Cyber Attacks, Threats, and Vulnerabilities
Twitter warns of government 'hacking' (BBC) Twitter has sent warnings to a number of users that their accounts may have been hacked by "state-sponsored actors"
Justice Department official: ISIS 'crowdsourced' terrorism by exploiting social media (PBS News Hour) One official at the helm of the U.S. government's fight against terrorism is the Assistant Attorney General for National Security John Carlin
Donald Trump Under Cyber Attack Over His Hate Speech Against Muslims (Morocco World News) Anonymous have declared a cyber war against Republican presidential candidate Donald Trump, over his anti-Muslim hate speech
The Hacktivist War on ISIS? (Slate) An offshoot of Anonymous has declared war on terrorism. But its efforts could be making things worse
Latentbot: A Ghost in the Internet (Dark Reading) Malware's multiple layers of obfuscation make it almost invisible FireEye says
Latentbot Is the Next Step in Evolution for Stealthy Backdoors (Softpedia) A stealthy new backdoor was detected by FireEye's Dynamic Threat Intelligence (DTI) team, one that takes great care to cover its tracks and stay hidden on infected systems like no other malware before it
Malware Hides, Except When It Shouts (GovInfoSecurity) Stealthy bootkit, plus refined ransomware, detailed in new reports
TeslaCrypt criminals launch 'very strong' spam campaign to spread crypto-malware (Computing) TeslaCrypt malware was first discovered earlier this year. Like other crypto-malware TeslaCrypt (also known as Alpha Crypt) encrypts the victims files, with the keys to unlock them only being sent after payment of a ransom in Bitcoin
Wexford man has PC ruined after cyber-criminals hack in demanding €800 ransom (Irish Examiner) The case has been made public by internet security firm ESET Ireland which received details from one of its partner companies in Wexford to which the man had gone seeking help
G Data warnt vor neuen Dridex-Malwarekampagnen gegen deutsche Nutzer (IT Espresso) Das gleichnamige Botnetz hat sich offenbar weitgehend von der im Oktober in mehreren Ländern durchgeführten Polizeiaktion erholt
Predictable: How AV flaw hit Microsoft's Windows defences (Register) An ecosystem issue explained
Steam Users Looking for Item Trading Shortcut Find Malware Instead (Motherboard) No good deed goes unpunished. Earlier this week, Valve took measures to protect Steam users from being hacked, but scammers are already using these new protections to lure gullible players into new traps
Polycom VVX-Series Business Media Phones Path Traversal Vulnerability (0-Day) (Depth Security Blog) In June I spent a little time in the web administrative interface of a Polycom VVX600 IP phone running UC Software Version 5.1.3.1675. As I proxied the traffic through BurpSuite, I immediately noticed something interesting in the requests that the interface uses to display phone background images and ring tones to web users
European Space Agency records leaked for amusement, attackers say (CSO) In all, 8,107 names, email addresses, and passwords were posted to the Web
German Cybercriminals Develop Flourishing Local Black Market (Infosecurity Magazine) German cybercrime business owners are developing sophisticated local offerings to better compete with English language and Russian underground marketplaces, according to a new report from Trend Micro
U-Markt Peering into the German Cybercriminal Underground (Trend Micro) The German cybercriminal underground is well-developed and -managed by cybercriminals even though it remains a small community in number compared with the Russian and Brazilian underground markets. It may also be the most developed underground within the European Union (EU) despite the existence of a French underground market. The Spanish underground, however, merged with the Latin American market
Piracy sites make up to '$70m per year by spreading malware' (International Business Times) Apart from selling stolen content, pirates have now found a new way to make their fortune — by spreading malware. They can earn up to $70m per year by merely spreading malware on users' computers
Hello Barbie, goodbye privacy — the internet-connected toys sparking security fears (Sydney Morning Herald) "It is a little freaky having a doll talking to you," says Kate Highfield. She's been chatting with Hello Barbie, a Wi-Fi-enabled plaything who promises to be "just like a real friend" — but for being plastic and having no hips
Business email compromise scams still happening, still successful (Help Net Security) Despite repeated warnings issued by law enforcement, information sharing organizations, and security companies, Business Email Compromise (BEC) scams still abound and the scammers still "earn" money
Cyber-Scammers Step Up Volume of Robocall Schemes During Holidays (eWeek) The advent of the holiday season seems to increase the number of phone scammers trying to install malware on your computer
Bulletin (SB15-348) Vulnerability Summary for the Week of December 7, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week
Security Patches, Mitigations, and Software Updates
Google extends Safe Browsing to Android Chrome (Naked Security) Google says that its Safe Browsing service already protects about 1 billion desktop users from all sorts of online nastiness, be it malware, unsavory software, or social engineering (particularly phishing) sites
Steam tightens security to stem tide of 77,000 monthly hijackings (Naked Security) Steam tightens security to stem tide of 77,000 monthly hijackings
About the security content of iTunes 12.3.2 (Apple Support) This document describes the security content of iTunes 12.3.2
Researcher says Microsoft Edge has inherited many of Internet Explorer's security holes (TechWorm) Microsoft Edge is filled with many Internet Explorer's security holes says researcher
Cyber Trends
Kaspersky Lab's new malware count falls but other AV provider have different figures (SC Magazine) Kaspersky Lab's new malware count falls as cyber-criminals look to save money — but other AV providers dispute Kaspersky's figures
Maintaining Privacy in the IoT Era (Information Security Buzz) Advances in technology have paved the way for an entirely new era of communication between people and machines
Cyber-warrior CEO lists 5 top threats in 2016 (Manila Times) It's almost the end of the year and like most corporate executives, Jeff Castillo finds himself in a mad rush to finish everything that has to be done and prepare for the coming year
TalkTalk style cyber attacks on firms could be set to worsen next year (City a.m.) Hackers will increasingly use distributed denial of service (DDoS) attacks to knock websites offline and dodge cyber security, businesses are being warned
Cyber-Attack Tools Used Against Businesses Differ from Those in Consumer Attacks: Survey (Legaltech News) Kaspersky Lab's experts found that in 2015, 58 percent of corporate PCs were hit with at least one attempted malware infection, up three percent from 2014
Hackers are waging 'asymmetric warfare' against big companies (Business Insider) The cofounder of Europe's only cyber security startup accelerator says big companies are waging "asymmetric warfare" against nimble-footed hackers who are increasingly looking to claim corporate scalps
48% of companies accuse their competitors of staging DDoS attacks against them (SC Magazine) A recent survey has revealed that 48 percent of businesses believe they know both the identity and motivation of those behind DDoS attacks carried out against them, a large portion of which believed it was their competitors orchestrating the attacks
In hacking, the blame game is purely for entertainment (Engadget) Pointing fingers doesn't make your data more secure
Global survey by Gemalto reveals impact of data breaches on customer loyalty (Dark Reading) Nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen
The Price of the Wearable Craze: Less Data Security (NBC News) Technology pioneer isn't a role people associate with former vice president Dick Cheney, but technology security experts today give his medical advisory team props for a move made back in 2007 — disabling the wireless capability on Cheney's pacemaker
Hackers in 'white hats' join effort to thwart the bad guys (Financial Times) Commuters in the Israeli port city of Haifa fumed during a particularly tedious traffic jam two years ago, never guessing that the logjam was caused not by an accident or some other relatively customary event — but reportedly by cyber attack
Cybersecurity experts cautiously optimistic about 2016 (Christian Science Monitor Passcode) Passcode was the exclusive media partner at an event looking at the cybersecurity landscape of 2016 hosted by the Atlantic Council think tank. Here's what we learned
7 Top Technology Trends for 2016 (LinkedIn) 2o15 was a transformative year for technological innovation. 2106 continues that technology trend with more disruption in sight. Below is a short list of my predicted trends for the coming year
Marketplace
Hacking is the biggest threat to British business (Telegraph) Increased awareness of cyber risks could lead to younger people with greater technical ability sitting on boards
IBM On An Acquisition Spree (Seeking Alpha) IBM has made 12 acquisitions this year, with the cloud and its cognitive system Watson driving them
VMware Throws in White Towel on Virtustream — A Good Move (FBRFlash) This morning, December 14, VMware announced in an 8-K that it would not be participating in the formation of the Virtustream Cloud Services joint initiative between EMC and VMware
CyberArk: Great Company, Expensive Stock (Seeking Alpha) A comparison to peers suggests that CyberArk is trading at high valuations around $40 per share. But CyberArk has a solid business, with strong profitability and a good product. Buying the stock now is very risky, while holding the stock is perfectly fine
LookingGlass Announces Cyveillance Acquisition and $50 Million Funding (BusinessWire) Acquisition positions LookingGlass as the most comprehensive threat intelligence provider adding open source intelligence for customized protection against threats targeted specifically at the client
Cybersecurity startup hires CIO to accelerate growth (CIO) Crowdstrike, armed with $100 million in funding in a burgeoning cybersecurity sector, has hired its first CIO. He will help the company as it expands globally
Products, Services, and Solutions
Cyberbullying insurance? That’s a real thing one company is offering in the United Kingdom. (Washington Post) It's no secret that online trolling can be disruptive. Some of its most extreme forms like swatting — where a harasser fakes an emergency to get police to raid a victim's home — are real world safety threats
QTS Adds Vormetric Encryption Platform to Data Security Offerings (ExecutiveBiz) QTS Realty Trust and Vormetric have teamed up to help QTS' government and commercial data center customers in efforts to meet data compliance requirements and protect their network infrastructures from potential data breaches
Exabeam Announces Technology Partner Program (BusinessWire) Integrated security analytics deliver market-leading protection against cyber threats
Facebook Introduces Security Checkup Tool For Android (Übergizmo) When it comes to security of apps on your mobile devices, not all apps were created equal
Technologies, Techniques, and Standards
Front lines of cyber risk: What's a company's best defense? (PropertyCasualty360°) "We've been hacked"
Cyber security standards office seeks feedback on infrastructure improvements (Busienss Insurance) A comment period on the National Institute of Standards and Technology's voluntary framework for improving critical cyber security infrastructure began Friday
NIST seeks feedback on how agencies use cyber framework (FierceGovernmentIT) The National Institute of Standards and Technology wants to know how people are using its voluntary Framework for Improving Critical Infrastructure Cybersecurity
UK hosts international cyber attack response test (ComputerWeekly) The UK has hosted an exercise to test how investigators and prosecutors across Europe and the US would work together in the event of a complex international cyber criminal incident
Home on the cyber warfare range: Hands-on training on how hackers think (Cronkite News) Other soldiers play war games. Why not cyber warriors?
New threat intelligence sharing site to open for all Canadian firms (IT World Canada) Canadian CISOs are about to get help in defending attacks through something few other nations have — a national cyber threat information exchange for small, medium and large enterprises from all sectors
PSC breaks cloud adoption down to 6 steps for CIOs (FierceGovernmentIT) A new six-step guide offers government agencies tips on how to transition to the cloud
A free, almost foolproof way to check for malware (InfoWorld via CSO) How to scan every running process on your system for malware in seconds, without installing antimalware software
Endpoint security still inadequate despite growing threats (Security Asia) Endpoint security solutions today are lacking in spite of significant gaps, vulnerabilities in security and heightened fear of a security breach, says Promisec, endpoint security and compliance vendor
Inside job: 6 ways employees pose an insider threat (Help Net Security) CISOs and CIOs have seen the prospects of losing control over data and the accompanying data privacy and security concerns as the biggest hurdle to cloud adoption
Learn to Hack Your Own Code (DZone) There are several quick tips and techniques to teach yourself how to hack your own code including free, open-source tools
Use The Privilege (Internet Storm Center) Windows is an operating system with security features. For example, one can specify which users can access a file
Don't Be a Victim of Tax Refund Fraud in '16 (KrebsOnSecurity) With little more than a month to go before the start of the 2016 tax filing season, the IRS and the states are hunkering down for an expected slugfest with identity thieves who make a living requesting fraudulent tax refunds on behalf of victims. Here's what you need to know going into January to protect you and your family
Advent tip #12: Don't email your credit card details! (Naked Security) During the holiday season, you, along with many other people, may use your credit card more than usual
Advent tip #13: Take care if internet friends ask for money (Naked Security) Lots of us have friends in the new-school sense of people that we think we know pretty well, but whom we've never actually met
Advent tip #14: Beware of login links in emails! (Naked Security) You've heard of phishing
Design and Innovation
MIT Creates Untraceable Anonymous Messaging System Called Vuvuzela (Softpedia) Scientists at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) have created an anonymous messaging system, in the same category as Tor, I2P, and HORNET, which takes a different approach to relaying messages between two parties
Academia
National Cyber Defence Research Centre opened at PES University (WebIndia123) National Cyber Defence Research Centre, sanctioned by National Cyber Safety and Security Standards (NCSSS), an autonomous body of Government of India was opened at PESUniversity, a Deemed to be University, here yesterday
Legislation, Policy, and Regulation
Firms expect fines, new costs from Safe Harbor changes (CSO) Survey says 70 percent of IT decision makers expect to increase spending next year as a result
Tech Firms Gird for New EU Privacy Law (Wall Street Journal) The new law is expected to be signed Tuesday, and will tighten privacy protections for online users
France won't block public Wi-Fi or ban Tor after all (Ars Technica) French PM has stated that "a ban on Wi-Fi is not a course of action envisaged"
Israel Military Eyes NATO-Like Global Cyber Coalition (Defense News) A principal architect of the Israeli military's cyber defense force says Israel can play a key role in creation of an operational alliance — similar to that of NATO, but global in scope — to collectively defend against global cyber threats
Can Silicon Valley 'disrupt' ISIL's virtual caliphate? (Al Jazeera) After San Bernardino, lawmakers called for tech companies to report or censor 'terrorist' content, but challenges abound
Intelligence agencies are using terrorism as a lever to weaken online privacy (Economic Times) Perhaps predictably, the battle against ISIS is blurring into a battle against encryption — the encoding and scram bling of digital messages so that they can only be read by those who have the right keys
The Moral Failure of Computer Scientists (Atlantic) In the 1950s, a group of scientists spoke out against the dangers of nuclear weapons. Should cryptographers take on the surveillance state?
What's the Plan? (US News and World Report) After the 9/11 attacks, a spooked Congress put aside its partisan divisions and worked quickly to provide law enforcement and intelligence agencies the tools they wanted to prevent another assault
Can National Security Advisor settle cybersecurity feud? (Christian Science Monitor Passcode) Two Congressional lawmakers want Susan Rice to get involved in a dispute between the State Department and industry officials over proposed export rules for technology that could be used for malicious purposes
House bill lets state, local take advantage of DHS cyber tools (Federal Times) A new bill passed a House vote on Dec. 10 expanding the Department of Homeland Security's cybersecurity role to include assisting state and local governments upon request
The FAST Act's Cybersecurity and Privacy Provisions for the Electric Grid, Internet of Things, and Connected Cars (Lexology) On Friday, December 4, President Obama signed the Fixing America's Surface Transportation ("FAST") Act, a $300 billion-plus highway and transportation law and the first comprehensive transportation spending law in a decade
DoD eyeing commercial cloud options for secret data (C4ISR & Networks) The Defense Department's cold feelings toward moving any of its classified data to a commercial cloud provider might be warming up as the department evaluates options for commercial cloud companies to handle and store secret information
Information warfare task force tackles Corps' strategy (Marine Corps Times) Marines are laying the groundwork for the Corps' next generation of information warfare — including offensive operations
National Guard making headway in nationwide cyber force (Defense Systems) As the Pentagon and the individual service branches push forward with filling out the eventual 133 cyber mission teams under the U.S. Cyber Command, the Guard and Reserve will be playing an increasingly important domestic role
Litigation, Investigation, and Law Enforcement
OPM still searching for 7 percent of breach victims (Federal Times) The Office of Personnel Management has been sending some 800,000 letters a day since Sept. 30, alerting current, former and prospective federal employees and family members that their information was compromised in a network breach last year
IG: OPM made mistakes in contracting for identity theft services (FierceGovernmentIT) A member of Congress is calling for the removal of the Office of Personnel Management's chief information officer following the release of an audit showing missteps in the agency's contract for identity theft services
Security of DoD noncore data centers, wireless, software in watchdog's sights (FierceGovernmentIT) The Defense Department's Office of Inspector General has more than 10 IT-related investigations planned for the year