National Harbor: news from the 2nd Annual National Cybersecurity Summit
NSA’s Neuberger explores pilot project to inform 'security standards' for private sector (Inside Cybersecurity) The National Security Agency is preparing to launch an ambitious pilot project over the next two months to move cyber policy “beyond information sharing,” with extensive input from CISA, according to the NSA official leading the effort.
CISA Chief Calls on Cybersecurity Community to ‘Stop Selling Fear’ (Nextgov) Director Chris Krebs wants government and industry to get a broader community of people involved in the fight against digital threats but not by fearmongering.
Cyber Attacks, Threats, and Vulnerabilities
A persistent group of hackers has been hitting Saudi IT providers, Symantec says (CyberScoop) Over the last 14 months, a determined group of hackers has breached IT companies in Saudi Arabia in a likely attempt to gain access to their customers, security researchers said Wednesday.
DNSSEC fueling new wave of DNS amplification attacks (Help Net Security) DNS amplification attacks swelled in the second quarter of this year, with the amplified attacks spiking more than 1,000% compared with Q2 2018.
Confidential data of 24.3 million patients discovered online (Help Net Security) Greenbone discovers confidential data about 24.3 million patients freely available on the internet – unprotected image servers to blame.
400 Million Medical Radiological Images Exposed on the Internet (BleepingComputer) An analysis of medical image storage systems exposed to the public web reveals that almost 600 servers in 52 countries are completely unprotected against unauthorized access.
Scotiabank slammed for 'muppet-grade security' after internal source code and credentials spill onto open internet (Register) Blueprints for mobile apps, databases exposed in public GitHub repos
Clever New DDoS Attack Gets a Lot of Bang for a Hacker's Buck (Wired) By exploiting the WS-Discovery protocol, a new breed of DDoS attack can get a huge rate of return.
New DDoS Vector Observed in the Wild: WSD attacks hitting 35/Gbps (Akamai) Additional research and support provided by Chad Seaman. Members of Akamai's Security Intelligence Response Team have been investigating a new DDoS vector that leverages a UDP amplification technique known as WS-Discovery (WSD). The situation surrounding WSD was recently made...
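Both the DNSSEC amplification item above and the WS-Discovery item have the same shape on the victim's side: unsolicited UDP replies arriving from many unrelated reflectors, all with the same well-known source port (53 for DNS, 3702 for WSD), and far larger than the spoofed request that provoked them. The script below is an added example, not code from Akamai, Help Net Security or any vendor, showing how to flag that pattern in flow records and how to size a WSD Probe for the request side of an amplification ratio. The flow records, victim and reflector addresses, and the thresholds (three distinct reflectors, 500 bytes per packet) are constructed for illustration; the message layout of the Probe follows the WS-Discovery specification.

```python
"""Flag UDP reflection floods (WS-Discovery on UDP/3702, DNS on UDP/53) in flow records.
Added example; records and thresholds are constructed and are not taken from the reports."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# UDP services that answer small spoofed requests with much larger replies.
REFLECTOR_PORTS = {3702: "wsd", 53: "dns"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    bytes: int      # total bytes in the flow
    packets: int    # total packets in the flow


def wsd_probe(message_id: str = "urn:uuid:00000000-0000-0000-0000-000000000001") -> bytes:
    """The SOAP-over-UDP Probe that WS-Discovery listeners answer on UDP/3702.
    Built here only to measure the request side of the amplification ratio."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"'
        ' xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"'
        ' xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery">'
        '<soap:Header>'
        '<wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To>'
        '<wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</wsa:Action>'
        f'<wsa:MessageID>{message_id}</wsa:MessageID>'
        '</soap:Header><soap:Body><wsd:Probe/></soap:Body></soap:Envelope>'
    ).encode()


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: bytes the reflector emits per byte the attacker sends."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_reflection_victims(flows: Iterable[Flow], min_sources: int = 3,
                            min_bytes_per_packet: int = 500) -> Dict[str, dict]:
    """Return hosts receiving large, unsolicited replies from several reflectors.

    A reply is solicited when the same host sent a request to that reflector and
    port; ordinary DNS answers and local discovery traffic are therefore ignored.
    Thresholds are assumptions for this example, tune them to the network."""
    flows = list(flows)
    solicited: Set[tuple] = set()
    for f in flows:
        if f.proto == "udp" and f.dst_port in REFLECTOR_PORTS:
            solicited.add((f.src_ip, f.dst_ip, f.dst_port))  # (requester, reflector, port)

    per_victim = defaultdict(lambda: {"sources": set(), "services": set(),
                                      "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS or f.packets == 0:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in solicited:
            continue  # a reply to a request the host actually sent
        if f.bytes / f.packets < min_bytes_per_packet:
            continue  # small replies are not carrying amplified payload
        stats = per_victim[f.dst_ip]
        stats["sources"].add(f.src_ip)
        stats["services"].add(REFLECTOR_PORTS[f.src_port])
        stats["bytes"] += f.bytes
        stats["packets"] += f.packets

    return {ip: s for ip, s in per_victim.items() if len(s["sources"]) >= min_sources}


# Constructed sample: three reflectors hammer one victim, plus two benign flows.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 3702, "203.0.113.10", 40001, "udp", 180_000, 90),
    Flow("198.51.100.23", 3702, "203.0.113.10", 40001, "udp", 210_000, 100),
    Flow("192.0.2.77", 3702, "203.0.113.10", 40001, "udp", 150_000, 75),
    # The victim's own DNS query and the (large, but solicited) answer it gets back
    Flow("203.0.113.10", 51515, "192.0.2.53", 53, "udp", 70, 1),
    Flow("192.0.2.53", 53, "203.0.113.10", 51515, "udp", 900, 1),
    # A workstation's normal multicast WS-Discovery probe on the LAN
    Flow("10.0.0.5", 49152, "239.255.255.250", 3702, "udp", 700, 1),
]

if __name__ == "__main__":
    probe = wsd_probe()
    print(f"WSD Probe is {len(probe)} bytes on the wire")
    for victim, stats in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, sorted(stats["sources"]), sorted(stats["services"]),
              stats["bytes"], "bytes")
```

The solicited-reply check is what keeps this from flagging every DNS resolver a host talks to; in a real deployment the request and reply flows would come from the same exporter, and the bytes-per-packet floor should be set from baseline traffic rather than the value assumed here.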
The Massive Propagation of the Smominru Botnet (Guardicore) Read how Guardicore Labs uncovered the scope of the Smominru mining botnet. The attack campaign compromises Windows machines using an EternalBlue exploit and brute-force.
Old Magecart Domains are Being Bought Up for Monetization (RiskIQ) Old Magecart domains are finding new life in subsequent threat campaigns, many of which are entirely unrelated to web skimming.
Broken security - SOHO routers found to have multiple flaws (SC Media) Security researchers have found over 100 flaws in small office/home office (SOHO) routers and network-attached storage devices (NAS).
Common storage and router devices are still hopelessly broken (Naked Security) Don’t be lulled into a false sense of security by that shiny new router or network-attached storage (NAS) device – the chances are that it’s no more secure than its predecessors.
New ransomware strain uses ‘overkill’ encryption to lock down your PC (ZDNet) The new Nemty malware may have ties to GandCrab and Sodinokibi.
Fake Ad Blockers 2: Now with Cookies and Ad Fraud (AdGuard Blog) Here is a story of how we (once again) found some fake ad blockers on Chrome Web Store — now with cookies and ad fraud.
WannaCry – the worm that just won’t die (Naked Security) WannaCry never went away – it just became less obvious.
Malindo Air confirms data breach, exposing records of millions of passengers (South China Morning Post) Information including passport details, home addresses and phone numbers were leaked onto data exchange forums last month.
Public warned not to click Facebook messages, open text messages that contain ’Is This You?’ (WAFB) The Better Business Bureau (BBB) says it’s best that consumers not click messages on social media sites, emails, or text messages that state “Is this you?”
Misconfigured Google Calendars Share Events With the World (BleepingComputer) Thousands of Google users are exposing the contents of their calendars to the public. The information is indexed by search engines and can include email addresses as well as private events from individuals and businesses.
How to protect yourself against web miners (TechRepublic) While using your browser to mine cryptocurrencies for profit, web miners can chew up power from your computer, says a new report from Kaspersky.
Warning: Researcher Drops phpMyAdmin Zero-Day Affecting All Versions (The Hacker News) Researcher publishes proof-of-concept for an unpatched zero-day vulnerability in the latest version of phpMyAdmin.
Don't Forget About Legacy Systems (Forbes) The retention of legacy IT systems comes with a unique set of risks.
Cybercriminal's Black Market Pricing Guide (Dark Reading) Common prices criminals pay one another for products and services that fuel the cybercriminal ecosystem.
How Cybercriminals Exploit Simple Human Mistakes (Dark Reading) A new report explores how attackers identify psychological vulnerabilities to effectively manipulate targets.
Smart TVs, Subscription Services Leak Data to Facebook, Google (Threatpost) Researchers discovered that smart TVs from Samsung, LG and others are sending sensitive user data to partner tech firms even when devices are idle.
Cyber Trends
Automated Cyberattacks on E-commerce Companies Growing More Sophisticated and Difficult to Detect (Imperva) Imperva Bot Management Threat Research Reveals Growing Risk of Cyber Attacks and Website Downtime on Black Friday and Cyber Monday
Security is slowly becoming essential to doing business (Help Net Security) A veteran of the infosec industry, Greg Jensen has spent the last six years at Oracle as the Senior Director of Oracle’s Cloud Security solutions.
Businesses facing post breach financial fallout by losing customer trust (Help Net Security) PCI Pal research finds a significant change in how consumers around the world are thinking about and reacting to data breaches.
New Research from AppRiver Reveals SMBs Severely Underestimate the Damaging Consequences of Successful Cyberattacks (Yahoo) AppRiver, a Zix (ZIXI) company and leading channel-first provider of security, productivity and compliance solutions, today announced the findings of its Q3 Cyberthreat Index for Business Survey, revealing the extent to which small-to-medium-sized businesses (SMBs) underestimate the impact of today’s
Ireland's steadily growing reputation as a global leader in internet security (Irish Examiner) Joe Dermody looks at a selection of cyber security companies which IDA Ireland has helped establish in Ireland.
Marketplace
Huawei suspended from global cyber-security forum, so what does this mean? (Android Authority) The effects of the US trade ban on Huawei continue to be felt, with the firm now suspended from a major security forum.
Cisco acquisitions in 2019 bolster service provider strategy (SearchNetworking) Three of 10 Cisco acquisitions in 2019 and 2018 show the IT supplier preparing for when carriers abandon frugality and increase network spending in preparation for next-generation business services.
Cybersecurity company Acronis hits unicorn status after raising $147 million led by Goldman Sachs (TechCrunch) Cybersecurity solutions provider Acronis announced today that it has raised $147 million in funding led by Goldman Sachs, bringing it to unicorn status. The company did not disclose its valuation, but founder and CEO Serguei Beloussov told TechCrunch that it is between $1 billion and $2 billion. Fo…
Cyber firms Owl, Tresys merging (Jane's 360) Two US cybersecurity companies – Owl Cyber Defense and Tresys Technology – are in the process of merging, according to Owl officials.
The merger is occurring because DC Capital Partners, the Alexandria, Virginia-based private equity investment firm that already owned Owl, recently
Ping Identity Announces Pricing of Initial Public Offering (Yahoo) Ping Identity Holding Corp. ("Ping Identity") today announced the pricing of its initial public offering of 12,500,000 shares of its common stock at a price to the public of $15.00 per share. The shares are expected to begin trading on the New York Stock Exchange on September
'New day' as rivals Oracle and VMware unite on hybrid cloud deal (CRN) Vendors bury the hatchet to run and maintain Oracle Cloud in VMware environments
Eset wants a Silicon Valley in Bratislava (Slovak Spectator) The IT security provider is now looking for architects for its new research and innovation campus.
Quick Heal is venturing into uncharted territory. Can it thrive outside its comfort zone? (ET Prime) Quick Heal is heavily concentrated in one segment and one geography. This lack of diversification has made the business vulnerable. But after being around for 25 years, the homegrown software-security firm is in the process of reinventing itself, and its future success story will depend on new areas of growth.
Is $100 million enough to save the web from ads? (Naked Security) Mozilla, Creative Commons and Coil are teaming up to launch a $100m fund to drive out advertising and advocate privacy across the web.
6 questions candidates should ask at every security job interview (CSO Online) The cybersecurity skills shortage means security pros can be picky about where they work. Here's how to suss out bad employers.
Morphisec Appoints Eric Dougherty as Chief Revenue Officer (PRWeb) Morphisec, the leader in Moving Target Defense, today announced it has appointed Eric Dougherty to Chief Revenue Officer (CRO). In this r
Products, Services, and Solutions
Nets and KPMG Partner to Launch AI-Powered Payment Fraud Prevention Solution (Nets) Nets Fraud Ensemble uses machine learning to reduce fraudulent transactions by up to 40%.
Exabeam Earns Federal Common Criteria Certification for its Security Management Platform (BusinessWire) Exabeam Security Management Platform (SMP) underwent security testing and assessment to achieve federal Common Criteria certification; announced today
Odo Security Emerges from Stealth with Agentless Access Management Platform for Safe “Any Device to Any Resource” Connectivity (BusinessWire) Odo is unique in its ability to support web access as well as SSH, RDP and database access which is a game-changer for DevOps teams.
Bank of Hawaii Eliminates Most Web-Based Threats with Isolation Secure Web Gateway (Menlo Security) The bank is able to leverage malware-free browsing without impacting users’ native web browsing experience.
IBM to host free ransomware exercises for cities (StateScoop) IBM Security will hold three exercises at its Cambridge, Massachusetts, cyber range where local-government officials will respond to simulated cyberattacks.
buguroo and Lookout Partner to Mitigate Cyber Threats (CIOReview) This new strategic partnership aims at providing a cloud-based, deep learning approach to mitigate cyber threats and fraudulent...
Technologies, Techniques, and Standards
Digital Trust Insights: Raising the resilience quotient (PwC) Keeping data and operations running smoothly and securely while digital connections multiply is changing the face of resiliency, according to PwC’s new Digital Trust Insights.
The problems ISIS creates for the US military online (Fifth Domain) ISIS hackers heavily rely on commercial IT services, which can pose difficulties for the military in creating disruption.
What's in a Name? (Infosecurity Magazine) Naming hacking groups is a complex task for reasons both technical and commercial
Why securing Kubernetes and containers can't come 'after the app' (SiliconANGLE)
Design and Innovation
Top 10 Security Challenges in the Automotive Industry for Connected Cars (Trustonic) What are the top security challenges for connected cars? With the global market for connected cars expected to grow significantly, what are the risks to brands and consumers?
Facebook is betting the next big interface is conversation (Fast Company) Bots still can’t converse like humans. But Facebook’s AI researchers are making major inroads—with implications for the company’s messaging apps and beyond.
Gamification: A winning strategy for cybersecurity training (SC Media) Block a hacker and win a gift certificate for a nice dinner out on the town? Absolutely! That’s just one example of how companies are bolstering their
Research and Development
UPDATE: Avanan Email Security Granted US Patent (West) Pre-Delivery Prevention of Phishing, the Future of Security for Cloud Email and Collaboration Suites
IBM will soon launch a 53-qubit quantum computer (TechCrunch) IBM continues to push its quantum computing efforts forward and today announced that it will soon make a 53-qubit quantum computer available to clients of its IBM Q Network. The new system, which is scheduled to go online in the middle of next month, will be the largest universal quantum computer a…
How Much Is Your Privacy Really Worth? (Medium) No one knows. And it might be time to stop asking.
Academia
KnowBe4 to Offer $10,000 Women in Cybersecurity Scholarship, Summer 2020 Internship (Dark Reading) The organization partners with the Center for Cyber Safety and Education to bolster women in cybersecurity.
Legislation, Policy, and Regulation
How to Win the Battle Over Data (Foreign Affairs) The United States dithers while authoritarians seize the day.
Pompeo Calls Attacks on Saudi Arabia ‘Act of War’ and Seeks Coalition to Counter Iran (New York Times) The secretary of state’s words were the strongest so far from any American official regarding the attack on Saudi oil facilities last weekend.
Trump Sanctions Iran Again, Inching Toward Economic Blockade (Foreign Policy) But some experts say the move is a weak response to alleged Iranian attacks on Saudi oil.
Trump Weighs Retaliation Against Iran and Names National Security Adviser (New York Times) To help sort through the options — including sanctions and the deployment of more American forces — the president chose Robert C. O’Brien, the State Department’s chief hostage negotiator.
Trump Picks Low-Key Operative as National Security Advisor (Foreign Policy) The choice of Robert O’Brien to replace John Bolton reinforces Secretary of State Mike Pompeo’s power in the Trump administration.
Air Force creates new information warfare organization, revamps Cyber Command teams (C4ISRNET) The Air Force is creating 16th Air Force that will combine cyber, electronic warfare, intelligence, surveillance and reconnaissance and information operations into a single organization.
The American way of cyber warfare and the case of ISIS (Atlantic Council) Restraint and sober consideration ought to be expected of any cyber actor who engages in intelligence or effects actions in the networked environment.
CCPA Exceptions: What Qualifies as Activity ‘Wholly Outside’ of California? (Data Privacy Monitor) Much has been said about the scope of the California Consumer Privacy Act (CCPA) and the far-reaching implications the law will have on businesses
Facebook, Google and Twitter face fresh heat from Congress on harmful online content (Washington Post) The continued struggles of Facebook, Google and Twitter to stop the spread of hate speech, disinformation and other harmful content online have sparked heightened interest on Capitol Hill, where lawmakers are expected to unveil legislation to probe the matter in coming days.
Twitter says murderous dictators can stay on its service as long as they follow the rules (The Telegraph) Allowing violent dictators to spread their message on Twitter is a benefit to the world because it promotes "dialogue", the company has said.
Big Tech’s Big Divorce From Democrats (Intelligencer) Inside the collapsed marriage of Silicon Valley and the Democratic Party.
Democrats dubious of Trump administration’s push to renew controversial spy power (Washington Post) Republican lawmakers, meanwhile, used a hearing Wednesday to air grievances about the FBI’s probes of political figures.
Crucial Tasks for the Next Director of National Intelligence | National Review (National Review) The White House should insist these steps be implemented as soon as possible regardless of who is heading the ODNI to keep our nation safe.
Litigation, Investigation, and Law Enforcement
Documents reveal how Russia wiretaps phone companies (TechCrunch) In cities across Russia, large boxes in locked rooms are directly connected to the networks of some of the country’s largest phone and internet companies. These boxes, some the size of a washing machine, house equipment that gives the Russian security services access to the calls and messages…
Discovery of Document Led to Arrest of Canadian Intelligence Official (Wall Street Journal) The investigation that led to the arrest last week of a senior Canadian intelligence official was triggered by the discovery in 2018 of a document held by a Vancouver businessman who was suspected of operating a mobile-phone network used to distribute narcotics and payments, a person familiar with the matter said.
Everything You Need To Know About the Massive Canadian Spy Scandal (Vice) Cameron Ortis, one of the highest ranking intelligence officials in the country, was arrested and charged in connection to espionage last week.
Who is Cameron Ortis?: RCMP espionage suspect’s journey from geeky teen to man of mystery (National Post) When news broke that Ortis, a senior civilian RCMP intelligence official, had been accused of violating secrecy laws, to his friends it just didn’t compute
Report: FBI Tried to Get Encrypted Phone Firm to Build Backdoor So They Could Spy on Sinaloa Cartel (Gizmodo) The FBI tried to get the CEO of encrypted phone company Phantom Secure, Vincent Ramos, to install a backdoor in his service so that the agency could spy on Sinaloa Cartel members, Motherboard reported on Wednesday.
More young Scots are falling prey to money mule scam (Times) The number of young Scots falling prey to money laundering has tripled in two years, amid concerns that thousands of students do not know how to protect themselves from fraud. In April Police...
Home Office ‘manipulates crime figures by telling Action Fraud to dismiss identity theft’ (Times) The Home Office is manipulating crime figures by instructing Action Fraud to dismiss as many as tens of thousands of legitimate cases, two former heads of fraud for the police have told The Times.
Teenage gamer jailed over lethal swatting (Naked Security) Casey Viner got into a spat over a $1.50 wager in a Call of Duty World War II game that led to the fatal shooting of an innocent man.
The first casualty of the US culture war is truth (Times) There’s an old trick in the less reputable corners of journalism. Publish a smear story on the flimsiest of evidence. Then, when it’s exposed as bunk, issue a correction or even a retraction.
Colorado stockholder sues to stop Carbon Black-VMWare deal (BizWest) A Colorado shareholder is suing to stop VMWare Inc.’s (NYSE: VMW) $2.1 billion bid to buy IT security firm Carbon Black Inc. (Nasdaq: CBLK).