Cyber Attacks, Threats, and Vulnerabilities
A Journalist Was Killed in Mexico. Then His Colleagues Were Hacked. (New York Times) Text messages sent to them were infected with a spyware that the Mexican government bought from an Israeli cyber arms dealer, according to a forensic analysis.
Reckless VI: Mexican Journalists Investigating Cartels Targeted with NSO Spyware Following Assassination of Colleague (The Citizen Lab) Two days after the murder of award-winning Mexican journalist Javier Valdez Cárdenas, two of his colleagues began receiving text messages laden with NSO Group's Pegasus spyware. To date, 24 targets of Pegasus have been identified in Mexico. This case additionally illustrates an alarming trend of spyware attacks around the world specifically aimed at journalists.
Widely used open source software contained bitcoin-stealing backdoor (Ars Technica) Malicious code that crept into event-stream JavaScript library went undetected for weeks.
Bypassing CVE-2018-15442: Another case of DLL Hijacking (SecureAuth) As an exploit writer, one of my tasks consists of gathering common vulnerabilities and exposures (CVE) and all of the information related to them in order to design an exploit for Core Impact. As part of this process I stumbled across CVE-2018-15442: A vulnerability in the update service of Cisco WebEx Meetings Desktop App for Windows.
Fake Voice Apps on Google Play, Botnet Likely in Development (TrendLabs Security Intelligence Blog) Several apps on Google Play posing as legitimate voice messenger platforms have automated functions such as fake survey pop-ups and fraudulent ad clicks.
These Hugely Popular Android Apps Have Been Committing Ad Fraud Behind Users’ Backs (BuzzFeed News) “Why isn't Google immediately dropping such apps from the Play store and advising users to uninstall them?” one analyst asked.
AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor (TrendLabs Security Intelligence Blog) We came across a worm that propagates through removable drives and installs a fileless version of the BLADABINDI/njRAT backdoor.
Researchers Use Smart Bulb for Data Exfiltration (SecurityWeek) Researchers with software risk measurement and management company Checkmarx were able to create two mobile applications that abuse the functionality of smart bulbs for data exfiltration.
People Who Buy Smart Speakers Have Given Up on Privacy, Researchers Find (Motherboard) Smart speakers raise a number of privacy questions, which owners are choosing to just shrug off.
Email Scammers Leverage California Wildfire Tragedy (Agari) With multiple dead, hundreds missing, and homes destroyed, those affected by the California Camp Fire are looking for help. But be cautious—fraudsters are using email to scam helpful citizens out of money.
Attackers Are Landing Email Inboxes Without the Need to Phish (SecurityWeek) With the right combination of people, processes and technology, organizations can mitigate the risk of Business Email Compromise (BEC) attacks and scams.
Fraudsters changing contact details of banks on Google Maps to scam users (HackRead) Don’t trust Google Maps for banks’ contact details – At least not for now.
Obfuscated bash script targeting QNap boxes (SANS Internet Storm Center) One of our readers, Nathaniel Vos, shared an interesting shell script with us and thanks to him!
Presumed technical issue disrupts Google Adsense payouts worldwide (HackRead) Still didn’t receive your Google Adsense payouts? Don’t worry, you are not alone.
Mobile Rotexy Malware Touts Ransomware, Banking Trojan Functions (Threatpost) A mobile malware has accelerated its activity in 2018, launching more than 70k attacks in August through October.
ATM attackers strike again: Are you at risk? (Help Net Security) The United States National ATM Council recently released information about a series of ATM attacks using rogue network devices. The criminals opened the
USPS, Amazon Data Leaks Showcase API Weaknesses (Threatpost) The incidents affected millions, just as Black Friday, Cyber Monday and the holiday shopping season kicked off.
Amazon 'technical error' exposes customer names and emails (CSO Online) Amazon isn't saying how many customers had their names and email addresses exposed due to a data leak caused by an unexplained technical error.
Ransomware Attack Forced Ohio Hospital System to Divert ER Patients (Dark Reading) Malware infection fallout sent ambulances away from East Ohio Regional Hospital and Ohio Valley Medical Center over the Thanksgiving weekend.
More details on One Planet York app vulnerability don't paint council in a good light (Graham Cluley) New information has come to light which makes it more difficult to defend York city council’s actions and communications in response to being told about a vulnerability in its One Planet York app.
Parents slam “weirdo” fraudsters for using child’s Facebook pic for cash (Naked Security) Did you help spread the viral scowling Pop-Tart™-deprived kid photo last week? Can’t be helped, mom said, but using it to raise cash was “lame.”
Security Patches, Mitigations, and Software Updates
USPS Fixed Vulnerability That Exposed The Data of 60 Million People (Nextgov.com) Just in time for the mail deluge of the holidays.
Google makes good on promise to remove some Symantec PKI certificates (CSO Online) If you get this digital certificate error using Chrome, then Google now considers that website's Symantec PKI certificate untrustworthy.
Cyber Trends
High-Level Cybersecurity Meeting Warns of Dire Effects of Cyberattacks on Prosperity, Innovation and Global Collaboration (World Economic Forum)
GDPR's impact: The first six months (Help Net Security) GDPR is now six months old – it’s time to take an assessment of the regulation’s impact so far. At first blush it would appear very little has changed.
Buckle Up: A Closer Look at Airline Security Breaches (Dark Reading) Cyberattacks on airports and airlines are often unrelated to passenger safety - but that's no reason to dismiss them, experts say.
The current state of cybersecurity in the connected hospital (Help Net Security) Abbott and The Chertoff Group shared key findings from a recent study of 300 physicians and 100 hospital administrators on cybersecurity challenges.
Marketplace
CYBERCOM Has a Vendor In Mind For Its Big Data Platform But Is Open to Options (Nextgov.com) The military’s cyber branch plans to award a sole-source contract to manage and enhance its Big Data Platform but wants to know if other vendors are capable of bidding.
Why cyber compounds Pentagon purchasing problems (Fifth Domain) The Pentagon's cyber acquisition process is “too slow,” a “support nightmare,” and one that “puts the warfighter at risk,” an upcoming paper argues.
Huawei to Complete Network Project Despite Fierce U.S. Opposition (WSJ) Chinese telecom giant Huawei will complete construction of an internet network in Papua New Guinea despite opposition from Australia, Japan and the U.S.
Connected Intelligence firm eyes growth with new funding (Growth Business) Connected intelligence firm Alva plans growth with new funding injection from Clydesdale and Yorkshire Bank
Facebook denies report that election war room was disbanded (TechCrunch) Facebook’s election war room monitors and dashboards remain, since so does the threat of election interference. Facebook has confirmed to TechCrunch that its election war room that it paraded reporters through in October has not been disbanded and will be used again for future elections. That…
Six months in, Europe’s privacy revolution favors Google, Facebook (POLITICO) GDPR awakened the world to the importance of data — but it’s dampened investment in European tech startups.
Here are the winners of the Security Excellence Awards (Computing) It was a hotly-contested year - here are the companies that made it big on the night
Products, Services, and Solutions
Silverfort Launches First Holistic AI-Driven Adaptive Authentication Engine for Securing Corporate Identities without Impacting Usability (AP NEWS) Silverfort, the provider of next-generation multi-factor authentication solutions, today announced a first-of-its-kind AI-based risk engine that analyzes activities across all on-premises and cloud environments, to dynamically calculate the most accurate risk score per user, device and resource, and apply effective authentication policies.
CyberPolicy’s Cyber Insurance Options Now Available Through Progressive Insurance (GlobeNewswire News Room) CyberPolicy, the world's first marketplace to help small business owners compare, quote and buy cyber insurance online, is proud to provide a seamless, high touch experience when purchasing cyber insurance, alongside other small business coverages, through Progressive Insurance.
Infineon’s Blockchain Security 2Go starter kit protects digital transactions (Infineon Technologies AG) Digital transactions require secured yet user-friendly solutions.
Rohde & Schwarz adds SSH classification to R&S PACE 2 DPI engine (Advanced Television) ipoque GmbH, a Rohde & Schwarz company, has announced new Secure Shell (SSH) metadata extraction capabilities for its acclaimed R&S PACE 2 deep packet i
Product showcase: Cynet 360 Security Platform (Help Net Security) The Cynet 360 Security Platform supports four deployment methods: On-premise, IAAS, SAAS and hybrid mode. Deployment takes only a few minutes.
GLESEC Launches New Advanced Detection and Response Incident Management Service (EDR) (PR Newswire) International Cyber-Security Firm GLESEC announces the launching of its Managed End Point Incident Response...
Siemens teams with Aruba to merge OT and IT (Tracking The Internet of Things) Siemens and Hewlett Packard Enterprise's networking subsidiary Aruba have formed a partnership to bridge the worlds of operational technology and information technology.
10 Slack security tools compared (CSO Online) Slack does a good job of protecting its own code, but you'll need help to stop malware delivered through Slack messages or to avoid exposing personal information.
Technologies, Techniques, and Standards
Why cyberspace demands an always-on approach (Fifth Domain) Cyber Command has said that the constant threat from adversaries will require persistent engagement below the threshold of conflict.
The Army’s ‘new’ network isn’t actually new (C4ISRNET) The Army has outlined a different network design based on a series of programs and systems making the Army more lethal and faster.
Why Deep Defense Should Start with Detecting Compromised Credentials (Infosecurity Magazine) Obtaining valid credentials using multiple mechanisms and tools continues to be extremely lucrative for a cyber-criminal
Protecting Your Website Visitors from Magecart: Trust but Verify (Akamai) There have been many news reports recently which outline how cyber criminals have successfully injected credit card skimming JavaScript code into the checkout process pages of various websites. Dubbed Magecart, these attacks refer to a number of threat actors who...
IT leaders admit their biggest security mistakes (Computing) A panel of IT leaders at Computing's recent Enterprise Security and Risk Management Live conference discuss their biggest security failings
Why you shouldn't be worried about UPnP port masking (Help Net Security) If your mitigation fails to protect against randomized ports, it's not sufficient. Hype around UPnP port masking confuses real DDoS protection issues.
How to keep your kids safe from toys and apps that pry into their lives (CNBC) As the holiday season kicks into gear, it's important to understand that a lot of kids' toys and apps collect and store information about them, often with little regard for privacy and security. Here's how to make wise choices.
Hawaii’s false missile alert leads to new recommendations to prevent mistakes (Military Times) Multiple investigations blamed the alert on human error and inadequate safeguards.
New campaign launched to fight festive fraud (Action Fraud) This Christmas, Action Fraud and City of London Police are reminding shoppers to take extra care when shopping for gifts online. As consumers search online for bargains and gifts for loved ones, fraudsters are seeing this as an opportunity to trick people with the promise of great deals and big cash savings.
Design and Innovation
Google Wants to Ensure Integrity of EU Parliamentary Elections (SecurityWeek) Google is rolling out new tools to ensure Europeans receive the information they need for the 2019 Parliamentary elections in the European Union (EU).
Academia
Edinburgh Napier University Student Named as 2018 Cyber Security Challenge Champion (Infosecurity Magazine) Student Charlie Hosier has been named as the 2018 Cyber Security Challenge champion
Legislation, Policy, and Regulation
Ukraine counters Russian threat with martial law (Times) President Poroshenko won approval in parliament last night for martial law as a response to Russia’s attack on Ukrainian naval vessels in the Black Sea. Ukrainian regions “subject to Russian...
The Nigerian Cyber Warfare Command: Waging War In Cyberspace (Forbes) The newly-launched Nigerian cyber army wants to monitor, defend and assault in cyberspace through DDoS attacks on criminals, nation states and terrorists. Can it succeed?
Australia launches joint cyber centre (Jane's 360) Australia has launched a Joint Cyber Security Centre (JCSC) to provide enhanced protection for its critical infrastructure, including its national defence industry, the government announced on 23 November.
Congress raises 15 questions to the PM on the state of national security (National Herald) The Congress slammed the PM for having played ‘despicable politics’ during the Mumbai terror attack
Trump pick to lead intelligence post remains in congressional limbo (Fifth Domain) William Evanina, Trump’s choice to lead the National Counterintelligence and Security Center, has not been confirmed by the Senate months after being nominated.
Analysis | The Cybersecurity 202: Lawmakers seek to quash ‘Grinch bots' inflating holiday toy prices (Washington Post) "That’s not how the marketplace is supposed to work," says Sen. Tom Udall.
New Law Could Give U.K. Unconstitutional Access to Americans’ Personal Data, Human Rights Groups Warn (The Intercept) This form of international data-sharing could put Americans’ privacy at risk and expose citizens to potential Fourth Amendment abuses, critics say.
Litigation, Investigation, and Law Enforcement
Fake news inquiry: Facebook questioned by MPs from around the world – as it happened (the Guardian) Rolling updates as representatives from nine parliaments question the social media company, who refused to send CEO Mark Zuckerberg
MPs to grill Facebook over data scandals as Damian Collins threatens to expose firm's private emails (The Telegraph) Belgium and France will join an international grand committee on “fake news” that will today question Facebook’s actions in a series of recent data breaches at a hearing in Parliament.
Six4Three exec “panicked” in UK MP’s office, gave up Facebook internal files (Ars Technica) App maker had been ordered to not share docs obtained via discovery, but did anyway.
Canadian MPs criticize Facebook's Zuckerberg for U.K. parliament no-show (CBC) Facebook comes under fire from lawmakers from several countries — including Canada — who accuse the firm of undermining democratic institutions. CEO Mark Zuckerberg takes the brunt of it.
Manafort Breached Plea Deal by Repeatedly Lying, Mueller Says (New York Times) Mr. Manafort, President Trump’s onetime campaign chairman, breached his plea agreement by repeatedly lying to investigators, Mr. Mueller said.
Analysis | Could Robert Mueller be about to tell us something big? (Washington Post) Mueller has accused Paul Manafort of lying — and is going to tell us what he lied about.
Student accused of spying thanks wife on return from UAE (Times) The PhD student pardoned after being convicted of being an MI6 spy in the United Arab Emirates has landed back in Britain. Matthew Hedges, who was freed from a prison in Abu Dhabi yesterday after...
Assange Case, If It Exists, Can't Be Made Public, U.S. Argues (Bloomberg) The news media has no legal right to learn whether WikiLeaks founder Julian Assange was charged in a sealed proceeding, despite an inadvertent filing in an unrelated case that said the Justice Department has accused him of wrongdoing, the U.S. said.
Alleged LinkedIn hacker to undergo psychiatric evaluation, trial pushed to February (Cyberscoop) Yevgeniy Nikulin is scheduled to visit a psychiatric facility, where a doctor will determine whether he is fit to stand trial.
Russia opens civil case against Google over search results (Reuters) Russia has launched a civil case against Google, accusing it of failing to comp...
European consumer groups want regulators to act against Google... (Reuters) Consumer agencies in the Netherlands, Poland and five other European Union count...
British and Dutch regulators fine Uber for 2016 hack (Computing) Regulators fined the ride-hailing firm more than £900,000
Supreme Court Weighs Whether Apple’s App Store Is a Monopoly (Motherboard) Looming Supreme Court ruling could impact antitrust enforcement for years.