Allegations surface of a Pakistani government cyber campaign directed against Indian targets.
Kaspersky continues to admire the Equation Group's work, today marveling at its stealth.
Also from Kaspersky comes a description of "Podec," an Android Trojan that can trick CAPTCHA into passing it as a human. Podec is crimeware: it subscribes its victims to unwanted premium services.
IBM's X-Force discovers a remotely exploitable vulnerability in Dropbox SDK for Android.
A researcher at Sakurity releases a proof-of-concept exploit that uses cross-site request forgery to hijack Facebook logins. The researcher disclosed the flaw in January, and chides Facebook for not having addressed it then. Facebook declined to do so, reports say, because it was unwilling to disrupt compatibility with sites that use the login feature.
Vulnerabilities in Nextep point-of-sale systems are said to show the importance of updating or replacing legacy systems.
Microsoft's Patch Tuesday fixes addressed, as expected, FREAK and universal cross-site-scripting vulnerabilities. More surprising is a patch for the .LNK vulnerability — a hole Stuxnet exploited — which had been thought fixed by updates in 2010. Microsoft is also teaming with Lenovo to mop up Superfish contamination in Lenovo devices.
Yahoo patches its eCommerce services.
Experts worry, again, about the greatly expanded attack surface the Internet-of-things and its associated "smart cities" present. (Kaspersky is in a particularly apocalyptic mood.)
Cyber insurance providers and their customers continue to grope toward improved risk assessment.
Bain Capital buys Blue Coat, and PayPal confirms its acquisition of CyActive.
State Department emails and "homebrew servers" raise eyebrows.
Today's issue includes events affecting Australia, India, Israel, Democratic People's Republic of Korea, Isle of Man, New Zealand, Pakistan, United States.
The CyberWire will be offering special coverage of SINET's ITSEF conference in Mountain View, California, next week. We'll be live-tweeting from the event, and our editor will be moderating a panel on emerging trends in cyber attack.
DroppedIn: Remotely Exploitable Vulnerability in the Dropbox SDK for Android(IBM Security Intelligence) The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim's knowledge or authorization
8 Android Security Concerns That Should Scare IT(InformationWeek) Even though mobile operating systems such as Android are superior to PCs when it comes to protecting against security threats, there still are several concerns that IT should beware
Operating System Vulnerabilities, Exploits and Insecurity(We Live Security) Hands up who believes that OS X and iOS are the most vulnerable operating systems in use today? Well, I find it a bit hard to believe, too, even though I've had a lot of hate-mail over the years for pointing out that Apple's operating systems are not invulnerable
Bulletin (SB15-069) Vulnerability Summary for the Week of March 2, 2015(US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
Microsoft and Lenovo work on cleaning up 60,000 Superfish infected PCs(Win Beta) In the wake of Superfish, there seems to be a BP oil spill-like taint on the Lenovo brand in the eyes of many consumers. Trust was lost, images were tarnished and the MacBook-toting crowd began their chants of superiority. Unfortunately, Lenovo didn't just ruin their name alone, as with most things that go wrong with PCs (usually driver related), Microsoft was run through the wringer for this as well. Questions of whether or not Microsoft's licensing policies lead to this sort of OEM greed or should Microsoft have built a better system to avoid this type of tampering, etc
IoT, new tech pose challenges, rewards in defense(San Diego Source) The Internet of Things promises to bring enormous opportunities to the security and defense fields, but serious risks accompany every benefit as increasing the available tools also increases the threat
No Application Is Invulnerable, Now What?(Trend Micro Simply Security) Looking back at 2014, we see an abundance of vulnerabilities in Adobe Acrobat, Java, Windows, and others. The steady stream of disclosures came as a shock to no one
The Deep Web: Shutdowns, New Sites, New Tools(TrendLabs Security Intelligence Blog) 2014 was a year in flux for the Deep Web. We briefly discussed this in our annual security roundup, but this is a topic worth exploring in some detail
Most SMBs are Unaware of Cyber-insurance(Infosecurity Magazine) In a business environment that seems chronically susceptible to breaches, purchasing cyber-risk insurance may sound like common sense. Yet despite the historic increase in data breaches in 2014, a new survey has revealed that more than two-thirds (67%) of small and medium-sized businesses (SMBs) are not aware that dedicated cyber-insurance even exists
Observations From Advisen Cyber Risk Conference March 3rd in San Francisco(Infosec Island) Advisen provides information, analytics, research, and events for the insurance industry and reaches more than 150,000 commercial insurance and risk professionals at 8,000 organizations worldwide. There were approximately 150 attendees at the Conference from insurance companies, brokers, and consultants. The following were my observations
Cybersecurity stocks sell off; FBN remains bullish(Seeking Alpha) Security tech plays, several of which were huge gainers in February, have been hard hit (HACK -2.6%) amid a market selloff. Major decliners include FireEye (FEYE -4%), CyberArk (CYBR -6.6%), Proofpoint (PFPT -4.7%), and Vasco (VDSI -5.5%). Imperva is off sharply after announcing a 3M-share offering
Bain to buy Blue Coat for about $2.4 billion(Reuters) Bain Capital LLC will acquire Blue Coat Systems Inc from fellow private equity firm Thoma Bravo LLC in a deal that the network security company said on Tuesday would value it at about $2.4 billion, including debt
Startup Spotlight: GuruCul's Risk Analytics(eSecurity Planet) Data breaches occur when identity is compromised or misused, which is why GuruCul focuses on identifying anomalous behavior that can point to identity issues
Cyber pay bump: Put your security clearance to work(Military Times) Conventional wisdom holds that your security clearance lands you a bigger paycheck in the cybersecurity world. While this is true statistically, it may not be true for you. In cyber, clearance doesn't automatically mean more money
Cloudflare Aims to Defeat Massive DDOS Attacks with Virtual DNS(Threatpost) DDoS attacks have been a persistent problem for the better part of 20 years, and as ISPs and enterprises have adjusted their defenses, attackers have adapted their tactics. One of the more effective tools in the attackers' arsenal now is the use of botnets to generate massive numbers of DNS queries for a target site, a technique that can be quite difficult to defend against
Cryptsoft collaborates with Intel on key management approach(PRNewswire) Cryptsoft, the preferred OEM provider of technology to the enterprise key management security market today announced a collaboration with Intel focussed on standards based encryption key management using OASIS Key Management Interoperability Protocol (KMIP) conformant technology
Cyber-risk May Take a Bite Out of Apple Watch(Infosecurity Magazine) Apple has unveiled the Apple Watch — a smart wearable that will function as a Mac-on-the-wrist. It has tech-heads excited, but security researchers warn that consumers should be careful of the potential cyber-risks that the gadget's on-board connectivity represents
Technologies, Techniques, and Standards
10 Ways to Leave Cybercriminals in the Dust(Pymnts) Cybercrime is on the rise, as are its associated fraud rings that are now more immune than ever to the multitude of fraud prevention tactics out there. But is there a way to fight the criminals' intelligence with even more sophisticated intelligence?
Hack yourself first: How we can take the fight to the black hats(Help Net Security) The Internet has increased the interconnectivity of everyone and everything on the globe. From healthcare to commerce, public services and beyond, being connected has enriched our quality of life like never before. But it's also exposed businesses and consumers alike to unprecedented levels of risk
IT Disaster or Data Breach?: 7 Must-Do Steps(Information Management) It's no secret 2014 was a notable year for enterprise IT crises, and it's safe to say 2015 will have its fair share of scares as well. Unfortunately, data breaches aren't the half of it — system and service outages can be equally (if not more) devastating to enterprises. While major IT disruptions are damaging, preserving customer trust and confidence afterward is the next challenge organizations must perfect
How CIOs can create a culture of security awareness(FierceCIO) Numerous studies have agreed that IT security is the top concern among CIOs this year, especially with the topic rising to discussions among top boards of directors. That makes it critical that CIOs be able to communicate security risk at the executive level, and obtain buy-in for security investment
Security, Know Thine Enemy(SecurityWeek) Security professionals must know the categories of threats an enterprise faces and how to respond to each
An Audit Versus an Assessment(Infosec Island) A lot of people are always calling their PCI assessment an audit. However, certified public accountants (CPA) would tell them that there is a vast difference between the two
Guest Post: Is the Sony Hack the Dawn of Cyber Deterrence?(Council on Foreign Relations) In the confines of national security, deterrence is the act of preventing another party from taking action out of fear of the consequences. In the attack against Sony Pictures Entertainment, North Korea failed in deterring Sony from releasing the movie "The Interview," and the United States failed in deterring North Korea from attacking Sony. Why? In cyberspace, the rules of the game are different. States are not deterred and regard cyberattacks as consequence-free because adversaries have not paid a price for the attacks. That changed with the Obama's unprecedented actions against North Korea and may herald the dawn of cyber deterrence
Cyber Regulators Emphasize Process Over Products(Forbes) It has been called "the most important cybersecurity case you've never heard of," and now it's getting a second life. The core issue in the dispute between the Federal Trade Commission (FTC) and Wyndham Worldwide Corporation is whether the FTC has the authority to enforce data security standards in the US commercial sector. Last April a federal judge ruled in favor of the FTC, but Wyndham has appealed. The 3rd Circuit Court of Appeals heard oral arguments earlier this month, and regardless of how that court rules, that decision is also likely to be appealed
ACLU: Snowden proved NSA Internet spying harms Americans(AP via KLTV) The American Civil Liberties Union and other groups sued the National Security Agency and the Justice Department on Tuesday, challenging the government's practice of collecting personal information from vast amounts of data harvested directly from the Internet's infrastructure
Government to Drop Charges in Federal Employee Hacking Case(AP via ABC News) A National Weather Service employee accused of illegally accessing a restricted federal computer database containing information about the nation's dams, stealing information and lying to federal investigators will have charges against her dismissed if a judge approves the prosecution's request
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
Conference on Cyber Defence in Europe(Berlin, Germany, March 25 - 26, 2015) The conference aims to address these and other issues of cyber defense in a broad audience of policy-makers, senior officials and experts from EU institutions and Member States, representatives of industry...
Black Hat USA(Las Vegas, Nevada, USA, August 1 - 6, 2015) Black Hat — built by and for the global InfoSec community — returns to Las Vegas for its 18th year. This six day event begins with four days of intense Trainings for security practitioners...
Defcon 23(Las Vegas, Nevada, USA, August 4 - 7, 2015) DEF CON has been a part of the hacker community for over two decades. See the organization's website for more information
BSides Augusta 2015(Augusta, Georgia, USA, September 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of...
Annual Privacy Forum 2015(Luxemburg, October 7 - 8, 2015) The distributed implementation of networks and services offers the opportunity for new Privacy Enhancing Technologies (PETs) that could support users' needs while safeguarding their personal data. Although...
OISC: Ohio Information Security Conference(Dayton, Ohio, USA, March 11, 2015) Technology First invites you to participate in the 12th Annual Ohio Information Security Conference Wednesday, March 11, at the Sinclair Community College Ponitz Center in Dayton, Ohio. The conference...
RiSK Conference 2015(Lasko, Slovenia, March 11 - 12, 2015) In recent years RISK conference has become one of the leading events on computer security in the Adriatic region and is attended by engineering as well as executive staff of companies from the region.
B-Sides Vancouver(Vancouver, British Columbia, Canada, March 16 - 17, 2015) The third annual Security B-Sides Vancouver is an information security conference that will be held March 16th and 17th. We love to see brand new speakers, seasoned speakers, and everyone in between
Insider Threat 2015 Summit(Monterey, California, USA, March 16 - 17, 2015) The Insider Threat 2015 Summit is about bringing Government and Industry organizations and their cybersecurity leaders together in order to better understand the type of threats that may impact their infrastructure...
2015 North Dakota Cyber Security Conference(Fargo, North Dakota, USA, March 17, 2015) The North Dakota Cyber Security Conference brings together community members from academia, government and industry to share strategies, best practices and innovative solutions to address today's challenges...
Philadelphia SecureWorld(Philadelphia, Pennsylvania, USA, March 18 - 19, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...
2015 Cyber Security Summit(McLean, Virginia, USA, March 19, 2015) During Congressman Mike Rogers' "The Code War in America" talk at the June 2013 POC breakfast, he challenged all of us to "recognize that every day U.S. businesses are targeted by governments like China...
BSides Salt Lake City(Salt Lake City, Utah, USA, March 20 - 21, 2015) BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation