Cyber Attacks, Threats, and Vulnerabilities
Kiev airport goes dark after 'BlackEnergy-linked' power outage (Register) No prizes for guessing who the prime suspect is
Ukraine says to review cyber defenses after airport targeted from Russia (Reuters) Ukrainian authorities will review the defenses of government computer systems, including at airports and railway stations, after a cyber attack on Kiev's main airport was launched from a server in Russia, officials told Reuters on Monday
Scary questions in Ukraine energy grid hack (CNN Money) American investigators are traveling to Ukraine to investigate a recent electricity blackout — perhaps the first major act of cyberwar on a civilian population
DHS Issues Warning About Vulnerabilities Of Electrical Power Infrastructure From Cyber-Attacks (Science Times) Power plants and factories are increasingly at risk by employing industrial control systems that are vulnerable to hacks
Worried about cyberattacks on US power grid? Stop taking selfies at work (Christian Science Monitor Passcode) Experts warn that malicious hackers gain valuable insight when companies and employees reveal too much information on the Web — especially when they work at sensitive facilities
U.S. sees jump in cyber attacks on critical manufacturers (Business Insurance) U.S. Department of Homeland Security investigations of cyber attacks on the nation's critical manufacturing sector nearly doubled in the year ended Sept. 30, according to the agency
'Patriotic hackers' attacking on behalf of Mother Russia (Fox News) A proxy war is underway in cyberspace, according to I.T. security analysts, and it is pitting numerous foreign institutions against Russian-speaking cyber militias beholden to President Vladimir Putin
Russian Embassy in Israel Website Hacked — Hackers Post Turkish Flag (Hack Read) The official website of the Russian embassy in Israel was hacked and defaced by Azerbaijani hackers — Thanks to the words for war between the governments
Opinion: Were US sailors 'spoofed' into Iranian waters? (Christian Science Monitor Passcode) In 2011, Iran spoofed — or faked — Global Positioning System signals to send a CIA drone off course. Did it do the same to trick Navy vessels into Iranian waters?
'Islamic State hackers' attack top tier Chinese university's website urging holy war (South China Morning Post) One of the most famous universities in China says its website has been hacked by a group or person claiming to be linked to the militant organisation Islamic State
The Islamic State vs. Al-Qaeda: the War within the Jihadist Movement (War on the Rocks) The post-Arab Spring period has seen extraordinary growth in the global jihadist movement
Hackers reveal flaws in cyber security framework: experts (The Nation) The recent hacking of government websites has called into question the government's cyber security standards and risked its reputation for management, but a single gateway was not a solution to that problem, cyber security specialists said yesterday
'Teens' Who Hacked CIA Director Also Hit White House Official (Motherboard) The hacking group that has been targeting government officials since October, when it broke into the AOL email account of CIA Director John Brennan, has claimed yet another victim
Operation DustySky (Clearsky Cyber Security) DustySky (called "NeD Worm" by its developer) is a multi-stage malware in use since May 2015. It is in use by the Molerats (aka Gaza cybergang), a politically motivated group whose main objective, we believe, is intelligence gathering. Operating since 2012, the group's activity has been reported by Norman, Kaspersky, FireEye, and PwC
German data surveillance includes Finland (Uutiset) According to leaked German intelligence documents, German intelligence agency BND monitored phone calls and possibly Internet traffic to and from Finland in the 2000s
Open sauce has zero-day bugs too (TechEye) A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is used by shedloads of Linux kernel-based operating systems and software applications and Mac OS X and Windows platforms has been spotted
Rarely Patched Software Bugs in Home Routers Cripple Security (Wall Street Journal) Wi-Fi devices, vulnerable to hackers, show difficulty of updating software after release
How email in transit can be intercepted using DNS hijacking (Help Desk Security) This article looks at how an attacker can intercept and read emails sent from one email provider to another by performing a DNS MX record hijacking attack
Cryptsy Hacked: Bitcoin Worth $USD 6 Million Stolen (HackRead) The hacker inserted a Trojan malware into Cryptsy's code so that he could access precious information and transfer cyber currencies
ShmooCon: LastPass design elements create perfect Phishing opportunity (CSO) At ShmooCon on Saturday, Sean Cassidy, the CTO of Praesidio, demonstrated a clever attack against LastPass, which is possible thanks to a security trade off and easily spoofed UX elements
PayPal is making it too easy for the zero dollar invoice spammers (Graham Cluley) A security researcher has uncovered a new form of PayPal spam: zero dollar invoices that evade the company's filters and fail to trigger the typical characteristics of a suspicious email
Kickass Torrents The Latest Victim of DDoS Attacks (Hack Read) The Internet's largest torrents platform Kickass faced major outage due to a series of powerful DDoS attacks by unknown hackers
Agency of 'flag row' Taiwan K-pop star under cyber attack (AFP via Yahoo! News) A South Korean entertainment company, criticised for its handling of a row over a teenage Taiwanese K-pop star forced to apologise for waving the island's flag, has had its website brought down by hackers, a spokesman said Tuesday
Hyatt completes investigation of 2015 cyber breach (Business Insurance) Hyatt Hotel Corp. has completed its investigation of last year's cyber breach, according to the Chicago-based hotel chain
Shopping online at ASDA could put your credit card details at risk (Graham Cluley) British shoppers might want to check out the following YouTube video by security consultant Paul Moore, especially if they buy their groceries online from ASDA
Malvertising — why fighting adblockers gets users' backs up (Naked Security) Making malware predictions is a popular but often frustrating pastime
Exploit Kits as a Service — How Automation Is Changing the Face of Cyber Crime (Heimdal) If you've been reading this blog for a while now, you're probably pretty much up to date with major threats and painless advice that can help you stay safe online (if you apply the advice, of course)
Hackers promise sophistication, subterfuge — even sex, say experts (Times of Israel) The New Year brings new techniques to an old art — and hackers are thriving as never before, say top cyber-security experts in Israel
Alleged female ISIS supporter tells men to stop sending her d**k pics (Daily Dot) Every woman on social media has received at least one unsolicited message from a man
Bulletin (SB16-018) Vulnerability Summary for the Week of January 11, 2016 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week
Security Patches, Mitigations, and Software Updates
Microsoft updates support policy: New CPUs will require Windows 10 (ZDNet) In a change to its longstanding support policy, Microsoft says PCs based on new CPU architectures, including Intel's Skylake chips, will require Windows 10. A list of preferred systems will support older Windows versions on new hardware, but only for 18 months
Cyber Trends
Liability can change attitudes to corporate cybersecurity (Infosecurity Magazine) Throughout the past century we've witnessed how liability, regulation and legislation have been instrumental in improving security and safety. As Britain marks 50 years since the first seatbelt law was introduced this month, we celebrate how driver liability changed norms and saved thousands of lives
How to Improve Cybersecurity? Just Eliminate the Human Factor (Wall Street Journal) The computer systems that run our world — the ones that secure our financial information, protect our privacy and even keep our power grid running — all have a critical, unpatchable weakness. It's the humans who use them
The changing face of the security industry (Security Info Watch) While many organizations' executive-level security positions have historically been filled by those with law enforcement or military experience, there is a growing contingent of young security industry professionals who come from very diverse backgrounds and possess a wide variety of skill sets
Countries underestimate risk of cyber attack, says WEF (Computer Weekly) Cyber attacks are one of the most serious risks facing global economies, according to the World Economic Forum's 2016 risk report
Cisco Reports Rapid Rise of Unauthorized Cloud Usage (Wall Street Journal) CIOs may not realize how often employees route around corporate networks
Compromised credentials a leading concern for most security pros (Help Net Security) 90% of organizations are worried about compromised credentials, though 60% say they cannot catch these types of attacks today, according to a new survey by Rapid7
Key principles for corporate digital responsibility (Help Net Security) Businesses' use of personal data from consumers is at risk and recommends key strategies and principles to properly protect consumer data, build trust and simultaneously grow their businesses
Why the legal sector is risking confidential information (Help Net Security) The lack of unique logins, manual logoffs and concurrent logins is putting confidential information in the legal sector at risk, new research has revealed
Under the HIPAA Radar: Small-Scale Violations of Medical Privacy (LinkedIn) A recent ProPublica article highlighted how small-scale medical data privacy breaches are causing harm across the nation
Marketplace
Has the Time Come to Sell Check Point, the Reliable Cyber Stock? (Bloomberg Business) Check Point Software Technologies Ltd.'s reputation among cybersecurity stocks rests on being a safe, if boring, investment. Now shortsellers are circling the world's top firewall provider in anticipation of a stumble
Despite Strong Competition, FireEye Looks Attractive on the Pullback (Guru Focus) Strong billing growth suggests the recent selloff may have pushed the stock too low
Can FireEye Inc (NASDAQ:FEYE) Impress In 2016? (Invest Correctly) FireEye Inc (NASDAQ:FEYE) was largely a source of disappointment last year despite its operating margins improving steadily throughout the year
Password Manager flaw will hurt Trend Micro's reputation (Network World) The problem was addressed quickly but potential damage remains unknown
Meet Forcepoint: Raytheon's Newly Renamed Cyber Business (Fortune) CEO insists the name was not inspired by "Star Wars"
Thales Steps Up Protection Against Cyber Attacks (AIN Online) Thales is accelerating its efforts to improve cybersecurity in avionics with the air transport increasingly recognizing the gravity of the threat computer hackers present
Fast growing Dynamic Networks secures strategic acquisition (Yorkshire Post) Dynamic Networks has bought V-Earth, an IT services and support company, as part of a strategy to extend its services to customers across Yorkshire
Freshly Funded U.S. Botnet Security Company Eyes Chinese Market (China Tech News) U.S.-based information security company Shape Security recently completed its fourth round financing of USD25 million, which will be reportedly used to expand into the Chinese market
National cybersecurity center could become 'huge economic driver' for Colorado Springs (Colorado Springs Gazette) The opening of a National Cyber Intelligence Center in Colorado Springs is expected to accelerate efforts to make the city a national hub for cybersecurity that will help the thriving local industry grow more quickly, officials say
Products, Services, and Solutions
Swivel Secure Launches Swivel Cloud (Yahoo! Finance) Removes CAPEX investment needed to deploy multi-factor authentication; protects application gateways throughout enterprise cloud migration
Damballa and Interface Masters Partner to Provide Robust Network Visibility and Security Threat Detection Solution (EIN News) Turn-Key Passive Solution for Advanced Cyber Threat Security Includes Failsafe(R) Sensor and Network Active Tap
LastPass's password-shuffling rival Dashlane gets a makeover (Register) Also learns a few new languages
Technologies, Techniques, and Standards
Network Security Sandboxes Driving Next-Generation Endpoint Security (Network World) Anti-malware gateways are driving next-generation endpoint security implementation and antivirus replacements at large organizations
The Right Questions: What CIOs should be asking in the event of a security breach (Computer Business Review) Opinion: Andrew Nanson, CTO at CORVID, looks at what questions CIOs need to be asking to ensure they can report to the board with confidence and negate any chance of future data breaches of the same nature
Endpoint security really can improve user experience (Help Net Security) Traditional security policies are intrusive and impact user productivity
How to build the ultimate free PC security suite (PCWorld) Take some time this weekend to secure your PC without spending a dime
Design and Innovation
Northrop Lays Out Vision for 'Cyber Resilient' Next-Gen Fighter (Defense News) Northrop Grumman is still ramping up its work on the Pentagon's most advanced fighter jet, the F-35 Joint Strike Fighter, but the company is already thinking about what comes next
Academia
U of T senior research fellow named Forbes' Top 30 Under 30 (The Varsity) Claudio Guarnieri on his win in enterprise technology
Cyber team forms at the Coast Guard Academy (New London Day) A newly formed cyber team at the Coast Guard Academy is providing a route for cadets to deepen their knowledge of computer networks — how they work, how to secure them, and how to identify vulnerabilities within them — while also earning sports credit for their participation
Legislation, Policy, and Regulation
EU-US Safe Harbor Data Flow Talks Still Sticking On Surveillance (TechCrunch) As the three-month deadline for Europe and the U.S. to agree a new transatlantic data transfer deal looms, EC officials are briefing that the U.S. needs to do more to improve transparency around its government mass surveillance programs in order to secure an agreement
Cryptographic backdoors? France says, "Non!" (Naked Security) Genuinely strong encryption — the sort of encryption that is as good as unbreakable if used correctly — is now readily available, even in consumer devices such as mobile phones
On the naughty step (Economist) A slap on the wrist for Poland is a big test for the European Union
Agencies return to drawing board on proposed rules for 'cyber weapons' (Federal News Radio) Over the last several months, security researchers, private firms and some governmental organizations have expressed alarm at federal rules intended to prevent proliferation of offensive cyber tools
Schneck: Export controls could hinder cyber work (Federal Times) A set of export controls, intended to promote transparency and greater responsibility in the exports of weapons systems and other technologies, poses a risk of compromising cybersecurity, according to a Department of Homeland Security official in testimony before a joint House subcommittee hearing
Uproar over Wassenaar followed by GAO report on surveillance tech sales to Iran (SC Magazine) On the heels of Tuesday's Congressional uproar over the Commerce Department's proposed changes to the Wassenaar Arrangement, the Government Accountability Office published a report of companies selling surveillance technologies to Iran, against a longstanding ban on the sale of such technologies to the Iranian government
NSA claims to meet privacy safeguards (The Hill) The National Security Agency is adequately protecting Americans' civil liberties and privacy as it shifts to a new intelligence collection program, it claimed in a transparency report released on Friday
NSA Releases USA FREEDOM Act Transparency Report (IC on the Record) The National Security Agency announced today the public release of its new report on the implementation of the USA FREEDOM Act, along with specific procedures — adopted by the U.S. Attorney General and approved by the Foreign Intelligence Surveillance Court — that are designed to protect privacy rights
The government wants Silicon Valley to build terrorist-spotting algorithms. But is it possible? (Fusion) Last week, a bunch of important people from Washington, D.C. packed their bags and flew to California to meet with a bunch of important people from Silicon Valley
Securities and Exchange Commission gets tough on cyber security (Financial Times) US regulator signals that prevention is the centrepiece of its strategy
FDA proposes cybersecurity guidance for medical devices (Reuters via Yahoo! News) The U.S. Food and Drug Administration on Friday issued draft guidelines to medical device makers on how to protect patients from cybersecurity vulnerabilities in their devices
China to incorporate IP violations into "social credit" system for enterprises (World Trademark Review) Chinese enterprises with a record of IP infringement may soon have that fact reflected in their credit histories. The latest indication came in December, when the country's chief administrative body, the State Council, included the idea in its "Opinion on Building a Strong IP Nation", a blueprint for future reforms
UAE cooperates with UK to increase its cyber security (The National) With Dubai's Expo 2020 four years away, the UAE is increasing its security and is calling on the experts in the UK who have years of experience with major events such as the Olympic Games
Pakistan Lifts Its Three-Year Ban On YouTube (TechCrunch) YouTube has become available in Pakistan today, ending a three-year-ban on the Google-owned video site
State CIOs agenda targets cybersecurity (CSO) NASCIO's federal policy agenda for new year looks to expand resources to secure critical infrastructure, recruit top talent and ease the burden of federal regulations
John McAfee claims cyberwar 'clearly on the horizon' (CRN) McAfee founder argues cybersecurity should be a bigger topic in US presidential race
Dem candidate O'Malley: Regardless of backdoors, warrant always needed (Ars Technica) Clinton, Sanders, and O'Malley touch on encryption in Democratic Party debate
Litigation, Investigation, and Law Enforcement
Firm Sues Cyber Insurer Over $480K Loss (KrebsOnSecurity) A Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a $480,000 loss following an email scam that impersonated the firm's chief executive
Court refuses to dismiss Travelers cyber defense case (Business Insurance) A U.S. District Court in Utah has refused to dismiss a claim by a Travelers Cos. Inc. unit policyholder that the insurer failed to follow industry standards in its denial of defense coverage in a cyber case, in an ongoing dispute between the insurer and its policyholder
Insurer must indemnify genealogy firm that made DNA results public (Business Insurance) A genetic genealogy firm is entitled to indemnification and defense coverage by a Markel Corp. unit for the inadvertent release of personal information under its professional liability policies, and a policy exclusion related to receiving unsolicited communication does not apply, says a federal District Court
US casino operator sues cyber security company (Financial Times) Affinity Gaming, an operator of 11 casinos in four US states, is suing cyber security company Trustwave for failing to contain a breach it was hired to shut down, opening a new avenue of liability around data breaches
Security firm sued for filing "woefully inadequate" forensics report (Ars Technica) Hacked casino operator alleges breach continued while Trustwave was investigating
Apple asked widow for court order when she sought late husband's password (Ars Technica) Woman supplied Apple will and death certificate, but it wasn't enough
EXCLUSIVE: Clinton Aides Resisted State Department Suggestion That Clinton Use State.gov Account (Daily Caller) Bombshell emails from the State Department show that a top official at the agency suggested to Hillary Clinton's aide, Huma Abedin, in August 2011 that the then-secretary of state begin using a government email account to protect against unexpected outages of her private email server
Finjan wins big patent victory as USPTO denies institution on 6 Symantec IPR petitions (IP Watchdog) Finjan Holdings, Inc. (NASDAQ: FNJN), a subsidiary of Finjan, Inc., recently announced that the Patent Trial and Appeal Board (PTAB) for the United States Patent & Trademark Office (USPTO) denied six of Symantec Corporation's petitions for inter partes review (IPR) of Finjan patents
Ross Ulbricht appeals Silk Road conviction — did he get a fair trial? (Naked Security) Lawyers for Ross Ulbricht, once known as Dread Pirate Roberts of the Silk Road, filed an appeal last week
Settlement of NYPD Muslim Surveillance Lawsuits: A Platform for Better Oversight (Just Security) Last week, the City of New York agreed to settle two federal lawsuits challenging the NYPD's surveillance of American Muslims, promising to reform the rules that govern how the Department conducts investigations that involve political and religious activity
Woman given a year in jail for tagging sister-in-law in Facebook post (Naked Security) Anybody who watches US TV cop shows knows that anything you say (at least, anything you say in front of cops) can be used against you in a court of law
The Facebook post that led directly to jail — for more than 15 years (Naked Security) A felon from the US state of Tennessee can henceforth be considered Crown Prince of Incriminating Selfies