Cyber Attacks, Threats, and Vulnerabilities
Anonymous takes credit for massive cyberattack on Turkey (The Hill) Hacking collective Anonymous is claiming responsibility for a slew of cyberattacks on Turkey's Internet that took down hundreds of thousands of the country's websites
Turkish Internet servers reeling under huge cyber attack (Ahram Online) Turkish Internet servers are suffering a powerful cyber attack, slowing banking services and fanning fears that it could be a politically motivated attack from abroad
Cyber threat could drag on and haunt Turkey, experts warn (Today's Zaman) A potential wave of renewed cyber attacks on Turkey's national ".tr" domains is likely as there are fears a recent attack that has disrupted many public and private servers will evolve into what is called spam zombie networks and strike again
Turks wonder what is next as cyber attack hits gov't sites, banks (Sunday's Zaman) As a two-week-long intense cyber attack continues to disrupt Turkey's national ".tr" domain, some security experts have warned that more could follow, targeting the country's transportation, stock index and government infrastructure
Anonymous Claims To Avert Possible Terrorist Attack On Italy (HackRead) The online hacktivist Anonymous claimed to have averted a terrorist attack in Italy planned by the so-called Islamic State (ISIS) or Daesh terrorist group
Austin business' website hacked by pro-ISIS group (KVUE) An Austin health spa's website is back up and running after getting shut down by a terrorist group supporting ISIS
ISIL leader says 'caliphate' well, mocks Saudi-led alliance (USA Today) The Islamic State group on Saturday released a new message purportedly from its reclusive leader, claiming that his self-styled "caliphate" is doing well despite an unprecedented alliance against it and criticizing the recently announced Saudi-led Islamic military coalition against terrorism
Security Experts and Officials Diverge on ISIS as Hacking Threat (New York Times) George Osborne, the British chancellor of the Exchequer, said in a speech last month that Islamic State militants were trying to develop the ability to carry out digital attacks on critical systems, like hospitals, air traffic controls and power plants
Iranian Hackers Claim Cyber Attack on New York Dam (CNBC) An Iranian hacktivist group has claimed responsibility for a cyberattack that gave it access to the control system for a dam in the suburbs of New York — an intrusion that one official said may be "just the tip of the iceberg"
Astorino Wants Answers On Iranian Hack Security Breach In Westchester (Bronxville Daily Voice) Westchester County Executive Rob Astorino issued a call to action within the Department of Homeland Security after learning about a cyber terrorist threat at the Bowman Avenue Dam in Rye in 2013 just two days ago
Homeland Security: No Comment on Rye Bowman Sluice Gate Breach SECURITY: (My Rye) Department of Homeland Security spokesman S.Y. Lee told MyRye.com the DHS has "no comment on the alleged incident" - referring to reports of Iranian hackers breaching the sluice gate controls of Bowman Dam
Is the U.S. ready for the cyber-attack that's sure to come? (Staten Island Live) Is America being targeted for a cyber Pearl Harbor? There is real concern that an attack via the Internet could devastate the U.S. power grid
New York dam hack underscores threat for connected utilities (Christian Science Monitor Passcode) The ability for hackers to penetrate the network at a small dam in New York reveals the risk of more utilities managing facilities via cell networks and the Internet
Juniper ScreenOS SSH / Telnet Authentication Backdoor (Tenable Network Security) An account on the remote host uses a known password
Researchers Say the Juniper Hack Could be the Work of Government — But Which One? (Fast Company) The Federal Government has reportedly joined the investigation of the hack — which experts say could be the work of spies here or abroad
Juniper Networks Spy Code Story Continues (Argyle Free Press) New developments have occurred regarding the discovery of Juniper Networks spy code in its ScreenOS, that took place last week
NSA hacked Juniper's firewall software — Snowden Leaks (TechWorm) Snowden leaks — NSA helped GCHQ spies find vulnerabilities in Juniper firewalls
Honeypot Trap Suggests NSA Monitoring Associated With Juniper Breach (EMQ Tech) As the final days before Christmas wind down many have been focused on family affairs and wrapping those last couple of presents before Santa's fated visit but security researchers and crypto experts at Juniper NetScreen have been scrambling the last few days to remedy a backdoor hack for their VPN firewalls
NSA suspected in Juniper firewall backdoor mystery, but questions remain (ZDNet) Putting backdoors in encryption isn't looking like such a great idea, after Juniper, a major provider of security networking equipment, falls victim to a suspected nation-state attack
Steam security issue exposes users' personal information (Verge) It's the middle of Steam's big winter sale, which means a huge number of people are browsing, buying, and playing games right now on the platform
LiveStream tells users to reset passwords, after possible data breach (Graham Cluley) Video live streaming platform LiveStream is warning customers that account information, including names, dates of birth, phone numbers, email addresses and encrypted passwords may have been accessed by an unauthorised party
Ten Months After Being Taken Down, Ramnit Botnet Returns (Softpedia) At the end of February 2015, Europol in collaboration with multiple security vendors sinkholed the C&C servers of the Ramnit botnet, used for financial fraud
Aethra botnet made up of 12000 Italian devices threatens businesses (Security Affairs) Earlier this year experts at VoidSec discovered the Aethra botnet made up of 12000 Italian devices targeting businesses in various industries
Gootkit banking Trojan jumps the Channel (Proofpoint) First documented in mid-2014 [1], the Gootkit banking Trojan appeared to focus solely on customers from several French banks
Hyatt warns of malware on its payment-processing system (AP) Hyatt Hotels Corp. says it found malicious software on the computer system that processes customer payments, raising the possibility that hackers may have obtained credit card numbers or other sensitive information
Poor security decisions expose payment terminals to mass fraud (IDG via CSO) Cryptographic key reuse is rampant in European payment terminals, allowing attackers to compromise them en masse
Kean University website hacked three times, shut down for days (Union News Daily) Algerian hacker posts expletive-laced condemnation of United States of America; calls for free Palestine
Cyber attack shuts down Rutgers online classroom site (NJ.com) Rutgers University's computer network was attacked on Thursday for the sixth time over the past three college semesters
'Tis the Season for a Law Firm Scamming (American Lawyer) Just in time for Christmas, another law firm is being used in a phishing scam by hackers trying to dupe people into giving up bank account information or click on nefarious links
Security Patches, Mitigations, and Software Updates
Microsoft mistakenly disables macros, other customizations with Word 2016 update (FierceCIO) Microsoft admitted pushing out an update for Word 2016 that prevents customizations, such as macros, autotext entries and styles, from loading
Microsoft accused of releasing 'worst patch yet' for Windows 10 (spoiler: it's not true) (ZDNet) In an all-too-typical pattern, InfoWorld accused Microsoft of releasing a horribly flawed, data-destroying security update for Windows 10, KB3124200. There's only one small problem: That update does no such thing. Is it too much to ask tech reporters to gather some facts before hurling accusations?
Cyber Trends
The Cloud's Biggest Threat Are Data Sovereignty Laws (TechCrunch) The beauty of the cloud is the promise of simplification and standardization — without regard to physical or geographic boundaries. It's this "any time, any place, any device" flexibility that is driving rapid adoption
Why Hacking Is An Integral Part Of The Future Of The Internet (Forbes) As I write this article, a group calling themselves The Phantom Squad have declared that they intend to take down both the Xbox Live and Playstation PSN networks on Christmas Day, and sustain the attack for a week
Cyber security in 2016: Cyber extortion, data breaches and legal reform (V3) A lot has changed in the security industry over the past 12 months, including a rise in cyber attacks against high-profile firms, the genesis of global cyber peace deals and the harsh realisation that no-one is safe from online threats
ESET predictions and trends for cybercrime in 2016 (We Live Security) It's that time of the year when the information security industry takes part in its annual tradition: coming up with cybercrime predictions and trends for the next 12 months
Five Cybersecurity Trends to Watch in 2016 (Xconomy) To no one's surprise, cybersecurity continued to be a key area of concern and struggle among organizations of all sizes in 2015
Threatpost's 2015 Year in Review (Threatpost) With 2015 more or less in the rear view mirror Mike Mimoso and Chris Brook discuss the year in security: Wassenaar, ransomware, Carbanak and Equation Group, how big of a deal Stagefright was, that Juniper backdoor, and more
Cyber siege: What businesses should learn from 2015's hacks against TalkTalk, Carphone Warehouse and Wetherspoons (City A.M.) We will remember the past year in IT security as yet another in which cyber-attackers have got the better of major organisations, from the US government's HR agency, the Office of Personnel Management (OPM) and health insurance giant Anthem over in the States, Hong Kong-based toy manufacturer VTech and Japanese-owned Hello Kitty brand, through to some of our best-known British brands, such as TalkTalk and J.D.Wetherspoons
Security Vendors Report Uptick in Whaling, Phishing Scams (Dark Reading) Expect to see an increase in attempts by cyber crooks to trick businesses and individuals to part with their money say Mimecast, Kaspersky Labs
The Year's 11 Biggest Hacks, From Ashley Madison to OPM (Wired) Every year hack attacks seem to get worse — whether in their sophistication, breadth, or sheer brazenness. This year was no different
The Worst Hacks of 2015 (Motherboard) Last year we witnessed some of the most shocking cyberattacks ever, with North Korea allegedly hacking Sony over the release of a dumb comedy movie to unknown hackers spilling the private nude pictures of dozens of celebrities. For some, it was the year hacking truly became the norm
What MacKeeper, Bitdefender, and Hello Kitty Have in Common (Tech.co) Leakage of sensitive and personal information happens on a weekly basis, and quite a lot of such cases have become very resonate
What does a cyber criminal look for in a potential target? (Yahoo! Finance) Most people are aware of how important being secure online is, but a recent report shows that not everyone perceives that threat equally
Don't expect comprehensive IoT security standards — ever (FierceITSecurity) The IoT market is moving at a fast pace, and that means vendors that are developing new products and services throughout the ecosystem are using their own security mechanisms — or in some cases none at all
Top 10 Reasons To Invest In Cyber Security (DDoS Today) Cyber attacks and major cyber crimes are happening on a daily basis. The frequency of the attacks is increasing fast and those who attack are getting more sophisticated by the day. Cyber attacks have undergone substantial changes and are increasingly difficult to counteract as the attackers' technology advances
Marketplace
Cybersecurity Market Reaches $75 Billion In 2015; Expected To Reach $170 Billion By 2020 (Forbes) In October, The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics promised Forbes readers a December follow up. Part II is here, with a recap on cybersecurity spending in 2015 and projections for market growth over the next five years
Why Tech Companies Must Market Their Security Protection In 2016 (Forbes) In 2016, IT security will be more important than ever before
Microsoft's 2015 Acquisitions: Mobile, Analytics, Security (InformationWeek) Microsoft bought a lot of companies during 2015. What were they, and what did they bring to the tech giant?
Microsoft Cybersecurity Centre in Gurgaon to "Protect India's Critical Infrastructure" (Gadgets 360) Some believe the next big war will be fought in the digital world, and even today, some of the greatest threats that governments and other organisations around the world face are in the form of cyberattacks
Palantir Has Raised $880 Million At A $20 Billion Valuation (TechCrunch) Palantir, the data analytics platform used by government agencies and law enforcement pocketed $880 million in new funding, according to a filing from the Securities and Exchange Commission out today
Dell's subsidiary SecureWorks files for IPO (Oceanside Post) Dell acquired SecureWorks in 2011 for $612m. The placeholder value of the IPO has been kept at $100 million, but this may change after the registration fee is taken into account
SecureWorks IPO Brings Marginal Added Value To Investors (Amigo Bulls) Dell is making its cybersecurity arm, SecureWorks, public to finance a portion of the EMC deal. SecureWorks presents impressive top-line growth but a very disappointing bottom line for a 17-year-old company. SecureWorks IPO does not offer investment opportunities over other players in the cybersecurity space
Products, Services, and Solutions
IBM Shares Threat Intelligence Through App Exchange, QRadar (VAR Guy) Companies generally agree that sharing threat intelligence helps to improve everyone's cybersecurity posture, but some companies are hesitant to do it for fear of giving away too much information
Hillstone Networks Launches CloudEdge to Protect AWS Environments (VAR Guy) Amazon Web Services (AWS) users now have another alternative for protecting their infrastructure with the release of CloudEdge, a virtual firewall solution from network security solution provider Hillstone Networks
Technologies, Techniques, and Standards
Disclose: how soon after a breach should you disclose? (It Security) The recent hack of the UK telecoms company TalkTalk highlights a vexing problem for CISOs: how quickly — and indeed to what extent — should you disclose a breach
Data Breach (Inside Counsel) For many general counsel, a nightmare scenario might be waking up to a phone call alerting them that the organization's data systems have been breached
The Importance of Effective Oversight for Third-Party Risk (RSA Blog) According to Deloitte, there are three main factors that have led to an increased focus on third-party risk in recent years
Malfunctioning Malware (Internet Storm Center) Malware is software. Thus it contains bugs. And like software, sometimes when deployed "in production", it does not work
For Enterprise Cybersecurity, Think Modern Metropolis, not Fortress (Infosecurity Magazine) Once upon a time, cybersecurity was like a bank vault
Protect Your Privacy & Security on the Internet With These Tools (TechCrunch) All across the web companies are collecting information about you whether you like it or not
Advent tip #24: The Big One! (Naked Security) You're allowed to have offline time over Christmas, so we're not giving you a new Advent tip today
Design and Innovation
Australian Securities Exchange is Likely to Integrate Blockchain Into Its Settlement System (Coinspeaker) The Australian Securities Exchange has unveiled it is considering the possibility of incorporating the blockchain technology to improve its clearing and settlement system
Legislation, Policy, and Regulation
Russia, Taliban share intelligence in fight against ISIS (CNN) Russian President Vladimir Putin is turning to an old enemy — the Taliban — to share intelligence as the number of ISIS fighters grows in regional neighbor Afghanistan
New Chinese law takes aim at encryption (ITWorld) If requested, service providers must help the government decrypt content
ISIS Influence on Web Prompts Second Thoughts on First Amendment (New York Times) It is one of the most hallowed precepts in modern constitutional law: Freedom of speech may not be curbed unless it poses a "clear and present danger" — an actual, imminent threat, not the mere advocacy of harmful acts or ideas. But in response to the Islamic State’s success in grooming jihadists over the Internet, some legal scholars are asking whether it is time to reconsider that constitutional line
Manhattan DA: Smartphone Encryption Foiled 120 Criminal Cases (Daily Beast) Crooks and terrorists know: Everything on their late-model smartphones is encrypted. Could one small change both preserve privacy and help cops?
How to unite privacy and security — before the next terrorist attack (Washington Post) This month it was revealed that the Paris attackers used hard-to-monitor, encrypted applications to coordinate their acts of terrorism, a reminder that we face an enemy that is difficult to find and adapting quickly
US military drafting 'new narrative' for ISIS war (The Hill) The U.S. military is seeking to craft a "new narrative" for the war against the Islamic State in Iraq and Syria (ISIS), in part to push back on the growing perception that President Obama does not have a strategy
White House promotes whole-of-nation cyber deterrence strategy (Defense Systems) Following criticism from lawmakers regarding the lack of a cyber deterrence strategy, the Obama administration recently presented its view on the matter to relevant congressional committees, recommending an across-the-board approach to defending against threats
Is the Cybersecurity Act really government spying in disguise? (Christian Science Monitor Passcode) The Cybersecurity Act of 2015, signed by President Obama last week, promises to expand information sharing on digital threats between the private sector and government. Critics, however, call it privacy-killing surveillance legislation
A Practical Path To Cybersecurity (Forbes) In October, the Senate passed a controversial new bill called the Cybersecurity Information Sharing Act (CISA)
Senate looks to beef up network security (The Hill) The Senate is looking to ramp up its network's cyber defenses
DHS rings its privacy policy bell in 2015 (Federal News Radio) The past 12 months were the year of the cyberattack. Government agencies, infrastructure, private companies and citizens were all impacted by cyber breaches
New Freedom of Information Act Request Documents Released by ODNI (IC on the Record) The Office of the Director of National Intelligence is one of seven federal agencies participating in a pilot program to make records requested via the Freedom of Information Act more readily available to the public, as reflected in the recently released Third National Action Plan for Open Government
BITS President: Cyber Guidance Confuses CISOs (BankInfoSecurity) Chris Feeney on why regulators, agencies need to avoid conflicting advice
Cyber risk is the primary issue that calls for immediate attention: IOSCO (Hindu Business Line) Cyber risk has emerged as the number one systemic risk, according to Tajinder Singh, Deputy Secretary General, International Organisation of Securities Commissions (IOSCO). IOSCO is the international policy forum for securities regulators
Paranoid: North Korea's computer operating system mirrors its political one (Reuters) North Korea's homegrown computer operating system mirrors its political one, according to two German researchers who have delved into the code: a go-it-alone approach, a high degree of paranoia and invasive snooping on users
Kevin Nally Joins US Secret Service as CIO (ExecutiveGov) Kevin Nally, a retired brigadier general and former chief information officer of the U.S. Marine Corps, has joined the U.S. Secret Service as CIO, FCW reported Wednesday
Litigation, Investigation, and Law Enforcement
Security Breach Prompts Shake-Up at Israel Missile Defense Office (DefenseNews) A "serious information security violation" forced Israel's Defense Ministry on Sunday to terminate Yair Ramati as head of the Ministry's Israel Missile Defense Organization (IMDO)
DHS not properly measuring effectiveness of cybersecurity framework outreach, GAO says (FierceGovernmentIT) The Department of Homeland Security failed to properly measure its promotion efforts of cybersecurity standards for critical infrastructure, according to the Government Accountability Office
Why cyber crime is so hard to investigate (San Diego Union-Tribune) San Diego's military, biotech and defense contractors make it a constant target
NSA, FBI ask judge to dismiss Utah Olympic spying lawsuit (Deseret News) The FBI and National Security Agency have asked a federal judge to dismiss a lawsuit filed by a former Salt Lake City mayor who claims agencies conducted mass surveillance of emails, texts and phone calls during the city's 2002 Winter Olympics
Decade Old Software Bug Sets 3000 US Prisoners Free (HackRead) A software bug in Washington State Department of Corrections (DoC) has been handing freedom to the inmates well before their sentence was due to end — each year, over 3200 prisoners benefitted from this bug since 2002