Cyber Attacks, Threats, and Vulnerabilities
New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom (Bloomberg) The discovery shows that China continues to sabotage critical technology components bound for America.
U.S. Republican senator seeks briefings on reported China hacking... (Reuters) The top Republican on the Senate Commerce Committee has asked Apple Inc, Amazon....
The Cybersec World Is Debating Who to Believe in This Story About a Massive Hack (Motherboard) No one is really sure who to believe after Businessweek's bombshell story on an alleged Chinese supply chain attack against Apple, Amazon, and others.
Homeland Security Throws Apple and Amazon a Bone on Hacking Report (Barron's) The U.S. Department of Homeland Security says it has no reason not to believe Apple, Amazon, and other companies that have denied a Bloomberg Businessweek report that Chinese intelligence services inserted malicious computer chips into their equipment.
Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It? (KrebsOnSecurity) From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison.
Ukraine's state fiscal service disrupted by cyber attack (Reuters) A cyber attack has affected the internet services of Ukraine's state fiscal...
Latvia Says Russia Targets Its Foreign, Defense Bodies with Cyber Attack (VOA) Several Western countries issued coordinated denunciations of Russia last week for running what they described as a global hacking campaign.
‘Weaponisation’ of religious sentiment in Indonesia’s cyberspace (The Strategist) The announcement that prominent Indonesia Ulema Council chairman and cleric Ma’ruf Amin will be President Joko ‘Jokowi’ Widodo’s vice-presidential running mate for the 2019 election has stimulated fresh debate about the ‘Islamisation’ of Indonesian politics. ...
New Pentagon Weapons Systems Easily Hacked: Report (SecurityWeek) New US weapons systems being developed by the US Department of Defense can easily be hacked by adversaries, the U.S. Government Accountability Office said.
Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities (US Government Accountability Office) In recent cybersecurity tests of major weapon systems DOD is developing, testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected. DOD's weapons are more computerized and networked than ever before, so it's no surprise that there are more opportunities for attacks.
MY TAKE: Cyber attacks on industrial controls, operational technology have only just begun (Security Boulevard) “May you live in interesting times.” The old Chinese proverb–some consider it a blessing and others a curse–certainly describes the modern-day cyber landscape. Related: 7 attacks that put us at the brink of cyber war In today’s geopolitical terrain, nation-state backed cyber criminals are widening their targets and starting to zero in on their adversaries’
Magecart Group Targets Shopper Approved, Customers in Latest Attack (Threatpost) The breach also impacted hundreds of Shopper Approved's customers.
9 million Xiongmai cameras, DVRs wide open to attack (Help Net Security) SEC Consult researchers have found a handful of critical vulnerabilities in cameras, DVRs by Chinese manufacturer Hangzhou Xiongmai Technology.
Naming & Shaming Web Polluters: Xiongmai (KrebsOnSecurity) What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act?
Unpatched routers bad, doubly unpatched routers worse – much, much worse! (Naked Security) Two bugs can be four times the trouble! If you missed the last MikroTik router patch, you’re at risk, but if you’re *two* patches behind …
Tenable Research Advisory: Multiple Vulnerabilities Discovered in MikroTik's RouterOS (Tenable™) Tenable Research has discovered several vulnerabilities in RouterOS, an operating system used in MikroTik routers, the most critical of which would allow attackers to potentially gain full system a
Researchers KRACK Wi-Fi Again, More Efficiently This Time (SecurityWeek) Researchers have revealed more practical versions of Key Reinstallation Attack (KRACK), attacks that exploit security weaknesses in the Wi-Fi Protected Access II (WPA2) protocol.
Consumers say scammers swiped money from their Cash App accounts (FOX59) Chances are this app is on your phone and you use it often. We're talking about Cash App, a peer to peer money transfer system. But now customers are saying someone is swiping money out of their account. So we reached out to tech experts and talked to Cash App directly to find out how to keep your money safe.
Phishing Campaign uses Hijacked Emails to Deliver URSNIF by Replying to Ongoing Threads (TrendLabs Security Intelligence Blog) A spam campaign we observed in September indicates attackers are angling towards a more sophisticated form of phishing. The campaign uses hijacked email accounts to deliver URSNIF as part of or as a response to an existing email thread.
Don’t fall for the Facebook ‘2nd friend request’ hoax (Naked Security) Cloned accounts are a real thing, but this viral message isn’t. Don’t forward it!
Cyber security expert: 'reverse engineering' will tell you if your Facebook has been cloned (ABC 12) If you've been on your Facebook news feed lately, you probably have noticed some rather odd posts. Many people are posting that they've gotten either 'hacked' or 'cloned' and to not accept new friend requests.
Hook, Line and Sinker: After Phish Get Caught (SecurityWeek) Cyber defenders need to take action to make sure that their networks are secure against the consequences of phishing attacks regardless of user actions.
Credential-Phishing Attempts Highest on Tuesdays (Infosecurity Magazine) OneDrive, LinkedIn and Office 365 logins are the most popular phishing lures, says Menlo Security.
CEO Fraud: Barriers to Entry Falling, Security Firm Warns (BankInfo Security) Barriers to getting into the business email compromise - aka CEO fraud - game continue to fall, with security vendor Digital Shadows finding that compromised email
DDoS Attacks Targeted Final Fantasy XIV and Ubisoft on the Same Day (PlayStation LifeStyle) It appears that yesterday's DDoS attacks targeting Square Enix's Final Fantasy XIV and multiple Ubisoft games at the same time.
How hackers could disrupt Election Day — and how the bad guys could be stopped (Boston Globe) The US elections system is rife with technological weak spots, but election security experts have identified plenty of ways to fend off threats.
Voting Experts: Why the Heck Are People Still Voting Online? (Nextgov.com) At least 100,000 online ballots—including the votes of overseas military personnel—were cast in 2016.
Survey: Most Feds Could Steal Government Data If They Wanted To (Nextgov.com) But most have no desire.
Cyber Attack in Otsego County (CNYHOMEPAGE) County Website Remains Offline
BBC Reports Over 170 Devices Lost or Stolen (Infosecurity Magazine) Past two years saw devices costing over £100K go missing
South Korean Cryptocurrency Exchanges Have Lost $99 Million Over 3 Years (ICO Brothers Media) South Korean crypto exchanges have lost almost $100 million because of hackers' attacks over the last three years, and damages keep growing each year.
Security Patches, Mitigations, and Software Updates
Spectre and Meltdown Hardware Protection Added to Intel's 9th Gen CPUs (BleepingComputer) As part of Intel's Fall Desktop Launch event today, new 9th generation CPUs were announced that include hardware protection for two of the Spectre and Meltdown vulnerability variants.
October Patch Tuesday: Microsoft Repairs JET Database Engine Bug, Win32K EoP Zero-Day (TrendLabs Security Intelligence Blog) In the October Patch Tuesday edition, Microsoft fixes CVE-2018-8423 that Trend Micro’s Zero Day Initiative disclosed last September.
Microsoft Patches Windows Zero-Day Exploited by 'FruityArmor' Group (SecurityWeek) Microsoft patches nearly 50 vulnerabilities with its October 2018 Patch Tuesday updates, including a Windows zero-day exploited by the FruityArmor APT group
Windows 10 October 2018 Update no longer deletes your data (Ars Technica) Microsoft will help those affected attempt to recover their files.
VERT Threat Alert: October 2018 Patch Tuesday Analysis (The State of Security) Today’s VERT Alert addresses Microsoft’s October 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-800 on Wednesday, October 10th.
No Security Fixes in Patch Tuesday Updates for Flash Player (SecurityWeek) The Patch Tuesday updates released by Adobe for Flash Player include no security fixes. Vulnerabilities patched in Digital Editions, Framemaker, and Technical Communications Suite
Apple Patches Passcode Bypass in iOS (SecurityWeek) Apple has released patches for iOS devices to address a recently disclosed vulnerability that could result in the bypass of the lockscreen.
Who's watching your TV? Sony quietly killed three critical Bravia TV bugs (ZDNet) Owners of a Bravia smart TV should check it has the latest firmware updates, which patch three bad security flaws.
Cyber Trends
Data Breaches Compromised 4.5 Billion Records in First Half of 2018 (BusinessWire) Gemalto, the world leader in digital security, today released the latest findings of the Breach Level Index, a global database of public data breaches
The DMARC Challenge for Federal Agencies Report - October 2018 (Valimail) Federal BOD 18-01 DMARC Status Report: Analysis of SPF and DMARC records for 1,315 federal .gov domains as recorded in DNS as of 10/1/18.
Small Business Cybersecurity and Data Breach Risks | Insureon (insureon) Only 16% of small-business owners think they might face a cyber breach. Find out how damaging a breach can be and get small business cyber security tips.
IIS attacks surge from 2,000 to 1.7 million over last quarter (Help Net Security) IIS, Drupal, and Oracle WebLogic web technologies experienced increased attacks in Q2 2018. IIS attacks showed a massive increase.
China is ahead of Russia as 'biggest state sponsor of cyber-attacks on the West' (The Telegraph) China has become the biggest state sponsor of cyber-attacks on the West, primarily in its bid to steal commercial secrets, according to a report today by one of the world’s largest cybersecurity firms.
Growing intrusion trends: A perspective on today's most sophisticated cyberattacks (Help Net Security) According to a new CrowdStrike report, the technology, professional services, and hospitality sectors were targeted most often by cyber adversaries.
Privileged account practices are poor, and IT security teams know it (Help Net Security) One Identity released new global research that uncovers a widespread inability to implement basic best practices across identity and access management
Most consumers don't trust companies to keep personal information secure (Help Net Security) Consumers feeling uneasy about businesses sharing their personal data with other companies, according to original research from Oxford Economics.
Marketplace
Huawei, ZTE Charm Offensive Just Got Harder (Light Reading) A report from Bloomberg, alleging China infiltrated servers used by the US government, could spell further trouble for Huawei and ZTE.
Canadian government IT security boss on Huawei: 5G review isn’t over yet (IT World Canada) Reading one of Canada's biggest newspapers, you might get the impression our electronic spy agency doesn't see a need to forbid this
Huawei willing to work with government to allay Korea's 5G security fears (Totaltelecom) Korea's big three network operators are currently in the final stages of selecting their technology partners for their 5G rollout programmes
Splunk lays out its cybersecurity vision (CSO Online) At Splunk .Conf 2018, we learned how the company continues to expand its cybersecurity footprint, work with industry partners, and commit to customer success.
Intel's commitment to making its stuff secure is called into question (Register) Security is a process or at least an aspiration
The Murky Market for Zero-Day Bugs (Infosecurity Magazine) Danny Bradbury shines a light on the thriving online zero-day marketplace
7 best practices for working with cybersecurity startups (CSO Online) Security startups are often ahead of the technology curve and can provide more personalized service. Here's how to find the best of them and minimize risks.
Centrify Spins Out IDaaS into new Vendor Idaptive (Infosecurity Magazine) Centrify has spun out its Identity-as-a-Service (IDaaS) service into a new company, which it has named Idaptive
Fortnite Developer Epic Games Acquires Anti-Cheat Company Kamu (IGN) The Finnish company has already been providing its services to Epic for Fortnite.
Products, Services, and Solutions
KnowBe4 Brings Artificial Intelligence to Security Awareness Training (SecurityWeek) KnowBe4 has added a Virtual Risk Officer (VRO), a Virtual Risk Score (VRS), and Advanced Reporting (AR) features to its security awareness training and simulated phishing platform.
Healthwise enhances hybrid IT strategy with Pulse Secure vADC and Microsoft Azure (GlobeNewswire News Room) Reliability, performance and powerful scripting tools help leading non-profit organization deliver mission critical applications 24/7
Cymulate Announces Technology Integration with Tenable (BusinessWire) Cymulate, a provider of a leading Breach & Attack Simulation (BAS) platform which was recognized as a Gartner 2018 Cool Vendor, announced today th
Alert Logic Extends Security to Cover Any Container Across Multiple Platforms, Breaking Barriers to Visibility, Portability and Threat Detection (GlobeNewswire News Room) Industry’s Only Network IDS for Containers Adds Log Management and Expands Coverage Beyond AWS to Azure, On-Premises and Hosted Environments
Bro IDS is One of the Most Powerful Cybersecurity Tools You’ve Never Heard of (Bricata) Bro IDS is around 20 years old, but awareness of the technology doesn’t match its age.
Looking back at Google+ (TechCrunch) Google+ is shutting down at last. Google announced today it’s sunsetting its consumer-facing social network due to lack of user and developer adoption, low usage and engagement. Oh, and a data leak. It even revealed how poorly the network is performing, noting that 90 percent of Google+ user …
Bitdefender Announces Complete Endpoint Prevention, Detection and Response Platform Designed for all Organizations (Bitdefender) Company continues investment in innovation with industry-first, full-stack EPP/EDR platform, GravityZone
NETSCOUT Offers Free DDoS Protection to Election Officials (NETSCOUT) NETSCOUT SYSTEMS, INC., (NASDAQ: NTCT), a leading provider of service assurance, security, and business analytics, today announced it is making its Arbor Cloud DDoS prot
WhiteHat Security Introduces Dynamic Single-page Application Scanning for an Automated, Seamless Customer Experience (BusinessWire) WhiteHat Security, the leading application security provider committed to securing digital businesses, today announced a new feature for dynamic singl
ZeroFOX introduces new social media and digital protection managed services platform (Help Net Security) ZeroFOX OnWatch managed service provides social and digital risk protection by experts who help to ensure brands’ reputation and integrity.
Pixel 3 launch: Google unveils new smartphone and Home Hub smart screen (The Telegraph) Google has launched two phones that answer calls on behalf of the owner in tricky situations, as it continues its mission of placing powerful artificial intelligence in the pockets of consumers around the world.
Symantec expands cloud security portfolio to secure cloud applications and infrastructure (Help Net Security) Symantec's integrated approach to cloud security, compliance and management delivers visibility and control to IaaS, PaaS and SaaS applications.
Is it Safe to Send Crypto via Email? New Payment Platform Promises ‘Complete Security’ (Cointelegraph) A startup helps cryptocurrency owners protect digital assets from being stolen and lost. Security is provided by decentralizing private key shards.
Don't hope just to keep watch against hacking (Tech Wire Asia) The sad fact about hacking and cyberattacks, in general, is that it's a case of when it happens to you, not if. While the mainstream press seems to be full of high-profile cyber security breaches and massive data losses, there are innumerable successful hacks into businesses and organizations of all sizes – from
Iron Bow to Launch Cloud-Ready Product for Interactive Video Communication and Patient Monitoring Using Vidyo (BusinessWire) Iron Bow Technologies, an information technology solutions provider and global managed services provider to healthcare, government and commercial mark
Bitdefender Announces Complete Endpoint Prevention, Detection and Response Platform Designed for All Organizations (PR Newswire) Bitdefender, a global cybersecurity company protecting over 500 million systems ...
Technologies, Techniques, and Standards
Mastercard, WorldPay and Amex among the payment processors in first-ever 'cyber war game' (Computing) Payment processors tighten collaboration to fight rising IT security threats
Teach Your AI Well: A Potential New Bottleneck for Cybersecurity (Dark Reading) Artificial intelligence (AI) holds the promise of easing the skills shortage in cybersecurity, but implementing AI may result in a talent gap of its own for the industry.
The government is rolling out 2-factor authentication for federal agency dot-gov domains (Washington Post) Government officials managing dot-gov websites will soon have to use the Google Authenticator app on their smartphones for two-factor verification.
Lessons learned from the Facebook security breach (SearchCIO) With attacks like the Facebook security breach becoming more commonplace and sophisticated, experts sound off on what organizations can do to secure critical data.
FDA Partners with Sensato-ISAO and H-ISAC to Create Open Source Cybersecurity Intelligence Network and Resource (Benzinga) FDA, Sensato and H-ISAC created the network to ensure that essential medical device and healthcare cybersecurity vulnerability information can be shared with all stakeholders...
Army may incorporate more civilians into its cyber teams (Federal News Network) Only 20 percent of the Army's cyber teams are made up of civilians. The Army is analyzing whether that's the right ratio in an environment where every uniformed servicemember is expected to be able to deploy to combat.
Are wireless voting machines vulnerable? Florida, other states say they’re safe enough (McClatchy DC) Several states insist on using wireless voting machines to transmit election results. But watchdog groups and technologists warn that they can be hacked and cause ‘havoc’ in midterm vote.
Design and Innovation
Instagram now uses machine learning to detect bullying within photos (TechCrunch) Instagram and its users do benefit from the app’s ownership by Facebook, which invests tons in new artificial intelligence technologies. Now that AI could help keep Instagram more tolerable for humans. Today Instagram announced a new set of anti-cyberbullying features. Most importantly, it c…
Rethinking the concept of trust (Fifth Domain) How best to protect the government’s critical data.
Better Customer Experience is More Than a "Nice to Have" for Security (SecurityWeek) Improved security leads to improved customer experience – and improved customer experience leads to improved security.
Academia
Professor of cyber appointed at Cranfield (Cranfield University) The role will strengthen the relationship between Atkins and Cranfield University, to support advances in through-life cyber security.
CIS students prepare for Cybersecurity competition (CSU-Pueblo Today) The "CyberWolves," Colorado State University-Pueblo’s National Cyber League Cybersecurity team, nationally ranked No. 9 in the U.S. out of over 265 university teams, will begin preparing for
Legislation, Policy, and Regulation
How Russian hybrid warfare changed the Pentagon’s perspective (Fifth Domain) As the Russians blitzed the Crimean region of Ukraine with cyberattacks, electromagnetic jamming and unmanned aerial systems, the U.S. military closely observed the battle tactics and recognized its need to transform.
Network defense is an always-on kind of warfare (Fifth Domain) Adversaries are constantly probing networks trying to exploit vulnerabilities.
The Tech Implications of the White House's New Cybersecurity Strategy (Technology Solutions That Drive Government) The new policy plan emphasizes investing in both technology and workforce development.
From Inside The NSA, A Call For More Whistleblowers (NPR.org) The National Security Agency has a reputation as the nation's most secretive intelligence agency. But a new inspector general arrived this year and is calling for a "robust whistleblower program."
Litigation, Investigation, and Law Enforcement
Salisbury spy Alexander Mishkin unmasked by proud gran’s picture of Putin handshake (Times) A grandmother’s pride and a love of expensive cars helped to uncover the true identity of the second alleged Salisbury poisoner, it was revealed yesterday. Alexander Mishkin was identified this...
Can the FCC Really Block California's Net Neutrality Law? (WIRED) A lawsuit raises novel questions about the relationship between the federal government and the states.
Google appeals €4.3 billion EU fine over Android (CRN Australia) European regulators found Android breached EU antitrust rules.
Romanian national accused of being leader of an international cyber fraud ring that used malware to steal $4 million after taking people’s passwords, personal and bank information (US Department of Justice) A Romanian national was returned to the United States Friday to face federal charges that accuse him of being the leader of an international cyber fraud ring that used malware to steal in excess of $4 million after taking people’s passwords, personal identifying information, and bank account information.
Convicted leaker Reality Winner moved from Lincoln County jail (The Augusta Chronicle) The former National Security Agency contractor sentenced to 63 months in prison has been moved to several different prison sites since her August...
Ngapuhi mum loses daughter to cyber-bullying (Māori Television) A Northland mother of a cyber-bullying victim is speaking out following the sudden death of her 15-year-old daughter.