Cyber Attacks, Threats, and Vulnerabilities
Weighing the pros, cons of blocking ISIS's access to social media (Homeland Security Newswire) The Islamic State has successfully used social media to spread its ideology, share videos of beheadings, and recruit new followers. U.S. counterterrorism agencies have launched their own social media campaigns to diminish ISIS's effects on would-be jihadists, but some officials have considered whether it would be simpler to cut off ISIS from social media networks altogether. Doing so would no doubt limit ISIS's reach on Western recruits, but could it create a challenge for officials looking to monitor the group's activities?
Enterprise Security vs. Nation State Threat Actors (Dark Matters) The recently published slides regarding the Gemalto hack have caused quite a stir amongst security practitioners, board members and politicians alike, but the uproar is minor when considering that it is now more than clear that not only non-allied nations such as China, Russia and Iran are attacking commercial entities
Gemalto insists state hacking story more about privacy than security (Telecoms) Speaking to Telecoms.com at Mobile World Congress 2015 Remi de-Fouchier, Marcomms VP of Gemalto's telecom business unit, insisted the issues raised by the latest round of Snowden revelations are more to do with privacy than security
Joint effort guts Superfish (Computerworld via CSO) Microsoft's malware detection data shows that Lenovo's crapware has been scrubbed from about 250K Windows PCs
"Row hammering" — how to exploit a computer by overworking its memory (Naked Security) There's yet another new groovy exploit name on the "this is an interesting security problem" block
New crypto-ransomware encrypts video games files (Help Net Security) A new piece of ransomware that (mis)uses the Cryptolocker "brand" has been analyzed by Bromium researchers, and they discovered that aside from the usual assortment of file types that ransomware usually targets, this variant also encrypts file types associated with video games and game related software
Cyber crooks take advantage of ad bidding networks to deliver ransomware (Help Net Security) Malware peddlers are taking advantage of real time advertising bidding networks to deliver ransomware to unsuspecting users, FireEye researchers are warning
MazelTov! More Android Malware Coming to a Mobile Device Near You (IBM Security Intelligence) Today's motley cybercrime economy is by no means unfamiliar grounds to those tasked with defending their organizations from its many nefarious devices. Cybercriminals congregate in underground forums and darknets globally, peddling everything a would-be cybercriminal could need, from identities and exploits to Web injections or a place to hide a botnet
Talos Discovery Spotlight: Hundreds of Thousands of Google Apps Domains' Private WHOIS Information Disclosed (Cisco Blogs) In mid-2013, a problem occurred that slowly began unmasking the hidden registration information for owners' domains that had opted into WHOIS privacy protection
Huge IT Slider WordPress plugin opens SQL injection hole (Help Net Security) The 50,000+ active users of the Huge IT Slider WordPress plugin are advised to update to the latest version, as it closes a vulnerability that can be exploited by website administrators and anonymous attackers to inject and execute arbitrary SQL queries within the application's database
Security vendor's blog post pinched to make HMRC phish look legit (Register) TrustWave fights off attack of the poison .PNG from the past
KHNP hacker demands money to withhold documents (World Nuclear News) A hacker who launched a cyber attack on Korea Hydro and Nuclear Power (KHNP) last December has released more files and demanded money in return for not exchanging sensitive information with third countries
Florida Not the First to Suffer Testing Cyber Attack (Sunshine State News) Florida is the latest victim of a cyber attack, leaving many students unable to log in and complete the writing portion of the Florida Standards Assessment, but the Sunshine State hasn’t been the only place where technological issues have caused problems for standardized testing
Data security glitch on Verizon Wireless exposes woman's personal data (KATU) Verizon Wireless announced upgraded privacy protections after KATU uncovered a glitch that exposed a woman's personal information
Privacy group wants to shut down "eavesdropping" Barbie (Naked Security) On Valentine's Day, toy maker Mattel introduced its Wi-Fi, microphone-sporting, speech-recognising, interactive Barbie doll
Security Patches, Mitigations, and Software Updates
Paper: Windows 10 patching process may leave enterprises vulnerable to zero-day attacks (Virus Bulletin) Aryeh Goretsky gives advice on how to adapt to Windows 10's patching strategy. Patching is hard, especially when the code base is old and the bugs are buried deeply. This was highlighted once again this week when Microsoft released a patch for a vulnerability that was thought to have been patched almost five years ago, but which could still be exploited
Cyber Trends
Cybersecurity is super scary (Intelligent Utility) But head-in-the-sand time is over
How Data-Breach Hype Undermines Your Security (Tom's Guide) Some media outlets called last month's data breach at health-insurance company Anthem, which resulted in the theft of highly sensitive personal information pertaining to up to 80 million people, a "sophisticated attack." However, later reports showed that weak authentication had let hackers into the database, and that a lack of proper encryption had allowed the personal information to be shared
2,400 unsafe mobile apps found in average large enterprise (Help Net Security) The average global enterprise has approximately 2,400 unsafe applications installed in its mobile environment, according to Veracode
Former national intelligence director Mike McConnell fears for U.S. cybersecurity (Columbia Missourian) The United States will not have the largest global economy within 10 years, a single person could freeze trillions of dollars in milliseconds and every major American corporation has been digitally infiltrated by Chinese hackers
Energy sector tops list of US industries under cyber attack, says Homeland Security report (M2M) A report issued today by the US Department for Homeland Security says that in 2014 the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 245 incidents reported by asset owners and industry partners
Marketplace
Online security in insurance sector (ComputerWeekly) Much of Quocirca's research looks at the differing attitudes to IT between various business sectors. For example, a 2014 report titled Online domain maturity, which was sponsored by Neustar, showed that retailers and financial services were the most likely to be interacting online with consumers. Another 2015 report, Room for improvement, Building confidence in data security, which was sponsored by Digital Guardian, showed that by some measure, financial services were the most confident about data security
This is how much a data breach will cost your company (San Francisco Business Times) Huge data breaches or hacks at Anthem, Target, Sony and Home Depot have made headlines recently
The reason companies don't fix cybersecurity (CBS News) U.S. air traffic control systems are vulnerable to hackers, says the General Accounting Office. Cybercriminals target retail loyalty cards. Obsolete encryption leaves phones vulnerable
OpenDNS Acquires BGPmon (BusinessWire) OpenDNS enhances cloud-delivered security services and research capabilities with acquisition of network monitoring company
Vista Said to Hire Bank to Sell Network-Security Firm Websense (Bloomberg) Vista Equity Partners LLC hired Citigroup Inc. to help it find a buyer for network-security company Websense Inc., people with knowledge of the matter said
PayPal Quickens Its Acquisition Pace For Enhancing Customer Security (GuruFocus) The online payments player PayPal is about to be spun off from its parent company, eBay Inc (EBAY), within the coming few months; the spin-off was announced last September. To compete better in the fast-moving online payments segment, PayPal acquired Braintree to boost its own mobile platform called OneTouch. On March 10, PayPal declared that it is on the verge of completing another vital acquisition, which would aid in preventing data breaches during online payment and thus would prevent hackers from deciphering confidential information of its golden customers
Bugcrowd seals $6 million Series A funding round (ZDNet) Australian-founded online crowdsourced security testing startup Bugcrowd is preparing for a period of rapid expansion after completing a $6 million Series A funding round led by Costanoa Venture Capital
4 Reasons Why FireEye Is My Top Pick In The Cybersecurity Space (Seeking Alpha) FireEye reported a 163% revenue increase in 2014 and is forecasting an additional 50% growth in 2015. The company gained notoriety in the first quarter of 2014 on word that its software had identified a breach at Target before it became a bigger issue. It's estimated that the penetration rates for next generation cybersecurity are still less than 10% leaving a lot of room for further revenue growth and investment. FireEye could end up being a takeover target for a big technology firm like Cisco
Palo Alto Networks: Well-Positioned In A Promising Industry (Seeking Alpha) Palo Alto Networks has impressed with its quarterly earnings, beating on many important metrics and growth figures. Palo Alto Networks continues to innovate at a torrid pace, consolidating market share and displacing legacy cybersecurity business. While Palo Alto Networks is well-positioned in the cybersecurity industry, there are still many risks associated with this constantly evolving digital space
Kaspersky, Avast look to entice security partners (Channelnomics) Kaspersky offering greater loyalty and performance incentives, Avast looking to cultivate new crop of MSPs
Cyber Security Challenge: Hack into HMS Belfast and blow up the Mayor (Independent) But the winner of this week's cyber security challenge could find themselves protecting the UK
Former Mandiant chief architect to lead research team at Endgame (SC Magazine) Jamie Butler, former chief architect and chief researcher at Mandiant has been named chief scientist at cybersecurity vendor Endgame, where he will lead the company's research on advanced threats, vulnerabilities and attack patterns
Products, Services, and Solutions
3 mobile email solutions Hillary Clinton can use next time (FierceMobileIT) The stir surrounding Hillary Clinton and the choices she made as secretary of state regarding her mobile work practices have thrust secure device management into the national spotlight. And while the debate is raging over whether or not Clinton was as careful with state intelligence as she should have been, it has certainly made clear that the options users are offered in today's marketplace far outstrip what was available then
Attack Mitigation Platform handles high-volume cyber attacks. (Thomasnet) Intended for carriers and cloud providers, DefensePro® x4420 can address volumetric DDoS attacks while simultaneously picking out and mitigating sophisticated non-volume threats
Webroot Helps 443 Networks Harness The Power Of Collective Threat Intelligence (BusinessSolutions) Webroot, the market leader in cloud-based, real-time internet threat detection, recently announced a partnership with 443 Networks, a developer and distributor of security platforms. The partnership provides 443 Networks with a highly distributed and highly cooperative learning system to deliver smarter security with Webroot BrightCloud Security Services
BT Enhances Security Portfolio With Darktrace's Cyber Threat Detection Capabilities (PRNewswire) Enterprise Immune System technology to be integrated in BT's security offerings
Swimlane launches automated security operations management platform (GCN) Phoenix Data Security has announced the launch of Swimlane, a new security operations management platform and company focused on empowering enterprises and government agencies with data-driven automation and orchestration for incident response and improved security operations
netool.sh - MitM Pentesting Opensource T00lkit (Kitploit) netool.sh toolkit provides a fast and easy way for new arrivals to IT security pentesting and also to experienced users to use almost all features that the Man-In-The-Middle can provide under local LAN, since scanning, sniffing and social engineering attacks "[spear phishing attacks]"
Technologies, Techniques, and Standards
The first 72 hours are critical for hacking victims (Phys.org) If you've been hacked or had your identity stolen, time is of the essence when it comes to minimising the damage.
US President Barack Obama is seeking US$14 billion to tackle it. The UK wants to build a start-up industry around it. And Australia is in the middle of what could be a year-long review into getting better at it. The issue is cyber security, and at risk is the entire digital economy and consumer confidence in it. In this Cyber insecurity series we investigate the size and nature of the cyber crime threat, the industry growing with it, and the solutions emerging to get in front of it
4 things to consider when allowing Macs into your business (Naked Security) Macs are starting to make serious headway into corporate networks, but they're bringing some challenges with them
Preventing fraud through enterprise password management (Help Net Security) The past few years the world has seen various incidents where students have fraudulently modified their school grades, progress reports and attendance records. Recently, there was the incident at the Dutch Barleaus Gymnasium where pupils managed to glean the principal's password, upon which they modified their grades and attendance data from throughout the entire year
Determining Whether a HIPAA Data Breach Occurred (HealthITSecurity) Covered entities need to be able to determine if a HIPAA data breach has taken place following the potential exposure of sensitive data. The implementation of the HIPAA Omnibus Rule slightly changed this process, in that there were new determining factors for assessing exactly what constitutes a data breach
Design and Innovation
Pentagon To Launch Hacker Proof Helicopter Drone By 2018 (Defense One) Boeing is set to replace 100,000 lines of code on its Little Bird drone before a test flight this summer
Halifax trials heartbeat identity authentication (ComputerWeekly) Halifax is testing a technology that identifies customers by their heartbeats, to allow them access to banking services
Research and Development
NIST 2015 SBIR Grants to Fund Research in Manufacturing, Clean Energy, Cybersecurity and Bioscience (NIST Technology Partnerships Office) The National Institute of Standards and Technology (NIST) Small Business Innovation Research (SBIR) program is offering to fund research projects that address specific challenges in the fields of advanced manufacturing, climate change and clean energy, cybersecurity, health care and bioscience
DHS's Brothers tweets about science and tech projects, goals (FierceHomelandSecurity) Reginald Brothers, who heads the Homeland Security Department's research and development arm, took to Twitter March 1, answering questions ranging from cybersecurity and airport security to the Islamic State
Navy engineer impacts public-private sector research on wearable and embeddable technology (DVIDS) How easy is it to hack a pacemaker? Your "FitBit" is designed to track your physical movements. Who else can see it?
Academia
Meet the Air Force's future cyber force (FCW) The young Air Force Academy cadets are glued to their computer screens, staring at jumbled lines of code. One is trying to hack a website in a competition sponsored by the Pentagon's research arm. Another is working on reverse-engineering problems generated by a Korean website
South Dakota CAP cyber team at national competition (KELO) A team of cadet cyber-sleuths from the Big Sioux Composite Squadron in Brookings, members of the Civil Air Patrol's South Dakota Wing, are competing in the national finals of CyberPatriot-VII which began today in Washington, D.C. The national finals competition runs from 11-15 March
UA to Launch Interdisciplinary Cyber Crime Minor (UA News) The demand for cyber professionals doesn't look to be slowing down. The Pentagon and Congress announced March 5 the approval to hire 3,000 civilian cyber experts, in part because of growing cyber security threats and the struggle by Cyber Command to keep up
Cyber-Security University Announces Accreditation (Virtual Strategy Magazine) EC-Council University (ECCU), sister company of the world-renowned EC-Council creator of the Certified Ethical Hacking Certification (CEH), announces their accreditation from Distance Education Accrediting Commission
Legislation, Policy, and Regulation
EU plans new team to tackle cyber-terrorism (BBC) Plans for a new Europe-wide counter-terrorism unit are being presented to European ministers
U.K. intelligence watchdog defends nation's bulk data spying as necessary (Washington Post) A British intelligence watchdog defended U.K. security agencies' bulk online data collection Thursday but called for a new law to clarify the agencies' "intrusive powers" to help improve public trust
Securing territorial sovereignty in cyberland (Jakarta Post) Decades ago, a computer was nothing more than a calculating device plugged into an electrical outlet in the wall. Yet now we see many forms of computers, like digital watches, smartphones, tablets and whatnot
CSIS gives recommendations for shoring up cybersecurity, while protecting privacy (FierceGovernmentIT) In response to the increase in cyber threats' frequency and complexity, a new report makes 11 recommendations for shoring up security while protecting privacy through information sharing
Cyber Threat Information Sharing: Recommendations for Congress and the Administration (Center for Strategic and International Studies) As technology and the Internet continue to evolve and grow in complexity, so, too, does the nature of cyber attacks. The economics of cyber attacks are skewed to favor the attacker: exploits are easily acquired and can be reused on multiple targets, and the likelihood of detection and punishment is low
Will Public/Private Threat Intelligence Sharing Work? (Network World) Past examples point to a mixed record of success and failure
CISA Cybersecurity Bill Advances Despite Privacy Concerns (Wired) For months, privacy advocates have been pointing to flaws in CISA, the new reincarnation of the cybersecurity bill known as CISPA that Congress has been kicking around since 2013. But today that zombie bill lurched one step closer to becoming law
How the CIA can get from spy to cyberspy (Los Angeles Times) Agility and digital savvy traditionally haven't been the strong suits of government agencies, so it's encouraging that CIA Director John O. Brennan wants a big investment in cyberespionage and a new Directorate of Digital Innovation as part of what he calls a "bold" reorganization of the CIA. Brennan's overhaul is commendable, but it's urgent to do more to make his agency cyber literate
Coast Guard cyber plan to focus on ports, shipping (Federal Times) The Coast Guard plans to unveil a new cyber security strategy within the next month that focuses on protecting not only Coast Guard networks and systems from cyber attacks, but also the country's 3,600 sea ports and the ships they serve
DHS CIOs see cyber, budgets as top concerns (FCW) Cybersecurity remains the biggest headache for CIOs at the Department of Homeland Security, but they say the steady drumbeat of smaller and smaller budgets stings, too
Veterans helping state fight cybersecurity war (KING 5) The state of Washington is recruiting and training military veterans to help fight a war on cyberterrorists
Litigation, Investigation, and Law Enforcement
Hillary's private email server was insecure during first 3 mths as secretary of state (Russia Today) For the first three months Hillary Clinton was secretary of state, her private email server was not encrypted, according to a new report. That left her communications vulnerable while she conducted government business, including international travel
New York private investigator pleads guilty to computer hacking charge (SC Magazine) A New York City-based private investigator has pled guilty to one charge of conspiracy to commit computer hacking, which carries a maximum sentence of five years