Cyber Attacks, Threats, and Vulnerabilities
Dutch spy chief: Social media fueling terror "swarm" (CBS News) Terrorists have changed their management style, and it's making them harder to fight, a top European intelligence official told CBS News. Decisions once left to a top-down hierarchy are now made by the collective "swarm," a shift he said has been fueled by social media
Social Media's Very Arab Future (Defense One) The future of Twitter, YouTube and a variety of other social networks is going to look and sound a lot more Arabic in the years ahead, at least according to data on Twitter usage across the Arabic-speaking world. And if current trends continue, the emerging Arabic social media landscape will also be a lot more anti-American
Kiwis caught out by cyber attacks (3News) Kiwi customers of communications giant Spark have been unwittingly caught up in a cyber attack on Eastern European websites — possibly by clicking on a link promising pictures of naked celebrities
Russian cyber war linked to Spark crash (Stuff) Spark's big internet crash at the weekend was not about naked celebrities but linked to Russia's cyberwar on Ukraine and Western powers' sanctions on Moscow, security sources say
Home Depot Confirms Payment Card Data Breach (SecurityWeek) After days of speculation, Home Depot has confirmed it was victimized in a data breach that compromised credit and debit cards at stores throughout the United States and Canada
Home Depot says, "Er, yes, we did have a breach actually" (Naked Security) Last week, we wrote about a possible data breach at Home Depot, the world's largest DIY chain
What you need to know about the Home Depot data breach (CSO) Home Depot has confirmed reports of a data breach impacting stores in the U.S. and Canada
These are the websites where hackers flip stolen credit card data after an attack (Quartz) The Home Depot data breach uncovered last week may be one of the largest cases of mass credit-card compromise ever. Data from every card used in a transaction at any US Home Depot store since late April or early May could be in the hands of hackers, who infiltrated company systems using malware similar to what was used in a 40 million-card theft from Target in December. The number of cards stolen from Home Depot is not known, but might exceed the Target total
In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud (Krebs on Security) Nearly a week after this blog first reported signs that Home Depot was battling a major security incident, the company has acknowledged that it suffered a credit and debit card breach involving its U.S. and Canadian stores dating back to April 2014. Home Depot was quick to assure customers and banks that no debit card PIN data was compromised in the break-in. Nevertheless, multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts
Here We Go Again: From Target to Home Depot (Cyactive Blog) PoS malware keeps on compromising new retail targets. This time a BlackPoS variant stole troves of credit card information from the Home Depot retail chain stores
Salesforce users hit with malware-based targeted attack (Help Net Security) Late last Friday, global cloud-based CRM provider Salesforce sent out a warning to its account administrators about its customers being targeted by the Dyreza malware
Why the HealthCare.gov breach matters (CSO) Core Security's Eric Cowperthwaite discusses the repercussions of a recent attack on a server used to test code for HealthCare.gov
'Kyle and Stan' Malvertising Network Targets Windows and Mac Users (Threatpost) A malvertising network that has been operating since at least May has been able to place malicious ads on a number of high-profile sites, including Amazon and YouTube and serves a unique piece of malware to each victim
No End In Sight For Ransomware (Dark Reading) The screenlocker Kovter, in particular, has shown sharp growth this year. It masquerades as a law enforcement authority and threatens police action if users don't pay up
California State University Reports Data Breach (Hacksurfer) California State University is notifying 6,036 individuals, mostly faculty and staff, of a data breach that occurred on August 23rd and has possibly compromised personal information including Social Security numbers
Alarm sounded over Peter Pan panto malware (IT Pro Portal) Phishing scam dupes victims over panto ticket claims
Security Patches, Mitigations, and Software Updates
OpenSSL warns vendors against using vulnerability info for marketing (IDG via CSO) Vulnerability information will be closely held until patches are ready, the OpenSSL Project said
Google will start gradually sunsetting SHA-1 (Help Net Security) Google has announced that it will begin the process of gradually sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39, which is due to be released in November
Cyber Trends
Exploit Kits: Cybercrime's Growth Industry (ThreatTrack Security) Cybercriminals have turned their attention away from exploiting Windows operating systems to pursuing the popular third-party applications installed on nearly every PC around the world. That is why patch management has become a critical layer in your malware defense
Tunnel vision: Train security as critical as planes and automobiles (CSO) In recent weeks you've heard a lot of discussion around the cyber risks to aircraft and automobiles
Kaspersky: Most Financial Services Firms Exposed to Cyber Threats (MSP Mentor) A new Kaspersky Lab survey shows 93 percent of financial services organizations were recently exposed to cyber threats
Unencrypted Laptop Thefts Expose Personal, Medical, Financial Data (eSecurity Planet) 'The benefits of encryption have been known for some time, but companies just aren't doing it,' says SafeNet chief strategy officer Tsion Gonen
The Security Implications of Wearables, Part 3 (TrendLabs Security Intelligence Blog) In the second post of this series, we discussed the first two types of attacks involving wearables. We will now proceed to the third type of attack, which can be considered the most damaging of the three
Where the Legal and Compliance Functions Intersect (Corporate Counsel) If your company has an in-house compliance function, where does it live? In about 40 percent of companies polled for a recent survey, the legal department owned compliance, while in another 24 percent the in-house lawyers shared the compliance responsibility
Managed Security Services: an internal issue with external consequences (IT Pro Portal) Managed Security Services (MSS) first rose to fame at the beginning of the 21st century with the promise of a flexible and personalised infrastructure, delivered with unparalleled expertise and knowledge. However, it has only been in the last couple of years that MSS has gotten the traction and attention it deserves as a service
Top Six IT Trends Impacting Business Networks (CircleID) For decades, IT followed business. Even the development of the World Wide Web didn't move this development much beyond the four walls of corporate offices — outside connections were essential but never informed the growth of business-critical technology
SMEs face increased risk of cyber attack (Cheddar Valley Gazette) Small and medium sized businesses can face costs of up to £65,000 as the result of a severe information security breach, according to the most recent Information Security Breaches Survey by the Department for Business, Innovation and Skills
Marketplace
Analysis: More Gaps Found In US Contracts Website (Defense News) Scathing as it was, the Government Accountability Office's (GAO's) recent report on the gaps and deficiencies of USAspending.gov left out a few things — problems that may give defense companies pause about relying too much on the government transparency website for business intelligence
General Dynamics to consolidate business units (C4ISR & Networks) General Dynamics is combining two units into one effective at the beginning of 2015, according to a company announcement today
Trustwave Opens a New Lab for 'Ethical Hacking' (TopTechNews) While the unethical hackers of the world look for security vulnerabilities in everything from routers to PIN-pads, the ethical hackers at Trustwave try to beat them to the punch. The cyber-security firm officially opened its ethical hacking lab this summer at its Chicago headquarters
Is FireEye A Good Investment? (Seeking Alpha) The expansion strategy of the company will allow it to diversify its revenue base and grow its margins over the next few years
Google Hires Quantum Computing Expert John Martinis to Build New Hardware (IEEE Spectrum) Google recently unveiled its intention to build new quantum computing hardware
Products, Services, and Solutions
ISACA launches COBIT 5 online (Help Net Security) ISACA launched the online version of COBIT 5, a resource center to improve governance and management of enterprise IT. The new online platform helps increase the utility of the COBIT 5 framework, a business framework that helps manage information and technology risk, and the COBIT family of products
IBM And Intel Combine To Deliver Chip-Level Security (Forbes) There's a strange thing happening with Intel and its partners
WatchGuard Technologies' New Policy Map Provides 'X-Ray' Vision Into Firewall Configurations and Network Traffic (MarketWatch) WatchGuard® Technologies, a leader in integrated security platforms, today announced the industry's first interactive, integrated policy mapping capability for Unified Threat Management (UTM) and Next-Generation Firewall (NGFW) appliances
Nine out of the Top Ten Mobile Operator Groups Now Securing Their Networks with AdaptiveMobile (MarketWatch) AdaptiveMobile today announced that it is now present in nine out of the top ten mobile operator groups globally, protecting over 1 billion subscribers from mobile security threats
FireHost Fuses Security and Compliance in Unique Compliance-as-a-Service Offering (BusinessWire) To help businesses protect their data and exceed PCI, HIPAA, and other regulatory requirements, secure cloud leader FireHost has announced the most complete compliance-as-a-service (CaaS) offering, making the fast-growing company the only cloud provider in the industry to deliver such a service
Vocus enlists Black Lotus to boost security in A/NZ (ARN) Vocus is seeing a phenomenal increase in DDoS attacks
Riverbed SteelApp Traffic Manager 9.7 Expands Security and Adds Microsoft Azure Capabilities to Optimize Application and Data Performance Across the Hybrid Enterprise (BusinessWire) Riverbed adds new web application firewall capabilities to Riverbed SteelApp for fast integration in data centers and the cloud
Powerful, free Microsoft security tool protects before other tools can (Kim Komando) Computer security is like a constant tug of war between software developers and hackers. Microsoft, for example, works hard to make Windows as secure as possible, and hackers work hard to find problems that Microsoft hasn't fixed yet
Technologies, Techniques, and Standards
Threat filtering: Strategizing serious threat detection (ZDNet) Standardized procedure on threat filtering isn't working out so well; to avoid being a 'target' today's organization needs an updated threat strategy
Why Breach Detection Is Your New Must-Have, Cyber Security Tool (TechCrunch) Cyber attacks are all over the news, and it seems like no one is immune — Home Depot, Target, Adobe and eBay included. So why are CIOs still fighting cyber criminals with one hand tied behind their backs?
"Google Dorking" — Waking Up Web Admins Everywhere (TrendLabs Security Intelligence Blog) Last July, the US Department of Homeland Security warned of a new kind of criminal attack: "Google dorking". This refers to using Google's special search operators to find things Google has already indexed. Let's look closely and see what this is
Simulators Solving Cyber Training Challenges (Defense News) Soldiers on the battlefield, with bombs exploding nearby and rifle fire coming from somewhere in the middle distance, are in no position to learn how to use the computing and communications systems that their lives might depend on. The time for training — thoroughly — is long before their boots hit the dirt
Cyber attack simulation key to get top management buy-in (ComputerWeekly) Investment by top management in cyber security is vital, and plunging them into the middle of a cyber attack is the best way to get their attention, says Marco Gercke, director for the Cybercrime Research Institute
Cyber Defense: Four Lessons from the Field (Endgame) In cyberspace, as in more traditional domains, it's essential to understand both your enemy and yourself
Design and Innovation
Crowdsourcing Competitions Encourage Malicious Behavior, Study Finds (Nextgov) Crowdsourcing competitions have fundamentally changed the way idea-sharing takes place online. Famous contests such as the 2012 Coca-Cola crowdsourced campaign for a new logo and Chicago History Museum's crowdsourced project for a new exhibit last year have created buzz around the practice
How not to do mobile strategy: Killing the skunk (CITEworld) Skunk works projects only work if you let them
Academia
Cyber Innovation Center receives $5M Department of Homeland Security grant (KTBS) Expands nation-wide roll-out of its education model to address national need for cyber work force
4 Good Digital Habits for a New School Year (Trend Micro Internet Safety for Kids and Families) As you make the transition from the leisurely pace of summer to the stressful balancing act of earlier bedtimes, new homework routines, and after-school activities, try to factor in how your kids' use of technology will change with it
Legislation, Policy, and Regulation
Wales Summit Declaration (NATO/OTAN) Issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales
Brushing Off Threats, E.U. Votes to Toughen Its Sanctions on Russia (New York Times) Unswayed by threats of retaliation from Moscow, including a possible ban on airlines from Europe flying over Russia, European leaders on Monday endorsed an expansion of economic sanctions against Russia, but backed off putting the new measures into effect immediately
Russian PM warns west against further sanctions (Guardian) Medvedev says Russia would respond 'asymmetrically' to new measures over Ukraine, possibly stopping flights in its airspace
Arab League issues proclamation on ISIS (CBS News) The Arab League agreed Monday to take urgent measures to combat extremists like the Islamic State of Iraq and Syria as one of its suicide bombers killed 16 people at a meeting of Sunni tribal fighters and security troops in Iraq
NSA reform bill is on hold. Should it include retroactive immunity for Snowden? (Washington Business Journal) A bill that would curtail the government's broad surveillance authority is unlikely to get a vote in Congress before November's elections, and even a vote in the lame-duck session is in doubt
Canada Wants to Regulate the Sale of Cyberweapons, But Hasn't Decided How (Motherboard) How can Canada prevent potential cyberweapons from being sold to malicious actors? Should the goal be to prevent the use of such tools against Canadians, to prevent human rights abuses abroad, or both?
Litigation, Investigation, and Law Enforcement
US Appeals Court hears arguments for shutting down NSA database and domestic surveillance (FierceBigData) Last week, a panel of three judges on the U.S. Court of Appeals for the 2nd Circuit heard arguments on the ACLU v. Clapper lawsuit against the U.S. government's domestic mass surveillance activities. This is the second of two such lawsuits filed against the government. The ACLU argues the surveillance violates the 4th Amendment while the federal government argued that the Patriot Act renders such activities lawful
FBI's account of locating Silk Road's server disputed by researchers (Help Net Security) The US government's explanation of how it managed to discover the location of the servers hosting Silk Road, the infamous online black market, is being disputed by a number of security researchers
FBI's Story of Finding Silk Road’s Server Sounds a Lot Like Hacking (Wired) To hear the FBI tell it, tracking down the secret server behind the billion-dollar drug market known as the Silk Road was as easy as knocking on a door
Home Depot Already Faces Breach Lawsuit (BankInfoSecurity) Although incident not yet confirmed, suit seeks damages
Security Clearance Contractor USIS Rebuffs Edward Snowden Attack (and More) (Roll Call) USIS, the biggest federal contractor for background checks for security clearances, had to be happy to get a U.S. Citizenship and Immigration Services contract worth $190 million recently, because the company had been on a bad news streak. All the contract seemed to do, though, was give ammunition to its critics — including a chorus of them from Capitol Hill — prompting USIS to issue a "myth vs. fact" declaration Monday
Data breach letters offer free credit monitoring (KOMO News) If you get a letter talking about "credit monitoring," don't throw it away. It's an effort to fight back against a cyber attack aimed at health care facilities. The letters are just hitting the mail, and because of the way they're written, some people are suspicious