FYI - 17-Year-Old Hacks the Air Force for the Biggest Bug Bounty - Foreign and domestic hackers probed hundreds of security holes in critical Air Force networks for weeks in late spring, and the Pentagon knew all about it. But instead of getting punished, the hackers got paid. http://www.nextgov.com/cybersecurity/2017/08/17-year-old-hacks-air-force-biggest-bug-bounty/140153/

44% of sampled websites fail password protection assessment - An analysis of 48 popular websites determined that 46 percent of consumer services sites and 36 percent of enterprise or business services sites had "dangerously lax" password policies that failed to enforce even some of the most basic security requirements. https://www.scmagazine.com/44-of-sampled-websites-fail-password-protection-assessment/article/680847/

Despite concerns over cyber diplomacy, State works to align internal efforts - With all of the rising concerns about the future of cyber diplomacy at the State Department, there is new hope that the agency is finally getting its internal IT security processes aligned to be more effective. https://federalnewsradio.com/reporters-notebook/2017/08/despite-concerns-over-cyber-diplomacy-state-works-to-align-internal-efforts/

Army standardizes IT components, software across 400 units - The Army has begun an ambitious effort to implement a common set of software and hardware standards across more than 400 different units in order to maximize interoperability and combat efficiency, service officials said. https://defensesystems.com/articles/2017/08/11/army-software.aspx

State Dept. new Cyber and Technology Security directorate falls under diplomatic security - After saying it would shutter and fold the Office of the Coordinator for Cyber Issues into the Bureau of Economic and Business Affairs, raising concerns that cybersecurity would be on a backburner, the State Department has confirmed that it established a Cyber and Technology Security (CTS) directorate last May 28. https://www.scmagazine.com/state-dept-new-cyber-and-technology-security-directorate-falls-under-diplomatic-security/article/681836/

Russian cybercriminals using VOIP services to bypass fraud verifications - Flashpoint researchers spotted Russian speaking cybercriminals using Voice over Internet Protocol (VOIP) services to bypass phone call transaction verifications. https://www.scmagazine.com/cybercriminals-using-voip-services-to-bypass-transaction-authentication/article/682142/

Get rich or die tryin' Nigerian cybercriminal hits 4,000 companies worldwide - A lone Nigerian cybercriminal has been on a crime spree so broad and wide ranging that it puts Bonnie and Clyde's Depression-era interstate crime wave to shame. https://www.scmagazine.com/get-rich-or-die-tryin-nigerian-cybercriminal-hits-4000-companies-worldwide/article/682312/

Web application attacks accounted for 73% of all incidents says report - Web application attacks accounted for 73 percent of all incidents and pure public cloud installations experienced the fewest security incidents in recent industry report. https://www.scmagazine.com/web-application-attacks-accounted-for-73-of-all-incidents-says-report/article/682294/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Ukrainian postal service hit by 48-hour cyber-attack - Ukraine's national postal service has been hit by a two-day-long cyber-attack targeting its online system that tracks parcels. http://www.bbc.com/news/technology-40886418

World of Warcraft, Overwatch, Hearthstone and other games hit by DDoS - Games company Blizzard Entertainment reported on Aug. 13 that a DDoS attack hit its game servers for World of Warcraft, Overwatch, Hearthstone and other titles. https://www.scmagazine.com/world-of-warcraft-overwatch-hearthstone-and-other-games-hit-by-ddos/article/681691/

Mandiant breach hackers claim to dump FireEye data - The threat actors who two weeks ago targeted FireEye subsidiary Mandiant, leaking data stolen from an analyst working for the firm, are now claiming to have leaked FireEye documents for a second time. https://www.scmagazine.com/fireeye-data-allegedly-leaked-after-mandiant-breach/article/681711/

Lazarus Group tied to new phishing campaign targeting defense industry workers - The suspected North Korean APT collective known as the Lazarus Group appears to be targeting individuals associated with U.S. defense contractors, including prospective employees, with phishing emails that display fake job listings and companies' internal policies. https://www.scmagazine.com/lazarus-group-tied-to-new-phishing-campaign-targeting-defense-industry-workers/article/681701/

Spyware found in more than 1,000 apps in Google Play store - Android Apps on the Google Play Store have been discovered to harbour spyware originally created by an Iraqi developer. Surveillance malware records audio and steals data from users. https://www.scmagazine.com/spyware-found-in-more-than-1000-apps-in-google-play-store/article/681697/

Hackers release Curb Your Enthusiasm, other HBO programming - HBO is refusing to comment on the latest programming dump that included upcoming episodes of Larry David's Curb Your Enthusiasm, Ballers, Insecure and The Deuce. https://www.scmagazine.com/hackers-release-curb-your-enthusiasm-other-hbo-programming/article/681532/

Almost 5,000 The Daniel Drake Center for Post-Acute Care patient records exposed - The Daniel Drake Center (DDC) for Post-Acute Care, which is part of the University of California's health system, reported patient information was accessed and viewed by an unauthorized employee over a two-year period. https://www.scmagazine.com/almost-5000-the-daniel-drake-center-for-post-acute-care-patient-records-exposed/article/681834/

Brute force attack on Scottish Parliament's email system - Yesterday members of the Scottish Parliament in Holyrood were notified that hackers were trying to crack their email passwords and they were advised to update their passwords. https://www.scmagazine.com/brute-force-attack-on-scottish-parliaments-email-system/article/682293/

Return to the top of the newsletter

WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents  (Part 1 of 5)
 
 BACKGROUND
 
 Web-site spoofing is a method of creating fraudulent Web sites that look similar, if not identical, to an actual site, such as that of a bank.  Customers are typically directed to these spoofed Web sites through phishing schemes or pharming techniques.  Once at the spoofed Web site, the customers are enticed to enter information such as their Internet banking username and password, credit card information, or other information that could enable a criminal to use the customers' accounts to commit fraud or steal the customers' identities.  Spoofing exposes a bank to strategic, operational, and reputational risks; jeopardizes the privacy of bank customers; and exposes banks and their customers to the risk of financial fraud.
 
 PROCEDURES TO ADDRESS SPOOFING
 
 Banks can mitigate the risks of Web-site spoofing by implementing the identification and response procedures discussed in this bulletin.  A bank also can help minimize the impact of a spoofing incident by assigning certain bank employees responsibility for responding to such incidents and training them in the steps necessary to respond effectively.  If a bank's Internet activities are outsourced, the bank can address spoofing risks by ensuring that its contracts with its technology service providers stipulate appropriate procedures for detecting and reporting spoofing incidents, and that the service provider's process for responding to such incidents is integrated with the bank's own internal procedures.
 
 Banks can improve the effectiveness of their response procedures by establishing contacts with the Federal Bureau of Investigation (FBI) and local law enforcement authorities in advance of any spoofing incident.  These contacts should involve the appropriate departments and officials responsible for investigating computer security incidents.  Effective procedures should also include appropriate time frames to seek law enforcement involvement, taking note of the nature and type of information and resources that may be available to the bank, as well as the ability of law enforcement authorities to act rapidly to protect the bank and its customers.
 
 Additionally, banks can use customer education programs to mitigate some of the risks associated with spoofing attacks. Education efforts can include statement stuffers and Web-site alerts explaining various Internet-related scams, including the use of fraudulent e-mails and Web-sites in phishing attacks.  In addition, because the attacks can exploit vulnerabilities in Web browsers and/or operating systems, banks should consider reminding their customers of the importance of safe computing practices.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 INTRUSION DETECTION AND RESPONSE
 
 INTRUSION RESPONSE  (Part 2 of 2)
 
 Successful implementation of any response policy and procedure requires the assignment of responsibilities and training. Some organizations formalize the response organization with the creation of a computer security incident response team (CSIRT). The CSIRT is typically tasked with performing, coordinating, and supporting responses to security incidents. Due to the wide range of non-technical issues that are posed by an intrusion, typical CSIRT membership includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution. Those areas include management, legal, public relations, as well as information technology. Other organizations may outsource some of the CSIRT functions, such as forensic examinations. When CSIRT functions are outsourced, institutions should ensure that their institution's policies are followed by the service provider and confidentiality of data and systems are maintained.
 
 Institutions can assess best the adequacy of their preparations through testing.
 
 While containment strategies between institutions can vary, they typically contain the following broad elements:
 
 ! Isolation of compromised systems, or enhanced monitoring of intruder activities;
 ! Search for additional compromised systems;
 ! Collection and preservation of evidence; and
 ! Communication with effected parties, the primary regulator, and law enforcement.
 Restoration strategies should address the following:
 ! Elimination of an intruder's means of access;
 ! Restoration of systems, programs and data to known good state;
 ! Filing of a Suspicious Activity Report (Guidelines for filing are included in individual agency guidance); and
 ! Communication with effected parties.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
 
 12.1 Benefits of an Incident Handling Capability
 
 The primary benefits of an incident handling capability are containing and repairing damage from incidents, and preventing future damage. In addition, there are less obvious side benefits related to establishing an incident handling capability.
 
 12.1.1 Containing and Repairing Damage from Incidents
 
 When left unchecked, malicious software can significantly harm an organization's computing, depending on the technology and its connectivity. An incident handling capability provides a way for users to report incidents and the appropriate response and assistance to be provided to aid in recovery. Technical capabilities (e.g., trained personnel and virus identification software) are prepositioned, ready to be used as necessary. Moreover, the organization will have already made important contacts with other supportive sources (e.g., legal, technical, and managerial) to aid in containment and recovery efforts.
 
 Without an incident handling capability, certain responses -- although well intentioned -- can actually make matters worse. In some cases, individuals have unknowingly infected anti-virus software with viruses and then spread them to other systems. When viruses spread to local area networks (LANs), most or all of the connected computers can be infected within hours. Moreover, uncoordinated efforts to rid LANs of viruses can prevent their eradication.
 
 Many organizations use large LANs internally and also connect to public networks, such as the Internet. By doing so, organizations increase their exposure to threats from intruder activity, especially if the organization has a high profile (e.g., perhaps it is involved in a controversial program). An incident handling capability can provide enormous benefits by responding quickly to suspicious activity and coordinating incident handling with responsible offices and individuals, as necessary. Intruder activity, whether hackers or malicious code, can often affect many systems located at many different network sites; thus, handling the incidents can be logistically complex and can require information from outside the organization. By planning ahead, such contacts can be preestablished and the speed of response improved, thereby containing and minimizing damage. Other organizations may have already dealt with similar situations and may have very useful guidance to offer in speeding recovery and minimizing damage.
 
 Some organizations suffer repeated outbreaks of viruses because the viruses are never completely eradicated. For example suppose two LANs, Personnel and Budget, are connected, and a virus has spread within each. The administrators of each LAN detect the virus and decide to eliminate it on their LAN. The Personnel LAN administrator first eradicates the virus, but since the Budget LAN is not yet virus-free, the Personnel LAN is reinfected. Somewhat later, the Budget LAN administrator eradicates the virus. However, the virus reinfects the Budget LAN from the Personnel LAN. Both administrators may think all is well, but both are reinfected. An incident handling capability allows organizations to address recovery and containment of such incidents in a skilled, coordinated manner.