Cyber Attacks, Threats, and Vulnerabilities
GSA says cyber ‘mistake’ was ‘no breach’; others investigate (Washington Post) A Government Services Administration office known as 18F functions as a computer consultancy for federal agencies and says it was “built in the spirit of America’s top tech startups.” But this government tech start-up had a technical slip-up of its own
How 18F handles information security and third party applications (18F GSA) Today the General Services Administration’s Office of Inspector General (an independent part of our agency, entrusted with carefully inspecting agency operations) published a report on a mistake made in the configuration of Slack, an online chat tool we use
Management Alert Report: GSA Data Breach (GSA OIG Office of Inspections and Forensic Auditing) During the course of an ongoing evaluation, the OIG Office of Inspections and Forensic Auditing identified an issue that warrants immediate attention. Due to authorizations enabled by GSA 18F staff, over 100 GSA Google Drives were reportedly accessible by users both inside and outside of GSA during a five month period, potentially exposing sensitive content such as personally identifiable information and contractor proprietary information
ISIS and Central Asia: A Shifting Recruiting Strategy (Diplomat) The region’s leaders must ask themselves if they are ready to deal with new threats tailored to recruit the discontented
Why Islamic State Militants Care So Much About Sykes-Picot (Radio Free Europe/Radio Liberty) One hundred years ago, on May 16, 1916, representatives from the United Kingdom and France (with the agreement of Russia) met in secret and signed what has come to be known as the Sykes–Picot Agreement. The pact, signed amid World War I, divided the Ottoman Empire into spheres of imperial control, and is often held responsible for establishing the current borders of the Middle East
Latest Flash 0day exploit delivered via booby-trapped Office file (Help Net Security) Four days have passed since Adobe patched the latest Flash Player 0day vulnerability exploited in attacks in the wild and, in the meantime, we have been given more details about the attacks and the exploit used
Flash zero day phished phoolish Microsoft Office users (Register) If you 'must' run Flash, run EMET, hacker begs
Symantec antivirus bug allows utter exploitation of memory (Register) Cross-platform nasty is simplicity itself to exploit, so get patching peeps
Symantec/Norton Antivirus ASPack Remote Heap/Pool memory corruption Vulnerability CVE-2016-2208 (Chromium) When parsing executables packed by an early version of aspack, a buffer overflow can occur in the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products. The problem occurs when section data is truncated, that is, when SizeOfRawData is greater than SizeOfImage
95.4% of All Android Devices Are Susceptible to Accessibility Clickjacking Exploits (Skycure) This is a follow up to our blog post during RSA (https://www[dot]skycure[dot]com/blog/accessibility-clickjacking/), where we explained how a hacker, by combining two features of Android, Accessibility Services and the ability to draw over other apps, may gain control of the mobile device, including acquiring elevated privileges and exposing the content of all apps on the device
An HTTPS hijacking click-fraud botnet now infects almost 1M computers (Computerworld) The malware replaces search results with ones from an affiliate program
Inside The Million-Machine Clickfraud Botnet (Bitdefender Labs) Online advertising is a multi-billion dollar business mostly run by Google, Yahoo or Bing via AdSense-like programs. The current generation of clickbots such as the Redirector.Paco Trojan have taken abuse to a whole new level, burning through companies’ advertising budget at an unprecedented pace
Furtim: The Ultra-Cautious Malware (enSilo) Furtim is the latest stealthy malware, found in the wild, and its discovery is credited to @hFireF0X. Clearly, Furtim’s developers were more interested in keeping their malware hidden from security’s prying eyes than hitting more targets. With stealth a key component, we code-named this downloader Furtim, the Latin translation for “stealthy”
Analyzing Furtim: Malware that Avoids Mass-Infection (Breaking Malware) Recently we came across a new malware strain, first discovered by @hFireF0X, and at point of discovery, it was not detected by any of the 56 anti-virus programs tested by VirusTotal service
Paranoid Furtim Malware Checks for 400 Security Products Before Execution (Softpedia) Malware most likely used in cyber-espionage campaigns
Vietnam: Bank Said They Stopped Cyber Attack via SWIFT Messaging System (OCCRP) Cybercriminals tried to use fake transfer requests to steal more than US$ 1.1 million from a bank in Vietnam, a similar technique to that used to steal millions from the central bank of Bangladesh earlier this year
Inter-bank system SWIFT on security? User manual needs ‘revamp’ (Register) Call for, er, tailored action
Five Necessary Improvements to the SWIFT (not Taylor Swift) Security Model (Skyport Systems) @securiTay – Taylor has better security than some banks transferring millions using SWIFT. Recently there has been what is likely the beginning of a wave of break-ins and financial exfiltrations via the SWIFT Alliance. Reports vary a bit, but between vendor/operator mistakes, weak security controls, lack of integrated forensics, and some not-so-best practices we have ended up witnessing the theft of over $80 million dollars. (It could have been over $950 million dollars but for the successful identification of typos by some astute bank operators)
AppRiver warns of PayPal themed Phishing making the rounds (IT Security Guru) Leading provider of email messaging and web security solutions, AppRiver, has warned of an ‘old fashioned’ but equally effective phishing campaign currently circulating that is impersonating PayPal
Web2py 2.14.5 CSRF / XSS / Local File Inclusion (PacketStorm) Web2py version 2.14.5 suffers from cross site request forgery, cross site scripting, and local file inclusion vulnerabilities
Runkeeper: A fitness app or a tracking app? (Help Net Security) Popular fitness app Runkeeper tracks users even when not in use, does not delete personal data when users stop using it, and shares users’ personal data with an advertising company in the US, the Norwegian Consumer Council (NCC) says in a complaint lodged with the Norwegian Data Protection Authority
Gboard enhances your keyboard, but what about your privacy? (Help Net Security) Gboard is a Google app for your iPhone that lets you search and send information, GIFs, emojis and more, right from your keyboard. You can search and send anything from Google, including news, articles, videos, images, etc
Hacker fans give Mr. Robot website free security checkup (Ars Technica) Days after USA Network patches XSS bug, hacker finds a way to inject SQL code
John McAfee claims to have hacked WhatsApp encrypted messages on Android (Computer Business Review) Cybersecurity expert John McAfee and his team claim to have hacked an encrypted WhatsApp message, using their servers located in remote areas in the mountains of Colorado
Security Patches, Mitigations, and Software Updates
OS X 10.11.5 and iTunes 12.4 updates bring security and usability fixes (Ars Technica) El Capitan receives what will likely be its last major update ahead of WWDC
iOS 9.3.2 is here, fixes iPhone SE Bluetooth problems and other bugs (Ars Technica) tvOS 9.2.1 and WatchOS 2.2.1 are also here
Motorola Droid Turbo Awaits Android Marshmallow While Verizon Pushes Out a Minor Update (MobiPicker) If you are using the Verizon Motorola Droid Turbo, then you should check your phone for an update notification. But before you get all excited, let us tell you that the 18 months-old device hasn’t received the Android Marshmallow update yet and is still on Android Lollipop. Instead, Verizon has rolled out a minor update
Cyber Trends
Top 20 risk factors for retailers (Help Net Security) According to BDO’s analysis of risk factors listed in the most recent 10-K filings of the 100 largest US retailers, risk associated with a possible security breach was cited unanimously by retailers, claiming the top spot, up from the 18th spot in 2007
Security spending rises in areas ineffective against multi-stage attacks (Help Net Security) Vormetric announced the results of the Financial Services Edition of the 2016 Vormetric Data Threat Report (DTR). This edition extends earlier findings of the global report, focusing on responses from IT security leaders in financial services, which details IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances
Most organizations can’t protect digital information in the long-term (Help Net Security) New research has revealed that the majority of organizations do not have a coherent long-term strategy for their vital digital information even though virtually all of them (98%) are required to keep information for ten years or longer
Tech Trends: Cyber Vulnerabilities Galore (Security Info Watch) In March I attended for the first time in five years the RSA Conference, the world’s largest cyber security conference, with nearly 40,000 people attending. Sadly, representation from our industry was noticeably lacking and many security people I have spoken to have never even heard of this important event
Taking no compromises when it comes to security (IT Pro Portal) Security stories are everywhere at the moment, so we spoke to Mark Valentine, head of information at car dealership Lookers, to discuss the current security landscape and issues around data protection
It's about time Australian businesses invested in cyber security (Security Brief) Cyber crime costs Australia upwards of a billion dollars every year, and many large companies have been the target of malicious attacks, including Kmart, David Jones, the Australian Bureau of Meteorology, The Royal Melbourne Hospital and Australian Government Parliamentary Services
Marketplace
Cisco Systems Could Disappoint With Guidance (Barron's) The networking company has been executing well but in a mixed spending environment it could guide below consensus estimates
Avanan Raises $14.9 Million Series A Financing Round (BusinessWire) Avanan, a cloud security innovator, today announced that it has raised $14.9 million in Series A financing. Greenfield Cities Holdings, L.P. (GFC), a TPG Growth portfolio company, led the round, with participation from both of Avanan’s existing investors, Magma VC and StageOne Ventures. The round brings the company’s total capital raised to $16.4 million and will allow Avanan to support its rapidly growing customer base and the fast pace of market adoption
illusive networks Announces Series B Funding Extension (Broadway World) illusive networks, a cybersecurity company at the forefront of deception technology, today announced extending the Series B funding to $25M by investors New Enterprise Associates (NEA), Bessemer Venture Partners, Cisco Investments, Marker LLC, Citi Ventures, and Eric Schmidt's Innovation Endeavors
Portland tech firm Galois spins out new company to make elections more secure (Portland Business Journal) Portland computer science research and development firm Galois is taking aim at election security with its latest spin-off, Free & Fair
Q&A: Driving growth in the application security market (IT Pro Portal) WhiteHat Security – an ethical hacking company – is 15 years old this year and is now experiencing something of a teenage growth spurt, both in terms of customers and headcount
Verizon Communications Inc Gets Sandwiched Between On-Strike and Shadow Workers (Business Finance News) Verizon agreed to renegotiate with the unions upon the request of Department of Labor Secretary Thomas E. Perez
CYREN Announces Office Expansion and Executive Management Appointments (PRNewswire) CYREN (NASDAQ: CYRN) today announced the expansion of its sales and support footprint with additions to its executive management team and a new enterprise sales office
Cybersecurity Firm Pwnie Express To Expand in Boston and Burlington (Seven Days) Protecting customer and employee data against cyber attacks is increasingly challenging. That’s bad news for the government and for corporate America, but good news for Boston-based Pwnie Express
Kroll Appoints Four New Directors in Growing Cyber Practice (BusinessWire) Kroll (“the Company”), a global leader in risk mitigation, compliance, security, and incident response solutions, today announced the appointment of four new Directors in its Cyber Security and Investigations practice – Devon Ackerman, Mari DeGrazia, Ron Dormido, and Ray Manna
Tempest Security Intelligence expands London office (Channel Biz) Company already supports customers like Tesco and Guardian News & Media
Ignition turns key on three more security channel partners (Channel Biz) Cato Networks, Digital Guardian and WhiteHat Security now join the distie’s fold alongside growing firm Cylance
INSA Names Suzanne Wilson-Houck Organization’s First COO (Washington Exec) Intelligence and National Security Alliance (INSA) announced May 13 the appointment of Suzanne Wilson-Houck as the company’s first Chief Operating Officer
Products, Services, and Solutions
Trusona Announces World's First Insured Authentication (Marketwired) Trusona, the category-defining identity and authentication platform for the world's most critical and sensitive Web and mobile transactions, today announced that its unique authentication platform and federated identity solution for the enterprise is now insured by an A+ Rated insurance carrier. The insurance approval of Trusona's technology follows rigorous and broad security testing conducted by one of the world's premier cybersecurity and forensics firms, Stroz Friedberg. Insurance for Trusona's solution is available for up to $1,000,000 coverage per transaction
EventTracker Adds Unlimited Acquisition Model for Log Manager (Virtual Strategy Magazine) EventTracker, a leading provider of comprehensive and co-managed SIEM solutions, today announced a new unlimited acquisition model for its EventTracker Log Manager offering. Available immediately, customers can now purchase EventTracker Log Manager for an unlimited number of log sources per year
Digital Shadows Helps Organizations More Quickly Identify and Mitigate Systemic Security Weaknesses (KTVN) Credential compromise and typosquatting identification, and new topical research reports, provide security teams with relevant analysis critical to security decision making
Microsoft Broadens Preview of Windows 10 Security Service (Redmond Channel Partner) Windows 10's new Windows Defender Advanced Threat Protection service, which Microsoft unveiled in March, is now available to a larger audience to try out
Kaspersky launches new solution to combat targeted attacks (Khaleej Times) The Kata Platform analyses data collected from different points of the corporate IT infrastructure
BAE Systems and Fujitsu Collaborate on Cyber Threat Intelligence Sharing (BusinessWire) BAE Systems and Fujitsu of Japan have implemented a new cyber threat intelligence sharing solution that will enable company analysts to easily review intelligence, modify their security settings to their respective networks, and adjust what types of intelligence they wish to share with their partners
Equifax and BAE Systems launch anti-financial crime package (Finextra) Business insights expert Equifax and BAE Systems, cyber security and anti-financial crime specialists, are launching the Equifax Watchlist Check to help companies fight money laundering and terrorist financing
NeverBounce.com Introduces a System to Avoid Information Hacking (Digital Journal) According to NeverBounce.com, protecting email and social networking accounts is an easy task. However, the large majority of email users opt to take it for granted. To aid with this, NeverBounce.com simplifies the methods that they find useful and divide it into two steps: to test email address and to use virtual private network (VPN)
Invincea Debuts New Invisible Endpoint Security Agent (eWeek) X was developed independently to secure enterprise endpoint devices by combining deep learning with behavioral monitoring in one lightweight agent
PhishMe Helps SMBs Avoid Falling Victim to Ransomware (IT Business Edge) By now, most organizations are at least familiar with the concept of “ransomware”: cybercriminals using social engineering to fool unsuspecting end users into downloading malware that winds up encrypting all of their data and then demanding a ransom in return for the keys needed to de-encrypt that data
Security vendor offers free checkup (Business IT) If you've ever wondered whether your business's IT security practices are adequate, Check Point will set your mind at ease or indicate where improvements are needed
Technologies, Techniques, and Standards
Cyber attack attribution: Strategies and tools for business organizations (Economic Times) Attack Attribution is all about finding out the entity that has successfully breached your cyber defences. This is an important consideration for forensic investigators, intelligence analysts, and national security officials
Giving Red-Teamers the Blues (Threatpost) Pen-testing engagements are generally a breeze for most red-teamers; roadblocks are few, despite the ones in place being expensive and often paid for by very large companies
My anti-virus is up to date so I am protected, right? (Naked Security) The world of malware was a lot simpler 20 years ago
What’s The Deal With Scanning Engines? (F-Secure) People (such as tech journalists and product reviewers) often ask us how our scanning engines work, and what the difference is between signature engines and other types of scan engines. In fact, we were asked such a question just last week. So, let’s explore the topic in-depth
Interconnectivity Put to Good Use (Security Info Watch) As security professionals continue to evolve systems and operations from being reactive to proactive, the concept of predictive analytics is quickly gaining traction
Common Misconceptions About Machine Learning in Cybersecurity (Information Management) Machine learning has never been more accessible than it is right now. Amazon utilizes it to uncover shopping habits and Netflix uses it to propose personalized movie selections
A Holistic Approach to Cybersecurity; Technologies, Process, & People (Bizcatalyst 360) In the past, much of the cybersecurity focus and activities by both industry and government have been reactive to the latest threat or breach. That trend appears to be changing from reacting to being more proactive. That is a good thing
Design and Innovation
Is the enterprise ready to automate security operations? Splunk makes the case (Diginomica) We sat down with chief security evangelist at Splunk, Monzy Merza, who argued that enterprises are ready to give some control over to the machines
Slow, sluggish mobile money uptake (National) Some years back, the Central Bank of Nigeria (CBN) licensed some firms to offer mobile money services. The most successful model is the telco-led, but Nigeria has chosen the bank-led model which appears to be slowing down uptake
Research and Development
MIT, Lockheed Martin launch long-term research collaboration (MIT News) Initial focus will be on transformative technologies, autonomy, and robotics
Academia
Partnership prepares undergraduates to tackle cybersecurity (Globe Newswire) In a time when million-dollar security breaches of major corporations regularly make headlines and complicate lives, computer science undergraduates at America's universities remain surprisingly underexposed to basic cybersecurity tactics
NYIT Designated as National Center of Academic Excellence in Cyber Defense Education (Newswise) The National Security Agency (NSA) and the Department of Homeland Security (DHS) have designated New York Institute of Technology (NYIT) as a National Center of Academic Excellence in Cyber Defense Education (CAE-CDE) through academic year 2021. NYIT is the first university on Long Island to receive this designation, and one of only eight in New York State
Creating a digital career path for Native Americans (Federal Times) Native American contributions to U.S. national security haven’t been widely appreciated. The Navajo Code Talkers of World War II played an amazing role in helping the U.S. and its allies achieve victory
Waikato University takes the lead in cyber security research (Scoop) Waikato University takes the lead in cyber security research and education
Legislation, Policy, and Regulation
The Cyber Threat: Government Debates Cyber Counterattacks as Chinese Attacks Continue Unabated (Washington Free Beacon) Recent talks with Chinese delegation achieve little progress
DOD report on China details escalation in the cyber domain (Defense Systems) The United States has put a lot of emphasis lately on the importance of cyberspace as a domain of warfare. China is doing the same
British Spy Agency GCHQ Joins Twitter (PC Magazine) The Government Communications Headquarters is the first UK Intelligence Agency to join the social network
Presidential Cybersecurity Panel Hears Blockchain Testimony By IBM (CoinDesk) A panel on national security and cyberspace appointed by President Barack Obama heard testimony on blockchain technology from a representative of IBM earlier today
Needed: More Snowdens - Ex-intel analyst (USA Today) He made my job harder and most of my military colleagues hated him. But he did the right thing
Cyber Command Focused on ‘Speed, Agility and Precision’ (Seapower) Commanders know they no longer should assume that they possess a cyber capability greater than their potential adversaries. Less clear is how they should adapt to this change. The Fleet Cyber Command has the answer
Litigation, Investigation, and Law Enforcement
How the Government Monitored Twitter During Baltimore's Freddie Gray Protests (Vice) After Freddie Gray died from injuries he sustained while in police custody, citizens of Baltimore took to the streets. The death of the 25-year-old African American man in April 2015 sparked many peaceful demonstrations throughout the city, but when riots broke out, the Department of Homeland Security (DHS) monitored Twitter and other social media platforms for "intelligence" about the protests and the protesters
When Do Law Firms Have to Disclose a Data Breach? (Wall Street Journal) Cyber attacks against some of the country’s top law firms are reigniting concerns about the legal industry’s handling of data breaches
Supreme Court sides with search engine (CNET) The high court rules in favor of Spokeo, a people-search company that a man accused of displaying inaccurate information about him
Top programmer describes Android’s nuts and bolts in Oracle v. Google (Ars Technica) On cross, Dan Bornstein is asked about scrubbing the "J-word" from source code