerabilities, attacks, and intrusion detection as it applies to IoT devices (SANS)
The Mistakes of Smart Medicine: Overview of major security vulnabilities facing smart medicine. Article concludes with practical security recommendations. (Securelist)
5 Signs Your Cybersecurity Awareness Program Is Paying Off: To be effective cybersecurity must be incorporated into your corporate culture. (TripWire)

Tools of the Trade

SOC-as-a-Service: All the Benefits of a Security Operations Center Without the High Costs of a DIY Solution: With its short time to implement and relative low cost, SOC-as-a-service is a viable solution for midsize companies that don't have the resources to create their own inhouse SOC (SANS)
How Security Products are Tested – Part 1: Independent testing is the best way to evaluate how effective a security solution is. Overview of testing methodologies. (Securelist)

Security Roundup: Issue 1

In the News

Security Awareness

Tools of the Trade

Resource Details

About This Resource

Security Roundup: Issue 1

In the News

Security Awareness

Tools of the Trade

Resource Details

About This Resource