Cyber Attacks, Threats, and Vulnerabilities
Hackers of two Ukrainian utilities probably hit mining and railroad targets, too (IDG via CIO) The attacks may have been test runs for the devastating power-company hacks
KillDisk and BlackEnergy Are Not Just Energy Sector Threats (TrendLabs Security Intelligence Blog) Our new intelligence on BlackEnergy expands previous findings on the first wide-scale coordinated attack against industrial networks. Based on our research that we will further outline below, attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine
U.S. official blames Russia for power grid attack in Ukraine (CNN) Russia was behind a December cyber attack on Ukraine's power grid that caused widespread power outages, a senior Obama administration official said Thursday
Cricket can get nasty: India v Pakistan rivalry boils over into cyber-war (Register) Cheer at Test results, find yourself hit by SQL injection
Hacktivism: India vs. Pakistan (Recorded Future) When India gained independence from Britain in 1947, a new, predominantly Muslim nation of Pakistan was created during what was called the "partition"
Hackers Breach Bolivian Army Email Servers (Softpedia) Old exploit and bad configuration let the hackers in
Hacktivists Leak Details for 300,000 Chilean Citizens Looking for State Benefits (Softpedia) A group of Chilean hacktivists that go by the name of Chilean Hackers have broken into the database of CONADI and stolen the personal details of 304,189 Chilean citizens looking for state benefits from the country's government
Anonymous Targets South African Government Employees Through Job Portal Hack (Softpedia) Members of the Anonymous hacker collective have breached one of South Africa's job portals, stolen all the data, but only leaked details belonging to government employees
"As certain as tomorrow's sunrise," the FBI will find whoever's responsible. (The CyberWire) Leo Taddeo, currently CSO of Cryptzone and former Special Agent in Charge of the Special Operations/Cyber Division of the FBI?s New York Office, shared his perspective on the recent apparent compromise of data from FBI networks
Faux Insiders Represent the Greatest Cyber-threat to Organizations (Infosecurity Magazine) When it comes to presenting the largest risk to organizations, the insider threat is perhaps the most dangerous
Social engineering is top hacking method, survey shows (ComputerWeekly) Social engineering tops the list of popular hacking methods, underlining the need for continuous monitoring, according to security firm Balabit
5 Reveals About Today's Attack M.O.s From Skype Spying Malware (Dark Reading) T9000 backdoor is built with many of today's cybercriminal tricks up its sleeves
CryptoWall 3.0 Bags Small Cybercrime Ring Over $300K (IT Security Guru) Cyber security firm Imperva has released a new behind-the-scenes report into the infamous CryptoWall 3.0 ransomware, which show just how much cybercrime pays
Cyber criminals hack Netflix: Symantec (ARN) Phishing campaign redirects users to a fake Netflix website and steals payment card details
Cyber attack, 'backbone failure' to blame for Toronto Internet woes: TekSavvy (Toronto Metro News) TekSavvy has been dealing with increased cyber attacks that have played a role in, or caused, at least one of the outages
Fraudsters Tap Kohl's Cash for Cold Cash (KrebsOnSecurity) Scam artists have been using hacked accounts from retailer Kohls.com to order high-priced, bulky merchandise that is then shipped to the victim's home
Phishing via SMS — crooks target Australian mobile banking users (Naked Security) For better or for worse, most of us are familiar with bank-related phishing
Carbanak Hackers Targeting Banks Again, Security Pros Say (American Banker) Carbanak, a type of cybersecurity attack on banks, has been spotted in action again
Financial institutions on high alert for major cyber attack (ComputerWeekly) The financial sector is facing the highest number of organised cyber attacks and multi-channel threats, a ThreatMetrix report reveals
PIN-stealing IRS attack affects 100,000 taxpayers (Naked Security) It's tax filing season in the United States
Is Tax Preparation Software Safe to Use? (Bloomberg BNA) Tax season is one of the most popular times for people to become victims of scams. According to the IRS, tax refund fraud is expected to soar this tax season, reaching $21 billion this year compared to just $6.5 billion two years ago
Social Scams — The Full Breakdown and Protection Plan (Heimdal Security) Remember the time when our email inbox was filled with requests to help endangered (and filthy rich) Nigerian princes?
A Guide on 5 Common LinkedIn Scams (Tripwire: the State of Security) The fact that scammers haunt social media platforms like Facebook and Twitter is not surprising — at the heart of those platforms lies the drive to broaden one's horizons
iovation Shares Data on Online Dating Scams and Mobile Usage Ahead of Valentine's Day (Dark Reading) Firm names top types of dating fraud leading to lonely hearts and catfish scams
6 Cyber Secrets Setting You Up for Betrayal (IT Business Edge) Valentine's Day is near. And while love is grand, the fact is that human nature can sometimes cause heartbreak. Research shows that one in five people are keeping a major secret — such as infidelity or money troubles — from their spouse. Deceit can be a deal breaker
The Dangers of Online Dating: Watch Out for 'Sweetheart Scammers' (Hack Read) Once an almost unheard-of phenomenon, online dating is today a go-to resource for many busy, career-oriented individuals for finding their true love and future partners. While many succeed in finding their loved ones using this relatively new medium, many become victims to what is known as 'romance' or 'sweetheart' scams
Introducing the Sophos Love Song Collection! Happy Valentine's Day IT heroes (Naked Security) If you're a regular reader of Naked Security, or a Sophos user, you might be aware that our marketing department regularly produces pretty spot-on videos that reflect the experience of IT pros
Kaspersky Researcher Hacked a Hospital While Sitting in His Car (Softpedia) It was only a test, hospital management knew about it
Report examines the massive future cybersecurity problem of connected cars (Network World) The cybersecurity of connected vehicles was called 'a massive future security problem just around the corner'
Security Patches, Mitigations, and Software Updates
Mozilla Releases Security Updates (US-CERT) The Mozilla Foundation has released security updates to address vulnerabilities in Firefox and Firefox ESR. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system
It's official: Older versions of IE are now at risk (Computerworld via CSO) Two-thirds of the vulnerabilities patched this week in IE11 and Edge likely exist in now-retired IE7 and IE8, definitely in semi-obsolete IE9 and IE10
Cyber Trends
Deloitte: Cybersecurity Moves to the Offensive (Infosecurity Magazine) Organizations with a sophisticated approach to cybersecurity are no longer satisfied with locking the doors after the robbery has been committed. There is instead a distinct shift toward offense
IT Professionals Overconfident in Their Ability to Detect Breaches, Reveals Survey (Tripwire: the State of Security) In today's ever-evolving world, the PC is no longer the sole endpoint found on organizations' networks
DIA's Vincent Stewart: Cyber, Hostile Intell, Terrorism Key Global Security Challenges (ExecutiveGov) Lt. Gen. Vincent Stewart, director of the Defense Intelligence Agency, has informed the Senate Armed Services Committee that regional security issues, malicious intrusion, transnational terrorism and hostile foreign intelligence activities remain as the biggest threats to the U.S. and its allies
Why cybercrime will always need humans (IT Pro) Kaspersky finds robots won't ever replace hackers completely
Voter targeting becomes voter surveillance (CSO) Political campaigns have always sought to shape their message to attract specific groups of voters. But big data analytics now makes it possible to create personal profiles of individual voters. And that is raising concerns among privacy advocates
Marketplace
CyberArk, FireEye Both Miss With EPS Guidance, Shares Fall Late (Investors Business Daily) CyberArk Software (CYBR) stock crashed late Thursday despite the firm's Q4 beat after its earnings outlook lagged, while fellow security vendor FireEye (FEYE) came up just short on Q4 sales and missed with its Q1 bottom-line guidance
FireEye reports record revenue, shows no signs of slowing down (Channel Life) FireEye has reported record billings and revenue for the fourth quarter and fiscal year 2015, and says expanding platform adoption drove record annual operating cash flow, while recent iSight partners and Invotas acquisitions extended the company's addressable market
Why FireEye Stock Should Be Soaring Higher After Q4 Earnings (Seeking Alpha) FireEye reported very strong Q4 earnings and gave bullish guidance. Still, the stock is currently down 5% in after-hours trading. Investors in FireEye fail to realize all the major improvements at the company and the opportunity that now rests in its stock price
FireEye's (FEYE) CEO David DeWalt on Q4 2015 Results — Earnings Call Transcript (Seeking Alpha) Good day everyone and welcome to the FireEye's Fourth Quarter 2015 Earnings Results Conference Call. This call is being recorded
Symantec Beat 3Q16 Estimates despite the Strong Dollar (Market Realist) SYMC's fiscal 3Q16 results beat analysts' expectations
BlackBerry Layoffs Leave Dark Cloud Over Handset Business (InformationWeek) BlackBerry cut about 200 employees this month, which prompted many to question its commitment to smartphones, BlackBerry 10 in particular
Firewall pioneer Kramer bets on shift to cloud security (Reuters) Check Point Software Technologies co-founder Shlomo Kramer, a pioneer of efforts to protect businesses from cyber attacks, is betting on security in the cloud as the sector's next big development
New head of IBM's artificial intelligence group departs (CIO Dive) The head of IBM's cognitive computing group, responsible for Watson, has left the company after just nine months
Products, Services, and Solutions
Zero-Day Exploit (ZDE) prevention for all systems (ITWire) Check Point has developed SandBlast Agent that integrates new protections and advanced forensics to secure end-point devices and accelerate incident response. In short protection from ZDEs
Indegy finds out when industrial controls go bad (think Stuxnet) (Computerworld) Appliance gives insight into the control plane of programmable logic devices that run power grids and factories
Technologies, Techniques, and Standards
IoT security guidelines for providers, vendors, and network operators (Help Net Security) The GSMA Association has published new guidelines designed to promote the secure development and deployment of services in the growing Internet of Things (IoT) market
Cybersecurity Information Sharing for Executives (TruSTAR Technology) It is not about threat intelligence. It is about incident exchange and collaboration
Which security products do enterprises expect too much from? (CSO) Enterprises rely on some security products too much while counting on others too little
How to ensure PCI DSS compliance when dealing with message queues (CSO) Does your message queue contain data in-scope for PCI DSS? For many, the answer seems to be that they've never even considered that data stream. Well, they should
5 Big Incident Response Mistakes (Dark Reading) Failing to have a formal incident response plan is just one of the mistakes organizations make
Free tool Friday — check what your anti-virus product might have missed (Naked Security) Do you ever wonder if your anti-virus product might have let something nasty slip through?
Design and Innovation
3 Flavors of Machine Learning: Who, What & Where (Dark Reading) To get beyond the jargon of ML, you have to consider who (or what) performs the actual work of detecting advanced attacks: vendor, product or end-user
Industrial Control System Security Gets Focused (Automation World) New cybersecurity announcements highlight the move beyond traditional IT-oriented security toward systems designed specifically for the industrial control environment
Google just passed a big milestone for getting self-driving cars on the road (Naked Security) Google has been testing out its egg-shaped self-driving cars for a while now — the company says its cars have racked up over 1.2 million miles
White-hat hackers key to securing connected cars (CSO) Federal regulator warns of security and privacy risks in connected cars, calling on manufacturers to partner with white-hat hackers to seek out flaws and vulnerabilities
Academia
Safety taught during Cyber Week at Porter Twp. Schools (NWI Times) It's never too early to teach cyber safety to students, even those as young as kindergarten, Pamela Kassner said
Legislation, Policy, and Regulation
Finland Aiming To Add Offensive Edge To Cyberwar Arsenal (Defense News) The planned reform of Finland's cyber defense and intelligence gathering laws will likely include new provisions to give the military and national security services new effective legal tools to launch offensive operations against hostile attacks in the cyberwarfare space
Strategic Culture and Cyberspace: Cyber Militias in Peacetime? (The Diplomat) It's time to see how the concept of strategic culture can be used in understanding national approaches to cybersecurity
Snowden warns France against giving up liberties as MPs pass security bill (Russia Today) Whistleblower Edward Snowden has warned the French people to think twice before giving up their freedoms for increased security
Congress Passes Judicial Redress Act, UK Snoopers' Charter Gets Closer Look (Dark Reading) European citizens win right to sue the Americans over privacy violations, while Britain ponders new ways to commit privacy violations
Wanted: A Real National Cyber Action Plan (National Review) The U.S. must treat cyber aggression far more seriously than President Obama proposes to
Password Security Is So Bad, President Obama Weighs In (NPR) You've heard it before. Change your password. Change. Your. Password. But now, Americans are getting that message from the top
ENCRYPT Act co-sponsor learned tech ropes at Microsoft (CSO) Rep. DelBene sees good chance of passage for measure to preempt state encryption laws
The FBI's Encryption 'Debate' Is Going Nowhere (Motherboard) It's been a year and a half since US law enforcement agencies resumed their campaign trying to ban strong end-to-end encryption, and it's pretty clear that the resulting "debate" is going nowhere
A new study on encryption confirms what experts have been telling politicians for years (Business Insider) You can't ban encryption. It just won't work
Cyber, counterterror to be 'cornerstones' of DHS (The Hill) Homeland Security Secretary Jeh Johnson said on Thursday that improving the nation's cybersecurity and protecting against terrorism remain two of the department's "cornerstones" in the final year of the Obama administration
Homeland Security to amp up social media screening to stop terrorism, Johnson says (Washington Post) The Department of Homeland Security is expanding its social media presence in an effort to protect the country, reacting to growing concern about terrorists being radicalized online, Secretary Jeh Johnson said Thursday
Facebook Steps Up Efforts Against Terrorism (Nasdaq) Hours after the December shootings in San Bernardino, Calif., Mark Wallace asked his employees at the nonprofit Counter Extremism Project to comb social media for profiles of the alleged attackers
Security and the Internet of Things (Just Security) On Tuesday, the Obama administration announced a program to better secure the "Internet of Things" and also highlighted the opportunities networked devices provide for the US intelligence community
Junior Marines would be first to go in cuts for cyber capabilities (Federal News Radio) As the Marine Corps is doubling down on cyber and information warfare, the service has made it clear it is willing to take force structure cuts to fulfill its mandates
Trade Groups Seek FTC Reg Model of Broadband CPNI (Multichannel News) Say FCC should stick with enforcing unfair, deceptive practices
Senate committee endorses student privacy bill (AP via Education Week) A state Senate committee has endorsed a proposed bill that would prohibit teachers and school officials from prying into students' private personal social media accounts
Litigation, Investigation, and Law Enforcement
First on CNN: FBI, British police nab alleged 'crackas' hacker (CNN) The FBI and British police think they finally cracked the case of "Crackas with Attitude"
U.K. police arrest teenage hacker who allegedly broke into CIA director's email (Daily Dot) Authorities in East Midlands, England, arrested a 15-year-old boy on Tuesday for allegedly hacking the personal email account of the CIA director and releasing the personal information of 31,000 government agents
Google extends 'right to be forgotten' to all domains (Naked Security) Ever since 2014, when an EU court decreed that people have the right to be forgotten online, Google has tried to slice and dice the requests: it would bury search results for its subsidiary in a given country, only on that country's Google subsidiary, instead of submerging search results on all its domains
Microsoft looks to be retreating from EU antitrust fight against Google (Ars Technica) ICOMP lobby group's long-running campaign against search and ad giant collapses