Atlanta: the latest from SecurityWeek's ICS Security Conference
ForeScout and Belden Form Strategic Alliance to Secure Industrial Environments (ForeScout) Companies execute on joint strategy to address IT/OT convergence by providing visibility and automated access controls to secure mission critical networks
ICS Networks Continue to be Soft Targets For Cyberattacks (Dark Reading) CyberX study shows that many industrial control system environments are riddled with vulnerabilities.
Cyber Attacks, Threats, and Vulnerabilities
Too Quiet? Security Official Wary of Russia’s Cyber-Silence Ahead of Midterms (RealClearLife) As voters across the country ready for the 2018 midterm elections, there has been little hint of a big Russian hacking campaign on election infrastructure.
The U.S. Government Will Use Pop-Up Messages to Dissuade Russian Election Meddling (Slate Magazine) A little well-targeted fearmongering might be sufficient to make employees of the Internet Research Agency think twice about their chosen profession.
U.S. Cyber Command Could Be Way More Aggressive in Deterring Russian Election Meddling (Slate Magazine) It’s time to crank up the volume.
Survey: Fears over election security will stop Americans from voting in midterms (TheHill) Nearly 1 in 5 Americans is unlikely to vote in the upcoming midterm elections, largely over worries of foreign interference, accordi
Google Blocks New Ad Fraud Scheme (SecurityWeek) Google says it recently blocked a new ad fraud scheme spread across a large number of applications and websites and monetizing with numerous ad platforms
Investigating Implausible Bloomberg Supermicro Stories (ServeTheHome) We thoroughly evaluate the claims made by Bloomberg in their Supermicro China tampering stories and found them likely impossible or implausible at best. We take stock of sources and discuss the next steps calling for formal SEC and shareholder investigations of Bloomberg.
DDoS-Capable IoT Botnet 'Chalubo' Rises (SecurityWeek) New malware named Chalubo is targeting IoT devices to ensnare them into a DDoS botnet
Exploit for New Windows Zero-Day Published on Twitter (SecurityWeek) A new zero-day vulnerability in Windows was made public on Twitter by the same researcher who published an exploit for a bug in the Windows Task Scheduler at the end of August
Malware Targeting Brazil Uses Legitimate Windows Components WMI and CertUtil as Part of its Routine (TrendLabs Security Intelligence Blog) We recently found a malware that abuses two legitimate Windows files — the command line utility wmic.exe and certutil.exe, a program that manages certificates for Windows — to download its payload onto the victim’s device.
AXA Cyber Attack Prompts Mexico Central Bank to Issue Security Alert (Insurance Journal) Mexico's central bank said on Tuesday it had raised the security alert level in its payment system after a non-banking financial user reported
Cathay Pacific Hit by Data Leak Affecting 9.4M Passengers (SecurityWeek) Hong Kong flag carrier Cathay Pacific said Wednesday it had suffered a major data leak affecting up to 9.4 million passengers
Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See (Motherboard) The Germany-based spyware startup Wolf Intelligence exposed its own data, including surveillance target’s information, passports scans of its founder and family, and recordings of meetings.
Smart cities: 'A cyber-attack could stop the country' (BBC News) As the internet of things takes off, is security being sacrificed in the quest for higher speeds?
'Cyber Pearl Harbor' Unlikely, But Critical Infrastructure Needs Major Upgrade (Forbes) No, vast swaths of the U.S. are not about to go dark and cold because of a "9/11"-style cyberattack. But the nation's critical infrastructure remains much more vulnerable than it should be, and needs to improve its security - a lot.
Twitter thought Elon Musk's bizarre tweets were evidence he'd been hacked (Graham Cluley) It’s an odd state of affairs when the bogus Elon Musk accounts offering bitcoin giveaways appear more legitimate than the real Elon’s tweets.
Security Patches, Mitigations, and Software Updates
WordPress takes aim at ancient versions of its software (Naked Security) If you’re running a very old version of WordPress on your website, the project’s staff would like a word with you.
Firefox 63 Blocks Tracking Cookies (SecurityWeek) Firefox 63 patches 14 vulnerabilities and brings a new cookie policy meant to prevent cross-site tracking
Monero’s Second Bulletproof Protocol Audit Gets All Vulnerabilities Patched Up (BitcoinExchangeGuide) Monero developers seem to be working hard to make the Bulletproof protocol really live up to its name. After the security research company QuarksLab audited the Bulletproof protocol and announced i…
Cyber Trends
Keynote at EnergyTech –control system cyber incidents continue to occur (Control Global) My list of actual control system cyber incidents continues to grow with almost 1,100 incidents with more than 1,000 deaths, and more than $60Billion in direct damage. Unfortunately, there is still very little control system cyber forensics or training for the control system engineers to identify these types of incidents.
Explosive IoT Growth Slowed By ‘Early Adopter Paradox’ (F-Secure) Adoption of the internet of things (IoT) continues to explode but it could be even more transformative, a new F-Secure survey finds.
Security Alert: Lack of Trust Comes with a High Price Tag for U.S. Bus (PRWeb) Almost half (44%) of US consumers have suffered the negative consequences of a security breach or hack, according to new research conducted on behalf of s
Eighty two percent of security professionals fear artificial intelligence attacks against their organization (Neustar) Neustar's International Cyber Benchmark Index™ reveals the top cybersecurity concerns
2018 Global DNS Threat Survey Report (EfficientIP) Discover the prominence and business impact of DNS attacks this past year, plus results from the Coleman Parkes global survey covering multiple sectors.
Endpoint cyberattacks cost organizations more than $7M on average (Clinical Innovation + Technology) As the frequency of cyberattacks increases, the cost to fix security risks is also on the rise. Successful endpoint cyberattacks cost organizations an average of $7.1 million, according to a report that analyzed the state of endpoint security.
More Jobs of the Future: A Guide to Getting and Staying Employed through 2029 (Cognizant) Last year, we proposed 21 jobs that will emerge in the next 10 years and be central to the future of work. This year, we present 21 more.
Marketplace
Ottawa companies turn to tech, training to fill cybersecurity talent gap (Ottawa Business Journal) Experts from Ottawa’s cybersecurity sector say a mix of both tech and talent is necessary to keep Canadians and businesses safe
Apple’s Tim Cook blasts Silicon Valley over privacy issues (Washington Post) He lamented an emerging “data industrial complex” — and eroding trust.
Analysis | The Cybersecurity 202: Tim Cook's sharp rebuke of 'data industrial complex' draws battle lines in privacy debate (Washington Post) Apple is positioning itself as the tech industry's privacy leader. That could pay off.
Twitter Sheds Users Again in Fake-Account Purge (Wall Street Journal) Twitter reported its first consecutive quarterly drop in users, losing more than it had expected and signaling further declines to come as it continues to purge fake accounts. Even so, Twitter said it boosted revenue and swung to a profit as it extracted more advertising revenue out of its existing users.
Google drops plans for Berlin campus (BBC News) The US firm had faced strong local opposition and will now give the space to charities.
Check Point Software to Acquire Dome9 to Transform Cloud Security (Globe Newswire) Acquisition will strengthen Check Point’s position as a global leader in Cloud Security
MIT Spinoff Blockchain Startup Algorand Raises $62M (BostInno) Hires LogMeIn, Fuze Execs
Synack Awarded US Department of Defense Crowdsourced Security Contract (PRWeb) Crowdsourced security is now considered a “best practice” for the US government to protect the nation’s assets and services, thanks in large part to
Department of Defense Awards HackerOne Third ‘Hack the Pentagon’ Crowdsourced Security Contract (BusinessWire) The U.S. Department of Defense (DoD) today announced that HackerOne, the leading hacker-powered security platform, has been awarded a third crowdsourc
Solers Awarded Army Responsive Strategic Sourcing for Service (RS3) IDIQ contract (Virginian-Pilot) Solers, Inc. announced that is has been awarded a prime contract on the Aberdeen Proving Ground (APG) Responsive Strategic Sourcing for Service (RS3)
Perspecta Wins $36 Million Contract with Naval Surface Warfare Center (PR Newswire) Perspecta Inc. (NYSE: PRSP), a leading U.S. government services provider, announced today that it received a...
CrowdStrike Added to the Department of Homeland Security’s Continuous Diagnostics and Mitigation Approved Products List (AP NEWS) CrowdStrike® Inc., the leader in cloud-delivered endpoint protection, today announced that its portfolio of cutting-edge solutions, part of the CrowdStrike Falcon® platform, has been approved to deliver critical cyber capabilities in support of the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation Program (CDM).
Raytheon Picks Cybraics & Authentic8 Tech in Push for Critical Infrastructure Cybersecurity (GovCon Wire) Raytheon (NYSE: RTN) has established partnerships with Cybraic
SIEM Leader Exabeam Celebrates Record EMEA Momentum (BusinessWire) Exabeam has announced strong EMEA growth led by significant customer wins, geographic expansion across the region and a rapidly increasing headcount.
Products, Services, and Solutions
Cylance keeps Property Brokers cyber-safe (Computerworld New Zealand) After fighting a losing battle against malware that culminated in a ransomware attack, New Zealand real estate organisation Property Brokers deployed Cylance's antivirus software and says it has successfully blocked all attacks.
Ntrepid Transitions Anonymizer VPN Accounts to InvinciBull (BusinessWire) Ntrepid Corporation announced today that it will be transitioning all Anonymizer.com consumer anonymity accounts to InvinciBull.
Department of Energy (DOE) Announces Funding Award for Dragos’ “Neighborhood Keeper” Program for Threat Detection and Shared Threat Intelligence Across Small Infrastructure Providers (Odessa American) Dragos, Inc, developers of the Dragos threat detection and response platform, announced today the DOE’s partnership on a cooperative agreement to research and develop a collaborative threat detection and shared intelligence program, Neighborhood Keeper.
Quantum Xchange Selects Zayo Group for Dark Fiber to Deploy First Quantum Network in the United States (BusinessWire) Quantum Xchange announces their agreement with Zayo Group for dark fiber to deploy the first Quantum Key Distribution (QKD) network in the U.S.
StackRox Delivers Kubernetes Security and Compliance for Mux (StackRox) Container Security Platform Enables Video Infrastructure Provider to Protect Microservices and Containers in Amazon Web Services and Google Cloud Platform
Combining Threat Detection with Artificial Intelligence, Logz.io Launches Security Analytics App for ELK Stack on its Continuous Operations Platform (GlobeNewswire News Room) Logz.io Security Analytics Combines Operations and Security into one Simple, Open Source Based Platform for Easier and Faster Mitigation
BAE Systems’ Epiphany automatically completes, stores sensitive forms (Jane's 360) Key Points
Epiphany could cut down on labour intensive compliance documentation work
BAE Systems repository will store all relevant project information
BAE Systems has developed a new information security and risk management framework (RMF) tool that searches an organisation’s historical
Palo Alto Networks Secures FedRAMP Milestone (PR Newswire) Palo Alto Networks® (NYSE: PANW), the global cybersecurity leader, today announced its WildFire® malware...
Know your enemy: Lockheed Martin touts ‘intelligence-driven’ cyber security (Military & Aerospace Electronics) In a bland office building 30 minutes from the Pentagon, a wall-mounted screen shows, in real time, every suspicious email and LinkedIn request sent to employees of Lockheed Martin, the world’s largest defense contractor
EclecticIQ strengthens threat intelligence for critical infrastructures with new integrations (PR Newswire) EclecticIQ, which empowers cyber defenses with threat intelligence, today announced the availability of new...
Netscout Launches Arbor Edge Defense for Enterprise DDoS Security (eWEEK) Netscout is aiming to help organizations block both inbound and outbound threats with its Arbor Edge Defense security system.
High-Tech Bridge to Leverage AI and Big Data to Map Application Security Risks and Threats (Global Banking and Finance) Web security company High-Tech Bridge, Winner of the SC Awards Europe 2018 Best Usage of Machine Learning / AI category, launches today ImmuniWeb Discovery AI to conduct the threat-aware risk…
American Express and Rambus Join Forces on Secure Global E-commerce Tokenization (Rambus) Rambus Inc. (NASDAQ: RMBS) and American Express Australia today announced a new collaboration to help merchants enrich and secure e-commerce and m-commerce transactions with tokenization.
Technologies, Techniques, and Standards
Global Study Reveals Increased SD-WAN Deployments, But Networking and Security Challenges Persist (Barracuda Networks) Research Indicates Improved Network Security, Connectivity, Flexibility, and Cost Savings with SD-WAN
Is AI Resilient Enough for Security? (SIGNAL) Machines need to be hard to fool and reliable under pressure.
3 Public Cloud Security Myths Debunked (SecurityWeek) Enterprises need to know that their data is going to be secure if they choose to embrace a cloud-based model, particularly a public cloud
3 Strategies for Successful Cybersecurity Programs (Government Technology) The 2018 Deloitte-NASCIO Cybersecurity Study found that while CISOs are gaining a real foothold in state government, there remain key areas where progress can still be made.
CA Veracode’s Latest State of Software Security Report Finds Organizations Implementing DevSecOps Address Flaws 11x Faster Than Others (GlobeNewswire News Room) First Veracode analysis of flaw persistence finds 1 in 4 flaws remain open more than a year after discovery
The Enduring Password Conundrum (SecurityWeek) Instead of relying solely on passwords, security professionals should consider implementing a Zero Trust approach to identity and access management based on the these best practices.
Examining Cybersecurity from a Risk-Management Viewpoint (InCyberDefense) When it comes to risk management for an organization, it can be used to leverage multiple solutions to bolster an organization’s security.
Are you Cyber Aware? How about your friends and family? (Naked Security) A Cyber Aware survey found 30% of Britons still have just one password for all their accounts – so let’s help that 30% change their lives!
Design and Innovation
Facebook says it removed 8.7M child exploitation posts with new machine learning tech (TechCrunch) Facebook announced today that it has removed 8.7 million pieces of content last quarter that violated its rules against child exploitation, thanks to new technology. The new AI and machine learning tech, which was developed and implemented over the past year by the company, removed 99 percent of th…
Why Duo Security’s dev team includes game designers and self-taught coders (Built In Austin) Duo Security has a unique approach to recruiting engineers. Instead of looking strictly for candidates with experience in cybersecurity, the company also seeks out those with complementary skill sets. This has opened the door for former video game designers, systems administrators and self-taught engineers to join Duo’s team.
Academia
Georgetown University Partners with Cybersecurity Company to Augment Graduate Programs (Telos) Telos Corporation Offers Real-world Cyber Experience through Workforce Events and Internships
Legislation, Policy, and Regulation
Shifting Patterns in Internet Reveal Adaptable and Innovative North Korean Ruling Elite (Recorded Future) Over the course of the past year and a half, Recorded Future has published a series of research pieces revealing unique insight into the behavior of North Korea's most senior leadership.
Calls grow for foreign powers law to limit Russian influence (Times) Parliamentarians, lobbyists and advisers with financial links to overseas powers should be forced to declare such arrangements in a public register, say proposals backed by MPs. Cross-party calls...
UK cyber intelligence chief urges west to engage with China (Financial Times) Ian Levy softens GCHQ tone after warnings about big telecoms and tech companies
The UK and the Netherlands to keep cyber security partnership alight (IT PRO) Further cooperation is expected between the UK and Holland within cyber security and digital industries
Eisenkot: Someday the IDF will be under one cyber command (The Jerusalem Post) Israel cyber chief: Until disaster happens, world will not have united cyber defense.
NSA official: new U.S. cyberwar policy isn't the 'Wild West' (FCW) Rob Joyce, former White House cyber coordinator, said the Trump administration's new cyber warfare policy is more 'thoughtful' than some might think.
Agency tech leaders want more force behind Nat'l Cybersecurity Strategy (Federal News Network) The White House recently released the first National Cybersecurity Strategy in 15 years. Now top tech leaders in the administration seek to put some force behind it.
DHS Preps Extra Cyber Support for States with Close Midterm Races (Nextgov.com) The tightness of an election is just one factor in where the Homeland Security Department will field its Election Day cybersecurity teams.
Litigation, Investigation, and Law Enforcement
This Week's Bomb Scares Are a Perfect Misinformation Storm (WIRED) News of apparent mail bombs targeting prominent Democrats and CNN give way to a deluge of false reports, partisan finger-pointing, and bad-faith conspiracy theories online.
Saudi crown prince calls Khashoggi murder ‘heinous crime,’ vows perpetrators will be brought to justice (Washington Post) In an appearance at an investment conference in Riyadh, Crown Prince Mohammed bin Salman acknowledged no responsibility for the journalist’s murder.
UK watchdog hands Facebook maximum £500K fine over Cambridge Analytica data breach (TechCrunch) The U.K. Information Commissioner’s Office (ICO) has confirmed that it has hit Facebook with a maximum £500,000 ($645,000) fine around the way it mishandled user data following the Cambridge Analytica scandal earlier this year. The ICO announced its intention to hand Facebook the fine back in July …
Google and Facebook accused of secretly tracking users’ locations (Naked Security) Google and Facebook have been hit separately by class action lawsuits accusing them of secretly tracking user locations.
How One Stubborn Banker Exposed a $200 Billion Russian Money-Laundering Scandal (Wall Street Journal) Billions in illicit funds flowed through accounts held at Danske Bank’s branch in tiny Estonia. One employee dug into the details and tried to alert his superiors at headquarters. The resulting scandal cut the bank’s value in half, cost the CEO his job and prompted a new round of soul-searching.
A convenient omission? Trump campaign adviser denied collusion to FBI source early on (TheHill) Just weeks after the FBI opened a dramatic counterintelligence probe into President Trump and Russia, one of his presidential campaign advisers emphatically told an undercover bureau source there was no election collusion occurring because such activity would be treasonous.
Trump has two ‘secure’ iPhones, but the Chinese are still listening (TechCrunch) President Trump has three iPhones — two of them are “secure” and his third is a regular personal device. But whenever the commander-in-chief takes a call, his adversaries are said to be listening. That’s according to a new report by The New York Times, which put a spotlight on the…
When Trump Phones Friends, the Chinese and the Russians Listen and Learn (New York Times) President Trump has been repeatedly told by aides that his cellphone calls are not secure from foreign spies. But he has refused to heed the warnings to stop talking.
Why does one California county sheriff have the highest rate of stingray use? (Ars Technica) San Bernardino County denies EFF's request to see 6 stingray warrant applications.
Former High School Teacher Pleads Guilty to “Celebgate” Hacking (US Department of Justice) A Richmond man pleaded guilty today to unauthorized access to a protected computer and aggravated identity theft.