Cyber Attacks, Threats, and Vulnerabilities
Terrorists opt for consumer tools (CSO) Although cybercriminals have been turning out specialized hacking and attack tools at a rapid pace, terrorists are often using legitimate, consumer-focused technologies
ISIS Membership Drops Amid Reports Of Increased Brutality (Western Journalism) ISIS outdid itself in its barbarism
Pawn Storm APT targets members of Angela Merkel’s party (Help Net Security) Pawn Storm, one of the oldest APTs engaging in cyber espionage, has been spotted targeting members of the German Christian Democratic Union (CDU), the political party of German Chancellor Angela Merkel
Second bank cyber-attack detected by Swift after Bangladesh raid (BBC News) A cyber-attack, similar to one that saw $81m (£56m) stolen from Bangladesh's central bank, has hit a second bank
Second SWIFT Attack Hits Vietnam Bank Showing Links to Sony Hack (SecurityWeek) At a financial conference in Frankfurt, Thursday, SWIFT's chief executive Gottfried Leibbrandt told the audience that the $81 million theft from the Bangladesh central bank's New York account "was from our perspective a customer fraud." He added, "I don’t think it was the first, I don’t think it will be the last"
Bangladesh Bank Heist Probe Said to Find Three Hacker Groups (Bloomberg Technology) Investigators examining the theft of $81 million from Bangladesh’s central bank have uncovered evidence of three hacking groups -- including two nation states -- inside the bank’s network but say it was the third, unidentified group that pulled off the heist, according to two people briefed on the progress of the bank’s internal investigation
OpIcarus: Anonymous Shut Down 4 More Banking Websites (Hack Read) After a short break, Anonymous, BannedOffline and Ghost Squad are back in action — Their latest targets to face the fury are banking websites in Jordan, South Korea, Monegasque and Montenegro. All attacks were conducted under the banner of operation OpIcarus
Parrot Copter and Viking Jump apps hide malware in Google Play (Naked Security) Security researchers at Check Point blogged earlier this week about an Android malware family they dubbed the Viking Horde
Older Android devices vulnerable to malware: Kaspersky Labs (Digit) Researchers at Kaspersky Labs have found that devices running Android v4.1.x or lower are susceptible to being targeted by malicious scripts on infected websites
Double trouble for Android (ITWeb) Check Point and Kaspersky Lab unearthed major vulnerabilities in the Android OS. Android, the most dominant operating system, faces more security challenges, with two global security companies discovering major flaws in a week
Anti-virus products, security devices affected by 7-Zip flaws (Graham Cluley) Users should update their vulnerable versions ASAP
Dangerous 7-Zip flaws put many other software products at risk (CSO) The flaws could allow arbitrary code execution when the 7-Zip library processes specially crafted files
Microsoft Windows zero-day exposes companies to credit card data theft (ZDNet) The boom in PoS systems in the US has its drawbacks
KnowBe4 Alert: Cyber Criminals Switch to Malicious HTML Attachments (PR Rocket) While ransomware attacks and new strains explode, organizations are reminded to be aware of new forms of social engineering that leave them open to attack
Carding Sites Turn to the ‘Dark Cloud’ (KrebsOnSecurity) Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes. In this post, we’ll examine a large collection of hacked computers around the world that currently serves as a criminal cloud hosting environment for a variety of cybercrime operations, from sending spam to hosting malicious software and stolen credit card shops
Most Popular Business Apps Fail to Protect Personally Identifiable Information (Information Security Buzz) Wandera, the leader in mobile data security and management, today announced the findings of its comprehensive security assessment of the most popular business apps used on corporate liable devices by enterprise customers across North America, UK, Europe and Asia
Max Yamabiko: Arming against the F1 cyber war (Crash) Max Yamabiko discusses the increasing threat of 'cyber warfare' in both F1 and the car industry, and how companies like Kaspersky are arming against it
Pirates find rich pickings in shipping computer files (Standard) Pirates have become more sophisticated and can now hack into the management systems of shipping companies targeting various vessels, cybersecurity consulting firm Verizon Asia Pacific said in a report issued yesterday
FDIC reports five ‘major incidents’ of cybersecurity breaches since fall (Washington Post) The Federal Deposit Insurance Corp. (FDIC) on Monday retroactively reported to Congress that five additional “major incidents” of data breaches have occurred since Oct. 30. FDIC also is launching “a new initiative to enhance security”
Google Hit by Insider Data Breach (Infosecurity Magazine) Google has suffered an embarrassing insider data breach after an employee at a third-party vendor mistakenly sent personal information on an unspecified number of Mountain View employees to another company
Security Patches, Mitigations, and Software Updates
Emergency Flash Update Patches Public Zero Day (Threatpost) As promised earlier this week, Adobe today released an updated version of Flash Player that includes a patch for a zero-day vulnerability
Adobe Flash zero-day patch is out…for the third month in a row (Naked Security) At the risk of sounding like a gramophone record that is stuck in a groove...for the third month in a row, Adobe has pushed out a Flash update that patches a zero-day hole
Critical patches target privilege escalation (SC Magazine) Half of the sixteen Microsoft bulletins in this month's Patch Tuesday (16 May) are rated “critical” importance and the other half “important”
Cyber Trends
Criminals continue to target healthcare data – Ponemon study finds (id experts) The Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute finds that criminal attacks are the leading cause of half of all data breaches in healthcare. Employee mistakes, third-party snafus, and stolen computer devices are the root cause of the other half of data breaches. The study also found that while most healthcare organizations believe they are vulnerable to a data breach, they are unprepared to address new threats and lack the resources to protect patient data
Almost half of companies don't teach staff data security (CloudPro) Businesses are failing to take company-wide security seriously, Egnyte research shows
Sextortion as Cybersecurity: Defining Cyber Risk Too Narrowly (Lawfare) When we think of cybersecurity, we don't think of sexual violence. Sexual assault, rape, and child molestation are problems of intimate contact between individuals in close proximity to one another. By contrast, we tend to think of cybersecurity as a problem of remote attacks that affect governments, major corporations, and—at an individual level—people with credit card numbers or identities to steal
Marketplace
Wall Street Doesn’t Care About Breaches (Digital Guardian) Wendy’s says that only 5% of its stores were hacked. But does it matter?
Why M&A activity leaves companies vulnerable to cyber criminals (City A.M.) Global merger and acquisitions (M&A) activity reached record-breaking deal values in 2015 at over $5 trillion. Whilst these vast sums excite shareholders, they also attract cyber criminals who sense an opportunity via inherent weaknesses in the M&A process
Is FireEye Finished? (GuruFocus) I have been bullish on FireEye (FEYE) for quite some time. I recommended buying FireEye multiple times over the last few months and the stock, on average, was up —…% until I recently suggested investors to sell it and book profits
Are Investors Wrong to Ditch FireEye? (GuruFocus) Company changed leadership and is positioned for growth
Palo Alto Networks Is a Screaming Buy (Investor Guide) Palo Alto Networks (PANW) announced second quarter ended January 31, 2016 total revenue of $334.7 million, up 54 percent year-over-year from $217.7 million of total revenue during the same period last year. Going forward, the company estimates third quarter of 2016 total revenue in the $335 to $339 million range, illustrating 43 percent to 45 percent of year-over-year growth
Mimecast Lockup Expiration Could Bring Risky Declines: Consider Shorting Today (Seeking Alpha) May 17, 2016 concludes the 180-day lockup period on MIME, which offers cloud-based risk management and security services
Finjan Holdings (FNJN) Enters $10.2M Series A Preferred Private Placement (StreetInsider) Finjan Holdings, Inc. (Nasdaq: FNJN) announced that it has secured a $10.2 million Series A Preferred Stock financing in a private placement transaction led by Halcyon Long Duration Recoveries Investments I LLC ("Halcyon LDRII"), an affiliate of both funds managed by Halcyon Long Duration Recoveries Management LP and its affiliates ("Halcyon") and Soryn IP Group, LLC ("Soryn")
How 102-year-old Booz Allen tackles new cybersecurity marketplace (Washington Business Journal) McLean-based Booz Allen Hamilton Inc. has been busy reinventing itself
Infoblox (BLOX) Stock Skyrockets, Receives Takeover Offer From Thoma Bravo (The Street) Infoblox (BLOX - Get Report) shares are soaring 18.81% to $18.19 on Thursday morning after the company received a buyout approach from technology-focused private equity firm Thoma Bravo, valuing the deal at around $886 million, Bloomberg reports
Optiv Security Acquires Substantially All Assets of Evantix to Build Industry’s First Holistic, Cloud-Based Third-Party Risk Solution (BusinessWire) Optiv Security, a market-leading provider of end-to-end cyber security solutions, today announced that it has completed the purchase of substantially all assets of Evantix GRC, LLC, a Calif.-based provider of a Software as a Service (SaaS) application for managing third-party risk
Check Point Software Co-Founder Launches Simple Network Security In The Cloud (Forbes) Shlomo Kramer, who co-founded Check Point Software alongside Gil Shwed and Marius Nacht in 1993, raised $20 million in a series A funding round for Cato Networks late last year, a startup venture aimed at redefining how enterprises secure their networks and mobile devices. His elevator pitch: “Network security is simple again.” Now Kramer is up and running in the cloud
ZENEDGE Announces Record Quarter with Growing Momentum to Displace On-Premise and Legacy WAF and DDoS Solutions (PRNewswire) Hardened DDoS mitigation centers, new artificial intelligence web application firewall, key customer wins contribute to triple-digit growth
Quick Heal enhances security software revenue in Q1 (Infotechlead) Quick Heal Technologies, an IT security software products and solutions provider, said its revenues grew 26 percent to Rs 1,314.4 million in Q4 fiscal 2016 and 18 percent to Rs 3,380.7 million in FY 2016
Sophos in MSP push (ChannelWeb) Security vendor has launched a new partner programme aimed at MSPs
Gartner Names Morphisec as a 2016 "Cool Vendor" (PRNewswire) Endpoint security company Morphisec selected for Gartner's annual list of innovative vendors
Deep Instinct Named a Cool Vendor in Digital Workplace Security by Gartner (Marketwired) Leading analyst firm recognizes Deep Instinct in its annual selection of innovative, interesting, and impactful vendors
Fireglass Named a 'Cool Vendor' by Gartner (PRNewswire) Fireglass' Web Isolation technology recognized by Gartner as innovative, impactful and intriguing
Fortscale Named a 2016 “Cool Vendor” (PR Rocket) Company recognized in identity and access management and fraud for its groundbreaking User and Entity Behavior Analytics (UEBA) solution
illusive networks Wins 2016 Cybersecurity Excellence Award (PRNewswire) Deception technology innovator recognized as Best Cybersecurity Startup Under 100 Employees
This Cambridge security startup now has a billionaire, an ex-MI5 chief and an ex-CIA tech leader on its board (Business Insider) British cybersecurity startup Darktrace has appointed former Central Intelligence Agency (CIA) official Alan Wade to its advisory board
Products, Services, and Solutions
Microsoft's Shielded VMs Designed To Add Security Against Rogue Admins (Redmond Magazine) Microsoft this week talked more about its Shielded Virtual Machines datacenter security technology
Twistlock Releases New Security Platform for Container Environments (App Developer Magazine) Twistlock has announced the release of Twistlock Runtime, a set of automated capabilities that defend against active threats targeting container environments
IBM Security to safeguard CIBIL data against cyberattacks (Times of India) Credit Information Bureau India Limited (CIBIL) has partnered with IBM Security to secure its critical business systems against cyberattacks
Brandwatch Partners with Proofpoint, Conversocial, Domo, and Binary Fountain (PRNewswire) Reveals product roadmap at Now You Know Conference
RiskIQ Partners With Fishtech Labs To Accelerate Adoption Of The RiskIQ External Threat Management Platform (PRNewswire) RiskIQ, the leader in External Threat Management, today announced that it has partnered with Fishtech Labs to expedite the adoption of cutting edge, next-generation security and networking solutions in the market
Which Porn Sites are Trustworthy? (Check and Secure) Porn – it’s what the internet was made for, according to the musical Avenue Q. Website popularity listings like Alexa seem to support this, showing that U.S. pornsite XVideo is more popular than Apple.com
Technologies, Techniques, and Standards
What the C-Suite Should Know about the Rise of Ransomware (Palo Alto Networks) With ransomware on the rise, executives have many questions on their minds. What do I need to know about ransomware? To what extent is ransomware covered by cyber insurance? And most importantly, what can be done to prevent these attacks from happening in the first place?
Tips to Use Penetration Testing to Protect Your Business From Cyber Attacks (App Developer Magazine) Forty-seven percent of all breaches were caused by malicious or criminal attacks according to the most recent global data breach study released by the Ponemon Institute. Resolving an attack cost businesses an average of $170 per record, translating to an average total cost of $3.79 million for a data breach
Enterprises Must Consider Privacy Concern For Biometrics (Dark Reading) On-server storage and processing of biometric authentication presents a host of regulatory and corporate responsibility issues
Bridging the security automation gap (Help Net Security) Security management has gotten out of hand, according to our recent State of Automation in Security Report. 48% of survey respondents had an application outage as a result of a misconfigured security device, 42% experienced a network outage, while 20% suffered a security breach. And on average, these issues took up to three hours to fix, while 20% of organizations needed a day or more to fix the problem
Design and Innovation
MIRACL and NTT announce open source cryptography for the cloud (Datacenter Dynamics) British distributed cryptography specialist MIRACL and the research subsidiary of NTT have developed a security framework for cloud computing, contributed to open source as Apache Milagro
Milagro: A distributed cryptosystem for the cloud (Help Net Security) A new open source project within the Apache Incubator aims to create an alternative to outdated and problematic monolithic trust hierarchies such as commercial certificate authorities
Apache incubating project promises new Internet security framework (CIO via CSO) The newly announced Apache Milagro (incubating) project seeks to end centralized certificates and passwords in a world that has shifted from client-server to cloud, IoT and containerized applications
Verizon DBIR Puzzler Solved With Meghan Trainor And ‘Cyber Pathogens’ (Dark Reading) All about that puzzler's paradise that is the 2016 Annual Verizon Data Breach Investigations Report cover contest
The Dark Web Has Its Own Lit Magazine (Wired) When most people think about the dark web, they envision the Silk Road, terrorist networks, pornography, and other sinister threats. They certainly don’t imagine finding poetry. Or short stories. Or creative nonfiction. That’s a preconception the founders of The Torist, the first literary magazine on the encrypted network Tor, hope to correct
Research and Development
DARPA’s Plan X Gives Military Operators a Place to Wage Cyber Warfare (DoD News) Since 2013, the Defense Advanced Research Projects Agency’s Plan X cyber warfare program engineers have done the foundational work they knew it would take to create for the first time a common operating picture for warriors in cyberspace
IBM Watson Will Help Battle Cyberattacks (Dark Reading) IBM and leading universities will train IBM Watson to discover hidden patterns and cyber threats
Lie back and think of cybersecurity: IBM lets students loose on Watson (Register) Elementary
IBM Researcher: Fears Over Artificial Intelligence Are ‘Overblown’ (Time) "If we don't use AI technologies, we're going to be losing out"
Academia
New Certificate Program Prepares Students for Homeland Security Careers (Montclair State University) Fully online post-BA program meets needs of a growing field
Legislation, Policy, and Regulation
European Central Bank creates cyber attack real-time alert system (Financial Times) Eurozone banks will be obliged to inform regulators of “significant” cyber attacks, under a pioneering real-time alert service by the European Central Bank to tackle the growing threat of digital theft
From hacking to cyber espionage: US and China discuss security in the digital age (International Business Times) Officials from the US and Chinese governments have met for the first time since an agreement was established last year in an attempt to curb the rising threat of cyber espionage and hacking between the two nations
US Focusing Intently on China's Cyber Commitments (Voice of America) U.S. officials say they are watching closely to ensure that China abides by its cybersecurity commitments, following the first meeting between the two sides since they struck an anti-hacking agreement in September
Pentagon chief sees problems with cybersecurity (National Defense via Bloomberg Government) The private sector in the United States is underinvesting in network protection and hindering the growth of the cybersecurity market, Secretary of Defense Ashton Carter told reporters on May 11
Cyber attacks on Islamic State use tools others also have, says US defense chief (First Post) Cyber attack techniques used by the U.S.-led coalition against Islamic State could also be used by other countries, U.S. Defense Secretary Ashton Carter said on Wednesday
Cyberspace - the world’s largest crime zone - why it is essential for South Africa to establish and implement cybersecurity measures and legislation (Lexology) The rapid evolution and widespread deployment of information and communication technologies (ICTs) has tremendously increased accessibility to the internet in developing nations where cyber security laws are either non-existent or still in their infancy. Rights such as freedom of expression, freedom of trade and access to information apply equally in cyberspace and need to be both recognised and protected
Litigation, Investigation, and Law Enforcement
Lawmakers probe large data breaches at US bank insurance agency (IDG via CSO) The FDIC saw about 160,000 personal bank records leave the agency on removable media in recent months
How Steel City Became the Front Line in America’s Cyberwar (Foreign Policy) Blending gumshoe investigations with high-tech research, Pittsburgh has become a hotbed of the Justice Department’s fight against international hackers
FBI wasn't able to unlock iPhone, even with a 'fingerprint unlock warrant' (CNN Money) A judge recently took the controversial step of letting the FBI force a woman to unlock an iPhone with her fingerprints. But it didn't work
Motion Filed Asking FBI To Disclose Tor Browser Zero Day (Threatpost) Mozilla on Wednesday filed a motion with the U.S. District Court in Tacoma, Wa., asking the government to disclose a vulnerability it exploited in the Tor Browser and Firefox. The FBI used the zero-day to hack a child pornography site and de-anonymize users visiting the site using the Tor Browser
Cisco Told to Pay $23.5 Million Over Hacker-Security Patents (Bloomberg Technology) Jury found Cisco infringed patents held by SRI International. Technology tracks intrusions into computer networks by hackers
In on-going litigation, startup now sues prominent VCs and angel investors for aiding and abetting a fraud, trade secret misappropriation and other wrongdoing. (PRNewswire) Tech entrepreneurs Jason Hullinger and Benjamin de Bont, as well as start-up Agora Systems LLC, filed a lawsuit this week in a Los Angeles federal court against prominent venture capital firms U.S. Venture Partners and Karlin Ventures, tech incubator Launchpad LA, angel investors Michael Stern, Adam Lilling and Sam Teller, famed technologist Dan Kaminsky and others. The lawsuit supplements original claims against Defendants Kunal Anand, Julien Bellanger and their security tech start-up Prevoty, Inc., seeking compensatory and punitive damages for fraud, breach of fiduciary duties and trade secret misappropriation, among other wrongdoing
Call Centers In The Bullseye (Dark Reading) Cheap set-ups, economic recession, and the US rollout of chip-and-PIN technology, all contribute to dramatic increase in call center fraud
6 Shocking Intellectual Property Breaches (Dark Reading) Not all breaches involve lost customer data. Sometimes the most damaging losses come when intellectual property is pilfered