Cyber Attacks, Threats, and Vulnerabilities
Iran-Linked DNS Hijacking Attacks Target Organizations Worldwide (SecurityWeek) A DNS hijacking campaign targeting government, telecoms and commercial entities around the world has been linked to Iran.
For Owners of Amazon’s Ring Security Cameras, Strangers May Have Been Watching Too (The Intercept) Sources disclosed troubling privacy practices at a Ring office in Ukraine.
America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It (Wall Street Journal) A Wall Street Journal reconstruction of the worst known hack into the nation’s power system reveals attacks on hundreds of small contractors. The hackers then worked their way up the supply chain. Some experts believe two dozen or more utilities ultimately were breached.
NATO's Achilles' Heel: Power Grids (Atlantic Council) NATO leaders spent much of the last year trying to improve the mobility of Alliance forces across the European continent. While the elimination of logistical barriers between allies is an important first step, arguably too little attention was paid...
Task Force Update: With Three Months Until Ukraine’s Election Day, Foreign Interference Picks Up (Ukraine Elects) With less than three months to go before Ukrainians head to the polls to cast their votes for president, the election campaign is heating up. A number of political figures have registered their candidacies, and more are expected to follow suit. Accompanying ramped up election activity in Ukraine is
Google Search Results Spoofed to Create Fake News (Threatpost) The technique can be used to spread disinformation while leveraging the trust people have in Google's search results.
A DNS hijacking wave is targeting companies at an almost unprecedented scale (Ars Technica) Clever trick allows attackers to obtain valid TLS certificate for hijacked domains.
DNS Hijacking Campaign Targets Organizations Globally (Dark Reading) A group believed to be operating out of Iran has manipulated DNS records belonging to dozens of firms in an apparent cyber espionage campaign, FireEye says.
Global DNS Hijacking Blamed on Iranian Hackers (Infosecurity Magazine) Attacks seek to harvest log-ins from Middle East government users
Reports raise video privacy concerns for Amazon-owned Ring (TechCrunch) Amazon-owned smart doorbell maker Ring is facing claims that might give some smart home enthusiasts pause. Recent reports from The Intercept and The Information have accused the company of mishandling videos collected by its line of smart home devices, failing to inform users that their videos wou…
At Ring’s R&D Team, Security Gaps and Rookie Engineers (The Information) Jamie Siminoff had flown to frigid Kiev, Ukraine, to give a pep talk to the roughly 30 people who worked there for his fast-growing video doorbell startup, Ring. It was December 2016, and the Santa Monica, Calif., company had recently opened a satellite office in Ukraine to develop products that ...
High Toxicity SystemD Vulnerabilities in Most Linux Distros Identified (Computer Business Review) Major Linux distributions, from Red Hat to Debian, are exposed to three vulnerabilities in systemd (the Linux initialisation system and service manager)
Secret Service: Theft Rings Turn to Fuze Cards (KrebsOnSecurity) Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards, a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret Service warns.
An unsecured database exposed the personal details of 202M job seekers in China (TechCrunch) The personal details belonging to more than 202 million job seekers in China, including information like phone numbers, email addresses, driver licenses and salary expectations, were freely available to anyone who knew where to look for as long as three years due to an insecure database. That’…
No more privacy: 202 Million private resumes exposed (HackenProof Blog) Bob Diachenko, Director of Cyber Risk Research at Hacken.io, discovered a resume database breach, which he responsibly reported, and now it is safe.
Your Old Tweets Give Away More Location Data Than You Think (WIRED) Researchers built a tool that can predict where you live and work, as well as other sensitive information, just by using geotagged tweets.
AT&T to Stop Selling Location Data to Third Parties After Motherboard Investigation (Motherboard) After Motherboard found that AT&T, T-Mobile, and Sprint are selling their customers' phone location data ultimately to bounty hunters, AT&T has decided to stop service for all location aggregators, an essential part of the data supply chain.
Carriers Swore They'd Stop Selling Location Data. Will They Ever? (WIRED) Months after Sprint, AT&T, T-Mobile, and Verizon promised to stop selling user location data, the practice continues.
System Down: A systemd-journald exploit (Qualys Security Advisory) We discovered three vulnerabilities in systemd-journald.
Z-WASP Vulnerability Used to Phish Office 365 and ATP (Avanan) The ZWASP phishing method was taking advantage of a vulnerability in Office 365 to bypass all of Microsoft's security. All Office 365 users were vulnerable, with or without ATP. Avanan worked with Microsoft to repair the vulnerability.
How Chinese hackers pulled off the Italian con job, a Rs 130-crore heist (The Economic Times) Fraudsters spoofed emails of group CEO, held fake conference calls to fool India head of Italian co.
Heartbreaking Emails: "Love You" Malspam (SANS Internet Storm Center) Malicious spam (malspam) using zipped JavaScript (.js) files as email attachments--this is a well-established tactic used by cyber criminals to distribute malware.
'WhatsApp Gold' hoax makes a comeback (Action Fraud) The 'WhatsApp Gold' scam, which has been doing the rounds since 2016, has surfaced again in the form of a new message.
Victims report losing over £200,000, as fraudsters claim to be from TV Licensing (Action Fraud) Fraudsters are sending the public fake TV licensing emails to steal their personal and financial information.
Security Patches, Mitigations, and Software Updates
Cisco fixes serious DoS flaws in its email security appliances (Help Net Security) Cisco has plugged two vulnerabilities (one of which is critical) that open its email security appliances to denial of service attacks.
Cyber Trends
World War 3: Half US public fear major cyber attack while Russians boast 'we are ready' (Express.co.uk) Russians are confident their country is well prepared to deal with cyber warfare, more so than Britons or Americans according to a new poll by the Pew Research Centre.
Four cybersecurity trends every CIO should know (Help Net Security) Given the intricacy of today’s cyber security challenges, organisations will need to adopt a security approach that requires digital support.
Syncsort Survey Finds Disconnect Between Confidence in IT Security Programs and Data Breaches (BusinessWire) Despite an optimistic security outlook, 61 percent of organizations report they have either experienced a security breach or aren’t sure.
Is Security The Loser As Open Banking Takes Hold? (Infosecurity Magazine) What security challenges do PSD2 and open banking present?
Marketplace
The pre-seed diligence framework (TechCrunch) By now it’s clear that seed is the new Series A. Seed rounds have tripled in size and companies have been around for 2.4 years before they raise a seed round. A new stage has emerged to fill the gap.
The cybersecurity skills shortage is getting worse (CSO Online) More than half of organizations report a “problematic shortage” of cybersecurity skills, and there is no end in sight.
Cyren Announces Voluntary Delisting from the Tel Aviv Stock Exchange (PR Newswire) Cyren (NASDAQ: CYRN), a leader in cloud security, today announced that it is voluntarily delisting the company's...
Federal Bureau of Investigation Awards Salient CRGT $40.1M Prime Contract for Cybersecurity and Information Assurance Services (PR Newswire) Salient CRGT has been awarded a $40.1 million prime contract to provide critical cybersecurity services enabling...
Kaspersky Targets Enterprise Cybersecurity (PYMNTS) Russian cybersecurity company Kaspersky Lab announced plans to grow its enterprise cybersecurity position in Asia through a partnership with MSI-ECS Philippines, according to BusinessWorld reports this week. In its announcement, Kaspersky pointed to the Philippines’ “young and highly active online population,” making it a key market for the company. Its collaboration with MSI-ECS will focus […]
Sectigo Revamps Partner Program Post Comodo Rebrand (Channel Partners) Partners can work toward four tiered levels, each providing incremental benefits, support, and pricing discounts, such as new revenue streams to capitalize on sales of Sectigo S/MIME, Certificate Manager, or IoT Manager, as well as CodeGuard backup and recovery solutions.
Forcepoint Names Matt Preschern as Chief Marketing Officer (PR Newswire) Global cybersecurity leader Forcepoint today announced that veteran technology marketing executive Matt Preschern...
Products, Services, and Solutions
Infosec products of the week: January 11, 2019 (Help Net Security) The most interesting information security releases of the week include the following vendors: Avnet, Continuum Security, Ledger, FireEye, Neurotechnology, Regulus Cyber.
Elcomsoft forensic tools can now extract Apple Health data from iCloud (iLounge) Elcomsoft has announced that its Phone Breaker 9.0 forensic extraction tool now has the ability to remotely access Apple Health data stored in iCloud, making it the first forensic tool to gain access to this information, and adding it to the list of other data such as call logs, photo libraries, passwords, messages, and more that can already be extracted by Elcomsoft’s forensic tools.…
Trustwave unveils new advanced Secure Email Gateway for blended threats (Help Net Security) Trustwave Secure Email Gateway 8.2 addresses phishing campaigns, policy control and supports Microsoft Azure Rights Management.
Threat modelling joins DevSecOps processes through automation (Help Net Security) IriusRisk 2.0 enables threat modelling at scale and provides follow-up throughout the development process via integration with DevSecOps.
Trend Micro IoT Security 2.0 enhances end user protection and device makers’ reputation (Help Net Security) Trend Micro IoT Security 2.0 helps customers improve the security of products and the wider IoT ecosystem, while enabling them to drive differentiation.
Technologies, Techniques, and Standards
Why do video games use stronger security than some Canadian banks? (The Globe and Mail) I’ll be blunt: Securely authenticating users’ digital identities – without trips to the bank – is a solved problem
Get a Password Manager. No More Excuses (WIRED) How important are password managers? Even their flaws double as reminders why you need one.
What is a software-defined perimeter, and do I need it? (SearchNetworking) A software-defined perimeter improves enterprise security by making users and devices invisible to outside attacks. Discover the basics of SDP and learn how it can alleviate common security challenges.
Phishing: The future is zero tolerance (GCN) After years of data, the numbers are in: You're letting me hack you every time.
Design and Innovation
Lithuanian 'Elves' Fight Russian Trolls Online (Fifth Domain) Your news and information resource bringing the civilian, defense, industry, private sector and critical infrastructure cyber conversations together in one place.
Facebook brings fact-checking service to the UK to take down disinformation (The Telegraph) Facebook has launched its fact-checking service in the UK to deal with pages of disinformation that have become commonplace on the social network.
A Blueprint for Content Governance and Enforcement (Facebook) My focus in 2018 has been addressing the most important issues facing Facebook. As the year wraps up, I'm writing a series of notes about these challenges
At CES, Focus is On ‘Cool Factor’ Not IoT Security (Threatpost) When it comes to IoT, the priority at CES is the "wow factor" – but not so much a focus on security.
Research and Development
DARPA probes tech to solve supply chain uncertainty (FCW) DARPA and private companies are looking to improve supply chain security through the use of tiny chips and diamonds that can authenticate IT parts used by the government.
Researchers Retract Study That Said Fake News Is Just as Likely to Go Viral as the Truth (Motherboard) A paper that claimed the quality of information doesn't factor into how viral it becomes under conditions of "information overload" has been retracted.
People older than 65 share the most fake news, a new study finds (The Verge) And the finding holds true across party lines
Research finds heavy Facebook users make impaired decisions like drug addicts (TechCrunch) Researchers at Michigan State University are exploring the idea that there’s more to “social media addiction” than casual joking about being too online might suggest. Their paper, titled “Excessive social media users demonstrate impaired decision making in the Iowa Gambling …
Academia
Analysis | The Cybersecurity 202: High schoolers must start training for security jobs to fill the talent gap, professors say (Washington Post) There's a national shortage of workers in a critical field.
Legislation, Policy, and Regulation
Software patents poised to make a comeback under new patent office rules (Ars Technica) New rule narrows landmark 2014 Supreme Court decision limiting software patents.
Reps. McNerney and Latta Reach Across the Aisle to Introduce Grid Security Legislation (Congressman Jerry McNerney) To combat the increasing threat of cyberattacks and strengthen critical national infrastructure, Congressmen Jerry McNerney (CA-09) and Bob Latta (OH-05) introduced two bipartisan pieces of legislation to improve our nation’s grid security and resilience. H.R. 359, the Enhancing Grid Security through Public-Private Partnerships Act, and H.R. 360, the Cyber Sense Act, aim to bolster America’s electric infrastructure by encouraging coordination between the Department of Energy (DOE) and electric utilities.
DoD ramps up development of a ‘cyber factory’ (Fifth Domain) The Department of Defense is rapidly working to provide cyberwarriors capabilities under the Unified Platform.
We Could Easily Stop Location Data Scandals, But We Cower to Lobbyists Instead (Motherboard) Your daily habits are collected, sold, and abused by a universe of shady middlemen—and government couldn’t care less.
Katie Arrington has a new job at the Department of Defense (The State) Former SC candidate for Congress Katie Arrington has a new job. On her Facebook page, Arrington says she is working in the Defense Department after she lost her 1st District race to Democrat Joe Cunningham.
Litigation, Investigation, and Law Enforcement
Chinese Huawei Executive Is Charged With Espionage in Poland (Wall Street Journal) Polish authorities detained and charged the sales director of Huawei’s local office, a Chinese national, for conducting high-level espionage, amid widening global scrutiny of the technology giant.
Google Nears Win in Europe Over ‘Right to Be Forgotten’ (Wall Street Journal) Alphabet’s Google and other search engines shouldn’t be forced to apply the European Union’s “right to be forgotten” beyond the bloc’s borders, an adviser to the EU’s top court argued.
Hacker attack on politicians: 20-year-old confesses to data theft (netzwelt) The personal data of several politicians, celebrities and journalists has become public. The Federal Criminal Police Office (BKA) acted quickly and the suspected perpetrator was four...
How do "we" best defend ourselves? Current advice from G-Data on the topic: What users should learn from the "hacker attack" (Lokalkompass) Source Doxing: What users should learn from the "hacker attack" The publication of private data of politicians, satirists and other celebrities is currently causing a great deal of commotion.
Kaspersky Spotted Leak NSA Missed as Spy Agency Lacks ‘Good Handle’ on Security (Sputnik) On Wednesday, Politico reported that Moscow-based Kaspersky Labs, which is banned on US government computers over spying fears, helped uncover in 2016 perhaps the single largest theft of US intelligence in history. Sputnik spoke with Kim Zetter, the author who broke the ironic story, about what happened.
Russian cyber firm hounded in US helped NSA bust 50TB data breach – report (RT International) Kaspersky Lab may be portrayed by the US media as an extension of the Russian government using its antivirus software to snoop on gullible Americans, but in 2016 it helped the NSA to bust a massive security breach.
Supreme Court refuses to hear Fiat Chrysler appeal in Jeep hacking case (Naked Security) The court’s action means that one of the first legal cases involving cyber security risks in cars will go to trial in October.
Zurich Refuses to Pay Out For NotPetya ‘Act of War’ (Infosecurity Magazine) Confectionery maker Mondelez is claiming $100m
Mondelez sues Zurich in test for cyber hack insurance (Financial Times) Insurance group had refused to pay for NotPetya attack, invoking a war exclusion
Cooking Utensil Firm OXO Files Data Breach in California (Infosecurity Magazine) Hackers are believed to have accessed names, addresses and credit card information.
El Chapo Trial: How a Colombian I.T. Guy Helped U.S. Authorities Take Down the Kingpin (New York Times) Cristian Rodriguez was hired by the Sinaloa drug cartel to create a secure encrypted communications network. Then he helped the F.B.I. break into it.
IT Guy’s Help Snares Mexican Drugs Baron (Infosecurity Magazine) Consultant helped Feds listen in on ‘secret’ chats
'El Chapo' computer whiz tells court of 'nervous breakdown' after... (Reuters) Self-described computer whiz Christian Rodriguez told jurors on Thursday how he ...
Massachusetts man gets 10 years in prison for hospital cyberattack (Reuters) A Massachusetts man was sentenced on Thursday to more than 10 years in prison fo...