In the News
This section features topical, current news items of interest to the international security community. These articles and highlights are selected from various popular science and security magazines, newspapers, and online sources.
- "Day of commercially available quantum encryption nears", 11 September 2014. Los Alamos National Laboratory and Whitewood Encryption Systems, Inc. have teamed up in the LANL's biggest IT agreement to date to try to bring quantum encryption to the public. Quantum technologies are able to produce truly random cryptographic keys at a unprecedented rate, which is one of many properties of quantum computing that can make encryption even stronger. (ID: 14-50099) See http://www.homelandsecuritynewswire.com/dr20140911-day-of-commercially-available-quantum-encryption-nears
- "Internet's security bug tracker faces its 'Y2K' moment", CNET, 16 September 2014. Common Vulnerabilities and Exposures, or CVE for short, is a list of security bugs used to keep track of vulnerabilities like Heartbleed. Ever since its creation in 1999, CVE has given each bug its own 4-digit identifier, but for the first time in its 15-year history, the number of vulnerabilities is set to exceed 9,999. Suddenly changing the standard to five digits could potentially create a Y2K-type scenario. (ID: 14-50100) Seehttp://www.cnet.com/news/internets-security-bug-tracker-faces-its-y2k-moment/
- "DOD communications: Bringing it all together", FCW, 15 September 2014. The Department of Defense is awaiting NSA approval for a move to bring "unified capabilities" (UC), a collection of "voice, video and instant messaging", to the cloud. In doing so, the DoD hopes to take advantage of the private cloud, with help from industry leaders, to improve internal communications in the Department. (ID: 14-50101) See http://fcw.com/articles/2014/09/15/rfp-for-unified-capabilities.aspx
- "SSL remains security weakness despite latest reinforcements", GCN, 12 September 2014. SSL is used to ensure server-to-client encryption, but a wide range of security weaknesses have become a growing cause for concern. The OpenSSL Project and security researchers have been working to develop tools and methods to find and patch weaknesses. (ID: 14-50102) See http://gcn.com/blogs/cybereye/2014/09/ssl-weakness.aspx?admgarea=TC_SecCybersSec
- "DOE, Google back quantum computing research", GCN, 10 September 2014. The Department of energy is backing several private and academic research groups to work on developing quantum encryption technology to protect America's critical infrastructure, while a Google Quantum Artificial Intelligence team has partnered up with a team at UC Santa Barbara to develop quantum computing and quantum cryptography technologies. (ID: 14-50103) See http://gcn.com/blogs/pulse/2014/09/doe-google-quantum.aspx?admgarea=TC_SecCybersSec
- "Confidence Wanes in Enterprise Ability to Detect a Network Attack", Infosecurity Magazine, 17 September 2014. According to surveys by Lieberman Software, many IT departments and security professionals are losing faith in their ability to detect and prevent intrusion into their networks, perhaps due to the increase of cyber-attack frequency. Fear of state-sponsored attacks are also high among IT and security professionals. (ID: 14-50104) See http://www.infosecurity-magazine.com/news/confidence-ability-to-detect-a/
- "WikiLeaks Releases FinFisher Surveillance Spyware to the Masses", Infosecurity Magazine, 16 September 2104. Wikileaks has released FinFisher, an intrusion system that enables interception of communications from popular operating systems, to the public. According to Julian Assange, "FinFisher continues to operate brazenly from Germany selling weaponized surveillance malware to some of the most abusive regimes in the world.(ID: 14-50105) See http://www.infosecurity-magazine.com/news/wikileaks-releases-finfisher/
- "Massively Distributed' Citadel Trojan Targets Middle East Petrochemical Giants", Infosecurity Magazine, 16 September 2014. The banking malware Citadel, which was discovered in 2012 as a tool for theft of banking credentials, has been re-purposed to attack petrochemical companies in the Middle East. APTs like Citadel often use tactics such as HTML-injection, remote-control, and keylogging. (ID: 14-50106) Seehttp://www.infosecurity-magazine.com/news/citadel-trojan-targets-middle-east/
- "High-Risk flaws affect the NOAA Satellite System JPSS", Cyber Defense Magazine, 15 September 2014. A Department of Commerce's Office of the Inspector General (OIG) audit found that the National Oceanic and Atmospheric Administration's (NOAA) Joint Polar Satellite System is (JPSS) ground system has over 23,000 high-risk vulnerabilities, including missing security patches, and vulnerabilities that were discovered through penetration testing. Though a slight decrease from the number of vulnerabilities found in recent quarters, this number is still dramatically higher than that of 2012 Q1, which was about 14,500. (ID: 14-50107) See http://www.cyberdefensemagazine.com/high-risk-flaws-affect-the-noaa-satellite-system-jpss/
- "'Spike' toolkit scales multi-vector DDoS with Windows, Linux hosts", SC Magazine, 24 September 2014. A newly-discovered toolkit named "Spike", which targets devices running Windows, Linux, and the ARM instruction set architecture, is capable of communicating and executing commands to perform DDoS attacks. The use of several DDoS payloads is a notable characteristic of Spike, as well as Spike's ability to target multiple platforms. (ID: 14-50110) See http://www.scmagazine.com/spike-ddos-toolkit-discovered/article/373501/
- "Mozilla plans to phase out support of SHA-1 hash algorithm", SC Magazine, 24 September 2014. Over the next two years, Mozilla will phase out trust in the SHA-1 -based security certificates. Firefox, Mozilla's popular web browser, will display warnings when SHA-1 certificates are encountered. Though SHA-1 has been in service for many years, advances in methods of attack and in computing power (such as quantum computing) could make SHA-1 obsolete in a few years. (ID: 14-50111) See http://www.scmagazine.com/mozilla-plans-to-phase-out-support-of-sha-1-hash-algorithm/article/373487/
- "IT giants Google and Apple enable encryption by default", SC Magazine, 24 September 2014. Apple and Google both announced moves to increase security for their customers through default encryption, as part of the recent trend towards UCE (User Controlled Encryption). UCE leaves the encryption keys in the user's hands, which means that service providers and companies like Google and Apple would be unable to help law enforcement access encrypted information. (ID: 14-50112) See http://www.cyberdefensemagazine.com/it-giants-google-and-apple-enable-encryption-by-default/
- "Jimmy John's has confirmed breach of POS systems at 216 stores", Cyber Defense Magazine, 26 September 2014. Sandwich chain Jimmy John's announced that POS systems at 216 of its locations suffered a data breach. According to the company, an intruder was able to steal payment card data over the course of about three months. Vulnerabilities in the software of the POS systems is suspected as the cause for the breach. (ID: 14-50113) See http://www.cyberdefensemagazine.com/jimmy-johns-has-confirmed-breach-of-pos-systems-at-216-stores/
- "Chinese hackers hit several US contractors", Cyber Defense Magazine, 19 September 2014. The Senate Armed Services Committee determined that an unreleased number of companies working as contractors for the US Transportation Command (TRANSCOM) suffered attacks from state-led Chinese APTs (Advanced Persistent Threats). The report in which the attacks were disclosed points to the 2015 defense spending bill, as well as better information in government, as an important part of combating APTs. (ID: 14-50114) See http://www.cyberdefensemagazine.com/chinese-hackers-hit-several-us-contractors/
- "GM Appoints First Cybersecurity Chief", Infosecurity Magazine, 26 September 2014. With sights set on potentially becoming a part of the small but growing market for driver-less cars, General Motors appointed its first cybersecurity chief, Jeffrey Massimilla. GM has plans to produce a car that can communicate with other cars and pieces of highway infrastructure, like traffic lights, within a few years. Putting lives in the hands of electronic systems like driver-less cars creates serious security implications and concerns. (ID: 14-50115) See http://www.infosecurity-magazine.com/news/gm-appoints-first-cybersecurity/
- "Apple's New iPhone 6 TouchID Hacked, as Usual", Infosecurity Magazine, 26 September 2014. Security researcher Marc Rogers reported that he was able to fool the iPhone 6's fingerprint scanner. The process Rogers describes would require a skilled criminal and a good copy of the fingerprint, but many would still consider this unacceptable, considering the iPhone 5 was plagued with the same exact security flaw. (ID: 14-50116) Seehttp://www.infosecurity-magazine.com/news/apples-new-iphone-6-touchid-hacked/
- "Shellshock: Internet in Peril Again as 'Heartbleed 2.0' Bash Flaw Strikes", Infosecurity Magazine, 25 September 2014. A security flaw found in the Bourne Again Shell (BASH), received a severity rating of 10 out of 10 by the NIST after it was discovered that the flaw could allow hackers to remotely execute code on a server and thereby steal information and disrupt networks. The flaw affects Linux and UNIX systems, which account for a large portion of the worldwide webpage servers. (ID: 14-50117) See http://www.infosecurity-magazine.com/news/internet-peril-heartbleed-20-bash/
- "Feds Issue Red-Flag Advisory on Escalating Insider Threats", Infosecurity Magazine, 24 September 2014. The Department of Homeland Security and the FBI concluded that insider threats are posing an increasingly grave threat to government and businesses. "Disgruntled" employees and former employees can cause serious harm by stealing data and software, or even sabotaging systems, even if they have been fired or otherwise left the organization. (ID: 14-50118) See http://www.infosecurity-magazine.com/news/feds-issue-redflag-advisory-on/
- "FBI director worries about encryption on smartphones", Computerworld, 25 September 2014. FBI Director James Comey expressed his concerns over the move by tech giants to implement encryption by default, and allow user-based encryption on mobile devices. Though these measures would allow even better data security for users, it also means that law enforcement would have a much harder time obtaining evidence, even with a warrant. (ID: 14-50119) See http://www.computerworld.com/article/2688095/fbi-director-worries-about-encryption-on-smartphones.html
- "AT&T offers secure links to IBM SoftLayer cloud", GCN, 26 September 2014. IBM and AT&T announced a new cooperative service that will allow customers to utilize IBM's SoftLayer cloud through the use of AT&Ts NetBond secure VPN. In doing so, both corporations hope to make it easier for customers to securely use the cloud for their IT needs. (ID: 14-50120) See http://gcn.com/articles/2014/09/26/ibm-att-cloud.aspx?admgarea=TC_SecCybersSec
- "Passwords vs. biometrics", GCN, 19 September 2014. With the rate of data breaches rising, being able to properly identify personnel and users is becoming an increasingly important factor in the world of cybersecurity. With traditional methods of identification (passwords, namely) being susceptible to theft and other weaknesses, biometric identification is becoming increasingly appealing as a better security alternative. Biometrics relies on the "close enough" principle and can be susceptible to spoofing, however, so it is far from perfect. (ID: 14-50122) See http://gcn.com/blogs/cybereye/2014/09/passwords-vs-biometrics.aspx?admgarea=TC_SecCybersSec
- "5 key IT bills still pending in Congress", FCW, 26 September 2014. A few significant IT bills are awaiting approval by the U.S. Congress, including The Federal IT Acquisition Reform Act, The Reforming Federal Procurement of IT Act, The Electronic Communications Privacy Act Amendments Act, The Cybersecurity Information Sharing Act of 2014, and The Federal Spectrum Incentive Act. (ID: 14-50123) Seehttp://fcw.com/articles/2014/09/26/5-key-it-bills-still-pending-in-congress.aspx
- "New approach to computer security: Wrist-bracelet", Homeland Security Newswire, 23 September 2014. A new solution for user identification, called Zero-Effort Bilateral Recurring Authentication (ZEBRA), requires users to wear a wrist that monitors the user's location with an accelerometer and gyroscope and logs them out when the leave a terminal. Continuous monitoring of users could help improve the security in areas such as healthcare by replacing current systems that log users out upon periods of activity. (ID: 14-50124) See http://www.homelandsecuritynewswire.com/dr20140923-new-approach-to-computer-security-wristbracelet
- "In Cyberspace, Anonymity and Privacy are Not the Same", Security Week, 26 September 2014 (Opinion). When it comes to cybersecurity, it is important to recognize the relationship between anonymity and privacy. Making this distinction, along with promoting information sharing, are several goals that have been embodied in bills that are currently being tried in Congress, namely The Cybersecurity Information Sharing Act of 2014 and The National Cybersecurity and Critical Infrastructure Protection Act of 2014. (ID: 14-50125) See http://www.securityweek.com/cyberspace-anonymity-and-privacy-are-not-same
- "ISIS Cyber Ops: Empty Threat or Reality?", Security Week, 25 September 2014 (Opinion). Social media has always been an important tool for extremist and terrorist groups. ISIS, like others before it, uses mediums like Facebook to attract people to their cause, raise funds, and spread their messages. However, more sophisticated cyber tactics, like hacking, could be used to seriously harm U.S. critical infrastructure. If ISIS follows the example of groups like the Syrian Electronic Army, terrorism-based cyber attacks from ISIS could become a reality. (ID: 14-50126) See http://www.securityweek.com/isis-cyber-ops-empty-threat-or-reality
- "The Security Revolution Will Be Automated", Security Week, 22 September 2014 (Opinion). As computer systems develop and evolve to allow increased functionality, lower costs, and increased productivity, vectors through which cyberattack can occur increases as well. Cyber crime and the software it employs evolve to continually test these new systems, with automated attacks becoming an increasingly significant part of this. It is the job of security professionals to combat this threat. (ID: 14-50127) See http://www.securityweek.com/security-insights-defending-against-automated-threats
- "Taiwan probes Xiaomi on cyber security", Reuters, 24 September 2014. Upon learning of reports that smartphones made by Chinese smartphone company Xiaomi Inc. automatically send user data back to servers in China, the Taiwanese Government began independent tests on the phones to determine whether they are a security threat or not. In the recent past, China has been accused of state-sponsored cybersecurity threats and espionage. (ID: 14-50130) See http://www.reuters.com/article/2014/09/24/us-taiwan-xiaomi-cybersecurity-idUSKCN0HJ08Z20140924
- "Bug Bounty Programs n The Good and the Bad", Information Security Buzz, 23 September 2014. Some might argue that bug bounty programs not only help reduce the occurrence of successful cyber attack, but can also be used in favor of the company in legal disputes after a breach. Poorly implemented bug bounty programs, however, have the potential to cause more harm than good, argues High-Tech Bridge CEO Ilia Kolochenko. (ID: 14-50132) See http://www.informationsecuritybuzz.com/bug-bounty-programs-good-bad/
- "Wear the Danger: Security Risks Facing Wearable Connected Devices", Information Security Buzz, 19 September 2014. Wearable devices in the Internet of Things (IoT) are very convenient for the user, but can also pose grave security risks. Researchers from Kaspersky Lab were able to find several vulnerabilities in devices like Google Glasses and Galaxy Gear 2, which could be exploited for MiTM attacks and remote spying. (ID: 14-50133) See http://www.informationsecuritybuzz.com/wear-danger-security-risks-facing-wearable-connected-devices/
- "Professor says Google search, not hacking, yielded medical info", SC Magazine, 29 August 2014. Upon being accused of hacking into a medical center's server and exposing sensitive information to a class of students, professor Sam Bowne of City College San Francisco (CCSF) clarified in an online post that the medical records were found via a simple Google search. According to Bowne, this was not done in front of a class and that the issue was reported to the E.A. Conway Medical Center upon discovery. (ID: 14-50044) See http://www.scmagazine.com/professor-says-google-search-not-hacking-yielded-medical-info/article/368909/
- "DDoS attacks rally Linux servers", SC Magazine, 04 September 2014. Malware known as IptabLes and IptabLex has been posing a significant threat in mid-2014 by using vulnerabilities on neglected Linux servers to propagate DDoS attacks with "significant size and reach." The malware is unusual in that it appears to origionate from Asia, and that it targets Linux systems for such an application. (ID: 14-50045) See http://www.scmagazine.com/ddos-attacks-rally-linux-servers/article/369854/
- "FBI, Apple investigate celebrity photo hacking incident", SC Magazine, 02 September 2014. The FBI and Apple have both confirmed that they are investigating a hacking incident that lead to the release of many "personal photos" from potentially over one hundred celebrities. Though the exact method by which the hacker obtained the photographs is unknown, they are known to have come from Apple's iCloud service. (ID: 14-50047) Seehttp://www.scmagazine.com/fbi-apple-investigate-celebrity-photo-hacking-incident/article/369340/
- "Hackers Breached HealthCare.Gov Website", Security Magazine, 04 September 2014. In July, a hacker was able to upload malicious code into a Healthcare.gov website in July. The hacker was not able to obtain sensitive information, however, as s/he was only able to access a server for testing code for the website, as opposed to "more sensitive parts of the website that had better security protections." (ID: 14-50048) See http://www.securitymagazine.com/articles/85795-hackers-breached-healthcaregov-website
- "Home Depot Reports Credit Card Security Breach", Security Magazine, 02 September 2014. Upon discovering stolen credit and debit card credentials on the underground market, several banks have contacted Home Depot to report evidence that the hardware retailer might be the source of a new round of stolen payment cards. The thieves appear to be the same group of Russian/Ukrainian hackers who were responsible for other recent breaches, such as that of Target and P.F. Chang's. (ID: 14-50049) See http://www.securitymagazine.com/articles/85770-home-depot-reports-credit-card-security-breach
- "Security Implications of the Electric Smart Grid", Security Magazine, 04 September 2014. A long-term plan to upgrade America's worn electrical energy system to a "smart grid" of smart, collaborative systems is underway. The "implicit trust" between devices on this network, however, raises some security concerns; interconnected systems could create more potential for security weaknesses. (ID: 14-50050) See http://www.securitymagazine.com/articles/85785-security-implications-of-the-electric-smart-grid
- "900,000 Android Phones Hit by Ransomware in 30 Days", Cyber Defense Magazine, 26 August 2014. In August alone, almost a million android devices are reported to have been infected with ransomware, which locks down phones and uses scare tactics to coerce victims into paying a ransom. This particular strain of ransomware, known as "ScarePackage," was reverse-engineered by mobile security firm Lookout, which reports that the authors of the ransomware appear to be Eastern European. (ID: 14-50056) See http://www.cyberdefensemagazine.com/900000-android-phones-hit-by-ransomware-in-30-days/
- "Russian Gang's Billions of Stolen Credentials Resurface in New Attack", Infosecurity Magazine, 02 September 2014. By using stolen passwords from the August hacking incident that resulted in a massive compromise of credentials, hackers have been employing brute-force tactics to gain access to people's Namecheap accounts, the domain name registrar claims. (ID: 14-50057) See http://www.infosecurity-magazine.com/news/russian-gangs-billions-of-stolen/
- "HP Warns of Growing North Korean Cyber Menace", Infosecurity Magazine, 02 September 2014. Despite a lack of sufficient critical infrastructure, North Korea has had some success in posing itself as "a serious cyber threat", according to a report by Hewlett-Packard. By using "quick-and-dirty" tactics, the hermit state has been able to launch numerous cyber attacks, including the Dark Seoul campaign in 2013. (ID: 14-50058) See http://www.infosecurity-magazine.com/news/hp-warns-growing-north-korean/
- "Apple CEO: iCloud Nude Photo Hack Wasn't Our Fault", Infosecurity Magazine, 05 September 2014. Following the fallout of the leak of celebrity's personal photos, Apple CEO Tim Cool reassured that security protocols for Apple's iCloud service. While blame for the incident is still somewhat up for debate, additional security features, such as notifications for when a specific device tries to log into an iCloud account for the first time, are expected to make the cloud storage service safer. (ID: 14-50059) Seehttp://www.infosecurity-magazine.com/news/apple-ceo-icloud-nude-photo-hack/
- "Barclays Unveils Vein Scanner to Authenticate Customers", Infosecurity Magazine, 05 September 2014. Financial services company Barclays announced that it will be using vein identification technology to identify customers and reduce the risk of fraud. Vein identification technology, which is already in use elsewhere, looks for unique vein patterns in fingers and is more accurate than conventional fingerprinting. (ID: 14-50060) See http://www.infosecurity-magazine.com/news/barclays-vein-scanner/
- "McAfee: Phishing Awareness Remains Abysmal", Infosecurity Magazine, 04 September 2014. A phishing quiz run by McAfee reveals that the ability to distinguish genuine emails from phishing emails is, overall, underwhelming. Phishing remains one of the largest, most predominant threats to cyber security. (ID: 14-50061) See http://www.infosecurity-magazine.com/news/phishing-awareness-remains-abysmal
- "Mozilla Combats MiTM Attacks, Rogue Certificates in Firefox 32", Infosecurity Magazine, 03 September 2014. Mozilla's newest browser update, Firefox 32, features enhanced security features, including rogue certificate prevention and MiTM-attack prevention through public-key pinning. Pinning creates an enhanced level of verification and trust for certificates, and helps to prevent "imposter" sites from hijacking a network connection. (ID: 14-50062) See http://www.infosecurity-magazine.com/news/mozilla-combats-mitm-attacks-in/
- "Hackers Use Large Numbers of Transient Domains to Hide Attacks", Infosecurity Magazine, 03 September 2014. According to an analysis of over half a billion hostnames by Blue Coat Systems, a not insignificant portion of "One-Day Wonders" (hostnames that exist for a day or less) are used maliciously for launching DDoS attacks, spam, and botnets. Because of their short lifetimes, such domains are hard to detect and employ preventative measures against before it's too late. (ID: 14-50063) See http://www.infosecurity-magazine.com/news/hackers-use-transient-domains-to/
- "NATO Set to Ratify Cyber as Key Military Threat", Infosecurity Magazine, 03 September 2014. This week, NATO plans to adopt a new policy in the cyber realm: an online attack against one NATO member will be considered an attack on all twenty-eight NATO members. The international alliance also plans to make improvements on information sharing and "mutual assistance" to help combat cyber threats. (ID: 14-50064) See http://www.infosecurity-magazine.com/news/nato-set-to-ratify-cyber-as-key/
- "AT&T Launches Security Resource Center", Infosecurity Magazine, 04 September 2014. AT&T has announced that it will be starting a threat intelligence portal for security and IT professionals. AT&T Security Resource Center, as it is called, will allow security experts to research, discuss, share ideas and work together on cybersecurity issues. (ID: 14-50065) See http://www.infosecurity-magazine.com/news/att-launches-security-resource/
- "SAIC debuts tiered cybersecurity solution", GCN, 02 September 2014. SAIC, along with the help of other cybersecurity groups, has created CyberSecurity Edge, a new solution that works with a customer's pre-existing infrastructure to fix vulnerabilities and optimize security measures. CyberSecurity Edge's tiered approach "provides maximum data security readiness and responds to advanced persistent cyber threats," according to sector president Doug Wagoner. (ID: 14-50067) See http://gcn.com/articles/2014/09/02/saic-cybersecurity.aspx?admgarea=TC_SecCybersSec
- "Researchers work to harden cyber infrastructure from WMD", GCN, 27 August 2014. A University of New Mexico team is being funded to research and develop solutions for recovery of cyber-infrastructure that is under threat from attack, including attack by weapons of mass destruction. The project, which is funded by the Defense Threat Reduction Agency (DTRA), aims to create a solution that accurately reflects the "multiple technology domains/layers and support scalable connectivity across large distances" that modern cyber-infrastructure is comprised of. (ID: 14-50070) See http://gcn.com/articles/2014/08/27/unm-dtra.aspx?admgarea=TC_SecCybersSec
- "Security Researchers Lay Bare TSA Body Scanner Flaws", TechNewsWorld, 22 August 2014. A group of researchers reported at the San Diego USENIX security conference that the Rapiscan Secure 1000 full-body scanner, which was employed by the Transportation Security Administration until recently, is vulnerable to cyber attacks. Additionally, the researchers found that someone with an understanding of how the device works would be able to fool it. (ID: 14-50074) See http://www.technewsworld.com/story/80935.html
- "Breaking the Cyber Kill Chain", Security Week, 04 September 2014. Lockheed Martin has created a "cyber kill chain" framework to describe the step-by-step process that hackers take when attacking a system. Depending on the capabilities of the entity defending against the attack, and on the specific type of attack itself, security experts will choose a specific point within the kill chain to attempt to disrupt the hacking process. If any part of the kill chain is interrupted, the entire hacking operation can be severely incapacitated. (ID: 14-50075) See http://www.securityweek.com/breaking-cyber-kill-chain
- "China Launches MitM Attack on Google Users", Security Week, 05 September 2014. Despite being blocked in China, access to google.com is still allowed by the government through CERNET; however, warnings about invalid SSL certificates while accessing Google through CERNET has led some to believe that the Chinese government is most likely attempting a MitM-style attack to monitor usage of the Google search engine by its citizens. (ID: 14-50076) See http://www.securityweek.com/china-launches-mitm-attack-google-users
- "Goodwill Blames Credit Card Breach on Third-Party Vendor", Security Week, 03 September 2014. After launching an investigation into a recent payment card data breach, Goodwill Industries concluded that attackers used a piece of malware to access Goodwill's systems over a one and a half year period. Names, payment card numbers, and expiration dates were stolen, but more sensitive information like PINs are believed to be safe. (ID: 14-50077) Seehttp://www.securityweek.com/goodwill-blames-credit-card-breach-third-party-vendor
- "The Irish Are Being Emailed A Trojan Downloader", Information Security Buzz, 04 September 2014. A malicious email has been identified by ESET Ireland that masquerades as a email to purchase confirmation. Alarmed by the unknown purchase, the victim is baited into following a link provided in the email that downloads the Elenoocka trojan, which then proceeds to attempt to download several other malicious files from the internet. This email appears to be targeted at the Irish. (ID: 14-50078) See http://www.informationsecuritybuzz.com/irish-emailed-trojan-downloader/
- "Data Breaches: Why the Costs Matter", Information Security Buzz, 03 September 2014. Though protecting against data breaches can be costly, cutting corners can lead to drastic consequences, and anyone who watches the news knows this too well. The legal costs, fines, and loss of reputation can easily be more costly to a large business than defensive measures. (ID: 14-50080) See http://www.informationsecuritybuzz.com/data-breaches-costs-matter/
- "Malware Still Generated at a Rate of 160,000 New Samples a Day in Q2 2014, Reports PandaLabs", 02 September 2014. The rate at which new malware is being produces reached 160,000 per day in the second quarter of 2014. Noteworthy malware trends include a significant rise in the occurrence of PUPs (Potentially Unwanted Programs), while trojans now account for a decreasing portion of malware, despite remaining the most common at roughly fifty-eight percent. (ID: 14-50081) See http://www.informationsecuritybuzz.com/malware-still-generated-rate-160000-new-samples-day-q2-2014-reports-pandalabs/
- "Can Cloud Vendors Be Trusted to Obey Data Protection Laws?" Information Security Buzz, 18 September 2104. A study on trust in the security of cloud storage found that European IT generally distrusts the ability of cloud storage providers to properly follow laws regarding protection of their data and their user's privacy, and that many see cloud storage as a factor that increases the likelihood of a data breach. The study also noted that data breaches that involved the cloud tended to have a much higher economic cost, which is known as the "cloud multiplier effect". (ID: 14-50082) See http://www.informationsecuritybuzz.com/can-cloud-vendors-trusted-obey-data-protection-laws/
- "Businesses and IT Security Companies, Unite!", Information Security Buzz, 17 September 2014. Driverless vehicles are one of many futuristic, computer-controlled concepts coming to life. They, as with computers of old, will be subject to the same security risks that classical computer systems are vulnerable to. Kaspersky Labs CEO and Chairman Eugene Kaspersky, believes that securing these systems must be done preemptively to ensure the safety of those who put their lives into the hands of this new technology. Kaspersky Labs has been researching security and risk factors of connected vehicles. (ID: 14-50083) See http://www.informationsecuritybuzz.com/businesses-security-companies-unite/
- "Cyber Security Initiatives Are Key to Public Sector Security, Says Databarracks", Information Security Buzz, 17 September 2014. Secure cloud services provider Databarracks concluded that in the UK, the public sector is often the most hard-hit when it comes to cyber threats. Public organizations, which may have fewer resources and a perceived lower risk, often lag behind government. Cyber initiatives and programs aimed at helping public businesses and organizations are, therefor, crucial. (ID: 14-50084) See http://www.informationsecuritybuzz.com/cyber-security-initiatives-key-public-sector-security-says-databarracks/
- "Preventing the Next Mega-Breach with Identity Relationship Management (IRM)", Information Security Buzz, 16 September 2014. With large-scale "mega data breaches" becoming all too common, speedy disclosure of and response to breaches is crucial to the reputation and financial situation of a company. The surge in data breaches will hopefully bring about a "new awareness" of data security, along with interest in solutions like Identity Relationship Management. (ID: 14-50085) See http://www.informationsecuritybuzz.com/preventing-next-mega-breach-identity-relationship-management-irm/
- "IoT Security Must Be Fixed for the Long Term, Says Beecham Report", Information Security Buzz, 16 September 2014. According to Beecham Research, the security of the rapidly approaching Internet of Things (IoT) is crucial to the safety and well-being of those who will be relying on it. As it stands, current IoT security technologies do not stand to the task. Beecham believes that industry collaboration, semiconductor-level security measures, and general awareness of the issues that interconnected "smart" devices bring about must all be stressed. (ID: 14-50086) See http://www.informationsecuritybuzz.com/iot-security-must-fixed-long-term-says-beecham-report/
- "Context Hacks Into Canon IoT Printer to Run Doom", Information Security Buzz, 15 September 2014. Researchers at Context Information Security, who have gained attention in the recent past for hacking a smart light bulb and other IoT devices, were able to remotely access a networked Canon printer and modify the firmware to run the popular 1990's video game "Doom". Canon was notified and has since fixed the issue. (ID: 14-50087) See http://www.informationsecuritybuzz.com/context-hacks-canon-iot-printer-run-doom/
- "Firms Must Have A BYOD Policy or Risk Major Security Breaches", Information Security Buzz, 09 September 2014. According to recent independent research by Samsung and McAfee, many companies report lost or stolen company-issued mobile devices, which poses a serious security risk. This, along with the not-insignificant cost of providing these devices, has made bring your own device (BYOD) policies more and more attractive to firms and companies. (ID: 14-50088) See http://www.informationsecuritybuzz.com/firms-must-byod-policy-risk-major-security-breaches/
- "Will Technology Replace Security Analysts?", Security Week, 15 September 2014. Chief Security Strategist of the Enterprise Forensics Group at FireEye Joshua Goldfarb discusses thoughts on the automation of security analysis -- Would technology be able to keep up with the ever-changing cyber landscape? Are the cyber threats themselves too dynamic to be able to be stopped by an automated process, or is human intelligence required? (ID: 14-50091) See http://www.securityweek.com/will-technology-replace-security-analysts
- "Next Generation Firewall: Looking Back to See Ahead", Security Week, 15 September 2014. By looking sequence of cat-and-mouse off that constitutes the history of the firewall, we can make predictions of where the imperative security tool is headed in the future. Learning from history will be essential to keeping modern firewalls up to the task they were created for. (ID: 14-50092) See http://www.securityweek.com/next-generation-firewall-looking-back-see-ahead
- "Top security concerns, need-to-know industry trends on agenda for ASIS 2014", Government Security News, 09 September 2014. ASIS International's 2014 Annual Seminar and Exhibits is set to take place in Atlanta, Georgia from Sept. 29th to October 2nd. Guests will be able to visit a wide range of lectures, addresses, and other educational exhibits and sessions on a wide range of security subjects from hundreds of companies. (ID: 14-50093) See http://www.gsnmagazine.com/node/42427?c=cyber_security
- "XSS Flaw Burns a Hole in Kindle Security", TechNewsWorld, 16 September 2014. An XXS flaw in Amazon's Kindle e-book library that allows cross-scripting was discovered by security consultant Benjamin Mussler. The flaw, which was fixed but then re-introduced later, allows hackers to use malicious code injection and steal a user's cookies that are associated with Amazon. (ID: 14-50094) See http://www.technewsworld.com/story/81055.html
- "DoD Ramps Up Security as It Drifts Toward Cloud", TechNewsWorld, 12 September 2014. Amazon Web Services and two other vendors, which have received authorization to be used for certain security levels of the DoD's Cloud Security Model, allow DoD agencies to better utilize cloud technologies. This is part of the DoD's move towards embracing cloud technologies as an effective tool to aid in its missions. (ID: 14-50095) See http://www.technewsworld.com/story/81035.html
- "Millions of Gmail Users Victims of Latest Password Heist", TechNewsWorld, 11 September 2014. A simple text file of approximately five million Gmail usernames and passwords were posted to a Russian security forum and distributed across the web. Google released a statement saying that there is no evidence that any of their systems were compromised, and notified the users who were listed in the text file. (ID: 14-50096) See http://www.technewsworld.com/story/81026.html
- "IBM Enlists Intel to Shore Up Hybrid Cloud", TechNewsWorld, 10 September 2014. To better embrace the potential of cloud technology, IBM announced that it will use Intel's Trusted Execution Technology to allow hardware-level security reassurance for its SoftLayer cloud platform. Security concerns are considered the biggest obstacle to adoption of cloud technologies. (ID: 14-50097) See http://www.technewsworld.com/story/81022.html
- "Virtually every agency of the U.S. government has been hacked: Experts", Homeland Security Newswire, 12 September 2014. Despite measures to bolster the United States' cyber defenses, the FBI's Robert Anderson explained to lawmakers that, in some way or another, nearly every one of the governments agencies has been hacked. Anderson, who is the executive assistant director for the FBIis Criminal, Cyber, Response, and Services branch, also cited cooperation between government and private sector cybersecurity teams is crucial for responding to and preventing cyber attack. (ID: 14- 50098) See http://www.homelandsecuritynewswire.com/dr20140912-virtually-every-agency-of-the-u-s-government-has-been-hacked-experts
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.