skip navigation

More signal. Less noise.

Looking for an introduction to AI for security professionals?

Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.

Daily briefing.

Today's news continues to be dominated by the Meltdown and Spectre bugs. Contrary to early reports, essentially all platforms are affected, not just those running on Intel processors. Most major vendors, including Microsoft, Intel, and Google, have fixes out, and others, including Apple, will release theirs soon. These can be expected to exhibit the usual fraction of unintended and unexpected consequences: Microsoft's Windows 10 update, for example, is reported to interfere with the functioning of some (not all) anti-virus products. The fixes will also generally have the effect of slowing down many processes. Individual and business Internet users will probably see this manifested in the cloud services they use.

In November Intel's CEO, Brian Krzanich, sold the maximum number of shares permitted under company bylaws. This was after Intel was notified of Meltdown and Spectre, but before the vulnerabilities were publicly disclosed. Intel says this was a mere coincidence, as indeed it may well be, but the industry press (notably TechCrunch and Ars Technica) is taking note.

India's Aadhaar national biometric identification database is said to have been breached, with access to its data for sale on the Dark Web for under $10. Aadhaar has had its security issues before, but this latest appears close to a complete compromise, affecting more than a billion people.

The cryptocurrency mania continues, as observers goggle in disbelief at the more bullish projections. Criminals are also affected by the speculative market in Bitcoin: rapid appreciation and volatility are driving them to alternative alt currencies.

Notes.

Today's issue includes events affecting European Union, India, Russia, United Kingdom, United States.

Your cyber security posture is right of boom.

Whether you're focused on IT or national security, exploits and data loss incidents put your mission at risk. Your current tools assess and analyze content after it's breached your network - they all work right of boom. It's only a matter of time until boom happens to you. Don't let it. getleftofboom.com

In today's podcast we hear from our partners at Accenture, as Justin Harvey shares his outlook on 2018. Our guest,  Dinah Davis from Code Like a Girl and Arctic Wolf Networks, talks about conferences, trade shows, and the value of diverse panels.

Cyber Attacks, Threats, and Vulnerabilities

Mozilla Confirms Web-Based Execution Vector for Meltdown and Spectre Attacks (BleepingComputer) Mozilla has officially confirmed that the recently disclosed Meltdown and Spectre CPU flaws can be exploited via web content such as JavaScript files in order to extract information from users visiting a web page.

Spectre and Meltdown: What You Need to Know Right Now (SANS Internet Storm Center) By now, you've heard about the processor vulnerabilities affecting almost every processor in common use today; those vulnerabilities are called Meltdown and Spectre.

What You Need to Do Because of Flaws in Computer Chips (New York Times) Hackers can exploit two major security flaws in microprocessors running virtually all machines on Earth. What do you do now?

Spectre and Meltdown chip flaws pose big issues for businesses (CNNMoney) Spectre and Meltdown, two flaws in the basic building blocks of billions of computing devices, are haunting the internet.

Meltdown and Spectre Flaws in Intel CPUs: Collateral Damage to OS & Cloud Services Unavoidable (HackRead) Meltdown and Spectre flaws are impacting almost all Intel CPUs and to solve the issue tech giants have started to address these flaws.

Hackers could guess your computer password unless you take action immediately (Metro) Update your devices immediately or you could end up in a world of pain

Critical computer flaws set up security challenge in Washington (TheHill) Two critical vulnerabilities that affect modern computer processing chips are about to become a huge headache for governments worldwide.

Apple says Meltdown and Spectre flaws affect ‘all Mac systems and iOS devices,’ but not for long (TechCrunch) Apple isn't immune to Meltdown and Spectre, the major bugs in basic computing architecture that were announced yesterday to widespread amazement and horror...

Google: Almost All CPUs Since 1995 Vulnerable To "Meltdown" And "Spectre" Flaws (BleepingComputer) Google has just published details on two vulnerabilities named Meltdown and Spectre that in the company's assessment affect "every processor [released] since 1995."

That Intel chip problem? It's now a far worse security issue (Silicon Valley Business Journal) Google researchers on Wednesday confirmed that they had uncovered a set of major security flaws in devices containing chips from Intel Corp., Advanced Micro Devices and ARM Holdings — potentially affecting virtually every computer and smart phone on the planet.

Intel blasts 'incorrect' reports over its chip security issues (CRN) Vendor giant claims its 'products are the most secure in the world' after accusations of security problems in chips

Meltdown and Spectre: Data theft hardware bugs affect most modern CPUs (Help Net Security) Meltdown and Spectre are two separate attacks that can result in exploitation of different issues affecting most CPUs in use today.

Understanding Those Alarming Computer Chip Security Holes: 'Meltdown' and 'Spectre' (Fortune) The vulnerabilities affect almost every computer—and some have no available fixes.

Almost Every Computer and Smartphone Has a Big Security Flaw (Money) Here's what you need to know

What steps can you take to prevent hackers from gaining access? (NBC News) The technology industry is scrambling to fix a massive security flaw found in hardware contained on almost every computer in the world.

India’s national ID database is reportedly accessible for less than $10 (TechCrunch) The nightmare is a reality in India. Reports from the country suggest that the government's national ID system -- Aadhaar, which holds personal data belonging..

Zero-Day Vulnerabilities in Dell EMC Data Protection Suite Family Products Disclosed by Digital Defense, Inc. Researchers (GlobeNewswire News Room) Digital Defense, Inc., a leading security technology and services provider today announced that its Vulnerability Research Team (VRT) uncovered three previously undisclosed vulnerabilities within Dell EMC Data Protection Suite Family products. Combining the three identified vulnerabilities, full compromise of the affected system is possible by modifying the configuration file.

What Would Really Happen If Russia Attacked Undersea Internet Cables (WIRED) The world’s internet infrastructure is vulnerable, but snipping a couple of lines is the least of your concerns.

Google Apps Script Vulnerability Exposes Malware Risks (eWEEK) Security firm Proofpoint discloses a mechanism by which Google Apps Scripts can be used to deliver malware.

Google Apps Script vulnerability could lead SaaS apps to download malware (TechRepublic) Hackers are leveraging Software as a Service platforms including Google Drive to download malware to victims, according to Proofpoint.

Free Phishing Kits Come With A Cost For Beginner Cybercriminals (Tom's Hardware) Imperva released a detailed report into the backstacking world of phishing kit providers and users.

Search engine shenanigans: Malwarebytes mentions aren’t what they seem (Security Boulevard) Hunting for information on Malwarebytes, including blog posts or researcher names on Google's search engine? Be wary of websites stuffed with keywords designed to send you into an ad blizzard. Categories: Cybercrime Social engineering Tags: adadsadvertsredirectsearch engine (Read more...) The post Search engine shenanigans: Malwarebytes mentions aren’t what they seem appeared first on Malwarebytes Labs.

InfoShot: Most blacklisted mobile apps (IDG Connect) WhatsApp, Pokémon Go, WinZip, and Wild Crocodile Simulator are amongst the most blacklisted mobile apps within the enterprise, according to a new report.

New Adware Discovered in 22 Apps in Google Play (Dark Reading) The 'LightsOut' adware is found is flashlight and utility apps, which have been downloaded between 1.5 million to 7.5 million times.

PyCryptoMiner ropes Linux machines into Monero-mining botnet (Help Net Security) A Linux-based botnet that has been mostly flying under the radar has earned its master at least 158 Monero (currently valued around $63,000).

Huawei router vulnerability exploited, most are unlikely to be patched (SC Media UK) An amateur hacker who titled himself 'Nexus Zeta' has managed to exploit the Huawei home router HG532 by finding the information on online forums.

Quick Heal spots malware that imitates Indian banks’ apps (The Financial Express) Quick Heal Security Labs has spotted an Android banking Trojan that imitates more than 232 apps including those offered by Indian banks.

Why are cyber-criminals dumping Bitcoin? (SC Media UK) Cyber-crime players are not stupid, which is probably why they are dumping Bitcoin and going with the smart(er) money...

Security Patches, Mitigations, and Software Updates

Vendors Share Patch Updates on Spectre and Meltdown Mitigation Efforts (Threatpost) Intel, Amazon, ARM, Microsoft and others have shared patch updates to keep customers informed on their mitigation efforts to protect against the far reaching Spectre and Meltdown vulnerabilities impacting computers, servers and mobile devices worldwide. 

Meltdown and Spectre: Here’s what Intel, Apple, Microsoft, others are doing about it (Ars Technica) Intel, Microsoft, ARM, and others have responded. We dig in.

Intel reveals 'comprehensive' threat mitigation response to Spectre and Meltdown vulnerabilities (CRN Australia) Includes operating system and firmware updates coming within weeks.

Intel issues updates to protect systems from Spectre and Meltdown (Help Net Security) Intel is issuing updates for all types of Intel-based computer systems - including personal computers and servers - that render those systems immune from Spectre and Meltdown.

Intel patch hampers performance of AWS EC2 servers (Computing) AWS customers complain of server slowdowns following implementation of Meltdown patch

UPDATE 1-Apple to issue fix for iPhones, Macs at risk from 'Spectre' chip flaw (Reuters) (Adds timing details and quotes from experts)

Browser makers move to mitigate risk of Spectre browser attacks (Help Net Security) Mozilla, Google, Microsoft and Apple have pushed out or announced updates that mitigate the risk of Spectre browser attacks.

AWS, Google and Microsoft respond to 'Meltdown' and 'Spectre' chip flaw (CRN Australia) Cloud giants work on updates to their platforms.

Meltdown & Spectre: Microsoft releases emergency patches (CSO Online) Two major vulnerabilities in processors — Meltdown and Spectre — affect most modern systems. Security advisories and patches are being issued.

Microsoft patches Windows to cool off Intel's Meltdown – wait, antivirus? Slow your roll (Register) Check your anti-malware tool unless you like BSoDs

Here's what every Chrome user should do in the wake of #Spectre (Mashable) It's an easy step to take.

Google’s Mitigations Against CPU Speculative Execution Attack Methods (Google Help) This document lists affected Google products and their current status of mitigation against CPU speculative execution attack methods. Mitigation Status refers to our mitigation for currently known vectors for exploiting the flaw described in CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.

Site Isolation (The Chromium Projects) Home of the Chromium Open Source Project

Charring, melting laptop batteries cause HP to issue voluntary recall (Ars Technica) The company will replace the battery for free and send a technician to do so.

Cyber Trends

2018 IT Security Outlook: Attacks and Threats Get More Sophisticated (eSecurity Planet) 2018 will bring more high-profile data breaches, with attacks and threats getting increasingly sophisticated. We outline 10 security trends to watch.

Marketplace

Threatcare Secures $1.4 Million in Seed Funding Led by Moonshots Capital to Scale Proactive Cyber Defense Platform (Daily Telescope) Companies today must think like the attacker and anticipate threats before they happen.

Louisville-based Swimlane raises $1.35 million (BizWest) Swimlane LLC, a Louisville-based software company, has raised $1.35 million in capital. The funding comes from an equity offering, according to a Form D filed Dec. 29 with the Securities and Exchange Commission. Swimlane did not respond to a request for more information. Swimlane produces an automated security platform that allows companies to automatically respond to cyber attacks and to automate tasks. In December 2016, Swimlane raised about $3 million in another equity offering.

Cybersecurity remains essential as KPMG buys identity security business (Mergers and Aqusitions) This is KPMG’s second acquisition in the cybersecurity space since the firm's purchase of assets from Qubera in 2014.

Newton tech company buys New Jersey security software unit (Charlotte Business Journal) A Catawba County security software company is on the acquisition trail again.

Crypto Craze! A $10 Trillion Bull Case, Seriously? (Barron's) One man's speculative mania is another's digital treasure.

Cryptanalysis: Bitcoin arbitrage a big draw, but pitfalls seem bigger (The Financial Express) The spawning of bitcoin exchanges is throwing up big opportunities for arbitrage in prices, of no less than 10-13%.

Happy Birthday Bitcoin, and Don’t Forget About Cypherpunks - Keiser (Cointelegraph) As the world celebrates the ninth birthday of Bitcoin’s genesis block, Max Keiser reminds us to be mindful of the 40-year history of cryptography.

Two promoted at KPMG cyber security practice (Economia) KPMG UK’s cyber security practice has promoted former civil servant David Ferbrache to chief technology officer and Matthew Martindale to partner.

Products, Services, and Solutions

Gemalto launches a new contactless credit card with a fingerprint reader (ZDNet) The new biometric-powered contactless cards use fingerprint recognition to authenticate the cardholder, in an effort to cut down on in-store fraud.

ERPScan Releases a Guideline on How to Make SAP Systems GDPR Compliant (PRNewswire) ERPScan, the most credible company providing business application...

ConsentCheq LiveStart Gives Enterprises Rapid 'Pain Relief' for GDPR Consent Management (PRNewswire) Today, PrivacyCheq announced the immediate availability of ConsentCheq...

Technologies, Techniques, and Standards

After security disasters, banks using SWIFT messaging platform face new regulations in 2018 (TechRepublic) Banking organizations using the SWIFT global messaging platform face some new requirements in 2018. Here are the details, and how they'll affect business.

The Evolution of Corporate Authentication (Infosecurity Magazine) While it’s easy to feel overconfident if you’ve been lucky enough to avoid this type of problem, complacency can harm your business.

Design and Innovation

Who the Hell Is This 'Crypto-Genius?' (Motherboard) James Altucher is the man behind the stare.

Artificial Intelligence to listen for suicidal thoughts on social media (Naked Security) Individuals won’t be identified. Nor will intervention be attempted. The aim is, rather, to proactively spot regional trends.

Facebook ditches fake news flag, admits it was making things worse (Naked Security) The red flag was waving in the faces of bullishly entrenched, deeply held beliefs, so instead Facebook is just going to give “more context.”

I Spent a Week Living With Chatbots—Did All That Self-Help Help? (WIRED) While self-help as a genre can feel limited, a new class of digital counselors can feel impossible to ignore.

Mark Zuckerberg is right to explore the potential of the blockchain for Facebook (TechCrunch) In what is Mark Zuckerberg's now-traditional New Year speech, the Facebook supremo pledged to fix the social network's many problems which bubbled up in 2017...

Legislation, Policy, and Regulation

A bipartisan group of US senators has a plan to secure future elections (Futurism) “We must act now to fortify our election system against attacks by foreign powers...”

Critics worry as Trump voter probe goes to Homeland Security (Arizona Daily Star) Voting rights advocates and some state election officials cheered President Donald Trump's announcement that he was disbanding his election fraud commission, but their celebration could be

FCC issues final version of order eliminating net neutrality rules (TechCrunch) The FCC has released the final text of the order it voted on last month that is set to undo the net neutrality rules established in 2015. This is the text..

The FCC Says Consumer Backlash Will Protect Net Neutrality (Motherboard) As opposed to, you know, the rules it just gutted.

“Vote out” congresspeople who won’t back net neutrality, advocates say (Ars Technica) “If they don’t vote for net neutrality, let’s vote them out,” new campaign says.

Litigation, Investigation, and Law Enforcement

After Meltdown and Spectre revelation, questions arise about timing of Intel CEO’s stock sales (TechCrunch) The timing of Intel CEO Brian Krzanich’s large sale of shares in November is raising questions because a Securities and Exchange Commission filing appeared..

Intel CEO sold all the stock he could after Intel learned of security bug (Ars Technica) Intel claims sale was unrelated, but he planned sale after researchers disclosed bugs.

Wauchos may finally be coming to an end with a little help from ESET (WeLiveSecurity) We interviewed an ESET researcher who helped to disrupt Wauchos at the end of last year to find out what happens next with the infamous malware family.

Online retailers warn of significant losses, as chargeback loophole proves unstoppable (Computing) High-end retailers have warned that they are losing significant revenue to fraud, with card companies, payment acquirers and the government all seemingly unwilling to help

Social media namer and shamer charged (Naked Security) Sometimes, if not most times, silence on social media is golden.

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

European Cybersecurity Forum – CYBERSEC Brussels (Brussels, Belgium, February 27, 2018) CYBERSEC Forum is an unique opportunity to meet and discuss the current issues of cyber disruption and ever-changing landscape of cybersecurity related threats. Our mission is to foster the building of...

Cyber:Secured Forum (Denver, Colorado, USA, June 4 - 6, 2018) Cyber:Secured Forum will feature in-depth content on cybersecurity trends and best practices as related to the delivery of physical security systems and other integrated systems. Content is being collaboratively...

4th European Cybersecurity Forum – CYBERSEC (Krakow, Poland, October 8 - 9, 2018) CYBERSEC Forum is an unique opportunity to meet and discuss the current issues of cyber disruption and ever-changing landscape of cybersecurity related threats. Our mission is to foster the building of...

Upcoming Events

International Conference on Cyber Security: Forging Global Alliances for Cyber Resilience (New York, New York, USA, January 8 - 11, 2018) The Federal Bureau of Investigation and Fordham University will host the Seventh International Conference on Cyber Security (ICCS 2018) on January 8-11, 2018, in New York City. ICCS is held every eighteen...

2018 Leadership Conference (Arlington, Virginia, USA, January 17 - 19, 2018) We invite you to join us for this unique opportunity to share information, participate in leadership training, collaborate on solutions to common problems, and network with peers from around the globe.

CYBERTACOS (Arlington, Virginia, USA, January 24, 2018) CYBERTACOS is back and becoming one of the DC metro area’s biggest cybersecurity networking events! Register today and join us for networking, food and drinks. This event includes a 45-minute meet the...

Connected Medical Device & IOT Security Summit (Baltimore, Maryland, USA, January 25 - 26, 2018) The Summit will offer practical solutions to many of the daunting security challenges facing medical device and connected health technology companies, healthcare providers, payers and patients. The program...

CyberUSA (San Antonio, Texas, USA, January 29 - 30, 2018) The CyberUSA Conference will be held in San Antonio, TX at the Henry B. Gonzalez Convention Center on Tuesday, January 30, 2018. A welcome reception will be held on the evening of Monday, January 29, 2018.

Women in Data Protection, Securing Medical Devices and Health Records (Washington, DC, USA, February 9, 2018) Join some of the top cyber and privacy professionals as they talk about the landscape of the medical device and electronic health records market. They will also talk about the dangers to patients' health...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.