Cyber Attacks, Threats, and Vulnerabilities
Magecart Back Again as Feedify is Hit (Infosecurity Magazine) Malicious script injected into supplier’s JavaScript library
Ramnit Trojan reveals overlooked seasonal threat to the enterprise (SC Magazine) There is a seasonal pattern to malware attacks which is particularly clear from analysing the behaviour of the Ramnit banking Trojan, according to researchers at Check Point.
Browser security hole on Macs and iPhones – just how bad is it? (Naked Security) A URL spoofing bug in Safari is being reported with the word BEWARE! – we explain how bad it really is, and what to do about it.
Tech support scammers leverage "evil cursor" technique to "lock" Chrome (Help Net Security) Tech scammers are constantly coming up with new techniques to make users panic. In the latest one they make it seem like the cursor doesn't work.
Veeam contacts partners after data leak (CRN) Vendor tells partners that 'human error' led to the exposure of data
Really old computer viruses are still infecting new machines (Fifth Domain) Researchers say that known vulnerabilities are still attacking machines, shedding light on poor cyber hygiene.
Is Huawei a Genuine Security Threat? (TechCo) Huawei phones are effectively banned from sale in the US, due to suspicion of ties to the Chinese state and military. Would you be safe buying a Huawei phone?
Phishing from Beyond the Grave... (KnowBe4)
Security Patches, Mitigations, and Software Updates
Root KSK Roll: Replacing the Root of Trust for the DNS (Akamai) On October 11, 2018 -- for the first time ever -- the Root Key Signing Key (Root KSK), the single root of trust used to verify all DNSSEC responses, is scheduled to change. Validating resolvers...
Cyber Trends
Cyber attack on financial system could trigger next crisis, Charles Schwab strategist says (CNBC) Michael Farr of Farr, Miller and Washington and Liz Ann Sonders, chief investment strategist with Charles Schwab, discussed whether or not a cyber attack could trigger the next financial crisis. Sonders said that a cyber attack on the financial system could create fear in investors and trigger a crisis. Farr agreed, but added that cybersecurity is not the only threat to the economy.
Analysis of half-a-billion emails reveals malware-less email attacks are on the rise (Help Net Security) The analysis of over half-a-billion emails from 1H reveals that malware-less email attacks are on the rise and impersonation attacks have gone mainstream.
Lawmaker: If You Think Patching is Tough Now, It’s Going to Get Worse (Nextgov.com) Without security standards for the internet of things, the government is leaving open billions of “stupid” vulnerabilities, said Sen. Mark Warner.
#44CON: In a Time of Genuine Threats, Talk Sensibly and Act Efficiently (Infosecurity Magazine) Let’s change the way we talk about security, as global news and incidents are creating new threats.
Marketplace
Apple Has Started Paying Hackers for iPhone Exploits (Motherboard) Despite their value in the grey market, security researchers are reporting bugs as part of the Apple iOS Bug Bounty program, and some are getting rewards.
Justin King: 'Tech firms behave in a way that would be unacceptable in any other industry' (Computing) We're 'past the point of peak tech'. Legislators will act on the monopolies controlled by Amazon and Google, says former Sainsbury's CEO King
Senior Google Scientist Resigns Over “Forfeiture of Our Values” in China (The Intercept) The specialist said that the plan to resume the censored search engine project in China could endanger dissidents and encourage online repression elsewhere.
Google Is Handing the Future of the Internet to China (Foreign Policy) The company has been quietly collaborating with the Chinese government on a new, censored search engine—and abandoning its own ideals in the process.
Why Big Tech and the Government Need to Work Together (WIRED) Opinion: Former Secretary of Defense Ash Carter argues for cooperation between tech workers and the DoD
Why the Military Must Learn to Love Silicon Valley (Foreign Policy) The U.S. Defense Department and big tech need each other—but getting along won’t be easy
How Malwarebytes founder Marcin Kleczynski turned an infected family computer into a multimillion-dollar cyber security company (SmartCompany) Malwarebytes co-founder Marcin Kleczynski was inspired to found the multimillion-dollar cyber security company after fixing his family's computer.
Microsoft bolsters its AI portfolio with latest acquisition (CRN) Vendor's buyout of Lobe marks its third acquisition of an AI startup this year
Second Cyrise cohort attracting “more mature” cybersecurity startups (CSO) Australian cybersecurity startups are “a lot more mature” this year and many are ready to go to market as they push for support under the auspices of cybersecurity incubator Cyrise, the firm’s head has noted as the firm counts down the last days for applications to its second round of funding.
Webroot's Market Momentum Continues with Double-Digit Growth in Fiscal Year 2018 (PRNewswire) Webroot, the Smarter Cybersecurity® company, announced 12 percent annual recurring revenue (ARR) growth for its fiscal year ending on June 30, 2018, marking the company's eighteenth consecutive quarter of double-digit company growth.
Bitdefender moves closer to IPO with latest acquisition (Axios) It's acquired its local partner in Australia and New Zealand.
Why Cisco’s Cybersecurity Business Is About to Take Off (The Motley Fool) The networking giant is all set to tighten its grip over the cybersecurity space.
British Airways hack upgrades cyber risk pipeline (iTnews) Supply chain risk spend to increase.
Multi-Billion Dollar ICO Market down to a Few Hundred Million (CoinCentral) The Initial Coin Offering (ICO) market is currently experiencing a sharp decline according to August statistics. The industry, which peaked during the months of January, February, and March is believed to be moving down in lockstep with the current floundering cryptocurrency market.
Crypto’s second bubble, Juul has 60 days and three Chinese IPOs (TechCrunch) Hello and welcome back to Equity, TechCrunch’s venture capital-focused podcast where we unpack the numbers behind the headlines. After a long run of having guests climb aboard each week, we took a pause on that front, bringing together three of our regular hosts instead: Connie Loizos, Danny Chrich…
FBI loses another cybersecurity expert to private sector (Cyberscoop) Trent Teyema has been named senior vice president and chief technology officer for the government-focused wing of Parsons Corporation.
Products, Services, and Solutions
New infosec products of the week: September 14, 2018 (Help Net Security) Exabeam adds updated Case Management module to behavioral analytics product Exabeam Case Management is a module that provides a user interface designed
Safe-T Announces FIPS 140-2 Compliance and Additional Feature Integrations with Release of SDE Version 7.3 (PRNewswire) Features include new third party security and cloud feature integrations; delivers cryptographic functionality allowing federal government deployment.
eSentire Launches Integrated MDR and SIEM Platform for Full Threat Visibility and Rapid Response (eSentire) eSentire, Inc., the largest pure-play Managed Detection and Response (MDR) provider, today announce...
Digital Defense, Inc. Achieves Certified Integration with McAfee ePolicy Orchestrator Through the McAfee Security Innovation Alliance (Digital Defense) Integrated Solutions Deliver Enhanced Security Capabilities to Provide Real-Time Visibility
What every OT and IT leader should know about protecting industrial control systems and critical infrastructure (Forcepoint) Forcepoint's approach to cybersecurity within critical infrastructure provides the end-user an option to quickly move from visibility to control with Forcepoint NGFW and Forcepoint Data Guard to provide robust network defense and secure segmented network communications. Leveraging defense-grade approaches which are used by top government agencies, customers can deploy a variety of solutions for highly sensitive areas like nuclear and power generation, or meet simple DMZ and remote access requirements.
Rambus Token Gateway for E-Commerce Certified “Visa Ready” (Rambus) Rambus Inc. (NASDAQ: RMBS) today announced that its Token Gateway for e-commerce solution is one of the first to be qualified under the “Visa Ready” for Tokenization program.
The Security Maturity Model Knowledge Center (Secureworks) The Secureworks Security Maturity Model is a pragmatic methodology for evaluating your cybersecurity maturity and identifying next steps in your organization's security journey.
Universal Reward Protocol | A Blockchain-Based Protocol Where Retailers Reward Shoppers For Sharing Their Behavioral Data (URP) Universal Reward Protocol is a blockchain-based protocol for retailers to reward shoppers sharing their data by tailoring exclusive and personalised offers.
You didn’t buy ‘your’ iTunes movies; Apple can delete them anytime (Naked Security) It’s in the terms of service, as one man found out after Apple removed three movies from his iTunes library.
Technologies, Techniques, and Standards
Agencies Should Rethink Their Communications in an Era of Leaks (Nextgov.com) Both government organizations and political campaigns must rethink how they communicate, as channels once thought to be secure are not.
New voting machines will provide ‘paper trail’ (Delaware State News) Delaware is set to have new voting machines for the 2020 presidential election, with the goal of putting them in place by May’s school board elections. A task force given the responsibility of approving a contract with a vendor to replace the current machines unanimously approved the selection Tuesday, although the choice …
‘Cyber Fog’ exercise aims to strengthen US and Estonian defences (Jane's 360) US and Estonian militaries conducted a joint cyber exercise aimed at boosting their co-ordination and communication in combined cyberspace operations.
The two-day ‘Cyber Fog’ exercise took place in late July/early August at the Estonian Defence Forces Cyber Command in Tallinn. (Photo: US Navy)
What is the difference between sandboxing and honeypots? (Panda Security Mediacenter) Today we take a look at two strategies that are very common in the sector: honeypots and sandboxing, two IT risk prevention strategies.
Design and Innovation
Preventing exfiltration of sensitive docs by flooding systems with hard-to-detect fakes (Help Net Security) A group of researchers from Queen's University (Canada) have proposed a new approach for keeping important documents safe: creating so many believable
This Twitter Bot Will Tell You if a Login Page is Phishing (Motherboard) @isthisphish takes submissions from users, then generates a report on how suspicious the domain seems to be.
Solid password practice on Capital One's site? Don't bank on it (Register) What's in your wallet? Definitely not a password manager
Research and Development
Researchers exploring how IoT apps can imitate human decisions (Help Net Security) CA Technologies is participating in scientific research to discover how IoT apps can use a type of AI known as ‘deep learning’ to imitate human decisions.
Academia
Cornell Beats Other Ivies in Cryptocurrency Course Offerings (The Cornell Daily Sun) Cornell is among several other higher education institutions in actively meeting the rising academic interest in this field by offering a total of 28 relevant courses — the largest amount among the world’s top 50 universities as ranked by U.S. News and World Report, beating other Ivy League universities.
University of South Wales is closing the skills gap, say IT professionals (Computing) The Cyber Academy prepares graduates for work through industry partnerships
University harnesses AI to counter cyber threats (Police Professional) Cardiff University has been named as an Academic Centre of Excellence in Cyber Security Research by the UK’s National Cyber Security Centre (NCSC) – the first institution in Wales to be given this status.
Legislation, Policy, and Regulation
N. Korea says U.S. ‘smear campaign’ over hacking undercuts Trump-Kim accord (Washington Post) At the same time, the two Koreas opened their first joint liaison office in the North.
Australia ‘wide open’ to damage from cyberattack (Government News) Governments must move quickly to address potentially catastrophic cybersecurity vulnerability, a state government chief information security officer has warned.
Australia should reverse its Huawei 5G ban (South China Morning Post) The ban was made under the pretext of protecting national security, yet there is no evidence that Huawei gear is insecure
Talking UK Cyberwar With Sir David Omand (SecurityWeek) SecurityWeek talked to Professor Sir David Omand to get a better understanding of the UK viewpoint on the notion that a cyber attack that resulted in actual or threatened loss of life could legally elicit a kinetic military response.
Hackers wage a new Cold War (Help Net Security) Many believe the US and Russia have returned to a Cold War footing, one that promises to re-imagine war. The new Cold War incorporates cyber tactics.
Coercion And Cyberspace – Analysis (Eurasia Review) Cyberspace is a new domain for coercive operations in support of foreign policy and security with advantages for offensive actions and hindrances to its success. By Miguel Alberto Gomez* Over the p…
Venafi Black Hat Survey - Cyber War (Venafi) Venafi conducted a survey at Black Hat 2018 on cyber war and nation state security. Over 500 IT security professionals participated.
Senators: Why we need a better cyber Paul Revere (CNN) Senators Rob Portman and Maggie Hassan write that two bipartisan legislative proposals, the Hack DHS Act and the DHS Cyber Incident Response Teams Act, are necessary to develop a "one if by land, two if by sea"-style warning system for hacking vulnerabilities in the US.
They’re Crying in the Cyber Wilderness (Roll Call) Attacking the United States and its institutions has become a lot simpler since 9/11: a few strokes on a keyboard can now shut it all down.
Trump’s Election Meddling Sanctions Will Not Deter Russia (Atlantic Council) US President Donald J. Trump on September 12 issued a new executive order (EO) authorizing sanctions in response to interference in US elections, likely as an attempt to stave off two bipartisan bills circulating in the Senate that would mandate...
Analysis | The Cybersecurity 202: Lawmakers want intelligence chiefs to help counter threat from doctored videos (Washington Post) There's no easy way to rein in deepfakes through legislation.
Corruption in counterterrorism aid programs fuels extremist groups, says new report (Defense News) The report finds two-thirds of the recipients of U.S. counterterrorism aid pose
Declassified Report Describes Confusion Around Military Cyber Responsibilities in 2014 (Nextgov.com) The inspector general’s report describes poor communication and combatant commanders who hadn’t tallied up their cyber resources.
U.S. Cyber Command looks to grow its acquisition capacity (FCW) U.S. Cyber Command's contracting office is in its 'infancy' with a handful of staff and is looking to expand while showing Congress it knows what it's doing.
Here’s how the Army is grooming an elite cadre of (electronic) cyber soldiers (Fifth Domain) The Army will have cyber soldiers trained in a multitude of electronic disciplines.
Dem introduces bill to create federal cybersecurity apprenticeship program (The Hill) Rep. Jacky Rosen (D-Nev.) on Thursday unveiled legislation to create a Department of Labor grant program for apprenticeships in cybersecurity.
California bill regulates IoT for first time in US (Naked Security) California looks set to regulate IoT devices, becoming the first US state to do so and beating the Federal Government to the post.
Experts Bemoan Shortcomings with IoT Security Bill (Threatpost) The infosec community say California's IoT security bill is "nice," but doesn't hit on the important issues.
An Executive Guide to the Network and Information Security (NIS) Directive (CyberX) Get a free copy of 2017 global ICS & IIoT Risk Report: Data-driven analysis of ICS, SCADA and IIoT vulnerabilities based on the analysis of 375 OT networks.
McRaven, former SOCOM head, resigns from Pentagon board following Trump criticism (Defense News) The retired four-star admiral who once led U.S. Special Operations Command resigned from the Defense Innovation Board four days after he posted a scathing op-ed in the Washington Post calling out Trump for revoking the security clearance of former CIA director John Brennan.
Litigation, Investigation, and Law Enforcement
Salisbury novichok attack: We were sports nutritionists on a tourist trip, suspects tell Russian TV (Times) Claims by two suspected Russian hitmen that they were in Salisbury as tourists were dismissed as “ludicrous” by a Whitehall source yesterday. The men, who identified themselves as Alexander Petrov...
GCHQ data collection regime violated human rights, court rules (the Guardian) Surveillance system revealed by Snowden breached right to privacy, Strasbourg judges say
“Bulk interception” by GCHQ (and NSA) violated human rights charter, European court rules (Ars Technica) Privacy was violated at moment of collection, not when humans viewed data, ECHR rules.
America’s government is putting foreign cyber-spies in the dock (The Economist) Some of its own hackers are not pleased
Evolving Threats to the Homeland (House Homeland Security & Governmental Affairs Committee) Full committee hearing
Paul Manafort and special counsel reach plea agreement to avert second trial (San Diego Union Tribune) Paul Manafort, Trump's former campaign chairman, is in discussions over a potential plea to avert a second trial on a variety of charges.
Contractor gets prison for sabotaging Army computer program (Fifth Domain) An Atlanta man convicted of sabotaging a computer program housed on servers at an Army base in North Carolina has been sentenced to two years federal prison.
Blockchain hustler beats the house with smart contract hack (Naked Security) A hacker used their own code to tamper with a smart contract run by a betting company, and walked off with $24,000.
Review that! Fake TripAdvisor review peddler sent to jail (Naked Security) Jail time for fake reviews is “a landmark ruling for the Internet,” TripAdvisor said.