Cyber Attacks, Threats, and Vulnerabilities
Hackers target Israeli Govt, claim leaking login details in support of Palestine (HackRead) Hackers from around the world are targeting Israeli government against the ongoing bombing over Gaza Strip, Palestine
Anonymous hacks Israeli Galilee Development Authority website for Palestine (HackRead) Anonymous hacker AnonGhost has hacked and defaced the official website of Galilee Development Authority, which is directly under the Israeli ministry of Rural development authority
China accused of global zero-day attack on shipping firms (SC Magazine) A suspected Chinese government cyber-attack called 'Zombie Zero' has been targeting shipping, logistics and manufacturing companies worldwide, according to US security research firm TrapX
Why were this company's computers attacked millions of times this year? Algae. (Washington Post) About 16 months ago, a Florida-based biofuel company called Algenol noticed that its Internet service was slowing down. In checking that out, Jack Voth, Algenol's information technology chief, stumbled on something odd: a telnet connection to its videoconference camera from an Internet Protocol address in China, a country where Algenol has never sought to do business
China Labels iPhone a Security Threat (Wall Street Journal) China's influential state broadcaster on Friday called a location-tracking function offered by Apple Inc. AAPL +0.78%'s iPhone a "national security concern," in the latest sign of a backlash in the country against U.S. technology firms
Apple responds to China's claim iPhone is a 'national security threat' (CSO) Apple's rebuttal against claims iPhone is a national security threat
No likely data breach from reported Chinese hacking: US (AFP via Yahoo! News) The personal data of thousands of US government workers was not compromised in a recently reported cyber attack, officials say, amid fresh allegations that Chinese hackers accessed computers housing employee information
Adobe Flash: The most INSECURE program on a UK user's PC (The Register) XML a weak spot, but nothing's as dire as Adobe player
Lack of Certificate Pinning Exposes Encrypted iOS Gmail App Communication (Threatpost) Google's Gmail application for iOS fails to perform a task called certificate pinning, which could expose the users of affected devices to man-in-the-middle attacks capable of monitoring encrypted email communications
Google denies report of Gmail security risk on Apple iOS (CSO) Google says the 'pinning' technique Lacoon Mobile Security says should be in Gmail would not protect users
Beware Keyloggers at Hotel Business Centers (Krebs on Security) The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests
Attack Campaign Targets Facebook, Dropbox User Credentials (Dark Reading) The goal of the attackers is not fully clear but the credential theft could set up sophisticated targeted attackers
"Gameover" malware returns from the dead… (Naked Security) In early June 2014, international law enforcement agencies combined to carry out a hugely successful action called Operation Tovar against the cybercrime group behind the malware family known variously as Gameover, Gameover Zeus or GOZ
Gameover Zeus Trojan Returns (BankInfoSecurity) Gameover Zeus appears to have returned, just one month after an international law enforcement operation targeted the malware in a high-profile takedown operation
CryptoLocker's delivery platform remains operational (CSO) A new report from BitDefender warns that the content delivery network used by CryptoLocker is still up and running, and while it isn't serving the ransomware that made it famous, it's still a vital communications channel for various other threats
After takedown efforts, Cryptolocker fate still "undetermined," firm says (SC Magazine) Bitdefender Labs, the security company that discovered Cryptolocker ransomware, says the fate of the malware is "undetermined," despite continuous takedown efforts
Microsoft revokes trust in certificate authority operated by the Indian government (IT World) A security breach at India's National Informatics Centre resulted in at least 45 rogue digital certificates for Google and Yahoo domains
The Vice in the Device #2 (Cyactive) With the number of new mobile malware growing by 167 percent over the past year, and mobile phones taking an ever increasing part in people's daily lives, a number of major new mobile malware were discovered lately, reusing code and methods from earlier malware
LastPass Sadly Downplays Pair of Year-Old Vulnerabilities (NoVA Infosec) On Friday our favorite password manager LastPass published a nonchalant blog post about two vulnerabilities discovered by researcher Zhiwei Li last year
Security Patches, Mitigations, and Software Updates
LibreSSL ships first portable version, now up to 48% less huge! (Naked Security) Just under three months ago, we wrote about a coding project called LibreSSL
Cyber Trends
Hacking Gets Physical: Utilities At Risk For Cyber Attacks (Forbes) Imagine this: Your city has been out of electricity for a full day because the power grid is being held ransom by an international group of hackers, demanding money before electricity will be restored. While this might sound like the plot of a dystopian novel, Dr. Larry Ponemon, founder of the Ponemon Institute, says this kind of attack on an electrical grid or water system could be in our future if critical infrastructure sectors don't improve their security systems
Study: Most Critical Infrastructure Firms Have Been Breached (Dark Reading) A new Ponemon Institute study finds 70% of critical infrastructure companies have been hit by security breaches in the last year, but cyber security programs are still a low priority
Managing Cyber Risk: Job #1 for Directors and General Counsel (FTI Journal) Each year, FTI Consulting and NYSE Governance Services survey public company directors and general counsel about the legal and governance issues that concern them the most
Cyber attacks target teleco industry (Business Tech) Kaspersky Lab has found that targeted cyber attacks are on the rise year-over-year, and also identified the business sectors most likely to be targeted
Businesses will experience cyber-attacks: Deloitte report outlines top threats for seven industries and provides tips to understand greatest risk (Trend) Advanced Persistent Threats have become a reality for all organizations that depend on digital technology
Exploring the BYOD security dynamic (Help Net Security) Webroot examined the use and security of personal mobile devices in the work environment from both the employee and employer perspectives
Empowered Millennials expect BYOD (Help Net Security) New data finds that Millennials — the new generation of workers born between the early 1980s and the early 2000s — are highly dedicated to their jobs and often times work well beyond normal business hours. Yet they remain fiercely independent in their work habits — craving greater freedom and flexibility to work whenever and wherever they feel most productive
Businesses are deprioritizing information security (Help Net Security) Businesses are deprioritizing information security and decreasing their investment in the destruction of confidential information, according to Shred-it
Japan rushes to thwart cyber onslaught (The Age) Shortly after the alert sounded at 9.10pm, Yahoo Japan Corp.'s risk team knew it had a problem. More than 20 million usernames and passwords belonging to its customers were being dumped into a file, primed to be stolen
Marketplace
Insurers struggle to get grip on burgeoning cyber risk market (Reuters via the Chicago Tribune) Insurers are eagerly eyeing exponential growth in the tiny cyber coverage market but their lack of experience and skills handling hackers and data breaches may keep their ambitions in check
Cyber crime still evolving, many breaches uninsured: Crawford & Company (Canadian Underwriter) Crawford & Company has released a white paper meant to help insurance companies and adjusters better understand the current cyber risk environment and how insurers are addressing a risk that continues to be a global threat to millions of commercial enterprises and consumers
IoT creating plethora of new jobs in IT cybersecurity (TechRepublic) The complexity and sheer number of Internet of Things devices will require more IT security professionals, creating new job opportunities for those in the field
Closing the Back Door — Responding to the Whisper Campaign (Trend Micro: Simply Security) The Information Technology (IT) industry is a huge economic driver for the world economy. Purchasing products and solutions are based not only on superior technology, but also whether you have trust and confidence in a vendor
Security approval gives Samsung access to Australian government market (CSO) Media reports may have suggested that that Samsung was going to give up on its Knox security platform, but the Common Criteria approval of its flagship Galaxy S5 smartphone is likely to give the platform new momentum as the company pushes into the lucrative Australian government market
The Return Of FireEye (FEYE) (Seeking Alpha) FireEye Inc. (FEYE) provides IT security software for corporations and government entities to detect, remove, and prevent cyber-attacks. With a virtual-based platform, FireEye products can protect against threats in real time, and prevent threats from materializing in the first place. In short, this company is a hacker''s worst nightmare. Since its IPO, FEYE has had a somewhat rocky ride, evidenced by the graph below
GCR names new information, cyber security manager (Financial News) GCR Inc. said that Andre Allen will spearhead GCR's cyber security practice to deliver cost-effective cyber security solutions, with a primary focus on the Aviation industry''
Products, Services, and Solutions
Silent Circle Challenges Skype, Telecoms With Encrypted Calling (InformationWeek) Blackphone maker's affordable encrypted calls could appeal to security-conscious businesses
ARM, Quarri ink Web security deal (ITWeb) African security management provider African Risk Mitigation (ARM) has signed a distribution agreement with Quarri Technologies, a Web information security software company that empowers organisations to keep their sensitive data secure, to distribute its Web and browser security solutions
eScan Internet Security Features (Streetwise Tech) eScan Internet Security has been designed to protect homes and businesses from threats, viruses, malware, worms, spyware and Trojan horses from destroying their system
Technologies, Techniques, and Standards
Securing the virtual environment (Help Net Security) So you have you a shiny new virtual environment up and running. You may have virtualised all your servers, so that your business-critical databases, CRM systems, ERP applications and email all reside in a virtual environment. It has been a long project, but now it is complete and you are experiencing the operational, performance and cost gains. Stop! Think! Have you covered all the bases? Have you thought about security?
Firewall Policies: How to Build a Better Policy (Fortinet Blog) As networks become more advanced, so do the demands placed upon your firewall. As such, it is equally important to know how to make a firewall policy work, and to make it work well
The Internet of Things: How do you "on-board" devices? (Internet Storm Center) Certified pre-pw0ned devices are nothing new. We talked years ago about USB picture frames that came with malware pre-installed. But for the most part, the malware was added to the device accidentally, or for example by customers who later returned the device just to have it resold without adequately resetting/wiping the device
Heuristic Scanning and Sandbox Protection: Best of Both Worlds (TrendLabs Security Intelligence Blog) We have been dealing with targeted attacks and know that there is no single technology that can practicably defend an organization's network against these high-impact campaigns. This is sad, true, but it does mean there are ways to harness security technologies like sandboxing and heuristic scanning so that they work together to protect as a stronger whole
Egress Filtering? What — do we have a bird problem? (Internet Storm Center) One of the major tools that we have in our arsenal to control malware is outbound filtering at firewalls and other network "choke points"
Strategic Security: Begin With The End In Mind (Dark Reading) The trouble with traditional infosec methodology is that it doesn't show us how to implement a strategic security plan in the real world
Design and Innovation
Google changing Chrome malware, phishing warnings (ZDNet) New designs for interstitial warning pages for malware and phishing sites detected by Google Safe Browsing are simpler
Research and Development
Army Issues RFI on Biometrics Research and Development Work (Executive Gov) The U.S. Army is seeking information on potential vendors that can perform biometrics-related research, development and implementation work for the Intelligence and Information Warfare Directorate of the Communications Electronics Research and Development Engineering Center
Welcome to the era of social network tyranny (Quartz) Amid growing calls for formal investigations into Facebook's disturbing mood manipulation research, media scholar Jay Rosen has a reminder for journalists, editors, and personal social media users alike: "Facebook has all the power. You have almost none"
Academia
DSU Develops Cyber Security Camp For High School Students (Yankton Daily Press and Dakotan) Next summer will bring a new kind of camp to South Dakota, one that not only features the time honored traditions of meeting new friends and staying up all night, but teaches campers the basics of cyber security. Dakota State was recently awarded a $100,000 grant from the National Science Foundation (NSF) to develop and host a cyber security camp July 20-25, 2014, for students entering grades 10-12
New York Gets Another Learn To Code Academy (TechCrunch) New York is getting a new tech skills training academy. The twist it that the just launched academy is being created by a dev studio drawing on their existing expertise making apps for others to teach budding entrepreneurs the web development skills they're going to need to turn their big idea into a big business. At a price, of course
PA Cyber Charter School announces plans for $5.7 million expansion (Trib Live) As school districts statewide continue cutting, Pennsylvania's largest cyber school announced plans for widespread expansion, including at least 80 new teachers and a $5.7 million building project in downtown Midland in Beaver County
Legislation, Policy, and Regulation
Cyber operation centres to be set up for threat management: Arun Jaitley (Economic Times) Cyber Operation Centres will be set up for threat management and mitigation as part of efforts to protect defence networks from cyber attacks, Defence Minister Arun Jaitley told the Lok Sabha today
Big Brother is Watching: Policing of the Future is Here Today Says Morgan Marquis-Boire (International Business Times) "There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time." This is a quote from George Orwell's dystopian novel Ninteen Eighty-Four which was publised 65 years ago. On Tuesday the UK government will fast-track legislation through parliament in order to safeguard the security of the country and its people — according to David Cameron at least
Edward Snowden Attacks British Emergency Surveillance Laws (NDTV) Fugitive US intelligence expert Edward Snowden attacked British plans for emergency laws to allow police and security services greater access to Internet and phone data on Sunday
NIOC Bahrain holds change of command (DVIDS) Navy Information Operations Command (NIOC) Bahrain held a change of command ceremony July 7 at the Naval Support Activity Bahrain Chapel
Litigation, Investigation, and Law Enforcement
Spiegel: Intel agency suspected in alleged phone hacks of MPs (Deutsche Welle) Two German parliamentarians suspect that their phones were tapped by an intelligence agency, according to Der Spiegel. The allegations come amid a diplomatic row between Berlin and Washington over US espionage
Feds: Chinese businessman hacked into Boeing computers systems for data on military projects (Fox Business) U.S. authorities have charged a Chinese businessman with hacking into the computer systems of U.S. companies with large defense contracts, including Boeing, to steal data on military projects, including some of the latest fighter jets, officials said Friday
Liberty in security bodies law bid (Belfast Telegraph) A civil liberties campaign group says it has taken legal action against Government intelligence services because it believes its private communications have been "interfered with" in breach of human rights legislation
BAE reversal came after Homeland Security came calling (CNBC) BAE Systems' inaccurate claim of stopping a major cyberattack against a large hedge fund got the attention of the U.S. Department of Homeland Security, CNBC has learned
Ethical concerns raised by workers at Canadian spy agency (Globe and Mail) Employees at Canada's fast-growing electronic spy service are sounding alarms about possible misuse of funds, conflicts of interest and financial mismanagement
Albanian hacker pleads guilty in US$14m global bank fraud (Channel News Asia) An Albanian hacker who was part of an international cyber-attack conspiracy that stole US$14 million from ATM machines all over the world pleaded guilty in New York to bank fraud