Cyber Attacks, Threats, and Vulnerabilities
Digital jihad: ISIS, Al Qaeda seek a cyber caliphate to launch attacks on US (Fox News) Jihadists in the Middle East are ramping up efforts to mount a massive cyber attack on the U.S., with leaders from both Islamic State and Al Qaeda — including a hacker who once broke into former British Prime Minister Tony Blair's Gmail account — recruiting web savvy radicals
Gmail Leak: 5 Million Addresses and Passwords Compromised (HGN) An archive file of 5 million Gmail addresses and plain text passwords have leaked online. Possibly 60 percent of the information is valid. Security experts don't want users to worry too much
Google denies breach after hackers leak millions of user logins (ComputerWeekly) Google has denied that its computer systems were breached and downplayed the threat after hackers claimed to have leaked 4.9 million Gmail logins
5 Million Gmail accounts hacked…or not (CSO) There it was on the screen staring back at me. The cursor blinked incessantly as I tried to wrap my head around the news. 5 million Gmail accounts had been compromised. I mopped the sweat from my brow with the back of my sleeve as I tried to regain composure. I reached across the desk for the bottle of headache remedy and flicked the cap off. It never seemed to be fastened
Yahoo, Amazon and YouTube Hit By Malvertising Campaign (Infosecurity Magazine) Security experts are warning that Yahoo, YouTube and Amazon amongst others are serving up malicious ads to Windows and Mac users thanks to a newly discovered malvertising network
Researchers analyze phishing campaign spreading 'vawtrak' malware (SC Magazine) Experts have discovered a phishing campaign targeting users with a phony PDF attachment that leads to the vawtrak malware
Crypto blunder makes TorrentLocker easy to crack (Virus Bulletin) Use of single XOR key leaves ransomware open to known-plaintext attack
iPwned: How easy is it to mine Apple services, devices for data? (Ars Technica) High-end tools, simple hacks can still make iPhone data less private than we'd like
Botnet Twists the Knife in iCloud Security (TechNewsWorld) Cybercrooks are preying on widespread fear over iCloud insecurity, luring users to give up the very information they want most to protect — their IDs and passwords. If you get an email from Apple informing you your account has been compromised and you need to click on a link and log in to fix it — just don't. In the meantime, what should Apple do? The short answer: more
Prosecting the Citadel botnet — revealing the dominance of the Zeus descendent: part one (Virus Bulletin) It is unlikely that anyone still thinks that cybercrime is performed by 16-year-old kids who write short pieces of code that wreak havoc all over the world, but if you do still hold that belief, it won't hurt to take a look behind the scenes of a modern botnet operation. Today's botnets show how cybercrime has become a professional 'industry' in which many tactics seen in the legitimate e-commerce and IT service industries are deployed
Prosecting the Citadel botnet — revealing the dominance of the Zeus descendent: part two (Virus Bulletin) Citadel is a sophisticated descendant of the Zeus botnet. In this two-part article, Aditya Sood and Rohit Bansal provide insight into the bot's design components, including its system infection and data exfiltration tactics. In this, the second part of the article, Aditya and Rohit present the results of their experiments
Zemot Malware Dropper Strain Delivered via Asprox Botnet and Exploit Kits (Softpedia) Zemot dropper is a strain of the Upatre malware downloader that has been observed by security researchers to benefit from multiple distribution points that include both compromised websites as well as the Asprox/Kuluoz spam botnet
Uncovering Malicious Browser Extensions in Chrome Web Store (TrendLabs Security Intelligence Blog) Months ago, Google published a blog post informing users of Google Chrome that they cannot install browser extensions from third parties. The reason: security. By only permitting extensions from the official Chrome Web Store, Google claims it would be able to police these extensions in order to prevent malicious ones
Hacker Threatens to Expose Bitcoin Founder Nakamoto After Cracking Email Account (Infosecurity Magazine) A hacker is threatening to expose the identity of Satoshi Nakamoto, after claiming to have compromised the email account of the Bitcoin creator
Computer hardware containing patient data stolen from Ohio plastic surgery office (SC Magazine) More than 6,000 patients of Beachwood-Westlake Plastic Surgery and Medical Spa in Ohio are being notified that their personal information was on computer hardware that was stolen during an office burglary
SnoopWall Cybersecurity Experts Issue Consumer Digital Privacy Protection Advisory for Mobile Banking Apps and Internet of Things (IoT) at CTIA's Super Mobility Week (Sys-Con Media) SnoopWall, the world's first counterveillance security software company, has issued a consumer protection advisory that consumers need to cover their television screens and their webcam lenses when not in use, and delete their mobile banking apps immediately
All About Rogue Mobile Apps: A Conversation with Tim Vert, Cyveillance Mobile Security Expert (Cyveillance Blog) As more organizations release mobile applications to satisfy customer demand for on-the-go services, instances of rogue or spoofed mobile apps are rising. There are a lot of questions when it comes to this evolving sphere of cyber security, so we recently sat down with Tim Vert, a mobile security expert and Manager in Cyveillance's Security Operations Center, to get some answers
2014 — An Explosion of Data Breaches and PoS RAM Scrapers (TrendLabs Security Intelligence Blog) The computer security industry will always remember 2013 as the year the U.S. suffered one of the largest data breaches in history. In a targeted attack, U.S. retailer Target was compromised during the Christmas shopping season using the BlackPOS malware, a PoS RAM scraper family. According to estimates, cybercriminals stole 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers
Russia Versus Wall Street: The JPMorgan Attack (Infosec Institute) JPMorgan Chase is the largest bank in the United States, with total assets of over $2.5 trillion. They reportedly spend about $250 million per year on technical security, or one dollar for every $10,000 they have in assets. They also employ more information security professionals than Google does, about a thousand compared to Google's approximately 400
Security Patches, Mitigations, and Software Updates
VMware patches third-party components in vSphere platform (IDG via CSO) VMware has updated third-party libraries and components used by its vSphere server virtualization platform to integrate security patches released in recent months
How Google's tiff with certificate authorities can impact you (CSO) Certificate authorities are calling on Google to give websites more time to make security changes before issuing warnings through the Chrome browser
Blackphone SSL security flaw was patched within days, says CEO (CSO) We responded quickly, says firm after researchers found issue
Cyber Trends
The War Of Zeros And Ones (Popular Science) Military operations around the world are quickly expanding into the digital realm. With cyberwarfare, we're all in the line of fire
A New Threat Grows Amid Shades of 9/11 (Wall Street Journal) The nation remains largely unaware of the potential for disaster from cyberattacks
Is there any part of government that hasn't been hacked yet? (Nextgov) Cybersecurity has been touted by the Obama administration as one of its top technology priorities over the past several years, but heightened visibility alone has done little to deter adversaries that include state-sponsored hackers, hackers for hire, cyber syndicates and terrorists
The financial industry's biggest cyber fears (MarketWatch) The FBI is investigating cyber attacks on J.P. Morgan Chase and as many as four other banks, according to reports, at a time when (legitimate) paranoia about hacking is becoming a mainstream concern
Cyber breaches rare among U.S. state-registered investment advisers: study (Reuters) Cyber security breaches are rare among investment advisory firms registered with U.S. states, but improvements to technology and procedures could still bolster protection of client information, state securities regulators said on Wednesday
Cyber loss surveyed (Professional Security) Nearly half, 48 per cent, of e-commerce/online retail businesses and 41 per cent of financial services organisations have reported losing some type of finance-related information to cybercriminal activities within a 12-month period
Marketplace
Veracode Closes $40 Million Funding Round (SecurityWeek) Veracode, a Burlington, Massachusetts-based provider of web and mobile application security testing solutions, today announced that it has closed a late-stage $40 million funding round led by Wellington Management with participation from previous investors
Israeli Cyber Startup LightCyber in $10 Million Funding Round (Wall Street Journal) Light Cyber Ltd., an Israel-based cyber-security start-up, has raised $10 million in a new funding round led by Battery Ventures
Iovation Gets Recognition on Inc. 5000 (Insurance News Net) Iovation has made the Inc. 5000, Inc. magazine's ranking of the nation's fastest-growing private companies
Ex-NSA Chief's Anti-Hacker Patent Sparks Ethics Questions (Bloomberg) A 5-month-old company in Washington has developed what it calls groundbreaking technology to thwart cyber-attacks before they've been identified — a significant advancement over current systems that react to known threats
Meet The Ex-NSA And Ex-Unit 8200 Spies Cashing In On Security Fears (Forbes) Before Edward Snowden smashed its digital doors wide open, the National Security Agency was seen as the mysterious keeper of an arsenal of dark-voodoo hacking weapons
Products, Services, and Solutions
Payment security bods: Nice pay-by-bonk (which NO ONE uses) on iPhone 6, Apple (Register) Retailers won't lose sales 'cos they can't take mobe payments
With Apple Pay and Smartwatch, a Privacy Challenge (New York Times) No one has considered Apple a serious data company, until now
IPhone Wallet Seen Boosting Demand for Gemalto Contactless Chips (Bloomberg) The new iPhone, set to be unveiled today with Apple Inc.'s first shot at a mobile wallet, may lead to a bonanza for providers of contactless technology such as Gemalto NV
Walmart banks on mobile payments, chip-and-PIN (FierceRetail) Walmart (NYSE:WMT) is counting on mobile payments and chip-and-PIN cards to not only improve security of retail transactions, but also make it easier for consumers to buy products
PayPal goes crypto-currency with Bitcoin (Register) eBay no Silk Road
Juniper Adds Lastline Advanced Threat Intelligence to SRX Firewalls (Dark Reading) Lastline Knowledge Base of Advanced and Evasive Threats immediately accessible and actionable through Juniper Spotlight Secure Platform
Cimcor Releases CimTrak 2.0.6.18 with Web Based Security Dashboard and Policy Manager (Virtual Strategy) CimTrak 2.0.6.18 File Integrity Monitoring and Compliance Solution now provides a new web-based dashboard to allow companies to gain greater insight into their infrastructure and security threats
Close to Home: IBM Puts Its Trust in Endpoint Manager, MaaS360 (CIO) Remember that commercial where the guy says he's not just the president of the company, he's a client, too? Hard to argue with someone who trusts the product that much. Which is why you might want to know that IBM didn't just develop Endpoint Manager; they use it, too
AVG claims zero day protection (Fudzilla) Protection from things which are not there now
Tenable's Technology Risk Management Dashboard Eases Compliance with Hong Kong's Financial Services Regulations (Japan Corporate News via Nasdaq) Tenable Network Security®, Inc. (Tenable), today announced the launch of its new SecurityCenter Continuous View (CV)™ pre-defined Technology Risk Management (TRM) dashboard for Hong Kong's financial institutions
CAST Launches Software Certification Program (TopTechNews) CAST, a leading provider of software analysis and measurement technology, today launched the CAST Software Certification Program to provide organizations with standards-based verification of the quality of their critical systems
Technologies, Techniques, and Standards
PCI Updates Skimming Prevention Guide (BankInfoSecurity) Best practices for protecting merchants from POS attacks
Want to Limit PCI DSS Scope? Use Tokenization (Infosec Institute) Every organization should follow a proactive rather than a reactive approach to protecting against the threats, risks and vulnerabilities to which its IT infrastructure is exposed, since these can lead to data loss, regulatory penalties, lawsuits and a damaged reputation. Along the same lines, the Payment Card Industry Data Security Standard (PCI DSS) was created to reduce credit card fraud by limiting the exposure of card data. In this article we are going to learn about the various ways in which PCI DSS scope can be reduced using tokenization
Addressing Security with the Board: Tips for Both Sides of the Table (CIO) Clearly security is a boardroom topic, but the trick is to get both sides on the same page
No business is too small for information governance (FierceContentManagement) Implementation doesn't have to cost a king's ransom
Beyond Buzzwords (Part II): Concrete Steps to Deploying an Effective Threat Intelligence Capability (Cyveillance Blog) A few days ago, we told you about a recent webinar on Defining Threat Intelligence, hosted by our own Eric Olson, Vice President of Product Strategy. Today we're going to recap Part II of that webinar, Concrete Steps to Deploying a Threat Intelligence Capability
The 7 Steps For Wi-Fi Security Without Slowing Employee Productivity (F-Secure Community Blog) Whether your employees are taking some personal vacation time or work-related business keeps them on the road, now is a perfect time to think about your company's Wi-Fi knowledge
A system that facilitates malware identification in smartphones (Alpha Galileo) Malware is a type of malicious program whose general aim is to profit economically by carrying out actions without the user's consent, such as stealing personal information or committing economic fraud. We can find it "in any type of device ranging from traditional cell phones to today's smartphones, and even in our washing machine," explained one of the researchers, Guillermo Suarez de Tangil, from the Computer Science Department at UC3M
tinfoleak — Get detailed information about a Twitter user activity (Kitploit) tinfoleak is a simple Python script that [allows users] to obtain
Design and Innovation
AVG Launches a 'Nutritional Label' Style Privacy Notice on its Mobile Apps (CNN Money) New AVG Short Data Privacy Notice for AVG's online security, privacy and performance apps makes it clear what information is collected and why
Research and Development
Researcher tracks photons to develop unprecedented quantum technology (Phys.org) Quantum photonics research could change the way we communicate, compute, and measure phenomena on the smallest scales possible
Academia
Colleges, Employers Team Up to Train, Hire High-Tech Workers (US News) A number of businesses are supporting technical education in hopes of producing a more experienced workforce
Legislation, Policy, and Regulation
The West is prepared to threaten Russia's oil future (Quartz) The US and Europe are on the brink of threatening the heart of the Russian economy: its oil industry. New sanctions would cut off Russia's access to the technology required to drill its richest new fields
Lu Wei: the internet must have brakes (China Media Project) Speaking to a panel on "the future of the internet economy" at the World Economic Forum's 2014 Summer Davos in Tianjin yesterday, Lu Wei, the director of China's State Internet Information Office (SIIO), said there must be "mutual integration" of international rules for internet governance and the national laws of various countries
UK National Cyber Security Programme not delivering promised economic benefits (Computerworld) NAO update paints mixed picture of progress
Senators hold out hope on info-sharing bill while Obama official points to other measures (Inside Cybersecurity) Homeland Security and Governmental Affairs Chairman Tom Carper (D-DE) and ranking member Tom Coburn (R-OK) today held out hope that information-sharing legislation can clear the Senate this year, while an administration official reiterated the call for action on less controversial measures
DOD Deputy CIO: 'Cybersecurity should vary by mission' (FCW) No "one size fits all" at the Pentagon
Implementation of Web portal delays HIPAA audits (FierceHealthIT) The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has delayed its second round of HIPAA audits while it works to get a Web portal up and running through which entities can submit information
Litigation, Investigation, and Law Enforcement
VA IG: About 75% of investigated facilities engaged in data manipulation (FierceGovernmentIT) About 75 percent of Veterans Affairs Department medical facilities being investigated by the VA inspector general manipulated data related to patient wait times, VA Acting IG Richard Griffin told a Senate panel Tuesday
U.S. antitrust official concerned by China anti-competition stance (Reuters) A top U.S. antitrust enforcer expressed concern on Wednesday about China's enforcement of its antitrust law after Beijing opened a probe into Qualcomm Inc for allegedly abusing its market position
Are the FBI and "weev" both hackers? (Ars Technica) FBI's conduct to find Silk Road servers was similar to "weev's" criminal hacking
How Online Black Markets Have Evolved Since Silk Road's Downfall (Wired) When the FBI tore down the billion-dollar drugs-and-contraband website Silk Road last October, its death made room for a new generation of black-market bazaars
3 gambling operators indicted for buying NK hacking software (Korea Times) Three men were indicted for buying hacking programs from North Korean agents to use for online gambling, prosecutors said Wednesday
U.K. man, who obtained bank details of 28K, pleads guilty to blackmail (SC Magazine) A U.K. man, Lewys Martin, pleaded guilty in London last week to blackmail, possession of articles for use in fraud and possession of indecent images of children, a report from a Bitcoin news site CoinTelegraph.com revealed