Cyber Attacks, Threats, and Vulnerabilities
UK, US Security Agencies Deny Investigating Chinese Spy Chips (SecurityWeek) The US Department of Homeland Security and the UK National Cyber Security Centre deny investigating the presence of Chinse spy chips in Supermicro servers
Super Micro China super spy chip super scandal: US Homeland Security, UK spies back Amazon, Apple denials (Register) Officials: Not saying Bloomberg was wrong, we just believe biz saying Bloomberg was wrong
Statement from DHS Press Secretary on Recent Media Reports of Potential Supply Chain Compromise (Department of Homeland Security) Statement from Press Secretary Tyler Houlton on recent media reports of a potential supply chain compromise.
Read Apple’s letter to Congress denying spy chip report (The Verge) The letter is penned to some of Congress’s top tech watchdogs following the explosive Bloomberg report last week
Risky Business Feature: Named source in "The Big Hack" has doubts about the story (Risky Business) Risky Business Feature: Named source in
Why I don’t believe Bloomberg’s Chinese spy chip report (CSO Online) China can and has stolen the information it wants from US companies without using secretly embedded hardware, so why would it jeopardize its massive semiconductor industry?
The biggest cybersecurity threat you never thought that much about is the factory (Marketplace from APM) Why it's so hard to lock down the supply chain that makes our electronics.
Russian Hackers Are Trying To Interfere In Brazilian Elections, Cybersecurity Firm Says (Folha de S.Paulo) Russian hackers tried to interfere in the Brazilian elections using social media to artificially amplify discussions that questioned democracy in Brazil and other topics connected to the presidential run. Moscow's activities were discovered by cybersecurity firm FireEye, a company that usually
Primary season cyberattacks illuminate campaign vulnerabilities (TheHill) The spotlight on cyber vulnerabilities of political campaigns has grown brighter after three Democratic campaigns in California were hacked during the state’s primary elections.
Researchers: No Evidence That Russia Is Messing With Campaign 2018—Yet (The Daily Beast) By the first week of October 2016, Russia’s pawprints were all over the presidential race. Not this year, researchers say.
Trump says China is meddling in our elections. Cyber firms disagree (POLITICO) Beijing is still involved in cyberattacks against other targets, they say.
Google Exposed User Data, Feared Repercussions of Disclosing to Public (Wall Street Journal) Google exposed the private data of hundreds of thousands of users of the Google+ social network, though it didn’t find evidence of misuse. The company opted not to disclose the issue this past spring, in part because of fears doing so would draw regulatory scrutiny.
RIP Google+. We Hardly Knew Ye. (Wall Street Journal) Few tears were shed Monday over the death of Google+, the search giant’s oft-derided effort at challenging Facebook in social media.
Google Criticizes Apple Over Safari Security, Flaw Disclosures (SecurityWeek) One year after Google Project Zero released its Domato fuzzer as open source, the tool still finds a significant number of vulnerabilities in Apple's Safari
Shedding Skin – Turla’s Fresh Faces (Securelist) Turla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an “ultra complex” snake rootkit focused on NATO-related targets, but their malware set and activity is much broader. Our current focus is on more recent and upcoming activity from this APT.
Germany calls on Russia to halt campaign of cyberattacks (AP News) Germany has become the latest European country to blame the Russian military for a worldwide campaign of cyberattacks against sports organizations, businesses and ...
Latvia says Russia targeted its foreign and defense bodies with cyber attacks (Reuters) Russia has carried out cyber attacks on Latvia's foreign and defense appara...
Denmark Reportedly Calls for Attacking Russia in Cyberspace (Sputnik) Earlier this week, the US and the Netherlands accused Russian intelligence services of cyberattacks against different international organizations, including the Organisation for the Prohibition of Chemical Weapons, anti-doping agencies and sports federations. Moscow responded by saying about Western governments' "spy mania."
Russia slams US over cyber attack claims (euronews) Kremlin accuses Washington of taking a "dangerous path"
Russia dismisses suspected spy actions as routine Dutch trip (AP News) Russia's foreign minister on Monday dismissed accusations made in the Netherlands against suspected Russian spies, saying they were intended to distract public attention...
Moscow to summon Dutch envoy over cyber-attack claim (RTE.ie) The Russian foreign ministry was to summon the Dutch ambassador today after the Netherlands said it had foiled a cyber attack by Russians, state news agencies reported.
Russian spies in new humiliation as hundreds of GRU agents' names found online (The Telegraph) Russia's GRU spy agency has suffered a new humiliation after a list of over 300 names of suspected agents was discovered online.
Russia is Winning the Information War in Iraq and Syria: UK General (Defense One) Moscow is “better than us” in using social media to shape the strategic landscape, says a former deputy commander of the West’s anti-ISIS coalition.
Why the Department of Energy is worried about turbine hacking (Fifth Domain) Hackers are taking aim at America's power grid, making renewable energy infrastructure such as wind turbines an increasingly tantalizing target.
Fact Sheet: DOE Award Selections for the Research, Development, and Demonstration of Next-Generation Cybersecurity Tools and Technologies for Critical Energy Infrastructure (US Department of Energy) On October 1, 2018, the Department of Energy (DOE) announced the award of up to $28 million to support the research, development, and demonstration (RD&D) of next-generation tools and technologies that will improve the cybersecurity and resilience of the Nation's energy critical infrastructure, including the electric grid and oil and natural gas infrastructure.
Code Execution Flaws Found in WECON Industrial Products (SecurityWeek) Many vulnerabilities, including serious flaws that allow arbitrary code execution, found recently in ICS products from China-based Wecon
Five Trends in Attacks on Industrial Control Systems (eWEEK) Attacks on industrial control systems are up, according to Kaspersky and Symantec. Yet, there are specific trends in the attack data: Developing countries are being hit harder than Western Europe and the United States; most attacks come via the internet, removable drives or email; and between 1 and 4 percent of IC systems are attacked by cryptocurrency malware each month.
DHS Warns of Cybersecurity Threats to Agriculture Industry (BleepingComputer) A new report from the U.S. Department of Homeland Security called Threats to Precision Agriculture warns against the cybersecurity risks faced by the emerging technologies being adopted by the agricultural industry.
North Korea is the most destructive cyber threat right now: FireEye (ZDNet) DPRK hackers are cybering every way they can, and according to FireEye their destructiveness and unpredictability makes them dangerous.
FBI ATM Warning: What Banks Need to Know (PaymentsJournal) A recent warning issued to banks by the FBI reads like the script for a Hollywood movie: cybercriminals are plotting
Silence: Moving into the Darkside (Group-IB) Group-IB has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group's activity in more than 25 countries worldwide.
A 'Scarily Simple' Bug Put Millions of Cox Communications Customer Accounts at Risk (WIRED) The most straightforward insecurities can sometimes be the riskiest.
Experian credit freeze flaw may have revealed your PIN to fraudsters (USA TODAY) The credit bureau’s process to retrieve a PIN that safeguards a frozen Experian credit report had a security defect that's since been fixed.
PoC Attack Escalates MikroTik Router Bug to 'As Bad As It Gets' (Threatpost) Researchers say a medium severity bug should now be rated critical because of a new hack technique that allows for remote code execution on MikroTik edge and consumer routers.
Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware (BleepingComputer) The Fallout Exploit has been distributing the GandCrab Ransomware for the past few weeks, but has now switched its payload to the Kraken Cryptor Ransomware.
Attackers use voicemail hack to steal WhatsApp accounts (Naked Security) The Israeli National Cybersecurity Authority issued an alert warning that WhatsApp users could lose control of their accounts.
Chrome Extension Devs Use Sneaky Landing Pages after Google Bans Inline Installs (BleepingComputer) Distributors of unwanted Chrome extensions are coming up with new, sneaky, and simple methods to trick users into installing their extensions now that Google has banned inline installs.
Hackers target the Queensland government with online attacks (Canberra Times) Cyber security experts blocked almost 20 denial of service attacks targeting the Queensland government last year.
Security Patches, Mitigations, and Software Updates
Data-deletion bug forces Microsoft to suspend rollout of Windows 10 update (Ars Technica) The bug had been reported by insiders, but it looks like nothing was done about it.
Git Project Patches Remote Code Execution Vulnerability in Git (BleepingComputer) The Git Project announced yesterday a critical arbitrary code execution vulnerability in the Git command line client, Git Desktop, and Atom that could allow malicious repositories to remotely execute commands on a vulnerable machine.
Apple fixes iOS 12 passcode bypass vulnerabilities (Help Net Security) Apple has released security updates to address a number of vulnerabilities in iCloud for Windows and two iOS 12 passcode bypass bugs.
VMware, Apache, Mozilla push out patches (SC Magazine) A series of patches and updates were issued by VMware, Mozilla and Apache to patch critical and moderately rated vulnerabilities.
Cyber Trends
Cryptomining Dethrones Ransomware as Top Threat in 2018 According to Webroot’s Mid-Year Threat Report Update (Webroot) Also, Phishing Attempts Seen by Webroot Increased by More Than 60 percent
Marketplace
Analysis | The Cybersecurity 202: Google faces calls for privacy legislation, FTC probe after exposing user data (Washington Post) Its secrecy could get them in the most trouble.
Google's Privacy Whiplash Shows Big Tech's Inherent Contradictions (WIRED) Google announced on Monday that it is shuttering its Google+ social network, following revelations in a Wall Street Journal report that the company did not disclose a recently discovered bug that had exposed data from up to 500,000 Google+ users users since 2015.
Managed security services a sweet spot for service providers—report (Fierce Telecom) With security concerns continuing unabated, carriers stand to make a tidy profit in delivering managed security solutions to their customers.
India invites Huawei for 5G trials despite security concerns (TelecomLead) India Government has invited Huawei, the largest telecom equipment maker, for conducting the 5G trials in the country. India aims to conduct 5G spectrum auction towards the end of 2019 due to weak financial conditions of the telecom industry.
Durchbruch: Senat gibt grünes Licht für Siemens-Campus (Berliner Morgenpost) Konzept innerhalb kurzer Zeit erarbeitet. Nun muss der Konzern über das 600-Millionen-Projekt entscheiden
BluVector's quiet win speaks plenty about cyber opportunity (Washington Technology) BluVector is coy about a recent contract win but even without details the deal says plenty about where the government is in need of cybersecurity support.
Leaving the NYSE was 'best decision yet,' Barracuda CEO says (Silicon Valley Business Journal) BJ Jenkins discusses what security investors and executives can learn from Barracuda's success going private, and how Campbell is a hotbed for talent.
NSA whistleblowers come out of retirement to launch data intelligence startup - StartUp Beat (StartUp Beat) If you’re looking for an ordinary story of Silicon Valley startup founders, then keep looking, because Bill Binney ...
How Maryland’s Cybrary Turned a Mechanic into a Cybersecurity Analyst in 3 Months (DC Inno) A career change can be daunting, but for Gabrielle Hempel, it only took a few months.
Akamai Opens Its Second Largest Facility in the World, in Bengaluru (NDTV Gadgets360.com) It would house more than 2,000 employees over the next few years
Products, Services, and Solutions
GlobalPlatform enhances Secure Element deployment for payment-enabled wearables (GlobalPlatform) New configuration supports financial services sector to manage multiple applications including payment, access control and transport ticketing
Polyverse Partners with Soliton to Expand into Japanese Cybersecurity Market (Polyverse) Polyverse Corporation has expanded into the Japanese cybersecurity market through a distribution partnership with Soliton Solutions, K.K., a leading Japanese technology company serving industries across the globe.
New AT&T Alliance Introduces Affordable Cybersecurity Insurance for Businesses (AT&T) In partnership with industry leaders Lockton and CNA, AT&T will help make broad cyber insurance policies and cybersecurity solutions available to small and midsize businesses.
Technologies, Techniques, and Standards
Trump administration tackles pipeline cybersecurity (Utility Dive) The U.S. Department of Energy and the Department of Homeland Security this week co-chaired a meeting with the oil and gas industry to address how pipelines can be protected from cyberattacks.
NHS Digital to ignore IT security recommendations despite WannaCry (Computing) £1bn estimated cost not considered worth it, despite ongoing attacks targeting NHS data
Researchers Call for a Shared Dark Web Taxonomy (Infosecurity Magazine) Researchers Call for a Shared Dark Web Taxonomy. Terbium Labs argues that current reports on pricing are inconsistent and misleading
How to Protect Against Software Supply Chain Attacks (OPSWAT) Cyber security solutions to identify, detect, and remediate advanced security threats from data and devices coming into and out of enterprise networks.
Cybersecurity disclosure benchmarking (EY) EY explores how various types of governance stakeholders have expressed interest in the ways companies guard against and respond to cybersecurity incidents.
How Can Brick-and-Mortar Retailers Make Payment Acceptance Work for Them? (Rambus) Retailers are racing to deliver engaging and experiential buying experiences to differentiate themselves from the competition.
Design and Innovation
Hey Alexa, asks BlackBerry: Want to learn security? (CRN Australia) In talks with Amazon to add authentication smarts to speakers.
Research and Development
Catching hackers in the act (Santa Fe New Mexican) At Los Alamos National Laboratory, where some of the nation’s most precious secrets are kept, we’re not only working to guard our own information; we’re also developing tools to help
China's tech giants spending more on AI than Silicon Valley (The Telegraph) China’s biggest tech companies have overtaken the giants of Silicon Valley in the race to invest in artificial intelligence and machine learning this year, according to new research for The Daily Telegraph.
New patent for cybersecurity firm LogRhythm (BizWest) LogRhythm, a Boulder-based cybersecurity firm, was granted a new U.S. patent.
Graduate Student Solves Quantum Verification Problem (Quanta Magazine) Urmila Mahadev spent eight years in graduate school solving one of the most basic questions in quantum computation: How do you know whether a quantum computer has done anything quantum at all?
Academia
Norwich University kicks off Cybersecurity Awareness Month, public presentations (VTDigger) Norwich University officials kicked off Cybersecurity Awareness Month, with a presidential declaration proclaiming Norwich University’s participation in the national campaign and information on a public speaker series along with other activities. Each Thursday, guest …
Legislation, Policy, and Regulation
Russia's Hackers Long Tied to Military, Secret Services (SecurityWeek) The skills of Russian hackers today developed from a tradition of excellent computing and programming skills dating back to the Soviet era.
EU, NATO will need to do more to confront Russia in cyberspace - expert (UKRINFORM) The EU and NATO have over the last few years stepped up strategic interaction in countering Russia's cyberattacks, but they need more capabilities to strengthen steadfastness.
UK war-games cyber attack on Moscow (Times) Defence chiefs have war-gamed a massive cyber-strike to black out Moscow if Vladimir Putin launches a military attack on the West, after concluding that the only other way of hitting back would be...
Trump’s Looser Reins on Offensive Cyber Get Positive Reviews from Army (Nextgov.com) Trump rescinded Obama-era rules that required White House sign off for most offensive cyber operations.
State Department needs a makeover for the digital age (TheHill) To be credible and effective, the State Department needs a top “digital diplomat” with the rank of ambassador.
Silicon Valley congressman unveils an Internet Bill of Rights (Washington Post) A list of consumer protection calls for network neutrality, consumer choice for Internet service providers, greater transparency into data collection practices and opt-in consent.
California’s IoT Security Law – Will this Law Really Improve Security? (cyber/data/privacy insights) California’s legislature recently passed SB-327, which is designed to require Internet of Things (IoT) and other “connected device” manufacturers to implement security features into internet connec…
Former NSA deputy is Mattis’s leading choice to head the spy service if it splits from Cyber Command (Washington Post) Senior officials are still debating whether Cybercom is ready to stand on its own.
Cybercrime and cybersecurity surveys reveal important answers (WeLiveSecurity) Public support for efforts to reduce negative incidents in cyberspace is critical to society’s efforts to preserve the benefits of digital technologies. By having regular surveys on cybercrime and cybersecurity we can better gauge public opinion in relation to the topic.
Analysis | The Cybersecurity 202: California's new Internet of Things law only protects against a small portion of cyberthreats (Washington Post) It's a step forward. But an elementary step.
What New Calif. Law Means For Connected Medical Devices (Law360) Last month, California passed the first-ever state legislation aimed at regulating "internet of things" devices. The new law restricts liability to manufacturers of physical hardware — drawing a narrower line than the U.S. Food and Drug Administration's previous guidance, say Michael Buchanan and Michelle Bufano of Patterson Belknap Webb & Tyler LLP.
How state governments bolster cybersecurity (GCN) States are strengthening their election infrastructure, institutionalizing threat information sharing and implementing software-defined access solutions.
How the Army Cyber Center of Excellence fits into the high-tech battlefield (C4ISRNET) Maj. Gen. John Morrison, the commanding general of Fort Gordon, talks about the Army's role in the cyber mission force, training electronic warfare officers and more.
Litigation, Investigation, and Law Enforcement
Mass lawsuit against Google over data collection thrown out (Computing) 'Google You Own Us' legal action had claimed that Google collects a vast range of private and personal information about individuals
Military doctor named as second novichok spy (Times) The second suspect in the Salisbury poisoning was unmasked last night as a military doctor working for Russian intelligence. Alexander Yevgenyevich Mishkin, 39, allegedly travelled to Britain in...
Investigators fail to ascertain at what price FSB's Centre for Information Security officers sell homeland (Crime Russia) The case on high treason is brought to trial with no amount of compensation for disclosure of state secrets pointed out.
Sources tell Russian newspaper that FSB agents leaked secret data to the FBI for 10 million dollars (Meduza) The newspaper Kommersant reported on October 5 that former FSB Information Security Center agent Sergey Mikhailov and his three accomplices allegedly received $10 million for giving the FBI classified data about Pavel Vrublevsky, the former head of the payment services company Chronopay.
Staffer who 'doxed' GOP senators faces nearly 50 years in federal prison (Washington Examiner) The former Democratic congressional staffer who posted personal information about Republican senators online faces nearly 50 years in prison.
Rick Gates Sought Online Manipulation Plans From Israeli Intelligence Firm for Trump Campaign (NYTimes) The company pitched plans for fake avatars that would try to persuade Republican delegates to back the Trump campaign over that of Senator Ted Cruz and to gather intelligence on Hillary Clinton.
GOP Operative Secretly Raised at Least $100,000 in Search for Clinton Emails (Wall Street Journal) A veteran Republican operative and opposition researcher solicited and raised at least $100,000 as part of a project to obtain what he believed to be emails stolen from Hillary Clinton, an effort that remains of intense interest to federal investigators.
‘Bob Smith’ was a Black Lives Matter sympathizer with lots of Facebook friends. It turned out he was a white undercover cop. (NBC News) Facebook is teeming with fake accounts created by undercover law enforcement officers. They're against the rules — but cops keep making them anyway.
Jamal Khashoggi's Disappearance Is a Slap in the Face to the United States (Foreign Policy) Washington should explore retaliatory measures that impose real costs on Saudi Crown Prince Mohammed bin Salman.
Man Pleads Guilty to Hacking Websites of New York City Comptroller and West Point (SecurityWeek) Billy Ribeiro Anderson admitted to obtaining unauthorized access to websites and to defacing them by replacing publicly available contents of the website with hacker-generated content.
Silk Road Admin Pleads Guilty (SecurityWeek) Gary Davis of Ireland pled guilty in a United States court to his role in the administration of Silk Road, a black-market website, and now faces up to 20 years in prison.
Navy cyber unit commander fired (Navy Times) The commander was relieved last month after an investigation raised questions about his
Anti-malware patent survives obviousness claims over internet posts (Out-Law) A series of messages posted on an internet bulletin board about how certain anti-malware software could be used did not invalidate a patent covering that technology, the High Court in London has ruled.
Feds to judge: We still think we can put GPS trackers on cars entering US (Ars Technica) Top HSI official makes assertion after judge already ruled against this legal position.
Amazon Fires Employee for Sharing Customer Emails (Wall Street Journal) Amazon.com said it has terminated an employee responsible for an incident in which a third-party seller on the tech giant’s website got access to email addresses of some Amazon customers.
Italy police ID suspect in 2013 NASA hack (AP News) Italian authorities say they have placed a 25-year-old Italian under investigation for allegedly hacking eight NASA web domains in 2013.