Cyber Attacks, Threats, and Vulnerabilities
Second Pro-Government Hacking Group 'Syrian Malware Team' Uncovered (Infosecurity Magazine) Security researchers have spotted what they believe to be a second pro-al Assad hacking group, dubbed the Syrian Malware Team, using a .NET RAT to attack targets
North Korea using foreign bases to launch cyberattacks, says HP (Techworld via CSO) There's a reason the DPRK's attacks come through China
Banks: Credit Card Breach at Home Depot (Krebs on Security) Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity
Home Depot Investigating Potentially Massive Credit Card Breach (TechCrunch) Did you just get your credit card replaced after the Great Target Fiasco of 2013? Don't get too used to that new card. It's starting to look like it's that time again
Home Depot breach could potentially be as big as Target's (ITWorld) In what could turn out to be another huge data breach, Home Depot on Tuesday confirmed that it is investigating a potential compromise of credit card and debit card data belonging to an unspecified number of customers
Home Depot Breach: Time to Value of Black Market Cards Changes as Banks and Retailers Improve Detection (Easy Solutions Blog) With the latest retail breach at Home Depot, attention has again turned to credit card black markets, the clearinghouses that sell these stolen cards to the highest bidder. These are no fly-by-night operations. In fact, the largest of these markets have some sophisticated features that any e-commerce site would tout, including integrated Bitcoin funding, good customer support, good commerce features
Home Depot Shares Drop After Chain Investigates Data Breach (Bloomberg) Home Depot Inc. (HD), the largest home-improvement chain, fell as much as 3.4 percent in New York trading after saying it was working with banks and law enforcement to investigate a possible data breach
Apple Says It Is "Actively Investigating" Celeb Photo Hack (Re/code) Apple said Monday it was "actively investigating" the violation of several of its iCloud accounts in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web
Apple Not Hacked In Celebrity Nude Photo Breaches (Dark Reading) 'Very targeted attack' on celebrities' Apple usernames, passwords, security questions — iCloud, Find My iPhone not breached, Apple says
Apple denies iCloud/Find my iPhone breach, says 'very targeted attack' hit certain celebrities (9 to 5 Mac) Apple has responded to this week's hackings of celebrity iCloud accounts, which resulted in postings of private photographs
Mystery Surrounds "iCloud Hack" as Naked Celebrity Photos Leak (Intego) You would have had to have been sleeping under a rock for the last day or two not to have seen the headlines about female celebrities whose naked selfie photographs have somehow slipped out onto the internet
Did Jennifer Lawrence's Naked Photos Leak Out Because She Told the Truth? Lying Can Protect your iCloud Account (Intego) The private nude photos of 100 female celebrities, including Oscar-winning actress Jennifer Lawrence, have been distributed across the Internet – and now we're beginning to find out more about how it might have happened
This could be the iCloud flaw that led to celebrity photos being leaked (Update: Apple is investigating) (NextWeb) An alleged breach in Apple's iCloud service may be to blame for countless leaks of private celebrity photos this week
The Police Tool That Pervs Use to Steal Nude Pics From Apple's iCloud (Wired) As nude celebrity photos spilled onto the web over the weekend, blame for the scandal has rotated from the scumbag hackers who stole the images to a researcher who released a tool used to crack victims' iCloud passwords to Apple, whose security flaws may have made that cracking exploit possible in the first place
Apple's iCloud breach: It's not just about naked photos (FierceITSecurity) While practically all of the coverage about the possible breach of iCloud has been about the disclosure of naked celebrity photos, the security issues with iCloud also pose a risk to data stored in the cloud service
What does alleged iCloud hack mean for Federal agencies? (Nextgov) Most federal agency employees with iPhones probably don't have to worry about hackers ogling naked photos of them saved in Apple's iCloud backup system
4chan, The Weekend of Nude Celebrity Selfies, and How to Protect Your Personal Info (Webroot Threat Blog) What do celebrities (mostly young and female), 4chan, hackers, Bitcoin, and iCloud have in common?
The Celebrity Photo Hacks Couldn't Have Come at a Worse Time for Apple (Wired) The media crush will soon descend on Cupertino, California, as Apple prepares to announce what will surely be its newest iPhone, quite probably its latest laptops, and possibly its first smartwatch. When the new devices arrive next week, they'll be tied together with an Apple operating system more dependent on the company's cloud services than ever before. And as the world saw over the weekend, those cloud services might be about as secure as leaving your front door key under the mat
Beware of scams following the celebrity nude photo news (Help Net Security) As the FBI confirmed that they are investigating the leaking of nude photographs (some real, some fake) of a hundred female celebrities, the hunt for the person(s?) behind it is also on online, as 4chan users are trying to ferret out the identity of the leaker
JPMorgan Hackers Came In the Front Door — in June. Two Months of Mayhem (Bloomberg) Hackers burrowed into the databanks of JPMorgan Chase & Co. and deftly dodged one of the world's largest arrays of sophisticated detection systems for months
Attacks Mostly Undetected Until Too Late (GERC Daily) At JPMorgan Chase it looks like the attackers took advantage of a vulnerability in one of the customer facing apps that the bank uses to provide service to its customers
Former NSA Chief Says JPMorgan Hack May Be a Warning (Bloomberg) Hackers who stole gigabytes of data from JPMorgan Chase & Co. may have been trying to send a message that U.S. financial institutions can be disrupted, the former director of the National Security Agency said
Namecheap accounts brute-forced by CyberVor gang? (Help Net Security) California-based domain registrar and web hosting firm Namecheap has been targeted by hackers, the company's VP of hosting Matt Russell warned on Monday, and said that the attackers are using username and password data gathered from third party sites to brute-force their way into their customers' accounts
IN DEPTH: The green hacking threat (Recharge) A collective of Eastern European hackers known as Dragonfly was last year found to have infiltrated the computer systems of hundreds of energy companies, including renewables firms, across the US and Western Europe in a programme of espionage that "bears the hallmarks of state-sponsored operation", according to digital security firm Symantec
New BlackPOS variant masquerades as AV service (Help Net Security) Before the Backoff point-of-sale malware received deserved attention, the main player in the PoS malware field was BlackPOS (or Kaptoxa), the memory-scraping malware that was used in the Target breach
Hackers make drive-by download attacks stealthier with fileless infections (IDG via CSO) New attacks with the Angler exploit kit inject code directly in browser processes without leaving files on disk, a researcher found
New botnet research from Prolexic Research Team (CSO) The IptabLes/IptabLex DDoS botnet
Slow on the Draw — Industrial Organizations Hit by Well Known Malware and Methods (Cyactive) The past week saw the publication of two attacks on industrial organizations. Though such attacks occur all the time, what makes these important to notice is that the organizations were hit by variants of very well known malware, using well known methods of infection
Who is putting up 'interceptor' cell towers? The mystery deepens (Venture Beat) Mysterious "interceptor" cell towers in the USA are grabbing phone calls — but they're not part of the phone networks. And, two experts told VentureBeat today, the towers don't appear to be projects of the National Security Agency (NSA)
Security Patches, Mitigations, and Software Updates
Mozilla Releases Security Updates for Firefox and Thunderbird (US-CERT) The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox and Thunderbird. Exploitation of these vulnerabilities may allow an attacker to cause an exploitable crash or execute arbitrary code
Latest Firefox adds protection against rogue SSL certificates (ComputerWorld) Firefox 32 has implemented certificate key pinning
Cyber Trends
Cyber-crime awareness increasing beyond CTOs amid regulatory scrutiny (COOConnect) Awareness of cyber-crime at fund managers is moving beyond chief technology officers (CTOs) and IT personnel with a growing number of portfolio managers and other senior executives taking a growing interest
Don't Be Surprised by a Cyber Attack: Prepare, Respond, Recover (Wall Street and Tech) Cyber attacks have become inevitable, but companies that prepare for how to respond can "shrink the problem" and minimize the impact of any security breach
Over 90% Of Cloud Services Used In Healthcare Pose Medium To High Security Risk (Forbes) According to cloud security vendor Skyhigh Networks, more than 13% of cloud services used in healthcare are high-risk and 77% are medium-risk
Medical identity theft: How the health care industry is failing us (Fortune) Unlike the financial services industry, health care companies lack measures to adequately prevent identity theft, even as they continue to digitize medical records and other sensitive information
93% of Companies Breached Says FireEye & KPMG Study (VPN Creative) FireEye and KPMG have conducted a study analyzing cyber security threats impacting firms in Sweden, which found that 93 percent of the monitored organizations were breached
Marketplace
Cyberinsurance: A breach savior for healthcare providers, but read the fine print (FierceEMR) Cyberinsurance can be instrumental in weathering a security breach of a provider's electronic health record system, but purchasers should review policies carefully since they vary widely, according to attorney Scott Godes, with Barnes & Thornburg in the District of Columbia
AVG To Buy Family-Focused Mobile Security Company, Location Labs, In Deal Worth Up To $220M (TechCrunch) Mobile security company Location Labs is being acquired by online security firm AVG in a deal worth up to $220 million. AVG said today it will pay around $140 million initially to buy Location Labs, plus up to an additional $80 million in cash consideration over the next two years, based on certain performance metrics and milestones being met
LinkedIn Reviewing China Censorship Policy (Bloomberg) LinkedIn Corp. (LNKD) expanded into China this year, adopting policies in line with the country's censorship rules. Now the world's largest professional social-networking company is saying it may have gone too far
Top 25 US Bank Selects Easy Solutions for Fraud Prevention (Business Wire) Easy Solutions®, the Total Fraud Protection® company, today announced that one of the country's largest banks, a Fortune 200 firm with over $100 Billion in assets, has selected Easy Solutions to provide fraud prevention services across its customer base
Dave McClure headed to cyber firm Veris Group (FedScoop) Months after announcing his departure from the General Services Administration, Dave McClure is set to join Virginia-based cybersecurity provider Veris Group as chief strategist
Booz Allen Appoints Technology Executive Gretchen W. McClain to its Board of Directors (TWST) Booz Allen Hamilton Holding Corporation (NYSE:BAH), the parent company of consulting firm Booz Allen Hamilton Inc., has appointed Gretchen W. McClain to its Board of Directors, effective September 2, 2014
Products, Services, and Solutions
AT&T launches government-specific cloud storage offering (ZDNet) The communications company said the security-heavy storage offering helps ease the cloud migration process for federal agencies
SAIC debuts tiered cybersecurity solution (GCN) Because no single vendor can offer an end-to-end security solution, Science Applications International Corp. teamed with leading cybersecurity vendors to develop CyberSecurity Edge, an adaptive solution that the company said offers advanced data security and protects government customers from hackers, viruses and malware
Multi-port firewalls for industrial network applications (Pro Security Zone) Firewall update supports SHDSL connections providing more options for industrial control system network managers
New 'Sound Wallet' Stores Your Private Keys on Vinyl (CoinDesk) For digital currency users looking to secure their e-fortune, one project is offering a new way to store private keys: on vinyl
DomainTools® Forges Industry Partnerships to Bring Powerful Turnkey Solutions to Security Threat Investigators (PRWeb) Integrations with Mandiant, Cyber Squared Inc. and Malformity Labs provide security analysts with more powerful threat intelligence and cybercrime investigation solutions
A10 Networks and Webroot Partner to Extend Web Classification to A10 Thunder ADCs (Technuter) A10 Networks, a technology provider in application networking, and Webroot, the market leader in cloud-based, real-time Internet threat detection, announced that A10 will integrate the Webroot BrightCloud Web Classification Service into the A10 Thunder Application Delivery Controller (ADC) product line, improving performance, efficacy and compliance of SSL traffic decryption
Tox: Open-source, P2P Skype alternative (Help Net Security) If you like the convenience of Skype, but you are worried about government surveillance and don't trust Microsoft to keep you safe against it, Tox might be just the thing for you
The Open Source Tool That Lets You Send Encrypted Emails to Anyone (Wired) In the wake of the mass NSA surveillance scandal sparked by whistleblower Edward Snowden, all sorts of hackers, academics, startups, and major corporations are working to build tools that let us more easily secure our email messages and other online communications
Tests compare Mac OS X anti-malware products (ZDNet) The Mac malware situation is a much lower-pressure one than that on Windows, so many products perform very well. But it's still worth comparing them, so AV-TEST.org tests 18 products, both free and paid
Technologies, Techniques, and Standards
How PCI DSS 3.0 impacts business owners (Help Net Security) If your business processes, transmits, or stores credit card data, you are subject to the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS 3.0 went into effect in 2014, and introduced new rules and a clarified direction for the guidelines. Among the most important things for a merchant to know about the PCI DSS is that it's constantly evolving, so staying current is an important responsibility
"Contactless" HCE Payments Promise Simplicity But Is It Secure? (Dark Reading) Host Card Emulation is a powerful and flexible technology, but like most software-dependent solutions, it can be hacked and exploited
Free Tool Fights Advanced Evasion Techniques (eSecurity Planet) AETs are designed to evade next generation firewalls. A free tool can help security admins identify potential weaknesses in firewalls
Pinpoint — Tool to Find Malicious Objects (SecTechno) Many online websites host malware or link to a malicious file without their knowledge. Normally it may take some time to find the compromised files. Pinpoint is a tool that you can use to scan and identify the infected files. The tool will list all external javascripts, javascript redirects or any iFrame on the targeted website
Federal Network Security: 4 Easy Steps to Get the Basics Right (Nextgov) In federal IT, it's easy to want to focus on protecting your organization from the next big security threat
Google Dorking: Feds Warn Against Malicious Cyber Actors (Search Engine Watch) The Department of Homeland Security, the FBI, and the National Counterterrorism Center have issued a warning against the perils of "Google dorking," or the practice of utilizing a detailed set of search parameters to locate sensitive information or other website vulnerabilities
Microsoft's explanation of cloud outage praised by customers (FierceCIO) Microsoft has gained some praise for its candid post-mortem evaluation of a recent outage of its Visual Studio Online service
What is 'private browsing' and does it offer full protection (Bitdefender) Private, anonymous or incognito browsing is a mode offered by most browsers that disables several standard features that track your browsing habits and store your browsing data. Enabling private browsing blocks websites from placing cookies on your computer
How to Keep Fraud Threats From Ruining Your Mobile Banking (TheStreet) With 28% of U.S. adults using their smartphones and tablets to conduct banking transactions and 60% calling access to mobile banking either "important" or "very important" in choosing banks, according to AlixPartners, there's a growing risk of consumer financial fraud
Research and Development
Wanted By DHS: Breakout Ideas On Domestic Cybersecurity (InformationWeek) Department of Homeland Security plans to fund cyber defense research efforts to develop pragmatic tools that can be deployed quickly, says Forrester
Academia
Carnegie Mellon Receives $5.6M NSF Grant for Cybersecurity Education (Insurance News Net) The National Science Foundation (NSF) has awarded Carnegie Mellon University a $5.6 million grant through the CyberCorps Scholarship for Service (SFS), a federal program that aims to strengthen the workforce charged with protecting the nation's critical information infrastructure
Skyscape Cloud Services Supports Cyber Security Challenge UK (Realwire) Leading provider of assured cloud services to the UK public sector is sponsoring and providing infrastructure services to bolster the national pool of cyber security skills
Pinecrest Students to Participate in Cyber Defense Competition (The Pilot) Pinecrest High School students will soon put their science skills to the test when they compete in the seventh season of the Air Force Association's CyberPatriot National Youth Cyber Defense Competition
Legislation, Policy, and Regulation
Exploit a flaw or go to war? NATO's cyber battle rules raise more questions than they answer (ZDNet) The world's largest military alliance is getting serious about digital attacks, but the reality is much more complicated than the policy suggests
NATO and an "e-SOS" for cyberattacks (Washington Post) Back in 2010, my colleague Duncan Hollis and I wrote a short op-ed for the National Law Journal sketching out the idea that international law should recognize a "duty to assist" — similar to the duty, under maritime law, to respond immediately upon receiving a "SOS" from another vessel — countries that have been the subject of a systematic and sustained "cyber-attack"
Locking Russia out of Swift "unlikely and complicated", says analyst (ComputerWeekly) Locking Russia out of the Society for Worldwide Interbank Financial Telecommunication (Swift) would be "incredibly complicated and unlikely", an analyst has warned
The heat is on in the West's proxy war with Moscow (Quartz) No one knows where the brinksmanship between Russia and the West is going or will end. Brutal combat in Ukraine is the latest trigger-point, with increasing military, financial and diplomatic threats on both sides
North Korea cyber warfare capabilities exposed (ZDNet) A new HP report suggests the reclusive country's cyber warfare capabilities are rapidly making North Korea a credible threat to Western systems
Iran Unfetters Cellphones, and the Pictures Start Flowing (New York Times) Some days ago, Mahdi Taghizadeh did something he never thought he would — at least, not in Iran.
Colombia sends officials to Estonia for cyber defense training (Colombia Reports) Colombian officials from different government forces will travel to Estonia to receive training in cyber security, the defense minister revealed Tuesday
Gerhard Schindler: Germany's Spymaster (OZY) He's something like Germany's Agent 001: Gerhard Schindler, 61 years old, parachutist, lieutenant colonel in the reserve, anti-terror specialist. Years as a top official in the German Ministry of the Interior, responsible for internal security. An edgy character, tanned, not particularly tall, bald, firm handshake, intense gaze
Brandis warns against future Snowdens and Mannings (ZDNet) Australian government agencies will be required to implement stringent new security policies, to monitor public servants in order to protect the government against the 'insidious enemy' of the 'trusted insiders' leaking sensitive information to the public
MasterCard-backed biometric ID system launched in Nigeria (Ars Technica) Country is trying to consolidate citizens' records and get them to the bank
Bipartisan study on grid security renews call for legislation, cites gaps in Obama order (Inside Cybersecurity) The findings of an ambitious study on securing the electricity grid led by former White House and homeland security officials include a call for action on cybersecurity legislation, while highlighting the shortcomings of the Obama administration's efforts to protect critical infrastructure from cyber attacks yet expressing general support for those initiatives
Smartphone 'Kill Switch' Law: Who Gets to Shut Off Devices? (Nextgov) California passed a law this week that, depending on who you believe, will bring about either a drastic drop in violent crime or an increased risk of terrorism
Breaching Bad: New Cyber Security Regs for Defense Contractors (JD Supra) Defense contractors with access to classified information will soon be required to quickly notify Defense Department (DOD) officials if the company's computer network or information system is successfully penetrated in a cyber-attack
Litigation, Investigation, and Law Enforcement
Expert international cybercrime taskforce tackles online crime (Help Net Security) Hosted at the European Cybercrime Centre (EC3) at Europol, the Joint Cybercrime Action Taskforce (J-CAT), which is being piloted for six months, will coordinate international investigations with partners working side-by-side to take action against key cybercrime threats and top targets, such as underground forums and malware, including banking Trojans
First US appeals court hears argument to shut down NSA database (Ars Technica) Second Circuit judges ask: What did Congress know, and when did they know it?
Did Brennan dodge a bullet? (The Hill) CIA Director John Brennan might have dodged a bullet over his agency's potentially unconstitutional snooping on the Senate, but critics insist his reprieve is only temporary
The John Walker Spy Ring and The U.S. Navy's Biggest Betrayal (USNI) Notorious spy John Walker died on Aug. 28, 2014. The following is a story outlining Walker's spy ring from the June 2010 issue of U.S. Naval Institute's Naval History Magazine with the original title: The Navy's Biggest Betrayal
Leaked nude celebrity photos: When a cybercrime becomes a sex crime (Washington Post) It's not the tech jargon of online privacy breaches. And it's not the hand-wringing associated with Wikileaks