Cyber Attacks, Threats, and Vulnerabilities
A Deadly Mistake: Don't Underestimate ISIS in Cyberspace (National Interest) The nature of ISIS's online presence is intended to do three things. Firstly, and most importantly for the longevity of its existence, it's intended as a mechanism to attract and recruit members to its ranks. Secondly it's a means through which ISIS aims to strike fear into the hearts of all that come across its frequently gruesome propaganda. Both objectives are well documented, but a third dimension to the ISIS presence online is emerging: their attempts to use cyberspace for offensive purposes
Cyberattack tied to Hezbollah ups the ante for Israel's digital defenses (Christian Science Monitor Passcode) A sophisticated malware campaign recently discovered by an Israeli firm has been linked to Hezbollah, suggesting that the militant group has more advanced technological skill than previously thought
The Failed North Korean Cyber Attack (Lawfare) According to this report from Reuters, the United States tried, but failed, to implant a Stuxnet-like virus within the North Korean nuclear weapons program operating system. The effort failed due, it is said, to North Korea's extreme isolation of its communication system. What are we to make of this report (which, I hasten to add, is lightly sourced — much more lightly than, say, the original New York Times piece outing Stuxnet) assuming it is true?
Chinese Hackers Steal Data From Powerful Party Security Agency (Epoch Times) Most Chinese hackers usually seem to work for the state in one way or another, pilfering the commercial secrets of companies abroad and feeding them back to state-run firms. But another group is instead targeting the Chinese Communist Party itself
Airbus confirms software configuration error caused plane crash (Ars Technica) Airbus A400M flight recorder data confirms "quality issue" in setup caused failure
Understanding Flash Exploitation and the Alleged CVE-2015-0359 Exploit (Palo Alto Blogs) What follows is a detailed analysis of the root cause of a vulnerability we call CVE-2015-X, as well as a step-by-step explanation of how to trigger it
ESET uncovers new Linux/Moose malware threat (SecurityWatch) Security specialist ESET has discovered a new threat from the Linux/Moose malware family that is generating fake activity on social networks, the company announced today
New remote exploit leaves most Macs vulnerable to permanent backdooring (Ars Technica) Hack allows firmware to be rewritten right after Macs made before mid-2014 sleep
Ransomware creator apologizes for 'sleeper' attack, releases decryption keys (NetworkWorld) Criminal with a soft spot relents on successful Locker ransomware campaign and offers free decryption for victims. Refunds don't appear to be coming, however
XSS flaw exposed in IBM Domino enterprise platform (ZDNet) A cross-site scripting vulnerability, allegedly ignored by IBM, has been revealed in the public domain
DYRE Banking Malware Upsurges; Europe and North America Most Affected (TrendLabs Security Intelligence Blog) Online banking users in Europe and North America are experiencing the upsurge of DYRE, a malware family notorious for the multiple ways it steals data and its ties to parcel mule scams, among others
Researchers: Hola Fixes Incomplete (Threatpost) Hola, a popular, free, peer-to-peer service that enables anonymous surfing and access to blocked online resources, said today it has patched vulnerabilities discovered last week that expose its millions of users to possible code execution, remote monitoring and other threats to privacy and security
Hola! TV geo-block botters open bug bounties (Register) Bot shop's security chop shot
IRS Using 13-Yr. Old Microsoft Software (Fox Business) IRS computers are still running the 13-year old Microsoft (MSFT) Windows XP operating software which Microsoft stopped supporting a year ago with security updates
Why IRS breach is bigger than you think: Frank Abagnale (CNBC) The data breach involving IRS files affects many more people than taxpayers think, conman-turned-consultant Frank Abagnale said Monday
IRS breach shows the importance of PII security (TechTarget) A breach of the IRS' Internet tax form service "Get Transcript" exposed the personal information and tax filings of thousands of people
IRS Data Breach — A 'Teachable Moment' for Government Agencies (Legal Tech News) Internal reports show that cybersecurity budgets within the IRS were insufficient and the fallout of failure could change its priority in government organizations
States Seek Better Mousetrap to Stop Tax Refund Fraud (KrebsOnSecurity) With the 2014 tax filing season in the rearview mirror, state tax authorities are struggling to incorporate new approaches to identifying and stopping fraudulent tax refund requests, a $6 billion-a-year problem that's hit many states particularly hard this year
Seeing Through the Outsider's Insider Mask: Reflections on the IRS Breach (The CyberWire) We spoke with Bay Dynamics CEO Feris Rifai on the lessons he thinks we can draw from the breach of the US Internal Revenue Service's "Get Transcript" service
The Future of Cyber Crime, and What Enterprises Can Do About IT (The CyberWire) The CyberWire was able to hear David Remnitz speak at 2015's inaugural Billington Corporate Cybersecurity Summit in New York. We caught up with him after the conference to discuss the future of cyber crime, and what enterprises can do about it
A Look at the Real Social Engineers (Tripwire: the State of Security) Since the very first day I started working in the information security industry, I have found everything to be just so interesting and fascinating
3 Lessons From Heartland Breach The Second Time Around (Dark Reading) While not even a drop in the bucket compared to its last breach, Heartland's exposure this week does offer some lessons to the security community
Hackers stole personal info of over a million of Japanese pensioners (Help Net Security) Personal information of some 1.25 million of Japan's pensioners has been compromised and some of it was leaked following a successful breach of Japan Pension Service's computer systems
Hackers Expose 49% of FT 500 Europe (Recorded Future) Recorded Future analysis identified recent employee credential exposures for at least 49% (244) of the FT 500 Europe, a Financial Times listing of Europe's largest companies
Woolworths' Self-Inflicted Breach A Clear Example Of Insider Negligence (Dark Reading) Australian grocer sent master spreadsheet of customer information and redeemable codes for thousands of gift cards to hundreds of customers
Social media gives clues to security questions (USA TODAY) What was your high school mascot?
SourceForge locked in projects of fleeing users, cashed in on malvertising [Updated] (Ars Technica) "Hotel California" of code repositories lets you check out, but you can never leave
Keep My Opt-Outs, the Google Chrome privacy extension, hasn't been updated for years (Graham Cluley) Many internet users aren't too keen on being tracked by ad-tracking cookies as they surf the web
Are hackers experiencing karma in the Underground Economy? (HackRead) The underground economy is a large group of websites that make it possible for hackers and fraudsters to trade illegal services and stolen goods such as credit card and online account credentials
Security Patches, Mitigations, and Software Updates
Facebook just made a move that will infuriate law enforcement (Business Insider) Facebook has announced it is letting users add encryption keys to their profiles and opt in to have notification emails sent in an encrypted format
New Google My Account Manages Privacy, Security Settings (Threatpost) Less than a week after announcing some welcome changes that keep Android mobile app permissions in check, Google on Monday announced a new privacy and security settings tool
Cyber Trends
Security vendors guilty of virtualization 'gap' (Channelnomics) Partner says security vendors lack in securing customers moving to cloud
3 Reasons IT Security Breach Costs Keep Rising (MSPMentor) Last week the Ponemon Institute rolled out the results of yet another Global Cost of Data Breach report and, surprising very few people in the security world, the stats show costs rising again
Over 12,000 DDoS Victims Recorded in First Quarter of the Year (Softpedia) Longest assault lasted for about six days
Phishing study finds major brands heavily targeted, niche sites also at risk (Naked Security) Phishing experts at the Anti-Phishing Working Group (APWG) have released their latest global survey, revealing the latest trends observed in the second half of 2014
Surfing porn, downloading apps: Employees ignore obvious cyber risks at work (First Post) Blue Coat Systems, Inc., enterprise security solution provider, revealed the results of a global research study of 1580 respondents across 11 countries that highlighted a global trend of employees ignoring cyber risks while at work
Are some reading the Verizon breach report's mobile section all wrong? (CSO) "Mobile malware is not a problem." "Enterprises, ignore mobile threats; they're not there." "You're more likely to be struck by lightning than by mobile malware"
Can Tweeters be tamed? (Christian Science Monitor) In an age of uncivil social media, a simple tweet can bring a torrent of threats and taunts. Can anything be done to stop the 'trolls?'
Marketplace
A fundamental shift in security spending (Help Net Security) Firms are shifting their cyber security spend away from traditional Prevent & Protect approaches towards Detect & Respond operations, according to Pierre Audoin Consultants (PAC)
Confusion regarding strategic defenses for network security (Help Net Security) RedSeal uncovered a high level of confusion regarding security issues in the network infrastructure. Nearly 60% of the 350 C-level executives surveyed believe they can "truthfully assure the board beyond a reasonable doubt" that their organization is secure, a surprising show of confidence in an environment where many reports reveal a high incidence of network breaches in up to 97% of all companies
Execs admit 'blind spots' hurt network security: report (ZDNet) The majority of C-level executives say it is impossible to protect what they cannot fully see or understand
CSO's CISO Executive Career and Leadership Success Guide (CSO) What CISOs need to know to adapt and succeed
Cyber Security And The CIO: Changing The Conversation (InformationWeek) Do CIOs have an inherent conflict of interest when it comes to security? What should be their InfoSec involvement?
Cyphort Raises $30 Million in Series C Funding Led by Sapphire Ventures (Street Insider) Cyphort, a pioneer of Advanced Threat Defense (ATD) solutions, today announced it has secured $30 million in Series C funding
French connection creates web content mining powerhouse (BusinessWeekly) A new powerhouse in web content mining, with a particular edge in cyber security, has been created by an all-French acquisition
HP ConteXtream acquisition complements open NFV work (TechTarget) Hewlett-Packard's acquisition of ConteXtream is likely to bring a number of valuable features to HP's upcoming open NFV products
Elastica snaps up Exclusive Networks (ChannelPro) Exclusive to develop channel for cloud app security vendor Elastica
Key Cisco executives to step down alongside John Chambers (ComputerWeekly) Cisco's COO and sales chief are both understood to be leaving as Chuck Robbins takes over as CEO from John Chambers in July
Hexis Cyber Solution's Katherine Russ-Hotfelter Named to 2015 CRN Women of the Channel List (Nasdaq) Russ-Hotfelter recognized second year in a row for strategic leadership
Centrify's Holly Adams Named to 2015 CRN Women of the Channel List (BusinessWire) Centrify Corporation, the leader in unifying identity management across cloud, mobile and data center, today announced that Holly Adams, head of channel marketing for Centrify, has been named to The Channel Company's prestigious 2015 CRN® Women of the Channel
Products, Services, and Solutions
Security Watch: HP and FireEye team up for threat detection (CSO) HP and FireEye have announced a partnership to make incident response, compromise assessment and threat detection offerings available to HP Enterprise Services' most strategic clients globally
Wearable security: Authentication apps for Apple Watch (Macworld) The Apple Watch could become our central hub in a wheel of identity, in which all spokes rotate around our wrist
Light Point Security Provides Safe Downloads with Metascan (Benzinga) Light Point Web uses Metascan to scan downloads with 40+ anti-malware engines to provide users with advanced threat protection
BalaBit Announces Availability of Update to Its Flagship Product Shell Control Box (Sys-Con Media) New version of BalaBit's Privileged User Management Solution focuses on PCI DSS compliance requirements
Fortinet Unveils New FortiGuard Mobile Security Subscription Service (Channel EMEA) Reinforces company's commitment to helping enterprises of all sizes deploy, manage and secure networks in a mobile era
Radware Launches New Device Fingerprinting Technology to Mitigate Malicious Bot Attacks (Dark Reading) Radware® (NASDAQ: RDWR), a leading provider of cyber security and application delivery solutions ensuring optimal service level for applications in virtual, cloud and software defined data centers, today announced enhanced protection from threats posed by advanced bots through its Attack Mitigation System
Technologies, Techniques, and Standards
Experts divided on security implications of DOJ's deal with Box (CSO) Security experts are divided about the U.S. Department of Justice's decision to use Box
The challenges of data classification (Help Net Security) We are living in a data driven society with globalizing economies, data transfer, and ubiquitous access to everything from everywhere
How to reduce the risk of social engineering attacks (ComputerWeekly) Implement simple checks to reduce the risk of the main types of social engineering attacks
Which malware lures work best? (Help Net Security) More often than not, malware peddlers' main goal is to deliver their malicious wares to the maximum number of users possible. Choosing the right lure is crucial to achieving that goal
Detecting Lateral Movement (Windows Incident Response) Almost two years ago, I posted this article that addressed how to track lateral movement within an infrastructure. At the time, I'd been using this information successfully during engagements, and I still use it today
Protecting Client Data: Shoring Up Information Security at Law Firms (Duo Security) According to Marsh's 2014 Global Law Firm Cyber Survey published early this year, nearly 80 percent of law firms consider cyber security and privacy to be one of their firm's top 10 risks, but 51 percent said they have not taken measures to reduce cyber risk
Don't get distracted in the cyberbattle (CSO (Australia)) Telstra's CSO Mike Burgess says it's critical to avoid distractions when fighting against cybercriminals
Design and Innovation
How the Tech Behind Bitcoin Could Stop the Next Snowden (Wired) The National Security Agency knows Edward Snowden disclosed many of its innermost secrets when he revealed how aggressive its surveillance tactics are. What it doesn't know is just how much information the whistleblower took with him when he left
Russian billboard advertising contraband hides when it recognises cops (Naked Security) Moscow's Don Giulio Salumeria promises "small islands of warm and sunny Italy," offering authentic Italian prosciutto, ricotta, mozzarella and tiramisu for sale in the cold lands of Russia
Cookie warnings: Useless and bad for security? (Help Net Security) Cookies are the official and standard and preferred way of keeping state in the (otherwise) stateless HTTP protocol
Research and Development
Battle alien invaders, explore kingdom of monsters to help DARPA find software bugs (FierceGovernmentIT) The Defense Advanced Research Projects Agency, or DARPA, released a new set of publicly accessible online games designed to crowdsource analysis of software applications to test their security
Academia
Cybersecurity Program Launches in Kansas City (Webster Today) The new Kansas City metro location at 10450 Holmes Street has about 19,000 square feet designed to encourage collaboration among students and faculty
Legislation, Policy, and Regulation
At first-ever conference, UN takes aim at cyber-threats against nuclear safety (UN News Centre) The international community must intensify efforts to protect the world's nuclear facilities from cyberattacks, the head of the United Nations nuclear watchdog declared today
Either way, no more NSA collection of U.S. phone records (Military Times) However Congress resolves its impasse over government surveillance, this much is clear: The National Security Agency will ultimately be out of the business of collecting and storing Americans' calling records
Patriot Act provisions lapse: Is the U.S. less safe today? (CBC) Opinions are mixed on whether expired provisions of the Patriot Act will put U.S. security at risk
Why the US Patriot Act's expiration is so dangerous (Telegraph) The non-renewal of the Patriot Act limits the reach of the US intelligence community in a time when their service is needed more than ever
Sunset of Section 215 Means All Eyes on USA Freedom Act (Threatpost) The sun may have set at midnight on Section 215 of the PATRIOT Act, putting a temporary halt to the NSA's bulk collection of phone call metadata, but privacy champions and legal experts point to May 7 as the day the lights dimmed on that facet of the government's surveillance efforts
With sections of Patriot Act expired, attention focuses on surveillance reform bill (Christian Science Monitor Passcode) The Senate is expected to begin debating the USA Freedom Act as early as Monday afternoon. Yet both privacy advocates who oppose NSA phone records collection and security hawks object to the bill for different reasons
Opinion: Why Congress should not pass USA Freedom (Christian Science Monitor Passcode) While it has been hailed as a surveillance reform bill, the USA Freedom Act would immediately ramp back up the collection of billions and billions of records about our everyday actions
Don't (Just) Let the Sun Go Down on Patriot Powers (Motherboard) A handful of provisions of the sprawling USA Patriot Act are now all but certain to at least temporarily expire at the end of the month, including the controversial section 215, the basis of the National Security Agency's notorious bulk telephone records dragnet
Newly Declassified Documents (IC on the Record) Today we've added newly declassified documents to two prior posts: The Department of Justice Releases Additional Documents Concerning Collection Activities Authorized by President George W. Bush Shortly After the Attacks of September 11, 2001 — Published December 12, 2014; Release of Documents Concerning Activities under the Foreign Intelligence Surveillance Act — Published March 3, 2015
Congress: US military highly vulnerable to cyber attacks (Fox News) Congress wants the Pentagon to spend more than $200 million to identify holes in U.S. weapons and communications software that could allow foreign militaries to disrupt or defeat advanced arms in cyber attacks
EPA must tackle several cybersecurity issues to deal with persistent threats, watchdog says (FierceGovernmentIT) With advanced persistent cyber threats continuing to pose a challenge, the Environmental Protection Agency needs to make some tough choices on where it can spend its limited security budget to make the most impact, according to a recent report by the agency's watchdog
Defending the Cyber Nation: Lessons from Civil Defense (War on the Rocks) If you grew up during the Cold War, as we both did, you probably remember all sorts of ways that we prepared for the possibility of a nuclear attack
Japan and the United States to Deepen Cybersecurity Cooperation (Diplomat) The growing threat of digital attacks moves Washington and Tokyo closer together in trying to secure cyberspace
Litigation, Investigation, and Law Enforcement
Cyber criminals cashing in on digital currencies (ITProPortal) In the digital age, money is rapidly evolving into lines of computer code which can easily be hacked, ransomed or stolen by organised criminal gangs (OCGs)
If lax security leads to a data breach, your insurer may not pay out (Lumension) It all started with the kind of story that we're sadly all too familiar with
Proposed rule change to expand feds' legal hacking powers moves forward (Ars Technica) Change would allow one judge to authorize "remote access" basically anywhere
Proving an Online Threat Is a Threat Just Got a Lot Tougher (Wired) On Monday, the Supreme Court overturned the 2011 conviction of Anthony Elonis, a Pennsylvania man who was sentenced to jail time for writing a series of threatening Facebook posts