Cyber Attacks, Threats, and Vulnerabilities
Analysis: Islamic State strengthens ties with Boko Haram (BBC) The Islamic State (IS) has released a new video, eulogising Nigeria's Boko Haram, in the latest sign of closer ties between the two militant groups
Arts Website Recovers From Cyber Attack (KSAL) The website of a Topeka arts district has been restored after it was hacked
Report: To Aid Combat, Russia Wages Cyberwar Against Ukraine (NPR) The rules of War 2.0 (or 3.0) are murky. Experts and pundits say that cyberwarfare is happening. And it makes sense. But it's been very hard to prove
Lookingglass Cyber Threat Intelligence Group Links Russia to Cyber Espionage Campaign Targeting Ukrainian Government and Military Officials (Lookingglass) Report findings provide fully documented cases and timeline showing cyber warfare and espionage being used in coordination with Russian military activities
Did monkey videos help Russian hackers access President Obama's email? (Fortune) Silly viral videos may have helped cyber intruders get hold of more than just the president's private itinerary, reports say
How Google saw the DDoS attack against Github and GreatFire (Help Net Security) The recent DDoS attacks aimed at GreatFire, a website that exposes China's internet censorship efforts and helps users get access to their mirror-sites, and GitHub, the world's largest code hosting service, have been linked to the Great Cannon, an attack tool co-located with the Great Firewall of China
WordPress vulnerable to yet another, still to be patched XSS flaw (Help Net Security) The latest WordPress version (4.2, released on Thursday) and several earlier ones are vulnerable to a stored cross-site scripting (XSS) vulnerability that can be exploited to inject JavaScript in WordPress comments
Details on WordPress Zero Day Disclosed (Threatpost) WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details on a zero-day vulnerability he discovered in the WordPress 4.2 and earlier core engine that could lead to remote code execution on the webserver
Android zero-day opens phones up to drive-by-downloads (SC Magazine) A new zero-day flaw affecting all versions of Google's Android operating system could be exploited by hackers looking to steal data or take control of the mobile device
Inside the Zeroaccess Trojan (Dark Matters) The Zeroaccess trojan (Maxx++, Sierief, Crimeware) has affected millions of computers worldwide, and it is the number one cause of cyber click fraud and Bitcoin mining on the Internet
Account Breach Leads Sendgrid to Reset All Customer Passwords (Tripwire: the State of Security) Sendgrid, a company that specializes in transactional email delivery services, is asking all its customers to reset their passwords following an account breach
Zombie apps haunt BYOD workplaces (CSO) Around 3 million apps on employee smartphones are actually dead, removed from their respective app stores and no longer supported
TRAI leaked Over Million Email Addresses; Anonymous India takes Revenge (Hacker News) The official website of the Telecom Regulatory Authority of India (TRAI) has been allegedly hacked just hours after the site exposed more than 1 Million email addresses of users who spoke in support of Net Neutrality.
Hackers hijack Tesla's website, Twitter account and email — but how? (Hot for Security) Tesla Motors is famous for its high performance, gadget-filled, electric cars — but that doesn't necessarily mean that it's a master of all technology
School falls victim to 'malicious' cyber attack (Derby Telegraph) A school believes a pupil may be responsible for a "malicious cyber attack" of its internal computer system
This Hacker has Implanted a Chip in his Body to Exploit your Android Phone (Tripwire: the State of Security) Plenty of people these days are prepared to augment their bodies with face furniture, piercings, rings and tattoos. But would you implant a chip in your hand to show how easy it is to exploit an Android phone?
Why this guy is teaching people how to write malware for Macs (Business Insider) Patrick Wardle says he "drinks the Apple juice." At the same time, the director of research at Synack recently gave a presentation at the elite Infiltrate hacking conference in Miami detailing "exactly how to practically create elegant, bad@ss OS X malware"
Google blushes over Google Maps showing Android icon urinating on Apple icon (Naked Security) As of Monday, all was well in Pakistan's Ayub National Park, at least as far as Google Maps was concerned, which was showing it as a verdant green swath of pixels
Security Patches, Mitigations, and Software Updates
WordPress 4.2.1 Security Release (WordPress) WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately
WordPress promises patch for zero-day "within hours" (CSO) WordPress statement hints at no prior notice on disclosure, contrary to researcher claims
Cyber Trends
How the Internet of Things is reshaping the future of security (CSO) The emerging model of the Internet of Things (IoT) is rapidly changing the way organisations think about IT security — but IoT's unique characteristics are also likely to send ripples through conventional security architectures by forcing a fundamental rethink about how corporate data is managed and protected
Successful POS attacks are the result of poor security, researchers find (Help Net Security) Most data breaches involving payment card information — and there have been too many in the last two years — can be traced back to a lack of implementation of security measures
Cyber security chiefs urging companies to protect against basic cyber attacks (Treasury Insider) The cyber security industry experts attending the RSA conference in San Francisco this week have been urging companies to protect against basic cyber-attacks on their company, rather than attempting to prevent threats from nation-state backed hackers
Cyber Scammers 'Phishing' More for Corporates — ProofPoint (Spamfighter News) Cybercriminals are progressively targeting business houses rather than mere consumers in their attacks, said security firm ProofPoint in a recent study
Only one-quarter of federal agency IT officials polled say their network data is protected in transit (FierceGovernmentIT) About 26 percent of federal agency IT decision makers polled believe the data transmitted across their networks are fully protected, according to one major finding in a new industry-sponsored survey released last week
Big data can help counter cyber attacks, says report (Out-Law) Businesses that have improved their cyber security defences in the past two years have been more likely to turn to new security technologies than companies whose security performance has remained "static", a report by Accenture has found
Marketplace
Anti-virus product caught cheating by independent testing agency (Graham Cluley) AV-Comparatives, one of the world's leading independent testers of anti-virus products, says that it has uncovered that at least one product isn't playing by the rules
FireEye Is Worth A Second Look (Seeking Alpha) FireEye fell out of favor with investors in 2014 due to repeatedly lowballing its revenue guidance and its expanding losses. The company has, however, managed to maintain strong top line growth. The market appears to appreciate this fact and has bid up the company's shares this year. FireEye is making the right moves to maintain strong growth and is therefore a good investment
Fortinet: A Premier Cybersecurity Firm (Seeking Alpha) Fortinet had an amazing first quarter, beating on several key metrics such as revenue and operating margins. Fortinet's accelerating growth in large deals is perhaps one of the most promising aspects of the company's business. Fortinet's highly integrated model should increase the company's brand value, as such an integrated platform saves on time and improves overall security. Despite Fortinet's dominant market position, the increasing pace of cybersecurity obsolescence is a very real threat to the company
One of Silicon Valley's fastest-growing companies was just acquired (Silicon Valley Business Journal) Loqate, which provides location-based intelligence and data, has been acquired by GBGroup, an identity intelligence firm from the United Kingdom
Raytheon forming cyber-security JV; launches new products (UPI) A new cyber-security company is being formed as a joint venture of Raytheon and Websense, with an investment by Raytheon of more than $1 billion
Accuvant-FishNet CMO Dishes On Hiring Spree, Global Expansion And The Future Of Optiv Security (CRN) The merger of Accuvant and FishNet Security — and the upcoming name change to Optiv Security — are just the first of many changes planned for the $1.5 billion security solution provider
G DATA strengthens its commitment to the US market (Pressebox) Andrew Hayter, as Security Evangelist, is the new point of contact for media, the security community and customers
FBI Readies Multimillion Contract for Cyber Expertise (Nextgov) Finding the right workforce talent is never easy, but it's a particularly challenging feat for the Federal Bureau of Investigation, which frequently requires subject matter experts with high clearances and diverse skill sets
The Chinese Hackers Who Are Actually Not Trying to Hack You (Motherboard) Last month, Lu Juhui and Jun Mao opened their laptops in a nondescript conference room in Vancouver, and a 30-minute countdown timer was started. A few keyboard taps and one minute later the pair had hacked Adobe Reader, the PDF viewing software, and earned $22,500 apiece. They sat wondering what to do for the next 29 minutes
Foreground Security Names Jeffrey B. Mauro Director of Operations (Nasdaq) Foreground Security, a cutting-edge cyber security consulting firm that offers an advanced set of cyber hunting and analytics capabilities, today announced it has named Jeffrey B. Mauro as its Director of Operations
Products, Services, and Solutions
Cylance Wins Excellence Award for Best Emerging Technology at 2015 SC Awards (Marketwired via Digital Journal) Cylance, the first cybersecurity company to provide next-generation antivirus protection that stops malware from executing by analyzing the DNA of files for known and unknown threats, won Best Emerging Technology at the 2015 SC Awards
Hadoop 'faces a make-or-break year,' say analysts (FierceBigData) Executives at Paxata, a maker of self-service data preparation products, say several trends are affecting how organizations are now performing data preparation and choosing big data projects. If the trends they see are correct, the year ahead is going to get interesting fast. One example: they think Hadoop is "facing a make-or-break year"
Fee-fi-fo-fum, do I want Google to sniff my network traffic, all of it? (Naked Security) Google is getting a lot of publicity for a business venture called Project Fi
US hospitals to treat medical device malware with AC power probes (Register) 'WattsUpDoc' is a stethoscope that detects viruses in sealed-box medicomputers
Technologies, Techniques, and Standards
6 Ways to Protect U.S. Grid from Cyber Attacks (Wall Street Journal) The electrical grid remains alarmingly vulnerable to a variety of cyber threats
New Utility Decrypts Data Lost to TeslaCrypt Ransomware (Threatpost) Crypto-ransomware variants have enterprises on edge because of the threat of irreversibly damaged files. Some organizations, including most recently the Tewksbury, Ma., police department, have gone as far as to pay hundreds of dollars in ransom for the recovery key
Cloud Security Certification Launched (GovInfoSecurity) Designed to measure advanced competence
Legal Issues with Cloud Forensics (Forensic Magazine) Unfortunately, many companies have entered the cloud without first checking the weather. Cloud services have skyrocketed primarily because they're cheaper and more convenient than the alternative. What happens if the cloud gets stormy, you suffer a breach, and you find yourself in the position of having to conduct digital forensics?
Data Sanitization: Part 1 (Forensic Magazine) Consider the following scenario which likely happens to tens of thousands of individuals each day
Cybersecurity Issues — Is Continuous Monitoring Enough? (Tripwire: the State of Security) Continuous monitoring is poised to do for information security what cloud deployment did for global productivity
How responsible are employees for data breaches and how do you stop them? (CSO) Data breaches have very quickly climbed the information security agenda and that includes the data breach threat posed by employees and IT professionals
Is your enterprise breach-proof? (Financial Express) Do you think your work related data is safe and beyond the reach of hackers? Do the news headlines on frequent breaches, hacks and heists worry you?
Interop: Understand Your Attackers For Better Network Defense (Dark Reading) Knowing who will target you is key in network security prioritization
Browser anonymity and security (stacksmash3r) I decided to write a little tutorial centered around my browser setup. I use two different profiles, a general one that isn't as hardcore as my security one that I use when I am investigating exploit kits and malware control panels
Design and Innovation
Opinion: If predictive algorithms craft the best e-mails, we're all in big trouble (Christian Science Monitor Passcode) The new Crystal app creates profiles 'for every person with an online presence' so its users can craft the ideal e-mail for every recipient. That's not only troubling for privacy, but also threatens to strip individuality out of our digital dialogue
Research and Development
NIST seeks CDM trial (FCW) What: A National Institute of Standards and Technology "sources sought" notice seeks information on vendors that can help the agency test a proven risk-scoring methodology that would lead to a long-term, real-time continuous monitoring program
Academia
Champlain College Awarded for Best Cybersecurity Higher Education Program (Forensic Magazine) Champlain College has been recognized for the second time as winner of the Professional Award for Best Cybersecurity Higher Education Program at the 2015 SC Awards. The award was presented during the 2015 SC Awards Gala held in San Francisco
Legislation, Policy, and Regulation
Former NSA Chief: Israel, Iran Among World's Best in Cyber-Warfare (Algemeiner) Archenemies Israel and Iran have some of the best cyber-warfare capabilities in the world, former National Security Agency chief General Keith Alexander said
Exclusive: Navy's cyber warriors in technological arms race with Israel's foes (Jerusalem Post) "From our perspective, the threat is always lurking on our perimeters — these are 'borders' made up of cables," says a senior navy source
How China Uses its Cyber Power for Internal Security (Diplomat) This is the first in a series of 5 articles discussing IT as a means to solidify Communist Party rule in the country
US ensnared in China's digital crackdown (The Hill) Chinese President Xi Jinping is spearheading a crackdown on the flow of digital information in a campaign that could reshape the cybersecurity relationship between China and the U.S
Top U.S. officials test new concept of cyberdefense (EnergyWire) The U.S. military is changing its approach to cyberspace in ways that could reverberate across the control networks all Americans rely on to deliver water, electricity and other critical services
Preparing for Warfare in Cyberspace (New York Times) The Pentagon's new 33-page cybersecurity strategy is an important evolution in how America proposes to address a top national security threat. It is intended to warn adversaries — especially China, Russia, Iran and North Korea — that the United States is prepared to retaliate, if necessary, against cyberattacks and is developing the weapons to do so
Editorial: Carter Charts New Cyber Path (DefenseNews) US Defense Secretary Ash Carter's new cyber strategy and push to harness the power of Silicon Valley are key and welcome steps to improving the cyber security of the United States and its allies
A Cybersecurity Turf War at Home and Abroad (Roll Call) The House passed not one, but two, bills last week to provide immunity from consumer lawsuits to companies that share with each other, and with the government, information about cyber-threats and attacks on their networks
Lynch vows cyber focus at DOJ (The Hill) Cybersecurity got prominent mention during Attorney General Loretta Lynch's swearing-in ceremony on Monday
Litigation, Investigation, and Law Enforcement
DOJ close to issuing sanctions over hacking (The Hill) Hackers could be facing new sanctions from the U.S. government in an attempt to prevent cyber crime
Court Says Cyber Forensics Covered by Legal Privilege (JDSupra) The Middle District of Tennessee recently issued a key decision in the ongoing Genesco, Inc. v. Visa U.S.A., Inc. data breach litigation. The court denied discovery requests by Visa for analyses, reports, and communications made by two cybersecurity firms Genesco retained after it suffered a data breach, on grounds that those materials were protected by the attorney-client privilege and work product doctrine. The decision is crucially important for two reasons
Companies target each other in data breach disputes (Business Insurance) Get a handle on cyber risks pre-emptively when making deals with business partners to help mitigate commercial liability disputes, says data security attorney Mitzi L. Hill of Taylor English Duma L.L.P
DHS audits find sensitive material left unsecured in work areas, passwords revealed (FierceHomelandSecurity) A third-party audit of several agencies and offices within the Homeland Security Department found that some personnel improperly divulged passwords or left sensitive documents unattended in their workspaces in violation of certain policies