Cyber Attacks, Threats, and Vulnerabilities
Colombia raids office that 'spied to undermine peace' (BBC) It is alleged that the emails of President Juan Manuel Santos were also "probably intercepted." Colombian authorities say they have raided an office that illegally spied on rebel and government communication to try to undermine peace talks
Colombian Judge Orders Accused Cyber Spy Held (Latin American Herald Tribune) A man arrested for conducting a clandestine cyber-espionage operation targeting the Colombian government's negotiations with leftist guerrillas will remain in custody pending trial, a judge ordered Wednesday
Syrian Electronic Army Hijacks WSJ Twitter Accounts (Softpedia) The Syrian Electronic Army has hijacked a total of four Twitter accounts of the Wall Street Journal (WSJ) and has posted a message claiming that Ira Winkler is a cockroach
Look out, sysadmins — HOT FOREIGN SPIES are targeting you (The Register) Agents are greasing up IT bods to access all areas, warns MI5
Confessions of a LinkedIn Imposter: We Are Probably Connected (Tripwire: the State of Security) I have a confession to make. I created a fake profile on LinkedIn and we are probably connected. Curious after receiving several obvious and some not so obvious fake profiles, I did a bit of experimenting creating my own
Feds: You Need to Fix Your TSP Passwords this Weekend (Nextgov) The website of the Thrift Savings Plan, the retirement program for 4.6 million federal employees and retirees, gives identity thieves clues about how to crack users' passwords, some security analysts say
Koler Android malware demands $300 ransom from its victims (HotforSecurity) Ransomware has posed a serious threat to desktop computer users for some time
Orange warns of Phishing attacks after data breach (CSO) Orange, Europe's fourth largest telecom, has confirmed reports that personal information for 1.3 million customers has been compromised. The breach is the second one in three months, but notification was delayed so that the company could assess the true scale of the problem
Is DDoS smokescreen for real attacks? (Business-Cloud) When companies come under cyber attack, their primary concern is keeping the business running but few do a good enough job of examining what happened
Scam Alert: Your Facebook Accounts will be Permanently Disabled (eHackingNews) We have seen large numbers of Facebook posts that promise something, but it turns out to be a scam. FB users still believe these kinds of posts and blindly follow the instructions. So cyber criminals keep coming up with new themes to trick users
Beware of Google+ "Fraudulent Verification Survey" phishing scam (Help Net Security) Phishers are again after Google account login details — this time they are trying to pass themselves off as the nonexistent "Google+ All Domain Mail Team" and are urging users to participate in a "spam and fraudulent verification" survey
Apparent cyber attack strikes Pullman schools (Moscow-Pullman Daily News) Numerous apparent cyber attacks on the Pullman School District's computer network have disrupted state standardized tests
POS attacks on the rise as RAM scraping makes a comeback (FierceRetailIT) Cybercriminals are gaining on retailers as hackers use RAM scraping malware to compromise POS systems at retailers at an alarming rate
Attackers rope DVRs in bitcoin-mining botnet in record time (Help Net Security) How long does it take for one out of the box digital video recorder to be compromised with malware once the device has been connected to the Internet? The unfortunate answer is just one day
Tax identity fraudsters target third-party payroll sites: are you protected? (WeLiveSecurity) Tax identity fraud is on the rise this year, possibly due to criminals getting craftier in their choice of breach targets. According to a series of reports from Brian Krebs, fraudsters are now targeting third-party payroll services
Security Patches, Mitigations, and Software Updates
It's time to get rid of Windows XP, as Patch Tuesday looms (Graham Cluley) As I write this today, Windows XP is patched against known Microsoft security vulnerabilities
Why Microsoft is guilty of bad parenting with the IE XP update (ITPro) Microsoft should have employed tough love tactics and excluded XP users from the latest Internet Explorer patch, argues Davey Winder
Cyber Trends
Intelligence-driven security has benefits, but beware its limits (TechTarget) Too often, what firms and vendors consider intelligence-driven security amounts only to threat predictions and is not very worthwhile from a strategy standpoint, according to Kim Jones, Senior Vice President and CSO of payment processing provider Vantiv. Instead, companies need to use security data to drive decision-making in order for it truly to be considered "intelligence-driven," he added
Anti-virus is dead — but ghosts get chased (SC Magazine) Symantec declares AV dead. Not everyone agrees, though FireEye researchers say most malware is gone before AV starts looking
Ghost-Hunting With Anti-Virus (FireEye Blog) In October 2012, data security firm Imperva released a controversial report on the efficacy of anti-virus (AV), which concluded that AV solutions only stopped 5 percent of all malware identified. Few reports in the security industry had been as polarizing as this one—many reacting with white-knuckle rage. It was a classic case of Chris Christensen's "Innovator's Dilemma," where old school technologies cling to life, in the face of a new paradigm. Just yesterday, one of the original anti-virus vendors joined the fray in "declaring anti-virus dead" in the Wall Street Journal
Industries on the cyber war front line (Help Net Security) ThreatTrack Security published a study that looks at the security vulnerabilities of two industries most often targeted by cybercrime: energy and financial services
Verizon Blockbuster Data Breach Report Is Bad News for Organizations (Business2Community) Verizon has published a blockbuster report on Internet "data breaches" which has garnered major headlines because it fingers Eastern Europe (primarily Russia) as a greater source of attacks than those from East Asia, primarily China
Majority of UK firms unprepared for DDoS attacks, study finds (ZDNet) A new survey suggests that most UK businesses are ill-equipped to cope with DDoS attacks
2014 starts with record-breaking malware traffic (Help Net Security) AppRiver released a detailed analysis of web and email-borne threats and malware trends traced between January and March 2014
World's Most Advanced Hackers are in Russia and Eastern Europe (Infosecurity Magazine) At Infosecurity Europe 2014, Eleanor Dallaway caught up with Ross Brewer, vice president and managing director for international markets, and Mike Reagan, CMO at LogRhythm to talk insider threats, and the global threat landscape
Three Ways Criminals Are Using Social Media: Phishing, Malware, and Physical Threats (Cyveillance Blog) In our previous post, we discussed some of the reasons why criminals like social media. In this article, we'll look at more ways that they're using it to find and deceive unsuspecting victims
Tweet your heart out for privacy (ZDNet) Doing what's necessary to protect your own privacy is not easy. Better just to blame someone else for the whole problem. #ResetTheNet!
Marketplace
Steinhafel's departure leaves Target looking for IT redemption (FierceRetailIT) Heads continue to roll at Target (NYSE:TGT) in the wake of its massive data breach. CEO Gregg Steinhafel abruptly resigned and while Target's data breach wasn't the only reason, it certainly was a contributing factor. Steinhafel's sudden departure helps reinforce the growing importance of IT security and systems in the upper reaches of the executive offices
Cyber Insurance Goes Mainstream as Data Security Threats Prevail (Digital Journal) Solace Insurance comments on multi-million dollar threat, potential reputation loss. Recent extensive data breaches have made it evident that no American business is safe from cyber-attacks — Solace Insurance details the nuances of cyber insurance and the steps necessary to secure coverage
Biz Break: FireEye buys a 'black box' to track hackers' movements (San Jose Mercury News) Today: FireEye follows $1 billion Mandiant acquisition with the purchase of a private firm that records all network traffic to track where the bad guys go and what they do. FireEye added another soldier to its mission of helming the most complete network-security offering Tuesday, acquiring nPulse Technologies for about $70 million to act as its "black box" to record attacks from nefarious hackers
Microsoft, Oracle Likely to Stop Working With Russian Banks Over Sanctions (Moscow Times) Leading U.S. IT companies Microsoft, Oracle, Hewlett-Packard and others may be cutting off services to Russian banks and companies to comply with Washington's sanctions over Russia's actions in Ukraine, spreading the same political anxiety that the banking sector has experienced in recent months into the Russian IT market
NSA spy praises Huawei ban (Australian Financial Review) The recently retired director of the United States National Security Agency says Australia was correct to exclude Chinese telecommunications manufacturer Huawei from helping build the national broadband network because of evidence of Chinese espionage against the nation
Lieberman Software rebuilds European channel from scratch (CRN) 'US-centric' privileged identity management vendor claims it can become serious European player following expansion drive
Netskope Named a "Cool Vendor" by Analyst Firm Gartner (Digital Journal) "Cool Vendor" report recognizes innovative, impactful and intriguing vendors in the security intelligence market
GovSec Recognizes Contributions of Government Security Leaders with Gov30 Awards (Fort Mill Times) GovSec — the Government Security Conference and Expo, which also features TREXPO, the Law Enforcement Expo, today announced the individuals who will be honored with the first-ever Gov30 awards
House panel approves $52B for cybersecurity (The Hill) The House Armed Services Committee on Wednesday approved legislation that would provide $52 billion to the Pentagon's cybersecurity operations
Postal Service cloud contracts omit security measures (FierceGovernmentIT) The 13 cloud computing contracts that the Postal Service awarded in recent years inadequately addressed data security, says the USPS office of inspector general
4chan launches bug bounty program (Help Net Security) In the wake of the recent data breach that spelled the end of art products Canvas and DrawQuest, 4chan founder and owner Chris "moot" Poole has announced that they will be launching the 4chan Vulnerability Disclosure Program
Smaller cities look to compete in a growing InfoSec job market (CSO) In 2013, InfoSec accounted for nearly 10 percent of all IT jobs nationwide. On Wednesday, a local firm in Indianapolis added to that growth
AirPatrol Names New Vice President of Engineering (Wall Street Journal) Director of software development, Mark Wilson, tapped to lead mobile locationing and cyber security company's engineering group
Corero Network Security Names Dave Larson Chief Technology Officer and Vice President, Product (Ulitzer) Corero Network Security (LSE: CNS), a leading provider of First Line of Defense® security solutions, today announced the appointment of 20-year industry veteran Dave Larson to its management team as Chief Technology Officer and Vice President, Product
Big Data Security Visionary Joins ThreatStream to Lead Data Strategy (Broadway World) ThreatStream, a next generation cyber intelligence company that enables the disruption of cyber attacks in real-time, today announced the appointment of big data security luminary, Jason Trost (formerly with Endgame, Inc.), to lead its data science vision
Paul Falkler Joins Vistronix as National Intell Programs Corporate VP (GovConWire) Paul Falkler, formerly director of strategic development at Varen Technologies, has joined Vistronix as corporate vice president for national intelligence programs
Products, Services, and Solutions
McAfee's Back, With Chadder (InformationWeek) Embattled antivirus pioneer John McAfee backs Chadder, an app that promises private communications through server encryption
Seagate Wireless Plus offers advanced cloud backup (Help Net Security) The Seagate Wireless Plus mobile device storage now consists of a family of capacities at 500GB, 1TB and 2TB versions to suit every need along with integration with cloud services, such as Dropbox and Google Drive
Tor Browser v3.6 Released (ToolsWatch) The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained
Technologies, Techniques, and Standards
Blinding users to URLs: Good or bad for security? (CiteWorld) The URL, or Uniform Resource Locator, has always felt like a leftover from the early age of the commercial Internet, an inelegant address for a specific website or (more inelegantly) a specific website page
Improving the URL bar (Jake Archibald) iOS has hidden the pathname of URLs for some time now, but recently Chrome Canary introduced something similar behind a flag. I'm not involved in the development of Chrome experiment at all, but I've got more than 140 characters worth of opinion on it
Security Slice: the Botnet Wars (Tripwire: the State of Security) ZeuS is one of the most infamous botnets in information security history, but recently, a researcher by the name of Xylitol uploaded a video revealing how to successfully exploit a bug in ZeuS in less than sixty seconds. According to Xylitol: "ZeuS is one of the most popular botnets, it's naturally a good hacking target." Who's going to take advantage of the security vulnerabilities in cybercrimeware?
Data Center Security Lessons from Heartbleed and Target (Data Center Knowledge) Data center security is of increasing concern, with data breaches and cyber vulnerabilities more and more in the news headlines. Symantec's recent threat report highlighted more "zero day" attacks in 2013 than in the two previous years combined. Verizon's Data Breach Investigations Report shows data breaches and cyber attacks at levels substantially above previous years
Employee education: Why cyber attacks are closer to home than CIOs may think (Information Age) The importance of employee education in the fight against cybercrime, and why human error could be the weakest link in a business
It's World Password Day: Change your passwords (Help Net Security) Today (May 7) is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits when it comes to choosing passwords. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it
Design and Innovation
Cristin Dorgelo: Gov't Agencies Increasingly Use Prizes to Spur Tech R&D (ExecutiveBiz) Data from the Office of Science and Technology Policy shows that federal agencies hosted 87 technology-related prize competitions during fiscal 2013, an 85 percent increase over the prior fiscal year
Academia
The Role Of STEM Education In Shaping The Future Of Information Security (Forbes) The hardest thing to manage is change
Government launches Your Life campaign to boost STEM interest (ComputerWeekly) The government has launched a campaign to accelerate participation in science, technology, engineering and maths (STEM) subjects at school and beyond
NSA funds 'science of cybersecurity' research (FCW) The National Security Agency is funding the creation of small laboratories — "lablets" in NSA vernacular — that will support research into the science of cybersecurity at four major universities
Legislation, Policy, and Regulation
Tim Berners-Lee: Worldwide web Magna Carta by 2015 (ComputerWeekly) The founder and inventor of the worldwide web, Tim Berners-Lee, has repeated his call for a bill of rights or Magna Carta for the internet, and urged mass action to achieve it in the face of powerful opposing interests
EU Data Protection Regulation: Detection is the best prevention (Help Net Security) The UK government recently published guidelines for companies covering the five basic controls that businesses must follow to ensure a minimum level of protection. The goal of this 'Cyber Security Implementation Profile' is to serve as notice that all companies must ensure that they have defenses in place to protect their intellectual property and the consumer data that they hold. This mirrors similar efforts across the EU. In March the EU parliament voted to implement a new Data Protection Regulation which will seek to eliminate the legal differences in data protection across EU countries
German Lawmakers Want to Question Snowden Despite Government's Warning (Wall Street Journal) Chancellor Angela Merkel's Administration fears relations with the U.S. may suffer
A Bill Drastically Curbing the NSA's Powers Moves a Step Forward (Mashable) A bill to curb the NSA's surveillance powers, including ending its bulk metadata collection program, is moving forward after a House committee voted unanimously in its favor during a markup session on Wednesday. The bill is now one step closer to a floor vote by the full House of Representatives
Nadler calls for end to sweeping security measures (San Diego Jewish World) Congressman Jerrold Nadler (D-New York), a veteran member of the House Judiciary Committee, delivered a statement during the markup Wednesday, May 7, of the USA Freedom Act
Former NSA Chief Defends Stockpiling Software Flaws for Spying (Wired) The NSA has never said much about the open secret that it collects and sometimes even pays for information about hackable flaws in commonly used software. But in a rare statement following his retirement last month, former NSA chief Keith Alexander acknowledged and defended that practice. In doing so, he admitted the deeply contradictory responsibilities of an agency tasked with defending Americans' security and simultaneously hoarding bugs in software they use every day
The Way the NSA Uses Section 702 is Deeply Troubling. Here's Why. (Electronic Frontier Foundation) The most recent disclosure of classified NSA documents revealed that the British spy agency GCHQ sought unfettered access to NSA data collected under Section 702 of the FISA Amendments Act. Not only does this reveal that the two agencies have a far closer relationship than GCHQ would like to publicly admit, it also serves as a reminder that surveillance under Section 702 is a real problem that has barely been discussed, much less addressed, by Congress or the President
Public-private partnerships help America combat cyberthreats (MarketWatch) CenturyLink executive testifies before U.S. Senate subcommittee
D.C. Confidential: Secret Service cyber sleuths saved two financial firms from going down the tubes, it says (New York Daily News) The Secret Service notified "two financial institutions" of cyber attacks on their computer systems and saved them from going out of business. Wednesday testimony from William Noonan, who heads the agency's cyber investigations unit, claimed the agency informed the two unidentified institutions of "intrusions" they didn't know about
Litigation, Investigation, and Law Enforcement
Ex-NSA Chief Warns Edward Snowden is Under Russian Control (Reuters via the Moscow Times) Former National Security Agency contractor Edward Snowden is now likely under the control of Russian intelligence agencies, former NSA Director General Keith Alexander said
Tales of the Cyber Underground: A Hacker's Life Inside (Infosecurity Magazine) In the latest Tales of the Cyber Underground instalment, Tom Brewster ponders the effect that jail time has on convicted hackers, and talks to cybercriminals who have served prison sentences about their experiences
No, McAfee didn't violate ethics scraping OSVDB (Errata Security) My twitter feed is full of people retweeting this claim that McAfee (the company) violated ethics by scraping [OSVDB]. This is completely wrong: McAfee violated no ethics (nor law)
DEA settles suit alleging government lie-detector abuses (McClatchy) The Drug Enforcement Administration has agreed to pay 14 contractors $500,000 to settle a lawsuit that accuses the agency of illegally requiring them to undergo highly intrusive lie detector tests to keep their jobs as translators
Court: Two accused of hacking Navy servers located in Tulsa to change plea (AP via the Tulsa World) A change of plea hearing has been set for two men accused of conspiring to hack into the computer systems of the Navy and more than 30 other websites in an attempt to steal identities of service members
87 arrested in the Philippines in bust of sextortion ring (Naked Security) A gang of at least 87 Filipino sexual blackmailers, some of them allegedly connected to the suicide of 17-year-old Daniel Perry, was busted last week