Cyber Attacks, Threats, and Vulnerabilities
Russian cyberspies targeted the MH17 crash investigation (CSO) The Pawn Storm cyberespionage group set up rogue VPN and SFTP servers to target Dutch Safety Board employees
WikiLeaks Releases Second Batch From CIA Boss John Brennan's Email (NBC News) WikiLeaks released two more documents and a list of contacts from CIA Director John Brennan's personal email account on Thursday — and again the material was neither classified nor revelatory
TalkTalk discloses possible breach, admits some data not encrypted (CSO) This marks the second time TalkTalk has been targeted this year
TalkTalk cyber-attack: Website hit by 'significant' breach (BBC) Police are investigating a "significant and sustained cyber-attack" on the TalkTalk website, the UK company says
Online accounting software Xero tells users to reset passwords, after accounts breached (Graham Cluley) Cloud-based accounting service Xero has told its customers to reset their passwords after a "small number" of users had their accounts compromised
Kampagnen Malvertising Campaign Goes After German Users (Malwarebytes Unpacked) A large malvertising campaign is currently targeting German users on some popular web sites such as eBay.de or T-Online.de, the latter being a top ISP
More e-tailers suffer disruption after Aria DDoS sting (CRN) Overclockers becomes latest UK e-tailer to suffer website disruption this week
Can bounty hunters stop the DDoS gangs? (SC Magazine) Is the idea of putting a cash bounty on hackers an effective way to disrupt or stop DDoS attacks, or a vigilante action that takes time and money from the business of protecting networks?
Tech support scammers put Mac owners in crosshairs (Computerworld via CSO) Browsing to dodgy sites triggers fake warnings that urge users to call for support
Think twice about Android root (Help Net Security) In recent years the practice of Android rooting, that is, the process of allowing an Android phone or tablet to bypass restrictions set by carriers, operating systems or hardware manufacturers, has become increasingly popular
Smartwatch — A Fashionable and Dangerous Gadget (Infosec Institute) Although the market for smartwatches is still in its infancy, there has been a steady increase in the popularity of this sophisticated technological gadget
Chattering Wi-Fi devices are a short hop away from the crown jewels of your network (Graham Cluley) The revelation that security failures had been uncovered in a Wi-Fi Kettle, and that they could be exploited to break into your home network, made big headlines this week
Analysis: How Malware Creators Use Spam to Maximize Their Impact (Heimdal) If it works, why change it?
Malware on a multi-year tear, says G DATA report (FierceITSecurity) Security researchers at German antivirus firm G DATA have found a 64.8 percent spike in new malware strains for the first half of 2015 compared to the first half of 2014
In testimony, GAO warns of cyber vulnerability in the nation's power grid (Fedscoop) While the federal watchdog identified that progress has been made, it contended that "continued attention" is necessary to secure power infrastructure
Nuclear, grid regulators compare notes on cyberdefense (E&E News) Regulators of the nation's nuclear plants and high-voltage power lines met yesterday for a top-level review of threats and hurdles each faces from cyberattacks, natural disasters and the grid's disruptive transitions
Researchers Prove Connected Cars Can Be Tracked (IEEE Spectrum) Connected cars that communicate with other vehicles or transport systems to improve safety and traffic flow can easily be tracked, a security researcher has shown
Security Patches, Mitigations, and Software Updates
Joomla releases patch for serious SQLi flaw (IDG via CSO) The secure version is 3.4.5
High Severity Flaws Found in iniNet ICS Software (SecurityWeek) Swiss-based visualization and automation solutions provider iniNet Solutions GmbH has released updates to address several vulnerabilities identified by Positive Technologies researchers in some of the company's products
Apple closes a raft of "drive-by download" holes in OS X and iOS (Naked Security) If you're one of those people who waits for the first update to an update before you install it… and you're also an OS X or an iOS user, then your number's just been called
After Wednesday's El Capitan update, some users report lingering problems with Office for Mac (FierceCIO) There are high hopes that Apple's release yesterday of OS X version 10.11.1 will fix problems with Office for Mac that have plagued some users for about a month, although some early reports suggest issues remain
Custom Google App Engine Tweak Still Leads to Java Sandbox Escapes (Threatpost) A tweak carried out by Google in the Google App Engine for Java continues to stir up security concerns
Cyber Trends
Ventured: Cyber Hacking Is The New Global Battlefield (TechCrunch) Kevin Mandia and his security company, Mandiant, are probably most well known for their 2013 report exposing APT-1, one of China's espionage units
Space age perils: hackers find a new battleground on the final frontier (Reuters) Space, the 'final frontier', is rapidly becoming an extra-terrestrial battleground for corporate espionage and other types of cyber attack as hackers seek to gain commercial advantage from rival networks operating in the $330-billion space economy
Tech-savvy users are actually the worst offenders (Help Net Security) Even as businesses and the federal government have made cybersecurity a high priority, 93% of office workers engage in some form of unsafe online habits that could jeopardise their employer or their customers, according to Intermedia
Businesses are over-confident when it comes to data breach defences (IT Pro Portal) A new piece of research has raised further worries about data breaches, and specifically, the perception gap between the number of businesses who believe they've experienced a breach, and the actual numbers of data breaches occurring
New Technology Won't Remove Endpoint From The Bullseye (Dark Reading) Dark Reading Radio guests from endpoint security vendor Tanium and Intel Security/McAfee may have different product views, but they concur on the problems plaguing end user machines
Experts urge caution when putting health data in the cloud (Dark Reading) Health care has become a favorite target for criminals
SA surfers underestimate cyber vulnerability (ITWeb) Many consumers underestimate how vulnerable they can be online and behave accordingly — they fail to properly protect devices and data from theft or loss
Marketplace
On the hunt for merger or acquisition? Make sure your target is secure (CSO) Given numerous examples of catastrophic security risks from third-party relationships, the merger and acquisition industry needs to get caught up
Raytheon Posts 3Q Profit Decline on Websense Costs, Boosts Full-Year Revenue Guidance (GovConWire) Raytheon (NYSE: RTN) — one of 30 companies listed on Executive Mosaic's GovCon Index — has reported third quarter earnings of $1.47 per share, a 10.9 percent decline from the same period in 2014 and 4 cents above Wall Street expectations
Fortinet -12.2% due to Q4 guidance; PANW, FEYE, CYBR also drop (Seeking Alpha) …Fortinet has fallen to $37.95 after hours. Rival Palo Alto Networks (NYSE:PANW), which is also dealing with high expectations, is down 3.3%. FireEye (NASDAQ:FEYE) is down 2%, and CyberArk (NASDAQ:CYBR) down 1.8%.
Fortinet, Inc. (FTNT — $43.24) Company Update: Delivers Good, But Not Great, 3Q Results; Prove-Me (FBRFlash) From a headline perspective, Fortinet beat the Street's top line, bottom line, and billings estimates
In run-up to splitsville, HP sells TippingPoint to Trend Micro for $300M (FierceITSecurity) In the run-up to its split into two companies, HP is selling its intrusion prevention system and network security provider TippingPoint to Trend Micro for $300 million
Iceberg, dead ahead! VMware investors jump ship (MicroScope) The jewel in the Federation's crown appears to be drifting slowly towards the seabed, as Dell and EMC announce cloud plans
Citrix CEO departs as EUC industry shakeup continues (TechTarget) Mark Templeton's tenure as Citrix CEO has abruptly come to an end, leaving Citrix users to wonder what's in store for the company's future
Products, Services, and Solutions
Versasec Introduces vSEC:CMS v4.2 Smart Card Lifecycle Management (PRLog) Versasec creates two distinct products, adds increased speed and scalability features and simplifies pricing
Free PCI and NIST compliant SSL test (Help Net Security) High-Tech Bridge announced a free online service designed to check SSL/TLS security of a web server. It performs four distinct tests
Chase's tweet backing PIN credit cards was a mistake, bank says (CSO) Bank has no plans to back chip-and-PIN credit cards
Check your Facebook settings to make sure your posts aren't searchable (Naked Security) Back in December last year, Facebook introduced keyword searching on your or your friends' past posts
Synack Hydra Is Designed to Help Security Researchers Find Threats (eWeek) Synack announced Hydra, a new tool designed to enable its researchers to work faster to find new threats
Hexis Cyber Solutions Releases HawkEye G 3.1 with Extended Support Coverage for Windows 10 and Linux Platforms (Nasdaq) Hexis Cyber Solutions Inc. (Hexis), a wholly-owned subsidiary of The KEYW Holding Corporation (NASDAQ:KEYW), and a provider of advanced cybersecurity solutions for commercial companies and government agencies, today announced significant enhancements to its integrated cybersecurity platform, HawkEye G
Privacy Advocates Launch Anonymous Calling App (Hack Read) For those who seek privacy while working online, you now have a solution in "Warble," an anonymous calling app for Android, iOS and Windows OS
Technologies, Techniques, and Standards
NSA advisory sparks concern of secret advance ushering in cryptoapocalypse (Ars Technica) Once elliptic curve crypto was viewed as a savior. Now its future looks doomed
3 Points on Managing Service Providers for Data Security (Legaltech News) Mayer Brown webinar examines the data security risks compounded by reliance on contractor networks, and the best ways to mitigate those risks
Data breach strategies and cyber risk management for the enterprise (Enterprisers Project)
Passing the Sniff Test: Security Metrics and Measures (Dark Reading) Cigital dishes dirt on top security metrics that don't work well, why they're ineffective and which measurables to consider instead
Compliant does not equal protected: our false sense of security (CSO) Being compliant does not mean your organization is safe, nor does it mean that your organization is immune to repercussions at the hands of a data breach
The Scary Truth About Data Breach Fatigue: It's Here to Stay (Credit.com) Increasingly, in the aftermath of a big news data security item — whether it takes the form of a high-profile mega breach (think: Office of Personnel Management, Anthem, Sony Pictures, Home Depot, Target) or a low-tech data grab — an odd phenomenon happens
Engage all levels of employees to achieve effective cyber security (Business Insurance) As emerging technologies introduce new security risks to businesses, risk managers should have a solid plan in place to both prevent and respond to a potential cyber attack, according to a recent panel of insurance industry experts
Design and Innovation
The problem with 'pumpkin spice' security bugs (Engadget) When asked, "Why give a vulnerability a website, logo and brand image?" many infosec professionals will confidently answer that flamboyant bugs raise awareness toward fixes
Privacy by Design Does Not Sacrifice Security (eSecurity Planet) Big Data needs big privacy, says privacy expert at SecTor Security conference
Research and Development
DARPA sets its sights on image manipulation (Naked Security) Thank goodness TMZ revealed that the Hollywood Life UNTOUCHED AND PRE-PHOTOSHOP images of Kim Kardashian's butt-baring photo from Paper magazine last year were fake
Legislation, Policy, and Regulation
UK/China cyber security deal: National security attacks still OK, it seems (Register) Adds to the pageantry of Xi Jinping's visit, if nothing else
Britain's Former Spy Chief Talks Terrorism, Mass Surveillance (Here and Now) Sir John Sawers led MI6, the United Kingdom's government intelligence agency, from 2009 to 2014. Now chairman of Macro Advisory Partners, Britain's former top spy talks with Here & Now's Jeremy Hobson about terrorism, mass surveillance and geopolitics
China Military Seeks to Bring Cyber Warfare Units Under One Roof (Bloomberg) China's military chiefs are seeking to unify the country's cyber warfare capabilities as they build a modern fighting force that relies less on ground troops
Controversial cyber security bill advances in Senate (Reuters via Business Insurance) A long-delayed bill that would make it easier for corporations to share information about cyber attacks with each other or the government without fear of lawsuits advanced in the U.S. Senate with strong support from members of both parties on Thursday
Tech Giants Oppose US Threat Intel Sharing Bill (Infosecurity Magazine) Apple and Dropbox have joined a long list of big name tech companies opposed to a new cyber security information sharing bill passing through Congress
How a law making car hacking illegal could make us all less safe (Naked Security) Two troublesome words tucked into proposed US legislation related to cybersecurity for cars and trucks could have some unintended consequences for vehicle security if it ever becomes the law of the land
OMB proposes major update to policy for acquiring, managing and securing IT (FierceGovernmentIT) After 15 years, the Office of Management and Budget issued a draft update to the major policy that governs how agencies plan, budget, acquire, manage personnel, secure, share and maintain information technology resources
A 'Cyber Party' with John McAfee and the White House Cybersecurity Czar (New America) For October's National Cybersecurity Awareness Month, The Cybersecurity Podcast team is bringing you an hour-long special episode featuring White House Cybersecurity Coordinator Michael Daniel, and John McAfee, the security pioneer who just founded his own political party — the Cyber Party — and is running for President of the United States
Litigation, Investigation, and Law Enforcement
Data-Security Assessments? You're Going to Want a Lawyer for That (JDSupra) These days, data breaches and cybersecurity attacks abound
FBI director dodges questions about Clinton's email (Washington Examiner) Federal Bureau of Investigation Director James Comey appeared before the House Judiciary Committee Thursday morning, but refused to answer questions pertaining to the FBI's investigation into Hillary Clinton's use of a private email server
FBI's Advice on Cryptolocker? Just Pay The Ransom. (Security Ledger) The nation's top law enforcement agency is warning companies that they may not be able to get their data back from cyber criminals who use Cryptolocker and other malware without paying a ransom
Federal agents will no longer use 'Stingray' cellphone trackers without warrants (USA Today) Immigration, Secret Service, and Homeland Security investigators must now obtain search warrants before using "Stingray" trackers that reveal the locations of scores of cellphone users, a Department of Homeland Security official told a House panel Wednesday
Should C-level execs face prison for data breaches? (IT Pro Portal) As data theft disclosures hit the headlines in 2015, organisations' dependence on security professionals and senior managers to protect their networks and business critical data has come under serious scrutiny
New charge in Minnesota Islamic State case (KIMT) Five Minnesota men accused of plotting to join the Islamic State group are charged with a new count of conspiracy to commit murder outside the United States, according to a superseding indictment filed Wednesday that offers new details about steps the men took as they allegedly planned to get to Syria