Cyber Attacks, Threats, and Vulnerabilities
OceanLotus adopts public exploit code to abuse Microsoft Office software (ZDNet) APT32 is using a public exploit to abuse Office and compromise targeted systems.
Takeaways From The Times’s Investigation Into Hackers for Hire (NYTimes) Companies that hired former intelligence operatives are selling sophisticated hacking tools to government officials, who in some cases use them for nefarious purposes.
Lexus, Toyota, Ford and Porsche panned for 'poor' keyless car security (Computing) Jaguar, Audi, Mercedes and Land Rover security considered 'superior' by experts at Thatcham Research.
APT32 ramps up targeting of global car companies (CyberScoop) Vietnamese hacking group APT32 has been targeting multinational automotive companies in an apparent bid to support the country’s domestic auto industry.
Norwegian phones sent personal data to China (NRK) Owners of the Nokia 7 Plus may for several months have had sensitive information sent to a server in China. The Finnish Data Protection Authority is considering an investigation following NRK's revelation.
The Norsk Hydro cyber attack is about money, not war (WIRED UK) Aluminium maker shows the importance of manual overrides as a way to cope when hackers cripple your systems
New FIN7 hacking tools uncovered months after Ukrainian arrests (CyberScoop) There is some evidence to suggest the group’s infrastructure is starting to reappear after months, according to research published Wednesday by Flashpoint.
Repeat Trick: Malware-Wielding Criminals Collaborate (BankInfoSecurity) Emotet pushes Ryuk, GandCrab taps NTCrypt, and BokBot borrows from Trickbot. With millions to be potentially stolen from victims, is it any wonder that
Norsk Hydro Unit Begins Operating at 50% of Capacity After Cyber Attack (Insurance Journal) Norsk Hydro, one of the world's largest aluminum producers, said a key unit is operating at only 50 percent of capacity following a cyber attack on the
Fake CDC Emails Warning of Flu Pandemic Push Ransomware (BleepingComputer) A new malspam campaign is being conducted that is pretending to be from the Centers for Disease Control and Prevention (CDC) about a new Flu pandemic. Attached to the emails is a malicious attachment that, when opened, will install the GandCrab v5.2 Ransomware on the target's computer.
2 in 1 Shopify and Paypal phishing scam (My Online Security) We see lots of phishing attempts for banking, Paypal and other login credentials. This is a newer entry to the lists. I don’t often see Shopify phishing emails. I was quite surprised to see a double…
Many Vulnerabilities Found in Oracle's Java Card Technology (SecurityWeek) Nearly 20 vulnerabilities have been found by researchers in Oracle’s Java Card technology, which is used for smart cards and SIMs. Oracle says the technology is deployed on nearly six billion devices each year.
Fake HMRC submission email delivers some sort of malware (My Online Security) I am having difficulty working out what is happening with this malware. The details about it were uploaded via our submissions system yesterday afternoon when I was out for a medical appointment.
North Carolina County Suffers Repeat Ransomware Infections (BankInfoSecurity) Attackers have hit North Carolina's Orange County with ransomware for the third time in six years. Government officials say IT teams have been working overtime to
Telecom Crimes Against the IoT and 5G (Trend Micro) Telecommunications or telecom technology is the underpinning of the modern internet, and consequently, the internet’s growing segment, the internet of things (IoT). At its best, this relationship is exemplified as advances in network connectivity as we move to 5G. In our paper with Europol’s European Cybercrime Centre (EC3), “Cyber-Telecom Crime Report 2019,” we explore how this relationship can also be used to threaten and defraud the IoT.
UK Police Federation Hit by Ransomware (Infosecurity Magazine) Police Federation of England and Wales suffered a malware attack.
Latest tactics used by cybercriminals to bypass traditional email security (Help Net Security) Cybercriminals are using new strategies to get past email security gateways, with brand impersonation being used in 83 percent of spear-phishing attacks.
Cisco posts security advisories for Series 7800 and 8800 phones (SC Media) For the second time in one week, security advisories were issued for a line of Cisco IP phones.
Magecart Nightmare Besets E-Commerce Websites (BankInfoSecurity) Script-based payment card malware continues its successful run, impacting a range of e-commerce sites, security researchers warn. With fraudsters continuing to
277,000 Patients Impacted in Medical Device Vendor Breach (HealthITSecurity) This week's breach roundup is led by medical device vendor Zoll's recent discovery that the personal and medical data of 277,000 patients was leaked during a server migration by its third-party vendor
iPhone malvertising app downloaded millions of times calls 22 known malicious servers (SC Media) A compromised iPhone app was found to be using malware to infect users by calling 22 known malicious domains.
Apple, Oracle, VMware products successfully hacked at Pwn2Own (CyberScoop) The white-hat hacking team known as "Fluoroacetate" took home the majority of the prize money available on Thursday at Pwn2Own 2019.
Reckless VII: Wife of Journalist Slain in Cartel-Linked Killing Targeted with NSO Group's Spyware (The Citizen Lab) This research brief details how Griselda Triana, journalist and the wife of slain journalist Javier Valdez Cárdenas, was targeted with NSO Group’s Pegasus spyware in the days after his killing.
Over 100,000 GitHub repos have leaked API or cryptographic keys (ZDNet) Thousands of new API or cryptographic keys leak via GitHub projects every day.
Thwarting an invisible threat: How AI sniffs out the Ursnif trojan (Darktrace) The cyber AI approach successfully detected the Ursnif infections even though the new variant of this malware was unknown to security vendors at the time.
'Sharing of user data is routine, yet far from transparent' is not what you want to hear about medical apps. But 2019 is gonna 2019 (Register) Study finds Android software slinging deets all over the place
NSO Group spyware used to target widow of Mexican journalist, researchers say (CyberScoop) A notorious piece of spyware created by NSO Group has been used to target the wife of a slain Mexican journalist, according to Citizen Lab
13-Year-Old Allegedly Hacked Teacher Account to Create Student 'Hit List' (BleepingComputer) A 13-year-old is currently under investigation after he allegedly used a teacher's credentials to hack into his school district's computing system to steal fellow students' personal information and create a "hit list."
Change your Facebook password now! (Naked Security) Facebook has done an audit and shocked even itself by finding plaintext passwords in logfiles back to 2012. Change your password now!
Facebook cares about privacy so much it stored passwords as plaintext (CRN Australia) Only Facebook staff could see them, but they looked nine million times.
Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years (KrebsOnSecurity) Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned.
Don't have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead) (Register) US govt sounds alarm over wireless comms, caveats apply
Medtronic Conexus Radio Frequency Telemetry Protocol (ICS-CERT) 1. EXECUTIVE SUMMARY. CVSS v3 9.3. ATTENTION: Exploitable with adjacent access/low skill level to exploit. Vendor: Medtronic. Equipment: MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, specific Medtronic implanted cardiac devices listed below. Vulnerabilities: Improper Access Control, Cleartext Transmission of Sensitive Information.
Flaw in popular PDF creation library enabled remote code execution (Naked Security) A researcher has discovered a high-severity bug in a popular PHP library used for creating PDFs.
You may trust your users, but can you trust their files? (Help Net Security) Aviv Grafi, CEO at Votiro, talks about their Content Disarm and Reconstruction (CDR) technology for protection against cyber threats.
Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis (The BMJ) Objectives To investigate whether and how user data are shared by top rated medicines related mobile applications (apps) and to characterise privacy risks to app users, both clinicians and consumers.
Researcher finds new way to sniff Windows BitLocker encryption keys (Naked Security) A researcher has published a new and relatively simple way that Windows BitLocker encryption keys can be sniffed in less secure configurations as they travel from Trusted Platform Modules (TPMs) du…
Most IT and security professionals feel vulnerable to insider threats (Help Net Security) 91 percent of IT and security professionals feel vulnerable to insider threats, and 75 percent believe the biggest risks lie in cloud applications.
Security Patches, Mitigations, and Software Updates
Cisco Patches High-Severity Flaws in IP Phones (Threatpost) The most serious vulnerabilities in Cisco's 8800 Series IP Phones could allow unauthenticated, remote attackers to conduct a cross-site request forgery attack or write arbitrary files to the filesystem.
Multiple Vulnerabilities Patched in PuTTY and LibSSH2 (SecurityWeek) PuTTY, an SSH and Telnet client program, and LibSSH2, a client-side C library for the SSH2 protocol, have both received updates fixing multiple vulnerabilities.
Schneider Electric Working on Patch for Flaw in Triconex TriStation Emulator (SecurityWeek) A serious DoS vulnerability has been found in Schneider Electric’s Triconex TriStation Emulator software. No patch is available, but the vendor says it does not pose a risk to operating safety controllers.
Facebook Pays Big Bounty for DoS Flaw in Fizz TLS Library (SecurityWeek) While Facebook’s bug bounty program does not typically cover DoS vulnerabilities, the social media giant has decided to award $10,000 for a serious flaw affecting its open source TLS library Fizz.
2019 State of Call Center Authentication (TRUSTID) As criminals’ tools and tactics shift, call center leaders become clearer about how they’ll fight back while preserving customer experience.
UK retailers directing more spend on cybersecurity (Essential Retail) British Retail Consortium annual report says cost of crime to retailers totals £1.9 billion, and reveals cybersecurity spending among businesses in the sector is on the rise.
Why Facebook’s Latest Privacy Snafu Is Particularly Gross (Slate Magazine) The company was careless with the information of some of its poorest users.
CEOs more likely to receive pay rise after a cyber attack. Wait, what? (Help Net Security) Bosses are more likely to receive a pay rise after their firm suffers a cybersecurity breach, a Warwick Business School study has found.
Uber developed spyware program in Australia to crush competition (ABC News) Uber developed and deployed a spyware program in its Australian office in an attempt to crush a local start-up that was backed by billionaire James Packer.
Aetna taps startup for broker encryption compliance (Digital Insurance) The health insurer has signed on with AlertSec, to scan the devices used by brokers for encryption capability.
Is A Lack Of Cyber Due Diligence Putting Your Deal At Risk? (Forbes) Just as the FCPA drove investors to formalize their corruption due diligence programs, Europe’s GDPR and China’s Cyber Security Law--alongside a raft of new data protection regulations globally--are beginning to drive a requirement for cyber due diligence.
Nokia says it is not taking on new business in Iran (Reuters) Finnish telecom equipment maker Nokia does not plan to take on any new business ...
Sonatype and HackerOne Team Up to Make Open Source Safer (Globe Newswire) Sonatype, the inventors of software supply chain management, today announced a partnership with HackerOne, the leading hacker-powered security platform, to create The Central Security Project (CSP).
O'Melveny Welcomes Former US Homeland Security Advisor and Senior Justice Department Official Lisa Monaco (PR Newswire) WASHINGTON and NEW YORK, March 21, 2019 /PRNewswire/ -- O'Melveny announced today that Lisa Monaco, former Homeland Security and Counterterrorism Advisor to...
Products, Services, and Solutions
Safety first: Volvo to add in-car sensors to prevent drunk driving (iTnews) Monitoring drivers for signs.
Frost & Sullivan Grants Sepio Systems the 2019 European Enabling Technology Leadership Award in the Rogue Device Mitigation Market (PR Newswire) GAITHERSBURG, Maryland, March 21, 2019 /PRNewswire/ -- Sepio Systems, which is disrupting the cyber-security industry by uncovering hidden hardware attacks,...
SecurityScorecard Announces Security Ratings Professional Advisory Services to Guide Customers Through Assessment Process (PR Newswire) NEW YORK, March 21, 2019 /PRNewswire/ -- SecurityScorecard, the leader in security ratings, today announced the availability of the Vendor Risk Management...
Opera brings back free VPN service to its Android browser (Naked Security) Opera lost its Android browser’s VPN after it was sold to a Chinese consortium, but now it’s back.
Technologies, Techniques, and Standards
Don't become another expensive statistic: Learn how to tackle cyber-criminals, at SANS London next month (Register) Training classes will cover all security angles
Facebook Tries to Explain Why It’s Struggled to Contain the Christchurch Shooting Video (Slate Magazine) Facebook says, “In the first 24 hours, we removed more than 1.2 million videos of the attack at upload.”
Instagram Testing Anti-Squatting Feature that Locks Old Usernames (BleepingComputer) Instagram is currently testing a new feature designed to automatically lock usernames for 14 days after the owners switch to a new handle, as discovered by mobile researcher Jane Manchun Wong in an Alpha version of the platform's Android app.
Threat Hunting Tips to Improve Security Operations (SecurityWeek) With the ability to prioritize, collaborate and learn, security operations teams can turn the unknown into the known more quickly to create a better, safer future.
This ‘Online Lie Detector’ Could Honestly Be a Problem (WIRED) Critics point out serious flaws in a study promising an "online polygraph," with potential to create deep biases.
Breaking the cybersecurity stalemate by investing in people (Help Net Security) Organizations should use virtual training labs or cyber ranges, which enable incident response training in safe environments that mirror real scenarios.
New state CIOs should ‘slow down to go fast’ (StateScoop) Commentary: North Carolina’s former technology secretary and statewide CIO, Chris Estes, tells new IT chiefs how he developed a budget, roadmap and strategy.
New phone who dis? Facial recognition models more farcical despite progress (Register) AI doesn't always work as well as you'd expect in real life
Is Facial Recognition the Key to Safe, Efficient Airports? (Government Technology) Documents obtained by the Electronic Privacy Information Center show that U.S. Customs and Border Protection plans to use facial recognition at 20 major international airports on 16,300 flights per week by 2021.
Livestreamed Massacre Means It’s Time to Shut Down Facebook Live (Opinion) (Government Technology) Children can't handle watching live-streamed massacres – and adults shouldn't have to.
Knowledge Gaps: AI and Machine Learning in Cybersecurity (Webroot) Perspectives from U.S. and Japanese IT Professionals.
Research and Development
Research & Development Coordination Has Improved, but Additional Actions Needed to Track and Evaluate Projects (GAO) GAO was asked to review DHS’s R&D efforts. This report examines (1) how much DHS has obligated for R&D and what types of R&D DHS conducts, (2) to what extent S&T coordinates R&D across DHS, and (3) how, if at all, DHS identifies and tracks R&D efforts.
Teens Learn to Battle Cyber Threats (PR Newswire) At Learn4Life, a dropout recovery program for at-risk high school students, network security is a popular career pathway that introduces students to the fundamentals of computer networking, cyber security and applied cryptography.
Legislation, Policy, and Regulation
Pompeo: China threatens US-Israel intelligence sharing (Washington Examiner) China's investment in Israel could undermine intelligence-sharing and other cooperation between the United States and the major Middle Eastern ally, Secretary of State Mike Pompeo warned Thursday.
Why Beijing is on a mission to quell Europe’s fears about China (South China Morning Post) The European Union has taken a tougher and more united stand on its biggest trading partner as concerns grow about Chinese influence on the continent.
National Archives of Australia concerned with capability to become cyber resilient (ZDNet) While the government entity is implementing a cyber resilience framework, its director-general has reservations around its capability to ensure full compliance.
UK.gov admits it was slow to intervene in Verify's abject failure to meet user targets (Register) We might not have signed up users, but at least we created a standard. It only cost £154m...
China's Xi visits Italy with Belt and Road deal as prize (AP NEWS) MILAN (AP) — At the heart of Chinese President Xi Jinping's visit to Rome that started Thursday is a key prize: a deal to make Italy the first major democracy to join China's ambitious Belt and...
Protests and Blackouts Sweep European Internet Ahead of Copyright Law Vote (Slate Magazine) Internet protesters will also take to the streets.
Senate Committee happy for Consumer Data Right Bill to be passed in current form (ZDNet) Despite hearing concerns around the Bill's ambiguity, lax privacy, and rushed nature, the Senate Economics Legislation Committee has still decided to recommend its passage.
Agencies lament govt's 'patchwork' cyber security model (iTnews) Call for better coordination, more funding.
DHS officials plan Europe trip to brief allies on election security, gather intel for 2020 (CyberScoop) Department of Homeland Security officials plan to visit European allies to share lessons learned from defending the 2018 U.S. midterm elections, a top DHS official said Tuesday.
Where CYBERCOM wants to expand the mission force (Fifth Domain) U.S. Cyber Command seeks to equip cyberwarriors under four main elements.
How the Energy Department is Prioritizing Secure Infrastructure (Nextgov) The budding Office of Cybersecurity, Energy Security and Emergency Response aims to deflect cyber, manmade and natural security hazards.
Trump to nominate Michael Kratsios to U.S. CTO role (FedScoop) President Trump announced Thursday that he intends to nominate Michael Kratsios to serve as U.S. chief technology officer.
A US State of Readiness? (Infosecurity Magazine) Does the US need its own version of GDPR?
Analysis | The Cybersecurity 202: Kushner’s WhatsApp habit raises security concerns (Washington Post) The presidential adviser's personal accounts were vulnerable to hackers.
Kushner used WhatsApp, personal email for gov't biz; McFarland used AOL to discuss Saudi Arabia nuclear transfer (SC Media) First son-in-law Jared Kushner, whose security clearance is currently under probe by lawmakers, “continues to use” WhatsApp and his personal email to
Gen. Dunford to meet with Google on AI work that 'benefits' China (FedScoop) The nation’s top uniformed officer fears that Google and other companies that work with China put the U.S.’s competitive advantage at risk. Gen. Joseph Dunford, chairman of the Joint Chiefs of Staff, said Thursday during an interview hosted by the Atlantic Council that he has a meeting scheduled with Google to discuss the company’s involvement with …
Experts: 2020 Is the ‘Big Game’ for U.S. Cyberadversaries (Government Technology) Forty-five states use voting equipment that is no longer manufactured and 12 use electronic-only machines, and researchers are concerned adversaries could find new ways to exploit these weaknesses.
Litigation, Investigation, and Law Enforcement
Assange lawyer says he's declined to cooperate with Nadler's document requests (The Hill) The founder of WikiLeaks has declined to cooperate with the House Judiciary Committee’s sweeping documents request, which is part of a broad investigation into President Trump's administration, campaign and businesses.
US slaps sanctions on 2 Chinese firms doing business with North Korea (CNN) The Trump administration on Thursday issued its first set of sanctions aimed at North Korea since the failed summit last month between Kim Jong Un and President Donald Trump, going after two Chinese shipping companies that have helped Pyongyang evade restrictions imposed by the US and United Nations Security Council.
Treasury Department Accuses North Korea of Evading U.S. Sanctions (WSJ) North Korea continues to import petroleum and export coal in defiance of U.S. and United Nations sanctions, the U.S. Treasury Department said, as nuclear negotiations between the two countries remain stalled.
Wiretaps, emails and checks: Parents in college admissions scam face tough legal fight (Los Angeles Times) Legal experts say cutting a deal makes sense for some parents in the college admissions scandal because of the overwhelming evidence that federal prosecutors have amassed.
As Russia collusion fades, Ukrainian plot to help Clinton emerges (The Hill) Newly unearthed evidence suggesting another foreign effort to influence the 2016 election — this time in favor of the Democrats.
Finland to Investigate Suspected Nokia Chinese Data Breach (SecurityWeek) Finnish authorities will launch an investigation into claims that Nokia phones have been transmitting users' personal data to China, the country's data protection ombudsman announced.
Finland to investigate Nokia-branded phones after data breach report (iTnews) Report claims handsets sent information to China.
UCLA Health Reaches $7.5M Settlement Over 2015 Breach of 4.5M (HealthITSecurity) UCLA Health has agreed to a $7.5 million settlement and resolution actions with the 4.5 million patients impacted by its 2015 health data breach, caused by a year-long hack on its network.
Tesla suing self-driving startup Zoox and former employees for stealing company data (SC Media) Tesla is accusing self-driving car startup Zoox and former employees of stealing trade secrets.
Autopilot engineer drove off to Chinese rival with our top-secret blueprints in the glovebox, Tesla claims in sueball (Register) Figuratively speaking... Source code for cruise-control system allegedly uploaded to iCloud
Microsoft tech support scammer pleads guilty to defrauding victims of $3 million (ZDNet) Suspect admits role in criminal operation within a week after being arrested.
Pastor convicted of hacking, insider trading gets five years... (Reuters) A former hedge fund manager who also worked as a pastor was sentenced on Thursda...
Chesapeake Beach councilman charged with illegal wiretapping takes Alford plea (Maryland Daily Record) Former Maryland state police officer and current Chesapeake Beach Town Council member Stewart Cumbo was charged with illegal wiretapping after he recorded roughly 275 phone calls between July and November 2018 without notifying the other parties that they were being recorded, the Office of the State Prosecutor announced Thursday.
Alexis Ronickher and Matthew LaGarde Publish Updated Version of Cybersecurity Whistleblower Protections Guide (Katz, Marshall & Banks) Katz, Marshall & Banks partner Alexis Ronickher and associate Matthew LaGarde published an updated version of the