Cyber Attacks, Threats, and Vulnerabilities
Fake recruiters on LinkedIn are targeting infosec pros (Help Net Security) "There's a group of fake recruiters on LinkedIn mapping infosec people's networks. Not sure what their goal is yet, just a heads-up to others," Yonathan Klijnsma, a threat intelligence analyst working at Dutch infosec firm Fox-IT, warned via his Twitter account
LinkedIn Sockpuppets Are Targeting Security Researchers (F-Secure Labsblog) Multiple LinkedIn accounts recently targeted numerous security specialists in an attempt to map their social graphs. Several of our researchers received these LinkedIn invitations themselves and Daavid from our Threat Intelligence team decided to investigate
Cyber attack against Match.com exposes millions of singles to malware (City A.M.) UK's online daters could be the victims of cyber crime, after researchers discovered a malware attack aimed at Match.com's millions of users
Ads on Match.com can let hackers hold computers for ransom: report (Washington Times) Members of Match.com in search of companionship were warned by security experts Thursday to expect something else as the British version of the popular online dating service is serving viruses to visitors through Web ads embedded with malware
Persistent cyber spies try to impersonate security researchers (Help Net Security) Rocket Kitten, a cyber espionage group that mostly targets individuals in the Middle East, has been spotted attempting to impersonate security researchers
New Android Ransomware Communicates Over XMPP (Threatpost) A new strain of Android ransomware disguised as a video player app uses a means of communication unseen in other similar malware
PayPal stored XSS vulnerability exposed (Help Net Security) Bitdefender researchers have located a stored XSS vulnerability in PayPal that leaves the e-payment service open for hackers to upload maliciously crafted files, capable of performing attacks on registered users of the service
More ATM "Insert Skimmer" Innovations (KrebsOnSecurity) Most of us know to keep our guard up when withdrawing cash from an ATM and to look for any signs that the machine may have been tampered with
Ashley Madison still a top lure for scammers and crooks (CSO) The Ashley Madison breach is an early Christmas for spammers and scammers
Cayman Islands — Phishing in the Caribbean? (Check & Secure) Banking in the Cayman Islands is curious to say the least… It comes as little surprise then to hear that the cyber criminals are chancing their arm, if recent phishing emails are to be believed
Stealing Data By 'Living Off The Land' (Dark Reading) Hackers' latest tactic involves a malware-free attack that uses a company's own system credentials and admin tools to gain access
Australia emerges as source for DDoS attacks (IT News) NBN connections abused for service disruption attacks
Hacker Puts Crude Poem on Hacked Electronic Signpost in France (Hack Read) If you see a crude poem on an electronic signpost, it is not the handiwork of the municipal authorities; rather, it is the work of an annoyed, attention-seeking hacker
Security Patches, Mitigations, and Software Updates
Cisco Integrated Management Controller Supervisor and Cisco UCS Director Remote File Overwrite Vulnerability (Cisco) Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director contain a remote file overwrite vulnerability that could allow an unauthenticated, remote attacker to overwrite arbitrary system files, resulting in system instability or a denial of service (DoS) condition
Google's Latest Chrome Update Emphasizes Speed And Lower Memory Usage (TechCrunch) Chrome started out as one of the least memory hungry browsers on the market, but over time, it developed a bit more of an appetite for RAM. Now, however, Google is starting to get back to basics and the latest Chrome release (version 45) focuses on making the browser faster and more efficient
Cyber Trends
New cybersecurity mantra: "If you can't protect it, don't collect it" (Brookings) In early August I attended my 11th Black Hat USA conference in sunny Las Vegas, Nevada. Black Hat is the somewhat more corporate sibling of the annual DEF CON hacker convention, which follows Black Hat. Since my first visit to both conferences in 2002, I've kept tabs on the themes expressed by computer security practitioners. This year I heard a new refrain: "If you can't protect it, don't collect it"
Is juggler your weakest link? (Banking Exchange) Multitasking, long hours result in insider slips
Hacking Victims Deserve Empathy, Not Ridicule (New York Times) Every day for nearly two weeks, Troy Hunt, an Australian Internet security expert, has opened up his computer to find a plea for help from someone on the edge
Latest security flaw to destroy all business? 'Sanity check' your cybercrime statistics (ZDNet) The difficulty telling fact from fiction in cybercrime news has been getting worse over the past few years. For decision makers, this means a "sanity check" on reported stats should be in your everyday toolkit
Children's apps and websites raise privacy concerns (Naked Security) Earlier this year the UK Information Commissioner's Office (ICO), along with 28 other data protection regulators from around the world, announced an investigation into how websites and apps — squarely aimed at children — were collecting and sharing personal information
The Kids Aren't Alright: Cyber Security and the 'Digital Natives' (Team Cymru) There seem to be two pervading extremes of opinion regarding youngsters growing up with technology. The first is that today's (and tomorrow's) children will consume code with their cornflakes, becoming an army of top-flight computer whizzes apparently by osmosis
Thailand at high risk for cyberattack (Bangkok Post) Thailand ranks ninth worldwide for web-based security threats, making it one of the most targeted countries by hackers, says Kaspersky Lab, a Moscow-based supplier of security software
Marketplace
Pwn2Own loses HP as its sponsor amid new cyberweapon restrictions (Ars Technica) Concerns about violating international arms treaty behind pull-out
The Wassenaar effect (Hindu Business Line) In December 2013, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies extended its reach to the cyber world
Retail IoT Technology Spend to Hit $2.5 Billion by 2020 (VAR Guy) By 2020, retailers will spend some $2.5 billion on Internet of Things (IoT)-related technologies such as Bluetooth-equipped beacons and radio frequency ID tags (RFID), about four times more than the $670 million expected to be spent this year
Scrutiny of Security Start-Ups May Signal Shift in Venture Funding (New York Times) A funny thing happened to Orion Hindawi while he was raising $120 million for his cybersecurity start-up last month: Investors asked him about profits
UK cloud security company CensorNet raises £2m in funding (Computer Business Review) Talis Capital led Series A funding round, with Vasile Foca appointed to CensorNet board
FireEye's Third Quarter Earnings Review (Seeking Alpha) Leading position and expanded product capabilities in the specialized advanced threat-detection analysis segment of the security market continue to drive organic growth
WatchGuard Technologies Recognized as a Visionary in Gartner's Magic Quadrant for the Unified Threat Management (UTM) Market (KCEN) WatchGuard® Technologies, a leader in integrated security platforms, today announced that it has been named a "Visionary" in Gartner's Magic Quadrant for Unified Threat Management (UTM)
Is Joe Kaeser failing at his own promise? (Die Welt) Siemens CEO Joe Kaeser promised to close the gap to arch-rival General Electric. Two years later, disillusionment reigns, as the group now has more problems than before
Trustwave 'hiring like mad,' including in Canada, after acquisition (ITWorld Canada) The finalization this week of the US$810 million purchase of security vendor Trustwave by Asian provider Singtel Telecommunications means the Chicago-based company is on an expansion binge here as well as around the world to grow its managed security services
5 Growing Cyber-Security Epicenters Around the World (Entrepreneur) The recent hack of Ashley Madison reminds us just how vulnerable society is to cyber attacks. Big companies such as Target, Home Depot, Michaels, P.F. Chang's and JP Morgan fell victim to data breaches in 2014, and the attacks have continued this year
Maryland's Most Admired CEOs: Karl Gumtow, CEO CyberPoint International, LLC (Daily Record) Karl Gumtow and his wife, Vicki, started CyberPoint International, LLC in their Baltimore condo in 2009. They had plans and, importantly, money set aside
RSA's Ex-CEO Coviello Back In The Game (Dark Reading) Art Coviello, former head of RSA Security, has returned to the security industry after retiring from RSA for health reasons
Products, Services, and Solutions
Advanced Threat Detection Buying Guide (eSecurity Planet) Advanced threat detection offers a more proactive approach to enterprise security than traditional perimeter defenses
Financial Institutions Need Cyber Insurance (Legaltech News) ABA Insurance Services has partnered with Baker Hostetler to provide legal services and insurance for banks
WhiteHat Is Guaranteeing Security (eWeek) WhiteHat Security founder Jeremiah Grossman discusses his company's security guarantee and explains why automated scanning alone is never enough
ESET Releases Next Generation of ESET® Mail Security for Microsoft Exchange Server (PRNewswire) ESET®, a global pioneer in IT security for more than two decades, today announced the release of a new generation of ESET Mail Security for Microsoft Exchange Server® with a completely redesigned user interface, enhanced anti-spam engine, and antivirus with optional cloud-powered scanning
MetaSensor Launches Sensor-1, Tiny and Powerful Security System with Machine-Learning Capabilities (IT Business Net) Available for pre-order; Company also introduces the Aletha Platform, connecting sensors and IoT wearables through an API
Reserve Bank of NZ deploys Wynyard software for risk management (ZDNet) Risk management software will support RBNZ's goal of ensuring financial system stability
Coalfire Expands Cyber Risk Advisory Services (BusinessWire) New offerings help Corporate Boards, Management and Operations Teams Identify, Protect, Detect, and Respond to Cyber Risk
Introducing PhishAlarm, Wombat's One-Click Email Reporting Button (Benzinga) On August 18, we publicly announced general availability of PhishAlarm™, a new Wombat Security behavior reinforcement tool
VMware Expands NSX Platform Security (Dark Reading) VMware is working to add network encryption as a distributed service via its network virtualization platform
G DATA joins association for the prevention of cybercrime (Online PC) The Bochum-based IT security vendor G DATA has joined the German Competence Centre against Cyber Crime e.V. (G4C), whose members include several banks
Technologies, Techniques, and Standards
Should you jailbreak an iPhone: Is jailbreaking good for an iPhone or iPad? Is jailbreaking safe? The pros and cons of iOS jailbreaking (MacWorld) After more than 225,000 jailbreakers see their data stolen by the KeyRaider breach, we examine again the pros and cons of iPhone jailbreaking. Is it safe to jailbreak an iPhone? How can you jailbreak an iPhone? We take a look at whether it's worth jailbreaking so you can install non-authorised iOS apps on your iPhone and generally customise the experience
Self-Hacking: Corporations Start Thinking Like Criminals (Security Intelligence) How do companies defend their assets against cybercriminals?
Design and Innovation
The Art Of Deception: New Class Of Security Startups Use Decoys To Disrupt A Hacker's Movement (CRN) As companies continue to get hammered by breaches, a clear gap in the effectiveness of many security portfolios becomes more evident with each attack. However, a new category of emerging security startups says it has the answer and is disrupting the threat detection space with what it calls "deception" technology
DoD's top secret smartphone expected in the fall (C4ISR & Networks) Government agencies have made significant strides in incorporating smartphones and tablets into their offices and missions, even at the Defense Department. But the caveat always has been that those devices could only be used for non-classified purposes. That's changing
Research and Development
The Subatomic Race to Harness Quantum Science (Defense One) US, China are betting millions on the promise of this newish field, but the real-world potential remains a mystery
IBM Lands Mobile Tech Security R&D Contract From DHS S&T (ExecutiveBiz) IBM's Thomas J. Watson Research Center has received a $1.3 million contract from the Department of Homeland Security's Science and Technology Directorate for research and development work on mobile technology security
Hands Off! NIST Helps Bring Contactless Fingerprint Technology to Market (NIST) Quickly moving through security checkpoints by showing your hand to a scanner seems straight out of science fiction, but the National Institute of Standards and Technology (NIST) is working with industry to bring fast, touchless fingerprint readers out of the lab and into the marketplace
How A 1200-Year-Old Hacking Technique Can Already Crack Tomorrow's Encrypted Vaults (Forbes) In the ninth century, Baghdad was not the violent epicentre of a conflict between Western and Eastern ideologies it would become once Bush and Blair sent the troops to Iraq
Academia
Northrop Grumman Conducts Cyber-Focused Activities (GovConExecutive) Northrop Grumman held several activities in the summer that aimed to promote cybersecurity careers among high school and college students
Legislation, Policy, and Regulation
Beijing Tightened Internet Controls Before Glitzy Military Parade (Foreign Policy) Chinese censors have systematically knocked out tools to evade the Great Firewall
China's Great Cannon: The Great Firewall's More Aggressive Partner (Dark Reading) Crowdstrike researchers Adam Kozy and Johannes Gilger visit Dark Reading News Desk at Black Hat to describe how China went on the offensive and extended its Internet censorship efforts beyond Chinese borders. It already hit Github, but it's poised to do so much more
Cyberwarfare key component of China's military modernization, new wide-ranging CSIS report says (FierceGovernmentIT) Cyberwarfare is emerging as a key element of the Chinese military's modernization efforts and a major concern for the nation's most senior leaders, a new report from Center for Strategic and International Studies said
Chinese Strategy and Military Modernization: A Comparative Analysis (Center for Strategic and International Studies) China's emergence as a global economic superpower, and as a major regional military power in Asia and the Pacific, has had a major impact on its relations with the United States and its neighbors
US mulls over sanctions on China and Russia for cyber attacks (Deutsche Welle) The US is weighing sanctions on individuals and firms for cyber attacks, reports say. Speculation could indeed come in handy, as it gives the White House leverage ahead of a state visit by Chinese President Xi Jinping
US to hit China hackers before Xi's Washington visit (CNBC) The White House is preparing to slap sanctions as early as next week on Chinese companies connected to the cyber theft of US intellectual property
The US government is not spending enough on cybersecurity (Business Insider) In the past 12 months, the US government has not fared well against cyberattacks, and the budget may give an insight why
5 things the FTC should do to improve data security in the wake of Wyndham (FierceITSecurity) The Federal Trade Commission recently won an enormous court victory. In FTC v. Wyndham Worldwide Corp., the 3rd U.S. Circuit Court of Appeals rejected a challenge to the FTC's power to regulate data security
Halvorsen wants to change economics of cyberspace (FCW) Defense Department CIO Terry Halvorsen on Sept. 2 called for industry help in changing the economics of cyberspace so that it is more costly for hackers to inflict damage and cheaper for the Pentagon to defend itself
Here's What OPM is Offering to Protect Hack Victims from Blackmail (Nextgov) The government is planning to invest $330 million in financial fraud protections for Office of Personnel hack victims, even though the suspected computer intruders are not thought to be in the business of ID theft
U.S. Navy chief: Cyber missions could fuel orders for Boeing EA-18G Growlers (St. Louis Post-Dispatch) The Pentagon is evaluating whether potential cyber missions could drive demand for additional Boeing Co. EA-18G electronic attack jets, or Growlers, the top Navy officer told Reuters on Thursday
Technology & Consultants Won't Save CIA. Only Humans Can. (Overt Action) I understand that a website run by former members of the Intelligence Community who are looking to support informed debate about national security policies might not be the best place to quote James Bond
Litigation, Investigation, and Law Enforcement
The Microsoft Warrant Case: A Response to Orin Kerr (Just Security) With less than a week before the Second Circuit considers the dispute between Microsoft and the government over emails stored in Ireland (an issue I have blogged about here, here, and here), I thought it worth responding to Orin Kerr's novel suggestions as to how to understand the case
Court: FTC can take action on corporate data breaches (CSO) Security experts are split about whether the FTC's oversight will help improve enterprise security
Justice Department Announces Enhanced Policy for Use of Cell-Site Simulators (US Department of Justice) Increased privacy protections and higher legal standards to be required
State Department seeks to consolidate Hillary Clinton email cases in court (Washington Times) Administration says it's 'struggling' with 32 cases
Read Hillary Clinton's Emails Here and Make Your Own Call (War on the Rocks) The State Department has released a large cache of former Secretary of State Hillary Clinton's emails, sent to and from her private email server. They can be perused here and are fully searchable
Hillary Clinton, inner circle responsible for most classified emails (Washington Times) Nearly a third of the classified messages released so far from former Secretary of State Hillary Rodham Clinton's emails came from one man: Jake Sullivan, who served as her deputy chief of staff in the department, and is now the top foreign policy adviser to her presidential campaign
Clinton 'jeopardized national security' by using private email server — Snowden (Russia Today) National Security Agency whistleblower Edward Snowden said that Hillary Clinton's use of a private email server while serving as secretary of state jeopardized national security secrets. He said Clinton's claim to the contrary "is completely ridiculous"
3 ways to get busted on the Dark Web (Naked Security) The Dark Web is a small and secretive part of the regular web that's become a haven for drug markets, paedophiles and sex traffickers
8 of the most unsettling things you'll find on the darknet (ITWorld) Catch a glimpse of what flourishes in the shadows of the Internet
Fresno teen arrested after he allegedly posts Eminem lyrics on Instagram (Ars Technica) Guns, ammunition discovered under the teen's house, but lawyer says cops went too far