Cyber Attacks, Threats, and Vulnerabilities
Hacked tornado sirens taken offline in two Texas cities ahead of major storm (ZDNet) City officials took hacked tornado sirens offline ahead of major storm. Luckily, they weren't needed.
Attacking the internal network from the public Internet using a browser as a proxy (Forcepoint) Malicious actors are aware of these attacks, but defenders need to be informed as well. In addition to describing the technical details of the attacks, we will discuss means of detecting and protecting against them.
BEC Goes Mobile as Cybercriminals Turn to SMS (Agari) As employees become more aware of phishing scams, cybercriminals are changing tactics, using SMS instead of email to encourage victims to send gift cards.
New BAE Systems research reveals human error still major vulnerability in network security (IBS Intelligence)
Hackers hit aluminum maker Hydro, knock some plants offline (Reuters) Norsk Hydro, one of the world's largest producers of aluminum, battled on T...
Aluminum producer switches to manual operations after 'extensive cyber-attack' (ZDNet) Norway's Norsk Hydro said a cyber-attack late on Monday night crippled its IT systems.
How hackers stole $20m from Bank of Mexico (Computing) Attacks on Bank of Mexico occurred in April 2018 with cash withdrawn from several banks across Mexico.
DHS Secretary Kirstjen Nielsen Warns That U.S. Is 'Not Prepared' for Cyberattacks From Foreign Countries (Townhall) Department of Homeland Security Secretary Kirstjen Nielsen warned Monday that the United States is “not prepared” to handle cyberattacks from foreign countries and laid out some measures DHS was taking to respond to these threats.
Most antivirus apps do absolutely nothing (The Independent) Some of the Android apps in the Google Play store were so ineffective that they detected themselves as malware
Sprint customers say a glitch exposed other people’s account information (TechCrunch) Several Sprint customers have said they are seeing other customers’ personal information in their online accounts. One reader emailed TechCrunch with several screenshots describing the issue, warning that they could see other Sprint customers’ names and phone numbers. The reader said th…
ISIS Spokesman Ends Silence by Calling for Retaliation Over New Zealand Massacres (NYTimes) As his caliphate crumbles, the Islamic State spokesman, Abu Hassan al-Muhajir, issued a 44-minute speech mocking America’s claim of victory.
UN Report: N. Korea Targets Cryptocurrency Exchanges, Banks (BankInfoSecurity) North Korea's cybercrime capabilities have given the country the ability to flaunt international sanctions by allowing the regime to steal millions in currency not
London’s Tourist Hot Spots Suffer 100m+ Cyber-Attacks (Infosecurity Magazine) Kew Gardens tops the list in new FOI research
Threat actors using stolen email credentials to breach cloud accounts: Survey (CISO MAG) According to the research by enterprise security firm Proofpoint, hackers are using IMAP-based password spraying attacks to breach Microsoft Office 365 and G Suite accounts which are protected with multi-factor authentication.
Mirai offshoot offers 'greater firepower' for DDoS attacks, researchers warn (CyberScoop) A new variant of the infamous Mirai botnet is targeting embedded devices like routers and internet-connected cameras with new exploits, security researchers have concluded.
New Mirai Variant Targets Enterprise IoT Devices (SecurityWeek) A new variant of the Mirai botnet is targeting IoT devices specifically intended for businesses, potentially signaling a focus toward enterprise.
New Mirai malware variant targets signage TVs and presentation systems (ZDNet) Security researchers spot new Mirai botnet with an enhanced arsenal of IoT exploits.
Cryptojacking of businesses' cloud resources still going strong (Help Net Security) In the past year or so, many cybercriminals have turned to cryptojacking as an easier and more low-key approach for "earning" money.
Ariana Grande file is 1 of 100+ ways attackers are exploiting WinRAR bug (SC Media) McAfee has observed 100+ exploits for a recently disclosed RCE bug in WinRAR, including one that uses a file containing bootlegged Ariana Grande music.
VMware security advisories issued (SC Media) VMware issued security advisories for VMware Workstation Pro/Player and VMware Horizon.
From MySpace to MyFreeDiskSpace: 12 years of music – 50m songs – blackholed amid mystery server move (Register) Vast storage savings...er, tragic loss attributed to a data migration gone awry
Here's What It's Like to Accidentally Expose the Data of 230M People (WIRED) The owner of Exactis, a 10-person firm that exposed a database including nearly every American, tells the story of his company's downfall.
This headline is proudly brought to you by wired keyboards: Wireless Fujitsu model hacked (Register) If you have an LX901, you are at risk of mild embuggerance
Lone staffer killed our shields, claims etailer Gearbest after infosec bods peep at user deets (Register) Whether it's 1.5m or 280k exposed, it's not a great look
AMD Believes SPOILER Vulnerability Does Not Impact Its Processors (BleepingComputer) AMD thinks that its processors are not impacted by the new SPOILER vulnerability that uses speculative execution to improve the efficiency of memory and cache attacks such as Rowhammer.
JNEC.a Ransomware Spread by WinRAR Ace Exploit (BleepingComputer) A new ransomware called JNEC.a spreads through an exploit for the recently reported code execution ACE vulnerability in WinRAR. After encrypting a computer, it will generate a Gmail address that victims need to create in order to receive the file decryption key once they pay the ransom.
Email scammers stole more than $150K from defense contractors and a university, FBI says (CyberScoop) Cybercriminals defrauded two defense contractors and a university out of more than $150,000 through email scams last year, the FBI has warned companies.
Vendor Compromises Data of 808,000 Singapore Blood Donors (HealthITSecurity) Singapore is dealing with yet another privacy breach of its citizens, after its HSA vendor left the personal data of 808,000 blood donors exposed online on an unsecured database for about two months.
Vendor Exposes Singapore Health Blood Donor Data (Infosecurity Magazine) Human error leaves data of more than 800,000 blood donors exposed.
Bad cup of Java leaves nasty taste in IBM Watson's 'AI' mouth: Five security bugs to splat in analytics gear (Register) Worst brew than that time El Reg went on a road trip and stopped at a Denny's
'Shameless' Scammers Seek to Cash in on Christchurch Massacre (SecurityWeek) Scammers are trying to cash in on the Christchurch mosque massacres, using phishing emails with links to fake bank accounts to ensnare people keen to donate, New Zealand's cyber security body said Monday.
Vulnerability Summary for the Week of March 11, 2019 (US-CERT) The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Is it still a good idea to publish proof-of-concept code for zero-days? (ZDNet) Time and time again, the publication of PoC code for zero-days and recently patched security bugs often helps hackers more than end-users.
EU gov’t and public health sites are lousy with adtech, study finds (TechCrunch) A study of tracking cookies running on government and public sector health websites in the European Union has found commercial adtech to be operating pervasively even in what should be core not-for-profit corners of the Internet. The researchers used searches including queries related to HIV, menta…
Public disgrace: 82% of EU govt websites stalked by Google adtech cookies – report (Register) Plus: UK health service sites contain commercial trackers
Security Patches, Mitigations, and Software Updates
IBM: Patch these critical Java, OpenJ9 Java bugs in Watson, analytics products (ZDNet) IBM warns Watson AI customers to check product versions after releasing new updates that address critical flaws.
Intel releases patches for code execution vulnerabilities (Naked Security) Intel released patches last week, fixing a range of vulnerabilities that could allow attackers to execute code on affected devices.
Microsoft bows to Chrome, Firefox, with security tweak (CRN Australia) Edge to take over when Chrome, Firefox see web nasties.
Google, Microsoft work together for a year to figure out new type of Windows flaw (Ars Technica) Researcher finds building blocks for privilege escalation: Can they be assembled to create a flaw?
Cyber Trends
G Suite admins can now disallow SMS and voice authentication (Naked Security) Users of G Suite may find that the option to authenticate themselves via SMS or voice call has suddenly disappeared.
Marketplace
Votiro Announces Strategic Alliance and Distribution Agreement with Ingram Micro Inc. (Business Wire) Votiro announces a strategic alliance and distribution agreement with Ingram Micro, Inc., to help expand Votiro's market reach across North America.
Desperate to get through to execs, some cybersecurity vendors are resorting to lies and blackmail (CNBC) Aggressive sales tactics can make it harder for overworked cybersecurity execs to find and stop real threats.
Mauritius Cyber Security Firm Opens Rwanda Subsidiary (KT PRESS) A Mauritius cyber security company has launched operations in Rwanda with intent to help cut down on cyber security threats across Insurance Companies and Financial Institutions. The tech company - Secure Services Mauritius will initially invest $500,000 (about Rwf450million) - following its ent
Akamai cuts 140 jobs as it seeks to boost security business (The Boston Globe) Akamai said less than 30 of the positions were in Massachusetts, where it has offices in Cambridge and Westford.
Google seeking to promote rivals to stave off EU antitrust action (Reuters) Google is trying to boost price comparison rivals such as Kelkoo in an effort to appease European Union antitrust regulators and ward off fresh fines following a 2.4-billion-euro ($2.7 billion) penalty nearly two years ago.
Explainer: Germany, at last, launches 5G spectrum auction (Reuters) Germany begins an auction of spectrum for next-generation 5G mobile networks on Tuesday, the outcome of which will play a decisive role in determining whether Europe’s largest economy remains competitive in the digital age.
Facebook plans more fact-checking ahead of European Parliament Election (Reuters) Facebook plans to ramp up efforts to fight misinformation ahead of the European Parliament election in May and will partner with German news agency DPA to boost its fact-checking, a senior executive said on Monday.
Dragos acquires NexDefense to bolster ICS defense capability (SC Media) Dragos has acquired the industrial control system (ICS) visibility technology firm NexDefense and has announced the availability of a suite of tools for companies to assess their ICS security.
MAVA Welcomes, Spotlights Public Companies (Mid-Atlantic Venture Association) Tenable and Yext to be featured at April 11th’s Spring C-Suite Summit.
Google’s terrible, horrible, no good, very bad fortnight (CRN Australia) It's not just Gmail that's wobbled lately, and the problems have been self-inflicted.
CBA assures itself of LandMark White's post-breach infosec (iTnews) First lender to reinstate valuation firm.
Talent Gap: Self-Inflicted Wound? (Forbes) Is the massive talent gap in security actually self-inflicted? Can we close it by changing what and how we design tools and organizations to enable us to recruit, hire and retain differently? It's time to participate in our own rescue and stop whining that there aren't enough people to fill the SOC.
Products, Services, and Solutions
WhiteHat Sentinel Source Standard and Essential Editions Receive Highest OWASP Benchmark Accuracy Ratings of All Submitted SAST Solutions (Business Wire) WhiteHat Security, the leading application security provider committed to securing digital business, today announced that both WhiteHat Sentinel Sourc
SK Telecom to apply quantum cryptographic technology to 5G network (Pulse News) South Korea’s leading mobile carrier SK Telecom Co. will apply quantum cryptography technology, considered as the most complex and safe data security technology, to its 5G network system to ensure dominance in Korea’s wireless market which makes generational shift to 5G for the first time in the world in the first half.
CyberSec First Responder (CFR) Free Training (Phoenix TS) See if the CyberSec First Responder training course and certification are the right fit for you by enrolling in our free 4-hour sample course. This course is available for one day only (Thursday March 21, 2019) in person in Columbia, MD or Live Online
Offensive Security Makes Advanced Web Attacks and Exploitation Training Course Available Online (AP NEWS) Offensive Security, the leading provider of online hands-on training and certification for information security professionals, today announced that the company’s popular Advanced Web Attacks and Exploitation (AWAE) training class is now available as an online course.
DFLabs and CyberGate Join Forces to Deliver SOAR in Middle East (DFLabs) DFLabs announced CyberGate, based in Abu Dhabi, United Arab Emirates, as its first managed security services provider (MSSP) partner in the Middle East.
Slack launches Enterprise Key Management, a tool that gives admins control over encryption keys (ZDNet) With EKM, businesses gain control over the encryption keys used to encrypt the files and messages within their Slack workspace.
Android Q will come with improved privacy protections (Help Net Security) Android Q, the newest iteration of Google's popular mobile OS, will feature a number of changes whose aim is to help protect users' privacy.
Google Gives Users More Choice with Location-Tracking Apps (Threatpost) Developers will have a new option for Android apps to track location only when in use.
New HTTPS Interception Tools Available from Cloudflare (BleepingComputer) Cloudflare announced the release of two new tools designed to make it simpler to check if TLS connections to a website have been intercepted, to detect vulnerable clients and potentially notify them when their security is compromised or degraded.
Secure Decisions Demonstrates Newest Software Penetration Testing Technology at Department of Homeland Security Cybersecurity Showcase (Globe Newswire) Secure Decisions, a division of Applied Visions, Inc. and a leader in cybersecurity research, will be participating in the 2019 S&T Cybersecurity and Innovation Showcase hosted by the Department of Homeland Security (DHS) Science and Technology (S&T) Directorate, March 18-20, 2019 in Washington, D.C.
Code Dx Selected as Success Story at the Department of Homeland Security’s Cybersecurity and Innovation Showcase (Globe Newswire) Code Dx, Inc., provider of an award-winning application security solution that automates and accelerates the discovery, prioritization, and management of software vulnerabilities, today announced it will be spotlighted as a top success story at the 2019 S&T Cybersecurity and Innovation Showcase hosted by the Department of Homeland Security (DHS) Science and Technology (S&T) Directorate. Code Dx Enterprise, the company’s flagship product, grew out of the research funded by the DHS S&T to help secure the nation’s software supply chain from attack.
Technologies, Techniques, and Standards
Build defenses against cyber-attacks through public-private cooperation (The Japan News) It is necessary to protect social and economic systems from serious cyber-attack threats. The government must expedite arrangements to do so.
If you're still not using a password manager and VPN app, you're officially out of excuses (Futurism) 92 percent of U.S. adults have engaged in risky data security behavior in the past year.
UK code breakers drop Bombe, Enigma and Typex simulators onto the web for all to try (Register) You have to run GCHQ code? Nice try, spy guys
Why Phone Numbers Stink As Identity Proof (KrebsOnSecurity) Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities.
Just One Third of UK’s Small Firms Have Security Strategy (Infosecurity Magazine) New study aims to raise SMB awareness this week
Being Unprepared is Not an Option (Security Today) What does the future hold for audit and compliance?
Design and Innovation
The People Trying to Make Internet Recommendations Less Toxic (WIRED) Recommendation algorithms on sites like Facebook and YouTube can send users down rabbit holes, spread falsehoods, and foster conspiracy theories.
Academia
Northrop Grumman Celebrates Successful Pilot of Australian CyberTaipan Competition (Northrop Grumman Newsroom) CANBERRA, Australia – March 19, 2019 – Northrop Grumman Corporation (NYSE: NOC) has concluded the first year of CyberTaipan with the 2018-19 National Finals held in Canberra on March 16. Launched in June 2018, the competition is a fun way to spark youth...
Legislation, Policy, and Regulation
China rejects 'abnormal' U.S. spying concerns as EU pushes trade (Reuters) China dismissed U.S. security warnings against its telecoms equipment maker Huaw...
U.S. warns Brazil about Huawei and 5G in talks: senior U.S. official (Reuters) U.S. officials have warned their Brazilian counterparts of their security concer...
DHS supply chain task force tees up plans (FCW) The co-chair of the task force laid out five work streams that will steer larger efforts around securing the technology supply chain.
The Honorable Kirstjen M. Nielsen – State of Homeland Security Address (YouTube) Auburn University’s Center for Cyber and Homeland Security (CCHS) hosts a discussion on the State of Homeland Security, featuring the Secretary of Homeland Security, The Honorable Kirstjen M. Nielsen.
DHS pushes new cyber hiring authorities (FCW) The department's budget requests $11.4 million to complete a new Cyber Talent Management System to hire and pay security workers based on their ability, not qualifications.
DoD requests almost $23B for key intel account (Defense News) The Pentagon wants to increase its secretive black budget for intelligence programs for a fifth straight year.
This is why Putin made a provocative visit to Crimea (Navy Times) On Monday, NATO and the European Union reaffirmed their strong condemnation of Russia's land grab.
Venezuelan opposition seizes control of U.S. offices (UPI) Representatives of Venezuelan opposition leader Juan Guaido have seized control of three diplomatic properties in New York and Washington Monday.
Tech giants will have to be regulated in future: EU's Timmermans (Reuters) The European Union and authorities around the world will have to regulate big technology and social media companies at some stage to protect citizens, the deputy head of the European Commission said on Monday.
Australia's Intelligence Agency Publishes its Vulnerability Disclosure Process (SecurityWeek) The Australian Signals Directorate (ASD), has joined NSA and GCHQ in publishing an account of its vulnerabilities disclosure process. All three agencies are part of the Five Eyes western intelligence alliance.
How a simple tweet opened frustration floodgates over security clearances (Federal News Network) Lawmakers introduced legislation to publish standards for granting, denying or revoking security clearances.
White House Requests More Than $17.4 Billion for Federal Cyber Efforts (Nextgov.com) Under the president’s 2020 budget proposal, the Pentagon’s cyber coffers would grow while funds for some civilian agencies dry up.
Cybersecurity Funding (The White House) The President’s Budget includes an estimated $17.4 Billion which supports the protection of Federal information systems and our nation’s most valuable information including the personal information of the American public.
Privacy Regulations Needed for Next-Gen Cars (Threatpost) With wide deployment expected in the next decade, the driverless automobile landscape looks fraught – from road safety to data protection.
Litigation, Investigation, and Law Enforcement
JPMorgan Hack Suspect Is Helping the U.S. Here's What He May Offer (Bloomberg) Shalon could be guide to Russian hacking, money laundering.
As Trump escalates rhetoric, Iran's wartime preparations include terrorist attacks and assassinations (Yahoo News) The Trump administration seems oblivious to the potential Iranian response to U.S. military action, warn multiple former officials. And yet Iran has been telegraphing its intentions — including its capacity and willingness to use terror — if a war takes place.
Mt Gox Crypto Boss Escapes Jail (Infosecurity Magazine) Karpeles given 2.5 year sentence, suspended for four years
Law enforcement agencies across the EU prepare for major cross-border cyber-attacks (Europol) The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable. To prepare for major cross-border cyber-attacks, an EU Law Enforcement Emergency Response Protocol has been adopted by the Council of the European Union. The Protocol gives a central role to Europol’s European Cybercrime Centre (EC3) and is part of the EU Blueprint for Coordinated Response to Large-Scale Cross-Border Cybersecurity Incidents and Crises.
New EU Protocol Preps for X Border Cyber Attacks (Infosecurity Magazine) EU law enforcement establishes protocol to prepare for and respond to cross-border cyber threats.
The Dark Web Enabled the Christchurch Killer (Foreign Policy) The attack in New Zealand was inspired in part by the Norwegian mass murderer Anders Behring Breivik, but the real threat is lone wolves lurking…