Cyber Attacks, Threats, and Vulnerabilities
How Pak cyber firm sold 'salary hikes' for babus to steal govt info (Economic Times) A Pakistani cyber security firm with close ties to Islamabad has been found stealing information from Indian government and defence establishments, according to a two-year investigation by a US-based IT security firm
Equation APT Group Attack Platform a Study in Stealth (Threatpost) Spies thrive only when they're able to quietly infiltrate targets and slither away unnoticed; this principle is the same whether we're talking about the physical world, or digital
CIA spends years trying to break Apple security (ZDNet) Security researchers working for the CIA have been poking holes in Apple security as part of a multi-year campaign
Kaspersky reveals CAPTCHA-tricking Podec Trojan (ZDNet) Kaspersky has unearthed an Android-targeted Trojan, dubbed Podec, that can trick the CAPTCHA image verification system into thinking it is human
DroppedIn: Remotely Exploitable Vulnerability in the Dropbox SDK for Android (IBM Security Intelligence) The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim's knowledge or authorization
Beware of fake invites for WhatsApp's Free Voice Calling feature! (Help Net Security) Fake WhatsApp invites are actively luring users to sites where they are urged to fill out surveys and download unknown applications
Active campaigns deliver old and new ransomware families (Help Net Security) Cyber crooks' love for ransomware continues unabated, and users are warned about several active campaigns trying to deliver the malware on target computers
Tool allows account hijacking on sites that use Facebook Login (IDG via Computerworld) A new tool allows hackers to generate URLs that can hijack accounts on sites that use Facebook Login, potentially enabling powerful phishing attacks
Email Spoofing Flaw Found in Google Admin Console (SecurityWeek) Researchers have identified a security issue in the Google Apps Admin console that could have been exploited to claim any domain and use it to send out spoofed emails
8 Android Security Concerns That Should Scare IT (InformationWeek) Even though mobile operating systems such as Android are superior to PCs when it comes to protecting against security threats, there still are several concerns that IT should beware
Point-of-Sale Device Manufacturer Investigating Card Breach At Soup Franchise (Dark Reading) Are remote administration exploits or new malware strains to blame for the compromise of NEXTEP devices at Zoup! soup shops?
Point-of-sale supplier compromise highlights need to update legacy systems (ComputerWeekly) The compromise of point-of-sale (POS) system supplier Nextep highlights the need to update legacy systems, according to the information security industry
Operating System Vulnerabilities, Exploits and Insecurity (We Live Security) Hands up who believes that OS X and iOS are the most vulnerable operating systems in use today? Well, I find it a bit hard to believe, too, even though I've had a lot of hate-mail over the years for pointing out that Apple's operating systems are not invulnerable
Lack of WordPress User Education Affecting Security Posture (Dark Reading) Survey shows many users lack knowledge to effectively protect their sites
Cyber attack hits Madison, Wisconsin, after police shooting of teen (Reuters) Cyber attackers are targeting city and county computer systems in Madison, Wisconsin, in retaliation for the shooting death of a 19-year-old unarmed black man by police in the Wisconsin capital, city officials said on Tuesday
UPDATE: FBI joins in effort to combat cyber attack following shooting (AP via WMTV) The FBI is investigating a cyber attack focused on Internet resources for city and county governments in Madison that comes after a white police officer shot and killed an unarmed biracial teenager
Bulletin (SB15-069) Vulnerability Summary for the Week of March 2, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
Patch Tuesday patches FREAK, Universal XSS (Ars Technica) Two high profile and widely publicised flaws are among the many others fixed
Microsoft Security Bulletin Summary for March 2015 (Microsoft Security TechCenter) This bulletin summary lists security bulletins released for March 2015
Patched Windows Machines Exposed to Stuxnet Link Flaw All Along (Threatpost) A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010
Microsoft and Lenovo work on cleaning up 60,000 Superfish infected PCs (Win Beta) In the wake of Superfish, there seems to be a BP oil spill-like taint on the Lenovo brand in the eyes of many consumers. Trust was lost, images were tarnished and the MacBook-toting crowd began their chants of superiority. Unfortunately, Lenovo didn't just ruin their name alone, as with most things that go wrong with PCs (usually driver related), Microsoft was run through the wringer for this as well. Questions of whether or not Microsoft's licensing policies led to this sort of OEM greed or should Microsoft have built a better system to avoid this type of tampering, etc
Yahoo Patches Critical eCommerce, Small Business Vulnerabilities (Threatpost) Yahoo has fixed a handful of vulnerabilities that could have given an attacker free rein over all of its user-run eCommerce websites and caused multiple headaches for small business owners
Kik Adds Tools to Prevent Child Exploitation on Messaging App (Bloomberg) Kik Interactive Inc., which makes a messaging application popular with younger users, is taking steps to make sure they aren't exploited while using it
Cyber Trends
'Intelligence Failures' Are Inevitable. Get Over it (Cicero) The Iraq War marked the first time that secret intelligence was used in the public domain to justify America going to war
Kaspersky: "A very bad incident" awaits critical infrastructure (CSO) Organizations are slow to upgrade security while attackers are getting better
With 'smart cities' just around the corner, we need to understand the security risk first (Information Age) As the connected infrastructure of our cities grows, the potential for security disaster will grow with it
IoT, new tech pose challenges, rewards in defense (San Diego Source) The Internet of Things promises to bring enormous opportunities to the security and defense fields, but serious risks accompany every benefit as increasing the available tools also increases the threat
Businesses taking PCI compliance more seriously: Verizon (ZDNet) The 2015 Verizon PCI compliance report showed an increase in PCI compliance among businesses globally during 2014
Eighty percent of global merchants fall short on card data security compliance: report (Reuters) Four out of five global retailers and other merchants failed interim tests to determine whether they are in compliance with payment card data security standards, putting them at increased risk of cyberattacks, according to a new report by Verizon Communications Inc
No Application Is Invulnerable, Now What? (Trend Micro Simply Security) Looking back at 2014, we see an abundance of vulnerabilities in Adobe Acrobat, Java, Windows, and others. The steady stream of disclosures came as a shock to no one
The Deep Web: Shutdowns, New Sites, New Tools (TrendLabs Security Intelligence Blog) 2014 was a year in flux for the Deep Web. We briefly discussed this in our annual security roundup, but this is a topic worth exploring in some detail
Marketplace
Most SMBs are Unaware of Cyber-insurance (Infosecurity Magazine) In a business environment that seems chronically susceptible to breaches, purchasing cyber-risk insurance may sound like common sense. Yet despite the historic increase in data breaches in 2014, a new survey has revealed that more than two-thirds (67%) of small and medium-sized businesses (SMBs) are not aware that dedicated cyber-insurance even exists
Stop thinking of fraud as taboo, and start addressing this critical IT security topic (TechRepublic) How much does your business lose to fraud? If you don't know the answer, fraud is likely a taboo IT security topic at your organization. Argyle Data's CEO explains why it shouldn't be
Observations From Advisen Cyber Risk Conference March 3rd in San Francisco (Infosec Island) Advisen provides information, analytics, research, and events for the insurance industry and reaches more than 150,000 commercial insurance and risk professionals at 8,000 organizations worldwide. There were approximately 150 attendees at the Conference from insurance companies, brokers, and consultants. The following were my observations
10 young security companies to watch in 2015 (Network World) One common thread is helping to make detection and remediation easier
Cybersecurity stocks sell off; FBN remains bullish (Seeking Alpha) Security tech plays, several of which were huge gainers in February, have been hard hit (HACK -2.6%) amid a market selloff. Major decliners include FireEye (FEYE -4%), CyberArk (CYBR -6.6%), Proofpoint (PFPT -4.7%), and Vasco (VDSI -5.5%). Imperva is off sharply after announcing a 3M-share offering
Palo Alto and Fortinet gain in network security market (Infotech Lead) The network security appliance and software revenue increased 6 percent to $6.9 billion in 2014. Palo Alto Networks and Fortinet were the star performers
Bain to buy Blue Coat for about $2.4 billion (Reuters) Bain Capital LLC will acquire Blue Coat Systems Inc from fellow private equity firm Thoma Bravo LLC in a deal that the network security company said on Tuesday would value it at about $2.4 billion, including debt
PayPal confirms CyActive acquisition (Globes) PayPal will open a second Israeli development center in Beersheva, based on cyber security company CyActive's offices
Our Journey from Pioneering Predictive Cybersecurity Solution to PayPal (Cyactive Blog) Since launching in 2013, we have been tirelessly developing our future-proof solution to secure networks against increasingly complex multi-pronged cyber attacks. We are excited to announce today that we have entered an agreement to be acquired by PayPal
Startup Spotlight: GuruCul's Risk Analytics (eSecurity Planet) Data breaches occur when identity is compromised or misused, which is why GuruCul focuses on identifying anomalous behavior that can point to identity issues
Wynyard is your modern day Sherlock Holmes (e27) The company uses Big Data and advanced crime analytics to fight serious crimes
Isle of Man steps up efforts to court cryptocurrency startups (ComputerWeekly) The Isle of Man (IoM) government says it's making good legislative headway on the regulation of cryptocurrencies, as it seeks to position itself as a prime location for firms dealing in digital money
Cyber pay bump: Put your security clearance to work (Military Times) Conventional wisdom holds that your security clearance lands you a bigger paycheck in the cybersecurity world. While this is true statistically, it may not be true for you. In cyber, clearance doesn't automatically mean more money
CensorNet snatches Trustwave man for tech push (CRN) Security vendor appoints Alex Kurz as new head of sales engineering
Products, Services, and Solutions
The best 5 secure browsers 2015 (TechWorld) All browsers claim to be secure these days, so is there any point in using one that majors on its security?
Cloudflare Aims to Defeat Massive DDOS Attacks with Virtual DNS (Threatpost) DDoS attacks have been a persistent problem for the better part of 20 years, and as ISPs and enterprises have adjusted their defenses, attackers have adapted their tactics. One of the more effective tools in the attackers' arsenal now is the use of botnets to generate massive numbers of DNS queries for a target site, a technique that can be quite difficult to defend against
Threatglass has pcap files with exploit kit activity (Internet Storm Center) Threatglass is one way to find up-to-date examples of exploit kit traffic. Not all of it is exploit kit traffic, but all of it represents some sort of malicious activity
Cyveillance, Centripetal Networks Combine Tech for Cyber Threat Intell (ExecutiveBiz) QinetiQ's Cyveillance subsidiary has partnered with Centripetal Networks to combine the former's threat intelligence streaming technology and the latter's RuleGate platform to provide customers with actionable information on cyber threats
Cryptsoft collaborates with Intel on key management approach (PRNewswire) Cryptsoft, the preferred OEM provider of technology to the enterprise key management security market today announced a collaboration with Intel focussed on standards based encryption key management using OASIS Key Management Interoperability Protocol (KMIP) conformant technology
Cyber-risk May Take a Bite Out of Apple Watch (Infosecurity Magazine) Apple has unveiled the Apple Watch — a smart wearable that will function as a Mac-on-the-wrist. It has tech-heads excited, but security researchers warn that consumers should be careful of the potential cyber-risks that the gadget's on-board connectivity represents
Technologies, Techniques, and Standards
10 Ways to Leave Cybercriminals in the Dust (Pymnts) Cybercrime is on the rise, as are its associated fraud rings that are now more immune than ever to the multitude of fraud prevention tactics out there. But is there a way to fight the criminals' intelligence with even more sophisticated intelligence?
Hack yourself first: How we can take the fight to the black hats (Help Net Security) The Internet has increased the interconnectivity of everyone and everything on the globe. From healthcare to commerce, public services and beyond, being connected has enriched our quality of life like never before. But it's also exposed businesses and consumers alike to unprecedented levels of risk
Four Critical Questions to Ask Yourself When Looking for a Cyber Threat Intelligence Partner (iSIGHT Partners Blog) When looking at the Cyber Threat Intelligence (CTI) market, you should approach your research with the idea that you're not buying technology so much as forming a partnership with your vendor. Force multiplication is a core value proposition for this segment of the security market, as is enhanced effectiveness of the team you have in place
IT Disaster or Data Breach?: 7 Must-Do Steps (Information Management) It's no secret 2014 was a notable year for enterprise IT crises, and it's safe to say 2015 will have its fair share of scares as well. Unfortunately, data breaches aren't the half of it — system and service outages can be equally (if not more) devastating to enterprises. While major IT disruptions are damaging, preserving customer trust and confidence afterward is the next challenge organizations must perfect
How CIOs can create a culture of security awareness (FierceCIO) Numerous studies have agreed that IT security is the top concern among CIOs this year, especially with the topic rising to discussions among top boards of directors. That makes it critical that CIOs be able to communicate security risk at the executive level, and obtain buy-in for security investment
Security, Know Thine Enemy (SecurityWeek) Security professionals must know the categories of threats an enterprise faces and how to respond to each
An Audit Versus an Assessment (Infosec Island) A lot of people are always calling their PCI assessment an audit. However, certified public accountants (CPA) would tell them that there is a vast difference between the two
Legislation, Policy, and Regulation
Parliament Report Dismisses Cameron Encryption Ban (Computer Business Review) Authors claim 'widespread agreement' that anonymising tech should stay
Australia could become Asian cyber security base, says CBA's security chief (CIO) But we need to get our "home front" sorted first and make Australia a hard target for cyber criminals
Guest Post: Is the Sony Hack the Dawn of Cyber Deterrence? (Council on Foreign Relations) In the confines of national security, deterrence is the act of preventing another party from taking action out of fear of the consequences. In the attack against Sony Pictures Entertainment, North Korea failed in deterring Sony from releasing the movie "The Interview," and the United States failed in deterring North Korea from attacking Sony. Why? In cyberspace, the rules of the game are different. States are not deterred and regard cyberattacks as consequence-free because adversaries have not paid a price for the attacks. That changed with Obama's unprecedented actions against North Korea and may herald the dawn of cyber deterrence
NSA Director Adm. Michael Rogers discusses freedom, privacy and security issues at Princeton University (NJ.com) Edward Snowden is not the "whistleblower" some have labeled him to be after releasing top-secret government information, said Adm. Michael Rogers, director of the U.S. National Security Agency
Government report and US senator criticises Air Traffic Control network security (Lumension Blog) New York Senator Charles Schumer held a press conference this weekend, demanding "immediate action" to improve the security of the Federal Aviation Administration's computer systems
State Says It Needs to Rebuild Classified Computer Networks After Hack (Nextgov) The State Department says it needs to reconstruct its classified computer systems after suffering a hack the agency has said only affected its unclassified networks
Litigation, Investigation, and Law Enforcement
Cyber Regulators Emphasize Process Over Products (Forbes) It has been called "the most important cybersecurity case you've never heard of," and now it's getting a second life. The core issue in the dispute between the Federal Trade Commission (FTC) and Wyndham Worldwide Corporation is whether the FTC has the authority to enforce data security standards in the US commercial sector. Last April a federal judge ruled in favor of the FTC, but Wyndham has appealed. The 3rd Circuit Court of Appeals heard oral arguments earlier this month, and regardless of how that court rules, that decision is also likely to be appealed
Wikimedia v. NSA: Wikimedia Foundation files suit against NSA to challenge upstream mass surveillance (Wikimedia Blog) Today, the Wikimedia Foundation is filing suit against the National Security Agency (NSA) and the Department of Justice (DOJ) of the United States
ACLU: Snowden proved NSA Internet spying harms Americans (AP via KLTV) The American Civil Liberties Union and other groups sued the National Security Agency and the Justice Department on Tuesday, challenging the government's practice of collecting personal information from vast amounts of data harvested directly from the Internet's infrastructure
Lawsuit seeks damages against automakers and their hackable cars (Computerworld) A Senate report backs up claims that automakers haven't addressed electronic security
Clinton: Private email had 'no breaches' (The Hill) Former Secretary of State Hillary Clinton said on Tuesday that her private email server has never been compromised by hackers
Experts are skeptical that Hillary Clinton's 'homebrew' email server could withstand cyberattacks (Business Insider) As Hillary Clinton sought to assure the public that her exclusive use of a private email account while working in the State Department was innocuous, cybersecurity experts are wondering whether she could have exposed the nation to a major security threat
Cyber expert: Hillary's press conference did not inspire confidence (Business Insider) At a press conference on Tuesday, Hillary Clinton told reporters that the private email server she used while working in the State Department "had numerous safeguards" and "there were no security breaches"
Government to Drop Charges in Federal Employee Hacking Case (AP via ABC News) A National Weather Service employee accused of illegally accessing a restricted federal computer database containing information about the nation's dams, stealing information and lying to federal investigators will have charges against her dismissed if a judge approves the prosecution's request