Cyber Attacks, Threats, and Vulnerabilities
Hackers accused of ties to Russia hit three East European... (Reuters) Hackers have infected three energy and transport companies in Ukraine and Poland...
DoD knows future terror groups will seek to copy ISIS, turn social media into a weapon (Military Times) ISIS' use of social media will likely be replicated by a future network.
ISIS threatens more attacks 'in cyberspace and the real world' in chilling warning to the West (The Sun) A SINISTER poster purporting to come from ISIS has threatened cyber attacks against the West. The chilling caption on the image, which has been circulating online, reads: “We will terrorise you in …
Ministry of Defence information exposed to nation state attackers in 37 incidents (Computing) Sensitive information was left exposed to physical and cyber attackers in 2017,
UK's National Cyber Security Centre gives itself big ol' pat on the back in annual review (Register) Nixing 139k phishing sites is pretty good going to be fair
Cyber defense expert reverse engineers “The Big Hack” and says I would have done it that way, in fact he even suggested it in 2010 (VT News) After Bloomberg reported ‘The Big Hack,’ denials from the tech industry and government officials were swift and most reporting focused on these contradictions. However, cyber defense expert Matthew Hicks’ reaction was a little more like deja vu. Over 8 years ago he suggested something almost identical in his dissertation.
DHS Downplays Report That Data Thieves Are Selling Millions of Voters’ Data (Defense One) But your personal data from voting rolls is more public than you likely realize.
DHS cyber head pushes back on report of increased attacks on election infrastructure (TheHill) The Department of Homeland Security’s (DHS) top cyber official said Tuesday that a report on an increased number of cyberattacks on election infrastructure points to a rise in reporting the attempted hacks and not necessarily a spike in the attack
Fear of Russian Meddling Hangs Over Next Year's EU Elections (Bloomberg) EU pushes for measures on cybersecurity, combating fake news
Russia-Linked Hackers Target Diplomatic Entities in Central Asia (SecurityWeek) A Russia-linked threat group tracked as DustSquad and Nomadic Octopus has been targeting diplomatic entities in Central Asia
Planning for ‘Cyber Fallout’ After the Iranian Nuclear Deal (Just Security) Post-nuclear deal Iran presents a unique cyber threat that requires understanding not only of technical capabilities but also cultural context. We need both to build an effective cyber strategy that will ‘defend forward' -- By Jessica 'Zhanna' Malekos Smith
FDA Warns of Flaws in Medtronic Programmers (SecurityWeek) A vulnerability in the software update process of certain Medtronic Programmer models has determined the company to block the functionality on some devices
New iPhone Passcode Bypass Method Found Days After Patch (SecurityWeek) A new iPhone passcode bypass method that works on the latest version of iOS was disclosed just days after Apple patched a similar vulnerability
Hackers tamper with exploit chain to drop Agent Tesla, circumvent antivirus solutions (ZDNet) A new campaign is spreading information-stealing malware including Agent Tesla and Loki.
Malicious RTF Documents Deliver Information Stealers (SecurityWeek) A newly discovered infection campaign is leveraging malicious RTF files to deliver information-stealing Trojans without being detected
In County Crippled by Hurricane, Water Utility Targeted in Ransomware Attack (Threatpost) The Emotet Trojan is behind a crippling ransomware attack that hit the Onslow Water and Sewer Authority.
Feds Investigate After Hackers Attack Water Utility (SecurityWeek) Federal and state officials are working with Onslow Water and Sewer Authority after hackers attacked some of its computer systems.
Researchers expose security vulnerabilities in terahertz data links (Help Net Security) Researchers have successfully challenged terahertz data links security. It is possible for an eavesdropper to intercept a signal without detection.
Facebook data breach: Victims will not be offered free identity theft protection (Help Net Security) Facebook announced that the recent data breach it has suffered is a little less massive than initially thought: "only" 30 million users have been affected.
Facebook hack affected 3 million in Europe, creating the first big test for privacy regulation there (CNBC) A spokesperson for the Irish Data Protection Commission told CNBC on Tuesday that the Facebook security breach in September, in which hackers accessed information from user accounts, affected 3 million European citizens.
Apple ‘Deeply Apologetic’ Over Account Hacks in China (WSJ) Apple apologized over the hacking of some Chinese accounts in phishing scams, almost a week after it emerged that stolen Apple IDs had been used to swipe customer funds.
Outage pulls the plug on YouTube, YouTube TV and YouTube Music (Engadget) It's not just you -- YouTube has been down since about 9:20 PM ET.
Text Bomb Causing PS4 to Crash (HackRead) Sony’s most prestigious gaming console till date PlayStation 4 or PS4 contains a bug that exploits and crashes the console through a text message. It is believed that malicious threat actors are sending infected messages to the console to crash it.
No, your Twitter was not hacked (TechCrunch) Twitter users on iOS were hit with a strange bug today. Instead of receiving notifications that included the tweet itself, they received a string of alphanumeric characters. The issue only affected iOS users, we confirmed with the company, and has since been resolved. Twitter was quick to address t…
Twitter Is Spamming Users With Unexplained Notifications And Everyone Is Losing Their Minds (Motherboard) Twitter is sending out strange notifications to users, and no one knows what's going on.
Security Patches, Mitigations, and Software Updates
Guidance on Oracle October 2018 Critical Patch Update (Waratek) The final Oracle Critical Patch Update (CPU) of 2018 fixes 12 Java SE-related vulnerabilities and a dozen new WebLogic flaws, part of the 301 patches across Oracle’s product set.
Major Browsers to Kill TLS 1.0, 1.1 (SecurityWeek) All major web browsers will deprecate support for the older Transport Layer Security (TLS) 1.0 and 1.1 protocols in the first half of 2020
Cisco says WebEx is totally fixed now (except for two problems) (CRN Australia) Outage and subsequent wobbles lasted 20 days.
Sony Fixed a Bug That Allowed Players to Crash PlayStations by Sending Them Messages (Motherboard) The PlayStation unicode glitch is a new spin on an old prank.
Cyber Trends
(ISC)2 Report Finds Cybersecurity Workforce Gap Has Increased to More Than 2.9 Million Globally (PR Newswire) (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today announced...
Exploring the current state of employee knowledge in cybersecurity and data privacy (Help Net Security) In an age where our society is increasingly digitally connected, cybersecurity and data privacy are significant, real-time threats.
Tech Support Victims Fall as Consumers Get Savvy (Infosecurity Magazine) Microsoft stats also reveal fall in number losing money
6 Reasons Why Employees Violate Security Policies (Dark Reading) Get into their heads to find out why they're flouting your corporate cybersecurity rules.
Execs Fear Orgs Unprepared for Incident Response (Infosecurity Magazine) Lack of practicing cyber war games leaves employees at a loss when it comes to incident response, says Deloitte.
Marketplace
Cybersecurity Salaries Rise 6% in One Year (Infosecurity Magazine) Wage rise is double the national average
Jack Dorsey on Twitter's Role in Free Speech and Filter Bubbles (WIRED) The Twitter CEO talks with WIRED Editor-in-Chief Nicholas Thompson about how the social media service is different today than 12 years ago.
Facebook Expands Efforts to Squash Voter Suppression (Threatpost) The social network will crack down on those spreading disinformation in an effort to keep people away from the polls.
Facebook rolls out checks for UK political ads (TechCrunch) Facebook has announced it rolled out a system of checks on political ads run on its platform in the UK which requires advertisers to verify their identity and location to try to make it harder for foreign actors to meddle in domestic elections and referenda. This follows similar rollouts of politic…
Facebook News Feed now downranks sites with stolen content (TechCrunch) Facebook is demoting trashy news publishers and other websites that illicitly scrape and republish content from other sources with little or no modification. Today it exclusively told TechCrunch that it will show links less prominently in the News Feed if they have a combination of this new signal …
Rapid7 Acquires tCell (Dark Reading) The purchase brings together a cloud security platform with a web application firewall.
ZenMate Acquired by Kape Technologies (PR Newswire) ZenMate (www.zenmate.com), the leading VPN service provider owned by the internet security company ZenGuard...
UK Cybersecurity Startup Garrison Secures £23 Million Funding (Computer Business Review) The Garrison funding will be used to expand sales and marketing, grow engineering team, and enhance “safe web browsing as a service” cloud offering.
Exertis rebrands acquired US firm in the UK and Europe (CRN) Stampede becomes Exertis Pro AV Solutions
CensorNet guns for UK growth with move to two-tier channel (CRN) Security vendor appoints Infinigate as part of strategy to grow channel business.
Products, Services, and Solutions
Webroot Enters VPN Space, Launches Webroot® WiFi Security (PRNewswire) Webroot, the Smarter Cybersecurity® company, announced the launch of Webroot WiFi Security, a virtual private network (VPN) that provides security and privacy for users who connect to WiFi networks.
Why Should You Trust VyprVPN? (Golden Frog) The Center for Democracy and Technology (CDT) created an independent vetting process & standards to hold VPN companies to. Read more about VyprVPN and why you can find our service trustworthy.
How one company's software solution has stepped up the game against end node threats (Armarius) Armarius believes that understanding and controlling user behavior makes security compliance truly achievable. If you know how your employees use their computers, and they are locked down based on defined rules, then their adherence to their companies polices can be ensured.
Ayehu Announces Free 30-day Trial Availability of its Newly Enhanced Next Generation Intelligent IT Automation and Orchestration Platform (GlobeNewswire News Room) The Free Trial Version Featuring an Enhanced Workflow Designer and AI-Powered Automation Engine is Now Available for Download from the Ayehu Website
Tripwire Enterprise Now Fully Integrates Lastline Advanced Malware Threat Detection (Digital Journal) solutions for enterprises and industrial organizations, announced with
RiskRecon invents asset risk valuation algorithms (Help Net Security) New algorithms solve the cyber risk equation by automatically determining the risk value of computer systems, enabling cyber risk assessment and action.
Telit introduces new smaller IoT form factor module family (Help Net Security) Telit's xE310 form factor family meets the demand for wearable medical devices, fitness trackers, sensors, smart metering, and other applications.
Bacula Systems Introduces Native Backup and Recovery for Red Hat Virtualization (Digital Journal) Open Source-based Bacula Enterprise Edition version 10.2 adds advanced-functionality to Backup and Restore for Red Hat Virtualization
New IBM Security Platform Connects Data, Tools From Several Vendors (SecurityWeek) IBM Security Connect is a new cloud platform that brings together data, applications and tools from over a dozen vendors
It turns out that Facebook could in fact use data collected from its Portal in-home video device to target you with ads (Recode) Who you call and what apps you use could determine what ads you see.
Facebook may not be free, but paying with your data isn’t wrong (The Telegraph) If the data-slurping business models of Facebook and Google make you a little uneasy, then you should probably steer clear of Shiru Cafe.
Akamai Bolsters Intelligent Edge Platform With Focus on Security, Latency (Sports Video Group) After disclosing some new features with Sports Video Group at last month’s IBC 2018, Akamai followed up last week with more details on enhancements ...
Duo Security and Exabeam Partner to Expedite User-Based Threat Detection and Response (Duo Security) Duo Security and Exabeam have partnered to enhance and accelerate organizations’ threat protection with data-rich automated monitoring and incident response.
DataLocker Sentry K300 features encrypted micro SSD keypad flash drive (Help Net Security) DataLocker Sentry K300 is the next generation of DataLocker’s encrypted storage solutions that uses alpha-numeric keypads for secure access to data.
BestCrypt Explorer: Create and access storage space for data encryption on Android (Help Net Security) BestCrypt Explorer is an Android file manager that ensures a safer file storage ecosystem for customers on computers, mobile devices and cloud.
Zyxel launches SD-WAN solution for SMBs and MSPs (Help Net Security) Zyxel launches SD-WAN solution giving enterprise-class network performance, stability, security to SMBs and Managed Service Providers.
ISARA Corp. Introduces Catalyst™ Agile Digital Certificate Technology to Ease Transition to Quantum-Safe Future (BusinessWire) ISARA Corp., the world’s leading provider of agile quantum-safe security solutions, today announced the launch of ISARA Catalyst™ Agile Digital Certif
Nebbex™, a revolutionary new semi-decentralised vault, aims at solving the problem of asset losses from hacking which is af... (ADVFN) Nebbex™, a revolutionary new semi-decentralised vault, aims at solving the problem of asset losses from hacking which is af...
Technologies, Techniques, and Standards
An Army Veteran Wages War on Social-Media Disinformation (Wall Street Journal) Kris Goldsmith has become the cybersleuth for the Vietnam Veterans of America, hunting fake Facebook pages that sow discord and often have roots overseas.
Signals of Trustworthy VPNs – Questions for VPN Services (Center for Democracy & Technology) A list of questions that a trustworthy VPN service should be able to answer honestly, clearly, and thoroughly, signaling the provider’s commitment to earning user trust. The goal of these questions is to improve transparency among VPN services and to provide a way for users to easily compare privacy, security, and data use practices.
UK Launches “World First” IoT Code of Practice (Infosecurity Magazine) Experts caution it doesn’t go far enough
How To Use an Offensive Approach to Improve Enterprise Security (eSecurity Planet) Find out how the CISO of an infamously breached website uses an Offensive Risk Management approach to improve the security of his organization.
Legacy government networks stifle cloud migration (Help Net Security) Most government agencies’ legacy network infrastructures are not prepared to keep pace with the changing demands of cloud and hybrid networks.
You are who you say you are: Establishing digital trust with the blockchain (Help Net Security) While blockchain-based identity can disrupt the way users identify themselves, it will not replace all existing enterprise identity management systems.
Spies Among Us: Tracking, IoT & the Truly Inside Threat (Dark Reading) In today's ultra-connected world, it's important for users to understand how to safeguard security while browsing the web and using electronic devices.
Why we need to bridge the gap between IT operations and IT security (Help Net Security) Nearly two out of three say complexity in deployment and complexity in daily use are the biggest hindrances in security tool effectiveness.
Protecting applications from malicious scripts (Help Net Security) The solution to preventing these kinds of attacks is to avoid giving client applications, such as web browsers, bad code to run in the first place.
How corporate boards are navigating cybersecurity risks and data privacy (Help Net Security) Developing a strategic path for an organization's digital transformation and devoting board oversight to cybersecurity and data privacy are now essential.
Few organizations use cyber wargaming to practice response plan (Help Net Security) Nearly half (46 percent) of executive-level respondents to a Deloitte poll say their organizations have experienced a cybersecurity incident over the past
Design and Innovation
Facebook’s former security chief warns of tech’s ‘negative impacts’ — and has a plan to help solve them (Washington Post) Facebook's former security chief plans to launch an institute at Stanford University to help technology companies and the public work together to solve the negative effects technology can have on society.
Collection Strategies: The Key Differentiator Among Threat Intelligence Vendors (SecurityWeek) Evaluating a threat intelligence vendor’s collection strategy effectively is a complex process that requires far more than simply obtaining the answers to the questions outlined above.
Google Tests of a Censored Chinese Search Engine Went Well (WIRED) At WIRED's 25th anniversary festival, Google CEO Sundar Pichai said the company would be able to serve more than 99 percent of queries.
Startup Puts Quantum Security on USB, Dongles (Semiconductor Engineering) Taking quantum-mechanical principles and dragging them kicking and screaming into the real world.
Is this the simple solution to password re-use? (Naked Security) Researchers concluded that passphrase requirements such as a 15-character minimum length deter the majority of users from reusing them on other sites.
Research and Development
Pentagon Criticized for ‘Spray and Pray’ Approach to Innovation (Foreign Policy) A prominent tech leader says the Defense Department’s investment strategy hampers its ability to compete with China on military innovation.
Legislation, Policy, and Regulation
EU-U.S. Cyber Dialogue Joint Elements Statement (U.S. Department of State) On the occasion of the fifth meeting of the EU-U.S. Cyber Dialogue in Brussels on 10 September 2018, the European Union (EU) and United States reaffirmed their strong partnership in favour of a global, open, stable and secure cyberspace where the rule of law fully applies, where the same rights that individuals have offline are protected online, and where the security, economic growth, prosperity, and integrity of free and democratic societies is promoted and preserved.
Russia’s Strategy, ISIS’ Future & Countering China: CJCS Dunford Speaks (Breaking Defense) Gen. Joe Dunford, Chairman of the Joint Chiefs Staff, spoke last week with a small group of traveling reporters after attending a conference of NATO Military Chiefs in Warsaw...
After 2012 hack, Saudi Arabia relied on US contractors (Fifth Domain) The extent of Saudi Arabia’s reliance on western cybersecurity contractors appears to be extensive.
SEC Calls for Better Accounting Controls as Cyber Scams Increase (WSJ) Public companies that are easy targets of cyber scams could be in violation of accounting rules that call for firms to safeguard assets, the Securities and Exchange Commission said.
Privacy Regulation Could Be a Test for States’ Rights (Threatpost) As more states take cybersecurity and privacy issues into their own hands, experts worry that big tech will push for preemption.
Status of Implementation of PPD-28: Response to the PCLOB’s Report, October 2018 (IC on the Record) Today, ODNI is releasing the report “Status of Implementation of PPD-28: Response to the PCLOB’s Report, October 2018” prepared by ODNI’s Office of Civil Liberties, Privacy, and Transparency (CLPT) in consultation with other relevant ODNI components and relevant elements of the Intelligence Community (IC). This report outlines the status of the IC’s implementation of Presidential Policy Directive-28, Signals Intelligence (PPD-28), and responds to the report on PPD-28 by the Privacy and Civil Liberties Oversight Board (PCLOB). Today, the PCLOB released its report, in redacted form, and it was posted on PCLOB’s public website...
Litigation, Investigation, and Law Enforcement
Mueller Ready to Deliver Key Findings in His Trump Probe, Sources Say (Bloomberg) Rosenstein is pressing Mueller to wrap it up, official says
House Russia-probe witness invokes Fifth Amendment as Trump urges firing of DOJ official connected to dossier (Washington Post) The president appeared to be urging the attorney general to fire Bruce Ohr, on a day when Fusion GPS co-founder Glenn Simpson’s attorney and Trump’s GOP allies jousted on Capitol Hill.
Colorado’s “Strong Arm” law firm sues Facebook, seeks compensation in latest hack attack (The Denver Post) A Colorado law firm that advertises as ‘The Strong Arm’ is looking to wrestle Facebook in court over the latest breach of users’ personal information.
Advertisers Allege Facebook Failed to Disclose Key Metric Error for More Than a Year (Wall Street Journal) Facebook knew of problems with how it measured viewership of video ads for more than a year before it disclosed them in 2016, according to a complaint filed Tuesday by some advertisers.
Judge denies Qualcomm, FTC request for more time to reach a settlement in antitrust lawsuit (San Diego Union Tribune) Both sides request a delay in a key ruling to explore a deal, but a federal judge in San Jose denies the request.
Why the class action against Google for misuse of personal internet data was rejected by the Court (Computing) Rory Lynch, a solicitor in the media team at law firm Seddons, discusses a recent English High Court decision to stop a class action lawsuit brought against Google,
Google to charge a licensing fee for Android apps in Europe (Computing) Google responds to anti-trust fine over bundling of apps with Android by levying licence fee for apps in the EEA,
Will the Saudis’ Khashoggi Confession Get Them Off the Hook? (Foreign Policy) By claiming they were only trying to abduct the journalist, they’re hoping to draw a moral equivalence with U.S. renditions.
Judge rules against voting security advocates in Tennessee (AP NEWS) A federal judge declined Tuesday to order election officials in Tennessee's largest county to perform rigorous safeguards to its voting systems ahead of early voting for the November elections. U.S. District Judge Thomas Parker denied a request for an order requiring that the Shelby County Election Commission ask the U.S. Department of Homeland Security to perform risk and vulnerability assessments on electronic voting systems.
21-year-old who created powerful RAT software sentenced to 30 months (Ars Technica) DOJ says Colton Grubbs "has no respect for the law."
Iran says it killed 'mastermind' behind military parade attack (TheHill) Iran's Revolutionary Guard said Tuesday that it had killed Abu Zaha, the alleged "mastermind" behind an attack on a military parade last month.