Cyber Attacks, Threats, and Vulnerabilities
'ISIS Hackers' Googled Their Hit List; Troops' Names Were Already on Public Websites (Daily Beast) They swore they "hacked military servers" to threaten U.S. troops. Actually, these self-proclaimed ISIS whiz kids basically cobbled together information that was already online
U.S. sees 'more sophistication' in Islamic State cyber capabilities (Washington Times) The Islamic State's cyber capabilities are becoming more sophisticated, though information published by the terrorist group in a kill list last week did not come from Defense Department networks, the leader of U.S. Strategic Command said Tuesday
Senator says military members on ISIS 'kill list' need help 'immediately' (The Hill) Sen. Mark Warner (D-Va.) wants Defense Secretary Ashton Carter to assure the safety of 100 U.S. service members whose personal information was recently published online by the Islamic State in Iraq and Syria (ISIS)
Cyber Attack on Frontpage (Frontpage) The enemies of freedom never rest — and neither do we
Behind a Veil of Anonymity, Online Vigilantes Battle the Islamic State (New York Times) They use screen aliases like IS Hunting Club, TouchMyTweets and The Doctor. They troll Twitter for suspected accounts of Islamic State fighters, recruiters and fund-raisers. Then they pounce
Did Vigilantes Knock North Korea Offline? (Daily Beast) U.S. cyberspies swear they didn't take down the Hermit Kingdom's Internet after the Sony hack. And those spies weren't the only ones rooting around Pyongyang's servers
Full, cracked version of NanoCore RAT leaked, onslaught of infection attempts expected (Help Net Security) NanoCore, a lesser-known remote access Trojan (RAT), has recently been spotted being delivered to employees of energy companies in Asia and the Middle East via spear-phishing emails impersonating a legitimate oil company in South Korea
Old Adobe Flex SDK bug still threatens users of many high-profile sites (Help Net Security) An old vulnerability affecting old releases of the Adobe Flex SDK compiler can be exploited to compromise user data of visitors to many popular sites, including three of the most visited ones in the world according to Alexa, two researchers claim
Android Installer Hijacking Vulnerability Could Expose Android Users to Malware (Palo Alto Networks) We discovered a widespread vulnerability in Google's Android OS we are calling "Android Installer Hijacking," estimated to impact 49.5 percent of all current Android users
Camwood highlights Windows Server 2003 security risks (MicroScope) It might have taken a while but the alarm calls around the demise of Windows Server 2003 are getting louder with each passing day with the July cut-off for support moving ever closer
Premera's IT Security Audit Report Revealed Lack of Multi-Factor Authentication (Duo Security) Back at the end of November 2014, the Office of Personnel Management (OPM) released an IT security audit report on the state of Premera's security profile, noting a gap in access controls. A few months later, Premera discovered a breach of their systems that may have compromised the medical and financial data of 11 million individuals
Bahncard email fakes an invoice (IT SecCity) Nested malware builds a botnet. Fake Bahncard emails are meant to lure users into the malicious-code trap
Cyber attack disrupts school test in Glouco district (South Jersey Courier Post) A controversial statewide test was interrupted for two days by a cyber attack on Swedesboro-Woolwich Schools' network, according to district officials
Cybercriminals moving into cloud big time, report says (Network World) Global telecommunications equipment provider Alcatel-Lucent's latest cybercrime attack predictions are covered in its recent report. No one is spared
The average DDoS attack tripled in volume (Help Net Security) The average packet volume for DDoS attacks increased 340 percent to 4.36 million packets per second (Mpps), and the average bit volume swelled 245 percent to 12.1 Gbps in the final quarter of 2014, according to Black Lotus
100 Days of Malware (Push the Red Button) It's now been a little over 100 days since I started running malware samples in PANDA and making the executions publicly available. In that time, we've analyzed 10,794 pieces of malware, which generated
Cyber Trends
Over 15,000 Vulnerabilities Detected in 2014: Secunia (SecurityWeek) IT security solutions provider Secunia today published its annual vulnerability review. The report provides facts and details on the security flaws uncovered in 2014
Foreign Policy in the Age of Cybersecurity Threats (IBM Security Intelligence) The Obama administration has been the first to face the foreign policy and national security challenges of what may be called the modern age of cyberthreats and cybersecurity
Cyber Armageddon is a Myth (Counterpunch) Over the past several years mainstream news outlets have conveyed a litany of cyber doomsday scenarios on behalf of ostensibly credible public officials. Breathless intimations of the End Times. The stuff of Hollywood screenplays. However, a recent statement by the U.S. intelligence community pours a bucket of cold water over all of this. Yes, Virginia, it turns out that all the talk of cyber Armageddon was a load of bunkum. An elaborate propaganda campaign which only serves as a pretext to sacrifice our civil liberties and channel an ocean of cash to the defense industry
A Quarter of Businesses Have No Control over Network Privileges (Infosecurity Magazine) While data breaches stemming from insider privilege abuse continue to make headlines, the sad reality is that a full quarter of organizations have zero control over who accesses what in the network
Excessive User Privileges Challenges Enterprise Security: Survey (SecurityWeek) It is no secret that enterprises sometimes have trouble keeping a handle on privileged users. In the wrong hands, excessive privileges can lead to data breaches and sleepless nights for IT
Security Sense: Did You Really Think Websites Were Always Hacked for a Reason?! (Windows IT Pro) Here's one I hear a lot: "Oh we're not worried about being hacked, there's no reason an attacker would want to break into our system"
Hackers are ahead in the cyberwar — businesses need to wake up (Guardian) With cybercrime costing the UK billions, experts say it is time to confront hackers head on
9 Threats on the 2017 Threat Horizon (Mobile Enterprise) Senior business managers, information security professionals and other key organizational stakeholders beware — by 2017 nine emergent threats will make cybersecurity challenges even more difficult
Avast: Here's Why Smartphone Security Really Matters (TechWeek Europe) Around 50 million Android users were hit by some form of security issue last year, firm tells TechWeekEurope
The Gemalto hack is déjà vu for state-backed hacking — but businesses can stop it (Information Age) The recent hack on Gemalto has exposed whether organisations can truly trust their security solutions against state-sponsored surveillance
Marketplace
2% of UK Firms Insured Against Cyber Attacks (Newsweek) Just 2% of large UK firms have specialised insurance cover against cyber attacks, according to a report published today. This figure dropped close to zero for smaller companies and around half of the CEOs interviewed were unaware that cyber risks can be insured
The race to build the Silicon Valley of cybersecurity (Christian Science Monitor: Passcode) Cities and regions around the US vie to draw business and brainpower in a market projected to top $160 billion by 2020
Cybersecurity Firms Are Ready To Fight For Government Contracts (Benzinga) Cyber attacks have become one of the largest threats to U.S. security, as more of the nation's infrastructure has become dependent on the Internet. High profile hacking attacks against major companies and government agencies have been on the rise this year, leading the Pentagon to look for ways to prevent major security breaches moving forward
A virtual Iron Dome: Israeli cybertech wins fans at home and abroad (Haaretz) Hundreds of thousands of dollars have been invested in about 250 Israeli cyber firms, and this is just the beginning
NCC bolsters security muscle with Accumuli buy (MicroScope) Security player Accumuli has plenty of experience on the acquisition front but this time it is the one being picked up by NCCGroup
Lookingglass Raises $20 Million in Series B Funding Led by Neuberger Berman Private Equity Funds (Lookingglass) Investment will be used to fund company's dynamic growth and strategic initiatives
Mobile phone security co Skycure raises $8m (Globes) The funds will be used to expand marketing efforts and invest in R&D, including hiring in the US and Israel
Shevirah Set to Break Into Mobile Penetration Testing Market (eWeek) Security innovator Georgia Weidman started up a new company, Shevirah, in a move to take her open-source project commercial
ProtectWise Launches Its Network Security Product In A Deadly Hail Of Buzzwords (Forbes) Startup ProtectWise is launching out of stealth today and at the same time announcing over $17 million in venture funding from Crosslink Capital, Trinity Ventures, Paladin Capital Group and Arsenal Venture Partners. The company was founded by Scott Chasin, who previously started companies subsequently acquired by Symantec and McAfee. On top of this Chasin was McAfee's CTO from 2009-2012
IOActive Launches New Hardware Lab (Dark Reading) Company adds new Global 50 clients to roster, expands into Middle East
Kaspersky, Bloomberg Spar Over KGB Allegations (PC Magazine) Bloomberg accused Kaspersky Lab of excluding its Mother Russia from reports examining electronic espionage by the U.S., Israel, and the U.K.
Why You Should Be Losing Sleep over the Security Skills Shortage (Trustwave) We've written a few times in this space about the seemingly ineradicable security skills shortage that exists in organizations worldwide. Bad news: The picture doesn't appear to be getting any rosier. The latest ominous headline comes from Burning Glass, a labor market analytics firm, which has documented a 74 percent spike in cybersecurity job postings from 2007 to 2013, double the rate of all IT jobs
RedSeal Expands Management Team With Steve Timmerman as VP of Corporate Marketing and Business Development (Marketwired) RedSeal (redseal.co), the cybersecurity certification company, today announced that it will further strengthen its management team by bringing aboard Steve Timmerman as VP of Corporate Marketing and Business Development. The new appointment highlights RedSeal's aggressive expansion plans — the company has a rich portfolio of product and service offerings and is moving into new markets around the world
Products, Services, and Solutions
Dragos Security Launches CyberLens™ for Passive Identification of Cyber Assets and their Communications (PRWeb) Today, Dragos Security LLC launched its solution for identifying assets and understanding the networks of critical infrastructure and high value information technology — CyberLens™. The software passively discovers assets and visualizes them on an easy to use graphical map while storing historical records for network security monitoring, incident response, and network configuration use cases
Blue Coat Global Intelligence Network Enables Customers to More Effectively Block, Detect and Respond to Advanced Threats (Marketwired) Unification of products and labs produces single stream of web and malware threat intelligence to deliver unprecedented protection while reducing the total cost of security
Leading Life Insurance Company Using EnCase® Security Products to Comply with PCI DSS (BusinessWire) EnCase® Cybersecurity and EnCase® Analytics hunt down sensitive data and undetected breaches
Datapipe Launches Enhanced Cloud Security Service for Enterprise Web Applications (BusinessWire) Cloud based web DDoS and WAF protection service adds real time protection for cloud assets against web application attacks
Conformance Technologies Launches Pen-Testing and PAN Scanning Solution (BusinessWire) Helps merchants meet PCI DSS 3.0 requirement 11.3 easily and cost-effectively
Proactive security for online banking and shopping (IT SecCity) Security solutions: G Data delivers comprehensive program updates. New "Made in Germany" protection technologies for secure online banking and shopping available from April 2015
Columbus Business Solutions offers Cyber Security for Schools (Barbados Advocate) Schools are under attack both from internal and external vices. Whether it is device misuse, students and teachers surfing dangerous sites or downloading unknown files or hackers, the threats to education facilities are real. This is why it's even more important for schools — whether private or public and from primary to tertiary — to have adequate security to protect their network, staff and students
Technologies, Techniques, and Standards
Premera breach: Are HIPAA standards too low? (Help Net Security) Here's an interesting twist regarding the Premera data breach revealed last week: the company has been deemed compliant with the Health Insurance Portability and Accountability Act (HIPAA) in late November 2014
Sue Schade: 4 traits of hospitals with a 'security culture' (FierceHealthIT) A key piece of any healthcare organization's IT security program has to include creating a security culture, writes Sue Schade, chief information officer at University of Michigan Hospitals and Health Centers
Hacking oil and gas control systems: Understanding the cyber risk (Plant Engineering) Cyber attacks have been growing in number and intensity over the past decade. Companies in the oil and gas industry are high-profile targets and must take measures to protect themselves from hackers
See Your Company Through the Eyes of a Hacker (Harvard Business Review) JP Morgan Chase. Target. Sony. Each has been part of the growing number of cyber-attacks against private companies around the world in recent years. In the latter two cases, CEOs were forced to resign in the wake of the breach. Attacks are growing more sophisticated and more damaging, targeting what companies value the most: their customer data, their intellectual property, and their reputations
Implementing an effective risk management framework (Help Net Security) In today's marketplace, almost every employee is now a content contributor. Although beneficial to the collective of information available, this influx brings about new risk. Legal systems worldwide are clamping down and demanding greater compliance — particularly on IT systems — making it essential for organizations to implement compliance and risk management protocols. So how do we balance the benefit of the free flow of information with the risk of inappropriate access and/or disclosure? What are the consequences of not doing so?
Is Your Threat Intelligence Platform Just a Tool? (Sys-Con Media) "If the only tool you have is a hammer, you tend to see every problem as a nail." Abraham Maslow
Why aren't you vulnerability scanning more often? (CSO) I've always been curious about companies that scan their enterprises for vulnerabilities once per quarter or even once per year. Why is this the case exactly? I've worked in these environments and I've heard all manner of excuses as to why this was an issue. "We can't have any outages because it is a critical roll out for $project and we can't have any downtime." That one was always one of my favorites
Four advantages of an identity behavior-based approach to cybersecurity (Help Net Security) With an ever-increasing number of data breaches, more money is being poured into IT security budgets. According to Gartner, the average global security budget increased 8 percent from 2013 to 2014 and will grow another 8 percent in 2015. Additionally, data loss prevention (DLP) system investments will increase by almost 19 percent
How to Install Bro Network Security Monitor on Ubuntu (Known) The Bro Network Security Monitor is an open source network monitoring framework. In a nutshell, Bro monitors packet flows over a network and creates high-level "flow" events from them and stores the events as single tab-separated lines in a log file
Just how safe is encryption anyway? (Technology Spectator) When checking your email over a secure connection, or making a purchase from an online retailer, have you ever wondered how your private information or credit card data is kept secure?
Design and Innovation
Finalists announced for Innovation Sandbox at RSA Conference 2015 (Help Net Security) RSA Conference announced the 10 finalists for its annual Innovation Sandbox Contest. The competition is dedicated to encouraging out-of-the-box ideas and the exploration of new technologies that have the potential to transform the information security industry
Coca-Cola Looks to Secure Edge for Age of Cloud, Mobility (Wall Street Journal) Coca-Cola Co., feeling the pressure to strengthen its digital security, is experimenting with a new approach that makes use of software virtualization, a concept that revolutionized computer servers during the last decade or so
Research and Development
Israel, US To Integrate Cyber Test Beds (Defense News) The Cyber Security Division of the US Department of Homeland Security (DHS) aims to expand collaboration with the Israel National Cyber Bureau (NCB), Israeli cyber companies and local start-up firms
Academia
U.S. Cyber Challenge Announces Open Registration for Annual Cyber Quests Competition (US Cyber Challenge) Upcoming Cyber Quests Competition to determine qualifiers for Summer 2015 Cyber Camps
BAE funds Malaysian cyber school (C4ISR & Networks) BAE is funding a new post-graduate cybersecurity program at Malaysia's National Defense University
UK government launches Cyber First recruitment drive for future white hats (V3) The UK government has announced a Cyber First programme designed to find and train the next generation of security professionals, continuing its efforts to bolster the nation's digital defences
Legislation, Policy, and Regulation
Russia playing the long game in global cyberwar campaign (International Business Times) The recently published US intelligence community's annual threat assessment promotes cyberattacks as the most serious threat to US national security
Cyberthreat Bills Take Shape on Hill, With Key Votes Looming (Wall Street Journal) Goal in Congress is to help prevent large cyberattacks that have recently hit major U.S. companies
Congress moving on long-sought legislation to thwart cyberattacks (Washington Post) The House Intelligence Committee introduced bipartisan legislation Tuesday to grant legal immunity to firms that pass cyberthreat data to the government, as lawmakers expressed cautious optimism that there is finally enough support to pass a bill that the president will sign
House Intel unveils cyber sharing legislation (The Hill) The House Intelligence Committee on Tuesday afternoon will introduce its bill to bolster cyber threat data sharing between the government and the private sector
Key Democrat: Congress Won't Tackle NSA Reform Before Cybersecurity (National Journal) "High-level" discussions on surveillance overhaul aren't taking place, Rep. Adam Schiff said
Cybersecurity Information Sharing: A Legal Morass, Says CRS (Federation of American Scientists) Several pending bills would promote increased sharing of cybersecurity-related information — such as threat intelligence and system vulnerabilities — in order to combat the perceived rise in the frequency and intensity of cyber attacks against private and government entities
Tech firms and privacy groups press for curbs on NSA surveillance powers (Washington Post) The nation's top technology firms and a coalition of privacy groups are urging Congress to place curbs on government surveillance in the face of a fast-approaching deadline for legislative action
U.S. Joint Chiefs drafting military cyber standards: arms tester (Reuters) The chief U.S. weapons tester said on Tuesday he was working with the Joint Chiefs of Staff to draft military requirements to address widespread cyber vulnerabilities in nearly every arms program and military command
Litigation, Investigation, and Law Enforcement
First lawsuits filed to block net neutrality action (FierceCIO) It had been suggested that the recent net neutrality vote by the Federal Communications Commission would be tied up for years in the courts, and the telecommunications industry hasn't disappointed
Washington officials leading Premera cyberattack investigation (Spokesman-Review) Washington insurance officials will lead a multistate investigation into how computer hackers were able to breach the security of the state's largest health insurance company and whether Premera Blue Cross took the proper steps to notify some 11 million customers after it was discovered
Fugitive posts on Snapchat that he’s hiding in the cupboard, while police search his house (Hot for Security) Is this the dumbest fugitive ever? Meet 24-year-old Christopher Wallace, wanted by police in Somerset County, Maine, in connection with the theft of a wood stove earlier this year from a sporting camp, and violation of administrative release