IT Security News Blast 1-23-2017

Survey Says 66% Of Consumers Won’t Work With Breached Companies

Of the more than 9,000 consumers surveyed, 66% say they will not work with companies that were breached. Around 80% use social media, even though 59% are aware of its risks. Some 87% use online banking, while 34% say they are aware of the risk. The study also found that financial data breach has impacted 21% of the respondents, with 36% of them blaming the breach on the website, and 27% on the breached company.

http://www.darkreading.com/attacks-breaches/survey-says-66–of-consumers-wont-work-with-breached-companies/d/d-id/1327919

Is your manufacturing company practicing proactive cybersecurity?

Hackers’ intentions can vary when targeting the industry, but they are typically financially-motivated, state-sponsored attacks, which occur when government-funded organizations break into a network to steal intellectual property (IP) and trade secrets. These groups are some of the most sophisticated hackers, using a high level of expertise when targeting companies. They seek extremely valuable IP to further the betterment of the people in their country, or perhaps more commonly, for financial gain.

http://www.manufacturingglobal.com/technology/1105/Is-your-manufacturing-company-practicing-proactive-cybersecurity

Retailers largely lack on-site security and IT expertise

  • More than two-thirds (66.7 percent) of respondents report being challenged by growing complexity in past application deployments
  • Nearly one-quarter (23.5 percent) of survey respondents have zero IT or security staffers on site at the average retail location
  • Point of sale (POS), payment authorization and payroll systems were the most commonly deployed applications, according to respondents
  • Surprisingly, just ten percent of respondents with 1,000 or more locations cited inability to scale as a challenge in past application deployments.

https://www.helpnetsecurity.com/2017/01/19/retailer-security/

What Matters More to Your Workforce than Money

One of the most striking results we’ve found is that, across all income levels, the top predictor of workplace satisfaction is not pay: It is the culture and values of the organization, followed closely by the quality of senior leadership and the career opportunities at the company. Among the six workplace factors we examined, compensation and benefits were consistently rated among the least important factors of workplace happiness.

https://hbr.org/2017/01/what-matters-more-to-your-workforce-than-money

Is Your Website a Sitting Duck for Hackers?

How likely is it that you could be hacked? According to an Identity Fraud Study released by Javelin Strategy & Research, 13.1 million U.S. consumers had money stolen from them via identity theft and cybercrime in 2015. Another identity theft report cites 781 data breaches in 2015. Hackers and cybercriminals are out there looking for weak security. So, how can you help protect yourself, your customers, and your data and make sure your website isn’t a sitting duck for hackers?

https://hackernoon.com/is-your-website-a-sitting-duck-for-hackers-4534ef6569ea#.svejyne6p

What a data breach means to your business

“Every business has information that is confidential in relation to the privacy obligations that apply, for example, employment records. This might be information about people’s sick leave and the reasons for it and other personal information, so maintaining its confidentiality is a serious matter.” He says that accounting practices are at particular risk, given the sensitivity of the data they hold.

https://intheblack.com/articles/2017/01/18/what-a-data-breach-means-to-your-business

Majority of SOCs are below optimal maturity levels

A SOC that is well-defined, subjectively evaluated and flexible is recommended for the modern enterprise to effectively monitor existing and emerging threats. However, 82 percent of SOCs are failing to meet these criteria and falling below the optimal maturity level. While this is a 3 percent improvement year-over-year, the majority of organizations are still struggling with a lack of skilled resources, as well as implementing and documenting the most effective processes.

https://www.helpnetsecurity.com/2017/01/18/soc-maturity-levels/

Trustwave Report Shows Enterprises Can’t Hire Enough Security Staff

The report concluded that it is becoming increasingly difficult for organizations to find talented IT security staff. Even if an organization is able to find staff, 35 percent of survey respondents indicated that retaining IT security staff is a major challenge. The staffing issue is further complicated when existing staff lack essential skills, with 40 percent of respondents admitting their organizations have inadequate skills sets to deal with evolving and emerging security risks.

http://www.eweek.com/security/slideshows/trustwave-report-shows-enterprises-cant-hire-enough-security-staff.html

Russian Hackers Will Try ‘Again and Again,’ Warns Samantha Power

“It would be deeply naive and deeply negligent to think that those who have discovered vulnerabilities in our system would not try to exploit them again and again,” said Power, referring to the intelligence community’s assessments that the Kremlin targeted the Democratic National Committee, or DNC, to leak stolen information and influence the outcome of the 2016 presidential election.

http://www.defenseone.com/threats/2017/01/russia-hackers-will-try-again-and-again-warns-samantha-power/134647/

Patch and security management take 8 hours per month for most companies

However, while 37.2% report spending fewer than 8 hours a month on patching, 29.6% spend more than 16 hours a month, and 14% spend more than 48! This amounts to a day and a half on average for most organisations, which is far from efficient. Finally, 54.7% of companies grant full administrative rights to their employees, making their systems more vulnerable to malware. This approach increases risk in the event of a malware attack, since there is no way to limit the damage by restricting user rights to infected devices.

https://www.helpnetsecurity.com/2017/01/17/patching/

Overseas cyber attackers targeted Lloyds

The attack, which involved swamping a website with traffic in an attempt to disable it, affected Lloyds and its Halifax and Bank of Scotland brands, leaving many customers temporarily unable to use services such as checking their balance or sending payments. No customers suffered a financial loss. TSB, which was carved out of Lloyds in 2013 but still uses its technology platform, was also hit.

https://www.ft.com/content/50318b28-e098-11e6-9645-c9357a75844a

DOJ: Microsoft isn’t harmed when it can’t tell users what data we want

As of now, Microsoft says, when the government presents it with legal demands for user data held in online storage, those court orders often come with a gag order that has no end date—which it claims is a breach of the First and Fourth Amendments. The company compares this policy to older government attempts to access purely analog information (such as paper documents in a file cabinet), where the “government had to give notice when it sought private information and communications, except in the rarest of circumstances.”

http://arstechnica.com/tech-policy/2017/01/doj-microsoft-isnt-harmed-when-it-cant-tell-users-what-data-we-want/

Protected US military server poked via army recruitment website

Beads of sweat must have surely run down the face of one hacker who, while trying to score a bug bounty, inadvertently infiltrated an “internal US Department of Defence website that requires special credentials to access.” The unnamed hacker exploited a pair of vulnerabilities to gain access to the US Army network via an unpatched website and a misconfigured proxy. The starting point, goarmy.com, paved the way to an open proxy and into the normally access-controlled internal DoD server.

http://www.theregister.co.uk/2017/01/23/us_army_bug_bounty/

In Transition: White House Cybersecurity Policy

[In] November, he pledged that on Day 1 of his presidency, he’d ask the Defense Department and the chairman of the Joint Chiefs of Staff “to develop a comprehensive plan to protect America’s vital infrastructure from cyberattacks and all other forms of attacks.” Such an approach would diverge from the Obama administration’s policy of placing the Department of Homeland Security, a civilian agency, in the lead to protect the nation’s critical infrastructure, which is mostly owned and operated by private companies. “Statutorily, that job belongs to Homeland Security,” former NSA and CIA Director Michael Hayden said at a Wall Street Journal forum last month.

http://www.bankinfosecurity.com/blogs/in-transition-white-house-cybersecurity-policy-p-2376

Giuliani as Trump’s cybersecurity adviser is an unfunny joke

All his talk of hackers as permanent criminals spreading cancer has no doubt bolstered the beliefs of conservatives in Trump’s extreme right pocket, who didn’t need help imagining pedophiles and lawless balaclava-wearing basement dwellers (or Asians in faraway hives). Like most things we’ve seen come out of Trump’s surreal fright show, Giuliani’s working hard to encourage that people and press wallow in these manipulative, lurid fantasies.

https://www.engadget.com/2017/01/20/giuliani-as-cybersecurity-adviser-not-funny/

FCC to be led by Ajit Pai, staunch opponent of consumer protection rules

Pai consistently opposed consumer protection regulations during the three-year chairmanship of Democrat Tom Wheeler, who left the FCC today. Pai opposed net neutrality rules and, after Trump’s victory, said those rules’ “days are numbered.” He also opposed lower rate caps for inmate calling, rules designed to give TV consumers cheaper alternatives to rented set-top boxes, rules that protect the privacy of ISP customers, an update to the 31-year-old Lifeline phone subsidy program to help poor people buy Internet service, a speed increase in the FCC’s broadband standard, an investigation of AT&T and Verizon charging competitors for data cap exemptions, and preemption of state laws that restrict expansion of municipal broadband.

http://arstechnica.com/tech-policy/2017/01/fcc-to-be-led-by-ajit-pai-staunch-opponent-of-consumer-protection-rules/

Mozilla wants infosec activism to be the next green movement

The prototype report details rising breaches affecting healthcare and medical industries but largely serves as a pulpit from which the browser baron and enemy of surveillance can preach privacy. Mozilla Foundation executive director Mark Surman explains, in a post dubbed “Calling all citizens of the internet”, that the web has changed from a digital permaculture in the 1990s to a place where blind users wander about under the gaze of hackers and intelligence agencies.

http://www.theregister.co.uk/2017/01/23/mozilla_internet_health_report/

Radio Station Transmission Hacked with F*** Donald Trump Song

A popular, non-profit radio station in Louisville “Crescent Hill Radio WCHQ 100.9 FM” posted on Facebook that hackers hijacked their station on Friday afternoon and an anti-Trump song was broadcast on it instead of regular transmission. The Facebook post appeared on the radio station’s page at 2:30 pm on Friday. The post read: “OK, not funny. Someone has hacked into our transmitter tower, and the FM was playing a mp3 clip repeatedly of %$^# Donald Trump.” Gary Sampson, the WCHQ program director, says that the song that was broadcast was sung by rap artists YG & Nipsey Hussle. The song was titled “FDT (F*** Donald Trump).”

https://www.hackread.com/radio-station-hacked-with-f-donald-trump-song/

BBC, NYT Twitter accounts hacked; posts fake news about Trump and Putin

On Sunday morning, a tweet was posted from the New York Times’ Twitter account @NYTvideo, which read: “BREAKING: leaked statement from Vladimir Putin says: Russia will attack the United States with Missiles.” @NYTvideo is the video page of The New York Times with more than 259,000 followers, far fewer than the main Twitter account of NYT, which has 33m followers. The same day, BBC’s Northampton Twitter account with 40,000 followers posted a tweet about US President Donald Trump being shot: “Breaking News: President Trump is injured in the arm by gunfire #Inauguration.”

https://www.hackread.com/bbc-nyt-twitter-accounts-hacked/

Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug

Heartbleed (CVE-2014-0160) was a serious bug in OpenSSL’s implementation of the TLS/DTLS heartbeat extension that allowed attackers to read portions of the affected server’s memory, potentially revealing users’ data that the server was never intended to reveal. According to Shodan CEO John Matherly, about 199,500 services remain exploitable by the Heartbleed vulnerability due to unpatched OpenSSL instances. The countries most affected by Heartbleed still remain the United States, followed by Korea, China, Germany, France, the Russian Federation, the United Kingdom, India, Brazil and Italy.

http://thehackernews.com/2017/01/heartbleed-openssl-vulnerability.html
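As an added illustration of the bug the Heartbleed item above describes (not code from The Hacker News, Shodan or OpenSSL): a model of the heartbeat handler with the missing length check beside the bounds check that fixed it. The handler names, the 256-byte stand-in for process memory and the secret placed in it are constructed for this example; the `1 + 2 + payload + 16` comparison mirrors the check added in OpenSSL 1.0.1g.

```c
/* Model of Heartbleed (CVE-2014-0160): a TLS heartbeat handler that trusts
 * the peer-supplied payload_length, beside the bounds check that fixed it.
 * Added illustration for this digest, not OpenSSL's own code; process_mem,
 * SECRET_OFFSET and the secret are constructed stand-ins for a server heap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING      16   /* minimum padding a heartbeat carries (RFC 6520) */
#define MEM_SIZE       256   /* constructed stand-in for the server's heap */
#define SECRET_OFFSET   64   /* where the constructed secret sits in that heap */

static unsigned char process_mem[MEM_SIZE];
static const char secret[] = "session-cookie=SECRET_VALUE";

/* Write a heartbeat record: type byte, two-byte big-endian payload_length,
 * payload, padding.  A Heartbleed probe sends a tiny payload with an inflated
 * payload_length.  Returns the record's real length on the wire. */
static size_t build_request(unsigned char *rec, uint16_t claimed_len,
                            const char *payload)
{
    size_t actual = strlen(payload);
    rec[0] = TLS1_HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    return 1 + 2 + actual + HB_PADDING;
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f logic): echoes claimed_len
 * bytes from the payload pointer without checking the record is that long,
 * so memcpy reads whatever follows the record in memory.  In this model the
 * over-read stays inside process_mem; the real bug read up to 64 KiB. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t *out_len)
{
    (void)rec_len;                          /* the bug: never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);      /* over-read past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + (size_t)payload + HB_PADDING;
    return 0;
}

/* Fixed handler (the 1.0.1g check): drop the record unless header, claimed
 * payload and padding all fit inside what was actually received. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;                          /* silently discard, as the patch does */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + (size_t)payload + HB_PADDING;
    return 0;
}

/* Does the response carry the constructed secret anywhere in its bytes? */
static int response_leaks_secret(const unsigned char *out, size_t out_len)
{
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(out + i, secret, n) == 0)
            return 1;
    return 0;
}

/* One malformed probe against both handlers.  Returns 1 when the vulnerable
 * handler leaks the secret and the fixed handler rejects the same record. */
int demo_heartbleed(void)
{
    static unsigned char out[3 + 65535 + HB_PADDING];
    size_t out_len = 0;
    memset(process_mem, 0, sizeof process_mem);
    memcpy(process_mem + SECRET_OFFSET, secret, strlen(secret));
    /* Record at the start of the heap: payload "hi", claimed length 120. */
    size_t rec_len = build_request(process_mem, 120, "hi");
    int leaked = heartbeat_vulnerable(process_mem, rec_len, out, &out_len) == 0
                 && response_leaks_secret(out, out_len);
    int rejected = heartbeat_fixed(process_mem, rec_len, out, &out_len) == -1;
    return leaked && rejected;
}

/* Honest heartbeat (claimed length == real payload): the fix must still
 * answer it.  Returns 1 when the fixed handler echoes it back. */
int demo_honest_heartbeat(void)
{
    unsigned char rec[64], out[64];
    size_t out_len = 0;
    size_t rec_len = build_request(rec, 2, "hi");
    return heartbeat_fixed(rec, rec_len, out, &out_len) == 0
           && out_len == rec_len && memcmp(out + 3, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable leaks, fixed rejects: %s\n",
           demo_heartbleed() ? "yes" : "no");
    printf("fixed still answers honest heartbeat: %s\n",
           demo_honest_heartbeat() ? "yes" : "no");
    return 0;
}
```

The fix is a single comparison, which is why a scanner such as Shodan's can still find unpatched hosts years later: nothing about an affected server's behaviour changes until a heartbeat with an inflated length is actually sent, so patch status has to be verified, not assumed.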