Cyber Attacks, Threats, and Vulnerabilities
Syrian Electronic Army hacks Online Newspaper The Daily Dot, removes article (HackRead) The Syrian Electronic Army has hacked into the official website of the online newspaper The Daily Dot and removed an article related to their latest hack of the mobile messaging service Tango.me. Background: On 22nd July 2013, Curt Hopkins of The Daily Dot had posted an article along with a caricature of Syrian President Bashar al-Assad. The hackers then asked the newspaper to remove the image making fun of
Tango down! Chat app millions ransacked by pro-Assad hacktivists (The Register) And handed straight to the Syrian govt, we're told. Hacktivists loyal to Syria's president Bashar al-Assad claim to have extracted 1.5TB of sensitive data from chat app Tango
UAE under Egyptian cyber-attack (The North Africa Post) Officials of United Arab Emirates Telecoms Authority have claimed that they have dealt with a cyber-attack originating from Egypt against government websites. Officials linked the attack to the support rendered by the United Arab Emirates
SIM Card Hack A Wakeup Call (Dark Reading) A researcher has discovered major flaws in some SIM cards that could pave the way for more targeted attacks against mobile device users. Famed encryption researcher Karsten Nohl of Security Research Labs will show at Black Hat USA next week how he was able to hack some SIM cards in mobile phones by cracking the Data Encryption Standard (DES) keys used for over-the-air updates. The vulnerability in the DES authentication, as well as another flaw Nohl found in the cards' virtual machine or sandbox feature, could affect millions of SIM cards
70's Cryptography Causing Security Catastrophe (SiliconANGLE TV) Welcome to NewsDesk on SiliconANGLE TV for Monday July 22, 2013. If your identity has been stolen, your phone may have been an accomplice to the crime. Joining us now to explain more is SiliconANGLE Contributing Editor John Casaretto
Hijacking SIM Cards through Over-the-Air Updates (Symantec) We all know that mobile phones have been the focus of cybercriminals for a while now. But Trojanized mobile applications are only one attack scenario. Some problems lie even deeper in your phone. Karsten Nohl, a German researcher who has done a lot of work with GSM networks and mobile phones in the past, has found a critical vulnerability connected to mobile phones
SIM flaw boosts mobile data container argument (CSO) With 40-year-old encryption find on Subscriber Identity Module cards, researcher says at least 500 million phones may be vulnerable. The discovery of 40-year-old encryption standards in the SIM cards in possibly hundreds of millions of mobile phones bolsters the argument for isolating corporate data in devices
Mobe SIM crypto hijack threatens millions: Here's HOW IT WORKS (The Register) You'll kick yourself when you know how. Analysis A German researcher reckons he can take control of your phone's SIM card and hijack the handset by cracking the encryption on the device. But he's not alone: network operators have long been able to do just that, and a careful look at how that's possible makes the long-standing security of GSM phone networks all the more remarkable
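The four items above all turn on one fact: the over-the-air update checksum on the affected SIMs is keyed with single DES, whose 56 effective key bits are within reach of brute force. The snippets do not spell out the researcher's exact recovery technique, and the example below does not claim to reproduce it. It is an added illustration, not code from any of the articles or from Security Research Labs: it assumes the checksum is a textbook DES CBC-MAC (zero IV, zero padding), uses a constructed message rather than a real 03.48 packet, and hands the attacker the top 40 effective key bits so that the search over the remaining 16 finishes in a fraction of a second. The loop is otherwise the real attack shape: one known (message, MAC) pair and a scan of the key space. The same MAC under three-key 3DES is shown beside it as the drop-in hardened form.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// cbcMAC is a textbook CBC-MAC (zero IV, zero padding to the block size) over msg.
// It stands in for the DES-based checksum carried by an OTA command; that exact
// construction is an assumption of this example, not something taken from the articles.
func cbcMAC(block cipher.Block, msg []byte) []byte {
	bs := block.BlockSize()
	padded := make([]byte, (len(msg)+bs-1)/bs*bs)
	copy(padded, msg)
	mac := make([]byte, bs)
	buf := make([]byte, bs)
	for i := 0; i < len(padded); i += bs {
		for j := 0; j < bs; j++ {
			buf[j] = mac[j] ^ padded[i+j]
		}
		block.Encrypt(mac, buf)
	}
	return mac
}

// desCBCMAC: single DES, 8-byte key, 56 effective key bits.
func desCBCMAC(key, msg []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cbcMAC(block, msg), nil
}

// tripleDESCBCMAC: three-key 3DES, 24-byte key, about 112 effective bits against the
// best known (meet-in-the-middle) attack. The brute-force loop below would need on
// the order of 2^56 times more work per key, which takes it out of reach.
func tripleDESCBCMAC(key, msg []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	return cbcMAC(block, msg), nil
}

// expand56 spreads a 56-bit effective key over 8 key bytes, leaving bit 0 of each
// byte (the DES parity bit, which the cipher ignores) clear. Enumerating 56-bit
// values this way visits each distinct DES key exactly once.
func expand56(k56 uint64) []byte {
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte((k56 & 0x7F) << 1)
		k56 >>= 7
	}
	return key
}

// bruteForceDESKey recovers the DES key behind one (msg, mac) pair by trying every
// value of the low `bits` effective key bits. knownPrefix supplies the remaining high
// bits so the demo finishes quickly; the real attack is this same loop over all 2^56
// keys, which dedicated hardware or precomputed tables make tractable.
// It returns the recovered key, the number of candidates tried, and a success flag.
func bruteForceDESKey(msg, mac []byte, knownPrefix uint64, bits uint) ([]byte, uint64, bool) {
	mask := uint64(1)<<bits - 1
	for n := uint64(0); n <= mask; n++ {
		candidate := expand56(knownPrefix&^mask | n)
		got, err := desCBCMAC(candidate, msg)
		if err != nil {
			return nil, n, false
		}
		if bytes.Equal(got, mac) {
			return candidate, n + 1, true
		}
	}
	return nil, mask + 1, false
}

func main() {
	// Constructed stand-in for an OTA command body; real 03.48 packets differ.
	msg := []byte{0x02, 0x70, 0x00, 0x00, 0x19, 0x01, 0x01, 0x01, 0xA0, 0xC2, 0x00, 0x00}
	secret := uint64(0x00A1B2C3D4E5F6) // 56-bit effective key, known only to SIM and operator
	key := expand56(secret)
	mac, _ := desCBCMAC(key, msg)

	// Attacker model: one signed message and its checksum in hand (known plaintext).
	// Here the attacker is also handed the top 40 effective bits to keep the loop short.
	recovered, trials, ok := bruteForceDESKey(msg, mac, secret&^0xFFFF, 16)
	fmt.Printf("recovered=%t key=%x after %d candidates\n", ok, recovered, trials)

	// Hardened form: the same message authenticated under three-key 3DES.
	k3 := append(append(append([]byte{}, key...), expand56(0x0F1E2D3C4B5A69)...), expand56(0x13579BDF02468A)...)
	mac3, _ := tripleDESCBCMAC(k3, msg)
	fmt.Printf("3DES MAC %x; key search grows from 2^56 to roughly 2^112 effective\n", mac3)
}
```

The point worth taking from the loop is not its speed on a laptop but that nothing in the protocol bounds the attacker's trials: a MAC is verified offline, so the only defence is the key space, and 2^56 has not been a defence since the late 1990s.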
Fact or Fiction: Your Smartphone and Tablet Are Vulnerable to Hackers (Scientific American) Stories of high-profile attacks on Internet-connected mobile devices are hard to come by, but it may not always be this way. Personal computers have been subject to cyber attacks from the moment we began connecting them to the Internet. Nowadays, malicious software lurking in spam and on Web pages is kept at bay only through effort and expense. So why don't we have the same security problem with our smartphones and tablets, which are essentially variations on the PC
Ubuntu Forums Remain Down After Password Breach (Threatpost) Ubuntu Forums remain down today after a breach of their password database was reported over the weekend. All 1.8 million users' information was accessed
Ubuntu Forums hacker won't publish stolen passwords (Help Net Security) The Ubuntu Forums are still down following this weekend's breach claimed by a hacker that goes by the online handle "Sputn1k_", and there is no news on when they will be back online
Combat Arms players, beware of free NX generators (Help Net Security) Players of the popular Combat Arms first-person shooter are being targeted by online crooks via the in-game chat system, warns Chris Boyd
Deceptive 'Media Player Update' ads expose users to the rogue 'Video Downloader/Bundlore' Potentially Unwanted Application (PUA) (Webroot Threat Blog) Our sensors continue picking up deceptive advertisements that expose gullible and socially engineered users to privacy-invading applications and toolbars, most commonly known as Potentially Unwanted Applications (PUAs)
Phantom apps appear in Chinese fanbois' iTunes accounts (The Register) Chinternet a-flutter with speculation and conspiracy theories. Chinese fanbois are reporting that mobile apps they didn't buy have started appearing in their iTunes accounts, leading to speculation an app promotion company may be illegally accessing accounts
[OVH] Security incident (OVH.com) A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they were able to gain access to the internal VPN of another employee. Then with this VPN access, they were able to compromise the access of one of the system administrators who handles the internal backoffice
Another Facebook hack exposes primary email address [of] Facebook users (The Hackernews) Last week we explained a critical vulnerability in Facebook that discloses the primary email address of Facebook users. Later the bug was patched by Facebook Security Team
Philippines Navy website hacked by Pr3 H4ck3r (E Hacking News) A Hacker with handle "Pr3 H4ck3r" from Philippine Cyber Army has claimed to have hacked into the database of the Navy website
Royal Baby: Exclusive Pics! — Don't Fall for It (Infosecurity Magazine) When Kate Middleton, the Duchess of Cambridge, went into labor with the child who recently became third in line for the throne of England, the event immediately had millions of royal-watchers riveted – and, apparently, plenty of spammers ready to leverage the vast amount of public interest in everything from the sex of the baby to "secret pictures" of the new arrival
St. Mary's Bank Suffers Security Breach (eSecurity Planet) Malware found on an employee's computer may have captured customer data. New Hampshire's St. Mary's Bank recently began notifying 115,775 customers that malware found on an employee's computer may have captured sensitive information, including customer names, addresses, Social Security numbers, account information and transaction records
How Digital Certificates are Used and Misused (Lenny Zeltser) Online communication and data sharing practices rely heavily on digital certificates to encrypt data as well as authenticate systems and people. There have been many discussions about the cracks starting to develop in the certificate-based Public Key Infrastructure (PKI) on the web. Let's consider how the certs are typically used and misused to prepare for exploring ways in which the certificate ecosystem can be strengthened
How to spot and avoid Facebook 'Like' scams (C/NET) When you click or press the Like button, you may be disclosing more about yourself than you imagine. You may also be contributing to the bank accounts of Internet scammers
Network Solutions' June "Snafu" — Why Heads Should Roll (Security Week) If you are the domain manager for a major enterprise and are still using a consumer-grade registrar for your company's main domain names, you should lose your job. Period
Cyber Trends
Stock exchange cyber attacks aimed at market disruption, rather than financial gain, according to survey (Out-Law) Cyber attacks on global stock exchanges and financial markets are usually designed to disrupt markets, rather than for immediate financial gain, a new report has found
Indonesia Joins China as Cyber-Attack Powerhouse (Businessweek) Indonesia isn't known as an epicenter for hacking, but the Southeast Asian country was the source of 21 percent of the world's cyber-attack traffic in the first quarter of this year, according to a report by Akamai Technologies to be published later
US more prolific source of cyber-attacks than China, says new report (ITProPortal) The report does not make good reading for the US, though Imperva was keen to point out the difficulty in country-attribution for cyber-attacks
My Editorial: Q3 issue: Lost For Words (Infosecurity Magazine) Seven years reporting on this industry has left me amused, and sometimes strangely comforted, by the over-use of clichés by the industry's professionals. More recently, however, the exposure has frustrated me and left me asking why, in an industry dominated by intelligent people, we can't be more innovative and creative with our communications
Why must political chiefs keep pushing the cyberwar alert button? (Naked Security) "There is a cyberwar going on", according to the UN's telecoms boss Hamadoun Toure. Cyber terrorism is capable of causing "mass destruction", says former director of the FBI Louis Freeh
Study: Cloud Computing Security Still Immature (Midsize Insider) The article points out that the Cloud Security Alliance is such an example, offering a checklist to help IT pros consider whether cloud security services are appropriate for their company. Security should not be an afterthought with the cloud
Fear of prosecution hampers security research (SC Magazine) As Black Hat and DefCon near, there's a noticeable "chill" in the air due to recent, aggressive legal action taken against security researchers. And the biggest loser of all may be the public. A few months ago, Matthew Green was asked to advise a small team of undergraduate students who were investigating possible security vulnerabilities in a state's toll collection system
CSIS Releases Study Linking Cybercrime To Job Loss (Dark Reading) McAfee-sponsored report quantifies economic impact of cybercrime. McAfee announced today that it has sponsored a first-of-its-kind report quantifying the economic impact of cybercrime. After years of guesswork and innumerable attempts to quantify the costly effects of cybercrime on the U.S. and world economies, McAfee engaged one of the world's preeminent international policy institutions for defense and security, the Center for Strategic and International Studies (CSIS), to build an economic model and methodology to accurately estimate these losses, which can be extended worldwide. "Estimating the Cost of Cybercrime and Cyber Espionage" posits a $100 billion annual loss to the U.S. economy and as many as 508,000 U.S. jobs lost as a result of malicious cyber activity
Trillion-dollar global hacking damages estimate called exaggerated (Reuters) A $1 trillion estimate of the global cost of hacking cited by President Barack Obama and other top officials is a gross exaggeration, according to a new study commissioned by the company responsible for the earlier approximation. A preliminary report being released Monday by the Center for Strategic and International Studies and underwritten by Intel Corp's (INTC.O) security software arm McAfee implicitly acknowledges that McAfee's previous figure could be triple the real number
Is Software Quality Going To Hell In A Shopping Basket? (Forbes) When I was a CIO back in the day, I'd get into frequent debates with my peers. One philosophical question: "Is it better for new software to be on-time and buggy, or late and bug-free?" To me the answer was a no-brainer. No one remembers if you were a bit late, but everyone remembers a buggy start. Here it is, twelve years later, and I'm feeling really old fashioned. Whether delivered late, early or on time, software just seems to always be buggy. Not just new software - but even seemingly minor updates. And not just small bugs either. We're talking major glaring holes. It has been a problem for a long time, and what Facebook calls "The Hacker Way" has only exacerbated the problem
Under Attack: the Threat from Cyberspace (F-Secure) "There are now three certainties in life -- there's death, there's taxes and there's a foreign intelligence service on your system." —MI5's Head of Cyber. BBC Radio 4 recently aired a very interesting series on cyber espionage, theft, and war
Escalating Cyber Security Threats Mean Rise of the CISO (American Banker) Tom Sanzone has a curriculum vitae few in the bank technology sphere can rival. CAO of Merrill Lynch. CIO of Credit Suisse. CIO for the Corporate and Investment Bank, the Private Client Group, and the Global Transaction Services business at Citigroup. Managing director and head of global application development at Salomon Brother
Morozov and the Internet's Great Failure (Slashdot) When you learn that Evgeny Morozov's previous book was called The Net Delusion: The Dark Side of Internet Freedom, you quickly realize that his new book, To Save Everything, Click Here, isn't likely to be an ode to the utopian wonder of the Web. And indeed it isn't
The Bring-Your-Own-Device Dilemma (IEEE Spectrum) Employees and businesses seek to balance privacy and security. The smartphone revolution opened the floodgates to the BYOD (bring your own device) trend among workers. Carrying two devices is cumbersome, and many people simply preferred to use their new devices over corporate-issued phones or laptops. IT departments might have been able to brush this off, except that many of the early iPhone (and later, Android) adopters sat in executive offices. Now BYOD has spread around the world, creating a host of new challenges for IT departments concerning security, device management, and support costs
E-shopkeepers stabbed with SQL needles 'twice' as much as other sites (The Register) US number-one source of injection attacks, says security biz. Retailers suffer twice as many SQL injection attacks on their systems as other industries, according to a new study by data-centre security firm Imperva, which claims the ferocity of web-based assaults is growing
Marketplace
Cisco to buy security software maker Sourcefire for $2.7 billion (Reuters) Cisco Systems Inc said it will buy software maker Sourcefire Inc for about $2.7 billion (1.7 billion pounds) to increase its network security services. Cisco will pay $76 per share for the company, a premium of 28.6 percent over its closing price on Monday of $59.08
DuckDuckGo, PRISM, and the new business of privacy (VentureBeat) One of the most valuable things in the world right now is your data. For Facebook and Google, your data is a window into your soul, your interests, and your buying habits. It's how they can convince advertisers that giving them money makes sense. It's how they've gotten rich
Venture Funds Invest in Electronic Spying Startups (Wall Street Journal) The string of revelations about America's surveillance apparatus by former National Security Agency contractor Edward Snowden has cast a spotlight on the growing number of American companies involved in electronic spycraft
Michael Dell Faces Biggest Week Of His Career (InformationWeek) This week could alter the course of Michael Dell's legacy, as investors consider his $24.4 billion offer to take the company private. Throughout his career, Dell CEO Michael Dell has overcome many challenges. He famously launched the company, once the world's biggest PC maker, from his college dorm room, for example. Along the way, he became one of the world's richest people
Northrop Grumman taps new sector VP of business development (Washington Technology) Kondrotis comes to Northrop Grumman having served in executive business development roles at CACI International and in General Dynamics Information Technology's Intelligence Solutions division. She has also worked at Lockheed Martin in business
Products, Services, and Solutions
Apricorn unveils FIPS 140-2 encrypted USB 3.0 drive (Help Net Security) Apricorn debuted its Aegis Padlock Fortress, a secure drive designed specifically for the stringent requirements of the Government, Military and Healthcare. The first USB 3.0 hardware encrypted
BAE, Bayshore Networks Grow Cybersecurity Partnership (Executive Biz) BAE Systems has agreed to resell and distribute several Bayshore Networks firewall products under an expanded partnership aimed to help customers protect networks from cyber attacks
Technologies, Techniques, and Standards
Getting Physical At Black Hat (Dark Reading) Researchers offer up work on breaking into buildings by hacking alarm key pad sensors and key card access control systems
Tripwire Announces New Version Of TRIPWIRE Log Center Solution (Dark Reading) Tripwire Log Center solution is powered by the Tripwire VIA agent. Tripwire, Inc., a leading global provider of risk based security and compliance management solutions, today announced the availability of the Tripwire Log Center TLC™ 7.0 featuring the first phase of integration with IP360™, as well as Tripwire's new VIA™ Agent, advanced log intelligence, and enhanced correlation analytics designed to improve log intelligence
Integrating Vulnerability Management Into The Application Development Process (Dark Reading) App developers often fail to do proper vulnerability scanning. Here are some ways to plug those holes
MaskMe: Finally a way to use the web without surrendering all your personal info (VentureBeat) Here's an obvious reality about privacy breaches: Companies can't lose data that they don't have. Taking advantage of this realization is privacy company Abine, which has officially announced MaskMe, an ambitious browser extension that gives users the privacy-protecting power of disposable e-mail addresses, phone numbers, and even credit card numbers
Securing Critical Infrastructure Through Information Sharing (Tripwire) In this panel discussion industry experts investigate the possible sources and application of the knowledge needed to secure critical infrastructure. Questions the panel will ponder include
The Fallacy of Targeted Attacks, Advanced Threats and Sandboxing-based Technologies (Damballa) Over the last few months, mainly due to my new role in Damballa, I had the tremendous opportunity to visit, meet and hold extensive discussions with people in the security field. These people varied from sales representatives and operational security practitioners, to executives in large companies. I've realized with great sadness (to be perfectly honest) a great level of misconception around the detection or even prevention of targeted attacks and advanced threats
Australian Securities Exchange goes to Cyberwar on Cyber crime (Cyberwarzone) The Australian Securities Exchange has undertaken its own ''war games'', simulating cyber-attacks as part of efforts over the past year to shore-up defences against a growing threat
5 Benefits Of Cloud Computing You Aren't Likely To See In A Sales Brochure (Forbes) Cost savings… elasticity… scalability… load "bursting"… storage on demand… These are the advertised benefits of cloud computing, and they certainly help make for a solid business case for using either third-party services or a virtualized data center
Children as adversaries in technologically-enhanced homes (Help Net Security) You might sometimes consider your child an adversary when it prevents you from sleeping enough hours or having a sit-down meal without interruptions, but Microsoft researcher Stuart Schechter uses the same unexpected word for describing the effect of children's natural tendency to "hack" technology made for adult use
Tactics for Responding to Cyber Attacks - Squeezing Your Cyber Response-Curve: Part 1 (CircleID) Many cyber attacks against companies today go unreported, and more still are undetected. This poses a critical threat to organizations that are striving to innovate, maximize efficiency and compete in a connected world. Timing and context are everything. The faster a company identifies a problem, and the faster and deeper it is understood and its relevance to the business, the more effectively the company can respond. We call this squeezing the cyber response curve. This two-part post will discuss the current state of cyber threats, what the cyber response curve is and its impact on your organization, and how you can effectively squeeze this curve to improve attack response
Will CSOs become CROs in the future? (CSO) Is the chief security officer title destined to evolve into one that is about more than just security? Many CSOs have seen their responsibilities morph from defending an organization, to calculating an organization's risk profile as well
Top IaaS Security Requirements To Consider (NetworkComputing.com) "The security requirements for using Infrastructure as-a-Service are essentially the same as they would be for using your own data center," Dave Cullinane, chairman of the Cloud Security Alliance board, told Network Computing. "You should evaluate
Design and Innovation
World's Biggest Data Breaches (Information is Beautiful) Selected losses greater than 30,000 records
Research and Development
Laser-wielding boffins develop ETERNAL MEMORY from quartz (The Register) Crystal-based storage tech could kill the need for backups
MIT researchers teach TCP new tricks with software named Remy (NetworkWorld) Remy automatically generates congestion-control algorithms for dramatically improved speeds and lower latency. A sophisticated piece of software called Remy can be used to manage network communications with unprecedented precision, creating new protocols and controls on the fly in order to wring maximum efficiency out of a network
Academia
6 Colleges and Universities That Are Fighting Against Cyber Attacks (US News and World Report) Universities across the country are becoming proactive in fighting cyber crime as the number and sophistication of the attacks grow
Legislation, Policy, and Regulation
Are You Reading My Emails? Former State Dept. Official Asks the NSA. (Daily Beast) What happens when a former top-level State Department official asks the government to reveal if it's reading his communications? John Kael Weston on his adventures in our national-security state
Germany to Probe Secret Service Ties with NSA (SecurityWeek) German Chancellor Angela Merkel's government Monday announced a probe into ties between its secret services and US agencies whose sweeping online surveillance was revealed by fugitive intelligence analyst Edward Snowden
Spying Scandal Piles Pressure on Merkel Over Extent of NSA Links (Businessweek) German Chancellor Angela Merkel came under renewed pressure over the trans-Atlantic surveillance scandal after a report that German intelligence cooperated closely with the U.S. National Security Agency. Germany's BND Federal Intelligence Service, led
US Surveillance, Syria At Issue On Defense Bill (Associated Press) Limits on secret U.S. surveillance programs and President Barack Obama's push to help Syrian rebels were in dispute as the House weighed legislation to fund the nation's military. The House planned to begin debate Tuesday on the $598.3 billion defense spending bill for the fiscal year beginning Oct. 1, and late Monday the House Rules Committee voted to allow votes on the contentious issues
DHS approps slightly higher under Senate committee than House (FierceHomelandSecurity) Senate Appropriations Committee funding for the Homeland Security Department would be greater by about $334.16 million than the amount the House approved June 6 in that chamber's version of the DHS fiscal 2014 spending bill--although a large amount of that difference comes from the overseas spending for the Coast Guard, which the House would fund through the Navy
House and Senate appropriations committees differ significantly on NIST spending (FierceGovIT) The House and Senate Appropriations committees have marked up versions of a fiscal 2014 spending bill with significantly different levels of funding for the National Institute of Standards and Technology
Grants and rate increases top tier incentives for cybersecurity framework adoption, says DHS (FierceGovIT) Among the incentives under consideration for private sector adoption of the framework called for by President Obama's February cybersecurity executive order are federal grants and giving permission for rate increases in price-regulated industries
White House considering cybersecurity incentives (Politico) The Obama administration has weighed whether to back tax breaks, insurance perks and other legal benefits for businesses that make meaningful improvements to their digital defenses
The key to cleaning up the internet is tackling the darknets, not letting censorship in by the back door (ZDNet) The UK government's proposals for blocking search terms for illegal content aren't only badly thought through, they're dangerous. The latest proposals to lock down the UK internet in the name of preventing child pornography are at best a misunderstanding of how the dark side of the internet works, and at worst a basis for a censorship infrastructure that could make the Great Firewall of China look like a leaky sieve
The Ever-Evolving Cyber Laws (Insurance Journal) There is a wide array of state, federal, and international laws requiring individuals and entities that gather, use and secure "personal" or "protected" information to report, and/or "notice," when this type of information is accessed or acquired without authorization. The original motivator behind these laws is that this type of information, when in the hands of the wrong person, can be used to commit fraud. The goal is to provide affected individuals, and the government or consumer agencies they may turn to for assistance, with notice of the data security incident so that they may take steps to protect themselves
Litigation, Investigation, and Law Enforcement
Chinese hacker to help defend Western companies (Yahoo News) A leading Chinese hacker who used to attack American targets in the name of patriotism is now sharing his skills with Western multinational firms. Cyber security has become a major diplomatic sticking point between the world's superpowers, and a cyber war between China and the US is escalating. The US has come under fire after former spy Edward Snowden revealed a vast US surveillance program that also targeted Hong Kong and the Chinese mainland. Earlier, US security experts had identified a specialist hacking unit within the People's Liberation Army homing in on their institutions. China is now calling for a global anti-hacking agreement, but one of the biggest threats still comes from those working outside the system. Hacker Laoying, meaning Eagle, is seen as something of a godfather by his peer
U.S. Army Sergeant Admits Data Theft (eSecurity Planet) Ammie Brothers faces up to five years in prison. Ammie Brothers, 29, of Columbus, Ga., recently pled guilty to unlawfully obtaining personal information from the U.S. Army's Army Knowledge Online system
Normal humans — aka "non-celebrities" — are telling Big Brother to go stick his head in a sack (Naked Security) Sweet and Maxwell, a legal publisher in the UK, says that privacy actions against police, hospitals and security services in the UK are up 22% over last year