Cyber Attacks, Threats, and Vulnerabilities
Canadian Banks Say ‘Fraudsters’ Stole Information From at Least 40,000 Customers (Motherboard) Attackers electronically accessed personal and account information from clients at Simplii Financial and the Bank of Montreal.
Bank of Montreal says it was subject of cyber attack on Sunday (Reuters) Bank of Montreal said on Monday it was contacted by fraudsters on Sunday who claimed they were in possession of the personal and financial information of a limited number of the bank’s customers.
Hackers may have stolen data of 90,000 Canadian bank customers (ComputerWorld) Customers of Bank of Montreal, Canadian Imperial Bank of Commerce believed to be affected
Cobalt Hacking Group Still Active Despite Leader's Arrest (BleepingComputer) Despite their leader's arrest in Spain two months ago, the Cobalt hacker group that's specialized in stealing money from banks and financial institutions has remained active, even launching a new campaign.
Hacker Steals $1.35 Million From Cryptocurrency Trading App Taylor (BleepingComputer) The creators of the Taylor cryptocurrency trading app claim that an unidentified hacker has stolen around $1.35 million worth of Ether from the company's wallets.
Cryptocurrency Miners Are Sabotaging Blockchains for Their Personal Gain (Motherboard) A wave of 51 percent attacks affecting Bitcoin Gold, Verge, and Monacoin resulted in nearly $20 million worth of cryptocurrency being stolen from exchanges this week.
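Why confirmation counts stop protecting an exchange once an attacker controls a majority of hashrate, as an added example (not code from the Motherboard article): the function below implements the attacker catch-up probability from section 11 of the Bitcoin whitepaper, where an exchange credits a deposit after z confirmations and the attacker mines a private chain that omits that deposit and spends the coins elsewhere. The hashrate shares and risk threshold in the usage block are chosen for illustration.

```python
"""Attacker catch-up probability vs. confirmations (Bitcoin whitepaper, sec. 11).

Added example. q is the attacker's share of total hashrate, z the number of
confirmations the victim waits for before treating a deposit as final.
"""
import math


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker with hashrate share q ever overtakes an
    honest chain that is currently z blocks ahead of the attacker's chain."""
    if not 0.0 < q < 1.0:
        raise ValueError("q must be strictly between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        # Majority hashrate: the private chain grows faster on average, so it
        # overtakes with certainty however many confirmations the victim
        # waits for. This is the 51% case behind the Bitcoin Gold, Verge and
        # Monacoin reorganisations.
        return 1.0
    lam = z * (q / p)
    prob = 1.0
    for k in range(z + 1):
        # Poisson(lam): probability the attacker mined k blocks while the
        # honest network mined z. (q/p)^(z-k) is the gambler's-ruin
        # probability of closing the remaining gap of z-k blocks.
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob


def confirmations_needed(q: float, max_risk: float, limit: int = 1000):
    """Smallest z whose catch-up probability is below max_risk, or None when
    no number of confirmations suffices (attacker holds >= 50% of hashrate)."""
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Illustrative hashrate shares; 0.51 is the majority attacker.
    for q in (0.10, 0.30, 0.51):
        row = ", ".join(f"z={z}: {catch_up_probability(q, z):.7f}" for z in (0, 2, 6, 10))
        print(f"attacker share {q:.2f}: {row}")
    print("confirmations for <0.1% risk at 10% hashrate:", confirmations_needed(0.10, 0.001))
    print("confirmations for <0.1% risk at 51% hashrate:", confirmations_needed(0.51, 0.001))
```

The practical reading: raising the confirmation requirement only helps against a minority attacker; against a majority attacker `confirmations_needed` never returns, which is why exchanges listing small proof-of-work coins with cheaply rentable hashrate were the victims this week.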
BackSwap Trojan exploits standard browser features to empty bank accounts (Help Net Security) The BackSwap Trojan eschews the usual "process injection for monitoring browsing activity" trick. Instead, it handles everything by working with Windows GUI elements and simulating user input.
Z-Shave Attack Could Impact Over 100 Million IoT Devices (BleepingComputer) The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack that can allow a malicious party to intercept and tamper with traffic between smart devices.
Identifying Top Vulnerabilities in Networks: Old Vulnerabilities, IoT Botnets, Wireless Connection Exploits (TrendLabs Security Intelligence Blog) Using our IoT Smart Checker, a tool that scans networks for potential security risks, we looked into home and other small network environments and the vulnerabilities that connected devices usually encounter. Our findings homed in on known vulnerabilities, IoT botnets with top vulnerability detections, and devices that are affected.
Singapore ISP Leaves 1,000 Routers Open to Attack (Threatpost) Telcom firm leaves port open on customer routers after maintenance update exposing hundreds of customers to possible attack.
FBI issues formal warning on massive malware network linked to Russia (TheHill) The FBI on Friday issued a formal warning that a sophisticated Russia-linked hacking campaign is compromising hundreds of thousands of home network devices worldwide and it is advising owners to reboot these devices in an attempt to disrupt the malicious software.
VPNFilter botnet: a SophosLabs analysis, part 2 (Sophos News) The second part of our technical investigation of the malicious components involved in the attack that infected over 500,000 routers and network storage devices.
BackSwap Banking Trojan Uses Never-Before-Seen Techniques (BleepingComputer) Security researchers have discovered a new banking trojan named BackSwap that uses never-before-seen techniques to facilitate the theft of online funds.
PGP Founder: Don’t Disable Encryption Service (Infosecurity Magazine) Experts claim EFF advice and reporting of new flaws could do more harm than good
Essays: What "Efail" Tells Us About Email Vulnerabilities and Disclosure (Schneier on Security) Last week, researchers disclosed vulnerabilities in a large number of encrypted email clients: specifically, those that use OpenPGP and S/MIME, including Thunderbird and AppleMail. These are serious vulnerabilities...
Persistent Bots: Five Ways They Stay Enmeshed in Your Network (eWEEK) Attackers have created the first persistent internet-of-things botnet, Hide 'N Seek, using a well-known tactic from server- and desktop-based systems. Here are five ways the attackers stay on your system following a compromise.
MalHide: an interesting Malware sample (Security Boulevard) Today I'd like to share an interesting (at least to me) analysis on a given sample.
Ghostery’s goofy GDPR gaffe – someone’s in trouble come Monday! (Naked Security) Ever CCed an email you were supposed to BCC? Sure you have! But we bet it wasn’t your company’s “look how good we are at GDPR” email…
There are cyber threats to veterans' medical records (TheHill) America’s veterans have served our country and protected our freedoms, sometimes at the expense of their own well-being and health.
Coca-Cola Suffers Breach at the Hands of Former Employee (BleepingComputer) The Coca-Cola company announced a data breach incident this week after a former employee was found in possession of worker data on a personal hard drive.
Coca-Cola breach: ex-employee stole hard drive with 8,000 workers' data (HackRead) Coca-Cola believes that the breach may have allowed unauthorized individuals to gain access to certain personally identifiable information (PII).
UVM hit by cyber attack (The Vermont Cynic) UVM was targeted by a cyber attack that could potentially lead to the malicious use of University NetIDs and passwords. Julia Russell, associate chief information officer of Enterprise Technology Services, alerted the University community in a May 23 email that the Information Security Office and ETS were taking steps to correct a computer system intrusion....
Watch thieves steal keyless Mercedes within 23 seconds (HackRead) The owner of the Mercedes said he could track his stolen vehicle by using Mercedes Find My Car tracker app but it shows the car is still in his driveway.
Security Patches, Mitigations, and Software Updates
Does your BMW need a security patch? (Naked Security) Researchers have found 14 security vulnerabilities affecting BMW i Series, X Series, 3 Series, 5 Series and 7 Series.
Avast releases fix for incompatibility issue with Windows 10 April 2018 update (Gizbot) Avast releases fix for incompatibility issue with Microsoft Windows 10 April 2018 update. A large number of complaints said that their PCs were not booting up properly after the installation of the Windows 10 April 2018 update.
Facebook 2FA no longer needs a phone number: here’s how to set it up (Naked Security) One more excuse for not using 2FA bites the dust.
Defending the Indefensible: A New Strategy for Stopping Information Operations (War on the Rocks) In the book Snow Crash by Neal Stephenson, malicious viral information is deliberately spread by a nefarious actor to infect computers and people's brains. The virus is transmitted in a variety of ways: via bodily fluid exchange, exposure by observing code with your eyes, as an injected drug, and via computer
Disinformation Wars (Foreign Policy) The United States and Europe are ill-prepared for the coming wave of "deep fakes" that artificial intelligence could unleash.
The bogus expert and social media chicanery of DC’s top cyber think tank (Engadget) The unmasking of a cybersecurity grifter
5 ways deception tech is disrupting cybersecurity (The Next Web) Enterprises and their Security Operations Centers (SOCs) are under siege. Security events are being triggered from all corners of the security stack – from the firewall, endpoints, and servers, from intrusion detection systems and other security solutions.
IBM banned USB drives. Is it the future of security or a knee-jerk reaction? (Digital Trends) Despite the wide use of cloud services like Dropbox, sometimes a handy old USB drive is the quickest way to get large amounts of data from one computer to another.
Quantifying cyber exposure: Attackers are racing ahead (Help Net Security) Quantifying cyber exposure is essential. Cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack their victims, potentially siphoning sensitive data, launching ransomware attacks and causing extensive financial damage.
CIOs are forced to compromise between faster innovation and perfectly working software (Help Net Security) On average, organizations release new software updates three times per working hour, as they push to keep up with competitive pressures and soaring consumer expectation.
Self-driving technology is going to change a lot more than cars (Ars Technica) How self-driving technology could transform everything from retail to transit.
Op-ed: Game companies need to cut the crap—loot boxes are obviously gambling (Ars Technica) Much as game companies try to deny it, the truth is plain to see.
Opportunities in Cyber Security Stocks (The Bull) There are an increasing number of cyber-security companies listing on the ASX...
U.S. Software Firm Verint Is in Talks to Buy NSO for About $1 Billion (Wall Street Journal) U.S. software firm Verint has offered to acquire the Israeli company known for selling military-grade cyber surveillance technology to government security agencies.
Surveillance Company Verint Negotiating $1 Billion Merger with Israeli NSO Group (CTECH) NSO develops and sells cyber attack tools that can be used to gather intelligence from mobile phones
Trump reveals terms for ZTE US return (TechRadar) Major fine and job changes among terms put to Congress
Thales eyes bolt-on M&A but not chasing scale of U.S. rivals (Reuters) France's Thales has its eye on bolt-on acquisitions after securing chipmaker Gemalto but feels no immediate pressure to match the scale of 'nose-to-tail' aircraft parts suppliers like United Technologies, its chief executive said.
China Set to Approve Qualcomm-NXP Deal, a Sign of Easing Trade Tensions (WSJ) Chinese authorities are set to approve Qualcomm’s planned $44 billion acquisition of NXP Semiconductors in the next few days, in what would be a significant step toward easing U.S.-China trade relations.
Splunk: Running On Fumes (Seeking Alpha) Splunk reported another strong quarter as revenues smashed estimates. The intelligence platform saw sales growth dip below 30% after years of growth exceeding 40%.
Products, Services, and Solutions
This Chrome extension reveals if your password has been breached (HackRead) Okta has introduced new password manager PassProtect in its latest, free Google Chrome browser extension.
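How a browser extension can test a password against a breach corpus without ever transmitting the password, as an added example (not Okta's PassProtect code): PassProtect is built on Have I Been Pwned's Pwned Passwords service (a detail the page does not state), and the code below implements that service's k-anonymity range protocol. The client SHA-1 hashes the password, sends only the first five hex characters, receives every hash suffix in that range with a breach count, and compares the remaining 35 characters locally. The range response embedded here is constructed for the example; only the first suffix (the real SHA-1 of "password") is genuine.

```python
"""k-anonymity breached-password check (added example, offline by default)."""
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the server's reply to GET /range/5BAA6.
# Each line is "<35-hex-char suffix>:<count>". The first suffix completes the
# genuine SHA-1 of "password" (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8);
# the other suffixes and every count are made up for this example.
FAKE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E6E5A02B9A2B0F6C0E7F1C0E5A2C1A0B1C:2",
        "1F0A1B2C3D4E5F60718293A4B5C6D7E8F90:17",
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str):
    """Split a 40-char hex hash into the 5-char prefix that leaves the client
    and the 35-char suffix that never does."""
    if len(hash_hex) != 40:
        raise ValueError("expected a 40-character hex SHA-1")
    return hash_hex[:5], hash_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call: looks the prefix up in FAKE_RANGES."""
    return FAKE_RANGES.get(prefix, "")


def pwned_count(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> int:
    """Times the password appears in the corpus (0 = not found). Only the
    5-character prefix is passed to fetch_range; matching happens locally."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Real query against the public range endpoint (not used by default)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in corpus'}")
```

Swap `live_fetch` in for `offline_fetch` to query the real service; the privacy property is the same either way, since the server only ever sees a prefix shared by hundreds of unrelated hashes.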
Start Your Bug Bounty Program at Open Bug Bounty (Open Bug Bounty) Open Bug Bounty allows any verified website owner to run a bug bounty for their websites at no cost. The purpose of this non-profit activity is to make relations between website owners and security researchers sustainable and mutually beneficial from a long-term perspective.
Technologies, Techniques, and Standards
Observations from May 2018 Air Force Cyber Strategy Conference and the importance of monitoring process sensors (Control Global) I participated in the 2018 Air Force Cyber Strategy Conference at Maxwell Air Force Base’s Air University giving a presentation on control system cyber security with a focus on the lack of security in process sensors, actuators, and drives. Following my presentation, I was on a panel with JD Work from Columbia University and retired Major General Brett Williams. As with other conferences, the focus was on IT network security not control systems.
What Lies Beneath – Avoiding the Unseen Dangers of OT Vulnerabilities (Infosecurity Magazine) Attacks on OT systems are rapidly escalating, yet many industrial organizations focus cybersecurity efforts on IT-centric, rather than production-centric, endpoints.
UK Government’s IoT Best Practices are a Wake-Up Call to Manufacturers, Will They Hit Snooze? (Infosecurity Magazine) If we don’t take action and follow government guidelines on IoT, then Parliament will be forced to enact legislation.
Here Are Some of the Worst Attempts At Complying with GDPR (Motherboard) Owen Williams, a freelance developer, has been collecting the more embarrassing, silly, and downright lame attempts companies are making to comply with Europe's General Data Protection Regulation.
Want to Keep Your Data Safe? Secure Your Organization’s Privileged User Accounts (Infosecurity Magazine) Companies are adopting privileged account technology to monitor behavior and secure their sensitive data.
Ars Asks: Are your company’s IT policies flexible, or nonsensical? (Ars Technica) Help us understand the middle ground between getting work done and keeping work safe.
What You Need to Know About Cyber Safety While Traveling (Consumer Reports) In this primer on cyber safety while traveling, Consumer Reports has some tips for protecting your digital privacy while away from home.
How WIRED Lost $100,000 in Bitcoin (WIRED) We mined roughly 13 bitcoins and then ripped up our private key. We were stupid—but not alone.
What CISOs can learn from Tyrion on Game of Thrones (Help Net Security) GoT shares incredible parallels with the world of cybersecurity (E.g., The Wall can be likened to perimeter protection, White Walkers are the hackers, the Iron Throne is like the company’s sensitive data, etc.).
F-35 one of most cyber tested US weapons (SBS News) The F-35 stealth fighter jet is probably one of the most cyber tested weapon systems in the US defence inventory, manufacturer Lockheed Martin says.
StratCom laughs: in search of an analytical framework (NATO Strategic Communications Center of Excellence) The study "StratCom laughs: in search of an analytical framework" is a multidisciplinary effort to design an analytical framework for analysing humour in scenarios where researchers and practitioners find themselves working through large data collections where humour has been used as a potent tool in the construction of messages designed for strategic communication.
Design and Innovation
Microsoft building tool to spot bias in artificial intelligence algorithms (The Economic Times) The Microsoft tool has the potential to help businesses make use of AI without inadvertently discriminating against certain groups of people, MIT Technology Review reported on Friday.
XiaoIce, Microsoft’s social chatbot in China, makes breakthrough in natural conversation (Panorama) It’s effective, but Li Zhou, engineer lead for XiaoIce, Microsoft’s wildly popular artificial intelligence-powered social chatbot in...
Facebook touts transparency with new political ad archive, but a security expert isn't convinced (CNBC) Facebook product director Rob Leathern said the company is building an API to accompany the political ad archive.
Here’s Facebook’s Internal Policy on Pepe the Frog (Motherboard) The far-right adopted Pepe the Frog as its own symbol of intolerance. Breaking with its policy of allowing fictional characters to push hateful messages, Facebook banned certain images of Pepe, according to internal documents.
Facebook’s counterintuitive way to combat nonconsensual [adult content] (Naked Security) “Upload your nudes to stop revenge [...]” might sound crazy but it actually makes sense.
What is Satoshi Nakamoto doing 10 years after Bitcoin was launched? (Digital Journal) One of the technological world’s biggest mysteries to this day is the true identity of Satoshi Nakamoto, the computer programmer (or programmers) who created and developed the digital currency known as Bitcoin. There is much speculation as to whether Satoshi is an actual person or a collection of individuals using a pseudonym for a consortium of cypherpunk developers that designed, wrote and tested the Bitcoin experiment.
Legislation, Policy, and Regulation
UK Warns That Aggressive Cyberattack Could Trigger Kinetic Response (SecurityWeek) The political ramifications of launching any type of response against another country without definitive proof can lead to far greater disasters.
Colombia to be NATO's first Latin American global partner (Reuters) Colombia will next week formally join the North Atlantic Treaty Organization, making it the only Latin American nation in the alliance, President Juan Manuel Santos said late on Friday.
Papua New Guinea to ban Facebook for a month (Graham Cluley) The country of Papua New Guinea is reportedly planning a month-long national ban of Facebook. Why? To research the effect that the addictive social network has on the South Pacific island’s populace, and to root out “fake users.” But important questions remain unanswered.
Trudeau urged to probe Chinese telecom giant Huawei’s role in Canada (The Globe and Mail) Security, economic concerns raised over transferral of intellectual property to the company as it develops 5G technology
Trump admin. briefs Congress on tentative deal with China's ZTE (WKBT) The Commerce Department informed lawmakers on Friday of the outlines of a tentative deal that could save sanctioned telecommunications company ZTE, a key priority for Chinese President Xi Jinping, according to two people familiar with the matter.
Senate Defense Bill Aims to Scrub Cyber Adversaries from U.S. Military Tech (Nextgov.com) The bill would require companies to disclose if they’d shared source code with foreign governments.
Senators look to emphasize U.S. cyber prowess (Fifth Domain) The Senate's version of the NDAA looks to certify DoD's cyber authorities.
What Is GDPR and What Can America Learn From it? (Motherboard) After four years of debate, the General Data Protection Regulation is finally going into effect later this month. Personal privacy is of particular concern, but GDPR's effect on consumers and Silicon Valley is still shaking out.
From Safe Harbour to Privacy Shield to GDPR: the journey of data protection laws (ETCIO.com) The journey of data protection laws has come a long way from just being statutory to now being compulsive with hefty penalties, ultimately safeguardin..
Why Is Your Location Data No Longer Private? (KrebsOnSecurity) The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details.
Chinese surveillance firm hits out at ‘baseless’ US Congress ban (South China Morning Post) Security camera manufacturer reacts after House of Representatives adds it to list of companies seen as threatening US national security
Litigation, Investigation, and Law Enforcement
GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First? (Dark Reading) The GDPR grace period ends today. Experts take their best guesses on when data protection authorities will strike - and what kind of organizations will be first to feel the sting of the EU privacy law.
It’s Day One of GDPR, and Facebook, Google Are Accused of Breaking New Rules (Barron's) Within hours of the General Data Protection Regulation going into effect today, a privacy group accused Facebook, Alphabet, WhatsApp, and Instagram of violating Europe's strict new data-protection law.
Europol Signs Cybersecurity Agreement With EU Agencies, WEF (SecurityWeek) Europol has signed two cybersecurity memorandums of understanding this week – one with three EU agencies and one with the World Economic Forum (WEF)
Activists Urge Amazon to Drop Facial Recognition for Police (SecurityWeek) Activist groups urged Amazon to stop providing facial recognition technology to law enforcement, warning that it could give authorities "dangerous surveillance powers."
Apple sees steep increase in U.S. national security requests (The Mighty 790 KFGO) By Stephen Nellis (Reuters) - Apple Inc on Friday issued its twice-yearly transparency report on government data requests, showing another sharp increase in U.S. national security-related requests. Apple said it received as many as 16,249 national security requests affecting up to 8,249 accounts during the second half of 2017. The number of requ...
Three FBI officials to answer House panel's questions about Clinton emails (Fox News) House Republicans in June plan to interview three FBI officials linked to the agency’s controversial handling of the Hillary Clinton email probe, part of an ongoing joint investigation by the House Judiciary and Oversight and Government Reform committees.
Prolific Phisher ‘Courvoisier’ Gets 10 Years Behind Bars (Infosecurity Magazine) UK man stole details of tens of thousands of consumers
'One man crime wave' hacker Grant West jailed for 10 years (Computing) West sent phishing emails to Just Eat customers and hacked Barclays, BA and Ladbrokes
Man arrested for possession of 58 terabytes of child sexual abuse material (HackRead) 58 terabytes of data means thousands of hours of video stored across hundreds of devices (a terabyte is 1,000 gigabytes; the binary unit of 1,024 gibibytes is a tebibyte).
Mt. Gox, Coincheck and the Biggest Hacks and Scams in Cryptocurrency History (Smartereum) On Monday, Verge suffered its second cyber attack in the space of two months, bringing to the fore the bitter taste of cryptocurrency heists. The first hack happened in April, when 250,000 XVG coins were stolen. This latest breach was more damaging: about 35 million XVG, worth approximately $1.7 million, were stolen. This narrative has increased …