Cyber Attacks, Threats, and Vulnerabilities
With his internet cut off, Julian Assange steps down as editor of WikiLeaks (TechCrunch) WikiLeaks has a new top dog. Its contentious figurehead and founder, Julian Assange, will step aside, letting former WikiLeaks spokesperson Kristinn Hrafnsson take the reins due to what WikiLeaks calls “extraordinary circumstances” that have seen Assange “held incommunicado.”…
Russia’s Elite Hackers Have a Clever New Trick That's Very Hard to Fix (WIRED) For the first time, a so-called UEFI rootkit has been spotted in the wild. And it appears to come from Russia.
Phorpiex bots target remote access servers to deliver ransomware (Help Net Security) Threat actors are brute-forcing their way into enterprise endpoints: they target remote access servers in an attempt to spread the GandCrab ransomware.
Local-Privilege Escalation Flaw in Linux Kernel Allows Root Access (Threatpost) Researchers said the vulnerability "is very easy to exploit."
Venafi Retail Research: Will Holiday Shoppers be Duped By Look-alike Domains? (Venafi) Venafi research reveals dramatic explosion of illegitimate look-alike domains targeting online retail customers.
Secret Service Warns of Surge in ATM ‘Wiretapping’ Attacks (KrebsOnSecurity) The U.S. Secret Service is warning financial institutions about a recent uptick in a form of ATM skimming that involves cutting cupcake-sized holes in a cash machine and then using a combination of magnets and medical devices to siphon customer account data directly from the card reader inside the ATM.
Mobile password managers vulnerable to phishing apps (Naked Security) Several leading Android-based password managers can be fooled into auto-filling login credentials on behalf of fake phishing apps.
SECURITY: Russian cybersecurity firm drew rare grid warning (E&E News) North American grid regulators share the U.S. government's misgivings about Moscow-based cybersecurity company Kaspersky Lab, according to a confidential alert sent to the power sector last year.
200,000+ MikroTik routers worldwide have been compromised to inject cryptojacking malware (Bad Packets Report) Over the last two months, the Bad Packets LLC team has been monitoring over 80 unique cryptojacking campaigns targeting vulnerable MikroTik routers. The latest statistics available from Censys and …
Sunny Cali goes ballistic, this ransomware is atrocious. Even our IT bill will be something quite ferocious (Register) Stay decrypted, San Diego
British Airways data theft demonstrates need for cross-site scripting restrictions (TechRepublic) A major airline suffered a data breach involving a cross-site scripting attack. Learn how it happened and how you can protect your organization.
COI on SingHealth cyber attack: Server accessed by hackers missed security updates for over a year (The Straits Times) A server exploited by hackers to reach SingHealth's critical system, leading to Singapore's worst data breach in June, had not received the necessary security software updates for more than a year.
Hackers are finding creative ways to target connected medical devices (Help Net Security) Hackers are leveraging error messages from connected medical devices — including radiology, X-ray and other imaging systems — to gain valuable insights.
Someone on Capitol Hill just doxxed Republican Sens. Mike Lee, Orrin Hatch, and Lindsey Graham (Washington Examiner) Somebody working from a House of Representatives office is editing the Wikipedia pages of Republican senators to post what looks like their home addresses.
Hacker Says He'll Attempt to Wipe Out Mark Zuckerberg's Facebook Page—And You Can Watch It Live (Fortune) Self-professed bug bounty-hunter Chang Chi-yuan says he’ll live-stream the effort.
7 Most Prevalent Phishing Subject Lines (Dark Reading) The most popular subject lines crafted to trick targets into opening malicious messages, gleaned from thousands of phishing emails.
Why I’m done with Chrome (A Few Thoughts on Cryptographic Engineering) This blog is mainly reserved for cryptography, and I try to avoid filling it with random “someone is wrong on the Internet” posts. After all, that’s what Twitter is for! But from …
Cyber Trends
Attack Automation and Spray and Pray Posing Bigger Cyber Threat to Organisations (Computer Business Review) Alert Logic took into account over a quarter million verified security incidents from April 2017 to June 2018 for the Critical Watch Report 2018.
An investigation into how cyber ready businesses really are (Help Net Security) The more cyber ready a business becomes, the better its overall business outcomes. Vodafone’s Cyber Ready Barometer notes 48% of cyber ready businesses
Marketplace
'I bought my house with hacking': Meet the ethical hackers getting rich at their keyboards (The Telegraph) At just 15, Ibram Marzouk bought his parents a house with money made finding bugs in websites.
WhatsApp cofounder: “I sold my users’ privacy” (Naked Security) Regretful WhatsApp cofounder Brian Acton has joined the ranks of the Silicon Valley mea-culpa-rati.
SolarWinds, Continuum: Similar Owners, Different MSP Security Strategies (ChannelE2E) SolarWinds MSP & Continuum, both backed by Thoma Bravo private equity, each outline strategies to help MSPs & MSSPs with security operations centers (SOCs). The similarities end there.
Multiven Celebrates €15 Million in ICO Pre-sale Milestone (Markets Insider) PARIS, September 26, 2018 /PRNewswire/ --Multiven, the developer of the world's first blockchain-based marketplace for the global Information Technology (IT...
NetDiligence Announces Strategic Alliance With InfoArmor (PRNewswire) Adds advanced threat intelligence to NetDiligence services
Veriato Names Pete Nourse as CMO (PRNewswire) Veriato, an innovator in actionable user behavior analytics and a global leader in user activity monitoring, has named Pete Nourse as Chief Marketing Officer. Nourse is responsible for Veriato's global marketing initiatives.
Ex-Skyhigh Networks Exec Named CEO Of Container Security Startup (CRN) New StackRox CEO Kamal Shah wants to make sure solution providers can not only handle product fulfillment, but also provide customers with expertise and services through the container deployment and rollout process.
Products, Services, and Solutions
New infosec products of the week: September 28, 2018 (Help Net Security) Chronicle announces VirusTotal Enterprise with greater search and analysis capabilities Chronicle, the cybersecurity subsidiary of Google’s parent company
London-based bank touts safety of new online safety deposit box (The London Free Press) CEO asks London business community to spread word of bank's success
Rsam and Edwards Performance Solutions Partner to Improve Information Assurance and Cybersecurity for Small and Medium Enterprises (Rsam) Rsam, a leader in Governance, Risk Management and Compliance (GRC) solutions and Edwards Performance Solutions today announced a partnership to bring enterprise-caliber cybersecurity risk and compliance capabilities to small and medium organizations.
Microsoft Threat Protection Bundles Multiple Enterprise Security Solutions (Redmondmag) Microsoft Threat Protection, a newly assembled bundle of security solutions for enterprise organizations, was announced this week as part of the ongoing Microsoft Ignite event.
Lockpath Reveals New Risk Management Platform (Database Trends and Applications) Lockpath, a provider of integrated risk management solutions, unveiled a new risk management platform for configuration assessment and asset discovery. The product, Blacklight, allows customers to identify and assess configuration anomalies while maintaining a complete and accurate asset inventory.
Technologies, Techniques, and Standards
Homeland Security Wrestles with Defending a Disappearing Network Perimeter (Nextgov.com) Homeland Security and administration officials are working on an update to the Trusted Internet Connection policy and keeping it tech-agnostic.
Analysis | The Cybersecurity 202: Def Con researchers came to Washington to poke holes in voting machine security (Washington Post) They showcased their new report.
Defcon Voting Village report: bug in one system could “flip Electoral College” (Ars Technica) High-speed tabulator vulnerable to remote attacks, and that's only part of the problem.
Vulnerabilities and architectural considerations in industrial control systems (Help Net Security) The reason SCADA security is so controversial stems primarily from the intense consequences that come from a compromise in this area. In this podcast,
Cryptojacking – coming to a server-laptop-phone near you (and how to stop it) (Naked Security) Cryptomining apps were banned from the Play Store some time ago – but that hasn’t stopped the crooks getting cryptojackers past Google…
Connected car security is improving, researchers say (Help Net Security) The automotive industry has apparently stepped up their game when it comes to improving connected car security, IOActive researchers have found.
10 Tactics For Teaching Cybersecurity Best Practices To Your Whole Company (Forbes) It's not just your tech team that needs to be well-versed in cybersecurity.
Michael Dell: It’s Prime Time For Public Cloud Repatriation (CRN) "Some big shops are giving us numbers that they've spent in the public cloud that are just astronomical," said Craig Manahan, practice manager at RoundTower Technologies.
Data breach risks and prevention for small businesses (TGDaily) 43% of all UK businesses suffered a data breach or attack in the 12 months between April 2017 and April 2018
How Data Security Improves When You Engage Employees in the Process (Dark Reading) When it comes to protecting information, we can all do better. But encouraging a can-do attitude goes a long way toward discouraging users' risky behaviors.
Design and Innovation
Hey Facebook: Quit discouraging people from using 2FA (CSO Online) Facebook is spying on user 2FA phone numbers to target them with ads. A non-trivial percentage of Facebook users will not use two-factor authentication as a result, a net loss to security.
Finally, a fix for the encrypted web’s Achilles’ heel (Naked Security) Everyone knew that SNI needed to be fixed sooner or later, but nobody was quite sure how.
How Egress is doing away with usernames and passwords, and making security frictionless (Computing) Tony Pepper, CEO of Egress, explains what he's doing to make security a help rather than a hindrance, and how his organisation is finding success at the highest levels of government
HMRC's successful blockchain proof-of-concept: the technology's the easy part (Computing) Initial trials 'very successful' says platform architect Richard Mander, but mind the policy gap
Blockchain update: Nick Szabo, inventor of the smart contract, on its evolution (Computing) Smart contracts will be negotiable and customisable,
Legislation, Policy, and Regulation
PM to world leaders: Show strong political resolve to secure cyberspace (Dhaka Tribune) 'Cooperation on cybersecurity between all nations is integral, as the misuse of cyberspace can pose a threat to international peace'
Turkish watchdog RTÜK set to censor internet platforms (Ahval) A by-law which will allow for Turkey’s state-run broadcasting watchdog to censor all internet broadcasting platforms has been approved, left-wing Evrensel daily reported.
The UK is an easy target for cyber-attackers — we must reboot our defences (Evening Standard) It all started with a statue. In late April 2007 the government in Estonia proposed to remove a controversial Soviet war memorial from the capital city Tallinn. Vladimir Putin wasn’t happy about this — it was yet more proof that the tiny country was turning away from Russia and towards the West. What happened next marked a new era in international relations. On April 27 Estonia was hit by a powerful cyber-attack — the first example of such state-sponsored aggression in history.
Trump's election meddling charge against China marks U.S. pressure... (Reuters) President Donald Trump’s accusation of Chinese meddling in upcoming U.S. election...
Trump Accuses China of Meddling in Midterms. It's All About Trade. (Atlantic Council) US President Donald J. Trump accused China of attempting to interfere in the US midterm elections in November at a meeting of the United Nations Security Council (UNSC) in New York on September 26. China does “not want me or [the Republicans] to...
Election Security is National Security (The Cipher Brief) Rob Joyce, Senior Advisor for Cyber Strategy at the National Security Agency writes about election security for The Cipher Brief
A Key to DoD’s Updated Cyber Strategy is at Grassroots (Meritalk) The Department of Defense’s release last week of its upgraded cyber strategy understandably drew attention for its focus on the threats from China and Russia in a re-emerging, artificial intelligence-fueled great power competition reminiscent of the Cold War.
Mattis predicts DoD will one day offer cyber protection to private sector (Fifth Domain) The top Pentagon official is predicting that the US government will offer cyber protection to the private sector and even individuals in light of technological advances.
Cyber Force Fights Training Shortfalls: NSA, IONs, & RIOT (Breaking Defense) The military's new cyberspace force is working to overcome recruiting and retention shortfalls, training bottlenecks, and its dependence on the National Security Agency, officials told the Senate Armed Services Committee yesterday.
DOE Modernization: The Office of Cybersecurity, Energy Security, and Emergency Response - Energy and Commerce Committee (Energy and Commerce Committee) Subcommittee on Energy. Meeting Date: Thursday, September 27, 2018, 10:15 AM, 2322 RHOB
Schatz, Gardner Introduce Legislation To Improve Federal Government's Use Of Artificial Intelligence (Brian Schatz, US Senator for Hawai'i) The official U.S. Senate website of Senator Brian Schatz of Hawaii
NSW govt's first cyber security strategy emerges (CRN Australia) Promises to introduce mandatory incident reporting.
Litigation, Investigation, and Law Enforcement
Dems want briefing on Trump claims of Chinese election meddling (TheHill) Democrats on the House Intelligence Committee have requested a briefing on President Trump’s accusations that China has tried to interfere in the midterm elections.
House Judiciary panel subpoenas McCabe memos, Page surveillance documents (Washington Post) The committee demanded the Justice Department turn over memos that depict the deputy attorney general suggesting recording President Trump.
Google CEO Sundar Pichai will reportedly meet with Republican lawmakers this week (TechCrunch) Google CEO Sundar Pichai will meet in private with Republican lawmakers on Friday to discuss issues including its work in China and alleged political bias, reports the Wall Street Journal. The meeting was organized by House Majority leader Kevin McCarthy, who has accused Google of “controllin…
SEC Charges Firm With Deficient Cybersecurity Procedures (US Securities and Exchange Commission) The Securities and Exchange Commission today announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers.
Here is the SEC complaint against Elon Musk and Tesla (TechCrunch) Update: There’s a live stream of the SEC press conference detailing the complaint: The Securities and Exchange Commission lodged a complaint today against Elon Musk following tweets sent last month by the CEO involving a planned private takeover of the electric car company at $420 a share. Th…
Elon Musk faces possible exit from Tesla after SEC sues over tweets (San Diego Union-Tribune) The Securities and Exchange Commission sued Elon Musk on Thursday, alleging that the Tesla chief's tweets about taking the electric-car company private at $420 a share were "false and misleading" and asking the court to, in effect, force Musk out of Tesla's leadership.
SEC’s Musk Lawsuit Highlights Dangers of Social Media Disclosures (Wall Street Journal) A Securities and Exchange Commission lawsuit against Tesla CEO Elon Musk highlights the compliance challenges companies face in an era of informal, immediate social media discourse.
Estonia sues Gemalto for 152 mln euros over ID card flaws (Reuters) Estonian police are seeking to recover 152 million euros ($178 mln) in a lawsuit...
Robocallers slapped with huge fines for using spoofed phone numbers (Naked Security) One poor woman whose phone number was hijacked by robocallers got several calls a day from irate consumers who thought she was trying to market to them.
Did the NSA snoop on Utahns during the 2002 Games? An attorney drops his lawsuit, says we’ll never find out. (The Salt Lake Tribune) A federal judge Thursday tossed a lawsuit filed by Utahns who allege the government used “blanket” warrantless surveillance of Salt Lake City-area residents and visitors during the 2002 Winter Olympics.
Australian teen who hacked into Apple and stole 90 GB of files avoids jail (The State of Security) An Australian teenager who hacked into Apple's network on multiple occasions over several months, and stole sensitive files, has been told that he will not be imprisoned.