Cyber Attacks, Threats, and Vulnerabilities
The Russian Embassy Is Asking People to Become Twitter Bots (Motherboard) The Embassy to the UK's diplomatic newsletter service involves a suspect third-party Twitter app.
Kremlin seeks to sway British public opinion? (SC Magazine UK) Head of the UK's National Cyber Security Centre has written to political parties, warning of potential Russian-backed hacking to sway British electorate a certain way.
Beware of the app that’s out to empty your bank account (The Standard) Cyber security company ESET has discovered a dangerous new application that is targeting Android devices.
13 Google Play Store Apps Caught Stealing Instagram Credentials (BleepingComputer) Instagram users are once again the targets of malicious Android apps hosted on the Play Store, apps which steal their credentials on false claims of boosting their account's follower numbers.
How 13 apps attempted to steal 1.5M Instagram credentials: ESET (TECHSEEN) ESET has discovered 13 mobile applications on the Google Play Store that were phishing for Instagram credentials and stealing them to a remote server
PetrWrap, the "Almost Flawless" Ransomware (Infosecurity Magazine) Cyber-criminals are stealing from their peers in the latest ransomware family example, dubbed PetrWrap.
New 'PetrWrap' Signals Intensified Rivalry Among Ransomware Gangs (Dark Reading) PetrWrap modifies Petya ransomware so its authors can't control unauthorized use of their malware.
Experts Warn On Rise Of Hacker Ransoms (Information Security Buzz) The National Crime Agency and National Cyber Security Centre have launched a report into ‘The cyber threat to UK businesses’ …
Third-Party App Hack Results in Hijack Twitter Accounts (Infosecurity Magazine) Accounts belonging to BBC, Amnesty and security expert Graham Cluley among those used to send pro-Turkey messages
Prominent Twitter accounts compromised after third-party app Twitter Counter hacked (TechCrunch) A number of prominent Twitter accounts were hacked to tweet Nazi messages after Twitter Counter, a popular tool for analyzing Twitter followers, was hacked...
Sorry for the Nazi spam from my Twitter account (Graham Cluley) It happened to me (and many others). It could happen to you.
New Imeij IoT Malware Targets AVTech Equipment (BleepingComputer) A new malware strain named Imeij has been detected in the wild targeting equipment made by Taiwanese manufacturer AVTech. According to Trend Micro ...
EdgeWave Discovered New Spam Technique Exploiting Ubiquitous URL Shorteners (Marketwired) EdgeWave, Inc.®, a leading provider in cybersecurity and compliance, today revealed a new, malicious exploit embedded in popular URL shorteners, which are being mistaken as legitimate URLs.
Addressing SAP HANA Zero-Day Critical Vulnerabilities (Security Intelligence) SAP HANA customers should invest in an active threat monitoring and detection solution — meaning a SAP-specific threat vector detection.
Vulnerability in WhatsApp and Telegram allowed complete account takeover (Help Net Security) Check Point researchers revealed a new vulnerability on WhatsApp & Telegram’s online platforms – WhatsApp Web & Telegram Web.
Hire a DDoS service to take down your enemies (CSO Online) With the rampant availability of IoT devices, cybercriminals offer denial of service attacks to take advantage of password problems.
AlphaBay: Avenue on the “new” Silk Road? (Wapack Labs) Carding forum AlphaBay’s (AB) rules, posted on Twitter, have sparked debate in the underground that the forum is controlled by malicious ac...
MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks (TrendLabs Security Intelligence Blog) We’ve uncovered a new breed of point-of-sale (PoS) malware currently affecting businesses across North America and Canada: MajikPOS.
Canadian Agency Narrowly Avoids Breach from Zero-Day Flaw (BankInfo Security) Canadian authorities narrowly escaped a data breach by stopping an intrusion at the country's statistics agency. The cyberattack used a zero-day vulnerability in
How a serious Apache vulnerability struts its stuff (Naked Security) Officially it’s CVE-2017-5638, but in practice it’s “the bug in Apache Struts you really should have patched by now”. Here’s why…
Apache Struts 2 bug bites Canada, Cisco, VMware and others (Register) Canuck tax and stats outages revealed as patch pauses
Cisco Systems, Inc. (NASDAQ:CSCO) security team evaluating its products to assess impact (Benchmark Monitor) Cisco Systems, Inc. (NASDAQ:CSCO) security team called the weakness in Apache Struts “critical” and is evaluating many of its products to assess the impact.
Where Have All The Exploit Kits Gone? (Threatpost) For a long time, exploit kits were the most prolific malware distribution vehicle available to attackers. Where did they go and what’s replaced them?
How Every Cyber Attack Works - A Full List (Heimdal Security Blog) Here's a full list with explanations about (almost) every type of cyber attack out there.
Questions linger after ISP blocks TeamViewer over fraud fears (Naked Security) Data stolen from an ISP after a breach has led to its customers being targeted by scammers – but blocking a widely used tool is not a way to improve security
Tax office and immigration at risk of external cyber-attack, report says (the Guardian) In contrast, audit office says Department of Human Services, which includes Centrelink, is ‘cyber-resilient’
More than 120,000 affected by W-2 Phishing scams this tax season (CSO Online) Tax season doesn't officially end in the United States until April 18. At last count, 110 organizations have reported successful Phishing attacks targeting W-2 records, placing more than 120,000 taxpayers at risk for identity fraud.
March Madness Is A Winning Play For Hackers (Information Security Buzz) For fans of NCAA Men’s Basketball, there may be no greater sign of spring than Selection Sunday.
Security Patches, Mitigations, and Software Updates
Adobe, Microsoft Push Critical Security Fixes (KrebsOnSecurity) Adobe and Microsoft each pushed out security updates for their products today.
Patch Tuesday: Microsoft releases 18 security bulletins, 9 critical (Network World) Be prepared for restarts and big day of patching after Microsoft skipped Patch Tuesday in February. For March, Microsoft released 18 security bulletins split into nine critical and nine important security updates.
Microsoft stays security bulletins' termination (TechWorld) Microsoft today postponed the retirement of the security bulletins it uses to describe in detail each month's slate of vulnerabilities and patches.
SAP Patches Critical HANA Vulnerability That Allowed Full Access (Threatpost) SAP patched a critical vulnerability in its cloud-based business platform HANA today that if exploited, could allow for a full system compromise, without authentication.
Google Eliminates Android Adfraud Botnet Chamois (Threatpost) Google removed a family of malicious apps, Chamois, from its Play marketplace recently that were found manipulating ad traffic.
ZTE releases two-month-old Android security patches for Blade V8 Pro - and still no Nougat (Neowin) ZTE launched the Blade V8 Pro last month with Android 6.0.1 Marshmallow onboard. Its first software update isn't Android 7.0 Nougat, though - it's the Android security patches from January.
Cyber Trends
Online fraudsters' preferred tools and techniques revealed (Help Net Security) A new report has revealed online fraudsters' favorite tools and attack techniques for creating accounts and evading detection.
DataVisor Online Fraud Report (DataVisor) The DataVisor Online Fraud Report provides insight into how bad actors are hiding amongst us inside consumer websites and mobile apps.
MWC 2017: AdaptiveMobile warns operators about IoT risks (Mobile News Online) 5G and network splicing open up new vulnerabilities to the Internet of Things. UK mobile operators need to ramp up security to weather eventual attacks from vulnerabilities opened by mass amounts of Internet of Things (IoT) devices.
Mobile workers continually expose organizations to security risks (Help Net Security) 29% of organisations have experienced a data loss or breach as a direct result of mobile working. 48% say employees are one of their biggest security risks.
Marketplace
Worldwide infosec spending to reach $90 billion in 2017 (Help Net Security) Enterprises are transforming their security spending strategy in 2017, moving away from prevention-only approaches to focus more on detection and response.
Citrix up for sale, claims report (Computing) Citrix has hired Goldman Sachs to search for potential buyers, according to insiders
Crossrider buys German co Cyberghost (Globes) Crossrider CEO Ido Erlichman: Expansion in the cyber security arena is strategically very significant.
Changing face of security and Niara acquisition (Computer Business Review) HPE’s purchase of intelligent security provider Niara is evidence of just how profoundly enterprise security is changing.
Verizon originally asked for $925M discount following Yahoo breach disclosures (CIO Dive) Eventually receiving $350 million off its original $4.83 billion purchase price, Verizon sought the discount after Yahoo revealed breaches impacted more than 1 billion users.
Why you need cyber security checks during a merger or acquisition (BetaNews) 2016 was a record setting year for data breaches and hacks.
Cryptography co Dyadic Security raises $12m (Globes) Dyadic CEO: We've changed the game for financial institutions and enterprise companies in how they protect sensitive data assets.
Sophos Plots a Course for a Synchronized Security Future (eWeek) Kris Hagerman, CEO of Sophos, discusses his security firm's strategy and technology to keep organizations safe from cyber-threats.
NSA-born Sqrrl to grow staff after finding its big data niche (Boston Business Journal) Cambridge-based Sqrrl has made the transition from one hot segment of the Greater Boston tech scene to another, and now the startup says it's ready to double down on its new market by hiring salespeople and looking for more funding in 2017.
Banks just can't find enough cyber-security talent (eFinancialCareers) Cybersecurity talent continues to be in short supply, especially when it comes to quality hires and in areas like advanced threat management, per Deloitte.
9 out of 10 IT Security Pros Surveyed Favor Experience over Qualifications, FireMon Study shows (Yahoo! Finance) FireMon, the leader in Intelligent Security Management, today announced results from a survey conducted at the recent RSA Conference that gauged the attitudes of 350 IT security professionals towards the ...
Emy Donavan to Lead AGCS Cyber Insurance Business (Yahoo! Finance) Allianz Global Corporate & Specialty SE announced a change in its global cyber leadership team. Effective March 31, 2017, Emy R. Donavan will be promoted to Global Head of Cyber reporting to Bernard Poncin, Global Head of Financial Lines at AGCS.
Forcepoint™ Expands Executive Management Team, Commitment to Customer Success Initiatives (Yahoo! Finance) Global cybersecurity leader Forcepoint™ today announced Brian J. Miller joins the company as senior vice president of customer success and operations. Miller ...
Apple hires security researcher Jonathan Zdziarski (TechCrunch) Jonathan Zdziarski has been a leading expert on Apple and iOS security and forensics for years — and now he's taking his expertise inside the company...
Products, Services, and Solutions
LockPath Partners with BankPolicies.com to Improve Policy Management for Financial Services Companies (Yahoo! Finance) LockPath, a leader in governance, risk management and compliance software, today announced its partnership with BankPolicies.com, a provider of banking policies and procedures. Through the partnership, ...
Digital Shadows Expands Visibility into Evolving Mobile Driven Risks (ResponseSource Press Release Wire) New capability will protect businesses from the threat posed by mobile apps. London and San Francisco, March 14, 2017 – Digital Shadows today announced new enhancements to its SearchLight™ digital...
5 Risks Posed by Mobile Applications that Searchlight Helps You Manage (Digital Shadows Blog) Organizations face a wide range of risks online, including cyber threats, data leakage and reputational damage.
NIKSUN Named Industry’s “Most Comprehensive Solution” (Yahoo! Finance) NIKSUN® Inc., the world leader in developing real-time and forensics-based cyber security and network performance monitoring solutions, announced today it has been featured as the cover story for Silicon India’s special Enterprise Security edition.
Technology-Savvy Hospital Outsmarts Cybercriminals With Palo Alto Networks Next-Generation Security Platform (PRNewswire) Palo Alto Networks® (NYSE: PANW), the next-generation security...
Trustonic TEE to Help Protect UK Government Communications (Mobile ID World) A new partnership with Armour Communications will see Trustonic Trusted Execution Environment (TEE) technology protecting UK government assets...
Express Logic Introduces First Industrial-Grade IoT Device-to-Cloud Connectivity Platform (Businesswire) Express Logic's new X-Ware IoT Platform provides device-to-cloud connectivity for fast, safe, secure, industrial-grade connectivity of deeply em
TopSpin Makes Intelligent Deception a Hacker's Worst Nightmare (eSecurity Planet) Setting a trap using deceptive techniques may just snare many a hacker.
Austrian Social Services Provider Relies on Android Smartphones Protected by MobileIron to Enhance its Services (Yahoo! Finance) MobileIron (MOBL), the security backbone for the digital enterprise, today announced that Hilfswerk Niederösterreich, an Austrian provider of social services, chose the MobileIron platform to enhance the mobility of its 3,600 staff and 2,800 volunteers. MobileIron
Firm wins cyber security certificate (Bradford Telegraph and Argus) Bradford IT consultancy firm ITWiser is one of the first companies in the North of England to become an accredited Cyber Essentials certification…
LR announces its Cyber Secure programme – a unique, world-class approach to providing cyber security services to the marine and offshore industry (Hellenic Shipping News) Recognising the need to go further than ensuring the safe integration of cyber technology, LR has launched the next stream in its cyber and digitalisation suite of services.
Swimlane Integrates Its Automated Security Platform With Trend Micro Deep Discovery (Yahoo! Finance) Swimlane, a leader in automated incident response and security orchestration, announced today an integration with Trend Micro Deep Discovery. Together, Swimlane and Trend Micro will help customers quickly identify and respond to targeted attacks and
Imagination and Intercede demonstrate the power of the Trust Continuum in securing the IoT (GlobeNewswire News Room) Joint initiative addresses consumer security risk driven by today’s on-demand economy
Prevoty Automatically Protects Against the Latest Struts 2 Vulnerability and Attacks Targeting Remote Code Injection Vulnerabilities (Yahoo! Finance) Prevoty, the runtime application defense and intelligence company, announced today that its customers are automatically protected against popular remote code injection vulnerabilities such as the recent ...
Barracuda and Zscaler Team for Cloud-Delivered User Security (eSecurity Planet) The companies float a new cloud-based security service aimed at helping SMBs keep their users and data safe wherever they roam.
Technologies, Techniques, and Standards
Scratching the Surface: The FTC’s Phishing Tips for Victim Companies Are a Good First Step but Companies Should Not Stop There (JD Supra) In one type of phishing, fraudsters impersonate your business when contacting consumers. Phishing victims think they’re giving information to your...
Debunking 5 Myths About DNS (Dark Reading) From the boardroom to IT and the end user, the Domain Name System is often misunderstood, which can leave organizations vulnerable to attacks.
Data-matching: what happens when firms join the dots about you? (Naked Security) What is data matching, and what can you do to reduce the trail of digital breadcrumbs you leave as you travel around the web?
Why can't AI do more to help with information overload? (Computing) Microsoft, Google and others have spent enough on AI, but Peter Cochrane sees little evidence of it when it comes to email and search
A Guide to Indicator Expiration (ThreatQuotient) There is no shortage of indicator data these days. Large numbers of providers, both commercial and free, have set up shop to help fight the cause.
Verizon’s Data Breach Digest Uses Case Studies as Security Response Teaching Tools (IT Business Edge) Verizon’s annual Data Breach Investigations Report (DBIR) is one of the most respected studies on cybersecurity, cited by security professionals and security writers regularly and throughout the year.
How bad endpoint security can leave IT pros flying blind (IT Pro Portal) Many organisations consider it to be only a matter of time before they fall victim to a cyberattack.
Hackers Take Aim At The Arizona Cyber Warfare Range (KJZZ) Budding hackers huddle in a secure, windowless room as they gulp energy drinks and munch on pizza.
Cyber Resilience Framework: A Must Have for Digital Response (DATAQUEST) By Neeraj Parashar, Senior Manager-Digital Solution Architect, Business Process Services, Wipro. Recently, a cyber-hacking team successfully hacked into a driverless car model’s AI system and was able to control the car...
Guide to Safe Internet Browsing (Beginner's 101) (TheBestVPN.com) The Internet can be a dangerous place for the careless. Land on the wrong website, and you can infect your computer with malicious software that will steal your data or scramble it and demand a ransom for its return. Fill in a username and password in a bogus form, and your digital life can be …
Design and Innovation
The Autonomous Future of Warfare Looks a Lot Like Pokémon Go (WIRED) The head of the Pentagon's Strategic Capabilities Office explains how apps can help show the future of war.
The CIA uses board games to train officers—and I got to play them (Ars Technica) Also: why the CIA embraces training game cheaters, whether El Chapo hit a fire alarm.
Research and Development
Cyber Supply Chain (Defense Science Board) Modern weapons systems have depended on microelectronics since the inception of integrated circuits over fifty years ago.
BAE tech helps rapidly restore power grid after cyberattack (C4ISRNET) BAE was awarded a contract under a DARPA program aimed at quickly restoring power to the electric grid in the event of a cyberattack.
Academia
Real-world simulation to provide practice during cyber defense competition at Highline College (Auburn Reporter) College students from throughout the Pacific Northwest will have the chance to practice thwarting hackers during the annual Pacific Rim Collegiate Cyber Defense Competition on Friday, Saturday and Sunday at Highline College.
How can cyber security become part of the school curriculum? (Acumin) A new initiative, the Cyber Schools Programme, will teach cyber security skills to school children aged between 14 and 18.
Legislation, Policy, and Regulation
How Australia’s ‘Essential Eight’ sets the standard for sensitive data protection and breach notification (Security Brief) Globally, more and more jurisdictions are releasing mandates that will have a substantial impact on companies regarding breach notification.
Conflicts in cyberspace: a normative approach to preventing cyberwars (Euronews) The Russian cyber attacks that were meant to skew the 2016 US election toward Donald Trump have raised new concerns about conflicts in cyberspace. How might normative taboos, such as those against chemical and biological weapons, be adapted to the cyber realm?
A market-based approach to cyber defense: Buying zero-day vulnerabilities (Bulletin of the Atomic Scientists) It's time to look behind the tropes.
The NSA's foreign surveillance: 5 things to know (CSO Online) A contentious piece of U.S. law giving the National Security Agency broad authority to spy on people overseas expires at the end of the year.
Cybersecurity Collaboration Bill Aims to Help Companies (Bloomberg) A bipartisan Senate bill would give states more resources to help companies combat the growing cybersecurity risk, Sen. John Cornyn (R-Tex.) said March 10 in a statement.
All U.S. Companies Need to Share Cybersecurity Threat Data (Bloomberg) U.S. companies large and small feeling the burn in the aftermath of a data breach are struggling to find resources to bolster their security systems, cybersecurity industry panelists said at a March...
Statement From Advertising Trade Associations Urging Rapid Congressional Action on FCC Broadband Privacy Rule (PRNewswire) The American Association of Advertising Agencies ("4A's"), American Advertising Federation ("AAF"), Association of National Advertisers ("ANA"), Data & Marketing Association ("DMA"), Interactive Advertising Bureau ("IAB"), and Network Advertising Initiative ("NAI") issued the following statement in support of Senator Jeff Flake and Congressman Marsha Blackburn's recently introduced Joint Resolutions disapproving of the Federal Communications Commission's ("FCC") broadband privacy regulations.
Trump’s Pick For White House Cyber Post Faces Growing Industry Distrust (MeriTalk) President Donald Trump picked a National Security Agency official to lead White House cybersecurity policy issues during a time when NSA surveillance powers are up for discussion and bad blood exists between the NSA and industry.
Litigation, Investigation, and Law Enforcement
A CIA Whistleblower Shares His Views on WikiLeaks, Trump, and More (WIRED) How does the Vault 7 leak look to a famous CIA whistleblower? It's complicated.
British security official denies UK spy agency eavesdropped on Trump (Reuters) A UK spy agency did not eavesdrop on Donald Trump during and after last year's U.S. presidential election, a British security official said on Tuesday, denying an allegation by a U.S. television analyst.
U.S. to Charge 4 Hackers Involved in Massive Yahoo Data Breach (HackRead) The U.S. Department of Justice is gearing up to issue indictment orders against four hackers involved in cyber attacks against Yahoo which affected hundred
Facebook—in hate-crime clash with MPs—claims it’s “fixed” abuse review tool (Ars Technica) Lawmaker accuses Twitter, Google, and Facebook of "commercial prostitution."
Court blocks American from suing Ethiopia for infecting his computer (CSO Online) An appeals court has barred an Ethiopian-born U.S. citizen from filing a civil suit against the African country, which allegedly infected his computer with spyware and monitored his communications.
GDPR: Confusion reigns as experts disagree as to whether it's already in force (Computing) Could you be fined in May 2018 for a breach now, if the GDPR is already in force in the UK? Some experts say yes,
FBI’s methods to spy on journalists should remain classified, judge rules (Ars Technica) Reaction: "It is antithetical to a democracy that supposedly values a free press."
DOJ: No, we won't say how much the FBI paid to hack terrorist's iPhone (CSO Online) The Justice Department says it should not have to reveal the maker of a tool used last year to crack an alleged terrorist's iPhone or disclose how much it paid.
Pennsylvania sues IBM over troubled $110M IT upgrade (Computerworld) Pennsylvania is suing IBM over a never-finished $110 million IT upgrade to its unemployment compensation system. Such large-scale projects often run into trouble.
University Expels Student After Hacking Professors' Emails (BleepingComputer) A young student at the Technion Institute of Technology in Haifa, Israel was expelled this past week after the University discovered he hacked into the email inboxes of several of his professors.
How The CIA And A Tech Startup Are Arming Police, Intelligence Agencies (MintPress News) Police officers and private security contractors are getting hi-tech help with their surveillance efforts - and the CIA is picking up the tab.