Cyber Attacks, Threats, and Vulnerabilities
New York Times and Twitter UK stumble to their feet after 'spooky' Syrian Electronic Army hack (ITProPortal) The New York Times came back online after a hack of Internet registrar MelbourneIT allowed the Syrian Electronic Army to compromise the newspaper's website. The site was still experiencing intermittent connection issues, though. For those unable to access NYTimes.com, the paper is also publishing stories on news.nytco.com. In a blog post explaining the hack, Matthew Prince, CEO of security firm CloudFlare, categorised it as a "very spooky attack" since "MelbourneIT is known for having higher security than most registrars"
Phishing email grants hackers access to DNS records of major websites (SC Magazine) A phishing attack, one of the most common and oldest cyber tricks in the book, enabled hackers to hijack and modify the DNS records for several domains on Tuesday, including The New York Times, Twitter and the Huffington Post UK. Representatives of the impacted entities have said their systems are now operating normally, and there are no lingering or long-term effects. In fact, the companies were not even the ones targeted by the attackers, who claimed to be the Syrian Electronic Army, a band of pro-Assad hacktivists responsible for a number of IT takedowns in recent months
NYT/Twitter Hacks Show DNS Is Not Broken, But Domain Registrars Might Be (TrendLabs Security Intelligence Blog) The recent attacks on New York Times, Twitter and others while DNS-related, were not the result of a weakness in the DNS at all. They resulted from weaknesses in domain registrar infrastructure. The DNS components related to this event performed exactly as they were designed and instructed to do
SEA takedowns of international communications websites like True Caller and Viber endanger privacy of millions (CIOL) According to FireEye today, as Western intervention in the Syrian conflict is fast approaching, the phenomenon of the world's patriotic hackers continues to grow, with the pro-government Syrian Electronic Army believed responsible for attacks on Twitter and the New York Times
After Twitter, NY Times hacks, top Internet brands remain at risk (CSO) The Syrian Electronic Army hit multiple targets this week, including Twitter and the New York Times. While the victims have recovered for the most part, many popular brands remain at risk
Banks Vulnerable to Same Type of Attack That Hit Times Website (American Banker) Banks have good reason to pay attention to the cyberattack that hit the New York Times, Twitter and Huffington Post websites yesterday and apparently resumed on the Times site today — they are vulnerable to the same type of assault
Analysis: Syria, aided by Iran, could strike back at U.S. in cyberspace (Irish Times) If the United States attacks Syria, it will be the first time it strikes a country that is capable of waging retaliatory cyberspace attacks on American targets. The risk is heightened by Syria's alliance with Iran, which has built up its cyber capability in the past three years, and already gives the country technical and other support. If Iran stood with Syria in any fray with the United States that would significantly increase the cyber threat, security experts said
Syria, Iran armed for cyberwar with U.S. (Washington Times) Syria and its ally Iran have been building cyberattack capabilities for years and soon might have a chance to use their skills in a hot war for the first time. Former U.S. officials and cybersecurity scholars say Syria has a demonstrated cyberattack capability and could retaliate against anticipated Western military strikes against Syria for its suspected chemical weapons attack against civilians in the country's 2-year-old civil war
NY Times Caught In Syrian Hacker Attack (InformationWeek) Hacks amount to "warning shots," threatening more widespread cyberattacks should the U.S. and allies launch military campaign against Syria, warns security expert
Spear phishing led to DNS attack against the New York Times, others (PCWorld) The cyberattack that resulted in nytimes.com and some other high-profile websites being inaccessible to a large number of users Tuesday started with a targeted phishing attack against a reseller for Melbourne IT, an Australian domain registrar and IT services company
Twitter disruption affects users across the UAE (Emirates 24/7) The disruption occurred hours after major media companies around the world lost control of their websites in an online attack
Who Built the Syrian Electronic Army? (Krebs on Security) A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I'll be taking a closer look at this organization, starting with one of the group's core architects
Is This 19-Year-Old the Leader of the Syrian Electronic Army? (Motherboard)
Two Syrian Electronic Army Members Unmasked, Hackers Say Information Is False (Softpedia) Security expert Brian Krebs and Vice Motherboard have published articles claiming to have found the real identities of two Syrian Electronic Army hackers. However, the hackers are denying that the information is accurate
Hacker points Syrian telecom website to AT&T, T-Mobile (ComputerWorld) The website of a Syrian telecommunications provider redirected to AT&T's website and then T-Mobile's on Wednesday, an apparent prank by a hacker who has been probing the country's Internet infrastructure for several days
Hackers target ISRO, BARC, ECIL, and Tata servers (Economic Times) The website of the Electronics Corporation of India Ltd (ECIL) was hacked and documents involving the Bhabha Atomic Research Centre (BARC) and Indian Space Research Organization (ISRO) were leaked by an online hacker on Saturday. They also claimed to have hacked Tata Motors site
Alamo Colleges fend off cyber attack (San Antonio Express) The Alamo Colleges shut down several computer systems Wednesday to protect them from a cyber attack, officials said. The community college district
Secure Google Docs email results in mailbox compromise (Naked Security) As cloud services become more pervasive criminals continue to try and convince corporate users to surrender their identities. Google Docs is the latest target, look out
Kelihos Relying on CBL Blacklists to Evaluate New Bots (Threatpost) The Kelihos botnet is leveraging legitimate security services such as composite blocking lists (CBLs) to test the reliability of victim IP addresses before using them to push spam and malware
Suspect Sendori software (Internet Storm Center) Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180 which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users" this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process
Snapchat names, aliases and phone numbers obtainable via Android and iOS APIs, say researchers (ZDNet) According to a Snapchat Security Advisory published by Australian researchers, Snapchat names, aliases and phone numbers can be discovered and harvested via the Snapchat Android and iOS API even if an account is private
Unpatched Mac bug gives attackers "super user" status by going back in time (Ars Technica) Researchers have made it easier to exploit a five-month-old security flaw that allows penetration testers and less-ethical hackers to gain nearly unfettered "root" access to Macs over which they already have limited control. The authentication bypass vulnerability was reported in March and resides in a Unix component known as sudo
Facebook Hijacked to Spread Chrome, Firefox Browser Malware (Infosecurity Magazine) Facebook is being used to spread malware again, this time through messages claiming to be from friends wanting to share videos. The "video link" of course opens a door for hackers to hijack users' Facebook accounts and web browsers
RODECAP spam scripts analysed (Blog de Seguridad de INTECO) After reading the abuse.ch post about the RODECAP botnet, we could get some samples of the scripts used by the botnet to send spam. From abuse.ch, sent us a dump of the communication from a RODECAP sample, so we started the analysis using the PCAP received and our scripts
New Malware Needs its Mouth Washed Out with Soap (Infosecurity Magazine) Most malware has a nasty disposition, hence the "mal" part of the word, and hackers have been known to build in very special messages that display mocking phrases to victims like "ha ha ha!" or "better luck next time," and so on. But hackers have now elevated trash-talking to the next level, with a bug that swears like a sailor
Simulated Attacks Show C–Level Executives Can Make Easy Targets for Spear-Phishers (Cyveillance) Wombat Security Technologies recently talked to Security Week about the on-going problem with executives falling for spear-phishing attacks. Wombat, which specializes in testing a company's vulnerability to phishing attacks, noted that executives are often the first to fall prey to attackers when it comes to clicking links and providing login data
Cybercriminals Use Aggressive Social Engineering Tactics Against French Organizations (Softpedia) Earlier this year, Symantec revealed the existence of a sophisticated cybercriminal operation that targeted European organizations, particularly ones from France. Now, experts are providing more details on the attacks which continue to this day
Reverse-Engineering Renders Dropbox Vulnerable (Silicon Angle) Dropbox might be the most widely used cloud storage and sharing service in the world, with over 25 million users and adding about 200 million files daily, but its security is constantly being questioned, and not just because of the NSA
Cybercrime–friendly underground traffic exchanges help facilitate fraudulent and malicious activity — part two (Webroot Threat Blog) The list of monetization tactics a cybercriminal can take advantage of, once they manage to hijack a huge portion of Web traffic, is virtually limitless and is entirely based on his experience within the cybercrime ecosystem
Java Native Layer Exploits Going Up (TrendLabs Security Intelligence Blog) Recently, security researchers disclosed two Java native layer exploits (CVE-2013-2465 and CVE-2013-2471). This caused us to look into native layer exploits more closely, as they have been becoming more common this year. At this year's Pwn2Own competition at CanSecWest, Joshua Drake showed CVE-2013-1491, which was exploitable on Java 7 running on Windows 8. CVE-2013-1493 has become a popular vulnerability to target in exploit kits such as Blackhole
Security Patches, Mitigations, and Software Updates
Twitter Updates Android, iOS And Web With New Conversation View, Abuse Reporting (TechCrunch) Twitter has just released an update for iOS, Android and the web application with a brand new interface for conversations, as well as enhanced sharing and abuse reporting capabilities. According to the official blog post, the idea is to make it easier to follow and discover conversations
Opera 16 Fixes Bugs, Improves HTML5 Performance (Threatpost) Opera has pushed out version 16 of its eponymous browser this week, complete with what it's calling "tons of bug fixes" and improved performance
Google to Implement 5–Year Limit on Digital Certificates (Infosecurity Magazine) Compromised digital certificates have been a weak link in a few high-profile security incidents of late, prompting a discussion on how to more adequately lock them down. For its part, Google is planning to cap certificate validity at 60 months
Office 2003 soon to lose support too (ZDNet) It's not just Windows XP that reaches support end of life next April on Patch Tuesday, but Office 2003 as well. This was an extremely popular version of Office, and running it without security patches will be dangerous
Cyber Trends
Data controllers failing to encrypt sensitive data, warns ICO (V3) The Information Commissioner's Office (ICO) has criticised businesses for failing to adequately protect information they hold, claiming a lack of knowledge about encryption technologies is causing many to mishandle sensitive data
Struggling With Attack Detection And Analysis (Dark Reading) New survey shows organizations don't know when they've been attacked and can't easily determine scope of attacks. Enterprises are increasingly finding it harder to detect attacks in a timely fashion or quickly determine the scope of attacks when they are discovered. A new survey out this week shows that while the majority of organizations seem confident in their ability to quickly analyze and respond to security alerts, many have a hard time finding attacks in real-time or even being sure they've experienced an attack
Growing Trend In Fraud, Identity Theft Being Camouflaged By DDoS Attacks, Cyber Security Company Says (HS Today) Calling it a "high risk factor," Prolexic, a firm that provides Distributed Denial of Service (DDoS) protection, said Wednesday it is sharing "attack signatures and details that are helpful to detect and stop DDoS attacks from the Drive DDoS toolkit, an attack tool often used as a source of distraction while criminals break into customer accounts at finance firms and e-Commerce businesses."
Social engineering: Study finds Americans willingly open malicious emails (CSO) A recent study shows that 30 percent of Americans will open emails, even when they know the message is malicious. These types of stats are an attacker's dream, but are they realistic
How cyber-risk savvy are you? (ABA Banking Journal) With all-the-time connectivity, comes all-the-time risk. Cyber insurance, which covers a form of 21st century peril, has emerged as a "must have" for banks. It is directly related to electronic banking, the internet, and being connected 7x24x365
Secure email is dead (IT World) As any married couple will tell you, trust is the most precious commodity. And, once it's gone, it's almost impossible to get back. That maxim is just as applicable to the technology world when it comes to security and privacy. That's why a giant brick and mortar retailer like TJX can lose the credit card information belonging to tens of millions of customers and barely miss a beat, while a firm like the Dutch certificate authority DigiNotar (part of the U.S. based firm Vasco Data Security Intl.) can lose a few hundred certificates and be forced out of business. Put simply: when your business is trust, and there's a breach of that trust, you're out of business
Cybersecurity queries surge in wake of Snowden claim (FreeNewsPos) Inquiries about tightening cybersecurity from local companies have "surged" since the Edward Snowden incident, consultants said yesterday at the region's first international conference on cybercrime and computer forensics
Marketplace
Tor usage up by more than 100% in August (The Register) Secure network usage spikes worldwide, reasons unknown. The privacy-enhancing Tor network has seen its total number of users per day more than double in the last month, reaching the highest levels since the project first began compiling usage statistics
Tor usage doubles in wake of secure email shutdowns, arrival of PirateBrowser (InfoWorld) The prying eyes of the U.S. government are good for the Tor anonymity network, which has seen its usage spike in recent weeks
Symantec Nominates Two New Board Members (Wall Street Journal) Major General Suzanne Vautrinot, retiring commander of the 24th Air Force, the Air Force Service Component of the United States Cyber Command; and -- Anita
KEYW gets USD75m advanced cyber training contract (MENAFN) KEYW Corp. KEYW said it has received a prime contract to provide advanced cyber training content development, delivery, and lifecycle support to a US based customer
Will Greifeld survive at Nasdaq? (FierceFinance) There's no denying that Robert Greifeld, the CEO of Nasdaq, is under pressure right now. Technology malfunctions have severely undermined its public reputation. The inability to find a merger partner has raised brows, leading to talk of missed opportunities. And the decision not to communicate more quickly about the recent 3-hour outage was thoroughly lambasted by many, perhaps most memorably by James Cramer, who went on something of a rant
Products, Services, and Solutions
StrikeForce Technologies Inc.'s GuardedID Keystroke Encryption Patent Granted (Dark Reading) StrikeForce Technologies, Inc. (SFOR.OB), a company that specializes in Cyber Security for the prevention of Data Breaches, announced today that it has received an official Notice of Allowance from the United States Patent Office stating that their patent application "Methods and apparatus for securing keystrokes from being intercepted between the keyboard and a browser" has been allowed for issuance and a patent
Xceedium extends security capabilities to VMware vShield and vCloud (Help Net Security) Xceedium is extending Xsuite's security and audit capabilities to VMware vShield and vCloud. Customers using VMware's software-defined datacenter tools and its Private Cloud and Hybrid Cloud environments
HP releases Fortify Static Code Analyzer 4.0 (Help Net Security) HP announced Fortify Static Code Analyzer (SCA) 4.0, delivering a new approach that enables organizations to assess the security of software up to 10 times faster than previous versions of the solution
Vir2us Launches Automation Technology to Empower Firms Adopting "Bring Your Own Device" (BYOD) Strategies to Realize Dramatic Cost Reductions (MarketWatch) Over 60% of companies have implemented or are planning some implementation of BYOD. The reasons for this trend are improved mobility, communication and creativity and innovation, according to CIO Magazine (1 Aug 2013), which recently published the results of a survey of over 500 companies about their BYOD plans and experience. California based Vir2us is realizing success with IT service providers and companies that are looking to BYOD strategies and outsourcing to solve the rising cost and complexities of IT
VM–to–VM Traffic No Longer a Security Blind Spot (RSA Blog) VMware has done much to change the way IT operates the data center. For each of the last 10 years at VMworld, VMware always seems to unveil a new way it is taking another giant leap toward the realization of the total virtual data center
VMware's virtualization quest could shake up data storage, too (ComputerWorld) The jam-packed VMworld show this week in San Francisco has been VMware's launchpad for flights deeper into storage, an area that the company says is due for more virtualization
Technologies, Techniques, and Standards
Security Think Tank: Physical security should be replicated in cyber world (Computer Weekly) Snooping on a person or company is not new, it is just that the internet age has brought an added dimension: the cyber thief. The old techniques of safeguarding one's possessions - and that includes information and intellectual property (IP) - are still valid
Baking Better Security into Software Development (Infosecurity Magazine) The infosecurity industry is largely reactive in nature — it reacts to threats against information. Those threats typically use software flaws as an entry point. It follows that if software flaws can be minimized, security costs can be reduced
3 types of DNS attacks and how to deal with them (InfoWorld) The Syrian Electronic Army altered the DNS records used by the New York Times, Twitter, and others. Here are three ways such attacks can be mitigated
New protection mechanism prevents mobile cross-app content stealing (Help Net Security) A group of researchers from Indiana University and Microsoft Research have recently published a paper detailing the risk of cross-origin attacks on two of the most popular mobile operating systems today - iOS and Android - and have introduced an origin-based protection mechanism of their own design
Some Tips for Smartphone Security (Syracuse New Times) Or maybe it's because of all the publicity surrounding the National Security Agency and PRISM. Whatever caused it, people are more aware of and concerned
Research and Development
Video: How quantum cryptography works (InfoWorld) According to InfoWorld's Roger Grimes, quantum cryptography is the last, best defense when it comes to security. Computers are becoming so powerful that they can break traditional cryptography, which relied on complex math to work. Once quantum computing comes into play, it's game over for conventional cryptography. Thus, quantum computing begets quantum cryptography. But how does quantum cryptography work, exactly
'Drawing a secure cryptographic code can be done in principle' (The Hindu) Quantum cryptography is considered extremely secure as it builds on the sensitive properties of quantum light. Prof. Charles Bennett of IBM Research, U.S., explained to Shubashree Desikan the basics of quantum cryptography, security and hacking. Prof. Bennett, along with Prof. Gilles Brassard, University of Montreal, Canada, discovered the BB84 protocol, which is the cornerstone of quantum cryptography. He was in Chennai to attend the Asian Quantum Information Science - 2013 conference
Academia
NSA recognizes cyber education at WPAFB (Dayton Business Journal) The Center for Cyberspace Research at Wright-Patterson Air Force Base just got a big boost from the NSA
CDFAE (DC3) The National Centers of Digital Forensics Academic Excellence (CDFAE) program has been developed to foster the digital forensics field and encourages growth in supporting the National Initiative Cybersecurity Education (NICE) framework
Legislation, Policy, and Regulation
How New Zealand banned software patents without violating international law (Quartz) What do you do when you're a small country with a technology industry convinced that innovation requires the banning of software patents, but you've signed an international treaty that in theory obliges you to make software patentable? If you're New Zealand, you simply declare, in a historic and long-debated bit of just-passed legislation, that software isn't an invention in the first place
Obama's surveillance board packed with insiders (Politico) President Barack Obama pledged he'd appoint "outside experts" to review the country's surveillance practices, but he's since tapped largely insiders for the key posts. The group, formed to examine the policies and procedures at the National Security Agency as it tracks terrorism suspects' digital communications, is composed mostly of Washington types, many with connections to the very intelligence establishment they're now tasked with scrutinizing in the wake of Edward Snowden's leaks
Should the U.S. Protect Companies Against Hackers? (Bloomberg) Bob Stasio of Ronin Analytics discusses the threat of retaliation against private companies for actions related to United States policy and whether the government should be involved in protecting companies' networks. He speaks on Bloomberg Television's "Market Makers"
Litigation, Investigation, and Law Enforcement
French prosecutor opens probe into NSA surveillance program (Washington Post) French prosecutors have confirmed that they are conducting a preliminary investigation into whether the U.S. National Security Agency violated French
Snowden impersonated NSA officials, sources say (NBC News) Edward Snowden accessed some secret national security documents by assuming the electronic identities of top NSA officials, said intelligence sources. "Every day, they are learning how brilliant [Snowden] was," said a former U.S. official with knowledge of the case. "This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble"
Background Check of National Security Agency Leaker Found to be Inadequate (ESR News) A federal review of the most recent background check conducted on former National Security Agency (NSA) contractor Edward Snowden has found that the
Firm That Vetted Snowden Defends Its Work (Wall Street Journal) The private company that conducted the last background check of former National Security Agency contractor Edward Snowden said it was the federal government's responsibility to catch any problems with its 2011 investigation of the man who has said he leaked top-secret documents
FISA Court Rolls Over, Plays Dead (Forbes) A newly declassified opinion shows FISA court "oversight" in the face of egregious, unconstitutional and potentially criminal government misconduct means nothing
Metadata is a proxy for content, argues Princeton professor in ACLU lawsuit against bulk metadata collection (FierceGovIT) Obama administration assurances that only transactional records and not the content of Americans' phone calls are being monitored by the National Security Agency overlooks the revealing potency of those records, says a Princeton computer science professor and a former Federal Communications Commission technology adviser
U.S. Secret Service: Five Retailer Breaches Are Linked (Storefront Backtalk) If it seems like this spring and summer have seen a rash of supermarket-chain security breaches, it turns out there's a reason. Five recent cyberattacks against smaller retail chains all appear to have come from the same overseas criminal gang, according to the U.S. Secret Service. That includes the breach at Schnuck Markets that netted thieves as many as 2.4 million card numbers, four other breaches at chains a Secret Service spokesman declined to name, and a collection of retailers in Kentucky and Indiana who all shared the same local reseller who provided the POS remote-access software that thieves exploited
How "cell tower dumps" caught the High Country Bandits—and why it matters (Ars Technica) Fishing expeditions can pay dividends—but do they need a warrant
City of London police commissioner hits back at cyber–crime critics (ComputerWorldUK) Earlier this month the Police Commissioner for the City of London, Adrian Leppard, wrote an open letter to The Times in which he painted a distinctly positive view of cyber-crime protection in the UK. In response, Computerworld UK sourced the views of cyber-security experts and published a story - 'London Police Commissioner's cyber-crime open letter laughed at by industry' - that grabbed the attention of Leppard himself
Agreeing to a BYOD policy could land an employee in jail (FierceMobileIT) By agreeing to a BYOD policy, employees could be dragged into civil or criminal litigation, warns Michael Kassner, a freelance writer and information security consultant. Employees could be required to give up their personal device to the courts or even have all of the data on the device searched, with possible legal ramifications for the owner, noted Kassner
Who owns IP in a BYOD environment? (FierceMobileIT) While BYOD has helped improve productivity for workers and provided IT flexibility for companies, it has also raised a number of sticking issues around privacy, legal liability and intellectual property ownership. When an employee creates content on a personally owned device, can the company claim ownership of that content? The answer, of course, is—it depends
AWS disputes GAO bid protest favoring IBM in CIA cloud computing contract (FierceGovIT) Amazon Web Services is challenging in the Court of Federal Claims the Government Accountability Office's June bid protest decision overturning its win of a CIA cloud services contract worth up to $600 million over 4 years, with additional options