Cyber Attacks, Threats, and Vulnerabilities
New data shows China has “taken the gloves off” in hacking attacks on US (Ars Technica) The new normal: More sophisticated attackers, more destructive attacks.
New Stuxnet Variant Allegedly Struck Iran (BleepingComputer) A malware similar in nature to Stuxnet but more aggressive and sophisticated allegedly hit the infrastructure and strategic networks in Iran.
TV report: Israel silent as Iran hit by computer virus more violent than Stuxnet (Times of Israel) Tehran strategic networks attacked, Hadashot TV says, hours after Israel revealed it tipped off Denmark about Iran murder plot, and days after Rouhani's phone was found bugged
The CIA's communications suffered a catastrophic compromise. It started in Iran. (Yahoo) From around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to the secret internet-based communications system, a key means for remote messaging between CIA officers and their sources.
BleedingBit Information from the Research Team (Armis Labs) Read this report on how BLEEDINGBIT exposes Millions of Enterprise Access Points and Unmanaged Devices to an Undetectable Chip Level Attack
Bleedingbit zero-day chip flaws may expose majority of enterprises to remote code execution attacks (ZDNet) Updated: The BLE chip zero-day vulnerabilities have the potential to render millions of enterprise security systems powerless.
Mystery of the Midterm Elections: Where Are the Russians? (New York Times) Nefarious activity by known or suspected hackers seems low this year. But that might not be good news and could spell trouble even after Tuesday’s vote.
The Pentagon Has Prepared a Cyberattack Against Russia (The Daily Beast) U.S. military hackers have been given the go-ahead to gain access to Russian cybersystems as part of potential retaliation for any meddling in America’s elections.
Joe Manchin’s social media accounts hacked, the senator’s office says (Washington Post) Accounts have since been secured, the West Virginian’s aides say.
Report: Majority of Americans Unable to Discern Fake Election Emails (MarketWatch) Valimail Survey Finds Older Americans Better at Identifying Fake Emails - But Average Success Rates Very Low Among All Groups
Real vs. Fake Email Test Results (Valimail) Prior to the 2018 midterm elections, Valimail conducted a survey to test adult Americans’ ability to distinguish fraudulent campaign emails.
A vote for better security (SC Media) In light of rampant concerns about election tampering and voting machine manipulation, here are some steps IT security experts believe that state and
Will 'Deepfakes' Disrupt the Midterm Election? (WIRED) Advances in machine learning allow almost anyone to create plausible imitations of candidates in video and audio, potentially sowing confusion.
How Do You Say ‘Fake News’ in Russian? (Foreign Policy) Russian news sites portray the U.S. presidential election as a prelude to civil war.
Hacked Facebook private messages for sale (BBC News) The perpetrators told the BBC Russian Service they had details from a total of 120 million accounts.
New techniques expose your browsing history to attackers (Help Net Security) Security researchers have discovered new techniques that could be used by hackers to learn which websites users have visited as they surf the web.
Old School 'Sniffing' Attacks Can Still Reveal Your Browsing History (Motherboard) The way that major browsers store history and structure links leaves them vulnerable to old school ‘sniffing’ attacks, according to new research from the University of California San Diego.
Emotet Trojan Begins Stealing Victim's Email Using New Module (BleepingComputer) The Emotet malware is typically used as a banking trojan and more recently for distributing other malware, but has now become more versatile via a module that allows it to steal a victim's actual emails going back six months.
SMS Phishing + Cardless ATM = Profit (KrebsOnSecurity) Thieves are combining SMS-based phishing attacks with new “cardless” ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works.
Cisco zero-day exploited in the wild to crash and reload devices (ZDNet) No patch available, yet. Vulnerability affects devices running ASA 9.4+ and FTD 6.0+ software.
Yi IoT Home Camera Riddled with Code-Execution Vulnerabilities (Threatpost) Five of them allow remote compromise of the IoT gadgets, so attackers can intercept video feeds and more.
Another day, another update, another iPhone lockscreen bypass (Naked Security) Researcher José Rodríguez beats the lockscreen to display contact phone numbers and email addresses.
Defence shipbuilder Austal hit by cyber-attack (ABC Radio) A cyber-attack and extortion attempt has forced major Australian Defence shipbuilder Austal to increase its data security.
How Hackers Exploit Online Games (Security Boulevard) Legitimate platforms like online gaming services are a breeding ground for hackers, with in-game currencies and micro-transactions putting a target on the gaming industry’s back
Bogus Porn Emails Using Old Passwords to Scam You Out of Cash (PCMAG) Cisco Talos says email scammers have made at least $146,000 in bitcoin by circulating sextortion messages. But don't fall for it: no one has incriminating video footage of you.
Experts Divulge Memorable IT/Information Security Nightmares (eWEEK) Just in time for Halloween, industry experts have weighed in, sharing their IT nightmare stories (and lessons learned), as well as offering their analysis around DevSecOps (development of security operations).
Cyber Trends
Internet freedom continues to decline around the world, a new report says (The Verge) Governments are reining in liberty for the eighth consecutive year, Freedom House reports
We need thicker skins in age of social media (Times) We live in an age when events that used to take place behind closed doors are now more visible. People leave traces of their stupidity online where once their tracks were covered and, for the most...
Microsoft boss hammers home 'unintended consequences' of AI (CRN) Satya Nadella implored the industry to be leaders in setting the standards around privacy and ethics in AI
Report reveals one-dimensional support for two-factor authentication (Naked Security) 34 popular consumer websites were put to the 2FA test.
Eight resellers name their top cybersecurity threats to watch out for in 2019 (CRN) From whaling and USB attacks to third-party exploitation, what will be the biggest threats facing end users next year? We asked execs at eight cyber-security resellers and consultancies to name their picks.
Marketplace
Bull or Bear? How the Market Reacts to Data Breach News (Lexology) Last week, Cathay Pacific Airlines Ltd., the Hong Kong-based international airline, disclosed that a hacker had broken into its computer system and…
Cisco Chairman John Chambers invests in India-based cybersecurity startup (CISO MAG) The startup delivers information security platforms and services to enterprises and governments globally
Emerging Leader Attila Security Announces First Round of Funding (PRWeb) Attila Security, a company providing visibility, control and threat defense across physical, virtual, and cloud applications is pleased to announce it has com
QuoVadis to be sold to US firm DigiCert (The Royal Gazette) Cybersecurity firm QuoVadis is to be sold by its Swiss owners to US company DigiCert. QuoVadis, which was founded in Bermuda in the late 1990s, was
Australia's top cyber spy says Chinese tech is too good to be allowed near its key infrastructure (Business Insider) Australia's top cyber spy says Chinese technology like Huawei is too good and Chinese state media can't really agree
Huawei says no Australia barriers are needed (IOL Business Report) Australia must restrict foreign firms with government ties from its 5G mobile communications network.
Huawei Lobbyists Visit Canadian MPs to Alleviate Security Concerns (Epoch Times) Huawei lobbyists started paying visits to Canadian parliamentarians in August.
The Privacy Battle to Save Google From Itself (WIRED) Interviews with over a dozen current and former Google employees highlight a commitment to privacy—and the inherent tensions that creates.
Employee Discontent Threatens Google’s Reputation (Wall Street Journal) On Thursday, Google workers who took part in a walkout at the company’s offices around the world signaled a crisis in faith—one that, if widespread, could cause reputational harm, potentially affecting the Alphabet Inc. unit’s standing as an aspirational workplace, risk experts and analysts said.
A Chinese Dissident Artist Is Taking Aim at Google for Censored Search Engine (Motherboard) Badiucao’s new exhibition compares Google's censored search engine for China, codenamed Dragonfly, to Donald Trump's wall.
Why recruiting cyberwarriors in the military is harder than retaining forces (Fifth Domain) Recruiting the American military’s cyber force is more difficult than retaining digital warriors, top Pentagon officials said during the CyberCon conference hosted by Fifth Domain Nov. 1.
EDA, Thales sign network services contract (Shephard Media) The European Defence Agency (EDA) has signed a contract with Thales Six GTS France for the provision of secure network and communication services to the ...
AllegisCyber Names Mike Aiello -- Director of Product Management for Go (PRWeb) Mike Aiello, a cybersecurity executive at Alphabet Inc.’s Google and previously a Chief Information Security Officer (CISO) at Goldman Sachs for Consumer B
Absolute Software Names Christy Wyatt as Chief Executive Officer (BusinessWire) Absolute (TSX: ABT), the endpoint visibility and control company, today announced the appointment of accomplished security and technology industry lea
AppRiver Bolsters Executive Management Team with Chief Marketing Officer (GlobeNewswire News Room) Leading Cloud Cybersecurity and Productivity Provider Appoints 20-Year Marketing Veteran Cleve Bellar as its First CMO
Paul Wang joins High-Tech Bridge’s Advisory Board (CSO) With over 20 years of cybersecurity practice in all four Big 4 companies, Paul Wang will support High-Tech Bridge’s sustainable global growth, competitive AI strategy and customer value creation.
Products, Services, and Solutions
Keeper Security Unveils New Dark Web Monitoring Product, BreachWatch™ (PR Newswire) Keeper Security, Inc., the leading creator of zero-knowledge security solutions, Keeper® Password Manager and...
HITRUST releases Threat Catalogue to improve risk management (Help Net Security) HITRUST's Threat Catalogue will provide organizations with visibility into the threats and risks targeting their information, assets and operations.
New TITUS machine learning capabilities enable confidence in identifying and protecting data (Help Net Security) TITUS' Intelligent Protection offers machine learning driven by classification to reduce risk of data loss.
Covata's Enterprise Security Console to provide visibility and control over sensitive data (Help Net Security) Covata’s Enterprise Security Console empowers businesses to discover, protect, and control their sensitive information across multiple platforms.
TierPoint Launches CleanIP Next-Generation Firewall (PR Newswire) TierPoint, a leading provider of secure, connected data center and cloud solutions at the edge of the internet, today...
Bitdefender Labs Launches Election Security Central to Track Cybersecurity and Information Warfare on Voters (Business Insider) Bitdefender, a leading global cybersecurity company protecting over 500 millio...
Technologies, Techniques, and Standards
Are We Really Okay With Facial Recognition? (IQS Directory Resource Center) Everyone is talking about facial recognition these days. But things aren’t as simple as they seem. We need to consider these key factors.
IBM manager: Cyber-resilience strategy part of business continuity (TechTarget) Make sure a cyber-resilience strategy is top of mind at your organization. In this podcast, learn ways to minimize the constant threat of cyberattacks and enhance your business continuity.
Managing Cyber Risks: A New Tool for Banks (BankInfo Security) Banks have a new tool available for developing cyber risk management programs. In an interview, architects of the Financial Services Sector Cybersecurity Profile,
EZShield + IdentityForce Provide Holiday Shopping Tips to Protect Consumers Against Identity Theft (AP NEWS) EZShield + IdentityForce issued five tips today to help consumers protect themselves from identity theft during the holiday shopping season. These tips can help safeguard consumers whether they are purchasing gifts on mobile phones, keeping their children’s identity safe, or returning items.
Design and Innovation
Google’s stealthy sign-in sentry can pick up pilfered passwords (Naked Security) The search giant’s secret sauce can see when somebody’s using your stolen password.
How Microsoft's Defending Democracy program amplifies account security (TechRepublic) Diana Kelley, Microsoft's Cybersecurity Field CTO, explains how the company is combating disinformation, phishing attacks, and cloud security.
Microsoft's security tactics focus on customers, transparency, and working with its tech competitors (TechRepublic) Diana Kelley, Microsoft's Cybersecurity Field CTO, talks about the company's approach to data security, collaborating with its major tech competitors, and why the cloud is a security imperative.
Verint Systems unveils Cyber Intelligence Research and Development Center in Romania (Business Review) Verint Systems announced the opening of a Cyber Intelligence Research and Development Center in Romania offering Romanian IT professionals the
Research and Development
Quantum Random Numbers Future-Proof Encryption (Semiconductor Engineering) Three universities chose to build and license quantum random number generators.
Academia
Software Engineering Institute Names Leading Cybersecurity Researcher as CTO (PR Newswire) The Software Engineering Institute at Carnegie Mellon University today announced the appointment of nationally known...
Purdue professor led Worm research that began cybersecurity work Purdue University Professor Eugene Spafford is known for his work almost 30 years ago in defeating one of the first major malware programs released onto the internet.
Computer Science Department plans to change curriculum (The Cavalier Daily) The Computer Science Undergraduate Curriculum Committee is considering curriculum changes to both the Bachelor of Science and Bachelor of Arts degrees for computer science.
Legislation, Policy, and Regulation
'GDPR is one of the best things to happen for data security,' says CIO roundtable (Computing) A CIO roundtable states that the EU's General Data Protection Regulation has helped focus board minds on security
GDPR's First 150 Days Impact on the U.S. (Threatpost) Weighing the impact of GDPR and how the historic legislation has shaped privacy protection measures in the U.S., so far.
Canada Eyes Ban On Shady Piracy Warnings That Demand Payment (Motherboard) Bill C-86 would end the obligation for ISPs to forward misleading copyright infringement notices that ask for a settlement payment to customers accused of pirating media.
Analysis | The Cybersecurity 202: Trump takes harder line on digital security just before the midterms (Washington Post) His attorney general announced a program to curb Chinese economic espionage.
Sen. Ron Wyden Introduces Bill That Would Send CEOs to Jail for Violating Consumer Privacy (Motherboard) The 'Consumer Data Protection Act' is a bill that would comprehensively overhaul internet privacy protections.
Wyden Releases Discussion Draft of Legislation to Provide Real Protections for Americans’ Privacy (U.S. Senator Ron Wyden of Oregon) Bill Requires Radical Transparency About How Corporations Share, Sell and Use Your Data; Creates Tough Penalties and Jail Time for Executives
Discussion Draft: ‘Consumer Data Protection Act (US Senate) To amend the Federal Trade Commission Act to establish requirements and responsibilities for entities that use, store, or share personal information, to protect personal information, and for other purposes.
Pentagon official: Cyber Command and NSA may split infrastructure (Fifth Domain) The split stems from the different missions of the two agencies, according to Capt. Ed Devinney, director of corporate partnerships and technology outreach at Cyber Command.
Everyone in DoD is a cyberwarrior (Fifth Domain) Each person is responsible for cyber hygiene and cyber defense today, according to Vice Adm. Nancy Norton, director of DISA and commander of Joint Force Headquarters-DoD Information Networks.
Mattis stands up new Pentagon office to safeguard Defense information (Federal News Network) Defense Secretary James Mattis has appointed a new task force to cut theft and misappropriation of DoD information, reporting directly to the deputy defense secretary and vice chairman of the Joint Chiefs of Staff.
HHS opens health cybersecurity coordination center (Health Data Management) Agency will provide timely and actionable intelligence on cyber threats to healthcare organizations.
HHS kills HCCIC cyber command center, aligns with Homeland Security (Healthcare IT News) The new HHS-DHS Health Cybersecurity Coordination Center, HC3, replaces the Healthcare Cybersecurity Communications and Integration Center after a year of turmoil and unraveling.
Speaker Ryan appoints three to cyberspace commission (Homeland Preparedness News) Rep. Mike Gallagher (R-WI), Samantha Ravich, and Frank Cilluffo were appointed this week by House Speaker Paul Ryan (R-WI) to the Cyberspace Solarium Commission. The commission was established by the National Defense Authorization Act to develop a framework for U.S. …
Litigation, Investigation, and Law Enforcement
Senate Panel Seeks FBI Briefing on Super Micro Hacking Report (Bloomberg) A U.S. Senate committee asked the FBI and Department of Homeland Security for a classified briefing on a report saying China’s intelligence services used subcontractors to plant malicious chips in Super Micro Computer Inc. server motherboards.
Chinese ‘cyber-attack’ on Oz firm linked to jet company (The Australian) An alleged Chinese cyber-attack that US prosecutors say targeted an Australian website registration firm has been linked to a French company building one of the most common commercial jet engines.
Arq Group addresses speculation over its involvement in China hacks (CRN Australia) Said it had no knowledge of events detailed in a US indictment.
U.S. Accuses Chinese Firm, Partner of Stealing Trade Secrets From Micron (Wall Street Journal) The Justice Department unsealed charges Thursday against a Chinese state-owned firm and its Taiwan partner for allegedly stealing trade secrets from the U.S.’s largest memory-chip maker, Micron Technology.
Analysis | One month after Jamal Khashoggi’s killing, these key questions remain unanswered (Washington Post) Saudi Arabia finally admitted to killing Khashoggi, but the case is far from closed.
One month on: The Jamal Khashoggi murder case so far (Al Jazeera) Assassination of Saudi journalist inside the kingdom's Istanbul consulate has drawn global ire, intense media scrutiny.
Activist investor Carl Icahn sues Dell over alleged financial disclosure failure (CRN Australia) Carl Icahn alleges financial information on VMware stock swap plan wasn't disclosed.
Russia’s GRU provides crypto twist to Mueller investigation (Asia Times) The Mueller probe into possible links between Trump family and Moscow claims Russian intelligence mined its own crypto to launder money for US operations
In email to Trump’s campaign strategist, Roger Stone implied he knew of WikiLeaks’s plans (Washington Post) The exchange with Stephen K. Bannon undercuts Stone’s claim to The Washington Post that he never communicated with campaign officials about WikiLeaks.
The Real Houseguest of the Ecuadorian Embassy (WIRED) As details of his democracy-bending relationship with Roger Stone break, Julian Assange is proving guests, like fish, stink after six years.
Financial and psychological toll of catfishing scams (CBS News) A North Carolina woman is in jail for allegedly plotting to kill her mother for insurance money after she fell victim to a so-called catfishing scam, when stolen identities are used to lure people into fake relationships. These online romance scams can lead to bullying, cyberstalking, theft, and even worse consequences. Victims in the U.S. and Canada say they lost nearly a billion dollars over the last three years. Meg Oliver reports.
"Emotional terrorists": The financial and psychological toll of catfishing scams (CBS News) Why scam victims send thousands of dollars to people they've never met -- one woman allegedly plotted a murder to gain more cash