Cyber Attacks, Threats, and Vulnerabilities
Cyberespionage arsenal could be tied to French intelligence (Computerworld) Five additional Trojan programs are related to the Babar malware that Canada's government thinks came from French intelligence
Casper spy program reaches computers via security vulnerability (Pressebox) Third piece of malware linked to Canadian intelligence documents discovered
Bloc Québécois website apparently hacked, taken over by 'United Islamic Cyber Force' (National Post) A group calling itself the United Islamic Cyber Force took credit for a cyber attack on the Bloc Québécois website and many other sites Monday morning
Italy's Hacking Team allegedly sold Ethiopia's despots cyberweapons used to attack journalists (BoingBoing) Ethiopia's despotic regime has become the world's first "turnkey surveillance state," thanks to technology sold to it by western companies, including, it seems, Italy's Hacking Team, whose RCS spyware product is implicated in an attack on exiled, US-based journalists reporting on government corruption
Xiaomi says Mi 4 smartphone tested for security issues was a fake (SC Magazine) A smartphone maker says that a firm's security analysis of one of its phones was actually done on a counterfeit device
Malware Snoops Through Your Home Network (TrendLabs Security Intelligence Blog) In recent years, we have seen a lot of reports about home routers being vulnerable to attacks. Our research as early as 2008 shows malware rigging routers to redirect users to different sites. Other attacks we have seen include backdoors and possible DNS rebinding attacks. In these scenarios, the intent and goal of the attacks are pretty straightforward
Fancy a cryptocoin miner with your Torrent client? "Foistware" back in the spotlight… (Naked Security) You're probably all-too-familiar with "foistware"
BEDEP: Backdoors Brought Into The Light By Flash Zero-Days (TrendLabs Security Intelligence Blog) The earlier Flash zero-days of the year have brought a new malware threat to the forefront: the BEDEP malware family. It has been the payload of two zero-day exploits in recent weeks: CVE-2015-0311 in late January, and CVE-2015-0313 in early February
Ouch! Google crocks capacitors and deviates DRAM to root Linux (Register) 'Rowhammer' attack flips bits in memory to take control of the kernel
State Investigating Cyber-Attack On FSA Testing System (CBS Miami) South Florida students did not encounter any technical issues Monday while taking the state's new standardized test, however, the state's top law enforcement agency is investigating testing delays caused by cyber-attacks on a server used to administer the Florida Standards Assessment (FSA)
Busted scammer resorts to death threats (Naked Security) When his phone rang and he began to listen to the crook on the other end, Jakob Dulisse wasn't fooled for an instant by the "Microsoft tech support" scam
Whoops! AVG data centre KO'd by 'unplanned' outage (Register) Anti-spam software hit, firm says all will be well again 'soon'
How a UK Bank's Security Flaws Dodged FCA Scrutiny (Computer Business Review) Two-factor flaws and a plethora of bugs passed by the regulators
Cyber criminals turn their attention to cloud service credentials (ComputerWeekly) Cyber criminals are turning their attention to cloud-based services to steal credentials as the use of cloud-based documents becomes increasingly popular, say researchers at security firm Proofpoint
Security Patches, Mitigations, and Software Updates
Apple fixes FREAK in iOS, OS X and Apple TV — and numerous other holes besides (Naked Security) Apple has just announced its latest round of security updates
iOS 8.2 stops attackers being able to restart your iPhone with a malicious Flash SMS (Graham Cluley) Apple rolled out a brand new version of iOS for iPhone owners today, largely in readiness for the imminent arrival of the Apple Watch
Seagate Confirms NAS Zero Day, Won't Patch Until May (Threatpost) Seagate, over the weekend, confirmed the zero-day vulnerability in its Seagate Business Storage 2-Bay NAS boxes disclosed March 1. But in the same breath, it told customers exposed to the vulnerability that a patch is still two months away
TextSecure to Drop Support for Encrypted SMS (Threatpost) Open Whisper Systems is phasing out support for encrypted SMS and MMS messages in its TextSecure messaging product. The move does not spell the end for encrypted messaging for users of the Android app, as the company plans to switch to its own transport protocol to address some of the security and performance issues inherent in SMS
Dell Enhances Cloud Access Manager With More Security Features (eWeek) Adaptive risk-based security lands in Dell's access management single-sign-on platform
February 2015 Cyber Attacks Statistics (Hackmageddon) Here we go with the aggregated statistics extracted from the Cyber Attacks Timelines of February 2015
Cyber Trends
Should we hack the hackers? (Guardian) Western companies are being fleeced for hundreds of millions by cybercriminals. Is it time to give them a dose of their own medicine?
Enterprises Seek Third-Party Compliance with Security Requirements (eSecurity Planet) 79 percent of respondents to a recent survey said ensuring that partners comply with their security requirements is a top priority in the coming year
Data classification ranks in top 3 security controls (Help Net Security) Bloor Research surveyed 200 senior IT security executives in the UK and the US, all with organizations that have more than 1,000 employees
Marketplace
Cybersecurity Companies Booming in Wake of Major Corporate Cyber Attacks (Intellectual Property Brief) Over the last year and a half, several major multinational corporations have fallen victim to an unprecedented number of massive cyber attacks and security breaches. Consumer databases and information systems have released millions of records. But not everyone is suffering; cyber security companies and the overall stock market are reaping the benefits of hackers' dirty work
Why Israel could be the next cybersecurity world power (ITWorld via CSO) A well established university program, major industry partners, sponsored research projects and a venture capital partner give Beersheva the makings for becoming a major cybersecurity player
Startup Focuses On Stopping Data Exfiltration (Dark Reading) Former Akamai and Imperva exec heads up new security firm enSilo, launches an operating system-level endpoint security tool
Defense Firm Called Isis Wins $7 Million Pentagon Cyber Contract (Nextgov via Defense One) A little-known Virginia startup company with an unfortunate name will help Pentagon analysts sift through big data research to track threats
Shortage of security pros worsens (Network World via CSO) Cisco estimates a million unfilled security jobs worldwide
Obama Unveils Cyber Training Initiative (GovInfoSecurity) Program aims to bolster nation's high-tech workforce
Akamai CSO takes a creative approach to finding security pros (Network World via CSO) Andy Ellis, chief security officer at Akamai, doesn't try to hire perfect candidates. Here's why
FireEye CTO Tony Cole Enters Wash100 List for Public Sector Cyber Leadership (GovConWire) Tony Cole has been listed among this year's Wash100 most influential leaders in GovCon for his leadership role in the public sector cyber market
Products, Services, and Solutions
NSS Labs Launches New "Radar" for Cyber Threats (Yahoo! Finance) World's first cyber Advanced Warning System™ helps clients focus on the threats relevant to their environment
Tired of paying for automated scanning and still seeing your website hacked? (Help Net Security) Try ImmuniWeb now. ImmuniWeb combines automated assessment with manual penetration testing performed by experienced security experts
Pindrop Security (Jitter) Protect your assets, reputation, and goodwill before your company becomes the next big news story
CertainSafe Neutralizes Threat of Payment Card Industry (PCI) Data Breaches with Solution that Sets New Record of Tokenization at 2 Billion Bits (CBS 8) MicroTokenization® adds protection to data "around the card", adding to the newest requirement set for October 2015 EMV Standards
NRI SecureTechnologies Launches New Cutting-Edge Security Operation Center in US (Nomura Research Institute) Firm strengthens services to promote information security measures for global companies
Check Point Strips Malware From Emails in Less Than a Second (Infosecurity Magazine) Check Point is claiming to offer 100% malware-free emails with a new threat protection service that strips away any unsafe content in real-time
Technologies, Techniques, and Standards
OpenSSL To Undergo Major Audit (Dark Reading) The Linux Foundation's Core Infrastructure Initiative funding work to take a closer look at the TLS stack
Techniques, Lures, and Tactics to Counter Social Engineering Attacks (Dark Reading) If you are unsure of whether a destination link is safe, tools like TrustedSource are a good place to start
Managing cyber risks more than just IT: p&c conference (Canadian Underwriter) Managing cyber risk in brokerages is really about managing people, not just IT issues, said two speakers at Insurance Canada's 13th Annual P&C Insurance Technology Conference in downtown Toronto on Monday
For threat intelligence programs, ROI evaluation proves tricky (TechTarget) Threat intelligence programs are taking root in many enterprises, but experts say variables like disparate service offerings, pricing models and response capabilities make ROI evaluation a vexing proposition
CISO's Need a Seat at the Table (Venafi Blog) Cyber breach headlines are on the increase and underscore the need for security awareness at the very highest levels of an organization. In 2014 alone, hundreds of millions of records were stolen and tens of millions of dollars were spent on investigations, fines and lawsuits. I was wondering… in how many cases did the CISO have access to the Board of Directors?
How to keep your connected home safe: 7 steps you can take to boost home security (TechHive) The Internet of Things is based on sensors and controls in all sorts of devices. When those types of devices are used to create a smart home, they can give residents unprecedented control and insight. The proliferation of smart devices, however, also opens the door to new dangers and threats
Why the Hillary Clinton email story is a big deal (CSO) A look into the security problems behind Hillary Clinton's use of a personal email address for official government business. Could the same thing happen at your company?
Don't Be Like Hillary: Tips to Make Sure Your Email is Safe and Sound (MainStreet) Most people have something in common with Hillary Clinton, and it has nothing to do with politics: they struggle to keep their email accounts safe. This could be particularly dangerous as far as their finances are concerned
Small-time security threats bigger concern (Automotive News) Hackers? Stolen laptops more likely an issue
Design and Innovation
'Dark' coins rising (CSO) Cryptocurrency users are stepping up efforts to make payments untraceable and fully anonymous
The Security Download: Anticipating Cyberattacks with Machine Learning (Wall Street Journal) Artificial intelligence and machine learning are playing a larger role in cybersecurity, which can in theory help companies identify risks and anticipate problems before they occur. The idea is to create software that can adapt and evolve to combat ever-changing attack strategies, or identify patterns of suspicious behavior
Wearable technology — vulnerabilities are too often ignored (IT Security Guru) Whilst wearable technology and Internet of Things (IoT) are popular, security concerns are often ignored for convenience
Research and Development
Galois Successfully Demonstrates 'Anti-Hacking' Software For UAVs And Cars (Midland Daily News) To address growing evidence that commercial Unmanned Aerial Vehicles (UAV), automobiles and other vehicles are vulnerable to hacking and sophisticated cyber security attacks, Galois today announced it has developed and successfully demonstrated what has been called "the world's most secure UAV software"
Academia
Mother-Son Team Poised For Cybersecurity National Finals (Leesburg Today) A Leesburg 11-year-old discovered a love for cybersecurity less than a year ago and is now on his way to go up against some of the brightest young minds in the nation at the CyberPatriot National Youth Cyber Defense Competition this week
Legislation, Policy, and Regulation
New Zealand Prime Minister Retracts Vow to Resign if Mass Surveillance is shown (Intercept) In August, 2013, as evidence emerged of the active participation by New Zealand in the "Five Eyes" mass surveillance program exposed by Edward Snowden, the country's conservative Prime Minister, John Key, vehemently denied that his government engages in such spying
Government must encourage cyber threat information sharing to combat hacking (The Hill) In such uncertain times, Americans are justifiably seeking safety and security. That extends to their lives in cyberspace, where threats are poorly understood and growing
Cybersecurity legislation needed to safeguard personal information (The Hill) In representing Texas's 4th Congressional District, I have the privilege of meeting many hardworking Texans who together represent all aspects of our diverse private sector
Stepping up defense of net infrastructure (The Hill) You leave for work and lock the door behind you. You get in the car and fasten your seatbelt. On the highway, you abide by the legal speed limit. These choices reflect a desire for physical security and an awareness, even subconsciously, of potential danger in your daily routine
U.S. credit unions locked in cyber battle with their regulator (Reuters) A common question asked of people in positions of power is what keeps them up at night
The government is doubling down on cybersecurity — really this time (Washington Business Journal) I tend to be reluctant to make definitive forecasts, but I'm ready to say 2015 is quickly turning into the year of cybersecurity. Yes, cyber has been a top concern for several years, and several policy initiatives are simply carrying over. But a brand new initiative potentially brings a fresh, game-changing new focus to the crucial concept of cyber threat sharing
Should the U.S. be able to counter-attack nation-state cyber-aggressors without attribution? (The Stack) The testimony of U.S. Navy Adm. Michael S. Rogers on March 4th — before the House Armed Services Committee on cyber operations and improving the military's cybersecurity posture — not only paints an unusually vivid picture of a nation trying to re-invent its military infrastructure in response to a problem that it only partially understands, but also provides some indication as to the means by which it intends to get off the back-foot regarding response policies to cyber-attacks such as last autumn's Sony Hack incident
Maritime Security: Sneak Preview of the Coast Guard's Cybersecurity Strategy (In Homeland Security) Last week, the Coast Guard participated in a maritime cybersecurity learning seminar and symposium with American Military University (AMU) and Command, Control and Interoperability Center for Advanced Data Analysis (CCICADA) at Rutgers University. The organizers of the event plan to publish a comprehensive book on cybersecurity as an outcome of the symposium. The attendees included participants from government, private sector and academia. CCICADA is the Department of Homeland Security's University Center of Excellence on cybersecurity
Cyber Subs: A Decisive Edge For High-Tech War? (Breaking Defense) THE FUTURE: Imagine you're a Chinese high commander, taking stock at the outbreak of the next great war. All your aides and computer displays tell you the same thing: For hundreds of miles out into the Western Pacific, the sea and sky are yours. They are covered by the overlapping threat zones of your long-range land-based missiles, your Russian-made Sukhoi aircraft, your home-grown stealth fighters, and your ultra-quiet diesel submarines, all cued by your surveillance network of sensors on land, sea, air, and space
Litigation, Investigation, and Law Enforcement
Curious Case of M. Yousefi: How Iran Traps its Facebook users with "Black Spider" Program (HackRead) A 27-year-old graduate student, Mohammad Yousefi, was sent to prison in Iran as part of a crackdown on social media users using the "Black Spider" trapping project
Justice Dept. vows to strike harder against hackers, nations behind cyberattacks (Christian Science Monitor: Passcode) John Carlin, chief of the Justice Department's National Security Division, says the US needs to raise the stakes for cyberattacks on the US: If the cost of stealing information from American companies results in swift criminal action or sanctions, hackers may eventually decide it's not worth it
Authorities Strike Against Dozens Of Cyber Crooks (Dark Reading) Last week was a banner week for the arrest and indictment of criminals accused of data theft, massive fraud, and DDoS attacks against private and public sector targets
Canada's anti-spam law gets first success with $1.1m fine (Naked Security) Canada's fledgling anti-spam laws have brought their first success, with a $1.1 million fine levied against a Canadian business training firm
Pence offers assistance in cyber attack investigation (WTHI TV) Governor Mike Pence is among those seeking to find out who committed cyber attacks on websites in Indiana
Microsoft Case: The Government Responds, But Fails to Convince (Just Security) The government has now filed its Second Circuit brief in the dispute with Microsoft (discussed here, here, and here), challenging key assertions by Microsoft and its many amici, and making a strong argument that a warrant issued under the Stored Communications Act (SCA) requires Microsoft to turn over emails in its custody and control, regardless of whether they are being held (in this case in Dublin)
Programmer Pleads Guilty to Hacking High-Voltage Power Manufacturer's Networks (Dark Matters) In yet another example of the difficulty in combating threats from malicious insiders, a former employee has pled guilty to hacking into the computer network of a Long Island-based company that manufactures high-voltage power supplies
Armed robber caught after boasting about planned stick-up on Facebook (Naked Security) Doing. Tesco. Over. Andrew Hennells wrote it at 7.25 pm on 13 February. At 7:40 pm, that's exactly where he was: trying to rob a branch of Tesco, the UK supermarket chain