Cyber Attacks, Threats, and Vulnerabilities
No blame yet over parliament cyber attack (9News) Senate President Scott Ryan says it's too early to attribute blame for a cyber attack on federal parliament...
Hackers wipe US servers of email provider VFEmail (ZDNet) Hackers did not ask for a ransom. VFEmail described the incident as "attack and destroy."
Email Provider VFEmail Suffers ‘Catastrophic’ Hack (KrebsOnecurity) Email provider VFEmail has suffered what the company is calling “catastrophic destruction” at the hands of an as-yet unknown intruder who trashed all of the company’s primary and backup data in the United States. The firm’s founder says he now fears some 18 years’ worth of customer email may be gone forever.
VFemail, spécialiste de l’e-mail anonyme, balayé par une attaque dévastatrice (LeMagIT) Le fournisseur opérait ses services depuis 2001. Toute son infrastructure aux Etats-Unis vient d’être effacée brutalement, sauvegardes y compris. Un incident qui soulève de très nombreuses questions.
Email provider VFEmail’s US servers wiped (Daily Swig) Data and backup files lost in attack
AWS Issues Alert for Multiple Container Systems (Infosecurity Magazine) Vulnerability impacts 11 AWS container management systems
Root Code Execution Flaw Threatens Container Platforms (Decipher) A flaw in runC, the underlying container runtime for many platforms, can give an attacker root access to vulnerable hosts.
620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts (Register) Dubsmash, Armor Games, 500px, Whitepages, ShareThis, and more said to be up for grabs for $$$s in BTC
OkCupid Users Victims of Credential Stuffing (Infosecurity Magazine) OkCupid says there has been no data breach
Exposed: Instagram, OKCupid, Mumsnet All Face Data Concerns (Threatpost) Three major websites are making data-privacy news this week.
Windows App Runs on Mac, Downloads Info Stealer and Adware (TrendLabs Security Intelligence Blog) We found an EXE application that specifically runs on Mac to download an adware and info stealer, sidestepping built-in protection systems on the platform such as Gatekeeper. We suspect the cybercriminals developing this routine as an evasion technique for damaging infections and attacks in the future as our telemetry showed the highest numbers to be in the UK, Australia, Armenia, Luxembourg, South Africa and the US.
With Doctored Photos, Thieves Try to Steal Bitcoin (BankInfo Security) Cryptocurrency exchanges are seeing fraudsters submit doctored photos in an attempt to reset two-step verification on accounts. The ruse appears to have some degree
Cryptocurrency Exchanges Targeted by Fake Photo Scam (NewsBTC) Research indicates that large cryptocurrency exchanges are increasingly being targeted by scammers using doctored photographs to trick two-factor
Private Mossad for Hire (The New Yorker) Inside a plot to influence American elections, starting with one small-town race.
McDonalds app users hatin’ it after being hacked by hungry hamburglars (Naked Security) At least two users of the McDonalds mobile app aren’t lovin’ it after thieves hijacked their accounts and ordered hundreds of dollars of food for themselves.
Senators Urge Security Audit of Foreign VPNs (Infosecurity Magazine) Chinese and Russian apps could be a national security risk
Assessing the risk of foreign-made VPNs, browsers (GCN) Two senators want to know the national security risks of allowing federal employees to use some foreign-made browsers and virtual private networks on government smartphones and computers.
Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire (TrendLabs Security Intelligence Blog) Trickbot's authors clearly aren't done updating it — we recently found a new variant that uses an updated version of the pwgrab module that lets it grab remote application credentials.
Revolut boss denies British digital bank has Kremlin links (The Telegraph) The chief executive of fintech start-up Revolut has denied that his company has links to the Kremlin following a political dispute over its operations in Lithuania.
Norway: GPS jamming during NATO drills in 2018 a big concern (AP NEWS) The Norwegian Intelligence Service says GPS signal disruption as seen during major NATO drills in Norway last year "is of particular concern" for the military and "is also a threat to civil aviation in peacetime."
The U.S. Army's New Up-Gunned Stryker Armored Vehicles Have Been Hacked (The Drive) A Pentagon report says 'adversaries' launched successful cyber attacks against systems on the new 30mm cannon-armed vehicles.
Marines have been personally downloading this software that helps coordinate air support. How that error and big cyber flaws are putting lives at risk. (Marine Corps Times) Some Marines downloaded the software onto personal devices, potentially putting themselves and their unit at risk.
A Popular Electric Scooter Can Be Hacked to Speed Up or Stop (WIRED) A hacker can accelerate Xiaomi M365 scooter—or hit the breaks—while a rider is on it.
Bezos Case Exposes Billionaires' Vulnerability to Hackers (SecurityWeek) The stunning revelation that a tabloid obtained below-the-belt selfies of Amazon founder Jeff Bezos -- the world's richest man -- suggests that even billionaires are not out of the reach of hackers.
Top Data Protection Issues Facing HNW Individuals (WealthBriefingAsia) Often referred to as "the oil" of the modern economy, data is strikingly vulnerable to abuse as more personal information goes online and can be cross-referenced. High net worth individuals are among those with the most to lose.
The Jeff Bezos privacy nightmare could happen to anyone — here’s how to prevent it (MarketWatch) Amazon founder has accused the National Enquirer tabloid of extortion after it acquired compromising photos.
1 in 3 FHFA employees failed phishing test (FCW) A penetration test found some concerning vulnerabilities at the Federal Housing Finance Agency, but auditors weren't able to gain access.
Lenovo Watch X was riddled with security bugs, researcher says (TechCrunch) Lenovo’s Watch X was widely panned as “absolutely terrible.” As it turns out, so was its security. The low-end $50 smartwatch was one of Lenovo’s cheapest smartwatches. Available only for the China market, anyone who wants one has to buy one directly from the mainland. Lucky…
Security Patches, Mitigations, and Software Updates
Temporary Patch Released For Adobe Reader Zero Day (Threatpost) The zero-day flaw in Adobe Reader DC could allow bad actors to steal victims’ NTLM hashes.
Apple Fixes Two Zero-Day iOS Vulnerabilities Exploited in the Wild (Security Boulevard) Apple's newly released iOS 12.1.4 includes fixes for two serious vulnerabilities that are already used by hackers.
Chrome OS Network Manager Sandboxed, Stripped of Root Privileges (SecurityWeek) The latest version of Chrome OS puts the Shill network manager in a sandbox and removes its root privileges.
You can now unsend messages in Facebook Messenger (Naked Security) Facebook Messenger has made available the ability to unsend, or in their words “remove for everyone” your mis-sent messages.
Microsoft: 70 percent of all security bugs are memory safety issues (ZDNet) Percentage of memory safety issues has been hovering at 70 percent for the past 12 years.
Healthcare Email Fraud Attack Attempts Jump 473% Over Two Years (Proofpoint) To better understand how email fraud is impacting healthcare organizations around the world, Proofpoint analyzed email fraud attacks targeting more than 450...
To Understand IoT Security: Look to the Clouds (Government Technology) The Internet of Things (IoT) is growing exponentially. But security and privacy concerns are piling up at the same time. How can we understand where this trend is heading? Here's what we can learn from the history of the cloud.
Healthcare Email Fraud Report (Proofpoint) Email fraud, also known as business email compromise (BEC), is one of today’s greatest cyber threats and it’s impacting healthcare organizations of all sizes across the globe. Email fraud attacks are socially engineered to target people, rather than technology. Fraudsters prey on human nature to steal money and valuable information from healthcare organizations’ staff,
Envisioning the Next Generation Cybersecurity Practices (Frost & Sullivan) Next Generation Security Critical to Protect the Future of Businesses Across Industry Sectors
The Average Cost of a Data Breach (TetherView) Today, few phrases strike fear into the hearts of companies quite like this one: data breach. How much does the average data breach cost?
Opinion | Google and Facebook Worsen Media Bias (Wall Street Journal) Silicon Valley’s advertising monopoly translates into editorial influence.
People still shocked by how easy it is to track someone online (Help Net Security) McAfee discovered less than a fifth (17%) of Brits who lost or had their phone stolen (43%) made any attempt to prevent criminals from accessing data.
Juniper Networks CIO Reflects on 7-Year Cloud Initiative (WSJ) It took seven years for Juniper Networks Inc. to move all of its data and applications from 18 corporate data centers to the cloud, but Chief Information Officer Bob Worrall said the transition is paying off.
Nearly Two-Thirds of Organizations Say Tech Skills Gap Is Already Impacting IT Audits: New Study Identifies Five Top Skills Auditors Seek to Build (BusinessWire) Technologies such as AI are reshaping the future of IT auditors, but auditors are largely optimistic about the future, according to new research from
Everyday AI - Innovative Technology Solutions (Innovative Technology Solutions) There’s no question about it, IT makes the world go around. Systems need to be integrated, data needs to be protected and on Friday nights,…
88% of UK businesses breached during the last 12 months (Help Net Security) The UK’s cyber threat environment is intensifying. Attacks are growing in volume, and the average number of breaches has increased.
Experian: US Suffers the Most Online Fraud (Dark Reading) New data from the credit reporting firm shows the sheer scale of online activity in the US also has made businesses and consumers there prime targets.
2019 has security execs crying uncle (SC Media) By Jon Check, senior director, cyber protection solutions at Raytheon Intelligence, Information and Services From the halls of government to C-Suites
PerimeterX Raises $43M In Series C Funding To Fuel Expansion into New Markets and Accelerate Product Development (PR Newswire) PerimeterX has secured $43 million in Series C funding to expand its product portfolio beyond its PX Bot...
Axonius Raises $13 Million Series A to Help Enterprises Automate Cybersecurity Asset Management and Security Policy Enforcement (AP NEWS) Cybersecurity asset management company Axonius today announced that it has raised $13 million in Series A funding. Bessemer Venture Partners led the round with participation from existing investors YL Ventures, Vertex, WTI and Emerge. The company will use the new funding to accelerate customer growth and expedite product innovations for the Axonius Cybersecurity Asset Management Platform.
UK identity data intelligence firm GBG conditionally acquires American firm in $300M deal (Bankless Times) GBG, the UK-headquartered Identity Data Intelligence specialist, has conditionally agreed to acquire the entire issued share capital of IDology, a US-based provider of identity verification and fra…
Could Demisto Be a Good Fit for Palo Alto Networks? (Market Realist) Demisto could boost automation offerings
This Chicago team wants to protect your data with encryption hardware (Built In Chicago) image via Diamond Key SecurityDigital security is everything these days, as news of data breaches are becoming as co
Apple and Google accused of helping 'enforce gender apartheid' by hosting Saudi government app that tracks women and stops them leaving the country (Business Insider) Absher, an app that Saudi men use to monitor women's travel and stop them leaving, is available for download on iTunes and the Google Play store.
Amazon takes latest step into the smart home with deal for Wi-Fi system company Eero (The Telegraph) Amazon has bought a Silicon Valley Wi-Fi router maker that will help keep its ever-growing line of smart home products online in homes that suffer from patchy internet coverage.
I Tried to Block Amazon From My Life. It Was Impossible (Gizmodo) Not even a custom-built VPN could stop Jeff Bezos's behemoth from slipping through the digital cracks.
Amazon buys Eero: What does it mean for your privacy? (TechCrunch) In case you hadn’t seen, Amazon is buying router maker Eero. And in case you hadn’t heard, people are pretty angry. Deluged in a swarm of angry tweets and social media posts, many have taken to reading tea leaves to try to understand what the acquisition means for ordinary privacy-minde…
Google Wifi vs. Eero: Which mesh router system should you buy? (Android Central) Both are great consumer mesh wireless systems, but which is best for you?
Google and Microsoft Warn That AI May Do Dumb Things (WIRED) Google and Microsoft have added warnings to their "risk factors" for investors about potential legal and ethical problems from their artificial intelligence projects.
Google warns rise of AI may backfire on company (The Telegraph) Google has warned that advances in artificial intelligence may have a negative impact on its business, leading to fines and concerns over ethics.
Former executive of Duo Security, Zscaler joins IronNet as co-CEO (Reuters) IronNet Cybersecurity Inc, a startup led by former U.S. National Security Agency...
Products, Services, and Solutions
Tenable Adds 'Predictive Prioritization' to Vulnerability Management Offering (SecurityWeek) Tenable’s new Predictive Prioritization service is designed to help customers of its vulnerability management offering prioritize flaws that have the greatest likelihood of being exploited.
Trustonic helps Mobile Operators improve financial performance while significantly reducing asset theft & fraud (GlobeNewswire News Room) Slashes theft & fraud across an operator’s device portfolio by combining mobile device and app protection expertise with unique integration into the smartphone manufacturing ecosystem
EZShield Releases Dual Exclusive Resources for Financial Institutions To Protect Account Holders From Identity Crimes (WebWire) EZShield, a portfolio company of The Wicks Group, today announced a series of new resources tailored to address how Financial Institutions (FIs) can combat identity crimes and mobile cybersecurity threats as it impacts the omni-channel customer experience.
Aquila, Inc. joins LMNTRIX Partner Program to Deliver an Outcome-Driven Multi-Vector Cybersecurity Platform (Life Pulse Health) LMNTRIX, the next-generation cybersecurity venture of MSSP pioneer Carlo Minassian, has announced a partnership with Albuque…
Plurilock Introduces New ADAPT MFA Product, 2019 Authentication Guidel (PRWeb) Victoria-based cybersecurity company Plurilock today announced the release of its newest product, ADAPT MFA. ADAPT MFA provides next-generation
Google wants to bring encryption to all with Adiantum (The Verge) ‘Everyone should have privacy and security, regardless of their phone’s price tag’
A New Tool Protects Videos From Deepfakes and Tampering (WIRED) Many of the body cameras worn by police are woefully vulnerable to hacking and manipulation. Amber Authenticate wants to fix that—with the blockchain.
Microsoft & Google expand security tools to political parties in Canada & Europe (ZDNet) Microsoft extends AccountGuard to Canada while Google expands Project Shield to EU Parliament political campaigns.
Technologies, Techniques, and Standards
Quantifying Security Posture is Key to Mitigating Risk (Infosecurity Magazine) What is required for effective risk measurement
#TEISS19: Brute Force Won’t Change Peoples' Behaviors, You Must ‘Modify’ Their Beliefs (Infosecurity Magazine) How security leaders can effect changes in behaviors to improve security buy-in from the C-suite
Boards Must Become More Technical to Make Orgs More Secure (Infosecurity Magazine) Ciaran Martin outlines vision for a more secure Britain
Security Professionals Win When They Can Master Risk Communications (SecurityWeek) The ability to customize threat intelligence scores allows you to prioritize threats to your organization and reevaluate and reprioritize as new data and context becomes available.
Mirror Chess Is Not Good Cyber (Forbes) In chess, mirroring your opponents is a terrible strategy because the opponent is intelligent and you become predictable due to asymmetries in the game. This analogy is perfect for security and helps us see where mirroring in cybersecurity is likewise an awful strategy with critical secondary issues
Crash Course in How Cyberattacks Start (IndustryWeek) In order to effectively defend against such attacks, it is critical to understand how an attacker thinks and how the actual attack is conducted.
Six Steps to Segmentation in a Perimeterless World, Part 2 (SecurityWeek) Network Segmentation can prevent lateral movement and effectively improve security, and is a continuous journey that every organization should take.
Security wellness takes more than a fad diet (Help Net Security) Like the dizzying array of diet and exercise options offering a quick fix, the security landscape is made more complex by the volume of available solutions.
Undertaking the crucial task of bringing cryptography to activists (Equal Times) A group of journalists and activists slowly trickle into a room. They take a seat. Some talk amongst each other, others play around with their phones. They think they are there for a workshop, but unbeknownst to them, they are being hacked. Five minutes after their arrival, a security expert has cracked most of their phones, and with it, sensitive information about contacts, co-activists, planned protests and stories. The story is real, yet nobody got hurt. The course was organised by the (...)
Email Impersonation Scams (Hakin9 - IT Security Magazine) What You or Your IT Staff Can Do to Protect Your Business A major cyber threat to Australian businesses is email-based …
Design and Innovation
DigiCert and Utimaco work on securing the future of IoT from quantum computing threats through collaboration with Microsoft (Utimaco) Today, DigiCert, Inc., the world’s leading provider of TLS/SSL, IoT and PKI solutions; Utimaco, one of the world’s top three Hardware Security Module providers; and Microsoft Research, a leader in quantum-safe cryptography, announced a successful test implementation of the “Picnic” algorithm, with digital certificates used to encrypt, authenticate and provide integrity for connected devices commonly referred to as the Internet of Things (IoT).
IBM's fast-talking AI machine just lost to a human champion in a live debate (CNN) People are great at arguing. But a project from IBM shows that computers are getting quite good at it, too.
AR Will Spark the Next Big Tech Platform—Call It Mirrorworld (WIRED) We are building a 1-to-1 map of almost unimaginable scope. When it's complete, our physical reality will merge with the digital universe.
Research and Development
What comes after air gaps? DARPA asks world for ideas (Naked Security) According to DARPA, air gapping computers and data is a security idea that has run its course and urgently needs to be replaced.
Intrusion Prevention Systems Prove Key to Campus Defense (Technology Solutions That Drive Education) Whether standalone or integrated into a next-gen firewall, IPS is a valuable part of network security for higher education.
Legislation, Policy, and Regulation
EU Considers Response to China Hacking After U.K. Evidence, Sources Say (Bloomberg) European Union member states are considering a possible joint response to cyber attacks allegedly conducted by a Chinese state-linked hacker group after the U.K. presented evidence last month about network infiltration, according to people familiar with the matter.
Russia prepping for US cyberattack by turning off entire internet (New York Post) Russia is shutting off its internet as part of a dramatic test to help it defend against devastating cyberattacks. The experiment is part of preparations for a potential cyberwar with the US that c…
Russia plans to briefly disconnect from the internet to see what happens (The Independent) The trial comes amid escalating cyber war rhetoric between Russia and the West
US Intensifies Pressure on Allies to Avoid Huawei, ZTE (BankInfo Security) The Trump administration is leading a broadside against Chinese telecommunications giants Huawei and ZTE. But concerns that Chinese networking gear could be used as
China to suffer limited impact from ban on Chinese telecoms imports (South China Morning Post) US president set to sign an executive order banning companies in the US wireless sector from buying Chinese telecoms equipment
Rural U.S. Carriers Resist Proposed Chinese Telecom Ban Aimed at Huawei (Wall Street Journal) President Trump is mulling an order that could ban Chinese telecom gear from U.S. networks, but the plan is facing resistance from rural carriers who rely on Huawei equipment.
Hit big tech hard but don’t crush free speech (Times) The campaign for state regulation of the press was always absurd, not only because it was illiberal but because it was already far too late. “Newspapers, through whichever medium they are delivered .
Trump’s Plan to Keep America First in AI (WIRED) The US joined more than a dozen other countries with national AI strategies when President Trump signed an executive order to create the American AI Initiative.
Here’s what you need to know about Trump’s ‘American AI Initiative’ (Popular Science) President Trump issued an executive order today announcing what the White House calls an “American AI Initiative.”
Is 2019 the year national privacy law is established in the US? (Help Net Security) Data breaches and privacy violations are now commonplace. Unfortunately, the consequences for US companies involved can be complicated. A company’s
Data Privacy Top of Mind for 2020 Candidates (Infosecurity Magazine) Sen. Amy Klobuchar says she would focus on creating data privacy regulations
What’s needed now? Trustwave cyber leader says more collaboration, security standards in contracts (Inside Cybersecurity) More information sharing and better collaboration between industries, along with government using its contracting power to drive up security performance, are among the chief policy needs in the cyber space, according to Jeremy Batterman, who leads cyber firm Trustwave’s SpiderLabs Fusion Center here.
Why the new Air Force’s cyber and information strategy is a return to the past (Fifth Domain) What is being hailed as a major breakthrough in the Air Force's cyber and information plan is a return to previous plans.
Analysis | The Cybersecurity 202: Senate committee leaders worry no one’s in charge on cybersecurity (Washington Post) Sens. Rounds and Johnson are considering creating a new centralized agency for cyber.
Where cybersecurity legislation 'goes to die' in Congress (POLITICO) Advocates for major cyber bills say Wisconsin Sen. Ron Johnson has been a roadblock ever since he arrived in Washington.
Litigation, Investigation, and Law Enforcement
Tinder lover must repay businessman’s £182,000 (Times) A lovestruck businessman who handed £182,000 to a woman 20 years his junior after meeting her on the dating app Tinder has won a court fight to make her pay the money back. Marcel Kooter, 57...
Secret Service busts online car sales crime ring (Naked Security) They posed as military needing to offload cars before deployment, allegedly posting bogus ads on Craigslist, eBay, and AutoTrader.