Cyber Attacks, Threats, and Vulnerabilities
Twitter password recovery bug exposes 10,000 users' personal information (IDG via CSO) The company has notified those affected and will suspend users who exploited the bug
E-commerce web apps vulnerable to hijacking, database compromise (Help Net Security) High-Tech Bridge researchers have published details and PoC exploit code for several serious vulnerabilities in Osclass, osCmax, and osCommerce, three popular open source e-commerce web apps
Comodo's 'security' kit installed a lame VNC server on PCs on the sly (Register) Modern antivirus: Easily crackable password, lets malware gain admin privileges
Is your WordPress site being misused for DDoS attacks? (Help Net Security) Many WordPress websites are still being misused to perform layer 7 DDoS attacks against target servers, even though preventing them from participating in these attacks is as simple as disabling the pingback feature
Security Alert: New Locky Ransomware Shows Off through Rampant Distribution (Heimdal Security) After hitting a US hospital, cyber security specialists warn that this new strain of ransomware is being aggressively spread to compromise potential victims around the world. Its name: Locky
What does a .locky file extension mean? It means you've been hit by ransomware (Graham Cluley) Ransomware with apparent links to a Dridex botnet affiliate has been spotted attempting to infect at least 450,000 computer users
Hacked Hospital Ransom Payout Will Cause 'Proliferation of Attacks' (Newsweek) A Los Angeles hospital's decision to pay a $17,000 ransom to hackers could lead to a proliferation of cyber attacks on critical infrastructure, experts tell Newsweek
Remotely Disabling a Wireless Burglar Alarm (IOActive) Countless movies feature hackers remotely turning off security systems in order to infiltrate buildings without being noticed. But how realistic are these depictions? Time to find out
This is Why People Fear the 'Internet of Things' (KrebsOnSecurity) Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware
The Linux GNU C Library Vulnerability: What It Is, How To Fix It (TrendLabs Security Intelligence Blog) Earlier this week, the maintainers of the GNU C Library (known as glibc, an open-source software library widely used in Linux systems) announced that they had released a fix for a vulnerability introduced in 2008 that allowed a buffer overflow to take place
Latest Exploitation of SS7 Network — Next Generation of Location Tracking Attacks (Realwire) AdaptiveMobile, the world leader in mobile network security, announced today it has evidence of sophisticated location tracking platforms exploiting the SS7 network
ISIS-related threat on social media shuts down rural military school (Washington Post) A private military school in Virginia has canceled events throughout the weekend and boosted its security after receiving Islamic State-related threats through social media, law enforcement and school officials said
Cheating site Ashley Madison is popular with Air Force (Air Force Times) The hack of notorious cheating website Ashley Madison, whose uber-classy motto is "Life is short. Have an Affair," is continuing to cause embarrassment around the country. And now, it's the Air Force's turn
DoD databases: A prime target for cyberattacks (C4ISR & Networks) Cyberattacks are on the rise, and networked military resources are on the front line of what may someday escalate into an all-out cyberwar
C-suite is confused about who poses the biggest cybersecurity threat (FierceITSecurity) C-suite executives are confused about who the true cybersecurity adversaries are and how to effectively combat them, a survey released Wednesday by IBM found
A Letter to the Insiders — Think Twice (Team Cymru) Insider threats come in many forms, from the unwitting to the negligent, and even the downright malicious
In The Crosshairs: The Trend Towards Targeted Attacks (Tripwire: the State of Security) Sophisticated targeting is one of the most important trends in security right now
The ghost of Stuxnet continues to haunt enterprise security, says HPE (FierceITSecurity) More than one-quarter of all successful enterprise software exploits in 2015 used a vulnerability that dates from the 2010 Stuxnet attack
Fighting malware monetization and application vulnerabilities (Help Net Security) As the traditional network perimeter disappears and attack surfaces grow, security professionals are challenged with protecting users, applications and data — without stifling innovation or delaying enterprise timelines
Security Patches, Mitigations, and Software Updates
Fixing a recent password recovery issue (Twitter) We recently learned about — and immediately fixed — a bug that affected our password recovery systems for about 24 hours last week
FireEye Detection Engine Was Whitelisting Malware (Softpedia) Vulnerability fixed in FireEye NX, FX, EX, and AX devices
Stable Channel Update (Chrome Releases) The stable channel has been updated to 48.0.2564.116 for Windows, Mac, and Linux
Cyber Trends
Taking Situational Awareness to a New Level: Innovation, Technology and Citizen Stakeholders (Security Magazine) We live in a very dynamic world and the nature of what is considered a threat is constantly changing
New Survey Underscores Law Firm Security Vulnerabilities (Legaltech News) Forty-eight percent of those responding to the Guidance Software survey felt unprepared to identify and protect sensitive information
Healthcare data breaches lead more patients to withhold information from doctors (We Live Security) As 2015 slides into the cybersecurity history books as "the year of the healthcare breach" I decided to examine one aspect of medical data privacy that is sometimes overlooked: the impact of breaches on patient-doctor information exchange
Do you trust the new breed of talking (and listening) toys? (Naked Security) The annual Toy Fair took place this past weekend — the biggest event of the year for the toy industry, where vendors showcase thousands of new toys before they hit retail shelves and Amazon wish lists
Marketplace
Symantec: Has Management Learned From Their Mistakes? (Seeking Alpha) Symantec lost money on its Veritas deal. Nevertheless, the firm now brings back all the proceeds to the shareholder
Palo Alto falls sharply after JMP reports hearing of sales challenges (Seeking Alpha) JMP Securities states its Palo Alto Networks (PANW -9.4%) reseller checks indicate shipping activity towards the end of FQ2 (the January quarter) was "more rushed than usual"
Funds raised will be used for new security products: Quick Heal (CNBC) Kailash Katkar, MD & CEO of the company, says that Quick Heal is in the process of developing a number of enterprise security products and the funds raised will be utilized for further development and marketing of the products
CensorNet acquires SMS PASSCODE (Channel EMEA) CensorNet, the complete cloud security company, today announces that it has acquired Danish-based multi-factor authentication vendor SMS PASSCODE in a closed deal
Solicitation Number: NAMA-16-RFI-0001: Social Media Archiving Tool (FedBizOpps) NARA issues this Request for Information (RFI) package to obtain technical information about a commercially available tool capable of capturing, managing, and preserving social media data in compliance with applicable federal records management and eDiscovery laws
Fortscale Expands Executive Team as User Behavior Analytics Market Momentum Builds (BusinessWire) Company taps Kurt Stammberger, the founder of the RSA Conference, as Chief Marketing Officer
KEYW Adds Brian W. Hobbs as Vice President of Corporate Capture (Nasdaq) The KEYW Corporation, a wholly-owned subsidiary of The KEYW Holding Corporation (NASDAQ:KEYW), announced today the addition of Brian W. Hobbs as Vice President of Corporate Capture
Syniverse Appoints Dave Ratner to Lead Enterprise Solutions (BusinessWire) Business unit focused on enterprise segment with dedicated resources
Products, Services, and Solutions
Exabeam launches Threat Hunter to uncover bad actors already on the enterprise network (FierceITSecurity) Security startup Exabeam on Wednesday launched its Threat Hunter product to provide security analysts the ability to query user data collected by the firm's user behavior analytics (UBA) platform
Synopsys and Cypherbridge Accelerate TLS Record Processing for IoT Communication with Optimized Hardware/Software Security Solution (PRNewswire) Combination of Cypherbridge uSSL SDK and DesignWare SSL/TLS/DTLS Security Protocol Accelerator speeds software development
DB Networks launches Layer 7 Database Sensor (Help Net Security) DB Networks introduced a product that provides OEM partners with real-time deep protocol analysis of database traffic
KEYMILE Enhances its Strategic Positioning with Quantum Cryptography Solutions (Railway-Technology.com) KEYMILE is adding quantum cryptography solutions from ID Quantique, worldwide leader in quantum-safe encryption solutions from Switzerland, to its product range for mission-critical communications networks
New IBM Mainframe Promises Advanced Security for Hybrid Clouds (E-Commerce Times) IBM on Tuesday introduced the z13s, a mainframe computer system optimized for hybrid cloud deployment
Sophos Mobile Security for Android Achieves Best Protection Award From AV-TEST Institute (IT Business Net) Demonstrates consistent detection rates of 100 percent during 2015
Prelert Unveils Behavioral Analytics for the Elastic Stack (BusinessWire) New software product automates analysis of massive data sets in Elasticsearch, detecting and visualizing behavioral anomalies
Avast Virtual Mobile Platform Brings Mobile Enterprise Security to a New Frontier (IT Business Net) Powerful platform focuses on securing data, not devices; delivers security-enabled productivity by protecting company data and workers' personal privacy
FairWarning and FireEye Join Forces to Combat Increasing Security Threats to Healthcare Organizations (BusinessWire) Integration of FireEye Threat Analytics Platform with FairWarning Patient Privacy Monitoring creates a coordinated threat protection and response framework for patient privacy breaches
FireEye Strengthens Platform With 15 New Cyber Security Coalition Technology Partners (Marketwired) Also completes nine technology integrations with CSC partners in the areas of data security, cloud security, user behavior analytics and privileged account security
Farsight Security Announces Farsight DNSDB App for Splunk® (Marketwired) In a significant industry milestone, today Farsight Security, Inc. announced the release of Farsight DNSDB℠ App for Splunk® to enable security analysts to improve the speed, accuracy and global view of their digital investigations for faster risk mitigation and prevention
Clearswift and SecureMySocial Announce Combined Offering (BusinessWire) Data Loss Prevention to combat social media information leaks; anytime, anywhere
Wombat Security Releases PhishAlarm Analyzer (eWeek) The platform scans reported emails and examines them based on standard security indicators of compromise, and the emails are then prioritized
BioCatch warns of RAT-in-the-Mobile malware (Finextra) BioCatch, the global leader in Behavioral Authentication and Malware Detection, announced today that its behavioral authentication platform is the first to successfully detect Remote Access and RAT-in-the-Mobile (RitM) malware, in real time
Technologies, Techniques, and Standards
Why a single point of failure should be your primary concern (Help Net Security) Many organizations are transitioning to digital systems, which has increased the dependency on cloud service providers, web hosting platforms, and other external services
Creating a common cyber lexicon: Harder than it looks (C4ISR & Networks) The Defense Department and service components in recent years have released many documents, directives and guidance on operating in cyberspace, and a common goal in most of them includes reaching a consensus in the language and terminology used for the cyber domain
Cyber-Security: The Best Plan Of Action To Keep Your Data Safe (InformationWeek) Like a perverse iteration of Newton's third law, every clever cyber-attack action is always followed by an equally clever reaction from the organization targeted. Is that enough to keep your data safe?
Perspective: The Legal Ethics of Using the Cloud (Bloomberg BNA) All law firms continue to face a highly competitive marketplace for legal services
Design and Innovation
W3C launches effort to replace passwords (Help Net Security) The World Wide Web Consortium (W3C) is launching a new standards effort in web authentication that aims to offer a more secure and flexible alternative to password-based logins on the Web
WearFit: Security Design Analysis of a Wearable Fitness Tracker (IEEE) In 2014, the IEEE Computer Society — the leading association for computing professionals — launched a cybersecurity initiative by forming the Center for Secure Design
Israeli military techies cook up security alerts software (Register) Threat information as visual story lines
Research and Development
For New Cybersecurity Pilot Program, Collaboration Is Key (Government Technology) The goal is to develop advanced technology to identify, defend and prevent cyberattacks more efficiently and effectively — and deliver a working prototype by 2018 that other institutions and industries, such as banks and government agencies, can use
Academia
NSA, LifeJourney Partner To Give Students a Taste of Cybersecurity Careers (Campus Technology) LifeJourney, an online career simulation experience provider, will launch Day of Cyber February 29 at the RSA 2016 Conference in San Francisco in conjunction with the National Security Agency (NSA)
Legislation, Policy, and Regulation
Tech, business presses Kerry to renegotiate cyber controls (The Hill) A coalition of tech and business groups is pressing the Obama administration to renegotiate an international agreement designed to keep hacking tools out of the hands of repressive regimes
DOD to adversaries: Send us your zero-day attacks (Defense Systems) The Defense Department wants adversaries to increase their spending on cyber attacks, because the attacks they use now don't cost those adversaries enough
DHS Ready to Share Intelligence With Private Sector (Technewsworld) The U.S. Department of Homeland Security this month will start sharing threat information with a small number of hand-picked companies under the newly enacted Cybersecurity Information Sharing Act
Encryption Backdoors Weaken National Security, Invade Personal Privacy, and Endanger the US Economy (Center for Democracy and Technology) As some of you may have noticed, backdoors are back in the news again. Much will be written about this subject in the coming weeks, but today I want to make 3 key points
ODNI task force and DoD partner to fight insider threats (C4ISR & Networks) The Office of the Director of National Intelligence's National Insider Threat Task Force is working closely with the Department of Defense to figure out how 43 of its components can build solid insider threat programs
New Freedom of Information Act Request Documents Released by ODNI (IC on the Record) The Office of the Director of National Intelligence is one of seven federal agencies participating in a pilot program to make records requested via the Freedom of Information Act more readily available
WEST: Personnel, Budget Cuts Leave Gaps in U.S. Cyber Forces (USNI) Saddled with budget cuts and prospects of a smaller force, the military services must find ways to build a specialized cyber force
Litigation, Investigation, and Law Enforcement
Encryption isn't at stake, the FBI knows Apple already has the desired key (Ars Technica) The FBI knows it can't bypass the encryption; it just wants to try more than 10 PINs
Experts Cast Doubt On What Else FBI Might Get From Suspect's iPhone (NPR All Tech Considered) The showdown between the FBI and Apple could result in huge changes for security and privacy, but one thing it may not do is deliver a big break in the San Bernardino case
Apple, FBI encryption clash brings 'backdoor' debate to the fore (Federal Times)
Experts contend Apple has the technical chops to comply with court order (Computerworld via CSO) Possible to subvert iOS to give FBI ability to brute-force the passcode, say security professionals
Apple's FBI Battle Is Complicated. Here's What's Really Going On (Wired) The news this week that a magistrate ordered Apple to help the FBI hack an iPhone used by one of the San Bernardino shooter suspects has polarized the nation — and also generated some misinformation
Apple–FBI fight over iPhone encryption pits privacy against national security (Los Angeles Times) A court order requiring Apple to create a way to help law enforcement get access to a terrorist's smartphone amounts to an "unprecedented" stretch of an antiquated law — one that is likely to spark an epic fight pitting privacy against national security, legal scholars said Thursday
Why Apple Is Right to Challenge an Order to Help the F.B.I. (New York Times) It is understandable that federal investigators want to unlock an iPhone used by one of the attackers who killed 14 people in San Bernardino, Calif., in December
Apple should work with the FBI instead of pulling a PR stunt (FierceITSecurity) I get very worried when I agree with Donald Trump about anything
The Contrarian Response to Apple's Need for Encryption (Hackaday) On December 2, 2015, [Syed Rizwan Farook] and [Tashfeen Malik] opened fire at a San Bernardino County Department of Public Health training event, killing 14 and injuring 22
FBI Can Use Dead Suspects' Fingerprints To Open iPhones — It Might Be Cops' Best Bet (Forbes) As Apple makes iPhones increasingly secure, the FBI has found it more difficult to get at data within suspects' iOS devices
Apple's Line in the Sand Was Over a Year in the Making (New York Times) Time and again after the introduction of the iPhone nearly a decade ago, the Justice Department asked Apple for help opening a locked phone. And nearly without fail, the company agreed
How Tim Cook, in iPhone Battle, Became a Bulwark for Digital Privacy (New York Times) Letters from around the globe began pouring into the inbox of Timothy D. Cook not long after the publication of the first revelations from Edward J. Snowden about mass government surveillance
Silicon Valley cybersecurity companies weigh in on Apple encryption dispute (Silicon Valley Business Journal) A judge's order to Apple Inc. that it must provide "reasonable technical assistance" to investigators aiming to unlock an iPhone owned by one of the San Bernardino shooters has prompted Silicon Valley cybersecurity experts to express their support for CEO Tim Cook's resistance, arguing that such a demand wouldn't be isolated
Apple Letter on iPhone Security Draws Muted Tech Industry Response (New York Times) After a federal court ordered Apple to help unlock an iPhone used by an attacker in a December mass shooting in San Bernardino, Calif., the company's chief executive, Timothy D. Cook, penned a passionate letter warning of far-reaching implications beyond the case
Mozilla chief: FBI snooping at Apple 'back door' makes you less safe (CNN) Today, the Internet is where we live our everyday lives
AT&T, Verizon Have Different Obligations Than Apple (Nasdaq) For U.S. phone companies like AT&T Inc. and Verizon Communications Inc., the notion of resisting a court order like Apple Inc. Chief Executive Tim Cook recently did is probably inconceivable. The reason is legal
Clinton email chain discussed Afghan national's CIA ties, official says (Fox News) One of the classified email chains discovered on Hillary Clinton's personal unsecured server discussed an Afghan national's ties to the CIA and a report that he was on the agency's payroll, a U.S. government official with knowledge of the document told Fox News
Navy's intel chief battling clearance controversy, cyber struggles (C4ISR & Networks) As the Navy's top intelligence and information warfare officer calls for increased attention and money for cyber priorities, he's also fighting more personal battles amid a Defense Department corruption investigation
VTech not backing down on terms change after data breach (CSO) Hong Kong toy maker VTech is not backing down from a change in its Terms and Conditions
Anonymous Hacker Gets Lost at Sea, Is Rescued and Then Arrested (Softpedia) Hacker rescued by Disney cruise ship near the coast of Cuba