Cyber Attacks, Threats, and Vulnerabilities
War by Doxxing (Defense One) Combat pilots are just the most recent victims of a common practice. It doesn't mean that the military has been hacked
Army: We are investigating Islamic State threats (Army Times) The Army says it's investigating an Islamic State group call to harm U.S. troops at home. The militant organization occupying parts of Iraq and Syria reportedly posted the names, photos and home addresses of 100 American service members accused of participating in bombing missions against it
The powerful propaganda being spread online by women in the Islamic State (Washington Post) The Islamic State's online reach is notorious. One study estimated that at least 46,000 Twitter accounts were supporting the militant group in 2014. And while much of the content created by the Islamic State showcases the brutality of the group, a lot actually shows a (relatively) softer side
New IS 'Execution' Video Targets Kurds (Radio Free Europe/Radio Liberty) Footage of a notorious Iraqi Kurdish Islamic State (IS) militant who was reportedly killed in Kobani in February appears in a new video showing the execution-style killing of a Kurdish-speaking prisoner
Snowden Leaks: Canadian Security Establishment Has Tools For 'Deception', 'False Flag' Attacks (International Business Times) Freshly leaked documents show that Canada's electronic surveillance agency has covertly developed a set of cyberwarfare tools designed to steal data and cripple online infrastructure in foreign countries. The targeted countries include ones that Canada has friendly relations with, according to reports
Researchers map Drupal attack that bypasses poorly tuned Web Application Firewalls (CSO) 18 minutes from start to finish, thanks to monitoring mode
DDoS Attackers Distracting Security Teams With Shorter Attacks: Corero Networks (SecurityWeek) Distributed denial-of-service (DDoS) attacks are being leveraged to circumvent cybersecurity solutions, disrupt service availability and infiltrate victim networks, according to a new report from Corero Network Security
Will POSeidon Preempt BlackPOS? (Dark Reading) Research from Cisco Talos uncovers newly evolved POS malware with more sophistication than BlackPOS and similarities to Zeus for camouflage
GoDaddy accounts vulnerable to social engineering and Photoshop (CSO) GoDaddy's layered verification protections defeated by a phone call and four hours in Photoshop
Twitch accounts were compromised, passwords for all users reset (TheNextWeb) Uh oh, game streaming service Twitch has posted a short notice to its blog warning that there "may have been" some unauthorized access to some Twitch user information
DMARC and Spam: Why It Matters (TrendLabs Security Intelligence Blog) Recently I discussed how TorrentLocker spam was using email authentication for its spam runs. At the time, I suggested that these spam runs were using email authentication to gather information about victim networks and potentially improve the ability to evade spam filters. DomainKeys Identified Mail's (DKIM) own specification mentions the possibility of messages from "trusted sources" and with a valid signature being whitelisted
Fake "Incoming Fax Report" emails lead to crypto-ransomware (Help Net Security) Once again, fake "Incoming Fax Report" emails carrying malware are being sent out to random users. Given the popularity of online fax-sending services, there are likely to be many victims
Scammers use Whatsapp calling feature as a lure (Help Net Security) Survey scammers and adware peddlers continue to take advantage of the interest Whatsapp users have in the quietly rolled out Free Voice Calling feature
Google warns of unauthorized TLS certificates trusted by almost all OSes (Ars Technica) Misissued certs known to impersonate several Google domains, may affect others
Maintaining digital certificate security (Google Online Security Blog) On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC
Revoking Trust in one CNNIC Intermediate Certificate (Mozilla Security Blog) Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla's root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control
Apparent cyberattack knocks out state website (WMTW) Website service restored at about noon
Kreditech Investigates Insider Breach (KrebsOnSecurity) Kreditech, a consumer finance startup that specializes in lending to "unbanked" consumers with little or no credit rating, is investigating a data breach that came to light after malicious hackers posted thousands of applicants' personal and financial records online
Study: One-third of top websites vulnerable or hacked (CSO) One out of three of the top million websites are either vulnerable to hacking or already hacked
Bulletin (SB15-082) Vulnerability Summary for the Week of March 16, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
Tails 1.3.1 emergency release fixes security issues (Help Net Security) Tails 1.3.1 is out. This is an emergency release, triggered by an unscheduled Firefox release meant to fix critical security issues
Cyber Trends
Law enforcement and security agencies face big data challenge (ComputerWeekly) Law enforcement and security agencies face the same big data challenge as business, according to John Wright, global director of public safety and justice solutions at Unisys
Cisco 2015 Annual Security Report (Cisco) Understand how attackers are taking advantage of gaps between defender intent and their actions in order to conceal malicious activity and evade detection
Why system testing, a critical aspect of data security, is worsening (Fortune) Pentesting and vulnerability scanning are in decline, according to Verizon's 2015 payment card industry data security report
How cyberattacks can be overlooked in America's most critical sectors (Christian Science Monitor Passcode) Across some of the most crucial sectors of the American economy, there's a lack of consensus of what exactly should be considered a 'cyberincident' — and whether technical mishaps, even without malicious intent, should count. That's a problem
Smart home device vendors know their products are not secure: Symantec (Computer Dealer News) Not only are smart home devices not secure, but device manufacturers are not doing anything about it, according to Symantec
Small businesses pose an easy target for cybercrime (Citizens Voice) Small businesses are more susceptible to cybercrime for many reasons, and thus an easy target, an expert says
Most Small Firms Believe Cyber Protection is too Expensive (Information Security Buzz) Today, there are more SMEs than ever making heavy use of new technologies to cut costs and increase efficiency across all areas of their business. With this, however, comes an increasingly persistent risk of hacking and breaches of security that have the potential to cripple smaller businesses. A recent report has found that many of these small businesses carry misconceptions around cyber protection, resulting in a lack of security which leaves their organisations open to massive hacking losses that last year cost UK businesses between £65,000 and £115,000
Marketplace
Massive Enterprise Endpoint Security Opportunity (Network World) Next-generation endpoint security suite could be a billion dollar play
Six Nordic startups enterprise IT users should watch (ComputerWeekly) Spotify and Angry Birds. Combine the words 'startups' and 'Nordics' and these companies come to mind. But consumer-focused technology is just the tip of the iceberg in the Nordics, with some of the most exciting startups operating in the enterprise space
RedSeal Named to JMP Securities' Fast 50 List of Hottest Privately Held Security and Networking Firms (Marketwired) RedSeal (redseal.co), the cybersecurity certification company, has been named to the JMP Securities Fast 50 list of hottest privately held security and networking companies. The list recognizes innovators that have the capability to dominate their respective markets
Why Shares of CyberArk Software Ltd. Jumped Today (Motley Fool) What: Shares of cyber security company CyberArk Software (NASDAQ: CYBR) jumped on Monday after Bank of America initiated analyst coverage, giving the stock a buy rating and a $60 price target. At noon, the stock was up just over 10%. It had closed Friday at $48.69
Cyber security co SolebitLABS raises $2m (GLOBES) The Israeli company develops cyber-security solutions that protect networks from zero-day attacks and advanced persistent threats
Help us find Washington's next tech innovators: Week Two (Washington Post) Capital Business is teaming up with the Northern Virginia Technology Council to find the area's most interesting product innovations
Airbus Wins UK Cyber Center Research Deal (DefenseNews) The creation of a UK virtual cyber operations center aimed at defeating battlefield attacks took a step forward with the award of a small study contract to Airbus UK by Ministry of Defence researchers
Huawei to assist on cyber security (Monitor) Chinese technology giant Huawei says it is devising ways to assist the Botswana government on issues of cyber security
Kaspersky accused of having close ties to sauna-loving Russian spies (Graham Cluley) An extraordinary story appeared on the Bloomberg website at the end of last week, accusing security company Kaspersky Lab of having "close ties to Russian spies"
When Cybersecurity Meets Geopolitics (Wall Street Journal) FireEye Chief Executive David DeWalt says all major powers have "somewhat national-born security companies." Before American computer-security company FireEye releases a report on new hacker activity, it sometimes gives the U.S. government an advance copy. Dutch competitor Fox-IT trains the Netherlands' cyberwarriors. Moscow-based Kaspersky Lab helps Russian authorities investigate hacking cases
Products, Services, and Solutions
Will 2015 Be Adobe Flash's Swan Song? (eSecurity Planet) Following more critical zero-day exploits, Adobe's Flash platform's place in the enterprise appears as unsecure as the software itself
Technologies, Techniques, and Standards
Working backwards (CSO) How to think about risk mitigation
Good Security Starts with Knowing What's Valuable (Dark Matters) In February 2015, a report was published based on findings from 2014 investigations which revealed that while organizations were discovering compromises faster, less than one third were identifying breaches on their own
'Compliance fatigue' sets in (CSO) Yes, compliance with multiple security frameworks is difficult, time-consuming and expensive. But those who defend it point out that being breached causes much worse headaches
Clintonemail.com: A Cautionary Call To Action (InformationWeek) As former Secretary of State Hillary Clinton becomes ever more embattled in the press and in politics because of her personal email usage, we can draw lessons for enterprises and employees alike on contending with Shadow IT
5 Social Engineering Attacks to Watch Out For (Tripwire: the State of Security) We have become all too familiar with the type of attacker who leverages their technical expertise to infiltrate protected computer systems and compromise sensitive data. We hear about this breed of hacker in the news all the time, and we are motivated to counter their exploits by investing in new technologies that will bolster our network defenses
Reader Forum: How to ensure your business phone systems are secure (RCRWirelessNews) Hackers have been featured on the news recently as credit cards and passwords have been obtained in breaches, leaving millions to worry about whether their bank accounts or e-mail addresses are secure
5 steps to protecting your privacy online (IoL SciTech) These are troubling times for anyone concerned about the security of their electronic data. Hardly a day goes by without news of another hack or some other form of cyber skulduggery on the part of criminals, corporations and even government agencies
Design and Innovation
New Android 'on-body detection' leaves your phone unlocked as long as you keep moving (Naked Security) Google must be taking pity on index fingers fatigued with all that Android unlocking
Extreme cryptography paves way to personalized medicine (Nature) Encrypted analysis of data in the cloud would allow secure access to sensitive information
Digital Dark Age: Information Explosion and Data Risks (Infosec Institute) "Old formats of documents that we've created or presentations may not be readable by the latest version of the software because backwards compatibility is not always guaranteed," says Vint Cerf, Google's Vice President and one of the fathers of the Internet
Legislation, Policy, and Regulation
UK Insurance Act Receives Royal Assent (WillisWire) The Insurance Act 2015 received royal assent on 12th February 2015. The Act, which I described as "the most profound shift in UK commercial insurance law ever," introduces key changes to the duty of disclosure in commercial insurance contracts as well as to warranties and insurers' remedies for fraudulent claims. These measures will not come into force until August 2016, giving all of us enough time to prepare for them
Government support for cyber insurance should hike security awareness (MicroScope) The government is recommending that firms stop viewing cyber security as just an IT issue and start to look at it from a commercial risk perspective, setting out defences and recovery plans should the worst happen
Why the PLA Revealed Its Secret Plans for Cyber War (The Diplomat) Revealing the organizational structure of the PLA cyber forces may serve a deterrence purpose
Cyber Commander: United States needs a Cold War deterrence strategy for peace in cyberspace (Flash//Critic) The commander of the U.S. Cyber Command this week called for creating a Cold War-style balance of power in cyber space mirroring the U.S. nuclear deterrent strategy used against the Soviet Union
Preparing for Cyber War: A Clarion Call (Just Security) In every War College in the world, two core principles of military planning are that "hope is not a plan" and "the enemy gets a vote." Any plan developed without sensitivity to these two maxims is doomed to fail. They apply irrespective of the mode in which the conflict is fought, the nature of the enemy, or the weapons system employed. Unfortunately, some states seem to be disregarding the maxims with respect to cyber operations. They include certain allies and friends around the world, states that the United States will fight alongside during future conflicts. The consequences could prove calamitous, especially in terms of crafting complementary strategies and ensuring interoperability in the battlespace
Editorial: Strengthen Electronic Warfare (Defense News) One of the key lessons of Moscow's invasion of Ukraine is the potency of Russia's electronic warfare capabilities, the product of decades of focused investment
CISA Security Bill: An F for Security but an A+ for Spying (Wired) When the Senate Intelligence Committee passed the Cybersecurity Information Sharing Act by a vote of 14 to 1, committee chairman Senator Richard Burr argued that it successfully balanced security and privacy. Fifteen new amendments to the bill, he said, were designed to protect internet users' personal information while enabling new ways for companies and federal agencies to coordinate responses to cyberattacks. But critics within the security and privacy communities still have two fundamental problems with the legislation: First, they say, the proposed cybersecurity act won't actually boost security. And second, the "information sharing" it describes sounds more than ever like a backchannel for surveillance
U.S. to stop collecting bulk phone data if Congress lets law expire (Reuters via Business Insider) U.S. intelligence agencies in June will stop bulk collection of data documenting calls by U.S. telephone subscribers, unless Congress extends a law authorizing the spying, U.S. officials said on Monday
DoD straddles the public cloud fence (Federal Times) The Defense Department has in recent months enacted new policies aimed at accelerated adoption of commercial cloud, even as officials seek to strike a balance between security, savings and efficiency
Litigation, Investigation, and Law Enforcement
Trey Gowdy orders Hillary Clinton to turn over email server as Adam Schiff protests (Washington Times) The committee investigating the Benghazi attacks formally requested Friday that Hillary Rodham Clinton turn her email server over to an independent third party so it can be scrutinized to determine whether she and the Obama administration complied with open records laws
EXCLUSIVE: Jailed hacker Guccifer boasts, "I used to read [Clinton's] memos… and then do the gardening" (Pando Daily) December 2013 in the village of Sâmbăteni, Romania. The air is dull and frosty as Marcel Lazăr Lehel walks out of his mud-brick house, carrying a cheap brand laptop and a mobile phone, and goes to the back garden. Exhaling steam, he places the devices on the ground, picks up his axe and begins to chop with hard, steady blows. Thunk-crunch, thunk-crunch, thunk-crunch
No Harm No Foul: Time to End the Petraeus Saga (Small Wars Journal) It is a tenet of our system of justice that the punishment should fit the crime. Since 2012, the U.S. Justice Department has been investigating whether retired US Army four-star General David Petraeus leaked classified information to his biographer Paula Broadwell, with whom he had an affair after retiring from the military to take the position of CIA Director
European Court of Justice hears NSA/PRISM case: EU-US personal data flows under "Safe Harbor" on the table (European Court of Justice via the Christian Science Monitor Passcode) On Tuesday March 24th the Court of Justice (CJEU) will hear a case referred by the Irish High Court on the NSA/PRISM spy scandal, which may have major implications for EU-US data flows and US internet companies operating in Europe (case number: C-362/14)
Wikipedia challenge to NSA surveillance weighs privacy violation and proper targeting (Constitution Daily) What are the basics of Wikipedia's lawsuit against the National Security Agency? In a nutshell, the popular free-knowledge product believes the NSA surveillance of its foreign-based users is discouraging free speech for all people who use Wikipedia
Recent court cases clarify some BYOD legal issues (FierceMobileIT) A number of recent court cases have clarified some of the legal issues around BYOD, observed Amanda Tomney, an associate at the law firm of DLA Piper
Alleged StubHub cyberscalper will be extradited to the US (Naked Security) Just over eight months ago, we wrote about a number of arrests relating to cybercrimes against StubHub
Top Silk Road drug dealer sentenced to 5 years (Naked Security) A major drug dealer operating through the Silk Road underground market has been sentenced to five years in jail for his crimes
Did phone hacking by Mirror newspapers cause 'harm'? (Graham Cluley) A lawyer representing Mirror Group of tabloid newspapers has argued that while unauthorised access to voicemail messages was "unlawful and wrong" it did not result in "permanent harm"
Most parents don't know how to tackle cyber bullying (Help Net Security) 54 percent of UK parents would have no idea if their child was being cyber bullied, highlighting that most parents are completely ill-equipped and under-educated in knowing how to recognize and deal with this growing threat to children
Are smartphones bad for our kids? (Naked Security) Back in the '90s, children attempting suicide were a rare thing