Tag Archives: bay area pr

10Fold – Security Never Sleeps – 94

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: On Wednesday afternoon, LinkedIn users received an email titled “Important information about your LinkedIn account,” describing the massive 2012 hack and what the company is doing about it. A recently patched Adobe Flash Player vulnerability is being abused in a new malvertising campaign that redirects users to the Angler exploit kit (EK), Malwarebytes researchers warn. The TeslaCrypt creators called it quits recently, but unfortunately for users, there’s a new ransomware program that’s ready to take its place. Google intends to kill off passwords, as well as allow Android apps to run instantly without installing the apps first.

Finally! LinkedIn Comes Clean About Mass Data Breach – Publication: Fortune – Reporter name: Jeff John Roberts

In its email, LinkedIn claimed that it “became aware” last week that the data stolen in 2012 was being made available online. This seems a bit of a stretch—the whole point of stealing data is typically to sell it online—but we’ll take them at their word. And, unlike so many other LinkedIn emails, this one is definitely useful. Oddly, the email did not include any acknowledgement or apology for the dreadful security practices used by LinkedIn in the first place. These included poor cryptography, such as failing to “salt” the data, which made it easier for hackers to unscramble users’ passwords.


Angler EK Malvertising Campaign Abuses Recent Flash Zero-Day – Publication: SecurityWeek – Reporter name: STAFF

The campaign relies on domain shadowing and professional-looking fake ads that are sent to ad networks and displayed on legitimate websites. Furthermore, the attack is highly targeted, serving the malicious code conditionally and redirecting users to the Angler EK only after performing a series of checks otherwise known as fingerprinting. While the technique is not new, there are some interesting aspects about this malvertising campaign, including the fact that Angler is abusing the CVE-2016-4117 zero-day flaw in Adobe Flash Player that was patched on May 12. Attackers abused the vulnerability via specially crafted Office documents and an exploit for this vulnerability was added to the Magnitude and Neutrino EKs as well last week.


New DMA Locker ransomware is ramping up for widespread attacks – Publication: CSO – Reporter name: Lucian Constantin

Previous DMA Locker versions did not use a command-and-control server so the RSA private key was either stored locally on the computer and could be recovered by reverse-engineering, or the same public-private key pair was used for an entire campaign. This meant that if someone paid for the private RSA key, that same key would work on multiple computers and could be shared with other victims.


Google’s Trust API: Bye-bye passwords, hello biometrics? – Publication: NetworkWorld – Reporter name: Ms. Smith

Trust API will run in the background, always keeping track of your biometrics, so it will know you are really “you” when you unlock your device. It will utilize some of the common biometric indicators you might expect, such as your face print, as well as others such as how you swipe the screen, the speed of your typing, voice patterns, your current location and even how you walk. Combined, it gives a cumulative “trust score.”

10Fold – Big Data Business Insights – 44

Big Data

According to Forbes, data has a lot of enemies – and the largest group of opponents might just be those who have simply been force-fed too much media spin on the subject in the first place. The term Big Data has come to be defined as an amount of data that will not practically fit into a standard (relational) database for analysis and processing, caused by the huge volumes of data created by IoT as well as machine-generated and transactional processes. Some of the enemies of Big Data include IT architecture, amateur data science, resources (people who are able to analyze data, draw conclusions and help organizations make better business decisions based on the data), and culture – the ways an organization makes decisions based on what has previously been done successfully, or unsuccessfully.

What is Big Data? Like most things in tech, it depends on your perspective. Big Data is data that’s too big for traditional data management to handle. ZDNet describes Big Data in three V’s: volume, velocity, and variety; these three vectors describe how Big Data is so very different from old-school data management. Volume is the V most associated with Big Data because, well, volume can be big. Velocity is the measure of how fast the data is coming in. For example, Facebook has to handle a tsunami of photographs every day. It has to ingest it all, process it, file it, and somehow, later, be able to retrieve it. Variety depends on the type of data coming in. For example, email messages: a legal discovery process might require sifting through thousands to millions of email messages in a collection. Not one of those messages is going to be exactly like another. Each one will consist of a sender’s email address, a destination, plus a time. The three V’s describe the data to be analyzed. Analytics is the process of deriving value from that data.

The Seven Enemies of Big Data – Forbes

Volume, velocity, and variety: Understanding the three V’s of Big Data  – ZDNet

Hadoop

With Pivotal Software Inc.’s announcement that it is formally abandoning Hadoop development in favor of standardizing on Hortonworks Inc.’s platform, the field of active competitors in the Hadoop market has been culled to just a handful. With that as a backdrop, SiliconANGLE checked in with Mike Olson, who co-founded Cloudera, the first commercial Hadoop company, in 2008. Cloudera is considered the market leader in Hadoop-related platforms. With massive funding from Intel Capital and others, it’s well-positioned to see the market through to maturity.

Cloudera’s Olson sees innovation flourishing amid consolidation – siliconANGLE

IoT

Twin sisters and social entrepreneurs America and Penelope Lopez are taking up the fight against one of the most revolting crimes on the planet—human trafficking—with their Beacon of Hope IoT app. It is the latest in a string of hackathon successes that includes an anti-bullying app and a police body cam with facial recognition. In volume, the cost to set it up would be negligible, and data from Google and Palantir could be used for targeted placement along human trafficking trade routes. Central to the design is a single fact revealed by former victims: the only time victims are away from their captors and alone is when they enter a public bathroom. After a victim acquired a tracker, they would squeeze it to turn it on, broadcasting its unique identifier, which volunteers’ smartphones would pick up and relay to law enforcement and victim assistance non-governmental organizations (NGOs). A rapid response might free the victim. The Lopez sisters will also use the Amazon Dash button as a Button of Hope. Originally designed for reordering products, it has a microcontroller and a Wi-Fi and Bluetooth radio with an AAA battery that is programmed to do just one thing: send a unique identifier over the network to Amazon to order staples such as laundry detergent. Installed in a public restroom, the button would be repurposed to send a signal over the local Wi-Fi network to law enforcement that a victim has temporary sanctuary at a known location.

Using the IoT for good: Beacon of Hope project to help fight human trafficking – Network World

Personalization

MediaPost offers a great example of how the concept of personalized marketing has changed over time. Thirty years back, a personalized shopping experience would be a family going to a meat market, the butcher knowing the family by face, asking how they are and giving them deals, which in turn makes the family a loyal customer for life. Today, marketers are harnessing data because they’re trying to create relationships that are as effective as a local family’s butcher. Targeting and personalization are crucial reasons why more dollars are being spent online than anywhere else; that being said, marketers need to find more strategic ways to reach and retain their loyal customers.

Personalization vs. Personal relationships – MediaPost

OpenStack

Red Hat made it clear a few years ago that it couldn’t rely on its Red Hat Enterprise Linux (RHEL) glory forever. It needed a path to transformation and it saw a way with OpenStack and the hybrid cloud. Today it continued its steady march toward fulfilling that cloudy vision with the release of OpenStack Platform 8 and the Red Hat Cloud Suite. The cloud suite offers an integrated package with cloud, DevOps and container tools in a single solution with the kind of management layer you would expect in such a suite. It combines Red Hat OpenStack with Red Hat OpenShift, its container environment, and CloudForms for overall management and the ability to add self-service in a private cloud setting. The idea is to provide an integrated package, but recognizing not everyone will want to get the entire solution from one company, it will also offer the pieces individually and work with other offerings.

Red Hat continues cloud transformation with new OpenStack and Cloud Platform Suite products – TechCrunch

10Fold – Security Never Sleeps – 75

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: The European Commission has filed a formal antitrust complaint against Google and has accused the company of wielding its power as the world’s leading phone software supplier to impose its search and Web programs on billions of mobile users. A new variant of POS malware, “Multigrain”, has been found by FireEye – the malware targets systems that run the POS process multi.exe. Oracle has adopted the new CVSS 3.0 vulnerability rating system, which has resulted in 136 flaws being rated as high and critical. Apple warns that QuickTime for Windows PC has known flaws – the Department of Homeland Security issued a public statement urging anyone using QuickTime to uninstall the product due to Apple ceasing development and no longer supporting security updates.

Google’s Android Targeted by EU Over Mobile Search Curbs – Publication: Bloomberg – Reporter name: Aoife White

The European Commission sent Google a formal antitrust complaint, accusing the company of striking restrictive contracts that require makers of tablets and phones to install its search and Web browser on new phones. The company also unfairly pays phone makers and telecom operators a share of advertising revenue if they agree to make Google’s search engine the default on devices, the EU said Wednesday. By sending a statement of objections, the EU is opening a new front in its antitrust battle with the Alphabet Inc. unit — paving the way for potentially huge fines and radical changes to the way the company does business. It comes a year after the EU issued a formal complaint regarding Google’s comparison-shopping service.


‘Multigrain’ variant of POS malware crops up; uses DNS tunneling to steal data – Publication: SC Magazine – Reporter name: Bradley Barth

A variant of the NewPosThings POS malware family, dubbed Multigrain, has introduced an interesting wrinkle—exfiltrating stolen payment card data from POS systems via the Domain Name System (DNS), as opposed to via HTTP or File Transfer Protocol (FTP), FireEye explained in its threat research blog on Tuesday. Because DNS is conventionally used to translate domain names into IP addresses, and not to transfer general data, the system is often overlooked by cybersecurity officials when assessing potential threats to their organizations. While HTTP or FTP traffic might be closely monitored or restricted to prevent unauthorized external queries, the DNS “is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked,” explains the FireEye blog. Consequently, DNS remains vulnerable to cyber intruders, making this tactic especially appealing to sneaky cybercriminals.
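Detection logic of the kind a defender would run over DNS query logs to spot the pattern the FireEye blog describes, as an added example (it is not FireEye’s tooling and not from the SC Magazine article). The log line format, the thresholds and the `c2.example` domain are constructed assumptions:

```python
"""Spot DNS-tunnelling-style exfiltration in DNS query logs.

Flags, per source client and parent domain, queries whose leftmost label
is unusually long, whose hostname part has high character entropy, or
whose parent domain sees many distinct subdomains. All three are what
stolen data chopped into DNS labels tends to look like.
"""
import math
import re
from collections import defaultdict

# Constructed sample of "timestamp client qtype qname" query-log lines
# (assumed format, not a real resolver log).
SAMPLE_LOG = """\
2016-04-19T10:00:01 10.1.2.10 A www.example.com
2016-04-19T10:00:02 10.1.2.10 A mail.example.com
2016-04-19T10:00:05 10.1.2.10 AAAA www.example.com
2016-04-19T10:00:07 10.1.2.11 A wiki.corp.example
2016-04-19T10:00:09 10.1.2.11 A 4a3b2c1d9e8f7a6b5c4d3e2f1a0b9c8d.log.c2.example
2016-04-19T10:00:10 10.1.2.11 A 7f6e5d4c3b2a19080f1e2d3c4b5a6978.log.c2.example
2016-04-19T10:00:11 10.1.2.11 A 0123456789abcdef0123456789abcdef.log.c2.example
2016-04-19T10:00:12 10.1.2.11 A fedcba9876543210fedcba9876543210.log.c2.example
2016-04-19T10:00:13 10.1.2.11 A 13579bdf02468ace13579bdf02468ace.log.c2.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
MAX_LABEL_LEN = 30         # single labels longer than this are rare in real hostnames
MAX_ENTROPY = 3.5          # bits/char; words score ~2.5-3.0, hex/base32 blobs ~3.8+
MAX_UNIQUE_SUBDOMAINS = 4  # distinct hostnames under one domain from one client


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def registered_domain(qname):
    """Naive 'last two labels' parent domain; a public-suffix list is better."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.lower()}


def query_indicators(qname):
    """Per-query indicators: long leftmost label, high-entropy hostname part."""
    reasons = []
    labels = qname.rstrip(".").split(".")
    host_part = ".".join(labels[:-2])  # everything left of the parent domain
    if labels and len(labels[0]) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if shannon_entropy(host_part.replace(".", "")) > MAX_ENTROPY:
        reasons.append("high_entropy")
    return reasons


def analyze(log_text):
    """Return {(client, domain): sorted reasons} for every suspicious pair."""
    seen = defaultdict(set)  # (client, domain) -> distinct query names
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], registered_domain(rec["qname"]))
        seen[key].add(rec["qname"])
        reasons[key].update(query_indicators(rec["qname"]))
    for key, names in seen.items():
        if len(names) > MAX_UNIQUE_SUBDOMAINS:
            reasons[key].add("many_subdomains")
    return {k: sorted(v) for k, v in reasons.items() if v}


if __name__ == "__main__":
    for (client, domain), why in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {', '.join(why)}")
```

On the sample, only the `10.1.2.11 -> c2.example` pair trips all three indicators; the ordinary `example.com` and `corp.example` lookups are left alone.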


Oracle releases 136 security patches for wide range of products – Publication: NetworkWorld – Reporter name: Lucian Constantin

Oracle has released another monster quarterly security update containing 136 fixes for flaws in a wide range of products including Oracle Database Server, E-Business Suite, Fusion Middleware, Oracle Sun Products, Java, and MySQL. The biggest change is Oracle’s adoption of the Common Vulnerability Scoring System (CVSS) version 3.0, which more accurately reflects the impact of flaws than CVSS 2.0. This Oracle Critical Patch Update (CPU) has both CVSS 3.0 and CVSS 2.0 scores for vulnerabilities, providing a chance to compare how the new rating system might affect Oracle patch prioritization inside organizations. One immediately noticeable change is that there are five vulnerabilities rated with the maximum score of 10.0 based on the CVSS 2.0 scale, but none when using the CVSS 3.0 rating. At first glance, this would suggest that based on CVSS 3.0, flaws are rated as less critical, but that’s not true.


Apple Abruptly Pulls Plug On QuickTime for Windows – Publication: Forbes – Reporter name: Tony Bradley

Do you have Apple QuickTime installed on your Windows PC? It’s time to remove it. There are known flaws that can be exploited relatively easily, and Apple has confirmed that it is no longer supporting the software. The US-CERT, part of the Department of Homeland Security, recently issued a public statement urging anyone using QuickTime for Windows to uninstall the product immediately due to Apple ceasing development and therefore no longer issuing security updates. This alert stems from a recent call to action from TrendMicro, after the company’s Zero Day Initiative revealed two critical vulnerabilities: ZDI-16-241 and ZDI-16-242, affecting QuickTime for Windows.

10Fold – Security Never Sleeps – 74

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: A new brand of malware called GozNym is targeting business accounts at banks rather than the banks themselves. A new artificial intelligence platform offers 3x detection capabilities with 5x fewer false positives – dubbed AI2, the technology has shown the capability to offer three times more predictive capability and drastically fewer false positives than today’s analytics methods. Real-life whaling attempts show the intricate changes perpetrators make to trick a CEO. “60 Minutes” highlights an iPhone vulnerability by showcasing how hackers tapped into a congressman’s calls.

New “Double-Headed” Malware Has Stolen $4 Million From U.S. and Canadian Banks – Publication: Fortune – Reporter name: Clay Dillow

Meet GozNym, the hybrid malware robbing your business account. A new breed of malicious software has stolen roughly $4 million from 24 U.S. and Canadian banks over the first several days of April, IBM cybersecurity researchers report. The malware—known by the portmanteau GozNym—is a hybrid of two strains of known malware “that takes the best of both,” according to a blog post by IBM’s X-Force, part of IBM’s security division. The program is largely targeting business accounts, mostly in the U.S., and mostly via credit unions and “popular e-commerce platforms.” IBM didn’t name the specific institutions but says they have been notified.


MIT AI Researchers Make Breakthrough on Threat Detection – Publication: DarkReading – Reporter name: Ericka Chickowski

CSAIL gave a sneak peek into AI2 in a presentation to the academic community last week at the IEEE International Conference on Big Data Security, which detailed the specifics of a paper released to the public this morning. The driving force behind AI2 is its blending of artificial intelligence with what researchers at CSAIL call “analyst intuition,” essentially finding an effective way to continuously model data with unsupervised machine learning while layering in periodic human feedback from skilled analysts to inform a supervised learning model.


10 whaling emails that could get by an unsuspecting CEO – Publication: NetworkWorld – Reporter name: Ryan Francis

Whaling threats or CEO fraud continues to grow with 70 percent of firms seeing an increase in these email-based attacks designed to extort money. There has been an uptick of activity lately as fraudsters spend the first few months of the year taking advantage of tax season, targeting finance departments with emails that look like they are coming from a company’s senior executive. Case in point are Snapchat and Seagate as companies that inadvertently gave up employees’ personal information. Email security company Mimecast has shared a handful of real-life examples of fraud attempts targeted at the person in the corner office.


Hackers Track Your Phone No Matter What Security Measures You Take – Publication: Fortune – Reporter name: Aaron Pressman

“60 Minutes” taps congressman’s calls in demo. A flaw in one part of the global cellphone network allows hackers to track phone locations and listen in on calls and text messages, 60 Minutes reported Sunday. Hackers in Germany used the weakness in Signaling System Seven, or SS7, which carriers use to exchange billing information for roaming customers, in a demonstration to track and tap the calls of U.S. Rep. Ted Lieu (D-Calif.). 60 Minutes arranged the demonstration and Lieu knew hackers would be trying to tap his iPhone.

10Fold – Security Never Sleeps – 72

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: First, an anonymous Twitter account found a way around having to pay ransomware. Security researcher Zach Straley exposed a way to permanently brick your iPhone. Cisco Talos Lab released a report that highlights what ransomware could have in store next. BAE Systems discovered new shape-shifting malware that is now targeting the public sector.

Experts crack nasty ransomware that took crypto-extortion to new heights – Publication: Ars Technica – Reporter name: Dan Goodin

A nasty piece of ransomware that took crypto-extortion to new heights contains a fatal weakness that allows victims to decrypt their data without paying the hefty ransom. When it came to light two weeks ago, Petya was notable because it targeted a victim’s entire startup drive by rendering its master boot record inoperable. It accomplished this by encrypting the master boot file and displaying a ransom note. As a result, without the decryption password, the infected computer wouldn’t boot up, and all files on the startup disk were inaccessible.


New Threat Can Auto-Brick Apple Devices – Publication: Krebs on Security – Reporter name: Brian Krebs

If you use an Apple iPhone, iPad or other iDevice, now would be an excellent time to ensure that the machine is running the latest version of Apple’s mobile operating system — version 9.3.1. Failing to do so could expose your devices to automated threats capable of rendering them unresponsive and perhaps forever useless.


Imagining The Ransomware Of The Future – Publication: Dark Reading – Reporter name: Sara Peters

That’s the nightmare that researchers at Cisco Talos Labs described in a report today: a self-propagating, stealthy, modular ransomware that can move laterally across internal networks and cross air-gapped systems. In addition to the standard core ransomware functionality, Cisco Talos’ hypothesized “King’s Ransom framework” has a variety of modules for both stealth and propagation.


This new strain of Qbot malware is tougher than ever to find and destroy – Publication: ITPro – Reporter name: Rene Millman

Researchers managed to analyze the new strain and discovered a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept. These included a new ‘shape-changing’ or polymorphic code, which meant that each time the malware’s code was issued by the servers controlling it, it was compiled afresh with additional content, making it look like a completely different program to researchers looking for specific signatures.

10Fold – Security Never Sleeps – 71

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: The British government will now allow immigration officials to hack refugees phones. A botnet took control of 4,000 Linux computers and forced them to blast spam for over a year before the whole operation was shut down.  An analysis of Dridex infrastructure shows dangerous changes, potentially new operators.

Immigration officials allowed to hack phones of refugees and asylum seekers – Publication: BetaNews – Reporter name: Mark Wilson

The British government secretly rolled out powers that permitted the immigration officials to hack the mobile phones of asylum seekers and refugees, the Observer reveals. The Home Office has confirmed the hacking powers which have sparked outrage from privacy and human rights groups. In a statement about the powers afforded immigration officials, immigration minister James Brokenshire said: “They may only use the power to investigate and prevent serious crime which relates to an immigration or nationality offence, and have done so since 2013”.


Researchers help shut down spam botnet that enslaved 4,000 Linux machines – Publication: Ars Technica – Reporter name: Dan Goodin

A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down. Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom “packer” to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines’ operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service.


FBI Cyber Warning: Ignore Your CEO’s E-Mail And Phone Her Back — Or Your Company May Pay For It – Publication: Forbes – Reporter name: Steve Morgan

The FBI is warning people about a business email scheme which has resulted in huge losses to companies in Phoenix and other U.S. cities. A CEO seemingly emails an employee — typically in a finance or administrative role — instructing them to perform a wire transfer. The employee follows directions and executes the wire. Money is successfully transferred from the CEO’s company to another party. Turns out the CEO didn’t send the email. The CEO’s email identity was spoofed by a cybercriminal who sent the email. E-Mail spoofing is a widespread hacker practice involving the forgery of an e-mail header.


Dridex Malware Now Used For Stealing Payment Card Data – Publication: Dark Reading – Reporter name: Jai Vijayan

New analysis of the command and control panel and attack mechanisms of the Dridex banking Trojan shows the malware is being used in a wider range of malicious campaigns — and likely by a different set of threat actors than before. Spain-based security vendor buguroo says it recently was able to leverage a surprisingly easy-to-exploit weakness in the C&C infrastructure of Dridex to gain unprecedented visibility into how exactly the malware is being used. The analysis shows that Dridex is no longer being used just to hijack online banking sessions in order to transfer money from a victim’s account to fraudulent accounts, says Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of buguroo.

10Fold – Security Never Sleeps – 69

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Spear-phishing has increasingly become a tailored attack, versus the traditional mass attack. The White House won’t support the anti-encryption bill, but has yet to publicly state its position. Karamba Security is now starting to develop malware protection for the computers in cars, which could help cars better withstand malware attacks. Lastly, a blog post written by security researcher Brian Krebs points out how much money has been lost to CEO email scams.

Crypto ransomware targets called by name in spear-phishing blast – Publication: Ars Technica – Reporter name: Dan Goodin

For the past decade, spear phishing—the dark art of sending personalized e-mails designed to trick a specific person into divulging login credentials or clicking on malicious links—has largely been limited to espionage campaigns carried out by state-sponsored groups. Since the beginning of the year, that truism has begun to unravel. According to researchers at security firm Proofpoint, a single threat actor, dubbed TA530, has been targeting executives and other high-level employees in an attempt to trick them into installing an assortment of malware—including the CryptoWall ransomware program that encrypts valuable data and demands a hefty fee to undo the damage.


Obama won’t support anti-encryption bill, report says – Publication: CNet – Reporter name: Katie Collins

The White House won’t publicly support proposed legislation that would allow judges to compel tech companies to help law enforcement crack open otherwise secret data and communications, Reuters reported Thursday. It’s an about-face for the White House. Obama said last month that he had come around to the view that the government must find a way to access locked devices. Even though the White House has reviewed the legislation’s text and provided feedback, it is not expected to comment publicly on it. The legislation could be introduced in Congress as early as this week.


Your car’s computers might soon get malware protection – Publication: PC World – Reporter name: Lucian Constantin

Modern cars contain tens of specialized computers that control everything from infotainment functions to steering and brakes. The pressing need to protect these computers from hackers will likely open up a new market for car-related software security products. Karamba Security, a start-up based in Ann Arbor, Michigan, is one of the companies that has stepped up to answer this demand. The company’s anti-malware technology, unveiled Thursday, is designed to protect externally accessible electronic control units (ECUs) found in connected cars.


FBI: $2.3 Billion Lost to CEO Email Scams – Publication: Krebs on Security – Reporter name: Brian Krebs

The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years. In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries.

10Fold – Security Never Sleeps – 67

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider:  Trump luxury hotels have suffered a potential mass data breach. Details from the Panama Papers investigation revealed that all of the stolen data is now being hosted in the Amazon cloud. The White House, US department of Homeland Security and industry experts created a certification program for IoT devices. Osterman Research consultants revealed that 18% of companies have suffered malware infections because of social networks.

Some Trump hotels hit by data breach: Report – Publication: CNBC – Reporter name: Jacob Pramuk

A line of luxury hotels linked to businessman and Republican presidential contender Donald Trump is investigating a possible credit card breach, Krebs on Security reported Monday, citing sources. The cyber security news site said financial industry sources noticed a string of fraud on customer credit cards used at the Trump Hotel Collection. The activity appeared on cards used in the past two to three months at properties including the Trump International Hotel New York, Trump Hotel Waikiki in Honolulu and the Trump International Hotel & Tower in Toronto, sources told the outlet.


From Encrypted Drives To Amazon’s Cloud — The Amazing Flight Of The Panama Papers – Publication: Forbes – Reporter name: Thomas Fox-Brewster

It was an epic haul. Whoever caused the Panama Papers breach at tax avoidance and offshore company specialist Mossack Fonseca leaked an astonishing 11 million documents and 2.6 terabytes of data, the largest of all time. Where’s all of that data stored now? In an Amazon cloud data center, accessible to anyone who knows the URL and has a password. The journey of those files, from the leaks to the revelations, is an astonishing example of developers working with journalists to keep whistleblowers and the information they supply safe and, just as crucially, usable. With the extra kicker: it was largely done using free, open source technology.


‘CyberUL’ Launched For IoT, Critical Infrastructure Device Security – Publication: Dark Reading – Reporter name: Kelly Jackson Higgins

Internet of Things (IoT) devices and industrial systems used in critical infrastructure networks now have an official UL (United Laboratories) certification program – for cybersecurity. UL today rolled out its anticipated—and voluntary—Cybersecurity Assurance Program (UL CAP), which uses a newly created set of standards for IoT and critical infrastructure vendors to use for assessing security vulnerabilities and weaknesses in their products. The UL CAP was created in conjunction with the White House, the US Department of Homeland Security, industry, and academia, and falls under President Obama’s recently unveiled Cybersecurity National Action Plan (CNAP) as a way of testing and certifying networked devices in IoT and critical infrastructure.


One out of five businesses are infected by Malware through Social Media – Publication: Panda Security – Reporter name: STAFF

What at first seems an unimportant habit can have serious repercussions. Yes, an employee risks the chance of being caught in the act, but what about the company? Osterman Research consultants have confirmed in their latest report that 18% of companies have suffered malware infections because of social networks. Employees aren’t the only ones using these platforms, though. Companies often have business profiles, which make it more difficult to detect the source of the problem. According to this document, 73% use Facebook for work purposes, 64% use LinkedIn and 56% use Twitter. Companies are also showing interest in collaborative platforms designed for them such as Microsoft SharePoint, different Cisco products, the Salesforce Chatter software solution and Connections, a platform developed by IBM.

10Fold – Security Never Sleeps – 65

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: On Thursday, the US Department of Defense announced the launch of a pilot bug-bounty program for DOD’s public-facing websites. Cyber criminals in different hemispheres of the globe are working together to improve malicious tools, software, and techniques to carry out cyber attacks, researchers have warned. Both government agencies and private firms are looking for new ways to meet the challenges and overcome the many shortages the cyber security industry is facing. One of the growing trends in this regard is the use of gaming software, the element of competition and simple rewards programs to help find security holes, educate about cyber security issues and recruit talent to plug the skills gap that is riddling the industry. Starting with iOS 9, Apple has tried to make it harder for attackers to trick users into installing unauthorized apps on their devices by abusing stolen enterprise certificates.

DOD invites you (well, some of you) to “Hack the Pentagon” this month – Publication: Ars Technica – Reporter name: Sean Gallagher

On Thursday, the US Department of Defense announced the launch of a pilot bug-bounty program for DOD’s public-facing websites. Called “Hack the Pentagon,” the bounty program will be managed by HackerOne, the disclosure-as-a-service company. Since Hack the Pentagon is a pilot, its budget and duration are fairly modest by DOD standards. The Pentagon has budgeted $150,000 for the month-long hunt, which will begin April 18 and end by Thursday, May 12.


Cybercriminals are overcoming language and timezone barriers to cooperate on making malware more dangerous – Publication: ZDNet – Reporter name: Danny Palmer

Cyber criminals in different hemispheres of the globe are working together to improve malicious tools, software, and techniques to carry out cyber attacks, researchers have warned. An investigation by Kaspersky Lab found that cyber criminals situated over 10,000km apart in Brazil and Russia are overcoming substantial time zone differences and language barriers in order to borrow techniques from each other and speed up the development of malware. It signifies an evolution of ransomware and other forms of malicious software, which not so long ago were developed in complete isolation from one another, resulting in tailored cyberattack techniques.


Meeting cybersecurity challenges through gamification – Publication: TechCrunch – Reporter name: Ben Dickson

When it comes to cybersecurity issues, we always seem to be dealing with either shortages or excess. Everywhere there’s talk of how data breaches are growing in number, size, severity and cost, and there are always too many new security holes, vulnerabilities and attack vectors that need to be fixed. On the other hand, there’s a widening cybersecurity talent gap, with too few people to fill vacant posts. With the dark shadow of bigger security incidents constantly looming on the horizon, both government agencies and private firms are looking for new ways to meet the challenges and overcome the many shortages the cybersecurity industry is facing. Digital Guardian, a cybersecurity firm that offers a namesake data loss prevention (DLP) platform, intends to integrate gaming concepts and mechanics into the daily security practices of firms and organizations.


Hackers use the iOS mobile device management protocol to deliver malware – Publication: ComputerWorld – Reporter name: Lucian Constantin

Starting with iOS 9, Apple has tried to make it harder for attackers to trick users into installing unauthorized apps on their devices by abusing stolen enterprise certificates. However, it left one door open that attackers can still exploit: the protocol used by mobile device management (MDM) systems. Apple’s tight control over the iOS App Store has made it hard, but not impossible, for attackers to infect iOS devices with malware. The most common way for hackers to infect non-jailbroken iOS devices with malware is through stolen enterprise development certificates. These are code-signing certificates obtained through the Apple Developer Enterprise Program that allow companies to distribute internal apps to iOS devices without publishing them in the public app store.

10Fold – Security Never Sleeps – 64


Big items to consider: Hackers broke into the networks of the country’s top law firms, which represent Fortune 500 companies and Wall Street banks; there is no confirmation of what data has been stolen, but experts warn this could result in insider trading. CNBC published a story on password security with a tool on the page that allowed readers to enter their password to see if it was secure; security researchers determined that this tool actually kept all of the passwords and then sent them to third-party advertisers. The National Institute of Standards and Technology (NIST) published a new computer security standard that could potentially secure credit card numbers and healthcare records by various methods of format-preserving encryption. MedStar Health has now been forced to turn patients away due to the ransomware cyberattack; without paying the ransom, the healthcare network is forced to operate without any patient records.

Hackers Breach Law Firms, Including Cravath and Weil Gotshal – Publication: The Wall Street Journal – Reporter name: Nicole Hong & Robin Sidel

Hackers broke into the computer networks at some of the country’s most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter. The firms include Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations. Other law firms also were breached, the people said, and hackers, in postings on the Internet, are threatening to attack more.


CNBC just collected your password and shared it with marketers – Publication: CSO – Reporter name: Jeremy Kirk

CNBC inadvertently exposed people’s passwords after it ran an article Tuesday that, ironically, was intended to promote secure password practices. The story was removed from CNBC’s website shortly after it ran, following a flurry of criticism from security experts. Vice’s Motherboard posted a link to the archived version. Embedded within the story was a tool in which people could enter their passwords. The tool would then evaluate a password and estimate how long it would take to crack it. A note said the tool was for “entertainment and educational purposes” and would not store the passwords. That turned out not to be accurate, and the tool had other problems as well. Adrienne Porter Felt, a software engineer with Google’s Chrome security team, spotted that the article wasn’t delivered using SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption. SSL/TLS encrypts the connection between a user and a website, scrambling the data that is sent back and forth. Without SSL/TLS, someone on the same network can see data in clear text and, in this case, any password sent to CNBC.


New NIST Security Standard Can Protect Credit Cards, Health Information – Publication: National Institute of Standards and Technology – Reporter name: Chad Boutin

For many years, when you swiped your credit card, your number would be stored on the card reader, making encryption difficult to implement. Now, after nearly a decade of collaboration with industry, a new computer security standard published by the National Institute of Standards and Technology (NIST) not only will support sound methods that vendors have introduced to protect your card number, but the method could help keep your personal health information secure as well. The publication, “Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption,” specifies two techniques for “format-preserving encryption,” or FPE. It addresses a longstanding issue in many software packages that handle financial data and other forms of sensitive information: How do you transform a string of digits such as a credit card number so that it is indecipherable to hackers, but still has the same length and look—in other words, preserves the format—of the original number, as the software expects?
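To make the format-preserving idea concrete, here is an added toy illustration written for this digest; it is not NIST’s FF1 or FF3 and not code from the article. A Feistel network whose round function is HMAC-SHA256 reduced to decimal turns a digit string into another digit string of the same length, so existing database columns and validators keep working. The demo key, the constructed test card number, and the choice to leave the first six (BIN) and last four digits in the clear are my assumptions.

```python
import hashlib
import hmac

# Simplified Feistel-style FPE over decimal strings. Illustration only:
# NOT NIST FF1/FF3 and not reviewed for production use.


def _prf(key: bytes, tweak: bytes, round_no: int, half: str, out_len: int) -> int:
    """Keyed round function: HMAC-SHA256 over (tweak, round, half), reduced to out_len digits."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** out_len)


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Encrypt a digit string to a digit string of the same length (format preserved)."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a decimal string of at least two digits")
    n, u = len(digits), len(digits) // 2
    a, b = digits[:u], digits[u:]            # unbalanced halves when n is odd
    for i in range(rounds):
        m = u if i % 2 == 0 else n - u        # length of the half being replaced this round
        c = (int(a) + _prf(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)             # zfill keeps leading zeros, i.e. the format
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Invert fpe_encrypt by running the Feistel rounds backwards."""
    n, u = len(digits), len(digits) // 2
    split = u if rounds % 2 == 0 else n - u   # which half ended up on the left
    a, b = digits[:split], digits[split:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else n - u
        c = (int(b) - _prf(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt a card number's middle digits; BIN and last four stay in the clear and act as
    the tweak, so the same middle digits encrypt differently under a different BIN/last four.
    Keeping those digits visible is a deployment assumption, not something the article states."""
    if not pan.isdigit() or len(pan) < 12:
        raise ValueError("card number must be at least 12 digits")
    tweak = (pan[:6] + pan[-4:]).encode("ascii")
    return pan[:6] + fpe_encrypt(key, pan[6:-4], tweak) + pan[-4:]


def unprotect_pan(key: bytes, protected: str) -> str:
    tweak = (protected[:6] + protected[-4:]).encode("ascii")
    return protected[:6] + fpe_decrypt(key, protected[6:-4], tweak) + protected[-4:]
```

The protected value is still sixteen digits and passes a digits-only check, but it will not satisfy the Luhn checksum of a real card number; software that validates Luhn on stored values needs to know it is looking at ciphertext.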


MedStar Health turns away patients after likely ransomware cyberattack – Publication: The Washington Post – Reporter name: John Woodrow Cox

MedStar Health patients were being turned away or treated without important computer records Tuesday as the health-care giant worked to restore online systems crippled by a virus. By Tuesday evening, MedStar staff could read — but not update — thousands of patient records in its central database, though other systems remained dark, a spokeswoman said. MedStar officials have refused to characterize the attack as “ransomware,” a virus used to hold systems hostage until victims pay for a key to regain access. But a number of employees reported seeing a pop-up message on their computer screens seeking payment in bitcoins, an Internet currency. One woman who works at MedStar Southern Maryland Hospital Center sent The Washington Post an image of the ransom note, which demanded that the $5 billion health-care provider pay 45 bitcoins — equivalent to about $19,000 — in exchange for the digital key that would release the data.