Cyber Attacks, Threats, and Vulnerabilities
Cyber Security for the Power Grid — Why We Should Fear Hackers (but not Squirrels) (The CyberWire) Applied Control Solutions' Joe Weiss, an industrial control systems security expert who is also the Managing Director of the ISA99 standards body, spoke about the December 2015 cyber attack on the power grid in Western Ukraine and the lessons both cyber security and control system specialists should draw from it. He put the incident in context and explained to us why people should take cyber threats to control systems very seriously indeed
More Signs Point To Cyberattack Behind Ukraine Power Outage (Dark Reading) 'KillDisk' and BlackEnergy were not the culprits behind the power outage — there's still a missing link in the chain of attack
Nuclear Facilities in 20 Countries May Be Easy Targets for Cyberattacks (New York Times) Twenty nations with significant atomic stockpiles or nuclear power plants have no government regulations requiring minimal protection of those facilities against cyberattacks, according to a study by the Nuclear Threat Initiative
As Final Head-of-State Nuclear Security Summit Approaches, Nunn and NTI Warn of Slowing Progress on Preventing Nuclear Terrorism (Nuclear Threat Initiative) 2016 NTI Nuclear Security Index finds countries unprepared for cyber attacks on nuclear facilities; introduces new "sabotage ranking"
'Dark DDoS' — a growing cyber security threat for 2016 (Infosecurity Magazine) Today's DDoS attacks are almost unrecognizable from the simple volumetric attacks that gave the technique its name. No longer the preserve of bad actors coding in their bedrooms to carry out protests, today's attacks have the power to wreak significant damage — as all those affected by the TalkTalk and Carphone Warehouse breaches last year will know
#TangoDown: The 'biggest ever' web attack that wasn't (ZDNet) A hacker group attacked the BBC's website on New Year's Eve, which was later claimed as the "biggest ever" attack. But that claim unraveled when basic facts got in the way
DDoS Attacks Increased by 180% Compared to 2014, Reveals Akamai Report (Tripwire: the State of Security) Last September, CloudFlare detected a large-scale browser-based L7 flood
Defense One: Islamic State has written its own encrypted communications app (Network World) It's the scenario predicted by those opposed to government encryption backdoors
EXCLUSIVE: ISIS Inspires Terrorism Emoji Trend (Vocativ) Groups ranging from Lebanon's Hezbollah to Yemen's Houthi rebels created their own set of stickers for Telegram in ISIS' footsteps
ISIS supporters launch online cyberwar magazine (C4ISR & Networks) Supporters of the Islamic State group have published the first issue of Kybernetiq, an online magazine intended to arm prospective jihadists with cyberwarfare knowledge
A News Agency With Scoops Directly From ISIS, and a Veneer of Objectivity (New York Times) The San Bernardino shootings. The killing rampage this week in a Baghdad mall. On Thursday, it was the explosion that ripped through a Starbucks in Jakarta. In each of those terrorist attacks, an outlet called the Amaq News Agency was first with the news that the Islamic State was going to claim responsibility. The agency has been getting the scoops because it gets tips straight from ISIS, and for those of us on the terrorism beat, that has made Amaq a must-read every time a bomb goes off
'Acedia' And An ISIS-Centered Life Full Of Toxic Purpose (MEMRI) Some might say that the spirit of the modern age, at least in the developed West, is all about an exaltation of the self, or about the primacy of personal choice, or about sexual fulfillment and other hedonistic pleasures. Some critics might point to a spiritual malaise with ancient roots
SlemBunk Android Banking Trojan Gets More Dangerous (Infosecurity Magazine) The SlemBunk Android banking trojan identified late last year has turned out to be more persistent than originally thought — and is being used as part of an ongoing and evolving campaign
How malware developers could bypass Mac's Gatekeeper without really trying (Ars Technica) New researcher pokes holes in Apple's whack-a-mole approach for fixing Gatekeeper
Apple's 'Targeted' Gatekeeper Bypass Patch Leaves OS X Users Exposed (Threatpost) Apple has had two cracks at patching a vulnerability that allows malicious apps to bypass its OS X Gatekeeper security feature, and twice has taken a shortcut approach to the fix, said the researcher who reported the flaw
Advantech EKI Vulnerable to Bypass, Possible Backdoor (Threatpost) Researchers have uncovered yet another issue — and potential backdoor — in Advantech's beleaguered EKI-1322 serial device server
Malvertising — why fighting adblockers gets users' backs up (Naked Security) Making malware predictions is a popular but often frustrating pastime
Security Firm Finds Zero-Day Flaw by Turning Users Into Honeypots (eWeek) Kaspersky turned details of a Silverlight flaw into detection rules. When an attacker exploited the vulnerability, it had enough information to pinpoint the flaw
Exploit seller, Hacking Team CEO chat lead Kaspersky to zero-day vulnerability (SC Magazine) After Hacking Team, the controversial peddler of zero-day exploits, found itself hacked and the Italy-based company's data was leaked onto the BitTorrent protocol, researchers at Kaspersky Lab decided to follow a hunch.
Copyright Blocking Security Research: Researchers Barred From Exploring Leaked Archive (Tech Dirt) Two researchers for Kaspersky Lab, Costin Raiu and Anton Ivanov, have published an absolutely fascinating tale of how they successfully tracked down a zero day exploit in Microsoft Silverlight
Anonymous Releases 1GB of Data from Supreme Court of Thailand (Softpedia) Ten days after launching operation #BoycottThailand, the Anonymous hacker collective has just released 1GB of data stolen from the Supreme Court of Thailand
Top spy James Clapper is latest victim of (alleged) teen hackers (Naked Security) A few months ago, a "teen stoner" allegedly hacked into an AOL account belonging to the head of the CIA and leaked information about him gleaned from private documents
IoT 'ding-donger' reveals WiFi passwords (SC Magazine) The Ring WiFi doorbell, an IoT device, allows users to view whoever is on their doorstep via the internet from a mobile device when they are not home
VTech lost kids' photos, but still wants to help with yours… (Best VPN) On 14 November 2015, toy manufacturer VTech had its Learning Lodge and Kid Connect applications hacked in a cyber attack
Cyber Trends
Hack the Toaster, Cyber National Guard & Why L0pht Didn't Shutter the Internet (New America) Chris Wysopal, a.k.a. Weld Pond, chief technology officer of application security firm Veracode, joins The Cybersecurity Podcast to discuss the suspected cyberattack on the Ukrainian power grid, ways to increase transparency about cybersecurity expertise at publicly traded companies, and why the L0pht hacking collective he once belonged to didn't want to shut down the Internet back in the 1990s just to prove to senators it could
ShmooCon: Hackers and frozen hotel rooms (Day 0) (CSO) Salted Hash has traveled to the nation's capital for ShmooCon
Tripwire Study: Cyber Attackers Successfully Targeting Oil and Gas Industry (BusinessWire) Eighty-two percent of oil and gas IT professionals see significant increase in successful cyberattacks
Clawback: Reports Suggest Companies Paying To Reclaim Stolen Data (Guardian) A recent news report and a survey suggest that companies may be paying to get back data stolen more often than you'd think
Morale Remains Low Around Health and Fitness App Security (Threatpost) It seems little has changed over the last several years when it comes to how health and fitness apps go about securing user information
Report reveals scale of health record data breaches (ComputerWorld) 392 million protected health records disclosed globally
Who really owns your Internet of Things data? (ZDNet) In a world where more and more objects are coming online and vendors are getting involved in the supply chain, how can you keep track of what's yours and what's not?
Gazing into access control crystal ball for 2016 (Security Info Watch) Although access control may not generate the same amount of headlines that other product segments do when it comes to technology innovation in the security industry, the fact is the market has experienced a proverbial whirlwind of change in recent years
Don't rely on government to defeat cyber crime: Business needs to get its act together (City A.M.) If 2015 taught us anything, it's that it is now a question of when, not if, our data will be compromised. Therefore, 2016 must be the year that business gets serious about the importance of cyber security
Privacy and Information Sharing (Pew Research Center) Many Americans say they might provide personal information, depending on the deal being offered and how much risk they face
This is how much spear phishing costs companies (CIO) Despite spending an average of $319,327 on spear phishing prevention in the past 12 months, an estimated 28 percent of attacks are getting through and are costing companies dearly
Infected — Hackers take aim at the Mittelstand (Unternehmeredition) Many companies are caught off guard
Marketplace
Legal Mandates Fuel Cybersecurity Insurance Growth (Bloomberg BNA) The rise of state data breach notification laws, as well as federal breach notice and data security obligations affecting some businesses, largely created the demand for cybersecurity insurance, analysts told Bloomberg BNA
Raytheon Websense rebrands as Forcepoint, acquires Intel Security's Stonesoft (ZDNet) Cybersecurity firm Raytheon Websense has acquired Intel Security's firewall business, with the three companies to be known collectively as Forcepoint
IBM to tackle fraud with Iris Analytics (IDG via CSO) IBM is adding to its fraud prevention capabilities with the acquisition of a German software firm
Cyber security company Appthority raises $10 mln (PE Hub Network) San Francisco-based Appthority, a provider of mobile enterprise security services, announced this week it has raised $10 million in Series B funding from existing investors U.S. Venture Partners and Venrock, as well as new investors Blue Coat Systems and Knollwood Investment Advisory
CACI wins $81M Army intel contract (C4ISR & Networks) CACI has been awarded an $81 million Army contract to support intelligence-sharing systems
FirstNet RFP released (GCN) The final request for proposals for a nationwide, wireless, interoperable broadband communications network for first responders has been issued after a year of dialogue with public safety and industry leaders on its objectives and scope
Nick FitzGerald joins ESET as a Senior Research Fellow (Exchange 4 Media) Information security expert, Nick FitzGerald is joining ESET as a Senior Research Fellow. Working with ESET Australia, he will focus on the whole Asia-Pacific region, including his home country, New Zealand
Jim Holtzclaw joins Marsh Risk Consulting as Senior VP (Consultancy.UK) Jim Holtzclaw has joined the Cyber Security Consulting and Advisory Services practice at Marsh Risk Consulting (MRC) as Senior Vice-President. He brings more than 34 years of professional experience to the consultancy, and will be charged with providing the firm's offerings to its private and public client base
Products, Services, and Solutions
WatchGuard Announces New Secure Wireless Access Points so Customers Stay Safer Online (Sys-Con Media) AP300 combines modern wireless features with award-winning security to better protect against network attacks
Rambus Cryptography Research Launches CryptoMedia Platform to Provide Secure Access to Premium Digital Entertainment (BusinessWire) Platform to support VIDITY™ requirements for 4K UHD and High Dynamic Range programming
Check Point Aces Rigorous Testing to Achieve Prestigious Common Criteria Certification (CNN Money) Check Point® Software Technologies Ltd. (NASDAQ: CHKP), the largest pure-play security vendor globally, today announced it has achieved a Common Criteria (CC) certification for Check Point R77.30
Fortscale's user behavioral analytics solution provides full context when truly malicious behavior is detected (Network World) 82% of security attacks involve stolen user credentials. UBA is the best type of tool to determine when those credentials are being used for malicious purposes
Technologies, Techniques, and Standards
JavaScript Deobfuscation Tool (Internet Storm Center) Emails remain a nice way to infect people: Write a message with pertinent information, respect the format and style of the organization you're targeting, add some social engineering and you have good chances that your victim will open the attached malicious file
Compliance compounded by evolving threat landscape (Help Net Security) As industry business models change, compliance challenges are being compounded by an evolving threat landscape and by increased scrutiny from federal agencies looking to protect critical data
Server Hardening (Linux Journal) Server hardening. The very words conjure up images of tempering soft steel into an unbreakable blade, or taking soft clay and firing it in a kiln, producing a hardened vessel that will last many years. Indeed, server hardening is very much like that
Six Mistakes That Could Threaten The Security Of Your Web Applications (Forbes) When it comes to monitoring the security of your company's web applications, no detail (no matter how small) can be overlooked. After all, it only takes one vulnerability to take down your business and compromise your customers' sensitive data
Why thinking like a criminal is good for security (CSO) When planning an attack, criminals study their target victims looking for the weakest links.
Create a Back-Up Plan for Your Data (Stamford Advocate) Don't wait until Armageddon strikes
How To Run A Data Breach Fire Drill (Law 360) When a data breach hits a company, it delivers a healthy dose of stress, panic and urgency — and it's just about the worst environment for an incident response team to put its procedures into action for the first time
Design and Innovation
What Everybody Misunderstands About Privacy Pioneer David Chaum's Controversial Crypto Plan (Fortune) Can the online privacy master's scheme disrupt the "encryption wars"?
Building Security In versus Building Security On (SecurityWeek) Built in or bolted on? When have you ever seen "bolted on" as the first choice of anyone in just about any imaginable scenario? Yet for software security, "bolted on" is certainly the norm
Research and Development
ONR Research Seeks Quick-Reaction Capabilities, Breakthrough Technologies (Seapower) The director of the Office of Naval Research (ONR) said he divides his $2 billion science and technology budget into quick-reaction programs that can bring new capabilities to the fleet quickly, in efforts to mature technology that will produce better systems in three to four years, in "leap-ahead innovation" that could become operational within eight years, and into discovery and invention that can uncover new concepts to yield breakthrough capabilities for the warfighters a decade from now
Academia
UCF cyber defense club recognized as best in nation (Central Florida Future) After dominating the collegiate cyber defense circuit last year, Hack@UCF was recognized for best overall performance of the year based on 21 cybersecurity competitions spanning from June 2014 to May 2015
Legislation, Policy, and Regulation
Industry sceptical of new NIS directive passed today (SC Magazine) European member states face a new set of cyber-security rules following a vote in the European Parliament's Internal Markets Committee but industry experts were not impressed
France Moves to Better Coordinate Its Antiterrorism Efforts (Wall Street Journal) French intelligence agencies to share information and resources
In debate, Republicans call on tech sector to aid terrorism fight (Christian Science Monitor Passcode) In the wake of the terrorist attacks in Paris and San Bernardino, most Republican candidates are betting that public worries over national security may supersede concerns over free speech and privacy issues
Jeb Bush Proposes Putting NSA in Charge of Civilian Data, Cybersecurity (Fast Company) The GOP presidential candidate also proposed offering liability relief to tech companies that share data with law enforcement officials
Going Native: A Career Pipeline For U.S. Military Success Out in Silicon Valley (Foreign Policy) Just as we needed people who could interpret for us in Afghanistan and Iraq, so do we need soldiers who can do the same for us in Silicon Valley and other centers of technological innovation across the country
New York tries to force phone makers to put in crypto backdoors (Naked Security) The sport of holding Apple, Google and other tech companies over a barrel to demand backdoors now has a new player: New York
Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt (Ars Technica) NY assemblyman: "Terrorists will use these encrypted devices" to plan attacks
FBI seeking permanent CIO (Federal Times) The FBI is looking for a new agency CIO to fill the vacancy left by its previous top IT manager who departed in August
Litigation, Investigation, and Law Enforcement
State designates Afghan ISIS a foreign terrorist organization (The Hill) The State Department has officially designated the Islamic State in Iraq and Syria's Afghanistan affiliate as a foreign terrorist organization
FTC Cautions Businesses on Big Data Use (Legaltech News) Companies must proceed with caution as they use consumer surveillance tools made possible in today's 'big data' era
Sen. Franken Questions Google About Student Data Privacy (re/code) Sen. Al Franken has asked Google to explain what it does with the personal, private data of students who use its Google Apps for Education products and Chromebooks
The Widow of a Man Killed in Islamic State Attack Is Suing Twitter (Reuters via Vice News) Twitter is being sued by the widow of an American killed in Jordan who accuses the social media company of giving a voice to Islamic State (IS), adding to the pressure to crack down on online propaganda linked to terrorism
Twitter, ISIS, and Civil Liability (Lawfare) A few months ago, we wrote a lengthy piece about the possibility that Apple could face civil liability for providing end-to-end encryption to criminals and terrorists. We got a lot of heat for this piece. But today it's looking pretty good
How Twitter quietly banned hate speech last year (Ars Technica) Company now emphasizes safety and free expression rather than lack of censorship
'Good enough' isn't good enough to secure NRC network center (FCW) The Nuclear Regulatory Commission's network security operations center meets the operational security requirements under an IT services contract, but there's room for improvement, according to a report from the commission's inspector general
The cyber law series: How data privacy and surveillance have crept into the workplace (Tech 2) Privacy concerns take two forms: data privacy and surveillance. The first is an issue that is being addressed, with laws in place protecting and restricting the collection of data
With new deal in place, Sweden asks to question Assange at embassy (Ars Technica) WikiLeaks founder still facing possible sex offense charges
Student who hacked college website escapes jail time, gets job offers (Naked Security) Ryan Pickren was only playing a prank, or so he thought until he found himself in jail on Christmas Eve 2014, facing charges of "computer trespassing"
Online predator busted after being intercepted by tech-savvy mom (We Live Security) Being a tech-savvy parent is one way to make your child's online experience secure, as a recent story has revealed. In what was an almost textbook example of online grooming that surfaced only a few days ago in Colonie, New York, a watchful mom uncovered and helped to arrest an online predator
Wanted man nabbed after he sends police a more flattering mug shot (Naked Security) You have to admit, he did look a bit puffy. Shiny cheeks don't help