Las Vegas: the latest from Black Hat, Defcon, and BSides
Winners of the 2017 Pwnie Awards (CSO Online) The very best and the very worst in the security community were recognized at the annual Pwnie Awards at Black Hat USA.
ESET’s Anton Cherepanov picks up Pwnie for Best Backdoor (WeLiveSecurity) Anton Cherepanov, a malware researcher at ESET, has picked up a Pwnie Award for Best Backdoor at this year’s ceremony at Black Hat USA 2017 in Las Vegas.
CWI and Google research team wins Pwnie Award for Best Cryptographic Attack (CWI) Researchers at CWI and Google have won the Pwnie Award for Best Cryptographic Attack at the BlackHat USA security conference. They were awarded the prize for being the first to break the SHA-1 internet security standard in practice.
Australia’s war on maths blessed with gong at Pwnie Awards (Computerworld) Australia’s own Malcolm Turnbull has been recognised at the Pwnie Awards in Las Vegas, with the prime minister taking out the ‘Pwnie for Most Epic FAIL’.
Kaspersky Anti-Virus Can Actually Help Spies Steal Data, Warn Researchers (Forbes) In many ways Kaspersky anti-virus tools are a boon for personal and business security. But in one rather significant way, the Russian company's security software can actually help criminal hackers and spies, researchers claimed Thursday.
Flush times for hackers in booming cyber security job market (Reuters) The surge in far-flung and destructive cyber attacks is not good for national security, but for an increasing number of hackers and researchers, it is great for job security.
How to Build a Path Toward Diversity in Information Security (Dark Reading) Hiring women and minorities only addresses half the issue for the IT security industry -- the next step is retaining these workers.
Automation key to tackling supply chain security (Infosecurity Magazine) Improving security best practices across your supply chain is very difficult
Shorting-For-Profit Viable Business Model For Security Community (Threatpost) MedSec CEO Justine Bone said shorting companies to profit off discovered vulnerabilities is a viable business model for the security community.
How to protect the power grid from low-budget cyberattacks (Help Net Security) Vulnerabilities combined with publicly available information can provide enough guidance to execute low-budget power grid cyberattacks.
Black Hat 20.0: Man vs. Thing (Cloud Security Solutions | Zscaler) It’s Black Hat week in Las Vegas, this summer’s event marking the 20th year of the hacking convention that never fails to entertain. You never know what you’ll find here, or what disruptions you may encounter as a result of the hijinks of the fun-loving attendees.
Top 3 Things You Need to Remember for Better IoT Security (Neustar) If you’re involved in the world of IoT (Internet of Things), specifically the security aspect of it, you likely know most of the challenges that are involved. At my presentation during Black Hat today in Las Vegas, I talked about my past and present experiences with PKI (public key infrastructure) and what we’re doing at Neustar to make things easier on securing IoT networks.
Black Hat: Shooting down drones in the wild (Neowin) With drones flying around seemingly everywhere, companies are coming up with anti-drone technology. At a Black Hat talk, we learned which ones work and which ones are nothing but snake oil.
Hackable smart car wash systems can hurt people (Help Net Security) Researchers have demonstrated a car wash hack in a live setting and proved it could lead to car damage and injury or loss of life of customers.
Attack Uses Docker Containers To Hide, Persist, Plant Malware (Threatpost) Abuse of the Docker API allows remote code execution on a targeted system, which enables hackers to escalate and persist thanks to novel attacks called Host Rebinding Attack and Shadow Containers.
Active Directory Botnet sets up C&C infrastructure inside infected networks, while bypassing defenses (SC Media US) Researchers have developed a potentially devastating new botnet that abuses infected victims' Active Directory Domain Controllers, turning them into internally hosted command and control servers.
IOActive Uncovers Security Vulnerabilities in Radiation Monitoring Devices (PRNewswire) IOActive, Inc., the worldwide leader in research-driven security...
The "Cloak & Dagger" Attack That Bedeviled Android For Months (WIRED) Not all Android attacks come from firmware mistakes.
Update your phone: Avoid being Pwned by bug residing in WiFi chip (HackRead) We all use wireless network; it makes internet surfing hassle-free and profitable. Usually, many of us leave Wi-Fi open throughout the day even at night.
How a Bug in an Obscure Chip Exposed a Billion Smartphones to Hackers (WIRED) A Broadcom flaw that undermined scores of Android and iOS devices hints the future of smartphone hacking lies in third-party components.
Sandsifter checks your processor for secrets (TechCrunch) Are you sufficiently paranoid? If you're not, there's now Sandsifter. This project, just announced at Defcon 2017, tests your x86 processor for hidden..
Google Study Quantifies Ransomware Profits (Threatpost) A ransomware study released by Google revealed the malware earned criminals $25 million over the past two years.
Cyber Attacks, Threats, and Vulnerabilities
3 New CIA-developed Hacking Tools For MacOS & Linux Exposed (The Hacker News) Wikileaks has exposed Achilles backdoor, SeaPea Rootkit for Apple Mac OS and Aeris Linux hacking tools developed by the CIA.
The CIA Allegedly Named a Hacking Tool After Aeris from 'Final Fantasy 7' (Motherboard) Turns out CIA hackers are a bunch of nerds.
TheShadowBrokers Monthly Dump Service - August 2017 (Steemit) August Announcement for TheShadowBrokers Monthly Data Dump Service Hello thepeoples! July is being good month for… by theshadowbrokers
ShadowBrokers Remain an Enigma (Threatpost) As we approach the first anniversary of the ShadowBrokers, their true identity and source of their stolen NSA exploits remains a mystery.
Russia ‘used Facebook’ to spy in French election (Times (London)) Russian agents posed as friends of Emmanuel Macron’s circle on Facebook to spy on the French president’s campaign in the spring. Agents used as many as two dozen fake Facebook accounts to befriend...
Countermeasures to a Real Threat: Thoughts in a Dire Time (SIGNAL Magazine) The mind of society is the battlefield in the current global struggle for geopolitical domination.
NZ linked to North Korea cyber attacks in report (Newsroom) North Korea may be using NZ as a virtual launching pad for cyber attacks around the world, a new report suggests.
North Korea Commences Large-Scale Bitcoin Mining Operation (Bitcoin News) Information recently surfaced that someone in North Korea has started mining bitcoin. According to Recorded Future, a threat intelligence company, on May 17 North Korea initiated a rather large mining operation. Prior to this date, there was minimal bitcoin node activity in the country.
Cyber spies stole this woman’s image to use in a ‘honey pot’ scam (NewsComAu) Mia Ash is young, attractive and popular, with hundreds of social media connections.
Meet Mia Ash, the Fake Woman Iranian Hackers Used to Lure Victims (WIRED) A fake persona tied to a massive international spying campaign illustrates how social engineering attacks have evolved.
Flashpoint - With a boost from Necurs, Trickbot expands targeting to U.S. financials (Flashpoint) Necurs is now delivering a different type of malware that poses a threat specifically to the financial sector: the Trickbot banking Trojan.
Don’t want your SMSs stolen? Don’t download these Android apps (Naked Security) We’ve found two apps in Google Play that use plugins to help themselves to your text messages
Wells Fargo apologizes for spilling trove of data on wealthy clients (Naked Security) The e-discovery process during litigation is a challenge to make sure that all the data is properly handled and disclosed, as Wells Fargo has learned
Tackling the cyber security conundrum (Seatrade Maritime News) If cyber security wasn’t in focus before in maritime it certainly is after the Petya virus took out the global IT systems, both internal and customers facing, of Maersk Line in late June.
TNT cyber-attack crippling small firms, says FSB (BBC News) The Federation of Small Businesses says it has concerns over the effects of the 28 June attack.
Brexit negotiations could be hit by DDoS attacks (BetaNews) Hackers could use DDoS to disrupt the Brexit negotiations for the UK's leaving the European Union, or use attacks as a distraction technique while they seek to steal confidential documents or data, according to new research.
IT Security Professionals Foresee an Escalation in DDoS Attacks Throughout the Rest of 2017 (BusinessWire) Financially motivated criminal extortion threats are the types of forthcoming DDoS attacks that have garnered security professionals’ attention.
Credential stuffing rules the day as 90% of login attempts no longer made by humans (SecureIDNews) Credentials, such as usernames and passwords, are becoming high-risk forms of authentication with each major corporation credential spill and technological advancement. As credential stuffing becomes rampant, are biometric identifiers the answer to the seemingly endless question of personal security in our digital age?
Phishers' techniques and behaviours, and what to do if you've been phished (Help Net Security) A new report reveals phishers' techniques and behaviors, how long it takes from takeover to exploitation, and what they do to cover their tracks.
Hackers are targeting people using free Wifi at hotels around the world (Thai Tech) Travellers are being warned about an evil new form of malware that is targeting people who use free wifi at hotels around the world.
Wait, this email isn’t for me – what’s it doing in my inbox? (Naked Security) Emails can contain confidential information and are often sent to the wrong person, yet many businesses don’t even bother to verify addresses when you sign up with them. What can be done?
Hospitals Face Growing Cybersecurity Threats (NPR.org) Cyberattacks and data breaches are common at health care facilities, and they can put patients' health at risk. Hospitals are behind the curve in beefing up defenses, industry analysts say.
Exploring the psychology of ransomware (BetaNews) In recent months we've seen high profile ransomware attacks target many businesses, and we've seen cyber criminals making greater efforts to target their victims.
Imperva Researchers Go Undercover to Study Tactics of Phishing Hackers (BusinessWire) Imperva announces its report - "Beyond Takeover--Stories from a Hacked Account." It reveals how hackers find and use data in compromised accounts.
Malware creators increasingly run their business like legitimate software companies (Help Net Security) Malware business is booming, and malware creators are increasingly running their business like legitimate software companies.
Security Patches, Mitigations, and Software Updates
Three Vendors Decline to Patch Vulnerabilities in Nuclear Radiation Monitors (BleepingComputer) Ruben Santamarta, a security researcher for IOActive, has found various vulnerabilities in nuclear radiation monitoring equipment from three vendors, who when contacted by the researcher, declined to fix the reported flaws, each for various reasons.
Flash Enters Final Three Years as Adobe Pulls Support Plug (Infosecurity Magazine) Adobe announced this week that it plans to bring down the curtain on the Flash Player in three years.
Adobe's Move to Kill Flash Is Good for Security (Dark Reading) In recent years, Flash became one of the buggiest widely used apps out there.
Cyber Trends
Cybersecurity Industry Believes GDPR Is Stifling Innovation And Could Encourage Organisations To Cover Up Security Breaches (Information Security Buzz) AlienVault survey of over 900 attendees at Infosecurity Europe exposes widespread concern about upcoming GDPR legislation, and the UK government’s technology policies. Half of those surveyed fear that GDPR could cause people to try and cover up data breaches. Over half (54%) believe that a change of leadership at No. 10 would have made the …
Majority of Global Orgs Lack Security Best Practices (Infosecurity Magazine) For instance, four out of five companies don’t know where their sensitive data is located, or how to secure it.
Applying AI to cyber security is a force multiplier attracting big investors and customers (diginomica) Cyber security is always a top of mind topic in the IT department. Now we are seeing AI related methods being applied in the next wave of security measures
Most Companies Worldwide Fail to Measure Cybersecurity Effectiveness and Performance (PRNewswire) Thycotic, a provider of privileged account management (PAM) and endpoint...
Cyber security not a priority for most sectors, study finds (ComputerWeekly) Despite data breaches costing UK firms nearly £30bn in 2016, cyber security is still not a priority for most UK industry sectors, a study has revealed.
UK companies most likely to avoid ransomware advice (Computing) UK firms have lost confidence in their ability to combat ransomware following the WannaCry NHS breach
Indian IT firms value scaling encryption, lag in adoption: Study (The Economic Times) "95 per cent of organisations in India valued scalability for encryption solutions, which was much higher than any other country, global average of 29 per cent."
Malaysians’ concern about cyber security issues escalates: Unisys Security Index (Digital News Asia) Concern about ID theft and cyber security overtakes concern about physical threats. Malaysia recorded the third highest level of concern of the 13 countries surveyed
US consumers happy to give data to emergency services but fears remain (Internet of Business) Most consumers in the US would share their personal data with police or healthcare providers via IoT devices, according to Unisys Security.
Privacy Isn't Dead. It's More Popular Than Ever (WIRED) WhatsApp's rise and Twitter's decline converge to send a message about the way we communicate now.
Marketplace
PerimeterX raises $23 million in Series B round - CyberScoop (Cyberscoop) The Israel- and Silicon Valley-based cybersecurity company sells tools defending retailers against automated web attacks.
Raytheon: No Plans For IPO On Cybersecurity JV (Aviation Week) Raytheon chief executive Tom Kennedy said July 27 his company has no plans to pursue an initial public offering of stock for its Forcepoint cybersecurity joint venture. Raytheon paid $1.9 billion for a majority stake in the then-Websense business in 2015. Kennedy reminded financial analysts in the latest quarterly teleconference that Raytheon made the deal as a long-term play in cyber capabilities.
AWS won’t be ceding its massive market share lead anytime soon (TechCrunch) Now that all the major cloud players have reported their earnings, we have seen some eye-popping growth numbers, particularly from Microsoft. Yet in spite of..
Protect Four Key Areas To Create A Balanced Cybersecurity Portfolio (Forbes) For this article, I had the chance to speak with Jay Chaudhry, the CEO and Founder of Zscaler. Zscaler bills itself as a cloud cybersecurity solution, or “Security as a Service.”
Zscaler CEO: How Cloud Security Is Changing The Partner Model (CRN) In an interview with CRN, Zscaler CEO Jay Chaudhry discusses how he sees the massive spike in demand for cloud and security changing the partner and vendor model – and who will ultimately succeed.
Sophos gets boost from cyber-attacks (Financial Times) British cyber security group Sophos struck an optimistic note in quarterly results on Thursday, as more companies used its software to defend themselves following a spate of hacking attacks since the start of the year.
Channel partners reveal biggest annoyances with vendors (CRN Australia) From taking deals direct to deal registration abuse.
Guest Comment: Why Greater Washington's commercial cyberstartups don't boom (Washington Business Journal) Product companies, not services companies, move the economic needle.
How Wales has evolved into a hotspot for cyber security (ComputerWeekly) Wales may be a small country, but in just a few years, it has become a global hotspot for cyber security innovation.
Top 100 Cybersecurity Startups in Q2 of 2017 (TechCo) With Black Hat in full swing and global cyber attacks making headlines more often than the Kardashians, the cybersecurity discussion is trending up in the
Kroll Names William Dixon Associate Managing Director in Cyber Security and Investigations Practice, Los Angeles (BusinessWire) Kroll (“the Company”), a global leader in risk mitigation, investigations, compliance, cyber resilience, security, and incident response s
Meg Whitman says she’s not going to Uber (TechCrunch) Hewlett Packard Enterprise CEO Meg Whitman wants everyone to know that she's not going to Uber. Bloomberg and Recode had reported that she was on the short list..
Products, Services, and Solutions
Microsoft opens fuzz testing service to the wider public (Help Net Security) Microsoft Security Risk Detection, a cloud-based fuzz testing service previously known under the name Project Springfield, is now open to all and sundry.
Securonix Offers First Ever SaaS based User Behavior Analytics Product with Securonix Cloud (IT Briefing Net) Recognizing the high TCO and long time to value that security operations (SOC) analysts face when operationalizing an on premise security monitoring solution, Securonix today announced industry's first SaaS-based UEBA solution. This new offering provides the benefits of Securonix UEBA 6.0 without the implementation or operational overhead of other security analytics tools.
DefPloreX: A Machine-Learning Toolkit for Large-scale eCrime Forensics (TrendLabs Security Intelligence Blog) The security industry as a whole loves collecting data, and researchers are no different. With more data, they commonly become more confident in their statements about a threat. However, large volumes of data require more processing resources, as extracting meaningful and useful information from highly unstructured data is particularly difficult. As a result, manual data analysis is often the only choice, forcing security professionals like investigators, penetration testers, reverse engineers, and analysts to process data through tedious and repetitive operations.
Halt the Sidecar Bear’s infrastructure with Intel 471 and Anomali Threatstream (Anomali) By Mark Arena, Intel 471 and Travis Farral, Anomali. We’ve all seen the research into Fancy Bear (aka APT28, Sofacy etc) which is likely a group sponsored by or a part of the Russian government. They even have their own website. Research into these groups is predominantly reactive. [Figure: Typical process for investigating nation state malware.] You’ll note in the above process that this is all driven by malware or attack samples being obtained at the beginning. The very nature of this
National Theatre moves to cloud security with Forcepoint (Computing) Cloud solution replaced legacy on-premise product.
Regional Community Bank Expands Use of Fraud and Security Intelligence Solutions from Verint (BusinessWire)
Votiro Introduces New Version of Secure Data Sanitization Platform, Allowing Global Customers to Better Defend Themselves Against High-profile Attacks (PRNewswire) Votiro, global provider of Advanced Content Disarm and Reconstruction...
Technologies, Techniques, and Standards
Cyber Attacks on Critical Infrastructure: Insights from War Gaming (War on the Rocks) An April 2017 issue of The Economist headlined with the dire warning: “Computers will never be safe.” The headline seems especially prescient given the las
An Overview of PCI DSS 3.2: Part 1 (SecurityScorecard Insights & News) PCI compliance is a critical factor in the trustworthiness of your business when it comes to handling customers’ credit card information. While PCI compliance does not equal bulletproof security of credit card data, it does set a bar that companies who transmit, store, or process credit card data must meet. The Payment Card Industry Data …
The biggest threat to cybersecurity is not enough info sharing (CSO Online) Information sharing may be the best cybersecurity strategy for government agencies as they face evolving threats. But are agencies ready for the level of sharing needed to make it really work?
Cybersecurity In The Boardroom: A Complete Guide For Security Professionals (BitSight) Check out this complete guide to reporting cybersecurity to the board for CISOs, CIOs and other security professionals.
Interview: US Army Gen. Perkins talks NIE, battlefield networks (Defense News) The U.S. Army is nearing the end of its two-week annual Network Integration Evaluation at Fort Bliss, Texas, where it tests out capabilities to determine how to continue to shape the network in the context of real battlefield operations.
How to Overcome Cyber "Insecurities" (Security Week) Being a CISO is not an easy job. It takes a certain type of person who has the right mix of passion, discipline, technical knowledge and business acumen to be able to lead their organization in the right direction.
Throw Out the Playbooks to Win at Incident Response (Dark Reading) Four reasons why enterprises that rely on playbooks give hackers an advantage.
How to Build an Ethereum Mining Rig (Motherboard) DIY computer building for the masses.
Design and Innovation
Start-up accused of undermining popular open-source tools (Naked Security) San Francisco company Kite ‘wants to do better’ after users object to its changes to Minimap for Atom
Siri Is Not 'Genderless' (Motherboard) Siri is the culmination of decades of feminized emotional labour.
Research and Development
Facebook funds Harvard effort to fight election hacking, propaganda (Reuters) Facebook Inc (FB.O) will provide initial funding of $500,000 for a nonprofit organization that aims to help protect political parties, voting systems and information providers from hackers and propaganda attacks, the world's largest social network said on Wednesday.
Why China's 'Unhackable' Quantum Network is Unlikely to Replace Existing Ones (Sputnik) China’s recent success in testing a new communications network based on the quantum technology, labeled as "unhackable" by the media, is unlikely to bring overhauling changes or replace existing communications networks, experts told Sputnik.
True random numbers are here — what that means for data centers (Network World) The Entropy Engine can deliver 350 Mbps of true random numbers—enough to give a data center enough random data to dramatically improve all cryptographic processes.
Legislation, Policy, and Regulation
Australia's suspicions of China might halt a project to bring faster internet to an island nation (Quartz) The prospect of China's Huawei installing an undersea cable between the Solomon Islands and Sydney has Canberra worried.
Australia's Cyber Challenges Are An Opportunity For Us To Lead (LifeHacker) Australia's Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, closed out the round of opening keynotes at this year's RSA Conference for...
Russia Orders ‘Hundreds’ of U.S. Staff Out in Sanctions Reprisal (Bloomberg) Russia ordered the U.S. to slash hundreds of embassy and other personnel in the country in a dramatic and sweeping retaliation to the passage of a new sanctions bill in the U.S. Congress.
ITIF Welcomes Introduction of ECPA Reforms to Safeguard Privacy and Fourth Amendment Protections on Digital Content (ITIF) The Information Technology and Innovation Foundation (ITIF), the top-ranked U.S. science- and tech-policy think tank, today released the following statement from Daniel Castro, ITIF vice president, commending Senators Patrick Leahy (D-VT) and Mike Lee (R-UT) for introducing the ECPA Modernization Act of 2017:
Here's how DoD organizes its cyber warriors (Federal Times) This is part one of a series exploring the differences between military cyber forces, capabilities, mission sets and needs.
Litigation, Investigation, and Law Enforcement
Judge Hears Terror Lawsuit Against Social Media Giants (NBC Bay Area) The family of a young woman killed in a Paris terror attack two years ago is accusing social media of helping fuel such attacks in what could be a groundbreaking lawsuit.
EXCLUSIVE: A top FBI lawyer is allegedly under an investigation for leaking classified information (Circa) FBI General Counsel James A. Baker allegedly leaked classified national security information to the media, according to government officials
Group of Republicans want separate special counsel to investigate Hillary Clinton and James Comey (Washington Examiner) Twenty Republicans requested the appointment of a new special counsel.
Global Operations Ends in Arrest of US DDoS Suspect (Infosecurity Magazine) Australian, Canadian and US law enforcers worked on case for over two years.
Cyber Detective (InsideSources) Being a detective means investigating and solving crimes. President Trump said about Russia’s cyber meddling in our voting process, “No one can really know...
Revealed: 779 cases of data misuse across 34 British police forces (Register) Probe finds widespread abuse of cop IT systems by personnel
State of Cybercrime 2017: Security events decline, but not the impact (CSO Online) Even as the average number of security events dropped year-over-year, events that resulted in a loss or damage rose, and fewer companies reported no losses.
Law firms report record £3.2m cybercrime theft in first quarter but prosecutions have fallen (Legal Business) UK law firms have reported a record 45 cases of cyber thefts to the Solicitors Regulation Authority (SRA) in the first quarter of this year, with £3.2m stolen through conveyancing and inheritance matters as well as from law firms’ own accounts - mainly through email modification fraud.