Cyber Attacks, Threats, and Vulnerabilities
EU digital boss says he's 'sure' Russia spied during Gazprom talks (Reuters via Yahoo! News) Spies regularly target the European Commission, the region's digital economy boss said on Thursday, specifically suggesting that Russia had listened in during negotiations last year over gas supplies to Ukraine
Online jihadist hails power of social media after Texas attack (Sydney Morning Herald) An Australian Twitter user and Islamic State supporter who appeared to encourage the terrorist attack on an anti-Islamic cartoon event in the US says his movement is "winning the minds of the young generation"
FBI director says Islamic State influence growing in U.S. (USA TODAY) In a dramatic assessment of the domestic threat posed by the Islamic State, FBI Director James Comey said Thursday there are "hundreds, maybe thousands" of people across the country who are receiving recruitment overtures from the terrorist group or directives to attack the U.S
Vulnerable Islamic State Still Winning Online Battle (Voice of America) Setbacks on the battlefield seem to be doing little to dent the success the Islamic State is having in the world of social media. And that's prompting a new outcry from U.S. lawmakers, who say Washington's online strategy is off-base
'ISIS Recruitment in SA Should be Taken Seriously' (Eyewitness News) The Iraqi Ambassador to South Africa says the younger generation needed to be educated about terror groups
ISIS: The most successful terrorist brand ever? (CNN) Like moths to a flame, a growing number of people around the world have been drawn to the terrorist organization ISIS
Ad Network Compromised, Users Victimized by Nuclear Exploit Kit (TrendLabs Security Intelligence Blog) MadAdsMedia, a US-based web advertising network, was compromised by cybercriminals to lead the visitors of sites that use their advertising platform to Adobe Flash exploits delivered by the Nuclear Exploit Kit. Up to 12,500 users per day may have been affected by this threat; three countries account for more than half of the hits: Japan, the United States, and Australia
JetPack and TwentyFifteen Vulnerable to DOM-based XSS (Sucuri Blog) Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) are found to be vulnerable. The exact count is difficult to grasp, but both the plugin and theme are default installs in millions of WordPress installs. The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package
GPU-based rootkit and keylogger offer superior stealth and computing power (Ars Technica) Proof-of-concept malware may pave the way for future in-the-wild attacks
CPL Malware in Brazil: somewhere between banking trojans and malicious emails (We Live Security) When we analyze the most prevalent threats in Latin America, we see the same malware families across the region. In Brazil, however, there is a different situation. Not only is Brazil one of the most populated countries in the world, but it is also one of the countries with the highest percentage of Internet users using online banking. That is why Brazil is the country where banking trojans are the number one threat
F*cking DLL! Avast false positive trashes Windows code libraries (Register) Avast there indeed, matey, wail admins as rogue guard dog savages their jugular
Deconstructing the 2014 Sally Beauty Breach (KrebsOnSecurity) This week, nationwide beauty products chain Sally Beauty disclosed that, for the second time in a year, it was investigating reports that hackers had broken into its networks and stolen customer credit card data. That investigation is ongoing, but I recently had an opportunity to interview a former Sally Beauty IT technician who provided a first-hand look at how the first breach in 2014 went down
Casino installs new POS equipment while investigating potential data breach (Help Net Security) A few days after Las Vegas' Hard Rock casino revealed that it has been hit by carders, another US casino has started an internal investigation aimed at finding out whether they've also been successfully targeted
EMC-owned Spanning sounds alarm over enterprise attitude to SaaS backups (ComputerWeekly) Enterprises are taking unnecessary business risks by mistakenly assuming their data will be automatically backed up when they use cloud-based services
Weak Homegrown Crypto Dooms Open Smart Grid Protocol (Threatpost) In the three years since its inception, the Open Smart Grid Protocol has found its way into more than four million smart meters and similar devices worldwide
If a hacker can turn traffic lights green, could a plane’s wifi open it to attack? (Irish Times) Smart cities are the future but all that interconnectivity means more opportunities for hackers to create havoc
Mind the Cyber Gap (CIO) Today there is much greater threat to the modern railway: cyber crime
Will the Internet of Things be more damaging to security policies than BYOD? (Information Age) Security must be tackled before this futuristic-sounding network comprising billions of smart digital devices truly hits the mainstream
Security Patches, Mitigations, and Software Updates
Cisco Patches Remote Code Execution Bugs in UCS Central (Threatpost) Cisco has patched a serious remote code execution vulnerability in its Unified Computing System (UCS) Central software, a data center platform that integrates processing, networking, storage and virtualization into one system
Google pumps out updates to security extension to patch vulnerabilities (SC Magazine) Persistent problems are plaguing the Google engineers who developed an anti-phishing extension for Chrome
Cyber Trends
More evidence that employee negligence is security risk No. 1 (GCN) What: The BakerHostetler Data Security Incident Response Report. Why: Thirty-six percent of data security incidents handled last year by the BakerHostetler law firm were due to employee negligence, making it the leading cause of security incidents. According to the firm's newly released report, other causes were outsider and insider theft, malware and phishing attacks
Infrastructure and Industry in the Crossfire (Security-Insider) SCADA systems and industrial control systems are under threat; this realization has taken hold since 2010. Stuxnet, Duqu and Flame have proven that industrial plants can be manipulated through malware and hacker attacks. But how, concretely, should the threat be countered?
Marketplace
Risk IT and services spending to reach $78.6 Billion in 2015 (Help Net Security) According to a new IDC Financial Insights forecast, worldwide risk information technologies and services (RITS) spending will reach $78.6 billion in 2015 and is expected to reach $96.3 billion by 2018 at a compound annual growth rate (CAGR) of 6.97% during the 2013-2018 forecast period
BlackBerry Completes WatchDox Acquisition (MarketWatch) Acquisition expands BlackBerry's enterprise portfolio to provide the most secure end-to-end mobile solution
App Annie Grows with Mobidia Acquisition (PYMNTS) The biggest mobile intelligence platform has gotten even bigger with the acquisition of a mobile measurement company
Antivirus vendor AVG buys VPN service provider Privax for up to $60M (FierceITSecurity) Reflecting the growing concern among companies about mobile security, antivirus software provider AVG has purchased Privax, a provider of virtual private network services for mobile devices and desktops, for up to $60 million
A Match Made In Heaven — Lockheed Martin Partners With Cybereason (Forbes) Cybereason is a cyber security company that was founded by ex-members of Israel's crack intelligence agency's cybersecurity unit 8200
Cybereason Raises $25M Because Corporate Security Is Broken (TechCrunch) As data breaches expose millions of U.S. health records and cyber attacks threaten to cause an accidental nuclear war, security tech is more relevant than ever
CyberArk: A Pure Cybersecurity Play (Seeking Alpha) There has been an explosion in the number of cybersecurity threats in recent years, leaving both governments and corporations vulnerable to data breaches that are both embarrassing and damaging
Security Software Stocks See Upward Trend (Market Realist) FireEye share prices have appreciated by ~30% year-to-date
Why FireEye Stock Lost 6% on May 5, 2015 (Market Realist) After gaining more than 6%, FireEye shares tumble on May 5, 2015
US Navy Looks to Dump Lenovo Servers on Security Concerns — Report (Infosecurity Magazine) The US Navy is reportedly looking for a new server supplier for some of its guided missile cruisers and destroyers due to security concerns around Lenovo's recent purchase of IBM's x86 server division
UK is leading the way at the forefront of cyber security (IT Pro Portal) The RSA Conference has grown significantly in size and stature in recent years, fuelled by the news of seemingly endless security breaches and the real effects being felt by business leaders across the world. With such a laser-like focus on security issues, events such as RSA have become must-attend affairs for enterprises and public sector organisations alike
Products, Services, and Solutions
LightCyber Zeros in on Data Breaches With Increased Accuracy and Actionability (BusinessWire) New N2PA feature directly traces attack activity identified on the network to the source executable on the endpoint
Porter Novelli's PNProtect Cybersecurity Crisis Management Offering to Help Clients Predict, Prepare for, Manage and Recover from Digital Attacks (PRNewswire) Global public relations leader Porter Novelli (PN) announces the launch of PNProtect, a full-service cybersecurity offering to help clients predict, prepare for, identify, monitor, manage and recover from online threats and attacks. Powered by Rook Security, a best-in-class cybersecurity technology company, PNProtect addresses what is fast becoming the biggest dual threat to businesses: online attacks and the resulting reputation damage. Whether you're trying to predict your company's level of risk, deal with an active crisis or recover from a breach, PNProtect will help manage and mitigate the issues along the way
Red Lambda deploys artificial intelligence and peer-to-peer technology for cybersecurity (FierceFinanceIT) A Florida company is taking peer-to-peer and artificial intelligence technology originally developed through the University of Florida and National Science Foundation research and applying it to enterprise-level security
Security On-Demand® Launches New Cyber-Attack Detection Solution: ThreatWatch® 2.0 (PRNewswire) First managed security provider to provide behavioral analytics "as-a-service"
Classification and protection of unstructured data (Help Net Security) In this podcast recorded at RSA Conference 2015, Stephane Charbonneau, CTO of TITUS, talks about TITUS Classification Suite 4, a significant new release of its flagship data identification and information protection suite.
Technologies, Techniques, and Standards
Best Practices for Victim Response and Reporting of Cyber Incidents (US Department of Justice Cybersecurity Unit) Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs
NIST prepping more cloud security control guidance to complement FedRAMP (FierceGovernmentIT) Forthcoming guidance NIST SP 800-174 will look at security control allocation, reference SP 800-53 controls
Rethinking & Repackaging iOS Apps: Part 2 (Bishop Fox) In the first part of our series, we looked at how to modify an iOS application binary by inserting load commands to inject custom dynamic libraries. In Part 2, we take this a step further by introducing a toolchain designed to make some of our favorite iOS application hacking tools available on non-jailbroken devices
How to make two binaries with the same MD5 hash (Nat McHugh) One question I was asked when I demo'd creating two PHP files with the same hash is; does it work on compiled binaries?
APTs: The fine balance of control and monitoring (Help Net Security) Security is not about winning the war. It is more like insurance, it's about how we handle risks. In order to successfully handle the risk of Advanced Persistent Threats (APTs) we need to focus on the high stake targets that we want to protect. The challenge, then, is to build a multi-layered security architecture with the right balance of control and monitoring technologies that can prevent any lower-impact threats from escalating into a full blown attack
Five reasons threat intelligence fails today, and how to overcome them (ChannelWorld) As cyber security threats have become increasingly sophisticated and pervasive, it's become impossible to identify and defend against every probable attack with traditional security budgets. That's where threat intelligence comes in. Effective use of threat intelligence is a way for businesses to pool their resources and overcome internal technical or resource limitations. Theoretically, it allows companies to "crowd source" security and stay one step ahead of malicious entities
Social Engineering Defenses: Reducing The Human Element (Dark Reading) Most security awareness advice is terrible, just plain bad, and not remotely feasible for your average user
Insiders — The Threat Right in Your Blind Spot (Information Security Buzz) While you're standing on the ramparts of your enterprise perimeter, scanning for bad guys, there may well be a threat right in your blind spot: Insiders. Maybe it's someone truly malicious
Don't just secure the network — secure the breach: three simple steps (GSN) As we've seen by recently reported hacks of healthcare networks, security breaches are becoming commonplace. Attacks on secure networks can come from internal or external sources. "Breach prevention" is no longer a workable strategy
Remediation is the Foundation of your Security Strategy! (LinkedIn) In many ways, this year's RSA conference was overwhelming. In other ways, it was a disappointment in how the market is providing solutions to mitigate our security risks. As several colleagues have pointed out, "remediation" is a huge gap at 2015 RSA
Who's Watching You? Video Surveillance-User Beware! (Willis Wire) I routinely find myself being called upon to provide advice regarding the various benefits and risks associated with the applications of video surveillance, particularly the possible exposures to property owners or other key stakeholders regarding its use
How to Win the Cloud Security Game by Balancing Risk with Agility (Trend Micro Simply Security) The cloud is changing the way organizations around the world do IT. Attracted by lower costs, improved efficiency, and faster development and deployment times for apps, users everywhere are migrating to this new computing model in droves, with or without the blessing of IT. Yet security is a top concern due to the loss of control of a physical infrastructure
Design and Innovation
What you really accept when you use How-Old.net (Trend Micro Countermeasures) Microsoft had an apparently unexpected hit on their hands with the unveiling of the "How Old Do I Look?" service at the Microsoft Build conference last week. By the weekend my Facebook feed was filling up with friends from all over the globe sharing the results of their own submissions to the service. For the three of you that haven't come across this viral hit recently, "How Old Do I Look" allows a user to upload a photo and will attempt to correctly guess the age of the subject of the picture, with the results ranging from the spectacularly awful to the incredibly accurate
Research and Development
Facebook Echo Chamber Isn't Facebook's Fault, Says Facebook (Wired) Does the Internet help facilitate an echo chamber? In an age where so much of the information that we see online is filtered through opaque algorithms, the fear is that we only get exposed to viewpoints with which we already agree. Behemoths like Facebook and Google show you new stuff based on what you've previously liked, the argument goes. And so we get stuck in a polarizing cycle that stifles discourse. We only see what we want to see
Academia
DMU joins forces with Airbus Group to protect critical national infrastructure from cyber attacks (DeMontfort University) De Montfort University Leicester (DMU) has launched a research programme with Airbus Group to develop a new digital forensic capability for the Supervisory Control and Data Acquisition (SCADA) industrial control systems that underpin the UK's critical national infrastructure
Legislation, Policy, and Regulation
China's draft national security law calls for cyberspace 'sovereignty' (Reuters) China has included cybersecurity in a draft national security law, the latest in a string of moves by Beijing to bolster the legal framework protecting the country's information technology
A Chinese Response to the Department of Defense's New Cyber Strategy (Council on Foreign Relations: Net Politics) Last week, a Chinese Ministry of Defense spokesman condemned the Pentagon's new cybersecurity strategy. Geng Yansheng not only opposed the "groundless accusations" about Chinese cyber espionage contained in the strategy, but also suggested it "will further escalate tensions and trigger an arms race in cyberspace." Geng called on the United States to promote common security and mutual trust, rather than "seeking absolute security for itself"
German spies curb Internet snooping for U.S. after row — sources (Reuters) Germany has halted its Internet surveillance for the U.S. National Security Agency (NSA) in response to a row over the BND intelligence agency's cooperation with Washington, German intelligence sources said on Thursday
Germany Spies, U.S. Denies (BloombergView) Reports of German spying on European corporate targets at the behest of the U.S. have led to calls that Chancellor Angela Merkel was hypocritical for complaining about U.S. spying on Germany. Well, yes — but the hypocrisy of politicians hardly comes as a shock. What's more striking about the recent revelations is their targets — and what they say about U.S. government claims that it doesn't spy on behalf of private U.S. corporations
Senate GOP leader pushes for phone spying after court says it’s illegal (Ars Technica) "They're not running rogue out there," Sen. Mitch McConnell (R-Ky.) says of the NSA
Cybersecurity bill more likely to promote information overload than prevent cyberattacks (The Hill) A growing number of information security and hacking incidents emphasize the importance of improving U.S. cybersecurity practices. But many computer security experts are concerned that the Cybersecurity Information Sharing Act of 2015 (CISA) is unlikely to meaningfully prevent cyberattacks as supporters claim. Rather, it will provide another avenue for federal offices to extract private data without addressing our root cybersecurity vulnerabilities
Senators back Cyber Protection Team proposal, includes Rome Lab (Rome Sentinel) A New York and New Jersey Army National Guard proposal for a multi-state Cyber Protection Team that would include the Rome Air Force Research Laboratory is being backed by U.S. Senators Charles Schumer and Kirsten Gillibrand.
Researchers create searchable database of intelligence operators (Help Net Security) The researchers behind Transparency Toolkit, a venture whose goal is to develop source software to collect and analyze publicly available data on surveillance and human rights abuses, have released ICWATCH, a collection of 27,094 resumes of people working in the intelligence community
Litigation, Investigation, and Law Enforcement
Forget unconstitutional, America's mass surveillance program is just plain illegal (Quartz) A US federal appeals court — essentially, the second-highest in the land — has ruled that the bulk collection of US telephone records by the National Security Agency isn't permitted by laws passed after the 9/11 attacks to increase intelligence collection. You can read the entire decision here
American Civil Liberties Union et al. v. James R. Clapper et al. (United States Court of Appeals for the Second Circuit) Plaintiffs-appellants American Civil Liberties Union and American Civil Liberties Union Foundation, and New York Civil Liberties Union and New York Civil Liberties Union Foundation, appeal from a decision of the United States District Court for the Southern District of New York (William H. Pauley, III, Judge) granting defendants-appellees' motion to dismiss and denying plaintiffs-appellants' request for a preliminary injunction. The district court held that § 215 of the PATRIOT Act impliedly precludes judicial review; that plaintiffs-appellants' statutory claims regarding the scope of § 215 would in any event fail on the merits; and that § 215 does not violate the Fourth or First Amendments to the United States Constitution. We disagree in part, and hold that § 215 and the statutory scheme to which it relates do not preclude judicial review, and that the bulk telephone metadata program is not authorized by § 215. We therefore VACATE the judgment of the district court and REMAND for further proceedings consistent with this opinion
White House Evaluating New Court Ruling Declaring NSA Data-Collection Program Illegal (Dark Reading) Administration will continue to work with Congress to reform surveillance laws, NSC spokesman says
Posturing on the National Security Agency ruling (Washington Post) The Post reports: "A federal appeals court on Thursday ruled that the National Security Agency's collection of millions of Americans' phone records violates the Patriot Act, the first appeals court to weigh in on a controversial surveillance program that has divided Congress and ignited a national debate over the proper scope of the government's spy powers"
If you have a Verizon phone, you may be able to sue the NSA (Fusion) Today, a federal appeals court ruled that the bulk phone metadata collection program run by the National Security Agency that was brought to light thanks to the leaks of former contractor Edward Snowden was illegal, and not covered by Section 215 of the Patriot Act. But the ruling went further than that; it said, essentially, that anyone whose data was collected as part of the program, called PRISM, may be allowed to sue the NSA for harvesting their data
Islamic State's mixed funding sources pose a challenge for US, int'l efforts to eradicate group (FierceHomelandSecurity) The Islamic State's varied sources of funding — from oil revenue to the sale of looted antiquities — are a challenge for U.S. and international efforts intended to weaken and destroy the terrorist group, according to the Congressional Research Service
Agenda: A smart response to keeping people safe from the threat of cybercrime (Herald Scotland) As the world around us changes, the threats we face as communities change
Five Ways IT Security Companies Help Cyberpolice (Forbes) One of the guiding principles of my company has always been to marry the business of selling IT security solutions with in-depth research of malware and cybercrime
DEF CON's "Spot the Fed" contest a sore spot for Feds (MuckRock) "Attendees… appear to pride themselves on their ability to spot federal law enforcement officers"