Cyber Attacks, Threats, and Vulnerabilities
Chinese Hacking Groups Team Up Against Government, Military Systems (Threatpost) Two Chinese cyber espionage campaigns are working in tandem in hopes of sniffing out trade secrets from surrounding nations
The Path to Mass-Producing Cyber Attacks (FireEye Blog) Lines of people, lines of parts. The modern production line is composed of individuals contributing to a larger process. This common manufacturing approach is efficient, effective, and profitable
Franchising The Chinese APT (Dark Reading) At least two different cyber espionage gangs in China appear to be employing uniform tools and techniques, FireEye finds
Massive Gmail credential leak is not result of a breach (Help Net Security) By now, you might have heard that there has been a leak of a nearly 5 million username and password combinations associated with Google accounts
Google Locks Down Stolen Credentials (BankInfoSecurity) Search giant says its systems were not breached
What you need to know about the Gmail password compromise (Computerworld via CSO) There's no need to panic about the nearly five million compromised Gmail passwords that appeared in a Russian Bitcoin security forum this week, according to Google
Home Depot Breach May Not Be Related To BlackPOS, Target (Dark Reading) New analysis of the malware earlier identified as a BlackPOS variant leads some researchers to believe that they are two different malware families entirely
Vulnerability in popular Joomla e-commerce extension puts online shops at risk (IDG via CSO) A critical vulnerability in a popular e-commerce extension for the Joomla content management system allows malicious users to gain super-admin privileges to sites that run the software
Incapsula — Semalt Botnet Spreading Strongly Across the Web (Spamfighter News) Security researchers of security firm Incapsula warn that the "Semalt" botnet is spreading quickly over the Internet
TorrentLocker unlocked! Buggy ransmoware allows easy recovery for victims. (Tripwire: The State of Security) Far from being the geniuses that the media like to portray, malicious hackers can make mistakes just as well as the next person… and that's certainly true of whoever was behind the TorrentLocker ransomware
Cycbot Backdoor (Infosec Institute) Cycbot is a malware that spreads using instant messaging and removable drives and contains backdoor functionality that allows unauthorized access to an affected computer
Your Ticket to Malware (Cyveillance) A recent spate of scam emails purporting to be e-tickets from a major airline has been spreading in the wild recently. The "ticket" is really a zipped malware executable. Here is what one of the scam emails looks like
MH17 plane crash victims exploited by cold-hearted scammers (We Live Security) When Malaysia Airlines Flight 17 (MH17) was shot down in Ukrainian airspace in July of this year, the world was understandably shocked
Security Patches, Mitigations, and Software Updates
US-CERT Warns of Vulnerability in Cisco Baseboard Controller (Threatpost) US-CERT today released an advisory warning of a vulnerability in Cisco's Integrated Management Controller (IMC). Cisco released an update that patches the security hole
Cisco Unified Computing System E-Series Blade Servers Cisco Integrated Management Controller SSH Denial of Service Vulnerability (Cisco) A vulnerability in the Cisco Integrated Management Controller (Cisco IMC) SSH module of the Cisco Unified Computing System E-Series Blade servers could allow an unauthenticated, remote attacker to cause a denial of service condition
Microsoft patch fixed IE flaw used against U.S. military (CSO) Microsoft's batch of patches released this week for Internet Explorer included a fix for a vulnerability exploited in February by hackers hunting for U.S. military secrets
Cyber Trends
How Apple Pay could make the Target and Home Depot breaches a thing of the past (IDG via CSO) The launch of Apple's mobile payment system could prove a turning point in the battle to secure your debit and credit card information from hackers
Apple Pay: A Necessary Push To Transform Consumer Payments (Dark Reading) Apple Pay is a strategic move that will rival PayPal and other contenders in the mobile wallet marketplace. The big question is whether consumers and businesses are ready to ditch the plastic
Envisioning a Collaborative Approach to Cybersecurity (Corporate Counsel) Unless Congress acts on a major cybersecurity bill this session, the U.S. will face "a major catastrophic event" that takes down an American company or institution in the next 18 months, according to Rep. Michael Rogers, R-Mich., chairman of the U.S. House of Representatives Select Committee on Intelligence
Information Sharing on Threats Seen as a Key for Auto Makers (Threatpost) A small segment of the security research community has been spending a lot of time tearing apart the innards of various vehicles and looking at ways that the computers and local networks that reside in modern cars can be hacked. There has been some remarkable success on this front, and while auto makers haven't paid much attention so far, the acting head of the National Highway Traffic Safety Administration says that it's time they did
Why Turning Data Into Security Intelligence Is So Hard (Security Intelligence) I was hanging out in a local graveyard a few years ago doing math on the ages of the people buried there when it suddenly occurred to me why turning massive volumes of data into security intelligence is so hard
The systems is REALLY broken — even the banks don't get ICS cyber security (Control) Several months ago I was approached by an executive at a large bank. The concern was cyber security of their building controls and the lack of a bridge between the IT security people and the building controls people
Privacy, Security & The Geography Of Data Protection (Dark Reading) Data generation is global, so why do different parts of the world react differently to the same threat of security breaches and backdoors?
Nearly Half of Businesses Surveyed by Pwnie Express Say They Don't Thoroughly Assess Security at Remote and Branch Locations (Digital Journal) Nearly half of businesses surveyed don't assess their wireless assets at remote and branch locations, leaving the entire organization exposed to cyber attack
Consumers worried about call centre security, new survey reveals (Graham Cluley) We're all becoming far too familiar with stories of large organisations being hacked and sensitive information being stolen
Most people still unconcerned about privacy threats (Help Net Security) While cyber thieves continue to breach major corporations such as JP Morgan and, just last week, the Salvation Army and Home Depot, Americans still seem to be unconcerned about the growing cyber crisis, according to idRADAR
29 data losses per day as ANZ companies struggle with security (IT Brief) A staggering 90 percent of Australian and New Zealand organisations experienced data loss events, according to Check Point Software Technologies' 2014 Security Report
Malicious Web access skyrockets (ITWeb) The threat of unknown malware is on the increase, says Doros Hadjizenonos, Check Point's sales manager for SA. Hackers have stepped up their game so as to infiltrate organisations, mainly for financial gain
Marketplace
Startup Uncovers Flaws In Mobile Apps, Launches New Security Service (Dark Reading) Wandera says only one of seven US employees is given any guidance on mobile security by the employer
Rook Security Takes Top Honors For Most Innovative Managed Security Service At Golden Bridge Awards (Herald Online) Latest accolade adds to growing list of industry recognition garnered by rapidly expanding Indiana security consulting and managed services firm
Frost & Sullivan Names Procera Networks' President and CEO James Brear a Silicon Valley Legend at GIL 2014 (IT Business Net) Procera Networks, Inc. (NASDAQ: PKT), the global Subscriber Experience company, today announced that president and CEO, James Brear, will be honored as a Legend of Silicon Valley
Products, Services, and Solutions
What security experts think about Apple Pay (Help Net Security) Apple announced Apple Pay, a new category of service that works with iPhone 6 and iPhone 6 Plus through a NFC antenna design, a dedicated chip called the Secure Element, and the security and convenience of Touch ID
Cimcor Releases CimTrak 2.0.6.18 with Web Based Security Dashboard and Policy Manager (IT Business Net) Cimcor, Inc. announced a major new version of their file integrity monitoring and compliance software suite, CimTrak Version 2.0.6.18
Technologies, Techniques, and Standards
Your configuration files are showing (CSO) One of my favorite activities is using search engines to hunt for things that, realistically, I should not be able to find. Recently, I was able to find thousands of sites with their databases exposed. This time I was able to unearth a treasure trove of configuration files on a wide range of devices. These configuration files showed routes, rules and even passwords
Security of Password Managers (Schneier on Security) At USENIX Security this year, there were two papers studying the security of password managers… It's interesting work, especially because it looks at security problems in something that is supposed to improve security
Password Managers: Attacks and Defenses (Stanford University) We study the security of popular password managers and their policies on automatically filling in Web passwords. We examine browser built-in password managers, mobile password managers, and 3rd party managers. We observe significant differences in autofill policies among password managers. Several autofill policies can lead to disastrous consequences where a remote network attacker can extract multiple passwords from the user's password manager without any interaction with the user. We experiment with these attacks and with techniques to enhance the security of password managers. We show that our enhancements can be adopted by existing managers
The Emperor's New Password Manager: Security Analysis of Web-based Password Managers (USENIX) We conduct a security analysis of five popular web-based password managers. Unlike "local" password managers, web-based password managers run in the browser. We identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user's credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root-causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS. Our study suggests that it remains to be a challenge for the password managers to be secure. To guide future development of password managers, we provide guidance for password managers. Given the diversity of vulnerabilities we identified, we advocate a defense-in-depth approach to ensure security of password managers
Are free file storage solutions a safe bet for businesses? (Help Net Security) The benefits of cloud computing are becoming increasingly recognized, and with this heightened understanding comes growing numbers of UK businesses that are embracing the use of the cloud for the storage of data
Hacker publishes tech support phone scammer slammer (Register) Now who's got a 'security problem on your computer'?
Design and Innovation
Facebook tests Snapchat-like vanishing act for posts (Naked Security) Good morning, Facebook citizens. Your mission, if you choose to accept it, is to have your Facebook postings self-destruct in 5 seconds
Research and Development
DHS Transition To Practice Program Aided By Sandia Cyber Testing (Homeland Security Today Staff) Cybersecurity technologies developed at Sandia National Laboratories and at other federal labs "now stand a better chance of finding their way into the real world" through the Department of Homeland Security's Transition to Practice (TTP) program
Head of DHS's R&D arm says new strategic plan will better meet user needs (FierceHomelandSecurity) The head of the Homeland Security Department's research and development arm told lawmakers Sept. 9 that the long-term strategy that his organization is currently developing will better meet what Border Patrol agents and other end users need to do their jobs
Academia
Oculus CEO Brendan Iribe Donates $31M To Build VR Lab At His Alma Mater University Of Maryland (TechCrunch) Brendan Iribe dropped out of University Of Maryland his freshman year to launch a startup before going on to form Oculus. But now inspired by Mark Zuckerberg's philanthropy and made rich by Zuck's company buying Oculus for $2 billion, Iribe is donating $31 million to build the Brendan Iribe Center for Computer Science and Innovation at University Of Maryland (UMD), plus set up a CS scholarship
Intro to computer science is now the most popular course at Harvard (Quartz) Harvard students know which way the wind is blowing. According to a report from the Harvard Crimson, the school's introductory computer science class (CS50) has a record 818 undergraduates this fall. Twelve percent of undergraduates are taking the course, making it the most popular Harvard course in at least a decade
The MOOC Revolution That Wasn't (TechCrunch) Three years ago this week, Sebastian Thrun recorded his Stanford class on Artificial Intelligence, released it online to a staggering 180,000 students, and started a "revolution in higher education." Soon after, Coursera, Udacity and others promised free access to valuable content, supposedly delivering a disruptive solution that would solve massive student debt and a struggling economy. Since then, over 8 million students have enrolled in their courses
Legislation, Policy, and Regulation
The Mouse That Roars (Foreign Policy) Tiny Jordan's spies have helped the United States hunt down some of its most dangerous enemies. Now Obama is hoping those spooks can beat the Islamic State
E.U. tightens sanctions against Russian banks, defense companies and individuals (Washington Post) The European Union's new economic sanctions against Russia will go into effect Friday, for the country's involvement in the Ukraine crisis. The U.S. is scheduled to outline to outline a new series of sanctions Friday
Treasury expands sanctions on Russia over Ukraine conflict (MarketWatch) The Treasury Department announced expanded sanctions against Russian businesses on Friday in response to "continued Russian efforts to destabilize eastern Ukraine." Russia's largest bank, Sberbank, will no longer have access to long-term debt financing from the U.S. In addition, the U.S. is blocking the assets of five state-owned defense-technology firms. U.S. companies will also be blocked from cooperating with five firms in the Russian energy sector, including Gazprom gazp Lukoil and Rosneft rosn
Putin's new counter-sanctions are aimed at selling more Russian stuff, not punishing the West (Quartz) With draconian new western sanctions looming today, Russian president Vladimir Putin is planning what his aides call "asymmetric" retaliation. But rather than punishing the West directly, he seems to be pushing to make Russia more economically self-reliant — while also taking care not to rile Russians who are accustomed to a wide range of western goods
Official: US laws need to be updated to help DHS better tackle cyber threats and attacks (FierceHomelandSecurity) A top Homeland Security Department official told Senate lawmakers Sept. 10 that Congress needs to update laws to help the department better tackle the growing threat of cyber threats and attacks
Gillibrand: On The 13th Anniversary Of 9/11, Let's Help Businesses Fight Cyber Terrorism (Forbes) Nearly every day now, news of a new cyber-attack possibility hits the front pages: Credit card theft, hacked hospitals, or even a "Fort Hood in cyberspace." To most of us whose lives don't typically intertwine with the tech industry, these digital crimes lack the immediacy of fear-inducing physical threats. But a well-planned cyber-attack could certainly cause the kind of damage we would expect from a natural disaster or a violent terror attack
Dropbox Calls For Support Of The Senate's NSA Reform Bill (TechCrunch) This morning, Dropbox released new information detailing government requests for its user data, and information about certain user accounts. The company also called for the passage of the Senate's version of the USA FREEDOM Act
Privacy advocates, tech companies nudge Congress to protect 'abandoned' e-mails (Washington Post) Ranging from Adobe to the ACLU, from Facebook to FreedomWorks, and from Twitter to the Taxpayers Protection, a coalition of more than 80 civil liberties groups and tech companies has sent a pair of letters to Congress meant to nudge the House and Senate into moving ahead with a vote on legislation that would require e-mails stored longer than six months to be accessed only by a warrant
Settling Cyber Differences (SIGNAL) Military officials will attempt to reach agreement on critical cyber issues
Army Cyber Chief: Let's Get Closer To Industry (Defense News) To keep pace with rapid changes in the cyber domain, the military needs "a much tighter relationship between industry and government," the head of U.S. Army Cyber Command said Thursday
Did You Know You Had Diabetes? It's All Over the Internet (Bloomberg) Dan Abate doesn't have diabetes nor is he aware of any obvious link to the disease. Try telling that to data miners
Litigation, Investigation, and Law Enforcement
Statement by the Office of the Director of National Intelligence and the U.S. Department of Justice on the Declassification of Documents Related to the Protect America Act Litigation (IC on the Record) On January 15, 2009, the U.S. Foreign Intelligence Surveillance Court of Review (FISC-R) published an unclassified version of its opinion in In Re: Directives Pursuant to Section 105B of the Foreign Intelligence Surveillance Act, 551 F.3d 1004 (Foreign Intel. Surv. Ct. Rev. 2008). The classified version of the opinion was issued on August 22, 2008, following a challenge by Yahoo! Inc. (Yahoo!) to directives issued under the Protect America Act of 2007 (PAA). Today, following a renewed declassification review, the Executive Branch is publicly releasing various documents from this litigation, including legal briefs and additional sections of the 2008 FISC-R opinion, with appropriate redactions to protect national security information. These documents are available at the website of the Office of the Director of National Intelligence (ODNI), and ODNI's public website dedicated to fostering greater public visibility into the intelligence activities of the U.S. Government
US threatened Yahoo with $250,000 daily fine over NSA data refusal (Guardian) Company releases 1,500 documents from failed suit against NSA over user data requests and cooperation with Prism compliance
US Government Requests Access to Non-Existent Dropbox Accounts (Infosecurity Magazine) US government requests for access to Dropbox user content and account details rose in line with subscriber numbers over the first half of 2014, but several of the accounts requested didn't actually exist, according to the firm
TV monitoring service is fair use, judge rules (Ars Technica) Fox News sued TVEyes, which records television 24/7/365 — but it's fair use
