Cyber Attacks, Threats, and Vulnerabilities
The Dark Web Is Too Slow and Annoying for Terrorists (Defense One) For starters, a site on the dark web doesn’t do what jihadis need it to do: get their message out
Totalitarianism 101: The Islamic State’s Offline Propaganda Strategy (Lawfare) In the last few years, the Islamic State has expended a staggering amount of energy in pursuit of a position at the top of the global jihadist food chain. Given its sustained control over of huge tracts of land in Iraq and Syria, declaration of a transnational caliphate, and wide-ranging assaults against civilians from Paris to Jakarta, some would say it has achieved this with remarkable efficiency
ISIS's Campaign in Europe: March 2016 (Institute for the Study of War) ISIS is using its foreign fighters and safe haven in Iraq and Syria to execute a terror campaign within Europe. ISIS’s March 22 Brussels attacks support a larger strategy to punish, destabilize, and polarize the West
Ron Johnson on ISIS: 'Our critical infrastructure is vulnerable' (CNN) The Senate's homeland security chairman says he is "highly concerned" that infrastructure like power plants in the United States and Europe is vulnerable to ISIS attacks
Nine Lessons of Russian Propaganda (Small Wars Journal) After visiting repeatedly, I moved to Ukraine from the United States in 2012. My parents had been born in Ukraine and taught me some of the language during my childhood in Queens, NY
Google Search Technique Aided N.Y. Dam Hacker in Iran (Wall Street Journal) Iranian charged with hacking computer system that controlled New York dam used search process to identify the vulnerable system
TWSL2016-006: Multiple XSS Vulnerabilities reported for Zen Cart (Trustwave SpiderLabs Blog) Today Trustwave released a vulnerability advisory in conjunction with Zen Cart. Researchers from the SpiderLabs Research team at Trustwave recently found multiple Cross-Site Scripting (XSS) vulnerabilities in the popular online open source shopping cart application
Malware authors quickly adopt SHA-2 through stolen code-signing certificates (IDG via CSO) Malware pushers have adapted to new Windows restrictions on files signed with SHA-1-based digital certificates
New ransomware abuses Windows PowerShell, Word document macros (IDG via CSO) The PowerWare ransomware is written completely in the Windows PowerShell scripting language
Fileless Powerware Ransomware Found on Healthcare Network (Threatpost) Attackers are not through testing the limits of what they can do with new features in ransomware samples
Key takeaways from the rise of KeRanger malware (Trend Micro: Simply Security) The Mac versus PC debate is often framed in the context of cyber security
HTTPS may not be as safe as it once was (Trend Micro: Simply Security) Proper encryption is seen by many as the linchpin to the Internet's current and future success
Verizon says security breach leads to customer data leak (Reuters) Verizon Communications Inc (VZ.N) said an attacker had exploited a security vulnerability on its enterprise client portal to steal contact information of a number of customers
Facebook Safety Check develops glitch, checks on people far from Lahore blast (IDG via CSO) People as far away as the the UK and the US received notifications
Enterprise security: The easiest data breaches are the hardest to stop (ZDNet) Stealing sensitive data can be as easy as emailing a payroll staff member and requesting copies of everyone's W-2s
Cyber Trends
Data Ethics Dilemma?: Privacy in the Modern Age (Legaltech News) Big Data has changed our interaction with the world. What does it mean for ethics and privacy?
Your Favorite Movies and Cyber from Down Under (New America) New America's Peter Singer and Passcode's Sara Sorcher interview Walter Parkes, the noted screenwriter-turned-film producer who’s behind many of your all time favorite cybersecurity movies: Sneakers and WarGames. They talk about the hacker archetypes depicted in pop culture, why these movies resonate with this community, how fiction sometimes inspires real policy change in this field – and whose cybersecurity work he finds most fascinating
Marketplace
Care in writing cyber cover warranted (Business Insurance) Lack of data on threats troubles insurers
Bromium raises $40M and hires a CFO (Silicon Valley Business Journal) Security startup Bromium raised $40 million in funding on Friday and hired a chief financial officer
Splunk: Is The Share Price Outrageous? (Seeking Alpha) Splunk shares have been in an extended downtrend since last summer and are selling for 36% less than they were 5 months ago. The company continues to beat consensus expectations significantly and to raise guidance almost continuously
Symantec Is A Value Trap (Seeking Alpha) Symantec seems like a good relative value play in its space. However, there are many reasons to dislike Symantec. And further still, there's a powerful bearish thesis that calls into question all of Symantec's profitability. Moreover, this bearish thesis is structural
IBM plans to open 250 cybersecurity managers designation in New Brunswick for future (Markets Morning) In collaboration, both New Brunswick premier Brian Gallant and IBM Canada would create approx. 100 full time jobs within company’s security division in Fredericton – pay range: US$ 50,000 to US$ 75,000 on an individual scale basis
NIST is looking for a few good cryptographers (FCW) The National Institute of Standards and Technology wants to hire more than a dozen cryptographers to deal with a growing portfolio, said Matthew Scholl, chief of NIST's Computer Security Division
Hackers Can Be Our Cybersecurity Allies (Wall Street Journal) It’s time to stop stigmatizing and start recruiting those whose technology skills could keep the country safe
What will it take to diversify the cyber workforce? (FCW) The cybersecurity field is dominated by white men, but the International Consortium of Minority Cybersecurity Professionals aims to help ensure that U.S. companies and government agencies have access to a full spectrum of talent -- and that all Americans have a shot at jobs in the increasingly critical cybersecurity arena
Products, Services, and Solutions
Even Apple uses tech from the company allegedly helping the FBI crack an iPhone (BGR) There’s an entire industry devoted to cracking the iPhone and other smartphones
Technologies, Techniques, and Standards
Evaluating a NGFW? Here Is All You Need to Know (eSecurity Planet) Here is solid advice for evaluating a next-generation firewall (NGFW), from features to consider to questions to ask
How To Share Threat Intelligence Through CISA: 10 Things To Know (Dark Reading) If you want those liability protections the Cybersecurity Information Sharing Act promised, you must follow DHS's new guidelines
Confused by crypto? Here's what that password hashing stuff means in English (Register) Encryption, certificates, public and private keys – it's all here
No One Should Ever Pay to Remove a Bitcoin Ransomware Infection (Bitcoins Channel) Bitcoin ransomware has been a topic of considerable discussion in the media throughout 2015
Banks failing with password management, but why? (Help Net Security) A recent study shows some terrifying results: banks in the U.S. often have less secure password policies in place than do social media websites
Building a Resilient Cyber Defense (InfoRiskToday) Experts: New Framework Should Resist and Respond to Emerging Threats
Security doesn't just happen, cyber experts say (Business Insurance) Risk managers worrying about cyber threats have to be aware that not only can their systems be attacked for their data, but that criminals also may use their systems to commit cyber crimes against others, according to a security expert
Design and Innovation
Software security needs a new perspective (TechCrunch) Source code bugs have been a constant in the software industry since the dawn of computers — and have ever been a major source of attacks, exploits and security incidents
How 4 Startups Are Harnessing AI In The Invisible Cyberwar (Dark Reading) Cybersecurity startups are setting their scopes on a potential goldmine of automated systems they hope will be more effective than hiring human enterprise security teams
It’s Your Fault Microsoft’s Teen AI Turned Into Such a Jerk (Wired) It was the unspooling of an unfortunate series of events involving artificial intelligence, human nature, and a very public experiment
Legislation, Policy, and Regulation
This war on math is still bullshit (TechCrunch) In the wake of Paris, San Bernardino, and now Brussels, the encryption debate has become such a potent cocktail of horror, idiocy, and farce that it has become hard to tease out any rational threads of discussion
Time to rewrite the rules on cyberattacks (Washington Post) About 30 miles north of New York City, in Rye, N.Y., sits the Arthur R. Bowman Dam, a reinforced-concrete gravity dam constructed a century ago for ice-making, and now primarily used for flood control, with a sluice gate that can control water permitted to flow downstream. Between Aug. 28 and Sept. 18, 2013, a hacker sneaked into computer systems that monitor the dam and move the sluice gate
U.S. National Security Agency Head Paid Secret Visit to Israel (Haaretz) Working visit dealt with deepening cooperation between Israeli and American intelligence units, especially against cyber attacks by Iran and Hezbollah
Marines forming new cyberwarrior unit (Stars and Stripes) The Marine Corps is standing up a new unit of cyberwarriors as the global battlefield evolves to include more and more computer networks
White House Petition Aims To Stop The JavaScript Scourge (InformationWeek) Is it time to put an end to JavaScript once and for all? Someone thinks so, and they've got the White House petition to prove it
Litigation, Investigation, and Law Enforcement
Can Europe Connect the ISIS Dots? (Foregin Policy) The Brussels attacks expose yet again the bureaucratic walls that prevent European agencies from sharing intelligence on terror threats
Who Will Become a Terrorist? Research Yields Few Clues (New York Times) The brothers who carried out suicide bombings in Brussels last week had long, violent criminal records and had been regarded internationally as potential terrorists. But in San Bernardino, Calif., last year, one of the attackers was a county health inspector who lived a life of apparent suburban normality
How Belgian prisons became a breeding ground for Islamic extremism (Washington Post) Stephane Medot knows a thing or two about Belgian prisons
Who lives, dies in attacks can give clues about terror cells (AP via Yahoo! News) The bomb maker, the transporter, the landlord and the cipher. The four men slipped away after the Nov. 13 attacks in Paris, and all but one reappeared as key figures in the Islamic State cell that went on to attack Brussels
UAE finds 38 guilty in terror case, issues 11 life sentences (AP via Yahoo! News) The top security court in the United Arab Emirates on Sunday sentenced 38 people to prison in connection to a cell accused of plotting terrorist attacks and seeking to overthrow the government to create an Islamic state
Former NSA head to FBI: ‘Get over’ Apple dispute (The Hill) A former head of two intelligence agencies had a clear message on Friday for the government as it tries to get Apple to unlock an iPhone used by one of the San Bernardino shooters
Opinion: Why the FBI will eventually reveal its iPhone hack to Apple (Christian Science Monitor Passcode) Because of a two-year-old policy known as the Vulnerability Equities Process, the government may be compelled to disclose the flaw it is attempting to use for unlocking the San Bernardino shooter's iPhone
Iran Rebuffs U.S. Cyber-Attack Charges for Lack of Evidence (Bloomberg) Iran brushed aside cyber-attack charges brought against seven of its citizens by U.S. prosecutors, accusing Washington of putting millions of Iranians in danger with its own attacks on Iran’s nuclear program
From a dam in New York to the cyberattacks on Aramco (Al Arabiya) If engineers at a dam in New York hadn’t disconnected water gates from its electronic control center for maintenance work, a major disaster would have happened
Cyber-attackers follow VVIPs, spike in attacks before important meetings (Economic Times) A day before Prime Minister Narendra Modi's visit to Afghanistan in December 2015, the email account of India's then ambassador to the country Amar Sinha was hacked by cyber attackers when he downloaded a malicious MS Word document sent as an email attachment
How Clinton’s email scandal took root (Washington Post) Hillary Clinton’s email problems began in her first days as secretary of state
The Forgotten 1957 Trial That Explains Our Country’s Bizarre Whistleblower Laws (Politico) In John Nickerson’s trial, we see the early rumblings of tensions that plague leak prosecutions today
Russian investor, funds settle U.S. press release hacking case (Business Insurance) A Moscow-based hedge fund manager, his investment firms and two Paris-based funds have agreed to pay nearly $18 million to resolve a U.S. regulator's claims that they engaged in insider trading using hacked press releases from newswire services
Court: Essentially none of cryptocurrency firm’s assets “actually exist” (Ars Technica) Gemcoin videos claimed that "trusted" cryptocurrency was "backed" by amber mines