In the News
SoS Newsletter- Advanced Book Block
This section features topical, current news items of interest to the international security community. These articles and highlights are selected from various popular science and security magazines, newspapers, and online sources.
US News
“Americans are Getting Freaked Out About Doing Stuff on the Internet,” NBC News, 16 May 2016. [Online].
A new study from the National Telecommunications and Information Administration claims that 45 percent of households have refrained from using online banking, making online transactions, or posting on social media over concerns such as privacy, identity theft, and being hacked. These concerns, however, are not unjustified, as roughly 20 percent of people were the victim of an online breach in the past year. The NTIA said it will continue working toward better cybersecurity and online protection for Americans.
See: http://www.nbcnews.com/tech/security/americans-are-getting-freaked-out-about-doing-stuff-internet-n574661
“Hayden: Political Culture Limits Government’s Ability to Protect IT Systems,” GCN, 31 May 2016. [Online]. A year after the massive OPM breach, former NSA and CIA director Michael Hayden reiterated the need for US citizens and government to make headway in the “cybersecurity conversation,” citing the current political climate surrounding security issues as a cause of shortcomings in the government’s ability to defend its sensitive data.
See: https://gcn.com/articles/2016/05/31/cyber-debate.aspx?admgarea=TC_SecCybersSec
“Two Men Plead Guilty in U.S. to Hacking, Spamming Scheme,” Reuters, 2 June 2016. [Online].
Tomas Chmielarz and Devin McArthur pleaded guilty to charges including conspiracy to commit fraud. They were originally arrested in December after raking in over $2 million from their illicit activities, which included writing software to bypass spam filters, hacking into email servers, and exploiting vulnerabilities in corporate sites.
See: http://www.reuters.com/article/us-usa-cyber-pleas-idUSKCN0YO2TQ
“U.S. Lawmakers Probe Fed Cyber Breaches, Cite ‘Serious Concerns,’ ” Reuters, 03 June 2016. [Online]. Prompted by reports of numerous cyber breaches at the US central bank, the House Committee on Science, Space, and Technology conducted an investigation into the Federal Reserve’s cyber security practices. In a letter to the Federal Reserve Chair Janet Yellen regarding the investigation, the Committee noted that the central bank’s practices regarding sensitive information were concerning.
See: http://www.reuters.com/article/us-usa-fed-cyber-exclusive-idUSKCN0YP281
“Celebrity Cybersecurity Consultants Protect Stars from Hackers,” Los Angeles Times, 4 June 2016. [Online].
Celebrities have been known to employ drivers, chefs, and even personal shoppers, but some are now adding a cybersecurity expert to that list. Following a number of data breaches in Hollywood, some stars have decided to take preventative measures to save themselves from potential problems in the future.
See: http://www.latimes.com/business/technology/la-fi-tn-celebrity-cybersecurity-20160601-snap-story.html
“Researchers Demo How to Build Nearly Invisible Backdoor in Computer Chips,” Dark Reading, 06 June 2016. [Online]. University of Michigan researchers have demonstrated a proof-of-concept attack in which a tiny portion of malicious hardware is activated by a specific set of events on the processor it is embedded in. Hardware-based attacks, though very difficult to detect, require access to the design and manufacturing of the chip to insert the malicious hardware.
See: http://www.darkreading.com/threat-intelligence/researchers-demo-how-to-build-nearly-invisible-backdoor-in-computer-chips/d/d-id/1325786
“Facebook Founder Zuckerberg’s Social Media Accounts Restored After Alleged Hack,” Reuters, 6 June 2016. [Online].
Mark Zuckerberg’s Pinterest and Twitter accounts were compromised. The Twitter account, which had seen no activity in over four years, mysteriously sent out a message claiming to have found the password in a “LinkedIn Database.” The hacker claimed that Zuckerberg was using the password “dadada.” Both hacked accounts have since been recovered and secured.
See: http://www.reuters.com/article/us-facebook-cyber-idUSKCN0YS1RM
“Yet another car can be hacked – this time it’s the Mitsubishi Outlander hybrid,” The Guardian, 06 June 2016. [Online]. An investigation led by security researcher Ken Munro found that the Mitsubishi Outlander hybrid car is vulnerable to hacking through a Wi-Fi connection that allows the car to communicate with smartphone apps. Hackers would be able to disable the car alarm, control lights, and even track the vehicle’s location. Munro has speculated that the vulnerability is the result of cost-cutting by Mitsubishi, which has now issued a recall of at least 100,000 vehicles.
See: https://www.theguardian.com/technology/2016/jun/06/mitsubishi-outlander-car-hacked-security
“NFL Claims Twitter Hack After Tweets Falsely Report Roger Goodell is Dead,” USA Today, 7 June 2016. [Online].
A tweet was sent out from the verified NFL Twitter account reading, “We regret to inform our fans that our commissioner, Roger Goodell, has passed away. He was 57.” An NFL spokesperson quickly assured fans that Goodell was alive and well and confirmed that their Twitter account had been stolen. It has since been recovered.
See: http://www.usatoday.com/story/sports/nfl/2016/06/07/nfl-twitter-hack-roger-goodell/85553466/
“IRS chooses security over accessibility,” FCW, 07 June 2016. [Online]. The IRS has revamped and relaunched its Get Transcript tool, following the theft of taxpayer data in 2015. IRS commissioner John Koskinen admitted that while it is more secure, this came at the cost of accessibility. More advanced forms of authentication, such as multi-factor authentication via text messages, could make it more difficult for some taxpayers to use the service.
See: https://fcw.com/articles/2016/06/07/noble-irs-security.aspx
“Update: Hackers could have changed Facebook Messenger chat logs,” Computerworld, 09 June 2016. [Online]. Security researcher Roman Zaikin has discovered a security flaw in Facebook’s chat feature that would allow a person to change the contents of past conversations. Though it has since been fixed, the flaw would have allowed for a plethora of malicious activities, such as spreading malicious links, or falsifying information used in the courtroom.
See: http://www.computerworld.com/article/3080949/security/hackers-could-have-changed-facebook-messenger-chat-logs.html
“Hackers could easily cause drones to ignore human controllers, or crash,” Homeland Security News Wire, 09 June 2016. [Online]. Johns Hopkins researchers recently demonstrated security vulnerabilities in small unmanned aerial vehicles, causing them to fall from the sky on command. The soaring popularity of these camera-equipped “drones” has led to concerns over their lack of security. Though widely used by hobbyists, drones are used increasingly in professional applications. According to the researchers, their security is (as with other emerging technologies) treated as an afterthought.
See: http://www.homelandsecuritynewswire.com/dr20160609-hackers-could-easily-cause-drones-to-ignore-human-controllers-or-crash
“Missouri builds security awareness with bite-size training,” GCN, 10 June 2016. [Online]. Missouri has adopted a new, more engaging approach to training over 40,000 state employees in security practices. Instead of annual training, employees complete monthly 10-minute exercises that use engaging teaching techniques to instill good security habits. Additionally, the results of the exercises provide managers with a variety of metrics that can be used to track progress on specific topics and by specific users or groups of users.
See: https://gcn.com/articles/2016/06/10/security-training.aspx?admgarea=TC_SecCybersSec
“NFLPA Hires Cybersecurity Firm to Help Secure Social Media Accounts,” Bleacher Report, 10 June 2016. [Online].
The National Football League Players Association hired K2 Intelligence to help protect their athletes’ social media accounts. Players and their family members will have the opportunity to receive in-person training to learn best practices for securing themselves on the internet. The announcement of this new partnership comes just days after the official NFL Twitter account was hacked.
See: http://bleacherreport.com/articles/2645527-nflpa-hires-cybersecurity-firm-to-help-secure-social-media-accounts
“NIST to refine Cybersecurity Framework After Comments from Stakeholders,” Homeland Security News Wire, 13 June 2016. [Online]. The National Institute of Standards and Technology (NIST) announced that it will update its Cybersecurity Framework following a period of collecting feedback from users. The Framework was initially released in early 2014 as “voluntary cybersecurity guidance” to aid in keeping critical infrastructure secure. The updated draft is expected by early 2017.
See: http://www.homelandsecuritynewswire.com/dr20160613-nist-to-refine-cybersecurity-framework-after-comments-from-stakeholders
“To hack ISIS, Pentagon learns from 2007 surge in Iraq,” FCW, 13 June 2016. [Online]. Defense Secretary Ash Carter noted the “unprecedented” cyber capabilities of ISIS, which are now being combated with a US cyber campaign that “is like never before.” Using experience from the cyber war with al-Qaeda, along with new technology, this campaign seeks to demoralize ISIS and prevent them from using cyber space to operate and spread their ideology.
See: https://fcw.com/articles/2016/06/13/hack-isis-lyngaas.aspx
“Russian Hackers Penetrate Democratic National Committee, Steal Trump Research,” NPR, 14 June 2016. [Online]. Security firm CrowdStrike has determined that two distinct groups of Russian hackers have been infiltrating the Democratic National Committee’s computer network for the past year, monitoring communications and stealing data. The breach follows the trend of recent politically-motivated hacking, which plagued candidates for the previous two presidential elections.
See: http://www.npr.org/2016/06/14/482029912/russian-hackers-penetrate-democratic-national-committee-steal-trump-research
“FBI: Business Phishing Attacks Net Cyber Thieves $3.1 Billion,” Information Week, 15 June 2016. [Online]. The FBI has issued an alert about business email compromise (BEC) scams, which cyber criminals have used with increasing success over the past 18 months. By studying their victims, criminals learn to impersonate high-level executives of companies and then employ one of several scenarios to trick employees into transferring money to the thief. Such scams have cost companies $3.1 billion since January 2015.
See: http://www.informationweek.com/government/cybersecurity/fbi-business-phishing-attacks-net-cyber-thieves-$31-billion/d/d-id/1325929?
“Teen hacks Pentagon websites, gets thanked for finding ‘bugs,’ ” Reuters, 17 June 2016. [Online]. Secretary of Defense Ash Carter praised high schooler David Dworken for finding six vulnerabilities as part of a bug-bounty-type project, “Hack the Pentagon,” designed to find flaws in Defense Department websites. Programs like this are becoming attractive as comparatively cheap ways to tap into the talent of young “white-hats.”
See: http://www.reuters.com/article/us-usa-pentagon-cyber-idUSKCN0Z32IU
“Senate votes down proposal to expand FBI surveillance powers,” Reuters, 22 June 2016. [Online]. In the wake of the shooting at Pulse night club, legislation that would expand the FBI’s ability to access internet records from telecommunication and tech companies was rejected by the US Senate. The legislation would have broadened the type of communications media accessible through so-called National Security Letters which do not require a warrant, while limiting accessible information to email time stamps, emails’ senders/recipients, and other metadata — not the actual content of the messages.
See: http://www.reuters.com/article/us-cyber-fbi-emails-idUSKCN0Z8160
“Voter Database with 154 Million Records Leaked Online,” InfoSecurity Magazine, 23 June 2016. [Online]. A massive database of personal information from 154 million American voters was recently uncovered. Security researcher Chris Vickery was able to follow a trail of clues to a data brokerage company, which promptly took down the database after Vickery brought it to their attention. Proper encryption and cyber security practices should be a top priority for political organizations that hold sensitive data.
See: http://www.infosecurity-magazine.com/news/voter-database-with154-million/
“9.2 Million More US Healthcare Records Go Up for Sale on the Dark Web,” InfoSecurity Magazine, 29 June 2016. [Online]. A collection of sensitive healthcare information from over 9.2 million Americans has gone up for sale on a Dark Web market with a price tag of 750 Bitcoins (approx. $477,000), and allegedly contains personal information such as names, SSNs, addresses, and phone numbers. This breach is one of many recent successful attacks on the healthcare industry that highlights the need for better IT security practices in the healthcare community.
See: http://www.infosecurity-magazine.com/news/92-million-us-healthcare-records/
International News
“Google’s Abacus May Count Out Passwords,” Tech News World, 24 May 2016. [Online].
Google is testing a new API that could potentially make passwords obsolete. Project Abacus is an API that uses sensors in a device to create a “trust score” based on factors including location, typing and voice patterns, and facial recognition. Google said that it will be testing Abacus with several financial institutions beginning in June. Privacy is sure to be a concern because of the amount of personal information that will need to be collected for Abacus to work, but if users are trusting enough, Abacus looks promising for security.
See: http://www.technewsworld.com/story/83543.html
See: http://www.infosecurity-magazine.com/news/russias-fsb-detains-50-25-million/
“AFCEA and NATO communications agency kick off joint conference on Euro-Atlantic security,” Government Security News, 07 June 2016. [Online]. In response to instability and growing cyber threats in southern and eastern Europe, the NATO Communications and Information (NCI) Agency/AFCEA International conference will be held in Estonia from June 7th through 9th. The conference hopes to encourage cooperation between government, military, and industry in “building resilience through secure command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR).”
See: http://gsnmagazine.com/node/46627?c=cyber_security
“Bangladesh Bank Hack: New York Federal Reserve ‘Missed Red Flags’ Before $101m Cyberheist,” International Business Times, 7 June 2016. [Online].
Before the staggering $101 million heist, the Federal Reserve reportedly turned down as many as 35 other transfer requests believed to have been made by the hackers. Later that day, the requests were updated and then passed through the system. At this time, the money has still not been found.
See: http://www.ibtimes.co.uk/bangladesh-bank-hack-new-york-federal-reserve-missed-red-flags-before-101m-cyberheist-1564122
“Cisco: Ransomware is the Supervillain of Cybersecurity and None of Our PCs Will Be Safe,” International Business Times, 7 June 2016. [Online].
At Infosec Europe, Cisco called ransomware the most lucrative form of cybercrime yet. Previously, mainly individuals had been targeted by ransomware, but lately criminals are targeting businesses more and more because they can demand more money. Recently, according to ModernHealthcare.com, Hollywood Presbyterian Medical Center in Los Angeles paid out $17,000 in bitcoins to have its systems returned.
See: http://www.ibtimes.co.uk/cisco-ransomware-supervillain-cybersecurity-none-our-pcs-will-be-safe-again-1564094
“University of Calgary Pays $20,000 to Restore Systems After Ransomware Attack,” Security Week, 8 June 2016. [Online].
The University of Calgary was the latest victim of a ransomware attack. The university was forced to pay $20,000 CAD to regain control of its systems and files. Authorities are currently investigating the attack, and the university says its IT department is working to resolve the problem. The school’s Vice President of Finance and Services says that the decryption keys are currently being analyzed, but such a task can be quite lengthy.
See: http://www.securityweek.com/university-calgary-pays-20000-restore-systems-after-ransomware-attack
“Finland’s F-Secure Lays Code ‘Honeypots’ to Catch Cybercriminals,” Forbes, 10 June 2016. [Online]. Finnish firm F-Secure claims to have a “more holistic approach to security,” in the form of a service that uses varied strategies to detect and hamper attempted breaches. The system deliberately misleads attackers with “honeypots,” or false leads, giving security professionals the ability to monitor and evaluate the attacker.
See: http://www.forbes.com/sites/adrianbridgwater/2016/06/10/finlands-f-secure-lays-code-honeypots-to-catch-cybercriminals/?ss=Security#6d6b0da274c2
“North Korean Hackers Steal F-15 Design,” FCW, 13 June 2016. [Online]. “Wing designs” of the Boeing F-15 fighter jets are allegedly part of the over 40,000 documents stolen from South Korean Defense firms by the newly-discovered North Korean hacking campaign. This specific attack, which began in 2014, is consistent with North Korea’s trend in using cyber warfare to assert international power.
See: https://fcw.com/articles/2016/06/13/north-korea-f15-lyngaas.aspx
“Machine learning could help companies react faster to ransomware,” Computerworld, 13 June 2016. [Online]. In response to the rise of ransomware, behavior analytics researchers are looking towards machine learning algorithms as a means to detect and halt early-stage ransomware infections. By comparing real-time activity to known behavior profiles of legitimate users, such software can raise a red flag and halt ransomware before it spreads throughout a network.
See: http://www.computerworld.com/article/3083105/security/machine-learning-could-help-companies-react-faster-to-ransomware.html
“U.S. sees progress in latest cyber talks with China,” Reuters, 14 June 2016. [Online]. Recent sessions of cyber security talks between the U.S. and China have yielded progress in reconciling the two nations’ disagreements of international cyber policy, according to a U.S. official. Leaders from both sides have shown interest in moving away from cyber theft and warfare, and towards building information sharing mechanisms and other means of cooperation.
See: http://www.reuters.com/article/us-china-usa-cyber-idUSKCN0Z00DN
“Hackers Make Off with over 40 Million Passwords from 1,000 Sites,” Motherboard, 14 June 2016. [Online]. Data breach notification site LeakedSource has warned that a set of “nearly 45 million records from over 1100 websites and communities” has been stolen. All of the communities affected run on a platform provided by Canadian company VerticalScope, which claims that the stolen data is limited to usernames, user IDs, email addresses, and encrypted passwords. Since many of the passwords were hashed with the now-weak MD5 algorithm, about 33 million of them have been successfully cracked.
See: http://motherboard.vice.com/read/hackers-make-off-with-over-40-million-passwords-from-1000-sites
“Vacationing Security Consultant Finds Stealthy ATM Card Skimmer,” Motherboard, 24 June 2016. [Online]. Cybersecurity consultant Benjamin Tedesco inadvertently demonstrated the need for cyber security awareness when he stumbled upon an ATM skimmer while on vacation in Austria. In response to efforts by banks to deter such devices, criminals have designed increasingly sophisticated and hard-to-detect devices to steal payment card information.
See: http://motherboard.vice.com/read/vacationing-security-consultant-finds-stealthy-atm-card-skimmer
“What Brexit Will Mean For International Data Sharing,” Forbes, 24 June 2016. [Online]. Though seen as a way to free the UK from red tape imposed by the European Union, the so-called “Brexit” could have serious negative consequences for the digital industry, which makes up around 10 percent of Britain’s GDP. Information sharing and rules regarding the transfer of personal data will be further complicated by the EU’s General Data Protection Regulation (GDPR).
See: http://www.forbes.com/sites/emmawoollacott/2016/06/24/what-brexit-will-mean-for-international-data-sharing/?ss=Security#124ca8c573fe
“China moves closer to adopting controversial cybersecurity law,” Reuters, 27 June 2016. [Online]. The Chinese government is working on a draft of a cybersecurity law that would formalize and specify the government’s powers in control over internet traffic and data. The Chinese government’s tight control over the internet has caused tension with both foreign economic partners and human rights activists.
See: http://www.reuters.com/article/us-china-cyber-lawmaking-idUSKCN0ZD1E4
“Bangladesh central bank ends FireEye investigation into cyber heist,” Reuters, 27 June 2016. [Online]. Four months after being hired by Bangladesh Bank to conduct an investigation into February’s breach, FireEye was denied a request for 570 additional hours of work. The hackers, who transferred an astonishing $81 million from Bangladesh Bank, have yet to be identified.
See: http://www.reuters.com/article/us-cyber-heist-bangladesh-idUSKCN0ZD0WL
“Uber Flaws Expose Rider Information,” InfoSecurity Magazine, 27 June 2016. [Online]. Portuguese white-hats have discovered eight vulnerabilities in the mobile app for the popular transportation service Uber. The researchers noted that the vulnerabilities could be used to harvest personal data from riders and drivers, create bogus coupons, and create fake driver profiles. This is not the first time that Uber, which is currently patching the flaws, has run into security problems.
See: http://www.infosecurity-magazine.com/news/uber-flaws-expose-rider-information/
(ID#: 16-11365)
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.