Cyber Attacks, Threats, and Vulnerabilities
Statement Regarding Recent Media Coverage (Mossack Fonseca) Recent media reports have portrayed an inaccurate view of the services that we provide and, despite our efforts to correct the record, misrepresented the nature of our work and its role in global financial markets. These reports rely on supposition and stereotypes, and play on the public’s lack of familiarity with the work of firms like ours
Twitter and Islamic State Deadlock on Social Media Battlefield (Wall Street Journal) The terror group’s online footprint has shrunk in crackdown aided by global hackers, but supporters open new accounts almost as quickly as digital gatekeepers delete them
ISIS Targets American Imams for Believing Muslims Can Thrive in U.S. (Daily Beast) ISIS just put three American imams on their kill list. One stunned preacher says it's like a twisted episode of 'The Walking Dead'
ISIS threatens Clinton aide, lawmaker (The Hill) The Islamic State in Iraq and Syria (ISIS) is making death threats against a longtime Hillary Clinton aide and a congressman
How real is the threat of cyberterrorism? (Irish Times) Former FBI agent Andre McGregor says Iran and Islamic State pose the greatest danger
Hackers giving up on crypto ransomware. Now they just lock up device, hope you pay (Register) Talks Tor, abuses kidnapped machines but doesn’t encrypt
The ransomware attack that knows where you live (Naked Security) We often hear people saying, “I back myself to spot all the phishes that come my way"
Samsung Galaxy devices can be made to make calls, send messages while locked (Help Net Security) Half a dozen (and possibly even more) Samsung Galaxy phones can be made to place phone calls or send text messages even when they are locked, thanks to exposed USB modems
Broken IBM Java Patch Prompts Another Disclosure (Threatpost) For the second time in two weeks, researchers have discovered a three-year-old broken patch for a vulnerability in IBM’s Java SDK implementation
Hackers help to steal petrol, coal and more as criminals eye industrial systems (ZDNet) Poorly defended Scada systems offer rich picking to crime gangs, warns Kaspersky
Why ICS network attacks pose unique security challenges (Help Net Security) Attacks on industrial control systems (ICSs) are increasing in frequency – and have become a reality we can no longer ignore. Securing these networks poses unique challenges, primarily because ICS networks are unlike traditional IT networks. They use different technologies and perform discrete functions. In order to protect them we first need to understand how they operate
Don't let Badlock distract you from real vulnerabilities (InfoWorld) Who is afraid of the big bad vulnerability? All the hype on Badlock is a distraction from the real flaws that need patching right away
Hackers hacking hackers to knacker white hat cracker trackers (Register) 'These Russians speak really good Farsi' and other signs thieves lack honour
Staff fall victim to cyber criminals hacking into pay (The Australian Business Review) The pay of hundreds of thousands of Australians is at risk of being siphoned off by cyber criminals because of weak security, according to the Australian Federal Police, which says such crimes have risen dramatically in recent years
IRS Warns of Continued Scams, Varied Tactics as the Tax Deadline Nears (IRS) The Internal Revenue Service today issued a warning that scammers may try using the April 18 tax deadline to prey on hard-working taxpayers by impersonating the IRS and others with fake phone calls and emails
6,013 breaches reported in the US since 2005 (Help Net Security) In 2005, the Identity Theft Resource Center (ITRC) began monitoring and tallying the ever-growing number of US security breaches. Since then, the organization has seen a 397 percent increase in data exposure incidents across financial services, business, education, government and healthcare sectors
Report: 57M fed, military Social Security numbers stolen since 2005 (Federal Times) The government isn’t the hardest hit sector when it comes to cyberattacks but federal and military organizations have been getting hammered for years, according to a recent report from the Identity Theft Resource Center (ITRC) and IDT911
VA Investigates 'Active Shooter' False Alarm to 23K Staffers (AP via ABC News) The U.S. Department of Veterans Affairs is investigating after a false alarm about an active shooter was sent to VA hospitals nationwide. Daniel Henry is a spokesman for the Hampton VA Medical Center in Virginia. He says the alert was sent inadvertently from Hampton on Tuesday during training on a new emergency notification system, and reached about 23,000 employees at hospitals nationwide
Hackers target Newquay dental surgery in cyber attack, redirecting visitors to porn site (Cornish Guardian) Hackers have targeted a Newquay dental surgery in a cyber attack which redirects unsuspecting visitors to a porn site
Security Patches, Mitigations, and Software Updates
Cisco Unified Computing System Central Software Arbitrary Command Execution Vulnerability (Cisco Security Advisory) A vulnerability in the web framework of Cisco Unified Computing System (UCS) Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on a targeted system. The vulnerability is due to improper input validation by the affected software. An attacker could exploit this vulnerability by sending a malicious HTTP request to an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system
Stable Channel Update (Chrome Releases) The Chrome team is delighted to announce the promotion of Chrome 50 to the stable channel for Windows, Mac and Linux. Chrome 50.0.2661.75 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 50
Hawk up to 3.1.2/4.1.0 CPU Exhaustion Denial Of Service (VulDB) A vulnerability classified as problematic was found in Hawk up to 3.1.2/4.1.0. This vulnerability affects an unknown function. Manipulation with an unknown input leads to a denial of service vulnerability (CPU exhaustion). Its known impact is on availability
CBS Sports App Transmitted Data Unencrypted (Threatpost) CBS recently fixed a vulnerability in its popular Sports application that could have exposed users to man-in-the-middle attacks and inadvertently leaked personal data
‘Badlock’ Bug Tops Microsoft Patch Batch (KrebsOnSecurity) Microsoft released fixes on Tuesday to plug critical security holes in Windows and other software
What Should I Do About BadLock (CVE-2016-2118 & CVE-2016-0128/MS16-047)? (Active Directory Security) The simple answer: Patch soon
Microsoft is boosting security through hardware in Windows 10 PCs, phones (PCWorld) Starting July 28, the company will require new Windows 10 PCs, tablets, and smartphones to ship with TPM 2.0, a hardware-based security layer
Marketplace
Cyber security: ‘Enormous opportunities’ for Australian business (Computerworld) Government’s cyber security strategy to be unveiled 21 April
Cyber risks, consolidation pose challenges for directors and officers insurers (Business Insurance) Cyber-related risks present a growing exposure for insurers providing directors and officers liability coverage, Fitch Ratings Inc. said Wednesday
Optiv Security pursues IPO: source (Reuters) Cyber security company Optiv Security Inc is working with Goldman Sachs Group Inc and Morgan Stanley on an initial public offering that could come as soon as the second half of 2016, a source familiar with the matter said on Wednesday
Why This Cybersecurity Unicorn Doesn't Want an IPO (DC Inno) Much has been made about the clear lack of technology sector IPOs in 2016. But many expect the drought to soon come to an end as Dell Inc's cybersecurity unit, Atlanta, Ga.-based SecureWorks Corp, which is valued at $1.42 billion, plans to join the NASDAQ. While a cyber company has emerged to break the ice, it doesn't necessarily mean others in the space are eager to dive into public waters
Tripwire Business Momentum Accelerates in 2015 (BusinessWire) Tripwire, Inc., a leading global provider of endpoint detection and response, security, compliance and IT operations solutions, today announced record revenues and profits in 2015 led by strong sales of Tripwire® IP360™, a vulnerability management solution; Tripwire® Enterprise, a security configuration management and policy compliance solution; and Tripwire NERC Solution Suite, a security and compliance solution designed to meet the unique compliance and cyber security requirements of energy organizations
The KEYW Holding Corporation (NASDAQ:KEYW): Quick Look at Earnings (Greenville Tribune) When The KEYW Holding Corporation (NASDAQ:KEYW) issues their next quarterly report on or near 2016-05-05, Wall Street analysts are predicting they will report earnings per share of $-0.09
Check Point CEO outlook reflects demands of cyber war (USA Today) Check Point Software Technologies CEO Gil Shwed put a bullish spin on Wall Street's 2016 revenue expectations for the maker of firewall software, suggesting annual growth in its segment of the security market remains at or near double digits
AhnLab shares up on founder’s election victory (Korea Herald) Shares in AhnLab, a security software provider, rallied on the Seoul bourse on Thursday morning, buoyed by a boost in political fortunes of its founder Ahn Cheol-soo in Wednesday’s elections
Cybersecurity Pros Are in High Demand (RSA Conference Blog) When it comes to cybersecurity, there simply aren’t enough of you
BT begins drive to hire 900 cyber security pros (V3) BT is looking to hire 900 staff over the next 12 months to work in its security business, in what the company said is a drive to protect consumers, businesses and governments from the growing threat of cyber crime
Hire-hungry Distil Networks targets Raleigh for growth, wary of HB2 (Triangle Business Journal) Rami Essaid, the San Francisco-based CEO of fast-growing IT security firm Distil Networks, has big plans for Raleigh
Derby cyber firm doubles office space creating 50 jobs (Derby Telegraph) A Derby cyber security firm has said it will create around 50 new jobs over the next 12 months after doubling the size of its office space in the city
Products, Services, and Solutions
After issuing 1.7M certificates, Let’s Encrypt CA officially leaving beta (Help Net Security) Let’s Encrypt, the non-profit Certificate Authority (CA) backed by the Electronic Frontier Foundation, Mozilla, Cisco, Akamai, and others, is ready to be considered a stable offering
Game of Threats: learning to defend your company from cyber-attack (Irish Times) New role-playing game teaches c-suite executives how to deal with security threats
Blue Coat Launches Broad Cloud Security Ecosystem (MarketWired) Cloud ready partner program aimed at easing enterprise cloud migration and decreasing risk; enables integration of services and applications to deliver visibility and control
Thycotic Strengthens Privileged Account Management Solution with Release of Secret Server 9.0 (PRNewswire) Three Major Enhancements Include Geo Replicated Databases, UNIX Command Whitelisting - SUPM, and Mac Session Launcher
LightCyber Introduces Security Industry’s First Attack Detection Metrics; Demonstrates New Level of Efficacy for Finding Attackers (BusinessWire) Metrics set new standard for assessing accuracy and efficiency of security offerings, provide objective benchmark for detecting stealth attackers operating within enterprise networks
Technologies, Techniques, and Standards
Underwriters Labs refuses to share new IoT cybersecurity standard (Ars Technica) "Too many unhealthy products will pass the bare-minimum certification process"
Panama Papers: A data security disaster (Help Net Security) The Panama Papers security breach is a juicy, made-for-the-Internet scandal. It has all the elements – secret off-shore accounts; involvement by international politicians, criminals, celebrities and sports stars; 11.5 million files cyber-filched from a law firm’s files and then leaked to the media
Cutting edge security: Expensive kit won't save you (Register) Stop wading through alerts and get serious
Getting on the Same Page with Your MSSP: A Checklist (RSA Conference Blog) With a 38 percent rise in security incidents between 2014 and 2015 and a 26 percent increase in the cost per breach, organizations are under pressure to reduce risk
Vulnerability in Productivity: Companies Move to Secure Vendor, Cloud Apps (Legaltech News) Underscoring security concerns surrounding vendor and cloud apps use, companies are turning to IAM solutions to better manage and protect their network access
New FTC Tool Could Lead to More Scrutiny on Mobile Health App Developers (Legaltech News) The web-based compliance tool is aimed at educating developers of mobile health apps about the various laws and regulations that they must comply with
How to Ensure Data Security in Cross-border e-discovery (Legaltech News) Scott Herber and David Moncure offer advice for legal professionals and companies navigating an era of increased cyberthreats
Security tips and tricks for businesses and consumers (Help Net Security) In 2015, the number of zero-day vulnerabilities discovered more than doubled to a record-breaking 54, a 125 percent increase from the year before, reaffirming the critical role they play in lucrative targeted attacks, according to Symantec’s Internet Security Threat Report
Vigilant Guard tests system to protect La. against cyber attack (KSLA) When a natural disaster strikes, the first priority is keeping people safe. However, digital security is also a top level priority
Design and Innovation
Special Operators Seek New Social Media Tools (National Defense) As terrorist organizations such as the Islamic State embrace social media, government entities are seeking to exploit open-source information to improve their own operational tactics
Deutsche Bank Americas CIO: Silicon Valley Lab Tech Under Review (Waters Technology) Global head of DB Labs discusses what specific technologies the bank is interested in
New sensors help reduce supply chain risks (CSO) Sensors help companies react faster and reduce risk
Research and Development
DARPA Selects Vencore for DDoS Defense Program Research (ExecutiveBiz) A business unit of Chantilly, Virginia-based defense contractor Vencore has received an estimated $7.7 million contract from the Defense Advanced Research Projects Agency for research on a computer network defense program
Long-range Secure Quantum Communication Transmits Signals 250+ Kilometers (Scientific Computing) A group of scientists has developed a novel approach to the construction of quantum communication systems for secure data exchange
Legislation, Policy, and Regulation
US takes cyber warfare mainstream (Financial Times) No one, Moscow included, will argue against America’s use of the internet to attack Isis
Let slip dogs of cyberwar (Times-Tribune) There is a consensus that aggression by one nation against another is a serious matter, but there is no comparable consensus about what constitutes aggression
Expert: "The state trojan doesn't wear a sign" (Futurezone) What does the IT security industry actually think about state trojans? And what can citizens do about them? futurezone spoke with experts from the industry about it
How Putin Stirs Up Conflict Using Bikers, Militias, and State-Controlled TV (Foreign Policy) It couldn’t have unfolded any better for the Kremlin
Chinese hacking of US companies declines (Financial Times) Chinese cyber spying on American companies has decreased since a September agreement between presidents Barack Obama and Xi Jinping, according to government and private sector experts, but officials are undecided about the significance of the shift
EU Working Party Reproaches Privacy Shield Over Data Protection, Enforcement, Clarity (Legaltech News) The opinion by the Article 29 Working Party may delay the finalization of the agreement, increase anxiety over transatlantic data transfer regulations
EU privacy advocates complain data-sharing pact not good enough (Christian Science Monitor Passcode) On Wednesday, a group of data regulators from the European Union said that the Privacy Shield pact to ensure data flows between the EU and US does little to protect against the threat of surveillance
From Banal to Bombshell: Data Privacy Awareness and a Look at the Privacy Shield (Legaltech News) The Privacy Shield has earned a lot of praise from both sides of the pond, but does it hold up to scrutiny upon a closer look?
Opinion: Europe's privacy advocates should back off Privacy Shield (Christian Science Monitor Passcode) Privacy Shield is certainly not a solution for eternity. But it fills the current void for safeguarding data flows across the Atlantic and attempts to match European and American views on privacy
Senators Propose Encryption Rules (Wall Street Journal) ‘Discussion draft’ could escalate clash between Silicon Valley and Washington
Senators introduce legislation to compel tech companies to submit data to the government (Washington Post) Senate Intelligence Committee Chairman Richard Burr and ranking Democrat Dianne Feinstein released a draft bill on Wednesday that would compel American companies to turn over data to the government under court order, staking out a controversial position in Congress’s ongoing fight over encrypted communications
What Apple vs. FBI Means for the Global 5000 (Venafi) Cryptographic keys and digital certificates are powerful. As a result, they have become the target of nation states and bad guys because they protect the foundation of cybersecurity
Feud Opened by Apple-FBI Case Years From Fix, FireEye Chief Says (Bloomberg Technology) Apple versus the FBI was just the beginning: The debate between privacy and cybersecurity will drag on for years as the government vies with powerful corporations while new forms of hacking attacks arise, according to David DeWalt, chief executive officer of FireEye Inc
Interim guidelines to the Cybersecurity Information Sharing Act (TechCrunch) Despite the objections of many privacy advocates and security professionals, the Cybersecurity Information Sharing Act (CISA) is now the law of the land
The Cybersecurity Act of 2015 Is a Necessary Stake in the Ground (RSA Conference Blog) The Cybersecurity Act of 2015 is approaching its three-month birthday, but you can be excused if you’re oblivious to that. After all, many people probably don’t know it even exists. Very quietly, the law—the first major piece of Congressional cybersecurity legislation, one designed to address the explosive growth of successful cyberattacks—was signed into law in mid-December 2015 by President Obama
US CIO Tony Scott on fixing cybersecurity's talent gap (+video) (Christian Science Monitor Passcode) At a Passcode event Tuesday, the US chief information officer said the federal government wants candidates who know languages, biology, and anthropology to fill cybersecurity roles – and one of its most important hires, the new chief information security officer, will be announced within 30 days
White House to announce federal CISO pick within a month (FierceGovernmentIT) The White House plans to announce its pick for the newly created federal chief information security officer position within a month, according to U.S. Chief Information Officer Tony Scott
Obama names cyber experts from business, academia to new panel (Reuters) The chief executive of MasterCard Inc, the former head of the National Security Agency and officials from Microsoft and Uber will join a commission to strengthen U.S. cyber defenses, the White House said on Wednesday
Intelligence agencies consider striking 'confidential' label (AP) Intelligence agencies are considering eliminating the government's lowest category of classified information — a step a top official has said could simplify the system used to guard intelligence and could prevent unnecessary secrecy
Congressman sees broader role for DHS in state and local cyber efforts (GCN) Cyberthreats are expanding and evolving at such a rate that many state and local governments are struggling to keep up. Rep. Will Hurd (R-Texas) would like to see the Department of Homeland Security do more to help
Homeland Security official shares agency's priorities in lecture at AU (Herald Bulletin) Deputy secretary says encryption trend growing
Litigation, Investigation, and Law Enforcement
Early Results of Edward Lin Espionage Investigation Triggered National Security Alert (USNI) The investigation into a naval flight officer suspected of giving secrets to China and Taiwan triggered a potential national security incident alert to senior leadership in the Navy and Pentagon, two Navy officials confirmed to USNI News late Tuesday
China May Be the Big Winner in the Pentagon’s Newest Spying Scandal (Foreign Policy) The secrets a U.S. Navy officer is suspected of slipping to China could ground America’s most important spy planes just when Washington needs them most
Obama redefines secrets in Clinton defense (Washington Times) President Obama this week redefined the definition of classified information in comments made Sunday in defending Hillary Clinton’s placement of secrets on a private email server while she was secretary of state
Is Apple Trying to Act Like an Offshore Tax Haven in its Fight with the FBI? (War on the Rocks) The war of words arising out of the FBI–Apple controversy is sure to continue, even after the FBI managed to find a “tool” to unlock the San Bernardino cell phone without Apple’s help. There are already more criminals with smart phones that law enforcement wants to get into. The battle lines are drawn. Each side, it seems, is overlooking an important historical analogy arising out of a different industry: American banks
Did NSA underestimate the insider threat? (CSO) In this edition of the Irari Report, Ira Winkler and Araceli Treu Gomes continue their interview of Chris Inglis, former Deputy Director of NSA. In this segment, they focus on how an organization that is so aware of the insider threat can be compromised by a person like Edward Snowden
British Authorities Order Hacker Lauri Love to Hand Over Encryption Keys (Hacker News) The National Crime Agency (NCA) of the United Kingdom is forcing British citizen and political hacktivist Lauri Love, who is accused of hacking, to hand over encryption keys to equipment seized from his home
Texas appeals court: Private email addresses aren't private if accounts used to conduct official business (FierceGovernmentIT) The private email addresses of public officials in Texas are subject to disclosure under the Texas Public Records Act if they're used to conduct official business and discussions, a state appeals court has ruled
Is your train or bus eavesdropping on your conversation? (Naked Security) In at least two US states, privacy advocates are raising questions about the use of surveillance equipment to record audio on trains and buses
We’ve got stalkers in our pockets (Naked Security) A study has found that more than a third – 36% – of stalking victims are tormented via cyber methods
Social Autopsy wants to expose trolls' real identities - but is that wise? (Graham Cluley) Website plans to build a searchable database of digital footprints
Former Reuters journalist gets two years in hacking case (CNET) Matthew Keys was convicted of aiding hacktivist group Anonymous in breaking into and defacing the Los Angeles Times Web site
Medical data breach leads to a record cash settlement (We Live Security) When one of the former patients at a hospital managed by St. Joseph Health System ran a routine Google search of her name four years ago, she found that her medical records from this hospital were available online
Kolkata Co CEO held for Forging Quick Heal documents (Dataquest) A Kolkata IT company MD and CEO has been arrested for allegedly forging documents of Quick Heal Technologies to claim substantial share holding in the company