Cyber Attacks, Threats, and Vulnerabilities
Anonymous Claims Responsibility For 40 Gbps DDoS Attack on Turkish Servers (HackRead) The online hacktivist Anonymous has claimed the responsibility for a massive 40Gbps DDoS attack on Turkish DNS Servers under NIC[dot]tr — The reason behind the attack is that Turkey is allegedly supporting and aiding the Daesh or ISIS/ISIL terrorist group
Daesh cyber-attacks cannot hurt NATO, says expert (Turkish Weekly) Daesh does not have the capacity to endanger NATO members, a senior cyber-technology expert has said
Behind the Black Flag: The Recruitment of an ISIS Killer (New York Times) Since the Syrian rebel leader Hassan Aboud joined ISIS, taking with him fighters and weapons, he has been behind a sprawling mix of battlefield action and crime
United Nations moves to confront Islamic State online (Christian Science Monitor Passcode) In meetings in New York, the UN Security Council's counterterrorism committee pledged to ramp up effort to prevent Islamic State and other terrorist groups from recruiting and organizing online
Pentagon weighs cybercampaign against Islamic State (Los Angeles Times) The Pentagon is considering increasing the pace and scope of cyberattacks against Islamic State, arguing that more aggressive efforts to disable the extremist group's computers, servers and cellphones could help curtail its appeal and disrupt potential terrorist attacks
The US Needs Someone to Run the Effort to Defeat ISIS Online (DefenseOne) Lots of government agencies are doing something; the White House needs to coordinate them
Iranian Hackers Infiltrated New York Dam in 2013 (Wall Street Journal) Cyberspies had access to control system of small structure near Rye in 2013, sparking concerns that reached to the White House
AP Investigation: US Power Grid Vulnerable to Foreign Hacks (ABC News) Security researcher Brian Wallace was on the trail of hackers who had snatched a California university's housing files when he stumbled into a larger nightmare: Cyberattackers had opened a pathway into the networks running the United States power grid
Taiwan Opposition Hacked as China's Cyberspies Step Up Attacks (BloombergBusiness) Chinese hackers have attacked Taiwanese targets including local news organizations and the opposition Democratic Progressive Party in a bid to get information about policies and speeches ahead of presidential and legislative elections next month
Armenian Hackers Leak Sensitive Data from Azerbaijan Ministry Servers (HackRead) The cyber war between Armenians and Azerbaijani hackers seems never ending — Like this recent cyber attack in which the Armenian hackers from The Monte Melkonian Cyber Army (MMCA) hacked top Azerbaijani ministries and stole sensitive data
New report undresses 'Russian speaking' APT 28 (SC Magazine) A new report has shown the APT28 group to be targeting European government officials and defence personnel. In "APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information", cyber-security company Bitdefender undresses the activities of the long running APT group, tracing its origins and showing its latest activity against political targets, especially in Ukraine
Russian hacking group sharpens its skills (ZDNet) APT 28 group targets political figures as well as telecom and aerospace companies and has developed new ways of attacking according to researchers
Juniper's backdoor password disclosed, likely added in late 2013 (CSO) All an attacker needs is the password and a valid username
Infocon Yellow: Juniper Backdoor (CVE-2015-7755 and CVE-2015-7756) (Internet Storm Center) We decided to move to raise our "Infocon" to yellow over the backdoor in Juniper devices. We decided to do this for a number of reasons
Juniper faces questions about spying code planted in software (ComputerWorld) Who were the attackers and how did they get in?
Phantom Squad's website defaced during hacking warfare — but not by Lizard Squad… [Update] (Neowin) Since this article was originally published, @Obstructable — who is part of hacking group SKidNP, but has no affiliation with Lizard Squad — has contacted Neowin to clarify that he defaced Phantom Squad's website, and not Lizard Squad
Lizard Squad member claims Phantom Squad could attack Xbox Live and PSN this Christmas (International Business Times) The new hacking collective Phantom Squad could attack the online networks of PlayStation and Xbox Live this Christmas, creating trouble for gamers. The group had recently claimed responsibility for an outage on Xbox Live network
As Xbox Live goes down, PhantomSquad takes credit for attack (Hot for Security) It's beginning to look a lot like Christmas might be miserable for Xbox and PlayStation video game fans
Microsoft Xbox Live suffers DDoS attack from Phantom Squad, Sony PSN also threatened (Computing) A hacker group known as Phantom Squad has attacked Microsoft's Xbox Live online games service with a DDoS attempt which caused disruption for users during the last few hours
Bernie Sanders campaign improperly accessed Clinton voter data, DNC says (Ars Technica) After breach, DNC cuts off Sanders campaign's access to voter database
DNC Data Breach: What Happened and What It Means for Bernie Sanders' Campaign (ABC News) A Bernie Sanders campaign staffer was fired on Wednesday after allegedly accessing data from the Hillary Clinton campaign, and it has created quite a problem for the Sanders campaign
Democrats' database bug spotlights the rise of big data in elections (Naked Security) In recent election cycles we've heard a lot about big data in political campaigns, and in the future it's possible we'll hear a lot more about big campaign data breaches, too
Crooks update their exploits — have you updated your Office? (Naked Security) Microsoft Office exploits are cunningly-crafted, deliberately malformed chunks of data, inserted into Office files, that crash the application in a way that gives cybercriminals control, so that they can install malware without you noticing
Operation Black Atlas, Part 2: Tools and Malware Used and How to Detect Them (TrendLabs Security Intelligence Blog) Operation Black Atlas has already spread to a multi-state healthcare provider, dental clinics, a machine manufacturer, a technology company focusing on insurance services, a gas station that has a multi-state presence, and a beauty supply shop
Database leak exposes 3.3 million Hello Kitty fans (CSO) Database storing 3.3 million sanriotown.com accounts found online
Password Thieves Target E-Giftcard Firm Gyft (KrebsOnSecurity) Digital gift card retailer Gyft has forced a password reset for some of its users. The move comes in response to the theft of usernames and passwords from a subset of Gyft customers
Twitter Account of Pharma CEO Martin Shkreli Hacked (HackRead) Twitter account of the former CEO of Turing Pharmaceuticals Martin Shkreli aka pharma bro has been hacked by an unknown hacker who then published a series of tweets on his account
HIV dating company accuses researchers of hacking database (CSO) Hzone CEO calls the disclosure a condemnable act, accuses researcher and Databreaches[dot]net of malicious hacking
Facebook Denies Threatening Security Researcher To Keep Quiet Over Major Instagram Security Breach (International Business Times) Facebook has been accused of threatening a security researcher who uncovered a vulnerability that allowed him to access Instagram servers that hold the photos of its 400 million users. But the world's biggest social network is denying the accusation, saying the researcher went too far in an attempt to highlight a problem and claim a reward
Facebook spars with researcher who says he found "Instagram's Million Dollar Bug" (Naked Security) A spat erupted last week between Facebook and a security researcher who reported a vulnerability in the infrastructure behind its Instagram service
Hacker Earns 50k Miles by Exposing Vulnerability in United Airlines Website (HackRead) Earlier this year we reported about security measures taken by United Airlines that they'll give you up to a million miles to find a Security Bug in their system. An Indian researcher Rahul Mohanraj who read about the United Airlines' bug bounty program was perhaps excited to travel those million miles so he started working on it!
Security Patches, Mitigations, and Software Updates
Schneider Electric Patches Buffer Overflow in PLC Line (Threatpost) Automation and energy management company Schneider Electric patched a vulnerability in a product line this week that was leaving a handful of programmable automation controllers at risk of being hacked
FireEye patches urgent security device flaw (SC Magazine) Researchers at Google's Project Zero discovered a critical vulnerability in FireEye NX, EX, AX and FX network security devices that run on security content version 427.334 or prior versions
Microsoft move to revoke trust in 20 root certificates could wreak havoc on sites (PCWorld) Thousands of websites will generate errors in browsers if their owners don't replace certificates in less than a month
Cyber Trends
Defending Data: Turning Cybersecurity Inside Out With Corporate Leadership Perspectives on Reshaping Our Information Protection Practices (Nuix) In 2014, the inaugural Defending Data report highlighted interesting trends associated with managing and protecting an increasingly ephemeral perimeter; a shift in security policies and procedures; and the evolving role of security officers. This year, there is more recognition of damage from insider threats; a lack of familiarity with an organization's entire data landscape; and a rising appreciation for security among corporate executives
Predictions for 2016 (Information Security Buzz) A number of Touchdown Clients have predictions for 2016
Five key cybersecurity trends for 2016 (Help Net Security) The overwhelming shift to mobile and cloud computing among both businesses and consumers will see some surprising additions to the risk landscape in 2016. ISACA shares five cyber risk trends for the coming year that CISOs and CIOs should have on their radar
2016 Cybersecurity Predictions (Anitian Blog) Cybersecurity was definitively in the spotlight for 2015. From the server room to the board room and every hallway in between, everybody was talking about hacking, breaches, and vulnerabilities
Could the Internet of Things spark a data security epidemic? (BetaNews) Internet of Things this, Internet of Things that — it's all anyone can talk about these days
Insight Annual Report: Travel now in cyber attackers’ sights (Travolution) With travel companies firmly in the sights of data hunters, cyber security expert Simon Borwick of Deloitte spoke to Ian Taylor
A third of UAE firms hit by cyber security breaches (Gulf News) Country on list of the top 10 destinations targeted by criminals, survey shows
UK businesses 'slow to respond to unusual network activity' (We Live Security) UK businesses are slower to react to possible data breaches than their international counterparts, a new study has concluded
Cyber-attack risk is too great to ditch the experts (Telegraph) Cybercrime is big business these days, and is evolving fast
Marketplace
Hack attacks and data law boost European cyber insurance demand (Reuters) New European legislation on data privacy is helping push up regional demand for cyber insurance, industry specialists say, after companies such as TalkTalk and Experian were affected by hackers earlier this year
Should you buy cyber insurance? (Network World) With the number of breaches reaching an all-time high in 2014 many businesses are looking to mitigate risk with insurance
What's Wrong with Our Ad? Inside Digital Advertising Cyber Risks (Legaltech News) A session at ALM cyberSecure discussed the nature and potential of this expanding industry
Healthcare cyber security market to hit $10.85B worldwide by 2022, study says (HealthcareDive) A new report by Grand View Research, Inc., a U.S. market research and consulting firm, estimates the global healthcare cyber security market will reach $10.85 billion by 2022, thanks to the rapidly increasing number of cyber attacks, regulatory and security compliance issues, and internal data leaks
SEC Approves Plan to Issue Stock Via Bitcoin's Blockchain (Wired) The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come
Exclusive: CACI in the lead to buy Lockheed's IT business — sources (Reuters) Defense contractor CACI International Inc (CACI.N) has emerged as the top contender for Lockheed Martin Corp's (LMT.N) government information technology (IT) business, as the interest of rival bidders fades, people familiar with the matter said
A Look At A Potential Takeover Of CyberArk (Seeking Alpha) There has been a good amount of consolidation in the IT security industry as tech giants acquire small companies. A takeover of CyberArk would be one of the largest deals of the IT security industry. A takeover of CyberArk could carry a premium of 42% of current share prices
ManTech Awarded $5 Billion MAC IDIQ Contract to Provide Cyber Security and Information Systems Technical Support to the Defense Technical Information Center (CNN Money) ManTech International Corporation (Nasdaq:MANT) has been awarded a Cyber Security and Information Systems Technical Area Tasks (CS TAT) contract by the Defense Technical Information Center (DTIC) to provide advanced, full-scope cyber research and development to support multiple technical projects. The contract is a 5-year multiple award contract, indefinite delivery, indefinite quantity (IDIQ) vehicle. The contract ceiling value is $5 billion
Intelligence Should Recruit Like Google (TechCrunch) An interesting story made the rounds back in August. While conducting a search for "python lambda function list comprehension," programmer Max Rosett was suddenly invited to attempt a cryptic coding challenge
Products, Services, and Solutions
Rogers Pitches Cybersecurity Offering (Multichannel News) Develops 'leapfrog' in Partnership with Trustwave
InterApp: The Gadget That Can Spy on Any Smartphone (Softpedia) Israeli company provides an easy-to-use smartphone hacking gadget, complete with an administration panel
PhishMe report shows employees can become assets in anti-phishing battle (CSO) PhishMe report shows employees can improve their ability to detect phishing emails with practice
Social Media Pressure Forces Google To Restore Deleted Cyber Security App (HackRead) On 17th October 2015, a generous man uploaded an application on Google Play Store named "Cybrary"
Technologies, Techniques, and Standards
This video shows why the Death Star needed a cybersecurity platform (Technical.ly Baltimore) CyberPoint International has some pointers for the Galactic Empire's IT staff
Security Tech: It's Not What You Buy, It's How You Deploy (Dark Reading) Good information security depends on a holistic strategy, not on an elite lineup of discretely moving parts
Preventing Hail from the Cloud: Securing the 3 Types of Cloud Models (Legaltech News) You need to know which of the three cloud models your organization will be using and what tools and services your CSP offers you to secure your data
5 Elements of a Reliable Cyber-Control Framework (BizTech) These steps will ensure you roll out cybersecurity smartly and strategically within your organization
Privacy And Security: Learn From Best Practices For HIPAA Compliance (Forbes) Industries such as healthcare and financial services are special targets for data breaches and cyber criminals because, as bank robber Willie Sutton said, "that's where the money is"
Validating Supply Chain Cybersecurity (Dark Reading) How to identify risks, understand downstream effects, and prepare for incidents
The Ultimate Guide to Online Privacy (Fried) Below you will find guides on how to do things from securing your email and encrypting your files, to securing your online storage and privatising your online messaging. We've also compiled 150+ tools and resources to help protect your privacy online
Advent tip #19: Grab hold and give it a wiggle! (Naked Security) The suggestion to "grab hold and give it a wiggle" may not sound like useful security advice
Advent tip #20: Free Wi-Fi is handy — but think before you connect! (Naked Security) Free Wi-Fi can be astonishingly handy
Advent Tip 21: Bought online? Watch out for bogus courier emails! (Naked Security) If you've been doing any last-minute online shopping for Christmas gifts, you may well be waiting with increasing anxiety for the items to be delivered
Santa's datacenter is the most secure in the world. (InformationWeek) The quickest way to end up on the naughty list
Design and Innovation
Vuvuzela, a next-generation anonymity tool that protects users by adding NOISE (TechFinancials) Cryptography is the science of keeping secrets, with encryption algorithms and methods such as public key encryption the gold standard. Despite widespread usage and heavy scrutiny, these ciphers remain unbroken. But while encryption can keep messages secret, it cannot protect the identities of the sender and receiver
Research and Development
Researchers Break "Unbreakable" Quantum Cryptography (Softpedia) Before it even had a chance to be deployed within real-world applications, a group of Swedish scientists have already found a way to break quantum cryptography, a novel, advanced concept for encrypting data using the laws of physics themselves
The alchemy of big data in government (The Hill) For nine luminous centuries, the Library of Alexandria was a grand beacon of innovation
Academia
Oxford University to launch cybersecurity centre in Victoria (ZDNet) Oxford University's Global Cyber Security Capacity Centre will open a new office in Australia, which will see Melbourne become the first location for the global initiative outside of the United Kingdom
Legislation, Policy, and Regulation
Obama Signs Cyberthreat Information Sharing Bill (GovInfoSecurity) Legislation requires scrubbing of PII before it's shared
Congress approves surveillance legislation tucked into budget package (Ars Technica) Obama to sign bill that one senator says has "unacceptable surveillance provisions"
Cyber security information sharing protections included in omnibus bill (Business Insurance) Companies that voluntarily share information about data breaches with the federal government will receive greater protection against privacy suits under a provision in the omnibus spending bill passed by both houses of Congress on Friday
Cybersecurity's winners and losers (The Hill) Congress on Friday approved its first major cybersecurity bill in years as part of a sweeping end-of-year spending deal
CISA — A win for safety or unimportant bill? (Check & Secure) Do you remember my chat about the Cybersecurity Information Sharing Act (CISA)? About how we discussed the issue of safety vs. privacy? The verdict is in. Safety won over privacy
Industry pros, tech firms displeased with cyber bill (SC Magazine) The U.S. House approved controversial cybersecurity legislation buried within a $1.1 trillion government spending agreement that was needed to prevent a government shutdown
How the United States Can Win the Cyberwar of the Future (Foreign Policy) Cold War-era deterrence theory won't cut it anymore
Final verdict on the cybersecurity bill (Politico) The good, the bad, and the ugly… The evil empire's incompetent cybersecurity. With the latest "Star Wars" flick hitting theaters, here's a timely reminder from CyberPoint that the Galactic Empire was terrible at protecting its computers
Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors (Wired) Encryption backdoors have been a hot topic in the last few years — and the controversial issue got even hotter after the terrorist attacks in Paris and San Bernardino, when it dominated media headlines. It even came up during this week's Republican presidential candidate debate. But despite all the attention focused on backdoors lately, no one noticed that someone had quietly installed backdoors three years ago in a core piece of networking equipment used to protect corporate and government systems around the world
'We're America': Why Apple's CEO thinks we can have both encryption and national security (Business Insider) Apple CEO Tim Cook remains a strong supporter of encryption, even as governments continue to question the method of securely gathering data in wake of terrorist attacks
Opinion: Encryption backdoors are killers of the innovation economy (Christian Science Monitor Passcode) A government mandate for access to secure communication technologies would cripple the security of the Web and hurt the thousands of small companies that make up the backbone of the Internet
FDA Official: We Can't Share Data Without a Better Security Policy (Nextgov) The Food and Drug Administration's security policy isn't "mature enough" to share data with citizens or with the private sector, the agency's chief technology officer said during a recent panel discussion on health IT
Banks told to get tough on cybersecurity in 2016 (ZDNet) 2016 New York state cybersecurity requirements for banks, expected to be applied country-wide, include multi-factor auth, regular audits and pentests, and exacting third-party vendor cybersecurity scrutiny
How United Is Saudi Arabia's New Anti-Terror Coalition? (Defense News) Days after Saudi Arabia announced the launch of a major anti-terror Islamic military coalition, details remain scarce, including what the coalition will do, how it could affect Syria and, even, who is part of it
China's cyber-diplomacy (China Media Project) China's World Internet Conference is last week's news, but the event will likely reverberate for years to come, as China seeks international support for its notion of a "multilateral" approach to the governance of global cyberspace
Government set to clean up digital network with botnet cleaning centre (Economic Times) Dirty streets aren't the only thing the Narendra Modi government hopes to clean up
Cyber security specialists leave Germany to tackle cyber policy challenges in 47 nations (DVIDS) Eighty-seven cyber security specialists from 47 nations return home this weekend after attending the two-week Program for Cyber Security Studies at the George C. Marshall European Center
Snowden to appear via video link at New Hampshire convention (Washington Times) Edward Snowden will appear via video link as a featured speaker at a New Hampshire convention of libertarian activists
Litigation, Investigation, and Law Enforcement
Bernie Sanders campaign sues the DNC after data breach (Engadget) Sanders' campaign calls the DNC's decision to block it from voter data 'sabotage'
Who Backdoored Juniper's Code? (Data Breach Today) Flaws allow silent authentication bypass, VPN decryption
Should visitors to Islamic State sites face punishments like fines or jail time? (Naked Security) In the US, it was called Operation Avalanche. In the UK, its name was Operation Ore
Venezuela Sues U.S.-Based Currency Exchange Website for 'Cyber-Terrorism' (World News Daily) Desperate attempt to disguise South American nation's economic collapse