Cyber Attacks, Threats, and Vulnerabilities
Spammers exploit open redirects on US government websites (Naked Security) Would you trust a URL which ends with .gov? US government websites have been left with egg on their faces, after spammers exploited sloppily coded redirect logic to send gullible internet users to "make money fast" websites
Mobile Privacy Apps Can Also Be Used for Spying, Experts Warn (Softpedia) Smartphone users have a lot of options when it comes to protecting their privacy. They can utilize all sorts of applications that can hide conversations, SMS messages and other incriminatory evidence which in many cases can represent the cause of conflict between spouses and business partners. However, many of these apps can be utilized not only for protection, but also for spying on others
Wrong response to zero day attacks exposes serious risks (Infosec Island) Recent revelations in the Flame case raise the question of the efficiency of "zero day vulnerabilities", software bugs that hackers exploit to evade the security defenses of target systems. The real problem when we talk about zero-days is the length of the period during which hackers exploit the vulnerability before the worldwide security community responds by applying the needed countermeasures. I desire to share with you the results of an interesting study by a couple of researchers, Leyla Bilge and Tudor Dumitras from Symantec Research Labs, titled "Before We Knew It…An Empirical Study of Zero-Day Attacks In The Real World"
How Hotmail lets down its users security-wise compared to Gmail and Yahoo (Naked Security) Hotmail lets down its over 350 million users when it comes to security, by not giving them an easy way to tell if their account has been accessed by unauthorised third parties
HackRF Jawbreaker Could Bring Low-Cost Wireless Hacking to the Masses (Threatpost) Generations of hobbyist hardware hackers have spent countless hours messing with piles of radio gear, happily tinkering away in garages and basements looking for new ways to connect to people around the world. Now, a researcher has put together a new radio called HackRF that is a kind of all-in-one hacker's dream with functionality to intercept and reverse-engineer traffic
Report: Service Offers Cheap Access to Hacked Servers (Threatpost) An online service that sells fairly cheap access to compromised corporate machines creates a pay-to-play scenario for criminals seeking access to the networks of high-profile organizations, according to a Krebs on Security report
Cisco machine gets listed by blackhat org that rents out hacked PCs (Ars Technica) PC with poor RDP password—username, password: "Cisco"—one of 17,000 available to rent
FireHost Q3 Web Application Report -- XSS Attacks Lead Pack As Most Frequent Attack Type (Dark Reading) FireHost categorizes four attack types, in particular, as representing the most serious threat. Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole
Increase in drive-by attacks and infected emails (Help Net Security) In August and September 2012, the research team from Eleven, a German email security provider, recorded a significant increase in malware sent via email.
Trend Micro's Q3 threat report: Mobile malware surged from 30K to 175K (ZDNet) Bottom line: Trend Micro reps said the reality of the number of cyber threats over the last quarter has far surpassed the estimations of "even the world's most renowned threat technologists." Specifically, Trend Micro said that malware targeting
North Korea Improves Cyber Warfare Capacity, U.S. Says (Bloomberg.com) North Korea's government has a significant cyber warfare capability that it continues to improve, the top U.S. commander on the Korean peninsula said
Security Patches, Mitigations, and Software Updates
Researcher Develops Patch for Java Zero-Day, Puts Pressure on Oracle to Deliver its Fix (Threatpost) A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would
Cyber Trends
Over half of Brits have fallen victim to cyber crime, but most haven't changed their online behaviour (Naked Security) One in five Brits are too embarrassed to report cyber crime, or even tell anyone. 56% of adults in the UK have suffered from cyber crime, according to a recent survey by getsafeonline.org. But that doesn't seem to have changed their online behaviour, with nearly three quarters of them not having changed the way they use the internet
A Stuxnet Future? Yes, Offensive Cyber-Warfare is Already Here (ISN) As US Secretary of Defense Leon Panetta warned in front of the Senate Armed Services Committee in June 2011: "the next Pearl Harbor we confront could very well be a cyber-attack that cripples our power systems, our grid, our security systems, our
Mobile operators spending big on DPI (Mobile Europe) The service provider deep packet inspection (DPI) market is forecast by Infonetics Research to grow at a 34% compound annual growth rate from 2011 to 2016, driven by the increased use of DPI in wireless networks
Privacy worries impeding the cloud (CenterBeam) Neal Ziring, the National Security Agency's technical director of the Information Assurance Directorate, told Network World that awareness is key. Employees and officials must know the practice and policy of business security at all times to keep
Smartphones Not Required – Mobile Money On Feature Phones Is Hot In Emerging Markets (TechCrunch) Mobile money is a big deal in emerging markets. When a farmer can simply SMS payment for a cow or two people can transact business by swapping airtime, that changes the entire dynamics of an economy. So it's little surprise that some research just out today indicates how big the market is going to be. And it's all done on plain old feature phones
The mobile payments experiment: Can you go one month without a wallet? (IT World) Wired's Christina Bonnington spent a brave month living off an iPhone 5 and a Galaxy Nexus, no plastic or cash allowed. Here's what we learned from her experience
Mobile payments: A solution in search of a problem? (CNet) There's been a lot of hype around mobile payments over the past year, but the No. 1 problem that the mobile payments market faces is adoption. Consumers simply don't see a reason to replace their cash or plastic with a phone. And yet one company after another is clamoring to get into the market
Mikko Hypponen: Stuxnet and Flame Are Like James Bond (Softpedia) F-Secure's Chief Research Officer Mikko Hypponen has had an interesting interview with Dutch website Tweakers on topics such as digital wars and cybercrime. In the interview, the expert shares some insight not only on cyber wars, but also on the actors that run them. The computer security field keeps changing
Marketplace
IDF tech geniuses move from the keyboard to the battlefield (Haaretz) An IDF course for cyber-defense in…to develop Israeli high-tech giants like Check Point Software Technologies
Why Nigeria needs greater online security awareness – CheckPoint exec (BusinessDay) With Nigeria's business community exposed to sophisticated cyber attacks due…Justice Anyai, technical manager for Check Point Software Technologies in
No plan to license third UAE telecoms company (Emirates 24/7) Phone tariffs of Etisalat, du reasonable: TRA. The idea of launching a third company to provide telecommunications services in the UAE is not on the table, said Majid Sultan Al Mesmar, Deputy Director-General of the Telecom Regulatory Authority (TRA)
Report: Over Half of Job Losses Due to Sequestration Would Come From Small Businesses (ExecutiveBiz) If sequestration occurs, 52% of all job losses will come from small businesses, a study previously covered on ExecutiveBiz has forecast. A KansasCity.com article details the struggles of a number of small business owners suffering from recession, and dreading the thought of lost federal business while highlighting aspects of that study
Phone Becomes Mobile Device Of Choice For U.S. Immigration And Customs Enforcement (TechCrunch) The U.S. Immigration & Customs Enforcement (ICE) office, part of the Department of Homeland Security, recently revealed that it will be adopting iOS devices from a variety of service providers for its 17,676 users. It's a win for Apple in terms of landing a sizeable government client, but also a significant vote of confidence for the overall security of iOS as a mobile platform
Booz Allen to Cease BlackBerry Procurement, Opting to Buy iPhones, Android Smartphones (The New New Internet) Booz Allen Hamilton Inc. will begin providing its 25,000 staff with Apple iPhones or Android-based smartphones in the coming months, Bloomberg announced. The plan will effectively end the consulting firm's partnership with Blackberry maker, Research in Motion Ltd
Dept. of Veterans Affairs spent millions on PC software it couldn't use (Ars Technica) Encryption software mandated after 2006 laptop theft
iEHR aims to be agile and open (Fierce Government IT) Agile techniques have gained importance as the Defense and Veterans Affairs departments try to quickly launch the integrated electronic health record, or iEHR. With more than 100 scrum teams working at once, it's a lot to coordinate, said Barclay Butler, director of the DoD-VA interagency program office
CMS looks to NSTIC for identity management (Fierce Government IT) The Centers for Medicare and Medicaid Services wants to move away from providing credentials and instead leverage the National Strategy for Trusted Identities in Cyberspace, or NSTIC, according to CMS Chief Information Officer Tony Trenkle
DOE labs help CMS manage healthcare data (Fierce Government IT) The Centers for Medicare and Medicaid Services has more data and must facilitate its use with a broader array of partners thanks to initiatives mandated by the Patient Protection and Affordable Care Act (P.L. 111-148). By the end of 2015 Medicare claims data will almost double and Medicaid claims data will triple, "that's not counting the quality and counter data that we have," said CMS Chief Information Officer Tony Trenkle Oct. 18 at the AFCEA Bethesda Health IT Day in Bethesda, Md
After snagging $4.6B contract, Lockheed plans 'cyber kill chain' for Global Information Grid (Defense News) The Defense Department's day-to-day operations are linked in a vast, international in-house data communications network called the Global Information Grid. Seven million people — uniformed members of the armed forces as well as civilians — rely on it to exchange classified and unclassified information on personnel, vehicles, weapons and surveillance systems. Now, in a coup coming in tight economic times, Lockheed Martin has taken over the multibillion-dollar contract to manage and upgrade the system
Mellanox Forms Unit To Boost U.S. Government Business (Investor's Business Daily) Mellanox Technologies (MLNX), a maker of high-speed interconnect products for data centers and computer networks, said Monday that it's created a new unit called Mellanox Federal Systems that will drive business development with all U.S. federal agencies and the federal integrator market
ICF International Wins Contract to Improve DHS State-Urban Fusion Centers (ExecutiveBiz) ICF International has been chosen by the Department of Homeland Security to maintain and improve the agency's fusion centers for state and urban area networks, the company announced today. ICF said the one-year base and four option years contract has a potential value of $18.1 million
Raytheon Closes Wireless Cyber Buy, Looks to Access Emerging Markets (Govconwire) In the company's 11th cybersecurity-related acquisition in the past six years, Raytheon Co. (NYSE: RTN) has bought a South Carolina-based technology developer as it looks to expand its ability to provide defense, intelligence and commercial customers with wireless services. The Waltham, Mass.-based contractor did not disclose the terms of the deal and said it will not affect total sales or earnings per share through its 2013 fiscal year. Teligy Co. specializes in "transitioning prototype and proof of concept cyber products into deployable solutions," according to Raytheon's announcement, and will work to grow Raytheon's wireless, reverse engineering and vulnerability analysis offerings
One-, two-star flag assignments announced (Navy Times) Navy leadership announced the following flag officer assignments today. Rear Adm. (lower half) Sean Filipowski will be assigned as the director of intelligence, J2, U.S. Cyber Command in Fort Meade, Md. He is currently serving as the deputy director of operations, J3, U.S. Cyber Command in Fort Meade
Catapult Appoints Fred Haggard VP, Will Lead Kickstand Integration (Govconwire) Catapult Technology Ltd. has appointed Fred Haggard vice president for technology and management solutions, according to a Washington Technology article. Haggard will report to David Lyons, Catapult's chief technology officer and executive vice president, and is expected to manage the integration of Kickstand into Catapult. Both companies are owned by DC Capital Partners
Products, Services, and Solutions
Army's Anti-IED System Gets A PR Push (Washington Times) The Army has hired private firms to help improve a $2.5 billion intelligence analytical processor used in Afghanistan by troops who have given it poor reviews in identifying the enemy and deadly buried explosives
Analysis of 15 million cyber attacks (Help Net Security) A new web application attack report by FireHost offers an impression of the current internet security climate and provides statistical analysis of 15 million cyber attacks blocked in the US and Europe
First application firewall for Google Apps (Help Net Security) CloudLock launched CloudLock Apps Firewall, which helps enterprises discover, classify and enable trusted third party mobile and web apps that require access to users' Google Apps accounts and data
Verdasys launches Digital Guardian 6.1 (Help Net Security) Verdasys announced Digital Guardian 6.1, an information protection platform that integrates compliance, insider threat prevention and cyber threat prevention. The release also includes an enterprise
Self-configuring UTM security appliance from WatchGuard (Help Net Security) WatchGuard Technologies announced that it is the first UTM security appliance vendor to offer a firewall that configures itself. The company is adding a new cloud-based configuration utility
STARHUB LTD : StarHub Unveils Government Public Cloud Services (4-traders) To stay at the forefront of cloud security, StarHub has joined the Cloud Security Alliance, the world's leading platform for promoting cloud security awareness and practices. StarHub is committed to adopting the best practices for managing and
Sharing But With Privacy In Mind: Mozilla Launches Social API For Firefox, Facebook Messenger First Service To Integrate For Beta Testing (TechCrunch) Interesting development today in the browser wars, with the latest battlefield being who is best positioned to guard users' privacy. Mozilla today announced that it has started to test new social functionality inside its Firefox internet browser — a foray into sharing and social activity, it says, with user privacy in mind. The first service to join the Social API platform for testing is Facebook
Bill Gates: "Windows 8 Is Key To Where Personal Computing Is Going" (TechCrunch) Microsoft co-founder and current chairman Bill Gates recently sat down with the editor of Microsoft's own Next blog Steve Clayton to talk about Windows 8, Windows Phone 8 and the Surface tablet. Unsurprisingly, Gates was pretty upbeat about all of the company's upcoming product and argued that "Windows 8 is key to where personal computing is going"
Welcome To The Beta: Windows 8 Will Succeed, Despite All The FUD (TechCrunch) Microsoft is already screwing it up. Microsoft can't win. Windows 8 is sunk. Seriously: to read the headlines this last week you'd think Microsoft wasn't still one of the premier tech manufacturers in the world. While I would agree that it faces a number of challenges, both from Apple and its own OEM partners, Windows 8 will thud into the landscape with more of a bang and much less of a whimper
Forrester: Windows 8 Will Just "Stop The Shrinking" – Won't Take Hold Until 2014 (TechCrunch) Forrester Research analyst Frank Gillett predicts that Microsoft's Windows 8 will get off to a slow start in 2013, but will take hold in 2014. Windows 8, Gillett argues, will keep Microsoft relevant on the PC, but it will remain "simply a contender in tablets, and a distant third in smartphones." Windows 8, he says, will "simply stop the shrinking," but it won't be a fix
For Business, Windows 8 Can Wait (Wired Business) While it remains to be seen whether consumers will be lining up to buy Windows 8, one thing is clear – most businesses, large and small, aren't going to bother
Prolexic Releases Online DDoS Downtime Calculator (Dark Reading) Calculator takes into consideration many DDoS attack variables that affect revenue
WatchGuard Creates Self-Configuring UTM Security Appliance (Dark Reading) RapidDeploy eliminates need for IT security professionals to preconfigure devices or travel to site for installation
Technologies, Techniques, and Standards
Five Habits Of Companies That Catch Insiders (Dark Reading) A survey of 40 companies that have successfully dealt with insider threats shows that the solution is less technology and more psychology
Cyber Security Awareness Month - Day 22: Connectors (Internet Storm Center) Over the years, I have collected quite a number of "standard" connectors/cables and interfaces. This is certainly an area where standards seem to be proliferating quickly. To stick with our theme of security and security awareness, I would like to focus on a couple of popular standards and particularly outline security aspects of the standard. First of all, pretty much all peripherals connected to a system require drivers to interact with the device. These device drivers are frequently part of the kernel, and a vulnerability in the device driver will lead to a system compromise. I don't think the full potential of this class of vulnerabilities has been realized yet, but there have certainly been some notable exploits that were based on these vulnerabilities. Even simple devices like VGA monitors do send some data to the system, and could potentially be used to exploit vulnerabilities (I am not aware of a VGA vulnerability)
Why Patch Management is Vital to Your Business Network Security (Infosec Island) If your business has any IT resources at all and is connected to the Internet, it's not a question of if you will suffer a security incident; it's just a matter of when. Just how bad such an incident will be comes down to your patch management strategy. Patch management is critical in any size company, from the sole proprietorship to the international enterprise, and keeping up with the patching on every single server and workstation on your network is the most effective thing you can do to minimize your exposure to the threats facing your network
5 Ways to Make Your Browser More Secure (eSecurity Planet) Installing antivirus software is a good starting point for protecting data while surfing the Web -- but it's only a start. Here are five ways to make browsing sessions more secure. While installing antivirus software is a good start to safe Internet browsing, it's only a start. There is much more you can do to help protect yourself when browsing the Web than merely installing antivirus
How much do you know on search engines? Quis Custodiet Ipsos Custodes? (SecurityAffairs) Every day billions of people submit an unimaginable number of queries through Internet search engines. These powerful instruments have profoundly changed users' perception of web content. Before search engine popularity, web portals, like DMOZ Open Directory Project
Design and Innovation
Dust Off That Science: Marblar Wants To Bring The Crowd To Tech Transfer (And Change The World) (TechCrunch) A few months back, I was pitched over Skype by the CEO and co-founder of a startup building a platform that was going to realise the "true potential" of science. "Okay," I said, "but have you got anything you can actually show me?" "Not yet but I still think TechCrunch readers will want to hear about us," he replied, before proceeding to tell me how to do my job
Academia
Auditor General Jack Wagner to Speak at Pittsburgh Safe Schools Conference (Sacramento Bee) Wednesday's interactive teleconference will focus on anti-bullying awareness and new developments in cyber security. Participants will include the FBI, WQED multimedia, documentary film producers, and the Department of Homeland Security. The event will
In Recognition Of Its Efforts In Fighting Cybercrime, Facebook Donates $250,000 To University Of Alabama Using Money Acquired From Spammers (TechCrunch) Facebook has donated $250,000 to the Center for Information Assurance and Joint Forensics Research at the University of Alabama at Birmingham, in recognition of its efforts in tracking down the creators of the social media botnet Koobface and other spammers. The donation, in fact, comes from money Facebook recovered from spammers around the world. The center says it will be using the grant to
Legislation, Policy, and Regulation
Possible 'Patch' For Policy On Protecting Government Agency Systems (Dark Reading) CSIS report due tomorrow will recommend revising a longtime OMB policy with 'continuous monitoring' of government systems and networks
Dutch government to let law enforcement hack foreign computers (ComputerWorldUk) The Dutch government wants to give law enforcement authorities the power to hack into computers, including those located in other countries, for the purpose of discovering and gathering evidence during cybercrime investigations. In a letter that was sent to the lower house of the Dutch parliament last week, the Dutch Minister of Security and Justice Ivo Opstelten outlined the government's plan to draft a bill in upcoming months that would provide law enforcement authorities with new investigative powers on the internet
Japan & India strengthen cyber-security cooperation (Infosecurity Magazine) During a meeting to exchange views on regional and international security, including maritime, cyber and outer-space security, India and Japan have agreed to kick off the India-Japan Cyber Security Dialogue, starting with an early meeting in the coming
Retired OMB IT Chiefs Urge Federal Cyber Policy Rewrite (Nextgov) Veteran White House information technology leaders going back to the Nixon administration on Tuesday are expected to press the Obama administration to overhaul federal cybersecurity policy now, without legislation, according to a report reviewed by Nextgov
GOP Legislators Question HITECH Merits - Senators Demand Meeting With Regulators (Government Information Security) Four Republican senators have joined four congressmen in questioning the value of the HITECH Act's electronic health record incentive program, which is providing billions to hospitals and physicians who make meaningful use of EHRs. For example, they question whether EHRs enable billing fraud and if the program's requirements for interoperability and secure data exchange are tough enough. Senators Tom Coburn, R-Okla., John Thune, R-S.D., Richard Burr, R-N.C., and Pat Roberts, R-Kan., are requesting that officials at the Department of Health and Human Services meet by Oct. 26 with the Senate Finance Committee and the Senate Health, Education, Labor and Pension Committee to address their concerns
SASC report too blunt an instrument to address Accumulo (Fierce Government IT) Language in the Senate Armed Services Committee's fiscal 2013 national defense authorization bill report regarding Defense Department utilization of an open source NoSQL database may have unintended bad side effects
Litigation, Investigation, and Law Enforcement
Online Analytics Firm Settles Suit Over Unstoppable User Tracking (Wired Threat Level) KISSmetrics, an online analytics company, agreed to pay more than $500,000 to lawyers to settle accusations that its sneaky tracking technologies violated hacking laws. The two users who sued get $5,000
Huawei gear is secure, say U.S. network service providers (Computer World) Responding to a congressional report warning U.S. businesses not to buy equipment from Huawei Technologies or ZTE, three U.S.-based telecommunications companies that use Huawei products said they take strong precautions to safeguard their networks. The report, by the House Permanent Select Committee on Intelligence, said the possibility that the two Chinese companies have ties to the Chinese government raises the prospect that China is using their gear to conduct electronic espionage. After the report was issued, three Huawei customers -- Clearwire, Cricket Communications and Level 3 Communications -- defended their choices
Mirror Group faces allegations of phone hacking (Telegraph) The claims relate to Mirror Group Newspapers, which also publishes the Sunday People and the Sunday Mirror. Mr Eriksson's claim is believed to relate to the Daily Mirror during a period when Piers Morgan was editor. Mr Morgan has repeatedly denied any role in phone hacking
Will the Apocalypse Arrive Online? (Huffington Post) How Fear of Cyber Attack Could Take Down Your Liberties and the Constitution. First the financial system collapses and it's impossible to access one's money. Then the power and water systems stop functioning. Within days, society has begun to break down. In the cities, mothers and fathers roam the streets, foraging for food. The country finds itself fractured and fragmented -- hardly recognizable
Former CIA officer in leaks case expected to plead guilty to a single charge (Washington Post) Experts on leaks crimes said the government will probably regard a plea from Kiriakou as a significant victory given the collapse of previous leaks cases, including the attempted prosecution of a former National Security Agency executive, Thomas Drake
A Mixed Message for National Security Whistleblowers (Huffington Post) While an official at the National Security Agency, Drake became concerned that the agency's use of a computer program to search through Americans' electronic communications was wasteful and illegal. He scrupulously followed official whistleblowing
Microsoft concludes Russian programmer didn't operate Kelihos botnet (Help Net Security) Following the settling of the Nitol botnet lawsuit earlier this month, Microsoft has announced on Friday that it has reached a settlement with Russian software programmer Andrey N. Sabelnikov, who was