Hacktivists continue to push against Israeli assets to protest fighting in Gaza. A Turkish hacker makes his protest against a UN organization, hacking the subdomain of the United Nations Civil Society Participation.
Sucuri warns that vulnerabilities in the MailPoet WordPress plug-in are being massively exploited, and that sites running Joomla and Magento are affected as well. Some 50,000 sites are said to be affected. MailPoet is the entry point, but the exploit can spread, and has spread, by cross-contamination to sites on the same server that haven't enabled the plug-in.
Facebook scams grow more dangerous, and now lead to exploit kits. For example, the recent "Mom Makes $8,000/Month From Home" grift takes the unwary to a third-party site with an iframe for the Nuclear exploit kit. The visiting device is scanned, and then, when a vulnerability is found, the Ascesso Trojan is installed.
Canvas fingerprinting, the hard-to-block tracking technology discovered on pornographic and political sites, continues to draw scrutiny from security and privacy analysts.
Huawei's E355 modem is vulnerable, US-CERT reports, to cross-site scripting attacks.
Hackers break into a European Central Bank database in an extortion attempt.
Daimler agrees: yes, cars are in principle vulnerable to cyber attack.
A study on the cyber-crime-as-a-service economy finds its impact very large, exceeding $400B in losses worldwide annually.
The EU mulls sanctions against Russia, working through (1) mistrust of US surveillance and (2) European dependence on Russian energy.
The US charges six for hacking StubHub. A Dutch court rules that country's intelligence services may receive NSA-collected bulk data.
Today's issue includes events affecting Canada, China, European Union, Germany, Israel, Italy, Netherlands, Palestinian Territories, Russia, South Africa, Spain, Turkey, Ukraine, United Kingdom, United States.
MailPoet Vulnerability Exploited in the Wild — Breaking Thousands of WordPress Sites (Sucuri Blog) A few weeks ago we found and disclosed a serious vulnerability in the MailPoet WordPress plugin. We urged everyone to upgrade their sites immediately due to the severity of the issue. The vulnerability allowed an attacker to inject anything they wanted into the site, which could be used for malware injections, defacement, spam and many more nefarious acts
Facebook scams now lead to exploit kits (Help Net Security) The Facebook scam is a familiar phenomenon to every user of the popular social network, and most of them have fallen for it at one time or another, as it only takes a moment of distraction to click on an interesting link
US warns of Huawei WiFi modem XSS security threat (V3) The US Computer Emergency Response Team (CERT) has issued a warning alerting businesses to a flaw in Huawei's popular E355 wireless broadband modem that could be leveraged by hackers to mount cross-site scripting attacks
How Hackers Hid a Money-Mining Botnet in Amazon's Cloud (Wired) Hackers have long used malware to enslave armies of unwitting PCs, but security researchers Rob Ragan and Oscar Salazar had a different thought: Why steal computing power from innocent victims when there's so much free processing power out there for the taking?
Pay-to-Prey: The Reality of Cybercrime-as-a-Service Economics (McAfee Blog Central) Last month the Center for Strategic and International Studies (CSIS) released "Net Losses — Estimating the Global Cost of Cybercrime," a McAfee-sponsored report stating that the economic impact of cybercrime exceeds $400 billion worldwide, costing around 200,000 jobs in the U.S., 150,000 jobs in the European Union, and anywhere between 15 to 20 percent of the $3 trillion Internet economy
Firms turn blind eye to BYOD policy (FierceMobileIT) Close to half of organizations either don't have a mobile device policy at all or have not fully implemented the policy they have in place, according to a survey of 1,100 IT security pros who are members of the LinkedIn Information Security Community
Study Reveals Top BYOD Security Concerns (Newsfactor Business Report) The Second Annual BYOD & Mobile Security Study reveals that exploits entering organizations via mobile devices is a top BYOD security concern in 2014. The independent research study, conducted by the LinkedIn Information Security Community, finds that more than half of 1,100 respondents identify malware protection as a key requirement for mobile security
Global DDoS Attacks Skyrocket in Q2 (CBR) Average DDoS attack bandwidth rose by 72%. The number of Distributed Denial of Service (DDoS) attacks across the globe rose by 22% during the second quarter of 2014, the latest Prolexic Global DDoS Attack Report revealed
If it's connected, it's vulnerable: Know the risks (GCN) Additionally, systems must be hardened, not just patched; unnecessary services and applications must be removed, and the remaining software configured appropriately. So many systems built for the IoT, on either the device side or the cloud side, are based on multipurpose operating systems and are left with many features running that unnecessarily expose risk. And, most critically, the use of the data should be monitored with privileged user monitoring and insider threat tools
Cyber-Crime: Coming to a Law Firm Near You (Willis Wire) Cyber-crime is a growing problem and is considered to be more profitable than the drugs trade. Small and medium sized firms are being targeted by cyber-criminals because the criminals consider their systems to be unsophisticated and the information stored valuable, but this does not mean that larger firms are any less vulnerable. Due to the subtlety of cyber-criminals, firms may be unaware that they have been the subject of an attack
Ex-Cyber Spy's Message to Board Members: You're Not OK (Wall Street Journal) In his new role as CEO of Darktrace, a cyber-security firm based in Cambridge, U.K., Andrew France OBE is meeting a lot of anxious board members at some of the biggest firms in the U.K. and abroad. The cost of cyber crime to the global economy is around $445 billion annually, with the U.K. alone losing $11.4 billion during 2013, according to cyber security company McAfee
EMC Earnings Preview: Stagnating Core Business Could Lead To VMware, Pivotal Spin-Offs (Forbes) EMC is scheduled to announce its Q2 earnings on July 23. The company posted mixed results in the first quarter, with net revenues growing by less than 2% year-on-year to $5.48 billion. EMC's information infrastructure product sales, which include storage products, RSA security and content management software, declined by almost 7% year-over-year to $2.4 billion. The company witnessed significant top line growth from VMware (+16%) and Pivotal (+40%)
ThreatTrack Security Selected by CRN as a 2014 Emerging Vendor (BroadwayWorld) ThreatTrack Security, a leader in malware protection solutions that identify, stop and remediate advanced threats, targeted attacks and other sophisticated malware designed to evade traditional cyber defenses, today announced that it has been named a 2014 Emerging Vendor by CRN, a top news source for solution providers and the IT channel. The annual Emerging Vendors list identifies up-and-coming technology vendors that have introduced innovative new products, creating opportunities for channel partners in North America to create high-margin, cutting-edge solutions for their customers. Now in its second year as an independent company, ThreatTrack Security continues to expand its operations and solutions portfolio to better serve the most pressing cybersecurity needs of organizations of all sizes across the globe
Former PayPal Security Expert Joins Synack to Drive the Power of Crowd Security Intelligence (Broadway World) Synack Inc., a startup that created the industry's first enterprise-caliber system to safely and effectively crowdsource security testing, announced today that Gus Anagnos, the former PayPal executive responsible for developing and leading the PayPal Bug Bounty Program, has joined the company as VP of Strategy and Business Operations. Gus brings over 18 years of invaluable experience working in information security and enterprise risk to Synack. Gus will be driving the overall business strategy and working closely with customers to provide a thorough understanding of the current security landscape and offer new ideas, tools and services to ensure customers are aware of the latest threats and how best to protect against them
All is not so rosy at Silicon Roundabout (London Evening Standard) Poor Ed Vaizey. He's only been in the newly created post of Minister for Culture and Digital Industries for a week, and already he's having to deal with a fire in the server room
Products, Services, and Solutions
NetIQ Further Delivers on "Identity-Powered" Security with Sentinel 7.2 and Change Guardian 4.1 (Broadway World) NetIQ today announced the latest versions of its NetIQ Sentinel Security Information and Event Management (SIEM) and NetIQ Change Guardian privileged user activity monitoring solutions. As organizations begin to integrate more sources of identity data into their overall security and breach prevention strategies, these solutions comprehensively monitor privileged user activity to reduce the risk of data breach in an increasingly perimeter-less IT environment
LogRhythm identifies retail cyber attacks (ITWire) Security company LogRhythm has announced a new set of product features to identify early indicators of cyber-attacks on the payment processing chains of retail organisations
RSA Updates Web Threat Detection (VAR Guy) RSA unveiled the latest version of its Web Threat Detection software this week, which will allow users to monitor and stop cyberthreats in real time
Bitdefender Internet Security 2015 (PC Magazine) Bitdefender Internet Security 2015 includes all the components you'd expect, plus some welcome bonus features, and all of its parts are consistently effective. It's definitely a good choice
Splunk upgrades App for Enterprise Security (GSN) San Francisco, CA-based Splunk, a provider of a software platform for real-time operational intelligence, has announced the general availability of version 3.1 of the Splunk App for Enterprise Security. Splunk has introduced a new risk scoring framework in the Splunk App for Enterprise Security to enable easier, faster threat detection and containment by empowering users to assign risk scores to any data
Cryptography Research and Entropic Sign License Agreement for DPA Countermeasures to Secure Next Generation Content (Wall Street Journal) Cryptography Research, the security division of Rambus (NASDAQ:RMBS), and Entropic (NASDAQ:ENTR), a world leader in semiconductor solutions for the connected home, today announced they have signed a patent license agreement allowing for the use of the Cryptography Research side-channel attack countermeasures in Entropic's integrated circuits. The Cryptography Research patented technology will protect Entropic's set-top box system-on-a-chip (SoC) products against differential power analysis (DPA) and related attacks. This agreement builds on the previous agreement between the two companies, with Entropic already licensing the Cryptography Research CryptoFirewall™ tamper-resistant core for set-top boxes
AnonCoin Review (Cryptocoin News) AnonCoin is today's Random Coin of the Day. AnonCoin launched on June 6, 2013, and is currently the only coin to support the I2P darknet. The coin team is currently working on a "ZeroCoin" implementation to allow for cryptographic anonymity in transactions
Georgia Tech Unveils 'BlackForest' Open Source Intelligence Gathering System (SecurityWeek) Coordinating distributed denial-of-service attacks, displaying new malware code, offering advice about network break-ins and posting stolen information — these are just a few of the online activities of cyber-criminals. Fortunately, activities like these can provide cyber-security specialists with advance warning of pending attacks and information about what hackers and other bad actors are planning
Technologies, Techniques, and Standards
Mobile Workers: 'I Want My BlackBerry Back' (CIO) The leading smartphones weren't designed with business implications in mind. One of the results: when IT gets access to popular smartphones, it gets access to everything. These privacy concerns are leading many users to ask for their BlackBerry back
The psychology of phishing (Help Net Security) Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals no longer send out thousands of emails at random hoping to get a handful of hits; today they create highly targeted phishing emails which are tailored to suit their recipients
Phishermen Around the World Agree: Lawyers Are Mighty Tasty (Absio) Law firms are frequent targets of phishing attacks for four reasons. First, they tend to have valuable data. Second, their email addresses are usually on the firm website. Third, many use social media, so their personal and business relationships are in public view. Fourth, many lawyers may not recognize a phishing attack, or even know what a phishing email is if they saw one
Just Released — The Phishing Planning Kit (SANS Institute) One of the biggest challenges with an effective phishing program is not the technology you use, but how you communicate and implement your phishing program. To assist you in getting the most out of your phishing program we have put together the Phishing Planning Kit. Based on the feedback and input of numerous security awareness officers, this kit walks you step-by-step through how to implement an effective phishing program that your employees will actually like. In addition, we include lessons learned, such as how often you should send your phishing emails, whom to target, what type of phishing emails you should use, what to do with violators, and what to report and to whom
Cyber Security Challenges: How Do Retailers Protect the Bottom Line? (IBM Security Intelligence) Target. Adobe. AOL. eBay. What do they have in common? They are big companies that have been the victims of big security breaches over the last year. In the case of online auction site eBay, over 145 million records were compromised, while Target dealt with upwards of 70 million breached records. While the rise of e-commerce and cloud data storage has proven to be a boon for consumers, a host of compliance and security challenges have emerged. How do retailers protect their bottom lines?
In search of better email encryption (Marketplace) Since the Snowden revelations, it has become clear that email as a basic internet protocol is essentially insecure, and other options — texting, messaging apps, and the like — are not much better
Windows Previous Versions against ransomware (Internet Storm Center) One of the cool features that Microsoft added in Windows Vista is the ability to recover previous versions of files and folders. This is part of the VSS (Volume Shadow Copy Service), which allows automatic creation of backup copies on the system. Most users first meet this service when they are installing new software, when a restore point is created that allows a user to easily revert the operating system back to its original state if something goes wrong
Bugcrowd Releases Open Source Vulnerability Disclosure Framework (Threatpost) The problems that come from doing security research on modern Web applications and other software aren't just challenging for researchers, but also for the companies on the receiving end of their advisories. Companies unaccustomed to dealing with researchers can find themselves in a difficult position, trying to figure out the clearest path forward
Design and Innovation
The Server Needs To Die To Save The Internet (TechCrunch) Do we have the Internet we deserve? There's an argument to say that yes, we absolutely do, given web users' general reluctance to pay for content. We are, of course, paying. Just not with cold hard cash, but with our privacy — as digital business models rely on gathering and selling intel on their users to make the money to pay (the investors who paid) for the free service
Human misidentification in Turing tests (Journal of Experimental & Theoretical Artificial Intelligence) This paper presents some important issues on misidentification of human interlocutors in text-based communication during practical Turing tests. The study here presents transcripts in which human judges succumbed to the confederate effect, misidentifying hidden human foils for machines. An attempt is made to assess the reasons for this. The practical Turing tests in question were held on 23 June 2012 at Bletchley Park, England. A selection of actual full transcripts from the tests is shown and an analysis is given in each case. As a result of these tests, conclusions are drawn with regard to the sort of strategies which can perhaps lead to erroneous conclusions when one is involved as an interrogator. Such results also serve to indicate conversational directions to avoid for those machine designers who wish to create a conversational entity that performs well on the Turing test
Reflections on the Tenth Anniversary of The 9/11 Commission Report (Bipartisan Policy Center) Ten years ago today, as members of the National Commission on Terrorist Attacks Upon the United States, we issued The 9/11 Commission Report, the official account of the horrific attacks of September 11, 2001. A decade later, we have reconvened, as private citizens, to reflect on the changes of the past ten years and the emerging threats we face as a country. In recent months, we have spoken with some of the country's most senior current and recently retired national security leaders… Cyber readiness lags far behind the threat
White House, senators near deal on surveillance reform (Washington Post) The Obama administration and key U.S. senators are close to a deal on legislation that aims to end the National Security Agency's collection of millions of Americans' phone call logs for counterterrorism purposes
Feds: Hackers Ran Concert Ticket Racket (Krebs on Security) A Russian man detained in Spain is facing extradition to the United States on charges of running an international cyber crime ring that allegedly stole more than $10 million in electronic tickets from e-tickets vendor StubHub
Dutch spy agencies can receive NSA data, court rules (PC World) Dutch intelligence services can receive bulk data that might have been obtained by the U.S. National Security Agency (NSA) through mass data interception programs, even though collecting data that way is illegal for the Dutch services, the Hague District Court ruled Wednesday
DOJ alleges Symantec submitted false claims on software contract (FierceGovernmentIT) The Justice Department said July 22 that it has intervened in a whistleblower lawsuit against Symantec Corp., alleging the company "knowingly" submitted false claims on a General Services Administration software contract that involved hundreds of millions of dollars
Hackers inside Chinese military steal U.S. corporate trade secrets (ComputerWorld) In May, a grand jury in the Western District of Pennsylvania indicted five members of the Chinese military on charges of hacking and economic espionage, according to a May 19 U.S. Department of Justice media release. Per the same release, the targets were six U.S. enterprises operating in the solar products, nuclear power, and metals industries. The attacks began as early as 2006 and were carried out over many years and into this year, according to the same release
We All Got Trolled (Medium) Supporters of Internet freedom rallied around weev before he went to prison. But now that the hacker is out, he's douchier — and maybe scarier — than ever
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
NOPcon Security Conference (Istanbul, Turkey, September 16, 2014) NOPcon is a non-profit hacker conference. It is the only geek-friendly conference without sales pitches in Turkey. The conference aims to foster learning and the exchange of ideas and experiences between security researchers,...
Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, October 13 - 16, 2014) HITBSecConf, or the Hack In The Box Security Conference, is an annual must-attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia...
BSidesVienna (Vienna, Austria, November 22, 2014) BSidesVienna will open its doors again in 2014. Be part of it and stay tuned
ICISSP 2015 (Angers, Loire Valley, France, February 9 - 11, 2015) The International Conference on Information Systems Security and Privacy aims at creating a meeting point for researchers and practitioners who address security and privacy challenges that concern information...
Black Hat USA 2014 (Las Vegas, Nevada, USA) Black Hat USA is the show that sets the benchmark for all other security conferences. As Black Hat returns for its 17th year to Las Vegas, we bring together the brightest in the world for six days of learning,...
4th Annual Cyber Security Training Forum (Colorado Springs, Colorado, USA, August 5 - 6, 2014) The Information Systems Security Association (ISSA) — Colorado Springs Chapter and FBC, Inc. will co-host the 4th Annual Cyber Security Training Forum (CSTF). CSTF is set to convene from Tuesday August...
BSidesLV 2014 (Las Vegas, Nevada, USA, August 5 - 6, 2014) We have an amazing array of speakers each year, covering topics such as Penetration Testing, Forensics, Incident Response, Risk, and everything in between. We have a Lockpick Village, the Squirrels in...
Passwords14 (Las Vegas, Nevada, USA, August 5 - 6, 2014) Passwords is the first and only conference of its kind, where leading researchers, password crackers, and experts in password security from around the globe gather in order to better understand the challenges...
DEF CON 22 (Las Vegas, Nevada, USA, August 7 - 10, 2014) The annual hacker conference, with speakers, panels, and contests. Visit the site and navigate to the schedules and announcements.
South Africa Banking and ICT Summit (Lusaka, Zambia, August 8, 2014) The South Africa Banking and ICT Summit is the exclusive platform to meet industry thought leaders and decision makers, discover leading edge products and services and discuss innovative strategies to...
SANS Cyber Defense Summit and Training (Nashville, Tennessee, USA, August 13 - 20, 2014) The SANS Institute's Cyber Defense Summit will be paired with intensive pre-summit hands-on information security training (August 13-18). This event marks the first time that SANS will conduct a training...
AFCEA Technology & Cyber Day (Tinker AFB, Oklahoma, USA, August 21, 2014) The Armed Forces Communications & Electronics Association (AFCEA) — Oklahoma City Chapter will once again host the 10th Annual Information Technology & Cyber Security Day at Tinker AFB. This is the only...
Resilience Week (Denver, Colorado, USA, August 19 - 21, 2014) Symposia dedicated to promising research in resilient systems that will protect critical cyber-physical infrastructures from unexpected and malicious threats—securing our way of life.
The Hackers Conference (New Delhi, India, August 30, 2014) The Hackers Conference is a unique event, where the best minds in the hacking world, leaders in the information security industry and the cyber community, along with policymakers and government representatives...