Cyber Attacks, Threats, and Vulnerabilities
The Baltic Elves Taking on Pro-Russian Trolls (Daily Beast) What at first looked like a social-media grudge match could be a precursor to invasion, war, and resistance in the Baltics
Experts: IS expanding its global reach through social media (Jakarta Post) Law enforcement officials believe the San Bernardino massacre and a stabbing attack on a California college campus were done by lone wolves inspired by the Islamic State group, and counterterrorism experts say both show how the organization is expanding its reach through social media
Google Removes SmeshApp Allegedly Used by Pakistan’s ISI to Spy on Indian military (Hack Read) The rivalry between India and Pakistan is known to the whole world with militaries of both countries at war several times after getting independence from the Brits — Now the tools of battle are changing and governments are relying on cyber warfare
Anonymous Leak Data from Japan’s Safari Land-Natural Zoo For Animal Rights (Hack Read) Karmasec from Anonymous Leaked a Trove of Data from Japanese Prefecture to Raise Voice Against Animal Cruelty in the Country
Hackers attack Switzerland’s largest party, claim huge personal data theft (Russia Today) A hacker group claims to have cracked the database of Switzerland’s largest political party, the conservative Swiss People’s Party (SVP) and stolen the personal data of over 50,000 people, including the names and email addresses of SVP supporters
America accuses Iran of hacking the dam, cyber-squirrels rejoice (Engadget) While America is worrying about nation states, our infrastructure is being terrorized by rodents
How cyber criminals targeted almost $1bn in Bangladesh Bank heist (Financial Times) The printer failure that greeted Jubair Bin Huda, joint director for accounts at Bangladesh’s central bank, when he went to its Dhaka headquarters one morning last month was frustrating but not particularly alarming
Hackers Stalked Bangladesh Bank for Two Weeks Before Big Heist (Bloomberg) Hackers who stole $101 million from Bangladesh’s central bank stalked its computer systems for almost two weeks beforehand, according to an interim investigation report seen by Bloomberg
Bangladesh Central Bank 'Complicit' in Heist: Minister (Security Week) The Bangladesh finance minister has accused central bank officials of being complicit in an audacious $81 million theft from an overseas account, in an interview with a leading Bengali newspaper published Friday
Bangladesh gets FBI help on bank heist, cyber expert missing (Reuters) Bangladesh police met an official of the U.S. Federal Bureau of Investigation (FBI) in Dhaka on Sunday to try to track down culprits in an attempted $951 million cyber heist from the country's central bank
Exclusive: SWIFT to advise banks on security as Bangladesh hack details emerge (Reuters) The SWIFT messaging system plans to ask banks to make sure they are following recommended security practices following an unprecedented cyber attack on Bangladesh's central bank that yielded $81 million, a spokeswoman for the group told Reuters on Sunday
Android adware infiltrates devices’ firmware, Trend Micro apps (Help Net Security) Dubbed Gmobi by Dr. Web researchers, the malware comes in the form of a software development kit (SDK), and has been found in several legitimate applications by well-known companies, as well as in firmware for nearly 40 mobile devices
275 million Android phones imperiled by new code-execution exploit (Ars Technica) Unpatched "Stagefright" vulnerability gives attackers a road map to hijack phones
A VAST Malvertising Attack (Proofpoint) On March 13, 2016, Proofpoint researchers observed a large malvertising campaign hitting many highly-ranked websites including MSN.com, foxnews.com and many others. We also surmised (and later confirmed) that there was a video malvertising involved in this campaign
Malvertising Gets Nastier with Fingerprint Technique (eSecurity Planet) Malvertising attacks get more targeted, tougher to detect with fingerprinting
Lenovo Startpage Pushed Angler (F-Secure) Based on upstream detection reports from our customers… it appears that a Lenovo related website was compromised on March 13th. For some (relatively short) period of time, the portal site “startpage.lenovo.com” redirected visitors towards the infamous Angler exploit kit – a source of no small amount of crypto-ransomware
Security Alert: TeslaCrypt 4.0 – Unbreakable Encryption and Worse Data Leakage (Heimdal) Confirming the trends that security specialists have been announcing for 2016, a new version of Teslacrypt has just been launched
Locky Ransomware Infecting 90,000 Systems Daily (Credit Union Times) Ransomware is quickly becoming a mainstream form of malware, according to the Clearwater, Fla.-based cybersecurity firm KnowBe4, and one driving factor is the significant amount of cash being racked up by the notorious Dridex banking Trojan gang with its new Locky strain
ICIT: Ransomware will 'wreak havoc' in 2016; healthcare already 'relentlessly' targeted (FierceHealthIT) Report authors say hospitals need improved training, awareness
FBI investigating cyber-attack at Methodist Hospital in Henderson (WAVE3) A cyber security breach, striking Methodist Hospital in Henderson. We're learning the FBI is investigating this right now, but there's some good news
Pwn2Own contest highlights renewed hacker focus on kernel issues (IDG via CSO) All Pwn2Own exploits this year achieved privilege escalation, mostly through OS kernel flaws
The next generation of APTs: Highly successful but surprisingly simple (SecurityBrief) The number and reach of cyber threats continues to grow, and while reports of increasing sophistication and complexity dominate the news, some of the most highly targeted attacks are surprisingly simple
95% of HTTPS Servers Vulnerable to Trivial MTM Attacks (Information Security Newspaper) Only 1 in 20 HTTPS servers correctly implements HTTP Strict Transport Security, a widely-supported security feature that prevents visitors making unencrypted HTTP connections to a server
Johns Hopkins researchers poke a hole in Apple’s encryption (Washington Post) Apple’s growing arsenal of encryption techniques — shielding data on devices as well as real-time video calls and instant messages — has spurred the U.S. government to sound the alarm that such tools are putting the communications of terrorists and criminals out of the reach of law enforcement
PIN problems: our smartphones aren't as safe as we think (Techradar) TouchID hacked using Play Doh - is phone security really that fragile?
Bitcoin Trading Platform BitQuick down 2 to 4 Weeks after Cyber Attack (CryptoCoinNews) In light of the recent Cryptsy debacle where millions of dollars worth of Bitcoin and other cryptocurrencies went missing after a malicious attack, another cryptocurrency exchange in BitQuick has become victim to hackers
Edmonton-area River Cree Resort and Casino hit by cyberattack (Edmonton Journal) A cyberattack at the River Cree Resort and Casino in Enoch resulted in the theft of customer and employee information
Security Patches, Mitigations, and Software Updates
Critical FreeBSD bug squashed (Register) Time to upgrade, Unix-like OS-havers
Cyber Trends
Cyber war — bigger than ever — is here to stay (Washington Post) When the widely respected national security mandarin Robert Gates was appointed secretary of defense in late 2006, his daily intelligence reports on the cascade of cyberattacks directed against the United States left him incredulous
How the United States Learned to Cyber Sleuth: The Untold Story (Politico) A secret Moscow meeting, a disappeared general and the start of modern cyber-war
Demand for advanced DDoS mitigation on the rise (Help Net Security) The increasing popularity of DDoS attacks as a tool to disrupt, harass, terrorize and sabotage online businesses is boosting demand for mitigation solutions. In the face of universal vulnerability to attacks, end users are looking for cost-effective solutions that can defend against the most sophisticated and large scale attacks
Data Security Trends: Shifting perceptions on data security (Dell) Business and IT decision makers are finally carrying the banner of data security, recognizing not only the safety it brings, but also the opportunity
IoT Security Could Crack Quickly In The Quantum Era (InformationWeek) Internet of Things security is only beginning to get serious attention. However, it might already be too late. In the era of quantum computing, the fragile security that protects IoT devices may crumble faster than you think
IT Pros Are Choosing Between Productivity and Security (Infosecurity Magazine) In an era where operational agility can be a significant differentiator, IT shops face a dilemma: should they adopt security systems that tend to slow down networks and processes with inspections and filtering, or apply a lighter security framework in the name of productivity?
GCC firms to spend $1b on cyber security by 2018 (Khaleej Times) 'GCC organisations are among the world's most advanced in deploying solutions that proactively protect devices, user information, and corporate data'
Lessons for Pakistan on how to gear up for cyber security (Express Tribune) While Middle East countries have faced humanitarian disasters spawned by Syria and Yemen since time immemorial, a greater problem now faces these countries; cyber-crime
English language used the most for cyber attacks: Report (International Business News) English language was the highest spam sending language in 2015 with 84.1 per cent spammers using it for cyber-attack followed by Chinese (2.6 per cent) and German (1.7 per cent) on second and third spots, a report by Trend Micro Incorporated said
Marketplace
Cyber security in 2016: 4 of the biggest and most notable cyber security acquisitions so far this year (Computer Business Review) 2015 saw several large IPOs in the cyber security sector, including Sophos and Rapid7. This year has already seen several big companies buying up smaller, privately held firms as they look to plug the gaps in their solutions
What Does a Typical Fortune 100 CISO Look Like? (SecurityWeek) What does a CISO look like? You may think that's a tough question--and it is. But the folks at cybersecurity firm Digital Guardian have done some research and profiled the typical CISO at a Fortune 100 enterprise
Comodo CEO Doubles Down on Security Disclosure (eWeek) Melih Abdulhayoglu, Comodo CEO and chief security architect, discusses how he wants to work with researchers like Google Project Zero
Q&A: Symantec CEO On Split, New Security-Focused Channel Vision And Apple Vs. FBI (CRN) It's only March, but 2016 has already been a busy year for Symantec
Apple Hires Corporate Security Chief Amid Legal Battle With FBI (Fortune) Addition comes as the tech giant battles with the FBI over iPhone data
Microsoft adds OneDrive to bug bounty program (IT News) Will pay up to $19,700
Products, Services, and Solutions
Cylance® Partners With CoreSec to Bring CylancePROTECT® to the Nordics (Cylance) Partnership will enable government and enterprises in the Nordics for the first time to stop cyber-attacks before they ever execute
Siemens Unveils 3 Cybersecurity Ops Centers for Industrial Facility Protection (ExecutiveBiz) Siemens has unveiled three Cyber Security Operations Centers located in Milford, Ohio, in the U.S. and in Lisbon, Portugal, and Munich, Germany, for industrial facilities protection
Siemens opens Cyber Security Operation Center (Computer-Automation) Siemens has opened 'Cyber Security Operation Centers' (CSOC) in Lisbon, Munich and Milford (Ohio/USA) for services to protect industrial plants
Swiss encrypted email service now available to the public (FierceCIO) ProtonMail, an encrypted email startup based in Switzerland, announced its public launch Thursday. The free email service, which has been in beta since May 2014, is now accepting registrations from the general public
Comodo's "default deny" approach keeps known and unknown malware from endpoints (Network World) Many endpoint protection solutions allow files to open if they are not confirmed as malicious. Comodo denies unknown files access until they are proven to be benign
Visualizing the Entire Attack Surface (BankInfoSecurity) Skybox Security CEO Gidi Cohen on the Evolution of Total Visibility
iGov and NIKSUN Partner to Provide Critical Technology for DISA JRSS (PRNewswire) iGov, a Federal Systems Integrator (FSI) and Value Added Reseller (VAR), headquartered in Reston, VA, together with NIKSUN, an industry leader in providing a suite of scalable, forensics-based cyber security and network performance monitoring solutions, are pleased to announce their work to support the Defense Information Systems Agency (DISA) and the Department of Defense (DoD) by providing a turn-key capability to satisfy DISA Joint Regional Security Stack (JRSS) requirements for full packet capture (FPCAP), analysis and retention
Eris Industries and Ledger Partner for a Secure Blockchain (Bitcoin News Service) Eris Industries and Ledger have partnered to provide a fast, secure and easy-to-use blockchain solution to clients
Technologies, Techniques, and Standards
Detect observation and evade theft of sensitive data (Help Net Security) In this interview [Jacob Torrey] talks about architectural tells that can be utilized to detect the presence of analysis tools, and offers practical tips for researchers
How to better protect your Google account with Two-Step Verification (2SV) (Graham Cluley) Enable 2SV on your Gmail, YouTube, Google Docs and other Google accounts
Toolkit boosts Army network visibility, cybersecurity compliance (GCN) The Army is adopting tools to give soldiers greater network visibility to fight off hackers
Robocalls: where is RoboCop? (We Live Security) Some years ago I came across the story – I can’t say whether it’s true – of a decommissioned server that, at the time it was powered down for good, still had a task left unfinished after something like seven years
Hackers crack OS X, Windows, web browsers' security to net $460,000 (Register) Tencent Security Team Sniper crowned Master of Pwn
Microsoft and Apple get a whupping in Pwn2Own 2016 (ITWire) The annual Pwn2Own security-busting competition took place last week, revealing a total of 20 new vulnerabilities
Israel Cyber Cadets Train on Harry Potter-Inspired Battlefield (Bloomberg) The Israeli military’s elite Cyber Command is honing its skills at Hogwarts
Design and Innovation
MIT, Harvard researchers push new way for users to control access to personal data (Computerworld) Called Sieve, the approach could pose challenges to companies storing users' personal data and government searches
Opinion: Why End User Devices are Locked Down For Security, and Why They Have To Be (XDA Developers) I started cutting my teeth on Android here on XDA back in the days of rocking a Kyocera Zio
Privacy by Design: What it is and where to build it (Help Net Security) People tend to think about privacy in terms of the individual, but it is also critically important for the proper functioning of any business organization
Research and Development
Georgia Tech to Conduct C4I & Cyberspace Tech Research Under $84M Navy Contract (GovConWire) Georgia Tech Research Institute has landed a $84.5 million sole-source contract from the U.S. Navy to conduct research as a Defense Department university affiliated research center
Academia
Hacker High School Teaches Cyber Security Skills To Teens (Forbes) High school students thinking about a college education and career in the cybersecurity field may want to begin preparing now
Legislation, Policy, and Regulation
China calls for FBI cooperation in internet security, counter-terrorism (Reuters) China wants to have deeper internet security, anti-terrorism and corruption cooperation with the United States, Chinese security officials told the visiting director of the FBI, state news agency Xinhua said
No More Safe Harbor (Harvard Political Review) I accept the terms and privacy policy
Is the New Post-Safe Harbor Data Privacy Law a Silver Bullet or a First Step? (Nextgov) On Feb. 24, President Obama signed into law the Judicial Redress Act
Bank of England teams with new UK cyber security outfit (Stack) In its first project the UK’s new national cyber security centre will work with the Bank of England, according to a government announcement
A UK Surveillance Bill that Allows Government Hacking Has Passed Its First Legislative Hurdle (Nextgov) The Investigatory Powers bill, which will grant the British government broad powers to collect user data and hack communications systems and networks, has passed its first legislative hurdle. Parliamentarians voted overwhelmingly in favor of the bill yesterday (Mar. 15), with 281 “ayes” to 15 “noes”
The threat of cyberterrorism (Dawn) Over three billion users access the internet today, compared to a measly 400 million in 2000
Can tech community battle Islamic State online without breaking the Web? (Christian Science Monitor Passcode) At the South By Southwest Interactive festival this week, privacy advocates and technologists looked for ways to knock Islamic State militants offline without compromising free speech
Strong Intelligence Oversight Can Happen Within the Executive Branch (Just Security) That the American public is divided on the current showdown between Silicon Valley and the national security state is to be expected
DoD, Intel Leaders Partner on Space Capabilities (DoD News) Space is crucial to U.S. national security, and the Defense Department and intelligence agencies are working together well to ensure the United States dominates that domain, officials told the House Armed Service Committee’s strategic forces subcommittee March 15
New Jersey Utility Board Mandates Cybercrime Prevention (MobiPicker) The New Jersey Board of Public Utilities announces that they adopted a new set of regulations and policies against cyber attacks to different sectors such as the state’s electricity, natural gas, water and wastewater utilities
Litigation, Investigation, and Law Enforcement
US government pushed tech firms to hand over source code (ZDNet) Obtaining a company's source code makes it radically easier to find security flaws and vulnerabilities for surveillance and intelligence-gathering operations
Long Before the Apple-FBI Battle, Lavabit Sounded a Warning (Wired) Three years ago, Ladar Levison, the founder of the now-defunct secure email service known as Lavabit, was in the same position Apple finds itself today: facing off against a formidable government foe with unlimited resources and an aggressive determination to break his tech company’s defiance
Apple sees weakness in FBI hearing request (CSO) Last minute request for witnesses could indicate a change in FBI thinking, says Apple
The Feds Are Wrong to Warn of “Warrant-Proof” Phones (MIT Technology Review) Throughout history, communications have mainly been ephemeral. We need to be sure we can preserve that freedom
Why the NSA shouldn’t crack the San Bernardino shooter’s iPhone for the FBI (BGR) The iPhone 5c that belonged to San Bernardino shooter Syed Farook is susceptible to certain malicious attacks that could get the FBI what it wants: unrestricted access to a device that might hold some evidence linking the shooter to other potential suspects
Former Homeland Security Chief Talks Apple, FBI, And Encryption (Fortune) Michael Chertoff sits down with Fortune to talk Apple, the FBI, and data
Hillary Clinton Failed to Acknowledge the Security Risk of Using a Smartphone to Conduct Government Business, Report Claims (Inquisitr) A new report claims that, although officials warned Hillary Clinton that using a smartphone to conduct government business was a security risk, she failed to take heed to the warning and did it anyway
Will Hillary get charged, or what? (New York Post) FBI chief James Comey and his investigators are increasingly certain presidential nominee Hillary Clinton violated laws in handling classified government information through her private e-mail server, career agents say
ZTE Document Raises Questions About Huawei and Sanctions (New York Times) When the United States government punished ZTE of China this month, saying it had done business with Iran, it released internal company documents that it said detailed how the electronic equipment maker had done it — and that also suggested the problem might not be limited to one Chinese company