Cyber Attacks, Threats, and Vulnerabilities
New Virobot Ransomware and Botnet Emerges (SecurityWeek) A newly discovered piece of malware combines ransomware and botnet capabilities in a single package, Trend Micro security researchers reveal.
Researcher Discloses New Zero-Day Affecting All Versions of Windows (The Hacker News) Researcher Discloses Unpatched Windows Zero-Day Vulnerability In Microsoft JET Database Engine
ZDI Shares Details of Microsoft JET Database Zero-Day (SecurityWeek) Trend Micro's Zero Day Initiative (ZDI) has shared details on a zero-day vulnerability impacting the Microsoft JET Database Engine that could be exploited for remote code execution.
ZDI-CAN-6135: A Remote Code Execution Vulnerability in the Microsoft Windows Jet Database Engine (Zero Day Initiative) Today, we are releasing additional information regarding a bug report that has exceeded the 120-day disclosure timeline. More details on this process can be found here in our disclosure policy. An out-of-bounds (OOB) write in the Microsoft JET Database Engine that could allow remote code execut
Microsoft's Jet crash: Zero-day flaw drops after deadline passes (Register) Don't click on that dodgy link, people
Twitter says bug may have exposed some direct messages to third-party developers (TechCrunch) Twitter said that a “bug” sent user’s private direct messages to third-party developers “who were not authorized to receive them.” The social media giant began warning users Friday of the possible exposure with a message in the app. “The issue has persisted since…
Zaif Cryptocurrency Exchange Hacked Losing $60 Million To Hackers (Latest Hacking News) Japan's Zaif cryptocurrency exchange allegedly lost cryptocurrencies worth $60 million to hackers. This includes the theft of 6000 BTC as well.
Suspicious DNS Requests ... Issued by a Firewall (SANS Internet Storm Center) An anonymous reader contacted us because he noticed DNS requests for malicious domains originating from his Windows machine, even before he opened a browser.
Thousands of Breached Websites Turn Up On MagBo Black Market (Threatpost) The research team said it has shared its findings with law enforcement and victims are being notified.
Lucy Gang Debuts with Unusual Android MaaS Package (Threatpost) The threat actor's Android-focused cyber-arms package, dubbed Black Rose Lucy, is limited in reach for now, but clearly has global ambitions.
Malware Businesses Blending the Legitimate and the Illegitimate (SecurityWeek) A malware development organization can and does acquire and use our same tools to “improve” their product.
Thousands of stolen frequent flyer miles of top airlines sold on Dark Web (HackRead) Dark Web has become a business hub for malicious hackers and cybercriminals.
Analysis | The Cybersecurity 202: Why lawmakers' personal accounts are a prime target for foreign hackers (Washington Post) Congress doesn't have a plan for protecting them.
Foreign hackers a legitimate concern for ballot machines, says cybersecurity expert (TheHill) Cybersecurity expert Dena Graziano on Thursday said foreign hackers are a legitimate concern for U.S. ballot machines.
Wireless Infusion Pumps Could Increase Cybersecurity Vulnerability (HealthITSecurity) Wirelessly connecting infusion pumps to point-of-care medication systems and EHRs improves healthcare delivery but also increases cybersecurity vulnerability.
Bankrupt NCIX customer data resold on Craigslist (Naked Security) What happens to sensitive customer data when a large company that has collected it over many years suddenly goes bust?
Cyber attack limits parental access to Oklahoma City schools site (NewsOK.com) Spokeswoman Beth Harrison said the "denial of service" attack on Infinite Campus, which houses the district's parent portal, has made it difficult if not impossible to access the site.
Arran Brewery attacked with ransomware under cover of recruitment-ad CV spam (Computing) Attackers placed Brewery job ads on recruitment sites worldwide to provide cover for their phishing emails.
Security Patches, Mitigations, and Software Updates
Twitter says it patched a bug that could have shared users' private messages (CNBC) Twitter said Friday that private messages sent between users and some brands since May 2017 might have been improperly shared with external software developers.
Gmail users now automatically logged into Chrome without their consent (Computing) Google has apparently changed Chrome's default permissions without informing users
Did Apple Just End The 'Golden Age' Of Government iPhone Hacking? (Forbes) Apple iPhone XS, XR and XS Max have been called the most secure iPhones ever. And it may well have ended the so-called "golden age" of government iPhone hacking ...
iTunes is assigning you a ‘trust score’ based on emails and phone calls (Naked Security) It’s just a number to detect fraud, not a Black Mirror-esque score that’s going to rate us all as social misfits unworthy of wedding invitations.
Cyber Trends
The Coming Crime Wars (Foreign Policy) Future conflicts will mostly be waged by drug cartels, mafia groups, gangs, and terrorists. It is time to rethink our rules of engagement.
A law enforcement view of emerging cybercrime threats (Help Net Security) Europol’s Internet Organised Crime Threat Assessment offers a law enforcement view of the threats and key developments in the field of cybercrime.
How companies view their cyber exposure, and how they deal with it (Help Net Security) 52% of respondents believe that suffering a cyber attack is inevitable, yet a majority reported not taking adequate steps to protect themselves.
Cyber security: Your boss doesn't care and that's not OK anymore (ZDNet) Hacking and data breaches are an ongoing threat, so why are so many execs ignoring the issue?
Better security needed to harness the positive potential of AI (Help Net Security) Digital Transformation Barometer finds better security needed to harness the positive potential of AI and mitigate risks of malicious attacks.
Akamai says UK saw 30% rise in malicious logins in May and June (IBS Intelligence) Malicious login attempts in UK by bots using credential stuffing grew by 30% in May and June this year, a report from Akamai showed.
SMB Pulse Survey (Webroot) Webroot and the small- to medium-sized business (SMB) focused research agency Bredin recently conducted a survey on the cybersecurity habits of small (1-19), medium (20-99), and large (100-500) companies.
TAG Cyber Annual: Automation, Analytics & Cloud Driving Improved Security Picture (Light Reading) Organization led by former AT&T security chief Ed Amoroso updates third volume of annual reports tracking cybersecurity trends.
How organizations overcome cybersecurity hiring challenges (Help Net Security) This report provides a window into how this gap can be leveraged by individuals and organizations alike to overcome cybersecurity hiring challenges.
For Hackers, Anonymity Was Once Critical. That’s Changing. (New York Times) At Defcon, one of the world’s largest hacking conferences, new pressures are reshaping the community’s attitudes toward privacy and anonymity.
Marketplace
Google Suppresses Memo Revealing Plans to Closely Track Search Users in China (The Intercept) The company forced employees to delete the document, which stated that a Chinese partner would have “unilateral access” to user data.
Why the Right-wing backlash against Google is only going to get worse (The Telegraph) Tech giants have successfully seized power, but now they find it makes them a target
Facebook under fire as cyberbullying scheme struggles to hit targets (The Telegraph) Facebook is facing calls to take concrete action on cyber-bullying after it emerged a scheme it is helping fund to protect children has been forced to push back targets.
John Oliver Calls Facebook 'a Fetid Swamp of Mistruths and Outright Lies' (Motherboard) Oliver goes long on Facebook's content moderation problems.
The curious sudden rise of free US election 'net security guardians (Register) There is no such thing as a gratis lunch, after all
LORCA: Driving Startup Growth & Innovation (Infosecurity Magazine) Michael Hill attended the official opening of East London’s new center for cybersecurity advancements and reports on the new development
Products, Services, and Solutions
50 Best Cloud Security Podcasts (Security Boulevard) Some of the earliest podcasters were influencers in the technology and online space. For well over a decade, programs that specifically discuss security news and topics have been keeping people up to date on data and systems safety. For many, it’s the ideal medium to learn about the latest happenings in the industry via a …
News Site to Investigate Big Tech, Helped by Craigslist Founder (NYTimes) The Markup, dedicated to investigating technology and its effect on society, will be led by two former ProPublica journalists. Craig Newmark gave $20 million to help fund the operation.
Alternate E Source and Blue Ridge Networks Announce Partnership to Bring Cybersecurity Solutions to Smart Building Technology (PR.com) Alternate E Source, provider of Kentix IoT smart sensor technologies, and Blue Ridge Networks, a Northern Virginia based Cybersecurity company, today announced a partnership to add a new layer of cybersecurity...
Company That Pushed Hackers Out of DNC Now Protecting Government Systems (Nextgov.com) CrowdStrike is authorized to protect ‘moderate impact level’ cloud-based government systems.
RedSeal Launches Remote Administrator Managed Service to Augment Customers' Security Teams (Dark Reading) Cyber security's comprehensive news site is now an online community for security professionals, outlining cyber threats and the technologies for defending against them.
RSA launches £25m capacity cyber protection product (ReinsuranceNe.ws) RSA, one of the largest UK commercial insurers, has expanded its cyber protection to provide standalone, comprehensive worldwide cover of up to £25
Verizon Digital Media Services adds managed security services to its cloud solution for enterprises - Verizon Digital Media Services (Verizon Digital Media Services) New offering is available as part of a suite of security services including a dual web application firewall, DDoS protection, bot management, and real-time analytics and reporting
U.S. General Services Administration Selects HackerOne as TTS Bug Bounty Partner (Odessa American) HackerOne, the leading hacker-powered security platform, today announced the General Service Administration’s (GSA) Technology Transformation Service (TTS) awarded HackerOne a multi-year contract to run a bug bounty program. GSA was the first federal civilian agency to engage in a bug bounty program and continues their ongoing momentum with this latest bug bounty contract.
Technologies, Techniques, and Standards
French cybersecurity agency open sources security hardened CLIP OS (Help Net Security) The National Cybersecurity Agency of France (ANSSI) has decided to open source CLIP OS, a Linux-based, security hardened operating system.
Amnesty International Toils To Tell Real Videos From Fakes (RadioFreeEurope/RadioLiberty) The rights group Amnesty International is determined to expose fake Internet videos and confirm the authenticity of real footage documenting human rights abuses.
Privacy Protection Means Encryption at the Application Layer (SecurityWeek) As organizations work to address GDPR compliance requirements, it would be a mistake to implement data security measures without holistic consideration for application layer encryption and vulnerability assessments.
Reconciling information security and shrink-wrap agreements (CSO Online) Addressing the security risks that come with non-negotiable shrink-wrap (or click-wrap) agreements.
Mitigate Risk From Malicious and Accidental Insiders (SecurityWeek) Every industry has insiders that are disgruntled, may be seeking revenge or simply want to make a profit and aren’t above engaging in illicit activity to do so.
Machine Learning Confronts the Elephant in the Room (Quanta Magazine) A visual prank exposes an Achilles’ heel of computer vision systems: Unlike humans, they can’t do a double take.
What do you mean by storage encryption? (Help Net Security) In my year-long research project, the F5 Labs’ 2018 Application Protection Report, I asked if security professionals used storage encryption for data and
5 Reasons why e-commerce sites need a token gateway (Rambus) Growing card-not-present fraud is driving demand for card-on-file EMV payment tokenization. As industry players look to simplify tokenization initiatives, token gateway solutions can deliver considerable competitive advantages:
We are all at risk from high-tech snooping (Times) Smuggling Oleg Gordievsky out of the Soviet Union under the noses of the KGB was one of the greatest feats in British intelligence history. It wouldn’t work today. Britain’s top spy in the KGB...
Design and Innovation
Cloudflare and Google Will Help Sync the Internet's Clocks—and Make You Safer (WIRED) Syncing clocks online is vital to web security, which is why Cloudflare will embrace Google's next-gen timekeeping protocol.
Microsoft offers completely passwordless authentication for online apps (Ars Technica) Phone-based authentication is the way forward instead.
The New YubiKey Will Help Kill the Password (WIRED) The latest batch of hardware-based tokens from Yubico will eventually let you skip the password altogether.
Pokémon's revival raises bar for data privacy and protection (SiliconANGLE) It’s really hard to overestimate the power of small, game-animated, yellow furry bodies.
PAID POST: Can blockchain save the vote? (TechCrunch) Elections are a symbol of hope and freedom, and the right to vote is an expression of belonging and of having a voice. We trust our electoral systems to preserve an immutable record of the voices we have raised, and the choices we have made. Yet the concept of “one person, one vote” is […]
Academia
Sinclair receives almost $1 million in grant award (WDTN) The grant money will be used to support the Community College Accelerated CyberCorp Pilot Program, a project that aims to help strengthen cybersecurity education programs and improve security of information technology across the country.
Experience often key in cybersecurity job market (The Augusta Chronicle) The arrival of U.S. Army Cyber Command will bring hundreds of jobs to the Augusta area, and schools are attempting to meet that demand.
Legislation, Policy, and Regulation
Challengers Defeat Pro-Kremlin Candidates In Two Governor Races (RadioFreeEurope/RadioLiberty) Two challengers have defeated pro-Kremlin candidates in gubernatorial runoffs, amid widespread anger over pension reforms backed by the ruling United Russia party and President Vladimir Putin.
Kremlin Scrambles As Regions Prepare For Runoff Votes (RadioFreeEurope/RadioLiberty) Regional elections have exposed cracks in the Kremlin's "power vertical," leaving Moscow scrambling to avert defeat in regional runoff elections.
U.S. urges other countries to curtail ties with Russia’s defense and intelligence sectors (Vestnik Kavkaza) The Trump administration will continue to vigorously implement CAATSA and urge all countries to curtail relationships with Russia’s defense and intelligence sectors, State Department spokeswoman Heather Nauert said in a press statement.
UK plan to build cyber warfare unit to combat online threat posed by Russia, North Korea and Iran (Computing) Plan to build cyber-force being held up by political rows over funding, and command and control
Former MI5 chief calls for UK to mount cyber attacks on Russia (The Telegraph) One of Britain's most senior former security officials has urged the government to meet Russian "aggression with aggression", by launching retaliatory cyber attacks against Moscow.
U.S. Takes Off the Gloves in Global Cyber Wars: Top Officials (SecurityWeek) The United States is taking off the gloves in the growing, shadowy cyber war waged with China, Russia and other rivals, National Security Advisor John Bolton said.
Trump’s national cyber strategy praised by experts (Fifth Domain) President Donald Trump’s new national cyber strategy has been met with praise by experts and even political opponents
Trump eases curbs on US cyber weapons as election threat looms (The Straits Times) President Donald Trump has issued an order making it easier for the United States to launch cyber attacks, highlighting the potential for a counter-attack if a foreign government is found to be trying to meddle in congressional elections in November.
Trump Has a New Weapon to Cause ‘the Cyber’ Mayhem (Foreign Policy) The U.S. president and his advisor John Bolton want to take the gloves off in cyberspace—but experts worry offensive attacks could backfire.
Trump's new strategy means the U.S. could get more aggressive with Russia and China over hacking (CNBC) Some of the changes emphasize a shift toward a more offensive cybersecurity posture, a longtime request from the National Security Agency and cybersecurity branches of the U.S. Armed Forces.
Bill to codify DHS cyber program introduced into Senate after passing House (SC Media) Two weeks after it passed the U.S. House of Representatives, a bill that would codify and modernize the Department of Homeland Security (DHS) Continuous
U.S. Senate introduces companion bill to Ratcliffe’s cybersecurity legislation (Ripon Advance) A U.S. Senate version of the bipartisan Advancing Cybersecurity Diagnostics and Mitigation Act introduced by U.S. Rep. John Ratcliffe (R-TX) was unveiled on Sept. 18. Rep. Ratcliffe said he was grateful that his Texas counterpart, U.S. Sen. John Cornyn (R-TX),
DHS cyber-agency bill may finally come to pass; will it make a difference? (Inside Cybersecurity) The frenetic recent efforts by Senate Homeland Security and Governmental Affairs Chairman Ron Johnson (R-WI) to secure final passage of a long-stalled DHS reorganization measure may finally pay off -- prompting the next question: whether creation of a cyber agency at the Department of Homeland Security actually improves cybersecurity.
DHS Needs to Define Network Disruptions Before It Can Fight Them (Nextgov.com) Agencies have different definitions of what an outage is, and that matters.
House Members Plan Election Hacking Demonstration (Roll Call) Two members of the House, a Democrat and Republican, will sponsor an event to show how easy it is to engage in hacking a voter database.
Separate The NSA And Cyber Command Now (Law360) Since its inception in 2009, U.S. Cyber Command has been functioning concurrently and under the same leadership as the National Security Agency. In the beginning this may have been appropriate, but in today’s environment they should be conducting their missions independently, says Daniel Garrie of JAMS.
Government draws up plans for social media regulator following Telegraph campaign (The Telegraph) Ministers have started drafting proposals for new laws to regulate social media and the internet after a Daily Telegraph campaign.
While Everyone Was Distracted By Strawberries, Peter Dutton Introduced Laws To Snoop On Your Private Chats (BuzzFeed) The legislation was introduced into parliament just 10 days after consultation ended, and not all submissions have been made public.
Politicians are threatening our right to have private discussions - we must not let them ban secret social media groups (The Telegraph) Imagine being unable to hold a conversation in your own house without the world knowing the topic of conversation and where you live.
Social media is a battlefield that can perpetuate sexual violence and cyber-bullying (Times Live) Rape culture and cyber-bullying are dominating the spaces students at higher-education institutions find themselves in. The South African Human Rights Commission (SAHRC) in collaboration with the University of Johannesburg held a dialogue in an effort to unpack the causes and solutions to the challenges of rape culture and cyber-bullying at universities.
SEC shuffle: CIO, top cyber adviser to step down (FCW) The personnel moves come as the agency looks to FireEye for cyber forensic support.
California wants to stop hackers from taking control of smart gadgets (MIT Technology Review) A proposed state law would help bolster the security of internet-connected devices, but what’s really needed is federal action.
California may ban terrible default passwords on connected devices (Engadget) A proposed law could force smart device manufacturers to shore up security.
State Cybersecurity Plan to Advise Businesses, Election Administrators (93.1 WIBC) A new state cybersecurity plan hopes to help yo
Litigation, Investigation, and Law Enforcement
Iran vows vengeance after military parade slaughter (Times) Iran furiously condemned Britain and other European countries for “harbouring terrorists” yesterday as it accused the West of orchestrating an attack on a military parade that killed 29 people. A...
Analysis | Who spread disinformation about the MH17 crash? We followed the Twitter trail. (Washington Post) The answer might surprise you.
Senators are asking whether artificial intelligence could violate US civil rights laws (Quartz) Senators are pressuring government agencies to study bias in artificial intelligence.
Facebook faces sanctions if it drags its feet on data transparency (Naked Security) The EU justice commissioner said she’s out of patience. Also, she quit Facebook because it’s a “channel of dirt.”
Why was Equifax fined for 2017 cyber attack? (Evening Standard) Credit reference agency Equifax has been fined £500,000 for failing to protect people's personal information during a 2017 cyber attack. Up to 15 million Brits had their personal information compromised in the attack, but the company said the breach would not have put consumers at risk.
Blockchain Used to Track Down DNC Email Hackers (CoinCentral) The bitcoin blockchain was used to track down the Russian DNC hacker group.
Trump walks back his plan to declassify Russia probe documents (Washington Post) President says Justice Dept. and others convinced him to change course
Trump Aide Taps 'Fastest Growing' Boutique in DNC's Russia Interference Case (New York Law Journal) For Pierce Bainbridge Beck Price & Hecht—which aims to beat firms like Quinn Emanuel at their own game—client George Papadopoulos is the firm's first foray into the legal drama surrounding Russia and the election of President Donald Trump.
Cybercrime police in Vizag alert citizens about fake sellers in OLX (Yo Vizag) Considering the rise in cybercrime activities, the Vizag Cyber Police are alerting citizens to be careful while dealing with strangers on the popular buy-and-sell e-platform OLX.
Vote Leave Analytics Firm Hit with GDPR Notice (Infosecurity Magazine) Vote Leave Analytics Firm Hit with GDPR Notice. Another blow for leave campaign
Chinese police arrest 21 over data theft at Alibaba's delivery arm:... (Reuters) Chinese police on Friday arrested 21 suspects in connection with the theft of cu...
Hacker gets 14 years jail time for operating Scan4You malware scanning service (HackRead)
Ecuador wanted to make Julian Assange a diplomat and send him to Moscow (Ars Technica) Reuters: UK's Foreign Office did not accept diplomatic status, so plan was scuttled.
Victims report losing more than £21 million in one year to Computer Software Service fraud (Action Fraud) Action Fraud launches a campaign to warn people about the threat of Computer Software Service fraud, one of the country’s most reported top five frauds.