Cyber Attacks, Threats, and Vulnerabilities
Fearing cyberattack, Israel curbs government websites' foreign traffic (Reuters via the Chicago Tribune) Israel will temporarily suspend some of its government websites' international traffic to fend off a potential mass-cyber attack by pro-Palestinian hackers, an Israeli security source said on Thursday, without elaborating on the threat
Vulnerability in World's Largest Site Turned Million of Visitors into DDoS Zombies (The Hacker News) An application layer, or 'layer 7', distributed denial of service (DDoS) attack is one of the harder web attacks to deal with: it is disguised to look like legitimate traffic but targets specific parts of a website, which makes it more difficult to detect and mitigate. Just yesterday the cloud-based security service provider Incapsula detected an unusual application layer DDoS attack carried out using traffic hijacking techniques. The attack flooded one of their clients with over 20 million GET requests originating from the browsers of over 22,000 Internet users
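The detail that matters for defenders in the Incapsula case is that the requests came from ordinary browsers: 20 million GETs spread over 22,000 clients is under a thousand requests per client, so a per-IP rate limit tuned for botnet floods may never fire. The following is an added example (not code from The Hacker News or Incapsula) that runs over constructed combined-format access log lines and flags a surge of requests to one path from many distinct addresses, reporting the dominant Referer so the operator can see which third-party page is driving the visitors' browsers. Paths, addresses, hostnames and thresholds are all assumptions for the demo.

```python
"""Spotting a hijacked-browser 'layer 7' GET flood in web server access logs.

Per-IP rate limiting misses this kind of attack: each browser sends only a
modest number of requests. What stands out is a sudden surge of requests to
one path, from many distinct clients, that nearly all carry the same
third-party Referer (the page whose visitors were hijacked)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, e.g.
# 203.0.113.1 - - [04/Apr/2014:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "https://victim.example/" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_layer7_flood(lines, window=timedelta(seconds=10),
                        surge_ratio=5.0, min_sources=10):
    """Compare every window against the first (baseline) window, per path.

    Alert when GETs to a path grow by at least surge_ratio AND come from at
    least min_sources distinct IPs. The per-IP rate in the alert shows why a
    per-client limit alone would not have caught it."""
    records = [r for r in map(parse_line, lines) if r and r["method"] == "GET"]
    if not records:
        return []
    t0 = min(r["ts"] for r in records)
    buckets = defaultdict(list)
    for r in records:
        buckets[int((r["ts"] - t0) / window)].append(r)
    baseline = Counter(r["path"] for r in buckets[0])
    alerts = []
    for idx in sorted(buckets)[1:]:
        by_path = defaultdict(list)
        for r in buckets[idx]:
            by_path[r["path"]].append(r)
        for path, recs in by_path.items():
            sources = {r["ip"] for r in recs}
            if len(recs) / max(baseline[path], 1) < surge_ratio or len(sources) < min_sources:
                continue
            referer, n_ref = Counter(r["referer"] for r in recs).most_common(1)[0]
            alerts.append({
                "window_start": t0 + idx * window,
                "path": path,
                "requests": len(recs),
                "distinct_ips": len(sources),
                "requests_per_ip": len(recs) / len(sources),
                "top_referer": referer,
                "top_referer_share": n_ref / len(recs),
            })
    return alerts


def build_sample_log():
    """Constructed sample, not real traffic: eight ordinary requests in the
    first ten seconds, then sixty GETs to /api/search from thirty distinct
    client addresses, two per address, all referred from one external page."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'
    t0 = datetime(2014, 4, 4, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(8):  # baseline window (seconds 0-7)
        lines.append(fmt.format(ip=f"203.0.113.{i + 1}",
                                ts=(t0 + timedelta(seconds=i)).strftime(TS_FMT),
                                path="/api/search" if i % 2 else "/index.html",
                                ref="https://victim.example/"))
    for i in range(30):  # flood window (seconds 10-19)
        for k in range(2):
            lines.append(fmt.format(ip=f"198.51.100.{i + 1}",
                                    ts=(t0 + timedelta(seconds=10 + (2 * i + k) % 10)).strftime(TS_FMT),
                                    path="/api/search",
                                    ref="https://hijacked.example/video"))
    return lines


if __name__ == "__main__":
    for alert in detect_layer7_flood(build_sample_log()):
        print(alert)
```

On the constructed sample the only alert is for /api/search: 60 requests from 30 addresses, two per address, every one referred from the same external page. A single shared Referer across a surge is the signature of traffic hijacking and is also the key for a quick mitigation (challenge or drop requests with that Referer) while the injected page is cleaned up.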
UPATRE Ups the Ante With Attachment Inside An Attachment (TrendLabs Security Intelligence Blog) In 2013, the malware UPATRE was noted as one of the top malware seen attached to spammed messages. The malware was also notorious for downloading other malware, including ZeuS and ransomware, particularly its more sophisticated form, Cryptolocker. This was enough reason to believe that the UPATRE threat is constantly advancing its techniques—this time, by using multiple levels of attachments
This phishing page can do more than steal your credentials (Help Net Security) Every now and again, we read reports about phishing sites that look dangerously convincing—you can hardly tell the real one apart from the fake one anymore, unless you know what to look for and where. Our friends at Symantec found one such site some time in March
New iOS 7 bug allows anyone to disable Find My iPhone feature (Security Affairs) A new iOS 7 bug allows anyone to disable Find My iPhone feature and to bypass Activation Lock without user's Apple credentials
F-Secure has discovered MiniDuke malware samples in the wild (Security Affairs) Security Experts at F-Secure discovered a collection of pdf documents, that had references to Ukraine, containing MiniDuke malware samples
Hunting Session Fixation Bugs (Infosec Institute) Improper handling of session variables in ASP.NET websites is a serious threat that opens various doors to malicious hackers. For instance, a session variable could be manipulated in a way that subverts login authentication mechanisms. This article illustrates a session fixation bug in a .NET website by demonstrating various live scenarios that typically leave a website vulnerable to session hijacking. It also gives detailed information about exploiting vulnerable websites, as well as recommended practices for protecting them against session fixation attacks
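The bug class is simple to state: the server keeps using the session id the client arrived with after authentication, so an attacker who obtained a valid id and planted it on the victim (via a URL parameter, an injected cookie, or similar) ends up holding the victim's authenticated session. The fix is to issue a new id at the moment privilege changes. The following is an added example, in plain Python rather than ASP.NET and not the article's own code, of a minimal server-side session store with the vulnerable behaviour beside the hardened one, plus the four-step attack sequence played against both. The credential store, user name and password are constructed for the demo.

```python
"""Session fixation: a server-side session store that keeps the pre-login
session id (vulnerable) beside one that issues a new id on authentication
(hardened). Illustrative Python, not ASP.NET's session machinery."""
import hashlib
import secrets

# Constructed demo credentials (PBKDF2 with a fixed salt), not a real user store.
_SALT = b"demo-salt"
_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000),
}


def check_password(username, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    stored = _USERS.get(username, bytes(32))  # dummy so unknown users cost the same
    return secrets.compare_digest(stored, digest) and username in _USERS


class SessionStore:
    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # session id -> session data

    def _issue(self, data=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = data if data is not None else {"user": None}
        return sid

    def begin(self, cookie_sid=None):
        """Called on every request. Only ids this server issued are honoured; an
        unknown id (e.g. one the attacker made up) gets a fresh session instead."""
        if cookie_sid in self._sessions:
            return cookie_sid
        return self._issue()

    def login(self, sid, username, password):
        """Authenticate the session. Returns the id the client must use from now on."""
        if not check_password(username, password):
            return sid
        if self.regenerate_on_login:
            # The fix: retire the pre-authentication id so anyone who knew it
            # (including an attacker who planted it) is left with a dead session.
            data = self._sessions.pop(sid)
            sid = self._issue(data)
        self._sessions[sid]["user"] = username
        return sid

    def current_user(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None


def fixation_attack(store):
    """Play the classic fixation sequence against a store and return
    (what the attacker's id resolves to, what the victim's id resolves to)."""
    attacker_sid = store.begin()                       # 1. attacker obtains a valid id
    victim_sid = store.begin(cookie_sid=attacker_sid)  # 2. attacker plants it on the victim
    victim_sid = store.login(victim_sid, "alice", "correct horse battery staple")  # 3. victim logs in
    return store.current_user(attacker_sid), store.current_user(victim_sid)  # 4. attacker replays


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(SessionStore(regenerate_on_login=False)))
    print("hardened:  ", fixation_attack(SessionStore(regenerate_on_login=True)))
```

Against the vulnerable store the attacker's planted id resolves to "alice"; against the hardened store it resolves to nothing while the victim's new id works. Rejecting ids the server never issued (the check in begin) closes the variant where the attacker picks an arbitrary value, but it does not replace regeneration, since a server-issued id is all the attacker needs. One ASP.NET caveat worth knowing when applying this: calling Session.Abandon() does not by itself change the ASP.NET_SessionId cookie the browser holds, so the id can be reused on the next request; clearing that cookie in the response is what forces a fresh id.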
"Castle Clash" Game Developer Claims It's Not Behind The Tinder Exploit (TechCrunch) A quick follow-up to the problem with the bots invading dating app Tinder which are pushing people to download a mobile game called "Castle Clash" using fake profiles and a domain ("Tinderverified.com") designed to give the scam an air of legitimacy: the company behind the game in question is today claiming they are a victim, too, not the culprit
WhatsApp experiences major outage after record user numbers (ITProPortal) If WhatsApp is down for you, you're not alone
Revealed — the most eclectic spam in the world! (Naked Security) When we write about spams and spammers, it's usually as part of a security warning. But from time to time, we write about them simply because they've made us laugh. They might have been hapless, bizarre or even insulting. We once had an email offering us a liver, or part of one, in case we needed a transplant
5-year-old Ocean Beach boy exposes Microsoft Xbox vulnerability (10News) A young Ocean Beach boy is in the spotlight after he discovered a back door into one of the most popular gaming systems in the world
Security Patches, Mitigations, and Software Updates
Final Windows XP-Office 2003 Patch Tuesday a light one (ZDNet) Windows XP and Office 2003's final Patch Tuesday will have only four updates total and only one critical each for Office and XP. The number of vulnerabilities is still undisclosed. The recent zero-day vulnerability in Word will be one of the fixed problems
Yes, you *can* still get Windows XP security updates after April 8th. But it will cost you £5.5 million (Graham Cluley) So, Microsoft was telling us fibs all along. It turns out that when they said, way back in 2007, that they would no longer support Windows XP after April 8th 2014, and that no more security updates would be made available, they weren't actually telling the truth
Windows 8.1 Update will be available on April 8 — here's what's new (Beta News) Microsoft has just unveiled the Windows 8.1 Update at Build, and it will be rolling it out to users of the tiled operating system on April 8
Patch Tuesday will fix zero-day flaw that meant just previewing an Outlook email could infect your computer (We Live Security) Patch Tuesday, the day when Microsoft releases its regular bundle of security fixes, is looming — and now we have some details of what it is going to contain. A Microsoft Security Bulletin pre-announces that the company will release four bulletins, two rated Critical and two rated Important in severity, on 8th April
Cyber Trends
Cyberespionage, not cyber terror, is the major threat, former NSA Director says (Threatpost) The list of threats on the Internet is long and getting longer each day. Cybercrime, nation-state attackers, cyber espionage and hacktivists all threaten the security and stability of the network and its users in one way or another. But the one threat that some experts have warned about for years and has never emerged is cyber terrorism, a former top U.S. intelligence official said
U.S. regulators warn banks about rise in cyber-attacks (Reuters) A group of top U.S. regulators on Wednesday warned about the threat of rising cyber-attacks on bank websites and cash machines, urging the industry to put proper measures in place to guard against fraud. The Federal Financial Institutions Examination Council (FFIEC) said it had seen a rise of so-called denial-of-service attacks on bank websites, which were sometimes a cover for criminals committing fraud
Smaller banks warned of hackers raising ATM withdrawal limits (Computerworld) A US federal agency warns of 'unlimited operations' where payment card limits are raised by attackers
EU regulators call for tougher defences against cyber-attacks (Financial News) European regulators have called on financial institutions to bolster their defences against cyber-attacks and recommend that firms put money aside to deal with potential incidents
Senate Homeland Security and Governmental Affairs Committee Hearing (Insurancenewsnet) Chairman Carper, Ranking Member Coburn, and distinguished Members of the Committee, thank you for the opportunity to present to you today. My name is Tiffany Jones, and I represent iSIGHT Partners, a leading cyber threat intelligence firm. Over the last seven years, we have built a team of 200+ experts dedicated to studying cyber threats in many nations across the
Kenneth van Wyk: Where mobile apps go wrong (ComputerWorld) More so than Web-based applications, mobile apps tend to have security design flaws that attackers can exploit
The top security worry keeping businesses awake at night? Insider threats (ZDNet) Today's modern business has to worry about stiff competition, rising energy prices, innovation, and how to poach talent to keep a corporation thriving — as well as the persistent threat of cybercrime. However, new research suggests that within European organizations, one worry tops the rest: the possibility of insider threats
Marketplace
2014 May Be Cyber Insurance's Most Popular Year Yet (Law360) February 2014 may ultimately be seen as the month when the cyberinsurance coverage market really began. Although certain insurance companies are writing cyber coverage, and some insureds have acquired that coverage, neither group currently comprises a significant number of entities. That may be about to change
Cyber security is economic opportunity for the UK, says government (ComputerWeekly) Cyber security is not a necessary evil, it is both an essential feature of — and a massive opportunity for — the UK's economic recovery, says Francis Maude, Cabinet Office minister
Russia's War on Internet Freedom Is Bad for Business and the Russian Economy (Forbes) Russia's invasion of the Crimea could push the country into a sharp recession. Yet Moscow's war on Internet freedom should spook investors even more. It risks long term damage to Russia's economy, according to a recent report by Dalberg. President Putin should change course and support a free and open Internet before it's too late
Microelectronics Technology Corporation Acquires Bitcoin Cyber Currency Digital Mining Company (MarketWatch) Microelectronics Technology Corporation (OTCQB: MELY) is pleased to announce that the Company has completed negotiations for the acquisition of an established digital mining company and its digital mining assets. The acquisition is now subject to final formal documentation to be completed by April 18, 2014
Hackathon gold: How to win a job offer in a coding competition (ITWorld) Some developers say hackathons can stifle innovation and chill the vibe of camaraderie because they offer large prizes. But that doesn't have to always be the case. Here's how to parlay those coding competitions into potential job offers
James Gillie Joins Telos as Cyber Operations VP, Deputy GM (GovConWire) James Gillie, formerly vice president of business operations at CACI International's intelligence business group, has joined Telos as VP and deputy general manager of cyber operations and defense
Jim Anderson Named BAE Applied Intell Division Americas Region President (GovConWire) Jim Anderson, formerly director of unified computing global sales at Cisco, has joined BAE Systems' applied intelligence division as president for the Americas region
Products, Services, and Solutions
Fidelis, Fortinet, Sourcefire, Trend Micro top NSS Labs' breach detection system ranking (FierceITSecurity) General Dynamics' Fidelis, Fortinet, Cisco's Sourcefire and Trend Micro all ranked above average in security effectiveness and value (cost per protected Mbps) for their breach detection systems, according to an assessment by NSS Labs
eScan Internet Security Suite with Cloud Security Proves 100% Effective Against Zero-Day Malware Attacks (Virtual Strategy) eScan, one of the leading Anti-Virus and Content Security Solution providers, has bagged the AV-Test certification for their Home user product, eScan Internet Security Suite with Cloud Security, for the tests conducted in January and February 2014
Which Web browser is the most secure? (proofpoint) Internet Explorer is the most secure Web browser, according to a study by NSS Labs
7 all-in-one security suites: Anti-malware for all your devices (Computerworld via Networkworld) Let's face it: No matter what device you use, you're in danger. Security threats and malware lurk on Windows PCs, Macs, and Android and iOS devices. If you use more than one device — like most of us do — that makes it even more difficult and expensive to be vigilant and keep yourself safe
New Windows Phone security necessary, but not groundbreaking (CSO via Networkworld) Microsoft, which is far behind Apple and Google in the smartphone market, has introduced a number of security features in Windows Phone that are not groundbreaking, but necessary to attract businesses
Cryptocat sticks to openness despite grief over audits (IDG News Service via Networkworld) Cryptocat's founder says the project will continue to release its audits and improve its code
Interface Masters Technologies Announces New Deep Packet Inspection System Supporting Application Identification (MarketWired) Interface Masters Technologies, an industry leader and innovator in networking solutions, today announced a new addition to the Niagara Deep Packet Inspection (DPI) product family, the Niagara 5004. The Niagara 5004 provides application identification, session based load balancing, 50,000 complex filters, VoIP call based load balancing, and flow/traffic statistics. The system has a network analytics engine providing session statistics, metadata and CDRs according to user specifications
Microsoft and secunet Team Up on Secure Tablet (InfoSecurity Magazine) secunet and Microsoft Germany are showing how a reliable, highly secure and ultra-mobile solution can become reality through a combination of security technology made in Germany and a high-performance tablet
EMC intros data protection-as-a-service: You shall D-PAAS (The Register) Firm faces up to virtual reality
Is Amazon hacking our apps? Or doing us all a security favour? (Naked Security) A war of words that started out as a fairly stinging criticism of Amazon has mellowed out into praise for the cloud services behemoth
Technologies, Techniques, and Standards
Bridging the cybersecurity skills gap with automation: a blueprint for federal agencies (Government Security News) Major security breaches in 2013 have raised the level of interest in cybersecurity to near fever-pitch. Such breaches shine a spotlight on a shared challenge in successful cybersecurity strategy implementation: the increased sophistication of cyber attacks and the shortage of skilled workers available to defend against them
What Homeland Security wants utilities to know and do (SmartGridNews) Quick Take: You know that NERC is developing more and more security mandates for utilities. And you may recall that two congressmen want the federal government to take over grid security. But don't forget that the U.S. Department of Homeland Security has its eyes on our industry, as demonstrated by its recently revised National Infrastructure Protection Plan
3 smarter ways to fight social engineering (FierceITSecurity) If Chris Hadnagy wants your data, he's probably going to get it. Social engineering experts like Hadnagy have a pretty high success rate in getting employees to cough up passwords, open unknown attachments, and otherwise take whatever bait they're offered. This is despite the fact that social engineering is nothing new—anybody who didn't already connect the concept of non-technical manipulation to information security should have caught on after Kevin Mitnick's antics grabbed headlines in the 90s
Sweeping Away a Search History (New York Times) Your search history contains some of the most personal information you will ever reveal online: your health, mental state, interests, travel locations, fears and shopping habits
Her website was hacked away; here's how she got it back (Naked Security) Jordan Reid, a blogger and what one news outlet called "A star of the post-expertise how-to landscape", learned on Saturday that her "Ramshackle Glam" site was gone — poof! Suddenly, the site that had been hers for five years was whisked away
Design and Innovation
A Fresh Coat of Paint Makes Bitdefender Better Than Ever (PC Magazine) I've looked at a lot of Android security apps, and finding an app that does it all is pretty tricky. It needs to be easy on your smartphone's limited resources, but also robust enough to defend against malicious applications. It also needs to go further, and protect your device with anti-theft tools since loss and theft are still the biggest threats to Android users. Oh, and one more thing: it needs to look the part
Research and Development
Quantum cryptography for mobile phones (Science Codex) Secure mobile communications underpin our society and through mobile phones, tablets and laptops we have become online consumers. The security of mobile transactions is obscure to most people but is absolutely essential if we are to stay protected from malicious online attacks, fraud and theft
A Survey of Intrusion Detection in Wireless Network Applications (Virginia Tech) Information systems are becoming more integrated into our lives. As this integration deepens, the importance of securing these systems increases. Because of lower installation and maintenance costs, many of these systems are largely networked by wireless means. In order to identify gaps and propose research directions in wireless network intrusion detection research, we survey the literature of this area. Our approach is to classify existing contemporary wireless intrusion detection system (IDS) techniques based on target wireless network, detection technique, collection process, trust model and analysis technique. We summarize pros and cons of the same or different types of concerns and considerations for wireless intrusion detection with respect to specific attributes of target wireless networks including wireless local area networks (WLANs), wireless personal area networks (WPANs), wireless sensor networks (WSNs), ad hoc networks, mobile telephony, wireless mesh networks (WMNs) and cyber physical systems (CPSs). Next, we summarize the most and least studied wireless IDS techniques in the literature, identify research gaps, and analyze the rationale for the degree of their treatment. Finally, we identify worthy but little explored topics and provide suggestions for ways to conduct research
Academia
Stanford University Offering Free Course on Cryptography (NewsBTC) If you thought that the University of Nicosia's free bitcoin introductory course was a deal, you might be happy to learn that Stanford University is offering a free course on Cryptography, as pointed out on Reddit
Legislation, Policy, and Regulation
Rogers Takes Over as NSA Director (BankInfoSecurity) The new director of the National Security Agency, Navy Adm. Michael Rogers, says he accepts the challenge of regaining the trust of some Americans "who don't believe in us"
NSA's Big Surprise: Gov't Agency Is Actually Doing Its Job (Dark Reading) When people claimed after 9/11 that the NSA was ill equipped to deal with a changing world, I wonder what they expected to happen. As I read all of the stories about the NSA, they come across as if this is somehow surprising. You can search back to the early 2000s and find stories that state how the NSA was behind the technology curve, and was woefully unprepared to deal with the ever-growing Internet and new technologies
Obama's NSA overhaul may require phone carriers to store more data (Reuters) President Barack Obama's plan for overhauling the National Security Agency's phone surveillance program could force carriers to collect and store customer data that they are not now legally obliged to keep, according to U.S. officials
The Grill: Rep. William Keating wants cross-sector data sharing (ComputerWorld) This cybersecurity-focused lawmaker wants cross-sector data sharing for faster response to cybersecurity threats
Clarity in OMB, DHS roles should be addressed in cybersecurity legislation (FierceGovernmentIT) Confusion over which responsibilities for federal cybersecurity policy reside in the Office of Management and Budget rather than in the Homeland Security Department isn't helping federal networks be more secure, a witness told a Senate panel
DOD switches to NIST security standards (Defense Systems) In a far-reaching move, the Pentagon has chosen to move all IT systems used by its organizational entities to a governmentwide set of IT security accreditation standards
Lightening the Workload for Cyber Command (SIGNAL) The U.S. Defense Department struggles to defend the current network infrastructure
New law increases cyber attack risks for French companies (Out-Law) Businesses in France are being asked to compile a database of commercially sensitive information that will potentially attract increased interest from cyber criminals
China to work with EU on cybersecurity as Xi wraps up Europe tour (South China Morning Post) Beijing's updated EU policy paper also suggests studying Europe's approach to urbanisation
'We have to implement it, but we don't have to respect it,' Turkish PM says on Twitter ruling (Hurriyet Daily News) Prime Minister Recep Tayyip Erdoğan has publicly expressed his discomfort at the Turkish Constitutional Court's ruling to unblock access to Twitter, describing the move as an attempt to protect "an American company's product"
Litigation, Investigation, and Law Enforcement
Target breach: Court of public opinion not as forgiving as court of law (FierceITSecurity) While Target continues to suffer in the court of public opinion, its fortunes in a court of law just improved
Federal Agencies Fail To Protect Personal Data (InformationWeek) Government agencies have inconsistently responded to both cyber and non-cyber incidents, a watchdog group says
DOJ Apologizes (Twice) to Court in NSA Case (US News and World Report) Government attorneys failed to note preservation of evidence orders, leading judge to write inaccurate ruling
DOJ Notifies Terror Suspect Evidence Gathered Through NSA Program (Wall Street Journal) Federal prosecutors have notified a terror suspect in Portland, Ore., that some of the evidence against him was gathered through the controversial National Security Agency bulk surveillance program—marking another case where judges will likely have to rule on the legality of such government programs. Reaz Qadir Khan, 48, is the fourth terror suspect in the U.S. to receive such a notification. The first came in October
U.S. States Investigating Breach at Experian (Krebs on Security) An exclusive KrebsOnSecurity investigation detailing how a unit of credit bureau Experian ended up selling consumer records to an identity theft service in the cybercrime underground has prompted a multi-state investigation by several attorneys general, according to wire reports
City investigates Anonymous cyber attack (KRQE) The City of Albuquerque is still dealing with the major cyber attack that shut down some online pages over the weekend
Former Microsoft employee accused of leaking software pleads guilty (SC Magazine) A former Microsoft employee has pleaded guilty to charges related to sharing software code for looming company products
Scottish Officers Convicted Of On-Duty Data Offences (InformationSecurityBuzz) Following news that an increasing number of Scottish police officers are being investigated for breaching data protection laws whilst on duty, find the following comments and thoughts from John Walker, Patrick Oliver Graf and Girish Bhat
Barrett Brown Signs Plea Deal in Case Involving Stratfor Hack (Wired) Barrett Brown, whose case became a cause célèbre after he was charged with crimes related to the Stratfor hack, has agreed to a plea deal with prosecutors, according to court filings