Cyber Attacks, Threats, and Vulnerabilities
China tried to spy on German parliament — report (Deutsche Welle) Chinese spies have attempted to bribe German MPs for information, according to a newspaper report. Chinese agents would use fake profiles to try to get MPs to give insider information for money.
Israel-Hamas war rages in cyberspace (Arab Weekly) Israel blocks Hamas on Twitter, accuses the Palestinian group of targeting Israelis in dating and World Cup apps.
Cyber boffins drill into World Cup cyber honeypot used to cyber lure Israeli soldiers (Register) Israel reckons it was Hamas
How Facebook’s Rise Fueled Chaos and Confusion in Myanmar (WIRED) The social network exploded in Myanmar, allowing fake news and violence to consume a country emerging from military rule.
Study of 17,260 Android Apps Doesn’t Find Evidence of Secret Spying (BleepingComputer) A thorough study of 17,260 Android apps reveals that while some apps may accidentally take screenshots of the user's screen and upload them online, there is no evidence to suggest that apps are secretly turning a phone's microphone or camera on to spy on device owners behind their backs.
Your smartphone can watch you if it wants to, study finds (Naked Security) Internet users have grown used to the idea that they can be tracked and profiled as they browse the web, but what about the specific risks of smartphones?
Download Bomb Trick Returns in Chrome —Also Affects Firefox, Opera, Vivaldi and Brave (BleepingComputer) The release of Google Chrome 67 has reopened a "download bomb" bug that was exploited by tech support scammers last winter, and which had been fixed with the release of Chrome 65 in March 2018.
This keyboard attack steals passwords by reading heat from your fingers (ZDNet) Thermanator harvests thermal energy to steal passwords directly from your fingertips.
Thermanator Attack Steals Passwords by Reading Thermal Residue on Keyboards (BleepingComputer) A person's fingers leave thermal residue on keyboard keys that a malicious observer could record and later determine the text a user has entered on the keyboard, according to a recently published research paper by three scientists from the University of California, Irvine (UCI).
Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry (Arxiv) As a warm-blooded mammalian species, we humans routinely leave thermal residues on various objects with which we come in contact.
Google admits third-party app developers read your Gmail emails (HackRead) Google has admitted that "sometimes" emails sent and received by Gmail users can be accessed by third-party app developers.
Weak Admin Password Enabled Gentoo GitHub Breach (Dark Reading) Had the attacker been quieter, breach may not have been discovered immediately, maintainers of popular Linux distribution said.
New Malware Variant Hits With Ransomware or Cryptomining (Dark Reading) A new variant of old malware scans a system before deciding just how to administer pain.
Research: 46 Percent of Unauthorized Cryptocurrency Mining Circumvents Antivirus Software (BTC Manager) Cryptojacking continues to be classified as a rising threat in the cybersecurity domain. After considering infiltrated browser systems, miners, macOS’, social groups, and even cellphones, reports suggest over 98.8 percent of unauthorized cryptocurrency mining takes place on Linux-based software.
Serious Security: How to cut-and-paste your way to Bitcoin riches (Naked Security) Malware that steals cryptocurrency doesn’t need to crack passwords, read wallets, copy private keys, or even have a network connection…
Digital India Susceptible to Security Breaches (Infosecurity Magazine) Cyber-threats evolve as India advances into the digital age
NHS Digital Erroneously Reveals Data of 150,000 Patients (SecurityWeek) Roughly 150,000 NHS patients who had specifically opted out of the NHS patient data-sharing regime were in fact not opted out, the parliamentary under-secretary of state for health said.
7-year-old’s avatar sexually assaulted on “family-friendly” Roblox (Naked Security) Her shocked mother grabbed screenshots that show her daughter’s avatar knocked flat and an unambiguous animation of a penis.
Security Patches, Mitigations, and Software Updates
Google Fixes Critical Android Vulnerabilities (SecurityWeek) Google's July 2018 Android patches address several vulnerabilities in the mobile operating system, including several rated as Critical.
Year-Old Critical Vulnerabilities Patched in ISP Broadband Gear (Threatpost) Broadband gear made by Advanced Digital Broadcast is being patched to fix three vulnerabilities rated critical.
Cyber Trends
Surge in cryptocurrency crimes caused $761m loss in 2018: Report (CISO MAG) The report released on Tuesday stated a total of $761 million was stolen from cryptocurrency exchanges in the first half of 2018. The amount already exceeds the total for all of 2017, $266 million, by three times.
Acute pilot shortage and fewer available freighters likely to drive faster drone adoption (The Loadstar) Drones may be hauling cargo in the air much sooner than widely expected.
The worsening shortage of pilots and concerns about available freighter capacity down the road are adding a sense of urgency to the deployment of drones to fill the gaps.
The pilot shortage is the more serious concern for cargo carriers. A study published by Boeing last year found that more than 637,000 pilots would be needed between 2017 and 2037.
And even large passenger ...
Tech World (Foreign Affairs) The world is at the dawn of a second Industrial Revolution, this time, a digital revolution. And its impact will be, if anything, even greater than that of the first.
Austerity Bites Critical National Infrastructure Security (BankInfo Security) Much more must be done to shore up the U.K.'s national infrastructure. "It's partly austerity, and it's partly what's happening in the global economy, but
Survey: Most Feds Who BYOD Do It Without Agency Approval (Nextgov.com) It’s hard for agency security officials to protect networks when they don’t know what’s connecting to them, experts say.
State of the SOC? Depends on Who You Ask (Infosecurity Magazine) New report finds distinction in perceived state of SOC among front line and executives
Marketplace
Huawei slams FCC proposal to bar funds for Chinese telecom gear (The Verge) It’s the Chinese telecom’s second battlefront, aside from Congress
The campaign against Huawei (The Strategist) The case against Huawei’s participation in bidding for the 5G network in Australia appears to be based on incomplete information, at least as far as the public record allows us to judge. For a full ...
Some U.S. lawmakers have security concerns about T-Mobile-Sprint merger due to Sprint’s ties to Huawei (TmoNews) Days after a Senate antitrust subcommittee held a hearing about the T-Mobile-Sprint merger, other members of the U.S. government have begun to express concern over the deal. Members of the U.S. House have put together a draft letter arguing that a national security investigation of the T-Mobile-Sprint merger is necessary. The letter is being passed around so that it can get signatures before it’s sent to Treasury Secretary Steve Mnuchin, who is ...
ZTE replaces its CEO and other top execs (TechCrunch) A number of top executives are out at ZTE as the phone maker works to fulfill the requirements of U.S.-imposed restrictions. Among the big changes up top is new CEO Xu Ziyang, who formerly headed up the company’s operations in Germany. A new CFO, CTO and head of HR have been named, as well, accordi…
China’s ZTE Replaces Executives in Rush to Comply With U.S. Mandate (Wall Street Journal) ZTE has named a slate of new top executives, including a new chief executive, as the Chinese telecom firm presses ahead with its U.S.-mandated leadership purge.
Cybersecurity provider Novi invests €160,000 in new CyberView service to identify hidden threats (Business & Finance) Cybersecurity provider Novi invests €160,000 in cloud-based cybersecurity analysis platform CyberView to help identify hidden threats on business's networks
Jeff Vinik-backed startup accelerator DreamIt branching into security technology (Tampa Bay Times) The name of the company in which Jeff Vinik recently invested $12 million is Dreamit Ventures, but its latest initiative is focused on the stuff of nightmares: Cyber attacks. Physical threats.
IBM Lands $740 Million Deal to Supply Data Security to Australia (Bloomberg.com) International Business Machines Corp. has secured a A$1 billion ($740 million) agreement to become a central technology partner of the Australian government over the next five years.
KeyW secures subcontract for US Army’s ATMP programme (Army Technology) KeyW Holding has secured a task order to deliver global support for the US Army intelligence training systems as part of the ATMP programme.
Ex-Microsoft COO Kevin Turner emerges at helm of secretive blockchain startup co-founded by former Myspace CTO (GeekWire) Former Microsoft COO Kevin Turner has taken the helm of Core Scientific, a stealthy new blockchain and artificial intelligence startup led by veteran tech executives, GeekWire has learned.
Products, Services, and Solutions
Data Security Startup Enveil Unveils Homomorphic Encryption Platform (SecurityWeek) Data security start-up firm Enveil has launched the first practical and scalable commercial homomorphic encryption platform, ZeroReveal.
Tech Mahindra announces partnership with LIFARS (CISO MAG) To strengthen its threat preventive measures, Tech Mahindra, an IT consultancy tycoon, has announced its partnership with LIFARS, a US-based cybersecurity digital forensics and incident response firm. According to Tech Mahindra, the association will provide innovative threat responsive services to the users. The partnership will integrate LIFARS’ incident response service with Tech Mahindra’s Security Operations …
Hilltop Cybersecurity Inc Announces New Customer and Gives Product Updates (GlobeNewswire News Room) Hilltop Cybersecurity Inc, (“Hilltop” or the “Company”) (CSE:CYBX) (OTC:CYBXF), is pleased to announce PEP Solar in Phoenix Arizona as a new customer. PEP Solar will use the company’s product, “Vauban”, to secure its solar operation and to create awareness and protection from the cyber threats it has experienced in the past.
CryptoSecure Delivers System Security, Scalability for Cryptocurrencies (Dark Reading)
Carbon Black adds 9 new partners to its ‘Integration Network’ (Channel Life) CbIN represents organisations that have used Carbon Black’s open APIs to build integrations designed to benefit the entire security community.
Terrapin Technologies Confirms Continued SOC 2 Type 2 Data Center… (Virtual-Strategy Magazine) Terrapin Technologies Confirms Continued SOC 2 Type 2 Data Center Compliance Re-examined by Assure Professional, the security of the data, software and consulting services provider's broker-dealer data management system is proven consistent over time.
The Buyer’s Guide to Threat Intelligence Platforms (Network World)
Technologies, Techniques, and Standards
UK Financial Firms Need 'Plan B' for Inevitable Disruptions from Cyber Attack: BOE (Insurance Journal) Many U.K. financial firms don't have a Plan B to fall back on if they're hit by a cyber attack. The Bank of England wants to change that. Financial
Why Do VPNs Need To Be GDPR Compliant? (Infosecurity Magazine) Now GDPR has been in force for over a month, why do VPNs need to be compliant too?
Back to Basics: Let’s Forget About the GDPR… For A Moment (Security Boulevard) At this point it’s fairly safe to assume that most everyone in the business of “data” has heard of the European Union (EU)-wide General Data Protection Regulation (GDPR) that was signed into law in late April 2016; with the compliance deadline having come into effect on May 25, 2018. Clearly, this new regulation has significant
Five top tips for pentesters when searching for security flaws on iOS apps (WeLiveSecurity) Five top tips for pentesters to implement when searching for any type of security flaw committed by iOS application developers.
How to identify Trojans riding on unauthorised financial apps (LiveMint) Trojans can track targeted banking, payment and social media apps whenever you use them
You Know You're at Risk, Now What? (SecurityWeek) This article outlines 7 steps you can take starting today to put your organization on the path toward better situational awareness and risk reduction.
Why Are There So Many Robocalls? Here’s What You Can Do About Them (Wall Street Journal) Remember when phone calls meant people wanted to talk to you? When your phone rings these days, it’s often a robocall. Here’s what to do when you get one, and how to get fewer of them.
How the Army will infuse cyber operations on the battlefield (C4ISRNET) Army Cyber Command is using a pilot program, Cyber and Electromagnetic Activities Support to Corps and Below, to test the infrastructure changes necessary to insert tactical cyber teams within brigades.
How the Army is training for the digital conflict (C4ISRNET) An Army Cyber Command pilot program at the National Training Center at Fort Irwin is using a closed network with mock platforms to exploit to simulate certain effects and test integration of cyber and EW capabilities with brigade staff and tactical units.
Is it better to defend the Army’s network in the field or from afar? (Fifth Domain) An Army Cyber Command pilot program at the National Training Center at Fort Irwin is exploring the integration of cyber planners and tactical cyber operators with brigade combat teams, but also testing the effectiveness of defending battlefield networks from a remote location.
IDF’s cyber defenders prepare their responses for the ‘unknown threat’ (JNS.org) Whether wireless, wired, or using satellites and phones, the Hoshen Unit is involved in enabling military communications, and its personnel are aware of the fact that Israel’s enemies are keen on being able to shut down the IDF’s networks if they could.
Cyber war: An inside look at how tech giants are fighting hackers (TODAY.com) One out of every 130 emails contains malware and there are 4,000 ransomware attacks every day, according to experts. So how are America’s top tech companies working to keep users safe? NBC’s Tom Costello takes a look inside Microsoft’s forensics labs and cybersecurity centers to get the details.
XPS Metadata (SANS Internet Storm Center) To answer a question I was asked recently: XPS documents contain metadata too.
Design and Innovation
How Facebook Checks Facts and Polices Hate Speech (WIRED) Chief Product Officer Chris Cox talks to WIRED about disinformation, filter bubbles, and the prospect of regulation.
Research and Development
DHS Builds Mobile Defenses (SIGNAL) R&D is focusing on securing devices and applications.
Legislation, Policy, and Regulation
EU Votes Down Internet-Wrecking Copyright Proposal (Motherboard) Massive backlash drives the controversial measure back to the drawing board
Protecting Civilians in Cyberspace: Ideas for the Road Ahead (Just Security) We must start thinking about how international efforts to protect civilians from conflict offline might help inform efforts to protect civilians from cyber conflict.
NATO advances in its new operational domain: cyberspace (Fifth Domain) The aim is for the alliance to integrate voluntary sovereign national cyber contributions and augment cyber resilience and achieve mission success in a cyber environment that is increasingly contested by adversaries.
Force companies to list who has accessed customer data: Productivity Commission (ZDNet) Australia's Productivity Commission is looking at a world of increased consumer data rights, and to inform users without deluging them with emails.
Iran Increases Censorship Of Cryptocurrency Exchanges, Iranians Still Find Ways To Trade Crypto (CryptoGlobe) Anonymous sources recently revealed that authorities in Iran have been trying to prevent the country’s citizens from accessing cryptocurrency exchanges. This is reportedly due to concerns that cryptocurrencies are being used to send money abroad, something the government wants to prevent because the country’s economy is struggling due to US-led sanctions. Despite the restrictions, Iranians report that they have still found ways to trade and buy cryptos.
Congress Pushes For a Clearer Strategy on Cyber Warfare (MeriTalk) Amid growing fears of large-scale cyberattacks–ranging from attacks on infrastructure, to cyber espionage that threatens national security, to a “terabyte of death”–Congressional lawmakers are calling for a more clearly defined strategy for responding to such attacks.
Senate, House GOP at odds over rare rebuke of Trump on national security (Washington Post) Senators faced pressure to soften their stance on sanctioning the Chinese telecom giant ZTE following White House objections.
Lawmakers should accept reality that digital communication can never be 'too secure' (TheHill) It's time for lawmakers who believe in mandatory backdoors to stand up straight, speak clearly and call for an outright ban.
Analysis | The Cybersecurity 202: Spyware theft case offers a cautionary tale for encryption debate (Washington Post) It's the ultimate insider threat.
Agencies want new emergency powers after a cyberattack (Fifth Domain) The government may be able to award small contracts in the face of a cyberattack under a proposed rule.
Viewpoint: Some FAQs Answered About the New Cybersecurity Rule (National Defense)
Net neutrality makes comeback in California; lawmakers agree to strict rules (Ars Technica) After compromise, nation's toughest net neutrality bill back on track.
Litigation, Investigation, and Law Enforcement
Novichok poisoning: police search for syringe as concern grows in Salisbury (Times) A couple poisoned by a nerve agent are likely to have come into contact with a syringe used in the attack on a Russian spy and his daughter in Salisbury. Last night counterterrorism police were...
Cyber-Crime: Israeli tried to sell secrets on dark web for USD 50 million (The Jerusalem Post) A 38 year old Israeli worker for a cyber espionage firm is accused of stealing company secrets and attempting to sell them on the dark web.
Facebook Responding to US Regulators in Data Breach Probe (SecurityWeek) Facebook confirms facing multiple inquiries from US and British regulators about the major Cambridge Analytica user data scandal
Carole Cadwalladr takes us behind the scenes of the Cambridge Analytica investigation (Graham Cluley) Carole Cadwalladr, the investigative journalist who revealed how the personal data of millions of Facebook users was used to influence the US election, speaks about what went on behind the headlines.
Leaked Emails Show Cops Trying to Hide Emails About Phone Hacking Tools (Motherboard) Motherboard recently filed public records requests for law enforcement messages in mobile forensic email groups. But cops are trying to avoid giving up their communications, according to other leaked emails.
Cisco awarded 'seven-figure sum' in grey-market case against Gen-X IT (CRN) Vendor claims victory against defunct Manchester-based reseller, but administrator's report states Cisco had sought £35m
Student killed himself after friends shared private text (Times) An aspiring doctor killed himself after rugby team-mates shared his private message about a fling with a female student and made him fear for his future, an inquest has been told. Edward Senior, 22...
Tor-linked nonprofit raided by police (Naked Security) They were after the authors behind a blog calling for violent protests but didn’t even bother with the authors’ email provider.
Kaspersky Lab wants to fund further investigations into failed distributor (ARN) Kaspersky Lab has offered to fund the investigations and proceedings into dealings between failed distributor Hemisphere Technologies.
Former TX Chief Faces Security Breach Charges (Firehouse) Former Brownsville Fire Chief Carlos Elizondo is charged with felony counts of computer security breach for accessing data from the city.
Former Brownsville Fire Chief Faces Breach Charges (Infosecurity Magazine) Grand jury indicts former fire chief in an 11-count case of computer security breach charges
ID thief steals savings of America’s oldest living war veteran (Military Times) Richard Overton, age 112, fought in World War II in a segregated Army unit.
Overton a victim of 'cyber attack,' police say (KVUE) Investigators say they think Richard Overton -- who is 112 years old -- was the victim of a cyber attack, that this was not the work of someone he knew.