Cyber Attacks, Threats, and Vulnerabilities
Facebook Says 50M User Accounts Affected by Security Breach (SecurityWeek) Facebook said hackers exploited its "View As" feature, which lets people see what their profiles look like to someone else.
The Facebook Security Meltdown Exposes Way More Sites Than Facebook (WIRED) The social networking giant confirmed Friday that sites you use Facebook to login to could have been accessed as a result of its massive breach.
Everything We Know About Facebook's Massive Security Breach (WIRED) Up to 50 million Facebook users were affected—and possibly 40 million more—when hackers compromised the social network's systems.
Facebook Finds Security Flaw Affecting Almost 50 Million Accounts (Wall Street Journal) Facebook discovered a security flaw affecting almost 50 million accounts, the company said Friday. A problem in its code allowed outsiders to take over users’ accounts.
Facebook’s worst security breach hammers user trust again as 50 million accounts affected (The Indian Express) Facebook Security Breach: A hacker -- or hackers, as Facebook doesn’t know the number -- exploited several software bugs at once to obtain login access to as many as 50 million account
The terrible truth is that there's no escape from the Facebook data vortex (The Telegraph) How bad is the latest Facebook data breach?
Two reasons to reconsider your Facebook membership (Graham Cluley) It's been a bad week for Facebook and its billion-plus users. Not only was it revealed that millions of users had their accounts exposed by a vulnerability, but the site has been up to dirty tricks with mobile phone numbers you gave them to supposedly enhance your security.
You gave your number to Facebook for security and it used it for ads (Naked Security) Facebook has been adding phone numbers registered for 2FA to the other data it uses to target people with advertising.
Until data is misused, Facebook’s breach will be forgotten (TechCrunch) We cared about Cambridge Analytica because it could have helped elect Trump. We ignored LocationSmart because even the though the company was selling and exposing the real-time GPS coordinates of our phones, it was never clear exactly if or how that data was misused. This idea, that privacy issues …
Industry Leaders Reaction on Recent Facebook Hack (Information Security Buzz) It is being reported that Facebook said an attack on its computer network led to the exposure of information from nearly 50 million of its users. The company discovered the breach earlier this week, finding that attackers had exploited a feature in Facebook’s code that allowed them to take over user accounts. Facebook fixed the vulnerability and notified law enforcement officials. More …
Evidence Indicates China Set to Target US Elections (VOA) Even before accusations from President Trump, intelligence officials were worried Beijing was setting its cyber weapons to 'meddle'
Decline in Chinese cyberattacks against U.S. suggests attacks getting more efficient (SC Media) Trump might still be blaming China for interfering with U.S. elections at the UN, but there are other issues he should be worried about ...
Russians stealthy 'LoJax' malware can infect on the firmware level (Cyberscoop) ESET says that this is the first instance of a successful UEFI rootkit seen in the wild.
Things That One Needs to Know about Qatar’s Cyber Espionage Campaign in the United States (The Crystal Eyes) Based on some legal documents and technical reports from former CIA operatives, it has been found that Qatar not only hacked the accounts of over 1200 Americans, it also hacked the accounts of Arab leaders, European counterterrorism officials, Bollywood actresses, …
UK Conservative Party conference app leaks MPs' personal details (ZDNet) MP members received prank calls, had their phone numbers and email addresses shared online.
Hackers Are Holding High Profile Instagram Accounts Hostage (Motherboard) Hackers have hijacked the accounts of at least four high profile Instagrammers recently, locking them out and demanding a bitcoin ransom. But Instagram is silent.
Notorious Hackers Serve SpicyOmelette to Unsuspecting Victims (SecurityWeek) The financially-motivated "Cobalt" hackers have been establishing a foothold onto victim machines using a JavaScript remote access Trojan called SpicyOmelette, Secureworks says.
Meet Torii, a Stealthy, Versatile and Highly Persistent IoT Botnet (SecurityWeek) Torii is a stealthy Internet of Things (IoT) botnet written in Go that could be easily recompiled to run on virtually any architecture to serve as backdoor or a service to orchestrate multiple machines.
New Torii Botnet uncovered, more sophisticated than Mirai (Avast) Research by the Avast threat intelligence team reveals details about new botnet targeting IoT devices
Linux kernel 'give me root, now' security hole sighted, dubbed 'Mutagen Astronomy' (Register) Red Hat Enterprise and CentOS users at risk
Hide 'N Seek IoT Botnet Now Targets Android Devices (SecurityWeek) The Hide ‘N Seek Internet of Things (IoT) botnet is now capable of infecting devices running Android, including smart TVs, DVRs and any other device that has ADB over Wi-Fi enabled.
Phishing campaign targets developers of Chrome extensions (ZDNet) If the campaign was successful, we should expect new cases of hacked extensions used to infect users.
Android password managers vulnerable to phishing apps (Naked Security) Several leading Android-based password managers can be fooled into auto-filling login credentials on behalf of fake phishing apps.
New Malware-as-a-Service Threat Targets Android Phones (Security Intelligence) Security researchers discovered a new malware-as-a-service offering designed to enable cybercriminals to infect Android phones and block users from running security solutions on their devices.
Dark Web Azorult Generator Offers Free Binaries to Cybercrooks (Threatpost) The Gazorp online builder makes it easy to start stealing passwords, credit-card information, cryptocurrency wallet data and more.
Hackers Are Selling Botnets and Stolen ‘Fortnite’ Accounts Over Instagram (Motherboard) As hacking and gaming communities continue to intersect, some hackers are selling access to botnets and likely stolen Fortnite, Spotify, and other online accounts on Instagram.
No Patches for Critical Flaws in Fuji Electric Servo System, Drives (SecurityWeek) Critical vulnerabilities affecting Fuji Electric servo systems and drives have been disclosed, but patches are not available
Voice Phishing Scams Are Getting More Clever (KrebsOnSecurity) Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams.
Bitcoin [BTC] demanded as ransom after cyber-attack on Port of San Diego (AMBCrypto) The Port of San Diego was recently hit with a cybersecurity attack, which led to the involvement of the Federal Bureau of Investigation [FBI] and the Department of Homeland Security [DHS]. Their systems were hit with a ransomware attack, which led to the attackers asking for their ransom in Bitcoin [BTC]. While how much money […]
DoorDash Customers Possibly Suffered Credential Stuffing Attack (Latest Hacking News) Online food delivering platform DoorDash urges users to reset passwords after several DoorDash customers possibly suffered credential stuffing attacks.
How hackers use Twitter to infiltrate millions of devices (http://socialbarrel.com) How hackers use Twitter to infiltrate millions of devices. Duo researchers found that a huge Twitter botnet was created to spread giveaway scams.
Hacker vows to delete Mark Zuckerberg’s Facebook account; reports it for bounty instead (HackRead) Follow us on Twitter @HackRead
Security Patches, Mitigations, and Software Updates
Monero fixes major ‘burning bug’ flaw, preventing mass devaluation (Naked Security) The flaw arises from the use of stealth wallet addresses, an anonymity concept that’s especially important to privacy-sensitive Monero users.
Cyber Trends
Half of data breaches are the fault of insiders, not hackers, research finds (Computing) Panel urges companies to avoid euphemisms and acknowledge when they've been breached - or risk being fined,
Big U.S. Banks Face Increase in Attempted Cyberattacks (Wall Street Journal) Some large U.S. banks have seen an uptick in attempted cyberattacks in recent weeks, according to people familiar with the matter, at a time when federal officials are stepping up warnings to banks about cyberthreats.
Organizations need to shift strategies, adopt a proactive approach to cybersecurity (Help Net Security) The cybersecurity market has reached a point whereby organisations need to shift their strategies and have a new, proactive approach to cybersecurity.
Marketplace
DOD has lost 4,000 civilian cyber workers in the past year (Defense Systems) The Defense Department looks to targeted recruiting and bonuses to check the loss of cyber workers as it expands the Cyber Excepted Service Personnel System.
DOD struggles with loss of cyber personnel (FCW) The Defense Department looks to targeted recruiting and bonuses to check the loss of cyber workers as it expands the Cyber Excepted Service Personnel System.
Army wants to change its cyber training to beef up ranks (FederalNewsRadio.com) The military is facing a shortage in cyber talent and the Army is considering changing the way it trains its cyber soldiers to deal with the shortfall.
Berners-Lee launches startup to commercialise his Solid decentralised web project (Computing) New startup to drive adoption of decentralised web project aimed at passing control from tech giants to users.
Another fund? This cyber startup exec aims to raise up to $150M. (Washington Business Journal) Kumo Capital Partners, led by Virgil exec Dmitry Dain, has a listed ceiling of $150 million.
Iron Bow Partners with H.I.G. Capital to Accelerate Growth (Odessa American) Iron Bow Technologies, an IT solution provider serving government, commercial and healthcare clients, today announced an equity partnership with H.I.G. Capital, a leading global private equity investment firm. The partnership will accelerate Iron Bow’s rapid growth in prospective markets across the public and private sectors.
Exclusive: Cisco, Duo Execs Share Plans for the Future (Dark Reading) Cisco's Gee Rittenhouse and Duo's Dug Song offer ideas and goals for the merged companies as Duo folds under the Cisco umbrella.
KnowBe4 Names Seasoned Finance and Tech Executive Krish Venkataraman as CFO to Support the Company's Rapid Growth Strategy (PR Newswire) KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, today ...
Products, Services, and Solutions
Booz Allen Launches a New Mobility Technology District Defend (ReadITQuik) Booz Allen Hamilton recently announced the availability of District Defend, a new mobility technology that utilizes proprietary security protocols to render the management of mobile devices
KnowBe4 Introduces Domain Doppelgänger to Help Brands Identify Malicious, Fake Web Domains (Globe Newswire) Look-alike domains pose threats for phishing and other social engineering attacks
Cybint establishes the Italian Cybersecurity Center with local partners to deliver cyber education solutions to organizations and professionals in Italy (PR Newswire) Global cyber education leader Cybint, a BARBRI company, is expanding its presence and offerings in Italy through its...
ESET launches cloud-based security management solution for SMBs (BetaNews) Smaller businesses are not immune to cyber security threats, but they often don't have the budgets or staffing resources to deal with them.
ERP Maestro Launches Free, First of Its Kind Access Risks Tool for Companies Using SAP® ERP (Markets Inside) PLANTATION, Fla., Oct. 1, 2018 /PRNewswire/ -- ERP Maestro, provider of automated and cloud-based controls for access, security and GRC, announces today the...
Web security podcasts we are currently listening to (Detectify Blog) Here is a list of web security podcasts we are listening to now. These podcasts cover cybersecurity tips, hacker stories, defense/offensive security, etc.
Sectra Tiger to protect NATO secrets from eavesdropping (Cision) Sectra Tiger/S 7401
Technologies, Techniques, and Standards
When Good Apps Go Bad: Protecting Your Data Through App Permissions (SecurityWeek.Com) By paying just a bit more attention to the permissions you are allowing on your phone or computer, you could protect yourself from a much more significant headache down the road.
6 security tips for freelancers (Kaspersky) Freelancers are beloved targets for cybercriminals, who use phishing and malware to steal credentials and money. Here’s how to avoid their traps and stay safe.
Two-factor authentication vs. Two-step verification – you’ve probably missed this tiny difference (TechRadar) Add a second layer of defense to your accounts online with two-factor authentication or two-step verification
4 Traits of a Cyber-Resilient Culture (Dark Reading) Companies with a solid track record of cybersecurity share these practices and characteristics.
Building a Cybersecurity Culture in the Campaign Space (Campaigns and Elections) It’s a stark reality for campaigns: the threat of a cybersecurity breach is ever present, and that means the need to embrace better security protocols from top to bottom.
Crowdstrike CTO on securing the endpoint and responding to a breach (Information Age) Dmitri Alperovitch, co-founder and CTO of Crowdstrike, shares his views on securing the endpoint and responding to a data breach
Reputational Risk and Third-Party Validation (BankInfo Security) Third-party ratings are increasingly popular as a means of selecting cybersecurity vendors. But Ryan Davis at CA Veracode also uses BitSight's ratings as a means of
Shouldn’t Sharing Cyber Threat Information Be Easy? | CyberDB (CyberDB) A recent article revealed that the United States government has gotten better at providing unclassified cyber threat information to the private sector.
Ivanti Offers Six Security Tips for Cybersecurity Awareness Month | Markets Insider (markets.businessinsider.com) Ivanti, the company that unifies IT to better manage and secure the digital workplace, today announced top cybe...
Design and Innovation
The web is broken, so its founder is taking another stab at it (Quartz) Tim Berners-Lee has a new venture.
Sainsbury's lead architect: 'The next time somebody mentions AI ask them what they're really talking about (Computing) 'AI is a meaningless term, it doesn't say anything about anything.
Here's how Apple, Google, and Microsoft can stop robocalls (ZDNet) In the war against telephone spam, only superior firepower will win. But it will require cooperation between the competing tech superpowers and their clouds in order to do it.
Research and Development
To Break a Hate-Speech Algorithm, Try 'Love' (WIRED) Companies like Facebook use artificial intelligence to try to detect hate speech, but new research proves it’s a daunting task.
Are we speeding towards AI consciousness? (Computing) Jeff NG, Chief Scientist, Founders Factory, explains recent developments paving the way to AI consciousness and why it is important to our world's future
Legislation, Policy, and Regulation
In Cyberspace, Governments Don’t Know How to Count (Defense One) NATO’s governments can’t agree on what constitutes a cyber attack, and that’s a big problem.
It’s a new era for cyber operations, but questions remain (Fifth Domain) Despite praising new offensive cyber authorities, officials are still unclear how the process will work exactly.
U.S. Vows To Go On Cyber Offense (Forbes) The U.S. vows to go on offense against cyber attackers. But experts say this is not a major change - it just applies conventional policy on conflict and espionage to the online world.
The US cyberspace commission is taking shape ... slowly (Fifth Domain) A new bipartisan commission may finally develop a United States cyberspace doctrine.
Why the government will publicly name the hackers who attack the US (Fifth Domain) The United States could begin attributing cyber incidents publicly with more frequency.
NZ and Canada decline to jump on the Huawei banned wagon (Telecoms.com) Despite the current fashion for banning Huawei among US allies, New Zealand and Canada have both indicated they may not play ball.
Analysis | The Cybersecurity 202: Facebook hack compounds the company's woes in Washington (Washington Post) Lawmakers are already calling for action.
Congress falls flat on election security as midterms near (TheHill) Congress has failed to pass any legislation to secure U.S. voting systems in the two years since Russia interfered in the 2016 election, a troubling setback with the midterms less than six weeks away.
Electric industry, government work together to enhance grid cybersecurity (Daily Energy Insider) As protecting critical infrastructure from cyberattacks has become a national priority, the electric power industry and U.S. government agencies have strengthened their partnership in order to better tackle energy grid cybersecurity.© Shutterstock Just as a ...
Justice Department Hosts Cybersecurity Industry Roundtable (US Department of Justice) The Justice Department’s Criminal Division hosted a cybersecurity roundtable discussion yesterday on the challenges in handling data breach investigations.
Sri Lanka’s cyber security strategy: Open for public comments soon (Sunday Observer) The much anticipated cyber security strategy for the country will be open for public comments within a couple of weeks, a senior official of ICTA told the gathering at the Organisation of Professional Associations of Sri Lanka (OPA) conference in Colombo last week.ICT Agency of Sri Lanka Director and Legal Advisor Jayantha Fernando said the cyber strategy will be available for public comment within the next couple of weeks and added that the draft strategy was presented to the Cabinet two weeks an ago.
Litigation, Investigation, and Law Enforcement
Facebook Scrabbles to Provide Breach Info to Regulators (Infosecurity Magazine) Experts point to potential nation state involvement
MPs demand answer from Facebook boss over hack shock (The Telegraph) MPs have demanded that Mark Zuckerberg travels to the UK to face questions about his “terrible disrespect” for the data of citizens, following last week’s data breach at Facebook that resulted in 50 million user accounts being exposed to hackers.
Facebook Faces Potential $1.63 Billion Fine in Europe Over Data Breach (Wall Street Journal) A European Union privacy watchdog could fine Facebook as much as $1.63 billion for a data breach in which hackers compromised the accounts of over 50 million users.
EU Lawmakers Push for Cybersecurity, Data Audit of Facebook (SecurityWeek) European Union lawmakers appear set this month to demand audits of Facebook by Europe's cybersecurity agency and data protection authority in the wake of the Cambridge Analytica scandal.
Ottawa teams with brain injury experts as it probes mystery attacks on Canadian diplomats in Cuba (Star) The federal government has partnered with a brain injury centre in Nova Scotia in its search for what has caused health problems among Canadian and American diplomats based in Havana as speculation swirls they may have been the targets of a microwave weapon.
Feds Force Suspect To Unlock An Apple iPhone X With Their Face (Forbes) Cops tell a child abuse suspect to unlock their iPhone with their face. It's the first time since the iPhone X launched that any cop has used Face ID to force an iOS device open.
Facebook wins court battle over law enforcement access to encrypted phone calls (Washington Post) The ruling is a setback to the Justice Department and a victory for tech firms.
Trump Administration Sues Over California Net Neutrality Law (Wall Street Journal) Gov. Jerry Brown on Sunday signed a bill reinstating Obama-era open-internet rules in California.
Calif. enacts net neutrality law—US gov’t immediately sues to block it (Ars Technica) Justice Department sues California—Ajit Pai called state rules "illegal."
Tesla's Musk Facing SEC Charges Over Tweets About Taking Company Private | New York Law Journal (New York Law Journal) On top of monetary penalties regulators from the SEC are seeking to have Musk banned from serving as an officer or board member of a publicly traded company.
Judge finds Apple infringes on Qualcomm patent but declines to block iPhone imports (San Diego Union Tribune) A U.S. International Trade Commission judge finds patent infringement but recommends against blocking the sale of certain iPhone 7 models.
Man Sentenced to Prison for ATM Jackpotting (SecurityWeek) A 22-year-old man from Massachusetts has been sentenced to one year and one day in prison for his role in an ATM jackpotting scheme
Sydney couple allegedly used cryptocurrency to launder fraud proceeds (Computerworld) A Sydney couple allegedly used cryptocurrency to help launder the proceeds of credit card fraud.
How Dirty Money Disappears Into the Black Hole of Cryptocurrency
(Wall Street Journal) A Wall Street Journal investigation documents millions of dollars in suspicious trades through ShapeShift, a company backed by mainstream venture capitalists.