Cyber Attacks, Threats, and Vulnerabilities
Romania minister says country facing cyber-attacks (Fifth Domain) Romania faces Russian aggression on a daily basis in the Black Sea, and is fending off a wave of cyber-attacks and political interference, the defense minister said Monday.
Threat of cyber attack from Russia has intensified, British MPs told (The National) UK parliamentary committee heard evidence of evolving threats from states and criminals
China-linked Hackers Targeting Air-Gapped Systems: Report (SecurityWeek) A cyber espionage group linked to China has been targeting a secure USB drive built by a South Korean defense company, likely in an attempt to compromise air-gapped systems, according to a report.
Air-Gapped Systems Targeted with Weaponized USBs (Infosecurity Magazine) A cyber-espionage group targets Japan and South Korea with malware.
Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems (Palo Alto Networks Blog) Recently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive created by a South Korean defense company
American Cyber Security Firm FireEye Denies Hacking Chinese Military (Motherboard) In a new book, New York Times reporter David Sanger made the explosive claim that cybersecurity firm Mandiant hacked into the laptops of Chinese military hackers. Now FireEye, which owns Mandiant, has vehemently denied the claims.
Doing Our Part – Without Hacking Back (FireEye) In his new book, "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age," author David E. Sanger chronicles numerous examples of the impact of cyber activities on geopolitical conditions.
Malware in South Korean Cyberattacks Linked to Bithumb Heist (Dark Reading) Lazarus Group is likely behind a spearphishing campaign containing malicious code to download Manuscrypt malware.
We are entering the twilight zone of cyber warfare (Financial Times) The risk of escalation is high as it is hard to know who is attacking whom or why
Mobile Devices Exposed to Spying via Malicious Batteries: Researchers (SecurityWeek) Researchers demonstrate how installing a malicious battery into a smartphone can allow attackers to harvest and exfiltrate sensitive data
"Wavethrough" Bug in Microsoft Edge Leaks Sensitive Information (SecurityWeek) A security vulnerability patched by Microsoft earlier this month in its Edge browser could be exploited via malicious or compromised websites to read restricted data.
Known Threat Actor Develops Malware Downloader (Infosecurity Magazine) Kardon Loader is a new malware downloader with full bot capabilities.
Meet MyloBot malware turning Windows devices into Botnet (HackRead) Dubbed MyloBot by researchers, the malware steals data from Windows PCs and makes them part of a botnet to carry out further attacks.
The Biggest Digital Heist in History Isn’t Over Yet (Bloomberg.com) It’s like something out of a movie.
Nintendo Switch hackers show hacking for mischief is alive and well (Naked Security) Think today’s hackers are only motivated by money? Think again. In the gaming world, there’s plenty of hacks-for-lulz on display.
How telework fuels the insider threat (Fifth Domain) Following several intelligence leaks, a large percentage of corporate executives and small business owners believe that data breach risks increase when employees work out of the office, a new study finds.
Number of Fake Homograph Domains Continues to Increase (Infosecurity Magazine) The number of IDN lookalike domain pages continues to increase
IRS’ Rush to Secure Exposed Taxpayer Data Left It Vulnerable Again (Nextgov.com) Personal information about more than 350,000 taxpayers was compromised in 2015. Three years later, it’s still not secure.
What is a zero-day exploit? A powerful but fragile weapon (CSO Online) A zero-day is a security flaw that has not yet been patched by the vendor and can be exploited. These vulnerabilities fetch high prices on the black market
The Pirate Bay stays down - Here's how to access its Dark Web domain (HackRead) The Pirate Bay is down but its dark web domain is online and here is how you can access The Pirate Bay on the dark web.
1.7 Million Phishing Emails Blocked in June: Barracuda Networks (Dark Reading) Brand-name spoofing still a popular tactic to lure victims into giving up their login credentials and payment card information, new data shows.
AT&T collaborates on NSA spying through a web of secretive buildings in the US (TechCrunch) A new report from The Intercept sheds light on the NSA’s close relationship with communications provider AT&T. The Intercept identified eight facilities across the U.S. that function as hubs for AT&T’s efforts to collaborate with the intelligence agency. The site first identifie…
Security Patches, Mitigations, and Software Updates
Oracle Patches New Spectre, Meltdown Vulnerabilities (SecurityWeek) Oracle starts releasing software and microcode updates for products affected by the recently disclosed Spectre and Meltdown variants, namely Variant 3a and Variant 4
Rockwell Patches Flaw Affecting Safety Controllers From Several Vendors (SecurityWeek) Researchers warned in April of a serious DoS flaw affecting safety controllers from several major vendors. Rockwell Automation has now released a patch
Samsung Galaxy S9 Line Receives June Security Patch On Verizon (AndroidHeadlines.com) Verizon started distributing an optimized version of Google's June 2018 Android security patch to all Galaxy S9 and Galaxy S9 Plus units on its network,
Hyperthreading under scrutiny with new TLBleed crypto key leak (Ars Technica) A new attack prompted OpenBSD's developers to disable hyperthreading by default.
Cyber Trends
Cyber attack could cost bank half of its profits, warns IMF (Internet of Business) Cyber risk has emerged as a significant threat to the financial system, according to a new report from the International Monetary Fund (IMF). Although hardly a day goes by without another report warning of the dangers of cyber attacks, a new IMF modelling exercise has estimated that financial institutions’ average annual losses from cyber-attacks could …
Bot-driven credential abuse, DDoS attacks continue to rise (Help Net Security) Researchers tracked advanced techniques that show the influence of intelligent, adaptive enemies who change tactics to overcome the defenses in their way.
Midsized Organizations More Secure Than Large Ones (Dark Reading) New report offers data and analysis as to why midsized organizations hit a cybersecurity sweet spot in terms of security efficacy.
The State of Digital Lifestyles 2018 (Limelight Networks) Consumers Are Optimistic About Online Digital Technology
Human Behavior Risk Analysis Downloadable Report (Wiretap) Get the 'Human Behavior Risk Analysis' report in your inbox to receive specific insights and benchmarks on employee behavior that could be threatening your organization's security, compliance and culture.
Marketplace
Andreessen Horowitz Lends Credence to Crypto With New Fund (WIRED) The high-profile venture capital firm hires its first female general partner, a former federal prosecutor, to manage the $300 million fund.
Andreessen Horowitz has a new crypto fund — and its first female general partner is running it with Chris Dixon (TechCrunch) Silicon Valley powerhouse Andreessen Horowitz (a16z) has some big, and bigger, news today. First, it closed a dedicated crypto fund late last week from a subset of its limited partners, who’ve provided the firm with $300 million in capital commitments. The fund had become the worst-kept secre…
Quantum Xchange Launches First Quantum Network (QuantumXC) Quantum Xchange raises $10 Million Series A from New Technology Ventures to bring its QKD network and patent-pending trusted node technology to market. This is the first quantum, fiber-optic network in the United States and commercial Quantum Key Distribution (QKD) service for quantum-safe data protection.
Ping Identity Acquires Elastic Beam and Launches New AI-Driven Solution to Secure APIs (Digital Journal) Ping Identity, the leader in Identity Defined Security, today announced
Telos Corporation Awarded $45 Million Contract to Modernize Army Communications Systems in Pacific Region (BusinessWire) US Army has selected Telos Corporation to support migration and modernization of VoIP communications throughout the Pacific region.
How under pressure IBM thinks it has reinvented itself for the AI, quantum and blockchain era (Financial Review) At almost 107 years-old, IBM has faced accusations of lacking fresh vision, yet despite revenue falls and redundancy rounds it believes it has positioned itself to lead future trends.
Forcepoint Opens Cork Centre On Albert Quay (BizPlus) Cybersecurity company Forcepoint has opened a Centre of Excellence in Cork which will concentrate on new product development.
Intel Names Window Snyder as Chief Software Security Officer (Dark Reading) The microprocessor giant hires security veteran credited with leading both Microsoft's and Apple's security advancements.
Cybersecurity Innovator Selects COPT’s Columbia Gateway for Headquarters Location (Business Wire) Corporate Office Properties Trust (“COPT” or the “Company”) (NYSE: OFC) has executed an 18,000 square foot lease with The Maryland Innovation and Security Institute (“MISI”) in the Columbia Gateway Business & Innovation Center in Columbia, Maryland.
Products, Services, and Solutions
Ping Identity Improves Customer Experience for Global Enterprises with Adaptive Authentication Enhancements (Ping Identity) Ping Identity, the leader in Identity Defined Security, today announced major enhancements to PingFederate and PingID SDK that improve the authentication flow and make it easier to natively provide adaptive authentication within consumer-facing mobile applications.
Ping Identity Makes it Easy to Modernize Legacy IAM Systems (Ping Identity) Ping Identity, the leader in Identity Defined Security, today announced a new product and features designed to simplify the transition to its identity and access management (IAM) solution.
Brave browser starts feeding ads to willing guinea pigs (Naked Security) Hands up who wants to sign up to receive advertising as they browse the internet? Probably no-one, and yet that’s exactly what the new Brave browser is asking its users to do.
Microsoft brings immutable storage to Azure blobs (CRN Australia) Encouraging regulated industries to move sensitive data to the cloud.
Yubico launches FIPS 140-2 validated YubiKey series (Help Net Security) YubiKey FIPS 140-2 covers the use of cryptographic functionality such as encryption, authentication, and digital signatures.
Technologies, Techniques, and Standards
Threat Sketch, with Funding and Support from the Department of Homeland Security, Releases Nonprofit Cybersecurity Guide (PR Newswire) Threat Sketch, a cybersecurity firm specializing in small business...
WPA3 Brings New Authentication and Encryption to Wi-Fi (Dark Reading) The Wi-Fi Alliance officially launches its latest protocol, which offers new capabilities for personal, enterprise, and IoT wireless networks.
The Next Generation of Wi-Fi Security Will Save You From Yourself (WIRED) With better password security and idiot-proof IoT connections, WPA3 will make your internet experience much, much safer.
GDPR: Don’t Rest on Your Data, We’ve Only Just Begun (Infosecurity Magazine) A month in, GDPR is not a set-it-and-forget-it regulation.
In non-startling news, EFF says STARTTLS email crypto is mostly done wrong (Register) And so it's trying to kick off an effort to fix that up, because security and privacy matter
Kantara welcomes IDESG to enhance protection of online identities (Help Net Security) Kantara Initiative continues to be focused on improving use of identity and personal data through innovation, standardization and good practice.
American Association of Water Distribution & Management (AAWDM) critical infrastructure video (Control Global) The water industry doesn’t have an organization that specifically addresses risk the same way it is done in other industries. As such this new organization, AAWDM, is making a series of videos.
Industrial IoT: Protecting the Physical World from Cyber Attacks (SecurityWeek) Industrial IoT in the enterprise expands the threat landscape by opening up new vulnerabilities that can be exploited across endpoints, applications, cloud infrastructure and networks.
WebAssembly: potentials and pitfalls (Forcepoint) We at Forcepoint have recently touched on the topic of WebAssembly (also known as WA or Wasm). Part of this effort was discussed briefly in an earlier blog post on in-browser coin mining. Today we are going to talk more about the basics of Wasm, and discuss some of the security implications of this new technology. More posts will follow in this series. Later, we will make another post on reverse-engineering a basic Wasm file.
Mattis declares vigilance to be the best cyber defense (Federal Times) Secretary of Defense James Mattis has issued a memo warning the department’s employees of the consequences for poor cyber hygiene in a world where secrets can fall into the hands of digital intruders.
Army trying to keep up with ‘changing character of war’ (FederalNewsRadio.com) As the Army shifts its focus from violent extremist organizations to near-peer adversaries per the national defense strategy, staying on top of emerging domains and technologies will be what keeps it in a position of dominance going into the future.
Top Tech Companies Met With Intelligence Officials to Discuss Midterms (NYTimes) A meeting in May was meant for a discussion of foreign meddling in this year’s midterm elections. But some tech officials left frustrated.
Managing and maintaining security in the enterprise (Help Net Security) Utilizing tools and services that exist to protect IT systems should be the first step in maintaining security and minimizing risk in the enterprise.
Secure Code: You Are the Solution to Open Source's Biggest Problem (Dark Reading) Seventy-eight percent of open source codebases examined in a recent study contain at least one unpatched vulnerability, with an average of 64 known vulnerabilities per codebase.
What Metrics Should Enterprises Focus On to Improve Cybersecurity? (eSecurity Planet) VIDEO: Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says simply focusing on malware prevention isn't enough for modern cybersecurity.
Analysis | The Cybersecurity 202: Maryland ballot snafu offers lessons in how to respond to an election hack (Washington Post) As many as 80,000 voters will have to cast provisional ballots.
Research and Development
Finally, a Problem Only Quantum Computers Will Ever Be Able to Solve (WIRED) Computer scientists have been searching for years for a type of problem that a quantum computer can solve but that any possible future classical computer cannot. Now they’ve found one.
Royal Bank of Canada and Ben-Gurion University Enter Into Cyber Security Partnership (PR Newswire) The Royal Bank of Canada (RBC) and BGN Technologies,...
Academia
Internet shut down in Algeria to stop exam cheats (Naked Security) It’s exam time again, and aside from panic and caffeine-fuelled all-nighters, that can only mean one thing: A lot of people are getting their internet shut off.
Northrop Grumman Expands Youth Cyber Education Program into Australia with CyberTaipan (Northrop Grumman Newsroom) Northrop Grumman Corporation (NYSE: NOC) has introduced CyberTaipan, a national cyber defence competition for Australian youth designed to encourage interest in technical fields. The Hon Angus Taylor MP, Minister for...
Legislation, Policy, and Regulation
Private Sector Cyber-Norm Initiatives: A Summary (Lawfare) In the wake of the U.N.’s failure to articulate new norms on cyber governance, the private sector is developing its own ideas.
Vietnam New Cyber Security Law (CyberDB) Vietnam’s National Assembly passed a new cyber security law that has generated much concern for its stringent restrictions on popular social media.
House passes bill to address industrial cybersecurity (TheHill) House lawmakers approved legislation Monday aimed at securing technology used to power critical infrastructure from cyberattacks.
Litigation, Investigation, and Law Enforcement
Rights Groups: EU States Ignored CJEU Mass Surveillance Rulings (Infosecurity Magazine) Non-targeted bulk data retention still widespread, say activists
Opinion | The Supreme Court just struck a blow against mass surveillance (Washington Post) Requiring a warrant will change bulk collection.
Tesla Breach: Malicious Insider Revenge or Whistleblowing? (SecurityWeek) A breach of Tesla's Manufacturing Operating System was a mainstream malicious insider attack -- but there may be more to it than meets the eye.
Mueller Poised to Zero In on Trump-Russia Collusion Allegations (Bloomberg.com) Special Counsel Robert Mueller is preparing to accelerate his probe into possible collusion between Donald Trump’s presidential campaign and Russians who sought to interfere in the 2016 election, according to a person familiar with the probe.
What did Peter Strzok do? (TheHill) As former top FBI official Peter Strzok faces congressional requests to testify, it’s worth examining who he is.
Millions of UK voices stored by HMRC (BBC News) Privacy campaigners say 5.1 million Britons have had their voices stored without permission.
Senator to FCC: How much do police stingrays drain a cellphone battery? (Ars Technica) "If the Commission does not conduct or require testing, please explain why…"
Dem Chief Of Staff Tried To Expose Suspected Theft Ring On Capitol Hill, Was Met With Resistance (Daily Caller) 'It looked like Christmas with Apple TV's, iPods, etc. scattered around the room'
An Overwatch hacker in South Korea just got sentenced to a year in prison (TechCrunch) A 28-year-old man in South Korea faces a year in prison for hacking Overwatch. The sentence, reported by South Korea’s SBS News and Dot Esports, handed the hacker one year in prison and two years of probation for illicit activity related to the hit online multiplayer game. The particularly s…