Spotted via HackerNews, Slashdot, /r/netsec, O’Reilly Security Newsletter, Twitter; via security bloggers including Krebs on Security, Troy Hunt; from classmates; and elsewhere.
Events and Conferences
USENIX Enigma 2017 is going on now.
Empire Hacking: Tuesday, February 7, 2017 @ 6:00PM
OWASP NY/NJ: Wednesday, February 8, 2017 @ 11:00AM. Legal issues, changes in PCI DSS 3.2, and more.
Legal and Politics
Assessing the Draft Cyber Executive Order: not officially released as scheduled; not sure of the status.
Access Controls
New Facebook security features: “Security Key for safer logins with a touch” and “Improving account security with delegated recovery”
Encryption
HTTPS adoption has reached the tipping point: “HTTPS adoption has now reached the moment of critical mass where it’s gathering enough momentum that it will very shortly become “the norm” rather than the exception it so frequently was in the past.”
How Etsy Manages HTTPS and SSL Certificates for Custom Domains on Pattern
[cryptkeeper] Sets the same password “p” for everything independently of user input.
Application Security
Vulnerability Rewards Program: 2016 Year in Review: $3,000,000 paid out in 2016
Other
ATM ‘Shimmers’ Target Chip-Based Cards: “The reason shimmers exist at all is that some banks have apparently not correctly implemented the chip card standard, known as EMV (short for Europay, Mastercard and Visa).” What?! I didn’t know this was a thing.
Disable Your Antivirus Software (Except Microsoft’s) - What else to do about all these vulnerabilities in security products?!
Check Your Backups Day! - an excellent idea.
From Classmates
Russian Central Bank Hack & Wider Implications
Dec 2016 – Hacker(s) stole more than $31MM from correspondent accounts at the Russian Central Bank, and from accounts at commercial banks, over the course of 2016
- Hackers broke into accounts by faking clients’ credentials
- The bank provided few details, but did state that it recovered some of the funds (transfers were frozen).
- N. Korea is a “suspect” due to a rare piece of code whose structure and function are similar to code used in previous attacks, e.g. Sony
- Latest in a string of high-profile heists
Unknown cyber criminals stole over $100MM that Bangladesh’s central bank had deposited at the New York Fed, in Feb 2016.
- Law enforcement is hunting for the criminals, who stole the money using fraudulent wire-transfer requests sent over the SWIFT bank messaging network (the network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment).
- Symantec researchers have concluded that the global banking system has been under attack from a sophisticated group dubbed “Lazarus”, which has been linked to N. Korea
Banks at a recent meeting of President Obama’s Commission on Enhancing Cybersecurity expressed frustration at fighting hackers.
- Larger banks are spending millions on protection; however, hackers are still getting in, often through smaller banks, vendors, etc.
- Institutions are only as strong as their weakest link, and there are calls for the wider industry to strengthen its defences to come in line with the large institutions.
- This will be a challenge for smaller banks and vendors due to cost
- Increased need for real-time information sharing (e.g. FS-ISAC); calls to automate sharing with US Intelligence agencies and American corporations
- Comes with privacy concerns
- New Government to take up the discussion
Ref:
- CNN: http://money.cnn.com/2016/05/18/technology/hackers-smaller-banks/?iid=EL
- Reuters: http://www.reuters.com/article/russia-cenbank-cyberattack-idUSL1N1DX18S
- Wall Street Journal: https://www.wsj.com/articles/hackers-steal-31-million-from-accounts-at-russian-central-bank-1480701080