Cyber Attacks, Threats, and Vulnerabilities
Vietnam ministry cyber-attack: confirmed (Thanh Nién News) The website of the Vietnamese Ministry of Natural Resources and Environment (MONRE) was attacked recently, but its confidential information remains untouched, a senior official has said
MONRE claims malware damage minimal (VietNamNet Bridge) The Ministry of Natural Resources and the Environment (MONRE) has denied assertions that its database on the East Sea was stolen by hackers
Beijing Behind Cyber Attacks on Hong Kong Poll? (New Tang Dynasty) On June 22, the Hong Kong pro-democracy movement's referendum faced what organizers described as the second largest cyber attack in history. While the public speculates about the 'herder' behind the attack, Hong Kong Internet security experts who analyzed the traffic say 40% of it came from Chinese-funded institutions. Referendum organizers believe the Communist regime was directing the attack
A Security Awareness Success Story (CIO) The recent Syrian Electronic Army attacks against IDG demonstrate that good security awareness works, say Ira Winkler and Samantha Manke
PayPal Responds to Report of Security Key Vulnerability (eCommerce Bytes) Researchers at a security firm discovered a vulnerability in PayPal's two-factor authentication (2FA), what PayPal calls the Security Key mechanism. As the Guardian newspaper noted, attackers would still need a PayPal user's username and password to compromise an account, but the paper added that "the vulnerability in PayPal Security Key would have made life far easier for hackers looking to steal PayPal users' funds"
PayPal security 'shoddy,' Two-Factor Authentication bypassed (Tweaktown) PayPal two-factor authentication website problems give criminals the ability to access accounts, send money
Patched Code Execution Bug Affects Most Android Users (Threatpost) A serious code-execution vulnerability in Android 4.3 and earlier was patched in KitKat, the latest version of the operating system. Researchers at IBM this week disclosed the nature of the vulnerability, which was privately disclosed to the Android Security Team in September and patched last November
Pangu exploits enterprise certificate to jailbreak iOS devices (FierceITSecurity) The Pangu iOS jailbreaking tool uses an Apple enterprise certificate to jailbreak and possibly gain control of devices running iOS 7.1 or higher, warns Lacoon Mobile Security in a blog
New iOS jailbreak could become sinister (IDG via CSO Salted Hash) A new jailbreak for Apple's iOS software that uses confidential information intended only for security researchers could develop into a more sinister attack, according to security analysts
This Mobile Malware Earns Money by Asking You to Download Another App (CBR) Worm breakout in North America may be indication of emerging trend. A mobile worm that earns its authors money by encouraging users to download legitimate software has been discovered in North America by security firm AdaptiveMobile
'Havex' malware strikes industrial sector via watering hole attacks (SC Magazine) "Havex," malware previously targeting organizations in the energy sector, has recently been used to carry out industrial espionage against a number of companies in Europe, a security company revealed
As Stuxnet Anniversary Approaches, New SCADA Attack Is Discovered (Dark Reading) F-Secure has unearthed a new attack against industrial control systems that goes after European targets, using rare infection vectors
Hackers found controlling malware and botnets from the cloud (NetworkWorld) Along with all that cloud traffic coming into your business may be some malware
Banks, payment services and social networks most targeted by phishing kits (SC Magazine) Financial institutions, ePayment and money transfer services, and social networks are the top three targets of phishing kits, respectively, according to PhishLabs
Asia Beware: Ransomware is Traveling East (ComputerWorld) In late May this year, Microsoft came out with a security report that made a bold declaration: deception is now the favourite tactic of cybercriminals
The Year Extortion Went Mainstream (Krebs on Security) The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these modern-day shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime
How Much Money Do Cybercriminals Earn? (Kaspersky Lab) When you read about hundreds of thousands of viruses that appear each day, you may wonder, who puts so much effort in development of this malware and why. The answer is simple — they are criminals and they do it because it is very, very profitable. Our researchers have discovered an Internet server being used for controlling the attack targeted at users of a large European bank. Log files from this server show that in just one week criminals stole more than 500,000 Euros from a bank's clients and transferred these funds to accounts, controlled by thieves
What's next: Advanced Evasion Techniques (Help Net Security) Advanced evasion techniques, or AETs, are delivery mechanisms used to disguise advanced persistent threats (APTs) and permit them to slip through network security undetected
A security threat most companies don't know about (TechPageOne) Windows servers require constant monitoring or automated add-ons to secure networks
US airports compromised during major APT hacking campaign, says CIS (CSO) APT hackers successfully compromised the networks of two US airports in the summer of 2013 as part of a major campaign targeting dozens of others, a report from public sector security non-profit the Center for Internet Security (CIS) has revealed
Microsoft computer scheme resurfaces (KUSA) Security experts say that thieves are ramping up criminal activity along the Front Range, and that we may be seeing a new scam in our area very soon
Revenge porn hits two high profile boyfriends where it hurts (Naked Security) On Monday morning, one of Twitter's political sides exploded with revelations that a troll had leaked screen captures of a text message exchange and email, all of which suggested an extramarital affair between former NSA analyst John Schindler and a conservative Twitter user named Lesley
Security Patches, Mitigations, and Software Updates
Twenty-year-old vulnerability in LZO finally patched (CSO) LZO is a compression algorithm that touches almost everything
Decades-Old Vulnerability Threatens 'Internet Of Things' (Dark Reading) A newly discovered bug in the pervasive LZO algorithm has generated a wave of patching of open-source tools such as the Linux kernel this week
Cyber Trends
Cooperation Key to Security in the Cyber Domain (Digital Journal) In cybersecurity, the motto is partner or perish, leaders at AFCEA International Cyber Symposium agree
Airport breach a sign for IT industry to think security, not money (CSO) Time for the nation's best technology minds to start building better security for critical infrastructure, expert says
Gartner Identifies the Top 10 Technologies for Information Security in 2014 (FierceITSecurity) Gartner, Inc. today highlighted the top 10 technologies for information security and their implications for security organizations in 2014. Analysts presented their findings during the Gartner Security & Risk Management Summit, being held here through June 26
The unlocked backdoor to healthcare data (Help Net Security) The majority of healthcare vendors lack minimum security, as illustrated by the fact that more than 58% scored in the "D" grade range for their culture of security
Cloud Security: Think Today's Reality, Not Yesterday's Policy (Dark Reading) SaaS, BYOD, and mobility are inseparable, yet time and time again companies attempt to compartmentalize the three when they make a move to the cloud. That's a big mistake
Study: Cybersecurity problems won't be solved with a permanent solution any time soon (FierceGovernmentIT) Don't expect a decisive and lasting solution to cybersecurity problems in the near future, according to one finding in a recently published report by the National Research Council
How old are today's networks? (Help Net Security) The percentage of aging and obsolete devices in today's corporate networks around the globe is at its highest in six years, signaling that the global financial crisis of recent years may still have a lingering effect today, according to Dimension Data
Why A Secured Network Is Like The Human Body (Dark Reading) It's time to throw away the analogies about building fortresses and perimeter defenses and start to approach InfoSec with the same standard of care we use for public health
IT Managers Are Overconfident About Insider Breaches (eSecurity Planet) While 63 percent think it's easy to govern access rights, 42 percent admit they aren't able to monitor or prevent insider breaches
Marketplace
CACI eyes the market for more acquisitions (Washington Business Journal) It's been about seven months since CACI International Inc. borrowed $800 million to fund its Six3 acquisition. Now it's counting how much is leftover for its next deal
IBM, Lenovo Tackle Security Worries on Server Deal (Wall Street Journal) International Business Machines Corp. and Lenovo Group Ltd. are grappling with ways to resolve U.S. security concerns over IBM's proposed $2.3 billion sale of its computer-servers business to the Chinese company. The deal, struck in January, remains in limbo as the U.S. government investigates security issues around IBM's x86 servers, which are used in the nation's communications networks and in data centers that support the
German government terminates Verizon contract over NSA snooping fears (ComputerWeekly) The German government is to end a contract for internet services with US-based telecoms firm Verizon over concerns of snooping by the US National Security Agency (NSA)
Palo Alto expands RI presence (Jakarta Post) California-based network security firm Palo Alto Networks is expanding its presence in Indonesia to profit from the growing demand for cyber security, not only among business entities but also government institutions
Defense intelligence officials struggle with mobile pilots (Defense Systems) The military services aren't the only organizations in the Defense Department trying to figure out how to use mobile systems and wireless connectivity — intelligence community members such as the Defense Intelligence Agency are also trying to find solutions
What is ex-NSA spyboss selling for $1m a month, asks US congressman (The Register) Former snoop Gen Alexander's security consultancy under the microscope
Dell Focuses On Security (InformationWeek) Dell made a flurry of security-minded announcements this week, highlighted by improvements to its Dropbox for Business integration
Products, Services, and Solutions
A look at Interflow, Microsoft's threat information exchange platform (Help Net Security) In the last few years, there has been one constant call from almost all participants in the information security community: the call for cooperation. But that is easier said than done: you need to make collaboration mutually beneficial and, above all, easy
Legal Hackers Tackle Revenge Porn and Parolee Reentry (Law Technology News) Projects include an app that helps parolees discreetly access information about drug tests
VASCO Passes Record Milestone: Sells 200 Millionth Authenticator (Vasco News) DIGIPASS is the number one authentication solution used by banks worldwide to combat fraud and account takeover
Bugcrowd Announces New Flex Bounty Security Testing Program (IT Business Net) Company also issues first-ever report on the economics of bug bounties
M2Mi Announces Support for OASIS MQTT and the NIST Cybersecurity Framework (Digital Journal) Machine-to-Machine Intelligence (M2Mi) Corporation, provider of M2M Intelligence®, the essential platform for the M2M & Internet of Things economy, today announced support for the recently published OASIS MQTT and the NIST Cybersecurity framework
EE pre-loads Lookout software on Android devices (Telecompaper) EE has partnered with mobile security company Lookout to pre-load the Lookout Mobile Security app on EE Android smartphones and tablets
FireMon Named Best Security Solution in GTRA's GOVTek Awards Program (MarketWatch) FireMon, the industry leader in proactive security intelligence solutions, today announced that it was named Best Security Solution in the Government Technology Research Alliance's (GTRA) GOVTek Executive Government Technology Awards program
XL Group launches Brazil cyber liability coverage (BNAmericas) The product includes professional indemnity coverage for IT firms
Technologies, Techniques, and Standards
Oil & Natural Gas Industry Forms ISAC (Dark Reading) New ONG-ISAC joins existing Information Sharing and Analysis Centers for electricity, water, and other critical infrastructure sectors
When is it a Breach? (securitycurrent) One of the most difficult decisions a CISO has to make is the one that says the organization suffered a data breach
Not All Malware is Created Equally (BankInfoSecurity) Not all malware strains pose equal threats to an organization. So, how does one distinguish the most dangerous forms? Through layered security controls, says Julian Waits, CEO of ThreatTrack Security
Community Banks Gear Up Against Cyber Security Threats (PYMNTS) In a bid to protect banks from ever-growing cyber security threats, the Federal Financial Institutions Examination Council (FFIEC) has launched a new program to assess the security readiness of 500 community banks against cyber attacks
Research and Development
Cryptographic Proof Paves Way for Nuke-Free World (Sci-Tech Today) A mathematical trick designed by cryptographers could be a key tool in nuclear disarmament. The question was, can you authenticate something without revealing anything about it? After all, nobody wants a foreign inspector seeing how a warhead is made. Mathematicians tinkering with zero-knowledge proofs may have found the answer
Legislation, Policy, and Regulation
German Official: U.S. Spying 'Biggest Strain' in Relations Since Iraq War (Wired) As U.S. and German officials meet this week to discuss privacy and security in the cyber realm, a German official is calling recent revelations of NSA spying on his country the "biggest strain in bilateral relations with the U.S." since the controversy surrounding the 2003 invasion of Iraq
Head of Britain's MI6 spy agency to step down (AP via KTVL CBS News 10) Wanted: Spymaster. Discretion an asset. Britain's MI6 intelligence agency announced Thursday that director John Sawers will leave in November at the end of his five-year term. MI6 says the recruitment process for Sawers' successor will begin soon
Information Security: Additional Oversight Needed to Improve Programs at Small Agencies (GAO) The six small agencies GAO reviewed have made mixed progress in implementing elements of information security and privacy programs as required by the Federal Information Security Management Act of 2002, the Privacy Act of 1974, the E-Government Act of 2002, and Office of Management and Budget (OMB) guidance
Senate panel passes procurement, cyber reform bills (Federal Times) The Senate Homeland Security and Governmental Affairs Committee passed several bills June 25 that would reform agency IT spending and IT project management — and save the government money, according to proponents
The Tech Trends Making Government Smarter (Forbes) The public sector is often the last to adopt big tech trends. Change tends to arrive slowly in government, especially in organizations without much dedicated IT staff. Unfortunately, that can mean missing out on the cost savings and civic engagement new technologies offer
Two new squadrons coming to Scott (AdvantageNEWS) U.S. Rep. Bill Enyart (D-Illinois) announced the addition of two new cyberprotection squadrons at Scott Air Force Base
South Texas base gets expanded cybersecurity role (AP via the Bryan-College Station Eagle) A South Texas military installation and affiliated agencies will add more than 1,100 personnel as part of increased cybersecurity duty
We don't need net neutrality; we need competition (Ars Technica) Op-ed: "Unbundled access" actually works
Litigation, Investigation, and Law Enforcement
SCOTUS Rules That Cellphone Searches Require Warrants (IEEE Spectrum) In a unanimous ruling yesterday the Supreme Court held that a police officer must obtain a warrant to search a cell phone. This will likely apply to computer and tablet searches as well, and acknowledges that a phone these days is far more like a file cabinet in a home, which historically cannot be searched without a warrant, than a wallet, which can
Why the Supreme Court May Finally Protect Your Privacy in the Cloud (Wired) When the Supreme Court ruled yesterday in the case of Riley v. California, it definitively told the government to keep its warrantless fingers off your cell phone. But as the full impact of that opinion has rippled through the privacy community, some SCOTUS-watchers say it could also signal a shift in how the Court sees the privacy of data in general — not just when it's stored on your physical handset, but also when it's kept somewhere far more vulnerable: in the servers of faraway Internet and phone companies
Massachusetts Supreme Court Rules Defendant Must Decrypt Data (Threatpost) Encryption software has been enjoying a prolonged day in the sun for about the last year. Thanks to the revelations of Edward Snowden about the NSA's seemingly limitless capabilities, security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops
Facebook Search Warrant Disclosure Reveals Scope of Government Requests (TechCrunch) Facebook announced Thursday it's been pushing back against a bulk set of search warrants requesting private data from its user accounts since last summer
NSA Whistleblowers to Testify Before German Parliamentary Committee in July (Dissenter) National Security Agency whistleblowers Thomas Drake and William Binney will testify before a German parliamentary committee on July 3. They both will give testimony as part of an inquiry into details of NSA surveillance in Germany, which have been revealed through news stories based upon documents from NSA whistleblower Edward Snowden
Google is trolling the EU with passive-aggressive disclaimers on search results (Quartz) If you try to search Google for content that falls afoul of copyright laws, Google transparently and openly tells you that some results have been removed. Here's a notice from a search for "Games of Thrones download"