Cyber Attacks, Threats, and Vulnerabilities
Fraud Experts Raise Concerns That Cap One Hacker Targeted Other Firms (PYMNTS.com) Krebs On Security is reporting that the alleged Capital One hacker may have also targeted and stolen data from other corporations. The website named Paige Thompson, nicknamed Erratic, as the alleged hacker and detailed how she would go on messaging service Slack in a group with other supposed hackers. Krebs on Security joined the group […]
Vodafone, Ford said to be also affected by Capital One hack (TechCrunch) The data breach at Capital One may be the “tip of the iceberg” and may affect other major companies, according to security researchers. Israeli security firm CyberInt said Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may have also fallen victim to …
Amazon: No evidence companies named in leaked Capital One files were breached (Computing) Ford and UniCredit among the companies named in files leaked by Capital One hacker Paige Thompson
FBI Examining Possible Data Breaches Related to Capital One (Wall Street Journal) The Federal Bureau of Investigation is examining whether the hacker charged with stealing data on millions of Capital One customers from an Amazon cloud service successfully hit other targets.
Capital One Breach Does Not Mean the Cloud is Insecure (Decipher) Financial services organizations and many other enterprises have hesitated to go all in on the cloud, citing concerns about depending on a third party to protect the data, and the Capital One breach may encapsulate their fears. But the fact is, the cloud provides security benefits, so long as proper controls are put in place.
Capital One data breach: What's the cost of data hacks for customers and businesses? (USA TODAY) The Capital One 2019 data breach is the latest example of how vulnerable consumer and business data is.
Unsecured Database Exposes Security Risks in Honda's Network (BleepingComputer) A publicly accessible ElasticSearch database exposed a huge trove of information on the global internal network of automotive giant Honda, showcasing potential security vulnerabilities and including detailed information about the CEO's computer.
Logins Stolen From Admin-Backdoored Club Penguin Rewritten Site (BleepingComputer) A disgruntled administrator left in a kids' gaming website a backdoor that enabled hackers to steal login data for a little over 4 million accounts.
iMessage bug could have allowed attackers to read data from any iPhone (Naked Security) Google’s Project Zero has unveiled details of a bug in Apple’s iMessage that lets attackers read data from an iPhone without any user interaction.
Where Bots Go On Summer Vacation (PerimeterX Bot Defender) Bots are impacting our everyday lives, now competing with us on our vacation searches. Online travel sites need to take into account bot traffic to provide accurate pricing and stay competitive. As bots continue to mimic human behavior, bot mitigation should be top of mind for travel websites.
Enterprise software transmits terabytes of data to vendors without customers' knowledge (Computing) In one case, a software package sent data to an IP address flagged for hosting malicious programmes
Enterprise Software May Transmit Data Without Your Knowledge (BleepingComputer) A cyber analytics firm has discovered several instances of enterprise software that collected and sent information home without prior authorization, a behavior which could lead to exposure of sensitive enterprise data.
Researchers Replace IP Camera Feed With Fake Footage (SecurityWeek) Security researchers have demonstrated an attack on an IP camera that results in fake replay footage being displayed to security operators.
SanDisk SSD Dashboard Vulnerabilities: CVE-2019-13466 & CVE-2019-13467 (Trustwave) While recently upgrading my laptop with a new Solid State Drive (SSD), I installed a management utility that is used for SanDisk SSDs. A quick examination revealed some potentially dangerous vulnerabilities in it. Now that these issues have gone through our responsible disclosure program and have been patched, we can discuss the details.
‘Urgent/11’ flaws affect 200 million devices – from routers to elevators (Naked Security) There are 11 security flaws affecting VxWorks: “the most widely used operating system you may never have heard about”.
Cyberattacks on connected cars could gridlock entire cities (Naked Security) It would require taking over and stranding 20% of a city’s cars to freeze traffic, and only 10% to impede ambulances, physicists calculate.
Report warns of possible mass casualties from automotive cyberattacks (Detroit Free Press) A consumer group warns of dire consequences if the threat of cyberattacks against vehicles is not addressed. An
Bulletproof Proxies Highlight the Evolving Cybercriminal Infrastructure (BusinessWire) Bulletproof Proxies Highlight Evolving Cybercriminal Infrastructure; Cequence Security’s New CQ Prime Threat Research Team Publishes Inaugural Report
Scam Alert: No, WhatsApp isn’t giving you 1,000GB free data (Mobile Indian) A message is making the rounds on WhatsApp claiming to offer 1,000GB of data for free as part of WhatsApp’s tenth anniversary.
Georgia hit with malware yet again (Naked Security) The Department of Public Safety says it won’t pay, but given the umpteen times the state’s agencies have been hit, somebody’s not listening.
School tax bill mailings delayed again; aftermath of cyber attack (Citizens Voice) School property tax bills for Luzerne County school districts will not be mailed this week, as planned, but should be issued by Aug. 19, county officials announced Tuesday. The delay stems from ongoing problems with the county’s assessment database, which
Security Patches, Mitigations, and Software Updates
Google Pay to now send SMS alerts for secure transactions (LiveMint) Google Pay comes equipped with several of Google's security features, including scam protections. Google Pay will send alerts to highlight that approving a request will deduct money from the user's bank account.
Cyber Trends
Deloitte Cyber and Dragos Share Top Cyber Risks for IoT Devices (Deloitte United States) Deloitte Cyber and Dragos team to share the top cyber risks organizations face with IoT environments. Poll results reveal standards on cybersecurity and security-by-design approach are needed across industries.
Phishing and Credential Stuffing Attacks Remain Top Threat to Financial Services Organizations and Customers (Akamai) Latest State of The Internet / Security Report Observes 3.5 Billion Malicious Login Attempts Targeting the Financial Services Sector
Dragos Oil and Gas Threat Perspective Summary (Dragos) The oil and gas industry is a valuable target for adversaries seeking to exploit industrial control systems (ICS) environments. As the number of attacks against
Study Confirms Less Than 20% Always Read Terms of Service (Home of internet privacy) A new study by ExpressVPN reveals that more than 80% of consumers don’t always read the ToS when creating new accounts on websites.
The Evolution of Security in 5G (5G Americas) A "Slice" of Mobile Threats
Netwrix Survey: Lack of Budgets for Cloud Security Initiatives Slows Down Cloud Adoption for Government (PR Newswire) Netwrix, a vendor of information security and governance software, today released findings from the 2019 Netwrix...
Banking malware grows 50% while cryptominers decline – Check Point (Security Brief) The report’s findings are based on data drawn from Check Point’s between January and June 2019, highlighting the key tactics cyber-criminals are using to attack businesses.
Ponemon Institute Reveals Security Teams Spend Approximately 25 Percent of Their Time Chasing False Positives; Response Times Stymied by Legacy Tools (Exabeam) Research indicates an urgent need for newer SIEM technologies that increase SOC analyst productivity and improve security effectiveness[...]
We must do more to sift fact from fiction (Times) What’s true and what isn’t — and how much harm untruth can do in the public realm — is one of the great problems of our time. Last year the government identified the propagation of fake or...
Marketplace
Intel says it's been selling products to Huawei and has applied for licenses to sell more (CNBC) Intel CEO Bob Swan told CNBC that the company has applied for a license to sell "general purpose compute" products to Huawei. The Chinese firm is on a blacklist that requires American companies to get special permission to sell to Huawei.
Huawei and its U.S. Suppliers Increase Spending on Lobbyists in Face of Trade Deadline (MapLight) An executive order banning U.S. companies from dealing with Chinese telecom giant Huawei Technologies spurred the company and its U.S. suppliers to boost their lobbying expenditures by more than 20 percent during the first half of the year.
Cybersecurity training is up, but a hiring gap remains (HR Dive) Cybersecurity jobs pay 16% more on average than other IT jobs, but take 20% longer to fill, according to Burning Glass Technologies.
Prevailion Secures $10M Series A Investment Led By AllegisCyber (Dark Reading) Previous Investor DataTribe Participates in Funding; Prevailion's Time To Action Technology Provides Breakthrough In Cyber Defense
ForgeRock Expands Leadership Team with Key Appointments (West) Adds Russ Kirby as New Chief Information Security Officer and James Ross as ANZ Managing Director
IronNet Cybersecurity Appoints Scott Alridge as General Counsel (PR Newswire) IronNet Cybersecurity announced today that it has appointed Scott Alridge as Chief Legal Officer (CLO) reporting to...
Products, Services, and Solutions
ImageWare® Systems Launches New Intelligent Anti-Spoofing System for Strengthened Identity Proofing and User Authentication (West) Biointellic™ secures user access to corporate resources while mitigating data breaches
Digital Defense, Inc. Introduces Frontline Insight™ Featuring On-Demand Peer Analysis of Security Risk Metrics (Yahoo) Digital Defense clients can now pull information to not only help further reduce security risk, but also help determine how best to evolve information security programs to perform in an optimal fashion ...
ThreatQuotient Expands Global Footprint Through New Partnerships (BusinessWire) New partnerships with global distributors Ectacom, Nihon Cornet and StarLink complement ThreatQuotient's growing international presence.
Elastic Stack 7.3.0 Released (BusinessWire) Elastic N.V. (NYSE: ESTC) (“Elastic”), the company behind Elasticsearch and the Elastic Stack, is thrilled to announce that version 7.3 of the Elastic
ReversingLabs Titanium Platform Finds Destructive Objects Existing Security Investments Miss (Yahoo) ReversingLabs, a leading provider of enterprise-scale file analysis, threat hunting, and malware intelligence solutions, today unveiled its.
Datarisk Canada Launches First Website Firewall with Automatic Malware Removal and Privacy Compliance (Yahoo) Recent data breaches at Desjardins, Equifax and now Capital One have reached an unprecedented total of almost 9 million individual records in Canada.
NSS Labs Initiates Group Test Coverage of the Cloud Workload Protection (CWP) Market (NSS Labs, Inc.) NSS Labs, Inc., a global leader and trusted source for independent, third-party cybersecurity product testing, today announced that it is developing a Cloud Workload Protection Group Test (CWP)
Capsule8 Announces Industry’s First Cloud Investigations (Capsule8) Capsule8 Protect now solves production security’s data warehousing problem. BROOKLYN, New York – August 1, 2019 – Capsule8 today announced Investigations, new functionality that adds full endpoint detection and response …
Bandura Cyber Increases Performance and Capacity in Next-Generation Threat Intelligence Gateway (BusinessWire) Bandura Cyber today announced the next generation of its market leading Bandura Cyber Threat Intelligence Gateway (TIG).
Technologies, Techniques, and Standards
Data breaches like Capital One show the need for 'zero trust,' says CEO of cloud firm Akamai (CNBC) Akamai Technologies CEO Tom Leighton says there's more need than ever for what he calls "zero trust" solutions for enterprise cloud security.
How to Combat the ‘Accidental Insider’ in Your Organization (Media & Entertainment Services Alliance) Contending with outside security threats to your organization is challenging, but dealing with the “accidental insider” — an attacker not necessarily moti
Cognitions of a Cybercriminal (Carbon Black) Introducing the Cognitive Attack Loop and the 3 Phases of Cybercriminal Behavior.
Cyber Kill Chain Reimagined: Industry Veteran Proposes "Cognitive Attack Loop" (SecurityWeek) Tom Kellermann argues that defenders need to recognize the new reality and to start thinking about a modern persistent cognitive attack loop rather than a linear attack chain.
Hunting Threats on Twitter: How Social Media can be Used to Gather Actionable Threat Intelligence (Trend Micro) Social media is a content-rich platform many enterprises use, but how can InfoSec professionals and security teams use it to gather threat intelligence that they can use to protect their organizations?
Essential Guide to Business Email Compromise (Area 1 Security) A BEC phish doesn’t attack an actual email account; it merely spoofs an identity. This is enough to get past email authentication defenses such as DMARC.
Assessing the efficiency of phishing filters employed by email service providers (Help Net Security) Technology companies could be doing much more to improve phishing detection and protect individuals and organizations from phishing scams.
Surge teams help integrate NASA mission cyber priorities with CDM (Federal News Network) NASA’s Willie Crenshaw said teams of employees are educating mission areas about the cyber initiative and learning about new priorities.
Lessons from Special Operations Command: Cyber training for the multidomain force (C4ISRNET) Cyber Command needs to support efforts to encourage interoperability between their cyber mission forces and conventional war fighters through its training processes.
12 Global Data Protection Trends Keeping CEOs More Secure (Protegrity) As cybersecurity breaches increase in frequency and severity year on year, CEOs could soon serve prison terms if an employee from his or her
Research and Development
How MIT's Fiat Cryptography might make the web more secure (CSO Online) By automating the writing of cryptographic algorithms, Fiat Cryptography can remove errors, produce more secure code, and boost performance.
Cryptographic ICE Cube tests orbital cybersecurity protocols aboard the ISS (TechCrunch) Encryption in space can be tricky. Even if you do everything right, a cosmic ray might come along and flip a bit, sabotaging the whole secure protocol. If you can't radiation-harden the computer, what can you do? European Space Agency researchers are testing two solutions right now in an experiment…
US Defense Department to Employ Blockchain for Communications and Monitoring (AllStocks Network) The research arm of the United States Department of Defense (DoD) revealed on Monday that it is currently exploring blockchain technology for some security
‘Emotion detection’ AI is a $20 billion industry. New research says it can’t do what it claims. (Washington Post) Artificial intelligence advanced by such companies as IBM and Microsoft is still no match for humans.
Academia
Cyber Security Services and Academy (Evolve Security) Evolve Security is a dedicated cyber security services firm that focuses on delivering real and measurable improvements to corporate security posture. Evolve Security provides Application Security, Penetration Testing, and a Security Training Academy that is world ranked.
Quick Take: UNLV Earns Federal Designation for Cyber Defense Education (University of Nevada, Las Vegas) Engineering professor Juyeon Jo on what it means, and how it’s helping UNLV researchers and educators stay a step ahead in booming field.
Iowa State’s information assurance program ranked in top five (Iowa State University College of Engineering) Iowa State University’s information assurance program, led by University Professor Doug Jacobson and hosted by the Department of Electrical and Computer Engineering (ECpE), has been ranked as one of the nation’s top Master’s in Information Assurance and Security degree programs on TheBestSchools.org for 2019.
Legislation, Policy, and Regulation
From the iPhone to Huawei: The new geopolitics of technology (Brookings) Instead of a “clash of civilizations,” we could be in for a “clash of automations.”
Cold War in Cyberspace (Transitions Online) Western military hackers have penetrated Russian targets, from tech giants to the nationwide power grid, reports say.
4 tasks facing the next director of intelligence (C4ISRNET) The Intelligence Authorization Act lays out several priorities Congress has for whoever replaces Dan Coats as director of national intelligence.
How the Army will approach cyber 10 years from now (Fifth Domain) The Army Cyber Institute looks at what may be major cyber issues in the future.
Here’s how AG Barr is going to get encryption 'backdoors' (Engadget) AG Barr: Tech companies must make encryption backdoors
What it means to live in a surveillance society (The Daily Star) “If you said pre-2013...that the most private moments of your lives were being watched and recorded...people would call you a conspiracy theorist.” – Edward Snowden
Rand Paul says Trump intel pick has 'worrisome' record on surveillance (TheHill) Sen. Rand Paul (R-Ky.) on Wednesday expressed misgivings about President Trump’s nominee to serve as director of national intelligence, Rep. John Ratcliffe (R-Texas), calling his record on surveillance “very worrisome.”
Navy nominee vows his ‘full attention’ to cybersecurity (Fifth Domain) Vice Adm. Michael Gilday told senators he wants to improve partnerships with small companies, among other priorities.
Can agency cyber evaluations be improved? (Federal Times) Some agency CIOs think the FITARA scorecard isn't grading their cybersecurity posture fairly.
Litigation, Investigation, and Law Enforcement
The US military spent $33 million on tech known to be vulnerable to Chinese cyberespionage (Quartz) The list includes computers banned for use by State Department employees since 2006.
Cisco to pay $8.6 million fine for selling government hackable surveillance technology (Washington Post) The company allegedly did not fix the security weakness despite four years of warnings.
Cisco whistleblower gets first False Claims payout over cybersecurity (Reuters) Cisco Systems Inc has agreed to settle a whistleblower’s claim that it improperl...
Second Circuit Affirms Dismissal of Suit Against Facebook Over Hamas Attacks (New York Law Journal) The litigation was brought by a series of people who were either victims of attacks by Hamas and its supporters in Israel, or represented the estate of someone killed in an attack.
Perspective | The stubborn, misguided myth that Internet platforms must be ‘neutral’ (Washington Post) Critics claim that the law requires sites like Facebook and Twitter to be politically neutral. That’s not what the law says — if it did, no one would like the results.
Everything Cops Say About Amazon's Ring Is Scripted or Approved by Ring (Gizmodo) Amazon’s home security company Ring has garnered enormous control over the ways in which its law enforcement partners are allowed to portray its products, going as far as to review and even author statements attributed to police in the press, according to emails and documents obtained by Gizmodo.
Trump orders Navy to rescind awards given to prosecutors who lost case against Eddie Gallagher (Task & Purpose) President Donald Trump is ordering the Secretary of the Navy and Chief of Naval Operations to rescind awards given to prosecutors who were "ridiculously" awarded Navy Achievement Medals after losing the case against former SEAL Chief Eddie Gallagher
Equifax breach settlement: You're not getting that $125. Here's why. (USA TODAY) Equifax told consumers it can't pay the full $125 to those who filed a claim instead of taking the free credit monitoring.