US officials report that Chinese cyber espionage operators have shifted their targets toward smaller, less prominent US agencies, like the Government Printing Office.
Aorato reports a flaw in Microsoft's widely used Active Directory. Microsoft says it's old news, and other observers think the vulnerability easily mitigated.
Not that you would do this, but Graham Cluley advises against spending time on naughty Japanese sites before banking online: NSFW sites in that country are distributing banking malware.
Gameover Zeus isn't quite back yet, but it can be expected to return once criminals reestablish the infrastructure to spread and control the malware.
Industrial espionage isn't confined to intelligence agencies. One group of cybermercenaries, PittyTiger (specializing in remote-access Trojans), hires itself out to ethically challenged companies interested in illicitly damaging their competitors.
Flash, Java, and LibreSSL are patched. Observers regard the Java patches as particularly important.
Government and private studies independently point out the vulnerability of the electrical power grid (the US grid, but the lessons are broadly applicable). The coming smart meters and grid are also expected to increase the system's attack surface before they increase its security.
Corporate general counsels place cyber risks among their top worries. The insurance industry continues to mature its assessment of cyber risk and its approach to covering it.
India begins a cyber security audit of its IT infrastructure. Russian intelligence services appear ready to swagger back into their long-shuttered Cuban SIGINT base. GCHQ's information operations attract more attention than the UK electronic intelligence agency would wish.
Today's issue includes events affecting Australia, Canada, China, Cuba, France, Germany, India, Ireland, Japan, Netherlands, Russia, United Kingdom, United States.
We begin our special coverage of SINET's Innovation Summit tomorrow. Watch for special issues and live tweets from the New York conference.
Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities(McAfee Blog Central) Spear phishing email is a major worry to any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts. Exploits that use patched vulnerabilities delivered via spear phishing email are one of the most successful combinations used by attackers to infiltrate targeted organizations and gain access to confidential information
PittyTiger APT group sells its services to companies(Help Net Security) APT attackers thought to be operating from China often seem financed by the government, but there are other groups that work for the highest bidder, which is usually a private sector company looking for information that will squash their competition
Amazon-hosted malware triples in 6 months(Help Net Security) Solutionary analyzed the threat landscape and identified the top 10 global ISPs and hosting providers that hosted malware out of more than 21,000 ISPs
Security Patches, Mitigations, and Software Updates
Adobe reports a security hole in Flash(Panda Security) Adobe has reported a vulnerability that affects users of Flash. It appears that this security hole could allow cyber-criminals to obtain users' personal data and take control of computers that are not updated with the latest version of Flash
Oracle Java: 20 new vulnerabilities patched(Internet Storm Center) Welcome to the n-th iteration of "patch now" for Java on Workstations. Oracle today published their quarterly patch bulletin, and Java SE is once again prominently featured. This Critical Patch Update (CPU) contains 20 new security fixes for Oracle Java SE. Most of the vulnerabilities are remotely exploitable without authentication, and CVSS scores of 10 and 9.3 indicate that they can be readily exploited, and lead to full compromise. Which means that keystroke loggers, ebanking trojans, etc, will soon follow
Oracle July 2014 CPU (patch bundle)(Internet Storm Center) In addition to the Java vulnerabilities that I covered earlier, there is at least one more vulnerability that warrants attention. CVE-2013-3751, a problem in the XML parser of Oracle Database
Java Update: Patch It or Pitch It(Krebs on Security) Oracle today released a security update for its Java platform that addresses at least 20 vulnerabilities in the software. Collectively, the bugs fixed in this update earned Oracle's "critical" rating, meaning they can be exploited over a network without the need for a username and password. In short, if you have Java installed it is time to patch it or pitch it
Securing the U.S. Electrical Grid(Center for the Study of the Presidency and Congress) Following the end of World War II, the Allied Strategic Bombing Survey — responsible for determining the damage inflicted by U.S. and Allied strategic bombing of German and Japanese industry — determined that the bombing campaign would have been more effective if it had targeted the German and Japanese electrical grid rather than urban and industrial centers
'Smart Meters' and 'Grids' Are Next Cybercrime Victims(Trend Micro IoE Insights) Every day, people live, work, and play with ease and comfort thanks to one easily overlooked resource: power. It is common for most to wake up to the wonders of indoor lighting, longer food shelf life, perfect room temperature, and connected devices. But what happens when these are taken away? Everyday life could get chaotic for the individual, and even more so once this disruption causes business costs to skyrocket and a city's services and operations fail
Critical Infrastructure: Security Preparedness and Maturity(Unisys) Ponemon Institute is pleased to present the results of the "Critical Infrastructure: Security Preparedness and Maturity" study, sponsored by Unisys. The purpose of this research is to learn how utility, oil and gas, alternate energy and manufacturing organizations are addressing cyber security threats. These industries have become a high profile target for security exploits. Moreover, it has been reported that if their industrial controls systems (ICS) and supervisory control and data acquisition (SCADA) systems were attacked the damage could be enormous
Report: Cybersecurity tops list of GC worries(Daily Record) A third of general counsel are not convinced their company is secure against hackers, and cybersecurity now tops the list of concerns for directors and general counsel, according to a recent study by FTI Consulting and Corporate Board Member magazine
Cyber risk landscape quickly evolving, need to prepare with appropriate coverage(Canadian Underwriter) The cyber risk landscape is evolving rapidly in many areas and those looking to address the risk through insurance should understand that certain policies generally do not provide coverage following an attack, cautions a new white paper released Monday by the Insurance Information Institute (III)
8 Expert Views on The State of Application Security & Developer Training(Security Innovation Europe) Application security is a consistent concern for organisations. Applications are the most common attack vector, yet only 11% of security managers believe their company's applications are secure. This lack of confidence is down to ad-hoc requirements, lack of a formal security process and a disjunction between executives and practitioners
Company Cyber Resilience or Cyber Attack: Choose One(Forbes) The conversation about cybersecurity in the private sector seems to have deepened this year. Is that your sense as well? It is. Some noteworthy events in the past few months have galvanized our attention
Information Exposed: Historical Examination of Data Breaches in New York State(State of New York Attorney General) Every day, New Yorkers share personal information with companies, government agencies, and other organizations, either out of necessity or simply for the sake of convenience. When we do, we trust these institutions to protect our sensitive data from unauthorized access. That is why New York has a data breach notification law. If an unauthorized individual accesses your personal information, the institution that suffered the data breach must notify you, as well as my office, as soon as possible. An institution that fails to provide this notification is liable for damages and enhanced penalties
Why Australia is the No.1 DDoS target(Business Spectator) Organisations all over the world are increasingly experiencing disruptive cyber-attacks, especially Distributed Denial of Service (DDoS) attacks, but it has now become clear that Australia is being hit the hardest
Snowden and NSA: A Boon to the Privacy Business(Fiscal Times via Yahoo! News) It's been a little over a year since former defense contractor Edward Snowden exposed the NSA's sweeping surveillance program — with the latest revelations confirming that the federal government has been keeping tabs on everyday citizens' emails, phone calls and instant messages
Security High on Microsoft's 2015 Agenda(Channelnomics) Microsoft has added security to its list of top strategic priorities in the wake of the NSA scandal as it looks to reassure customers their data is safe
Quantum Computing IPO on the Horizon(IEEE Spectrum) Investors longing to own a piece of the quantum computing future could get their chance in the next several years. A stock market listing could be on the way for D-Wave Systems, the Canadian company that has built what it describes as the world's first commercial quantum computers
Trustwave Introduces Zero Malware Guarantee for New Managed Anti-Malware Service(Broadway World) Trustwave today announced a bold approach to malware protection with a zero malware guarantee for the company's recently introduced managed anti-malware service that protects businesses from web-based malware and zero-day threats. Trustwave also announced new features to the anti-malware service including big data-enabled threat intelligence that enables Trustwave experts to promptly flag risky behavior and gives businesses visibility into their own web browsing activities
Google Project Zero May Prove a Big Win for Security(Threatpost) Billions of people — not to mention a decent portion of the world's economies — depend upon the Internet in a way that is both amazing and terrifying. We rely on the network in a way that perhaps we have never relied on anything in the course of human history. The Internet is a wonderful resource, but it's also brittle and vulnerable, and, unlike many of our other vital resources, no one has been tasked with protecting it. Google, however, has decided to shoulder some of that burden on its own
Arista Unveils Industry's First Leaf Switch With 100GbE Uplinks(Wall Street Journal) Arista Networks (NYSE: ANET) today announced the 7280E Series fixed leaf switches, along with monitoring and automation enhancements to Arista EOS(R), continuing the evolution of software driven cloud networking. This new family of switches with its ultra-deep packet buffers and 100GbE uplinks enhance application performance, while providing resiliency, programmability and visibility into the network
Wireless Live CD Alternative: ZeusGard(Krebs on Security) I've long recommended that small business owners and others concerned about malware-driven bank account takeovers consider adopting a "Live CD" solution, which is a free and relatively easy way of temporarily converting your Windows PC into a Linux operating system. The trouble with many of these Live CD solutions is that they require a CD player (something many laptops no longer have) — but more importantly — they don't play well with wireless access
Tenable Network Security Announces Pre-authorized Nessus Edition for Amazon Web Services(MarketWatch) Tenable Network Security, Inc., a leader in continuous network monitoring, today announced the availability of Nessus® Enterprise for Amazon Web Services (AWS) on AWS Marketplace. The new solution allows AWS developers and customers to scan their Amazon Machine Images (AMI) assets within the AWS Cloud for potential vulnerabilities, threats and compliance violations during development and before they are deployed into production for preauthorization
Email Grab v0.3.5 Released(ToolsWatch) Email Grab is a software project for Intelligence and Information Gathering. The aim is to look for valid email addresses of a company by looking in the websites owned by it, on Google, on PGP/GPG servers, whois and other resources
SSL Black List Aims to Publicize Certificates Associated with Malware(Threatpost) Malware and botnet operators are always adapting their tactics, trying to stay a step or two ahead of defensive technologies and techniques. One of the methods many attackers have adopted is using SSL to communicate with the infected machines they control, and a researcher has started a new initiative to track the certificates attackers use in these operations and publish them
Keeping the RATs out: an exercise in building IOCs — Part 1(Internet Storm Center) Reader Jake sent us an awesome bundle of RAT-related mayhem collected during performance of his duties while investigating the unfortunate and prolonged compromise of a company we'll fictitiously call Hazrat Supply. Guess what? The RAT that was plaguing the Hazrat Supply environment was proxying traffic back to a Chinese hosting company
Out in the Open: A Tool That Will Make It Easier to Abolish Email Entirely(Wired) Email is just about as old as networked computing itself. But 40 years later, the same basic technology is still very much a part of our online lives — and for good reason: It's pretty darn useful. But email is also one of the most infuriating technologies we have, and one of these days, we're going to finally produce something that can make it obsolete
On eve of stadium opening, 49ers create $4 million STEM program for local students(San Francisco Business Times) Within days of the ribbon-cutting for their new $1.3 billion stadium, the 49ers will also cut the ribbon on a $4 million 49ers STEM Leadership Institute. The program, created in partnership with the Silicon Valley Education Foundation and the Santa Clara Unified School District, will take promising applicants who are rising seventh graders in the district and try to further spur their interest in the areas of science, technology, engineering and mathematics
CyberCamp reaches out to girls(Denton Record-Chronicle) A new camp is on the Texas Woman's University campus this week, teaching local high school students about cybersecurity and how to protect a system online
Cyber students face off at Louisiana Tech(News-Star) With the school year over, most high school teachers and students are enjoying a well-deserved summer vacation poolside, on beaches or in the mountains. However, more than 30 teachers and 90 students from high schools across the region spent the beginning of their summer break in the world of cyberspace at the seventh annual Cyber Discovery camp at Louisiana Tech University. This program was hosted by the Cyber Innovation Center's National Integrated Cyber Education Research Center implemented nationwide through a grant with the Department of Homeland Security
Legislation, Policy, and Regulation
Government orders security audit of IT infrastructure(Times of India) Alarmed at the rising cases of cyberattacks emanating from the web space of a host of nations, including Pakistan, China and the UAE, the Centre has ordered security auditing of the entire IT infrastructure of the central and the state governments
Have Intelligence Agencies Become Too Reliant on Technology?(Townhall) A newly leaked document stolen by former National Security Agency contractor Edward Snowden last year reveals that one of the NSA's partner agencies within the "Five Eyes" Anglo-intelligence network — Britain's Government Communications Headquarters (GCHQ), responsible for signals intelligence — dedicated vast resources to fooling around on the Internet, according to journalist Glenn Greenwald. The GCHQ has reportedly developed tools capable of playing with the results of online polls; sending out spoof emails and Microsoft Office documents that, once opened, can grab and transmit files and info from a user's computer; collecting data from public profiles on LinkedIn and other social-networking websites; and discreetly increasing website traffic and rankings
Capitol Hill joins business leaders in cybersecurity progress(The Hill) Last week, the Senate Select Committee on Intelligence passed legislation intended to help the U.S. Government and American companies thwart cybersecurity attacks, the Cyber Information Sharing Act (CISA). Should this legislation pass Congress and be signed into law, it would be a big step towards tightening our nation's security online
Finjan Holdings Applauds Bipartisan Movement of Cybersecurity Information Sharing Act(Wall Street Journal) Finjan Holdings, Inc. (NASDAQ: FNJN), a technology company committed to enabling innovation through the licensing of its intellectual property, applauds the continued bipartisan movement of the Cybersecurity Information Sharing Act (CISA), which was approved last week, on July 8, in the Senate. Designed to enhance the nation's cybersecurity measures, the CISA aims to promote information sharing about cyber threats in both the public and private sectors
Agencies reset after missing the mark on cybersecurity goals(Federal News Radio) Despite steps forward, agencies fell short of their 2014 targets for cybersecurity. The Obama administration is pushing chief information officers to focus on priorities of continuous monitoring, phishing and malware, and authorization processes for 2015, according to the newly released cross-agency priority goals
Cybersecurity Is A Top Priority For Governors(Homeland Security Today) A joint action plan for cybersecurity was approved last week by the Council of Governors, Department of Defense (DoD) and Department of Homeland Security (DHS) during the National Governors Association (NGA) 2014 Summer Meeting
Justice Department's New Crime Chief Targets Cyber Cases(Wall Street Furniture) International organized crime groups, lured by the prospect of thefts that can net hundreds of millions of dollars, increasingly are turning to cybercrime, said the new head of the Justice Department's criminal division
No-IP versus Microsoft: The Net Result(WindowsITPro) Last week, I brought us all up to date on Microsoft's recent seizure of domains hosted by DNS provider, No-IP. If you remember, Microsoft secretly won a legal matter to take control over the domains in an effort to rid the electronic world of specific types of malware that had infected millions of computers over a year's time. No-IP took objection (obviously) to being back-doored by Microsoft and the legal system, suggesting that if someone had just contacted them about the issue, they could have handled it. Arguably, the company had a year or more to take care of it on its own, but nothing happened
Department of Justice Provides Update on Gameover Zeus and Cryptolocker Disruption(United States Department of Justice Office of Public Affairs) The Justice Department today filed a status report with the United States District Court for the Western District of Pennsylvania updating the court on the progress in disrupting the Gameover Zeus botnet and the malicious software known as Cryptolocker. The disruption began in late May, when the Justice Department implemented a series of Court-authorized measures to neutralize Gameover Zeus and Cryptolocker — two of the most sophisticated and destructive forms of malicious software in existence
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
2nd Annual Oil & Gas Cyber Security Conference(Houston, Texas, USA, July 15 - 17, 2014) This highly interactive, hands-on forum will break down each potential cyber threat specific to the oil and gas industry, as well as tackle key issues including managing communication between OT and IT...
Security Startup Speed Lunch DC(Washington, DC, USA, July 22, 2014) Our goal is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology...
SHARE in Pittsburgh(Pittsburgh, Pennsylvania, USA, August 3 - 8, 2014) LEARN: Subject-matter experts and practitioners are on-hand at SHARE events to discuss major issues facing enterprise IT professionals today.
FOCUS: SHARE provides leading-edge technical education on a variety of topics. Whether you are an IT manager, IT architect, systems analyst, systems programmer or in IT support, SHARE offers focused sessions to benefit all job roles.
ENGAGE: At SHARE events, you will experience a wide variety of formal and informal networking opportunities that encourage valuable peer-to-peer interaction...
Passwords14(Las Vegas, Nevada, USA, August 5 - 6, 2014) Passwords is the first and only conference of its kind, where leading researchers, password crackers, and experts in password security from around the globe gather in order to better understand the challenges...
BSidesLV 2014(Las Vegas, Nevada, USA, August 5 - 6, 2014) We have an amazing array of speakers each year, covering topics such as Penetration Testing, Forensics, Incident Response, Risk, and everything in between. We have a Lockpick Village, the Squirrels in...
4th Annual Cyber Security Training Forum(Colorado Springs, Colorado, USA, August 5 - 6, 2014) The Information Systems Security Association (ISSA) — Colorado Springs Chapter and FBC, Inc. will co-host the 4th Annual Cyber Security Training Forum (CSTF). CSTF is set to convene from Tuesday August...
DEF CON 22(Las Vegas, Nevada, USA, August 7 - 10, 2014) The annual hacker conference, with speakers, panels, and contests. Visit the site and penetrate to the schedules and announcements.
South Africa Banking and ICT Summit(Lusaka, Zambia, August 8, 2014) The South Africa Banking and ICT Summit is the exclusive platform to meet industry thought leaders and decision makers, discover leading edge products and services and discuss innovative strategies to...
SANS Cyber Defense Summit and Training(Nashville, Tennessee, USA, August 13 - 20, 2014) The SANS Institute's Cyber Defense Summit will be paired with intensive pre-summit hands-on information security training (August 13-18). This event marks the first time that SANS will conduct a training...
Resilience Week(Denver, Colorado, USA, August 19 - 21, 2014) Symposia dedicated to promising research in resilient systems that will protect critical cyber-physical infrastructures from unexpected and malicious threats—securing our way of life.
AFCEA Technology & Cyber Day(Tinker AFB, Oklahoma, USA, August 21, 2014) The Armed Forces Communications & Electronics Association (AFCEA) — Oklahoma City Chapter will once again host the 10th Annual Information Technology & Cyber Security Day at Tinker AFB. This is the only...