Cyber Attacks, Threats, and Vulnerabilities
ISIS rakes in donations on Twitter (The Hill) The United States is "very focused" on disrupting the social media fundraising by supporters of the Islamic State in Iraq and Syria (ISIS), the Treasury Department said Thursday
Surprise! ISIL is using banks, and that makes it vulnerable (Quartz) We've long known that the Islamic State pulls in vast sums of money from oil sales, extortion, ransom, and donations — but it turns out that the group is also, somewhat improbably, using the international financial system to manage its money
Iran Protests: Twitter, the Medium of the Movement (TIME) The U.S. State Department doesn't usually take an interest in the maintenance schedules of dotcom start-ups. But over the weekend, officials there reached out to Twitter and asked them to delay a network upgrade that was scheduled for Monday night. The reason? To protect the interests of Iranians using the service to protest the presidential election that took place on June 12
Cyberespionage group launches sophisticated phishing attacks against Outlook Web App users (IDG via CSO) A cyberespionage group has been using advanced spear-phishing techniques to steal email log-in credentials from the employees of military agencies, embassies, defense contractors and international media outlets that use Office 365's Outlook Web App
Operation Pawn Storm: Varied targets and attack vectors, next-level spear-phishing tactics (Help Net Security) In a recently released whitepaper, Trend Micro researchers have shared many details about a long-standing economic and political cyber-espionage operation they dubbed Pawn Storm
US Military Officials, Defense Firms Targeted In 'Operation Pawn Storm' (Dark Reading) Cyber espionage attackers "did their homework" in an attack campaign that has intensified in the wake of US-Russian tensions
Attackers bypass Sandworm patch with new 0-day (Help Net Security) The Sandworm vulnerability has been patched, but unfortunately attackers have discovered a way to bypass the patch and continue with their targeted attacks
Has the "Sandworm" zero-day exploit burrowed back to the surface? (Naked Security) You've probably heard of Sandworm
Two exploit kits prey on Flash Player flaw patched only last week (Help Net Security) Two exploit kits have been outfitted with the exploit for a Flash Player vulnerability that was patched only a week ago, the researcher who goes by the handle Kafeine shared on Tuesday
Disaster as CryptoWall encrypts US firm's entire server installation (CSO) "Here is a tale of ransomware that will make your blood run cold," announced Stu Sjouwerman of security training firm KnowBe4 in a company newsletter this week and he wasn't exaggerating
The 'Backoff' malware linked to data breaches is spreading (IDG via CSO) The number of computers in North America infected by the Backoff malware, which is blamed for a string of payment card breaches, has risen sharply, according to research from network security company Damballa
Are You Vulnerable to Memory Scraping? (And What to Do About It) (Fishnet Security) The Target breach that first made news in late 2013 was facilitated using "memory scraping malware" called "BlackPOS" or "TrackR" running on the Point of Sale (POS) systems. While many pundits have given Target a hard time, claiming they were misconfigured or that PCI compliance did not result in adequate security for cardholders, the truth is sensitive data having permanence in memory is a very prevalent problem affecting many types of point of sale systems. Worse yet, there is no quick and easy solution
Security Experts: Remove Reimage Optimization Tool (GDN9) According to the latest security research, the suspicious computer optimization tool Reimage has managed to install itself on numerous computers without the permission of their users
Abandoned subdomains pose security risk for businesses (IDG via CIO) Many companies set up subdomains for use with external services, but then forget to disable them when they stop using those services, creating a loophole for attackers to exploit
Check Point suggests ways to thwart Admin WebUI exploits (InfoTechLead) Check Point Software Technologies announced that its Security Research Group has discovered vulnerabilities in the Admin WebUI portals of three network security vendors
'Malvertising' Crooks Earn $25,000 A Day Attacking Yahoo And AOL Users (Forbes) Cyber criminals were making an estimated $25,000 a day by forcing a host of big name websites, including Yahoo! finance and sports sites, The Atlantic and a real estate service belonging to AOL, to chuck malware at visitors' PCs. Though none of those sites were hacked, they were serving ads from compromised advertising networks, in an attack type known as "malvertising"
Zeus malware: Analyzing next-generation features (TechTarget) An updated, 64-bit version of the Zeus malware leverages Tor for C&C. What does this mean for enterprises?
Fokirtor Trojan: How to avoid infection, boost Linux security (TechTarget) The Fokirtor Trojan creates a dangerous backdoor in Linux systems. Learn how to keep enterprise Linux systems from being infiltrated and compromised
VBS worms: Still dangerous? (TechTarget) VBS worms were a top security concern in the early 2000s. Should enterprises still be worried? Nick Lewis explains
Personal information of almost 100,000 people exposed through flaw on site for transcripts (Washington Post) The personal information of almost 100,000 people seeking their high school transcripts was recently exposed on a Web site that helps students obtain their records. The site, NeedMyTranscript.com, facilitates requests from all 50 states and covers more than 18,000 high schools around the country, according to its Web site and company chief executive officer
Few vets use free credit monitoring after VA breaches (Military Times) Only about one in 25 veterans offered free credit monitoring in the wake of Veterans Affairs Department security breaches has signed up for the service, a figure that VA officials call disappointingly low
Employee Error at Touchstone Medical Imaging Exposes 307,528 Patients' Personal Data (eSecurity Planet) A folder containing billing information was mistakenly left accessible online
Security Patches, Mitigations, and Software Updates
Cisco Patches Three-Year-Old Telnet Remote Code Execution Bug in Security Appliances (Threatpost) There is a severe remote code execution vulnerability in a number of Cisco's security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years
VMSA-2014-0011 (VMware Security Advisories) VMware vSphere Data Protection product update addresses a critical information disclosure vulnerability
Google rolling out new anti-piracy search algorithm (Ars Technica) "We've now refined the signal in ways we expect to visibly affect the rankings"
About the security content of QuickTime 7.7.6 (Apple Support) This document describes the security content of QuickTime 7.7.6. This update can be downloaded and installed using Software Update, or from the Apple Support website. For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website
Microsoft offers two-factor authentication in Windows 10 (ITNews) Microsoft will bake two-factor authentication into its new Windows 10 operating system in an effort to avoid the data theft and systems break-ins that arise from the insecure single-password approach, the company said
Chipmaker deliberately cripples user devices with driver update (CSO) FTDI's anti-piracy efforts are intentionally bricking consumer devices
Cyber Trends
Your business can't afford the cost of cyber crime (CSO) It's not a surprise that cyber crime is costly for organizations. The cost of any lost productivity, combined with the fallout of any compromised data, the impact to the organization's reputation, and the cost to clean up and recover from an attack all add up
How cybercrime and cybersecurity affects nations and geopolitics (Crowdstrike Adversary Manifesto) The Adversary Manifesto recently spoke with Shawn Henry, President of CrowdStrike Services about geopolitics and cybersecurity. Henry is a sought-after expert on cybersecurity who was formerly the executive assistant director for the FBI. While there, Henry boosted the organization's computer crime and cybersecurity investigative capabilities
Cyber security's "Doomsday Warning" (Microscope) Earlier this month, President Obama spoke of a devastating wave of cyber attacks that could soon strike the US in what Washington insiders are calling a "Doomsday Warning"
3 Enterprise Security Tenets To Take Personally (InformationWeek) Individuals need to become conscious advocates for their own security — after all, no one cares about your data like you do
Security skills shortage leaving the UK open to attack (Microscope) Across the industry warnings are being sounded about looming skills shortages that are going to hinder the ability for firms to compete and innovate in the future
Marketplace
Cybersecurity help coming for franchises (The Hill) Two industry groups are teaming up to help franchise businesses learn about cybersecurity. The National Cyber Security Alliance (NCSA) — backed by companies such as Facebook, Google and Microsoft, as well as the Department of Homeland Security — will work with the International Franchise Association (IFA) on basic cybersecurity strategy
Enterprises Establish a 'Cybersecurity Cavalry' (Networkworld) As expert group gains status and budget, large organizations are moving away from the status quo
Tech firms form new security alliance, while new study details carding black market (FierceCIO) A new alliance of technology companies has formed "to help stem the rising tide of cybersecurity threats"
10 Things IT Probably Doesn't Know About Cyber Insurance (Dark Reading) Understand the benefits and the pitfalls you might miss when evaluating cyber policies
Who controls the data? The answer will be critical to insurers (Accenture Insurance Blog) Data privacy is set to be the catalyst for the emergence of a totally new business model: the trusted ecosystem
Angel Investing in Cybersecurity: Understanding the Technology (Mach37) In our White Paper "Angel Investing in Cybersecurity: Aligning With a Vertical Accelerator," we make the argument that by partnering with a vertical accelerator, angel investors can bridge the knowledge gap caused by the technical complexity of the cybersecurity market and establish the confidence needed to invest in it
The Laborers Who Keep Dick Pics and Beheadings Out of Your Facebook Feed (Wired) The campuses of the tech industry are famous for their lavish cafeterias, cushy shuttles, and on-site laundry services. But on a muggy February afternoon, some of these companies' most important work is being done 7,000 miles away, on the second floor of a former elementary school at the end of a row of auto mechanics' stalls in Bacoor, a gritty Filipino town 13 miles southwest of Manila
Force 3 Names Steve Scribner as New CFO (PRWeb) Force 3, delivering the best in federal security, collaboration, next-generation networking, and support solutions, today announced Steve Scribner as their new Chief Financial Officer
White Ops adds big-name security veteran (New York Business Journal) The ad-fraud detecting startup White Ops has added another senior-level veteran of the computer security industry to its team, hiring Eddie Schwartz as its first president and chief operating officer
Bricata, LLC Announces Management Team (Virtual-Strategy) Bricata announces the formation of its management team, bringing together nearly eight decades of combined cyber security, engineering, sales, and management experience
Products, Services, and Solutions
secunet wins PKI tender from the Norwegian Police (Biometric Update) Secunet has been awarded a contract in which the Norwegian Police will use secunet's public key infrastructure as the basis to check electronic travel documents, as well as issue electronic passports and electronic residence permits in the near future
SolarWinds solutions approved for secure government deployment (Financial News) SolarWinds (NYSE: SWI) reported that multiple products are now certified under the Common Criteria for Information Technology Security Evaluation, an internationally recognized standard for computer security achieved through independent laboratory testing and evaluation
Blackthorn Technologies Launch Game-Changing Product Portfolio (Sys-Con Media) Blackthorn Technologies, a London-based software company, unveiled its new approach to product development today with the release of its first product from a new suite of software solutions aimed at large organisations who value data sensitivity and security
ESET bolsters flagship products (IT Web) Security solutions vendor ESET has unveiled the latest versions of its flagship security software products, ESET NOD32 Antivirus 8 and ESET Smart Security 8
Cutting-edge software helps detect cyberattacks, insider threats (Security Info Watch) Exabeam solution learns normal user behaviors and provides alerts about potential anomalies
Bitdefender Reveals Portable Adware Removal Tool (JBG News) Bitdefender has announced yet another way to keep you safe from the harmful viruses, adware, and malware available across the Internet, albeit with more of a focus on the adware aspect this time around. The security company has unveiled the Bitdefender Adware Removal Tool for PC. The tool is currently in the midst of its first public beta. The program will detect and remove any unwanted software from your computer, ensuring nothing harmful remains and you're cleaned up perfectly
OPSWAT Introduces IP Scanning in Metascan Online (Virtual-Strategy) New IP scanning functionality of Metascan Online can help users guard against security risks from malicious and compromised websites
Snort 2.9.7.0 has been released! (Snort Blog) Snort 2.9.7.0 is now available on snort.org in the Snort Stable Release section
Authentic8 Enhances Silo for Enterprise Information Security Researchers (Marketwired) The one-time use browser and storage system adds a network of global Internet exit nodes for isolated and anonymous data analysis
Technologies, Techniques, and Standards
Now Everyone Wants to Sell You a Magical Anonymity Router. Choose Wisely (Wired) Maintaining your privacy online, like investing in stocks or looking good naked, has become one of those nagging desires that leaves Americans with a surplus of stress and a deficit of facts. So it's no surprise that a cottage industry of privacy marketers now wants to sell them the solution in a $50 piece of hardware promising internet "anonymity" or "invisibility." And as with any panacea in a box, the quicker the fix, the more doubt it deserves
Shellshock a Fail for Security Disclosure (eSecurity Planet) Shellshock and the Xen vulnerability. One of these things is not like the other, and an expert says they can teach us a lot about how to disclose security vulnerabilities
Hacked: What to Do When Cybercriminals Hit Your Firm (ThinkAdvisor) Kimberly Foss of Empyrion Wealth shares her experiences with cybercrime and how she's protecting her business
Security pros forgetting the basics, complains expert (IT World Canada) All IT security conferences have one thing in common: Speakers have dozens of ghastly, yet funny, stories of blunders
Cyber resilience: Why networks matter (C4ISR & Networks) To encourage a more stable, safe and resilient cyberspace, President Obama issued Executive Order 13636 in early 2013, which called for the establishment of a set of security standards for critical infrastructure, including military operations
How to kill a troll (Naked Security) A new Pew Research Center survey on online harassment — the first such of its kind undertaken by Pew — confirms what most of us already know: the internet can be a vicious, frightening place, especially for young people, and most particularly so for young women
Twitter invites us to say goodbye to passwords, use Digits instead (Naked Security) Passwords, says Twitter senior product manager Michael Ducker, "just suck"
Do we really need strong passwords? (Naked Security) The idea that computer users should use long, complex passwords is one of computer security's sacred cows and something we write about a great deal at Naked Security
'Spam Nation' Publisher Discloses Card Breach (KrebsOnSecurity) In the interests of full disclosure: Sourcebooks — the company that on Nov. 18 is publishing my upcoming book about organized cybercrime — disclosed last week that a breach of its Web site shopping cart software may have exposed customer credit card and personal information
Academia
Lessons in cybersecurity launched for schoolchildren (Telegraph) Secondary pupils across the UK will take part in cybersecurity lessons as Cabinet funded resources are launched in response to the rising industry skills gap
Trend Micro Supports Next Generation of Cybersecurity Professionals (CNN Money) Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global leader in security software, announced today its participation as a diamond sponsor of Carnegie Mellon University's annual "capture the flag" computer security game challenge, picoCTF2014
Legislation, Policy, and Regulation
Fort Meade and the Maple Leaf (Foreign Policy) The terror attacks in Ottawa mean that NSA-style surveillance could be coming to Canada much faster than anyone thought
Computer users who damage national security could face jail (Guardian) Human rights experts criticise proposed legislation saying new law could be used to target legitimate whistleblowers
Director of National Security Agency speaks about private, government partnerships in cyber defense (Augusta Chronicle) The director of the National Security Agency said Thursday that the nation's security rests on breaking down barriers between private and government sectors specializing in cyber defense
DTCC urges greater collaboration on cyber-crime threats (COOConnect) A white paper published by the Depository Trust & Clearing Corporation (DTCC) has urged regulators and financial institutions to collaborate more on the increasing threats posed by cyber-crime
Experts Fret Cyber Risk to Electronic Health Records (National Law Journal) A cybersecurity framework for medical devices and health-care technology needs to be developed in a partnership between the government, manufacturers and health-care providers, officials from across the public and private sectors said during a workshop convened by the U.S. Food and Drug Administration
Cybersecurity Legislation Forecast is Grim (Threatpost) If you're expecting federal cybersecurity legislation any time soon, forget it
House CISO Talks Threat Landscape, Challenges with Information Sharing (Wall Street Journal) Darren Van Booven, CISO of the U.S. House of Representatives, runs into many of the same technological challenges as CISOs of big companies. He sat down with CIO Journal on the sidelines of the SC Congress, an information security conference hosted by SC Magazine, this week to discuss how he approaches both insider and outsider security threats, the role of information sharing in the government, and the importance of the security product portfolio. Here are edited excerpts
New York Financial Regulator Shifts Agency's Focus on to Cyber Security (SC Magazine) New York's financial regulator said on Monday his agency will focus on cyber security over the next year, saying the possibility of a systemic attack to the financial system is one thing that keeps him awake at night. Benjamin Lawsky, superintendent of the Department of Financial Services for the state of New York said, "It is impossible to take it seriously enough
Cyber disruption team practices online warfare (NBC 10 WJAR) Inside Rhode Island State Police headquarters, the National Guard, law enforcement and IT experts are training to be on the front lines of online warfare
Karen DeSalvo steps down from ONC post; Jacob Reider to leave in November (FierceHealthIT) Former National Coordinator will serve on HHS Ebola task force
Litigation, Investigation, and Law Enforcement
Where Is the Investigation Into Financial Corruption at the NSA? (The Atlantic) Suspicious business dealings by several high-ranking officials easily warrant an inquiry. Does anyone in Congress care enough to make it happen?
Why Was the NSA Chief Playing the Market? (Foreign Policy) Newly released documents show the NSA chief was investing his money in commodities so obscure that most financial pros stay away
Court Finds, Again, That Device ID Is Not Personally Identifiable Information (PII) Under The Video Privacy Protection Act (VPPA) (Global Regulatory Enforcement Blog) On October 8, 2014, a district court judge in Georgia dismissed with prejudice a Video Privacy Protection Act (VPPA) action against The Cartoon Network (CN), holding that the disclosure of the plaintiff's Android ID was not actionable because the Android ID did not qualify as "personally identifiable information" (PII)
10-Year-Old Filipino Virtual Girl "Sweetie" Takes Pedophile To Prison In Australia (HackRead) An Australian citizen Scott Robert Hansen, 37, was sentenced to one year in prison for keeping obscene conversations with children on the internet. Hansen was caught by Sweetie, a ten-year-old Filipino virtual girl