Cyber Attacks, Threats, and Vulnerabilities
Uber Paid Hackers to Delete Stolen Data on 57 Million People (Bloomberg.com) Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.
Uber Hacked: Information of 57 Million Users Accessed in Covered-Up Breach (Security Week) Uber covered up massive hack in 2016 for more than a year
Uber Paid Off Hackers to Hide a 57-Million User Data Breach (WIRED) The ridesharing service's latest scandal combines routine security negligence with an "appalling" coverup.
Uber data breach from 2016 affected 57 million riders and drivers (TechCrunch) Uber faced a data breach in 2016 that affected some 57 million customers, including both riders and drivers, revealing their names, email address and phone..
Uber admits hiding huge data breach (Computing) Over 57 million clients and staff affected by concealed hack
Uber Paid Hackers $100,000 to Cover Up a Breach Impacting 57 Million Customers (Motherboard) In addition to being yet another public relations nightmare for Uber, the way the company handled the breach might be in violation of data breach disclosure laws.
Uber Supposedly Paid Hackers $100,000 to Keep Quiet About a 2016 Data Breach (BleepingComputer) Uber confirmed that hackers breached some part of its network in October 2016 and made off with personal data for 50 million users and 7 million drivers.
Analysis | Would cyberattacks be likely in a U.S.-North Korea conflict? Here’s what we know. (Washington Post) Pyongyang has a track record of increasingly daring cyberattacks.
Saudi Arabia claims it was hit with cyber espionage attack that also targeted Israel (haaretz.com) Saudi cyber officials say the kingdom is among five Middle Eastern countries targeted in a cyberattack attributed to the 'MuddyWater' group
The State Department's Fumbled Fight Against Russian Propaganda (WIRED) Former staffers of the State Department's Global Engagement Center, tasked with fighting propaganda, say that 'administrative incompetence' has hamstrung efforts.
I Unknowingly Went to a Trump Protest Organized by Russian Agents (Motherboard) My understanding of protests changed after recently discovering the origins of a “Not My President” march I attended a few days after Trump’s election.
US-CERT warning over security vulnerabilities found in Apple MacOS and iOS (Computing) Security researchers have found dozens of vulnerabilities affecting iOS and MacOS
macOS Malware Spread Via Fake Symantec Blog (Security Week) A newly observed variant of the macOS-targeting Proton malware is spreading through a blog spoofing that of legitimate security company Symantec.
U.S. government warns businesses about cyber bug in Intel chips (Reuters) The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.
Critical Flaws in Intel Processors Leave Millions of PCs Vulnerable (The Hacker News) Intel Patches Critical Flaws in Its Processors that Left Millions of PCs Vulnerable
Code Execution Flaw Found in HP Enterprise Printers (Security Week) Researchers have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. The vendor claims to have already developed a patch that will be made available to customers sometime this week.
qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware (TrendLabs Security Intelligence Blog) We encountered a few interesting samples of a file-encoding ransomware variant implemented entirely in VBA macros called qkG (detected by Trend Micro as RANSOM_CRYPTOQKG.A).
Cobalt Hackers Now Targeting Banks Directly (Security Week) The notorious Cobalt hackers have shown a change in tactics recently, switching their attacks to targeting banks themselves, instead of bank customers, Trend Micro reports.
Top Sites Expose Visitors to Breaches by Tracking Keystrokes (Infosecurity Magazine) Princeton researchers find privacy and security concerns in use of session replay scripts
Google collects Android location data even if location service is off (HackRead) Smartphones are fun to use, but what if someone is watching every step you take and collecting data of wherever you go? That is what Google has been up to.
Samsung Pay Leaks Mobile Device Information (Dark Reading) Researcher at Black Hat Europe will show how Samsung Pay's security falls short and ways attackers could potentially bypass it.
Microsoft warns: Bogus Apple, Windows tech support sites open your phone app (ZDNet) Tech-support scam sites now contain click-to-call to "help" victims more easily contact their sham hotlines.
Stuxnet’s Footprint in Memory with Volatility 2.0 (Penetration Testing Experts) We’ll examine Stuxnet’s footprint in memory using Volatility 2.0. A talk was given at Open Memory Forensics Workshop on this topic (see the online Prezi) and the details will be shared here for anyone who missed it. I picked this topic for two reasons. First, Stuxnet modifies an infected system in such ways that are …
Microsoft Warns of Late-Year Spike in Office Threats (eWEEK) Attackers are using a handful of recent Office vulnerabilities and sophisticated techniques to slip through antivirus defenses and infect PCs.
Internet Wide Ethereum JSON-RPC Scans (SANS Internet Storm Center) Ethereum is certainly getting a lot of press this year, and with this, we also see the bad guys spending more effort to steal the shiny fresh off the digital mint crypto coins.
Final Version of 2017 OWASP Top 10 Released (Security Week) The final version of the 2017 OWASP Top 10 was released on Monday, and some types of vulnerabilities that no longer represent a serious risk have been replaced with issues that are more likely to pose a significant threat.
New OWASP Top 10 List Includes Three New Web Vulns (Dark Reading) But dropping cross-site request forgeries from list is a mistake, some analysts say.
Has Everyone Really Been Hacked? (Security Week) There is little doubt that fear sells security products, hikes law enforcement agency (LEA) budgets and sells newspapers.
Police say everyone in UK has been hacked – Expert says not quite (Security Brief) UK police representatives claim virtually everyone in the country has been hacked; High-Tech Bridge's CEO disagrees.
Look Out! Black Friday Phishing and Cyber Attack Monday (Barracuda) Big Brands and Bonus Bucks Gift Cards: Cybercriminals are launching widespread phishing campaigns that spoof popular brands to steal your information.
Black Friday: When is a deal too good to be true? (Help Net Security) If you're shopping online, here are a few tips from PhishMe to keep in mind to make sure you avoid Black Friday cyber scams.
Cyber Monday Alert: Half of American Consumers Unable to Determine Safety of Online Shopping Sites, New Survey Finds (Business Insider) With Cyber Monday just days away – the official start of the busiest online shopping month of the year – a new survey of American consumers finds that only half think they can determine the safety and legitimacy of online shopping sites and 35% claim to have stopped an online purchase because of security fears.
Experts share how to protect identity, financial info during holiday shopping season (Fox 59) With the holiday shopping season just around the corner, experts say it’s important to keep an eye out for potential scams and attempts by thieves to gain control over your identity and financial information.
Why you don't need an RFID-blocking wallet (CSO Online) RFID wallets, sleeves and clothing are security snake oil. You don't need RFID protection because there is no RFID crime.
Security Patches, Mitigations, and Software Updates
Intel Patches Management Engine for Critical Vulnerabilities (eWEEK) A pair of security researchers found flaws in Intel's Management Engine that could have potentially enabled an attacker to execute arbitrary code without detection.
Patch on way 'this week' for HP printer vulns (Register) RCE? Check. Clear passwords? Check. Interfere with print jobs? Check
Cyber Trends
As unencrypted data becomes “negligence”, business leaders are taking encryption strategy away from IT (CSO) Business executives are increasingly recognising that unencrypted data represents a governance shortcoming tantamount to “negligence”, one Australian security innovator has warned as figures suggest that business unit leaders now have more influence over corporate encryption strategies than IT leaders.
Linus Torvalds: Some security folks can't be trusted to do sane things (CSO Online) Proposed changes to version 4.15 of the Linux kernel resulted in Linux creator Linus Torvalds going on a profanity-laced rant about security professionals.
Threat Predictions for Connected Life in 2018 (Securelist) Every year, Kaspersky Lab’s experts look at the main cyberthreats facing connected businesses over the coming 12 months, based on the trends seen during the year. For 2018, we decided to extract some top predictions that also have big implications for everyday connected life.
Marketplace
Israeli IoT cybersecurity co SCADAfence raises $10m (Globes) The Tel Aviv-based company provides cybersecurity systems for industrial operational technology (OT) networks.
Palo Alto Networks Growing Revenue from Both New and Updated Services (eSecurity Planet)
Meg Whitman steps down as HPE CEO, shares tumble (Computing) Whitman's six-year tenure saw HP split into four separate businesses
Silent Circle Appoints Andy Meister, CISSP as Vice President of Engineering (BusinessWire) Silent Circle today announced the addition of cybersecurity professional, Andy Meister, as the company’s Vice President of Engineering.
Products, Services, and Solutions
Amazon’s New ‘Secret Region’ Promises Easier Sharing of Classified Data (Defense One) CIA info chief says the intelligence community has been eager for a way to put secret-level data in a secure cloud.
The First AI-driven Solution for SAP Cybersecurity (PRNewswire) ERPScan, the most innovative ERP cybersecurity provider, announces the...
VIPRE Announces Launch of VIPRE Endpoint Security - Cloud Edition (VIPRE) VIPRE Security today announced the launch of VIPRE Endpoint Security - Cloud Edition, an innovative endpoint security cloud solution for small and medium-sized businesses (SMBs).
Cybertrust Japan Selects CryptoManager IoT Security Service from Rambus (BusinessWire) Cybertrust Japan selects Rambus CryptoManager IoT Security Service to provide enhanced protection for new IoT platform.
Tanium and Intelligence Services Group Partner to Deliver Unique Security Capability (PRNewswire) Tanium, the revolutionary and...
Tech company alliance gives critical infrastructure cybersecurity a boost (Fifth Domain) Defense contractor Raytheon and digital communications MetTel are collaborating with the aim to bake cybersecurity into government telecom modernization.
Kaspersky Lab: Friend or Foe? (Legal Talk Network) David Ries talks about whether Kaspersky Lab is safe for lawyers to use, diving into where the controversy started and what the results have been so far.
Keeper Launches Version 11 of its Flagship Consumer Password Manager (Business Insider) Keeper Security, Inc., the world's leading password manager and secure digital vault, today announced the release of its newest update for Keeper Unlimited.
Booz Allen-NVIDIA Team to Develop AI Training Program for Federal Employees (ExecutiveBiz) Booz Allen Hamilton will team up with NVIDIA to establish a hands-on training program designed to help federal employees hone their artificial intelligence skills...
Sophisticated industrial network monitoring without connectivity risks (Help Net Security) SecurityMatters and Waterfall Security Solutions announced a global partnership to protect industrial control systems from the most advanced cyber threats.
Technologies, Techniques, and Standards
Defining and securing the Internet of Things (Help Net Security) A new ENISA survey serves as a reference point in this field and as a foundation for relevant forthcoming initiatives and developments.
Ready for more secure authentication? Try these password alternatives and enhancements (CSO Online) Password-only authentication is dead. Combine passwords with multifactor authentication, social login, biometrics, or risk-based authentication to better protect users and your reputation.
A vulnerability by any other name (Hi, I'm Alex) Heartbleed, POODLE, Shellshock. Giving vulnerabilities names may be controversial, but there's no doubt it's effective.
Army Looks To Replace $6 Billion Battlefield Network After Finding It Vulnerable (Foreign Policy) Hailed as a transformation in battlefield communications, the WIN-T program can’t stand up to foes versed in sophisticated electronic warfare.
Brazilian Armed Forces Summit Aligns Electronic Warfare Knowledge (Dialogo Americas) The Brazilian Ministry of Defense sponsors the annual event that brings together service members from the Army, Navy, and Air Force, as well as civilian experts to promote interoperability and capacity building in the field of electronic warfare.
Insurers Can Protect Ratings with Cautious Approach to Cyber Risk: Fitch (Insurance Journal) The influence of cyber risk on insurer ratings is likely to be neutral or gradual as long as insurers continue to take a cautious approach to the business, ac
Cybersecurity resources and tips for journalists and news media (WeLiveSecurity) Journalists and news media outlets face many issues on a daily basis and having cybersecurity resources and contacts at hand can make a huge difference.
The Definitive Guide to Sharing Threat Intelligence (Infosecurity Magazine) Download this whitepaper to learn the main points for consideration in regards to sharing threat intelligence.
Design and Innovation
Buggy Whips and Segways: Historical Misinnovation in National Security and Intelligence Technology (War on the Rocks) In the 1991 film Other Peoples’ Money, Danny DeVito plays Lawrence Garfield, a corporate raider hell-bent on acquiring and dismantling a cable-and-wire man
BlackBerry’s seven recommendations for a more secure smart car (IT World Canada) As cars get smarter and more connected, they are equipped with more mechanisms that can be targeted in cyberattacks, like infotainment systems
Cybersecurity Entrepreneur Wants AI to Make the Web a Nicer Place (CTECH) Israeli cybersecurity entrepreneur Idan Plotnik says that fixing the way we behave online is his “life’s mission”
Research and Development
Argonne scientists capture several R&D 100 Awards (EurekAlert!) Innovative technologies developed by researchers at the U.S. Department of Energy's (DOE) Argonne National Laboratory recently earned several R&D 100 Awards.
Legislation, Policy, and Regulation
US Senate takes aim at “warrantless surveillance” (Naked Security) The proposal would put curbs on Section 702, but will it pass?
FCC chairman sets out to repeal ‘net neutrality’ rules (Maryland Daily Record) Federal Communications Commission Chairman Ajit Pai on Tuesday followed through on his pledge to repeal 2015 regulations designed to ensure that internet service providers treat all on…
FCC will also order states to scrap plans for their own net neutrality laws (Ars Technica) Double win for ISPs: No more net neutrality, and state laws will be preempted.
Senator Schatz on net neutrality: “This has to be a real political movement” (TechCrunch) Following the news yesterday morning that the FCC will be voting on the proposal to kill net neutrality come December 14, officials and advocacy organizations..
Ex-Facebook privacy manager dishes the dirt on your data (Naked Security) “Lawmakers shouldn’t allow Facebook to regulate itself. Because it won’t.”
Opinion | We Can’t Trust Facebook to Regulate Itself (New York Times) It has no incentive to do so. I would know — I worked there.
Facebook (still) lets housing advertisers exclude users by race (Ars Technica) ProPublica bought ads that excluded African-Americans, Spanish speakers, Muslims.
A Call for Greater Regulation of Digital Currencies (Dark Reading) A new report calls for international collaboration to create more transparency with virtual currencies and track money used for cybercrime.
New Cyber Civilian Corps to serve as a “volunteer fire brigade” in case of digital attack (Michigan Radio) Think for a moment of what a cyber-attack would mean for business, for government, for health care systems. Without the internet, it'd be incredibly
Vermont governor appoints 10 cybersecurity advisers (Fifth Domain) When the Republican governor announced the formation of the team last month he said that since January there had been more than 3.3 million attacks on the state’s computers, none of which were successful.
Marine Corps Sgt. Scott Stalker Assigned to Cybercom as Senior Enlisted Leader (Executive Gov) U.S. Marine Corps Master Gunnery Sgt. Scott Stalker, senior enlisted adviser for the Defense Intelli
Litigation, Investigation, and Law Enforcement
New York attorney general launches investigation of Uber’s $100,000 hack cover-up (TechCrunch) The revelation that Uber concealed a 2016 data breach affecting 57 million users and paid hackers to destroy the evidence is yet another PR nightmare for..
Skype joins list of apps on China's blacklist (Bull) Skype has apparently joined the lengthening list of internet communication tools on China's blacklist, with Apple saying Wednesday it was ordered to clear its download store of apps that violate national laws.
House Committees Get Serious in New Letter to Equifax (Security Week) The chairpersons of the House Science, Space, and Technology Committee and the House Oversight and Government Reform Committee on Monday sent a new letter to Paulino Barros, the interim CEO of Equifax.
Former Blackwater chief to testify to House panel in Russia inquiry (POLITICO) Erik Prince is reported to have tried setting up secret communications between Trump and Putin.
Iranian charged in HBO hack as Congress weighs nuclear pact (POLITICO) The indictment comes amid allegations the charges were rushed to bolster Trump's case against Tehran.
Alleged Hacker Who Stole 'Game of Thrones,' Other HBO Shows Indicted (New York Law Journal) According to prosecutors, the Iranian national formerly worked for the military before hacking HBO's network and then attempting to ransom the company's shows and information for $6 million.
Feds Indict Iranian for HBO Hack—But Good Luck Arresting Him (WIRED) Months after tormenting HBO with the release of unaired episodes and Game of Thrones spoilers, the alleged hacker has been indicted.
French police detain Russia's 'secret oligarch' in Nice (Deutsche Welle) Russian lawmaker Suleiman Kerimov, dubbed the "secret oligarch," has been taken into police custody in southern France. Russia's embassy has extended "all possible assistance" to the billionaire senator.