Cyber Attacks, Threats, and Vulnerabilities
Chinese Hackers Pursue Key Data on U.S. Workers (New York Times) Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances
Deep Panda — three years of attacks to defend China's oil interests (SC Magazine) Attack vectors demonstrate the sophistication of malware available to cyber-criminals globally, says CheckPoint MD Keith Bird
Hackers threaten 'Israhell' cyber-attack over Gaza (Times of Israel) Israel already faces a million cyber-attacks a day; things might get worse before they get better, say experts
@ISIS Is #Winning (Foreign Policy) Why is a barbaric medieval caliphate so much better at social media than Washington?
Pakistan's major political Party "PPP" website hacked. (HackRead) The official website of Pakistan's major political party "Pakistan People's Party" was hacked
Anonymous Norway claim massive cyber-attack on Norwegian banks (Digital Journal) A massive cyber-attack was launched Tuesday, simultaneously affecting many of the top banks and financial institutions in Norway. Dubbed the country's biggest-ever network attack, responsibility has already been claimed by Anonymous Norway
Indian government agency issues fake Google certificates (ZDNet) Some systems trusted the fake certificates, some didn't, but Google moved quickly to tell others to revoke them
Google catches India with fake certificates (Help Net Security) As the world becomes more dependent, and some might say blindly so, on digital certificates it's only natural that attackers will seek to circumvent this trust. Whether because the Indian government was complicit or a victim of hacking in the issuance of certificates that impersonated Google, the result is the same — individuals, businesses, and even many governments placed blind trust in digital certificates and as such we're all the victims
Crypto certificates impersonating Google and Yahoo pose threat to Windows users (Ars Technica) OS currently has no reliable way to detect bogus credentials released into the wild
Campaign targeting user credentials discovered after five years (CSO) The low-signal campaign has operated undetected for years
BrutPOS Botnet Compromises insecure RDP Servers at Point-of-Sale Systems (Hacker News) Cyber criminals are infecting thousands of computers around the world with malware and are utilizing those compromised machines to break into Point-of-Sale (PoS) terminals using brute-force techniques, and the attackers have already compromised 60 PoS terminals by brute-force attacks against poorly-secured connections to guess remote administration credentials, say researchers from FireEye
BrutPOS Botnet Targets Retail's Low-Hanging Fruit (Dark Reading) FireEye discovers a botnet that's going after point-of-sale systems showing bad passwords and other basic security no-nos
Evolving Zeus malware used in targeted email attacks (ZDNet) New strains of the malevolent Zeus malware have been discovered using the Windows 'PIF' file extension to steal information from compromised computer systems
Blackshades RAT analysis finds key to popularity (CSO) Security vendor Akamai dissects notorious Blackshades toolkit and finds it rich in features for the nontechnical criminal
Blackshades RAT is a Serious Threat (Akamai Blogs) Akamai's Prolexic Security Engineering & Research Team (PLXsert) is warning companies of stealth surveillance and computer hijacking attacks by the Blackshades Remote Administration Tool (RAT) crimeware kit
Vulnerability in AVG security toolbar puts IE users at risk (PCWorld) Implementation issues with AVG Secure Search, a browser toolbar from antivirus vendor AVG Technologies that's supposed to protect users from malicious websites, could have allowed remote attackers to execute malicious code on computers
DHS Releases Hundreds of Documents on Wrong Aurora Project (Threatpost) In response to a Freedom of Information Act request for information about the Operation Aurora attack on Google and other organizations in 2009 the Department of Homeland Security released hundreds of pages of documents related not to that attack campaign, but to the Aurora project run at Idaho National Lab years earlier in which engineers destroyed a generator with a cyber attack as a demonstration
Google Aurora vs ICS Aurora — an industry and DHS debacle (Control Global) This is actually two blogs in one. The first is about DHS releasing critical information they weren't even asked for. The second is about the lack of progress on addressing a subject that DHS made public
Cyber criminals imitate FIFA website for phishing: Kaspersky (Economic Times) Trying to cash in on the ongoing football World Cup frenzy, cyber criminals have come up with a webpage that imitates the original FIFA website, which has been designed for phishing activities, according to Russian cyber security solutions provider Kaspersky
Android Data Wipe Leaves Personal Data (InformationWeek) Factory reset tool on Android smartphones does not remove all photos, emails, chats, and other personal data, says security firm
The new plague: Computer viruses that extort you (News4Jax) Ransomware locks you out of your files until you pay up
Security Patches, Mitigations, and Software Updates
Buffer Overflow Vulnerabilities in Yokogawa ICS Gear Patched (Threatpost) Vulnerabilities in production control system software used in manufacturing, energy and other critical industries worldwide have been patched by the vendor, an advisory from the Industrial Control System Cyber Emergency Response Team said
Cyber Trends
Firms braced for more cyber attacks as sloppy practices continue (Microscope) Customers are braced for more cyber attacks but are continuing to make fundamental mistakes in regards to caring for their data according to the latest insights into the industry
Hospitals mining credit card data to predict and control patient behavior (FierceBigData) Say hello to new risk scores. Yes, credit behavior is taking on a whole new meaning. Credit behavior is no longer only predicting your risk as a borrower, but additionally your risk as a health liability on society and to health providers
Marketplace
In Fog Of Cyberwar, US Tech Is Caught In Crossfire (Dark Reading) Distrust of the US intelligence community is eroding consumer confidence and hampering US technology firms on the global stage at a time when the sector should be showing unprecedented growth
WatchGuard leads the way in key security markets (TechDay) WatchGuard Technologies has been identified as a leader in three categories of Unified Threat Management and Next Generation Firewall, cementing the company's position within the industry
Leidos Awarded Contract By Wichita Airport Authority (Wall Street Journal) Leidos (NYSE: LDOS), a national security, health, and engineering solutions company, was awarded a prime contract by the Wichita Airport Authority to install and integrate IT/communications systems for the new airport terminal at Wichita Mid-Continent Airport, now known as the Dwight D. Eisenhower National Airport. The single-award firm, fixed-price (FFP) contract has a 10-month period of performance and a total contract value of approximately $10 million. Work will be performed in Wichita, Kan
CERDEC Supports U.S. Army Effort to Modernize Crypto Devices (SIGNAL) CERDEC's Space and Terrestrial Communications Directorate engineers integrate modern protective equipment into an active circuit while simultaneously pulling out the legacy hardware. One by one, U.S. Army engineers are updating legacy cryptographic equipment in an effort to catch up, and then keep pace, with 21st century technological advances already made to the service's tactical networks
KnowBe4 Acts on Security Threat Concerns with Ransomware Warranty (Insurance News Net) In response to a recent study done on IT professionals, KnowBe4 CEO Stu Sjouwerman announced an extension of the company's offer to pay any customer's cyber ransom with Bitcoin if they are hit after stepping through KnowBe4's security awareness training. Our 300+ sample study shows 88% of IT professionals expect ransomware to grow the rest of this year. The proliferation of ransomware attacks includes a shift from PCs to mobile devices and can add up to dire consequences for organizations with BYOD
Products, Services, and Solutions
Tufin security orchestration puts spotlight on policies (TechTarget) Tufin Technologies introduced an upgraded version of its security orchestration platform that gives administrators a unified, easy-to-digest display of network segments and their associated security policies
Technologies, Techniques, and Standards
Is encryption the prescription for smartphone-based medical care? (FierceMobileIT) I came across an interesting survey about mobile healthcare. It seems that most smartphone users want to communicate with their doctors using their smart device
Big Data security mistakes, tips and tricks (Help Net Security) In this interview, Mark Cusack, Chief Architect at RainStor, talks about the main challenges of handling petabyte-scale volumes of data, illustrates the most obvious mistakes that companies make with their Big Data projects and offers advice to organizations about to welcome Big Data into their cloud storage environments
Titan: Enabling Low Overhead and Multi-faceted Network Fingerprinting of a Bot (SysNet) Botnets are an evolutionary form of malware, unique in requiring network connectivity for herding by a botmaster that allows coordinated attacks as well as dynamic evasion from detection. Thus, the most interesting features of a bot relate to its rapidly evolving network behavior. The few academic and commercial malware observation systems that exist, however, are either proprietary or have large cost and management overhead. Moreover, the network behavior of bots changes considerably under different operational contexts. We first identify these various contexts that can impact its fingerprint. We then present Titan: a system that generates faithful network fingerprints by recreating all these contexts and stressing the bot with different network settings and host interactions. This effort includes a semi-automated and tunable containment policy to prevent bot proliferation. Most importantly, Titan has low cost overhead as a minimal setup requires just two machines, while the provision of a user-friendly web interface reduces the setup and management overhead
How to Block Automated Scanners from Scanning your Site (Acunetix) This blog post describes how to block automated scanners from scanning your website. This should work with any modern web scanner parsing robots.txt (all popular web scanners do this)
6 Things That Stink About SSL (Dark Reading) Users might not care to trust the very mechanism that's supposed to provide online trust
User Education Key in Fighting Mobile Malware (eSecurity Planet) Train users to read and heed mobile application permissions, says McAfee Labs
Design and Innovation
In defense of techno-panics: Why a little worry can be a good thing (IT World) We're not endorsing full-on freakouts about every exciting new technology. But sometimes a little pushback can be a good thing
Research and Development
Locking Down The Chip (Semiconductor Engineering) The push toward securing chips is complicated by the amount of third-party IP that is being used inside of today's complex SoCs. This has cast new light on the potential for on-chip networks to also function in securing signals that flow through those networks
US lawmaker asks FTC to probe implications of Facebook 'big data' experiment (CSO) A U.S. senator has asked the Federal Trade Commission to scrutinize the use of big data by Facebook and other Internet companies, following a controversy over a Facebook experiment on some of its users
What would make you quit Facebook? Here's what you said… (Naked Security) Last week we asked our readers to take a poll about Facebook's controversial social experiment on thousands of unknowing users
Academia
Academia's Cyber Awakening (Hacksurfer) Academia is finally starting to really invest in cybersecurity as an option of course study for many students at the undergraduate and graduate levels. Schools like Carnegie Mellon, University of Southern California, Duke, and several others are creating programs and adding courses to their existing curricula
Narus and Politecnico di Torino Announce New Cyber Innovation Center (IT Business Net) Narus, Inc., a subsidiary of Boeing NYSE:BA and leader in big data analytics for cybersecurity solutions, and the Politecnico di Torino, one of the most recognized research universities in Italy, announced a new Cyber Innovation Center. Located on the prestigious engineering university's campus, the new center will focus on advanced cybersecurity research projects and prototyping of technologies that help identify and resolve cyber threats. Leveraging the expertise of local talent, the new center will also foster advanced science, technology, engineering and math (STEM) education while generating new technologies that will be integrated into Narus products
Penn State's Security and Risk Analysis program receives NSA designation (Penn State News) From allegations of Chinese hackers stealing American companies' trade secrets to a security breach at Target that compromised the personal and financial data of millions of customers, the United States is dealing with increasingly sinister security and privacy threats. To combat the onslaught of cybercrime, the government is in dire need of robust cybersecurity tools and practices, as well as individuals who are qualified to develop and execute them
Legislation, Policy, and Regulation
Joint Statement by the Office of the Director of National Intelligence and the Department of Justice on Court-ordered Legal Surveillance of U.S. Persons (IC on the Record) It is entirely false that U.S. intelligence agencies conduct electronic surveillance of political, religious or activist figures solely because they disagree with public policies or criticize the government, or for exercising constitutional rights
China, U.S. say committed to managing differences (Reuters via Yahoo! News) China and the United States need to manage their differences, the leaders of both countries said on Wednesday at the start of annual talks expected to focus on cyber-security, maritime disputes, the Chinese currency and an investment treaty
Review aimed at framework for cyber stability plows familiar ground (Inside Cybersecurity) A yearlong State Department study effort to craft a "framework for international cyber stability" has produced a draft report endorsing ongoing work on international norms of behavior for cyberspace and urging industry involvement, though the document fails to break much new ground
NSA efforts to gather data by weakening cybersecurity are self-defeating, experts say (FierceGovernmentIT) The National Security Agency's attempts to enhance U.S. security through the massive collection of personal computer and communications data have actually had the opposite effect, a panel of industry experts maintained
The Era of the Unfettered Surveillance State (Valdosta Today) On Sunday, the Washington Post released a bombshell stemming from a four-month long investigation by The Post, finding that "ordinary Internet users, American and non-American alike, far outnumber legally targeted foreigners in the communications intercepted by the National Security Agency from U.S. digital networks"
UK Fast Tracks Emergency Surveillance Law (TechCrunch) The UK government has confirmed it will introduce emergency legislation next Monday that will require Internet and phone companies to keep records of customer metadata
UK's emergency data retention law: Balancing security and fundamental rights is a tricky business (TNW) The UK's Prime Minister David Cameron and Deputy Prime Minister Nick Clegg have just wrapped up a press conference explaining why emergency security legislation had to be put into place to ensure that ISPs and other communications providers continued to keep records of users' activity for up to 12 months
Azerbaijan's Electronic Safety Centre joins APWG (Azernews) The Azerbaijani Centre of Electronic Safety under the Communications and High Technologies Ministry has become a member of the Anti-Phishing Working Group (APWG). The membership will create opportunities for successful continuation of Azerbaijani electronic safety policy in the international arena
Final deadline: Register your UAE Sim card now or lose it forever (Emirates 24/7) All mobile subscribers of the UAE's two telecom operators, etisalat and du, who have not re-registered their Sim cards with their respective service providers will have their numbers deactivated from July 16
Army Leaders Defend Flawed Intelligence System (Boston.com) Gen. John Campbell, the army's vice chief of staff and nominee to lead U.S. forces in Afghanistan, cited his son's experiences as a soldier there to answer a senator's tough questions last year about a troubled intelligence technology system
Instagram's ambiguous takedown highlights the challenge for foreign apps in China (Quartz) Another day, another foreign app blocked in the world's biggest mobile market
Litigation, Investigation, and Law Enforcement
Researcher: I Was Suspended For Finding Flaws In FireEye Security Kit (Forbes) A security researcher's life is one filled with awful nadirs and dizzying zeniths. In uncovering weaknesses in other people's kit, damaging the reputation of the affected manufacturer but making the web that little bit safer, they risk being torn apart by interested parties or exalted by the security community for doing a good job. Yesterday, one thought he'd lost his job simply because he posted information on the internet about vulnerabilities in security technologies made by FireEye, one of the hottest names in the malware defence industry
Newly Released Foreign Intelligence Surveillance Court Primary Orders Related to Collection and Use of Telephony Metadata (IC on the Record) Following a declassification review by the Executive Branch, the Department of Justice released on July 8, 2014, in redacted form, three primary orders issued by the Foreign Intelligence Surveillance Court in 2009. These orders authorized the National Security Agency's collection and use of telephony metadata under Section 501 of the Foreign Intelligence Surveillance Act
New Verizon Transparency Report Shows Large Government Appetite for Location, Content Data (Threatpost) Verizon said in a new transparency report that though the number of some kinds of orders dropped — including wiretap orders and warrants — others rose, including general orders and pen register and trap and trace orders, and the company received nearly 150,000 total orders in the first half of 2014
Target to Seek Lawsuit Dismissals (Data Breach Today) Target Corp. has requested that a U.S. district court halt the discovery process for class action lawsuits stemming from its December 2013 data breach until the court can consider its forthcoming motions to dismiss most of the suits
Google lawsuit highlights why every business needs to manage its online presence (Naked Security) Long before the internet was born, the secret to running a successful business was, according to my business tutor, primarily about location, location, location
Vermont Attorney General Fines Local Business For Failing To Notify Consumers Of Security Breach (Office of Inadequate Security) Shelburne Country Store in Shelburne, Vermont will pay a $3,000 civil penalty for failing to inform 721 internet buyers of a security breach of their credit card information. In late 2013, the company's website was hacked and credit card information stolen. Upon being informed of the breach in January 2014, the company quickly fixed the problem, but did not notify consumers until it was contacted by the Attorney General's Office
Microsoft drops case that severed DNS hosting for millions of No-IP nodes (Ars Technica) No-IP didn't knowingly harbor botnet operators targeted in takedown, MS declares
Judge denies Silk Road's demands to dismiss criminal prosecution (Ars Technica) Ross Ulbricht claimed he couldn't have laundered money, as Bitcoin isn't money
Germany Just Kicked Out The CIA Chief In Berlin (Business Insider) Germany has asked the top U.S. spy in the country to leave, according to multiple reports
Germany investigates second U.S. spy case (USA Today) Germany is investigating a second case of a German allegedly spying for the United States. The country is already outraged over allegations that the National Security Agency (NSA) carried out mass surveillance of both politicians and voters
Motorola devices could be banned in Germany after it loses patent fight (ZDNet) A local court in the country has found that some Moto handsets infringe a manufacturing process
Lawyer: Snowden asks to extend stay in Russia (Seattle Times) Former National Security Agency contractor Edward Snowden has applied to extend his stay in Russia, his lawyer said Wednesday
Jill Abramson Talks Obama Secrecy and Her New York Times Firing (Daily Beast) Two months after her abrupt exit from the Gray Lady, the former executive editor delivered a speech about how different Obama is from Bush — and why she was dismissed from her post
Glenn Greenwald on Why the Latest Snowden Leak Matters (Wired) After weeks of broadcasting his intention to "name names" and publish the identities of specific Americans targeted by the NSA and FBI for surveillance, journalist Glenn Greenwald finally made good on his promise