Cyber Attacks, Threats, and Vulnerabilities
Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran (Yahoo News - Latest News & Headlines) For years, an enduring mystery has surrounded the Stuxnet virus attack that targeted Iran’s nuclear program: How did the U.S. and Israel get their malware onto computer systems at the highly secured uranium-enrichment plant?
Stuxnet virus attack details emerge as Israel eases cyber weapons sale restrictions (RT International) The Stuxnet virus that decimated Iran’s nuclear program was introduced by a Dutch mole working with the CIA and Mossad, intelligence sources claimed, as Israel is shopping its cyber weapons to anyone with cash to buy.
iPhone Hackers Caught By Google Also Targeted Android And Microsoft Windows, Say Sources (Forbes) The unprecedented attack on Apple iPhones last week was broader than first thought. There could be many more victims using Microsoft software too.
Chinese authorities behind two-year old iOS hack - and Android and Windows also compromised (Computing) Apple iOS compromise widespread in Xinjiang also affected Android and Windows PCs - but Google's Project Zero did not disclose these findings
Sources say China used iPhone hacks to target Uyghur Muslims (TechCrunch) A number of malicious websites used to hack into iPhones over a two-year period were targeting Uyghur Muslims, TechCrunch has learned. Sources familiar with the matter said the websites were part of a state-backed attack — likely China — designed to target the Uyghur community in the country’…
Hong Kong Protester Forum Says Some DDoS Attacks Came From China (Bloomberg) An online service used by Hong Kong demonstrators said a large digital attack that knocked out its servers briefly over the weekend was unprecedented and originated in some cases from websites in China.
Supermicro Bug Could Let "Virtual USBs" Take Over Corporate Servers (Wired) A newly disclosed vulnerability in Supermicro hardware brings the threat of malicious USBs to corporate servers.
‘USBAnywhere’ Bugs Open Supermicro Servers to Remote Attackers (Threatpost) Trivial-to-exploit authentication flaws can give an unsophisticated remote attacker 'omnipotent' control over a server and its contents.
Coin-mining malware jumps from Arm IoT gear to Intel servers (Register) Cryptocurrency crooks look to siphon cycles from enterprise kit
Astaroth Trojan Uses Cloudflare Workers to Bypass AV Software (BleepingComputer) A new malicious campaign is actively distributing a new Astaroth Trojan variant by abusing the Cloudflare Workers serverless computing platform to avoid detection and block automated analysis attempts.
Android RAT Exclusively Targets Brazil (Infosec Island) A newly discovered Android remote access Trojan (RAT) is specifically targeting users in Brazil, Kaspersky reports.
Report: Flight Booking Platform Exposes Customer Data (vpnMentor) Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s team recently discovered a huge data breach in flight booking website Option Way. ...
Foxit Software Breach Exposes Account Data (BankInfo Security) Foxit Software, the developer of popular PDF and document software, says user accounts were compromised in a breach. The company, which has 560 million users, isn't
Meet Retadup botnet that was infected by another malware (HackRead)
Bluekeep - a sword of Damocles as three exploits detailed and more expected (SC Magazine) Security researchers detail three ways to insert data into kernel using Bluekeep and suggest that further exploitation methods are likely to be developed.
TrickBot Bypasses Secure Email Gateway Using Google Docs Phishing (CSIRT-CY) The Google Docs online word processor is being used by attackers to disseminate TrickBot banking Trojan payloads to unsuspecting victims via executables camouflaged as PDF documents.
Phishers are Angling for Your Cloud Providers (KrebsOnSecurity) Many companies are now outsourcing their marketing efforts to cloud-based Customer Relationship Management (CRM) providers.
Hiding in Plain Text: Jenkins Plugin Vulnerabilities (TrendLabs Security Intelligence Blog) On this blog, we will discuss information exposure vulnerabilities that affect certain Jenkins plugins using plain-text-stored credentials.
Vulnerabilities in WordPress Plugins allow hackers to create rogue admin accounts (SC Magazine) Several WordPress plugins could be used by hackers to create administrator accounts on unpatched websites.
FIN6 APT targeting individuals via LinkedIn in a bid to get web skimmers onto e-commerce sites | Computing (http://www.computing.co.uk) IBM X-Force warns of new spear-phishing attacks by APT it has tracked since 2015
Fraudsters Used AI to Mimic CEO’s Voice in Unusual Cybercrime Case (Wall Street Journal) Criminals used artificial intelligence-based software to impersonate a chief executive’s voice and demand a fraudulent transfer of funds in March in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking.
Twitter Says CEO Jack Dorsey’s Twitter Account Was Compromised (Wall Street Journal) Several erratic tweets, including racist and anti-Semitic slurs, were posted from the account of Twitter Chief Executive Jack Dorsey, a high-profile security misstep at the social-media company.
Twitter CEO Jack Dorsey’s account was hacked (The Verge) Update: Twitter has now explained how the hack occurred
Viral Chinese face-swap app Zao triggers privacy fears (The Telegraph) A viral Chinese app which lets users swap their faces with celebrities in video clips has come under fire over claims its privacy policy had put millions of people's data at risk.
Chinese deepfake app Zao sparks privacy row after going viral (the Guardian) Critics say face-swap app could spread misinformation on a massive scale
Report: Church Website Builder Leaves Clergy & Volunteer Data Vulnerable (Website Planet) Severity: High. Type: ElasticSearch Database. Size: 300mb accounting for 65,800
Report: Aliznet Data Breach Exposes Data for Millions of Canadian Customers (vpnMentor) vpnMentor’s research team has discovered a data breach related to Aliznet, a French consulting company in the retail sector. The company provides ...
Western Colorado school district says database was hacked but damage was limited (Denver Post) The Roaring Fork School District says hackers breached a database of special education students and teachers but didn’t obtain any social security numbers or financial information.
Board passes motion to allow Wolcott superintendent to pay ransom after cyber attack (WGNO) A cyber-attack compromised data from Wolcott Public Schools and now hackers are demanding a ransom.
Temple University Health System back online after cyber attack (KYW) A Philadelphia hospital is getting back online after falling victim to a cyber attack. Temple University Health System's computer system was hacked last week, according to officials.
Vulnerability Summary for the Week of August 26, 2019 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Cyber Trends
AI Will Change War, But Not in the Way You Think (War on the Rocks) This article was submitted in response to the call for ideas issued by the co-chairs of the National Security Commission on Artificial Intelligence, Eric
BEC overtakes ransomware and data breaches in cyber-insurance claims (ZDNet) BEC-related cyber-insurance claims accounted for nearly a quarter of all claims in the EMEA region, AIG said.
CISOs forced to use worst-case scenarios to gain board attention (SC Magazine) Companies are suffering from security data overload, and a lack of agreed meaningful metrics with CISOs being forced to use worst-case scenarios to gain board attention according to a new report
Cyber security and the cloud (Nominet) Enterprise security leaders have their say
Fileless Malware Detections Soar 265% (Infosecurity Magazine) Trend Micro mid-year report warns of growing efforts to keep attacks hidden
Social media apps worsen internal risks to enterprises (SC Magazine) Many organisations list social media apps as the largest IT security threat
These US cities rank higher for tech security than personal safety (CNBC) The U.S. is home to some of the most digitally secure cities in the world, yet it lags behind in other important safety measures, a new study has found.
Bletchley Park veterans urged to share their secrets with world (Times) Winston Churchill called them his special hens, “who laid so well without clucking”, and for decades they kept silent about what they did during the war. Now, with the youngest hen aged well into...
Marketplace
Years in the making: Carbon Black is the capstone for VMware's security business strategy (SiliconANGLE) Don’t look now, but VMware Inc. has built a significant cybersecurity practice.
Huawei hasn’t given up on Australia as it plugs 6G smarts (Telecoms.com) Even though Australia blindly followed the US down the Huawei-accusation rabbit hole, the Chinese vendor hasn’t given up on the country, using the 6G carrot to tempt the Aussies back into the fray.
Booz Allen Awarded $90M DIA Intelligence Support Services Contract (ClearanceJobs)
DIA chooses 16 firms for massive $17.1 billion military intelligence support contract (Military Embedded Systems) The Defense Intelligence Agency (DIA) has awarded spots to 16 companies on a potential 10-year, $17.1 billion contract to provide military intelligence support for national-security policymakers, defense planners, and warfighters in the field.
Apple’s China conundrum: iPhone maker faces a difficult decision over how to treat Beijing as tariffs bite (The Telegraph) Apple’s Mac Pro, a supercharged high-end computer designed for professional filmmakers and graphics designers, is not one of the tech giant’s more important products.
Products, Services, and Solutions
Data protection analysis: Privacy Status Evaluation (unn | UNITED NEWS NETWORK GmbH) PSE (Privacy Status Evaluation) is a web-based tool by IITR Cert GmbH and was developed for companies to analyze their data protection status
Technologies, Techniques, and Standards
Hong Kong Protestors Using Mesh Messaging App China Can't Block: Usage Up 3685% (Forbes) Mesh networking: how you communicate when China censors the internet.
Why Focusing on Threat Hunting May Leave you Vulnerable (Infosecurity Magazine) Uncovering poorly managed security solutions is a useful byproduct of threat hunting
5 signs your security culture is toxic (and 5 ways to fix it) (CSO Online) Here's how to get the security culture you want if you see these warning signs in your organization.
7 Questions to Ask Your Child’s School About Cybersecurity Protocols (McAfee Blogs) Just a few weeks into the school year and already school cybersecurity is a hot topic. With a number of fraud and ransomware cases making headlines, should you be concerned about your child's data being compromised at school? You may want to ask school leaders these questions.
Nine in 10 parents have not installed cybersecurity on child’s digital device (Education Technology) Children are more vulnerable to cybercriminals because of their personal digital devices, cybersecurity experts have warned. A survey by security firm Kaspersky found that only 13% of parents have installed online security software to the phone, laptop or tablet used by the child. The survey also found that 87% of parents don’t limit the amount …
Design and Innovation
Identity and Authentication Seek a New Paradigm (SIGNAL Magazine) The secret word is out and crypto is in. Passwords are being abandoned in favor of a range of new methods that are more secure and, in some cases, more user friendly.
The quest to create a world without likes, retweets and follower counts (The Telegraph) Imagine social media without any numbers.
Research and Development
DARPA launches Semantic Forensics project to identify fake news and online disinformation (Computing) Algorithms developed under DARPA's SemaFor project will be able to scan more than 500,000 stories, videos, images and audio files to identify fakes
Academia
Sunway University is the First University in Malaysia and the Region to Set Up a Security Operations Center Lab Powered by RSA Security (PR Newswire) With the enormous growth of e-commerce and readily digitally available data online, accuracy in...
Legislation, Policy, and Regulation
US and Poland sign agreement to cooperate on 5G technology (AP NEWS) The U.S. and Poland signed an agreement Monday to cooperate on new 5G technology as concerns grow about Chinese telecommunications giant Huawei. Vice President Mike...
U.S. and Poland Ink 5G Security Agreement Amid Anti-Huawei Campaign (Bloomberg) Pence signs agreement with Polish prime minister during visit. Trump administration struggling to get Europeans to join ban.
US and Poland sign 5G security agreement amid anti-Huawei campaign (South China Morning Post) US Vice-President Mike Pence and Poland’s Prime Minister Mateusz Morawiecki signed the deal on Monday.
Brazilian citizen data under threat with sale of national tech firms (ZDNet) A manifesto released by the employees at one of the state-controlled firms to be privatized by the government raises concerns over the future of information belonging to millions of citizens.
Insulting Putin May Now Land You in Jail Under a New Russian Law (Bloomberg) President signs laws against ‘fake news,’ disrespect of state. Offenders face fines, possible prison term under crackdown.
Angry Nationalists Don’t Sell China’s Message (Foreign Policy) Targeting Hong Kongers instead of persuading them is a dangerous course.
U.S. Unleashes Military to Fight Fake News, Disinformation (Bloomberg) Pentagon research to sift 250,000 news items in initial phase. Fears grow about viral political memes polarizing society.
Senators on Protecting Kids' Privacy: 'It's Complicated' (Wired) Even conservative lawmakers say they're open to more regulation when it comes to tech companies and children online. So where is it?
Key Republican lawmaker introduces legislation to defend state, local governments against cyberattacks (TheHill) Rep. John Katko (R-N.Y.) introduced legislation Friday designed to help state and local governments defend against cyberattacks on the heels of debilitating ransomware attacks across the country.
Analysis | The Cybersecurity 202: DNC move against phone-in caucuses pits cybersecurity vs. voter participation (Washington Post) 2020 candidates say the move could alienate voters and help a Trump victory
Litigation, Investigation, and Law Enforcement
North Korea denies it amassed $2 billion through cyberattacks on banks (Reuters) North Korea denied on Sunday allegations that it had obtained $2 billion through...
What the Jetflicks and iStreamItAll Takedowns Mean for Piracy (Wired) In a sweeping indictment, the feds came down hard on two unauthorized streaming services that allegedly crossed a very important line.
Google to Pay Millions in Fines Over Children’s Privacy Issues at YouTube (Wall Street Journal) The Federal Trade Commission has approved a settlement with YouTube over children’s privacy issues that imposes a fine of around $150 million to $200 million, people familiar with the matter said.
Google to pay up to $200M to settle FTC YouTube investigation (POLITICO) The FTC voted 3-2 along party lines to approve the settlement
Capital One cryptojacking suspect indicted (Naked Security) The former software engineer allegedly created scanners to look for misconfigured servers rented from a cloud computing company.
Darktrace boss will not appear as key witness for Mike Lynch in $5bn 'trial of the century' (The Telegraph) The chief executive of cyber security start-up Darktrace will not give evidence at the multi-billion "trial of the century" between US technology firm HP and the former chief executive of Autonomy, according to HP's lawyer.
Don’t turn this whistleblower into a saint (Times) A new heroine of the people has burst into celluloid existence as a fresh focus for cosily predictable outrage. Katharine Gun was a GCHQ translator who, in 2003, leaked classified information about...