FYI
After years of warnings, mobile network hackers exploit SS7 flaws
to drain bank accounts - O2 confirms online thefts using stolen 2FA
SMS codes - Experts have been warning for years about security
blunders in the Signaling System 7 protocol – the magic glue used by
cellphone networks to communicate with each other.
http://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/
Several New Players With No Prior Cyber Espionage Experience Jump
Into the Hacking Game - Russian state hackers get the headlines, but
nations across the globe are pouring money into cyber espionage
units, a development, security experts say, that is allowing smaller
nations to close the espionage gap without the satellites or tech
muscle of big nations.
http://www.govtech.com/security/Several-New-Players-With-No-Prior-Cyber-Espionage-Experience-Jump-Into-the-Hacking-Game.html
Flagging Treacherous Ground: Converting Security Liabilities into
Assets - New school security awareness training has become an
integral part of the layered security posture developed by many
organizations large and small.
https://www.scmagazine.com/flagging-treacherous-ground-converting-security-liabilities-into-assets/article/652222/
BEC scammers picked off $5B, FBI says - Business E-mail Compromise
(BEC) scams have now raked in a total of $5 billion, according to
the Federal Bureau of Investigation (FBI).
https://www.scmagazine.com/bec-scammers-picked-off-5b-fbi-says/article/655452/
Oakland PD accused of misleading judge for stingray use - An
Oakland, Calif.-based defense attorney is accusing the local police
department of deliberately misleading a judge who signed an order
used to justify the use of two stingrays in order to locate her
client.
https://www.scmagazine.com/lawyer-accuses-oakland-pd-of-deliberately-misleading-judge-on-stingray-use/article/655566/
New Dems Urge OPM to Hire More Cyber Pros Without 4-Year Degrees - A
trio of moderate congressional Democrats pushed the Office of
Personnel Management this week to update its hiring practices to
open up more federal jobs to cybersecurity workers without 4-year
degrees.
http://www.nextgov.com/cybersecurity/2017/05/new-dems-urge-opm-hire-more-cyber-pros-without-4-year-degrees/137616/
Yahoo! bug bounty hits $2 million payout mark - Yahoo's
three-year-old bug bounty program has paid out more than $2 million
to bug hunters with the most recent important find taking place in
April when a vulnerability in Flickr was revealed.
https://www.scmagazine.com/yahoo-bug-bounty-hits-2-million-payout-mark/article/656387/
FTC launches cybersecurity site for small businesses - The Federal
Trade Commission (FTC) has launched a new website where small
businesses can receive tips and advice on cybersecurity issues.
https://www.scmagazine.com/ftc-launches-cybersecurity-site-for-small-businesses/article/656367/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
Data from 500,000 pediatric patients spotted for sale -
Approximately 500,000 pediatric medical records -- many from
doctors' offices that didn't know they had been breached -- were
spotted for sale on the dark web.
https://www.scmagazine.com/500000-pediatric-records-for-sale-on-dark-web-from-unknown-sources/article/655099/
Massive Google Docs phishing attack targeted credentials,
permissions - A fast moving, but widespread phishing attack
targeting Google Gmail and Docs users hit yesterday affecting an
unknown number of victims with the likely goal of stealing login
credentials and millions of additional email addresses that could be
used for a future phishing campaign.
https://www.scmagazine.com/massive-google-docs-phishing-attack-targeted-credentials-permissions/article/654938/
Attackers sabotage HandBrake's download for Macs to deliver Proton
RAT - The developers of open-source digital video file transcoder
HandBrake have advised Mac-based users that they may be infected
with a malicious backdoor after an attacker replaced a HandBrake
installation package with a variant of the Proton remote access
trojan malware.
https://www.scmagazine.com/attackers-sabotage-handbrakes-download-for-macs-to-deliver-proton-rat/article/655722/
Breach of U.K.'s Debenhams site impacts 26K - The Flowers website of
Debenhams, the U.K.'s largest department store chain (in outlet
numbers), was hit with a breach.
https://www.scmagazine.com/breach-of-uks-debenhams-site-impacts-26k/article/655725/
Breach at Sabre Corp.’s Hospitality Unit - Breaches involving major
players in the hospitality industry continue to pile up. Today,
travel industry giant Sabre Corp. disclosed what could be a
significant breach of payment and customer data tied to bookings
processed through a reservations system that serves more than 32,000
hotels and other lodging establishments.
http://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-hospitality-unit/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Sound Practices to Help Maintain the Privacy of Customer E-Banking
Information
1. Banks should employ appropriate cryptographic techniques,
specific protocols or other security controls to ensure the
confidentiality of customer e-banking data.
2. Banks should develop appropriate procedures and controls to
periodically assess their customer security infrastructure and
protocols for e-banking.
3. Banks should ensure that their third-party service providers have
confidentiality and privacy policies that are consistent with their
own.
4. Banks should take appropriate steps to inform e-banking
customers about the confidentiality and privacy of their
information. These steps may include:
a) Informing customers of the bank's privacy policy, possibly on
the bank's website. Clear, concise language in such statements is
essential to assure that the customer fully understands the privacy
policy. Lengthy legal descriptions, while accurate, are likely to go
unread by the majority of customers.
b) Instructing customers on the need to protect their passwords,
personal identification numbers (PINs) and other banking and/or
personal data.
c) Providing customers with information regarding the general
security of their personal computer, including the benefits of using
virus protection software, physical access controls and personal
firewalls for static Internet connections.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
Sensitive information is frequently contained on media such as
paper documents, output reports, back-up tapes, disks, cassettes,
optical storage, test data, and system documentation. Protection of
that data requires protection of the media. The theft, destruction,
or other loss of the media could result in the
exposure of corporate secrets, breaches in customer confidentiality,
alteration of data, and the disruption of business activities. The
policies and procedures necessary to protect media may need revision
as new data storage technologies are contemplated for use and new
methods of attack are developed. The sensitivity of the data (as
reflected in the data classification) dictates the extent of
procedures and controls required. Many institutions find it easier
to store and dispose of all media consistently without having to
segregate out the most sensitive information. This approach also can
help reduce the likelihood that someone could infer sensitive
information by aggregating a large amount of less sensitive
information. Management must address three components to secure
media properly: handling and storage, disposal, and transit.
HANDLING AND STORAGE
IT management should ensure secure storage of media from
unauthorized access. Controls could include physical and
environmental controls including fire and flood protection, limited
access (e.g., physical locks, keypad, passwords, biometrics),
labeling, and logged access. Management should establish access
controls to limit access to media, while ensuring all employees have
authorization to access the minimum level of data required to
perform their responsibilities. More sensitive media like system
documentation, application source code, and production transaction
data should have more extensive controls to guard against alteration
(e.g., integrity checkers, cryptographic hashes). Furthermore,
policies should minimize the distribution of sensitive media,
including the printouts of sensitive information. Periodically, the
security staff, audit staff, and data owners should review
authorization levels and distribution lists to ensure they remain
appropriate and current.
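The booklet's mention of integrity checkers and cryptographic hashes for sensitive media (source code, system documentation, production data) can be illustrated with a small hash-manifest checker. This is an added example, not FFIEC text; the directory layout and file contents are constructed for the demonstration.

```python
"""Hash-manifest integrity checker (added example, not from the FFIEC booklet).

Builds a manifest of SHA-256 digests for every file under a directory, then
verifies a later state of the tree against it, reporting altered, missing
and unexpected files. The demo constructs a small sample tree in a temp dir.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in chunks so large media (backups, source trees) are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX-style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify(root: Path, manifest: dict) -> dict:
    """Compare the current tree with a previously recorded manifest."""
    current = build_manifest(root)
    return {
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: record a baseline, then edit one file, delete one, add one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "ledger.py").write_text("def post(tx): ...\n")
        (root / "docs.txt").write_text("system documentation\n")
        manifest = build_manifest(root)
        (root / "src" / "ledger.py").write_text("def post(tx): return 0\n")  # altered
        (root / "docs.txt").unlink()                                        # missing
        (root / "notes.txt").write_text("new\n")                             # unexpected
        return verify(root, manifest)
```

The manifest only proves anything if it is stored (or signed) separately from the media it describes, since someone who can alter the files can otherwise rewrite the digests as well.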
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Section III. Operational Controls - Chapter 10
10.3 Contractor Access Considerations
Many federal agencies as well as private organizations use
contractors and consultants to assist with computer processing.
Contractors are often used for shorter periods of time than regular
employees. This factor may change the cost-effectiveness of
conducting screening. The often higher turnover among contractor
personnel generates additional costs for security programs in terms
of user administration.
10.4 Public Access Considerations
Many federal agencies have begun to design, develop, and implement
public access systems for electronic dissemination of information to
the public. Some systems provide electronic interaction by allowing
the public to send information to the government (e.g., electronic
tax filing) as well as to receive it. When systems are made
available for access by the public (or a large or significant subset
thereof), additional security issues arise due to: (1) increased
threats against public access systems and (2) the difficulty of
security administration.
While many computer systems have been victims of hacker attacks,
public access systems are well known and have published phone
numbers and network access IDs. In addition, a successful attack
could result in a lot of publicity. For these reasons, public access
systems are subject to a greater threat from hacker attacks on the
confidentiality, availability, and integrity of information
processed by a system. In general, it is safe to say that when a
system is made available for public access, the risk to the system
increases -- and often the constraints on its use are tightened.
Besides increased risk of hackers, public access systems can be
subject to insider malice. For example, an unscrupulous user, such
as a disgruntled employee, may try to introduce errors into data
files intended for distribution in order to embarrass or discredit
the organization. Attacks on public access systems could have a
substantial impact on the organization's reputation and the level of
public confidence due to the high visibility of public access
systems. Other security problems may arise from unintentional
actions by untrained users.
In systems without public access, there are procedures for
enrolling users that often involve some user training and frequently
require the signing of forms acknowledging user responsibilities. In
addition, user profiles can be created and sophisticated audit
mechanisms can be developed to detect unusual activity by a user. In
public access systems, users are often anonymous. This can
complicate system security administration.
In most systems without public access, users are typically a mix of
known employees or contractors. In this case, imperfectly
implemented access control schemes may be tolerated. However, when
opening up a system to public access, additional precautions may be
necessary because of the increased threats.