Cyber Attacks, Threats, and Vulnerabilities
The Caliphate Is Destroyed, But the Islamic State Lives On (Foreign Policy) Why the United States can’t be complacent about undermining the remnants of the terrorist group.
The jihadist plan to use women to launch the next incarnation of ISIS (Washington Post) Wives and mothers of the fighters are starting to come home, but not all have left the caliphate behind.
They're calling it "love Jihad"—ISIS supporters in India are marrying Hindu women to spread extremism, reports say (Newsweek) Critics say the claim is a conspiracy theory concocted by Hindu hardliners.
Is the Philippines the Next Caliphate? (Foreign Policy) ISIS is looking to regroup, and is setting its sights eastward.
OSX.CpuMeaner: New Cryptocurrency Mining Trojan Targets macOS (SentinelOne)
Tizi backdoor rooted Android devices by exploiting old vulnerabilities (Help Net Security) Google has discovered and removed from Google Play a number of apps that contained the Tizi backdoor, which installs spyware to steal sensitive data.
Three quarters of Android apps track users with third party tools – study (the Guardian) Yale University’s Privacy Lab using research to call on developers and Google ‘for increased transparency into privacy and security practice’
Ransomware Attack Involving Scarab Malware Sends Over 12M Emails in 6 Hours (HackRead) Security researchers at the Austin-based anti-virus software firm Forcepoint have discovered a massive spam ransomware campaign in which the Scarab malware
Warning issued for ransomware outbreak (IT World Canada) Infosec leaders should be warning employees of opening email with the headers
Cybercrime selling like hotcakes: Ransomware sales soar 2500% in one year (Security Brief) The way criminals ply their trade has changed dramatically since the rise of the digital era, and not for the better – at least for the victims.
Tailored, Targeted Ransomware Evolves (Infosecurity Magazine) A focused targeting of extensions can allow many ransomware samples to hide under the radar of many defenders.
Evolution of ransomware makes it hard to defend against, warns National Crime Agency (Computing) New strains of ransomware are both more subtle and more virulent, explains head of technology Paul Edmunds
Punycode: Undetectable, but not Unbeatable (Infosecurity Magazine) While Punycode attacks can be beaten, there’s only so much that businesses can do to protect individuals and organizations.
How does the Stack Clash vulnerability target Unix-based OSes? (SearchSecurity) Stack Clash, an older privilege escalation vulnerability in Unix-based OSes, puts enterprises at risk. Here's how to defend against potential exploits.
Chicago: Uber’s claim that hackers fully deleted stolen data is “nonsensical” (Ars Technica) Uber's been sued at least 11 times in just 1 week, faces new scrutiny from Senate.
Data Breaches Within the Retail and Hospitality Industries (BitSight) In this blog, BitSight researchers examine data breach trends within the Retail and Hospitality industries.
10 tips to optimize security during the holidays (Help Net Security) Optiv Security shared its annual list of tips to help organizations get the most from their security programs during the busy holiday season.
Expensify sent images with personal data to Mechanical Turkers, calls it a feature (Ars Technica) Expensify announces "private" transcription on Mechanical Turk as "Turkers" report seeing sensitive data.
Hackers can Exploit Load Planning Software to Capsize Balance of Large Vessels (HackRead) Ships can be hacked and the reason is its vulnerable messaging system. It is a fact that ship loading and container stowage plans are created without using
IBM Discovers Cybercrime Ring Targeting Canadian Businesses (PYMNTS) IBM X-Force, the cybersecurity intelligence and research unit of IBM, has reportedly discovered a cybercriminal ring operating out of Ukraine targeting Canadian businesses.
Canadian Business Banking Customers Hit With Targeted Phishing, Account Takeover Attacks (Security Intelligence) A targeted phishing campaign aimed at Canadian businesses prompts users with high levels of access to divulge login credentials and authentication codes.
Thousands of FTSE 100 Corporate Log-Ins Found on Dark Web (Infosecurity Magazine) Anomali spots over 16,000 emails and plain text passwords for sale
Federal student aid site offers one-stop shopping for ID thieves (Ars Technica) If you have someone’s name, birthdate, and SSN, FAFSA site will give up sensitive data.
Federal Websites Still Lack Basic Security (Infosecurity Magazine) Only 71% of all the reviewed websites passed the SSL test.
DoS (Denial of Service) Attack Tutorial: Ping of Death, DDOS (guru99) DOS is an attack used to deny legitimate users access to a resource such as accessing a website, network, emails, etc. or making it extremely slow.
The 10 Wildest Ways Hackers Steal Data (Top10VPN.com) Our infographic reveals the unexpected ways that hackers steal data. It's not just your laptop and smartphone, even your morning cup of coffee isn't safe.
What Amazon Echo and Google Home Do With Your Voice Data (WIRED) Like the idea of Amazon Echo and Google Home, but feel uneasy about all that recording? Here's what they listen to—and how to delete it.
Security firm Bkav: Face ID not secure enough for business transactions (Phone Arena) You might recall that earlier this month, we told you that Vietnamese security firm Bkav had invented a mask that apparently defeated the Apple iPhone X's Face ID. The company has reached out to us this morning to tell us that it has invented a new mask that will allow twins to defeat Apple's facial recognition system. And with that, comes a warning.
iPhone X Face ID fooled again by 'evil twin' mask (Register) Apple's facial-recog tech 'not secure enough for business' claim researchers
Hackers can easily tap into an office phone and listen to everything you're saying — here's how (Business Insider) Cybersecurity expert Ang Cui explains the exploit, how someone might use it to spy on you, and what you can do to protect yourself.
How one man could have deleted any image on Facebook (Naked Security) Pouya Darabi found how to embed other people’s images in a Facebook poll so that deleting *his* poll also deleted *their* files.
Security Patches, Mitigations, and Software Updates
PowerDNS patches five security holes in widely used nameserver software (Help Net Security) PowerDNS has pushed out security updates and patches for its PowerDNS Authoritative Server and Recursor nameserver software.
Google Detects Android Spyware That Spies On WhatsApp, Skype Calls (The Hacker News) Google has discovered a fully featured backdoor that installs an auto-rooting Tizi Android spyware app on targeted devices.
Google Finance gets redesigned, finally dumps Adobe Flash (Ars Technica) Google Finance now lives as a tab in Search, and some features are going away...
Cyber Trends
The Looming War of Good AI vs. Bad AI (Dark Reading) The rise of artificial intelligence, machine learning, hivenets, and next-generation morphic malware is leading to an arms race that enterprises must prepare for now.
Q3 2017 Akamai State Of The Internet / Security Report Reveals Significant Increase In Web Application Security Attacks, Evolution Of Attacker Strategies (Akamai) Holiday shopping season may see new attack types leveraging IoT devices, mobile platforms
Majority of consumers would stop doing business with companies following a data breach, finds Gemalto (CSO) A majority (70%) of consumers would stop doing business with a company if it experienced a data breach, according to a survey of more than 10,000 consumers worldwide conducted on behalf of Gemalto, the world leader in digital security.
What Developers Need to Know about the State of Software Security Today (Veracode) Developers are constantly thrown under the bus when it comes to appsec woes, but it's time to put the “lazy developer trope” to bed. Devs do care about security: Veracode recently found that developers rarely try to rig the system by rejecting findings as false positives or as mitigated by design. In the last year, devs documented mitigations for just 14.4% of all the flaws found by Veracode’s platform.
Why the Cyber-Criminals are Winning the Fight of Good vs. Evil (Infosecurity Magazine) There’s an entirely new way of being a criminal, and most people don’t even realize it.
Soaring Cost of Cyber Attacks Raises Concerns for Boston Healthcare Industry (BostInno) According to a new report from the Ponemon Institute, the cost and frequency of cyber attacks is on the rise — and one industry, in particular, is getting hit especially hard. Healthcare institutions are expected to lose $1.3 billion to cyber attacks in 2017 alone, and with some of the top hospitals in the country located here in Boston, that brings the threat and potential economic impact of cyber attacks even closer to home.
London and Berlin are Most Exposed Cities in Europe (Infosecurity Magazine) Trend Micro research finds millions of connected devices can be remotely attacked
The Quantum Spy Author David Ignatius on the Future of High-Tech Espionage (WIRED) In his latest novel, David Ignatius tackles the intersection of quantum computing and spying
Marketplace
Security business Barracuda Networks acquired for $1.6 billion (TechCrunch) Private equity giant Thoma Bravo has agreed today to buy Barracuda Networks in a take-private deal that's valued at $1.6 billion. The company was offered..
Barracuda reeled in by Thoma Bravo (CRN) UK's sole Premier partner anticipates a faster Barracuda under private equity ownership
Trend Micro Buys Immunio (Dark Reading) The acquisition is aimed at balancing the speed of DevOps with application security.
Akamai Completes Acquisition of Nominum (Multichannel News) Akamai Technologies, Inc. (NASDAQ: AKAM) today announced the company has completed its acquisition of Nominum, a provider of DNS-based security solutions supporting many of the world’s leading carriers.
SoftBank makes offer for Uber shares at 30% discount (TechCrunch) A SoftBank Group-led team of investors has made an offer to buy Uber's shares in a tender offer that would value the company at about a 30% discount to Uber's..
A $35 million expansion to the Cyber Innovation and Training Center (WJBF-TV) The second facility should be finished in December of 2018.
Cybersecurity Professional Recruitment Chaos (CSO Online) Because of the global cybersecurity skills shortage, nearly half of all cybersecurity professionals are solicited to consider other jobs at least once per week
Meg Whitman’s legacy? Restoring Hewlett-Packard's relevancy (Silicon Valley Business Journal) After six years helming Hewlett Packard businesses, Meg Whitman’s legacy will be known for the resurrection of a veteran Silicon Valley company that long struggled to regain its luster.
Booz Allen's defense and intelligence chief to retire, setting up leadership change across three divisions (Washington Business Journal) McLean-based Booz Allen Hamilton (NYSE: BAH) will undergo a major leadership change come mid-2018, as the longtime head of its defense and intelligence businesses retires.
John McAfee Joins Advisory Board of Hacken (Business Insider) Hacken, the first custom-tailored decentralized token for cybersecurity professionals, announces John McAfee, a legend in the IT and cybersecurity fields, joining as an advisor to the Hacken Ecosystem, where he joins advisor Krowd Mentor and partner TaaS Fund.
New CSO, CISO appointments (CSO Online) Find up-to-date news of CSO, CISO and other senior security executive appointments.
Products, Services, and Solutions
The Risk of Overconfidence in the Cybersecurity Perimeter (Bricata) A 2017 survey of IT leaders suggests the vast majority of businesses are overconfident in their perimeter defenses. More than 90% said, “businesses feel that perimeter security is keeping them safe.”
CrowdStrike Falcon is Now Available on AWS Marketplace (BusinessWire) CrowdStrike Inc., a leader in cloud-delivered endpoint protection, today announced the availability of the CrowdStrike Falcon platform on Am
Prey Software Expands Mobile Device Management Capabilities for Apple iOS Users (GlobeNewswire News Room) Apple Push Certification establishes trusted connection for advanced anti-theft security such as data lock/wipe and mass actions
GuardiCore Advances Centra Platform To Simplify Micro-Segmentation (PRNewswire) GuardiCore, a leader in cloud and data center...
ERPScan releases AI-driven SAP cybersecurity platform (Inside SAP) A new platform from cybersecurity research firm ERPScan uses machine and deep learning to cover all aspects of SAP security – predictive, preventive, detective and responsive capabilities – in a single solution.
Technologies, Techniques, and Standards
Massively Popular, Session Replay Scripts are a GDPR Liability (RiskIQ) Querying our own data, RiskIQ uncovered that the domains of 38 of the top 50 U.S. online retailers contain session replay scripts.
GDPR is not an IT project, warns expert panel (Computing) Erik Vynckier, board member of Foresters Friendly Society, and Paul Edmunds, head of technology at the National Crime Agency, explain how they're preparing for the upcoming GDPR
Alliance for Cyber Risk Governance Conference Establishes Community to Develop New Framework (GlobeNewswire News Room) Inaugural conference highlights the gaps in risk measurement and reporting reaffirming need for a more pragmatic framework
IoT Regulation: One Rule to Bind Them All vs Mission Impossible (Infosecurity Magazine) Two experts explore whether the IoT could (and should) be regulated
Could an air conditioner take down a military base? The Pentagon is worried (Fifth Domain) The Pentagon is looking to take steps against the possibility that a cyberattack could take down the crucial infrastructure at its bases, both domestically and overseas, per a top department official.
Advancing ICS Cybersecurity for Low-Impact Electricity Carriers (Nozomi) Cybersecurity threats to the power grid are a continuous danger nowadays, and because of this, regulation in North America may expand from covering bulk electricity carriers to low-impact carriers.
The best defense is a good offense: The case for new data security platforms (SiliconANGLE) Damaging news reports of data breaches at familiar companies like Uber Technologies Inc. and Equifax Inc. are scaring enterprises straight.
Get serious about patch validation and deployment -- fast (SearchITOperations) Patch validation keeps IT infrastructure stable and secure. Develop a security patching process to protect data, with dedicated staff or as-a-service tools.
The Motherboard Guide to Avoiding State Surveillance (Motherboard) A straightforward guide to privacy, messaging, and keeping yourself safe from passive and active surveillance.
Design and Innovation
Is the US behind in cyber-enabled info operations? (C4ISRNET) How information-related capabilities – especially through the cyber domain – manifest themselves from a joint command construct, is murky.
Facebook tool will reveal if you were fooled by Russian propaganda (Naked Security) Facebook says that Russia-backed posts reached 126 million Americans during the 2016 US election.
To Handle Its Influx of Drone Footage, Military Should Teach AI to Watch TV (WIRED) Opinion: The Pentagon collects so much surveillance footage that humans can’t watch all of it. It’s time to deploy AI.
The Federal Cyber AI IQ Test (MeriTalk) With the advent of cloud, IoT, and other next-gen technologies, the Federal government’s digital footprint is growing at an exponential rate.
AI is Here, Is Your Company Ready? (Hint: No) (New York Law Journal) The scale and scope of artificial intelligence is well-described. Merrill Lynch predicts an “annual creative disruption impact” of $14 to $33 trillion…
Penthouse adopts Blockchain as Traffic Becomes Adult Industry’s Top Revenue Source (ChipIn) Penthouse and Exxxtasy join forces to launch Vice Token that enables content monetization and payments...
Research and Development
Researchers Demonstrate 'Un-Hackable' Quantum Encryption (Infosecurity Magazine) It’s capable of creating and distributing encryption codes five to 10 times faster than existing methods and on par with current internet speeds.
Legislation, Policy, and Regulation
Opinion: Pakistan's ignominious surrender to Islamists (Deutsche Welle) November 27 will be remembered as a "black day" in Pakistan – a day when religious hardliners forced the entire state to surrender over a blasphemy row. And the military sided with Islamists, writes DW's Shamil Shams.
Allies and EU countries developing cyber offenses, but against whom to apply them? (Jane's 360) While a number of NATO and EU countries are developing their cyber offensive capabilities, these will do little good if the provenance of cyber attacks against them cannot be precisely attributed.
The end of net neutrality draws near (Naked Security) Will it mean a newly vibrant and competitive internet or an internet for the rich?
The End of Net Neutrality Means ISPs Could Crack Down on Cryptocurrencies (Motherboard) Experts worry that net neutrality repeals could affect everyone's favorite magic internet money.
Many agencies leery of continuous evaluation, as DoD plans to go all in (FederalNewsRadio.com) Many civilian agencies say they need more guidance and information from ODNI about key components of the continuous evaluation program.
“Fixes” to FISA Could Severely Harm FBI National Security Investigations (Slate Magazine) There is a national security imperative for the FBI to review quickly and efficiently data that the government has lawfully collected.
Senators introduce revenge porn bill (TechCrunch) Senators Kamala D. Harris (D-CA), Richard Burr (R-NC) and Amy Klobuchar (D-MN), as well as Rep. Jackie Speier introduced a bill today to address revenge porn...
Litigation, Investigation, and Law Enforcement
Iran targeting international IP for theft and extortion (CSO Online) Various Iranian hacker groups are successfully stealing or illegally procuring IP using all the tools in the toolbox to achieve their results.
US charges 3 Chinese nationals with hacking (CNN) The Justice Department on Monday unsealed an indictment against three Chinese nationals in connection with cyberhacks and the alleged theft of intellectual property of three companies, according to US officials briefed on the investigation.
Security firm was front for advanced Chinese hacking operation, Feds say (Ars Technica) The accused hacked 3 multinational corporations in pursuit of intellectual property.
Flynn's lawyer meets members of special counsel's team, raising specter of plea deal (ABC News) The lawyer for President Donald Trump’s former national security adviser Michael Flynn met Monday morning with members of special counsel Robert Mueller’s team.
FBI deviated from its policy on alerting hacking victims (WTOP) WASHINGTON (AP) — The FBI deviated from its own policy on notifying victims of computer hacking when it left many U.S. officials and other Americans in the dark about Kremlin-aligned attempts to break into their…