Cyber Attacks, Threats, and Vulnerabilities
U.S. government concludes cyber attack caused Ukraine power outage (Reuters) A December power outage in Ukraine affecting 225,000 customers was the result of a cyber attack, the U.S. Department of Homeland Security said Thursday, marking the first time the U.S. government officially recognized the blackout as caused by a malicious hack
Feds advise utilities to pull plug on Internet after Ukraine attack (Washington Examiner) The Department of Homeland Security advised electric utilities Thursday that they may need to stop using the Internet altogether, after the agency found that a cyberattack that brought down Ukraine's power grid in December could have been far more devastating than reported
Pro-ISIS Hacker Group Video Threatens Twitter, Facebook CEOs Over Account Suspensions (TechCrunch) In recent times Twitter and Facebook have both claimed to be stepping up their fight against extremist content being hosted on their platforms
What Role Should Silicon Valley Play in Fighting Terrorism? (Technology Review) Politicians are trying to recruit technology companies to help fight ISIS. Does it make sense?
KeyBase Threat Grows Despite Public Takedown: A Picture is Worth a Thousand Words (Palo Alto Networks Research Center) In June 2015, Unit 42 reported on a keylogger malware family known as KeyBase, which had first appeared in February 2015
90% of SSL VPNs are ‘hopelessly insecure’, say researchers (Register) Computer says "...oh"
A Top Cybersecurity Firm Says Ransomware Attacks Are Getting Worse (Fortune) “It is something we are seeing more of”
Ransomware rising (CSO) Ransomware has been around for decades, but has been aimed mainly at organizations or individual computers. With the devices making up the Internet of Things headed for the hundreds of billions, that is an attack surface most cybercrooks can’t resist
Ransomware on the Rise (Federal Bureau of Investigation) FBI and partners working to combat this cyber threat
Why ransomware is on the rise (News@Northeastern) A California hospital recently had its patients' records held hostage
Ten tips for protecting yourself from the Locky ransomware (Focus) The Locky extortion Trojan is wreaking havoc worldwide
Threat Averted: Ransomware Attack Against Arizona Courthouse (Legaltech News) The court’s IT staff watched the system as the week continued to ensure that no problems reoccurred
Sioux City church has records held ransom in cyber attack (Radio Iowa) The computer system of a Sioux City church has been hit by a cyber attack and hackers are holding it for ransom
Hospitals vulnerable to cyber attacks on just about everything (Naked Security) They entered the hospital and moved from floor to floor, dropping malware-laced USB thumb drives where staffers might tend to pick them up
Phishing Attacks Increase Tech Sophistication, Focus On Financial Fraud (Dark Reading) With a prevalence of free, feature-rich phishing kits and multi-million dollar profits from business email compromise attacks, no wonder phishing's so popular
FighterPOS PoS Malware Gets Worm Routine (TrendLabs Security Intelligence Blog) Last April 2015, we talked about FighterPOS, a point-of-sale (PoS) malware that was used in a one-man cybercriminal operation to steal over 22,000 unique credit card numbers and affected more than 100 PoS terminals in Brazil and other countries
JSU official: student used staff member credential to leak data (Anniston Star)
Breached Credit Union Comes Out of its Shell (KrebsOnSecurity) Notifying people and companies about data breaches often can be a frustrating and thankless job
Security Patches, Mitigations, and Software Updates
About the security content of Apple TV 7.2.1 (Apple Support) This document describes the security content of Apple TV 7.2.1. For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available
Apple will unbrick iPhones bricked by “1970” bug (Naked Security) Earlier this month, iPhone fans and detractors alike were abuzz on technical forums over what seemed to be a rather tricky bug in iOS
Mystery high severity bugs in OpenSSL to be patched on Tuesday (Graham Cluley) You'll find out soon enough
Nissan Disables LEAF’s Remote Telematics System After ‘Profoundly Trivial’ Hack (Dark Reading) All that is needed to gain access to any LEAF's telematics system is the car's VIN, researcher says
Cyber Trends
Infographic: Statistics About the Security Scans of 396 Open Source Web Applications (Netsparker) Every so often we publish advisories about vulnerabilities we identify in open source web applications while testing the Netsparker security scanning engine
Cybersecurity works only half of the times, researchers say (IT Pro Portal) Security firm Venafi says there isn’t a single cyber-security company in the world that can keep you safe, as all of them are trying to protect a system that’s fundamentally flawed and can be secure in roughly 50 per cent of the cases
How much do Americans really value their online privacy? (Digital Trends) Do as I say, not as I do appears to be the approach of most Americans when it comes to digital security and privacy
The Dangers of our Digital Lives (Hide My Ass) Nationwide study reveals deep disconnect between attitudes and actions in online security and privacy
Is It Ever Acceptable for Companies to Share Your Data? (Tech.co) According to a recent survey by the National Cyber Security Alliance, more Americans are concerned with the risk of losing their online privacy than losing their own income
Not all data breaches are created equal (Help Net Security) 1,673 data breaches led to 707 million data records being compromised worldwide during 2015, according to Gemalto’s Breach Level Index
Breach Stats: Improving From Abysmal To Just Awful (Dark Reading) Breach response times and volumes decreased significantly last year, but overall numbers still look ugly
Internet of Evil Things: The growing risks of connected devices (Help Net Security) As risk and concern around connected Internet of Things (IoT) devices continues to grow, resources and visibility into such connected devices have stagnated despite the introduction of countless new entry points for malicious actors across the enterprise, according to Pwnie Express
Cybersecurity Industry To-Do List for RSA Conference (Network World) Industry must do more to decrease the attack surface, increase the productivity of cybersecurity professionals, and enhance overall protection without getting in the way of users
Marketplace
Contractors Annoyed After DHS Scraps $675M Cyber Contract (Nextgov) A trade group representing federal contractors says it is frustrated the Department of Homeland Security has left vendors in the dark after scrapping a 2-year competition for cybersecurity support jobs
Data breach ‘more dangerous than CEO departure’ (Irish Times) CIOs call for firms to highlight data security capabilities in financial statements
Half of CEOs Unsure Their Cybersecurity Policy is ‘Well-Established’: Survey (Legaltech News) Many CEOs, as well as other C-suite positions, feel left out of the organization’s cybersecurity planning, an IBM survey found
Swiss Re chief cautions on cyber security risks (Financial Times) Cyber security risks are far from being understood by the global insurers and could pose a threat rather than underwriting opportunity, according to the departing boss of Swiss Re, one of the world’s biggest reinsurance companies
Cybercrime Looms As Biggest 'Disruptive Threat' To Finance Markets (Forbes) Cybercrime and cyber security attacks hardly seem to be out of the news these days and the threat is growing globally
Microsoft Calls for Health Care 'Security Intervention' (eWeek) After a seemingly nonstop series of breaches affecting health care organizations, the software giant announces plans to engage with IT security professionals in the industry
Palo Alto's earnings arrive early; results beat, guidance mixed (Seeking Alpha) Palo Alto Networks (PANW +9.7%): FQ2 EPS of $0.40 beats by $0.01. Revenue of $334.7M (+53.8% Y/Y) beats by $16.38M. Expects FQ3 revenue of $335M-$339M (+43%-45% Y/Y) and EPS of $0.41-$0.42 vs. a consensus of $334.6M and $0.45. Shares spiked higher before getting halted
Success beyond Hacker Prevention: Cyber Security Firm enSilo Raises $19 million in Funding (Legaltech News) Funding will be used to grow enSilo’s exposure, improve customer experience, and support the company’s strategy of protecting firms from data exfiltration
RSA brings a slew of Microsoft security announcements (Enterprise Times) With RSA starting over the weekend, Microsoft is the latest company to make a slew of security announcements in order to get everyone’s attention
Veterans can get free training for cybersecurity jobs (Military Times) Military veterans who are interested in cybersecurity jobs can receive free training in the field through a special program. Omaha Internet security firm Solutionary is sponsoring an intensive six-week training program for veterans who qualify as long as they agree to work for the Omaha company for at least two years
Optiv Further Strengthens Commitment to Helping Organizations Holistically Solve Cyber Security Problems (BusinessWire) Hires respected security strategists Stuart Solomon and JD Sherry to develop programmatic offerings for planning, building and running comprehensive security environments
Qualys Welcomes Shail Khiyara as Chief Marketing Officer (MarketWired) Seasoned marketing executive to spearhead the next phase of company's growth
Products, Services, and Solutions
Microsoft strengthens security tools for Azure, Office 365 (CIO) CEO Satya Nadella promised a new approach to enterprise security. Now the company is rolling out upgrades for protecting data stored in Microsoft cloud environments
CGI Launches Insider Threat Advisory Services; Michael Roach Comments (ExecutiveBiz) CGI has introduced new insider threat advisory services in an effort to help government and commercial customers respond to cybersecurity threats
BrightPoint Threat Intelligence Exchange Speeds Machine-Learning Results (NewsFactor) BrightPoint Security™, a leading Threat Intelligence Platform provider for automation, threat analytics, and sharing threat insight into critical cyber threats, today announced the latest release of its Sentinel Security Command Platform, advancing the speed and depth of threat intelligence data now available for security analysts and their executives
CenturyLink Mounts Multi-Pronged Security As A Service Offering (InformationWeek) CenturyLink has added server log monitoring and historical analysis of log data for real time protections to its managed security suite
IBM, Check Point Software Technologies Ltd Expand Partnership to Fight Cybercrime (Bidness Etc.) IBM and Check Point have extended their ties to fight against cybercrime
CrowdStrike updates Falcon platform to combat security breaches (IT Pro Portal) Effective cyber security is all about seeing threats and being able to respond to them quickly and effectively. Increasingly this means using the cloud to deliver intelligence
Technologies, Techniques, and Standards
The Enemy Within: Data Breaches by Employees (LinkedIn) It's true - if you ever become the victim of a sustained cyber attack by a sophisticated actor, say, a nation state in Asia, statistically you do not stand a chance
Design and Innovation
Apple Hires Lead Dev of Snowden’s Favorite Messaging App (Wired) Anyone wondering if Apple was going to be cowed by the FBI’s ongoing pressures might find some relief in the company’s most recent hire: Frederic Jacobs, previously a lead developer for Signal, one of the most secure messaging apps there is
iPhone Encryption: 5 Ways It's Changed Over Time (InformationWeek) Apple's battle with the FBI has put iPhone encryption in the spotlight. However, some might be surprised that the company's encryption efforts have evolved slowly and are not that different from those of other smartphone makers. Here's a look at the 5 phases of the process so far
Google Wants Less Reliable Hard Disks (InformationWeek) With less reliable hard disks tuned for collective operation, Google believes cloud data can be kept more affordably and securely
Research and Development
Detecting hidden malicious ads (Science Daily) Dynamic detection system could protect smartphones from malicious content
Academia
Raytheon and (ISC)2 Foundation offer scholarships to encourage college women to pursue cybersecurity degrees (PRNewswire) Initiative to foster more female experts in burgeoning field
Legislation, Policy, and Regulation
Spy head: ‘Jury’s out’ on whether China quit hacking after deal (The Hill) The Obama administration still can’t assess whether China is adhering to a September pledge to stop hacking private American companies, Director of National Intelligence James Clapper told lawmakers on Thursday
Op-ed: The international politics of VPN regulation (Ars Technica) Repressive nations are pursuing increasingly diverse strategies for curbing VPN use
Obama Administration Set to Expand Sharing of Data That N.S.A. Intercepts (New York Times) The Obama administration is on the verge of permitting the National Security Agency to share more of the private communications it intercepts with other American intelligence agencies without first applying any privacy protections to them, according to officials familiar with the deliberations
President Creates Cybersecurity National Action Plan and Commission on Enhancing National Cybersecurity (JDSupra) President Obama's Cybersecurity National Action Plan (CNAP), a comprehensive plan to address the nation's cybersecurity challenges through increased funding, a more robust cybersecurity workforce, and education initiatives, was announced on February 9, 2016. Highlights of CNAP include
FTC, SEC struggle to fill gaps in federal cybersecurity rules (FierceITSecurity) When it comes to cybersecurity enforcement, I don't usually think of the Federal Trade Commission (FTC) or the Securities and Exchange Commission (SEC)
Congressman Hurd wants agreement reworked that makes sharing cyber technology difficult (Valley News Live) A Texas congressman says there need to be fewer barriers when it comes to sharing cyber information
Pentagon boosts spending to fight cyber attacks (Inquirer) The Pentagon plans to spend an additional $900 million in the coming year to boost cyber defense measures, Defense Secretary Ashton Carter said Thursday
Rear Adm. Timothy White Named Cybercom Cyber National Mission Force Chief (Executive Gov) Rear Adm. Timothy White, formerly director for intelligence at the U.S. Pacific Command, has been named commander of the Cyber National Mission Force as part of the U.S. Cyber Command
Top naval commanders ask Carter to include SCADA on cyber scorecard (FCW) Two Navy admirals have sent a letter to Defense Secretary Ash Carter asking him to pay greater attention to the cybersecurity of the industrial control systems that underpin U.S. infrastructure
Litigation, Investigation, and Law Enforcement
Apple responds in iPhone unlocking case: US seeks “dangerous” powers (Naked Security) Apple filed a motion in a California court yesterday, asking the judge to throw out the order compelling Apple to assist the FBI in unlocking an encrypted iPhone, and calling the US government’s demands a “dangerous” overreach of its constitutional powers
FBI Chief Says Finding Right Balance on Encryption Is ‘Hardest Question’ (Wall Street Journal) In questions before Congress, Comey didn’t demonize Apple or Silicon Valley
FBI director: Apple encryption ruling could lead to more requests (IDG via CSO) A judge's ruling in the smartphone unlocking case will be 'instructive for other courts'
Here’s how Apple would build crypto-cracking software for the FBI (Ars Technica) Apple objects to the resources it would need to dedicate to "Government OS"
Apple Lawyer And FBI Director Will Face Off In Public Hearing Next Tuesday (Fast Company) The hearing will center around Apple's refusal to help the FBI access the iPhone 5c of San Bernardino shooter Syed Farook
Privacy at what cost? Apple vs the US government (CSO) It’s now more than two months after Tashfeen Malik and Syed Rizwan Farook shot and killed 14 people and injured 21 others at the Inland Regional Center in San Bernardino, Calif., before being shot to death by police
Apple v the FBI: why the 1789 All Writs Act is the wrong tool (Guardian) The law requires a balance between flexibility and tyranny, and was never intended to allow the government to dictate software design
Apple Must Forever Threat Model Against Itself (Threatpost) Apple, like most advanced tech companies, understands threats and how to close them off
The Apple Case Will Grope Its Way Into Your Future (New York Times) To understand what’s at stake in the battle between Apple and the F.B.I. over cracking open a terrorist’s smartphone, it helps to be able to predict the future of the tech industry
Apple vs. FBI: “Just This Once”? (Just Security) I wrote about the FBI’s attempt to force Apple to write an iPhone hacking tool for the bureau over at Time last week — and go read that if you’re getting caught up on the case — but we’ve had some added developments over the weekend worth noting
Taking a bite at the Apple (Economist) The FBI’s legal battle with the maker of iPhones is an escalation of a long-simmering conflict about encryption and security
In Republican Debate, Candidates Back FBI Over Apple (Wired) Thursday night's Republican debate was the knock-down, drag-out, screaming slugfest pundits have been predicting
FBI’s Tor Hack Shows the Risk of Subpoenas to Security Researchers (Wired) Computer security researchers who expose hackable vulnerabilities in digital products face plenty of occupational hazards
Clinton Email Issues Shake Up State Dept. FOIA Operations (Government Executive) As unanswered questions about her private email server continue shadowing Hillary Clinton’s presidential campaign, the State Department she once led remains on the receiving end of criticisms, legal actions and disclosure requests involving the Freedom of Information Act
Cyberwarfare Defined and Lawyers’ Role in the Fight (Legaltech News) Panelists discuss the modern state of cybercrime and how lawyers can help address it
Crime rate to double once cyber offences included in figures, says Labour (Guardian) Andy Burnham says Conservative claims to have presided over a fall in crime while cutting police budgets would be proved false
‘Anonymous France’ Trio Due to be Sentenced in March for Targeting Police sites (Hack Read) French judicial system is known for its speedy justice and serving the culprits well