Cyber Attacks, Threats, and Vulnerabilities
UAE ‘planted fake news to trigger Qatar crisis’ (Times (London)) Qatar accused the United Arab Emirates of a “shameful act of cyberterrorism” after reports that US intelligence officials had evidence that it orchestrated a hack of Qatar’s state news agency and...
UAE denies Qatar media hack that set off diplomatic crisis (Deutsche Welle) The United Arab Emirates has rejected a report alleging it arranged for the Qatari government's news sites to be hacked. The incident has sparked a diplomatic crisis and left Qatar largely isolated in the Gulf region.
Qatar alleges Gulf rivals broke international law by hacking its websites (the Guardian) Alleged hack reported by Washington Post precipitated diplomatic and economic blockade, but UAE minister denies claims
Qatar lashes out at UAE over QNA hacking (Al Jazeera) Qatar says UAE's involvement in the hacking of the Qatar news agency is a violation of international law.
FedEx still feeling effects of TNT cyber attack (The Commercial Appeal) TNT Express is still feeling effects of Petya, an information technology virus that was spread to TNT through a Ukrainian tax software product.
FedEx-TNT integration plans hit as cyber attack wreaks hi-tech havoc (LoadStar) FedEx could change its integration plans for TNT following last month’s Petya cyber attack, admitting that some systems may never be fully recovered.
Didn’t get your Oreo cookie shipment? Last month’s global cyber attack may be to blame (HOTforSecurity) More and more details are emerging of the financial impact that last month's malware attack has had on major businesses. As everyone who works in IT security is all too aware, a massive malware attack crippled organisations and critical infrastructure in late June...
GCHQ Says Hackers Have Likely Compromised UK Energy Sector Targets (Motherboard) The news comes after the FBI and Homeland Security warned hackers had targeted US energy firms too.
"Devil's Ivy" Vulnerability Could Hit Millions of IoT Devices (WIRED) An obscure bug in 34 companies' physical secure gadgets could leave them open to hackers.
Experts in Lather Over ‘gSOAP’ Security Flaw (KrebsOnSecurity) Axis Communications — a maker of high-end security cameras whose devices can be found in many high-security areas — recently patched a dangerous coding flaw in virtually all of its products that an attacker could use to remotely seize control over or crash the devices.
IoT Security Incidents Rampant and Costly (Dark Reading) New research offers details about the hidden - and not so hidden - costs of defending the Internet of Things.
Exploit Derived From ETERNALSYNERGY Upgraded to Target Newer Windows Versions (BleepingComputer) Thai security researcher Worawit Wang has put together an exploit based on ETERNALSYNERGY that can also target newer versions of the Windows operating system.
Why it took more than a week to resolve the Verizon data leak (Washington Post) A communication breakdown and an employee's vacation were why it took nine days for Verizon to stop a data leak.
GhostCtrl malware silently haunts Android users, hijacking functionality (SC Media US) Researchers have uncovered a highly versatile Android remote access trojan that hijacks device functionality, steals information and can even perform ransomware attacks.
Android backdoor GhostCtrl can do many unusual things (Help Net Security) There is no shortage of Android malware, but it's not often that one encounters an Android threat that can do as much as the GhostCtrl backdoor.
The Adwind Remote Access Tool Experiences a Resurgence (Security Intelligence) A new report detailed how Adwind, a remote access tool, is surging in popularity and putting countless users at risk for cyberattack.
Attackers are taking over NAS devices via SambaCry flaw (Help Net Security) A Samba remote code execution flaw patched in May is being exploited to compromise IoT devices running on different architectures. Patch for SambaCry today!
Code Execution, DoS Vulnerabilities Found in FreeRADIUS (SecurityWeek) Security testing of FreeRADIUS using a technique known as fuzzing revealed more than a dozen issues, including vulnerabilities that can be exploited for denial-of-service (DoS) attacks and remote code execution.
751 Domains Hijacked to Redirect Traffic to Exploit Kits (BleepingComputer) On July 7, French domain registrar Gandi lost control over 751 customer domains, which had their DNS records altered to point incoming traffic to websites hosting exploit kits.
RoughTed Malvertising Peaks in June, According to Check Point's Latest Global Threat Impact Index (GlobeNewswire News Room) 28% of organizations globally impacted by RoughTed malvertising campaign in June 2017
A Myspace Security Flaw Let Anyone Take Over Any Account (WIRED) If you know someone's date of birth, you can crack their Myspace account.
Hackers tried to infiltrate state's voter registration system almost 150,000 times on US election day (The Independent) Hackers tried to access South Carolina's voter registration system almost 150,000 times on Election Day alone, a new report from the state's Election Commission has revealed. The report plays into a larger pattern of attempted hacking in the 2016 election, in which the Department of Homeland Security (DHS) says more than 20 US states were targeted. Intelligence officials believe much of the election meddling was carried out by Russian hackers.
Hackers secretly burn businesses (Stuff) Infecting a computer with ransomware isn't the worst thing a hacker could do - more damage can go on behind the scenes.
Newcastle City Council Leaks Data of Thousands of Adopted Children (Infosecurity Magazine) Blunder took place on June 15 2017
Religare suffers cyber attack; data completely safe: Company (Moneycontrol) IT systems across the globe in the recent past have been facing some or the other kind of malware attacks with the intention to extract money from the system owners.
You can buy password stealing malware 'Ovidiy Stealer' for $7 (HackRead) Researchers at Proofpoint recently discovered a mass-marketed malware called Ovidiy stealer whose main purpose is to steal passwords from victims. It is th
Botnet Tweeting, Spamming Porn Shut Down (Threatpost) Researchers discovered an active Twitter botnet made up of 38,000 bots, generating 8.5 million tweets and netting over 30 million clicks from its victims.
Siri implicated in yet another iPhone lockscreen hole (Naked Security) We can’t reproduce an iPhone lockscreen bug that hit the news last week – but there are plenty of lockscreen lessons to learn anyway.
Alexa is listening to what you say – and might share that with developers (Naked Security) How do you feel about the possibility of your recorded requests to Alexa being shared with third-party developers? Here’s what we know about that – and some tips to manage your data
FBI Issues Warning on IoT Toy Security (Dark Reading) IoT toys are more than fun and games and can potentially lead to a violation of children's privacy and safety, the Federal Bureau of Investigation warned Monday.
Think twice before buying a smart toy for your child (Help Net Security) The potential misuse of sensitive data such as location, visual identifiers, and known interests to garner trust from a child present exploitation risks.
Free Certs Come With a Cost (Threatpost) Leading certificate authority Let’s Encrypt is facing criticism that its rapid growth and eagerness to encrypt internet communications is happening at a cost.
Security Patches, Mitigations, and Software Updates
Linux Users Urged to Update as a New Threat Exploits SambaCry (TrendLabs Security Intelligence Blog) A seven-year old vulnerability in Samba—an open-source implementation of the SMB protocol used by Windows for file and printer sharing—was patched last May but continues to be exploited.
Cisco Patches Another Critical Ormandy Bug in WebEx Extension (Threatpost) Researchers Tavis Ormandy and Cris Neckar privately disclosed a critical vulnerability in Cisco’s WebEx extension for Chrome and Firefox that allows for remote code execution.
FreeRADIUS Update Patches Bugs Static Analysis Tools Missed (Threatpost) FreeRADIUS today released an update that patches a number of vulnerabilities uncovered in a commissioned engagement using a customer fuzzer.
What You Need to Know About Comodo’s DCV Changes (SSL Store) Changes to Comodo’s Domain Validation Procedures coming next week
Damages From a Well Executed Cyber Attack Could Reach $121.4 Billion (BleepingComputer) Lloyd's of London, one of the world's largest insurers, warns that a well executed cyber attack could cause damages around the world ranging from $53.1 billion to $121.4 billion, according to a report the company released today.
10 Years of (Hacking) iOS (Skycure) Skycure helps to celebrate the 10-year anniversary of the iPhone with this latest Mobile Threat Intelligence Report. As iOS devices continue to become more and more popular in the enterprise …
Mobile Threat Intelligence Report Q1 2017 (Skycure) This report seeks to expose the security impact of iOS in the enterprise at this 10-year anniversary of the iPhone.
The Cloud in 2017: Trends in Security (Clutch) Clutch's new survey data analyzes trends in cloud security, revealing companies' preference for the cloud, their willingness to invest heavily in additional cloud security, and the most popular cloud security features and regulations.
New Study Reveals Companies Generally Unprepared to Meet EU GDPR (BusinessWire) With the European Union General Data Protection Regulation (EU GDPR) set to go into effect in less than a year, Crowd Research Partners today released
EU GDPR Report (Crowd Research, presented by STEALTHbits) The EU GDPR study focuses on identifying the impact of the new regulations on organizations and how they plan to be compliant. The study, sponsored by STEALTHbits Technologies, is based on input from over 500 global cybersecurity professionals who are members of the 370,000-member Information Security Community on LinkedIn.
AI technologies will be in almost every new software product by 2020 (Help Net Security) Analysts predict that by 2020, AI technologies will be virtually pervasive in almost every new software product and service.
Continental business leaders trounce UK leaders on cyber risk management (Computing) Business leaders in France and Germany are more aware of cyber risks and more likely to take steps to mitigate failures than those in the UK
As security AI explodes, lack of efficacy comparisons leaves CSOs flying blind (CSO) Machine-learning security tools flooding market but customers lack concrete methods for comparing their efficacy
FIRST: Sleeping with the enemy - How cyber criminals are the new monsters under our beds (The Malta Independent) "Hey @CloudPets, someone named S. Atan keeps sending messages to my kids' cloud pets and the app won't let me block him. Please help."
Wait, you didn’t want to clean the toilets? Should have read the terms! (Naked Security) Some 22,000 people unwittingly agreed to clean bathrooms and hug stray cats and dogs in return for free WiFi – and their experience is a good reminder to be aware of what you’re agreeing…
Vietnam falls in global cyber security index (Xinhua) Vietnam ranked 101st out of 193 countries with a score of 0.245 in the Global Cybersecurity Index (GCI) 2017 compiled by the International Telecommunication Union, while Singapore topped the ranking with a score of 0.925.
Make war on cybercrime work for you (TheBull) Cyber-economy researcher Cyber Ventures recently predicted that global spending on cybersecurity will exceed US$1 trillion over 2017-2021. Firms will spend more than US$120 billion this year alone on cybersecurity, up 35 times in little over a decade.
Sandvine to be combined with Procera in $444M deal (FierceWireless) Private equity firm Francisco Partners said it will spend roughly $444 million to acquire Sandvine Corp., then will combine the company with its own Procera Networks.
Exclusive: Cyber Startup Awake Security Debuts With $31 Million in Funding (Fortune) The company has been in stealth mode for two years.
Ironhack raises $3 million for its coding bootcamp (TechCrunch) As the focus on new educational models and coding bootcamps continues to attract attention (rightly or wrongly) as a cure for the world's economic woes..
Cybersecurity programme at STATION F (Thales) Thales joins STATION F to accelerate the future of cybersecurity, by partnering the field’s expert startups in their development.
5 questions with Team8 (The Straits Times) Q: How did Team8 start and what is it about?
Former AVG Executives Beef Up Cyber Security Investment Fund (New York Times) A group of former executives and investors from antivirus software maker AVG Technologies have raised an additional $55 million for their fund that invests in cyber security companies, its managing partner said.
Leadership In Cognitive Cybersecurity Makes IBM A Worthy Investment (Seeking Alpha) Investors should now take a good look at IBM's emergence as an early leader in cognitive cybersecurity. Watson, IBM's most famous creation for Artificial Intell
IBM: Riskier, But The Payoff Could Be Greater (Seeking Alpha) IBM's cognitive computing strategy is relatively more speculative than that of competitors. The company is somewhat placing its eggs in one basket with its Wats
Will CyberArk Software Ltd. Sink or Swim? (The Motley Fool) The Israeli cybersecurity firm’s shocking second-quarter miss raises bright red flags.
Lockheed Martin’s UK Cyber Works centre (Software Testing News) American global aerospace, defence, security and technologies company, Lockheed Martin, has invested £3million in a cyber security centre in Gloucester.
CrowdStrike eyes Germany and France as next European expansion targets (Channelnomics) Freshly appointed channel and business development boss sets course for geographic expansion
CrowdStrike Appoints Laurel Finch as Chief Legal Officer (BusinessWire) CrowdStrike® Inc., the leader in cloud-delivered endpoint protection, today announced the appointment of Laurel Finch as chief legal officer and s
Products, Services, and Solutions
Bay Dynamics Announces Technology Partnership with Symantec to Detect and Stop Insider Threats (Bay Dynamics) Bay Dynamics’ User and Entity Behavior Analytics (UEBA) technology partnership with Symantec enables organizations to identify malicious insiders & prioritize threats to data assets
CrowdStrike and Dragos Inc. Partner to Drive Unmatched Cybersecurity Capabilities for Industrial Control Systems (CrowdStrike) Read more about how CrowdStrike and Dragos Inc. partner to drive unmatched cybersecurity capabilities for industrial control systems.
StackRox Unveils First Container Security Platform That Adapts to Evolving Threats (BusinessWire) Partnered with Sequoia Capital, StackRox Unveils First Container Security Platform That Adapts to Evolving Threats
etouches Announces EU-U.S. and Swiss-U.S. Privacy Shield Framework Certification (BusinessWire) etouches announces EU-U.S. and Swiss-U.S. Privacy Shield framework certification, representing an industry-first in U.S. event management solutions.
Infoblox introduces cloud service to protect remote workers (4-Traders) Infoblox has launched the global availability of Infoblox ActiveTrust Cloud, a service that will address the needs of enterprises with a mobile workforce.
How Netronome Systems is optimizing distributed security (SiliconANGLE)
Gas producer gets boost from SolarWinds network monitoring software (SearchNetworking) To boost its network infrastructure monitoring, Chart Industries, an industrial gas producer, chooses SolarWinds network monitoring software.
IBM Z Mainframe Brings Encryption Super Powers (CIO Today) Aimed at enterprise customers facing increasing threats of data breaches, the new IBM Z mainframe features "breakthrough" encryption capabilities that can secure information in any cloud application or database at all times, the company said today.
Dicker Data picks up Symantec's Blue Coat network security portfolio (CRN Australia) Expands existing deal with Symantec.
Technologies, Techniques, and Standards
Crowdsourcing cyber defence is now a necessity (Information Age) The recent wave of cyber attacks reinforces the need for greater global collaboration on cyber threat intelligence sharing
How ISPs Can Lead the Charge in DDoS Protection (CED) Malicious traffic has long been a problem for internet service providers (ISPs). In recent years, it has become much more difficult for ISPs to deliver “clean pipe,” primarily because malware, botnets, and distributed denial of service (DDoS) attacks have increased in size, sophistication, and frequency. In particular, the DDoS threat is decreasing internet service availability across the globe. Fortunately, some ISPs are taking a proactive role to thwart this threat.
Preventing the Next Petya: Block New Exploits by Defending Old Vulnerabilities (McAfee Blogs) For ransomware enthusiasts, the April release of stolen NSA Windows exploits is a gift that will not stop giving. Just weeks after the Shadowbrokers' "Lost
The complete list of Infosec related cheat sheets (Peerlyst) I do not think I have collected them all yet, but here's what I have so far. Please suggest more.
Becoming an Analyst Part 2: Educational Foundations (Recorded Future) In this episode, we discuss unconventional educational pathways to working in threat intelligence, including benefits, lessons learned, and advice.
SIEM Training Needs a Better Focus on the Human Factor (Dark Reading) The problem with security information and event management systems isn't the solutions themselves but the training that people receive.
Design and Innovation
Security guard robot ends it all by throwing itself into a watery grave (Ars Technica) Knightscope K5 security bot shows your job is probably safe from automation. For now.
How to fight the forces in the cyber threat universe (Information Age) Every day hundreds of network security devices generate millions of log files, creating a detailed millisecond-by-millisecond record of all authorised and unauthorised user activity. Finding a way to extract meaningful evidence of cyber threat activity from this vast data set is crucial to the long-term security of any organisation. In the past few years
The future of macOS security: Baked-in protection and third-party tools (Help Net Security) What can we expect from future macOS security? Security researcher Patrick Wardle, developer of free, open source Mac security tools, looks ahead.
What does Imogen Heap have in common with mail? The blockchain (Naked Security) The blockchain isn’t just for verifying Bitcoin transactions – a number of very different ventures are using it to cut out middlemen and keep people honest
The Curious Comeback of the Dreaded QR Code (WIRED) Don't look now, but QR codes are back—and they're going to change your digital life in all sorts of previously impossible ways.
Research and Development
Defence awards AU$3.26m to QuintessenceLabs for quantum cyber development (ZDNet) The Australian Department of Defence has allocated AU$3.26 million to explore the feasibility of the establishment of highly secure communications links to defend against 'malicious cyber intrusion and disruption'.
Winning Hackers Announced for U.S. Cyber Challenge Competition at Southern Utah University (USCC) This morning, a number of the nation’s rising cybersecurity talent competed in the annual U.S. Cyber Challenge (USCC) Capture-the-Flag (CTF) competition at Southern Utah University (SUU) in Cedar City, UT.
Institute for CyberScience to offer graduate student travel awards (Penn State University) The Institute for CyberScience is accepting applications for the SuperComputing '17 Student Travel Awards. Through this new program, graduate students can receive funding to attend the SuperComputing 2017 conference in Denver, Colorado, this November.
Local colleges educate students on cybersecurity (Times Telegram) For people such as Jake Mihevc, sometimes educating students to work in a rapidly changing global market starts with seeds planted locally.
NSA's GenCyber Reaches New Territories (NSA) This year, the GenCyber Program, co-sponsored by the National Security Agency (NSA) and the National Science Foundation (NSF), is bigger and better than before. The program is offering more than 130 summer camps in 39 states across the nation, and in Washington D.C. and Puerto Rico.
PDX Cyber Camp 2017 Kicks Off Today; Cybersecurity Camp for Local High School Students Receives Widespread Community Support (PRWeb) Industry experts and hands-on education program teach students high-demand skills in cybersecurity
Singtel's new CSX platform aims to entice Singaporeans to cybersecurity careers (Security Brief) Singtel is promising to strengthen Singapore’s cybersecurity talent for students and mid-career professionals who want to get a start in the industry.
Legislation, Policy, and Regulation
Estonia to open world's first 'data embassy' (The Straits Times) Cyber-savvy Estonia has taken yet another step forward in global technology - the small Baltic state is set to open the world's first "data embassy" in Luxembourg early next year.
Credlin slams PM’s ‘super security’ ministry (NewsComAu) SKY News political commentator Peta Credlin has weighed in on the Turnbull Government’s Home Affairs super portfolio, slamming the new ministry as “cooked up”.
'Trump administration has zero patience for Pakistan's terror policy' (Deutsche Welle) The US is aiming to impose aid restrictions on Pakistan. In an interview with DW, analyst Michael Kugelman says if there's one US administration likely to take a hard line against Pakistan, it's the Trump administration.
US to create independent military cyber command (AP via Fios Trending) The US plans to create an independent military cyber command in order to enable the military to more aggressively wage cyberwar against IS and others
US Places Cyberattacks on Par With Traditional Warfare Via Cyber Command Reform (Sputnik News) Donald Trump's administration is finalizing plans to revolutionize the US' military command for defensive and offensive cyber operations, in hopes of intensifying America's ability to wage cyberwar against foes such as Daesh. Serious questions abound as to whether Cyber Command can function as an independent entity, however.
Cuts Proposed for Key Cybersecurity Agency (Defense One) House Appropriations Committee reduces but retains White House cuts to the National Institute of Standards and Technology.
State Department's top cyber official to leave post (TheHill) Chris Painter appointed cyber coordinator in 2011 under Obama.
Governors told to not let up in cyber war; Sandoval reveals feds inspected Nevada voting security ahead of 2016 election (Nevada Independent) Governors who gathered in Rhode Island for their semiannual meeting this weekend got a chilling warning from the tech experts who know best -- the hacks and cyberattacks they’ve seen so far are just the beginning.
Tech vs. Telecom: Closing Arguments in Net Neutrality Battle (Motherboard) It’s a clash of corporate titans over the future of internet governance.
Litigation, Investigation, and Law Enforcement
Appeals court OKs secrecy of FBI national security data requests (Ars Technica) Targets of NSLs can't challenge them because ISPs can't tell the target about them.
Justice Department: 2 Iranians charged with hacking into Vermont software companies (Washington Examiner) Iranians sought to market and sell information relating to projectile technology and aerodynamics, prosecutors said.
Susan Rice's testimony to House Intelligence committee delayed: Report (Washington Examiner) Her testimony is still expected at a later date.
Fate of Kushner’s security clearance could ultimately lie with Trump (POLITICO) The president’s son-in-law and adviser has come under fire for initially failing to disclose meetings with Russian officials.
Lawyers score big in settlement for Ashley Madison cheating site data breach (Ars Technica) Members who paid $19 for their data to be deleted (it wasn't) might get a refund.
Facial Recognition Coming to Police Body Cameras (Defense One) An approach to machine learning inspired by the human brain is about to revolutionize street search.
People Keep Getting Charged With a Crime for Selling Bitcoin (Motherboard) We called a lawyer to find out when selling bitcoin is "operating an illegal money transmission business" in the eyes of the law.