The claimed ISIS doxing of US service members increasingly looks like so much gasconade — the Pentagon thinks it's mostly hooey.
Google continues to have a difficult week: MWR Labs exposes an Android sandbox escape vulnerability, and Exodus Intelligence demonstrates that Stagefright patching is at best incomplete. Google is expected to issue fixes as soon as possible.
The Internet Storm Center describes Adwind, a remote access Trojan delivered as the payload in botnet-served spam. Adwind appears to require user interaction for activation.
Windows 10 continues to worry users concerned about their privacy.
The Russian CyberVor mob may be back — at least, someone posing as CyberVor seems to have gained access to University of Miami networks.
The "OwnStar" car hack is said to be effective against BMWs and Mercedes as well as Chryslers.
Apple updates OS X Server, iOS, Safari, and Yosemite. Dropbox moves to two-factor authentication.
The electrical power sector remains bedeviled by thumb-drive-delivered malware.
Oracle's stern words about reverse engineering to hunt bugs reverberate. Bug bounties are well-known, and HP's Zero Day Initiative tells eSecurity Planet how they legitimately buy vulnerabilities.
Enterprises that hold a lot of customer data — law firms, government agencies, etc. — are increasingly skittish about the risk to which those data expose them. The cyber insurance market gropes toward ways of transferring some of that risk. Post-breach litigation is a growing problem: class-action suits are now the norm.
The US National Institute of Standards and Technology (NIST) invites comment on a draft report on international cyber standards.
Today's issue includes events affecting China, Iran, Iraq, Israel, Lebanon, Russia, Syria, United Arab Emirates, United Kingdom, United States.
Security researchers find flaws in Ethernet switches(Drives & Controls) Cyber-security researchers in the US say that they have found security flaws in industrial Ethernet switches and gateways which could be used to attack industrial control systems in industries ranging from manufacturing to power generation. They have found vulnerabilities in four makes of Ethernet switch, but say that similar problems could exist in other devices
Zero Day in Android's Google Admin App Can Bypass Sandbox(Threatpost) The Android security team at Google is having a busy month. First the Stagefright vulnerabilities surfaced last month just before Black Hat and now researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox
Stagefright Patch Incomplete Leaving Android Devices Still Exposed(Threatpost) Google today released to open source a new patch for the infamous Stagefright vulnerability found in 950 million Android devices after researchers at Exodus Intelligence discovered the original patch was incomplete and Android devices remain exposed to attack
XSS flaw put Salesforce accounts at risk of hijacking(Tripwire: the State of Security) Security researchers have found a cross-site scripting (XSS) vulnerability on the Salesforce website, that could be exploited by malicious hackers to conduct phishing attacks and hijack the accounts of users
Adwind: another payload for botnet-based malspam(Internet Storm Center) Since mid-July 2015, I've noticed an increase in malicious spam (malspam) caught by my employer's spam filters with java archive (.jar file) attachments. These .jar files are most often identified as Adwind. Adwind is a Java-based remote access tool (RAT) used by malware authors to infect computers with backdoor access. There's no vulnerability involved. To infect a Windows computer, the user has to execute the malware by double-clicking on the .jar file
Windows 10 might be spying on you even after you tell it to stop(BGR) One of the main concerns with Microsoft's Windows 10 platform concerns privacy. The operating system has various features that need to access your private data to work properly. At the same time, Microsoft wants to deliver you better Bing search results and ads. In its defense, the company makes it clear in its terms of service that it's tracking you, and there are ways to stop all the tracking without compromising your Windows 10 experience. But what if the privacy-infringing settings you thought you just turned off aren't off?
The Dark Side of Steganography(IEEE Spectrum) The complicated mess of code in image, voice, video and even electrocardiogram data provide the perfect carrier for hidden messages. At the Network Security Group at Warsaw University of Technology, in Poland, Wojciech Mazurczyk disguises data the same way cybercriminals do in order to beat them at their own game
Ten scary hacks I saw at Black Hat and DEF CON(CSO) Security researchers and hackers gathered in Las Vegas over the past week to show off and learn about the latest vulnerabilities that affect devices and software that the world relies on every day. Black Hat and DEF CON, the world's top security conferences, did not disappoint
Clarifying the Hype Around Auto Cyber Threats(Huffington Post) I, like most Americans, have a love affair with the automobile. Give me an unlimited budget and I will quickly exceed it, purchasing pretty much every available car, truck and SUV on the market
Iranian hackers broke into what they thought was a Chevron gas pump — but it was a honeypot(Fusion) In the last few years, the so-called "Internet of Things" has gotten a reputation as "the Internet of Things That Can Be Hacked." This year alone, security researchers have hacked baby monitors, skateboards, rifles, and a Jeep — making it undriveable while it was going 70 miles per hour on a highway. One hacker possibly even hacked an airplane while it was in flight
How to stop pervy pics popping up on your iPhone(We Live Security) In the old days, if a dirty old man wanted to shock and frighten a young woman he might lurk down a forest path, dressed only in a grubby raincoat, and flash his unmentionables at her before making his cowardly escape
Advanced Targeting — The Name of the Game(PhishLabs Blog) Business email compromise (BEC), spear phishing, and social engineering aren't just buzz words that have gained popularity in the security industry. These tactics have recently been employed by cybercriminals to get around the plethora of security controls deployed to protect organizations. Account takeover has evolved from using malware to compromise credentials and remotely using the victim's computer, to using social engineering schemes over email to fool legitimate users into performing wire transfers, such as the recent BEC attack on Ubiquiti that nearly cost the organization $46.7 million
Security Patches, Mitigations, and Software Updates
LG, Motorola Detail Security Updates Following Android Stagefright Vulnerability(Gadgets.am) After the discovery of Stagefright vulnerability, Google and Samsung announced they would provide security patches to the Galaxy and Nexus range of mobile devices about once every month, starting with the Stagefright patch. Now, LG and Motorola are the latest to join the two firms confirming that they would too be taking the vulnerability seriously, and LG, besides issuing a patch, also says it will boost its security update frequency to a monthly basis
HP on Legal Hacking and the Law(eSecurity Planet) HP's Zero Day Initiative buys a lot of security vulnerabilities from researchers — so how does it stay within the bounds of the law?
Ways to Engage Executives in Cyber Risk(Wall Street Journal) A survey of retail executives shows many retailers making progress toward strengthening their cyber risk management programs, though they, along with their peers in other industries, could still benefit from improved governance and engagement with business leaders. More business executives are starting to recognize that accountability for cyber risk cannot rest solely with the IT organization. The many high-profile breaches in recent years have shown business leaders that efforts to prevent, detect, respond to and recover from cyber incidents require the collective wisdom and authority of executives across a range of functions
Stock Price May Not Tell the Whole Story About Security Breaches(IBM Security Intelligence) Data security breaches are larger and more spectacular than ever before. Just in the last year, companies suffering from major hacks have ranged from retailers and financial firms to entertainment conglomerates. The data stolen ran the gamut from tens of millions of customer accounts — complete with credit card information — to embarrassing remarks about celebrities in what were intended to be private email messages
3 stocks that make money on corporate cybercrime fear: UBS(Business News Network) Corporate spending on cybersecurity is on the rise as criminals find increasingly sophisticated methods to exploit vulnerable IT infrastructure. While the threat of cybercrime presents an ever-present risk to shareholders, investors in companies developing new and innovative ways of combating online threats are cashing in on the fear of getting hacked
Air Force seeks insider threat monitoring system(FierceGovernmentIT) The Air Force is seeking commercial information technology to help it better monitor its networks for insider threats. The product will be a key component to the development of its Insider Threat Program, according to a solicitation posted by the service Aug. 11
Comparing the top database security tools(TechTarget) Expert Ed Tittel examines the strengths and weaknesses of top-rated database security tools — from database activity monitoring to transparent database encryption — to help enterprises make the right purchasing decision
Interagency Report Advocates Support for International Cybersecurity Standardization(NIST Information Technology Laboratory) A new draft report by an interagency working group lays out objectives and recommendations for enhancing the U.S. government's coordination and participation in the development and use of international standards for cybersecurity. The report recommends the government make greater effort to coordinate the participation of its employees in international cybersecurity standards development to promote the cybersecurity and resiliency of U.S. information and communications systems and supporting infrastructures. These efforts should include increased training, collaborating with private industry and working to minimize risks to privacy
Responding in the 'golden hour' of a cyber attack(Security InfoWatch) User behavior analytics can help with detection of potential data breaches. By using custom algorithms, the divergence in behaviors between a normal user using her credentials and an attacker using the same credentials can be determined
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 5 of 6)(Privacy Compliance & Data Security) This blog post is the fifth entry of a six-part series discussing the best practices relating to cyber security. The previous post discussed the important steps that a business should take to preserve evidence and information once a cyberattack has been identified. This post will discuss the individuals and organizations that should be notified once a cyberattack occurs. The four most important groups to contact are (1) individuals within the business, (2) law enforcement officials, (3) The Department of Homeland Security, and (4) other possible victim
The Security Of Devices Connected To The Internet Of Things Keeps Degrading(iTechPost) According to reports, the security of devices connected to the Internet of Things degrades over time. The connected home devices might come securely enough when you buy them off the shelf, but this situation would not last for long. Tech firms have warned that the Internet of Things security is not strong enough
Uncovering the Truth about Six Big Data Security Analytics Myths(IT Business Edge) Cyber threats are becoming extremely sophisticated, as evidenced by the many high-profile breaches over the last few years. Organizations are confronting a new reality where they must accept that they are likely to be impacted, despite their best attempts to keep these threats out altogether. They need quicker and better ways to discover, investigate and remediate these threats. Marrying Big Data with machine learning can help address this challenge by providing security professionals with the Big Data security analytics (BDSA) they need to thwart the bad guys
Are Your Trade Secrets Safe?(Employment Law Navigator) A few years back, we had a client — a manufacturing business — that decided to sue an ex-employee for stealing its trade secrets. Our client had developed a process that was unique. Using this process, it was able to manufacture certain products in a very fast and cost-effective way, keeping its prices lower and its profits higher than its competition. The ex-employee went to work for a competitor and, according to our client, shared his knowledge of the secret process with his new employer
Design and Innovation
The Noise Around You Could Strengthen Your Passwords(Wired) Last year after nude photos apparently stolen from various celebrities' iCloud accounts began circulating on Reddit, Apple responded by telling people to enable a feature called "two-factor authentication"
Georgia Regents getting serious about cyber(Atlanta Business Journal) The University System of Georgia should step up efforts to train students for jobs in cybersecurity, an administrator with Georgia Regents University (GRU) told members of the system's Board of Regents Wednesday
Legislation, Policy, and Regulation
A Foreign Diplomat Just Taught America How to Win the War of Ideas(War on the Rocks) It is conventional wisdom in Washington that the United States is losing the "war of ideas" to the Islamic State, Hamas, Hezbollah, Iran, al Qaeda, and even the Taliban. All those forces of entropy and intolerance that practice and support terrorism are somehow proving superior at messaging to the country with Madison Avenue advertising, Silicon Valley innovation, Hollywood image-making, the 24-hour news cycle, and permanent political campaigning
GOP senator: Kerry 'downplaying' foreign cyber threat(The Hill) Sen. Ben Sasse (R-Neb.) is accusing Secretary of State John Kerry of downplaying the seriousness of overseas cyberattacks, a day after Kerry acknowledged Chinese and Russian spies are "very likely" reading his emails
Federal CFO: Getting Ahead of Emerging Cyberthreats(Wall Street Journal) Some of the biggest adversaries in the cyber ecosystem are well-funded organized crime and nation-states operating on a global scale. These threat actors are increasingly targeting financial information and using sophisticated technologies to breach networks undetected, says Mike Marshall, a Deloitte Advisory director at Deloitte & Touche LLP, where he supports the Federal National Security Sector practice. He describes considerations for what federal CFOs can do to help protect their agency's financial data from cyber thieves; how to employ a proactive, outside-looking-in approach to network security; and measure ROI on their cybersecurity investment
Army Reserve Pursuing Partnerships with Silicon Valley(National Defense) In April, Defense Secretary Ash Carter announced a new initiative to encourage the Defense Department and Silicon Valley to work more closely together. Reservists are now playing a key role putting this effort together, a senior Army official said Aug. 13.
Managing post-data breach litigation just got harder(Lexology) Data breaches are messy stuff, no doubt about that. They consume a huge amount of corporate resources, damage a company's goodwill and can cost a lot of money. No real news there. And while the technological challenges in preventing, and responding to, data breaches are ever-changing — fueling the booming cybersecurity industry — the corporate response to a data breach is fairly standardized. Basic steps include (not necessarily in this order)
Scandal Exposes Hillary's Disregard For Security(Investor's Business Daily) Scandal: Thanks to the State Department's release of Hillary Clinton emails, we now know she was more interested in how to permanently delete her emails than in protecting highly classified national security secrets
Cyberheist Victim Trades Smokes for Cash(KrebsOnSecurity) Earlier this month, KrebsOnSecurity featured the exclusive story of a Russian organized cybercrime gang that stole more than $100 million from small to mid-sized businesses with the help of phantom corporations on the border with China. Today, we'll look at the stranger-than-fiction true tale of an American firm that lost $197,000 in a remarkably similar 2013 cyberheist, only to later recover most of the money after allegedly plying Chinese authorities with a carton of cigarettes and a hefty bounty for their trouble
Baseball Hacking Scandal? It's Just Business as Usual(Corporate Counsel) Sports fans look at their favorite professional teams and see athletes. Hackers look at sports teams and see data. So, when news broke in June that the U.S. Department of Justice is investigating the St. Louis Cardinals' front-office personnel for allegedly hacking into an internal network of the Houston Astros, attorneys who deal with trade secret theft were hardly surprised
Brooklyn man pleads guilty to aiding terrorists, prosecutors say(Newsday) An Albanian national and Brooklyn resident who pleaded guilty to aiding terrorists bent on attacking the United States has been sentenced to 16 years in prison, federal prosecutors said, but they added that the defendant will likely appeal the government's use of the most critical evidence against him
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
USENIX Security(Washington, D.C., USA, August 12 - 14, 2015) The USENIX Security Symposium reunites researchers, practitioners, system administrators, system programmers, and other specialists interested in the latest advances in the security and privacy of computer...
5th Annual Cyber Security Training & Technology Forum (CSTTF)(Colorado Springs, Colorado, USA, August 19 - 20, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter and FBC, Inc. will once again co-host the 5th Annual Cyber Security Training & Technology Forum (CSTTF). CSTTF 2015 will bring...
Decepticon 2015(Cambridge, England, UK, August 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines,...
AFCEA OKC Technology & Cyber Security Day(Oklahoma City, Oklahoma, USA, August 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker...
Power Grid Cyber Security Exchange 2015(San Diego, California, USA, August 30 - September 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology...
2015 HTCIA International Conference & Training Expo(Orlando, Florida, USA, August 30 - September 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015(Vancouver, British Columbia, Canada, August 31 - September 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire...