Cyber Attacks, Threats, and Vulnerabilities
LinkedIn Feature Exposes Email Addresses (Krebs on Security) One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing
Here's What Hackers Can Do With Your CRM Data (Forbes) It is clear why malware writers target such retailers as Home Depot and Target. It is obvious, if not pathetic, why hackers break into the cloud to find and publish private nude photos of celebrities
Freenode suffers breach, asks users to change their passwords (Help Net Security) Popular IRC network Freenode has suffered a security breach and is asking users to change their passwords, as they might have been compromised
SNMP-Based DDoS Attack Spoofs Google Public DNS Server (Threatpost) The SANS Internet Storm Center this afternoon reported SNMP scans spoofed from Google's public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic
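In a reflection attack the replies go to the spoofed source address, so whichever address is being impersonated is the one that receives the flood, and the SNMP-enabled devices that answer are the reflectors. The check below is an added example, not code from the ISC or Threatpost reports: it runs over a few constructed flow-log lines (a hypothetical firewall export format) and flags UDP/161 requests "from" Google Public DNS as spoofed, since a recursive resolver never originates SNMP, together with the amplified responses being reflected back at it. The resolver addresses 8.8.8.8 and 8.8.4.4 and the log format are assumptions.

```python
"""Flag spoofed SNMP reflection traffic in constructed flow-log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumption: the spoofed source is Google Public DNS. A recursive resolver never
# originates SNMP requests, so UDP/161 traffic "from" it cannot be genuine.
SPOOFED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}
SNMP_PORT = 161

# Constructed, hypothetical flow-export format: one flow per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<sip>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dip>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+len=(?P<length>\d+)$"
)

# Constructed sample: a spoofed GetBulk-sized request to a router, the large
# reply reflected to 8.8.8.8, ordinary DNS traffic, and a legitimate internal poll.
SAMPLE_FLOWS = """\
2014-09-15T14:02:11Z src=8.8.8.8:51020 dst=203.0.113.7:161 proto=udp len=77
2014-09-15T14:02:11Z src=203.0.113.7:161 dst=8.8.8.8:51020 proto=udp len=1400
2014-09-15T14:02:12Z src=198.51.100.5:53211 dst=8.8.8.8:53 proto=udp len=60
2014-09-15T14:02:12Z src=8.8.8.8:53 dst=198.51.100.5:53211 proto=udp len=120
2014-09-15T14:02:13Z src=203.0.113.9:44000 dst=203.0.113.7:161 proto=udp len=77
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    sip: str
    sport: int
    dip: str
    dport: int
    proto: str
    length: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Flow(d["ts"], d["sip"], int(d["sport"]), d["dip"], int(d["dport"]),
                d["proto"].lower(), int(d["length"]))


def classify(flow: Flow) -> Optional[str]:
    """Label a flow as the spoofed request, the reflected reply, or neither."""
    if flow.proto != "udp":
        return None
    if flow.dport == SNMP_PORT and flow.sip in SPOOFED_RESOLVERS:
        return "spoofed-snmp-request"
    if flow.sport == SNMP_PORT and flow.dip in SPOOFED_RESOLVERS:
        return "reflected-snmp-response"
    return None


def scan(text: str) -> list:
    """Return (flow, verdict) pairs for every suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict:
            findings.append((flow, verdict))
    return findings


def amplification_by_reflector(findings: list) -> dict:
    """Bytes reflected divided by bytes of spoofed requests, per answering device."""
    req, resp = defaultdict(int), defaultdict(int)
    for flow, verdict in findings:
        if verdict == "spoofed-snmp-request":
            req[flow.dip] += flow.length
        else:
            resp[flow.sip] += flow.length
    return {dev: resp[dev] / req[dev] for dev in req if req[dev] and dev in resp}


if __name__ == "__main__":
    hits = scan(SAMPLE_FLOWS)
    for flow, verdict in hits:
        print(f"{flow.ts} {flow.sip}:{flow.sport} -> {flow.dip}:{flow.dport} {verdict}")
    print(amplification_by_reflector(hits))
```

The legitimate poll from 203.0.113.9 is not flagged, which is the point of keying on the impersonated address rather than on port 161 alone; the per-device ratio is what tells you how attractive each answering device is as a reflector.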
Google Apps scripts can be easily misused by scammers (Help Net Security) Andrew Cantino, VP of Engineering at Mavenlink but also a bug hunter in his free time, has discovered that Google Apps Scripts can be misused by attackers to access users' email and other information
Flaw in Android Browser Allows Same Origin Policy Bypass (Threatpost) There's a serious vulnerability in pre-4.4 versions of Android that allows an attacker to read the contents of other tabs in a browser when a user visits a page the attacker controls. The flaw is present in a huge percentage of the Android devices in use right now, and there's now a Metasploit module available to exploit the vulnerability
Worm Illuminates Potential NAS Nightmare (Dark Reading) A researcher at Black Hat Europe hopes to demonstrate a homegrown, self-replicating worm to illustrate major threats to popular network-attached storage systems
DNS cache poisoning attacks to steal emails are reality (Security Affairs) CERT warns that DNS Cache Poisoning attacks could be used also to hijack email to a rogue server and not only to divert the Internet traffic
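A poisoned MX or mail-server A record is only accepted if the resolver lets a response smuggle in records it was not authoritative for. The bailiwick check below is an added example written for this item, not code from CERT or the article: it models a resolver that discards a response whose transaction ID or question does not match the outstanding query, and drops any record whose owner name lies outside the zone the queried server is authoritative for. The record layout, names and addresses are constructed.

```python
"""Resolver-side defence against cache poisoning: transaction and bailiwick checks."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str


@dataclass
class Query:
    txid: int
    qname: str
    qtype: str


@dataclass
class Response:
    txid: int
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def canon(name: str) -> str:
    """Case-fold and strip the trailing dot so comparisons are on canonical names."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or a descendant of it (label-aligned)."""
    n, z = canon(name), canon(zone)
    return n == z or n.endswith("." + z)


def accept_response(query: Query, resp: Response, zone: str) -> Tuple[List[RR], List[RR], str]:
    """Return (accepted, rejected, reason).

    The whole response is rejected when its txid or question differs from the
    outstanding query; otherwise individual out-of-bailiwick records are dropped.
    """
    all_rrs = resp.answer + resp.authority + resp.additional
    if (resp.txid != query.txid
            or canon(resp.qname) != canon(query.qname)
            or resp.qtype.upper() != query.qtype.upper()):
        return [], all_rrs, "transaction/question mismatch"
    accepted, rejected = [], []
    for rr in all_rrs:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected, "ok"


# Constructed scenario: we asked example.com's authoritative server for its MX
# record.  The reply carries a legitimate glue A record and an injected A record
# for a mail host in a different zone (the email-hijack case).
QUERY = Query(txid=0x1A2B, qname="example.com.", qtype="MX")
GOOD_RESPONSE = Response(
    txid=0x1A2B, qname="example.com.", qtype="MX",
    answer=[RR("example.com.", "MX", "10 mail.example.com.")],
    additional=[
        RR("mail.example.com.", "A", "192.0.2.25"),      # in bailiwick
        RR("mail.partner.test.", "A", "203.0.113.66"),   # injected, out of bailiwick
    ],
)
# A blind-spoofing attempt that guessed the transaction ID wrong.
SPOOFED_RESPONSE = Response(
    txid=0x1A2C, qname="example.com.", qtype="MX",
    answer=[RR("example.com.", "MX", "10 mail.partner.test.")],
)


if __name__ == "__main__":
    acc, rej, why = accept_response(QUERY, GOOD_RESPONSE, "example.com")
    print(why, "accepted:", [r.name for r in acc], "rejected:", [r.name for r in rej])
    print(accept_response(QUERY, SPOOFED_RESPONSE, "example.com")[2])
```

The suffix test is deliberately label-aligned: `notexample.com` and `example.com.attacker.test` are both outside `example.com`, and a plain string `endswith("example.com")` would get the first one wrong. Bailiwick checking limits what a single forged response can plant; randomised source ports and transaction IDs, and DNSSEC validation, are what make the forged response unlikely to be accepted in the first place.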
Bulletin (SB14-258) Vulnerability Summary for the Week of September 8, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Cyber Trends
Why retailers like Home Depot get hacked (CSO) Retailers like Home Depot, which recently suffered a major data breach, have known for years about vulnerabilities in payment systems, but have chosen to ignore them, experts say
Retailers grappling with higher costs of fraud, survey shows (FierceCFO) Mobile commerce seen as thorniest problem for retailers dealing with a big spike in fraud
2 stores, 100M hacks. Where's cybersecurity? Our view (USA Today) Consumers deserve better from U.S. companies than excuses
5 Myths: Why We Are All Data Security Risks (Dark Reading) I am absolutely sure that I could be tricked by a well-crafted spear phishing attack, and I am equally sure I could do the same to you
Your adviser could be an easy target for cyber crooks (MarketWatch) At a time when security experts, regulators and law enforcement are warning of attacks on the financial sector, more than one-third of registered investment adviser firms don't do risk assessments for cyber threats, vulnerabilities or potential consequences, new data finds
Ready, aim, click (My Broadband) If World War III promises to be digital, we must be as prepared as we can be
Our Cyborg Future: Law and Policy Implications (Brookings) In June 2014, the Supreme Court handed down its decision in Riley v. California, in which the justices unanimously ruled that police officers may not, without a warrant, search the data on a cell phone seized during an arrest. Writing for eight justices, Chief Justice John Roberts declared that "modern cell phones…are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy"
Cyber Security Professionals are Sheep Awaiting Slaughter (Seculert) In a recent article, New York Times technology reporter Nicole Perlroth recounts a gag that, in one variation or another, is racing its way through the cyber security community as only droll jokes can. It goes like this
System failures cause most large outages of communications services (Help Net Security) The European Union Agency for Network and Information Security (ENISA) published a report about large-scale outages in the electronic communication sector. It provides an aggregated analysis of the security incidents in 2013 which caused severe outages
Marketplace
How Edward Snowden boosted infosecurity business and…cybercrime (SC Magazine) Whatever Snowden's motivations, Ilia Kolochenko contends that the industry has misused the resulting information and often sold kit rather than true security solutions and expertise
Crime Ring Revelation Reveals Cybersecurity Conflict of Interest (Scientific American) Hold Security's nebulous report on the "CyberVor" online hacker gang exposed the cybersecurity world's troubling practice of uncovering online threats and then selling proposed solutions
CyberArk IPO Gets Boost as Breaches Trigger Industry Gain (Bloomberg) The data breaches that have rocked corporate America in recent weeks couldn't have come at a better time for CyberArk Software Ltd
Insider Selling: Eric Hahn Sells 10,000 Shares of Proofpoint Stock (PFPT) (WKRB) Proofpoint (NASDAQ:PFPT) Chairman Eric Hahn sold 10,000 shares of Proofpoint stock in a transaction that occurred on Tuesday, September 9th. The stock was sold at an average price of $39.87, for a total transaction of $398,700.00
Joseph DiZinno Named American Systems Identity Intell VP (GovConWire) Dr. Joseph DiZinno, a two-decade FBI veteran and a former executive at BAE Systems, has joined American Systems as vice president of identity intelligence for the Chantilly, Virginia-based government services contractor
Products, Services, and Solutions
Tim Cook Holds Firm On iMessage Security: It's Encrypted, And We Don't Have A Key (TechCrunch) As Apple continues to come under some attack for how it handles iCloud security, the company's CEO Tim Cook is holding firm on the company's priorities when it comes to data protection
Cisco's industrial Internet of Things campaign hones in on railroads (TechTarget) Cisco's Connected Rail effort kicks off its strategy for an industrial Internet of Things, with a reference architecture for a network that can improve operations and passenger services for passenger and freight systems
Brit to Launch Cyber Attack Product (BusinessWire) Brit PLC ('Brit' or 'the Group'), a market-leading global specialty insurer and reinsurer, has developed a unique insurance service to protect companies operating critical infrastructure and industrial machinery from terrorist and other malicious attacks, such as sabotage, espionage and theft
Comcast calls rumor that it disconnects Tor users "wildly inaccurate" (Ars Technica) The Internet is mad at Comcast, but the latest rage appears to be unjustified
EventTracker Announces 7.6 with Smart Search (Dark Reading) EventTracker Enterprise 7.6 new features simplify the extraction of operational and security intelligence from machine data
Technologies, Techniques, and Standards
Draft NISTIR 8023: Risk Management for Replication Devices (NIST) This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on replication devices (RDs). It suggests appropriate countermeasures in the context of the System Development Life Cycle. A security risk assessment template in table and flowchart format is also provided to help organizations determine the risk associated with replication devices
Windows malware must be top endpoint security priority (TechTarget) The number of endpoint security vulnerabilities is daunting, but endpoint admins should first focus on updating patches against Windows malware
Emerging cloud threats and how to address them (Help Net Security) As organizations deploy and harness private, community and hybrid clouds, they encounter new types of threats, along with the old ones they've been battling for years
WordPress Security Checklist (Help Net Security) WordPress is not only easy to use, it also comes with many plugins and themes for you to choose from, making it extremely customizable. However, like all other popular platforms, it is also more prone to hacking
Research and Development
Open-source project promises easy-to-use encryption for email, instant messaging and more (IDG via CSO) A software development project launched Monday aims to create free tools that simplify the encryption of online forms of communication like email, instant messaging, SMS and more by solving the complexity associated with the exchange and management of encryption keys
Patterns in banking personal identification numbers (FierceBigData) If you've ever wondered about the security of personal identification numbers, or PINs, used in banking, wonder no more. In theory the 10,000 possible four-digit combinations, if users chose among them at random, would be adequate protection for bank accounts and credit cards; in practice, the human factor weakens the design, because users cluster on a small number of memorable PINs
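The gap between the nominal 10,000-way space and what an attacker actually faces is a distribution question, and it is easy to quantify. The script below is an added example, not the study's data or code: it builds a constructed population of 1,000 accounts in which a handful of popular PINs are over-represented (the proportions are illustrative, not measured), then compares how many accounts fall to the first k guesses against the k/10,000 that uniform choice would give, computes the empirical entropy against the ideal 13.29 bits, and flags the kinds of structure (repeated digits, sequences, year-like values) that produce the clustering.

```python
"""How far a skewed PIN distribution falls short of the 10,000-combination ideal."""
from collections import Counter
from math import log2
from typing import List

PIN_SPACE = 10_000
IDEAL_BITS = log2(PIN_SPACE)  # 13.29 bits if every PIN were equally likely

# Constructed population of 1,000 accounts: a few popular PINs plus 700 accounts
# whose PINs are all distinct.  The proportions are illustrative assumptions.
POPULAR = {"1234": 110, "1111": 60, "0000": 40, "1212": 30,
           "7777": 20, "1004": 20, "2000": 20}


def build_sample() -> List[str]:
    pins = []
    for pin, n in POPULAR.items():
        pins.extend([pin] * n)
    pins.extend(f"{i:04d}" for i in range(3000, 3700))
    return pins


def coverage_after_guesses(pins: List[str], k: int) -> float:
    """Fraction of accounts opened by trying the k most common PINs, commonest first."""
    counts = Counter(pins)
    return sum(n for _, n in counts.most_common(k)) / len(pins)


def uniform_coverage(k: int) -> float:
    """Same quantity if every PIN were equally likely."""
    return k / PIN_SPACE


def guesses_to_cover(pins: List[str], fraction: float) -> int:
    """Smallest number of best-first guesses that opens at least `fraction` of accounts."""
    counts = Counter(pins)
    total, opened = len(pins), 0
    for k, (_, n) in enumerate(counts.most_common(), start=1):
        opened += n
        if opened / total >= fraction:
            return k
    return len(counts)


def entropy_bits(pins: List[str]) -> float:
    """Shannon entropy of the empirical PIN distribution, in bits."""
    total = len(pins)
    return -sum((n / total) * log2(n / total) for n in Counter(pins).values())


def looks_patterned(pin: str) -> List[str]:
    """Structural reasons a PIN is likely to be popular (hence guessed early)."""
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    if pin in "0123456789" or pin in "9876543210":
        reasons.append("sequence")
    if pin[:2] == pin[2:] and len(set(pin)) > 1:
        reasons.append("repeated pair")
    if pin[:2] in ("19", "20"):
        reasons.append("year-like")
    return reasons


if __name__ == "__main__":
    sample = build_sample()
    for k in (1, 3, 7):
        print(f"{k:>2} guesses: {coverage_after_guesses(sample, k):.1%} of accounts "
              f"(uniform: {uniform_coverage(k):.2%})")
    print("guesses to open 25%:", guesses_to_cover(sample, 0.25))
    print(f"entropy {entropy_bits(sample):.2f} bits vs ideal {IDEAL_BITS:.2f}")
    for pin in ("1234", "1111", "2000", "4839"):
        print(pin, looks_patterned(pin) or ["no obvious pattern"])
```

With this constructed population a single guess opens 11% of accounts where uniform choice would give 0.01%, which is why issuers lock a card after a few wrong PINs and why denylisting the most common values at enrolment is worth the friction.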
Academia
Tech company calls for perception change in STEM subjects (Microscope) IT professionals need to be viewed with the same esteem as lawyers, architects and accountants if young people are to choose technology related degrees
La. Tech full of cyber synergy (News-Star) New cyber engineering program at Louisiana Tech University attracting interest from across the United States
Legislation, Policy, and Regulation
Russia This Week: Rights or Revanchism? Russian Human Rights Commissioner Blasts Ukraine, Baltic States (Interpreter) A speech from Konstantin Dolgov, the Foreign Ministry's Commissioner for Human Rights, Democracy and the Rule of Law, has been published on […] the official web site of the Foreign Ministry. The speech was made at the Regional Conference of Russian Compatriots of Latvia, Lithuania and Estonia in Riga on 13 September
While NSA 'maps' the Internet landscape, German tech companies want Cloud cover (Deutsche Welle) Microsoft Germany wants Cloud services to be regulated at home in a bid to protect data from foreign espionage. The announcement coincides with a new report pointing to NSA activities targeting German telecommunications
Don't Fear the Leaker: Thoughts on Bureaucracy and Ethical Whistleblowing (SSRN) In this brief essay, I argue that rather than trying to eliminate leaks entirely, which experience demonstrates is impossible, we should instead try to channel leaks so that they provide the maximum benefit to transparency while reducing risks to national security and other secrecy concerns. I also offer some preliminary suggestions about how to accomplish this goal
Cyber airmen race to stay ahead of new threats (Air Force Times) As cyber threats increase and become more sophisticated, airmen in the Cyber career field find themselves operating in a fast-paced environment just trying to stay two steps ahead
Tactical Cyber: How to Move Forward (Small Wars Journal) Cyberspace operations, both defensive and offensive, captured the attention of many pundits, military professionals, and interested observers
Litigation, Investigation, and Law Enforcement
Nigerian bank IT worker on the run after $40m cyber heist (Naked Security) A Nigerian IT worker is wanted by police after a major cyber-heist at the bank where he was employed
Liberty Reserve CTO pleads guilty to involvement in massive money laundering (Naked Security) Mark Marmilev, CTO of former digital currency brokerage Liberty Reserve, has pleaded guilty to playing a major role in the operation of the business which became a favourite for cybercrooks and money launderers
Insider Credit Card Breach Leads to $400,000 Saks Shopping Spree (eSecurity Planet) Six former Saks Fifth Avenue employees have been charged with grand larceny and identity theft