Cyber Attacks, Threats, and Vulnerabilities
Isis uses terror attack to sign up YouTube recruits (Times (London)) Islamic State has flooded YouTube with hundreds of violent recruitment videos since the terrorist attack in London last week in an apparent attempt to capitalise on the tragedy, The Times can reveal.
Annual Anonymous cyber attack against Israel April 7 (Israel National News) 'Despite meager achievements of offensive in previous years, take into account this year takes place on weekend'
Apple Ransom Threat: Legitimacy is Elusive (Infosecurity Magazine) The group is asking for $75,000 in Bitcoin or $100,000 in iTunes gift cards before the April 7—or it will wipe millions of iPhones.
Experts Doubt Hackers’ Claim Of Millions Of Breached Apple Credentials (Threatpost) Security experts say they are skeptical that a group called Turkish Crime Family actually possess a cache of hundreds of millions of Apple iCloud account credentials.
WikiLeaks Won’t Tell Tech Companies How To Patch CIA Zero-Days Until Its Demands Are Met (Collective Evolution) WikiLeaks doesn’t like to make things easy, and now it seems Google, Microsoft, and Apple are learning that reality firsthand. A partnership between the three tech companies and the non-profit organization has hit its first road block. WikiLeaks recently promised it would spill the technical details and code of the hacking tools the CIA used against Google...
Why Apple totally dissed WikiLeaks this week (Business Insider Australia) Julian Assange's website WikiLeaks is in...
WikiLeaks: CIA hacking tools infiltrate iPhones, MacBooks - Apple: It's an old story (HackRead) WikiLeaks have been known to publish classified documents for a long time, and Thursday was no different the whistleblower organization revealed a new set
Apple: Mac, iPhone Bugs That CIA Allegedly Exploited Were Fixed Years Ago (Dark Reading) New WikiLeaks data dump describes Sonic Screwdriver, other CIA exploits for Mac desktops and iPhones
WikiLeaks Claims CIA Bugs ‘Factory Fresh’ iPhones – OpEd (Eurasia Review) The latest leaks from WikiLeaks’ Vault 7 is titled “Dark Matter” and claims that the CIA has been bugging “factory fresh” iPhones since at least 2008 through suppliers. Following is the full …
Latest WikiLeaks dump shows CIA targeting Apple earlier than others (Naked Security) Focusing on Macs makes sense, say experts: ‘many high-value targets love to use Macs’
The U.S. government is stockpiling lists of “zero day” software bugs that let it hack into iPhones (Vice) When the U.S. government couldn’t force Apple to give it access to the iPhone used by the shooter in the San Bernardino massacre, it reportedly paid $1 million for a secret software vulnerability that gave it full access to the phone. These undiscovered software bugs — so-called “zero day” vulnerabilities…
Cyber Firm Rewrites Part of Disputed Russian Hacking Report (VOA) CrowdStrike has revised, retracted statements it used to support allegations of Russian hacking during US presidential campaign; VOA reported company misrepresented data acquired from British think tank
Android Forums hacked; password reset notice issued (HackRead) Android Forums, a popular platform for Android users, has announced that its servers were accessed by a third-party resulting in a data breach.
Lesson from Cloudbleed: reverse proxy or DNS redirection-based third party security solution integrations in your website are privacy risks (ShieldSquare) The Cloudbleed security bug raises serious concerns on the privacy implications when integrating reverse proxy or DNS redirection-based third party security solutions in your site.
Quick Heal detects ‘Cerber Ransomware’ delivered from an Indian bank’s website - ET CIO (ETCIO.com) Quick Heal has detected that the Cosmos Bank website was compromised with the infamous RIG exploit kit which was delivering ‘Cerber Ransomware’
Bot wiping out gift card accounts (CSO Online) Distil Networks has found a bot affecting nearly 1,000 customer websites. Gift cards are under attack by hackers, and consumers are being advised to check their balances.
Watch Out For GiftGhostBot: Steals Gift Card Balances (Tech Times) Distil Networks identified a major threat to online businesses dubbed GiftGhostBot. The bot stole money from customers' gift card accounts and caused distress to retailers.
Almost 1,000 Online Stores Under Attack from GiftGhostBot Botnet (BleepingComputer) A botnet specialized in gift card fraud is using the infrastructure of nearly 1,000 websites to check the balance of several types of electronic gift cards in order to defraud legitimate card owners.
Stolen Credit Cards for Sale Via CryptoCheck Payments (Wapack Labs) A member of a clear web hacker forum is hosting an active website advertising services. The website provides links to stolen credit/debit ...
87 fake Minecraft mods exposed Android users to scammy websites, aggressive ads (Graham Cluley) Google has removed 87 fake Minecraft mods from its Play Store that exposed Android users to scammy websites and aggressive ads.
New Attack "XSSJacking" Combines Clickjacking, Pastejacking, and Self-XSS (BleepingComputer) Security researcher Dylan Ayrey detailed last week a new web-based attack named XSSJacking that combines three other techniques — Clickjacking, Pastejacking, and Self-XSS — to steal data from careless users.
March Madness Hoops Baskets of Malware, Scams (Infosecurity Magazine) Best ratings in two decades attract threat actors who've produced a variety of ways to trick fans into downloading malicious code.
March Madness Fake Streams and Phishing Attempts (Cloud Security Solutions | Zscaler) A look at malicious activity on the Internet around March Madness
14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites (BleepingComputer) During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word "PayPal" in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites.
The most common types of phishing attacks (Hotspot Shield) Hackers can carry out phishing attacks in a number of ways. Here are three of the most common ones, and how an Internet security VPN can prevent them.
Most Common Forms of Cyber Attack (Business News Wales) As more and more of our business is carried out online, and further innovation allows greater and more efficient use of the Internet with increased use of data
Hackers increase attacks on energy sector computers (Houston Chronicle) The agency responsible for protecting the nation from cybercrime said it worked to mitigate 290 incidents last year across more than a dozen industries that rely on computer controls to run industrial sites, including manufacturing sites, power generation facilities, refineries, chemical plants and nuclear facilities.
SCADA cyber attacks: Eugene Kaspersky warns of global blackout (Computer Business Review) Eugene Kaspersky issues a warning of catastrophic attacks on infrastructure unless we utilise skills and technologies to secure it...
Surprise: Cyber presents serious environmental consequences (C4ISRNET) Too often cyber talk overlooks potential for devastating cascading effects.
The Apps That Most Frequently Appear on Companies' Blacklists (Panda Security Mediacenter) Apps installed on smartphones and tablets can be one of the biggest risks for companies. Here, we look at some of the ones that are most frequently banned.
Used devices are a treasure trove of personally identifiable information (Help Net Security) 40 percent of hard drives, mobile phones and tablets resold in publicly-available resale channels contain personally identifiable information (PII).
Is It OK to Dox a Nazi? Antifascists Think So (WIRED) The antifascist doxxing guru thinks hate should have consequences. But doxxing anyone is morally sticky.
Security Patches, Mitigations, and Software Updates
Instagram Has Two-Factor Authentication Now, So Turn It On (WIRED) It takes just a few minutes to secure your Instagram account. Here's how to do it.
Is eBay putting users' security at risk by 'downgrading' to text-based authentication? (International Business Times UK) Is SMS-based authentication really such a bad thing? The debate rages on.
Google, Symantec Security Clash (Channel News) Google and Symantec are set to lock horns over the use of standard certificates that check the identity of thousands of Web sites.
A Message To Our CA Customers (Symantec) In connection with the statement posted to Symantec’s Blog on March 24, 2017, Symantec has been reaching out to its customers.
Reminder: Microsoft Will Pull the Plug on Windows Vista in Two Weeks (BleepingComputer) We're almost two weeks away from Windows Vista's official End of Life (EoL) date, April 11, 2017, more than ten years after Microsoft officially launched Windows, back in January 2007.
Microsoft vows to strengthen the security of Edge's sandbox (Neowin) Microsoft has detailed the several layers of security in its Edge browser that reduce the chances of malicious exploits by attackers, stating that it will continue to strengthen the Edge sandbox.
Cyber Trends
Ixia survey finds network complexity is weakening enterprise security (Security Brief Asia) IT networks that are too complex may be the downfall of organisations' security, new study by Ixia finds.
IoT Devices are Dramatically Expanding Your Digital Footprint (SecurityWeek) IoT devices are the rage for consumers and business alike. While sound business has always been data-driven, consumers have latched onto data and remote control capabilities.
Emerging Tech Creates Cybersecurity Solutions, Threats (Bloomberg) Companies must understand that artificial intelligence, quantum computing and other new technologies bring both opportunities and collateral cybersecurity threats, panelist and lawmakers said at a...
Tobias Stone talks about identity, cryptography, and the future of citizenship (TechCrunch) In this episode of Technotopia I walk to Tobias Stone, a writer, entrepreneur, and academic. Tobias has been writing on Trump and Brexit and worked with..
Privacy vs. Cybersecurity (SecureWorks) Do today's models work with the Internet of Things and its cousin, big data?
SailPoint President: There is no perimeter anymore, defence must start from within - Computer Business Review (Computer Business Review) Kevin Cunningham, SailPoint President and Co-founder told CBR about his take on the cyber threat landscape, and what he thinks must be done to survive...
Like it or not, "cyber" is a shorthand for all things infosec (Help Net Security) It’s fair to say that some of the industry’s suspicion about cyber comes from the fact that it’s broad enough to cover the charlatans in the industry.
Marketplace
Data obstacles hamper cyber insurance growth (Property Casualty 360) Insurers may need to change their traditional underwriting approach to meet bullish forecasts for cyber coverage sales.
UK’s SMEs See the Light as Cyber-Insurance Adoption Grows (Infosecurity Magazine) UK’s SMEs See the Light as Cyber-Insurance Adoption Grows. GlobalData stats show levels still low overall
Israeli cyber firms show their wares in Paris (Globes) At an event backed by the France-Israel Chamber of Commerce, Israeli cyber-security pioneers met CISOs from major French corporations.
Israeli cyber security firm Votiro raises $10 million for Aussie IPO expansion plans (Financial Review) Votiro Cybersec will become the third foreign cyber security firm to announce its plans to list on the ASX in as many weeks.
Cybersecurity stocks: one to buy and one to avoid (The Motley Fool UK) Cyber security stocks are one of the hottest tickets around. But which are best? Here's one to love and one to avoid.
General Dynamics to support intel ops in Europe (C4ISRNET) General Dynamics Information Technology has been awarded a $16 million DIA task order to support intelligence operations in Europe.
The Secret to Winning the War for Security Talent (Infosecurity Magazine) Hiring the right security staff is the most critical for managing risk.
Darktrace joins elite as Business of the Year (Business Weekly) Cyber security star Darktrace was last night named Business of the Year in the 28th annual Business Weekly Awards at Queens’ College, Cambridge.
Products, Services, and Solutions
Comodo to open its Certificate Transparency logs to all CAs (SearchSecurity) Two new Certificate Transparency logs from Comodo aim to keep the process free and open; Google will review the proposed logs.
Fidelis Cybersecurity joining forces with A10 Networks Inc. (NYSE:ATEN) (Benchmark Monitor) Fidelis Cybersecurity is joining forces with A10 Networks Inc. (NYSE:ATEN), a secure application services™ company. A10 lets customers gain visibility into encrypted traffic and Fidelis uses its deep session inspection to discover and prevent the advanced tactics used by today’s adversaries such as exploits and malware embedded in content that other solutions miss.
Hawaiian Telcom adds DDoS mitigation services to security services line (Fierce Telecom) Hawaiian Telcom is looking to help its business customers stay ahead of security threats with its cloud-based Secure Internet Protection solution that it said protects businesses against distributed denial-of-service (DDoS) attacks.
Zukünftig gemeinsame Sache: G DATA und Dicide gehen Partnerschaft ein (Pressebox) Microsoft Cloud Solution Provider setzt auf Managed Endpoint Security Made in Germany
SIX and IBM to build Watson-powered cyber-security hub (Finextra Research) Swiss Financial infrastructure operator SIX is to use the cognitive computing ability of IBM Watson to build a new cyber-security hub to help banks comply with Swiss privacy laws and regulations.
Technologies, Techniques, and Standards
US Critical Infrastructure Cybersecurity Milestone - Information Security Buzz (Information Security Buzz) Last week the Idaho National Laboratory (INL) and the Department of Homeland Security (DHS) announced the successful completion of the 100th iteration of the Industrial Control Systems Cybersecurity training on defending systems used across the critical infrastructure sectors. Since April 2007, over 4,000 cybersecurity professionals have participated in the advanced course. These professionals represent all …
Phishing 101 at the School of Hard Knocks (KrebsOnSecurity) A recent, massive spike in sophisticated and successful phishing attacks is prompting many universities to speed up timetables for deploying mandatory two-factor authentication (2FA) — requiring a one-time code in addition to a password — for access to student and faculty services online.
Intro to Cyber Insurance: 7 Questions to Ask (Dark Reading) Buying a cyber insurance policy can be complex and difficult. Make sure you're asking these questions as you navigate the process.
Network Access Control: Restricting and Monitoring Access to Your Network and Data (eSecurity Planet) Network access control lets IT departments determine which users and devices have authorized permissions, adding another level of security to the network and its data.
Do You Know Your ABCs? (SecurityWeek) Ah, RSAC 2017. Into the bowels of Moscone, I dove. Submerged in a calliopean frenzy of schwag hawkers and “where the world talks security” messaging. From the Marvel-esque call to “Be a hero!” to the more existential reminder that “Every moment counts!” I found myself drowning in a sea of Secure! Protect! Defend!
Vulnerability Intelligence in the Age of Rapid Exploitation and Patch Fatigue (SC Magazine US) With the advent of automated malware creation, distribution and attacks, InfoSec teams are finding that protection tools -- firewalls, intrusion detection
How to make your small business ready for a potential cyber attack (Baltimore Business Journal) In a technology climate riddled with ransomware and other threats, there’s no room for complacency.
A new approach is needed in the battle against cyber attacks (Help Net Security) How do you search for something that’s invisible? An increase in the sophistication means that it takes 146 days before a corporate hack is discovered.
Design and Innovation
Matroid can watch videos and detect anything within them (TechCrunch) If a picture is worth a thousand words, a video is worth that times the frame rate. Matroid, a computer vision startup launching out of stealth today, enables..
The Spy Who Checkmated Me: Why Postal Chess Was Banned During Wartime (Motherboard) The United States banned postal chess during WWII because it feared the game was being used to send secret messages. But how would this actually work?
Research and Development
N. Korea invents ‘quantum code communication’ tech: Naenara | NK News - North Korea News (NK News - North Korea News) North Korea claims it has invented a system for secure quantum-cryptographic communications, according to a report from the state-run Naenara news outlet published on Friday.
Legislation, Policy, and Regulation
Estonia: security will not be bargaining chip in Brexit negotiations (the Guardian) President Kaljulaid says Estonia sorry to see UK leave EU after British troops arrived under Nato to deter Russian aggression
Govt agencies urged to adopt a 'culture of security' (Technology Decisions) Government agencies should draw lessons from the 2016 online census outage and take steps to improve their cybersecurity posture, relationships with vendors and public engagement, according to Alastair MacGibbon.
Country to deploy cyber defence system in October (Star) The country’s cyber defence system will be fully operational this October, said Datuk Seri Hishammuddin Hussein.
SB 1277 no guarantee for secure Internet access–Kaspersky Lab (Business Mirror) Russian cyber-security firm Kaspersky Lab ZAO has cautioned Filipino netizens on a proposal to provide open Wireless-Fidelity (Wi-fi) networks in public places nationwide.
Developing countries support cybersecurity: Official (The Jakarta Post) The Communications and Information Ministry’s International Cooperation Center head, Ikhsan Baidirus, said developing countries had agreed to give close attention to the strengthening of cybersecurity during the regional preparatory meeting for 2017 World Telecommunication Development Conference in Bali.
U.S. needs to stop Russian electoral interference, NSA’s top civilian leader says (Washington Post) Richard Ledgett, the deputy director who dealt with the Snowden disclosures, will retire in April.
Beyond Russian hacking, cyber policy options begin to emerge (Washington Examiner) That Russia conducted an influence campaign is clear, but what does that mean for the policy world?
This Is How Russian Hackers Will Attack the US Next (Defense One) The U.S. needs to be planning now how it will respond.
Pentagon growing concerned with Chinese investments in America’s high-tech start-ups (Defense News) A report commissioned by DoD was circulated among senior Trump administration officials this week, stating that Beijing has been encouraging Chinese companies to invest in American start-ups.
Privacy Advocates Vow to Fight Rollback of Broadband Privacy Rules (Threatpost) Privacy activists say rolling-back ISP privacy rules means health, financial and browsing habits can be used, shared and sold to the highest bidder without consent.
How ISPs can sell your Web history—and how to stop them (Ars Technica) How the Senate's vote to kill privacy rules affects you.
Former Govt Officials Push for DHS Cyber Reorganization (Executive Gov) Some former government cybersecurity experts said at a House committee hearing held Wednesday they b
SECURITY: Grid execs seek to reopen threat-sharing pipeline with Trump (null) Members of the electric power industry's leadership committee on cybersecurity met privately with Energy Secretary Rick Perry and other White House and government officials Wednesday, seeking the new administration's commitment to continue high-level sharing of sensitive cyberthreat intelligence.
Next Steps for U.S. Cyber Command after Split with NSA (The Cipher Brief) We all know it’s coming, and soon. There is significant momentum for elevating U.S. Cyber Command to a full combatant command. We should expect that soon. Bifurcating Cyber Command’s and the National Security Agency’s leadership from one leader to separate leaders for each organization also has strong momentum and should happen by October 2018 or sooner. Why that date?
New cyber warriors face culture shock (FCW) The U.S. military services are scrambling to recruit and train new cyber warriors, but that is also requiring cultural changes in institutions known for order, tradition and stability.
Litigation, Investigation, and Law Enforcement
One man still held by terror police (Times (London)) The Westminster attacker is suspected of taking instructions from accomplices in the moments before he struck, counter-terrorism investigators believe. Khalid Masood, 52, used an encrypted...
House Panel Seeking More Testimony From FBI, NSA Chiefs in Russia Probe (US News and World Report) The U.S. House of Representatives Intelligence Committee will ask the directors of FBI and the National Security agency to appear in a closed session in its probe of allegations of Russian interference in U.S. elections and U.S. spy agency surveillance of President Donald Trump's team, the head of the panel said on Friday.
Were the hackers who broke into the DNC’s email really Russian? (Miami Herald) Though the FBI and other U.S. authorities have said the hacking was the work of Russians, not all computer security experts believe it.
Vermont seeking recourse in Joblink employment cyber attack - Watchdog.org (Watchdog.org) Vermont may seek legal recourse against America’s Joblink Alliance after job-seekers and the Department of Labor were affected by the firm's data breach.
Prosecutors access data from locked phones of 100 Trump protesters (Naked Security) Personal data from protesters’ devices including photographs will be available to all the defendants’ lawyers via a cloud portal
Donald Trump 'could be removed from office' over Russia allegations (The Independent) Donald Trump could be forced to leave office over the investigations into his administration’s links with Russia, a former national National Security Agency (NSA) analyst has warned.
The Supreme Court Should Bring Sanity to Patent Law (WIRED) Opinion: Senator Orrin Hatch on how the Supreme Court can stop patent trolling lawsuits.
A win for Apple in Beijing as court overturns iPhone patent ruling (TechCrunch) Apple has bigger fish frying in the world of intellectual property. But it must be a relief that an IP court in Beijing has handed the smartphone pioneers a..
Judge: eBay can’t be sued over seller accused of patent infringement (Ars Technica) Who's making the "offer for sale?"
Who owns the data anyway? Definitely the client, says IBM (Which-50) The growing potential to monetise data and extract business value from it means businesses and vendors must consider who owns the data collected it the process of doing business, and who has a licence to use it. Sign up for Which-50’s Irregular Insights newsletter Data is increasingly seen as a
Ricardo Branch, Army sergeant, faces discharge for email to brass about classified data (The Washington Times) The Army is booting out a 13-year public affairs sergeant for including in an unclassified government email the same information about a special operations unit and Osama bin Laden found on Army.mil web pages.
Man charged with $100m ‘whaling’ attack on two US tech giants (Naked Security) Victims of whaling attack not named, but it’s not the first time a big multinational has been targeted, and it won’t be the last