Cyber Attacks, Threats, and Vulnerabilities
FBI Issues Warning Over Islamic State Cyber Attacks (VPNCreative) The FBI says that it is monitoring social media activity for possible cyber-attack plots in response to airstrikes against the Islamic State
Malware program targets Hong Kong protesters using Apple devices (IDG via CSO) A malware program that targets Hong Kong activists using Apple devices has trademarks of being developed by a nation-state, possibly China, according to a security company
Hong Kong protesters hit with malware, turn to "off-the-grid" chat app (Help Net Security) The pro-democracy protests started by Hong Kong students and backed by the Occupy Central protesters (Central is the name of Hong Kong's financial district) are picking up speed, supporters, and have, unfortunately, also resulted in violent confrontations with the police
Shellshock fixes beget another round of patches as attacks mount (Ars Technica) SANS Internet Storm Center moves up threat level based on bash exploits in wild
Shellshock: Millions of servers under attack (SC Magazine) In the wake of Shellshock, end-users and security managers race to patch web servers and desktops, but may be forgetting vulnerable embedded devices
SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches (Register) CloudPassage points to 'pervasive' threat of Bash bug
OpenVPN Vulnerable to Shellshock Bash Vulnerability (Threatpost) OpenVPN wasn't immune to the Heartbleed vulnerability in OpenSSL, and it's not going to sidestep Shellshock either
Voice-activated devices pose security threat (BBC) Voice-activated smartphones and other devices can be a significant security risk, warn researchers
Likes of Apple Pay may make smaller banks more vulnerable (NetworkWorld via CSO) Researchers show how criminals can divert legitimate financial transfers worth millions to their own accounts
Google's DoubleClick ad network abused once again in malvertising attacks (Malwarebytes Unpacked) Last week we uncovered a large-scale malvertising attack involving Google's DoubleClick and Zedo that affected many high-profile sites
'Anti-Facebook' Ello: swamped with privacy-hungry refugees, bouncing back from DDoS (Naked Security) Either somebody really, really hates the idea of a social media platform that doesn't sell ads based on user data, or Ello is so popular it got trampled
POS system breach goes well beyond Jimmy John's, says vendor (FierceITSecurity) Signature Systems' point-of-sale, or POS, system breach could involve more than 100 stores in addition to the Jimmy John's breach, the company said in a statement
Signature Systems Acts to Block Payment Card Security Incident (Signature Systems) Signature Systems, Inc. provides point-of-sale (POS) systems for restaurants. We were alerted to a potential issue at one restaurant on July 30, 2014. We immediately began an investigation and found malware on a POS device at that restaurant that had not been detected by the restaurant's anti-virus program. We removed the malware and engaged a leading computer security firm to investigate every POS system and help us implement enhanced security measures
Supervalu says malware affects four stores in Minnesota (Reuters) Supermarket chain Supervalu Inc (SVU.N) reported on Monday a second attack against its payment systems barely two months after it said it was investigating a potential data breach
Point of Sale Breach Timeline (OpenDNS Security Labs) If you're like us you have a hard time remembering the point of sale (PoS) breaches that have occurred over the years. In an effort to simplify past public breaches, we have created a timeline that describes 59 distinct PoS-related breaches where the following were (or are believed to be) true
Retailers Realize EMV Won't Save Them From Fraudsters (Dark Reading) Fraudsters hit retailers harder than ever in 2014 and many recognize that even though EMV's chip-and-pin authentication will stem skimming, breaches and other forms of fraud will persist
Snapchat says fat spam is not its fault (Naked Security) Have your Snapchat friends taken to calling you fat recently? If so, don't get mad at them — their suggestion that you pop a weight loss pill is probably the result of having their account hacked
Registration bug blocked 60,000 Canadians from opting into organ donation (Ars Technica) Ontarian government insists users' data is secure in spite of pancreatic error
People will do anything for free Wi-Fi (Help Net Security) A new Wi-Fi investigation conducted on the streets of London shows that consumers carelessly use public Wi-Fi without regard for their personal privacy
1–15 September 2014 Cyber Attacks Timeline (Hackmageddon) This month will be probably remembered for the Home Depot breach. Yet another one caused by the same POS malware family that hit Target, with a similar dramatic extension: unfortunately the retailer believes that 56 million credit cards could have been compromised in this case. After such a similar gigantic breach there is not so much to add as far as Cyber Crime is concerned, as it overshadowed all the rest
An In-Depth Analysis of Abuse on Twitter (Trend Micro) In this paper, we examine Twitter in depth, including a study of 500,000,000 tweets from a two-week period to analyze how it is abused. Most Twitter abuse takes the form of tweets with links to malicious and spam websites
Security Patches, Mitigations, and Software Updates
New VMware Security Advisory VMSA-2014-0010 (shellshock) (VMware Blog) Today VMware has released the following new security advisory: VMSA-2014-0010. This advisory lists the VMware product updates and patches that address the bash security issues CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, aka shellshock. It will be updated when new product updates and patches are released in the coming days
Apple's Shellshock patch is incomplete experts say (CSO) On Monday, Apple released three patches to address two vulnerabilities in GNU Bash, commonly referred to as Shellshock. Experts who have tested the various known attack surfaces say that Apple's patch doesn't fix everything
Cyber Trends
The Weird Way the Heartbleed Bug Made the Web More Secure (Wired) Over the weekend, the world wide web became a lot more secure. That's because a San Francisco start-up called CloudFlare turned on a free service that will let its 2 million customers add SSL encryption to their websites
Fraud insights from the iSMG summit (Bloor Research) I have been getting some insights into Fraud at an iSMG Fraud Summit. With my Governance hat on, I think that we too often neglect the possibilities for Fraud when building automated business systems. We make a big fuss over external hacking, which (even in the worst scenario), is a one-off thing that can be managed. Yes, reputation risk is a serious problem on top of any losses, but if you think about the risks in advance they can be managed or mitigated
Shock Fall in Security Spending as Incidents Rise 48% (Infosecurity Magazine) The number of reported "security incidents" worldwide rose 48% this year to reach over 40 million, but despite the growing risk and expense associated with data breaches, security spending dropped, according to PwC
New AlgoSec Survey Reveals Huge Challenge to Unify Security Policy Management (CloudTweaks) AlgoSec, the market leader for Security Policy Management, today announced the results of its "Security Policy Management in Hybrid Cloud Environments" survey
United States Country Report (Secunia) The Secunia Country Reports tell you how much vulnerable software is present on private PCs in your country, plus a few extra, interesting facts
Exploring today's top security concerns (Help Net Security) Security related topics are often front and center in the 24-hour news cycle, but what concerns Americans the most? According to a new national survey from University of Phoenix College of Criminal Justice and Security, identity theft (70 percent) and personal cybersecurity (61 percent) are the security issues of greatest concern
UK falling behind in cyber intrusion detection, study shows (ComputerWeekly) UK firms are suffering more cyber security incidents than their global counterparts and are falling behind in identifying breaches, a study shows
Marketplace
Private equity must improve cyber security (COO Connect) Private equity managers need to up their ante on mitigating the risk of cyber-attacks following a number of high-profile cases and regulatory interest
Lack of cyber security investment could backfire on boards: PwC (CIO) Take the security conversation outside of IT, says PwC Australia national cyber leader Steve Ingram
Cyber risk — are you covered? (Lexology) Recent high-profile incidents, such as the hacked celebrity iCloud accounts in August 2014, have shown that individuals, businesses and public bodies are all at risk of a cyber-attack. However, while awareness of the threat may have increased, recent reports suggest that many businesses are currently unprepared to deal with the financial consequences of an attack
Diana Gowen: The big telecom pivot (FCW) July 4 was a personal Independence Day for Diana Gowen as she started her retirement after a 30-plus-year career in government contracting
Young adults clueless on cybersecurity profession (CSO) Survey of Millennials between 18 and 26 finds many would be interested in a cybersecurity career, but a majority don't know what the job entails
Nsfocus Information plans to acquire computer security firm (Reuters) China's Nsfocus Information Technology Co Ltd says it plans to acquire Beijing-based computer security firm for 498 million yuan (80.98 million US dollars) via cash, share issue
Berlin privacy startup ZenMate secures £2m for its VPN plugin (TechWorld) Platform has attracted 5 million users in just over a year
Imperva: Cyber-Security Long Play (Seeking Alpha) Imperva (NYSE:IMPV) competes in the heavily contested market of cyber-security with firms such as Palo Alto Networks (NYSE:PANW), FireEye (NASDAQ:FEYE) and Barracuda (NYSE:CUDA). IMPV specializes in data center security: the "third pillar" of cyber defense
Longview Wins Information Assurance Contract (SIGNAL) LongView International, Reston, Virginia, has been awarded a maximum $8,291,746 modification (P0006) exercising the first option period on a one-year base contract (HT0011-13-F-0039) with three one-year options for software design, development and testing to support emerging requirements in the Defense Medical Logistics Standard Support (DMLSS), DMLSS Customer Assistance Module and Joint Medical Asset Repository applications to meet information assurance and the establishment of new data exchanges/services
Tenable Network Security Joins the Cisco Solution Partner Program (Digital Journal) Tenable Network Security Inc., the leader in continuous network monitoring, announced that it has joined the Cisco Solution Partner Program as a Preferred Solution Partner
Malvern hosts cyber training to raise business awareness of risk (Financial Times) Malvern has added to its reputation as one of the UK's leading cyber security hubs as the Worcestershire town was chosen to host the first training course for companies wanting sensitive government contracts
Google triples bug bounty reward range to $15,000 (IDG via CSO) Google has tripled its maximum reward for finding flaws in its software to $15,000, a figure the company hopes will deter independent researchers from selling their information on shady markets
Products, Services, and Solutions
Free is good: No-cost Panda Software tops AV-Test's rankings of antivirus software (PCWorld) Antivirus suites are only as good as their latest tests. And in AV-test.org's latest roundup for July and August, the usual suspects — BitDefender, Kaspersky, McAfee, and Symantec — came out on top
SANS Institute and the National Health Information Sharing & Analysis Center Partner to Advance Healthcare Cyber Security (InsuranceNewsNet) With an ever-evolving threat landscape threatening to wreak havoc on the healthcare industry, SANS Institute and the National Health Information Sharing & Analysis Center (NH-ISAC) today announced a partnership to help healthcare organizations overcome today's complex cyber security issues through greater awareness and information sharing. The partnership combines SANS' world-class cyber security training and expertise with NH-ISAC's growing healthcare information sharing network
New CimTrak API Provides Open Access to Security Related Information (Digital Journal) Cimcor, Inc. announced an advanced data integration API for their world class File and Network Integrity Monitoring software, CimTrak
Firechat was sparking interest in India, even before it became a mainstay of the Hong Kong protests (Quartz) Firechat, an app that allows people to communicate without an internet connection, is firing up the pro-democracy street protests in Hong Kong. The app has been downloaded by more than 100,000 users in Hong Kong in the last 24 hours, according to Open Garden, the company that created it
Rockwell Collins delivers cryptographic radios (C4ISR & Networks) Rockwell Collins has delivered the first Modernized Type I Cryptographic Airborne radios to the U.S. Navy
MASSCAN — Mass IP port scanner (fastest Internet port scanner) (Kitploit) This is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second
New German data centre to operate European 'Intercloud' service (Out-Law) T-Systems, a subsidiary of German telecoms provider Deutsche Telekom, said it is working with US-based Cisco to develop cloud services in Europe which are as secure as data centres and meet EU and German data protection requirements
Rapidly Discover IOCs With Maltego and Recorded Future (Recorded Future) Discovering and validating known indicators of compromise (IOCs) can be a daunting task for any cyber security operation. This is especially true if you do not have the luxury to pay for all of the costly closed source premium intelligence feeds, cyber threat intelligence reports, or various IDS/AV signature sets offered by a growing number of cyber security vendors
Technologies, Techniques, and Standards
How A Major Bank Hacked Its Java Security (Dark Reading) Deutsche Bank London helped create a new application self-defense tool to lock down and virtually patch its Java-based enterprise applications — even the oldest ones
The Importance of an Effective VPN Remote Access Policy (Infosec Institute) With the number of employees telecommuting, traveling often or working remotely on the rise, the conventional corporate security model is undergoing a major shift. With the availability of VPN (Virtual Private Network) technologies allowing ubiquitous access to company systems, networks and servers, the standard security perimeter many enterprises once enjoyed needs rethinking
Password security is not just a user problem (Help Net Security) When high profile password compromises occur, we often spend a lot of time focusing on advice to the users — "Use strong passwords;" "Don't reuse passwords across sites;" "Don't write passwords down;" "Don't disclose your password via email or on an untrusted site;" and so forth
Software Assurance: Time to Raise the Bar on Static Analysis (Dark Reading) The results from tools studies suggest that using multiple tools together can produce more powerful analytics and more accurate results
National Cybersecurity Awareness Month: How Do Users Become Victims? (TrendLabs Security Intelligence Blog) Cybersecurity is an important part of our daily lives, whether people are aware of it or not. Building awareness that being secure online is everyone's responsibility is a key part of fighting cybercrime. This is why one of the themes of this year's National Cyber Security Awareness Month is the 'Stop. Think. Connect™' campaign, which promotes this very message
Research and Development
£2.5 million to recognise and reduce cyber-attack threats to critical infrastructure (Process and Control Today) New research co-funded by the Engineering and Physical Sciences Research Council (EPSRC) will focus on the cyber-security of the UK's vital industrial control systems which run, for example, manufacturing plants, power stations, the electricity grid, and the rail network
AirPatrol Corporation Receives Two Patents for Mobile Location and Security (Benzinga) AirPatrol Corporation ("Airpatrol"), a wholly-owned subsidiary of Sysorex Global Holdings Corp. (NASDAQ: SYRX), today announced that the U.S. Patent and Trademark Office has issued two new patents to AirPatrol for its technology developments in the areas of mobile device detection, locationing and security
Academia
University of Maryland receives $200,000 grant from Leidos (The Diamondback) National security, health and engineering solutions company Leidos donated $200,000 to this university Wednesday to support high-quality research and education programs, among other things. The donation from Leidos will support this university's public health, cybersecurity research, education and engineering programs
Legislation, Policy, and Regulation
Israel offers India to join new cyber security body (Hindustan Times) Israel has invited India to be part of Prime Minister Benjamin Netanyahu's latest pet project of national cyber defense authority — a dedicated force to fight cyber threats — during his meeting with his Indian counterpart Narendra Modi in New York on Sunday
UAE Military To Set Up Cyber Command (DefenseWorld) The United Arab Emirates is gearing up to launch a cyber command within the General Headquarters (GHQ) of the UAE Armed Forces
Australia passes security law, raising fears for press freedom (Reuters) The first of a series of security powers requested by Australia's government to combat Islamist militants passed through parliament on Wednesday, despite criticism that they could land journalists in jail for reporting on national security
Fear of ascendancy of Scott Morrison leads to scuttling of homeland security superministry (Sydney Morning Herald) A move within the Abbott cabinet to establish a homeland security super-ministry drawing together several major departments and functions looks to have been scuttled because senior figures viewed it as an attempt by backers of Immigration Minister Scott Morrison to elevate him to future leader status
Govt not prepared to handle cyber threats: experts (Dawn) Calling for urgent steps for legislation on cyber security, experts on Tuesday warned that the government was not adequately prepared to deal with cyber threats
New Concerns Over Phones, Intelligence Gathering And National Security (NPR (WAMU)) Tech giants Apple and Google recently announced that operating systems for their newest phones will be encrypted with a complex code
US Military Command Holds Informational Meeting With Bitcoin Industry (Coindesk) Officials from the US Special Operations Command met with American business executives and bitcoin community leaders on Monday in Tampa, Florida, to discuss bitcoin and its role in illicit finance
Former NSA Director: Better Information Sharing Needed on Cybersecurity (Wall Street Journal) Former U.S. National Security Agency Director Keith Alexander called for more information sharing between companies and government agencies about cyberattacks, and encouraged legislation that would incentivize sharing by providing liability protection in exchange for meeting agreed-upon cybersecurity standards
Litigation, Investigation, and Law Enforcement
Four charged with stealing intellectual property from US Army, Microsoft (Ars Technica) Defendants allegedly stole various games and built a counterfeit Xbox One
Hackers charged with stealing Apache training software (Army Times) Two members of what the Justice Department calls an "international computer hacking ring" pleaded guilty to charges related to the theft of $100 million in intellectual property — including software used to train Apache helicopter pilots
Germany Warns Google Over User Profiling Privacy Violations (TechCrunch) Google has been warned it needs to rein in its user profiling activities in Germany because its current practice of joining the dots across multiple services is in violation of local privacy laws
The Criminal Indictment That Could Finally Hit Spyware Makers Hard (Wired) The indictment this week of the man behind an app designed for surreptitiously monitoring cellphone activity is only the second federal case filed against someone involved in the commercial sale of so-called spyware and stalkingware. But the case could have negative implications for others who make and sell similar snooping tools, experts hope
Trend Micro to share threat information with Interpol (ZDNet) Security software provider Trend Micro will share its threat information analysis with global police agency Interpol for the next three years, in a bid to bridge the gap in information sharing between the public and private sectors
FBI's Sentinel System Still Not In Total Shape to Surveil (IEEE Spectrum) Other than the rather entertaining kerfuffle involving Apple's new iPhone OS and its initial (non)corrective update (along with the suspicious "bendy phone" accusations), the IT Hiccups front was rather quiet this past week
Trade secrets and reverse engineering — the legal view (Computing) The Max Planck Institute for Innovation and Competition recently said that proposals for a new EU Trade Secrets Directive should be amended to better protect product developers
Hackers cut deal to work for gov't (Phnom Penh Post) Two members of "hacktivist" group Anonymous Cambodia convicted of computer hacking yesterday will be spared further jail time. Instead, they have been ordered to put their "excellent" IT skills to use combating cybercrime in the Ministry of Interior