Cyber Attacks, Threats, and Vulnerabilities
OceanLotus adopts public exploit code to abuse Microsoft Office software (ZDNet) APT32 is using a public exploit to abuse Office and compromise targeted systems.
Doomed Boeing Jets Lacked 2 Safety Features That Company Sold Only as Extras (NYTimes) Airlines had to pay more for two optional upgrades that could warn pilots about sensor malfunctions. Boeing now plans to make one of the features standard.
MyPillow, AmeriSleep websites were hit with hacks stealing credit card data (CNET) It’s a bed breach and beyond.
EU leaders to warn of cyber, fake news threat to May elections (Reuters) European Union leaders will sound the alarm this week over the threat of EU elec...
Cyberattacks: Europe gets ready to face crippling online assaults (ZDNet) Massive cyberattacks with real-world consequences are no longer unthinkable. Time to get prepared, says Europe.
Cyber Threats Are Emerging Faster Than DHS Can Address Them, Secretary Says (Nextgov.com) The agency needs industry to help it “innovate while under attack,” according to Kirstjen Nielsen.
Cyber-espionage warning: Russian hacking groups step up attacks ahead of European elections (ZDNet) Researchers at FireEye say Kremlin-backed hacking operations are attempting to target governments, media and political parties as elections approach.
Russian hackers are targeting European governments ahead of May election, cybersecurity firm says (CNBC) The findings are likely to fuel worries over the possibility that Russia may influence upcoming EU elections.
Immortal information stealer (Zscaler) Zscaler security research team came across new information-stealer malware called "Immortal" which is written in .NET and designed to steal sensitive information. In this blog, we provide an analysis of the data Immortal steals from browsers, the files it steals and what it does with the stolen data.
Researchers fret over Netflix interactive TV traffic snooping (Naked Security) No sooner has Netflix made an interactive TV show than people are already pulling apart its privacy implications.
Netanyahu says Iran has 'sensitive information' on rival, Tehran... (Reuters) Israeli Prime Minister Benjamin Netanyahu alleged on Wednesday that Iran could b...
Semmle Discovers Denial of Service (DoS) Vulnerability in Facebook Fizz (Semmle) Semmle announced today that it has found a critical denial of service (DoS) vulnerability in the Fizz project, Facebook’s open source implementation of the transport layer security (TLS) protocol.
Group-IB: hackers hit hard SEA and Singapore in 2018 (OODA Loop) Group-IB has released a new study that analyzes cybercrime activity in Southeast Asia, which the company describes as "one of the most actively attacked regions in the world." Last year, a total of 21 state-backed
Researchers Use UPnP Protocol to Unmask IPv6 Address (SecurityWeek) Security researchers were able to leverage properties of the Universal Plug and Play (UPnP) protocol to unmask the IPv6 address of specific IPv4 hosts.
Years-Long Phishing Campaign Targets Saudi Gov Agencies (Threatpost) The campaign, codenamed “Bad Tidings,” has sought out victims’ credentials with clever fake landing pages pretending to be the Saudi Arabian Ministry of Interior’s e-Service portal.
An Android Vulnerability Went Unfixed for Over Five Years (WIRED) Older Android devices—of which there are over 100 million still in use—will remain exposed.
Are you the weakest link in your own cybersecurity? Don’t take a quiz to find out. (Lexington Herald Leader) Social engineering lets cyber attacks use your own nature against you. Take a breath if you get a demand for info or money right now.
Man steals stingray, threatens to leak nudes (SC Media) In a twisted tale of cyberbullying and theft, a man in Singapore was jailed after stealing a stingray and later threatening to leak his ex-girlfriend's nude photos.
Rutland Regional Medical Center, Zoll reveal data breaches (SC Media) Two healthcare organizations suffered data breaches due to their email service resulting in more than 72,000 records being exposed.
Trickbot via fake Efax message using Squiblydoo, Active X, macro and abusing pastebin (My Online Security) We are seeing massive changes with the Trickbot delivery campaign overnight. I have only seen 1 mention on Twitter about this campaign and 1 on a private malware research mailing list, so it can’t be…
Hackers Exploit Urgency, Personalization in Phishing Attacks (HealthITSecurity) Barracuda research finds that 70 percent of phishing emails attempt to establish rapport or a sense of urgency with victims, with more than a third of attacks using the subject line "Request."
Global threat group Fin7 returns with new SQLRat malware (ZDNet) Previously unseen malware and a new admin panel have been tied to the notorious group.
FIN7 Revisited: Inside Astra Panel and SQLRat Malware (Flashpoint) Despite the arrests of three prominent members of the FIN7 cybercrime gang beginning in January 2018, attacks targeting businesses and customer payment card information did not cease.
Could OpenAI's 'too dangerous to release' language model be used to mimic you online? Yes, says this chap: I built a bot to prove it (Register) Facebook convos used to train chat dopey doppelganger
1,600 Hotel Guests Secretly Live Streamed to 4,000+ Subscribers (BleepingComputer) Four individuals from South Korea were detained for secretly recording, live streaming, and selling spycam videos of 1600 motel guests between November 24 and March 2, with two of them being arrested and facing a maximum of five years in jail.
Google Photos Bug Exposed the Location & Time of Your Pictures (BleepingComputer) A vulnerability in the web version of Google Photos allowed websites to learn a user's location history based on the images they stored in the account.
Trump Is Right About Huawei (Slate Magazine) Unfortunately, no one will take him seriously.
Security Patches, Mitigations, and Software Updates
'Critical' Denial-of-Service Bug Patched in Facebook Fizz (Dark Reading) Researchers report a now-patched DoS vulnerability in Facebook Fizz, its open source implementation of the TLS protocol.
Mozilla's latest Firefox releases fix 22 vulnerabilities (SC Media) The Mozilla Foundation yesterday issued version 66 of Firefox and 60.6 of Firefox ESR, patching 22 vulnerabilities between them, five of them critical.
11 security patches released in CUJO Smart Firewall platform (SC Media) Cisco Talos researchers discovered 11 vulnerabilities in the CUJO Smart Firewall platform.
KB4493132 Update Notifies Windows 7 Users of End of Support Date (BleepingComputer) A new Windows 7 update called KB4493132 has been released and is used to display notifications that remind users that Windows 7 will reach its end of life starting on January 14th, 2020. These notifications contain a link that goes to a Microsoft page suggesting that users upgrade to Windows 10.
Cyber Trends
Trends in regulation, sector by sector. (The CyberWire) Iliana Peters, the former acting deputy director for health privacy at the Office for Civil Rights (OCR), agreed with Dr. Schneck’s point, made earlier in the day, that compliance doesn’t constitute security, but she believes that “nimble” regulations can be very useful.
The future of cyber in a pervasively connected world. (The CyberWire) John Forte, the Deputy Executive for Johns Hopkins University Applied Physics Laboratory’s Homeland Protection Mission Area, said that the role of the CISO will have to evolve in order to address the changing landscape of increasingly interconnected devices. He points to transportation, healthcare, buildings and cities, education, public safety as examples of sectors that are growing increasingly automated.
Marketplace
Canada’s cybersecurity firms keep turning to the U.S. for funding, leaving us without a homegrown leader (Financial Post) Innovation Nation: Securing funding here is challenging, so executives end up looking outward, which could leave Canada vulnerable in a cyber attack
Despite U.S. Pressure, Germany Refuses To Exclude Huawei's 5G Technology (NPR) The U.S. says it may stop sharing intelligence with Germany if it adopts Chinese firm Huawei's 5G technology. But the threats haven't swayed Germany, which says it can set its own security standards.
Forcepoint to Expand Cybersecurity and Cross Domain Technology Support with the FBI (PR Newswire) Global cybersecurity leader Forcepoint today announced the award of a 5-year Blanket Purchase Agreement (BPA) with the Federal Bureau of Investigation (FBI) which will greatly streamline acquisition and delivery of new Cybersecurity and Cross Domain Solutions capabilities.
The Battle for Cybersecurity Talent Must Include Retention Emphasis (Infosecurity Magazine) As companies compete over valuable cybersecurity professionals, retention becomes difficult
AT&T CEO says China's Huawei hinders carriers from shifting suppliers for 5G (Reuters) AT&T Inc Chief Executive Randall Stephenson said Wednesday that China’s Huawei Technologies Co Ltd is making it very difficult for European carriers to drop the company from its supply chain for next-generation 5G wireless service.
Google bans VPN ads in China (ZDNet) Google cites "local legal restrictions" as the cause for its Chinese VPN ads ban.
Nationally Recognized Global Privacy and Cybersecurity Partner Kristen (Virtual-Strategy Magazine) Morrison & Foerster, a leading global law firm, is pleased to announce that Kristen Mathews has joined the firm in the New York office as a partner.
Products, Services, and Solutions
GDPR PII exposure can now be securely reported via Open Bug Bounty (OpenBugBounty Blog) Open Bug Bounty community is growing: we have over 400 [fee free] bug bounty programs running now, and over 300,000 fixed security vulnerabilities. To facilitate further sustainable growth and to help website owners spot accidental exposure of personal data (PII) on their websites in a timely manner, we implemented a new type of non-intrusive submission – GDPR PII Exposure.
Microsoft Defender comes to the Mac (TechCrunch) Microsoft today announced that it is bringing its Microsoft Defender Advanced Threat Protection (ATP) to the Mac. Previously, this was a Windows solution for protecting the machines of Microsoft 365 subscribers and assets the IT admins that try to keep them safe. It was also previously called Windo…
New Kaspersky Endpoint Security provides better and automatic anomaly detection (Tempo) Kaspersky Lab has unveiled the next generation of its endpoint protection with new Kaspersky Endpoint Security for Business.
HP unveils AI-powered malware blocker Sure Sense (CRN Australia) As vendor expands scope of security software.
eCurrency Chooses nCipher to Accelerate Its Central Bank Digital Currency (CBDC) Solution (Business Wire) nCipher Security, the provider of trust, integrity and control for business critical information and applications, announces eCurrency is using nCiphe
Don't get the pitchforks yet, Apple devs: macOS third-party application clampdown probably not as bad as rumored (Register) The v10.15 will bring tighter security, the escape hatch should remain open for now
Flashpoint Introduces Innovative Approach for Use Case-Driven Intelligence (Flashpoint) Flashpoint introduces a new use-case driven approach to our packaged solutions that allows organizations to more effectively consume and automate threat intelligence. These offerings support traditional cybersecurity and operations use cases, as well as fraud, insider threat, corporate security, and third-party risk.
Technologies, Techniques, and Standards
NIST pushes new encryption protocols for quantum, connected devices (FCW) The National Institute of Standards and Technology is inching closer to developing two new encryption standards to protect the federal government from new and emerging cybersecurity threats.
Toward a Framework for Misinformation Campaigns (Decipher) Researchers are developing a framework to analyze and describe misinformation campaigns, similar to the MITRE ATT&CK framework.
How to audit Windows Task Scheduler for cyber-attack activity (CSO Online) Two recently discovered Windows zero-day attacks underscore the importance of monitoring for unauthorized tasks.
Building a cybersecurity program with the NIST Cybersecurity Framework and CIS 20 Critical Security Controls. (The CyberWire) Many organizations lack a cybersecurity framework or standards to follow. Their security strategies are often outdated, if they have a strategy at all. They also struggle with due diligence programs for third-party vendors.
AT&T, Comcast successfully test SHAKEN/STIR protocol for fighting robocalls (ZDNet) AT&T and Comcast successfully test first SHAKEN/STIR-authenticated call between two different networks.
Research and Development
Monash Uni claims reputation-based blockchain capable of defending itself (ZDNet) The miner has their 'reputation' lowered to prevent malicious activity, the university says.
Legislation, Policy, and Regulation
How the White House just boosted America’s AI focus (Federal Times) The Trump administration is highlighting artificial intelligence as a top priority for government innovation efforts.
Here’s how DoD will invest in the cyber mission (Fifth Domain) Budget documents reveal plans for cyberwarrior training and operations platforms.
The Air Force wants to start a new $35M offensive cyber program (Fifth Domain) The project will support the Air Force's portion of Cyber Command's cyber teams.
Deputy first minister flags up importance of Scottish cyber resilience (PublicTechnology.net) Scottish deputy first minister John Swinney says the threat of a category one cyberattack is one of the few things capable of keeping him awake at night. Swinney, who has responsibility for Scotland’s cybersecurity, has good reason to be worried, with the head of the UK’s National Cyber Security Centre warning that a major cyberattack on the UK is almost inevitable.
The case for cyber regulation. (The CyberWire) Bob Anderson, former FBI Executive Assistant Director of the Criminal, Cyber, Response, and Services Branch, focused on the issue of encryption, explaining that the government needs to partner with the private sector to enforce the law while still ensuring the safety of citizens’ data.
The regulatory playing field. (The CyberWire) Dr. Phyllis Schneck, Managing Director of the Global Cyber Solutions practice at Promontory Financial Group, said that businesses need to focus on operational resilience rather than making compliance their only goal. “Compliance with regulation is not security,” Schneck said. While regulations can be a good start, they usually aren’t enough.
Russia doubles down on censorship with new 'fake news' and 'internet insults' law (Private Internet Access Blog) The Russian government has passed a new censorship law that allows it to target individuals and websites for such nondescript crimes as spreading “fake news” and “disrespecting” state symbols of figures – including Vladimir Putin. Specifically, Russia will be able to punish any person or site that “exhibits blatant disrespect for the society, government, official …
Nation-States Have Right to Hack Back, Survey Says (Infosecurity Magazine) Security professionals believe we are in the middle of cyber-war, according to Venafi survey.
Allowing Companies to Hack Back: Good Security or Vigilante Justice? (Information Technology & Innovation Foundation) Please join ITIF for a panel discussion on the viability and consequences of authorizing companies to “hack back” by allowing them to monitor attackers, disrupt ongoing attacks, and destroy stolen data.
Medical Device Risk Extends to Network, Apps, CHIME tells FDA (HealthITSecurity) CHIME tells the FDA that it should expand its definition of medical devices to include its full risk, such as the network, firewalls, apps, and other parts of the health IT ecosystem.
Inside GAO’s Plan to Make Congress More Tech-Savvy (Nextgov.com) The new Science and Technology Assessment and Analytics group aims to prep lawmakers for big decisions on artificial intelligence, privacy and 5G.
Our Skyborg (actual US govt program) will be just like IBM Watson, beams Air Force bod (Register) No joke, that's what they've genuinely named a 'fighter-like' military drone project
Tech Giants Will Brief Lawmakers on the Spread of Terrorist Content Online (Nextgov.com) Facebook, YouTube, Twitter and Microsoft will be asked about how the New Zealand shooter’s video spread so quickly.
How Is the EU’s Data Privacy Regulation Doing So Far? (Slate Magazine) It’s been almost a year since the GDPR went into effect. It’s been very successful in one regard, but largely failed in another.
White House Launches AI.gov (Nextgov.com) All of the federal government’s initiatives and resources around artificial intelligence can be accessed under one top-level domain.
Litigation, Investigation, and Law Enforcement
Cyber Crime Competes Against the Good Guys for Talent (TechNative) Cyber crime continues to stay one step ahead of cyber security practitioners, which has continued to give criminals the advantage in cyberspace.
She seemed like a normal Web-savvy teen. She was actually waging ‘e-jihad’ with ISIS hackers. (Washington Post) A recently filed criminal indictment offers a surprising snapshot of the Islamic State’s online “e-jihad” operation.
The Cybersecurity 202: Michael Cohen investigators relied on controversial cell-tracking device (Washington Post) The devices called Stingrays can collect information from any phone in a broad area.
FBI Sought to Use Michael Cohen’s Fingerprints and Face to Unlock Apple Devices (Slate Magazine) We’ve reached the biometrics stage of the Cohen case.
Neo-Nazis Bet Big on Bitcoin (And Lost) (Foreign Policy) How the far-right's failed cryptocurrency gamble became a bad joke for the Christchurch killer.
The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018 (Security Intelligence) In 2018, IBM X-Force researchers observed organized cybercrime groups collaborating, rather than competing over turf or even attacking each other, for the first time.
UK regulator focuses on GDPR challenges faced by the adtech industry (cyber/data/privacy insights) On 6 March 2019, the UK data protection regulator, the Information Commissioner’s Office (ICO) convened an adtech fact-finding forum of industry stakeholders, aimed at developing its understanding …
FBI joining criminal investigation into certification of Boeing 737 MAX (The Seattle Times) The FBI is assisting a federal grand jury investigation, based in Washington, D.C., that is looking into the certification process that approved the safety of the new Boeing plane, two of which have crashed since October.
Lithuanian pleads guilty in U.S. to massive fraud against Google, Facebook (Reuters) A Lithuanian man on Wednesday pleaded guilty to U.S. charges that he helped orchestrate a scheme to defraud Facebook Inc and Alphabet Inc’s Google out of more than $100 million, federal prosecutors announced.
Lithuanian man pleads guilty to scamming Google and Facebook out of $123 million (ZDNet) Man posed as hardware vendor to trick Google and Facebook into sending payments to his bank accounts.
McAfee – the completely sane guy, not the biz – told to fork out $25m after 'torture, murder' of his Belize neighbor (Register) Good luck, says antivirus wildchild, I have no assets
New Zealand cops cuff alleged jackasses who shared mosque murder video, messages online (Register) Calls for global action against white nationalism and tech giants that spread its message