Cyber Attacks, Threats, and Vulnerabilities
NSA Chief Says Cyberattack at Pentagon Was Sophisticated, Persistent (Wall Street Journal) Breach of Joint Staff's unclassified network evolved from failed attack a week before
Russian Spy Gang Hijacks Satellite Links to Steal Data (Wired) If you're a state-sponsored hacker siphoning data from targeted computers, the last thing you want is for someone to locate your command-and-control server and shut it down, halting your ability to communicate with infected machines and steal data
Turla APT Group Abusing Satellite Internet Links (Threatpost) Poorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla APT group, to hide command-and-control operations, researchers at Kaspersky Lab said today
Shadow Force Uses DLL Hijacking, Targets South Korean Company (TrendLabs Security Intelligence Blog) What sort of interest would a businessman have in a news agency?
Cyber-Extortionists Targeting the Financial Sector Are Demanding Bitcoin Ransoms (BloombergBusiness) 'DD4BC' is is carrying out a string of attacks. Should companies cough up?
Vulnerability Spotlight: Microsoft Windows CDD Font Parsing Kernel Memory Corruption (Cisco Blogs) Talos, in conjunction with Microsoft's security advisory issued on September 8th, is disclosing the discovery of a memory corruption vulnerability within the Microsoft Windows CDD Font Parsing Kernel Driver
Vulnerabilities in WhatsApp Web affect 200 million users globally (Help Net Security) Significant vulnerabilities can exploit WhatsApp Web, the web-based extension of the popular WhatsApp application for phones
Carbanak APT still targeting high-value financial institutions and casinos (Help Net Security) The Anunak / Carbanak hacking group continues to target banks, but has also now hitting Forex-trading companies, casinos, and other institutions from which it can steal large amounts of money or (mis)usable payment card information
Carbanak returns (CSIS) Just recently, CSIS carried out a forensic analysis involving a Microsoft Windows client that was compromised in an attempt to conduct fraudulent online banking transactions
Android Malware Secretly Subscribes Victims to Premium SMS Services (Softpedia) The Android.Trojan.MKero.A malware is making a comeback in Androidland, and this time around, hackers found a method to bundle it with legitimate apps, capable of bypassing Google's Bouncer app scanning system
Android ransomware masquerades as Adult Player app, takes photo of victim (Help Net Security) A new mobile ransomware variant uses a clever new technique to push affected users to pay the asked-for ransom: it takes a photo of the user with the phone's front-facing camera, and inserts that photo in the ransom message
Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit (SecureList) Exploit kit creators have been inventing increasingly interesting methods of masking their exploits, shellcodes, and payloads so that it is harder for analysts to define the type of the exploit and know what actions they may perform
TLS Implementations Vulnerable to RSA Key Leaks (Threatpost) A number of TLS software implementations contain vulnerabilities that allow hackers with minimal computational expense to learn RSA keys
Researchers respond to developer's accusation that they used crypto wrong (Ars Technica) Microsoft research team points to CryptDB developers' own paper as proof
Facebook Phishing — How to recognise the Bait (Check & Secure) Phishing belongs among the biggest dangers on the internet
Could a Smartphone Camera Pierce Your Bank's Cybersecurity? (American Banker) Financial institutions today spend hundreds of millions of dollars and dedicate hundreds of employees to combatting cybercrime
Duo Security Research Reveals Half of Apple iPhones on Corporate Networks Run Out-of-Date Versions of iOS (Marketwired via Digital Journal) Duo Security, a cloud-based access security provider protecting the world's largest and fastest growing companies, today announced results from a Duo Labs research study focusing on mobile devices on corporate networks
Secunia Report: Vulnerability Update for May-July 2015 out now — comments from Research on Stagefright, Avant and yearly trends (PRNewswire) Secunia, a leading provider of IT security solutions that enable management and control of vulnerability threats, today published a Vulnerability Update with the Top 20 vulnerable products for May, June and July
Security Patches, Mitigations, and Software Updates
Microsoft Security Bulletin Summary for September 2015 (Microsoft SecurityTech Center) This bulletin summary lists security bulletins released for September 2015
Microsoft Pushes a Dozen Security Updates (KrebsOnSecurity) Microsoft today released a dozen security updates for computers running supported versions of its Windows operating system
Windows Media Center Hacking Team Bug Fixed in September 2015 Patch Tuesday (TrendLabs Security Intelligence Blog) This month's Patch Tuesday features 12 updates, with five rated as "critical" and seven as "important"
Security update available for Adobe Shockwave Player (Adobe Security Bulletin) Adobe has released a security update for Adobe Shockwave Player. This update addresses critical vulnerabilities that could potentially allow an attacker to take control of the affected system
Kaspersky rushes emergency patch for critical security flaw in its antivirus software (FierceITSecurity) Anti-virus software provider Kaspersky Lab has been featured in the news lately over allegations that it planted fake malware reports to make its rivals look bad. Now comes word that Kaspersky's antivirus software had critical vulnerabilities, vulnerabilities for which it pushed an emergency patch on Sunday
WhatsApp fixes security vulnerability (ComputerWeekly) Security researchers have praised Facebook's WhatsApp cross-platform messenger service for its quick response to a vulnerability disclosure
Cyber Trends
Our insecure Internet of Things is becoming terrifying (ExtremeTech) Several recent stories in the news have focused on terrifying vulnerabilities in specific pieces of internet-connected technology
The Hacked Data Broker? Be Very Afraid (Wall Street Journal) Potential data breaches would make Ashley Madison break-in pale by comparison
Think your security strategy is up to par? Think again! (CSO) The writing on the wall suggests that our strategies are based upon an outdated understanding of how people, processes, and technology work together to protect our organizations
Marketplace
Cyberattacks Cost Businesses $400 Billion a Year (Inc.) A new report also finds that companies will spend $170 billion on cybersecurity measures in 2020
Online Security A Major Issue For Fundraisers (NonProfit Times) Cyber security has become a leading cause for concern among managers at nonprofit organizations
Digital age comes with cyber risk (East African Business Week) In a world where computers are critical to many aspects of doing business, a new set of risks must be managed
Israel is number two in cybersecurity behind the U.S. (CSO) For such a tiny nation, Israel is big into cybersecurity
Cybersecurity Firm's Strategy Raises Eyebrows (Wall Street Journal) FireEye's plan to reverse losses includes getting close to federal agencies
Ex-Intel security chief says cyber firm ForeScout not ready for IPO just yet (Reuters) Fast-growing Israeli-U.S. cybersecurity firm ForeScout Technologies is set on listing on Wall Street, but may not be ready to launch an IPO in the next year, especially if financial markets remain volatile, its chief executive said
Hillstone Networks Recognized in the Gartner 2015 Magic Quadrant for Unified Threat Management (MarketWatch) Hillstone Networks, a leading provider of enterprise network firewall solutions, today announced that the company has maintained, for a second year, its position in the Magic Quadrant for Unified Threat Management by Gartner, Inc
FireEye names former Informatica finance chief its new CFO (Seeking Alpha) Michael Berry, formerly the CFO of data warehousing software firm Informatica, has been named FireEye's (NASDAQ:FEYE) new CFO
Sotera Names John Pitsenberger as Executive Vice President & Chief Financial Officer (PRNewswire) Sotera Defense Solutions (Sotera), a provider of mission-critical, technology-based systems, solutions and services for national security agencies and programs of the U.S. Government announced today that John C. Pitsenberger has been named Executive Vice President and Chief Financial Officer
Products, Services, and Solutions
HP, IBM, Veracode and WhiteHat Security are leading app-security testing vendors, says Gartner (FierceITSecurity) A number of recent high-profile data breaches have raised concerns among IT security professionals about vulnerabilities in the enterprise application layer
Fortinet Unveils Industry-Leading Security Framework and Partner Ecosystem Designed to Protect Cloud and SDN Data Center Environments (CNN Money) Partners Including HP, Ixia, PLUMgrid, Pluribus Networks, Extreme Networks and NTT Collaborate With Fortinet to Advance SDN Security
LogicNow partners Bitdefender on anti-virus service (Telecompaper) LogicNow announced a partnership with security software provider Bitdefender. Together they will develop a new managed anti-virus service for managed service providers
Technologies, Techniques, and Standards
Cloud Security Alliance touts data breach sharing scheme (Whatech) The US-based Cloud Security Alliance is proposing to set up a scheme that will enable organisations to anonymously report data breaches, in the interests of enabling others to take steps to prevent them becoming victims of similar attacks
How to be a successful CISO without a 'real' cybersecurity budget (CSO) Many new CISOs are stepping into the role for the first time in a company and no formal budget exists
Back To Basics: 10 Security Best Practices (Dark Reading) The most effective strategy for keeping organizations, users and customers safe is to focus on the fundamentals
A 4-Step Information Governance Program for Legal Hoarders (Legaltech News) It's time to shrink risk-laden e-discovery stockpiles
6 ways to become more resilient to cyber-security threats (CGMA Magazine) Large banks have fairly strong cyber-security controls in place, but cyber-criminals are changing their strategy and the financial sector remains difficult to secure against cyber-attacks, according to a special report by Thomson Reuters' risk management business
The Cost of Malware Containment (Information Security Buzz) The volume and severity of threats is increasing every year, which means that it's more important than ever to detect active infections swiftly
Design and Innovation
It's time to start thinking about securing the Internet of Things: Dell (IT Business) Dell sees great potential in the Internet of Things for the line of business worker but adds it's never too early to start thinking about how to keep all of those things secure
The shift to DevOps requires a new approach to security (Network World) DevOps has been a popular topic in IT circles over the past few years
ZTE's Axon Elite Smartphone Can Be Unlocked Using Your Eyes, Voice and Fingerprints (Huffington Post) The Axon Elite is the world's first smartphone that can be unlocked using just your eyes
How talking to recognition technologies will change us (Help Net Security) Ernest Hemmingway once said, "I have learned a great deal from listening carefully. Most people never listen"
Back to the Future: Adam Back Remembers the Cypherpunk Revolution and the Origins of Bitcoin (Bitcoin Magazine) Bitcoin Knowledge Podcast host Trace Mayer interviewed legendary cryptographer Adam Back on his role in the creation and deployment of some of the most potent privacy software to ever affect the world of Bitcoin
Research and Development
A Tricky Path to Quantum-Safe Encryption (Quanta Magazine) In the drive to safeguard data from future quantum computers, cryptographers have stumbled upon a thin red line between security and efficiency
Online security braces for quantum revolution (Nature) Encryption fix begins in preparation for arrival of futuristic computers
Legislation, Policy, and Regulation
Senate Intel chair: Cyber bill not likely until October (The Hill) The Senate's stalled cybersecurity bill will likely have to wait until at least October, Senate Intelligence Chairman Richard Burr (R-N.C.) told The Hill on Tuesday
Proposed federal cybersecurity legislation (Inside Counsel) Changes are on the horizon in the privacy and data security area
Protecting Critical Infrastructure: Should The US Emulate New German Regulations? (HS Today) In August 2014, France's Network & Information Security Agency (ANSSI) publically unveiled plans to "make its critical infrastructure more resilient to cyber attacks"
U.S. Cyber Command Chief Details Plans to Meet Cyberspace Threats (DoD News) The commander of U.S. Cyber Command has stressed the need for the command to integrate its capabilities into all aspects of the national security effort, and today Navy Adm. Michael S. Rogers released the Cybercom vision statement, describing how the command will do just that
U.S. Senator Says Nation Is 'On Point' with Cybersecurity (Government Technology) Although recent cyberattacks have affected U.S. agencies, one Congressman believes that the Army Cyber Command is completely prepared to take on any future hacks
Anti-Virus Software Maker John McAfee Is Running for President (Time) His candidacy will focus on privacy rights
California assembly passes digital privacy bill (CSO) The bill aims to prevent warrantless government access to private electronic communications
Terry McAuliffe Directs Virginia IT Agency to Expand Cyber Risk Mgmt Activities (ExecutiveGov) Virginia Gov. Terry McAuliffe has issued an executive directive to expand the state's cyber-related risk management activities in support of efforts to strengthen cybersecurity measures
Litigation, Investigation, and Law Enforcement
U.S. Poised to Indict China's Hackers for Cyber Blitz (Daily Beast) After months of passivity, the Obama administration is on the cusp of bringing criminal charges against Chinese cyberspies in retaliation for wreaking havoc on U.S. networks
Apple Refuses To Honor Court Order To Decrypt Text Messages (Think Progress) iPhone owners beware: The government is coming for your text messages
Ashley Madison victims sue Amazon Web Services, GoDaddy for hosting searchable databases (FierceITSecurity) Some customers affected by the massive data breach of the Ashley Madison website are filing lawsuits against Amazon Web Services, GoDaddy and a number of other websites that hosted searchable databases of customer information
Clinton Says She's 'Sorry' for Using Private Email Server (Time) "That was a mistake. I'm sorry about that. I take responsibility, and I'm trying to be as transparent as I possibly can"