Cyber Attacks, Threats, and Vulnerabilities
Software Cut Off Fuel Supply In Stricken A400M (Aviation Week) The crash of an Airbus A400M airlifter that killed four people on May 9 may have been caused by new software that cut off the engine-fuel supply, industry sources have said
Hacking Airplanes: No One Benefits When Lives Are Risked To Prove A Point (Dark Reading) In the brave new world of self-driving cars and Wifi-enabled pacemakers, everything we do as information security professionals, everything we hack, every joke we make on Twitter, has real, quantifiable consequences
Who's flying the plane? The latest reason to never ignore security holes (Computerworld) Companies make excuses for not addressing security holes that seem unlikely to be exploited. The problem is that they often do get exploited. Just ask United
Should airlines offer bounties to hackers who find security flaws in avionics? (tnooz) The FBI has issued a search warrant for a hacker who controversially claims to have used his laptop to briefly seize control of a plane during flight, tilting it briefly
Their View: Don't punish plane hacker: Learn from him (Centre Daily Times) Bringing down a plane carrying hundreds of passengers doesn't require a suicidal pilot, a missile or a terrorist bomb. Apparently, a guy with a computer may be able to pull it off by hacking into the airliner's entertainment system
Arvig Hackers: 'We Did This for Islam' (Valley News Live) Lisa Green with Arvig Communications confirms their website was attacked Tuesday morning. She says the homepage was replaced with a picture from a group called Cyb3r CommandOS
Bishop Urges Government To Take Hacking Incident Seriously (Tribune 242) Bishop Simeon Hall yesterday urged the government to "exercise the highest seriousness" in its response to the recent hacking of two government websites
PHL likely targeted by China-backed cyberspies since 2005, security group warns (GMA News) The Philippines may have been the target of a cyber-espionage campaign likely sponsored by the Chinese government, a cybersecurity company said Tuesday
Vulnerability found in IBM statistical analysis suite (IT World Canada) CISOs worry about vulnerabilities in the most commonly-attacked platforms in their inventory — Web servers, password databases, Flash, operating systems and productivity software. They rarely think about other applications
Fake PayPal payment reversal notification leads to phishing (Help Net Security) PayPal phishing attempts take many forms, and one of the most often used techniques is fake emails containing a warning and a prompt to act quickly
'Los Pollos Hermanos' ransomware — what will they think of next? (Naked Security) Cryptoransomware isn't a new topic any more, but it's intriguing to look at what the crooks are up to these days
How much money do cyber crooks collect via crypto ransomware? (Help Net Security) FireEye researchers have calculated that the cybercriminals wielding TeslaCrypt and AlphaCrypt have managed to extort $76,522 from 163 victims in only two months
Many ransomware victims plead with attackers (CSO) The shamelessness of ransomware pushers knows no bounds
Steganography and Malware: Final Thoughts (TrendLabs Security Intelligence Blog) Steganography will only become more popular, especially among the more industrious malware groups out there. For an attacker, the ability to hide stuff in plain sight is like peanut butter on chocolate: it makes their favorite thing even better
DDoS attackers testing tools on IPv6 (FierceITSecurity) Attackers are beginning to test their ability to launch distributed denial-of-service attacks over the new IPv6 Internet protocol
DDoS attacks double, old web application attack vectors still active (Help Net Security) Akamai Technologies analyzed thousands of DDoS attacks as well as millions of web application attack triggers across the Akamai Edge network
St. Louis Federal Reserve forces password change after DNS attack (IDG via CSO) A branch of the U.S.'s central bank is forcing a password reset after a cyberattack briefly redirected visitors to parts of its website to bogus Web pages
Hard-coded credentials placing dental offices at risk (CSO) Full Disclosure: US-CERT has known about the issue in Dentrix for more than a year and has remained silent
Group Health customers affected by Premera cyber attack (Puget Sound Business Journal) The effects of a data breach at Washington state's third-largest insurance company are spilling over to customers elsewhere
Security Patches, Mitigations, and Software Updates
Stable Channel Update (Chrome Releases) The Chrome team is happy to announce the promotion of Chrome 43 to the stable channel for Windows, Mac and Linux. Chrome 43.0.2357.65 contains a number of fixes and improvements. A list of changes is available in the log
Cyber Trends
The cybersecurity domino effect (Help Net Security) RedSeal unveiled its survey of high-ranking executives that illustrates widespread concern regarding the potential effects of cyberattacks in corporate America
New Ponemon Institute Survey Reveals Time to Identify Advanced Threats is 98 Days for Financial Services Firms, 197 Days for Retail (Yahoo! Finance) 83 percent of financial services, 44 percent of retail firms experience more than 50 incidents per month
Can you afford to wait 197 days to detect a threat? (Help Net Security) Financial services and retail organizations agree, advanced threats are the most serious security challenge facing their organizations, shows a new Ponemon Institute study
Too many false positives in traditional security approaches (IT Pro Portal) According to 62 per cent of IT professionals traditional security approaches produce too many alerts and false positives for them to handle
Why Companies Need to Learn How to Share (Information Security Buzz) For many years, members of this industry have been wary about sharing their intellectual property with others. They believed doing so would jeopardize their competitive differentiation and business opportunities
The user is today's new corporate security perimeter (CIO) 'The security perimeter in organisations is dissolving - IT and security management can no longer count on well-defined network security perimeters to protect their organisations,' according to the latest Global Threat Intelligence report
Enterprise employees choose adult content, app downloads over security (ZDNet) Research suggests despite knowing otherwise, workers worldwide regularly ignore IT policies and place businesses at risk
Marketplace
The Benefits and Limits of Cyber Value-at-Risk (Wall Street Journal) Many CIOs across industries struggle to answer questions about cyber risk posed by their executive teams and boards of directors: How likely are we to experience a damaging attack?
CSC Board Approves Plan for Separate Commercial-, US Public Sector-Focused Companies (GovConWire) The board of directors at Computer Sciences Corp. (NYSE: CSC) has approved a plan to divide the Falls Church, Va.-based technology and services contractor into two separate publicly-traded companies: one solely focused on the U.S. public sector, with another for commercial enterprises and non-U.S. government agencies
Symantec Security Has A Growth Problem (Seeking Alpha) Symantec will soon be splitting up into two standalone companies. The security division is suffering from weak sales, and does not seem to be profiting from surging enterprise demand. At the moment, the prospects of the standalone security company don't look particularly good
Sources: Sophos To Acquire Email Security Player Reflexion Networks (CRN) Sophos this week will acquire SMB email security and archiving powerhouse Reflexion Networks, CRN has learned
Will AVG Sustain Its Impressive Growth? (Guru Focus) AVG Technologies (AVG) is a Czech company that specializes in computer security software
Security Startup vArmour Hires Experienced Tech Team, Plans ‘Healthy’ Channel Program (VAR Guy) A data security startup is arming itself with a raft of tech-industry veterans in its mission to provide the latest technology to help secure the enterprise data center with substantial help from the channel
Products, Services, and Solutions
How a Small Taiwanese Software Company Can Impact the Security of Millions of Devices Worldwide (SEC Consult Blog) Today the SEC Consult Vulnerability Lab released an advisory regarding a vulnerability in a software component called NetUSB. This post intends to give some background information about this vulnerability
ThreatConnect, Inc. Announces Free Edition for ISACs and ISAOs (BusinessWire) Industry's most widely adopted and comprehensive threat intelligence platform is available immediately to all ISACs, ISAOs, and their members
Catbird Releases Catbird For OpenStack (BusinessWire) First and only solution to enable security policy to move across on- and off-premises infrastructure and leading cloud platforms
Technologies, Techniques, and Standards
What every CSO should be doing now about the Starbucks potential hack (CSO) The potential hack of the Starbucks' app is now a major news story
8 Android security tips for IT, corporate users (CIO via CSO) A set of security experts shares actionable tips for IT departments and users to help reduce the risk associated with the popular mobile OS
Healthcare's 'Internet of Things' should be the 'Security of Things' (Healthcare IT News) There are six fundamental questions to ask about connected devices
CISO: Compliance Is Wrong InfoSec Focus (HealthcareInfoSecurity) Tips for building stronger information security programs
What combination locks teach us about encryption weakness (CSO) Attacking the implementation of a cryptographic algorithm can be much easier than attacking the algorithm itself
Secure smart devices for the holiday season (Help Net Security) Summer is almost here and many are currently considering taking their beloved smart devices with them on their travels. However, the risks of doing so are sizeable
NARA records management guidance should have addressed metadata, says GAO (FierceGovernment) National Archives and Records Administration guidance on how agencies should manage digital records failed to address metadata, which is information that describes a digital asset, according to a May 14 report from the Government Accountability Office
Design and Innovation
A lockbox in the cloud: Microsoft research project reveals new method for keeping data private (Next at Microsoft) Microsoft researchers have created a new system that keeps data stored in the cloud safe from prying eyes or malicious players even when it is being accessed to make calculations
Research and Development
Navy Needs Help Making Sure Its Drones are Hack-Proof (Nextgov) The Navy says it's not sure what kind of cyber threats its drones, sensors and missiles are up against
Legislation, Policy, and Regulation
Saudi Arabia committed to increase cyber security measures (Zawya) Over the last several years, it has become clear that the short list of the world's principal challenges includes cybersecurity and the threat of cyber-crime to governments and private organizations and citizens alike
Are We Exaggerating China's Cyber Threat? (Diplomat) A new Harvard report suggests that China may not be much of a threat to U.S. cybersecurity. Is that really the case?
Cyber security bills focus on info sharing (Banking Exchange) Congress likely to consider three measures this month
Congress wants companies facing cyber attacks to share data, and it's not a moment too soon (Quartz) Successful executives know that putting together the right team is a key element in achieving goals and overcoming challenges. In fact, walk into any CEO's office and you are likely to find a number of books on teamwork sitting on the bookshelf. But corporate managers aren't the only ones who recognize the value of collaboration. We've learned the hard way that hackers and other bad actors in cyberspace have become proficient in finding ways to collaborate and share information in real-time on exploits and other offensive strategies
The importance of good threat intelligence (Help Net Security) The cyber-threats our organizations face are continuing to evolve, partly in respect to the broadening motivations behind attacks, and partly due to the increased sophistication of the attacks themselves
McConnell: Senate to vote on bill to end NSA bulk collection (NorthJersey.com) The Senate will vote on legislation that ends the National Security Agency's bulk collection of millions of Americans' phone records as Congress scrambles to renew the Patriot Act before it expires on June 1
As Congress Haggles Over Patriot Act, We Answer 6 Basic Questions (NPR) The rest of the month is setting up to be pretty dramatic in the Senate
Survey finds most US residents want changes to Patriot Act surveillance (IDG via CSO) U.S. residents have major problems with government surveillance, and six in 10 want to see the records collection provisions of the Patriot Act modified before Congress extends it, according to a survey commissioned by a civil rights group
ACLU, Tea Party take on federal spying: 'They've gone too far' (The Hill) The American Civil Liberties Union (ACLU) and a top Tea Party organization are teaming up to pressure lawmakers to oppose renewing controversial parts of the Patriot Act that undergird National Security Agency (NSA) operations
Please no non-consensual BACKDOOR SNIFFING, Mr Obama (Register) Major tech firms against vulnerability by default
Snowden Sees Some Victories, From a Distance (New York Times) For an international fugitive hiding out in Russia from American espionage charges, Edward J. Snowden gets around
Litigation, Investigation, and Law Enforcement
MicroTech sues HP over Autonomy debacle (MicroScope) It was revealed on Monday that MicroTech is suing Hewlett-Packard for $16.6m in unpaid invoices from Autonomy. Invoices that HP claims never actually existed