Cyber Attacks, Threats, and Vulnerabilities
Riyadh confirms hacking of Foreign Ministry servers (PressTV) Riyadh has confirmed the internal Internet network belonging to the Saudi Foreign Ministry has come under a cyber-attack
Yemeni Hackers Reveal Top Secret Docs in Saudi Government Cyber Attack (Sputnik News) Yemeni hackers reveal top secret docs in Saudi government cyber attack
St Clare's College website hacked with Islamic messages (Canberra Times) The St Clare's College website was hacked to display white Arabic text on a black background with "scary" music playing in an apparent reference to Islamic State over the weekend
New Point-of-Sale Malware NitlovePoS Sends Card Data via Encrypted Connection (Softpedia) Security researchers identified a fresh malware piece targeting point-of-sale (PoS) systems that relies on encrypted communication to exfiltrate payment card info from the memory of the payment processing machines
Attackers use email spam to infect point-of-sale terminals with new malware (CSO) They're likely counting on some employees misusing such terminals to browse the Web or check their personal email at work
Meet 'Tox': Ransomware for the Rest of Us (McAfee Labs Blog) The packaging of malware and malware-construction kits for cybercrime "consumers" has been a long-running trend. Various turnkey kits that cover remote access plus botnet plus stealth functions are available just about anywhere. Ransomware, though very prevalent, has not yet appeared in force in easy-to-deploy kits
New research suggests that hackers can track subway riders through their phones (Daily Dot) Underground subways offer no place to hide from hackers
Could thieves use jamming technology to steal your car? (Guardian) Theoretical attack becomes real as criminals begin using jammers to block remote locking car keys
mSpy finally admits they've been hacked (Help Net Security) After having first denied that they suffered a breach and had their customers' data stolen and leaked on the Dark Web, mobile spyware maker mSpy has finally admitted that the incident happened, but they claim that only 80,000 customers (and not 400,000) have been affected
CareFirst breach demonstrates how assumptions hurt healthcare (CSO) Assumptions related to criminals, security posture, and remediation are hurting healthcare
3 Critical Takeaways From The Damaging CareFirst Hack That Exposed Millions (DCInno) On Wednesday, District-based not-for-profit insurer CareFirst BlueCross BlueShield announced it had been hacked in June 2014
The human cost of the Adult Friend Finder data breach (CSO) This Friday the news hit that 3.5 million personally identifiable records were leaked from systems belonging to the adult-oriented website, AdultFriendFinder
Recent Breaches a Boon to Extortionists (KrebsOnSecurity) The recent breaches involving the leak of personal data on millions of customers at online hookup site Adult Friend Finder and mobile spyware maker mSpy give extortionists and blackmailers plenty of ammunition with which to ply their trade. And there is some evidence that ne'er-do-wells are actively trading this data and planning to abuse it for financial gain
Insider Data Breach at Medical Billing Company Hits Patients at Several Hospitals (eSecurity Planet) A call center employee at billing company Medical Management, LLC stole thousands of patients' names, birthdates and Social Security numbers
Isle of Man taxpayers' info leaked due to email error (Help Net Security) Email addresses of approximately 5000 customers of the Income Tax Division (ITD) of the Isle of Man — a self-governing British Crown dependency and a tax haven for the rich — have been leaked via email
Hackers Target Bitcoin Exchange BitFinex's Hot Wallet (HackRead) Reportedly BitFinex was hacked, but due to the strict security measures it had implemented, only a minimal amount was lost
Scareware: Fake Minecraft apps Scare Hundreds of Thousands on Google Play (We Live Security) ESET has discovered over 30 scareware applications available for download from the Google Play store
Researcher who exploits bug in Starbucks gift cards gets rebuke, not love (Ars Technica) Plenty of poor manners to go around in fraudulent $1.70 purchase
With all its political bluster, Anonymous can't shake its 'prankster' past (Christian Science Monitor Passcode) A study shows that the media regards the online collective as 'pranksters' even though its various elements take part in social action and political causes
Social Engineering: Even Shakespeare understood security's weakest link (CSO) What do Shakespearean tragedies and security issues have in common? Both are overwhelmingly the result of human error. Othello is one of Shakespeare's greatest plays, and Iago is one of literature's first social engineers
Bulletin (SB15-145) Vulnerability Summary for the Week of May 18, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week
Cyber Trends
Is security really stuck in the Dark Ages? (CSO) Amit Yoran's colleagues didn't agree with everything the RSA President said at his keynote last month. But most say he got the essentials right — things are bad and getting worse, and the industry needs a new mindset
Plane safe? Hacker case points to deeper cyber issues (Reuters) Security researcher Chris Roberts made headlines last month when he was hauled off a plane in New York by the FBI and accused of hacking into flight controls via his underseat entertainment unit
Will our future Internet be paradise or dystopia? (Christian Science Monitor Passcode) What we learned from an Atlantic Council event discussing digital trends and possible scenarios for the world's online future
More bad news: The bad guys are getting better (GCN) If there's one lesson to be gained from all the security breaches and revelations of major bugs in security protocols in 2014, it's that attackers are upping their game and finding more opportunities. That's only reinforced by several new studies
MIT CIO Symposium: Outdated security assumptions put companies at risk (TechTarget) It's a digital world, and as much of a good thing as this is, a digital world is also infested with cybercriminals who eat enterprise security for lunch. That was the message from Roland Cloutier, chief security officer (CSO) at HCM provider ADP, at this year's MIT CIO Sloan Symposium
What the security industry can learn from the World Health Organization (Christian Science Monitor Passcode) The discovery of computer bugs can be marketing boons for cybersecurity firms. But one critic says the industry should take a page from the health profession and select names for flaws that aren't designed to stoke fear or generate buzz
Cyber Threat Analysis: A Call for Clarity (Dark Reading) The general public deserves less hyperbole and more straight talk
Malware is not only about viruses — companies preinstall it all the time (Guardian) Since I started free software in the 80s, developers have grown to routinely mistreat users by shackling behaviour and snooping — but we have ways to resist
Top lessons from data breach investigations (Betanews) Data breaches are an all too common part of our landscape today, but are we learning the lessons from them to make our systems more secure?
20% of IT professionals have witnessed a security breach cover-up (IT Security Guru) Research conducted by AlienVault has shown that 20% of IT security professionals have witnessed a breach being hidden or covered up. The survey also found that in the event of a breach, only 25% of professionals would see the best course of action as telling the regulator and paying the fine
Breaches Cost Healthcare $6 Billion Annually (Health IT Outcomes) A Ponemon Institute report indicates cyber criminals have increased their attacks on healthcare 125 percent, costing the industry $6 billion annually
Employees Engaging in Risky Cyber-Security Activities (eWeek) The majority of global survey participants admitted understanding the obvious cyber-threats when downloading email attachments from an unknown sender
Threats in Polish networks — CERT Polska 2014 report (CERT Polska) Today, we published the annual CERT Polska report in its English version. This report presents the most important trends and observations that we think shaped Polish cybersecurity in 2014. This includes new, upcoming threats, their evolution and our responses to them
Marketplace
Confronting the widening infosec skills gap (CSO) Estimates of the shortage of qualified information security professionals needed to fill available jobs in the next several years range into the multiple millions. A number of organizations are trying to change that. But they say it will likely be years before the gap is closed
Blackberry Acquisition: Apple, Microsoft, Xiaomi & Lenovo Are In $7B Acquisition Race — Reports (Trak.in) Blackberry is back in demand, and be assured that this is not 2010
BlackBerry Ltd Laying off Device Employees to Increase Software Development (Viral Global News) After another significant loss in their fiscal fourth quarter of 32 percent, BlackBerry is making some harsh choices
Jim Cramer: Why FireEye's Losses Are Actually a Good Sign (The Street) What opportunities are so great that you have to be willing to lose money to grab them all? What kind of business willingly loses money in order to capture all the business out there? I can think of only one: cyber security
Why small firms mean big business for cybersecurity (Fortune) Small firms, especially in finance, need cybersecurity companies that can provide affordable solutions
Israel emerges as global cyber superpower (Haaretz) Sales by Israeli companies reached 10% of world total, figures show
Woolworths hires first-ever CISO (IT News) KPMG exec to head IT security ranks
Products, Services, and Solutions
Microsoft ATA: Worthy Successor To Patch Tuesday (InformationWeek) Tight integration with Active Directory gives Microsoft's new Advanced Threat Analytics appliance a powerful claim to stake in enterprise IT security
Huawei unveils APT big data security solution (IT Brief) Huawei has released a new solution designed to protect against Advanced Persistent Threat (APT) and distributed denial-of-service (DDoS) attacks
Enterprise Level Cyber Security from Digital Shadows (Tech.Co) "You can no longer assume you're never going to be hacked. You have to assume that you will be," says James Chappell, co-founder of cyber threat intelligence company, Digital Shadows
Technologies, Techniques, and Standards
Identifying Fake Social Media Profiles Possible With Google Image Search (HackRead) Creating fake social media accounts has been the favorite trick of hackers and scammers for interacting with potential victims. However, thanks to Google Image Search, you can now check whether such an account is real or fake by searching for its profile picture
Info sharing best defence against cyber threat (Gulf News) Organisations have to start thinking of concerted actions rather than go it alone
Best Practices for Deterring Cyber Hackers (MSPMentor) eFax Corporate recently hosted a webinar to inform covered entities in healthcare of the dangers that today's sophisticated cyber hackers pose to their electronic protected health information (ePHI) and other intellectual property
Stripping back security with 'less is more' approach (IT Pro Portal) Today's businesses have never spent more on cyber security, yet they've never been less protected. While the global security spend races towards $30 billion, breaches in UK businesses alone have shot up by almost 25 per cent in the past three years
13 must-have security tools (Network World via CSO) The experts weigh in on their top picks for protecting enterprise networks
Have You Been Hacked? How to Recover from a Data Breach (Business Daily) It's every modern business's worst nightmare: You discover there's been a security breach, and your sensitive business and customer data has ended up in the hands of hackers
5 security questions to ask before clicking on a link (We Live Security) URLs used to be a nice and simple way to link to an online destination without a long and fiddly URL, but in today's world of advancing cybercrime they can lead to password and data theft, even drive-by-download malware attacks. So ask yourself these five questions before clicking on that shortened link
Travel smart: Tips for staying secure on the road (Help Net Security) Whether you're taking a personal holiday or a business trip, traveling by car or by plane, planning a quick jaunt or preparing for an extended stay, make sure your security best practices are coming along for the ride
8 Android security tips for IT, corporate users (CIO via CSO) A set of security experts shares actionable tips for IT departments and users to help reduce the risk associated with the popular mobile OS
Incorporating Threat Intelligence Into Cyber Risk Scoring (T3 — Tieu's Tech Tidbits) Most approaches to cyber security risk scoring are based on findings on assets against various defect checks, e.g. vulnerabilities, compliance, configurations, etc. With the growing availability of threat intelligence, this risk scoring should be enhanced to incorporate threat intelligence so that known threats can be taken into account
Compliance is Like Asking Your Kids to Clean Their Room (Dark Matters) I just received an email from a new friend of mine who was telling me about her troubles with bringing a company up to compliance standards. She was performing security compliance testing. Testing?
Do elected officials encrypt their email? (CSO) Let me know when you're done laughing. It's OK…I can wait. So, this was a thought that occurred to me one night as I was fighting through some rather nasty heartburn
Design and Innovation
Why we need a standardized IoT tech stack (Venture Beat) Everyone is talking up IoT (the Internet of Things) as the next mega trend. Analysts are predicting that IoT will be a multi-trillion dollar category, and thousands of companies, from GE to Evernote, are redefining themselves as IoT companies
NSA Trying to Track Your Smartphone Finger Strokes (Defense One) Smartphone technology built by Lockheed Martin promises to verify a user's identity based on the swiftness and shape of the individual's finger strokes on a touch screen
Bitcoin's baby: Blockchain's 'tamper-proof' revolution (BBC) For Bitcoin, 2014 was not a good year. The virtual currency's value slumped as scandal after scandal struck, resulting in many people losing significant amounts of money
Windows and OS X are malware, claims Richard Stallman (Register) 'Resist gratification', says super-GNU-man freedom fighter
Research and Development
Manhattan Project for Cybersecurity R&D (GovInfoSecurity) Employing ISAO to get researchers to collaborate
Hacking Virginia State Trooper Cruisers (Dark Reading) Working group of federal agencies and private industry launched by the state of Virginia is studying car vulnerabilities and building tools to detect and protect against vehicle hacking and tampering
Academia
Which students get to have privacy? (Ars Technica) There's a push to protect student data, but those in need are the ones being left behind
University of Houston Recognized For Its Cybersecurity, Cyber Defense Program (University Herald) The National Security Agency and the Department of Homeland Security have recognized the University of Houston's educational and research programs in cybersecurity and cyber defense, school officials announced
CIC fills first phase, eyes future (Shreveport Times) With four buildings on its 66-acre footprint in Bossier City just east of Bossier Parish Community College, the Cyber Innovation Center has filled its phase one acreage and is looking toward expansion
Legislation, Policy, and Regulation
Fiercely critical of NSA, Germany now answering for its own spy practices (Christian Science Monitor Passcode) Germany is embroiled in a spying controversy that is causing political upheaval and sparking a national debate about surveillance
Press Digest: Government urged to establish special agency dealing with cyber attacks (Sun Daily) The government has been urged to create an agency specialising in handling cyber attacks, which are becoming a threat to national security
National Security Agency begins winding down collection of American phone records (Economic Times) The National Security Agency has begun winding down its collection and storage of American phone records after the Senate failed to agree on a path forward to change or extend the once-secret program ahead of its expiration at the end of the month
The Senate Fails to Reform NSA Spying, Votes Against USA Freedom Act (Wired) A last-minute bid to reform NSA spying before lawmakers break for a week-long recess failed early Saturday morning after hours of debate and filibuster overnight when Senate lawmakers voted 57-42 against the USA Freedom Act
Senate blocks House surveillance bill, 2-month extension (AP via Yahoo! Tech) The Senate struggled unsuccessfully to prevent an interruption in critical government surveillance programs early Saturday, blocking a House-passed bill and several short-term extensions of the USA Patriot Act
Opinion: An ex-NSA chief and ACLU adviser can agree on surveillance reform. Why can't Congress? (Christian Science Monitor Passcode) Former National Security Agency Director Keith Alexander and law professor Geoffrey Stone say it's time for Congress to put politics aside and act quickly to reform surveillance laws in order to protect American privacy and maintain an intelligence edge
NIST Official: Businesses Need to Take More Responsibility for Cybersecurity (Nextgov) When it comes to cybersecurity, the relationship between businesses and the government has been mostly all carrot and no stick
US spy agency: 'Intelligence doesn't always equal secrecy' (http://www.businessinsider.com/r-intelligence-agency-opening-up-to-a-changing-world-2015-5#ixzz3b9TtVNO5) Much about the National Geospatial-Intelligence Agency remains classified, but the U.S. spy agency that maps and analyzes the earth is opening up more than ever, from sharing computer source code on a public website to tapping new sources of intelligence
How one mayor struggles with balancing privacy and surveillance (Ars Technica) Oakland must determine limits on LPRs, stingray use, "and we have not done that"
Litigation, Investigation, and Law Enforcement
The Hacker, the Plane and the TSA (Silicon Angle) Last month my good friend and security researcher, Chris Roberts of One World Labs, was detained by FBI agents after a United Airlines flight from Chicago to Philadelphia, about which he tweeted comments regarding the network security on his plane
Don't let a cyber-attack put you 'undersea': implications of the Pacnet security breach (Lexology) Pacnet experienced a cyber-attack in April, compromising the personal details of thousands of customers. Despite the fact that under the current Privacy Act there is no requirement to notify affected individuals or the Office of the Australian Information Commissioner (OAIC) of a serious data breach, organisations should nevertheless take measures to reduce their risk of a cyber-attack and limit the impact of an attack that has been detected
VA fails cybersecurity audit for 16th straight year (FierceHealthIT) CIO Stephen Warren: 'There were areas where the intensity wasn't where it needed to be'
County sheriff has used stingray over 300 times with no warrant (Ars Technica) San Bernardino Sheriff's Department doesn't tell judges it's using spy device
Before sentencing, Ulbricht begs for leniency: "please leave me my old age" (Ars Technica) "Silk Road turned out to be a very naive and costly idea that I deeply regret"
High schooler allegedly hired third party to DDoS his school district (Naked Security) A 17-year-old high school boy may face state and federal charges for allegedly having paid a third party to launch a distributed denial of service (DDoS) attack that crippled the West Ada school district in Idaho, US, for a week and a half earlier this month