Cyber Attacks, Threats, and Vulnerabilities
Philippines Dept of Trade and Industry Hacked, Login Details Leaked by Anonymous (HackRead) An online hacktivist going with the handle of Anonymous Leyte has claimed to have hacked into the official website of the Philippines' Department of Trade & Industry (DTI), leaking the login details of 1900+ members online yesterday
Pro-democracy Hong Kong sites DDoS'd with Chinese cyber-toolkit (The Register) Now we're not saying it was the Chinese government, but
DDoS Against Hong Kong's Pro-Democracy Movement Linked to Chinese APT Actors (Infosecurity Magazine) As the pro-democracy movement in Hong Kong has continued to mount a series of protests, attackers believed to be China-backed have launched a series of distributed denial of service attacks (DDoS) against websites promoting the movement there
Report Links China to Cyberattacks on Hong Kong Protestors (TIME) A new report supports the theory that the Chinese government is sponsoring the attacks
BlackEnergy APT Has a Rich List of Plug-ins for Windows and Linux (Softpedia) Known for being used in cyber espionage operations as well as in financially driven campaigns, BlackEnergy advanced persistent threat (APT) has an entire infrastructure behind it and an adept group, known as Sandworm, customizing its functionality for a given mission
This system will self destruct: Crimeware gets powerful new functions (Ars Technica) Refurbished BlackEnergy does Windows and Linux — even Cisco routers
Flaw in Visa's contactless payment system could lead to fraud (Help Net Security) Researchers from Newcastle University have discovered a serious flaw in Visa's contactless credit cards which could allow attackers to siphon large amounts of money off users' bank accounts without them even noticing
Flaw in New 'Secure' Credit Cards Would Let Hackers Steal $1M Per Card (Wired) As U.S. banks and retailers are barreling toward a 2015 deadline to replace magnetic-stripe credit and debit cards with more secure cards that come embedded with a microchip, researchers have announced a critical flaw in the card system
Serious security flaw in OS X Yosemite 'Rootpipe' (ZDNet) Details are emerging about a serious vulnerability found by a Swedish hacker in Apple's OS X Yosemite, called "Rootpipe." A patch isn't likely to appear until January 2015
Why you should worry about HTML5 mobile apps (IT World) New research demonstrates that, unlike native apps, those written in HTML5 are susceptible to code injection attacks
Drupalgeddon megaflaw raises questions over CMS bods' crisis mgmt (Register) Fallout spreads as securobods issue warnings
Indiana State Department of Education Website Hacked (HackRead) A group of hackers going with the handle of Nigeria Cyber Army hacked and defaced the official website of State of Indiana Department of Education, Monday morning
GATSO! Speed camera phish leads to CryptoLocker ransomware clone… (Naked Security) Recently, we came across an intriguing phishing campaign that combines two feared products of the information age
Fileless Trojan Poweliks Virus on the Rise (Computer Business Review) Backdoor enabler delivered through phoney postal service spam. A fileless trojan virus that hides inside a registry key is becoming increasingly prevalent according to the security company Symantec
From the horse's mouth: brands leaking your information open the door to effective spearphishing (SecureList) A few months ago, I requested an online quote for some home repairs. The recipient was a very well-known company here in the US. The service I got actually was very good. Under my explicit approval the company kept my email address and has been sending me several promotions that I had signed up to
Exposed Corporate Credentials on the Open Web, a Real Security Risk (Recorded Future) Last Friday, a New York Times article described how the recent online attack against JPMorgan was possibly connected to a data breach on a third-party website. The target mentioned in the article is Corporate Challenge, a company that organizes charitable races sponsored by JPMorgan
Rise of free Wi-Fi hotspots 'presents serious security risks' (We Live Security) The BBC reports that there is currently one Wi-Fi hotspot for every 150 people in the world, but these unmonitored hotspots can potentially cause problems, experts have warned
The psychology of Facebook scam victims (Help Net Security) A two-year study of over 850,000 Facebook scams by antivirus software provider Bitdefender has revealed that scammers have infected millions of users with the same repackaged tricks. The in-depth study was conducted on scams spreading across the UK, the US, Europe and beyond
Security Patches, Mitigations, and Software Updates
iOS 8.1.1 said to address iPhone 4S and iPad 2 performance problems (Ars Technica) When released, the update could fix one of iOS 8's worse regressions
Cyber Trends
2015 Predictions: The Invisible Becomes Visible (TrendLabs Security Intelligence Blog) 2014 brought with it many significant additions to the technology landscape. These put new capabilities into the hands of users and companies that allowed them to do things that they would not have thought possible before. However, these same changes also aid threat actors: threats can now come from unexpected vectors, and augment the existing capabilities that attackers already possess
Survey: Cybersecurity priorities shift to insider threats (Federal Times) A survey of federal IT managers in both the civilian and defense sectors showed a shift in cybersecurity concerns from outside actors to insider threats and a focus on the need to educate employees
Infosec heading to tipping point, says NTT Com Security (ComputerWeekly) Information security is heading to a tipping point that will force a shift in focus to understand threats and their potential impact on business, says NTT Com Security
Persistent cyberattacks of U.S. companies on the rise (Washington Times) Economic cyberwarfare is on the rise as cyberattacks on U.S. companies are increasing in both frequency and severity. And costs are mounting
Marketplace
Security Innovation Network (SINET) Announces Its 2014 Top 16 Emerging Cybersecurity Companies (Yahoo! Finance) The Security Innovation Network™ (SINET), an organization focused on advancing Cybersecurity innovation through public-private collaboration, announced today the winners of its annual SINET 16 competition
Is cyber liability insurance right for your clients? (PropertyCasualty360) Zurich Insurance report details how companies are at risk, but not all are ready for a cyber attack
Prelert Aiming To Make Its Mark In Advanced Security Analytics (CRN) A new crop of emerging advanced security analytics vendors are promising to exceed security and information event management platforms and provide the visibility and context that incident responders need to investigate the riskiest threats to the network
Cyber-security newbie challenges for channel supremacy (CRN) Resolution1 Security expects to harvest up to 90 per cent of sales through partners after it goes live on 1 January
Belgacom sells Telindus to UK comms specialist (CRN) Telent extends reach with takeover of infrastructure services provider
Alcatel-Lucent adjusts cyber security strategy with Thales sale (Telecoms) Defence specialist Thales has confirmed the acquisition of Alcatel-Lucent's cyber security services and solutions division, as well as its communications security activities. In a strategic partnership, the two organisations claim the expertise of each will provide holistic, secure communications services
Company news: Big moves at Veracode, Malwarebytes and CipherCloud (SC Magazine) Prevendra, a Woodinville, Wash.-based security company, launched its Red Folder web application that allows users to put their important information behind a protected portal. This information can also be retrieved by a designated contact in case of emergency
Vintz Joins Executive Team to Help Tenable Scale for Next Phase of Growth (Tenable) Tenable Network Security®, Inc., the leader in continuous network monitoring, has appointed Steve Vintz as chief financial officer. An accomplished leader in financial, operational and strategic planning for high-growth companies in the technology industry, Vintz will have a critical role in leading Tenable to its next stage of growth. Vintz will have worldwide responsibility for finance, legal, human resources, corporate communications and information technology and will report to CEO Ron Gula
Products, Services, and Solutions
American Express Brings Tokenization to Payment Cards (Threatpost) American Express has taken steps toward lifting the burden from retailers having to store payment-card data with the announcement of its American Express Token Service
Researchers audit the TextSecure encrypted messaging app (Help Net Security) A group of German researchers have audited TextSecure, the popular open source encrypted messaging application for Android, and the news is good
RemoteIE gives free access to Internet Explorer VMs without the VM (Ars Technica) Service uses Azure RemoteApp to run the browser in the cloud
AVG Technologies Launches 2015 Products (PR Newswire via CNN Money) AVG Zen update includes release of new AVG Protection and AVG Performance suites
10 Cool Security Tools Open-Sourced By The Internet's Biggest Innovators (Dark Reading) Google, Facebook, Netflix, and others have all offered up tools they've developed in-house to the community at large
Technologies, Techniques, and Standards
Drag Your Adolescent Incident-Response Program Into Adulthood (Dark Reading) It's not about how many tools you have, but what you can do with them
The View From A High-Value Data Breach Target (Dark Reading) Financial services, retail, media, and healthcare industry representatives share their biggest threats and strategies for combating them
Firewall admins turning off security to boost performance — bad move (Techworld via CSO) A third of organizations are turning off some of their next-generation firewall's (NGFW) security features to boost performance with the most commonly deactivated layer being intrusion prevention, a McAfee survey has discovered
Acting out: Cyber simulation exercises (SC Magazine) Simulation exercises show how companies should respond under a cyberattack, says HHS's Sara Hall
Preparing For A Data Breach: Think 'Stop, Drop & Roll' (Dark Reading) Breaches are going to happen, which is why we need to treat incident response readiness like fire drills, practicing time and time again until the response is practically instinctive
Spotting Malicious Injections in Otherwise Benign Code (Sucuri Blog) Being able to spot suspicious code, and then determine whether it is benign or malicious, is a very important skill for a security researcher. Every day we scan through megabytes of HTML, JS and PHP. It's quite easy to miss something bad, especially when it doesn't visually stick out and follows patterns of legitimate code
When to use tools for ISO 27001/ISO 22301 and when to avoid them (Help Net Security) If you're starting to implement complex standards like ISO 27001 or ISO 22301, you're probably looking for a way to make your job easier. Who wouldn't? After all, reinventing the wheel doesn't sound like a very interesting job
Using Relative Metrics to Measure Security Program Success (SecurityWeek) In my previous column, I discussed the "So What Factor", which reminds us that we must know our audience. Many of the people we interact with professionally will not be as enamored by the beauty or elegance of a technical solution as we are. Instead, they will be more concerned with consequences, effects, and results. As such, it's important to remember to communicate appropriately towards those ends
Three branches of security: Strengthening your posture with checks and balances (Help Net Security) With Election Day around the corner, we thought it an appropriate time to take a look at the checks and balances model that has served the United States well for over two centuries, and think about how it might apply to a more modern challenge — securing your enterprise
Making the Case for Application Security (Security Intelligence) Many of the most important assets organizations own are in the form of information. These include intellectual property, strategic plans and customer data. As we have seen in recent news reports, the cost of a data breach can be significant. Interestingly, one of the main areas of weakness in organizations' IT infrastructures occurs where people don't expect it — in the application layer
Forging administrator cookies and crocking crypto … for dummies (Register) Gun security chap releases infosec 101 courseware and book
Design and Innovation
A New Kind of Incubator Where Painters Rub Elbows With Physicists (Wired) Once or so a week — maybe more, maybe less, depending on her schedule — Janna Levin ventures from the Upper West Side of Manhattan, where she teaches astrophysics at Barnard and Columbia University, to Brooklyn's Red Hook neighborhood
From "cash only" to NFC-ready, how we buy determines what we buy (Ars Technica) Showrooming, car-sharing, and chicken sandwiches — all within a smartphone's reach today
Research and Development
Cars, toasters, medical devices add to DHS' cyber headaches (Federal News Radio) Cars, medical devices and even toasters are among the facets of life that are quickly becoming Internet based. This is why the Homeland Security Department already is working on cybersecurity technologies for these and many other everyday devices
A New Kind of Atom Trap Chip for Quantum Computers (IEEE Spectrum) Ultracold atoms have long been on the list of potential parts for quantum computers. Early experiments were done with tabletop experimental gear, but more recently researchers have also designed chips on which these atoms can be trapped and cooled to near absolute zero. (Some such chips even achieved the strange physical state known as a Bose-Einstein condensate.) However, even the chip-based traps had to be surrounded by a complicated set of coils to create the required magnetic field for trapping them
Academia
Global cybersecurity skills shortage incoming, warns House of Lords committee (We Live Security) A special Parliamentary Select Committee has told peers in the United Kingdom's House of Lords that there will be a global shortage of "no less than two million cyber security professionals" by the year 2017, IT Pro Portal reports
Greg Shannon to Lead IEEE Cybersecurity Initiative (GovConExecutive) Greg Shannon, CERT Division chief scientist at Carnegie Mellon University's Software Engineering Institute, will lead the IEEE Cybersecurity Initiative as chairman
SAIC Donates $750,000 to Virginia Tech's Hume Center for National Security and Technology (MarketWatch) Over the next five years, company will support the Hume Center's Education Program and Intelligence Community Center for Academic Excellence
Legislation, Policy, and Regulation
British spy agency demands more help from tech titans (C/Net) Following US government counterparts, the new head of Britain's Government Communications Headquarters criticizes tech firms for permitting terrorists to use their services
HMRC promises post-Aspire world will not compromise cyber vigilance (Government Computing) Department's CIO responds to PAC query on security and says digital strategy relies on effective cyber monitoring
NSA director: US needs Silicon Valley's expertise (AP via the San Diego Union-Tribune) U.S. intelligence depends on Silicon Valley innovation for technologies that strengthen the Internet and staff to provide national cybersecurity, National Security Agency director Mike Rogers told Stanford University professors and students Monday
Task Force Cyber Awakening Recommendations Due (SIGNAL) The Navy task force is set to deliver its first report in November
As cyber force grows, manpower details emerge (Defense News) The military will need to expand its force of cyber warriors beyond plans for 6,200 personnel, and the individual services are hammering out the manpower-related details of precisely how to build that force from the ground up, according to a new Pentagon report
Litigation, Investigation, and Law Enforcement
Security contractor breach not detected for months (AP via KLTV 7) A cyberattack similar to previous hacker intrusions from China penetrated computer networks for months at USIS, the government's leading security clearance contractor, before the company noticed, officials and others familiar with an FBI investigation and related official inquiries told The Associated Press
Online Drug Dealers Are Now Accepting Darkcoin, Bitcoin's Stealthier Cousin (Wired) When the cryptocurrency darkcoin launched earlier this year, it distinguished itself from dozens of bitcoin copycats by promising to keep users' transactions far more anonymous than its predecessor. Now that promise is being tested in the Internet's fastest-growing proving ground for privacy technologies: the online black market for drugs
A top appeals court to hear why NSA metadata spying should stay or go (Ars Technica) DC Circuit Court of Appeals may confirm ruling that ended practice, was stayed
In Klayman v. Obama, EFF Explains Why Metadata Matters and the Third-Party Doctrine Doesn't (EFF) How can the US government possibly claim that its collection of the phone records of millions of innocent Americans is legal? It relies mainly on two arguments: first, that no one can have a reasonable expectation of privacy in their metadata and second, that the outcome is controlled by the so-called "third party doctrine," which says that no one has an expectation of privacy in information they convey to a third party (such as telephone numbers dialed). We expect the government to press both of these arguments on November 4, before the D.C. Circuit Court of Appeals. We look forward to responding
Sources: Navy intel chief's security clearance suspended, can't view classified info (Navy Times) The head of naval intelligence has not been able to view classified information for an entire year
NSA Chief Bet Money on AT&T as It Spied on You (Daily Beast) The former head of the world's biggest spy agency didn't just oversee the collection of billions of AT&T records. He also tried to make money off its customers
Not-so Anonymous: How hackers wreaked havoc in St. Louis (St. Louis Post-Dispatch) The first call came on a Thursday, 12 days after Michael Brown was shot. Patti Knowles and her granddaughter were watching "Mickey Mouse Clubhouse"
RBS to help police with cyber and other expertise to fight financial crime (ComputerWeekly) The Royal Bank of Scotland is to provide the City of London Police with free training and advice to help fight financial crime
Pirate Bay co-founder 'TiAMO' arrested in Thailand (BBC) A co-founder of Swedish file-sharing website Pirate Bay has been arrested while trying to cross into Thailand from Laos, local police say
Cyber-attack weblink 'malicious' (BBC) A Twitter user signposted cyber-attacks which crippled the Home Office website by flooding it with huge amounts of internet traffic, a jury heard
'US intelligence needs prosecutions to get more budget dollars' (Russia Today) There is competition among 17 US intelligence agencies — they catch people whether it is within the law or not to get part of the multi-billion 'black budget,' George Mapp, an investigative journalist, said on RT's In the Now show