Cyber Attacks, Threats, and Vulnerabilities
Facebook Says Fewer Users Impacted by Recent Cyberattack than First Thought (Wall Street Journal) Facebook said fewer users than it initially thought were impacted by hackers in the largest-ever security breach at the social-media giant two weeks ago—and the company detailed for the first time the depth of personal information that was accessed.
Facebook says millions of users had phone numbers, search history and location data stolen in recent hack (Washington Post) An online attack that forced Facebook to log out 90 million users last month directly affected 29 million people on the social network, the company said Friday as it released new details about the scope of an incident that has regulators and law enforcement on high alert.
An Update on the Security Issue | Facebook Newsroom (Facebook Newsroom) We're sharing new details about the recent security issue.
Why Facebook's Breach Should Mean #DeleteFacebook But Won't (Forbes) The sad truth is that Facebook's network has become so ingrained in society across the world that we simply cannot function without it anymore and thus we'll look past the latest breach. What must change to make the Facebooks of the world more like the Googles?
The security community increasingly thinks a bombshell Bloomberg report on Chinese chip hacking could be bogus (Business Insider) A Bloomberg report from last week alleged that Chinese spies had been able to insert malicious chips into servers made by SuperMicro, an American company. All parties involved have denied the report, including, most recently, the secretary of the Department of Homeland Security, during a Senate hearing.
Yossi Appleboum Disagrees with How Bloomberg is Positioning His Research Against Supermicro (ServeTheHome) Today Bloomberg cited security researcher Yossi Appleboum, CEO of Sepio Systems, as supporting Supermicro hardware supply chain issues. We interviewed Mr. Appleboum, and he is angry with how Bloomberg is presenting his research, saying it impacts many more vendors and impacts networking equipment as well.
The tech giants, the US and the Chinese spy chips that never were… or were they? (the Guardian) A sensational Bloomberg story about a major hardware hack was swiftly denied. But the journalists aren’t backing down
Supply Chain Security 101: An Expert’s View (KrebsOnSecurity) Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency.
1 bn records compromised in Aadhaar breach since January: Gemalto (Hindu Business Line) In the first six months of 2018, almost one billion records were compromised in the Aadhaar breach incident, including name, address and other personally identifiable information, according to a new report.
'Five Eyes' Agencies Release Joint Report on Hacking Tools (SecurityWeek) Cybersecurity agencies in the US, UK, Canada, Australia and New Zealand release joint report on publicly available hacking tools
Largest Cyber Attack Against Iceland Driven by Complex Phishing Scheme (BleepingComputer) A brazen phishing campaign took Iceland by surprise last weekend, sending out malicious emails to thousands of individuals in an attempt to fool them into installing a powerful remote access tool.
Industry Reactions to Google+ Security Incident: Feedback Friday (SecurityWeek) Industry professionals comment on the recent Google+ security incident involving a bug that exposed personal information from 500,000 accounts.
Magecart Injects Skimmer Code in Customer Rating Widget (Security Boulevard) The groups of attackers who specialize in injecting payment card skimmer code called Magecart into online shops managed to compromise a third-party customer rating plugin called Shopper Approved.
Payment skimmers sneaking on to websites via third party code (Naked Security) Whatever Magecart is, it’s been blamed for several high-profile payment card breaches this summer.
GandCrab ransomware operators team up with crypter service (ZDNet) The hacking agreement could result in the ransomware strain becoming more difficult to spot and analyze in the future.
Proof-of-concept code published for Microsoft Edge remote code execution bug (ZDNet) The PoC can be hosted on any website and requires that users press the Enter key just once.
India’s online festive sales are a happy hunting ground for cybercriminals (Quartz India) Expert tips on how to avoid phishing.
Colorado Springs on front lines of cyber Cold War with Russia (Colorado Springs Gazette) The Russians have come, and Colorado Springs is a bit shaken after a Putin-directed military intelligence operation purloined data from a local non-profit. For decades, Colorado Springs was on the lookout
Pentagon Reveals Cyber Breach of Travel Records (SecurityWeek) The Pentagon said there has been a cyber breach of Defense Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel.
Pennsylvania voting systems at risk of cyber attack, says commission urging more security (themorningcall.com) A Pennsylvania commission is urging the state and counties to better protect voting systems from cyber attacks.
ICS Security Plagued with Basic, Avoidable Mistakes (Threatpost) A survey of ICS security posture found outdated firewalls, improper segmentation, password mistakes and more.
The Columbia Gas natural gas pipeline ruptures were process sensor-related and there is still little understanding (Control Global) The September 13, 2018 Columbia Gas Low-pressure Natural Gas Distribution System pipeline explosions killed one person, injured 28, and damaged 131 structures. This was not a malicious control system cyber event (though it could have been) but a tragic comedy of errors: lack of appropriate process sensor monitoring, lack of SCADA control, and lack of understanding of similar events that have already occurred.
Preliminary Report Pipeline: Over-pressure of a Columbia Gas of Massachusetts Low-pressure Natural Gas Distribution System (National Transportation Safety Board) The information in this report is preliminary and will be either supplemented or corrected during the course of the investigation.
ECP thwarts cyber-attack attempts at I-voting website for overseas Pakistanis (Pakistan Today) The website set up by the Election Commission of Pakistan (ECP) for I-voting by overseas Pakistanis sustained multiple cyber-attacks, reported a private media outlet. Voting for the by-election on 35 national...
Security Patches, Mitigations, and Software Updates
Microsoft patch for Jet Engine Database Zero-day Bug is ‘incomplete’, making Windows still vulnerable (Cyware) The Microsoft patch issued for the zero-day in its JET Database Engine may not be a complete fix for the remote code execution vulnerability. The vulnerability (CVE-2018-8423) is a memory corruption vulnerability and could allow remote code execution on a targeted computer.
The vulnerability quoted as a zero-day was discovered by Trend Micro’s Zero Day Initiative (ZDI). The company swiftly notified Microsoft about the vulnerability. However, Microsoft did not patch the vulnerability for at least 135 days after Trend Micro’s notification.
Juniper issues seven critical updates (SC Magazine) Juniper Networks released a long list of security updates including seven critical flaws, six of which affect all platforms running Junos OS.
Cyber Trends
Privacy advocates face negative stereotyping online (TechRadar) A stigma exists for those who seek privacy online
How to irregular cyber warfare (Errata Security) Somebody ( @thegrugq ) pointed me to this article on " Lessons on Irregular Cyber Warfare ", citing the masters like Sun Tzu, von Clausewitz...
10% would steal boss’s passwords, finds SailPoint (Business Computing World) Do you think about your digital identity? Many of us are at least somewhat in tune to our reputations – how we look, how we feel and what is happening in our social circles. However, the extension of ourselves in today’s digital world is not as material as the ways we often think of when we hear the word “identity.”
Who's Winning the Cybercrime Battle? (SecurityWeek) We all need to be aware of the need for innovative responses on the part of the security industry, to counter a threat industry which is innovating both technical and business models at a rapid pace.
The Issue of Generational Cyber-Risk: Millennials Versus Baby Boomers (Dynamic Business) How can we deal with the generational tech divide?
The Growing Issue Of Compromised Credentials (Forbes) Detecting and protecting against the use of compromised credentials should be a top priority for businesses.
PH banks build up defense vs cybercriminals (Business Inquirer) As the Philippines emerges as a hotbed of online gaming firms, it has also become an attractive target for international cybercriminals, challenging banks to invest in stronger firewall and IT risk management systems.
Are Blue Teamers the True Heroes? (Infosecurity Magazine) Is it time to recognize those tasked with defending and recovering from incidents?
Marketplace
Microsoft employees speak out against US government's JEDI Project (Computing) Like Google, Microsoft workers have concerns about how the Department of Defense will use technology
Look to Cyber Security ETFs to Capitalize on a Growing Digital Industry (ETF Trends) In the age of communications, an increasing number of professionals are growing concerned about potential digital threats, bolstering demand for cyber security. Investors can also capitalize on this growing industry through sector-specific ETF plays.
L3, Harris to merge in deal creating ’sixth prime’ defense giant (Washington Business Journal) Meet the sixth prime — L3 Harris Technologies.
Nucleus Cyber Acquires Security Sheriff (PRWeb) Nucleus Cyber, the AI-driven data security company for the intelligent workplace, acquired the Security Sheriff platform from Cyxtera Technologies and launched int
SAP, Symantec extend contracts with AWS (CRN Australia) Worth an estimated US$1 billion in revenue over five years.
Window Snyder Shares Her Plans for Intel Security (Dark Reading) The security leader, known for her role in securing Microsoft, Apple, and Mozilla, discusses her new gig and what she's working on now.
Even the bad guys have a talent problem: Sandra Joyce, FireEye’s vice president (The Economic Times) "You can expect every responsible nation state to be conducting espionage of some kind. That is a normal nation-state behaviour," Joyce said.
Thales and Gemalto Expect Merger Deal to Close in Q1 2019 (FindBiometrics) The leadership at Gemalto and Thales are adjusting their expectations with respect to their proposed merger, announcing that they now expect the deal to...
C6 Intelligence is now Acuris Risk Intelligence (Tech Observer) C6 Intelligence which deals in data intelligence for anti-money laundering, third-party risk and cybersecurity professionals has rebranded as Acuris Risk Intelligence.
Centrify CEO Tom Kemp to step down, IDaaS unit spun off (SC Media) Centrify has spun off its Identity-as-a-Service business, creating the standalone company Idaptive. The creation of Idaptive will help spur
Safaricom to launch a programme to support ethical hackers (Business Chief) Kenya's Safaricom to promote the ethical hacking of its software
Security Industry Association to Present Larry Folsom With Jay Hauhn Excellence in Partnerships Award (Security Industry Association) Folsom, president of I-View Now, will be honored at SIA Honors Night 2018 for his leadership in collaboration in the security industry.
Products, Services, and Solutions
Using Machine Learning to Find Human Social Engineering Risks (Credit Union Times) “We’ve integrated a deep learning neural network that evaluates risk changes over time within an organization.
enSilo and Arbala Systems Form Partnership Delivering Managed Detection and Response Services (PR Newswire) enSilo, the company protecting endpoints pre- and post-infection, stopping data breaches in real time and...
5 Best Anonymous Browsers for Private Web Browsing (Technotification) Do you want complete privacy while browsing the web? The following are the five best anonymous browsers for private web browsing.
F-Secure partners with NetAssist to provide solutions to Malaysian SMEs (CISO MAG) The company claims that the new partnership will address the cyber protection issues faced by SMEs across cloud, hybrid, and on-premise environments.
Technologies, Techniques, and Standards
How to Fight Russian Infowar in Central Europe (Defense One) Traditional counter-propaganda techniques are decreasingly effective. The next steps will require focus, engagement, and new thinking.
Meet The Internet Researchers Unmasking Russian Assassins (NPR.org) The group Bellingcat seeks to unmask covert operations, rogue groups and corruption around the globe. But can it keep its independence?
Here Is How Social Media Crime Fighters Find Fake Accounts (Popular Mechanics) FireEye helped Facebook identify fake accounts with subversive international agendas. Here’s how.
How to Check If Your Facebook Account Got Hacked—and How Badly (WIRED) On Friday, Facebook offered more details about its recent breach. Here's how to see if you were affected.
Purging Long-Forgotten Online Accounts: Worth the Trouble? (SecurityWeek) The internet is riddled with long-forgotten accounts on social media, dating apps and various shopping sites used once or twice. Sure, you should delete all those unused logins and passwords. And eat your vegetables. And go to the gym.
Seven Security Activities You Should Automate (SecurityWeek) Automation can bring value to just about any security team, but the amount of value will depend entirely on how well you match it to your most pressing needs, existing security infrastructure, and organizational procedures.
Securing legacy medical devices is daunting – but not optional (MobiHealthNews) Skipping out on comprehensive device documentation and risk assessment will cripple an organization's cybersecurity program, experts say.
Cops Told ‘Don’t Look’ at New iPhones to Avoid Face ID Lock-Out (Motherboard) After five failed attempts with the 'wrong' face, Apple's Face ID system will fall back to asking for a passcode; a tricky situation for investigators.
What is the Army’s integrated jamming and cyber pod capable of? (C4ISRNET) Leidos believes its solution exceeds the Army's expectations.
Scaling the IoT product security lifecycle with automation (Help Net Security) There are many security standards applicable to IoT products. Manufacturers are having a hard time understanding which standards apply to their products.
The future of OT security in modern industrial operations (Help Net Security) Both the likelihood and consequences of cyberattacks to OT/ICS components continue to grow for modern industrial operations.
Government puts IoT security at the forefront with new Code of Practice for industry (Computing) The IoT has gone unsecured for too long, say DCMS and NCSC
PSD2: The real RTS deadline is closer than banks think (Fintech Finance) Let’s work backwards. Most banks know that the final deadline to comply with PSD2’s Regulatory Technical Standard (RTS) is 14th September 2019. Eleven months away. Following the amendments to the R…
Design and Innovation
PAID POST: Can blockchain save the vote? (TechCrunch) Elections are a symbol of hope and freedom, and the right to vote is an expression of belonging and of having a voice. We trust our electoral systems to preserve an immutable record of the voices we have raised, and the choices we have made. Yet the concept of “one person, one vote” is […]
Research and Development
DARPA Says the Biggest Obstacle to Effective Artificial Intelligence Is Common Sense (Outer Places) If you went through public school in the last fifteen years, odds are that your math tests included a space for an answer and a follow-up question tha...
The Pentagon’s Push to Program Soldiers’ Brains (Defense One) DARPA’s developing capabilities still hover at or near a proof-of-concept stage. But that’s close enough to have drawn investment from some of the world’s richest corporations.
“Fixed mindsets” might be why we don’t understand statistics (Ars Technica) Study finds people prefer complicated methods because that's what they're used to.
Academia
Online cybersecurity training propels students into industry jobs (CIO Dive) More affordable for students, online training programs like Cybrary focus on real-world applications and can help workers expand their existing knowledge base or pivot careers entirely.
UVU promotes cybersecurity through 'Hacktober' event (Daily Herald) An October campaign is hoping to convince students to have “the talk” with their parents. No, not that one. The one about cybersecurity.
Legislation, Policy, and Regulation
GCC should join hands to fight cyber threats: experts (DT News) The Gulf Cooperation Council (GCC) nations should form a cyber-security alliance unit to tackle...
The challenge of providing a common defense in cyberspace (FCW) Government leaders should examine how the private sector addresses massive vulnerabilities and inherent instability through collaboration.
Italy resisting EU push to impose sanctions over cyberattacks (Reuters) Italy is resisting a European Union push to impose sanctions on states who carry...
Estonia joins other EU states pressing for cyber-attack sanctions listing (ERR) Several EU member states including Estonia have called on the EU to add cyber-attacks to its sanctions regime.
Is Crystallizing Red Lines in Cyber Space a Good Idea? (TechNative) Recently, the U.S. Senate's version of the 2019 National Defense Authorization Act (NDAA) was approved and sent back to the House for reconcilement of differences
U.S. and Macedonia Participate in Cyber Defense Cooperation (U.S. Cyber Command) U.S. service members, working alongside cyber defenders from the Republic of Macedonia, have been cooperating over the last few weeks to share best practices in cyber security and to build cyber
Apple to Australia: “This is no time to weaken encryption” (Ars Technica) Apple underscores that access for only good guys is "a false premise."
Cybercom: How DOD’s Newest Unified ‘Cocom’ Works (U.S. DEPARTMENT OF DEFENSE) Due to increasing cyber threats across the world, U.S. Cyber Command officially became a unified combatant command this past spring.
U.S. lawmakers urge Canada to snub China's Huawei in telecoms (Reuters) Two leading U.S. lawmakers, both sharp critics of China, urged Canadian Prime Mi...
It’s not just foreign state-owned telecom posing a threat (TheHill) Every device connected to the internet creates a potential pathway for foreign governments and other malevolent actors to compromise essential networks — particularly the electric power grid.
Support for ‘hack back’ grows after Trump’s pledge to get aggressive in cyberspace (Fifth Domain) Support for the idea that businesses should be able to retaliate against cyberattacks, or “hack back,” has recently come from former government officials, experts and lawmakers who say it could be an effective deterrent.
Analysis | The Cybersecurity 202: The U.S. needs a law that requires companies to disclose data breaches quickly, cybersecurity experts say (Washington Post) We asked The Network, a group of 100 cybersecurity experts who participate in our informal survey.
No One Can Get Cybersecurity Disclosure Just Right—Especially Lawmakers (WIRED) If Facebook and Google's recent security debacles proved anything, it's that disclosure is tricky business.
Amid Church Rift, Kremlin Vows To 'Protect Interests' Of Faithful In Ukraine (RadioFreeEurope/RadioLiberty) The Kremlin has issued a fresh warning following a key step in Kyiv's quest for an independent church that is recognized by the Orthodox Christian leadership, saying Russia will protect the interests of the faithful in Ukraine if the historic split leads to illegal action or violence.
Ukraine’s Spiritual Split From Russia Could Trigger a Global Schism (The Atlantic) For Moscow, the crisis is geopolitical as well as religious.
Litigation, Investigation, and Law Enforcement
Russian UK envoy denies Kremlin tried to hack computers and murder ex-spy (Reuters) Russia's ambassador to London denied on Friday that spies from his country...
Crown prince sought to lure Khashoggi back to Saudi Arabia and detain him, U.S. intercepts show (Washington Post) Some Western officials believe that what transpired at the consulate in Istanbul may have been a “rendition” gone bad, ending in the Post contributor’s death.
A Saudi Disappearance With Russian Echoes (Bloomberg) The death of a journalist shaped Putin’s rule. Will it do the same for Saudi Crown Prince Mohamed?
Trump, Saudis Escalate Threats (Wall Street Journal) The White House and Saudi Arabia traded sharp words over the suspected killing of a dissident Saudi journalist as the case tests the Trump administration efforts to make the kingdom the linchpin of its Middle East policy.
Middle East: “Khashoggi was not only about journalism” (Die Welt) The political scientist Asiem El Difraoui knew the missing Saudi Jamal Khashoggi. He offers his own conjectures about the case, because his acquaintance was not only a journalist.
Saudi Journalist’s Disappearance Sends Chill Through Foreign Investors, Firms (Wall Street Journal) Crown Prince Mohammed bin Salman’s plans to attract investors and transform his country’s economy face dire threats after the disappearance and alleged murder of a dissident writer at a Saudi consulate in Turkey.
The Russia Investigations: Unanswered Questions In The Eye Of The Storm (NPR) The president and his lawyers may be close to submitting a take-home exam of sorts to special counsel Robert Mueller, but so many other points about this imbroglio remain unresolved.
Robert Mueller Has Already Told You Everything You Need To Know (WIRED) With the exception of President Trump’s legal team, no one has been watching the Mueller investigation more closely than Garrett Graff.
Grassley pressures Google for details of user data breach (TheHill) The Chairman of the Senate Judiciary Committee is pressing Google to explain its data privacy practices in the wake of revelations that user data was hacked from its now defunct social media platform, Google Plus.
Google CEO Tells Senators That Censored Chinese Search Engine Could Provide “Broad Benefits” (The Intercept) Google CEO Sundar Pichai refused to answer a list of questions from a bipartisan group of six senators.
How An Amateur Rap Crew Stole Surveillance Tech That Tracks Almost Every American (Forbes) Both the Freebandz Gang and its crimes would have been quickly forgotten as garden variety larceny were it not for the way it stole people's identities.
FCC resorts to the usual malarkey defending itself against Mozilla lawsuit (TechCrunch) Mozilla filed a lawsuit in August alleging the FCC had unlawfully overturned 2015's net neutrality rules, by among other things "fundamentally mischaracteriz[ing] how internet access works." The FCC has filed its official response, and as you might expect it has doubled down on those fundamental mi…
Ex-NASA Contractor Pleads Guilty in Cyberstalking Scheme (SecurityWeek) A former NASA contractor who allegedly threatened to publish...