Cyber Attacks, Threats, and Vulnerabilities
The Unlikely Alliance of Hackers Fighting the Islamic State (Mashable) A motley crew of unlikely allies are taking on the Islamic State online, taunting them, taking down Twitter accounts and allegedly jamming the group's communications, among other things
'Scottish independence link' to ISIS Scots hostage (Scotsman) Islamic extremists are threatening to kill Scottish aid worker David Haines to help secure a Yes vote in the independence referendum, an intelligence expert has claimed
Clearsky detected Gholee malware — The Israel-Gaza Conflict Takes to the Cyber-Arena (Security Affairs) Experts at Clearsky detected the Gholee virus which was likely developed by highly qualified factors, which may even be related to Israel's long-time nemesis Iran
Researchers find data leaks in Instagram, Grindr, OoVoo and more (C/NET) Private messaging isn't so private, say University of New Haven researchers who found Android apps transmitting and storing unencrypted images, chats, screenshots and even passwords
Home Depot Breach Linked to Target's? (BankInfoSecurity) Experts say BlackPOS malware is likely common thread
BlackPOS v2: New variant or different family? (Nuix: Unstructured) Media outlets have been abuzz the past week or so about a supposedly new variant of the infamous BlackPOS malware family
Home Depot breach reveals how challenging it is to ward off data theft (Washington Post) As Home Depot scrambles to determine the scope and scale of a potentially massive breach of its customers' data, the retailer's troubles underscore the challenges facing retailers and card issuers attempting to gird themselves against cybercriminals
Phishing miscreants are THWARTING securo-sleuths with AES crypto (Register) Well, at least someone listened to Snowden about privacy
25 varieties of malware aimed at Mac OS X this year (Trusted Reviews) Apple's computers have traditionally been less plagued by malware than PCs, but now a security firm has warned that hackers are taking aim at the Cupertino company's computers with 25 varieties of malware
Warning as hackers target Apple's iCloud (BBC) Cyber-thieves are exploiting the furore around iCloud by launching a phishing campaign that seeks to steal Apple IDs
Hacked Celeb Pics Made Reddit Enough Cash to Run Its Servers for a Month (Wired) If you saw Kate Upton or Jennifer Lawrence naked last week, there's a good chance you saw them on the social news site Reddit
For $390 you can buy an illegal Harvard email account on China's biggest online marketplace (Quartz) A gas can full of snake bile, breast-milk soap, the head of Tom Cruise — those are just some of the odd things you can buy on Alibaba's Taobao, China's biggest consumer-to-consumer online marketplace. Add to that fake or stolen university email addresses. In an investigation last week, IT security company Palo Alto Networks found email accounts from 42 universities for sale on Taobao, ranging from 0.98 yuan to 2,400 yuan ($0.16 to $390)
Personal data stores found leaking online (BBC) Thousands of Britons could be inadvertently sharing their digital secrets with anyone who knows where to click, suggests a BBC investigation
Research finds no large scale Heartbleed exploit attempts before vulnerability disclosure (Threatpost) In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations — perhaps the NSA — that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no exploit attempts in the months leading up to the public disclosure
Heartbleed patch efforts ignored on thousands of websites (TechTarget) Data from McAfee shows many organizations have yet to fully patch the Heartbleed vulnerability, and as many as 300,000 websites remain at risk
Security Patches, Mitigations, and Software Updates
Patch Tuesday wrap-up, September 2014 - why even a single-bit data leak is worth fixing (Naked Security) Patch Tuesday for September 2014 is here, bringing us security fixes from Adobe and Microsoft
Microsoft Security Bulletin Summary for September 2014 (Microsoft Security TechCenter) This bulletin summary lists security bulletins released for September 2014
EMET, AV Disclosure Leak Plugged in IE (Threatpost) The Operation SnowMan espionage campaign, which targeted military intelligence earlier this year via an Internet Explorer zero day, exposed a weak spot in Microsoft's vulnerability management efforts. What was unique about the SnowMan operation is that it included a check as to whether the compromised computer was running Microsoft's Enhanced Mitigation Experience Toolkit (EMET), and if so, the attack would not execute
Cyber Trends
Banks Reacting Faster to Card Breaches (BankInfoSecurity) Post-breach fraud window closing, but problems persist. Suspicions about a possible data breach at Home Depot arose, as in past breaches, after a big batch of stolen payment cards surfaced on an underground marketplace, selling for about $50 each
Officials worry about 'cyber Fort Hood' (Politico) An official says a 'self-radicalized insider' in IT could cause significant harm. The most dangerous cybersecurity threat facing U.S. military and intelligence agencies might not be another Edward Snowden aiming to steal secrets, but rather a rogue IT administrator bent on destruction of critical infrastructure, a senior Intelligence official told POLITICO
WH Official: Cyber coverage will be a basic insurance policy by 2020 (Nextgov) By 2020, private firms will be buying cybersecurity insurance when they sign up for product liability coverage and other basic policies, a top White House cyber official said Monday
Is International Hacking an Act of War? (Willis Wire) Historians will tell you that, despite the bloodshed in the Middle East and Africa, we are currently in one of the most peaceful periods in human existence. However, this era of ostensible peace has us wondering what future war will look like. Recent events may have answered that question. American financial institutions, however, may not like the answer
What U.S. organizations should know about foreign state-sponsored cyberattacks (VentureBeat) In recent weeks, reports have surfaced about several cyberattacks that targeted patient health records, critical infrastructure intelligence, employee data and personal financial and credit card information
Apple iCloud Hack's Other Victim: Cloud Trust (InformationWeek) Our flash poll finds users feel more vulnerable about cloud security in general. No wonder: Apple's opening statement of indignation now sounds a little hollow
Study: 15 Million Devices Infected With Mobile Malware (Dark Reading) Sixty percent of the infected devices run Android
Information commissioner: 'apps are failing to respect user privacy' (Guardian) Most apps do not disclose what they do with users' information, says ICO report, while many 'leave users struggling to find basic privacy information'
Marketplace
How Many Contractors Run Fed IT? (GovInfoSecurity) Agency oversight of vendors makes answering that query hard
Is Apple endangering privacy to cut costs? (FierceITSecurity) As Apple prepares to launch two iPhone 6 versions and a rumored iWatch, some are questioning whether Cupertino's reputation for iron-clad security is deserved
HP showcases security software that looks to detect infected and compromised computers (Networkworld) At its HP Protect Conference in Washington, D.C. this week, HP is taking the wraps off new security products that aim to detect infected and compromised machines as well as server-based software that makes use of so-called "run-time" self-protection to keep from getting infected in the first place
Watchful Software Closes Expansion Capital Round to Fuel Continued Growth (Bloomberg BusinessWeek) Watchful Software, a leading provider of data-centric information security solutions, announced today that it has received an equity investment from Hudson Fairfax Group, LP, a strategic investment firm with offices in New York, Washington, DC, and London specializing in business development, sales acceleration, and financial management of high growth companies in the cybersecurity sector
Your Network Is Already Hacked, But LightCyber May Be Able To Save You (TechCrunch) The Tel Aviv-based security startup LightCyber has some bad news for enterprises — their networks have already been compromised
CyberArk Advances Threat Analytics to Identify New Types of Malicious Privileged Behavior Across Systems and Users (Broadway World) CyberArk, the company securing the heart of the enterprise, today announced CyberArk Privileged Threat Analytics 2.0, an expert system for privileged account security intelligence. The expanded analytics includes new self-learning, behavior-based algorithms, enabling customers to detect attacks faster by pinpointing malicious privileged account activity previously hidden in the sheer volume of information collected by big data analytics solutions
FireEye Inc. (NASDAQ:FEYE) Revenues to be stretched with the Acquisition of Mandiant (BasicsMedia) FireEye Inc. (NASDAQ:FEYE) was surging on Monday trading session after its stock was upgraded by UBS AG (NYSE:UBS), from a 'Hold' rating, to a 'Buy.' In an interview on CNBC UBS Managing Director, Brent Thill, argued that the upgrade came at the back of the ongoing growth being experienced on the cyber solutions landscape
Meet The Company That Helped Twitter Launch Its Bug Bounty Program (Business Insider) Last week Twitter unveiled a brand new bug bounty program that pays security researchers (or hackers) to report vulnerabilities on its platform
Viscount Announces New Contract to Secure Sites for the U.S. Department of Homeland Security (Herald Online) Viscount Systems (OTCQB:VSYS), a leading provider of IT-based security software and services, today announced that it has been awarded additional contracts to secure U.S. Federal Government facilities in the state of New York for the Department of Homeland Security — United States Citizenship and Immigration Services (USCIS)
Federal agency to end contracts of background-check contractor USIS (AP via Stars and Stripes) The federal Office of Personnel Management plans to terminate its massive contracts with USIS, the major security clearance contractor that was targeted last month by a cyberattack, several officials said Tuesday. The computer network intrusion compromised the personal files of as many as 25,000 government workers
ForeScout bolsters European operations (Channel Pro) ForeScout adds key personnel in EMEA to meet demands for its network security platform
Guidance Software Appoints Ken Yearwood as Sales Director, Northern Europe (MarketWatch) Guidance Software, Inc., the World Leader in Digital Investigations™, today announced the appointment of Ken Yearwood as sales director for Northern Europe
Invincea Adds Amit Yoran and Tim Belcher to Advisory Team (Consumer Electronics Net) RSA senior exec Yoran takes independent board seat; NetWitness co-founder Belcher joins as strategic advisor
Products, Services, and Solutions
Security questions you should ask about Apple Pay (CSO) While promising, the strength of Apple Pay security won't be fully known until it is tested by hackers and security pros
RSA Turns the Table on Cyber Attackers (MarketWatch) New RSA® Advanced Security Operation Center Solution arms security teams with new tools to help identify undetected threats that often result in data breaches
Bitcoin bank uses security to sway opinion on virtual currency (FierceITSecurity) Many Bitcoin enthusiasts believe the function behind the new tech is already superior to fiat currencies, and the reasons virtual currencies haven't taken over the world yet are perception based
Gemalto Unveils Mobile Payments Security Hub (Light Reading) Gemalto (Euronext NL0000400653 GTO), the world leader in digital security, today introduces its Allynis Trusted Services Hub, a turnkey business service that enables financial institutions, enterprises, transport operators and more generally all digital service providers to benefit from a single connection in order to securely deploy their value-added and mobile payment services across a comprehensive portfolio of smartphones and mobile networks around the world
IBM M5 x86 servers come with security and efficiency features (Infotech Lead) Enterprise IT vendor IBM said its M5 portfolio of x86 servers come with innovations in security and efficiency — targeting mission-critical applications
Lacoon Collaborates With AirWatch to Manage and Reduce the Risks iOS and Android Devices Pose to Enterprises (Sys-Con Media) Lacoon provides additional layers of security for customers through a platform to assess, detect and mitigate risk
Porticor, nScaled Combine DRaaS and Encryption (Channelnomics) Customers wary of ascending to the cloud because of security and business continuity concerns: Take heart — vendors appear to be working overtime to put out solutions aimed at assuaging your fears
Juniper expands threat intelligence for more effective network defense (CSO) You may have heard that two heads are better than one — the basic premise being that different perspectives bring more to the table and enable the combined team to make better, more effective decisions. The same thing is true when it comes to threat intelligence and network security, which is why Juniper Networks is expanding the capabilities of its Spotlight Secure platform
Cyber Threat Intelligence Feeds (The Cyber Threat) The discipline of cyber threat intelligence focuses on providing actionable information on adversaries. This information is becoming increasingly important to enterprise cyber defense. This importance has resulted in investment and creation of many new/innovative sources of information on threat actors. This brings challenges of its own. How do you know which source to turn to for what reason? And at an even higher level, how do you know which sources to even consider?
Technologies, Techniques, and Standards
ONC drops 2015 'voluntary' EHR certification criteria, revises 2014 edition (FierceEMR) The Office of the National Coordinator for Health IT has issued a new final rule that makes the 2014 edition of certification criteria more flexible and folds in some of the criteria that had been proposed in its 2015 voluntary edition of electronic health record certification criteria, which the agency has opted to abandon
Content Security Policy (CSP) is Growing Up (Internet Storm Center) We have talked here about Content Security Policy (CSP) in the past. CSP is trying to tackle a pretty difficult problem. When it comes to cross-site-scripting (XSS), the browser and the user is usually the victim, not so much the server that is susceptible to XSS. As a result, it makes a lot of sense to add protections to the browser to prevent XSS. This isn't easy, because the browser has no idea what Javascript (or other content) to expect from a particular site. Microsoft implemented a simple filter in IE 8 and later, matching content submitted by the user to content reflected back by the site, but this approach is quite limited
Have Microsoft's Update Problems Changed Your Patching Policies? (Windows IT Pro) At one time or another, we've all experienced the pains of patching Microsoft products. It sometimes seems to be a never ending battle to test, test, test again, roll out updates and still be nipped in the butt. And, even though it can't be helped, it's the IT Pros that get blamed and heaped on the responsibility of fixing blue screens and hardware and application problems brought on by poorly designed updates
Cyber-Target Categorization (Science 2.0) The purpose of this article is to present a framework and a method for cyber-target categorization. The framework contains factors, which influence on cyber targeting process and the presented categorization method provides an example, how cyber-targets could be categorized to support targeting decision making
How a large ISP fights DDoS attacks with a custom solution (Help Net Security) DDoS attacks are a growing problem. In July, Arbor Networks released global DDoS attack data derived from its ATLAS threat monitoring infrastructure that shows a surge in volumetric attacks in the first half of 2014 with over 100 attacks larger than 100GB/sec reported
How to Protect Yourself From Big Bank-Card Hacks (Wired) With hackers stealing millions of credit and debit card numbers with seeming impunity from Target, Home Depot, and other retailers lately, it might seem as if there's nothing the average consumer can do to protect themselves
How a DNS Sinkhole Can Protect Against Malware (Infosec Institute) The Domain Name Service (DNS) is an integral part of Internet access. It translates human-recognized domain names into computer-readable IP addresses in order to facilitate online communication and connection between devices
How to Use the Information-Seeking Mantra in Cyber Intelligence Dashboards (Recorded Future) In the previous post, we got a glimpse of two important contributions of Edward Tufte to the field of data visualization: chartjunk and sparkline charts. Today, we'll be looking at another data visualization guru whose work can have a profound impact on your cyber intelligence project. We'll be discussing Ben Shneiderman's information-seeking mantra
The 21 most common misconfigurations that will come back to haunt you! (GFI Blog) Have you ever heard the phrase "if it ain't broke, don't fix it"? If you have, then you know sometimes it is best just to leave it alone. But no sysadmin worth their Ethernet cable can resist poking at new things in an attempt to figure out how they work. It is how we all got to the level we are now, and how we will advance to the next level. Sometimes, however, poking at things with a sharp stick can get us into trouble, and this list describes the 21 most common misconfigurations that will come back to haunt you, because poking at things randomly means trouble if you don't pay attention to the outcome!
Building Trojan Hardware at Home (Ethical Hacking) Malware, Viruses and Trojan horse can destroy your computer and network; most of the time they are software based, but have you ever imagined that a hardware based trojan might also destroy or simply steal private information from your computer; consider a recent celebrity hack
Treading the Line Between Security & Productivity (Baseline) Baptist Health's security plan encompasses two key issues: making printers secure and making security easy to implement so it does not decrease productivity
Symantec conducts mock drill to check cyber readiness of companies (Economic Times) Forty IT security executives from over two dozen companies last week saw themselves cross over to the other side — the executives who protect a firm's security system were instead trying to break into a website
Research and Development
DARPA is after vulnerabilities in algorithms implemented in software (Help Net Security) The Defense Advanced Research Projects Agency (DARPA) is looking for new program analysis techniques and tools to enable analysts to identify vulnerabilities in algorithms implemented in software used by the US government, military, and economic entities, and has announced it will be accepting research proposals on the subject until October 28
Academia
There aren't enough teachers with coding skills (Marketplace) The looming shortage of coders and programmers in the tech industry has been well-documented. There are about a million (er, give or take) digital job openings predicted in the next decade, which has some schools mandating coding class. But where are the teachers?
Naval Academy works on accrediting cybersecurity major (AP via Stars and Stripes) A U.S. Naval Academy dean says he's hoping to have cybersecurity accredited as a major by 2016. No U.S. school currently has a cybersecurity degree accredited by a leading organization, and the academy hopes to be among the first
Southern Methodist University Cybersecurity Program Trains Tomorrow's Data Defenders (Government Technology) The university is one of 44 institutions that are designated by the NSA and Department of Homeland Security as a National Centers of Academic Excellence in Information Assurance/Cyber Defense
National Security Institute to open on Computer Science Technology Day (Statesman) Stony Brook University is starting a National Security Institute on campus as a result of grants from the NYSUNY 2020 vision plan. The university plans to hire six tenure-track faculty members for the cybersecurity-focused institute during the next few years, according to the university's website
Legislation, Policy, and Regulation
Who Will Defend Tomorrow's Digital Countries? (Atlantic) Estonia is offering virtual citizenship to millions. They will need real military protection
New U.S. cyber target: digital Russian strategic command (Flash Critic) Russia announced this week that it is upgrading its strategic missile forces with a fifth-generation automated digital command and control network that is a strategic target for U.S. cyber warriors
Intelligence Challenges Grow, Available Resources Decline (SIGNAL) External threats and public revelations are only part of the large menu of setbacks confronting the community
Tech industry groups ask Senate to 'swiftly pass' NSA curbs (Computerworld) The coalition of tech industry groups say the NSA's surveillance practices have led to an erosion of trust that was affecting their business abroad
Let's pass cybersecurity legislation (The Hill) A bipartisan group of members in Congress are advancing legislation on an issue that deserves all of our attention — cybersecurity
The Senate must act to protect Americans from cyber crime (The Hill) Cyber criminals stealing private celebrity photos is just the tip of the iceberg. On a daily basis, hackers threaten to devastate our nation's economy and security. But Senate Democrats don't seem to understand the magnitude of the problem. For more than a year, the Senate has refused to consider common-sense cybersecurity legislation passed by the House of Representatives with strong bipartisan support. Meanwhile, the threat is growing
MeriTalk: Gov't Adopting Cloud but Concerned over Data Stewardship (ExecutiveGov) MeriTalk has released the findings of a study underwritten by NetApp and Arrow indicating that federal agencies are looking to expand their use of cloud but many remain wary about its potential impact to operations
The Cyber-Terror Bank Bailout: They're Already Talking About It, and You May Be on the Hook (Bloomberg BusinessWeek) Bankers and U.S. officials have warned that cyber-terrorists will try to wreck the financial system's computer networks. What they aren't saying publicly is that taxpayers will probably have to cover much of the damage
Nancy Pelosi Presses FCC to Ban Internet 'Fast Lanes' (Nextgov) House Minority Leader Nancy Pelosi wants to give federal regulators sweeping new powers over Internet access
How Wednesday's 'Internet Slowdown' is supposed to work (Washington Post) Wednesday, forces aligned in favor of stronger net neutrality rules will rally under the banner of Internet Slowdown Day, the latest push to funnel the public's attention to the Federal Communication Commission's on-going rulemaking on open Internet principles and practices
Companies that sell network equipment to ISPs don't want net neutrality (Ars Technica) IBM, Cisco, Intel, and Sandvine ask US not to regulate broadband as a utility
Army activates its first cyber protection brigade (Army Times) The Army on Sept. 5 activated a new Cyber Protection Brigade — the first of its kind in the Army — at Fort Gordon, Georgia
The Positive Side of Cyber (SIGNAL) All too often, the topic of cyber presents a negative view of vulnerabilities and attacks, but cyber has a positive role to play in national defense, said Lt. Gen. Edward Cardon, USA, commanding general, U.S. Army Cyber Command
Litigation, Investigation, and Law Enforcement
Campaign Aims to Block Oil Revenues, Deny Extremists' Access to Global Financial System (Wall Street Journal) The U.S. Treasury Department and Washington's allies are ramping up efforts to hit Islamic State's finances, particularly focusing on steps to choke off its oil sales, its donations from the Persian Gulf and its extortion rackets
Estonian Officials Meet With Detained Security Officer in Russia (Wall Street Journal) Estonian officials said Tuesday they had met with Eston Kohver, the Estonian security officer at the center of rising tension between Tallinn and Moscow, who is being held in a Russian jail accused of spying
AFP to embark on international placements in cybercrime fight (ZDNet) The Australian Federal Police is about to embark on a number of strategic placements within international crime fighting agencies, in a bid to take its fight against cybercrime offshore, according to its head of Cyber Crime Operations, Glen McEwan
Senators call for investigation of Home Depot breach (TechWorld) A recent breach raises questions about the company's data protection practices, two senators say
Microsoft agrees to contempt order so e-mail privacy case can be appealed (Ars Technica) The contempt order doesn't include any sanctions, but those could be sought later
Google grapples anew with EC in the search/advertising antitrust swamp (Naked Security) In a surprise move, the European Commission has poked the sleeping dragon by yet again reopening a four-year antitrust investigation into Google's search and advertising business
Kim Dotcom will get back computers seized during Megaupload raid (Ars Technica) Dotcom gets "clones" of his devices, as long as he gives passwords to NZ police