Cyber Attacks, Threats, and Vulnerabilities
Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government (Palo Alto Networks) Unit 42 has collected multiple spear phishing emails, weaponized document files, and payloads that targeted various offices of the Mongolian government during the time period of August 2015 and February 2016
Korean Energy and Transportation Industries attacked by OnionDog APT (eHacking News) Chinese security researchers from cyber-security vendor, Qihoo 360 have blown the lid on a hacker group, ‘OnionDog’ which has been infiltrating and stealing information from the energy, transportation and other infrastructure industries of Korean-language countries through the Internet
Exclusive: Chinese hackers behind U.S. ransomware attacks - security firms (Reuters) Hackers using tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the booming cyber crime industry of ransomware, four security firms that investigated attacks on U.S. companies said
Iran responsible for cyber attack on New York flood control structure: Senator (Canadian Underwriter) A cyberattack on a small dam in the New York City suburbs was a “shot across the bow” of the United States and should be met with tougher sanctions against Iran, U.S. Senator Charles Schumer said Friday
Why the OPM Hack Is Far Worse Than You Imagine (Lawfare) The Office of Personnel Management (“OPM”) data breach involves the greatest theft of sensitive personnel data in history. But, to date, neither the scope nor scale of the breach, nor its significance, nor the inadequate and even self-defeating response has been fully aired
Compromised data goes public as Staminus recovers from attack (CSO) Security firm responsible for anti-DDoS protection still recovering from last week's incident
Attacker leaves “SECURITY TIPS” after invading anti-DDoS firm Staminus (Naked Security) Staminus, a California-based internet hosting provider that specializes in helping sites stay online when distributed denial of service (DDoS) attackers try to elbow them off, was itself the target of a cyber broadside last week
Staminus Breach: Just How Bad Is It? (Risk-Based Security) In terms of data security, 2016 is off to a pretty grim start, as we have already tracked 510 data breaches exposing over 175 million records
Top websites affected by Angler exploit kit malvertising, security vendors say (IDG via CSO) The attacks delivered a backdoor called BEDEP and sometimes the TeslaCrypt ransomware
A history of ransomware (CSO) What ransomware is, why it works, and what you need to do to protect against this top threat
Security vs convenience: The story of ransomware spread by spam email (Naked Security) Like many others, you’ve probably faced the ‘Security vs Convenience’ question many times
Ransomware author's bravado shot down by release of decryption keys (Graham Cluley) "You'll never be able to find me. Police will never be able to find me"
Bug in surveillance app opens Netgear NAS systems to compromise (Help Net Security) A security vulnerability in the ReadyNAS Surveillance Application can be exploited by unauthenticated, remote attackers to gain root access to Netgear NAS systems, Sysdream Labs researcher Nicolas Chatelain has found
Code.org website leaked volunteers’ email addresses (Help Net Security) Code.org, the non-profit organization dedicated to increasing diversity in computer science, has admitted its website has been leaking volunteer email addresses
Anonymous Announces Major Campaign Against Donald Trump for April 1, 2016 (Softpedia) The Anonymous hacker collective has put out a video threatening to "dismantle" Donald Trump's presidential campaign, announcing a series of cyber-attacks against several of his personal and business websites on April 1, 2016
Typosquatters Target Mac Users With New ‘.om’ Domain Scam (Threatpost) Typosquatters are targeting Apple computer users with malware in a recent campaign that snares clumsy web surfers who mistakenly type .om instead of .com when surfing the web
What does Oman, the House of Cards, and Typosquatting Have in Common? The .om Domain and the Dangers of Typosquatting (Endgame) House of Cards Season 4 debuted on Netflix this past weekend, much to the joy of millions of fans, including many Endgamers. One particular Endgamer made an innocent, but potentially damaging mistake
Vulnerabilities on SoC-powered Android devices have implications for the IoT (Trend Micro: Simply Security) Trend Micro has discovered a new vulnerability that could bring into question the security of the Internet of Things
Hotel replaces light switches with insecure Android tablets (Help Net Security) Here’s another documented instance for the “insecure Internet of Things” annals, courtesy of CoreOS security developer Matthew Garrett
Music streaming has a nearly undetectable fraud problem (Quartz) Loud controversies are a hallmark of the music streaming industry
Shopping Apps: Pro's and Con's (Fox 45 News) Many consumers use shopping apps when they are buying items from their cell phones
One of the world’s most notorious hackers just revealed his identity to me (The Next Web) The man behind Team GhostShell — the hacker collective behind some of the biggest cyber attacks in recent memory, including attacks on the FBI, NASA and the Pentagon as well as a leak that saw 2.5 million Russian “government, educational, academic, political and law enforcement” accounts compromised — is ready to come clean and face the music
This hacker has doxxed himself to get a job (TechWorm) 24-year old Romanian claims he is notorious Hacker GhostShell to get a job!
Bulletin (SB16-074) Vulnerability Summary for the Week of March 7, 2016 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week
Cyber Trends
State of Automation in Security (Algosec) The “State of Automation in Security” survey uncovers key trends on the use of automation to manage security processes across today’s constantly-evolving environments
Marketplace
The risks of hedging your security bets on cyberinsurance (Information Security Buzz) Data breaches are expensive
Orange Cyberdefense to Acquire Threat Intelligence Provider Lexsi (Infosecurity Magazine) Orange enters into exclusive talks to acquire French threat intelligence services provider Lexsi
Bold Capital Partners Invests in Security Network Company BlueLine Grid (ExecutiveBiz) Security collaboration platform BlueLine Grid has received an additional round of investment funds from equity firm Bold Capital Partners for an undisclosed sum
Envistacom Lands Army Contract for Cyber Adversary Identification Tech (ExecutiveBiz) Atlanta, Georgia-based cybersecurity firm Envistacom has received a five-year, $90 million contract from the Army to provide cyber technology for U.S., coalition and regional military forces
Luthra & Luthra advises Quick Heal on IPO (Legal Era) Luthra & Luthra Law Offices recently acted for the underwriters on the Initial Public Offering of Quick Heal Technologies Limited, one of the leading IT security solutions companies, first provider of security software products and solutions to begin an Initial Public Offering (IPO) in India
5 Hot Security Job Skills (Dark Reading) Cybersecurity job openings are looking for people with a blend of technical, security, and industry-specific talents -- and it helps to know Python, Hadoop, MongoDB, and other big-data analysis tools, too
Google has doubled its bounty for a Chromebook hack to $100,000 (IDG via CSO) The top reward is for someone who can attack a Chromebook in guest mode
Lastline Names Brian Stoner as VP of Global Alliances (Marketwired) Former FireEye executive joins leader in network-based cyber threat detection and defense
Products, Services, and Solutions
Cybersecurity Operations Growing at Port (Port San Antonio) Radiance Technologies launches first Texas location in support of region’s defense community
Symantec partners with hosting providers to offer free TLS certificates to website owners (CSO) Symantec's Encryption Everywhere program will offer basic SSL/TLS certificates to domain owners for free
Review: Consider VPN services for hotspot protection (Network World via CSO) We review 7 low-cost VPN services for when you’re out of the office or out of the country
New G DATA Business Generation 14 protects against zero-day attacks (Finanzen) G DATA is presenting its trend-setting Generation 14 business solutions at CeBIT
Teradata Completes Security and Compliance Audits for Teradata Cloud (PRNewswire) Demonstrates Teradata's commitment to protecting customer data
Technologies, Techniques, and Standards
Risk managers key to managing cyber exposures (Business Insurance) Risk managers play an integral role in ensuring that their companies adopt an enterprisewide approach to cyber security, the Federation of European Risk Management Associations told a European Commission consultation on public-private partnerships in cyber security
Follow the data to improve security preparedness, hospital CISO says (FierceHealthIT) Healthcare organizations must shift their thinking about security to improve their preparedness, according to Joey Johnson, chief information security officer at Premise Health in Brentwood, Tennessee
How to conduct a tabletop exercise (CSO) As you discovered in the first installment of this five-part series, tabletop exercises can be an important practical tool for reviewing and updating incident response plans
Defense in depth: Stop spending, start consolidating (CSO) How many tools are too many tools to have an efficient defense in depth security infrastructure?
Why outsource risk management to people who don’t care? (Help Net Security) The 2015 Cost of Cyber Crime Study by the Ponemon Institute reported that 50% of companies have implemented some sort of access governance technology. It fell 4th on the list in terms of ROI that people were getting from governance. The implementation trend is driven primarily by compliance
Data is a toxic asset, so why not throw it out? (CNN) Thefts of personal information aren't unusual. Every week, thieves break into networks and steal data about people, often tens of millions at a time. Most of the time it's information that's needed to commit fraud, as happened in 2015 to Experian and the IRS
It’s time to kill the static password (Help Net Security) How do you manage your passwords? Do you set them all to approximately the same value, for fear of forgetting them? Or do you write them down in a little book, or in a spreadsheet? Perhaps you use clever character combinations or a piece of software to manage them on your behalf?
Two-factor authentication (2FA) versus two-step verification (2SV) (Graham Cluley) What's the difference between 2FA and 2SV? And which is better?
Understanding The 2 Sides Of Application Security Testing (Dark Reading) Everybody likes to focus on the top 10 vulnerabilities, but I've never found a company with a top 10 vulnerabilities problem. Every company has a different top 10
Threat Intelligence Tweaks That’ll Take Your Security to the Next Level (Recorded Future) Addictive, isn’t it?
Design and Innovation
Open source encrypted app is key to security for Facebook (Electronics Weekly) Moxie Marlinspike, a co-developer of the Signal encrypted mobile messages app, is seeing his security technology used by Facebook’s messaging service, WhatsApp
Microsoft isn't betting on Bitcoin, others in e-commerce should take note (FierceCIO) Microsoft no longer accepts Bitcoin in its Windows Store – reversing a decision the tech giant made less than a year and a half ago to honor the payment method through a third-party provider called Bitpay
Research and Development
Mathematicians are geeking out about a bizarre discovery in prime numbers (Quartz) Prime numbers have both fascinated and boggled mathematicians for millennia. But a new study contends that one aspect of prime numbers’ core usefulness—the ability to appear random—may not be what we suspected it to be
Academia
Here's How Cyber Security, Big Data Are Edging Their Way Into Elite MBA Programs (BusinessBecause) Information management topics trendy at top business schools
AT&T Renews Support of AFA's Flagship STEM Program, CyberPatriot (PRNewswire) The Air Force Association today announced that long-time CyberPatriot supporter, AT&T, has renewed their support of the nationally recognized program
Legislation, Policy, and Regulation
Breach notification in Europe: The GDPR’s far-reaching implications (IT Pro Portal) In 1995, Iomega introduced the Zip Drive. Palm Pilots were two years from being introduced to the market. In technical terms, 1995 is a very, very long time ago. It was also the year the EU introduced the Data Protection Directive
Obama Makes Case For Mobile Device ‘Back Door' (TechWeek Europe) Governments must have access to encrypted devices in order to enforce basic security and tax laws, Obama says
Encryption, Privacy Are Larger Issues Than Fighting Terrorism, Clarke Says (NPR) David Greene talks to former national security official Richard Clarke about the fight between Apple and the FBI. The FBI wants an iPhone that was used by one of the San Bernardino shooters unlocked
President Obama Is Wrong On Encryption; Claims The Realist View Is 'Absolutist' (TechDirt) This is not all that surprising, but President Obama, during his SXSW keynote interview, appears to have joined the crew of politicians making misleading statements pretending to be "balanced" on the question of encryption
FCC pushes for ISP data-sharing disclosures (FierceCIO) The Federal Communications Commission issued proposed rules on Thursday that would require Internet Service Providers to obtain the consent of those using their services if they plan to share customer data with third parties
What the FCC privacy push means for consumers, Internet providers (Christian Science Monitor Passcode) The Federal Communications Commission has proposed new security and privacy standards for broadband providers. Industry groups complain the proposal goes too far
Litigation, Investigation, and Law Enforcement
FBI's Most Wanted Cybercriminals (Dark Reading) The Federal Bureau of Investigation has got millions of dollars worth of rewards waiting for those who can help them nab these accused cyber thieves, spies and fraudsters
White House set to send Iran cyber message (The Hill) The Obama administration is reportedly poised to indict the Iranian hackers responsible for infiltrating a New York dam in 2013
Why This Former U.S. Counterterrorism Chief Supports Apple (Fortune) You might think that as the senior counterterrorism official in the U.S. government for nine years, and the man whose warnings of an impending al-Qaida attack before 9/11 were famously ignored by the second Bush administration, Richard Clarke would be sympathetic to the FBI in its standoff with Apple over access to a terrorist’s locked iPhone. You would be wrong
Why you should side with Apple, not the FBI, in the San Bernardino iPhone case (Washington Post) Either everyone gets security, or no one does
John Oliver explains why he's on Team Apple in the encryption debate (CSO) "There is no easy side to be on in this debate," Oliver said on Last Week Tonight. So he explained why Apple's side is right
In the FBI’s Crypto War, Apps May Be the Next Target (Wired) If there's anything the world has learned from the standoff over the encrypted iPhone of San Bernardino killer Syed Rizwan Farook, it’s that the FBI doesn’t take no for an answer
WhatsApp Encryption Said to Stymie Wiretap Order (New York Times) While the Justice Department wages a public fight with Apple over access to a locked iPhone, government officials are privately debating how to resolve a prolonged standoff with another technology company, WhatsApp, over access to its popular instant messaging application, officials and others involved in the case said
Feds ask for 5 years jail for journalist who handed over newspaper login (Naked Security) Federal prosecutors want a 5-year jail sentence for Matthew Keys – the journalist convicted of handing over login credentials for the Los Angeles Times’s parent company and then telling Anonymous to “go f**k some s**t up”
#Arrested: Md. man accused of using hashtags in bank robberies (Daily Record) Prince George's County authorities say they have arrested a robber who used hashtags in his notes to bank tellers, linking him to at least nine bank robberies in Maryland. County police spokeswoman Julie Parker announced Friday that 45-year-old Leroy Earl Daley, of Landover, likely will be charged with five bank robberies in the county