Cyber Attacks, Threats, and Vulnerabilities
Hackers breach the Warsaw Stock Exchange (The Hill) Hackers breached the Warsaw Stock Exchange Thursday, exposing login credentials for dozens of brokers in apparent retaliation for the bombing campaign against the Islamic State in Iraq and Syria (ISIS)
ISIL sympathizer hits Warsaw Stock Exchange (Politico) The Warsaw Stock Exchange was apparently hacked by an attacker claiming to act in support of the Islamic State yesterday. The hacker posted logon credentials of brokers and other internal data apparently stolen from the computer network of the Warsaw Stock Exchange online, and the exchange's English language website also appeared to be inaccessible to users in the U.S
ISIS is training its fighters to conduct online attacks, data security experts view (Helsinki Times) The Islamic State of Iraq and Syria (ISIS) is training its volunteer fighters to carry out online attacks, believes the chief research officer at F-Secure, Mikko Hyppönen, who has studied the online behaviour of terrorists since 2012
British counter terrorism officials to wage cyber war on ISIS in bid to stop home grown jihad (news.com.au) A cyber war is set to be declared on terrorist group Islamic State amid fears the militants' use of the internet is successfully inspiring troubled youths into home grown jihad
Anonymous Shuts Down Top Israeli Govt Sites Against Killing Of 14-Yr-Old Kid (HackRead) The online hacktivist Anonymous is back with yet another cyber attack. This time the group has taken down 43 top Israeli government websites against shooting and killing of a 14-year-old U.S. citizen Orwah Hammad by Israeli Defence Forces
Hackers attack Ukraine election website (Press TV) Ukraine's election commission website has been attacked by hackers on the eve of the country's parliamentary polls
Websites of 66 municipal bodies in State hacked (The Hindu) In the ongoing Indo-Pak cyber war, hackers have targeted websites of municipal bodies in Karnataka and successfully defaced as many as 66 of them
Anonymous Supporter Hacks India's National Academy of Customs, Excise & Narcotics Website (HackRead) A hacker who calls himself an Anonymous Lover (the hacktivist group) and goes with the handle of 'H34r75 7h!3f' has hacked and defaced the official website of India's National Academy of Customs, Excise & Narcotics (NACEN)
Rogue Tor node wraps executables with malware (ZDNet) Researcher finds malicious Tor exit node which envelops Windows EXEs inside another Windows EXE which drops malware
Report: Criminals use Shellshock against mail servers to build botnet (CSO) However unlikely, their stab in the dark approach is working
Poll: Patching Is Primary Response to Shellshock (Dark Reading) As potential threats mount, Dark Reading community members hone in on patching infrastructure but not devices, according to our latest poll
'Replay' Attacks Spoof Chip Card Charges (KrebsOnSecurity) An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards
Two-thirds of online transaction services in Vietnam vulnerable to Poodle bug: Bkav (Tuoi Tre News) Two-thirds of websites that provide online transaction services in Vietnam are vulnerable to Poodle, a new security bug in widely-used web encryption technology recently discovered by Google, a local Internet security firm reported Tuesday
Samsung Knox Is Weak, Researcher Says (InformationWeek) Samsung's Knox security software for Android devices handles passwords in a way that undermines encryption, an anonymous researcher says
Samsung DENIES vulnerability claims, says mysterious blogger is wrong (Threat Brief) A damning security critique against Samsung's US government-approved Knox system has been dismissed by the South Korean tech giant
Apple Pay isn't magic, and it isn't 'private' (ZDNet) Apple's new iPhone-based payment system may offer advantages, as will any similar product from competitors. But adding in a smartphone doesn't add privacy, it removes it
Verizon's 'Perma-Cookie' Is a Privacy-Killing Machine (Wired) Verizon Wireless has been subtly altering the web traffic of its wireless customers for the past two years, inserting a string of about 50 letters, numbers, and characters into data flowing between these customers and the websites they visit
Verizon Wireless token tracker triggers tech transparency tempest (Register) Users say opt out a feature in name only
Staples Investigates Breach — Expert Comments (Information Security Buzz) Earlier this week, Staples announced that it is investigating a potential data breach at several of its northeastern-based stores. Here to comment on this potential breach are a number of experts in the information security field. Leading enterprises including STEALTHbits Technologies and Network Box USA are represented
57% increase in Backoff malware from August to September (Help Net Security) Damballa released a new report highlighting the extent to which malware infections, such as Backoff malware, are able to bypass network prevention controls. The report reveals the ongoing challenges faced by security teams in managing a mountain of security events and the positive impact of taking measures which can identify the true positives within these alerts
Continued use of obsolete systems led to recent ATM hacks (HITBSecNews) The spate of Automated Teller Machines (ATM) hacks last month were due to financial institutions' continued use of obsolete operating systems and lack of "penetration testing", opined an IT security consultant
'Spear-phishing' tactics becoming more sophisticated (Federal Times) The email looks legitimate: It's from your office's IT department, or your bank, or the airline you recently booked a flight with. It's specific to you and it comes with an attachment that is as plausible as the email itself
GCHQ cyber-attack cost €15m, says Belgacom security head Fabrice Clement (Computing) The alleged attack by Britain's security agency, GCHQ, on Belgium's national telecom operator, Belgacom, cost the company €15m, according to the company's head of security and information management, Fabrice Clement
Clueless Founder "Hacks" Jason Calacanis' Voicemail After Spoofing Phone Calls (TechCrunch) I don't like to bring up these little lapses of judgement (or, in this case, horrendous lapses of reason) but it's an interesting story and deserves at least a brief mention. An entrepreneur, who shall remain nameless, wanted Jason Calacanis and Tim Ferris to invest in his startup. Instead of emailing the two, the founder spoofed a phone call from Ferris to Calacanis, assuming that Calacanis would immediately pick up if his friend called
Security Patches, Mitigations, and Software Updates
After uproar, Adobe begins encrypting user data collected from Digital Editions app (PCWorld) Adobe Systems said Thursday it is now encrypting data it collects about certain ebooks after facing criticism earlier this month for not protecting the data
PHP Patches Vulnerabilities, Including Remote Code Execution Flaw (Threatpost) Developers at PHP recently pushed out a series of patches to fix a handful of vulnerabilities, including one that can lead to a heap-based buffer overflow and remote code execution
Cyber Trends
Is this Unix's Code Red Moment? (CSO) Back in July 2001 two security researchers, Marc Maiffret and Ryan Permeh from eEye Digital Security, discovered the Code Red worm — a piece of malware that targeted Microsoft's IIS software and propagated wildly until it was stopped. It was followed by more vulnerabilities and threats until Microsoft was forced to launch its Trustworthy Computing initiative in 2002
Dear IAF, every smartphone not just Xiaomi could be a security threat (BGR) Earlier this week, a report citing an Indian Air Force (IAF) circular about Xiaomi smartphones being a security threat and banning its use by staffers and their immediate family, created quite a flutter
Security Will Need Big Insight, Not Just Big Data (TechCrunch) In looking for new opportunities in security and many other sectors, we look for the echoes of the current IT mega-trends: cloud, mobile, big data. These trends, and especially the interactions between them, are dramatically changing security needs. Add to that the changing profile of would-be hackers — now a frightening mix of international organized crime and employees of enemy governments — and we see the potential for several new solutions that can each be the foundation of one or more successful companies
Marketplace
Retailers prepare for cybercrime offensive (The Star) Retailers are shoring up defenses against escalating hacking attacks but as threats multiply so do costs, with businesses increasingly factoring cybercrime into their prospects for growth
Proofpoint gets into social media security with $35M Nexgate buy (Silicon Valley Business Journal) Security-as-a-service company Proofpoint has agreed to buy social media security startup Nexgate for about $35 million in cash
Websense Bypasses Low-Value Partners To Focus On Elite Integrators (CRN) Most channel partners don't have the time or budget to invest in the necessary training and certifications to properly deploy the myriad of so-called advanced threat detection platforms on the market today, according to Websense CEO John McCormack
Gemalto Rides The Mobile Commerce Wave (Find Biometrics) The fortunes of the mobile payment and biometric security boom are beginning to trickle down to the rest of the digital security industry, if Gemalto is any indication
Internet Security Names Climb After Check Point, Fortinet Beat Expectations (The Street) Shares of a number of Internet security stocks are rising after two companies in the sector, Check Point (CHKP) and Fortinet (FTNT), reported stronger than expected results
FTNT: Expand Your Portfolio With Fortinet's Security (Investor Place) Fortinet could more than just protect your returns
Company Profile for Intel Security (MarketWatch) McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world
NIKSUN Awarded Company of the Year 2014 in Networking! (Herald Online) "NIKSUN is Leading the Way with Groundbreaking Innovations" — Silicon India Magazine
NATO security certification opens new markets for Australia's Senetas (CSO) Australian security company Senetas is eyeing new government and commercial contracts after announcing this week that its encryption technologies had been certified to NATO security standards
Zimperium Appoints Shridhar Mittal as New CEO and Zuk Avraham as Chairman (WebWire) Zimperium continues rapid growth in billion-dollar mobile security space with expansion of executive team
Chinese hackers show off skills at GeekPwn security contest (Want China Times) Chinese hackers have shown off their skills at GeekPwn, the first ever worldwide security geek contest for smart devices, reports Chinese internet services portal Tencent
For big raises in IT, look to mobile, security, big data (IDG via CSO) IT salaries will remain mostly stagnant in 2015, except for workers with highly coveted skill sets, according to a report tracking IT salaries and skills demand in the coming years
Products, Services, and Solutions
IBM Unveils New Security Offering For Travel & Transportation Industry (MarketWatch) Software and services suite will close vulnerabilities of systems that safeguard corporate assets as well as customer data for hotel chains, airlines, car rental agencies, commercial freight and others
Fasoo Launches Persistent Security Solution for Enterprise Content Management to Extend Control and Protection of Sensitive Files (PRWeb) Increased security drives demand for ECM & Fasoo Enterprise DRM applications
New Website Helps Small Business Leaders Take Cybersecurity Action (Business News Daily) Cybersecurity is important for companies of all sizes, but it can be difficult for smaller businesses to keep their companies protected
Haystax helps Florida Strengthen School Safety (BusinessWire) Secure tool will provide school officials and their public safety partners with a comprehensive picture of the K-12 campus security environment
Sources of cyber intelligence from governments and academia (CTO Vision) Cyber intelligence is a growing discipline in the cybersecurity community, providing important information for cyber defenders in enterprises large and small. This post reviews key sources of cyber intelligence provided free from governments and academia
Cashiers don't understand Apple Pay and it's totally adorable (ITWorld) Apple Pay is so easy to use, it's almost not worth writing about. It's laughably fast and stupidly simple. So simple it's confusing the heck out of clerks and cashiers nationwide
Retailers are disabling NFC readers to shut out Apple Pay (The Verge) Some merchants hope to launch their own mobile payments system next year
Technologies, Techniques, and Standards
FIPS 140-2 stamp a boon for customers, a "challenge" to cloud-security industry (CSO) It may have taken nearly two years to complete, but certification of CipherCloud's cryptographic tools to US government FIPS 140-2 requirements is finally set to help the cloud industry overcome many of the obstacles that have hindered its adoption in the past, the company's senior security director believes
Turning Data into Threat Intelligence: A Case Study (BrightTalk) Many security professionals find it challenging to keep up with vast amounts of data from multiple sources without hiring additional analysts to analyze it and find what's most important. We'll be discussing this topic in our next webcast, as we present a case study of how Open Source Intelligence (OSINT) can help you better protect your organization, and how you can turn data into threat intelligence faster
Your company is probably going to get hacked. Here's how to protect it (Fortune) Three Fortune 500 information security chiefs share their companies' secrets to staying safe
How Facebook prevents account hijacking when old email addresses are recycled (Help Net Security) Remember when last summer Yahoo announced they will recycle inactive accounts and offer them to other users? The scheme was more or less successful
How-to guide to protecting yourself from electronic spying (Help Net Security) The Electronic Frontier Foundation (EFF) launched its updated Surveillance Self-Defense report, a comprehensive how-to guide to protecting yourself from electronic spying for Internet users all over the world
Snapchat Photo Leak Shines a Light on Vulnerable Third-Party Apps (Cyveillance Blog) After a massive photo leak dubbed "The Snappening" exposed an estimated 200,000 images from Snapchat users, the company took to Twitter and their blog to make something clear: the attack was carried out against a third-party app, not Snapchat itself
Energy rebounds from cyber attack thanks to new IT asset tracking tool (Federal News Radio) The Energy Department is finding a silver lining from its cyber breach that exposed the data of more than 50,000 employees last year
From strong, to stronger, to the strongest password security possible (CA Highlight) How to make sure your business is in the headlines for the right reasons and not the wrong ones by making password use "unbreachable"
6 tips for effective security tabletop testing (CSO) Tabletop exercises help security teams prepare for the worst
Design and Innovation
Another Tor router crowdfunding project nixed by Kickstarter (Ars Technica) TorFi project, a hack of TP-Link routers, is suspended, developer's account deleted
Research and Development
Mysterious Statistical Law May Finally Have an Explanation (Wired) Imagine an archipelago where each island hosts a single tortoise species and all the islands are connected — say by rafts of flotsam. As the tortoises interact by dipping into one another's food supplies, their populations fluctuate
Scientific Community Blasts Microsoft for Closing of Silicon Valley Lab (IEEE Spectrum) "Dear Harry, Peter, and Jeannette," starts a letter dated 14 October. It sounds like a casual note to a few good friends — or at least familiar colleagues. And indeed, that's what the letter from more than 30 researchers from the U.S. computer science community to the leaders of Microsoft Research is
Legislation, Policy, and Regulation
Russia and China to sign cyber-security treaty in November (Computing) The governments of Russia and China are close to signing a cyber-security cooperation agreement that would enable the two countries to conduct "joint cyber-security operations", according to Russian media reports
Russian/Chinese cyber-security pact raises concerns (SC Magazine) News that Russia and China are set to sign a cyber-security treaty next month has left Western cyber experts unsure whether it is a threat or a promising development
Keep Calm and Carry On, Stephen Harper (Foreign Policy) Doubling down on counterterrorism at home and abroad won't make Canada a safer place
ASIC wants telco interception powers (ZDNet) The Australian financial regulatory agency that accidentally blocked 250,000 websites due to a lack of technical knowledge is now pushing to have the power to intercept telecommunications information to investigate financial crime
Domains, Budgets and Bureaucracies: Nukes, Space & Now — Cyber (Breaking Defense) Analysis of the Peloponnesian War is a standard of military and security studies curricula. Strategists had it relatively easy between the 5th century BC and the 19th century AD: land power versus sea power, but then things began to get complicated. In the 19th century "domains" — warfighting environments — began to expand
Hospital CIOs: ONC leadership exodus raises questions about federal HIT priorities (FierceHealthIT) Hospital CIOs expressed concern that the sudden announced departures of National Coordinator for Health IT Karen DeSalvo and Deputy National Coordinator Jacob Reider potentially leave federal health IT efforts in limbo
Litigation, Investigation, and Law Enforcement
Canada Privacy Law Hampered Intelligence Sharing (Wall Street Journal) U.S. wasn't told about man on Canadian watch list
Fighting Cybercrime Across Borders: Why Law Enforcement Collaboration Matters (TrendLabs Security Intelligence Blog) We've frequently talked about how important it is for law enforcement and security companies to work together to stop cybercrime. One particular reason to do so is because of the nature of cybercrime: simply put, it has no borders
Peekaboo, I See You: Government Authority Intended for Terrorism is Used for Other Purposes (EFF) The Patriot Act continues to wreak its havoc on civil liberties. Section 213 was included in the Patriot Act over the protests of privacy advocates and granted law enforcement the power to conduct a search while delaying notice to the suspect of the search. Known as a "sneak and peek" warrant, law enforcement was adamant Section 213 was needed to protect against terrorism. But the latest government report detailing the numbers of "sneak and peek" warrants reveals that out of a total of over 11,000 sneak and peek requests, only 51 were used for terrorism
US former NSA chief suspected of insider trading with Chinese, Russian stocks (Want China Times) Keith Alexander, former director of the US National Security Agency, is suspected of insider trading during his term in office, according to US-based bimonthly magazine Foreign Policy
Edward Snowden dreams of returning to US (TASS) Former National Security Agency contractor Edward Snowden addressed the Liberty Festival in Brussels
US Senate calls Whisper in for serious questioning on user tracking (Naked Security) The US Senate has a few privacy-related questions it would like to ask the people in charge at Whisper, the self-proclaimed "safest place on the internet"
US Operators Fined $10 Million After Data Security Shambles (Infosecurity Magazine) Two US mobile operators have been fined $10 million jointly by the FCC after they stored customer information in publicly accessible folders on the internet with zero security in place
Court pulls plug on multimillion dollar fake Microsoft support operation (ZDNet) A US court has granted an injunction on an alleged tech support scam and frozen the company's assets ahead of a trial
FTC takes down fake support scammers, upbeat about "getting consumers' money back" (Naked Security) When I first heard about the CryptoLocker malware, I thought, "As cybercrime goes, that's about as low as you can get"… But, as low as CryptoLocker might have stooped, I soon decided that fake support call scammers actually crawl yet lower still
Temporary Restraining Order and Order to Show Cause Why a Preliminary Injunction Should not Issue (US Federal Trade Commission) Plaintiff, the Federal Trade Commission ("FTC" or the "Commission"), pursuant to Section 13(b) and 19 of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. §§ 53(b) and 57b, has filed a Complaint for Injunctive and Other Equitable Relief, and has moved ex parte for a temporary restraining order and for an order to show cause why a preliminary injunction should not be granted pursuant to Rule 65(b) of the Federal Rules of Civil Procedure
UK police arrest trio over £1.6 million cyber theft from cash machines (SC Magazine) London Police have arrested three suspected members of an Eastern European cyber-crime gang who installed malware on more than 50 bank ATM machines across the UK to steal £1.6 million
Hacker Sentenced To 30 Months In Prison For Stealing $15 million (HackRead) Lamar Taylor, 38, a hacker from the state of Massachusetts, has been sent to prison for 30 months for using stolen data in order to attempt a hack attack on business accounts and steal $15 million. He will also pay a fine of $338,649
CHP officers reportedly stole cell phone photos from women in custody (Ars Technica) One CHP officer allegedly asked for a woman's iPhone password during her arrest