CyberOmaha Weekly – Mar 2, 2018

Welcome to CyberOmaha Weekly, a weekly roundup of security news collected from around the Internet.  Please send news tips and suggestions to cybersecurityed@mccneb.edu

Application Security

2/27/2018: In-the-Wild DDoSes Use New Way to Achieve Unthinkable Sizes

Hackers have found a way to amplify distributed denial-of-service attacks by an unprecedented 51,000 times their original strength in a development that whitehats say could lead to new record-setting assaults that take out websites and Internet infrastructure. More… (via ArsTechnica)

3/2/2018: A Secure Development Approach Pays Off

Software security shouldn’t be an afterthought. That’s why the secure software development life cycle deserves a fresh look. More… (via DarkReading)

Operating System Security

2/15/2018: This Indian Text Will Crash ANY iPhone!

EverythingApplePro demonstrates how sending a specific Telugu character to an iPhone, iPad, or Mac user can cause the receiving device to crash. Apple addressed the issue in updates (tvOS 11.2.6, watchOS 4.2.3, iOS 11.2.6, macOS High Sierra 10.13.3) on February 19, 2018 – Apple advises users to apply the update.

3/1/2018: Microsoft Lobs Skylake Spectre Microcode Fixes Out Through Its Windows

Microsoft is pushing out another round of security updates to mitigate data-leaking Spectre side-channel vulnerabilities in modern Intel x64 chips. More… (via The Register)

The Web

2/23/2018:  L.A. Time Website Injected with Monero Cryptocurrency Mining Script

The cryptojacking attack appears to have persisted for weeks before being addressed, as it was configured to not max out CPU usage. Hackers injected it through an unsecured AWS S3 bucket. More… (via Tech Republic)

2/26/2018: E-Mail Leaves an Evidence Trail

If you’re going to commit an illegal act, it’s best not to discuss it in e-mail. It’s also best to Google tech instructions rather than asking someone else to do it. More… (via Schneier on Security)

2/27/2018: Memcached Servers Being Exploited in Huge DDoS Attacks

Multiple vendors this week say they have seen a recent spike in UDP attacks coming in via port 11211. More… (via DarkReading)

3/1/2018: 23k HTTPS Certs Will Be Axes in Next 23 hours After Private Keys Leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours. More… (The Register)

IoT

2/23/2018: ‘OMG’: New Mirai Variant Converts IoT Devices into Proxy Servers

The latest iteration of Mirai is dubbed “OMG,” and turns infected IoT devices into proxy servers while also retaining the original malware’s DDoS attack capabilities. More … (via DarkReading)

3/1/2018: Securing the Web of Wearables

Why security for the Internet of Things demands that businesses revamp their software development lifecycle. More… (via DarkReading)

Personal Privacy & Security

1/28/2018: Registered at SSA.GOV? Good for You, But Keep Your Guard Up

An older article but given that it’s tax season, good tips for keeping your personal information safe. According to the article, “even if you are not yet drawing benefits from the agency — because identity thieves have been registering accounts in peoples’ names and siphoning retirement and/or disability funds. This is the story of a Midwest couple that took all the right precautions and still got hit by ID thieves who impersonated them to the SSA directly over the phone.” More… (via KrebsOnSecurity)

2/06/2018: Would You Have Spotted This Skimmer?

When you realize how easy it is for thieves to compromise an ATM or credit card terminal with skimming devices, it’s difficult not to inspect or even pull on these machines when you’re forced to use them personally — half expecting something will come detached. For those unfamiliar with the stealth of these skimming devices and the thieves who install them, read on. More… (via KrebsOnSecurity)

2/13/2018: IRS Urges Taxpayers to Watch Out for Erroneous Refunds; Beware of Fake Calls to Return Money to a Collection Agency

The Internal Revenue Service today warned taxpayers of a quickly growing scam involving erroneous tax refunds being deposited into their bank accounts. The IRS also offered a step-by-step explanation for how to return the funds and avoid being scammed. More… (via IRS.gov)

2/21/2018: FBI Warns of Increase in W-2 Phishing Campaigns

Beginning in January 2017, IRS’s Online Fraud Detection & Prevention (OFDP), which monitors for suspected IRS-related phishing emails, observed an increase in reports of compromised or spoofed emails requesting W-2 information. Sometimes these requests were followed by or combined with a request for an unauthorized wire transfer. More… (via IC3.gov)

2/22/2018: Chase ‘Glitch’ Exposed Customer Accounts

Multiple Chase.com customers have reported logging in to their bank accounts, only to be presented with another customer’s bank account details. Chase has acknowledged the incident, saying it was caused by an internal “glitch” Wednesday evening that did not involve any kind of hacking attempt or cyber attack. More… (via KrebsOnSecurity)

2/22/2018: Shopping for a VPN App? Read This.

You probably know by now that using your mobile device on the public Wi-Fi network of your local coffee shop or airport poses some risk. Public networks are not very secure – or, well, private – which makes it easy for others to intercept your data. So, what can you do to keep your mobile data private and secure while out and about? Some consumers have started using Virtual Private Network (VPN) apps to shield the information on their mobile devices from prying eyes on public networks. Before you download a VPN app, you should know that there are benefits and risks.  More… (via FTC.gov)

2/27/2018: Tips for Using Peer-to-Peer Payment Systems and Apps

Online peer-to-peer, or P2P, payment systems let you send money to people quickly. I’ve used them to collect money from the parents on my daughter’s soccer team and to send money to my brothers when we’ve bought a gift for a friend. Personally, I almost always know where my phone is, but I can’t say the same for my checkbook. More… (via FTC.gov)

General

2/20/2018: The Emerging Link Between Well-Being and Cyber Security

When you think of important employee wellness benefits, cyber security services should be top of mind, given the epidemic of data breaches in recent years. More… (via Employee Benefit Advisor)

2/23/2018: Visa: EMV Cards Drove 70% Decline in Fraud

Visa reports, “For merchants who have completed the [EMV] chip upgrade, counterfeit fraud dollars dropped 70% in September 2017 compared to December 2017.” More… (via Visa.com)

3/1/2018: The top Frauds of 2017

The numbers are in, the counts have been made, and today the FTC announced what we heard from you during 2017. Here are some highlights. More… (via FTC.gov)

3/1/2018: Major Data Breach at Marine Forces Reserve Impacts Thousands

The personal information of thousands of Marines, sailors and civilians, including bank account numbers, was compromised in a major data spillage emanating from U.S. Marine Corps Forces Reserve. More… (via Marine Corps Times)

###