Cyber Attacks, Threats, and Vulnerabilities
ISIS Brutality Rooted in an Apocalyptic Vision (USNI News) The extreme radical beliefs and brutal actions that caused al Qaeda in Iraq to fail earlier remain the heart of the success of today's Islamic State in Iraq and Syria (ISIS or ISIL), all because the political context of a decade ago and today have changed, a leading scholar on Islamic terrorism said Monday
Number of XcodeGhost-infected iOS apps rises (Help Net Security) As the list of apps infected with the XcodeGhost malware keeps expanding
More genuine iPhone apps may still be infected with malware following massive App Store hack (BGR) Cunning hackers from China managed to sneak malware into what's generally thought of as an impenetrable target, Apple's App Store
Reactions to the XcodeGhost malware infecting iOS apps (Help Net Security) Unknown malware pushers have managed to trick Apple into offering for download from the company's official App Store a considerable number of malicious apps
Android trojan drops in, despite Google's Bouncer (We Live Security) We at ESET recently discovered an interesting stealth attack on Android users, an app that is a regular game but with one interesting addition: the application was bundled with another application with the name systemdata or resourcea and that's certainly a bit fishy
Run, Jump, Shoot, Infect: Trojanized Games Invade Google Play (Dark Reading) ESET Researchers find Trojan Mapin bundled with games that look like popular titles such as Plants vs. Zombies and Candy Crush
Cyber crims up the ante with Google Play brainteaser malware (Register) Intelligence-testing app attack shows it isn't just dumb people who get caught
Android SMS Trojans evolve, go after bank and payment system accounts (Help Net Security) Once upon a time cyber crooks used SMS Trojans to earn themselves money by subscribing users to unwanted premium mobile services
SAP Afaria vulnerability: One SMS to wipe and lock 130m+ mobile devices of enterprises (ERPScan) Dmitry Chastuchin, director of research at ERPScan, presented details of critical vulnerabilities in SAP Afaria (Mobile Device Management solution) at the HackerHalted security conference in Atlanta
Danish Post Office Now Delivers Ransomware, Sort Of (Softpedia) Heimdal Security is reporting on a new email campaign that poses as the Danish post office, luring users into accessing a website where they're infected with the Cryptolocker 2 ransomware
Data breach puts millions in B.C. at risk, say security experts (Vancouver Sun) Education Ministry improperly stored student data on a hard drive, failed to encrypt it, then lost it
The Darknet is Thriving & Diversifying with Cybercrime-as-a-Service (Damballa: the Day Before Zero) Just like legitimate web commerce, the dark side of the web has become a place where you can find nearly anything, no matter how much of a niche
Security Patches, Mitigations, and Software Updates
Mozilla Releases Security Updates for Firefox (US-CERT) The Mozilla Foundation has released security updates to address critical vulnerabilities in Firefox and Firefox ESR. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system
Starbucks stays schtum, after patching critical website vulnerabilities (Graham Cluley) Starbucks has patched three critical vulnerabilities on its website, but it still hasn't responded to the security researcher who first found the bugs
Cyber Trends
National Cyber Security Hall of Fame Announces 2015 Inductees (National Cyber Security Hall of Fame) The National Cyber Security Hall of Fame has released the names of five innovators who will be inducted into the Hall of Fame at its award ceremony on Thursday, October 29, at the Four Seasons Hotel in Baltimore, Maryland
Insurance and education should be weapons in fight against cyber-crime (Banking Technology) The majority of businesses do not have cyber security insurance, with many not even aware such protection exists — and even those that do have insurance in place may find themselves at a loss if they don't have the correct cover
Still no correlation of cyber vulnerabilities to ICS reliability and safety impacts — VW testing is an example (Control Global: Unfettered Blog) Many people wonder why there is still such a gulf between the IT and ICS communities about ICS cyber security
How Engineers at West Virginia University Caught VW Cheating (IEEE Spectrum) Volkswagen, which had just become the biggest-selling auto maker in the world, has been nabbed committing perhaps the biggest corporate cybercrime of all time
Top 3 Reasons for the Increase in Data Breaches (Information Security Buzz) The past few years have seen a steady increase in major hacking incidents, with high-profile breaches at corporations like Target, Sony Pictures and Home Depot as well as the US government making headlines worldwide
Follow the Data: Dissecting Data Breaches and Debunking the Myths (TrendLabs Security Intelligence Blog) Data breaches are daily news items. Reports of data breaches affecting governments, hospitals, universities, financial institutions, retailers, and recently an extra-marital affairs site, dominate the news with increasing frequency
3 out of 4 Consumers Will Leave your Websites Because of Security Concerns (Infosec Island) As part of the ongoing battle for eyeballs, marketing departments implement tracking technologies that encroach on customer privacy, while digital assets are cobbled together from third-party technology to accelerate time-to-market
Cybersecurity Rating Firm Finds Energy and Utilities Industry Performance Concerning (Power) Researchers looking at "quantifiable differences in security performance" across industries from August 1, 2014, to August 1, 2015, found "challenging performance trends" in the critical energy and utilities sector
KPMG: Detection Tools, Readiness Among Cyber Vulnerabilities for Healthcare Firms (ExecutiveBiz) KPMG has found that 81 percent of healthcare organizations that were part of its recent cybersecurity survey have been compromised by at least one cyber attack in the past two years
BYOD Security Policies May Be Too Invasive for Providers (mHealth Intelligence) BYOD programs have brought to users many benefits, including easier access to patient information and increased mobility throughout a healthcare facility
The UK IS better than Europe, FACT! (at implementing cybersecurity measures) (Register) Code that, Delors!
India ranks first among Asian nations in taking proactive steps to secure devices, ESET study reveals (News Patrolling) Over 38 percent of users across Asia engage in risky behavior online, despite knowing the danger. India ranked most proactive nation in Asia in terms of taking steps to secure devices from cyber attacks. Malaysia takes the lead as the most cyber-savvy nation in the region, Indonesia ranked last
Marketplace
Palo Alto Networks Continues To Impress (Seeking Alpha) Palo Alto Networks recorded yet another stellar quarter, beating growth expectations on many fronts
CloudFlare raises $110M as Microsoft, Google, Qualcomm embrace cyber security startup (GeekWire) CloudFlare brought on some impressive strategic investors today, announcing a $110 million funding round that included participation from tech giants like Microsoft, Google, Qualcomm and Baidu, the Chinese search engine giant
Farmer family leads $10M investment in Cincinnati cybersecurity company (Cincinnati Business Courier) The family of Cintas Corp. founder Richard Farmer led a $10 million investment in a Cincinnati-area cybersecurity startup
Can Lockheed spur interest in DHS's cyber services program? (Federal Times) The Department of Homeland Security added contracting giant Lockheed Martin to its list of commercial providers authorized to sell services using cyber threat information
CACI Receives $102M SEC Litigation, Computer Forensics Contract (GovConWire) CACI International (NYSE: CACI) has received a five-year, $102 million contract to perform litigation support and computer forensics services for the Securities and Exchange Commission
Splunk leverages its Caspida acquisition with new security offerings (NetworkWorld) It's always interesting to check back in after a corporate acquisition
Former AVG investors build cyber security fund to chase growth (Reuters) A group of former executives and investors from antivirus software maker AVG Technologies (AVG.N) is raising a $125 million fund to tap into opportunities in the booming cyber security sector, a founding partner in the fund said
$1M Offered for iOS 9 Exploit: Damballa's prediction comes true (Damballa: the Day Before Zero) A few days ago, a mainstream media channel asked the Damballa Threat Discovery Center our opinion about the newest and biggest cyber threats facing US business and law enforcement. We responded that the business of Zero Day exploits is on the rise
Deborah Golden Named Deloitte Federal Cyber Risk Services Lead (GovConWire) Deborah Golden, formerly principal at Deloitte, has been appointed as lead of the company's federal cyber risk services
CrowdStrike Expands Executive Team to Support Explosive Market Demand and Expand Global Presence (MarketWatch) Company appoints Burt Podbere as Chief Financial Officer and Liza Cuevas as Vice President of People
Fortinet Nabs Marketing Exec Holly Rollo From FireEye For Its CMO Spot (CRN) Fortinet has hired away marketing executive Holly Rollo from FireEye, adding Rollo as its new chief marketing officer
Products, Services, and Solutions
Webroot and Lynx Partner to Protect Connected IoT Devices from Targeted Attacks (Webroot) BrightCloud® Threat Intelligence and LynxSecure virtualization platform integration delivers advanced threat detection and protection in real time
KoolSpan Launches Free Trustcall Service Promotion for Samsung Galaxy Users (KoolSpan) 30 day free trial of TrustCall Encrypted Wireless Calling and Messaging now available to Samsung Mobile customers
Tenable Network Security Wins Frost & Sullivan 2015 Technology Innovation Award for SecurityCenter Continuous View (BusinessWire) Tenable's continuous network monitoring recognized for excellence in technology innovation by leading global analyst firm
HackerOne launches free Vulnerability Coordination Maturity Model tool (CSO) HackerOne is in the business of vulnerability disclosure and bug bounty programs — helping customers to implement solid strategies for communicating and resolving vulnerabilities effectively
Prelert V4 Goes Beyond Anomaly Detection with Behavioral Analytics that Tell the Stories Hidden in IT Security and Operations Data (BusinessWire) Prelert, the leading provider of behavioral analytics for IT security and operations teams, today announced V4 of its Anomaly Detective application
Neovera Announces Enhanced Cyber Security Monitoring Services (BusinessWire) Reston, VA based MSP, Neovera, adds continuous, comprehensive monitoring services to Cyber Security portfolio
Digital Shadows Finds Security Intelligence in the Shadows (eWeek) Security intelligence is a hot buzzword in the modern IT marketplace, but it's a term that means different things, depending on the vendor and the context
Fortinet joins forces with Splunk (ARN) Alliance to deliver security intelligence, visibility and protection
ThreatStream Announces Threat Intelligence Splunk App and Expands Breadth and Depth of Integrations (MarketWatch) ThreatStream®, the pioneer of an enterprise-class threat intelligence platform, today announced the ThreatStream Splunk App as well as new integrations with leading security solutions
Technologies, Techniques, and Standards
Security experts: Cyber sharing isn't enough (Computerworld) It's a helpful tool, but more holistic methods could do more to fend off attacks
Smart devices to get security tune-up (BBC News) Hi-tech firms are banding together to make sure "internet of things" smart devices are safe to use
Breach Response: The New Security Mandate (InfoRiskToday) RSA's Shahani on why quick anomaly detection is key
Overcoming Mobile Insecurity (InfoRiskToday) Gartner's Girard on how to tackle common mobility challenges
The Common Core Of Application Security (Dark Reading) Why you will never succeed by teaching to the test
Why It's Insane To Trust Static Analysis (Dark Reading) If you care about achieving application security at scale, then your highest priority should be to move to tools that empower everyone, not just security experts
TLS Everywhere: Upgrade Insecure Requests Header (Internet Storm Center) TLS (I still have to get used to saying TLS instead of SSL) everywhere is a goal many sites attempt to achieve
Design and Innovation
From Hacker to IoT Security Hero? Red Balloon Floats New Solution (Enterprise Tech) The same person who once hacked HP printers and other telecommunications products to demonstrate the vulnerability of embedded devices has now developed a platform-independent real-time host-based intrusion defense system designed to secure all embedded products, regardless of vendor or operating system
Art Meets Cryptography And Bitcoin's Blockchain (Brave New Coin) Cryptography dates back to the beginning of written language, and is derived from the Greek words kryptós, which means "hidden" or "secret"; and graphein, "writing"
Research and Development
Bank of America files patent for cryptocurrency wire transfer system (FierceFinanceIT) Bank of America has filed a patent for a cryptocurrency wire transfer system
US Navy develops new system to defend against internet attacks (Graham Cluley) In the wake of the widely-reported hacking that has taken place on just about everything that moves, the United States Navy has announced that it is developing a system to protect its fleet from internet attacks
Academia
Webroot Survey: 1 in 4 Moms Report Their College Student Lacks a PC Security Solution (Webroot) Webroot, the market leader in intelligent cybersecurity for endpoints and collective threat intelligence, today announced the results of its survey on moms' perceptions about their college student's online safety
Legislation, Policy, and Regulation
Chinese president emphasizes cybersecurity during Seattle visit (Los Angeles Times) In a policy address peppered with Hollywood allusions and assurances of China's economic health, President Xi Jinping pledged Tuesday that his country would protect the rights of foreign investors and vowed that the nation would "never close its open door to the world"
Xi: 'China is ready' for cyber crime dialogue (The Hill) Chinese President Xi Jinping is prepared to start a "high-level" cybersecurity dialogue with the United States
On U.S. visit, China's president seeks to reassure on trade, security (Reuters) Chinese President Xi Jinping, facing a skeptical audience on the first day of a week-long U.S. visit, sought to reassure business and government officials on Tuesday over a long list of irritants, from economic reform to cyber attacks, human rights and commercial theft
White House: No Cyber Attack Pact with China, For Now (Defense One) The Chinese president's visit to Washington will highlight how far apart the two nations are on cyber issues
National Security Advisor Susan E. Rice's As Prepared Remarks on the U.S.-China Relationship at George Washington University (The White House) Good morning everyone. Thank you, President Knapp, for that kind introduction, and thank you to everyone at GW for hosting me
Conflict Flavors Obama's Meeting With Chinese Leader (New York Times) For the past two years, the critical question confronting the Obama administration about Xi Jinping, the Chinese president who defied American predictions by challenging the United States' superpower status early and directly, has been how forcefully to respond
US, China appear close on cyber economic espionage deal (IDG via CSO) With China's president due in Washington, both countries have expressed a desire to stop cyber espionage for economic gain
For China and the U.S., Cyber Governance Is Better Than Cyberwar (Huffington Post) Before setting foot in Washington and New York, Chinese President Xi Jinping, on his first state visit to the United States, is holding court in Seattle
Does China's government hack US companies to steal secrets? (BBC) On Monday this week, a US national security adviser warned China that the hacking must stop and said it put an "enormous strain" on the relationship between the two nations
Federal CISOs Propose New Efforts to Shore Up Cybersecurity (Threatpost) Nearly six months removed from the OPM hack and with many government departments still reeling when it comes to security, several federal chief information security officers volunteered a handful of new ideas at last week's Billington Cybersecurity Summit in Washington, D.C., to combat future hacks and improve overall security in the private sector
Cyber chiefs talk security after OPM hack (Federal Times) In the wake of the OPM hack, the federal government is rethinking cybersecurity and how to apply it to digital operations
CSOs aren't waiting for cyber sharing legislation (CSO) Security executives say the sharing of threat information is useful — and they're already doing it. Legislating it, some say, could get in the way
NGA heightens cyber security by mapping mountain of data (Belleville News-Democrat) The world is a complicated place
The Pentagon's Next Unclassified Email System May Live in the Cloud (Defense One) The Defense Department's IT agency is asking industry about setting up a new email system for its 1.6 million users
The Internet of Things, smart cities and what both mean to DHS (Federal Times) Last week both the FBI and the Department of Homeland Security warned of risks associated with the emerging Internet of Things
UK companies urged to tighten cyber defence (Financial Times) Businesses have been urged to protect themselves from a growing cyber threat by the government in a drive to tighten internet security in the UK
Concern raised over Cybercrime and Cybersecurity Bill in SA (IT News Africa) The draft Cybercrimes and Cybersecurity Bill currently out for public comment is timeous in that it proposes legislation that will bring South Africa in line with international laws governing internet-based crimes
Litigation, Investigation, and Law Enforcement
U.S. SEC fines advisory firm for shoddy controls after cyber attack traced to China (Reuters) A St. Louis-based investment advisory firm will pay $75,000 to settle civil charges alleging it failed "entirely" to protect its clients from a July 2013 cyber attack that was later traced to China, U.S. regulators said on Tuesday
The British Library Did Not Need to Self-Censor (Just Security) I enjoyed reading Shaheed Fatima's excellent post from last week about the British Library's decision not to accept the digital archive of materials collected by the Taliban Sources Project
Unprecedented Hacking and Trading Scheme Highlights Key Cybersecurity Lessons (JD Supra) On Aug. 11, 2015, federal prosecutors in the District of New Jersey and the Eastern District of New York unsealed indictments against nine individuals in the U.S. and Ukraine who were allegedly involved in a five-year, widespread hacking and trading scheme
Florida Cops Couldn't 'Survive' Without Hacking Team's Spy Tools (Motherboard) One of the largest sheriff's departments in the country gushed over Hacking Team, released emails show