Las Vegas: a last look back at Black Hat and Def Con
Why cyber insurance policies are so 'ridiculously cheap' (SearchSecurity) At Black Hat 2019, experts from the cyber insurance market discussed how it is growing rapidly but expressed concerns about the lack of actuarial data and proper risk assessments behind those ultra-cheap cyber insurance policies.
‘Please break things’: Hackers lay siege to voting systems to spot weaknesses in security (Washington Post) In three years since its inception, Def Con’s Voting Village has become a destination not only for hackers but also lawmakers and members of the intelligence community.
#DEFCON: How the US's CISA Works to Improve Election Security (Infosecurity Magazine) Members of NCATS outlined their mission and their challenges for election security.
Google Hackers Found 10 Ways to Hack an iPhone Without Touching It (Vice) Many of the vulnerabilities relied on using iMessage to own the rest of the phone, Google's Project Zero said.
Carnegie Mellon team flexes hacking prowess with fifth DefCon title in seven years (PR Newswire) Carnegie Mellon University's competitive hacking team, the Plaid Parliament of Pwning (PPP), just won its fifth...
Cyber Attacks, Threats, and Vulnerabilities
UN probing 35 North Korean cyberattacks in 17 countries (AP NEWS) U.N. experts say they are investigating at least 35 instances in 17 countries of North Koreans using cyberattacks to illegally raise money for weapons of mass destruction...
Anomali discovers phishing campaign targeting Chinese government agencies (Help Net Security) Anomali discovered a new phishing attack designed to steal email credentials from targets within the People’s Republic of China government.
Here’s What Foreign Interference Will Look Like in 2020 (Nextgov.com) The incentives for foreign countries to meddle are much greater than in 2016, and the tactics could look dramatically different.
Voting Machine Security: Where We Stand Six Months Before the New Hampshire Primary (Brennan Center for Justice) While there has been substantial progress in securing voting machines since 2016, there is still more to do ahead of 2020.
PsiXBot Continues to Evolve with Updated DNS Infrastructure (Proofpoint) Proofpoint researchers describe an update to PsiXBot.
Vulnerability Summary for the Week of August 5, 2019 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available
Repurposing Mac Malware Not Difficult, Researcher Shows (SecurityWeek) Repurposing Mac malware is not a difficult task for someone with reverse-engineering skills, and it’s a far simpler approach than writing malware from scratch.
Ursnif Malware Campaign Used Multiple Anti-Analysis Tactics (Security Intelligence) Security researchers came across a new Ursnif malware campaign that used multiple anti-analysis techniques to avoid detection.
Gamers Beware: Zero-Day in Steam Client Affects All Windows Users (Threatpost) An elevation-of-privilege bug allows attackers to run any program on a target machine with high privileges.
Beware of Fake Microsoft Account Unusual Sign-in Activity Emails (BleepingComputer) In this article we take a look at a phishing campaign that pretends to be an "Unusual sign-in activity" alertfrom Microsoft that could easily trick someone into clicking on the enclosed link.
Threat Intelligence Bulletin: Evasive Spear Phishing (Glasswall) Glasswall Threat Intelligence Bulletins mine our Threat Intelligence Platform to explore the latest trends in evasive malware that bypasses the various security layers designed to protect an organization. This first part of a two part special Bulletin is a joint effort between Glasswall and Forcepoint, the Raytheon owned military provider of world class gateway security …
Unsafe At Any Speed: Multiple Vulnerabilities Afflict 5G (Breaking Defense) The coming network needed for autonomous vehicles, virtual reality, and the Internet of Things will also bring cybersecurity danger.
Is Shadow IT Really the Perilous Threat It's Made Out to Be? (Infosecurity Magazine) It's difficult for administrators to secure what they don't know exists
Experts: Embedded computers in regular office devices have vulnerabilities (Insurance Business) Caution urged as the embedded device market continues to grow
Outsourcing, Cost Cutting and the Boeing 737 Max Debacle (BlogInfoSec) When we thought that Boeing had come up with ways to mitigate the risks that resulted in two major air crashes, we learn that Boeing has been outsourcing their software development to Indian companies that hired newbie temporary programmers for as little as $9 per hour, as described in a June 28, 2019 article by Peter Robison with the title “Boeing 737 Max software outsourced to $9-an-hour engineers”
We can’t detect a cyber attack that trips a plant, but we immediately identify an outage as not being a cyber attack? (Control Global) It seems premature to immediately rule out an event being cyber-related when you don’t know the cause of the event.
Desjardins spends C$70 million related to data breach (Reuters) Canadian lender Desjardins Group said on Monday it spent C$70 million ($53 milli...
Tangipahoa Parish School System working around cyber attack on first day of school (WAFB) Faculty in Tangipahoa refuse to let a cyberattack ruin students' return to class.
Security Patches, Mitigations, and Software Updates
Tripwire Patch Priority Index for July 2019 (The State of Security) Tripwire's July 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft and Oracle.
Valve updates Steam over escalation of privilege security flaw - but accused of ignoring other vulnerabilities (Computing) Gaping holes still exist in popular Steam app used by more than 90 million PC users every day, warn security researchers
Cyber Trends
Annual Research from WhiteHat Security Says Remediation Rates for App Vulnerabilities Continue to Fall (BusinessWire) WhiteHat Security has released its 2019 Application Security Stats Report,
The Front Line Of Application Security (WhiteHat Security) Using AppSec Statistics to Drive Better Outcomes
We keep falling for phishing emails, and Google just revealed why (Fast Company) Here’s what Google has learned by blocking 100 million phishing attacks on Gmail users—every day.
GUEST ESSAY: Why the next round of cyber attacks could put many SMBs out of business (The Last Watchdog) In the last year, the news media has been full of stories about vicious cyber breaches on municipal governments. From Atlanta to Baltimore to school districts in Louisiana, cyber criminals have launched a wave of ransomware attacks on governments across the country. Related: SMBs struggle to mitigate cyber attacks As city governments struggle to recover […]
Hiscox Cyber Readiness Report 2019 (Hiscox) Our third Hiscox Cyber Readiness Report provides you with an up-to-the-minute picture of the cyber readiness of organisations, as well as a blueprint for best practice in the fight to counter the ever-evolving cyber threat.
Marketplace
Huawei Hires Trade Lobbyists as Sales Slow in US-China Fight (Transport Topics) Huawei Technologies Co. hired the law firm Sidley Austin to lobby on trade as the U.S. pressures allies to join it in blacklisting the Chinese telecom giant and the company finds itself increasingly mired in President Donald Trump’s trade war with Beijing.
Defense Intelligence Agency selects firms for $17B support contract (C4ISRNET) The Defense Intelligence Agency announced Aug. 5 it had selected 16 companies to provide military intelligence in support of the agency’s missions.
TechOperators leads $8.1 mln round for Polarity (PE Hub) Polarity, a memory augmentation platform, has secured $8.1 million in funding. TechOperators led the round with participation from other investors that included Shasta Ventures, Strategic Cyber Ventures and Gula Tech Adventures. In addition to the funding, Tom Noonan and Dan Ingevaldson will join Polarity's board while Ron Gula will come on board as an observer.
ThreatQuotient has banked millions in new funding (Washington Business Journal) ThreatQuotient CEO John Czupak said the company has closed on millions of dollars in new funding.
DHS chooses GrammaTech for software analysis tools for cyber security of critical infrastructure (Military & Aerospace Electronics) The goal of STAMP is to modernize software analysis tools to improve performance and coverage, and provide more accurate analysis of results.
Products, Services, and Solutions
Enveil Teams Recognized for Innovative Secure Data Collaboration Solution at International TechSprint Events (West) Pioneering Data in Use Security Provider Among Winners at FCA Global AML and Financial Crime TechSprint Events in UK and US
Barracuda acquires bot mitigation technology from InfiSecure to expand advanced bot protection capabilities (Barracuda Networks) Barracuda acquires bot mitigation technology from InfiSecure to expand advanced bot protection capabilities. InfiSecure solution provides seamless integration with CDNs, WAFs.
CompTIA Security+ Surpasses 500,000 Certified Milestone (CompTIA) CompTIA provides the media with unbiased insights into the myriad of issues affecting the industry including trends in technology, research, legal issues, public policy, workforce training, and business trends.
Technologies, Techniques, and Standards
Akamai CIO bets on ‘zero-trust’ approach to security (ETCIO.com) Akamai was one of the companies targeted by Aurora in 2010. An enterprise-wide initiative called the zero-trust security model was triggered post the ..
An ICS Cyber Security Storm is Brewing: How to Prevent Staff Burnout (Nozomi Networks) Building cyber resiliency puts a lot of pressure on an organization’s security team. It requires specialized knowledge that takes time to develop, and there just aren’t enough skilled cyber experts to go around. Which begs the question: are the limited number of security experts holding the front lines in danger of burnout – and what can we do about it?
How government agencies can up their cybersecurity game (Fifth Domain) In order to adopt a more robust cybersecurity posture, agencies must amend their current shortcomings by taking three steps.
Academia
MU recognized for cyber defense research (Columbia Missourian) The National Security Agency and the Department of Homeland Security sponsor the program and gave the distinction, which will last until 2024.
Legislation, Policy, and Regulation
Kashmir’s Paramilitary Lockdown Traps Locals (Foreign Policy) Witnesses say travel is nearly impossible and communications have been severed.
UK goes back to square one on Huawei as Johnson promises to re-examine 5G access (Computing) US national security advisor John Bolton claims that the British government is re-thinking its policy on Huawei
Boris Johnson could shift UK policy on Huawei after US warnings (Washington Examiner) British Prime Minister Boris Johnson’s national security team is reviewing the United Kingdom’s posture toward Huawei, a Chinese telecommunications giant that U.S. officials regard as a platform for spy agencies.
Plot Thickens as Huawei Now Linked to Chinese Intelligence and Military (CPO Magazine) Huawei’s dream of becoming a leader in 5G networks remains on hold as new study found many of its employees had prior links to Chinese intelligence and worked in projects eavesdropping on citizens or scooping up valuable data.
Opinion | The Trade War Hits China Where It Hurts (Wall Street Journal) Beijing’s doctored data shows growth has slowed to 6.2%. The actual rate is almost certainly worse.
Analysis | The Cybersecurity 202: Here's the political bind Democrats face when talking about election security (Washington Post) Eric Swalwell worries voters might stay home if they conclude hacking is inevitable.
DHS bug bounty program gets $44M price tag (FedScoop) A Department of Homeland Security bug bounty program, as proposed by legislation being considered in the House, would cost $44 million, according to the Congressional Budget Office. On July 17, the House Committee on Homeland Security requested CBO perform a cost estimate of H.R. 3710, the Cybersecurity Vulnerability Remediation Act, which calls for DHS to …
Pentagon plans to ask for more money for 5G (C4ISRNET) Pentagon leaders expect to set aside new money for 5G technology in the fiscal 2021 budget.
Are States Taking Cybersecurity Seriously Enough? (Governing) Only one has a cabinet-level official dedicated to the issue.
Litigation, Investigation, and Law Enforcement
FBI seeks to monitor Facebook, oversee mass social media data collection (ZDNet) Plans to track social media activity will potentially clash with existing privacy policies.
South Wales Police to Start Facial Recog Trial (Infosecurity Magazine) Force under fire as court case continues
King's Cross developers say facial recognition cameras 'ensure public safety', amid fears private companies are carrying out ID checks (The Telegraph) The developer of a 67-acre site in London’s King's Cross has defended its use of facial recognition technology as campaigners warned that private companies were increasingly conducting secret identity checks on the public.
Fortnite champ Bugha 'swatted' while streaming (ESPN) Kyle "Bugha" Giersdorf, a 16-year-old Pennsylvanian who last month won the $3 million grand prize in the Fortnite World Cup, was "swatted" while livestreaming on Twitch on Saturday night.
Marines should retain officer who sent classified warning to colleagues ahead of an insider attack, new panel finds (Washington Post) The decision marks a victory for Maj. Jason Brezler, who has fought Marine Corps' attempts to discharge him ever since he self-reported that he sent classified information over an unclassified email network to warn Marines of a security threat in Afghanistan.
Cyber attack on police was revenge for conviction at Warrington (Warrington Worldwide) A MAN who launched a cyber-attack on the Cheshire Police Website in retaliation for a conviction at Warrington has been jailed for 16 months.