Cyber Attacks, Threats, and Vulnerabilities
North Korea Getting Ready to Wage a Global Cyber War, Experts Say (eWEEK) NEWS ANALYSIS: Sound computer hygiene will protect your organization from malware threats, even those launched by a North Korean dictator bent on cyber-war.
Researcher Provides Insight Into North Korea Cyber-Army Tactics (eWEEK) In a session at the SecTor security conference, a security researcher provides details on the tools and methods used by multiple attack groups operating out of North Korea.
Internal Kaspersky Investigation Says NSA Worker’s Computer Was Infested with Malware (Motherboard) The Russian cybersecurity firm released a new report that pushes back against accusations that it helped leak sensitive NSA materials and suggests that a backdoor found on the worker’s machine could have allowed others to take files from his machine.
'Leaker' behind massive NSA breach possibly still working at agency (Security Brief) A cybersecurity expert has said it is a ‘stunning admission’ by the former CIA director about the NSA breach that is being touted as catastrophic.
Shadow Brokers cause ongoing headache for NSA (Naked Security) It’s not been a great few years for the NSA when it comes to breaches…
Russian Hackers Aren't the NSA's Biggest Problem (Bloomberg) The FBI and CIA recovered from colossal embarrassments by rebuilding their entire cultures.
Years after regulatory crackdown, some security cameras still open to hackers (Washington Post) Cybersecurity start-up claims flaws allow access to people’s video feeds
Hackers mimicking little kids can fool voice recognition systems (Naked Security) Misuse of the technology is going to rise right along with the popularity of voice apps, says a recent study.
Amazon Echo, Google Home Vulnerable to BlueBorne Attacks (Security Week) Amazon Echo and Google Home devices are vulnerable to attacks exploiting a series of recently disclosed Bluetooth flaws dubbed “BlueBorne.”
BlueBorne Information from the Research Team (Armis Labs) BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices.
Multi-stage malware appeared on Google Play targeting various apps (WeLiveSecurity) ESET researchers have discovered malware with improved ability to bypass Google Play’s protection mechanisms using multi-stage architecture and encryption.
Google Play Store Sees Sudden Surge of Malicious Apps (BleepingComputer) The Google Play Store is seeing a wave of malware-infested apps like never before. Four separate security companies have reported, or are preparing to release reports, on malware campaigns currently underway via Android apps available on the Play Store.
Ransomware: Ordinypt extorts German users (netzwelt) German users should currently be especially careful online. A ransomware strain called "Ordinypt" is specifically targeting German users, security analysts at G Data warn...
Ransomware-spreading hackers sneak in through RDP (Naked Security) Sophos has uncovered a new niche in the world of cybercrime: ransomware infections where the crooks run the ransomware themselves
Malware spreading that mines cryptocurrency (Fortune) Watch out for web sites that steal your PC power
Researchers Hack Car Infotainment System and Find Sensitive User Data Inside (Motherboard) Contacts, call logs, text messages and other information from paired phones were stored unencrypted.
No boundaries: Exfiltration of personal data by session-replay scripts (Freedom to Tinker) This is the first post in our “No Boundaries” series, in which we reveal how third-party scripts on websites have been extracting personal information in increasingly intrusive ways.
Second OnePlus Factory App Discovered. This One Dumps Photos, WiFi & GPS Logs (BleepingComputer) A security researcher has found a second factory app that was included on OnePlus devices delivered to customers, and this one can be abused to dump the user's photos and videos, but also GPS, WiFi, Bluetooth, and various other logs.
DXC spills AWS private keys on public GitHub (Register) 'Unknown persons' spin up 244 VMs at cost of $64k. Whoops
Amazon S3 cloud storage security breach hits corporations (TechTarget) The Amazon Simple Storage Service (S3) has been giving big businesses, and their customers, big trouble.
Sharp rise in fileless attacks evading endpoint security (Help Net Security) A Ponemon Institute survey of 665 IT and security leaders unveiled a surge in fileless attacks evading endpoint security.
Forever 21 reports data breach, failed to turn on POS encryption (SC Media US) The clothing retailer Forever 21 reported today that some of its payment card systems had been breached when the installed encryption was not activated.
Confusion reigns over crypto vuln in Spanish electronic ID smartcards (Register) Certs revoked, but where are the updates?
Be Wary of Apparently Internal Emails, Report Says (FEDweek) Email fraud is getting more frequent and more sophisticated, including greater use of a tactic to which federal agencies are especially vulnerable, making
Ransomware Targets J. Sterling Morton High School Students With Fake Survey (BleepingComputer) An in-development ransomware has been discovered that is targeting the high school students of the J. Sterling Morton school district in Illinois.
Security Patches, Mitigations, and Software Updates
Cisco Warns of Critical Flaw in Voice OS-based Products (Threatpost) Cisco Systems issued patch that fixes a critical vulnerability impacting 12 products running the Cisco Voice Operating System software.
Firefox Quantum: Security and privacy improvements (Help Net Security) Learn more about the Firefox Quantum security and privacy improvements. Tracking Protection can now be enabled for regular browsing windows.
Patch Tuesday - Rapid7 Comment (Information Security Buzz) Microsoft has just released their patches for the month of November and Greg Wiseman, Rapid7’s Senior Security Researcher, has provided his thoughts below. Greg Wiseman, Senior Security Researcher at Rapid7: “Web browser issues account for two-thirds of this month’s patched vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed. Many of these are …
Cyber Trends
KnowBe4: “Six Cybersecurity Trends Organizations Need to Watch for in 2018” (PRWeb) New-school security awareness training company IDs phishing, social engineering and ransomware trends as continuing to get worse in 2018
ISACA Research: Only Half of Organizations Say Their Leaders Are Digitally Literate (BusinessWire) ISACA's new Digital Transformation Barometer looks at the impact of digitally literate leaders on an organization's digital transformation initiatives
Oil and Gas Cybersecurity Conference Yields New Insights (Journal of Petroleum Technology) Operators, vendors, academics, and government officials offered new insights into meeting the growing incidence of cyber-threats across the industry during the 12th Annual American Petroleum Institute Cybersecurity Conference on 7–8 November in The Woodlands, Texas.
Infosec expert viewpoint: IoT security initiatives (Help Net Security) In order to educate and promote safety, many IoT security initiatives have emerged in the past few years. Here's what infosec experts think about them.
Bot-driven web traffic and its application security impact (Help Net Security) Research focused on highly targeted industries exposes the proliferation of bot-driven web traffic and its impact on organizations’ application security.
Marketplace
ReFirm Labs Announces $1.5 Million in Funding From Startup Studio DataTribe and Launches Firmware Validation Platform (GlobeNewswire News Room) National Security Agency veterans develop automated platform to detect firmware vulnerabilities in billions of IoT and other connected devices
Deal Street: Big Data Startup Raises $25 Million From Singtel Group (Bloomberg Quint) Your weekly dose of startup deals
Cybercom Challenges Industry: Be Agile, Precise (U.S. DEPARTMENT OF DEFENSE) At U.S. Cyber Command’s first-ever industry day, Cybercom leaders briefed nearly 400 members of private industry about the command’s acquisition priorities at the National Geospatial-Intelligence
Taking extra precaution, firms plan to spend more on cybersecurity (Indiana Lawyer) As the threat of cyberattacks continues to loom over professions including the law, legal practitioners are taking additional steps to protect themselves and their firms from harmful access to their data.
Emerging IT Security Technologies: 13 Categories, 26 Vendors (Dark Reading) A rundown of some of the hottest security product areas, and vendors helping to shape them.
Israeli support for AI slipping, Nvidia executive says (The Jerusalem Post) Japanese and Chinese supercomputers may leave start-up nation in the dust
Here's how some local companies are trying to close the cyber talent gap (Washington Business Journal) “We can’t sit around and expect the kind of talent we’re going to need is just going to show up,” says a Northrop Grumman executive. “Because it’s not.”
Companies turn to ‘war games’ to seek out cyber security talent (Business Tech) With demand for cyber security expertise exploding, but qualified people in short supply, war-gaming competitions have become key recruiting grounds for companies and government security agencies.
Experian warns of increased scrutiny after Equifax hack (Financial Times) Credit monitoring service says data hack has led to greater regulatory pressures
FireEye CEO Kevin Mandia joins Shape Security Board of Directors (GlobeNewswire News Room) Shape Security, provider of the leading platform for online application defense, today announced the appointment of Kevin Mandia, CEO of FireEye, to its board of directors.
Products, Services, and Solutions
Oxygen Forensic® Detective X Launches with New WhatsApp Extraction Features (Oxygen Forensics) Oxygen Forensics, a worldwide developer and provider of advanced forensic data examination tools for mobile devices, cloud services and drones, today announced that its new flagship product, Oxygen Forensic® Detective X (version 10), which contains the industry-leading Oxygen Forensic® Cloud Extractor, has added new WhatsApp extraction features.
New Quad9 DNS service means more private, secure browsing (IBM) IBM has collaborated with PCH and GCA to develop the new Quad9 DNS service. Learn about the latest evolution of collaborative defense for more secure, private internet browsing
Aqua Security Launches On-Demand Security Scanner for Container Images on AWS Marketplace (Aqua) Aqua Security today announced that it’s launched a pay per scan, on-demand vulnerability scanning service for Amazon Web Services (AWS) customers that build, store, or manage container images …
Cylance debuts consumer version of its AI based antivirus software (Computerworld New Zealand) Cylance, one of a new breed of developers of antivirus software that relies on artificial intelligence and machine learning for its functionality, has begun offering a consumer version of its product in New Zealand and Australia.
RapidFire Tools Introduces Detector SDS 2.0, Enhancing Functionality and Adding a New Service Tier (GlobeNewswire News Room) Enhancements include new “Bronze” level internal IT service offering, redesigned interface, new at-a-glance views, and automated threat alert workflows
SonicWall Launches New Lineup Of Professional Security Services (Channel Partners) Through the Partner Enabled Services Program, partners are vetted, granted status as a SonicWall Authorized Services Partner and given access to training, tools, sales, marketing and technical resources aimed at helping them deliver the new services.
Anomali To Provide Threat-Sharing Expertise To U.S. House of Representatives Homeland Security Subcommittee On Cybersecurity And Infrastructure Protection (BusinessWire) Anomali, a provider of market-leading threat intelligence solutions, announced today that it will be appearing before the U.S. House of Representative
Malwarebytes introduces new MSP program (ARN) Cybersecurity company, Malwarebytes, has taken the wrappers off a new managed service provider (MSP) program specifically aimed at the A/NZ market.
Technologies, Techniques, and Standards
How to stop Emotet malware from infecting your computer (Help Net Security) Learn more about how to stop Emotet malware, a dangerous banking Trojan that has been around for several years and continues to evolve.
7 Ways E-Commerce Sites Must Battle Bots Stealing Credentials (Credit Union Times) Experts say the biggest website security threat comes from bots.
How Hacking Works (Motherboard) Motherboard's 2017 Hacking Week aims to demystify how the security industry really works.
Motherboard Hacking Livestream: Cracking MMORPGs (Motherboard) Join us on YouTube or Facebook to learn how hacking works.
Motherboard Hacking Livestream: How to Pwn a Router (Motherboard) Join us on YouTube or Facebook to learn how hacking works.
Design and Innovation
Facebook, Google and others join The Trust Project, an effort to increase transparency around online news (TechCrunch) "Fake news" and other misinformation, online propaganda, and satirical content people believe is true have filled the web via search engines and social..
Legislation, Policy, and Regulation
Improving and Making the Vulnerability Equities Process Transparent is the Right Thing to Do (White House) There can be no doubt that America faces significant risk to our national security and public safety from cyber threats.
FACT SHEET: Vulnerabilities Equities Process (White House) The newly released Vulnerabilities Equities Process (VEP) Charter spells out how the Federal Government will handle the process that determines whether the Government will notify a private company about a cybersecurity flaw in its product or service or refrain from disclosing the flaw so it can be used for operational or intelligence gathering purposes.
Vulnerabilities Equities Policy and Process for the United States Government (White House) This document describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies.
Cybersecurity pros take first peek at once secretive process behind US hacking toolkit (TheHill) The White House released a charter Wednesday publicly describing the principles, aims and values of the secretive process it uses to decide what hacking tools to keep in its arsenal and which it would report to tech companies to allow them to fix.
US clarifies handling of cybersecurity flaws (VEP) (WeLiveSecurity) US clarifies handling of cybersecurity flaws, publishes Vulnerabilities Equities Policy and Process
Trump administration releases rules on disclosing security flaws (ZDNet) The White House's cybersecurity coordinator said the rules are "vital" to ensuring a balance between public disclosure and retaining flaws for intelligence operations.
White House releases new VEP charter (Open Policy & Advocacy) This morning, the White House released a new version of the Vulnerabilities Equities Process (VEP). We want to thank Rob Joyce, and the rest of the NSC staff working on ...
Feds Explain Their Software Bug Stash—But Don’t Erase Concerns (WIRED) A new charter for the Vulnerabilities Equities Process sheds some light, but doesn't fix the underlying problems.
Trump administration pulls back curtain on secretive cybersecurity process (Washington Post) The rules guide government decisions over whether and when to disclose software flaws that can be turned into cyberweapons.
China’s Ministry of State Security Likely Influences National Network Vulnerability Publications (Recorded Future) Recorded Future analysis has uncovered evidence that CVEs are likely evaluated for their operational utility by the MSS before publication on CNNVD.
All’s fair in cyberwar (Korea JoongAng Daily) What got President Park Geun-hye interested in “cyber defense” was a short briefing by Korea University professor and cryptology expert Lim Jong-in. When he had three minutes in the 30-minute Ministry of National Defense report to the Blue House in J
Sessions: Surveillance Reform Could Be 'Exceedingly Damaging' to National Security (Nextgov) Getting a warrant before searching through information collected under Section 702 authorities would be burdensome, the attorney general told lawmakers.
IBM's Schneier: It's Time to Regulate IoT to Improve Cyber-Security (eWEEK) At the SecTor security conference in Toronto, IBM Resilient Systems CTO Bruce Schneier makes a case for more regulatory oversight for software and the internet of things.
Homeland Security Will Soon Have a Tough, Smart Leader at the Helm (The Daily Signal) Fixing broken policies will not be easy, but Kirstjen Nielsen is the right person for the job.
Business Cybersecurity Letter (Commonwealth of Pennsylvania Department of Banking and Securities) Deliberate cyberattacks and cyberthreats pose substantial risk to Pennsylvania’s financial infrastructure and national security.
Litigation, Investigation, and Law Enforcement
AP spreads 'Russia hacked DNC' claim as though it is gospel truth (ITWire) ANALYSIS The current reds-under-the-beds scare in the US is increasingly being sold by the media, with unproven claims often being paraded as fact.
Assange isn’t a dreamer, he’s a destroyer (Times) I remember when Julian Assange was the coolest thing on the planet. Back in 2010, on his first visit to London after his Wikileaks organisation revealed secrets of the US war on terror, I debated...
Will Equifax Ever Be Held Accountable For Its 'Rookie Mistakes'? (Forbes) For a few bracing weeks this fall, consumers harmed by Equifax, Wells Fargo or another financial institution had the right to their day in court.
Criminals make student data public in escalating demands for ransom (NBC News) Cyber criminals are increasingly targeting schools across the United States and holding student data for ransom.
Probable-Cause Warrant Needed for Cell-Tracking, Brooklyn Judge Rules (New York Law Journal) The decision may be the first time a state judge has ruled that a warrant based on probable cause rather than on a lesser standard is necessary before police deploy a cell site simulator.