Cyber Attacks, Threats, and Vulnerabilities
This new botnet could take down the internet - and it's rapidly spreading across the world (International Business Times UK) New botnet spotted enslaving internet-of-things (IoT) devices, said Check Point.
A New IoT Botnet Storm is Coming (Check Point Research) A massive Botnet is forming to create a cyber-storm that could take down the internet. An estimated million organizations have already been infected. The Botnet is recruiting IoT devices such as IP Wireless Cameras to carry out the attack. New cyber-storm clouds are gathering. Check Point Researchers have discovered of a brand new Botnet evolving …
APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed (Proofpoint) On Tuesday, October 18, Proofpoint researchers detected a malicious Microsoft Word attachment exploiting a recently patched Adobe Flash vulnerability, CVE-2017-11292. We attributed this attack to APT28 (also known as Sofacy), a Russian state-sponsored group.
Malware in firmware can be as equally creative as it can be destructive (WeLiveSecurity) Malware in firmware can be both creative and destructive and runs before the OS loads and target components in order to modify or subvert their behavior
MacOS Proton backdoor delivered via Trojanized media player app (Help Net Security) A Trojanized version of Elmedia Player software for Mac was available for download for who knows how long from the developer's official site.
'BoundHook' Technique Enables Attacker Persistence on Windows Systems (Dark Reading) CyberArk shows how attackers can leverage Intel's MPX technology to burrow deeper into a compromised Windows system.
Quarter of emails claiming to be from feds are malicious, unauthenticated, says cyber firm (Fifth Domain) Some 25 percent of emails claiming to be from the federal government are either unauthenticated or malicious, according to a new report from cybersecurity firm Agari.
Inside the thriving ransomware market (CSO Online) Researchers at Carbon Black examined the Ransomware market and discovered some interesting facts about the booming criminal economy. Mirroring some of the legal technology markets, such as those for software development, the market for Ransomware is dominated by unique custom solutions and turnkey offerings.
How individuals can use online ad buying to spy on you (Naked Security) It’s not just the advertisers who can track you
As our power grids get smarter, they're more vulnerable to attack (WIRED) In a sprawling office building in south Wales, Kevin Jones simulates massive cyber attacks on power grids, factories and other vital parts of national infrastructure. It’s the only way of knowing whether these facilities will cope when the real attack comes, he says.
Hacking the grid may not be as difficult as the October 13, 2017 Wired article suggests (Control Global) Aurora, forced oscillations, and other types of incidents that can manipulate physics may not be a difficult to cause as previously believed and may not be detectable from network anomaly detection.
10 Social Engineering Attacks Your End Users Need to Know About (Dark Reading) It's Cybersecurity Awareness Month. Make sure your users are briefed on these 10 attacker techniques that are often overlooked.
Security Patches, Mitigations, and Software Updates
Cisco plugs WPA2 holes, critical Cloud Services Platform flaw (Help Net Security) Cisco fixes WPA2 flaws that can be exploited in the newly unveiled KRACK attacks, as well as a critical vulnerability affecting its Cloud Services Platform.
Ubuntu 17.10 brings enhanced security and productivity for developers (Help Net Security) Ubuntu 17.10 features a new GNOME desktop on Wayland, and new versions of KDE, MATE and Budgie. On the cloud, it brings Kubernetes 1.8.
PC maker Purism disables flawed Intel Management Engine (Computing) Disabling Intel Management Engine, deeply embedded in Intel CPUs, could circumvent security risks,Security ,Intel,Purism,Intel Management Engine,Active Management Technology,AMT
Visa integrates biometrics for credit card payments (Computing) Visa plans to tighten payments with biometric authentication - although 'cardholder not present' will remain a problem,Financial Solutions,Security ,Visa,biometric,authentication,Visa ID Intelligence
The difference between cybersecurity and cybercrime, and why it matters [Commentary] (Fifth Domain) Most advice for avoiding online dangers – like having long passwords, using two-factor authentication and encrypting data – wouldn’t have helped Amy.
Business suffers as over-zealous security tools block legitimate work (Help Net Security) Security tools block legitimate work and lead to frustrated users, unhappy CISOs and strained relationships between workers and IT departments.
Can it be true? Most consumers value security more than convenience (Help Net Security) New research contradicts the widely-held belief that consumers value convenience and experience over security when shopping online.
The complex digital life of the modern family: Online safety and privacy concerns (Help Net Security) Learn about the concerns about online safety and privacy, and how the modern family views responsibility to keep themselves safe while on the Internet.
More than Half of US Banks Say Fraud Schemes Too Sophisticated and Evolve Too Quickly to Stop, Survey Reveals (GlobeNewswire News Room) Massive data breaches, such as Equifax, and quickly evolving hacking attacks present challenges as fraud related incidents increase
Alert Logic survey finds only 5% of EU companies believe they are compliant with GDPR - VanillaPlus - The global voice of Telecoms IT (VanillaPlus) Alert Logic, the provider of Security-as-a-Service solutions for the cloud, announced the results of a survey conducted with over 200 European based compan
Facebook is struggling to meet the burden of securing itself, security chief says (Ars Technica) Chief Security Officer described security report as a “very painful process.”
Merck cyber attack may cost insurers $275 million - Verisk's PCS (Reuters) Insurers could pay $275 million (209.06 million pounds) to cover the insured portion of drugmaker Merck & Co's loss from a cyber attack in June, according to a forecast by Verisk Analytics Inc's Property Claim Services (PCS) unit.
DHS piloting agile cyber acquisition, CDM for cloud, CISO says (Fedscoop) CISO Jeffery Eisensmith said the agency was developing a new acquisition management directive tailored around agile development, as well as cloud CDM.
Google wants bug hunters to probe popular Android apps for bugs (Help Net Security) Google has started the Google Play Security Reward Program, for bugs in all of Google's Android apps, as well as a short list of other popular ones.
Fidelis Cybersecurity Acquires TopSpin Security (BusinessWire) Fidelis Cybersecurity announces it has acquired TopSpin Security Ltd., a leading provider of deception and detection technologies.
Cisco Systems Acquires New-Gen Application Monitor Perspica (eWEEK) Networker said it will integrate Perspica’s engineers and intellectual property with its new AppDynamics team, which it acquired in January for $3.7 billion.
Intezer Raises $8M in Series A Funding (BusinessWire) Intezer (www.intezer.com), a cyber security startup focusing on malware analysis and detection, today announced it has raised $8 million in series A.
Is It Time for Data Center Managers to Say Goodbye to Kaspersky? (Data Center Knowledge) Experts question the company’s ability to survive allegations that the Russian government has built backdoors into its software.
Kaspersky's KGB links make it a bad choice for U.S. consumers (Philly.com) To some, it's the best antivirus security software. To others, a devil in disguise.
MobileIron CEO out in favor of CFO: Why now? (TechTarget) As the biggest standalone vendor left in the EMM market, MobileIron has faced questions about its future for years. Those will only intensify in light of the surprise departure of CEO Barry Mainz.
Tanium CEO moves forward through hiring a slew of executives and prepping for IPO (San Francisco Business Times) After a rocky start to the year, Emeryville-based security giant Tanium is in rebuilding mode. CEO Orion Hindawi talked about the new executives the company has brought on and how employees and customers reacted to reports earlier this year about alleged missteps.
Egnyte Appoints New Data Protection Officer, Releases First GDPR eBook (Business Insider) Co-Founder Kris Lahiri takes on new role to ensure company-wide data compliance.
Bicoastal bot detection company Distil Networks names new CEO (Technical.ly DC) Tiffany Olson Jones will be based at the company's Arlington office.
Proofpoint Inc. Appoints Kristen Gil to its Board of Directors (GlobeNewswire News Room) Proofpoint, Inc., (NASDAQ:PFPT), a leading next-generation cybersecurity company, today announced its Board of Directors has appointed Kristen Gil as a new independent director, effective October 17, 2017.
Terbium Labs Wins Cybersecurity Breakthrough Award (PRWeb) Terbium's Dark Web monitoring solution, Matchlight, named Data Leak Detection Solution of the Year
Products, Services, and Solutions
New infosec products of the week: October 20, 2017 (Help Net Security) New infosec products of the week include offerings from Aqua Security, Barracuda, FileCloud, Ntrepid, Optiv Security, Samsung, and Scythe.
Top security tools, 2017: How cutting-edge products fare against the latest threats (CSO Online) We go hands-on with some of the most innovative, useful and, arguably, best security tools from today's most important cybersecurity technology categories.
NSS Labs Announces 2017 Breach Detection Systems Group Test Results (Business Insider) 4 Products Receive Recommended Rating; 1 Receives Neutral Rating; 1 Receives Security Recommended Rating; 1 Receives Caution Rating
Bell and Akamai to offer suite of web security and performance solutions for Canadian businesses (PRNewswire) Bell, Canada's largest communications company, and...
WISeKey blockchain platform allows countries to launch their own cryptocurrencies (BiometricUpdate) WISeKey has introduced World Internet Secure Coin (WISeCoin), a blockchain platform that allows countries to launch their own cryptocurrencies in an environment that provides interoperability in a …
LogRhythm launches cloud-based threat detection analytics (ITP Net) Cyber security vendor enhances threat lifecycle management with advanced analytics that leverage artificial intelligence
Technologies, Techniques, and Standards
7 things you might not know about cybersecurity insurance (JD Supra) The number of cyber attacks and data breaches are increasing, and the costs to respond to such incidents are also increasing. This underscores the...
Top Thoughts for GDPR Third-Party Management (Infosecurity Magazine) Your organization is explicitly responsible for the readiness and conduct of the third parties that store or process your EU citizen’s personal information.
DPP's commitment to cyber security (IBC) The Digital Production Partnership (DPP) has opened its Committed to Security Programme to the entire media industry to help reduce the loss or theft of content.
Design and Innovation
Craig Wright Couldn’t Prove He Invented Bitcoin, But He’s Back Anyway (Motherboard) Wright isn't mad, actually he's laughing.
Research and Development
Stunning AI Breakthrough Takes Us One Step Closer to the Singularity (Gizmodo) Remember AlphaGo, the first artificial intelligence to defeat a grandmaster at Go? Well, the program just got a major upgrade, and it can now teach itself how to dominate the game without any human intervention. But get this: In a tournament that pitted AI against AI, this juiced-up version, called AlphaGo Zero, defeated the regular AlphaGo by a whopping 100 games to 0, signifying a major advance in the field. Hear that? It’s the technological singularity inching ever closer.
WGU about to launch third year of Tenn-K scholarships (Kingsport Times-News) The Tenn-K is not an athletic road race but a post-high school academic endeavor, part of Gov. Bill Haslam's Drive to 55. Come Nov. 1 and going through March 15, Tennesseeans may apply for the Tenn-K Scholarship with WGU Tennessee. It's a $10,000 award paid out over two years.
Legislation, Policy, and Regulation
China goes looking online for government secrets (CSO Online) China’s president painted a picture of openness and diplomacy, but cyber activity that seems to come from the country indicate Chinese hackers pose a threat.
US, allies grapple with countering Russia’s cyberoffensive (Stars and Stripes) NATO’s long-standing tactical advantage on the battlefield could be at risk as cyber adversaries probe for weak points in the U.S.-led security pact’s networks, a top alliance official said.
So Who Has the Most Advanced Cyber Warfare Technology? (NASDAQ.com) Cyber warfare by definition is the use of computer technology to disrupt activities of a state or organization.
Cryptographic Identity: How Estonia Is Leading The World (Digit) Reliance on old-fashioned and inherently untrustworthy 'wet signatures' how can we move towards trusted cryptographic identity? Estonia is leading the way.
Trump UN envoy: Russia's election interference is 'warfare' (Fifth Domain) Nikki Haley, President Donald Trump’s chief envoy to the United Nations, cast Russian interference in the 2016 election as “warfare” on Thursday, breaking in tone, if not substance, from a president who has consistently downplayed Russian influence in American politics.
CIA director rebuked for false claim on Kremlin's election meddling (POLITICO) Democratic critics accused Mike Pompeo of echoing Trump that the meddling didn't affect the outcome.
How Facebook Will Protect the 'Integrity' of Canada's Next Election (Motherboard) "We don't want anyone to use our tools to undermine democracy."
Canada's 'super secret spy agency' is releasing a malware-fighting tool to the public (CBC News) The Communications Security Establishment acknowledges it needs to do a better job of explaining to Canadians what it does.
Senate Intelligence Committee to debate in secret a bill that would renew a powerful spy tool (Washington Post) The legislation would not impose new limits on data searches to protect privacy.
DoD Just One Piece of Cyberdefense Puzzle, Official Says (U.S. DEPARTMENT OF DEFENSE) Defense of America’s interests in cyberspace took center stage on Capitol Hill as the Senate Armed Services Committee heard testimony from the assistant secretary of defense for homeland defense and
DoD says it shouldn’t protect homeland from cyberthreats; McCain disagrees (Fifth Domain) The chairman of the Senate Armed Services Committee sparred with DoD representatives regarding the Pentagon's role in cyberspace in protecting the nation.
Frustrated senators demand cyber war strategy from Trump (TheHill) The issue has gained greater attention in the wake of Russia’s interference in the election.
Senators criticize White House as cyber adviser is no-show (Fifth Domain) Senators are criticizing the Trump White House for not allowing its senior cybersecurity adviser to testify before the Armed Services Committee.
McCain threatens to subpoena Trump's cybersecurity czar after he skips hacking hearing (ABC News) A clearly frustrated, bipartisan panel of senators today threatened to subpoena the Trump administration’s cyber czar, demanding to know how the White House plans to address "the disarray" that has embodied the U.S. government's response to cyber threats from Russia and other adversaries.
The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting (Recorded Future) Organizations need access to the latest vulnerability (CVE) information to manage their exposure to risk. The U.S. National Vulnerability Database (NVD) trails China’s National Vulnerability Database (CNNVD) in average time between initial disclosure and database inclusion (33 days versus 13 days).
Creating A National ID Would Threaten Americans’ Privacy And Security (The Federalist) The proposition that the federal government should be entrusted with even more information on citizens in a National ID is a bit of a high-stakes gamble.
NIST Small Business Cybersecurity Act Passes in the House (Lexology) On October 11, 2017, the House of Representatives passed bill H.R. 2105, the NIST Small Business Cybersecurity Act (NIST Act), which would require the…
Military Aims to Maintain Its Cyber Mission Force Roster (GovTechWorks) What the U.S. military is trying to achieve in building its Cyber Mission Force is akin to building an airplane – as it flies coast to coast. Even before the armed services achieve their goal of building a fully operational elite corps, they’re already putting those teams to work battling it out in cyberspace.
Ohio National Guard organizing volunteer teams to protect businesses from cyberattacks (Columbus Business Journal) The Ohio National Guard wants to introduce volunteer response teams to help businesses and government groups in the state defend from a cyber attack.
EU MEPs want stronger privacy rules for Internet-enabled communication services (Help Net Security) The European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) has backed new privacy protections for EU citizens.
Litigation, Investigation, and Law Enforcement
Germany's domestic intelligence agency warns of 'IS' sympathizers (Deutsche Welle) Germany’s domestic intelligence agency says 'IS' sympathizers returning to the country could pose a security risk. The agency's head also warned of the increasing threat of cyberwarfare.
Equifax Deserves the Corporate Death Penalty (WIRED) Opinion: The company had one job, and it failed. It deserves to be dissolved.
Judge: MalwareTech is no longer under curfew, GPS monitoring (Ars Technica) Marcus Hutchins, awaiting trial, can now live and work unencumbered in LA.
A 'Fortnite' Cheat Maker Duped Players Into Downloading a Bitcoin Miner (Motherboard) And now he's being sued.