Cyber Attacks, Threats, and Vulnerabilities
The Real Power of ISIS (Daily Beast) The West has failed utterly to understand the appeal of the ISIS narrative, much less to develop effective counter narratives
Russian Ships Near Data Cables Are Too Close for U.S. Comfort (New York Times) Russian submarines and spy ships are aggressively operating near the vital undersea cables that carry almost all global Internet communications, raising concerns among some American military and intelligence officials that the Russians might be planning to attack those lines in times of tension or conflict
TalkTalk CEO admits security fail, says hacker emailed ransom demand (Register) 'We've invested significantly in security'. Was it enough?
TalkTalk Hackers Demanded £80K in Bitcoin (KrebsOnSecurity) TalkTalk, a British phone and broadband provider with more than four million customers, disclosed Friday that intruders had hacked its Web site and may have stolen personal and financial data
TalkTalk hires BAE Systems to investigate cyber attack (Reuters) British broadband provider TalkTalk said on Sunday it had hired defense company BAE Systems to investigate a cyber attack that may have led to the theft of personal data from its more than 4 million customers
TalkTalk cyber-attack not as bad as first thought, company says (Guardian) Firm says customer data stolen 'materially lower' than thought and would not allow money to be taken from bank accounts
TalkTalk set to face '£75 million losses' after devastating cyber attack (Metro) TalkTalk is set to face devastating losses of £75 million as the fallout from the cyber-attack on the network continues
TalkTalk cyber-attack sparks calls for new regulatory powers (Guardian) Warning that telecom firm's security breach could cause problems that will last for years, including identity theft risks
TalkTalk hack: Institute of Directors says cyberhacking is biggest threat to UK businesses (International Business Times) The Institute of Directors has called for action in the wake of the TalkTalk hacking scandal singling out the hacking of customer data as one of "the biggest threats facing businesses and their customers". The organisation said that only "serious breaches" make the headlines, but attacks on UK businesses "happen constantly"
TalkTalk's problems go beyond cyber security (Financial Times) Sir Charles Dunstone has a knack for extracting extraordinary value from ordinary businesses
TalkTalk criticised for poor security and handling of hack attack (Guardian) Security experts say telecom firm let down customers with slow and poor reaction, and failure to encrypt and secure data
TalkTalk Hacked…Again (Check & Secure) For the third time in a year, the UK internet and telephone provider TalkTalk is in the spotlight following a cyber incident
Cambridge's Darktrace comments on TalkTalk attack (Cambridge News) The cyber attack on TalkTalk has prompted Cambridge firm Darktrace to put its head above the parapet
TalkTalk cyberattack: am I liable for fraud losses if I don't inform my bank? (Telegraph) Ask an expert: concerned customers are being told to scrupulously monitor their bank details — but if they do lose money, who is to blame?
TalkTalk was hacked. But it's silly to ask if the data was encrypted (Graham Cluley) TalkTalk has announced that they've been hacked. The details of four million customers are in play
TalkTalk's CEO offers some poor advice, following hack (Graham Cluley) Four million TalkTalk customers are worried that *their* details might be amongst the information stolen by hackers
Why do companies keep getting hacked? (BBC) Police are investigating a sustained attack on the TalkTalk website that might have let hackers get at details of the firm's four million customers
Hackers Are Using CCTV Cameras to Create Botnet network to launch DDoS attacks (Techworm) CCTV cameras have now become a norm for maintaining security
Possible Ashley Madison extortion campaign identified (SC Magazine) A cyber-security company says it may have spotted a round of extortions on Ashley Madison customers from a notorious hacking group
New ransomware delivered via Windows Remote Desktop Services (Help Net Security) A new type of ransomware — dubbed LowLevel04 — is hitting users in Greece and Bulgaria. It is apparently delivered on the affected computers manually by the attackers, via Windows' built-in Remote Desktop Services (RDS) or Terminal Services
How To Stop Ransomware, The Cyberattack That Holds Your Computer Hostage Until You Pay (International Business Times) Russian hackers are bringing a whole new meaning to "disruptive"
Report: IRS' tax refund fraud detection system vulnerable to hackers (Tampa Tribune) The new computer system the IRS is using to detect identity theft refund fraud may be vulnerable to hackers, according to a recent inspector general report, which cited delays in patching known cyber security issues
CIA director hack by teen spotlights US cyber-frailty (Al Jazeera via Yahoo! News) Back in May 2009, a freshly inaugurated US President Barack Obama launched a crackdown on "spoofing and phishing and botnets" in a government-wide web security overhaul
Are Microsoft and Google better at cybersecurity than the CIA? (Quartz) Who knew people still used AOL?
Serious Flaws Found in Janitza Power Analyzers (SecurityWeek) Researchers have uncovered several vulnerabilities in power quality measurement products from Janitza Electronics, a Germany-based company that specializes in the development of energy efficiency systems
That Little USB of Horrors (Digital Guardian) Beware USBs promising a quick recharge of your mobile device; they might also be leeching data as well
After fending off cyber attack, FirstEnergy says government coordination lacking (Utility Dive) Hackers attempted a denial of service attack on FirstEnergy's servers this week, but while information on the unsuccessful attempt was quickly shared with the industry and the U.S. government, company officials say there was no response from federal officials, EnergyWire reports
How real is the risk of visual hacking? (Information Age) For many organisations, visual hacking — or 'shoulder surfing' — is a forgotten risk, but awareness is growing
Train rider has his contactless card e-pickpocketed (Naked Security) It could have been just another one of those jostlings that happen on the train: a man bumped into a writer for SC Magazine
Car's Safety Bags Unsafe As Hackers Find A Way To Disable Them As Well (WCCF Tech) Vehicles that can have their safety bags disabled are usually those whose functions are electronically controlled
Barclays hit by 'network problems' at the weekend (ComputerWeekly) Barclays service disruptions raise cyber security concerns, but the bank says the problem was purely internal
City computer hacking was just a test (Las Vegas Review-Journal) On the morning of Aug. 13, armed men disguised as janitors strolled into Las Vegas City Hall, made their way to the city's data center and started hacking into computer servers
Police force blames hacker after #CyberAware tweet sent out containing bogus security advice (We Live Security) Normally, the boys in blue at UK police forces do a fantastic job on social media — offering advice to the local community on how to fight crime, and putting a human face on the officers who protect us
Bulletin (SB15-299) Vulnerability Summary for the Week of October 19, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week
Cyber Trends
Why IoT Security Is So Critical (TechCrunch) Twenty years ago, if you told me my phone could be used to steal the password to my email account or to take a copy of my fingerprint data, I would've laughed at you and said you watch too much James Bond
As more devices go online, hackers hunt for vulnerabilities (Baltimore Sun) The hack was simple. Terry Dunlap tapped out a few commands on his laptop and within seconds a message popped on the screen: "Done!" With a few more keystrokes, he could see what the security camera could see and swivel it at will
The Internet of Things: Stop the things, I want to get off! (Naked Security) Last week was week four of Cybersecurity Awareness Month (CSAM) and the theme was Your Evolving Digital Life
Cyber-Vulnerability Of Physical Security Systems: Lessons From 2008 Turkish Pipeline Explosion (SourceSecurity) Discussions in our industry about cyber-threats to physical security systems, including IP video, often center around hypotheticals
Five Ways Shadow IT in the cloud hurts your enterprise (Network World) According to the Skyhigh Networks Cloud Adoption & Risk Report Q2 2015, the average enterprise now uses 1,083 cloud services. That astounding figure is almost 50% higher than this time last year, and up 100% from two years ago
The Dark Web for Dummies, Part Two: Why the Dark Web Matters (ZeroFOX) In our last installment we learned about the dark web and where it came from. If you missed it, you can catch it here. In short, the dark web, as most people know it in the form of The Onion Router (or TOR), was created by the United States government as a way to help people connect to the internet anonymously
Over half of worldwide news media outlets have suffered some form of cyber-attack (The Drum) Over 50 per cent of media companies across the world have been victim to some sort of cyber-attack according to a global study by Newscycle Solutions
Australia falling behind in cyber-attack protection, report says (SBS News) A new report has found Australia is falling behind countries like Japan and South Korea in its ability to protect itself from cyber attacks
Marketplace
Machine learning key to 'rethinking everything' at Google, says CEO Pichai (FierceCIO) Google's new CEO Sundar Pichai called the company's efforts in machine learning a "priority" during Alphabet's financial call Thursday
Why Corporate Boards Are Picking Women to Fill Cybersecurity Posts (Bloomberg Business) Earlier this year, American International Group Inc. added Linda Mills to its board, attracted partly by her expertise in cybersecurity. In February, Wells Fargo & Co. selected Suzanne Vautrinot for its board for similar reasons. Before that, Walgreens Boots Alliance Inc. picked Janice Babiak
How the government tries to recruit hackers on their own turf (Washington Post) Alejandro Mayorkas, a high-ranking Department of Homeland Security official, opened a speech over the summer in Las Vegas before hundreds of hackers with a dare
Cybersecurity Startups Are Raising $2.5 Billion a Year (Inc.) The industry is on pace to equal last year's staggering funding numbers, with U.S. companies grabbing the majority of the money
DISA Seeks Development, Sustainment Support Sources for Data Discovery Platform (ExecutiveBiz) The Defense Information Systems Agency wants information on potential contractors that can provide development, engineering, infrastructure and sustainment support for a data discovery service that DISA uses to acquire open source-based information from content providers
Security consulting firms find niche in breach detection platforms (TechTarget) Channel partners, particularly those with IT security experience, may find new opportunities in the emerging field of breach detection technology
Ex-NSA Chief's Cybersecurity Startup Draws Funding (Wall Street Journal) Infusion of $32.5 million in IronNet highlights ties between Silicon Valley and Washington
Former intel officials take new approach to cyber-defense (CBS News) The revelation this week that hackers broke into the personal e-mail accounts of two of the nation's top national security officials has put new focus on the importance of cyber security
Sophos hits Gartner Leaders Quadrant seven times (IT-Online) Sophos has announced that it has once again been positioned in the "Leaders" quadrant of Gartner's 8 October 2015 "Magic Quadrant for Mobile Data Protection Solutions"
Security researcher has last laugh over Oracle (CRN) 'The best way to make researchers mad is to tell them you don't need them', says ERPScan as Oracle plugs six vulnerabilities it discovered in its code
Security Company's Cryptography Play Aims at Tech Firms, Finance (Fast Company) A new suite of tools by startup Dyadic can stop a cybersecurity breach in progress
Artificial intelligence fuelled cyber security firm Cylance targets Australian launch (Financial Review) Australians will soon be fighting fire with fire, as artificial intelligence cyber security firm Cylance prepares to open up operations in Sydney
Yahoo Hires Bob Lord as its CISO (Threatpost) Yahoo has filled the vacancy in its CISO office, today announcing the hiring of former Twitter and Rapid7 security executive Bob Lord
Products, Services, and Solutions
Government Acquisitions, Inc. Launches New Hyperconverged Analytics Platform Solution (Government Acquisitions) Government Acquisitions, Inc. (GAI), a leading Federal Information Technology (IT) solutions provider and small business, today announced the launch of their Hyper Converged Analytics Platform (HyperCAP) — an end-to-end data analytics solution. Integrated and optimized with best-of-breed commercial-off-the-shelf (COTS) technologies from Dell, Palo Alto Networks, Nutanix, and Splunk Inc., the HyperCAP solution enables Federal agencies to harness powerful analytics for IT and security operations
Dell extends end-to-end security offerings (ChannelWorld) Dell announced a new, full range of security solutions that enable customers to implement a comprehensive enterprise security strategy to protect their organization from evolving threats while strengthening business agility
Microsoft doesn't see Windows 10's mandatory data collection as a privacy risk (IDG via CSO) Exec says telemetry data is key to improving the operating system
Google Expert on Windows 10 Security: Two Steps Forward, One Step Back (Softpedia) Microsoft has improved some features but failed with others
Fortinet's New Solution To Thwart Cloud-Security Breaches (CSO Today) After posting a strong financial third quarter, Fortinet has strengthened focus on cybersecurity to remain profitable
Technologies, Techniques, and Standards
NIST rides identity, privacy momentum with two new projects (FierceGovernmentIT) The National Institute of Standards and Technology is collaborating on two new projects that aim to foster the development of privacy-enhancing technologies
NSA's Divorce from ECC Causing Crypto Hand-Wringing (Threatpost) The National Security Agency has long cuddled up to Elliptic Curve Cryptography, swaying standards bodies away from RSA crypto and toward ECC in the late 1990s, as well as recommending it as a strong enough solution for sensitive government agencies to use in guarding their biggest secrets
New Approaches to Vendor Risk Management (Dark Reading) The key to managing partner security risk is having truly verifiable evidence
Social engineering: Employees could be your weakest link (Computerworld) Business leaders should be aware of the risks that social engineering can pose to their operations, reputation and customers
Are mobile persistent cookies a threat to enterprise data security? (TechTarget) While cookies can be helpful, mobile persistent cookies can pose a serious threat to users and enterprises
Design and Innovation
Computer vs. Lawyer? Many Firm Leaders Expect Computers To Win (American Lawyer) Junior lawyers are used to feeling like cogs in a machine. According to a new report, a surprising number of law firm leaders expect to be able to replace them with actual machines — and soon
This 11-year-old is selling cryptographically secure passwords for $2 each (Ars Technica) Girl makes Diceware passwords, rolled with real dice, written by hand, sent by mail
Research and Development
DISA looks to DARPA for 'quantum leap' in cybersecurity (C4ISR & Networks) The Defense Department's primary IT organization is partnering with its advanced research arm in a partnership aimed at accelerating military technology into the future
NSF grantees conclude phase one of insider threat research project (FierceGovernmentIT) Cybersecurity experts from State University of New York at Buffalo and University of Texas at Arlington have concluded the first phase of research around insider threat protection under an almost $500,000 grant from the National Science Foundation
Academia
CMU Partners with NSA Day of Cyber Program (Carnegie Mellon University News) Not much is known about a typical day at the National Security Agency (NSA), but a new initiative aims to provide U.S. middle school, high school and college students with an inside look
National Cyber Quests Competition Challenges Top Cybersecurity Talent (US Cyber Challenge) Winner to receive $1,000 scholarship from the Center for Internet Security
German-speaking nations dominate in European Cyber Security Challenge (Engineering and Technology) Austria has won the first European Cyber Security Challenge, followed by Germany and Switzerland
Schools Learn Lessons From Security Breaches (Education Week) When an employee of the Provo, Utah, school district mistakenly clicked on a phishing link in an email last year, the private data of about 500 employees were put at risk
Colleges are spying on prospective students by quietly tracking them across the internet (Quartz) "So, where else are you applying?"
Legislation, Policy, and Regulation
Four things to know about new net neutrality rules (Help Net Security) Net neutrality is crucial to the future development of the Internet. It is the principle that all online traffic should be treated equally, regardless of the type of content or platforms involved
Seoul seeks hacker troops to fend off North Korean cyberattacks (Washington Post) A new army of South Korean soldiers was intently focused on fending off the enemy attack. Where were they coming from? What tactics were they using? And how best to neutralize them?
South Korea's defence ministry to welcome tech-savvy 'white-hat' hackers team to fight cyber warfare (International Business Times) The South Korean defence ministry has undertaken a new initiative to fight against cyber-attacks, which are prominent in the 21st century, by conducting a "White Hat" hacking competition to select the best hackers across the nation
'Indian enterprises not doing enough to share information on cyber attacks' (Economic Times) Indian enterprises have done little to share information on cyber attacks, at a time when the US is in the middle of deciding on the Cyber Security Information Sharing Act that would make the process easier
White House backs CISA despite privacy groups' concerns (Daily Dot) The White House and the Department of Homeland Security have endorsed a controversial cybersecurity bill that the Senate is expected to pass early next week
Battle Continues Over Information-Sharing Bill (eWeek) The Cybersecurity Information Sharing Act pits privacy-focused consumer advocates against government efforts to open the door to information sharing
Five players to watch in Senate cyber fight (The Hill) The final battle over the Senate's biggest cybersecurity bill in years is slated to take place Tuesday on the floor of the upper chamber
American Watchdog Imposes New Cybersecurity Regulations (Finance Magnates) The newly approved information protection program includes several measures meant to prevent identity theft and hacking
Health and Human Services Raises Bar for Risk Analysis with latest HITECH Rules (Digital Guardian) Organizations will need to match features to security mitigations in qualifying electronic health records systems
Hacked Opinions: The legalities of hacking — Simon Crosby (CSO) Simon Crosby, from Bromium, talks about hacking regulation and legislation
Litigation, Investigation, and Law Enforcement
The European Court of Justice Decision on United States-European Union Safe Harbor Framework: Policy Highlights and Business Implications (Chertoff Group Point of View) On October 6, 2015 the European Court of Justice (ECJ) ruled in the case of Schrems v. Data Protection Commissioner, calling into question the utility of the United States-European Union (U.S.-E.U.) Safe Harbor Framework
SEC Potentially Targets CCOs for Cybersecurity Lapses (Legaltech News) CCOs would be well advised to carefully review and implement where appropriate the SEC's latest cybersecurity guidance
Precise policy language needed to cover affiliated businesses (Business Insurance) Broad wordings can lead to narrow coverage rulings in court
Federal Government Sued Again For OPM Breach (Legaltech News) The plaintiff wants to be compensated for current and future losses and wants to see injunctive relief to fix OPM's security protocol
Bitcoin Alliance Aims to Boost Reputation of Digital Currency (Legaltech News) Blockchain Alliance formed to establish and build trust between the industry and government
Judge dismisses Wikimedia lawsuit over NSA surveillance — report (Reuters via Yahoo!) A federal judge has dismissed a lawsuit by Wikimedia and other groups challenging one of the U.S. National Security Agency's mass surveillance programs, the Baltimore Sun reported
ACLU lawsuit against NSA mass surveillance dropped by federal court (Guardian) Judge TS Ellis III dismissed the suit because it relied on 'subjective fear' that National Security Administration collects information that is innately harmful
Iran slams U.S. jailing of engineer for documents smuggling (Military Times) The Iranian government has criticized a U.S. court's decision to sentence an engineer with dual citizenship to more than eight years in prison for trying to send sensitive military documents to Iran, the official IRNA news agency reported Sunday
Nine arrested in UK investigation of criminal network defrauding bank customers (Help Net Security) Detectives investigating an organized criminal network responsible for defrauding bank customers across the UK out of approximately £60 million have arrested nine people