Cyber Attacks, Threats, and Vulnerabilities
US military carried out secret cyberstrike on Iran to prevent it from interfering with shipping, officials say (Stars and Stripes) American military cyber forces in June knocked out a crucial database used by Iran's elite paramilitary force to target oil tankers and shipping traffic in the Persian Gulf hours after that force shot down an unmanned U.S. surveillance drone, according to U.S. officials.
Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years (Vice) It may be the biggest attack against iPhone users yet.
Mysterious iOS Attack Changes Everything We Know About iPhone Hacking (Wired) For two years, a handful of websites have indiscriminately hacked thousands of iPhones.
‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information (TrendLabs Security Intelligence Blog) We uncovered a campaign named Heatstroke whose phishing attacks use multistage techniques to steal PayPal and credit card information.
Botnet targets set-top boxes using Android OS (Naked Security) Production systems aren’t supposed to have the ADB turned on, but some set-top boxes do.
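What "ADB turned on" looks like on the wire, and how to tell a daemon that accepts anyone from one that at least demands key authentication: the Python below is an added example, not code from the page or from the Naked Security article. The message layout follows the public ADB transport protocol; the sample replies, the device properties in them and the `probe`/`classify_reply` names are constructed for illustration.

```python
import socket
import struct
from typing import Optional, Tuple

# ADB transport constants (public AOSP protocol description).
A_CNXN = 0x4E584E43        # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541        # b"AUTH"
ADB_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_len, data_check, magic


def build_message(command: int, arg0: int, arg1: int, data: bytes) -> bytes:
    """Serialise one ADB message: 24-byte header followed by the payload."""
    checksum = sum(data) & 0xFFFFFFFF        # legacy checksum; newer daemons ignore it
    magic = command ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(data), checksum, magic) + data


def parse_header(raw: bytes) -> Optional[Tuple[int, int, int, int, int, int]]:
    """Return the six header fields, or None if this is not an ADB message."""
    if len(raw) < HEADER.size:
        return None
    fields = HEADER.unpack_from(raw)
    if fields[5] != (fields[0] ^ 0xFFFFFFFF):   # magic must be the command's complement
        return None
    return fields


def classify_reply(raw: bytes) -> str:
    """Interpret the first message a daemon sends back after our CNXN."""
    hdr = parse_header(raw)
    if hdr is None:
        return "not-adb"
    command = hdr[0]
    if command == A_CNXN:
        return "open"            # handshake completed with no authentication at all
    if command == A_AUTH:
        return "auth-required"   # daemon wants an RSA-signed token before talking
    return "other"


def device_banner(raw: bytes) -> str:
    """Extract the 'device::prop=value;...' identity string from a CNXN reply."""
    hdr = parse_header(raw)
    if hdr is None or hdr[0] != A_CNXN:
        return ""
    data_len = hdr[3]
    payload = raw[HEADER.size:HEADER.size + data_len]
    return payload.rstrip(b"\x00").decode("utf-8", "replace")


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> Tuple[str, str]:
    """Open the ADB TCP port on a host, send CNXN and classify the daemon's answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_message(A_CNXN, ADB_VERSION, MAX_PAYLOAD, b"host::\x00"))
        reply = s.recv(MAX_PAYLOAD + HEADER.size)
    return classify_reply(reply), device_banner(reply)


# Constructed sample replies for an offline run (not captures from real devices).
SAMPLE_OPEN_REPLY = build_message(
    A_CNXN, ADB_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=settopbox;ro.product.model=STB-1;ro.product.device=stb;\x00")
SAMPLE_AUTH_REPLY = build_message(A_AUTH, 1, 0, b"\x00" * 20)   # arg0=1 is ADB_AUTH_TOKEN
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    samples = [("open", SAMPLE_OPEN_REPLY), ("auth", SAMPLE_AUTH_REPLY), ("http", SAMPLE_HTTP_REPLY)]
    for label, reply in samples:
        print(label, classify_reply(reply), device_banner(reply))
```

An "open" result means the box accepted the connection without a key exchange, which is the state the botnet exploits; "auth-required" still means ADB is listening on the network and should be turned off. Run `probe` only against address ranges you are authorised to scan.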
TimThumb Attacks: The Scale of Legacy Malware Infections (Sucuri Blog) Our senior researcher describes the scope and impact of the TimThumb vulnerability and how it led to remote code execution and backdoors on compromised websites.
This Spreadsheet of ‘The Worst 25 Passwords’ Is Actually Malware (Vice) Hackers are getting meta.
Phishing Campaign Hides Malware in Resumes (Infosecurity Magazine) Cyber-criminals pose as job seekers to deliver Quasar RAT.
Popular CamScanner app for Android infected with nasty malware (HackRead) CamScanner app has been deleted by Google from Play Store.
More_eggs, Anyone? Threat Actor ITG08 Strikes Again (Security Intelligence) X-Force IRIS observed ITG08, which has historically targeted POS machines in the retail and hospitality sectors, injecting malicious code into online checkout pages to steal payment card data.
Ransomware Bites Dental Data Backup Firm (KrebsOnSecurity) PerCSoft, a Wisconsin-based company that manages a remote data backup service relied upon by hundreds of dental offices across the country, is struggling to restore access to client systems after falling victim to a ransomware attack.
Hundreds of dental offices crippled by ransomware attack (CNN) A ransomware attack has crippled an estimated 400 dental practices across the US.
IntSights Exposes Top Dark Web Marketplace Selling Digital Browser Identities as the Latest Hot Commodity (PR Newswire) IntSights, the threat intelligence company focused on enabling enterprises to Defend Forward™, announced today the...
Change Healthcare McKesson and Horizon Cardiology (CISA) Executive summary: CVSS v3 7.8; attention: low skill level to exploit; vendor: Change Healthcare; equipment: Change Healthcare Cardiology, Horizon Cardiology, McKesson Cardiology; vulnerability: Incorrect Default Permissions.
Philips HDI 4000 Ultrasound (CISA) Executive summary: CVSS v3 3.0; attention: public exploits are available/exploitable from within the same local subnet; equipment: HDI 4000 Ultrasound Systems; vulnerability: Use of Obsolete Function. Risk evaluation: successful exploitation of this vulnerability could lead to exposure of ultrasound images (breaches of confidentiality) and compromised image integrity.
Facebook Admits 'Technical Error' In Messenger Kids App Connected Children With Strangers (Forbes) Facebook acknowledged on Thursday in a letter to two Democratic senators that a design flaw in its Messenger Kids app allowed users under the age of 13 to participate in group chats with strangers without their parents' permission, essentially letting those kids sidestep one of the core security fe...
Starbucks Abandons Azure Site, Exposed Subdomain to Hijacking (BleepingComputer) An oversight from Starbucks exposed one of its subdomains to takeover threat, which could be further leveraged in attacks against customers and the company.
Starbucks disclosed on HackerOne: Subdomain takeover on svcgatewayus[dot]starbucks[dot]com (HackerOne) Subdomain takeover possible on one of Starbucks's subdomain. The subdomain pointed to Microsoft Azure Cloud App which was no longer registered under Azure.
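The precondition the HackerOne report describes, a CNAME that still points at a cloud host nobody owns any more, can be audited from DNS alone before an attacker registers the name. The Python below is an added example, not code from the page, from Starbucks or from HackerOne; the provider suffix list, the example.com zone snapshot and the `check_name`/`audit` names are assumptions constructed for illustration.

```python
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Assumption: illustrative provider suffixes where an unclaimed host name can
# usually be re-registered by any tenant. Extend it for the providers you use.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.net", ".cloudapp.azure.com",
    ".trafficmanager.net", ".blob.core.windows.net",
    ".s3.amazonaws.com", ".herokuapp.com", ".github.io",
)


@dataclass(frozen=True)
class Finding:
    name: str
    target: Optional[str]
    status: str  # "no-cname" | "unlisted" | "ok" | "dangling"


def is_takeover_prone(target: str) -> bool:
    """True when the CNAME target lives under a re-registrable provider suffix."""
    t = target.rstrip(".").lower()
    return any(t.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def check_name(name: str,
               lookup_cname: Callable[[str], Optional[str]],
               resolves: Callable[[str], bool]) -> Finding:
    """Classify one host; the two callables abstract DNS so the logic runs offline."""
    target = lookup_cname(name)
    if target is None:
        return Finding(name, None, "no-cname")
    if not is_takeover_prone(target):
        return Finding(name, target, "unlisted")
    # A listed provider target that no longer resolves is the takeover precondition.
    return Finding(name, target, "ok" if resolves(target) else "dangling")


def audit(names: Iterable[str],
          cnames: Dict[str, str],
          resolvable: Iterable[str]) -> Dict[str, Finding]:
    """Run check_name over an in-memory zone snapshot (CNAME map + set of live targets)."""
    live = {t.rstrip(".").lower() for t in resolvable}
    return {
        n: check_name(n, cnames.get, lambda t: t.rstrip(".").lower() in live)
        for n in names
    }


# Live lookups through the dig CLI (BIND tools); swap these in for real zones.

def dig_cname(name: str) -> Optional[str]:
    out = subprocess.run(["dig", "+short", "-t", "CNAME", name],
                         capture_output=True, text=True, check=False).stdout.strip()
    return out.splitlines()[0] if out else None


def dig_resolves(target: str) -> bool:
    # Any answer counts as live; NXDOMAIN (empty +short output) does not.
    out = subprocess.run(["dig", "+short", target],
                         capture_output=True, text=True, check=False).stdout.strip()
    return bool(out)


# Constructed sample zone for an offline run (not real Starbucks DNS data).
SAMPLE_CNAMES: Dict[str, str] = {
    "svcgateway.example.com": "svcgateway-prod.cloudapp.net",   # app deleted, record kept
    "api.example.com":        "api-prod.azurewebsites.net",     # app still deployed
    "static.example.com":     "d111111abcdef8.cloudfront.net",  # provider not in the list
}
SAMPLE_RESOLVABLE = {"api-prod.azurewebsites.net", "d111111abcdef8.cloudfront.net"}

if __name__ == "__main__":
    names = list(SAMPLE_CNAMES) + ["mail.example.com"]
    for finding in audit(names, SAMPLE_CNAMES, SAMPLE_RESOLVABLE).values():
        print(f"{finding.status:9} {finding.name} -> {finding.target}")
```

For a real zone, call `check_name(name, dig_cname, dig_resolves)` over an export of your records. A "dangling" result is only the lead: confirm that the provider actually lets a new tenant claim that exact host name, then delete the record or re-deploy the resource under it rather than leaving the CNAME in place.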
Most Ransomware Attacks Target Government Networks (MSSP Alert) Nearly 70 percent of ransomware attacks this year targeted U.S. state, local and county governments, Barracuda Networks research finds.
Dime-a-dozen ransomware attacks could mess with elections (Axios) The attacks are commonplace, but that doesn't mean election systems will be able to avoid them.
Montana schools still vulnerable to cyber attacks, experts warn (Fairfield Sun Times) It's easy to assume that a quiet school in rural Montana won't be the target of a cyber attack. That assumption is also wrong.
A week after cyberattack, Regis University makes some progress to restore normalcy (The Denver Post) A week after a “malicious threat” likely from outside the country downed internet technology systems at Regis University, the community at the private, religious college can finally beg…
Security Patches, Mitigations, and Software Updates
Apple Updates Privacy Policies After Siri Audio Recording Faux Pas (Threatpost) Apple's "grading" process, which listens to Siri voice recordings, will now be in-house and has an option for users to opt out.
Apple to stop storing Siri audio after contractors heard private talks and sex (Ars Technica) Fall 2019 update will disable storage of Siri audio—users can turn it back on.
Cloud Security Boom Creates New Crop of Tech Darlings (Supply Chain Brain) A new generation of cybersecurity companies is creating billions of dollars in market value for investors as businesses increasingly turn to cloud-based products for better protection from sophisticated attacks.
Six Hackers Break Bug Bounty Record, Earning Over $1 Million Each on HackerOne (BusinessWire) HackerOne, the number one hacker-powered pentesting and bug bounty platform, today announced that six individual hackers have earned over one million
Hackers Report First Security Vulnerability to 77% of Customers Within 24 Hours HackerOne Report Reveals (BusinessWire) HackerOne, the number one hacker-powered pentesting and bug bounty platform, today announced findings from its 2019 Hacker-Powered Security Report. Th
How one teenager took out a secure Pentagon file sharing site (C4ISRNET) A vulnerability in the Pentagon's secure file sharing system allowed near unencumbered access to files.
Carbon Black's relationship with VMware started well before acquisition (SiliconANGLE) Familiarity may breed contempt, as the saying goes, but in the case of Carbon Black Inc. and VMware Inc. it bred an opportunity to secure enterprise workloads and lay the groundwork to transform the security industry.
F-Secure joins Broadband Forum to help shape Connected Home security standards (Global Security Mag Online) F-Secure has joined Broadband Forum, the communications industry’s leading organization focused on accelerating broadband innovation, standards, and ecosystem development, to better serve communication service providers and secure its wireless home offerings better in the battle against ever-increasing cyber threats.
Zix: The Mouse That Roared (Seeking Alpha) Zix is a cybersecurity company focused on Email. The company recently acquired AppRiver which is larger and has better metrics. As a result of the acquisition, Zix is left with a small amount of cash and a lot of debt.
Aryaka Names Christiana Khostovan General Counsel and Corporate Secretary (Yahoo) Christiana Khostovan, Former General Counsel and Corporate Secretary for Revel Systems Brings Tremendous Legal and Regulatory Experience to Aryaka
SAIC Announces the Appointment of Two New Board Members (Yahoo) Joining the board are Carol Goode and Yvette Kanouff. Goode will serve on the Human Resources and Compensation Committee and the Nominating and Corporate Governance Committee. Kanouff will serve on the Audit Committee and the Risk Oversight Committee.
Products, Services, and Solutions
Cyxtera Achieves Common Criteria Security Certification for AppGate SDP (BusinessWire) Cyxtera Technologies, today announced that AppGate SDP, the leading SDP solution, has achieved Common Criteria Certification.
Herjavec Group Leverages Google Chronicle for Managed Security Services (MSSP Alert) Herjavec Group leverages Google Chronicle's Backstory & VirusTotal for expanded managed security services capabilities.
StackRox Announces New Capabilities in Its Kubernetes Security Platform to Increase Protection of Kubernetes Applications (StackRox) StackRox announces general availability of version 2.5 of the StackRox Kubernetes Security Platform
Technologies, Techniques, and Standards
What can be done about the rising click interception threat? (Help Net Security) Ad networks' successful efforts to detect bot-based ad click fraud has forced attackers to focus on intercepting and redirecting legitimate users’ clicks.
Design and Innovation
The Pentagon Is Exploring New Ways to Isolate Its Networks (Nextgov.com) Three companies have already received multimillion-dollar contracts to explore new ways to protect the data flowing through the military’s IT systems.
Research and Development
Brisbane scientist cracks secret IRA message from 1920s (The Age) The cryptogram, about the theft of explosives, eluded the world's top code-breakers for decades.
Colleges and Universities at Risk for Cyber-Attacks as School Year Starts (The National Law Review) It's a busy time for colleges and universities as the fall semester starts and campuses are bustling with activity. It's also the perfect time for cyber criminals to create mayhem for inst
As the school year begins, beware of hackers (CNBC) A new report finds that hackers are increasingly targeting the education industry, leaving students' information vulnerable to identity theft and other types of fraud.
Security by Sector: Young Brits Call for Smartphone Policies and Social Media Lessons in Schools (Infosecurity Magazine) Does the education system need new approaches in how it handles technology?
Kaspersky partners with Temasek Polytechnic to offer technical cybersecurity courses to more Singaporeans (The Online Citizen) Earlier this week, Kaspersky signed a three-year agreement with Temasek Polytechnic (TP) to provide cybersecurity courses for corporate practitioners and members of the public in Singapore. The training collaboration agreement was signed on Monday (26 Aug) by Stephan Neumeier, Managing Director for Asia Pacific (APAC) at Kaspersky, and John Leong, Director of the Temasek SkillsFuture …
Legislation, Policy, and Regulation
Hong Kong ISPs Hit Back at Government Censorship Plans (Infosecurity Magazine) Concerns that the territory's Chief Executive will order the blocking of specific apps.
New Rule Takes Effect Barring Contractors From Supplying Huawei, ZTE Equipment to the Feds: What In-House Counsel Need to Know (Corporate Counsel) Contractors can no longer supply telecom or surveillance equipment from certain manufacturers, including Huawei and ZTE Corp., to U.S. federal agencies.
Huawei represents national security risk to US, says analyst (Yahoo) Raymond James Washington policy analyst Ed Mills discusses the probe into Chinese tech giant Huawei and the U.S.-China trade dispute.
Suppressing Huawei beyond US security concerns: expert (Global Times) How is cybersecurity connected with geopolitics? In what way will cyber geopolitics influence a country’s diplomacy? How to establish effective diplomatic mechanism in cyberspace?
U.S. Official Involved in Huawei Dispute Steps Down (Wall Street Journal) A senior Commerce Department official overseeing an office at the center of President Trump’s battle with Chinese telecommunications giant Huawei Technologies is moving to a more junior position.
Intelligence Consolidation Looms for the U.S. Military (SIGNAL Magazine) U.S. intelligence must integrate its assets and procedures to address the challenges of new technologies and malevolent potential adversaries, says the former head of Army intelligence.
DHS sees more cyber outsourcing (Washington Technology) Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency at DHS, said that many federal agencies will be outsourcing cyber to a shared service provider in the future.
Litigation, Investigation, and Law Enforcement
WSJ News Exclusive | U.S. Prosecutors Probe Huawei on New Allegations of Technology Theft (Wall Street Journal) Investigators are looking into episodes in which Huawei was accused of stealing intellectual property from people and companies and how it recruited employees from competitors.
Snake oil or genius? Crown Sterling tells its side of Black Hat controversy (Ars Technica) In an exclusive interview with Ars, execs of controversial crypto company explain everything.
Bulgaria's tax agency fined $3 million over data breach, will appeal (Reuters) Bulgaria's tax agency will appeal a fine of 5.1 million levs ($2.9 million)...
Everything We Know About the Capital One Hacking Case So Far (Wired) A new indictment against alleged Capital One hacker Paige Thompson includes a few fresh details about the case.
Capital One hack shows difficulty of defending against irrational cybercriminals (CSO Online) The motivation of the malicious actor who stole data of more than 100 million people was driven by emotional distress and did not follow traditional hacker patterns.
What the Jetflicks and iStreamItAll Takedowns Mean for Piracy (Wired) In a sweeping indictment, the feds came down hard on two unauthorized streaming services that allegedly crossed a very important line.
Facial Recognition Technology Creates a Fine Mess in Sweden (Infosecurity Magazine) A Swedish municipality may still introduce facial recognition technology in schools despite receiving the country’s first GDPR violation fine for trialing it.
Microsoft may still be violating privacy rules, says Dutch regulator (Naked Security) EU data watchdogs are yet again sniffing at Windows 10.
Big News For Facebook Investors And No One Noticed (Seeking Alpha) ...This week, the First Cartel Senate of the Düsseldorf Higher Regional Court expressed massive doubts about the FCO's reasoning on which it based the restrictions. The Court decided that Facebook does not have to implement the antitrust office's orders for the duration of the appeal proceedings. In its explanatory statement the Düsseldorf Higher Regional Court has raised "serious doubts" as to the legality of the globally respected action against Facebook...
Levandowski’s Fate May Turn on the Meaning of ‘Trade Secret’ (Wired) Former Google and Uber engineer Anthony Levandowski was indicted on charges of stealing trade secrets. But what exactly are those, anyway?
Md. top court upholds child porn charge against teen who texted friends (Maryland Daily Record) Delving into the high school world of sexting, Maryland’s top court ruled Wednesday that a 16-year-old who texted a video of herself engaging in a consensual sexual act with an adult was “involved” in distributing child pornography in violation of Maryland law.