Security Headlines

The Security News can be sent directly to you.  As a citizen, you can receive security information relating to consumer products and as a technology community member, you can receive additional technical information.

Subscribe


Malware/Phishing

Why It's Still A Bad Idea to Post or Trash Your Airline Boarding Pass
August 24, 2017
Being careless with your boarding pass could jeopardize your privacy or even cause trip disruptions down the road.
Source: Krebs On Security
https://krebsonsecurity.com/2017/08/why-its-still-a-bad-idea-to-post-or-trash-your-airline-boarding-pass/ 

Don’t Want Your SMSs Stolen? Don’t Download These Android Apps
July 27, 2017
It’s normal for Android apps to download plugins. It’s not so normal when one of those plugins tries to steal your SMS messages.
Source: Sophos
https://nakedsecurity.sophos.com/2017/07/27/dont-want-your-smss-stolen-dont-download-these-android-apps/ 

Android Malware That Snoops On Your Phone
July 21, 2017
Android users have a new strain of malware that sits in the background of infected devices.
Source: Sophos
https://nakedsecurity.sophos.com/2017/07/21/watch-out-for-the-android-malware-that-snoops-on-your-phone/

Germany Says Cyber Threat Greater Than Expected, More Firms Affected
July 7, 2017
Germany's BSI federal cyber agency said that the threat posed to German firms by recent cyber attacks launched via a Ukrainian auditing software was greater than expected, and some German firms had seen production halted for over a week.
Source: Reuters
http://www.reuters.com/article/us-cyber-attack-ukraine-germany-idUSKBN19S1EU 


Security News

Russian Hackers Feel the Heat
August 25, 2017
Alexander Vinnik one of seven Russians arrested or indicted on U.S. cyber crime charges this year. On average, just two Russian cyber criminals were extradited to the United States each year between 2010 and the start of 2017.
Source: Reuters
http://www.reuters.com/article/us-russia-cyber-idUSKCN1B50LY

Voter Registration Data from 9 States Available for Sale on Dark Web
July 24, 2017
Over 40 million voter records from nine different states being traded in an underground forum for stolen credit card data and login credentials.
Source: Dark Reading
http://www.darkreading.com/attacks-breaches/voter-registration-data-from-9-states-available-for-sale-on-dark-web/d/d-id/1329451 

Start With Security – and Stick With It
July 28, 2017
When it comes to data security, what’s reasonable will depend on the size and nature of your business and the kind of data you deal with. But certain principles apply across the board: Don’t collect sensitive information you don’t need. Protect the information you maintain. And train your staff to carry out your policies.
Source: Federal Trade Commission
https://www.ftc.gov/news-events/blogs/business-blog/2017/07/start-security-stick-it 

Kansas Department of Commerce Breach
July 20, 2017
A breach of a Kansas Department of Commerce system exposed more than 5 million Social Security numbers.
Source: The Hill
http://thehill.com/policy/cybersecurity/343028-kansas-breach-exposed-over-5-million-social-security-numbers-report 

University of Iowa Data Breach
July 12, 2017
University of Iowa Health Care (UIHC) discovered that protected health information for 5,300 patients was inadvertently saved in unencrypted files that were posted online through an application development site. 
Source: The Gazette
http://www.thegazette.com/subject/news/education/higher-education/university-of-iowa-health-care-warns-thousands-of-patient-data-breach-20170711 

Russians  Are Suspects in Nuclear Site Hackings
July 7, 2017
Hackers working for a foreign government recently breached at least a dozen U.S. power plants, including the Wolf Creek nuclear facility in Kansas, according to current and former U.S. officials, sparking concerns the attackers were searching for vulnerabilities in the electrical grid.
Source: Bloomberg
https://www.bloomberg.com/news/articles/2017-07-07/russians-are-said-to-be-suspects-in-hacks-involving-nuclear-site

Indiana Health Coverage Program (IHCP) Data Breach
July 5, 2017
Medicaid recipients may have been victims of a data breach when an internet hyperlink made patient information accessible between February and May of this year.
Source: WOWO
https://www.wowo.com/possible-data-breach-medicaid-patients/  


Software\Hardware

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-004
August 16, 2017
Drupal 8.3.7 is a maintenance release which contain fixes for security vulnerabilities.
Source: Drupal
https://www.drupal.org/SA-CORE-2017-004

MIcrosoft Office\Outlook Vulnerability
July 28, 2017
Multiple vulnerabilities have been discovered in Microsoft Office and Outlook.
Source: Microsoft
https://support.office.com/en-us/article/Outlook-known-issues-in-the-June-2017-security-updates-3f6dbffd-8505-492d-b19f-b3b89369ed9b?ui=en-US&rs=en-US&ad=US&fromAR=1 

Vulnerabilities in Apple Products
July 19, 2017
Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, macOS, iCloud for Windows, and iTunes for Windows and Safari, the most severe of which could allow for arbitrary code execution
Source: Apple
https://support.apple.com/en-us/HT201222 

Cisco WebEx Browser Extension Remote Code Execution Vulnerability
July 17, 2017
A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system.
Source: Cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex 

Samba Security Update
July 12, 2017
Security update released for all version of Samba from 4.0.0 onwards.
Source: Samba.org
https://www.samba.org/samba/security/CVE-2017-11103.html 

Adobe Flash Update
July 11, 2017
Adobe has released security updates for Adobe Flash Player.
Source: Adobe
https://helpx.adobe.com/security/products/flash-player/apsb17-21.html 

SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software
July 6, 2017
The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload.
Source: Cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp 

SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software
July 6, 2017
The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload.
Source: Cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp 


Research

The Internet of Things (IoT) Promises New Benefits And Risks: A Systematic Analysis of Adoption Dynamics of IoT Products
August 23, 2017
The rush to adopt products on the Internet of Things (IoT) before securing them will make them attractive to cyber criminals and vulnerable to cyber-incidents
Source: Massachusetts Institute of Technology
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3022111 

Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD
July 27, 2017
The Internet of Things (IoT) is the set of Internet-capable devices, such as wearable fitness devices and smartphones, that interact with the physical environment and typically contain elements for sensing, communicating, processing, and actuating. Even as the IoT creates many benefits, it is important to acknowledge its emerging security implications
Source: Government Accountability Office
http://www.gao.gov/products/GAO-17-668 

6thSense: A Context-aware Sensor-based Attack Detector for Smart Devices
June 2017
Sensors (e.g., light, gyroscope, accelerometer) and sensing enabled applications on a smart device make the applications more user-friendly and efficient. However, the current permission-based sensor management systems of smart devices only focus on certain sensors and any App can get access to other sensors by just accessing the generic sensor API. In this way, attackers can exploit these sensors in numerous ways: they can extract or leak users’ sensitive information, transfer malware, or record or steal sensitive information from other nearby devices
Source: Florida International University
https://arxiv.org/abs/1706.10220

Report On Improving Cybersecurity In The Health Care Industry
June 2017
The Health Care Industry Cybersecurity Task Force has released its report to Congress.
Source: US Department of Health and Human Services
https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf 


Information Crime

Iowa Computer Programmer Gets 25 Years for Lottery Scam
August 22, 2017
A former lottery computer programmer who admitted to rigging computers to enable him to pick winning numbers was sentenced to up to 25 years in prison.
Source: ABC News
http://abcnews.go.com/US/wireStory/iowa-computer-programmer-25-years-lottery-scam-49360920 

Anti-theft Law Results in Huge Drop in Stolen Phones
July 27, 2017
San Francisco’s district attorney says that a California state law mandating "theft-deterring technological solutions" for smartphones has resulted in a precipitous drop in such robberies.
Source: San Francisco District Attorney
http://sfdistrictattorney.org/anniversary-landmark-legislation-coincides-continuing-decline-violent-smartphone-robberies 

Russian Sentenced In U.S. To Five Years Prison For 'Citadel' Malware
July 19, 2017
A Russian man who U.S. prosecutors say played a role in developing the sophisticated malware known as "Citadel" used to steal personal financial information from thousands of computers worldwide was sentenced to five years in prison.
Source: Reuters
http://www.reuters.com/article/usa-cybersecurity-citadel-idUSKBN1A42GW 

Russian-Born Cybercriminal Sentenced to Over Nine Years in Prison
July 10, 2017
A nearly decade-long member of several elite Russian-speaking cybercrime forums was sentenced to 110 months in prison for running a sophisticated scheme to steal and traffic sensitive personal and financial information in the online criminal underground.
Source: US Attorney’s Office Eastern District of Virginia
https://www.justice.gov/usao-edva/pr/russian-born-cybercriminal-sentenced-over-nine-years-prison 

Hacker Who Aided Russian Intelligence Is Sentenced to 2 Years
July 6, 2017
Moscow City Court sentenced Vladimir Anikeyev, the head of a hacking group that the authorities cracked down on last winter, to two years in a penal colony.
Source: New York Times
https://www.nytimes.com/2017/07/06/world/europe/vladimir-anikeyev-russia-hacking.html 

Printed from the Information Security Office website on February 19, 2018 at 4:18am.