Cyber Attacks, Threats, and Vulnerabilities
Yahoo Triples Estimate of Breached Accounts to 3 Billion (Wall Street Journal) A massive data breach at Yahoo in 2013 was far more extensive than previously disclosed, affecting all of its 3 billion user accounts, its parent company Verizon said.
All 3 Billion Yahoo Accounts Were Affected by 2013 Attack (New York Times) Shortly before it was acquired by Verizon, the company had said one billion users were hit by what was considered the largest known breach of a company.
So, Uh, That Billion-Account Yahoo Breach Was Actually 3 Billion (WIRED) Ten months ago, Yahoo disclosed the biggest breach in history. As it turns out, the company severely underestimated the impact. Think a billion users is bad? Try three billion.
Yahoo provides notice to additional users affected by previously disclosed 2013 data theft (Oath) Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2...
Yahoo 2013 Account Security Update FAQs (Yahoo! Help) Yahoo is providing notice to additional user accounts affected by an August 2013 theft of user data previously announced by the company in December 2016. This is not a new security issue. In 2016, Yahoo previously took action to protect all user accounts.
Congress pries new details on massive data breach from Equifax ex-CEO (Fifth Domain) One week after retiring, and less than a month after disclosing potentially one of the most consequential data breaches in U.S. history, former Equifax CEO Richard F. Smith faced a barrage of questions on the theft of Americans’ financial data when he testified before the House Digital Commerce and Consumer Protection Subcommittee on Tuesday.
Former Equifax CEO Explains What Caused the Cyber Attack (Fortune) Richard Smith testified in front of Congress.
Ex-Equifax CEO: TransUnion, Experian Should Offer Free Services (US News & World Report) The former head of Equifax on Tuesday said other credit agencies should cover costs to consumers in the wake of his company's data breach.
Equifax security breach worsens as investigations continue (TechSpot) In part of the ongoing investigation into the Equifax security breach, private security firm Mandiant has finished its first round of forensic data collection and analysis.
Equifax Retained Law Firm a Month Before Notifying Public of Data Breach (New York Law Journal) Equifax waited more than a month before on Sept. 7 notifying the public that hackers had accessed personal and financial information for about 145.5 million ...
6 Fresh Horrors From the Equifax CEO's Congressional Hearing (WIRED) With each new revelation about the devastating Equifax breach, the company's defenses and response appear increasingly inadequate.
Scammers Hosted Files on Equifax's Australian Website (BankInfo Security) Credit-reporting agency Equifax's Australian website played host to scammers promoting pirated videos, live streams and books. The finding raises further questions
Battling the forces of darkness: Gary Steele, CEO, Proofpoint cybersecurity firm (San Jose Mercury News) Valuable personal data for millions of Americans, stolen in the Equifax hack, will likely end up for sale on the dark web, cybersecurity firm founder says.
Resetting your PIN isn’t hard when hackers have all of your info (American Genius) When you freeze an account it’s common to be asked for a PIN. When you forget a PIN it’s common to be asked sensitive information to prove yourself. What happens when hackers have access to all of the above?
Massive data breach hits 6,000 Indian organisations including govt offices, banks: Quick Heal (Business Today) Information from servers of more than 6,000 Indian enterprises was reportedly put up for sale on the dark net in one of the biggest data breaches reported in the country.
IT pros not confident of Aussie data breach prevention: study (iTWire) Nearly 70% of Australian IT professionals lack confidence in the ability of their organisations to prevent, detect and resolve data breaches, accordin...
Google Warns of DoS and RCE Bugs in Dnsmasq (Threatpost) A domain name system server implementation is at risk of remote code execution, information exposure and denial-of-service attacks after seven vulnerabilities were disclosed by Google and patched by the maintainers of Dnsmasq.
Researchers Link CCleaner Attack to State-sponsored Chinese Hackers (Security Week) The sophisticated supply chain attack that resulted in millions of users downloading a backdoored version of the popular CCleaner PC software utility was the work of state-sponsored Chinese hackers, according to a new report.
The Increasing Effect of Geopolitics on Cybersecurity (Security Week) Cyber warfare can be exerted by any nation with an actual or perceived grievance against any other nation
New York Times Reporter: False Claims Could Signal ISIS' Fractured State (NPR.org) NPR's Kelly McEvers talks with Rukmini Callimachi of The New York Times about why ISIS falsely claimed responsibility for the Las Vegas attacks. The FBI flatly rejected the claim.
Special Report: HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon (Reuters) Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.
Foreign government code reviews 'problematic': White House cyber official (Reuters) Allowing foreign governments to require reviews of software secrets of technology products built by U.S. companies is "problematic," the top White House cyber security official said on Tuesday, adding that the increasingly common arrangements presented both security and intellectual property risks.
How US Surveillance Helps Repressive Regimes—the Ethiopia Case (Just Security) Snowden docs indicate NSA gave surveillance technology to Ethiopia's repressive regime. Is the U.S. now complicit?
Bitcoin Exchange Denies Getting Hacked After Customers Lose $3 Million (BleepingComputer) OKEx, a Bitcoin exchange based in China, issued a statement over the weekend, denying it was hacked and blaming recent thefts on careless users who didn't secure their accounts.
Bitcoin’s soft and vulnerable underbelly (Naked Security) Your bitcoins are only as safe as your private key
Three WordPress Plugin Zero-Days Exploited in the Wild (BleepingComputer) Hackers have exploited three zero-days to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence.
5 Cybersecurity Vulnerabilities That People Still Forget About (Information Security Buzz) People are cautious of physical theft, but the security of digital assets is often ignored. The simplest actions can have devastating consequences for your data security. Outdated software, weak credentials, and malware all create opportunities for data exfiltration. Studies show that many users believe they won’t be targeted by hackers and aren’t aware of the …
The Age of Modern Mac Malware (Macworld) Over the past 2 decades, Mac-specific malware has grown in volume, variety, and sophistication.
According to Star Trek: Discovery, Starfleet still runs Microsoft Windows (The Verge) The final frontier indeed
Security Patches, Mitigations, and Software Updates
ZTE is now rolling out a security patch to the Blade V8 Pro with a fix for BlueBorne vulnerability and bug fixes (Devs-Lab) The ZTE Blade V8 Pro is now getting the Android October security patch. ZTE has pushed out a new update that also contains bug fixes and performance improvements apart from the security patch. The update also fixes an issue where the device crashed due to a recent Facebook update. This is …
Serious Linux kernel security bug fixed (ZDNet) Linux server administrators will want to patch their systems as soon as possible.
IBM Patches 28 More Security Vulns In JDK (IT Jungle) IBM on Saturday released patches to fix 28 flaws in the Java Development Kit (JDK) that ships with the IBM i operating system. Almost all of the flaws originated in Oracle’s underlying Java Standard Edition (SE) kit, and many of them are considered very severe. Twenty-seven of the 28 flaws impact the IBM SDK Java
Cyber Trends
When it comes to data breaches, consumers don't know where to turn (Help Net Security) Nearly half of consumers don't know how to respond in immediate wake of identity theft, a study by the Identity Theft Resource Center (ITRC) has found.
PKI changes and uncertainty due to new applications (Help Net Security) Research by the Ponemon Institute reveals the Internet of Things is playing an increasingly important role in influencing PKI planning and usage.
The changing role of the Chief Information Officer (Help Net Security) Digitalization and technological innovation are changing the nature of the job of the Chief Information Officer, according to Gartner.
Marketplace
IRS gives Equifax $7.25 million to prevent tax fraud (CNET) The credit-monitoring agency responsible for exposing 145.5 million Americans’ sensitive data just got a big paycheck from the government.
Russian cybersecurity magnate Kaspersky slams Congress (TheHill) Cybersecurity magnate Eugene Kaspersky chided Congress in a blog post on Monday over his abruptly postponed testimony in front of the House Science Committee, which had originally been scheduled for last week.
ForeScout Technologies unveils security IPO filing (TechCrunch) ForeScout Technologies has unveiled its IPO filing. This puts the network security company on track for a public debut that could happen as soon as late..
CyberCore Technologies gets investment from Chevy Chase firm (Baltimore Business Journal) Enlightenment’s been active this year, with other investments, a high-profile advisory board appointee and an exit.
Cisco: Is There Patience To Wait For The Future? (Seeking Alpha) The company's current difficulty in growing is still clear. Investors who want to minimize downside risk may buy Cisco stock at a price well below intrinsic val
100 cyber security experts will work at this 'world class' innovation hub (Cambridge News) Digital giant invests in new Cambridge HQ
Research Innovations, Inc. Hires Top Cyber Expert Brian Shirey as VP of Cyber Technology & Solutions to Expand its Cyber Business (Markets Insider) Research Innovations, Inc. announced the appointment of Brian Shirey as Vice President of Cyber Technologies & Solutions.
Products, Services, and Solutions
Comodo Launches Comodo Dome Firewall 2.0, a CC EAL 4+ Certified Unified Threat Management Virtual Appliance (Markets Insider) Comodo, a global innovator and developer of cybersecurity solutions and the worldwide leader in digital certificates, today announced the release of Comodo Dome Firewall 2.0, an all-in-one Unified Threat Management (UTM) virtual appliance, which provides a comprehensive suite of boundary and network security features in a single pane of glass, installed on-premises and free of charge.
Comodo Unveils New IoT PKI Platform, Partner Program (Channel Partners) The Comodo IoT Security Platform will allow device manufacturers and network providers to issue and manage PKI and SSL certificates for private ecosystems, and the company is expanding the traditional use of PKI to offer an automated platform for PKI certificates to be managed throughout the entire lifecycle at volumes that can increase to the level required for the IoT market.
Neustar and NetFoundry Deliver World’s First Identity-Secured IoT Networking Solution (BusinessWire) Neustar, Inc., a trusted, neutral provider of real-time information services, and NetFoundry™, a Tata Communications business incubated in Tata
Netwrix to Launch Data Access Bundle Targeted at SMBs (Markets Insider) Netwrix Corporation, provider of a visibility platform for user behavior analysis and risk mitigation in hybrid environments, today announced the launch of special Data Access Bundle tailored to meet the specific needs of SMBs.
eScan launches new TSPM technology to block RDP hacking attacks (eGov) eScan, a security company that focuses on providing enterprise security, has launched the new Terminal Services Protection Module (TSPM) to block Remote Desktop Protocol (RDP) hacking attacks.
MobileIron and Zimperium to Deliver First Real-Time Detection and Remediation for Mobile Threats (Markets Insider) MobileIron (NASDAQ:MOBL), the security backbone for the multi-cloud enterprise, and Zimperium, the global leader in enterprise mobile threat defense (MTD), today announced that MobileIron will integrate Zimperium's machine learning-based threat detection with MobileIron's security and compliance engine and sell the combined solution.
CREST introduces new Threat Intelligence Analyst Certification (CREST) Industry accreditation body sets the bar for threat intel professionals
Un-Delled SonicWall beefs up firewall to wrestle ransomware (Register) Newly-freed security vendor thinks it can drag users into cloudy security analytics
ShieldX and Webroot Join Forces to Help Customers Defend the Cloud Against Onslaught of Cyberattacks (BusinessWire) As Cyber Security Awareness Month kicks off, ShieldX and Webroot partner to provide cloud security solutions. Companies to host joint webcast Oct 25
Google's new Gmail security: If you're a high-value target, you'll use physical keys (ZDNet) Google will launch a new service to protect politicians and senior executives from sophisticated phishing attacks.
How a Twitter troll was slain (Naked Security) After two months tracking down the troll, what does Foxlin think of Twitter support? “Twitter support was a bot”
The Google tracking feature you didn’t know you’d switched on (Naked Security) Matt’s a security expert but Google’s Your Timeline slipped past him and almost everyone he asked
Windows 10: Why does Microsoft Edge have only 70 extensions after a whole year? (ZDNet) Because we're really picky about which ones are allowed, says Microsoft.
Technologies, Techniques, and Standards
How forgetting to renew a domain name cost $3m (Naked Security) If only they’d hit auto-renew
Want to prevent ransomware attacks? Prepare. (SC Media US) The threat is huge. The response? Not so much. Or at least the response isn't on par with the threat when it comes to ransomware.
How boardrooms are safeguarding digital assets (Help Net Security) More than 90% of surveyed senior business leaders agree that strong technology governance contributes to improved business outcomes and increased agility.
Three Clues Your App Has Been Hacked (SIGNAL Magazine) Most organizations find out too late they've been hacked and are left to control damage.
Use of ‘shadow IT’ solutions in data sharing can be avoided (Advanced Manufacturing) To help ensure terabytes of data at manufacturers’ disposal are a blessing, use content-collaboration solutions to prevent use of solutions IT hasn't blessed.
15 Cybersecurity Tips to Staying Secure While Staying Connected (Secureworks) Learn how strong cybersecurity hygiene can help protect you in today’s digitally connected world.
Design and Innovation
The Pentagon Has the World’s Largest Logistics Problem. Blockchain Can Help (Defense One) DoD should join other logistics-heavy organizations in experimenting with the cryptography-messaging-accounting technology that powers Bitcoin.
Academia
UW Bothell prepares students to meet the demand in cybersecurity (Bothell-Kenmore Reporter) There were one million cyber-security job openings in the United States in 2016. More than 200,000 of those positions went unfilled.
Legislation, Policy, and Regulation
Equifax, SEC And Deloitte Cyber Breaches: Is It Time To Remove Executive Immunity From Prosecutions? (Forbes) Here we go again; another corporate scandal.
US Reviewing Better Tech Identifiers After Hacks: Trump Aide (Security Week) US officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, a Trump administration official said Tuesday.
Why Cyberattacks Need to be Treated Like Air Disasters (Windows IT Pro) Many years ago I made a decision that saved my life. Living in Sydney at the time, I deferred a planned trip back to Auckland, New Zealand...
Hackers wanted: Special ops leaders seek soldiers who can fight the enemy up close and online (Army Times) Already in high demand for their rare and elite skills, special operations soldiers need to add one more capability to their toolbox: cyber.
Marine cyber defense command educates new units on cyberwarfare (Fifth Domain) The Marine Corps' chief cyber operations outfit will be offering education to help leaders understand how cyber can be employed into traditional operations.
Privacy Experts Urge House to Reform Section 702 NSA Spying Loophole (InsideSources) Privacy experts want Congress to reform a loophole to FISA Section 702, an expiring NSA authority that allows NSA to collect data without a warrant.
DHS Seeks to Be More Active in Agencies' Cyber Defense (BankInfo Security) A top Department of Homeland Security cybersecurity official says DHS is seeking to play a more active role in responding to cyber incidents at other U.S. federal
WIU Alumnus, Former Head of the Defense Intelligence Agency Moves to U.S. Cyber Command Post (Western Illinois University) U.S. Marine Corps Lt. Gen. Vincent Stewart, a 1981 Western Illinois University history graduate, will step down as the head of the Defense Intelligence Agency today (Oct. 3). He has been tapped to become the Deputy Commander of U.S. Cyber Command.
Former US DIA Chief Tells Analysts, 'Speak Truth to Power' (VOA) Lt. Gen. Vincent Stewart says integrity has never been more important
New top tech exec starts at OPM (Federal Times) Acting Director of the Office of Personnel Management Kathy McGettigan has named David Garcia as the agency’s new chief information officer.
Litigation, Investigation, and Law Enforcement
US senator seeks cyber info from voting machine makers (Fifth Domain) In a letter Tuesday to the CEOs of top election technology firms, Sen. Ron Wyden writes that public faith in American election infrastructure is “more important than ever before.”
Exclusive: Jared Kushner's personal email re-routed to Trump Organization computers amid public scrutiny (USA TODAY) Records show the personal email Jared Kushner used for White House business was redirected to a Trump Organization computer after scrutiny intensified.