Cyber Attacks, Threats, and Vulnerabilities
IS 'CyberCaliphate' Hacked 600 Russian Websites In 2014, Security Company Says (Radio Free Europe/Radio Liberty) According to a new report, websites targeted by the Islamic State group include a number of banks, construction companies, government organizations, and even schools. Hackers aligned to Islamic State (IS) militants attacked 600 Russian websites last year, according to a new report by Russian cyber intelligence company Group-IB
ISIS 'hack' draws skepticism but raises wariness (Defense Systems) Following last weekend's leak of sensitive information on military personnel apparently by ISIS supporters, many are scrambling to discover how this information was accessed and if Pentagon servers were breached. Some military families, meanwhile, are altering their approach to what they post online
Ex-Gov. Ridge: Hacking group's kill list only a scare tactic (Trib Live) Former Pennsylvania Gov. Tom Ridge, the nation's first Homeland Security chief, does not believe the 100 military members identified in a so-called "kill list" posted online last week by a group calling itself the Islamic State Hacking Division need to fear for their lives, he told the Tribune-Review on Wednesday
Vawtrak malware uses steganography to hide update files in favicons (Security Affairs) A new strain of Vawtrak malware implements capabilities to send and receive data through encrypted favicons distributed over the Tor network
Many Canadian banks target of attack, says security vendor (IT World Canada) Fifteen Canadian financial institutions have been targeted by a new malware attack aimed at stealing passwords, says a Danish security company
Researcher finds backdoor opened by Dell's helper app (Help Net Security) A security researcher has discovered a serious bug in Dell System Detect, the software Dell users are urged to use to download the appropriate drivers for their machines. The flaw can be exploited by attackers to make the computer download and execute potentially malicious files
The Spy in the Sandbox — Practical Cache Attacks in Javascript (Columbia University) We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim's machine — to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extremely relevant and practical to today's web, especially since most desktop browsers currently accessing the Internet are vulnerable to this attack
SSL/TLS Suffers 'Bar Mitzvah Attack' (Dark Reading) Researcher at Black Hat Asia shows how attackers could abuse a known-weak crypto algorithm to steal credentials and other data from encrypted communications
Serious Security: China Internet Network Information Center in TLS certificate blunder (Naked Security) TLS certificates are very important. So we thought we'd use a story about a recent certificate security blunder to remind you why
Macro-based Malware Increases Along with Spam Volume, Now Drops BARTALEX (TrendLabs Security Intelligence Blog) Early this year Microsoft reported an increase in macro-related threats being used to spread malware via spam. Similarly, we've been seeing a drastic increase in spammed emails with attached Microsoft Word documents and Microsoft Excel spreadsheets that come with embedded macros
Macro-based malware continues to gain traction (Help Net Security) After having "rediscovered" the usefulness of MS Office macros, malware peddlers have been ramping up email spam runs delivering documents that request users to enable them
Default Setting in Windows 7, 8.1 Could Allow Privilege Escalation, Sandbox Escape (Threatpost) A default setting in both Windows 7 and 8.1 could allow local users to elevate privileges and in some situations, escape application sandboxes
The disturbing truth behind the Premera, Anthem attacks (FierceHealthIT) As details continue to emerge following the recent hack attacks on payers Anthem and Premera--in which information for close to 90 million consumers combined may have been put at risk--perhaps the most disturbing revelation of all is that, in both instances, neither entity appears to truly take security seriously
Bitcoin & Altcoin Exchange 'Cryptoine' Gets Hacked (Hack Read) Not even a month has passed since AllCrypt Bitcoin was taken down and another Altcoin exchange has been attacked by hackers
Anonymous Targets NYPD Captains Union Website with Malware (Hack Read) On Friday, a cyberattack on NYPD captains union website infected it with malware and forced it to shut down
Maine.gov hit by cyber attack for third time in three days (WGME) For the third straight day, Maine.gov was taken down by a cyber attack, and this time, the group claiming responsibility also said it's recorded the IP addresses of anyone who tried to visit the site
Xtube porn website spreads malware, after being compromised by hackers (Graham Cluley) The popular Xtube hardcore porn website, visited by approximately 25 million people every month, has been compromised by hackers and is spreading malware onto visiting computers
Mobile 'sextortion' schemes on rise, Trend Micro reports (Network World) Victims pay up or their sex videos get sent to their contact lists
Too Many Adverts and Porn pop-ups in your Web Browser? Maybe your Router has been Hijacked (Tripwire: the State of Security) If you've recently found your web browsing plagued by pornographic pop-ups and irritating adverts, there might be a simple — but dangerous — explanation
Tax Fraud Advice, Straight from the Scammers (KrebsOnSecurity) Some of the most frank and useful information about how to fight fraud comes directly from the mouths of the crooks themselves. Online cybercrime forums play a critical role here, allowing thieves to compare notes about how to evade new security roadblocks and steer clear of fraud tripwires. And few topics so reliably generate discussion on crime forums around this time of year as tax return fraud, as we'll see in the conversations highlighted in this post
Security Patches, Mitigations, and Software Updates
GE Fixes Buffer Overflow Bug in DTM Library (Threatpost) GE has released a fix for a vulnerability in a library that's used in several of its products deployed in critical infrastructure areas. The flaw in the HART Device Type Manager library could allow an attacker to crash affected applications or run arbitrary code
iOS 8.3 Lets You Skip Password Entry to Download Free Apps. Good Idea? (Intego Blog) The new version of iOS, version 8.3, is getting ever closer and pre-release beta testers are stumbling across new hidden features and tweaks that Apple has made with the iPhone and iPad operating system
Cyber Trends
Lessons From The New Threat Environment From Sony, Anthem And ISIS (TechCrunch) The cyberattack on Sony Pictures entertainment left plenty of roiled waters in its aftermath: lawsuits from employees whose personal information was leaked; apologies to President Obama and other subjects of hasty emails; U.S. sanctions against North Korea and a war of words back and forth; and the irony of Sony turning to the entity most identified in those emails as a threat to its content distribution model, Google, to distribute "The Interview"
State-backed cybercrime hits our screens (Guardian) Today's hackers are not just criminals and activists — governments are launching cyber-attacks to hunt for secrets, research vulnerabilities or cause disruption. How can we defend ourselves?
NSA Doesn't Need to Spy on Your Calls to Learn Your Secrets (Wired) Governments and corporations gather, store, and analyze the tremendous amount of data we chuff out as we move through our digitized lives. Often this is without our knowledge, and typically without our consent. Based on this data, they draw conclusions about us that we might disagree with or object to, and that can impact our lives in profound ways. We may not like to admit it, but we are under mass surveillance
Survey: 75% of firms would take hours or longer to spot breach (CSO) Organizations say they can deal with a breach, but first they'll have to detect it
Rise of threat intelligence is leading to too many sources, finds MWR, CPNI and CERT-UK (IT Security Guru) Threat intelligence is rapidly becoming an ever-higher business priority with a general awareness of the need to 'do' threat intelligence, but vendors are falling over themselves to offer a confusingly diverse array of threat intelligence products
Zero day, Web browser vulnerabilities spike in 2014 (IDG via CSO) The number of zero-day and Web browser vulnerabilities shot up in 2014, but overall software vendors are patching faster
Former NSA Director: Breaches Will Get Worse (PYMNTS) Over the next two years, cyberattacks will get worse before they get better. But there's some good news. There are methods to counter cyber threats — by working with stakeholders across the political aisle, including private to public sector initiatives, to create enforceable barriers to bring about change
RFID use reaching 'tipping point' (FierceRetailIT) RFID is gaining traction with retailers and manufacturers, nearing an adoption and usage "tipping point," according to a recent study from GS1 US
Study: When it comes to security, smartphone users aren't very smart (BGR) Even though you may be familiar with how your smartphone works and the various security issues that threaten your privacy, chances are that if you're also a millennial you also aren't doing simple things to secure your data. At least that's what a study from security firm Lookout seen by the LA Times seems to indicate
Millennials Like Their Privacy, but Give It Away Freely (eWeek) More than half of smartphone owners under 35 years old believe they are privacy-savvy, yet they tend to take the most risks with their personal data
Power grids vulnerable to attacks (Great Falls Tribune) About once every four days, part of the nation's power grid — a system whose failure could leave millions in the dark — is struck by a cyber or physical attack, a USA Today analysis of federal energy records finds
UK attacks on crypto keys and digital certificates endemic (ComputerWeekly) All 499 UK security professionals polled in a global survey say their organisations have responded to multiple attacks on keys and certificates in the past two years
Marketplace
Calculating The Colossal Cost of A Data Breach (CFO) Some targets have spent tens of millions just to notify customers and provide identity-theft monitoring
Apple is picking off iOS antivirus apps one by one: Who'll be spared? (Register) Some slain in the software store, some survive — but why?
Palo Alto splashes $200m to strengthen endpoint security offering (Computer Business Review) Company acquires Israeli cybersecurity company Cyvera
Darktrace enters Asia Pacific security appliance market (Digital News Asia) Comes in as market is expected to register double-digit growth
Huawei does not pose UK national security threat (V3) Chinese telecoms firm Huawei has been given the all clear, meaning that the use of its technology in UK communications networks does not pose a national security risk
Leidos Board Appoints CEO Roger Krone to Chairman to Consolidate Roles (GovConWire) Leidos (NYSE: LDOS) CEO Roger Krone has taken the additional role of chairman of the board of directors beginning March 20, less than a year after he joined the company from Boeing
Products, Services, and Solutions
Red Owl Analytics: Next generation analytic platform (CTO Vision) This is an update of our write-up on Red Owl Analytics. We cover them in our special reports on Analytical Tools, Big Data, and Security
Microsoft Bombs Antivirus Tests Yet Again (Tom's Guide) If you're using nothing but Microsoft Windows Defender to protect your PC, you may want to toss the system into a bonfire now, before it's too late for the rest of your network
Targeted Attack: The Game (Trend Micro: Simply Security) April 2015 sees the release of a project that has been a year in the making for us. Something that we had affectionately been calling "Choose Your Own Adventure" for most of its lifetime as we laid it out, put some meat on the bones and finally stitched it all together (no we weren't making Frankenstein's monster)
Popular Cryptography Game Released for iOS & Android (prMac) Vito Technology Inc., award-winning developer has released an update and an Android version of their popular educational game Next Quote. The app offers a thrilling experience of deciphering a hidden message which contains an inspirational quote from famous authors, founding fathers and modern day politicians. Impossible at first glance, the game will draw you in while simultaneously developing your logic skills
Technologies, Techniques, and Standards
How to tell if you've been hacked (Guardian) Worried that you might get compromised by hackers? The bad news is that the rest of the internet might know before you do
Dissecting Network Segmentation, Data Traffic and Encryption (Dark Matters) Last year — dubbed "the Year of the Hack" — saw numerous major cyber attacks against prominent corporations, including JP Morgan bank and Sony Pictures Entertainment. And after Target in 2013, another retailer, Home Depot, suffered a data breach with more than 56 million credit cards stolen
Junk it: How BAE saves $3.2m a year by throwing out excess data (Computing) "Every IT person should be saving at least 10 per cent of their annual yearly salary," BAE Systems data centre storage director Mark Tango tells Computing
Security best practices for users is your first line of defense (CIO) Most savvy businesses are on top of their game when it comes to securing networks, encrypting sensitive data and keeping private customer information safe. But there's a glaring security vulnerability you may not have thought of: your end-users
Applying a Stress-Test to Your IT Infrastructure (Tripwire: the State of Security) Banks regularly undergo mandatory stress tests. These tests are clearly defined, and the results are used to determine how well each bank can maneuver through an economic calamity
CISSP 2015 Update: Identity and Access Management (Infosec Institute) The CISSP 2015 Update brings new viewpoints on the key domains covered in this certification. The CISSP is already one of the broadest of all certs in that the amount of information it covers in different fields is staggering. However, breaking this down into its component domains or fields can help to chop at it bit by bit. With the new updates, each domain is a bit more streamlined — a bit easier to manage in the overall picture — and becomes easier to understand
ISACA Lays Out Forensics for the Data Breach Era (Infosecurity Magazine) When faced with a data breach, the first order of business for companies is to find out what happened, and then how it happened and who did it. To aid in the process, which is unfortunately no longer a rare scenario, ISACA has issued a new set of guidelines that outline the digital forensics process and identify the key steps for organizations to consider when dealing with attacks
Design and Innovation
You in Your Internet of Things (IEEE Spectrum) Should privacy and security measures be built into devices before they reach the market?
Research and Development
Drop User Names To Improve Security, Says Dartmouth Research (THE Journal) The focus on coming up with unusual passwords for improving security is likely misplaced, particularly when those passwords are accompanied by user names that are all too guessable. That's what a joint academic and industry research team has come up with after nearly a year of working together on the problem of authentication
Navy Engineer Impacts Public-Private Sector Research on Wearable and Embeddable Technology (Southern Maryland Online) How easy is it to hack a pacemaker? Your "FitBit" is designed to track your physical movements. Who else can see it?
Academia
Taking the Tech Track (US News and World Report) Across fields, grad programs are adding training in technology
Computer science surge sparks campus building boom (Network World) College campuses across the U.S. are building new computer science facilities that encourage hands-on education and interdisciplinary research
Foreign Affairs Ministry names teens in national cyber education initiative 'Cyber Ambassadors' (Jerusalem Post) Initiative is geared towards junior high students which offers after-school programs in computer technology
Legislation, Policy, and Regulation
NATO Chief: Cyber Can Trigger Article 5 (DefenseNews) NATO leaders on Wednesday reiterated the alliance's stance on treating cyber attacks against a member as an Article 5 issue, which would potentially draw a military response from the entire alliance
'States preparing cyber-attack options to cripple enemies' infrastructure' (Jerusalem Post) States engaged in arms race, building offensive and defensive capabilities in form of cybersecurity
Three Questions about Admiral Rogers' Testimony on Cyber Deterrence (Council on Foreign Relations) Last week, Admiral Mike Rogers, commander of U.S. Cyber Command, testified before the Senate Committee on Armed Services. Most of the media attention (see this, this, and this) has focused on Rogers' argument that deterrence is not working, and that defense in cyberspace will be "both late to need and incredibly resource intensive." As a result, Rogers argued, Cyber Command needs "to think about how can we increase our capacity on the offensive side to get to that point of deterrence"
National Breach Notification Bill Advances (GovInfoSecurity) Amendments to keep some state safeguards rejected
Would NSA Data Surveillance End With Patriot Act? (US News and World Report) The Patriot Act sunsets in June, but other legal powers may continue data collection
FBI needs better intelligence, information sharing: U.S. report (Reuters) The FBI needs to strengthen its intelligence programs and information sharing to counter the diverse and fast-moving national threats that have evolved since the Sept. 11, 2001, attacks, a congressional commission said on Wednesday
FBI Threat Intelligence Cyber-Analysts Still Marginalized In Agency (Dark Reading) Despite good progress, 9/11 Review Commission says that analysts could have a greater impact on FBI counter-terrorism activities if they had more domain awareness, forensics capabilities, and were more empowered to question agents
Carter: Cyberworkforce Development Is a Model for DOD (FedTech) Defense Secretary Ash Carter said the freshness of approach and the constant effort to reinvent can be an example for other DOD efforts
DoD Advances Elements of Joint Information Environment (DoD News) Defense Department Chief Information Officer Terry Halvorsen held a media roundtable recently to discuss progress on elements of his department's transition to an information environment that's faster, safer and less expensive for the DoD
Litigation, Investigation, and Law Enforcement
What security leaders need to know about the Target breach settlement (CSO) Consider these three points before discussing the Target consumer breach settlement with other leaders
India strikes down controversial "Section 66A" social media policing law (Naked Security) India's Supreme Court on Tuesday repealed a controversial law after civil rights groups and a law student filed petitions arguing that it violated people's rights to freedom of speech and expression
Inquiry into electronic surveillance agency launched (New Zealand Herald) An inquiry into the activities of New Zealand's electronic surveillance agency has been launched by the Inspector General of Intelligence and Security
Alaska Joins Investigation Into Premera Cyber Attack (Alaska Public Media) Alaska is participating in a multi-state investigation into Premera following a cyber attack on the health insurer early this year. The state's insurance director says she has a lot of questions about why the attack occurred and why it took the company two months to announce it publicly