Cyber Attacks, Threats, and Vulnerabilities
The Bloody Battle of Website Defacement: "ISIS" Hackers vs. WordPress (Infosec Island) Police and FBI are investigating defacement attacks on numerous North American websites in which attackers placed an ISIS flag banner on website home pages and played an Arabic song in the background
State Dept. Shuts Down Email After Cyber Attack (ABC News) The State Department shut down large parts of its unclassified email system today in a final attempt to rid it of malware believed to have been inserted by Russian hackers in what has become one of the most serious cyber intrusions in the department's history, U.S. officials told ABC News
Maldoc VBA Sandbox/Virtualization Detection (Internet Storm Center) As could be expected, we witness an arms race when observing the evolution of VBA malicious documents. First the VBA code was trivially simple (download and execute), then obfuscation was added (strings and code), and now we see more attempts to evade detection
MongoDB tool vulnerable to remote code execution flaw (CSO) A MongoDB tool, phpMoAdmin, uses eval() on a public-facing GET function
The FREAK Vulnerability: From Discovery to Mitigation (Infosec Institute) A few weeks ago, security experts discovered a new major security SSL/TLS vulnerability, dubbed FREAK, that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of legitimate and secure websites
Facebook worm spreads by leveraging cloud services (Help Net Security) Facebook users are in danger of having their computers turned into a bot by a worm that spreads via the social network
VIRLOCK Combines File Infection and Ransomware (TrendLabs Security Intelligence Blog) Ransomware has become one of the biggest problems for end users as of late. In the past months alone, we have reported on several variants of both ransomware and crypto-ransomware, each with their own "unique" routines. We recently came across one malware family, detected as PE_VIRLOCK, that not only locks the computer screen but also infects files — a first for ransomware
Malicious Android App Fakes Shutdown and Allows Bad Guys to Take Control (Trend Micro: Simply Security) The more our lives become dependent on mobile devices like Android smartphones, the more important it is to have mobile security to protect them and our digital lives. This is not just a concern for the future, but affects many users today in ways they could never have anticipated
Don't trust other people's USB flash drives, they could fry your laptop (IDG via CSO) Have you ever heard stories about malicious USB thumb drives frying laptops and thought they were far fetched? An electronics engineer heard them too, and then set out to create a prototype
Strange snafu hijacks UK nuke maker's traffic, routes it through Ukraine (Ars Technica) Lockheed, banks, and helicopter designer also affected by border gateway mishap
BBC website goes offline, but Jeremy Clarkson probably not to blame (Graham Cluley) This weekend, the BBC's website was inaccessible to millions of internet users around the world
Jamie Oliver's website found spreading malware… again (Graham Cluley) You won't need an incredibly good memory to recall that Jamie Oliver's website was found to have been spreading malware recently
Can Your Smart Car Be Hacked? The Frightening Reality Is That Worse May Be Happening on the Road (Main Street) Today's cars ship with big brains. Sensors monitor everything from oil temperature to tire pressure and, on many cars, they can tell you exactly how many miles you can drive before running out of gas. Cars also are networked, and that means their condition and location can, in many cases, be monitored remotely
Pssst: Wanna Buy a Used Spy Website? (Wired) The names suggest a parade of C-list websites. There was NewJunk4U.com and Monster-Ads.net, CoffeeHausBlog.com and SuddenPlot.com. But, these sad-sounding domains actually were artful creations of the National Security Agency: They were fronts for distributing and controlling government malware around the world
Security Patches, Mitigations, and Software Updates
After Delays, Samsung Patches Social Media Vulnerability in Millions of Devices (Threatpost) Samsung patched a vulnerability last month in SNS Provider, a popular application that manages other social media apps present in millions of its devices. If exploited the bug could have given attackers the ability to access any personal information users stored on Facebook, LinkedIn and Twitter
Apple iOS 8.2 Has Two Nasty Surprises (Forbes) iOS 8.2 gets a lot right. Don't let the Apple Watch compatibility fool you, the update is mostly about optimisations and bug fixes and in this regard it is the company's most diligent release to date. Yet 24 hours on what has become clear is that there are two nasty surprises awaiting users
Bypassing ASLR with CVE-2015-0071: An Out-of-Bounds Read Vulnerability (TrendLabs Threat Intelligence Blog) Almost every Patch Tuesday cycle contains one bulletin that (for convenience) rolls up multiple Internet Explorer vulnerabilities into a single bulletin. February's Patch Tuesday cumulative IE bulletin (MS15-009) included a fix for a particularly interesting vulnerability that could be used to bypass one of the key anti-exploit technologies in use today, address space layout randomization (ASLR)
Microsoft EMET 5.2 is available (Internet Storm Center) Microsoft has announced a new release of the Enhanced Mitigation Experience Toolkit (EMET) 5.2
Yahoo Introduces Password-Free Login — Just Don't Lose Your Phone (TechCrunch) Yahoo wants to end your dependency on memorizing passwords — or creating crap ones that can be guessed or hacked — after it introduced a new "on-demand" system that sends a one-time password when you need to log in
Cyber Trends
Online trust is at the breaking point (Help Net Security) IT security professionals around the globe believe the system of trust established by cryptographic keys and digital certificates, as well as the security of trillions of dollars of the world's economy, is at the breaking point
New York's top bank cop says "cyber 9/11" attack could happen (Albany Times-Union) Department of Financial Services Supt. Benjamin Lawsky says threat of financial market panic is biggest concern
7 In 10 Businesses Struggle To Sustain PCI Compliance (Dark Reading) Maintaining PCI compliance is a bigger challenge than achieving it for many companies, Verizon study finds
Digital Transformation Ends in Breaches For 40% of UK Public Sector (Infosecurity Magazine) Nearly half (40%) of UK public sector organizations have suffered a data breach as they struggle to keep up with the pace of digital transformation demanded by Westminster, according to Iron Mountain
Homeland Security says US industrial control systems hit by 245 cyber attacks in 2014 (HazardEx) US industrial control systems were hit by cyber attacks at least 245 times over a 12-month period, the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has revealed. ICS-CERT is part of the National Cybersecurity and Integration Center, which is itself a unit of the Department of Homeland Security
Trustwave: 78% of IT Pros Expect to Partner With MSSP in 2015 (MSP Mentor) Most businesses anticipate pressure to protect their organizations against cyber threats will increase this year
Forty per cent of public-sector bodies 'have suffered data breach', lack of skills blamed (Computing) Forty per cent of IT leaders in the public sector have admitted that their department has suffered a data breach because management is struggling to deal with the pace of change as more and more services shift towards digital
Marketplace
Nevermind Your Cyber Defense: "Ostrich Security" Is Impacting Your Brand and Reputation (SecurityWeek) Recently, Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University, wrote a very compelling piece in which he asserts — justifiably, I might add — that large corporations have little actual incentive to invest in cybersecurity
Survey: 54% of Patients Would Switch Providers After Data Breach (HIT Consultant) 54 percent of patients say they would be "very" or "moderately likely" to change providers after a security data breach impacting their personal health information, according to a recent survey conducted by Software Advice. In light of recent high-profile security breaches at medical organizations such as Anthem, Software Advice surveyed patients on their fears of a breach, and explored how software solutions can minimize data security risks
Chief Data Officers — The Case for the Defence (WillisWire) A large number of financial institutions (FIs) have appointed chief data officers (CDOs) over the past couple of years. I know a few of them and while they come from a wide variety of backgrounds — some technical, some business, some 'data geek' — they share a common belief that an organization's data is one of its most important assets. They would like to be shaping their data agenda to help drive business growth, even business transformation. However, most of them find themselves fighting a rearguard action, focusing on the basics, laying fundamental foundations without which the 'clever stuff' is no more than a pipe dream
CyberArk Tumbles after Pricing 4M Secondary Public Offering (Zacks) Shares of the global IT security software solution provider, CyberArk Software Ltd. (CYBR) declined approximately 7% yesterday after the company announced the pricing of the secondary public offering registered last month
Business Briefs: Pindrop Security Raises $35 Million (India West) Atlanta, Ga.-based Pindrop Security, a provider of phone fraud prevention and call center authentication, has raised $35 million in series "B" round funding led by Institutional Venture Partners, with participation by existing investors Andreessen Horowitz, Citi Ventures, Felicis Ventures, Redpoint Ventures and Webb Investment Network
Google's "security princess" targets bugs, "boys club" rep (CBS News) The tech industry may finally be tackling its "boys club" reputation. At Google, one employee is a rising female star and has what may be the most unusual job title in the field, CBS News' John Blackstone reports
Products, Services, and Solutions
BlackBerry partners with IBM, unveils high-security Samsung tablet (CBC) The BlackBerry owned-company Secusmart has unveiled a new high-security tablet at CeBIT, a technology conference in Hanover, Germany
AlienVault Partners With T-Systems and Deutsche Telekom to Power New Cyber Defense Solution (MarketWired) Partnership enables 'German Mittelstand' mid-market customers to detect and mitigate the impact of a breach
'Google VPN' in-built Hidden Service spotted in Android 5.1 (Hacker News) Good news for all Android Lollipop-ers! Google appears to be secretly working on a Virtual Private Network (VPN) service, dubbed 'Google VPN'
Yahoo will offer end-to-end e-mail encryption by year-end (BizNews) Yahoo said Sunday it plans to introduce "end to end encryption" for email this year to boost privacy protection for users concerned about snooping from governments or hackers
Yahoo puts email encryption plugin source code up for review (IDG via PC World) Yahoo released the source code for a plugin that will enable end-to-end encryption of email messages, a planned data-security improvement prompted by disclosures of U.S. National Security Agency snooping
Mozilla Releases Open Source Masche Forensics Tool (Threatpost) Mozilla has released an open source memory forensics tool that some college students designed and built during the company's recent Winter of Security event
Service lets CISOs compare effectiveness of security products (IT World Canada) Ever wondered how your IT security environment stacks up against another organization's? What your weak products are? Or which applications create the most problems for a given malware
Technologies, Techniques, and Standards
Influential National Association of Insurance Commissioners (NAIC) Moves On Cyber (CTO Vision) Cybersecurity practitioners and policymakers have long been discussing the potential positive benefits of smart insurance policy and standards to reduce risk. Of the many actions and activities we see in the insurance world today, the news of NAIC involvement is seen as particularly interesting
Principles for Effective Cybersecurity Insurance Regulatory Guidance (NAIC) Due to ever increasing cybersecurity issues, it has become clear that it is vital for insurance regulators to provide effective cybersecurity guidance regarding the protection of the insurance sector's data security and infrastructure
ISACs Demystified (Dark Reading) How some intelligence-sharing organizations operate in the face of today's threat landscape
Enterprise scenarios for threat intelligence services (TechTarget) Expert contributor Ed Tittel explains which types of organizations need a threat intelligence service as part of a proactive, layered security strategy
Investigating and Detecting Command and Control Servers (TrendLabs Security Intelligence Blog) Information about the overall threat landscape can be gathered from many sources. One useful method is by looking at the overall activity of botnet command-and-control (C&C) servers, as used both in targeted attacks and in attacks against the broader Internet user base
Deconstructing Threat Models: 3 Tips (Dark Reading) There is no one-size-fits-all approach for creating cyber threat models. Just be flexible and keep your eye on the who, what, why, how and when
Mistakes the Good Guys Make During a Hack Attack (Reuters via the Fiscal Times) Financial advisory firms are so busy trying to prevent computer hacking that they sometimes neglect an equally vital issue: what to do when hackers succeed
Has Security Ops Outlived Its Purpose? (Dark Reading) CISOs will need more than higher headcounts and better automation tools to solve today's security problems
Lessons from Anthem: Make Every Employee Part of the Cyber Security Team (Entrepreneur) By now, many of us in the cyber security world are combing through a litany of materials to analyze the causes, motives and methods of the Anthem data security breach that turned the health insurance conglomerate upside down and affected more than 80 million people
Listen to your employees or deal with shadow IT (Help Net Security) Data leakage, compliance breaches, business inefficiency and hidden costs are just some of the risks organizations are leaving themselves open to by not meeting the IT demands of their workforce
Protecting sensitive data: an approach to prevent data exfiltration (Security Affairs) Data exfiltration is a mechanism of data breach that occurs when an individual's or organization's data is illegally copied from its systems
Hurry shipmates — the black hats have hacked our fire control system (Register) Infosec younglings stave off cyber-assault on WWII cruiser
This is what a cyber attack on London looks like (BT) The Cyber Security Challenge is putting on quite a show in London to test its finalists, with a career in online protection at stake
It was risky as hell, but the crazy thing is that Hillary Clinton's home email server actually worked (Quartz) Responding to mounting questions, Hillary Clinton — the former US secretary of state and a presumptive presidential candidate — said this week that she "opted for convenience" by using a personal email account instead of her official one
Anti-doxing strategy — or, how to avoid 50 Qurans and $287 of Chick-Fil-A (Ars Technica) Act before it's too late. Simple strategies can minimize the physical toll of doxing
Design and Innovation
IBM reported to be investigating 'Bitcoin-style', blockchain-based currency transaction system (The Stack) IBM is investigating the possibility of using the underlying exchange mechanism of Bitcoin to develop a digital cash system based on existing national currencies, according to an inside source
Hey Twitter, Killing Anonymity's a Dumb Way to Fight Trolls (Wired) Tor users started reporting last week that they are being prompted more frequently than ever for a phone number confirmation when creating a new Twitter account — or in some cases when using a long-standing account. This development is disastrous for the free speech the platform generally stands for, and will likely not curb the abuse for which it has come under fire. If this change was targeted at that harassment — addressing the leaked acknowledgment from CEO Dick Costolo that "We suck at dealing with abuse and trolls on the platform and we've sucked at it for years" — it's a dangerous example of the Politician's Syllogism: we must do something; this is something; therefore, we must do this
Research and Development
Sell By Date: Research Finds Stolen Data is a Perishable Commodity (Digital Guardian) New research to develop a computer based model of cyber crime finds that time is the critical element assessing the cost of cyber incidents
MIT launches three-pronged effort to thwart cyber attacks (Network World) Groups across university will work with businesses to develop technical, regulatory and managerial remedies
Legislation, Policy, and Regulation
China put its crackdown on foreign tech companies on hold — for now (Quartz) China's proposed law that would require tech companies to help the government spy on their users has been put on hold, according to the White House's top cybersecurity official. The controversial law would have required foreign tech companies wishing to do business in China to make their encryption keys available to authorities, and build special "back doors" in their software to enable Chinese government surveillance
Wyden blasts cyber threat-sharing bill (The Hill) Sen. Ron Wyden (D-Ore.) lambasted a controversial cybersecurity threat-sharing measure after it passed the Senate Intelligence Committee on Thursday
Amias Gerety: Treasury Eyes Collaboration on Cyber Info-Sharing Standards, Automation (ExecutiveGov) Amias Gerety, acting assistant secretary for financial institutions at the Treasury Department, has said collaboration between the department and other government agencies as well as the financial industry is key to bolster cybersecurity
Q&A With The Congresswoman Taking On Gamergate (TechCrunch) Earlier this week, Massachusetts Rep. Katherine Clark called other members of Congress to sign a letter with her that demands the FBI crack down on cyberstalking and online harassment
Defense secretary: We could create separate military force to fight cyber wars (Baltimore Sun) Army, Navy, Air Force, Marines — and the Cyber Force? Could be on the cards, new defense secretary says
Cyber force grows, along with retention concerns (Military Times) The military's effort to build a 6,200-strong force of cyber warriors is well underway, but questions remain about long-term retention of the highly skilled troops who will have big opportunities in the private sector
Japan recruits hackers for cyber security force (ComputerWeekly) Japan is the latest country to officially tap into hacking skills to identify and protect against cyber security threats
Full rules for protecting net neutrality released by FCC (Naked Security) The US Federal Communications Commission (FCC) on Thursday laid down 400 pages' worth of details on how it plans to regulate broadband providers as a public utility
Litigation, Investigation, and Law Enforcement
The Crooked Path to Determining Liability in Data Breach Cases (Wired) From the high-stakes international intrigue and political espionage of Stuxnet, to the Sony hack of late 2014, which was first tentatively credited to pranksters, and later conceded to North Korean hackers, the past few years have showcased pretty much every existing version, and underlying motive of cyber-attack — from outright warfare to hacktivist vandalism — all over the news headlines
Three Data Breach Trends to Watch for 2015 (Legal Intelligencer) With 2014 dubbed the "year of the data breach," questions loom over corporations for 2015: When will it happen to us? Are our security measures adequate? Will we be prepared for the fallout? The law is hurrying to keep up with the rapid pace of these leaks and attacks, and it is difficult to predict how data breach scenarios will play out in the future. Here is a snapshot of what we might expect to see this year in this area of the law
Assuring Authority for Courts to Shut Down Botnets (US Department of Justice) In our first post, we noted the dramatic growth over the past several years in the incidence of cybercrime that victimizes Americans. One of the most striking examples of this trend is the threat from botnets — networks of victim computers surreptitiously infected with malicious software, or "malware." Once a computer is infected with the malware, it can be controlled remotely from another computer with a so-called "command and control" server
German Police Just Made a Gigantic Dark-Web Drug Bust (Wired) If anyone had forgotten the sheer scale of the dark-web drug trade, German police just offered a helpful reminder. They've seized more than a third of a ton of narcotics from a single online drug seller — a haul that, despite its size, represents an insignificant dent in the burgeoning digital narcotics market known as Evolution
Why the Clinton Email Case Matters (Pell Center Blog) As you may have heard in the news recently, former Secretary of State Hillary Clinton did not use an official US government email with a .gov address during her entire tenure as Secretary, and instead exclusively used a ClintonEmail.com personal address for all State Department-related correspondence
Letter Calls Plea Deal for David Petraeus a 'Profound Double Standard' (New York Times) The plea deal given to retired Gen. David H. Petraeus, which spares him prison time even though he gave military secrets to his mistress, reveals a "profound double standard" in the way the Obama administration treats people who leak classified information, a lawyer for an imprisoned government contractor wrote in a letter to prosecutors
Silk Road moderator "Samesamebutdifferent" pleads guilty, faces life in prison (Ars Technica) Peter Nash, 42, worked for Dread Pirate Roberts for 10 months in 2013
Government Requests For Facebook Data Decrease In U.S. And UK, But Rise In India (TechCrunch) Facebook's latest report on government requests shows a decrease in requests from many Western countries in the second half of 2014, but that's offset by increases from India, Turkey and Russia