Cyber Attacks, Threats, and Vulnerabilities
Report: Ex-Iranian president Ahmadinejad arrested for inciting unrest (Times of Israel) According to Arab paper, former leader's comments against Rouhani government amid rallies have led authorities to seek to place him under house arrest
Winter Olympics 'targeted by hackers' (BBC News) Cyber-security firm McAfee said the focus of the attack included groups affiliated with ice hockey.
Malicious Document Targets Pyeongchang Olympics | McAfee Blogs (McAfee Blogs) McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics. Attached in an email wa
At least three billion computer chips are vulnerable to a security flaw found this week (MIT Technology Review) Companies are rushing out software fixes for Chipmageddon.
Meltdown and Spectre: clearing up the confusion (SANS Internet Storm Center) Unless you’ve been living under a rock (or on a remote island, with no Internet connection), you’ve heard about the latest vulnerabilities that impact modern processors.
Scary Chip Flaws Raise Spectre of Meltdown (KrebsOnSecurity) Apple, Google, Microsoft and other tech giants have released updates for a pair of serious security flaws present in most modern computers, smartphones, tablets and mobile devices. Here’s a brief rundown on the threat and what you can do to protect your devices.
Banks, telcos working to mitigate major chip flaws (The Straits Times) Essential-services sectors in Singapore are working furiously to mitigate cyber security risks linked to two critical hardware flaws discovered last year but made public only last week.
When Speculation Is Risky: Understanding Meltdown and Spectre (TrendLabs Security Intelligence Blog) For several days, rumors circulated about a serious vulnerability in Intel processors. It wasn’t until January 3 that the official disclosure of the Meltdown and Spectre vulnerabilities was made, and it became clear how serious the problems were. To summarize, Meltdown and Spectre both allow malicious code to read memory that they would normally not have permission to.
Spectre & Meltdown: Tapping into the CPU's Subconscious Thoughts (DS9A.NL) In this post I will attempt to fully explain the Spectre and Meltdown vulnerabilities in an accessible way. I decided to write it up after I realised it took me more than a day to figure it out, even though I’ve been doing security related stuff on CPUs for 20 years.
Who's affected by computer chip security flaw (Fifth Domain) Technology companies are scrambling to fix serious security flaws affecting computer processors built by Intel and other chipmakers and found in many of the world’s personal computers and smartphones.
Cisco Investigating Dozens Of Routers, Switches, Servers That May Be Affected By Spectre, Meltdown Exploits (CRN) In a security advisory issued Thursday night, Cisco says it is putting dozens of routers, switches and servers under the microscope to find out whether any of them may be affected by the Spectre or Meltdown exploits.
Feds face limited options for Meltdown, Spectre bugs (FCW) Patches can mitigate some of the vulnerabilities found in virtually every processor, but a DHS spokesperson said decisions on hardware replacement will be left up to individual agencies and CIOs.
Huge coordinated vulnerability disclosure needed for Meltdown (SearchSecurity) A massive coordinated vulnerability disclosure was required for the Meltdown and Spectre CPU flaws, now remediation concerns remain.
How So Many Researchers Found a 20-Year-Old Chip Flaw At Once (WIRED) The uncanny coincidences among the Meltdown and Spectre discoveries raise questions about "bug collisions"—and the safety of the NSA's hidden vulnerability collection.
Meet the researcher who hacked his own computer and discovered Meltdown flaw (CRN Australia) The man who exposed Meltdown.
The Bright Side of the Two Intel Chip Security Vulnerabilities (Slate Magazine) Let's hear it for the independent security researchers!
Security Flaw in AMD's Secure Chip-On-Chip Processor Disclosed Online (BleepingComputer) AMD has fixed, but not yet released BIOS/UEFI/firmware updates for the general public for a security flaw affecting the AMD Secure Processor.
LockPoS Malware Sneaks onto Kernel via new Injection Technique (Dark Reading) Alarming evolution of Flokibot bypasses antivirus software and was likely built by a group of advanced attackers, researchers say.
Python-Based Botnet Targets Linux Systems with Exposed SSH Ports (BleepingComputer) Experts believe that an experienced cybercrime group has created a botnet from compromised Linux servers and is using these systems to mine Monero, a digital currency.
PyCryptoMiner- Python Crypto Miner Botnet Spreads via Exposed SSH Ports (The Zero Miles) Researchers discovered a new Linux crypto-miner botnet that is spreading over the SSH protocol. The botnet, which we’ve named PyCryptoMiner:
Bitcoin price rise could lead to smart home attacks and higher bills, cybersecurity expert warns (The Independent) People’s homes could come under attack as a consequence of bitcoin’s price surge, a cybersecurity expert has warned. “Cryptojacking” incidents, in which people’s devices are quietly hijacked and forced to mine digital currencies for other people, are on the rise. However, it’s not just regular computers that are at risk.
22 different flashlight apps in Google Play were found to contain malicious adware (Business Insider) Some Android users with the adware were forced to press on ads before they could answer calls on their phones.
DHS insider breach resulted in theft of personal info of staff and people involved in investigations (Help Net Security) The US DHS OIG has confirmed that the "privacy incident" discovered in May 2017 resulted in the theft of personally identifiable information of DHS employees and individuals associated with investigations.
Aadhaar's security flaws can have devastating consequences for Indians (Business Standard) Does UIDAI think citizens' privacy is a 'small price' to pay for how the govt can monetise Aadhaar in future?
UIDAI's Defensive Stance on Aadhaar Security Breaches Isn't Helping Anybody but the Government (The Wire) The biometric identification agency and the government need to start listening to those who are pointing out critical flaws instead of issuing blanket denials and template answers.
Wall Street Journal kicks off 2018 by throwing mud at Kaspersky (iTWire) Last year, the three big mainstream US newspapers ran articles that more or less spelt the death knell for Kaspersky Lab's deals with the American pub...
Children at ‘significant’ social media risk (Naked Security) Children aren’t getting enough guidance to cope with the emotional demands that social media puts on them, according to new report.
Alteryx Takes Action Following Big Data Breach (Datanami) Following a report that it left data about more than 100 million households exposed on AWS, Alteryx's CEO declared that the company has taken steps to ensu
Q&A: Edward Snowden on rights, privacy, secrets and leaks in conversation with Jimmy Wales (Wikitribune) WikiTribune founder Jimmy Wales interviewed former CIA employee Edward Snowden to talk about privacy, journalism and spying
Cyber attack closed Cardiff restaurant, claims businessman (The Irish Times) Publican and restaurateur Darryl Kavanagh had to shut Welsh outlet after six months
Security Patches, Mitigations, and Software Updates
Microsoft warns patches for Meltdown, Spectre may clash with AV (IT World Canada) Windows administrators will have to be careful applying a Microsoft fix for the Meltdown/Spectre microprocessor flaws that burst suddenly in the news
Windows Meltdown-Spectre fix: How to check if your AV is blocking Microsoft patch (ZDNet) Antivirus firms are playing patch catch-up, as Microsoft releases Meltdown firmware updates for Surface devices.
Intel says performance impact of security updates not significant (The Express Tribune) Security researchers had disclosed two security flaws exposing vulnerability of devices containing chips from Intel
Experts Weigh In On Spectre Patch Challenges (Threatpost) Mitigating Spectre and Meltdown flaws won't be easy, but experts say exploits targeting Spectre will be hard to patch against.
Relax, the Meltdown and Spectre CPU Patches Aren't Messing With Your Frame Rates (Motherboard) Your ability to crush noobs won’t be impeded.
ICO urges patching to fix Meltdown and Spectre vulnerabilities, despite performance hit (Computing) Fail to patch at your own risk
Businesses cautious in installing patches to fix chip flaw (Reuters) Chances that a fix to a major microchip security flaw may slow down or crash some computer systems are leading some businesses to hold off installing software patches, fearing the cure may be worse than the original problem.
Dell EMC Protection Suite vulnerabilities identified and quickly fixed (Computing) Digital Defense flagged the weaknesses up to Dell EMC
Cyber Trends
More industrial companies facing targeted cyber attacks: Kaspersky (Arabian Industry) A Kaspersky survey showed that the fastest growing type of threat among industrial organizations in 2017 was targeted attacks
'Swarm' cyber attacks, crypto-currency stealing malware predicted for 2018 (The Sydney Morning Herald) New attacks will utilise AI to form massive 'hive-nets' that can communicate with each other and execute hard-to-detect heists across the web.
Hackers adopt ‘school of fish’ approach as they sharpen focus on mid-sized businesses (eSentire Managed Detection and Response) Rudimentary attacks, like information gathering, reputation blocks, fraud, and brute force attacks, increased by 71%...
Healthcare breaches involving ransomware increase year-over-year (Help Net Security) Stats don't lie: healthcare breaches involving ransomware are on the rise. This is the beginning of a trend that will increase very substantially in 2018 and 2019.
Marketplace
New ways to bet on bitcoin? (Seeking Alpha) The SEC has received a request to allow five bitcoin-related ETFs to be listed on Arca, a secondary marketplace on the NYSE (NYSE:ICE). The instruments, created by Direxion Asset Management, are not ti
The changing face of cyber insurance (Intelligent Insurer) It’s time for insurers to wake up to the reality of their role in protecting companies from the fallout from cyber attacks, says Dan Trueman, the global head of cyber at AXIS Insurance.
Cyber Insurance Gets a Boost with Cyber Risk Benchmarking Model (CPO Magazine) AIG releases new cyber risk benchmarking model to quantify and score cyber maturity of clients, boosting cyber insurance and promoting metrics useful for the industry to evaluate the risks that organizations face in terms of cyber security.
UK’s big companies rush to take action on cyber threats (Financial Times) Bellwether survey finds FTSE 350 fears on rise over exposure to digital attacks
Cyxtera To Acquire Immunity Inc. (PRNewswire) Cyxtera Technologies, the secure infrastructure company, today announced it has...
Richmond-based machine learning technology firm Notch acquired by Capital One (Richmond Times-Dispatch) Notch, a technology consulting company founded in Richmond in 2014 that specialized in data engineering and machine learning, has been acquired by Capital One Financial Corp.
PolySwarm announces decentralized security marketplace at CoinAgenda (Bankless Times) PolySwarm today announced the first decentralized IT marketplace allowing security experts to build anti-malware engines that compete to protect consumers.
Anti-Virus Token? Polyswarm Seeks Safer Internet With ICO (CoinDesk) PolySwarm will be running an initial coin offering for the purpose of enlisting security researchers across the globe in creating a safer internet.
FHOOSH Announces Cybersecurity Strategic Alliance with Verizon (PRNewswire) FHOOSH™, a high-speed cybersecurity leader, announced it has formed a...
Intel Faces Scrutiny as Questions Swirl Over Chip Security (New York Times) Intel and its chief executive, Brian Krzanich, are in the hot seat over Meltdown and Spectre, two chip security issues that were disclosed last week.
Don’t Blame Intel for the Failures of Computer Security (Barron's) New approaches are necessary to get ahead of malicious hackers. And why you shouldn’t try to trade the Consumer Electronics Show.
IBM, Comcast Ventures back fund for blockchain business startups (The Times of India) Venture Capital News: The startup accelerator, called MState, plans to invest $25,000 to $50,000 apiece in five or six companies over the next six months
The End of WhoIs as We Know it (Galkin Law) Compliance with the GDPR requirements is going to limit access to WHOIS data.
Clarksons says full-year results to meet expectations despite cyber attack (Proactiveinvestors UK) Clarkson Group (LON:CKN) - Clarksons was the victim of a hack last year but said it would not affect its ability to do business
JPMorgan doesn’t trust YouTube to keep its ads out of sketchy channels (Naked Security) Following ads appearing next to hate-filled/extremist content, the bank says it’s not relying on Google to protect its brand.
Google makes millions from plight of addicts (Times) Google has been profiting from a practice banned in America in which brokers secretly reap millions of pounds from vulnerable people seeking treatment for addictive diseases in the UK. An...
Scramble, Cycle, Repeat: Polyverse’s Fascinating Take on Computer Security (Barron's) For years now, researchers have sought to make a security approach called “moving target defense" a practical technology, though there have been many obstacles.
Indonesia's new cybersecurity agency looks to recruit staff of hundreds (The Straits Times) Indonesia's recently established cyber security agency will recruit hundreds of personnel in the coming months, its chief said on Friday (Jan 5).
Products, Services, and Solutions
Dashlane’s “Project Mirror” will kill the password by managing your passwords (Android Authority) Today, Dashlane announced 'Project Mirror' and its intent to kill the password in 2018. That's a bold claim that their press release doesn't seem to back up. Passwords aren't the best, but they are here to stay.
Technologies, Techniques, and Standards
Four misconceptions around compensating controls (Help Net Security) This article from PCI Pal contains the top four misconceptions around the use of compensating controls to adhere to PCI DSS.
Embracing Artificial Intelligence at Your Law Firm (Legal Tech News) These three keys can go a long way towards helping introduce artificial intelligence at your law firm.
Design and Innovation
Forget Face ID. The Future of Secure Authentication Is Your Voice (Fortune) Call it the gift of gab.
How Blockchain Will Protect Driverless Cars (Overstock Garage) Have you ever taken a ride in a self-driving car? You will. The industry shift towards autonomous vehicles is gaining so much momentum that you might even own one eventually.
Research and Development
The quantum computing apocalypse is imminent (TechCrunch) According to experts, quantum computers will be able to create breakthroughs in many of the most complicated data processing problems, leading to the..
Academia
Plugging Singapore’s cyber security skills gap (Computer Weekly) Some 20 teams of cyber security industry professionals and tertiary students in Singapore pitted their skills against one another in a competition aimed at plugging the cyber security skills gap in the city-state.
Whizz kids could one day save you from a cyber attack (Māori Television) A group of Auckland youngsters are learning skills that could make them our new wave of crime fighters - but not the ones you'd find on the street.
Legislation, Policy, and Regulation
Wassenaar Export Controls on Surveillance Tools: New Exemptions for Vulnerability Research (Lawfare) The newest changes to an international export control regime exempt cybersecurity research and information sharing from surveillance software export license requirements. Will the revisions satisfy the security industry?
Erdogan takes total control of Turkish defense industry (Al-Monitor) With yet another emergency status decree, Turkey's president makes himself top gun of the country's entire defense industry.
Why the UAE is well-positioned to fend off cyber attacks (Khaleej Times) Nation's cyber-security legislation a big positive
Summary: U.K. Intelligence and Security Committee Annual Report (Lawfare) Everything you need to know from the U.K. Parliament’s Intelligence and Security Committee annual report.
Agency Transformed, NSA Chief Rogers Set for Spring Departure (The Cipher Brief) The Cipher Brief spoke with its former NSA and cyber experts on their reactions to the news that NSA and Cyber Command chief Adm. Michael Rogers would be retiring in the spring. In his four years in the post, Rogers presided over a controversial reorganization of NSA that some hailed as rendering the top code-breaking agency
Donald Trump must cut intelligence spending, which tops government revenues of 189 countries (The Washington Times) There were 17 separate agencies and bureaus doing intelligence gathering, analysis, field ops of one kind or another, civilian and military at the time. There still are. To the inexpert mind, half that number might seem excessive.
US Gov Outlines Steps to Fight Botnets, Automated Threats (Dark Reading) The US Departments of Commerce and Homeland Security identify the challenges of, and potential actions against, automated cyberattacks.
DHS Election Unit Has No Plans for Probing Voter Fraud: Sources (Reuters via US News and World Report) The U.S. Department of Homeland Security's election security unit has no immediate plans to probe allegations of electoral fraud, despite President Donald Trump's announcement this week he was giving the issue to the agency, according to administration officials.
How 30-day prototyping could solve the Army’s cyber-buying woes (Fifth Domain) A new Army strategy for cyber-specific acquisition zeroes in on rapid prototyping.
Litigation, Investigation, and Law Enforcement
Reporter who revealed that India's biometric identity database was busted to facing police investigation (Computing) Indian journalist targeted by government for revealing national identity database's insecurity
Intel hit with multiple lawsuits over Meltdown, Spectre bugs (CRN Australia) Three class actions as chipmaker grapples with fallout.
Equifax Says It Will Hand Over NY Data Breach Info (New York Law Journal) A spokeswoman for Atlanta-based credit reporting agency Equifax said the company would comply with a demand by Secretary of State Rossana Rosado for information on a July data breach that was made public in September. The demand was made under emergency regulations issued by New York state in December.
Marcus Hutchins was coerced into admitting to cyber charges, his lawyers claim (Computing) Hutchins sleep-deprived and intoxicated at the time of his arrest, claim his lawyers
.NL leads the way in the fight against malicious online activity (Lexology) Malicious activities are an ongoing problem across the Internet and growth is increasing as a result of ever more sophisticated phishing attacks. One…
For Doing His Job, the Left Tortures FCC Chairman Ajit Pai and His Family (Commentary Magazine) There is nothing that justifies how the left has persecuted and harassed FCC Chairman Ajit Pai and his family, especially not opposition to net neutrality.
GOP senators request criminal investigation of Trump dossier author (TheHill) Sens. Chuck Grassley and Lindsey Graham sent a criminal referral to the Justice Department.
Byron York: What the Trump dossier criminal referral means (Washington Examiner) Here is what appears to be going on behind Sens. Chuck Grassley and Lindsey Graham's letter to the Justice Department about Christopher Stee...
Federal Judge Deals HUGE Blow To Fusion GPS In Bank Records Battle (The Daily Caller) A federal judge has ruled against Fusion GPS in the Trump dossier firm's quest to block the release of its bank records to the House Intelligence Committee. Judge Richard Leon shot down all four of
DOJ prepares new probe of Clinton’s email server (New York Post) The Trump administration is launching another probe into Hillary Clinton’s use of a private email server when she was secretary of state, a new report said Thursday. Attorney General Jeff Sessions …
At Least 18 Classified Emails Discovered On Anthony Weiner’s Laptop (Law and Crime) At least 18 classified emails have been found on Anthony Weiner’s laptop, according to a review of 798 documents recently released by the State Department.
FBI launches new Clinton Foundation investigation (TheHill) The Justice Department has launched a new inquiry into whether the Clinton Foundation engaged in any pay-to-play politics or other illegal activities while Hillary Clinton served as secretary of State, law enforcement officials and a witness tells
Here's Why There May Be No More Free Passes For The Clinton Foundation (LifeZette) A new Department of Justice probe of the email and charity fraud scandals won't end well for Bill or Hillary