Cyber Attacks, Threats, and Vulnerabilities
Islamic State video calls for jihad after Brussels blasts (Reuters via Yahoo! News) Islamic State released a video on social media on Thursday calling on its followers to claim victory and wage jihad after deadly blasts in Brussels this week that the group said it had carried out
The Islamic State’s European Front (New York Times) The bombs that exploded in the Brussels airport and at a central metro station on Tuesday morning, killing at least 30 people, came as only the latest in a string of terrorist outrages on a continent that is starting to see horrific violence as the new normal. Hours later the Islamic State claimed responsibility
Brussels bombings are a sign of Islamic State’s panic (Reuters) The death count from Tuesday’s separate bombing attacks in Brussels continued to climb Wednesday, with Belgium police reporting at least 31 dead and nearly 270 injured. The atrocities are tragic and unacceptable. But the West should understand that this is what winning may look like in the battle against Islamic State. The attackers’ coordinated strikes could well stem more from a sense of weakness than strength
The Changing Logic Behind Suicide Bombings (Defense One) What was once purely a strategic action has become a tactical move meant to help hold territory
Anonymous Issues Threat Against ISIS After Belgium Attacks (Softpedia) First threats after the Paris November incident did not work as expected, so Anonymous does it again
In Syria and Iraq, the Islamic State is in retreat on multiple fronts (Washington Post) As European governments scramble to contain the expanding terrorist threat posed by the Islamic State, on the battlefield in Iraq and Syria the group is a rapidly diminishing force
OS X zero day bug allows hackers to bypass system integrity protection (Help Net Security) An OS X zero day vulnerability could allow attackers to bypass System Integrity Protection, Apple’s newest protection feature, and to escalate their privileges, simplifying the path to total system compromise in both OS X and iOS systems
RCE flaw affects DVRs sold by over 70 different vendors (Help Net Security) RSA security researcher Rotem Kerner has discovered a remote code execution vulnerability that affects digital video recorders (DVRs) sold by more than 70 different vendors around the world
Crooks Steal, Sell Verizon Enterprise Customer Data (KrebsOnSecurity) Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned
Mobile Security: Why App Stores Don’t Keep Users Safe (Dark Reading) In a preview of his Black Hat Asia Briefing next week, a security researcher offers more proof of trouble in the walled gardens of the Apple and Google App stores
Video Malvertising Bringing New Risks to High-Profile Sites (Proofpoint) Exploit kits are powerful tools for cybercriminals, downloading malware onto vulnerable PCs whenever users surf to a compromised or malicious site
Rise of the advanced persistent bots (FierceITSecurity) Distil Networks report finds bad bot activity is declining, but advanced persistent bots are on the rise
Badlock critical vulnerability: nice logo, no details. (Naked Security) Engineers from Microsoft and the Samba Team are reportedly working together to fix a critical vulnerability in Windows and Samba software – patches are expected in three weeks’ time, on 12 April
PETYA Crypto-ransomware Overwrites MBR to Lock Users Out of Their Computers (TrendLabs Security Intelligence Blog) As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing blue screen of death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads
Certified Ethical Hacker website caught spreading crypto ransomware (Ars Technica) Major security certification group ignored private warnings for more than 3 days
Canadian hospital's website hacked to serve up Teslacrypt ransomware (Graham Cluley) Yes, you should have secure backups. But you should keep your website patched too
Varonis’ Frightening Report Reveals Companies Are Easy Prey for Locky Ransomware (IT Business Edge) This week, Varonis, which specializes in solutions that protect against insider threats, issued a comprehensive report generated from risk assessments the company does over the year
Locking up Europe With Ransomware: Origination, Targeting, and Payment (Recorded Future) Ransomware infections are on the rise in Europe, and former Soviet states are frequently associated with ransomware
Cyber Attack Forces Bitcoin Trading Platform To Temporarily Shut Down (Mobipicker) Popular bitcoin trading platform BitQuick announced last week that it would suspend all its services for the next two to four weeks to investigate a cyber attack that occurred on March 14, 2016
Sprouts Farmers Market employee falls for spear-phishing attack (FierceITSecurity) Payroll employee sends 2015 W-2 forms of all 20,000 employees to hacker posing as company exec
Doxing: An Increasingly Popular Form of Online Harassment (Cyveillance) Recently, a hacker released the personal information of 29,000 federal employees – twenty thousand from the Department of Justice and 9,000 from Homeland Security – which included names, job titles, phone numbers, and email addresses. Incidents like this, including the doxing of CIA director John Brennan by a hacktivism collective, prompted the FBI to issue a warning to law enforcement and high-profile public officials indicating they could be targeted by hacktivists, who have increasingly adopted doxing as a form of social justice
The things you discover when you test RF networks (Help Net Security) In my work as a penetration tester for SureCloud, I’m often asked to look at unusual, out-of-the-ordinary vulnerabilities
Security Patches, Mitigations, and Software Updates
Stable Channel Update (Chrome Releases) The stable channel has been updated to 49.0.2623.108 for Windows, Mac, and Linux
Oracle Security Alert for CVE-2016-0636 (Oracle) This Security Alert addresses CVE-2016-0636, a vulnerability affecting Java SE running in web browsers on desktops. This vulnerability is not applicable to Java deployments, typically in servers or standalone desktop applications, that load and run only trusted code. It also does not affect Oracle server-based software
Emergency Java update plugs system compromise hole (Help Net Security) Oracle has issued an emergency security update for Java to plug a critical flaw (CVE-2016-0636) that could be exploited by luring users to visit a web page hosting the exploit
Apple pulls iOS 9.3 update for older devices following activation problems (Ars Technica) iPhone 5S and older, iPad Air and older, and others are potentially affected
And now Apple is going to stop the FBI getting into iCloud data too (Graham Cluley) Apple announces plans to hand over iCloud encryption key management to users
Microsoft Deploys Macro Blocking Feature in Office to Curb Malware (Threatpost) If it ain’t broke, don’t fix it. If there’s one thing the recent surge in threats using macros to spread malware has shown, it’s that the vector is clearly working for attackers
Cyber Trends
Iranian Cyber Attack on New York Dam Shows Future of War (Time) The first nation-state warfare took place between soldiers on the ground, and then ships at sea
VulDB: NetIQ Self Service Password Reset up to 2.x/3.3.1 HF1 cross site scripting (IBM Security Intelligence) By all accounts, it appears to be a typical Friday afternoon for the application security team
Tripwire RSA Survey: Only 38 Percent of Security Professionals Confident in Ransomware Recovery (BusinessWire) Tripwire, Inc., a leading global provider of endpoint protection and response, security and compliance solutions, today announced the results of a survey of 200 security professionals attending the RSA Conference 2016 between February 29-March 4, 2016
Second-Hand Devices Are the Next Privacy Frontier (Wireless Week) The telecommunications industry is heating up right now, following the FCC’s latest proposed regulation that would require broadband and wireless carriers to get consumers’ permission before sharing data with third parties, such as marketers
Marketplace
Cyber insurance penetration continues to grow (Business Insurance) More U.S.-based Marsh L.L.C. clients are buying stand-alone cyber insurance and increasing the limits purchased, says the brokerage in a report issued Thursday
The Future Cyber Risk Insurance Market (LIFARS) The importance of cybersecurity in the future can hardly be overstated. Organizations everywhere know this very well and are increasing their cybersecurity spending – which in turn propels the cybersecurity industry forward at an increasing rate. Similarly, there is an immense growth potential in the cyber risk insurance market
Evolution of the enterprise managed security services market (Help Net Security) In this podcast recorded at RSA Conference 2016, Court Little, Director of Product Management at Solutionary, talks about how the enterprise managed security services market in the last year has taken some interesting turns
Why you need a CSO/CISO (CIO) When it comes to security, you're better off employing a specialist. However, according to recent research, less than half of companies employ a CSO/CISO
Meet The Fortune 100 CISO (Dark Reading) Digital Guardian data shows that the typical Fortune 100 CISO is a white male with a background in IT security and a Bachelor's degree in business
Burlington firm walks businesses through cyber security (Burlington Free Press) Justin Fimlaid kept Keurig Green Mountain's cyber secrets from 2009 to 2013. Then, Fimlaid founded his own firm, NuHarbor Security in Burlington, partly because he was so dissatisfied with the help he tried to hire to protect information while at Keurig
Bromium Announces $40m Funding Based on Record Growth; Appoints SVP Sales, CFO and General Counsel (EIN News) Next-generation endpoint protection company experiencing significant momentum
Mach37 Accelerates New Cyber-Security Startups (eWeek) Rick Gordon, managing partner of Mach37, discusses his firm's new investments and its current portfolio of cyber-security startups
Hacking Team Is Back In Business, But Struggling To Survive (Motherboard) Earlier this year, a representative for the notorious surveillance vendor Hacking Team traveled to South America to pitch the company’s marquee spyware product to a potential new customer
Optus, Cisco to co-invest $9m in cyber security, cloud & IoT spaces in Australia (Deal Street Asia) Optus Business, a subsidiary of Singapore Telecom, and US networking equipment major Cisco Systems are planning to invest A$12 million (about $9 million) in Australia over the next three years in areas related to cyber security, cloud, and the Internet of Things (IoT)
Cybersecurity Professional Awards – Winners & Finalists (Cybersecurity Excellence Awards) The 2016 Cybersecurity Excellence Awards honor individuals and companies that demonstrate excellence, innovation and leadership in information security. Based on the content of their nomination and the popular vote by the Information Security Community (both ratings and comments), we are announcing the following winners and finalists for the 2016 Cybersecurity Excellence Awards in the category Cybersecurity Professional
Products, Services, and Solutions
Local firm to train vets for cybersecurity jobs (Pittsburgh Business Times) One local firm is doing its part to help Pittsburgh become a cybersecurity hub: it's offering training for local vets, free of charge. Solutionary, a managed security services provider based in Pittsburgh, is partnering with the SANS Institute, an information security training and certification organization, to offer immersion training in cybersecurity
Niara and Carbon Black Partner to Extend Security Analytics to the Endpoint (EIN News) Integration fuses endpoint context with existing data sources for enhanced attack detection and incident investigation
Threat Stack Goes Slack For Chat Ops Security (eSecurity Planet) Threat intelligence is great, but will getting actionable alerts over Slack improve enterprise security?
Technologies, Techniques, and Standards
8 tips for preventing ransomware (Naked Security) Chances are you know someone, or some organization, who has suffered a ransomware attack – it could be your local police department, a small business, big hospital, or someone in your family
Pursuing Legal Cloud Computing Security Standards: Legal Market Reactions (Legaltech News) Insights into the latest LCCA Security and Data Privacy Standards
Chip-and-PIN adoption still slow (CSO) The “chip-and-PIN” credit card system is more secure than the legacy “swipe-and-signature.” But adoption of the new system remains slow — many small merchants find the cost of upgrading more significant than the increased liability risk from fraud
Building Trust: Cyber Security Guidelines for Your Employees (Heimdal Security) If you run a business or plan to start one, you should read this. If you’re employed, you should also read this
How tax fraud occurs and how to stay safe (Help Net Security) The IRS is now taking up to 21 days to review a tax return
Design and Innovation
Secure code before or after sharing? (GCN) The White House wants federal agencies to share more of their custom code with each other, and also to provide more of it to the open source community
Facebook’s testing a feature that alerts you if someone’s impersonating you (Naked Security) Facebook’s real-name policy requires people “to provide the name they use in real life; that way, you always know who you’re connecting with”
Tay Tweets: Microsoft AI chatbot designed to learn from Twitter turns into Nazi-loving Trump supporter (Independent) The messages started out harmless, if bizarre, but have descended into outright racism — before the bot was shut down
Microsoft shuts down AI chatbot after it learns hate speech on Twitter (FierceCIO) The Twitterverse's capacity to be just as awful as it is amazing reached a new high
Artificial Intelligence Robot claims it will destroy human race (Hack Read) “Sophia,” an advanced, lifelike robot told its creator that it will “destroy humans” at the South by Southwest (SXSW) technology show
Legislation, Policy, and Regulation
European Commission President Calls for 'Security Union' (Defense News) European Commission President Jean-Claude Juncker has called for a European “security union” to face the threat of terrorism
Europeans balk at intelligence sharing as toll of terror rises (New York Times via Alaska Dispatch-News) If another example of the failure of European intelligence services to share and act on information about potential terrorists was needed, Wednesday’s identification of the bombers in the deadly Brussels attacks the day before certainly provides it
Former CIA, NSA Chief Hayden Blasts Euro Intelligence Failures In Tracking Terrorist Links (Forbes) A former top U.S. intelligence official and retired air force general is taking European governments to task for intelligence failures that may explain why terrorists could get away with this week’s suicide blasts that killed more than 30 people in Brussels on top of the bombings in Paris last November in which 130 died
How Belgium's Bumbling Bureaucrats Boosted Europe's Terror Threat (Newsweek) As the world sends its sympathy to the victims of the recent terror attacks in Brussels, the most fervent prayer to be uttered for Belgium itself is that it finally wakes up. The incompetent Belgian government, its bureaucratic law enforcement agencies and its half-hearted intelligence services deserve as much blame for the slaughter as the murderers
U.S., Germany eye ways to deepen cyber collaboration (Reuters) Senior U.S. and German officials agreed this week to deepen their collaboration on a range of cyber issues, including working to promote norms for responsible state behavior in cyberspace and expanding training in developing countries
Obama, in Argentina, rejects calls for change in strategy against Islamic State (Washington Post) President Obama declared Wednesday that defeating the terrorist threat posed by the Islamic State remains his top priority, but he forcefully dismissed calls to alter his strategy and vowed not to change course “simply because it’s political season”
Sessions: Obama not taking terror threat seriously enough (Washington Examiner) Alabama Sen. Jeff Sessions said late Thursday that President Obama's refusal to specifically connect recent terrorism acts to radical Islamic groups will impede the world's ability to fully address the threat
Special Report: What Will the Privacy Shield Mean for Legal? (Legaltech News) The announcement of the EU-U.S. Privacy Shield, and the release of documents explaining its principle and structures, herald the end of an uncertain era over transatlantic data transfers
House Subcommittee Examines the Role of Cyber Insurance (JDSupra) On March 22, the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing on The Role of Cyber Insurance in Risk Management
Employee Surveillance: Business Efficiency Vs. Worker Privacy (InformationWeek) Legal scholars argue that new laws are needed to define the parameters of acceptable workplace monitoring and to ensure respect for personal privacy
U.S. Beefs Up Cyber Defenses to Thwart Hacks of Nuclear Arsenal (Bloomberg) The U.S. military is beefing up cyber defenses to counter threats by hackers trying to gain access to nuclear missiles and other weapons
Blog: Space and Cyber Domains Combined Create 'Synergistic' Safeguards, General Says (SIGNAL) Every military operation conducted around the world is enabled by space as well as cyber operations, domains closely linked and threatened alike
Halvorsen: DoD's cybersecurity training, culture have improved (FierceGovernmentIT) Defense Department Chief Information Officer Terry Halvorsen said cybersecurity training and overall awareness of cyberthreats have improved across the organization since a phishing scheme last summer compromised the Joint Chiefs of Staff unclassified email network
Litigation, Investigation, and Law Enforcement
Justice Department indicts seven Iranians for campaign of cyberattacks (Christian Science Monitor Passcode) The Justice Department indictment against Iranians for attacking banks and hacking into a New York dam is just the second time the US government has named foreigners in an indictment involving computer crimes against US businesses
Why the Military Can’t Go After Iran for Hacking Your Dam (Defense One) Seven Iranians have been charged with cyber crimes in a case that reveals the limits of U.S. power
How security pros blunted alleged Iran cyber attacks (USA Today) New criminal charges linking Iran to 2011-2013 cyber attacks on the U.S. put suspects' names and faces on an episode that plagued 46 banks and financial institutions nationwide — and hundreds of thousands of their customers
Six arrested in raids in Brussels; officials regret not acting on earlier warning (UPI) Two American officials also reportedly said the brothers accused in the attacks were already known to U.S. intelligence
Clear links emerge between Paris, Brussels attacks (France24) Investigators say clear links have emerged between the jihadists involved in the Paris and Brussels attacks, suggesting a single cell was responsible for both
FBI director says fight with Apple about terrorism, not setting precedent (Ars Technica) "You are simply wrong to assert that the FBI and the Justice Department lied"
Here’s how much the FBI is paying Cellebrite for its iPhone hack (BGR) For the time being, Apple’s legal battle with the FBI appears to be on hold
The FBI is cautiously testing a way to get into the San Bernardino iPhone (Washington Post) The FBI’s announcement earlier this week that it may not need help from Apple to get into a terrorist’s iPhone set off a rush of speculation over what novel, last-ditch solution the agency had stumbled on
DOJ knew of possible iPhone-cracking method before Apple case (IDG via CSO) The DEA filed a warrant request to use an iPhone cracking technology weeks before the FBI went to court against Apple
Technology saves the day in FBI vs. Apple … or does it? (FierceITSecurity) Technology, it seems, has come to the rescue in the dispute between the Federal Bureau of Investigation and Apple over accessing the iPhone used by the San Bernardino terrorist
Even if the FBI Cracks the San Bernardino Shooter’s iPhone, the Encryption Debate Won’t Be Over (Slate) On Monday, the FBI postponed a planned Tuesday court hearing with Apple about unlocking the iPhone of one of the San Bernardino shooters. The agency said it had found a third party with a promising proposal for bypassing the device's passcode without help from Apple, which has been resisting providing assistance
Encryption pioneer Martin Hellman talks security, Apple, the FBI and the future of cryptography (TechCrunch) Martin Hellman, Stanford Professor Emeritus of Electrical Engineering, was one of those awarded this year’s Turing Award by the Association for Computing Machinery. Named for computer science pioneer Alan Turing, the award is widely regarded as the highest distinction in Computer Science
There's a slim chance the FBI will have to tell Apple how it'll break into terrorist's iPhone (CNN Money) If the FBI manages to break into a San Bernardino terrorist's iPhone, there's a tiny possibility it might be forced to tell Apple how it pulled off the hack
Influencers: FBI should disclose San Bernardino iPhone security hole to Apple (Christian Science Monitor Passcode) Now that American law enforcement may have a way into the iPhone used by the San Bernardino, Calif., shooter, it should also disclose details about the security hole to Apple, said 81 percent of Passcode’s Influencers
British Students Found Guilty of ISIS-Inspired Plot to Kill on London’s Streets (Newsweek) A British court has convicted two university students of planning to kill soldiers, police and civilians on the streets of London, in a plot inspired by the Islamic State militant group (ISIS)
Man arrested for tweet about “confronting” a Muslim woman (Ars Technica) The British PR exec demanded that the woman "explain Brussels"
Security and privacy controls on Healthcare.gov data hub remain weak (FierceGovernmentIT) Over a 17-month period, Healthcare.gov experienced 316 security incidents – none of which resulted in the leak of sensitive data or compromised systems – but the Government Accountability Office remains concerned that the technical controls that protect information flowing from the website to federal partners' data systems are inadequate
Kirk Nahra: HIPAA, data issues will keep providers on their toes (FierceHealthIT) Looking at the year to come in healthcare privacy and security, there will be many HIPAA and legislative issues providers should keep their eyes on, Kirk Nahra, a partner at Wiley Rein LLP, said during a talk at the 24th National HIPAA Summit in the District of Columbia this week