Cyber Attacks, Threats, and Vulnerabilities
Cabinet ministers' email hacked by Isil spies (Telegraph) Intelligence agency investigation discovers extremists linked to the Islamic State of Iraq and the Levant (Isil) have been targeting information held by some of David Cameron's most senior ministers
Zawahiri calls for jihadist unity, encourages attacks in West (Long War Journal) Al Qaeda has released the second installment in its "Islamic Spring" series, which features Ayman al Zawahiri delivering lectures
In Dabiq magazine, Islamic State complains about jihadist rivals in Libya (Long War Journal) The latest edition of the Islamic State's English-language Dabiq magazine, which was released online on September 9, contains the usual litany of horrors
Stolen information using Corebot sold on Btcshop.cc? (Damballa: Day Before Zero Blog) We have been investigating several domains registered using the email address drake.lampado777@gmail[dot]com. IBM Security X-Force spotted the information-stealing malware named Corebot
Highmark customers' data may have been exposed in Blue Cross cyberattack (Pittsburg Tribune) Highmark Inc. insurance customers may have lost personal information to a cyber attack on a fellow Blue Cross carrier in New York, the Downtown-based insurer said Friday
TSA master luggage keys are 3D printed after photo published online (Naked Security) Deep in the bowels of the labyrinth that is the US's Transportation Security Administration (TSA), luggage trundling along on conveyor belts gets barcoded, weighed, sniffed for traces of explosives, 3D imaged, and, if it appears suspicious, opened
How Command and Control Servers Remain Resilient (TrendLabs Security Intelligence Blog) One of the ways that malware activity on a network is spotted is via the activity of their network activity
Researchers Decrypt Ashley Madison Passwords With Different Results (eWeek) Although members' names and email addresses were publicly posted, their user accounts were protected with passwords secured by a powerful hashing algorithm
Ashley Madison passwords like "thisiswrong" tap cheaters' guilt and denial (Ars Technica) New analysis of cracked passcodes shines a light into mindset of account holders
Stolen storage device leads to loss of customer bank and personal data (Naked Security) The personal details of thousands of Lloyds Bank account holders have gone missing following the suspected theft of a data storage box
Nearly 80,000 college students affected by data breach (Fox News) A data breach of a White House-recommended vendor compromised the personal information of nearly 80,000 California college students who had signed up for a mandatory online sex violence prevention course, officials revealed Tuesday
US agency in charge of power grid and nukes keeps getting breached (Naked Security) The US Department of Energy (DOE), which oversees the US power grid, nuclear arsenal and national science labs, is a prime target for cyberattackers who want to harm the United States
Phish me once, shame on you. Phish me twice… (GCN) What should we make of the most recent announcements of government "awareness campaigns" about phishing?
The Lord of the Hacktivist Rings (Help Net Security) Cyber attacks against websites have been around for about a decade
Even the FBI is worried about Internet of Things security (Network World) Amidst all the excitement about the possible benefits of the Internet of Things, a slew of warnings have been sounded by IT pros, vendors and analysts about looming security threats. Now you can add the FBI to that list of those cautioning enthusiasts
Internet of Things Poses Opportunities for Cyber Crime (Federal Bureau of Investigation) The Internet of Things (IoT) refers to any object or device which connects to the Internet to automatically send and/or receive data
Bulletin (SB15-257) Vulnerability Summary for the Week of September 7, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week
Security Patches, Mitigations, and Software Updates
Apple complicates app sideloading in iOS 9 for increased security (Help Net Security) Making things easier for users is generally a good idea, but sometimes complicating a process could lead to increased security, and should be the preferred option
Cyber Trends
The coming private cyber 'war' (FCW) The next war might not be a "war" at all
Report: The $120 trillion gap between a safe and insecure future Internet (Christian Science Monitor Passcode) The economic difference between the best and worst forecasts of the Internet could be as high as $120 trillion over the next 15 years, according to a new report from the Atlantic Council think-tank and Zurich Insurance
Experts: Consumer protections vital as Internet of Things expands (Christian Science Monitor Passcode) At Thursday's Security of Things Forum in Cambridge, Mass., experts such as FTC Commissioner Julie Brill stressed the need for makers of connected devices to do more when it comes to safeguarding consumer data
Valasek: Today's Furby Bug is Tomorrow's SCADA Vulnerability (Threatpost) Chris Valasek and Charlie Miller's car hacking research put a crunching reality on Internet of Things security, moving it beyond almost clichéd discussions of smart refrigerators leaking inconsequential data, to hackers remotely manipulating car brakes
Special Report: Car Security & the Internet of Things (Threat Brief) A special feature on car security — what's happening now in the industry and what is in store for the future?
Nearly Half of Federal Agencies Were Targets of Insider Threats in the Last Year, Despite Formal Prevention Programs (MeriTalk) New Report Examines Actions Agencies Should Take to Minimize Risk and Cyber Incident Consequence
Do conventional security measures negatively impact productivity? (Help Net Security) 91 percent of business respondents reported that their productivity is negatively impacted by security measures their employer has put in place, according to Dell
Marketplace
Vulnerability management embraces new functions (Help Net Security) Vulnerability management (VM) solution providers have always held their own in the global network security domain
Ashley Madison attack shows evolving risks (Business Insurance) Cyber exposure stakes keep escalating
Insurance requirements can drive stronger cybersecurity, Treasury official says (Washington Post) The insurance industry has a key role to play in helping U.S. companies strengthen cybersecurity, a senior Treasury Department official said Thursday
Now is the right time for agents to talk cyber insurance (Insurance and Financial Advisor) Target, Michaels, eBay, JPMorgan Chase, the New York Times, Google, Anthem, the U.S. Government… The list of high profile data breaches grows longer each day, and doesn't include the countless number of small businesses that have their data compromised in attacks we may never hear about
Why is Cybersecurity Important to Hedge Funds? (Capital Support) With cybercriminals employing ever more sophisticated methods, cybersecurity has never been more important to hedge funds and other alternative investment managers
Ten reasons threat intelligence is here to stay (Beta News) Over the past couple of years, the volume and frequency of new malware and its variants has exploded
Too much emphasis on threat intelligence sharing, Gula says (TechTarget) There's a lot of present-day talk about threat intelligence sharing and a lot of companies are introducing dozens of threat intelligence services, but there's too much emphasis on this side of the coin, according to Ron Gula, CEO of Tenable Security
The cost of EMV compliance (Help Net Security) Credit card companies are making the final call for US merchants to switch over to EMV chip technology in anticipation of the looming deadline
Intelligence Start-Up Goes Behind Enemy Lines to Get Ahead of Hackers (New York Times) On a recent Wednesday morning, 100 intelligence analysts crammed into a nondescript conference room here and dialed into a group call with 100 counterparts in Argentina, Brazil, Cyprus, India, the Netherlands, Romania, Spain, Taiwan and Ukraine
Palantir IPO: PayPal Inc's (NASDAQ:PYPL) Top Secret Spin-off May Be About to Go Public (Profit Confidential) Just months after eBay Inc. (NASDAQ:EBAY) spun off PayPal Inc. (NASDAQ:PYPL), another firm related to the payments processor is set for an initial public offering. Eighty percent of the management team at this startup worked for PayPal; including one of PayPal's founders
Argus raises $26m to protect connected cars from hackers (Start-Up Israel) Israeli cyber-security firm's embedded cyber-security solution suite for vehicles safeguards critical systems from attack
Here's Cybersecurity Accelerator Mach37's Newest Class of Startups (DCInno) Cyber data marketplaces, cloud authentication and hacker crowdsourcing startups
Palo Alto Does It Again (Seeing Alpha) Palo Alto Networks showed once again why it is rightfully trading at such high valuation multiples
This One Stock Is Winning the Global Cybersecurity War (The Street) Cybersecurity firm Palo Alto Networks (PANW) is cashing in on the data center security market at the expense [of] industry titans such as Cisco Systems (CSCO) and Check Point Software (CHKP)
3 Challenges the Internet of Things Is Facing That Few Investors Realize (Motley Fool) Every silver lining must have a cloud. What's holding the Internet of Things back from instant triumph?
Sevatec to Support NOAA Cybersecurity Center Under Sole-Source Contract (GovConWire) Sevatec will provide support to the National Oceanic and Atmospheric Administration Cyber Security Center under a $9.9 million sole-source contract from the Commerce Department
Products, Services, and Solutions
Invizbox Go aims to make mobile privacy painless over any Wi-Fi (Ars Technica) Mobile VPN and Tor router can tether to public Wi-Fi — and charge your phone
Symantec Outlines Future of Managed Security Services (MSPmentor) Symantec's upcoming security broker software will make use of advanced analytics, machine learning software and telematics technologies
Seyfarth Shaw Assembles Global Privacy and Cybersecurity Team (Legaltech News) The group of 35 lawyers will help guide clients through the increasingly complex maze of laws and enforcement actions related to data privacy and security
LUCY Phishing Server Lets You Phish Yourself to Defeat Hackers (PRNewswire) New features expose your organization's weakest security links
Technologies, Techniques, and Standards
DHS awards $11M to set cyber-sharing standards (The Hill) The Department of Homeland Security on Thursday awarded an $11 million grant to the University of Texas at San Antonio to serve as the standards-setting body for new cyber information-sharing groups
US-CERT's do's-and-don'ts for after the cyber hack (Federal News Radio) Too often, agencies are erasing key forensic evidence after a cyber attack
3 Critical yet Unaddressed Information Security Challenges in a New Enterprise (IT Security Guru) Defending a newly established enterprise from high-profile security breaches and potential loopholes is one of the major IT challenges that most of the businesses face today
The Truth About DLP & SIEM: It's A Process Not A Product (Dark Reading) If you know what data is critical to your organization and what activities are abnormal, data loss prevention and security information event management work pretty well. But that's not usually the case
Five ways CIOs tackle hybrid cloud security (TechTarget) The traditional moat model is disappearing as companies embrace hybrid cloud strategies from microsegmentation to perimeter controls
How to detect credit card theft in the early moments (CSO) A single email helped avoid serious losses
Are you prepared for a cyber attack? (Property Casualty 360) Regulatory issues affect insurance companies after a data breach
Four Non-Technical Measures for Mitigating Insidious Insiders (Dark Matters) Even the best technology will be useless if the non-technical basics aren't correct. Can threats from insiders be proactively mitigated with non-technical measures? The short answer is "yes and no"
The Two Most Valuable Pieces of Information You're Likely Throwing Away (SecurityWeek) With enough data, any problem can be understood. Solving it is another matter
As iPhone 6S Launches, Time to Remember Some Mobile Security Basics (Trend Micro: Simply Security) If you've been hiding on Mars for the past week, you might have missed that Apple has just launched its latest iPhone
Design and Innovation
Vint Cerf Wants Your Help Re-Imagining The Internet (InformationWeek) Vint Cerf, recognized as one of the fathers of the Internet, is using social media to generate new ideas about how the Web should evolve
Here Is How To Address Car Hacking Threats (TechCrunch) When you connect a car to the Internet, it is no longer just a car: It is a computer on wheels
Research and Development
Southampton study identifies anti-hacking techniques for Internet of things devices. (Engineer) Researchers at Southampton University have identified a number of techniques that could be used to help make internet-connected devices safer from online attacks
Near-Perfect Computer Security May Be Surprisingly Close (Wired) In July 2013 a pair of studies set the cryptography world on fire
Academia
Cadets get cyber training (Air Force Times) Cyber skills are an increasing part of the Air Force Academy's curriculum, said Superintendent Lt. Gen. Michelle Johnson
Legislation, Policy, and Regulation
China, US gradually move to manage cyber dispute (China Daily) While cybersecurity has been a thorny issue between China and the United States in the last few years, there are signs in the past days that both sides do not want it to spill into the overall bilateral relationship and impact negatively on the upcoming state visit to the US by President Xi Jinping
US and Chinese officials finished meetings on cyber security issues. Here's what they came up with (Reuters via Business Insider) Senior U.S. and Chinese officials concluded four days of meetings on Saturday on cyber security and other issues, ahead of Chinese President Xi Jinping's visit to Washington later this month, the White House said
Obama: China cyber attacks 'unacceptable' (BBC) US President Barack Obama has said that alleged Chinese cyber attacks are "not acceptable", ahead of a visit from Chinese leader Xi Jinping
Murder, Money, and Spies: An Investigative Series on the Chinese Military's For-Profit Ventures (Epoch Times) For more than two years, Epoch Times has been investigating the shadowy organizations behind the Chinese regime’s cyberattacks
Statement for the Record: Worldwide Cyber Threats (James R. Clapper Director of National Intelligence September 10, 2015) (House Permanent Select Committee on Intelligence) Chairman Nunes, Ranking Member Schiff, Members of the Committee, thank you for the invitation to offer this Statement for the Record
U.S. policies have influenced Iranian, North Korean behavior in cyberspace (Washington Examiner) In a Sept. 10 appearance that amounted to a "state of cybersecurity" presentation to the House Intelligence Committee, leaders of the government's intelligence agencies detailed the threat environment facing the nation in cyberspace
Intel chiefs draw distinction between digital espionage and malicious hacks (Christian Science Monitor Passcode) At a Congressional hearing Thursday, officials stressed the need to develop clearer international norms to determine what's a tolerable amount cyberspying and what's unacceptable
Tipping point imminent for cyber sharing legislation (Federal News Radio) A "tipping point" is coming regarding the need for legislation that will let the government and industry share information on cyber attacks, said House Intelligence Committee chairman Devin Nunes
Cybersecurity Information Sharing Act has 'significant problems' (Tech Target) A new version of the Cybersecurity Information Sharing Act is scheduled to go in front of the Senate this fall, but one expert said the bill has 'significant problems'
OMB readies next phase of cyber sprint plan (FCW) Federal CIO Tony Scott said the Cybersecurity Sprint Strategy and Implementation Plan would likely be unveiled next month
Cyberattacks: The Danger, the Cost, the Retaliation (GovTech DigitalCommunities) How do we get better cybersecurity technologies out quickly while having enough personnel to rapidly respond to the ever-changing exploits?
Where Next for Government Cybersecurity? (Emergency Management) On the 14th anniversary of 9/11/01, there are plenty of reasons to be thankful regarding public safety in America. And yet, there is also a growing list of cyber threats that are grabbing news headlines. We talked with Dr. Andy Ozment, the U.S. Department of Homeland Security (DHS) Assistant Secretary, who is the new point person for the National Cybersecurity and Communications Integration Center (NCCIC)
Hire (Some of) the Hackers (Slate) The U.S. government needs cybersecurity experts who have thought like intruders
63% in favor of encryption backdoors to respond to national security threats (Help Net Security) Vormetric did a survey on how Americans view "backdoor" access by government entities to the encrypted data of private businesses. Ninety-one percent recognized that there were risks to encryption backdoors, but also felt that it is justified in some circumstances
Litigation, Investigation, and Law Enforcement
Extent Of U.K.'s Surveillance Dragnet Probed In Fresh Legal Challenge (TechCrunch) A new legal challenge to U.K. intelligence agency surveillance practices has been filed in the U.K. by human rights organization Human Rights Watch and three unnamed individuals working in security research, investigative journalism and law
Prepare for the inevitable: Post-data breach class actions (Business Insurance) Lightning may not strike twice in the same place, but the same cannot be said of class action lawsuits
A Bizarre Twist in the Debate Over Vulnerability Disclosures (Wired) The ongoing battle between researchers and vendors over the public disclosure of security vulnerabilities in vendor products took a bizarre turn yesterday in a new case involving two security firms, FireEye and ERNW
FireEye legally censors crucial parts of a researcher's talk at 44CON (Help Net Security) Felix Wilhelm, a researcher with German security firm ERNW, was scheduled to give a talk at 44CON on Thursday about the critical vulnerabilities he and his colleagues found in a FireEye NX device running the webMPS operating system
Installation of Tor Relay in Library Attracts DHS Attention (Threatpost) The Tor Project recently started a program to help libraries install Tor relays as a way to protect the privacy of patrons and other Internet users. The program didn't get too far, however, as the first library to install a relay had to turn it off after town police officials were contacted by Department of Homeland Security agents
Dept. of Justice shutters Sharebeast, the largest US-based filesharing service (Ars Technica) Sharebeast.com tried to host Kanye West album leaks and the 2014 World Cup
Tracking a Bluetooth Skimmer Gang in Mexico (KrebsOnSecurity) Halfway down the southbound four-lane highway from Cancun to the ancient ruins in Tulum, traffic inexplicably slowed to a halt
Founder of collapsed Bitcoin exchange Mt. Gox arrested, charged again (Naked Security) Mt. Gox was once the world's biggest Bitcoin exchange
Area Man Pleads Guilty to Cyber Attack on the St. Louis County Police Union Website (Federal Bureau of Investigation, St. Louis Division) Justin Payne pled guilty to destroying the St. Louis County Police Association website through a distributed denial of service attack