Cyber Attacks, Threats, and Vulnerabilities
Second China unit accused of cyber crime (Financial Times) A second Chinese military unit has been accused of cyber crime, just weeks after the US charged five Chinese officers with alleged economic espionage
Chinese military tied to prolific hacking group targeting US aerospace industry (Ars Technica) In operation since 2007, "Putter Panda" is latest group to be implicated by researchers
Chinese cyberspies targeting U.S, European defense, space sectors (CSO) Security vendor CrowdStrike identifies group with ties to the Chinese military targeting U.S. defense and European satellite and aerospace industries
The World Cup's biggest corporate sponsors are already being ambushed (Quartz) FIFA, the organization behind the World Cup, will reap an estimated $1.6 billion from corporate sponsorships of the 2014 edition of the planet's biggest sporting event. In exchange for large sums of money, multinational corporations can market their association with the tournament in their own ads, and get their brands seen by the enormous audiences the tournament will attract. So expect to see the following logos on plenty of field-side billboards over the next few weeks
Phishing Sites Intensify World Cup Campaigns (TrendLabs Security Intelligence Blog) With the 2014 FIFA World Cup in Brazil about to kick off in less than a week, it should be no surprise that phishing sites have intensified their own spam campaigns targeting Brazilians as well
#NotGoingtoBrazil hits Twitter: a campaign against 2014 World Cup in Brazil (HackRead) Protests against the FIFA World Cup 2014 to be held in Brazil have now turned to Twitter to garner support against the World Cup expenditure of nearly US$11 billion, which could otherwise have been used to address the prevalent poverty and its related issues in Brazil, according to media reports
RSA researchers discover new alternative to Zeus (CSO) The modular Trojan is being offered to criminals as an alternative to Zeus
RIG Exploit Kit Pushing Cryptowall Ransomware (Threatpost) With Cryptolocker quite possibly on its way to becoming yesterday's ransomware news after the successful takedown of part of its distribution infrastructure, alternatives are already available
RIG Exploit Kit Strikes Oil (Cisco) In the last month we have observed high levels of traffic consistent with the new "RIG" exploit kit (EK), as identified by Kahu Security. This new EK reportedly began being advertised on criminal forums in April, which coincides with when we first began blocking this traffic on April 24th
'Red button' flaw leaves smart TVs open to cyber attack (The Telegraph) A flaw in the standard that governs how broadcast streams are combined with web technologies leaves smart TVs open to cyber attack
Kids with operator's manual alert bank officials: "We hacked your ATM" (Ars Technica) Bank of Montreal gets schooled by teens who accessed owner's manual online
How 14-Year-Old coders hacked the ATM Machine (Hackers News Bulletin) The youngest security researcher we have reported on here was 14 years old, and now students of the same age have hacked a Bank of Montreal ATM in Winnipeg and informed the bank about how they were able to do it
Social Engineering Watch: UPATRE Malware Abuses Dropbox Links (TrendLabs Security Intelligence Blog) Threats like UPATRE are continuously evolving, as seen in the development of the techniques used to bypass security solutions. UPATRE malware are known downloaders of information stealers like ZeuS that typically spread via email attachments. We recently spotted several spam runs that use the popular file hosting service Dropbox. These use embedded links that lead to the download of UPATRE malware variants. What is noteworthy in these spam attacks is that it is the first instance we saw TROJ_UPATRE being deployed via a URL found in an email message
Cybercriminals Steal News Headlines for KULUOZ Spam Campaigns (TrendLabs Security Intelligence Blog) Last April, we reported a KULUOZ spam campaign using the South Korean ferry sinking tragedy, one that came hot at the heels of the actual event itself
iOS Malware Does Exist (Fortinet Blog) With our FortiGuard Labs reporting that 96.5% of all mobile malware is Android based, it would be easy to see why someone might opt for an iPhone. But, users beware. Don't write off iOS as the secure alternative to Android just yet! Despite Android malware being nearly an epidemic, or as Tim Cook referenced, "a toxic hellstew", iOS is not immune
Walgreens Acknowledges Insider Breach (eSecurity Planet) An undisclosed number of customers' names, birthdates and Social Security numbers may have been stolen by a former employee
After Heartbleed, We're Overreacting to Bugs That Aren't a Big Deal (Wired) Here's something else to blame on last April's Heartbleed security bug: It smeared the line between security holes that users can do something about, and those we can't. Getting that distinction right is going to be crucial as we weather a storm of vulnerabilities and hacks that shows no sign of abating
Security Patches, Mitigations, and Software Updates
Google to flag 'right to be forgotten' censored search results (Naked Security) Google may be forced to forget about you, but it just might stick a flag on the search results it's reluctantly expunged
iOS 8 Will Randomize Mac Addresses to Help Stop Tracking (Threatpost) Apple enthusiasts have been poring over the feature list for iOS 8, due out this fall, geeking out over the tighter integration among all iOS devices, the improved mail app and myriad other bells and whistles. But perhaps the most important change is a subtle one hidden beneath the covers that will help prevent much of the tracking of mobile devices that's done through WiFi hotspots
Cyber Trends
How Much Did Cybercrime Cost the World in 2013? (CBR) Cybercrime cost the global economy an estimated $445bn last year, up to a fifth of the value generated by the internet, says security firm McAfee
Upsurge In Hacking Makes Customer Data 'Toxic' To Retailers (Reuters via Business Insider) With hackers stealing tens of millions of customer details in recent months, firms across the globe are ratcheting up IT security and nervously wondering which of them is next
What data breaches teach us about the future of malware: Your own data could dupe you (PCWorld via MSN Tech & Gadgets) When eBay suffered a massive data breach a few weeks ago, most of the attention revolved around the compromise of passwords and the vulnerabilities in the site's security. While those are legitimate concerns, they obscure the most glaringly weak link in the security chain: people
GAO: Maritime security plans don't address cyber threats (FierceHomelandSecurity) Maritime security plans at three high-risk U.S. ports do not address how to assess, manage and respond to cybersecurity threats, according to a Government Accountability Office assessment of their policies and plans
Banks warn Britain's financial system remains at high risk of cyber (The Drum) The British Bankers' Association is to host a conference of financial institutions, as well as Interpol and Europol, the United Nations, Cabinet Office and Home Office tomorrow as part of efforts to shore up Britain's vulnerable financial system against attack by criminals and enemy states
Have today's privacy policies made us a society of liars? (Help Net Security) The importance of data privacy is becoming more and more prevalent: From major retailer breaches to identity and healthcare theft, the general public is growing more aware of the risk of data breaches and the importance of data privacy in all aspects of their online lives. In fact, a recent GfK survey of U.S. citizens found that 88 percent of respondents are concerned about the privacy of their personal data
Breakdown of traditional security models and strategies (Help Net Security) Increasing adoption of a more mobile, social, data-driven and consumer-like workplace is causing the breakdown of traditional security models and strategies, according to Gartner, Inc
XPocalypse, not now (ComputerWorld) Didn't hackers get the memo? They were supposed to be exploiting the unpatched Windows XP
The Link between Windows XP Users and Spam Volume (eSecurity Planet) Second quarter IBM X-Force Threat Intelligence report finds an uptick in spam volume
Marketplace
China-U.S. cyber spat risks corporate casualties (Reuters) China's security spat with the United States risks corporate casualties on both sides. The People's Republic has responded to U.S. allegations of cyber spying by targeting American tech companies. A continuing dispute could lead to blocked deals in the United States and lost sales in China. Though companies can try to ease concerns, it's hard for them to escape a political escalation
Microsoft, Qihoo 360 Sign Tie-up Deal (CRI) Microsoft and China's leading Internet security company Qihoo 360 on Monday signed a cooperation deal covering mobile Internet and artificial intelligence, underscoring the multinational's determination to further tap the Chinese market
MACH37™ Stars Mentor Network Begins Global Expansion Phase (Digital Journal) The MACH37™ Cyber Accelerator announced the expansion of its Stars Network with a global call for new members. The Stars Network includes successful cybersecurity entrepreneurs, domain experts, and industry thought leaders from throughout the United States. These mentors have committed to helping MACH37™ entrepreneurs validate their disruptive cybersecurity concepts and prepare their companies for investment
Microsoft founder Bill Gates sells off G4S shares (ComputerWorld) G4S is still recovering from an electronic monitoring scandal where it overcharged the UK government millions of pounds
DHS I&A workforce issues of significant concern, says GAO (FierceHomelandSecurity) The Homeland Security Department must address how it can develop and maintain a skilled workforce within the office of intelligence and analysis, says the Government Accountability Office
The new era of cyberinsurance (Examiner) Data breaches, work interruption and network damage, along with the intangible losses to business reputation, are among the security issues facing businesses. Cyberinsurance has become a priority business expense in planning for the new era of cyber-attacks, according to The New York Times
Cyberattack Insurance a Challenge for Business (New York Times) Julia Roberts's smile is insured. So are Heidi Klum's legs, Daniel Craig's body and Jennifer Lopez's derrière. But the fastest-growing niche in the industry today is cyberinsurance
Cyber Insurance May Be Vital, But Not Widely Available (Live Insurance News) Retailers may need to begin taking cyber liability insurance more seriously. The world is becoming more digital and businesses are beginning to follow consumers into the digital space in order to better accommodate their needs. This means that a growing number of businesses are beginning to expose themselves to digital threats, and these businesses may not be equipped to handle these threats in their various forms. Businesses have yet to fully comprehend the risks that are inherent in the digital world and as such are falling prey to malicious groups that would exploit sensitive information
Radware Receives Multi-Million Cyber-Attack Mitigation Contract From Global Cloud Provider (MarketWatch) Radware's attack mitigation system chosen to protect multiple datacenters in the U.S. and abroad
Products, Services, and Solutions
Lancope's StealthWatch Labs Conducts Advanced Research to Help Customers Fend Off Heartbleed and CryptoLocker Attacks (MarketWatch) Highly skilled research team provides tools for effective and continuous response to today's most damaging threats
Beepip unleashes email Snowden would be proud of (CoinTelegraph) When it comes to privacy, the shortcomings of email have been touted for years by various groups. Now an alternative seeks to use cryptography to decentralize private messaging over the internet
F-Secure releases one-click test for PCs infected by GameOver Zeus botnet (Beta News) Last week Microsoft boasted of aiding law enforcement in the take-down of the GameOver botnet, one of the leaders in the theft of banking information. However, Microsoft was not the only tech entity involved, and the death notice may have been a bit premature
Technologies, Techniques, and Standards
Kim Dotcom Can Encrypt Your Files. Why Can't Google? (Wired) On the one-year anniversary of Edward Snowden's first NSA document leaks, Bahaa Nasr spent the day in Beirut, teaching a roomful of Middle East activists how to thwart the kind of government-backed spying that Snowden so shockingly exposed
What you gonna do when they say good-bye? (FierceMobileIT) BYOD users could take more than their devices with them when they leave
NIST guidance helps agencies break from static IT system reauthorization cycle (FierceGovernmentIT) In a November 2013 memorandum, the Office of Management and Budget told agencies they could abandon a security reauthorization process required every three years in favor of ongoing authorization of information systems. Now, the National Institute of Standards and Technology is advising agencies on how exactly to make that transition
Supplemental Guidance on Ongoing Authorization Transitioning to Near Real-Time Risk Management (NIST, US Department of Commerce) Office of Management and Budget (OMB) Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems, stated that, "Our nation's security and economic prosperity depend on ensuring the confidentiality, integrity and availability of Federal information and information systems" and directs the National Institute of Standards and Technology (NIST) to publish guidance establishing a process and criteria for federal agencies to conduct ongoing assessments and authorization
New cyber security award launched to protect businesses online (Blackmore Vale Magazine) A new government cyber security scheme, which shows businesses' consumers that measures are in place to defend against common cyber threats, has been launched
Five ways to avoid costly compliance risks (Help Net Security) When it comes to violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, the stakes can be high. Recently, the New York Presbyterian Hospital and Columbia University agreed to settle, in the amount of $4.8 million, charges that they potentially failed to secure thousands of patients' electronic protected health information (ePHI) held on their network
In Praise Of Shadow IT (InformationWeek) 80% of those employed by enterprises larger than 1,000 people circumvent IT to use cloud-based tools, new research says. I say let them
Design and Innovation
German startup raises $2M for NSA-proof server (Help Net Security) A German startup has broken crowdfunding records as it managed to get pledges for 1.5 million Euros (around $2 million) in less than a few hours
Research and Development
"Turing Test" allegedly defeated — is it time to welcome your robot overlords? (Naked Security) I'm sure you have heard of, and indeed at some time faced up to and solved, a CAPTCHA
Academia
Drop out of college; earn a six-figure salary coding (ITWorld) A four year degree isn't the only path to a great development job — if you have the coding chops
Legislation, Policy, and Regulation
Chinese military responsible for some cyber attacks on U.S. federal systems, DoD says (FierceGovernmentIT) The Defense Department said some cyber attacks on federal and other global computer systems can be "attributable directly to the Chinese government and military," in its annual report to Congress
Annual Report to Congress: Military and Security Developments Involving the People's Republic of China 2014 (US Department of Defense) The People's Republic of China (PRC) continues to pursue a long-term, comprehensive military modernization program
China Slams Pentagon Report on Its Military: End This Annual 'Belly-Aching' (CNSNews) Criticizing the latest Department of Defense report on Chinese military developments, Beijing called the legally-mandated assessment to Congress "annual belly-aching" that should be abandoned
NSA Reform Bill Could Allow The Agency To Spy On More Phone Calls (Daily Caller) The major National Security Agency surveillance reform bill currently under consideration in the Senate could "potentially" allow for even more spying on Americans' phone calls, according to testimony from the upper chamber
Big tech walking fine line on data (Politico) A year after Edward Snowden shocked citizens with details of how much of their lives are being snapped up by the National Security Agency, tech giants have sounded alarms about the government's practices — but maintained near radio silence about their own data-collection efforts
Whitehall considers security shake-up (Government Computing) Untangling of security groups mooted to beef up and simplify oversight and governance
Jennifer Kerber to Lead GSA's Cloud Credential Program (ExecutiveGov) Jennifer Kerber, executive director of the nonprofit Government Transformation Initiative for a year, will join the General Services Administration's office of citizen services and innovative technologies to oversee its cloud credential program
Litigation, Investigation, and Law Enforcement
How Much Did Snowden Take? Not Even the NSA Really Knows (Newsweek) It was just over a year ago this week that former U.S. intelligence contractor Edward Snowden leaked a trove of secret National Security Agency documents detailing the agency's massive online spy program. What and how much Snowden took remains a mystery. On Tuesday, James Clapper, the director of National Intelligence, told The Washington Post that Snowden took less than the agency previously thought
Watchdog rebuffed on EPA data turns to NSA (Washington Times) A pro-business watchdog group sued the National Security Agency on Monday, demanding that the spy agency turn over metadata logs for some phones registered to top EPA officials in a pioneering legal maneuver that seeks to use the government's own secret data to check up on other agencies
Did Microsoft hand the NSA access to encrypted messages? (CFO World) In July last year, when the news broke that Microsoft had allegedly collaborated closely with US intelligence services to allow users' communications to be intercepted, it severely dented the image of the tech giant
To defeat encryption, feds deploy the subpoena (Ars Technica) Drop boxes, secured or not, are all the post-Snowden rage and ripe for subpoenas
NSA: Our systems are so complex we can't stop them from deleting data wanted for lawsuit (Washington Post) The National Security Agency recently used a novel argument for not holding onto information it collects about users' online activity: it's too complex
Ransom-taking iPhone hackers busted by Russian authorities (Naked Security) The mystery of the ransom messages from "Oleg Pliss," and the iDevice locking attack that popped up in Australia and the US last month, appears to have been solved
Hacker Fined $8,000 for Government Cyber Attack (eSecurity Planet) Delson Moo Hiang Kng placed an offensive image on the website of the president of Singapore's official residence
Tax Preparer Gets Five Years for Identity Theft (eSecurity Planet) Louis Francois was also ordered to pay $355,000 in restitution