Cyber Attacks, Threats, and Vulnerabilities
Greek banks: Hackers extend ransom payment deadline (Keep Talking Greece) A team of hackers has allegedly threatened to bring down the electronic systems and websites of Greek banks, unless they pay ransom in Bitcoins
Anonymous Hacks UN Climate Change Site Against Police Attack on Cop21 March (Hack Read) The hacktivist group Anonymous breached the website of the United Nations Framework Convention on Climate Change (UNFCCC) and leaked a trove of personal information on 1,415 officials
Darkode Reloaded — New Forum Gets "F" Grade (Damballa: Day Before Zero) Last July, Damballa's Threat Discovery Center discussed the infamous web forum, Darkode, that was supposed to be resuscitated by sp3cial1st
Top malware families targeting business networks (Help Net Security) Check Point has revealed the most common malware families being used to attack organisations' networks during October 2015
Telegram Messenger delivers candygrams to stalkers (Register) Too easy to work out who's talking to whom, says researcher
Millions of Internet Things are "secured" by the same "private" keys (Naked Security) European security consultancy SEC Consult has spent time over the past few years looking at embedded devices on the internet
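The SEC Consult finding above is easy to check for in your own scan data: if the same host-key fingerprint turns up on unrelated hosts, the private key is shared (typically baked into firmware) and cannot identify any one device. The script below is an added example, not SEC Consult's tooling or code from the article; the scan results and key material in it are constructed for illustration (the IPs are documentation ranges, the 32-byte keys are made up), and a real check would feed it `ssh-keyscan` output instead.

```python
"""Flag SSH host keys that are shared by more than one internet-facing device.

Constructed sample data: the 'scan' below is a handful of made-up host/key
pairs, not data from the SEC Consult study or from any real device.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_authorized_key(raw_pubkey: bytes, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-ed25519 AAAA...' line from a 32-byte public key.

    Used only to construct sample scan output; a real scan would capture the
    line from the server's host-key exchange or from `ssh-keyscan`.
    """
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return f"{line} {comment}".rstrip()


def fingerprint(authorized_key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of sha256(blob), no '=' padding."""
    key_type, b64, *_ = authorized_key_line.split()
    blob = base64.b64decode(b64)
    # Sanity check: the wire-format type string must match the declared type.
    declared_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + declared_len] != key_type.encode():
        raise ValueError("key type mismatch in blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(scan: dict) -> dict:
    """Group hosts by host-key fingerprint; return only groups of size > 1.

    `scan` maps a host identifier (IP or hostname) to its host-key line.
    Any fingerprint seen on two or more unrelated hosts means the private key
    is duplicated (e.g. baked into firmware) and cannot be trusted to
    identify any single device.
    """
    groups = defaultdict(list)
    for host, key_line in scan.items():
        groups[fingerprint(key_line)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


# --- constructed sample scan: three devices share one baked-in key -----------
FIRMWARE_KEY = bytes(range(32))            # made-up key material
UNIQUE_KEY = bytes(range(100, 132))        # made-up, device-specific key
SAMPLE_SCAN = {
    "203.0.113.10": ed25519_authorized_key(FIRMWARE_KEY, "router-a"),
    "203.0.113.11": ed25519_authorized_key(FIRMWARE_KEY, "router-b"),
    "198.51.100.7": ed25519_authorized_key(FIRMWARE_KEY, "cam-1"),
    "198.51.100.8": ed25519_authorized_key(UNIQUE_KEY, "nas-1"),
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

The fingerprint is computed over the raw key blob exactly as `ssh-keygen -lf` does, so the output can be compared directly against fingerprints published in advisories or against your own known-hosts file.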
Spyware/adware combo masquerading as AnonyPlayer hits Android users (Help Net Security) If you suddenly start seeing random advertisements popping up on your Android device, you have likely been infected with adware. But if you're terribly unlucky, you might have also been hit with information-stealing malware
Malvertising — When will we learn? (Check & Secure) We have spoken previously about the responsibility of advertisers to keep their networks clean and to ensure that even if the messages they display are annoying, uncalled for and bandwidth-sapping, they are at least safe and free from malvertising
Port fail — Serious privacy vulnerability threatens VPNs with port-forwarding capabilities (Graham Cluley) Researchers have identified a serious vulnerability affecting VPN providers with port-forwarding services that allows an attacker to obtain the real IP address of a user's computer
IP leak affecting VPN providers with port forwarding (Perfect Privacy) We have discovered a vulnerability in a number of providers that allows an attacker to expose the real IP address of a victim
Chip-Bearing Credit Cards Present New Vulnerabilities (SIGNAL) Consumers and merchants alike could face increased cyber crime
Phishing blast uses Dropbox to target Hong Kong journalists (CSO) Campaign uses a legitimate Dropbox account as C2
Allied Bank's website hacked again (Daily Pakistan) The official website of Allied Bank Limited of Pakistan got hacked last weekend, for the second time in two years
Bluebox Broadband: 3,000 customers' details published online (BBC) Details of more than 3,000 customers or potential customers of Bluebox Broadband have been published online
Hacked toymaker leaked gigabytes' worth of kids' headshots and chat logs (Ars Technica) Company encouraged parents to use the pictures and chats with the apps it sold
The Grinch Who Exposed Your Kids' Identities (Dark Reading) 5 Ways VTech's Scrooge-like security spending put young users at risk
Abysmal security practices by toy maker VTech result in massive data breach (Help Net Security) Hong Kong-based electronic toy maker VTech has suffered a massive breach
Hey Reader's Digest: Your site has been attacking visitors for days (Ars Technica) Researchers estimate the same campaign has infected thousands of other sites
Won a £950,000 Google anniversary prize? Spoilers: It's a scam! (Graham Cluley) I received an email from Larry Page
Most hackable devices (CSO) There are now more than 3 billion connected devices in use by consumers, according to Gartner, and this number will increase to 4 billion next year
Why you shouldn't have geolocation turned on if you're a racist (Naked Security) An anti-racism group in Brazil is waging an intriguing campaign against intolerant internet commenters — ironically, by attempting to make racist comments as visible as possible
Cyber Trends
State & Local Government Hit By Malware, Ransomware More Than SMBs (Dark Reading) Localities and education networks suffered twice as many infections of the infamous CryptoWall ransomware as other sectors
Cyber warfare fallout to businesses, customers predicted (Business Insurance) Businesses and consumers will become collateral damage in cyber conflicts among countries next year, while activists' hacks will make a comeback, says a report
Cybercrime and shipping: the facts (Splash 24/7) Does the industry have the tools to combat this rising scourge?
RSA President: We 'Underestimate' Security Risks In Internet Of Things (CRN) Industry leaders predict the Internet of Things market will pass the trillion-dollar mark in terms of value during the next several years, but RSA President Amit Yoran said that presents a huge security challenge as well
Email Data Breaches: The Threat That Keeps On Giving (Information Management) By most accounts, 2015 was a year of unprecedented data breaches
How UK businesses plan to tackle security threats in 2016 (Help Net Security) 81% of UK IT decision makers experienced some sort of data or cyber security breach in their organisation in 2015, according to training company QA
Marketplace
EY: Cybersecurity threats major concern for global corporate sector (Deal Street Asia) At least a third of global organisations (global: 36 per cent, Singapore: 30 per cent) still lack confidence in their ability to detect sophisticated cyberspace attacks, according to EY's annual Global Information Security Survey (GISS) 2015, Creating trust in the digital world
Cyber Security Risk a Factor in Hospital Credit Ratings (HealthLeadersMedia) The not-for-profit healthcare sector is not immune to cyber security threats, particularly as they relate to patient records and the disruption of medical technology, Moody's Investors Service says. And larger healthcare systems are more vulnerable than stand-alone hospitals
How CISOs Can Change The Game of Cybersecurity (Dark Reading) In the modern enterprise, chief information security officers need a broad mandate over security and risk management across all operational silos, not just the datacenter
How to calculate ROI and justify your cybersecurity budget (CSO) If you speak with management about money — speak their language and you will definitely get what you need
Cybersecurity's hidden pool of talent (Healthcare IT News) 'There's a pressing need for professionals adept not just at meeting but exceeding HIPAA security and privacy requirements'
Ron Woerner on the pathway to the security talent we crave (CSO) Ron Woerner shares his Point of View (POV) on the pathway to talent as part of Leading Security Change
In a Global Market for Hacking Talent, Argentines Stand Out (New York Times) Want to learn how to break into the computerized heart of a medical device or an electronic voting machine?
The British Monarchy is looking for an IT security expert (IT Pro Portal) The British Monarchy is looking for an IT security expert and, as you might imagine, it's paying solid money for the position
6 Experts on How to Win at Managed Security (Channel Partners) Enterprises that work with security solution providers or MSSPs rather than managing security in-house enjoy a lot of benefits, including lower costs and access to staff and skills they may not be able to find — or afford to hire, even if the talent were available
Products, Services, and Solutions
CONCERT Advisor Services selects Bronzeye as technology security partner (PRWeb) CONCERT announced a service relationship and strategic partnership with Bronzeye to provide technology security audit and network security monitoring services as well as becoming a key component of CONCERT's new Advisor Technology services platform
ERPScan extends support for new ISACA and DSAG SAP Security Guidelines (ERPScan) Recently updated ERPScan Security Monitoring Suite for SAP now provides special templates to comply with the latest security guidelines from DSAG and ISACA
Gemalto SafeNet Luna EFT Supports New Standards From Major Credit Card Networks (RTT News) Digital security provider Gemalto (GTOFF.PK) said its SafeNet Luna Electronic Funds Transfer (EFT) payment HSM (hardware security module) supports new standards from the major credit card networks for secure implementations of contactless payments via mobile phones
Centrify brings in new identity management partners (ChannelBiz) Centrify has made HANDD Business Solutions and Identity Methods its latest partners in the identity management space
Technologies, Techniques, and Standards
MISP taxonomies and classification as machine tags (CIRCL) Taxonomies that can be used in MISP (2.4) and other information sharing tools, expressed as machine tags (triple tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an OPTIONAL value, written namespace:predicate or namespace:predicate="value". Machine tags are often called triple tags because of this three-part format
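A parser that enforces the three-part format described above, with a validator that checks a tag against a taxonomy table, as an added example (not CIRCL's or MISP's own code). The taxonomy table in the block is constructed for the example and only mimics the shape of MISP taxonomies (tlp, osint, admiralty-scale); it is not a copy of the real taxonomy files, which are distributed as JSON.

```python
"""Parse and validate MISP machine tags (triple tags).

A machine tag is namespace:predicate or namespace:predicate="value".
The small taxonomy table below is constructed for the example and stands in
for the JSON taxonomy files MISP ships; it is not a copy of any of them.
"""
import re
from typing import NamedTuple, Optional

# namespace and predicate: no whitespace, ':', '=' or '"'; value: anything but '"'
_TAG_RE = re.compile(r'^(?P<ns>[^:="\s]+):(?P<pred>[^:="\s]+)(?:="(?P<val>[^"]*)")?$')


class MachineTag(NamedTuple):
    namespace: str
    predicate: str
    value: Optional[str]   # None when the tag has no value part

    def __str__(self) -> str:
        base = f"{self.namespace}:{self.predicate}"
        return base if self.value is None else f'{base}="{self.value}"'


def parse_machine_tag(tag: str) -> MachineTag:
    """Split a raw tag into its three parts; reject anything not in triple-tag form."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a machine tag: {tag!r}")
    return MachineTag(m["ns"], m["pred"], m["val"])


# Constructed taxonomy table: namespace -> predicate -> allowed values
# (None = predicate takes no value). Entries are illustrative only.
SAMPLE_TAXONOMIES = {
    "tlp": {"red": None, "amber": None, "green": None, "white": None},
    "osint": {"source-type": {"blog-post", "technical-report", "news-report"}},
    "admiralty-scale": {"source-reliability": {"a", "b", "c", "d", "e", "f"}},
}


def validate(tag: MachineTag, taxonomies=SAMPLE_TAXONOMIES) -> list:
    """Return a list of problems (an empty list means the tag is valid)."""
    problems = []
    preds = taxonomies.get(tag.namespace)
    if preds is None:
        return [f"unknown namespace {tag.namespace!r}"]
    if tag.predicate not in preds:
        return [f"unknown predicate {tag.predicate!r} in {tag.namespace!r}"]
    allowed = preds[tag.predicate]
    if allowed is None and tag.value is not None:
        problems.append(f"{tag.namespace}:{tag.predicate} takes no value")
    elif allowed is not None and tag.value is None:
        problems.append(f"{tag.namespace}:{tag.predicate} requires a value")
    elif allowed is not None and tag.value not in allowed:
        problems.append(f"value {tag.value!r} not in {sorted(allowed)}")
    return problems


def check_tags(tags) -> dict:
    """Parse and validate a batch; returns {raw_tag: [problems]} for bad tags only."""
    report = {}
    for raw in tags:
        try:
            problems = validate(parse_machine_tag(raw))
        except ValueError as e:
            problems = [str(e)]
        if problems:
            report[raw] = problems
    return report


if __name__ == "__main__":
    sample = ['tlp:amber', 'osint:source-type="blog-post"', 'tlp:amber="yes"',
              'osint:source-type', 'foo bar', 'admiralty-scale:source-reliability="a"']
    for raw, probs in check_tags(sample).items():
        print(raw, "->", "; ".join(probs))
```

Validating tags on ingest is worth doing before they drive automation such as sharing-group or TLP-based export filters: a mistyped `tlp:amber="yes"` or an unknown namespace would otherwise fall through whatever match the filter performs.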
NIST at work on new data safety guide (FierceGovernmentIT) As the year nears its close, the data breaches that came to light in the past 12 months remain top of mind. To help combat that cyber threat, the National Institute of Standards and Technology is seeking comments on a new project that would help organizations prepare for and recover from data attacks
GAO approves of NIJ's offender tracking system standard (FierceGovernmentIT) After seven years of work, the National Institute of Justice is expected to publish by March 2016 a device standard for offender tracking systems
Security Think Tank: Threat intelligence feeds not for everyone (TechTarget) What is the best practice for collecting and using threat indicators from security incidents to improve defences against future cyber attacks?
How can you predict the impact of the inevitable data breach on your organisation? (Computing) Nowadays, it seems that it's not a case of if an organisation will suffer a data breach but when
'Everyone should own a data breach' so that blame isn't pinned on any one person (Computing) Everyone in an organisation should "own" a data breach, so that the blame isn't pinned on any one person, according to Neil Thacker, information security and strategy officer EMEA at Websense
Cybersecurity risk management benefits from analytics, reporting (TechTarget) Data breaches continue to threaten businesses, but companies are turning to data analytics to help identify vulnerabilities and make cybersecurity risk management more efficient
Retail data breaches: 3 lessons companies have learned (PropertyCasualty360°) The holiday shopping season is in full swing, it's 'Cyber Monday' and retailers need to take extra precautions
Cybersecurity experts' guide to outwitting Black Friday and Cyber Monday scammers (Christian Science Monitor Passcode) Watch out for bogus e-mails and copycat sites designed to mimic big brands, hang up on unknown callers warning you're an identity theft victim, and never use public WiFi to make a purchase
Shop Safely During Black Friday and Cyber Monday (Lifars) It's that time of the year again. Consumerism reaches a frenzied state during the holiday season, and Black Friday with the subsequent Cyber Monday deals are widely seen as some of the best bargains available all year round
CISO at U.S. Bank offers tips for secure online purchasing (Help Net Security) The thrill and chaos of holiday shopping has started, and unfortunately with that comes the inherent risk of fraud. With an increased threat of digital fraud, what can consumers do to secure their personal data?
Kaspersky: 1 in 7 people use one password (ZDNet) Security firm Kaspersky has found that one in seven people are leaving themselves open to attack by having the one password for multiple accounts
Advent tip #1: Clean up your passwords before Christmas (Naked Security) Passwords. Until there's another widely-adopted way to verify that we're who we say we are, we're sort of stuck with them
Academia
Securing America's cyberfuture goal of new Cyber Security Institute (Communities Digital News) Cybersecurity protection of our digital information is a top concern among American consumers, business leaders and government officials, and for good reason
Legislation, Policy, and Regulation
China, Japan, South Korea Talk Cyber Issues (Dark Matters) In mid-October, China, Japan, and South Korea convened for the second time in order to discuss potential cooperation on cyber issues such as international rules governing cyberspace, and cooperation against cybercrime and terrorism
Following U.S. indictments, China shifts hacking away from military to civilian agency (Washington Post) The Chinese military scaled back its cybertheft of U.S. commercial secrets in the wake of Justice Department indictments of five officers, and the surprising drawdown shows that the law enforcement action had a more significant impact than is commonly assumed, current and former U.S. officials said
Time to Retaliate Against China's Cyber Espionage (World Affairs) "To my Chinese counterparts, I would remind them, increasingly you are as vulnerable as any other major industrialized nation state," said Admiral Mike Rogers, director of the National Security Agency and the chief of US Cyber Command, on November 21st at the Halifax Security Forum. "The idea you can somehow exist outside the broader global cyber challenges I don't think is workable"
How Does Israel Regulate Encryption? (Lawfare) Recent terrorist attacks and resulting questions about the limits of surveillance have rekindled debate about how governments should deal with the challenges of powerful, commercially available encryption. With active debate in the United States and Western Europe surrounding this issue, it is instructive to note that Israel has been regulating encryption for decades
CTO Insights: Encryption Works — Don't Break It! (Trend Micro) Every now and then, an ill-informed politician will stand before a microphone and say something along the lines of: encryption is helping bad guys (terrorists, child pornographers, or other similarly acceptable targets), because law enforcement can't see what the bad guys are doing when they use sophisticated tools that rely on encryption. Said politician will urge tech companies to "work with us" to help catch these bad guys
Google Denies Online Censorship Deal with Israel (Hack Read) Google has denied all the accusations that were put forward regarding monitoring or censoring of those YouTube videos that are made for inciting attacks on Israel — Google claims their recent meetings were routine and had no such agreements
Trump would 'err on side of security' in NSA debate (The Hill) Donald Trump is aligning himself with GOP presidential rivals Sen. Marco Rubio (Fla.) and former Florida Gov. Jeb Bush in the Republican Party's divide over federal surveillance powers
Ted Cruz and Marco Rubio Are Fighting About Your Phone Data (Federalist) Sen. Ted Cruz (R-Texas) and Sen. Marco Rubio (R-Fla.) are clashing over how intelligence agencies should handle the phone data of private citizens
Ex-US Intelligence Chief on Islamic State's Rise: 'We Were Too Dumb' (Spiegel) Without the Iraq war, Islamic State wouldn't exist today, former US special forces chief Mike Flynn openly admits. In an interview, he explains IS' rise to become a professional force and how the Americans allowed its future leader to slip out of their hands
Senators campaign for clause to assess infrastructure cyber defenses (The Hill) A bipartisan group of senators wants to ensure that the major cybersecurity legislation headed for President Obama's desk includes a provision they believe would help defend the nation's critical infrastructure against a cyberattack
DHS Giving Firms Free Penetration Tests (KrebsOnSecurity) The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms
Why are only moneymen doing cyber resilience testing? (Register) …and the National Grid?
OMB tells GSA, agencies to draw up rapid contracting plans for cyber breaches (Federal News Radio) The Office of Management and Budget is directing federal agencies and the General Services Administration to come up with a single mechanism to rapidly hire outside expertise the next time a civilian agency's systems are breached in a cyber attack, reasoning that time will be of the essence and that virtually no agency will have the resources needed to mount an adequate response with in-house staff
OMB's Cybersecurity Implementation Plan Should Measure Agency Resilience (SIGNAL) Following the distressing headlines that cataloged repeated cyber breaches of U.S. federal computer networks — some that compromised the personal data of millions of people — government officials have implemented a patchwork of safeguards to shore up vulnerabilities, including the identification of high value assets
Incoming: A Handful of Heretical Thoughts (SIGNAL) Two things have me thinking about heresy
Litigation, Investigation, and Law Enforcement
Judge applies common sense to question of what constitutes a data breach (Computerworld via CSO) A breach that doesn't result in anyone compromising any data is something like the proverbial tree that falls in the forest with no one around. Is it truly a data breach?
The National Security Letter spy tool has been uncloaked, and it's bad (Ars Technica) No warrants needed to get browsing history, online purchase records, and other data
OPM Just Now Figured Out How Much Data It Owns (Atlantic) Months after it announced that it was hacked, the agency has finally put together an inventory of its own servers
Senator Labels OPM Breach a 'Federal Fumble' of 2015 (Nextgov) The massive data breach at the Office of Personnel Management, in which hackers stole personal information on nearly 22 million federal employees, retirees and contractors has already been called one of the largest cybercrimes ever carried out against the U.S. government
U.S. states probe VTech hack, experts warn of more attacks (Reuters via Business Insurance) U.S. states said they will investigate a massive breach at digital toy maker VTech Holdings Ltd. as security experts warned that hackers are likely to target similar companies that handle customer data
The Ferizi Arrest — Helping Narrow the Aperture of Cyber Terrorism (Dark Matters) In October 2015, Malaysian authorities arrested Ardit Ferizi, a Kosovo hacker known as "Th3Dir3ctorY." Ferizi, suspected of being the leader of the hacker group "Kosova Hacker Security," is accused of hacking into a firm and stealing a substantial amount of personally identifiable information (PII) on more than a thousand federal employees and service members
"Walter Mitty type" IT manager jailed over attempted dark web gun buy (Naked Security) The law has grown quite adept at flipping on the light switch in the dark web to unmask crooks, be they child predators, kids buying poison, people hiring hitmen, or operators of contraband sites like Silk Road or Utopia
Decision to force out Marine who sent warning ahead of insider attack upheld (Washington Post) A senior Navy Department official decided Monday to force a Marine Corps officer out of the service for his handling of classified information, three years after he was first investigated after sending a warning to deployed colleagues about an Afghan police chief whose servant later killed three Marines