Cyber Attacks, Threats, and Vulnerabilities
Russia-Ukraine Crisis Could Trigger Cyber War (Voice of America) On the day Crimeans voted in a referendum in March on secession from Ukraine, hackers from a group calling itself the "Cyber Berkut" pelted NATO websites with online nuisance attacks designed to knock the pages offline
Hackers target Algerian president in Oman state news agency attack (Arabian Business) An investigation has been launched after Oman's state news agency was targeted by cyber attackers and used to send "inaccurate news" about newly re-elected Algerian president Abdelaziz Bouteflika
Heartbleed maliciously exploited to hack network with multifactor authentication (Ars Technica) In-the-wild VPN attack using Heartbleed underscores real-world threat of bug. Demonstrating yet another way the catastrophic Heartbleed vulnerability threatens users, malicious hackers were able to exploit the bug to successfully bypass multifactor authentication and fraud detection on an organization's virtual private network (VPN), security researchers said
8 Heartbleed responses from financial firms (Investment News) Advisers and financial services firms have been scrambling to avert any potential damage from the "Heartbleed" cybersecurity bug that threatens millions of web users
Heartbleed Means Healthcare.gov Users Must Reset Passwords (Nextgov) Federal officials are telling Obamacare website account holders to reset their passwords, following revelations of a bug that could allow hackers to steal data
Poll: Dark Reading Community Acts On Heartbleed (Dark Reading) Roughly 60 percent of respondents to our flash poll have installed the Heartbleed fix or are in the process of doing so
Heartbleed Bug Bit Before Patches Were Put in Place (IEEE Spectrum) It's been a little less than a month since the Heartbleed bug was discovered and less than two weeks since the public was informed about it. The bug is a "trivial" programming error made in early 2012 and discovered by Google in March that non-trivially affects the OpenSSL (Secure Sockets Layer) cryptographic software library
Criminals try to cash in on 'Heartbleed' bug (Boston Globe) As Internet users worldwide race to guard their computers against the potentially devastating Heartbleed security breach, criminals are moving just as quickly to exploit it
Heartbleed: A Password Manager Reality Check (Dark Reading) Is a password manager an effective defense against vulnerabilities like Heartbleed, or just another way to lose data to hackers?
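The "trivial" programming error the IEEE Spectrum item above refers to is a missing bounds check in the TLS heartbeat handler: the server copied as many payload bytes as the peer's length field claimed, without checking that the record it had actually received was that long. The following is an added example, not code from the page or from OpenSSL. It models the handler over a fixed buffer (the record sits at the front, a constructed secret sits just past it) and shows the vulnerable copy beside the corrected check. The record layout (1 byte type, 2 bytes payload length, payload, at least 16 bytes of padding) follows RFC 6520; the buffer size, the `setup_memory` helper and the secret string are assumptions for the demonstration.

```c
/* Added example: simplified TLS heartbeat handler, vulnerable and fixed.
 * Not OpenSSL's code; the buffer layout and helper names are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST 1
#define HB_PADDING 16

/* A process "memory" image: the received record is placed at the front and
 * unrelated data (here a constructed secret) happens to follow it. */
static unsigned char g_mem[256];
static size_t g_record_len;   /* bytes actually received on the wire */

/* Build a heartbeat request whose length field may disagree with the
 * number of payload bytes really sent, and plant a secret after it. */
void setup_memory(uint16_t claimed_len, const char *real_payload, const char *secret)
{
    size_t pl = strlen(real_payload);
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed_len >> 8);
    g_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_mem + 3, real_payload, pl);
    g_record_len = 3 + pl + HB_PADDING;
    /* The secret lives past the end of the record, in the same buffer. */
    strcpy((char *)g_mem + g_record_len, secret);
}

/* Vulnerable: trusts the peer-supplied length. Returns bytes copied into out. */
size_t heartbeat_vulnerable(unsigned char *out, size_t out_cap)
{
    const unsigned char *p = g_mem;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return 0;
    if (payload > out_cap) return 0;   /* guards the destination only */
    memcpy(out, p, payload);           /* reads past the real record */
    return payload;
}

/* Fixed: header + claimed payload + padding must fit inside the record
 * that was actually received; otherwise the request is silently dropped. */
size_t heartbeat_fixed(unsigned char *out, size_t out_cap)
{
    const unsigned char *p = g_mem;
    unsigned char type;
    uint16_t payload;
    if (g_record_len < 1 + 2 + HB_PADDING) return 0;
    type = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return 0;
    if ((size_t)1 + 2 + payload + HB_PADDING > g_record_len) return 0; /* the missing check */
    if (payload > out_cap) return 0;
    memcpy(out, p, payload);
    return payload;
}

/* Did the reply carry bytes that were never part of the request? */
int reply_leaks(const unsigned char *out, size_t n, const char *secret)
{
    size_t sl = strlen(secret);
    for (size_t i = 0; i + sl <= n; i++)
        if (memcmp(out + i, secret, sl) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char out[256];
    size_t n;

    /* Peer sends 5 real payload bytes but claims 200. */
    setup_memory(200, "hello", "SECRET-KEY");
    n = heartbeat_vulnerable(out, sizeof out);
    printf("vulnerable copied %zu bytes, secret leaked: %s\n",
           n, reply_leaks(out, n, "SECRET-KEY") ? "yes" : "no");
    n = heartbeat_fixed(out, sizeof out);
    printf("fixed copied %zu bytes (0 = request discarded)\n", n);
    return 0;
}
```

The destination-size check in the vulnerable version is the kind of check that looks like input validation but never consults the length of the source record, which is why the leak survived review. The fixed handler compares the claimed payload against `g_record_len` and drops anything that does not fit, in the same spirit as the actual OpenSSL patch.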
RedHack Hackers Target Aktif Bank over Controversial e-Ticketing System (Softpedia) Members of the hacktivist collective RedHack claim to have breached the systems of Aktif Bank, Turkey's largest privately owned investment bank. The attack comes just as the bank introduced a controversial e-ticketing system for soccer (football) fans
Easy-to-Use NTP Amplification Emerges as Common DDoS Attack Vector (eWeek) Reflection attacks using the Network Time Protocol surge in the first quarter, as attackers shift to bandwidth-clogging floods of data
WordPress plugin vulnerability puts mobile visitors at risk (Avast Blog) Today one of our colleagues came into our office and said, "Hey guys, I've been infected." I thought to myself, yeah, how bad can this be? After a bit of digging we found the results were worth it; it turned out to be a really "interesting" case of mobile redirect threats localized for each country
Android Malware Repurposed to Thwart Two-factor Authentication (InfoSecurity Magazine) A malicious mobile application for Android that offers a range of espionage functions has now gone on sale in underground forums with a new trick: it's being used by several banking trojans in an attempt to bypass the two-factor authentication method used by a range of financial institutions
Beware of clever phishing scam that bypasses Steam Guard (Help Net Security) Malwarebytes' Chris Boyd is warning owners of Steam accounts about a relatively new phishing approach that goes after both their account login credentials and a file that allows them to bypass the entering of the Steam Guard verification code
3M payment cards compromised in Michaels Stores/Aaron Brothers breach (Help Net Security) In the wake of the highly publicized Target and Neiman Marcus breaches, Texas-based arts and crafts store chain Michaels stated in January that it had been targeted by cyber crooks who were after their customers' payment card data
Don't share your location with your friends on WhatsApp (Naked Security) A group of budding security researchers at the University of New Haven (UNH) in Connecticut, USA, recently taught themselves a handy lesson about the difference between liking something and trusting it
Bulletin (SB14-111) Vulnerability Summary for the Week of April 14, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
Most but not all sites have fixed Heartbleed flaw (ComputerWorld) Web's top-1,000 sites are immune to exploit but 2% of the top 1 million have yet to patch the problem
Windows XP security update with bug error causes havoc (V3) An update to Microsoft's anti-malware software for Windows XP has caused systems to crash in the latest issue for those running the ageing platform
Microsoft corrects Windows XP/Security Essentials bug (ZDNet) A bad update caused users of many Microsoft security products, not just Security Essentials, to experience "interrupted service". The latest update fixes the problem
Cyber Trends
Next target for cyber hackers could be your smart TV, says anti-virus chief (Telegraph) The chief executive of global IT security business Kaspersky Lab says financial services firms now have most to fear from criminals
Experts Worry About Future of Critical Infrastructure Security (Threatpost) The problem of critical infrastructure security has become a key issue in the last few years, as high-profile attacks such as Stuxnet and others have grabbed headlines and alerted politicians and others to the weaknesses facing these vital systems. It's an issue that Eugene Kaspersky has been thinking about for a long time, and isn't sure that the organizations running these systems are any closer to addressing these threats than they were several years ago
Internet of Things, Boon for Manufacturers (Product and Service Advantage) It's planting season and a farmer in the Midwest is busy at work, but he's not in the field — he's working from a digital operations center on his tablet computer. Meanwhile, one of his tractors is running low on diesel. No problem. The tank has already notified the supplier it needs a refill
Will the Internet of Things become the Internet of Broken Things? (ComputerWorld) Cisco Systems estimates that the number of devices connected to the Internet will reach 50 billion by 2020. This brings promise for users, corporations and vendors but also a major challenge: What happens if this Internet of Things (IoT), all 50 billion of them, morphs into the Internet of broken things?
IT security is national security — but you're not alone (Network World) Managing the danger of cyberattacks has to involve all parts of an enterprise, speakers tell a Kaspersky conference
How the cyber threat landscape is evolving — Comodo security [Q&A] (Beta News) In recent years the threats faced by both individuals and businesses have changed thanks to the adoption of new technologies like the cloud, a shift towards social engineering attacks, BYOD and more. We spoke to Egemen Tas, vice president of engineering for leading certificate authority and security software provider Comodo to get his view on current threats
Organizations remain vulnerable to SQL injection attacks (Help Net Security) Privacy and information security research firm Ponemon Institute, along with DB Networks, an innovator of behavioral analysis in database security, today announced the results of the Ponemon Institute's first-of-its-kind SQL injection threat study
Compliance is no guarantee of security (Help Net Security) The regulatory landscape is constantly evolving. For example, tougher new EU data protection laws are scheduled to come into effect over the next year or two. These new regulations will result in non-compliant firms being fined €100m or up to five per cent of global turnover, whichever is higher. Last year there were 2,164 incidents of data loss. According to a report by Risk Based Security and the Open Security Foundation, 72% involved external attackers while 25% were classified as internal incidents, although the latter were attributed mainly to human error and accidents rather than malicious intent
10 Big Ideas in Digital Security (PC Magazine) From Snowden to Heartbleed, security is arguably the biggest tech story of the year. But what's the real story, and what's just hype? Here's what the experts are saying, thinking, and fearing. It wasn't long ago that security news meant obscure vulnerabilities and viruses spreading across desktop computers. But now people everywhere are worried about snooping government agencies, Heartbleed letting their personal data loose on the Web, and rising mobile threats. Heck, the coverage of Edward Snowden's leaks about the National Security Agency's domestic spying efforts netted Pulitzer Prizes this year. As our lives become more focused around digital devices and the Internet, more people are getting worried about security, and rightly so. The question is, what are the real issues, and what's just flavor-of-the-month hype from the mainstream media?
Security pros largely unhappy with compliance methods (Help Net Security) Despite the fact that 63% consider regulatory compliance to be "very important", a new Osterman study shows a low satisfaction level with current methods of managing compliance. Only 13% are very satisfied with the current methods they use
Security Policies Hampered by Limited Visibility, Manual Processes (eWeek) Almost 20 percent of respondents raised the issue of poor communication among key stakeholders across development, security and operations groups
Firewall Policy Management Evolves To Security Policy Orchestration (Forbes) As networks have grown and network security device deployments have skyrocketed, it has become much more difficult to manage the policies that go along with those devices
Cyber security a must for telcos, banks (Free Malaysia Today) Banks, telecommunications firms and government portals in Malaysia must ramp up efforts to adopt advanced and effective cyber-defence capabilities to protect against espionage and fraud
Marketplace
Cambridge security software startup Threat Stack raises $2.7M (Boston Business Journal) Cambridge startup Threat Stack, a TechStars alum offering security software aimed at the cloud, has raised $2.7 million in funding, according to a U.S. Securities and Exchange Commission filing
FireHost Secures $25 Million in Series E Funding (Talkin' Cloud) FireHost, a managed cloud infrastructure-as-a-service (IaaS) provider, has received $25 million in Series E funding led by private investment firm The Stephens Group. According to a press release, FireHost plans to use the funds to extend its brand awareness, product development and sales
Why Splunk Is A Good Buy For The Long Run (Guru Focus) As Internet traffic grows, organizations need traffic analysis to support decision making and planning. Web analytics software meets most of that requirement for individuals and organizations. Splunk (SPLK) is one such company, providing operational intelligence software that comprises analytics and security solutions at the enterprise level
Security innovator Finjan returns as security investor (Times of Israel) California-based company, itself a pioneer in the cyber field, sees Israel as the source of new tech successes
The Upshot of 'Heartbleed'? Jobs (Newswise) Higher than average job growth expected in cybersecurity and information assurance
Homeland Defense Advisory Firm Taps Into Demand for Market Intelligence (National Defense) The homeland security business is mind-boggling, for both buyers and sellers. Agencies need products but may not know where to find them. And sellers have trouble locating customers in the maze of federal, state and local agencies that are responsible for homeland defense
Products, Services, and Solutions
Netcraft tool flags websites affected by Heartbleed (PCWorld) Worried about how the Heartbleed vulnerability may affect your personal accounts? A new tool may be of help
ZoneAlarm Extreme Security review: antivirus that lives up to its name (PCWorld) Extreme Security offers top-tier protection but lacks the cross-platform and mobile support that are becoming common in similar suites
ESET launches secure authentication SDK (Help Net Security) ESET launched the ESET Secure Authentication Software Development Kit (SDK). With this release, ESET provides system architects with a comprehensive developer guide in three mainstream programming languages to add two-factor authentication (2FA) protection to nearly any system that requires protection
emt and Catbird offer security products for virtualisation (Zawya) New range of specialised security solutions for virtualisation from Catbird to meet the growing demand for secure virtualisation in the Middle East
Technologies, Techniques, and Standards
Even the most secure cloud storage may not be so secure, study finds (NetworkSecurity) Johns Hopkins researchers question 'zero-knowledge' policies
PCI DSS — What's new in v3.0? (Naked Security) If the Payment Card Industry Data Security Standard (PCI DSS) applies to your business you should also know that it has been updated
Understanding What Constitutes Your Attack Surface (Tripwire) Put simply, your attack surface is the sum of your security risk exposure. Put another way, it is the aggregate of all known, unknown and potential vulnerabilities and controls across all software, hardware, firmware and networks. A smaller attack surface can help make your organization less exploitable, reducing risk
Questioning Information Security — You are only as good as your questions (Life at 6700') Your security is only as good as the questions you ask. It is the questions that drive the search for answers. And the answer drives informed action or inaction. Anything else is a random, uninformed walk. So, as you shape your security strategy to support the innovations of the business, it is in asking good questions and creating correct answers through which effective security is achieved. No one else but the enemy will tell you the questions you should have asked and the answers you should have come up with. But by then it is too late. Because they told you by running all over your system
Heartbleed: A chance to talk to kids about guarding online personal information (Trend Micro: Internet Safety) In the last week or so, there has been a lot of news around a recently discovered Internet vulnerability called Heartbleed. Without getting into too much technical detail, the bug could have caused many websites to expose the personal information people submitted to those sites. This includes shopping sites, social networks, email services, music streaming services, and gaming sites, because many of the world's websites use the same technology that was affected
Academia
Field Set for 2014 Raytheon/UTSA National Collegiate Cyber Defense Competition Championship (MarketWatch) Top 10 teams in the country meet in San Antonio to compete for the Alamo Cup
Area Cyber Security students take part in first ever Mohawk Valley Hackathon (WKTV) SUNYIT's Cyber Security and Information Systems Information Analysis Center was filled with a flurry of activity on Saturday
Learning to Code: New After-School Activity (Wall Street Journal Digits) With the advent of smartphones and handy mobile applications that help you hail a cab or find a gas station, the use of software has become more tightly intertwined with our daily lives. The success stories of some app developers have encouraged students and professionals to learn coding, the language of the future
The Sorry State Of IT Education (InformationWeek) Our profession is rife with people capable of performing procedures they've been taught, but incapable of thinking through a problem. Here's what we need to do
Legislation, Policy, and Regulation
Way to go DHS! And Shame on the Rest of You (ACLU) A very important government report on privacy and cybersecurity programs flew under the radar last week. Produced following President Obama's executive order from last February, agencies were directed to explain how they share our private information, and what they do to protect it. Overwhelmingly, agencies offered little to no information, and what they did share was discouraging. With one exception: the Department of Homeland Security (DHS)
The NSA Shouldn't Stockpile Web Glitches (Daily Beast) Members of the President's Intelligence Review Group declare that playing defense by alerting the public to hacks is the best response when situations like Heartbleed occur
Did President Obama Accept Recommendation 30? (Lawfare) Richard Clarke and Peter Swire, two of the five members of the President's Intelligence Review Group, argue at The Daily Beast that the NSA should rarely keep (as opposed to disclose, and allow patching of) software vulnerabilities, and that those rare circumstances should be decided in the White House rather than NSA. The argument basically repeats the Review Group's Recommendation 30
Activists want net neutrality, NSA spying debated at Brazil Internet conference (ComputerWorld) A campaign on the Internet is objecting to the exclusion of issues like net neutrality, the cyberweapons arms race and surveillance by the U.S. National Security Agency from the discussion paper of an Internet governance conference this week in Sao Paulo, Brazil
Gen. Franz takes over INSCOM (FCW Insider) The U.S. Army on April 17 named Maj. Gen. George J. Franz III commanding general of its Intelligence and Security Command in Ft. Belvoir, Va. INSCOM is a main Army command center for information security and has personnel in 180 locations worldwide
Litigation, Investigation, and Law Enforcement
Cyber cops: Target hackers may take years to find (AP via Yahoo! News) Secret Service investigators say they are close to gaining a full understanding of the methods hackers used to breach Target's computer systems last December
New VOICE website a resource tool for cyber crime victims (SC Magazine) A new website aimed at arming consumers with the ability to quickly report cyber crime is now available
Edward Snowden asks Vladimir Putin softball questions on surveillance (Kansas City Star) If Edward Snowden had any credibility as a fugitive former National Security Agency contractor he lost it this week when he asked Russian President Vladimir Putin softball questions about whether the communist country conducts mass surveillance on its citizens as the United States does
Here's What Putin Didn't Tell Snowden About Russia's Spying (WAMC) "Does Russia intercept, store or analyze in any way the communications of millions of individuals?" former National Security Agency contractor Edward Snowden asked Russian President Vladimir Putin on Thursday
Edward Snowden on his Putin TV appearance: 'Why all the criticism?' (The Register) Denies Q&A cameo was meant to slam US, big-up Russia
Snowden reporter promises more NSA revelations are coming (The Hill) One of the reporters honored with a Pulitzer Prize last week for his reports on National Security Agency surveillance on Sunday promised further revelations
Snowden Email Provider Remains in Contempt (Courthouse News Service) The former email provider of National Security Agency leaker Edward Snowden should be held in contempt for trying to keep its metadata out of the government's hands, the 4th Circuit ruled
Three Self-Described Anonymous Hackers Arrested in South Korea (eSecurity Planet) The three have been charged with threatening to launch cyber attacks against the Korean government