Cyber Attacks, Threats, and Vulnerabilities
Cellebrite iPhone hacking tools selling on eBay for as little as $100 (AppleInsider) Meant to be used only by law enforcement, Cellebrite hacking tools for iPhones and other smartphones are reportedly selling on eBay for sums as low as $100.
How LinkedIn is being used for a global scam of ‘epic sextortions’ (The Times of India) Cyber criminals keep coming up with novel ways to target vulnerable users but this new report by a security research firm comes as a real revelation
Formjacking is the big new threat in cyberspace, says Symantec report (YourStory.com) Symantec’s 2019 Internet Security Threat Report reveals that formjacking is the greatest threat to ecommerce sites, malware is on the rise, and ransomware continues to worry enterprises.
What’s hiding in encrypted traffic? Millions of advanced threats. (Zscaler) ThreatLabZ has released a new analysis of SSL/TLS-based threats.
'Thunderclap' security flaw in Thunderbolt spec could compromise USB-C and DisplayPort (Computing) Researchers uncovered the flaw in 2016 - but Microsoft still hasn't rolled out patches to protect users of Windows 10
Cybersecurity czar warns of looming threats (Salem News) The state faces myriad threats from hackers and rogue nations trying to get into the computer systems of governments, businesses and individuals to steal confidential information and financial data, according to Massachusetts’ new cybersecurity czar.
Chinese cyber attack group Bronze Union targeting weapons tech (ComputerWeekly.com) Weapons technology is among the latest targets of a highly-adaptable cyber espionage group that uses a wide range of publicly available and custom attack tools, presenting a challenge to network defenders.
Inside a Chinese hacking group's very flexible playbook (CyberScoop) APT27, also known as Bronze Union, dusted off and upgraded a couple of long-available digital weapons to carry out intrusions in 2018, SecureWorks says.
Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked (TechCrunch) A watchlist of risky individuals and corporate entities owned by Dow Jones has been exposed, after a company with access to the database left it on a server without a password.
AltFS Fileless File System Aims to Evade Detection by Security Software (BleepingComputer) Exclusive: Researchers from SafeBreach have developed an open source library that creates a fileless file system residing in operating system resources such as the Windows Registry, WMI, or the user defaults system in macOS.
Feeling Blue About Phishing (EdgeWave) Cybercriminals using Microsoft Azure is not new. The twist here is how Azure is being used as part of a Facebook workplace credential phishing campaign.
Outlook and Microsoft Account Phishing Emails Utilize Azure Blob Storage (BleepingComputer) Researchers have found two ongoing phishing campaigns utilizing Microsoft's Azure Blob Storage in order to steal recipients' Outlook and Microsoft account credentials.
Topps.com Sports Collectible Site Exposes Payment Info in MageCart Attack (BleepingComputer) The sports trading card and collectible company Topps issued a data breach notification stating that it was affected by an attack, which possibly exposed the payment and address information of its customers.
Cryptocurrency wallet caught sending user passwords to Google's spellchecker (ZDNet) Coinomi wallet bug sends users' secret passphrases to Google's Spellcheck API via HTTP, in plaintext.
Robocall scams surge to 85 billion globally (ZDNet) According to Hiya, robocall spam has surged around the world and each country affected has its own unique favored scam.
A researcher made an elite hacking tool out of the info in the Vault 7 leak (CyberScoop) Australian researcher Wayne Ronaldson has built an elite-level hacking tool out of the Vault 7 dump, and will present his tool at the 2019 RSA Conference.
Federal bidding scam targets US contractors (ZDNet) Phishing websites masquerade as procurement login portals.
Card-Skimming Scripts Hide Behind Google Analytics, Angular (Threatpost) The campaign is marked by a significant level of customization, with an “individualized yet very consistent approach to every compromise.”
Chrome Zero-Day Exploited to Harvest User Data via PDF Files (SecurityWeek) EdgeSpot claims to have seen several malicious PDFs that exploit a zero-day vulnerability in Chrome to collect information on users who open the files.
Most UK IT Security Leaders Fear CNI Attack (Infosecurity Magazine) Infosecurity Europe poll reveals siloed teams and gaps in regulatory awareness
Modern browser APIs can be abused for hijacking device resources (Help Net Security) Modern browser APIs could be misused by attackers to take control of a visitor’s browser, add it to their botnet, and use it for malicious actions.
Fin6 using FrameworkPOS scraping malware in POS attacks (SC Media) The threat group Fin6 has been connected to a string of point of sale attacks against VMWare Horizon thin clients.
Farseer backdoor targets Windows systems, linked to 'HenBox' malware (SC Media) Farseer, a backdoor program designed to compromise Windows users, reportedly has strong ties to HenBox, a malware that targets Android devices.
IoT devices attacked faster than ever, DDoS attacks up dramatically: Netscout (SC Media) Cybercriminals upped their game in 2018, dramatically increasing the number and severity of DDoS attacks and refining their IoT attacks to entirely new levels.
Running Elasticsearch 1.4.2 or earlier? There's targeted malware going for your boxen (Register) Yes it's years out of date but there's no such thing as security through obscurity.
Hackers target UN and IMF using ‘sophisticated’ cyber attacks (City A.M.) Cyber attackers have ramped up the power and complexity of their efforts, targeting crucial international bodies including the United Nations, US state
Fake Royal Bank of Canada Payment Receipt Advise/Avis de Reception de paiement delivers Trickbot (My Online Security) This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Payment Receipt Advise/
Security Patches, Mitigations, and Software Updates
Facebook to finally release its ‘clear history’ privacy tool (The Telegraph) Facebook is preparing to release its long-awaited "clear history" tool later this year after months of delays.
Cisco Re-Patches High-Severity Webex Vulnerability For Third Time (Threatpost) Third time's hopefully a charm for Cisco as it patches a high-severity Webex flaw once again.
Ring Doorbell Flaw Opens Door to Spying (Threatpost) Researchers are urging Ring users to update to the latest version of the smart doorbell after a serious flaw triggered privacy concerns.
Nvidia patches eight security flaws in graphics products (Naked Security) Chip maker Nvidia has released a security update, fixing eight CVE flaws in its Windows and Linux graphics display drivers.
Coinhive to shut its in-browser cryptocurrency miner (iTnews) Unlikely to be missed, given its history.
Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2 (SecureAuth) A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow a local attacker to elevate privileges.
Cyber Trends
Poor Access Management Leads to Majority of IT Hacks, Study Finds (Business News Daily) Contrary to popular belief, most intrusions on secure networks come from a privileged account. Without proper privileged access management (PAM), companies are vulnerable to preventable breaches in security.
'Immature' firms struggling to manage credential compromise (IT Brief Australia) It’s highly likely that a data breach will involve some kind of privileged credential abuse but it’s still one security issue that is being overlooked by many organizations.
Cybercriminals spend like rockstars (SC Media) A recent study found cybercriminals living like the upper echelon of society by converting their money into assets, flashy jewelry, and expensive cars
Industry Looks Towards ICAM Policy Updates (MeriTalk) With growing interest in cloud, mobility, and zero-trust technology, industry leaders in the identity credential access and management (ICAM) space are seeing a divergence between the existing policy of Common Access Card (CAC) and personal identity verification (PIV) cards, and new technology.
UK consumers more likely to abandon a breached company (SC Media) Yanks and Brits may both have a soft spot in their hearts for beer and sports, but when it comes to trusting a company that has suffered a data breach these two peoples have quite different opinions.
Marketplace
HackerOne Continues Growth with Record Bounties Awarded to Hackers in 2018 and Over 100,000 Valid Security Vulnerabilities Found for Customers (Business Wire) HackerOne, the leading hacker-powered security platform, today announced the appointments of Liz Brittain as Chief Financial Officer, Suzanne Padilla-Messier as Director of Global Hacker Community Development and Jacob Kaplan-Moss as Director of Technical Operations.
ZTE to open three security labs during this year (RCR Wireless News) The vendor said that the first lab will be opened in China while the other two facilities will be located in Belgium and Italy
Silobreaker partners with Anomali to enrich results in leading threat intelligence platform (GlobeNewswire News Room) Silobreaker offers context from unstructured data for more holistic threat intelligence in the Anomali platform
Intel kills 5G deal with China’s Unigroup over U.S. security concerns (VentureBeat) Another Chinese company has been impacted by U.S.-China technology trade tensions, this time a chipmaker that hoped to sell Intel 5G modems in China.
Anitian, a Cloud Security and Compliance Automation Company, Lands $11 (PRWeb) Anitian, a cloud security and compliance automation company, announced today that it has secured $11 million in Series A funding from ForgePoint Capital,
The U.S. Navy Selects BAE Systems to Develop, Secure, and Integrate Future Cybersecurity, Autonomous, and Unmanned Mission Systems (The Progress) The U.S. Navy has selected BAE Systems to compete for future cyber engineering task orders awarded under a seven and a half-year, indefinite delivery/indefinite quantity (IDIQ).
Tempe cybersecurity consulting firm raises $25M Series A round (Phoenix Business Journal) Bishop Fox, which conducts cybersecurity tests and assessments to help companies secure their products, applications and networks, plans to scale its company with the investment.
Secureworks CEO Joins the ExtraHop Board of Directors (Business Wire) ExtraHop, provider of enterprise cyber analytics from the inside out, today announced Michael Cote, President and CEO of Secureworks and a member of its Board of Directors, has joined the board of directors of ExtraHop.
Products, Services, and Solutions
Forcepoint Unveils Digital Transformation Acceleration Strategy with New Converged Cybersecurity Solutions and Partner Ecosystem (PR Newswire) Global cybersecurity leader Forcepoint today announced the Forcepoint Converged Security Platform which...
DarkMatter Group Unveils World's First Ultra Secure Smartphone for Extreme Field Conditions (PR Newswire) DarkMatter Group, the Gulf's leading digital and cyber transformation firm, has unveiled...
Symantec Advances Integrated Cyber Defense Platform (eWEEK) Symantec is expanding its Integrated Cyber Defense (ICD) platform with new management and data exchange capabilities that enable organizations to gain better visibility and control over threat mitigation.
VMRay Raises the Bar for Malware Sandboxing With New Release of Its Flagship Malware Detection and Analysis Solution (GlobeNewswire News Room) VMRay Analyzer 3.0 Introduces New Capabilities to Help Security Analysts Improve Detection of Evasive Malware Behavior and Achieve Actionable Threat Intelligence at Scale
ZeroFOX Announces New Artificial Intelligence and Computer Vision Tools to Address Evolving Digital Risks (Business Wire) ZeroFOX, the social media and digital security category leader, today announced the release of new artificial intelligence (AI) and computer vision ca
New Cryptographic Invention Dramatically Improves Security (PR Newswire) A new invention, developed by Ternarylogic LLC, applies novel computer functions in cryptographic methods to...
Napatech Accelerates Cybersecurity and Network Monitoring Applications up to 100G (PR Newswire) Napatech™ (OSLO: NAPA.OL), the leading provider of reconfigurable computing platforms, today announced that...
Recorded Future Launches Plug and Play Browser Extension Providing Seamless Access to Threat Intelligence (PR Newswire) Recorded Future, the leading threat intelligence company, today announced Recorded Future Express, a new offering that layers threat intelligence over existing security workflows through an easy-to-use Browser Extension.
CRITICALSTART Announces Managed Detection and Response Services with Palo Alto Networks Traps Management Service (PR Newswire) Industry's only Zero-Trust Analytics Platform with full transparency and MOBILESOC app now integrated with Palo Alto Networks cloud-based endpoint security, and detection and response service
Wipro announce cyber security service with Microsoft security capabilities (Information Age) Wipro has announced that it will offer advanced cyber security services that are layered with Microsoft security capabilities
TLS 1.3 Support Coming to iOS 12.2, Enabled System-Wide in Beta Releases (BleepingComputer) TLS 1.3, the next major version of the Transport Layer Security (TLS) protocol, will be available in iOS 12.2 and it can already be tested by iOS users willing to install the iOS 12.2 Beta 3 release.
Intel open-sources HBFA app to help with firmware security testing (ZDNet) Intel's new HBFA project will be available in Q2 2019.
Intel SGX Card expands SGX security protections to cloud data centers (ZDNet) Intel announces new Intel SGX Card line.
Capsule8 Protect Achieves PCI DSS Certification (Capsule8) Capsule8’s comprehensive protection platform for Linux production systems exceeds standards for intrusion detection and prevention systems, file integrity monitoring and anti-virus requirements.
Verizon builds a DevSecOps culture with its developer dashboard (CSO Online) Verizon's developer dashboard not only records how vulnerabilities are introduced and by whom, but provides indicators as to why. The goal isn't to name and shame, but to instill a secure-by-design mindset.
CenturyLink Announces New Threat Research and Operations Arm, Black Lotus Labs (PR Newswire) Furthering its dedication to helping protect the internet from malicious actors, CenturyLink, Inc. (NYSE: CTL) is...
ThreatModeler Releases Cloud Edition to Provide Development Teams with Proactive Threat Identification from the Industry Leader (PR Newswire) ThreatModeler™, provider of the industry's #1 Automated Threat Modeling Platform, announced today the release...
Cofense Launches Responsive Delivery Capabilities to Strengthen Effectiveness of Global Anti-Phishing Programs (PR Newswire) Today Cofense™, the global leader in intelligent phishing defense solutions world-wide, announced the addition of...
Technologies, Techniques, and Standards
IT Security Ideas We Once Loved, But Now Should Hate (Twistlock) Sometimes, things that once seemed like good ideas (such as plumbing homes with lead pipes) turn out to be not so smart after all.
How gamification can boost cyber security (Information Age) Using techniques derived from game-playing helps to upskill your staff so they can better cope with cyber threats. Here’s how it can be done.
You must embrace, threats from cyberspace, to your card-on-file database (Rambus) It is hard not to become desensitized to the almost daily news of data breaches.
IoT Cybersecurity Goes To College And It Does Not End Well (Forbes) Analyst Chris Wilder offers recommendations for a successful IoT cybersecurity strategy.
USB standards group introduces confused branding plan to coincide with new USB 3.2 standard (Computing) Confused about USB? You will be following USB-IF's latest branding plan
Design and Innovation
Your Speech, Their Rules: Meet the People Who Guard the Internet (OneZero) Tech platform trust and safety employees are charged with policing the impossible. They open up to Medium’s head of trust and safety.
Insider-threat competition releases a cyber wolf in its flock (Fifth Domain) U.S. Cyber Command, as part of a new public-private partnership with and run by the Maryland Innovation and Security Institute, recently concluded an insider-threat detection competition at the DreamPort facility.
Call for cyber security innovators (Electronics Weekly) The London Office for Rapid Cybersecurity Advancement (LORCA) today launches the open call for its third group of cyber innovators.
Research and Development
Researchers devise algorithm to protect hardware from side-channel attacks (Computing) Algorithm equalises power-draw making side-channel attacks harder to execute
China Is Catching Up to the U.S. on Artificial Intelligence Research (Government Technology) The U.S. may be ahead for now, but not by much.
Legislation, Policy, and Regulation
Controversial EU copyright reforms Articles 11 and 13 move one step closer (Computing) Zoey Forbes looks at how the draft EU Copyright Directive has been tweaked after lobbying from the tech industry and rightsholders.
DOD Leaders Brief Congress on IT, Cybersecurity, Information Assurance (EIN News) Senior Defense Department officials testified on the department’s information technology, cybersecurity and information assurance efforts today at a hearing of the House Armed Services Committee’s panel on intelligence, emerging threats, and capabilities.
Transportation cybersecurity to go under the microscope (POLITICO) Two House Homeland Security subcommittees gavel in to examine cyber threats to transportation infrastructure.
House Lawmakers Want to Avoid a Patchwork of State Data Privacy Laws (Nextgov.com) Experts outlined what they would like to see included in a federal data privacy law.
POLITICO Pro Q&A: Chris Krebs, Cybersecurity and Infrastructure Security Agency director (POLITICO) POLITICO sat down with Krebs the day after a hearing on H.R. 1, House Democrats’ leading vehicle for election security provisions.
SANS Legal Expert to Share How to Get Ahead of Data Privacy Legislation at Northern Virginia Cyber Security Training Event (PR Newswire) SANS Institute, the global leader in cyber security training, today announced SANS Northern VA Spring - Reston 2019 (#SANSReston) taking place May 19-24 in Virginia.
Why the cyber fast track is stalled at DOD (FCW) The Pentagon is having trouble hiring via the Cyber Excepted Service, thanks to too few personnel and a backlogged and complicated security clearance process.
Georgia House OKs Touchscreen Voting Machines Amid Opposition (Government Technology) Critics have called for a return to scannable paper ballots, but lawmakers in the House approved a move to machines that allow voters to make their selections on a screen before a completed ballot is printed.
Ohio Elections Chief Backs Cyberdefense Legislation (Government Technology) A proposal to create a civilian reserve force to fight back against cyberattacks got the support of Secretary of State Frank LaRose, who testified before a Senate oversight committee Tuesday.
Litigation, Investigation, and Law Enforcement
How Huawei Is Battling U.S. Spying Charges (Fortune) And hitting back, reminding the world about Edward Snowden.
Digital bank Revolut's money laundering lapse exposed (The Telegraph) One of Britain's most promising technology startups has been accused of violating basic banking rules by failing to block thousands of potentially suspicious transactions on its platform.
Kaspersky Lab Really Can't Catch a Break (Gizmodo) Russian cybersecurity firm Kaspersky Lab has struggled to regain its reputation after it was accused of aiding Russian intelligence operations and its software was banned from use by the U.S. government. But on Tuesday, another layer of mystery was added to the story when a Russian court convicted a senior researcher at Kaspersky Lab of state treason in the interest of the United States.
Lawmakers Demand Answers on Surprise Microphones Inside Google Nest (Nextgov.com) The group wants Google CEO Sundar Pichai to provide answers—in writing, and in person—on the microphones discovered in Nest products.
Operator of eight DDoS-for-hire services pleads guilty (ZDNet) Investigators tracked him down after he logged into his rented servers using his home IP addresses.
FTC Hits TikTok With Record $5.7 Million Fine Over Children’s Privacy (WIRED) The company will pay $5.7 million to settle allegations that the social media app formerly known as Musical.ly illegally collected information from children under 13.
TikTok fined $5.7m for violating children's privacy (The Telegraph) A video sharing app popular with children has said that it will remove content uploaded by users under 13 years old and instead guide them to age-appropriate content as part of a settlement with US regulators.
U.S. charges My Big Coin virtual currency firm founder with fraud (Reuters) The founder of a Nevada-based company was arrested on Wednesday on federal charges he participated in a $6 million scheme to defraud people who wanted to buy a virtual currency called My Big Coin that he claimed was backed by gold.
French data watchdog withdraws probe from location data guzzling adtech biz Vectaury (Register) CNIL says firm now collects valid consent, shutters case privacy-watchers hoped would help see off adtech's model.
Federal threat information sharing gets a more enterprise mindset (Federal News Network) She may have left federal government two years ago but Suzanne Spaulding is still very much keeping an eye on the state of agency cybersecurity. And she sees some good news.
Web hacker 'Alfabeto Virtual' thrown in the clink for 3 months by US judge who wanted to 'send a message' (Register) By contrast, Russian hack-treason trial ends with 22-year sentence and accusations of foul play.