[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
RIGGING COMPROMISE – RIG EXPLOIT KIT
Exploit kits are one of the biggest threats affecting users both inside and outside the enterprise: they compromise indiscriminately, delivering a malicious payload to anyone who simply visits a web site.
One of the challenges with exploit kits is that at any given time there are numerous kits active on the Internet.
RIG is one of these exploit kits that is always around delivering malicious payloads to unsuspecting users.
RIG first appeared in our telemetry in November 2013; back then we referred to it as Goon, today it’s known as RIG.
We started focusing on RIG and found some interesting data similar to what we found while analyzing Angler.
This post will discuss RIG, findings in the data, and what actions were taken as a result.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fb4d16aa9d&e=20056c7556
Eight arrested in eastern Europe over ATM malware attacks
Europol has announced the takedown of an international criminal group believed to be behind a series of ATM malware attacks dating back to at least 2014.
Said to be one of the first operations of this type in Europe, it resulted in multiple house searches and arrests in Romania and the Republic of Moldova.
Using malware dubbed Tyupkin, the suspects were allegedly able to empty cash from ATMs on demand once the trojan had been installed on the machine.
Known as “ATM jackpotting”, the technique let attackers empty infected machines by issuing commands through the ATM’s PIN pad.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5feffb1402&e=20056c7556
Trend Micro: Internet scum grab Let’s Encrypt certs to shield malware
It was inevitable.
Trend Micro says it has spotted crooks abusing the free Let’s Encrypt certificate system to smuggle malware onto computers.
The security biz’s fraud bod Joseph Chen noticed the caper on December 21.
Folks in Japan visited a website that served up malware over encrypted HTTPS using a Let’s Encrypt-issued cert.
The site used the Angler Exploit Kit to infect their machines with the software nasty, which is designed to raid their online bank accounts.
Encrypting the connection hides the malware from network security scanners while it is in transit, and the certificate lends the malicious site an air of legitimacy, even though a domain-validated certificate only attests control of the domain name, not the good faith of whoever operates it.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d88818e8fa&e=20056c7556
Daimler selects OT to connect its cars securely
Daimler AG (Xetra:DAI.DE), a large producer of premium cars and a manufacturer of commercial vehicles, and Oberthur Technologies (OT), a provider of embedded security software products, services and solutions, announced on Wednesday a new partnership to connect Mercedes-Benz passenger cars with OT’s embedded remotely programmable SIM.
Reportedly, this disruptive embedded connectivity solution will be implemented in Daimler’s vehicles starting with the new Mercedes-Benz E-class from March 2016.
According to the companies, with OT’s automotive-grade eUICC called DIM DakOTa Auto and OT’s M-Connect solution, Daimler will simplify the integration and management of Mobile Network Operator (MNO) subscriptions in the cars during their entire life cycle.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d6a9ecabd9&e=20056c7556
5 things hackers love to see you share on social media
To help you play it safe, here’s a list of things you should never share on social media.
1) Your Phone Number
2) Your Home Address
3) Your New Credit Card
4) Hacker-Targeted Hashtags
5) Where You’ve Checked In
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b196e334d7&e=20056c7556
Common pins an easy target for thieves and hackers
Nick Berry, president of DataGenetics.com, studied almost 3.4 million leaked four-digit PINs to find the most and least common personal identification numbers.
Unsurprisingly, the most common was 1234, used by 10.713 per cent of people.
1111 came next, with more than six per cent of people sticking to ones.
Other common codes included 0000, 1010, 6666 and 4321.
On the other end of the scale, 8086 was the least common PIN with only 25 occurrences in 3.4 million.
“NAB advises customers to help minimise fraud by keeping their PIN a secret,” spokeswoman Elise Huck said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0cc303cad0&e=20056c7556
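The kind of analysis described above, and the policy check a bank or app developer would derive from it, as an added example (this is not DataGenetics’ code, and the PIN list is constructed for illustration rather than taken from the 3.4 million-entry data set): it ranks PINs in a leak by frequency, builds a blocklist from the top entries, and rejects new PINs that match the patterns behind the most common ones (one repeated digit, a repeated pair such as 1010, a consecutive sequence such as 1234 or 4321, and plausible years).

```python
"""Weak-PIN analysis: frequency ranking of a leaked PIN list plus a policy
check that rejects the patterns behind the most common PINs.

Added example. SAMPLE_LEAK is constructed for illustration; it is not the
DataGenetics data set and its counts only mirror the article's ranking.
"""
from collections import Counter

# Constructed sample leak: 1234 first, 1111 second, a few other common
# codes, one year-like PIN and a tail of singletons (37 PINs in total).
SAMPLE_LEAK = (
    ["1234"] * 11 + ["1111"] * 6 + ["0000"] * 3 + ["1010"] * 2
    + ["6666"] * 2 + ["4321"] * 2 + ["2580"] * 2 + ["1990"]
    + ["8086", "7395", "6835", "9629", "3084", "2362", "4719", "5907"]
)


def pin_frequencies(pins):
    """Return (pin, count, percent) tuples, most common first.

    Ties are broken by the PIN string so the ranking is deterministic.
    """
    counts = Counter(pins)
    total = len(pins)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(pin, n, round(100.0 * n / total, 3)) for pin, n in ranked]


def top_n_blocklist(pins, n=20):
    """Build a blocklist from the n most common PINs in a leak."""
    return frozenset(pin for pin, _, _ in pin_frequencies(pins)[:n])


def _is_sequence(pin):
    """True for an ascending or descending run of consecutive digits."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def weak_pin_reason(pin, blocklist=frozenset()):
    """Return why a PIN is weak, or None if it passes.

    Checks, in order: four digits only, membership in the leak-derived
    blocklist, a single repeated digit (1111), a repeated pair (1010),
    a consecutive sequence (1234, 4321) and a plausible year (19xx, 20xx).
    """
    if len(pin) != 4 or not pin.isdigit():
        return "format"
    if pin in blocklist:
        return "blocklist"
    if len(set(pin)) == 1:
        return "repeated-digit"
    if pin[:2] == pin[2:]:
        return "repeated-pair"
    if _is_sequence(pin):
        return "sequence"
    if pin.startswith(("19", "20")):
        return "year"
    return None


def audit(pins, blocklist):
    """Count how many PINs in a population fail the policy, by reason."""
    failures = Counter(weak_pin_reason(p, blocklist) for p in pins)
    failures.pop(None, None)  # drop the PINs that passed
    return dict(failures)


if __name__ == "__main__":
    for pin, n, pct in pin_frequencies(SAMPLE_LEAK)[:5]:
        print(f"{pin} {n:>3} {pct:7.3f}%")
    blocklist = top_n_blocklist(SAMPLE_LEAK, n=5)
    print(audit(SAMPLE_LEAK, blocklist))
```

The blocklist and the pattern checks overlap deliberately: the blocklist catches whatever is common in the leak you have, while the pattern rules catch PINs of the same shape that did not happen to appear in it. In production the blocklist would come from a much larger leak, and the check should also be applied when a customer changes a PIN, not only at enrolment.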
Cyber security takes centre stage at Security & Counter Terror Expo 2016
David Thompson, Security & Counter Terror Expo Event Manager, said: “The threat posed by terrorists is now multi-faceted with groups utilising technology as a key weapon in their arsenal.
Targets are becoming more diverse, as are the methods employed by those that seek to do us harm.
Security & Counter Terror Expo will reflect these developments, showcasing cutting-edge technology while exploring the latest cyber security strategies.
The event has an increased focus on uniting domestic and international professionals, and will include a host of features that benefit those working in the public and private sectors.
Alongside the exhibition, leading figures will discuss the latest solutions and strategies at the Cyber Threat Intelligence Conference.
Presented by techUK, the representative body for the UK’s technology industry, the sessions will bring together all those who work to prevent cyber terrorism and crime.
Among the topics to be discussed will be an overview of global cyber security threats and how to mitigate against them.
Key speakers will include Chris Gibson, Director at CERT-UK; Richard Parris, Chairman and Chief Executive of Intercede; Prof. Chris Hankin, Director at the Institute for Security Science and Technology; and representatives from the National Crime Agency’s National Cyber Crime Unit.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=97929d1eea&e=20056c7556
Figuring Out What Happened After a Data Breach
As management consultant Peter Drucker once said, the only thing that’s inevitable in the life of the leader is the crisis.
Once a security incident or confirmed breach unfolds, you’re in the spotlight.
It’s your testing time to see what you’re really made of.
Why not start working on making yourself look good today?
Applying this to security incidents and data breaches, you can step back and take a look at the bigger picture of what’s going on and what it’s going to take to resolve the challenge by asking the following questions:
• What has actually happened?
• How did it happen?
• What was impacted?
• Who/what information was involved?
• Who else needs to be on the response team?
• What are the next steps?
Figure out what the worst thing is that could happen, do everything within reason to make sure that it doesn’t happen and then have a plan to minimize the impact of any residual risks.
It’s really as simple as that.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1dc165f693&e=20056c7556
Does a data breach really affect your firm’s reputation?
One thing is clear: a data breach is a PR and financial disaster.
Companies often spot the intrusion too late and respond inadequately, resulting in a (temporary) fall in sales and journalist outrage.
Customer loyalty does suffer in the event of a breach, and sales do take a nose-dive.
Target’s fourth-quarter 2013 profit fell 46 percent year-on-year to $520 million (81 cents a share), while eBay (breached in mid-2014) admitted that declining user activity hit its quarterly net revenue.
There are other financial costs to bear, including additional security (pen testers, consultants, security vendors, PRs and lawyers), litigation and fines by data protection authorities.
Reputational damage sees a differing of opinion, though.
InfoSec folk largely agree that breaches impact on the bottom line, but that – managed and responded to adequately – it can become business as usual (BAU).
Stock prices recover, and stake holders are appeased.
Data protection authorities can be held off at arm’s length.
Earlier this year, Ponemon Institute’s “The Aftermath of a Mega Data Breach: Consumer Sentiment” found that data breaches rank alongside poor customer service and environmental disasters in their impact on brand reputation.
Elsewhere, the Forbes Insights report ‘Fallout: The Reputational Impact of IT Risk’ indicated that 46 percent of organizations had suffered damage to their reputation and brand value as a result of a breach.
Another 19 percent of organizations suffered reputational and brand damage as a result of a third-party security breach or IT system failure.
“What C-levels want from a CISO is a risk metric and a value in terms of cost.
They want to understand exactly what their liability will be if such an event were to take place.
CISOs need to be able to give C-level execs a definitive answer on this, yet often it’s hard as asset registers are missing, digital footprints are unknown, risk models are complex and claim forms are dubious.
It’s clear, then, that breaches do damage trust, brand reputation to a degree, and the bottom line.
Target and JP Morgan pledged to spend an additional $100 million and $500 million respectively on security post-breach, while Target also had to reimburse card issuers and incurred $236 million in breach-related costs ($90 million of which was offset by insurance).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4ab1f96f20&e=20056c7556
Higher fines for privacy breaches and data breach notification duty enter into force on 1 January 2016
Recently the Dutch Senate passed the bill on data breach notifications and sanctions.
This bill introduces higher fines for non-compliance with the Dutch Data Protection Act.
In addition, companies will be obliged to notify the Dutch Data Protection Authority (“DPA”) immediately of any data breach.
Depending on the exact circumstances, data subjects will also have to be notified if their data are compromised.
Non-compliance with privacy laws can lead to an administrative fine for each violation, the amount of which can be up to a maximum of EUR 810,000 or 10% of the company’s annual net turnover.
The new legislation will enter into force on 1 January 2016.
The new amendments to the Dutch Data Protection Act will allow the DPA to impose fines for the violation of a large number of general obligations (see the amended Article 66 of the Dutch Data Protection Act).
These fines vary from a minimum of EUR 20,250, for relatively minor violations, to a maximum of EUR 810,000, for deliberate or repeated violations.
For legal entities, the amount of the fine is not fixed: if the highest fine category is not sufficiently punitive, the violation can be sanctioned by a fine equal to 10% of the company’s annual net turnover.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6f62776c14&e=20056c7556
The secure GC: Data breach preparedness through auditing
When a data breach occurs, the immediate hours after are both chaotic and critical to an effective response.
Preparation is therefore essential.
One component of executing an effective breach response is a solid understanding of the contractual contours between contributing or impacted third parties.
Scouring a contract management system, or worse, a file cabinet of paper contracts to understand relevant third party relationships and obligations in the heat of a breach could therefore result in the organization spinning its wheels when it should be implementing its data breach response plan.
Auditing, extracting key provisions, and organizing those provisions before a breach occurs can therefore be a valuable tool in responding to an incident or full-scale data security crisis.
But how can inside counsel be confident that she has cataloged the provisions most relevant to a breach response?
Collecting and understanding the following provisions in third party agreements is a good starting point for preparedness when a breach occurs.
-Security-Related Service Responsibilities
-Governance
-Breach Notification Obligations
-Data Encryption Provisions
-Audit Provisions
-Insurance Coverage
-Expense Reimbursement
-Termination Rights
Controlling the chaos of a breach response is more than half the battle.
By taking the time to audit, consolidate, and organize the key contractual provisions with third parties related to data security management before a breach, inside counsel will take a significant step toward a successful data breach response.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=09f3d386d0&e=20056c7556
Samsung Portable SSD T3 offers increased data security and portability
Samsung announced the Samsung Portable SSD T3, a palm-sized, external SSD that offers multi-terabyte storage capacity.
Designed specifically for today’s mobile lifestyle, the Portable SSD T3 is compact, lightweight and durable.
The drive is smaller than an average business card and weighs approximately 50 grams (less than two ounces), allowing users to easily carry large amounts of data with them anywhere.
The drive has a simple set-up process for users, with one user-set password.
The drive is equipped with AES 256-bit hardware encryption for the high level of security and protection across Windows, Mac and Android OS based devices.
Even if the drive falls into the wrong hands, the data stored on it is inaccessible without the password, so the protection is only as good as the password the user chooses.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bd65430077&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=dca6476ccf)
Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)