Cyber Attacks, Threats, and Vulnerabilities
India on high alert as Al Qaeda launches local branch (The National) India ordered several provinces to be on increased alert on Thursday in response to Al Qaeda's launch of a new branch in the Indian subcontinent. In a video posted online, Al Qaeda leader Ayman Al Zawahri promised to spread Islamic rule and "raise the flag of jihad" across the Indian subcontinent
Al-Qaeda overshadowed by Islamic State's influence (USA TODAY) Al-Qaeda's call Thursday for a jihad (holy war) in India is the latest sign of how the terror group is battling to stay relevant in the face of the rival Islamic State's savage rampage in Iraq and Syria
Computers for Hire Send JPMorgan Data to Russia (Bloomberg) JPMorgan Chase & Co.'s own investigators have found clues that a global network of computers available for hire by sophisticated criminals was used to reroute data stolen from the bank to a major Russian city, according to people familiar with the probe
Chase Breach Investigation: Any Answers? (BankInfoSecurity) Even an unconfirmed incident can hurt bank's brand
Will Cyber Attack Halt Rally in Financial ETFs? (Zacks) After a stretch of rough trading, financial stocks showed a strong run-up in their prices last month primarily fuelled by a surge in banking stocks. This is because near-record bank profits in the second quarter, solid loan growth, steadily improving credit quality, litigation settlements, and heightened M&A and IPO activities spread optimism in the broad sector
Mounting evidence points towards Home Depot breach (Help Net Security) Still officially unconfirmed, a Home Depot hack looks increasingly likely to have happened
Home Depot breach a near certainty, yet Backoff remains a question (Ars Technica) Significant link found between retail locations and card owners' zip codes
Home Depot hires Symantec, FishNet to probe data breach (AP via the San Jose Mercury News) Home Depot says it's offering free identity protection services, including credit monitoring, to those customers who might be potentially hurt by a possible data breach at the home improvement chain
Feared Home Depot Breach Sparks More Interest in Backoff PoS Malware (Threatpost) Naturally, early speculation on the malware culprit behind the possible Home Depot data breach has leaned toward Backoff
Goodwill payment systems compromised (CSO) Just when you might have thought there wasn't any more staying power in the parade of stories about point of sale systems being hacked, we find that even Goodwill isn't immune
BackOff Not To Blame For Goodwill Breach (Dark Reading) Rawpos, a "very low risk" infostealer, is responsible for the compromise of roughly 868,000 credit cards
Apple CEO says iCloud security will be strengthened (IDG via CSO) Apple, still reeling from the nude celebrity photo incident, plans to soon strengthen security around its iCloud storage service, according to CEO Tim Cook in a news report Thursday
Alleged Hacker Behind Massive Leak Of Nude Celebrity Photos Says It Took 'Several Months' To Pull Off (Business Insider) A hacker who says he or she is responsible for uncovering nude photos of more than 100 celebrities including Jennifer Lawrence and Kate Upton says the mobile hit job was plotted by multiple people and took months to pull off
The Russian-made tool that grabs nude selfies from iCloud accounts (IDG via CSO) Elcomsoft said it is aware pirated copies of its Phone Password Breaker software are circulating in the underground
Celeb nude photos now being used as bait by Internet criminals (Ars Technica) Tweets with fake links to #JLaw photos revive oldest trick in Web malware book
Brazilian, U.S. Web Users Targeted by Router-Hacking Group (eWeek) Criminals use Javascript to brute-force guess a user's router password, change DNS settings and redirect victims to a banking scam
Hacker Breached HealthCare.gov Insurance Site (Wall Street Journal) A hacker broke into part of the HealthCare.gov insurance enrollment website in July and uploaded malicious software, according to federal officials. Investigators found no evidence that consumers' personal data were taken or viewed during the breach, federal officials said. The hacker appears only to have gained access to a server used to test code for HealthCare.gov, the officials said
Hacker breached HealthCare.gov website, planted malware on "ObamaCare" (Graham Cluley) The Wall Street Journal is reporting that a hacker managed to break into the US Government's HealthCare.gov health insurance comparison website in July, and managed to implant malware
Cyber-hoodlum tripped, fell, landed in Obama's Healthcare.gov server (The Register) That's exactly how it happened, honest, says US govt, and no medical records stolen
Configuration errors lead to HealthCare.gov breach (CSO) HHS confirms server breach, but says that personal information was not compromised
OS X version of Windows backdoor spotted (Help Net Security) A recently discovered backdoor aimed at Mac computers is likely wielded by a long-standing APT group that has previously been known to target US defense firms and organizations, electronics and engineering companies around the world, and non-government organizations with interests in Asia, say FireEye researchers
Forced to Adapt: XSLCmd Backdoor Now on OS X (FireEye Blog) FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd — OSX.XSLCmd — which is designed to compromise Apple OS X systems. This backdoor shares a significant portion of its code with the Windows-based version of the XSLCmd backdoor that has been around since at least 2009
Analysis of Chinese MITM on Google (Netresec Blog) The Chinese are running a MITM attack on SSL encrypted traffic between Chinese universities and Google. We've performed technical analysis of the attack, on request from GreatFire[dot]org, and can confirm that it is a real SSL MITM against www.google[dot]com and that it is being performed from within China
Malware Bypasses Chrome Extension Security Feature (TrendLabs Security Intelligence Blog) Originally created to extend a browser's functionality, browser extensions have become yet another tool for cybercriminals' schemes. Earlier this year, Google addressed the issue of malicious browser extensions by enforcing a policy that only allows installations if the extensions are hosted in the Chrome Web Store
TorrentLocker now targets UK with Royal Mail phishing (We Live Security) Three weeks ago, iSIGHT Partners discovered a new Ransomware encrypting victims' documents. They dubbed this new threat TorrentLocker. TorrentLocker propagates via spam messages containing a link to a phishing page where the user is asked to download and execute "package tracking information". In August, only Australians were targeted with a fake Australian Post package-tracking page
Are rogue cell towers snooping on your calls? (Tripwire: State of Security) The number of calls made from cell phones every day is absurd. Let's just say it exceeds the population of every country where residents have access to cell phones and be done with it
Security experts weigh in on mystery cell-phone towers (WND) There's been an uproar this week following a Popular Science report that revealed the existence of more than a dozen cell phone-type towers across the United States for which no owner could be located or operator identified
Vulnerability numbers easing but Heartbleed still lingers: IBM (CSO) Despite a spate of high-profile security attacks, the number of new security vulnerabilities is expected to decline this year for the first time since 2011, according to the latest figures from IBM's X-Force managed security team
The roots of 'Anonymous,' the infamous online hacking community (PBS) As online hacking becomes more common, interest in the individuals and groups behind such cyber attacks rises. Hari Sreenivasan speaks with David Kushner of The New Yorker on the origins of one of the most infamous hacking groups, "Anonymous"
5 things you should know about email unsubscribe links before you click (Naked Security) We all get emails we don't want, and cleaning them up can be as easy as clicking 'unsubscribe' at the bottom of the email
Security Patches, Mitigations, and Software Updates
Microsoft Security Bulletin Advance Notification for September 2014 (Microsoft Security TechCenter) This is an advance notification of security bulletins that Microsoft is intending to release on September 9, 2014
Just 4 Bulletins Expected for September Patch Tuesday (Lumension) Microsoft will release 4 bulletins on Patch Tuesday next week; one rated as critical and the remaining three rated important. The light month is good news for otherwise very busy IT departments
Back-to-school Patch Tuesday: Critical updates for Internet Explorer, Adobe Reader (Register) Sysadmins, brace yourselves
New Box Security Features Give Companies Far Greater Control Over Documents (TechCrunch) Box made its name being a user-focused company. Ease of use took priority over everything else, and while they've achieved a huge user base in this fashion, a big criticism of the company has been on the security side. It was never secure enough for some IT pros. A series of announcements today at the BoxWorks customer conference should go a long way towards alleviating those concerns
Why is Google sending insecure browsers back in time? (Naked Security) The Google search home page is famously simple and, well, famous
Cyber Trends
Are breaches inevitable? (Computerworld) Security managers have to do a lot more to stay a step ahead of determined hackers
Debate: Data in the cloud is more secure than on premises. (SC Magazine) Experts debate whether data in the cloud is more secure than data that's housed on an organization's premises
Cybersecurity technologies being developed, implemented to advance smart grid, new report says (FierceGovernmentIT) Technologies with built-in cybersecurity functions are in development and in some cases rolling out across the nation's electricity grid as it's being transformed into a smart grid, according to the Energy Department's new status report
The Security Implications of Wearables, Part 1 (TrendLabs Security Intelligence Blog) The Internet of Everything has given rise to new gadget categories in every electronics retailer shop. Smart wearables are rapidly becoming more commonplace than you think. While not everyone has Google Glass, you can bet that a lot of people have fitness trackers and even smart watches
Vulnerable "Smart" Devices Make an Internet of Insecure Things (IEEE Spectrum) According to recent research [PDF], 70 percent of Americans plan to own, in the next five years, at least one smart appliance like an internet-connected refrigerator or thermostat
Internet of Things a Potential Security Disaster (eSecurity Planet) Experts believe the Internet of Things will be highly insecure, at least in the early days
4 Hurdles To Securing The Internet Of Things (Dark Reading) Why locking down even the tiniest embedded devices is a tall order
Growing security threats put focus on CISO role (FierceCIO) This week Home Depot became the latest in the growing list of major organizations that are the apparent targets of cybercriminals. Indeed, cybercrime seems rampant and cyberdefenses appear woefully inadequate. Both of these place greater focus on the need for chief information security officers
Bitcoin, The Cryptography-based Currency Continues To Rely On Banks For Security (Forbes) Reddit's r/bitcoin is a popular forum where BTC enthusiasts shared news links and anti-establishment jokes. The site was so influential among the community that a recent book about Bitcoin called The Anatomy of a Money-like Informational Commodity discussed the viability of using the number of registered members of the forum as a way to gauge the market sentiment
One in Five Massachusetts Residents Breached in 2013 (Threatpost) Roughly one in five Massachusetts residents were affected by a data breach last year, according to numbers released today by the Commonwealth's Office of Consumer Affairs & Business Regulation
Marketplace
This has been a huge year for US IPOs, and it's just warming up (Quartz) Talk of the death of the IPO may be premature
Phoenix's BeyondTrust Software acquired by Veritas Capital (Phoenix Business Journal) BeyondTrust Software Inc., a Phoenix-based cyber security software provider, is being acquired by Veritas Capital for an undisclosed price
Pre-IPO Shareholders Of A10 Networks Could Be Eager To Sell At IPO Lockup Expiration (Seeking Alpha) September 16 will mark the end of the 180 day lockup period on ATEN that began with the application networking technologies firm's March 20 IPO
Construction of New CYBER/ISR Facility (FedBizOps) The 175th Wing, Maryland Air National Guard, located at Warfield Air National Guard Base, Baltimore, Maryland, intends to issue a Request for Proposal (RFP) to award a single firm fixed-price contract for Construction of a CYBER/ISR Facility
Twitter Taps HackerOne To Launch Its Bug Bounty Program (TechCrunch) Following security breaches that have shaken confidence in many online services, Twitter today announced the launch of its bug bounty program that will pay security researchers for responsibly reporting threats through HackerOne, a bug bounty program provider. Twitter will pay a minimum of $140 per threat reported
Cyber Security Jobs: They're Secure, They Pay Well And There's Not Much Competition Right Now (redOrbit) If you're like a lot of students who are headed to college, you have no idea what your major should be. Your parents might have some suggestions, but of course, not everyone can be a doctor or a lawyer. One career track that's hot right now is cyber security. You should expect some rigorous training, but once you're ready, you won't have a hard time finding a job. Plus, the jobs you'll find often pay well, and they're more in demand than many other private sector jobs
Products, Services, and Solutions
For Sale Soon: The World's First Google Glass Detector (Wired) Earlier this summer, Berlin-based artist and coder Julian Oliver released Glasshole.sh, a simple and free piece of software designed to detect Google Glass and boot it from any local Wi-Fi network. That DIY idea, says Oliver, was so popular among Glass's critics that he's now offering his cyborg-foiling hack to the masses in a much more polished form: an easy-to-use commercial product selling for less than $100
A10 Networks Expands DDoS Protection Appliance Range (CRN) The company has launched Thunder 3030S TPS, a dedicated DDoS protection appliance for medium-sized networks with 5-10 Gbps Internet connections
WhiteHat Security Partners with Tasktop to Provide Real-Time Integration with Application Lifecycle Management Tools (Insurance News Net) WhiteHat Security, the web security company, today announced it has partnered with Tasktop, the leader in Application Lifecycle Management (ALM) and software development tools integration, to OEM Tasktop Sync
Prelert Anomaly Detection Released for Big Data Analysis (Programmable Web) Prelert, the anomaly detection company, has announced the release of an Elasticsearch Connector to help developers quickly and easily deploy its machine learning-based Anomaly Detective® engine on their Elasticsearch ELK (Elasticsearch, Logstash, Kibana) stack
Technologies, Techniques, and Standards
Scared of brute force password attacks? Just 'GIVE UP' says Microsoft (Register) Choose simple password, reuse it, ignore password strength meter and pray
Hackers attack Namecheap accounts — are you still reusing passwords? (Hot for Security) Popular domain registrar and web-hosting provider Namecheap has announced that hackers launched a determined attack against its systems over the weekend, attempting to break into users' accounts
Don't get caught with your pants down: 9 ways to not be seen naked on the internet (PCR) The leaking of several Hollywood celebrities' nude photos onto the internet has sparked BitDefender into action — here are its top tips for not being seen naked online
When Authentication Fails, Back Up With Authorization Controls (Trustifier Webworld) I had a chance to meet Brian Shields, an intrusion threat analyst, when he came to Ottawa to participate in a panel discussion of APT at a local security event. Brian had been one of the Nortel investigators quite a few years ago, when it was revealed that much of their network had been breached, supposedly by adversaries from China. The theory that stolen Nortel IP used by a competitor contributed to their demise is fairly well known. After Nortel, Brian continued to investigate network breaches. He and the panel really painted a bleak picture. None of the panelists had any real answers when asked about how to stop "APT" — targeted attacks, outside of best practices, being vigilant, and trying to detect breaches as quickly as possible to contain damage
Phishing Safety: Is HTTPS Enough? (TrendLabs Security Intelligence Blog) It was recently reported that Google would improve the search ranking of HTTPS sites in their search engine. This may encourage website owners to switch from HTTP to HTTPS. Cybercriminals are also taking part in this switch. For example, we recently spotted a case where users searching for the secure version of a gaming site were instead led to a phishing site
Network vulnerabilities IT admins can use to protect their network (Help Net Security) Being able to adapt to change is one of the most important abilities in security today, mostly because attacks to defend against are able to do the same. The sophistication of current threats is mainly seen in their skill to adjust based on the weaknesses of the environment they are targeting
5 tips for security behavior management programs (Help Net Security) Security awareness has long been a point of frustration for information security professionals. While many organizations conduct awareness training of some kind, they have struggled to develop effective training, as posters and knick-knacks urging employees to change passwords frequently have failed to improve their security behavior
Design and Innovation
National Cyber Security Hall of Fame Announces Inductees for the Class of 2014 (National Cyber Security Hall of Fame) Mike Jacobs, Chairman of the selection process of the National Cyber Security Hall of Fame, released the names of 5 innovators who will be enshrined in the Hall of Fame on Thursday, October 30th at a gala at the Four Seasons in Baltimore, MD
Academia
Cyber Security Education: Remove The Limits (InformationWeek) Low-level technical and high-level strategic education must come together to achieve cyber security goals
UK Gov, Rolls-Royce and Teach First join forces for STEM (ComputerWeekly) The government has partnered with Rolls-Royce and Teach First to train 75 new science, technology, engineering and maths (STEM) teachers, announced by the Chancellor of the Exchequer, George Osborne, during his Great British Brands tour
Forum: Higher education a major key to defending U.S. cyberspace (Ames Tribune) Stronger cyber security education for both businesses and consumers could be the key to creating better data protection. That was the message that came from an Iowa State University symposium on Thursday
One in four Americans with college degrees shouldn't have bothered (Quartz) Roughly 25% of those with bachelor's degrees in the US derive no economic benefit from their diplomas
Reginald Hyde Joins University of Alabama Cyber Institute as Executive Director; Joe Benson Comments (Government Executive) Reginald Hyde, former Defense Department deputy undersecretary for intelligence and security, has joined the University of Alabama's Cyber Institute as executive director
Student benefits from special summer program (Southtown Star) While most college students put their studies on hold when they get a summer job, Illinois Wesleyan University student Tom Simmons was able to continue his academic pursuits and get paid this summer when he became a part of the Eckley Summer Scholar and Artist Program
Legislation, Policy, and Regulation
Holder, spy chief support Senate NSA reform bill (The Hill) Attorney General Eric Holder and Director of National Intelligence James Clapper are lending their support to the Senate's effort to rein in the National Security Agency, a boost for advocates of reform
NSA could learn from police officers' strategy (Milwaukee Journal-Sentinel) Throughout my 15 years in Wisconsin law enforcement, I've learned that the best weapon for fighting crime is good, old-fashioned investigative police work: identifying suspects, chasing down leads, collecting evidence to support those leads
Megan Smith named new Federal CTO, Alexander Macgillivray to assume deputy CTO role (ExecutiveGov) Megan Smith, most recently vice president of the Google X research arm, has been appointed to succeed Todd Park as federal chief technology officer and assistant to President Barack Obama
Colombian Officials to Fight Cybercrime in Eastern Europe (Latin Post) Nine government officials from Colombia are headed to Estonia to learn about cyber defense training, according to Colombia Reports
Litigation, Investigation, and Law Enforcement
Verizon to Pay Largest Ever Consumer Privacy Settlement (Threatpost) Verizon will pay the Federal Communications Commission $7.4 million as part of a settlement over the company's failure to adequately inform and obtain consent from customers before using their personal information to develop thousands of tailored marketing campaigns. Officials say this fine constitutes the largest consumer privacy settlement in FCC history
Google to pay $19,000,000 compensation for taking candy from kids (Naked Security) The US Federal Trade Commission (FTC), which looks after consumer rights in the US, has announced a settlement with Google
Finjan Provides Litigation Update — Proofpoint Motion To Stay Denied (MarketWatch) Finjan Holdings, Inc. (FNJN), a technology company committed to enabling innovation through the licensing of its intellectual property, today provides an update on the case Finjan, Inc. v. Proofpoint, Inc. et al., Case No. 5:13-cv-05808-BLF
Mass NSA Phone Metadata Collection in Federal Appeals Court Crosshairs (Reason) A trio of judges Tuesday heard the American Civil Liberties Union's challenge that the federal government's mass collection of telephone metadata is unconstitutional
Target says banks can't sue over massive data breach (FierceITSecurity) Target wants a Minnesota federal judge to throw out a consolidated class action lawsuit brought by banks over the retailer's massive data breach. Target argues that the bank plaintiffs cannot sue for negligence because they do not have a direct relationship with Target
FBI offers help to game developers suffering harassment, death threats (Ars Technica) There's been a swell of online harassment, and the authorities have noticed
Celebrity iCloud hacking turns into child abuse case over Maroney pictures (Guardian) Lawyers for US Olympic gymnast demand pictures removed from pornography website, claiming she was under 18 when photos were taken
Celebrity Hacker Could Face Lengthy Prison Sentence If Caught (National Cybersecurity) The person who leaked naked photos of about 100 female celebrities this past weekend, including the actress Jennifer Lawrence and the model Kate Upton, could face an array of criminal charges and dozens of years in prison if caught
Nude celeb selfies doxing prompts 4chan to change policy (Naked Security) 4chan, the slap-happy imageboard that's spawned or popularized internet memes such as Rickrolling and lolcats and more recently served as a launchpad for the doxing of 100 celebrities' nude selfies, has decided to revise its policies to deal with similar foul-ups
Coalition Asks Spying's Effect On Journalism (NetNewsCheck) The Reporters Committee for Freedom of the Press and a coalition of 24 news organizations have asked the Privacy and Civil Liberties Oversight Board to investigate whether national security surveillance programs are compromising journalists' attempts at newsgathering
National security reporter shared drafts with CIA press office, emails reveal (Russia Today) Emails released by The Intercept on Thursday between an American national security reporter and the Central Intelligence Agency's public affairs staff show the existence of "a closely collaborative relationship," the news site reported
Bitcoin Exchange CEO Pleads Guilty to Enabling Silk Road Drug Deals (Wired) The former CEO of a top Bitcoin exchange and one of his customers pled guilty today in Manhattan on charges relating to operating an unlicensed money exchange that provided Bitcoins to customers buying illegal drugs on the Silk Road