Month: February 2015

Visual Hacking Is Highly Successful At Getting Sensitive Information

Posted on

In an experiment sponsored by 3M carried out by the Ponemon Institute over a two-month period last summer, it was discovered that companies are not prepared against “visual hacking” attempts.

Sensitive info obtained in 88% of the cases

Visual hacking consists in a threat actor collecting information by simply walking in an office and snooping into confidential documents or taking pictures of computer screens. This type of activity could help with better preparing a cyber-attack on a targeted organization as well as lead to unauthorized access to company secrets.

For the study, Ponemon Institute recruited eight US-based companies that allowed a visual hacker to roam in the building and determine the type of information that could be exposed this way; except for the company liaison, the rest of the employees were unaware of the true mission of the hacker.

Walking through the offices the hacker could have harvested personally identifiable information, data about customers, consumers and employees, business correspondence, log-in credentials, confidential documents, designs, presentations and financial information.

Visual Hacking Is Highly Successful
Visual Hacking Is Highly Successful

In 88% of the trials the haccker was able to obtain sensitive data. In most cases (51%) it would be found on the desk of a “fellow co-worker.” The hacker also managed to copy sensitive details from computer screens, print bins or copiers.
Important data sitting in plain sight could be collected

During the experiment, a total of 168 pieces of information were stolen, 34 of them (20%) being marked as having a high value (i.e. access log-ins, confidential or classified documents) due to the security risks involved in losing it to unauthorized persons.

Computer screens and vacant desks were the places where most of the high value data was collected from.

The time needed to spot the assets ranged from less than 15 minutes in 45% of the cases, to two hours in 2% of the cases.

Even if the hacker was spotted to be engaged in collecting data, most of the times the other employees kept quiet and did not intervene. Only in 13 cases out of 43 someone asked questions about the dubious activity.

Although the experiment does have some limitations since the companies participated voluntarily in the research and collecting data depends on the skills of the visual hacker, the risks are still valid and organizations should implement stricter policies as far as protecting the information on and around the desk is concerned.



Android malware hijacks power button, empties wallet while you sleep

Posted on

Security biz AVG has spotted an outbreak of a new kind of Android malware that will come alive even when the phone is supposedly switched off. The software nasty is able to do this by hijacking the mobe’s power-off sequence.

“After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on,” said the firm’s mobile security team in an advisory.

“While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying the user.”

Once the malware is installed by the user – it’s typically bundled within an innocent-looking app, but AVG isn’t naming names – it asks for root-level permissions and injects code into the operating system’s system server. Specifically, it hijacks the mWindowManagerFuncs interface so it can display a fake shutdown dialog box when the power button is pressed – and display a fake shutdown animation too. It then blanks the screen to make the mobe look like it’s switched off.

Android malware hijacks
Android malware hijacks

The malware is then free to send lots of premium-rate text messages and make calls to expensive overseas numbers. The code shown by AVG appears to contact Chinese services.

This nasty is killable, and AVG has signatures for its files so it can be detected, but in the meantime the firm suggests taking the battery out of your phone – aka the engineer’s reset – is the only way to be sure. Unfortunately, that’s not an option on many phones these days.

Don’t panic, though. So far the outbreak in small and localized: around 10,000 cases have cropped up almost exclusively in China, none of which work on Android 5.0. But code spreads so fast these days and something so useful is bound to be popping in malicious apps from dodgy online stores in the near future.


Major Adult Website Gets Hacked, Malicious Iframe Leads to Angler EK

Posted on

ust like in the case of Jamie Oliver’s website, the cybercriminals did not resort to a malvertising campaign but hacked the servers of the adult location and planted malicious code straight into the main page source code.
Exploit flung at visitors with outdated Flash Player versions

Security researchers at Malwarebytes discovered the compromise on RedTube, a website providing adult content that ranks 128 on the popularity scale provided by Alexa. The estimated number of visits is 300 million per month.

The malicious code inserted on the website produces an iframe that is invisible to the user, pointing to two domains where Angler browser-based attack tool is hosted.

According to the analysis from Malwarebytes, Angler deploys an exploit for a Flash vulnerability (CVE-2015-0313) recently patched by Adobe.

Major Adult Website Gets Hacked
Major Adult Website Gets Hacked

Until the fix became available in Flash, the security bug had been leveraged in the wild through Hanjuan exploit kit.
RedTube confirms the attack

The researchers say that the end goal of the cybercriminals is installation of a malware family known as Kazy Trojan, which appears to be a variation of other malware families, downloader Ponik and Vundo Trojan.

“This family is known for stealing personal information from users as well as installing browser helper objects that spread pop-up ads, some redirecting to additional exploit pages and therefore more malware infections,” a blog post from Malwarebytes says on Wednesday.

It is not clear how the RedTube compromise occurred but the attack has a significant potential given the large number of visits the website enjoys on a monthly basis and the fact that users are slow at applying the latest patches for the browser plug-ins. Furthermore, infecting a vulnerable machine would occur without any sign of suspicious activity.

On Wednesday, RedTube confirmed the attack via Twitter, saying that it was detected on Sunday and that the necessary steps for mitigating the risk were taken within hours.


Suite of Sophisticated Nation-State Attack Tools Found With Connection to Stuxnet

Posted on

The last two years have been filled with revelations about NSA surveillance activities and the sophisticated spy tools the agency uses to take control of everything from individual systems to entire networks. Now it looks like researchers at Kaspersky Lab may have uncovered some of these NSA tools in the wild on customer machines, providing an extensive new look at the spy agency’s technical capabilities. Among the tools uncovered is a worm that appears to have direct connections to Stuxnet, the digital weapon that was launched repeatedly against centrifuges in Iran beginning in late 2007 in order to sabotage them. In fact, researchers say the newly uncovered worm may have served as a kind of test run for Stuxnet, allowing the attackers to map a way to targeted machines in Iran that were air-gapped from the internet.

For nearly a year, the researchers have been gradually collecting components that belong to several highly sophisticated digital spy platforms that they say have been in use and development since 2001, possibly even as early as 1996, based on when some command servers for the malware were registered. They say the suite of surveillance platforms, which they call EquationLaser, EquationDrug and GrayFish, make this the most complex and sophisticated spy system uncovered to date, surpassing even the recently exposed Regin platform believed to have been created by Britain’s GCHQ spy agency and used to infiltrate computers belonging to the European Union and a Belgian telecom called Belgacom, among others.

Raiu says he thinks Fanny was an early experiment to test the viability of using self-replicating code to spread malware to air-gapped machines and was only later added to Stuxnet when the method proved a success. Notably, the first version of Stuxnet, believed to have been unleashed in late 2007, didn’t use zero-day exploits to spread; instead it spread by infecting the Step 7 project files used to program control systems at Natanz. Fanny was subsequently compiled in July 2008 with the two zero-day exploits. When the next version of Stuxnet was unleashed in 2009, the privilege-escalation exploit from Fanny was added to it. Then in 2010, the .LNK exploit from Fanny was added to a version of Stuxnet unleashed that March and April.

Fanny may have been used initially as proof-of-concept to test the viability of getting Stuxnet onto air-gapped machines in Iran. Or it could have been used for a different operation entirely, and its developers simply shared the exploits with the Stuxnet crew. The vast majority of Fanny infections detected so far are in Pakistan. Kaspersky has found no infections in Iran. This suggests Fanny was likely created for a different operation.

Pakistan’s nuclear weapons program, like Iran’s, has long been a U.S. concern. The centrifuge designs used in Iran’s uranium-enrichment plant at Natanz came from Pakistan—a Pakistani scientist helped jumpstart Iran’s nuclear program with them. Information about the NSA’s black budget, leaked by Snowden to the Washington Post in 2013, shows that Pakistan’s nuclear program, and the security of its nuclear weapons, is a huge concern to U.S. intelligence and there is “intense focus” on gaining more information about it. “No other nation draws as much scrutiny across so many categories of national security concern,” the Post wrote in a story about the budget.

Kaspersky found only one version of Fanny. It arrived in their virus collection system in December 2008 but went unnoticed in their archive until last year. Raiu doesn’t konw where the Fanny file came from—possibly another anti-virus firm’s shared collection.

The new platforms, which appear to have been developed in succession with each one surpassing the previous in sophistication, can give the attackers complete and persistent control of infected systems for years, allowing them to siphon data and monitor activities while using complex encryption schemes and other sophisticated methods to avoid detection. The platforms also include an innovative module, the likes of which Kaspersky has never seen before, that re-flashes or reprograms a hard drive’s firmware with malicious code to turn the computer into a slave of the attackers. The researchers, who gave WIRED an advance look at their findings and spoke about them today at the Kaspersky Security Analyst Summit in Mexico, have dubbed the attackers the Equation Group and consider them “the most advanced threat actor” they’ve seen to date.

The researchers have published an initial paper on their findings and plan to publish more technical details over the next few days, but there’s still a lot they don’t know about the Equation Group’s activities.

“As we uncover more of these cyber espionage operations we realize how little we understand about the true capabilities of these threat actors,” Costin Raiu, head of Kaspersky’s Global Research and Analysis Team told WIRED.

NSA Connections?
Although the researchers have no solid evidence that the NSA is behind the tools and decline to make any attribution to that effect, there is circumstantial evidence that points to this conclusion. A keyword—GROK—found in a keylogger component appears in NSA documents leaked by Edward Snowden to The Intercept that describe a keylogger by that name. There are other connections to an NSA spy tool catalog leaked to other journalists in 2013. The 53-page catalog details—with pictures, diagrams and secret codenames—an array of complex devices and capabilities available to intelligence operatives. The capabilities of several tools in the catalog identified by the codenames UNITEDRAKE, STRAITBAZZARE, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE (United Rake). Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventions—they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.

Other evidence possibly pointing to the NSA is the fact that five victims in Iran who were infected with Equation Group components were also key victims of Stuxnet, which was reportedly created and launched by the U.S. and Israel.

Kaspersky wouldn’t identify the Iranian victims hit by the Equation tools, but the five key Stuxnet victims have been previously identified as five companies in Iran, all contractors in the business of building and installing industrial control systems for various clients. Stuxnet targeted industrial control systems used to control centrifuges at a uranium-enrichment plant near Natanz, Iran. The companies—Neda Industrial Group, Kala Electric, Behpajooh, CGJ (believed to be Control Gostar Jahed) and Foolad Technic—were infected with Stuxnet in the hope that contractors would carry it into the enrichment plant on an infected USB stick. This link between the Equation Group and Stuxnet raises the possibility that the Equation tools were part of the Stuxnet attack, perhaps to gather intelligence for it.

But the newly uncovered worm created by the Equation Group, which the researchers are calling Fanny after the name of one of its files, has an equally intriguing connection to Stuxnet.

It uses two of the same zero-day exploits that Stuxnet used, including the infamous .LNK zero-day exploit that helped Stuxnet spread to air-gapped machines at Natanz—machines that aren’t connected to the internet. The .LNK exploit in Fanny has a dual purpose—it allows attackers to send code to air-gapped machines via an infected USB stick but also lets them surreptitiously collect intelligence about these systems and transmit it back to the attackers. Fanny does this by storing the intelligence in a hidden file on the USB stick; when the stick is then inserted into a machine connected to the internet, the data intelligence gets transferred to the attackers. EquationDrug also makes use of the .LNK exploit. A component called SF loads it onto USB sticks along with a trojan to infect machines.

The other zero-day Fanny uses is an exploit that Stuxnet used to gain escalated privileges on machines in order to install itself seamlessly.

Kaspersky has found 500 victims in some 30 countries infected with EquationLaser, EquationDrug and GrayFish components. But having been active for more than a decade, it’s likely the spy tools have infected tens of thousands of systems. Each time a machine is infected, the malware places a timestamp in the victim’s registry along with a counter that increases with each victim. Based on counters found on victim machines, the victims appear to increase at a rate of about 2,000 a month.

The largest number of victims have been targeted in Iran, but there are also victims in Russia, Afghanistan, Pakistan, Belgium, Germany, Sudan, Lebanon, the Palestinian Territories, the United States and the UK. They include military, government and diplomatic targets, as well as telecoms, nuclear research facilities and individuals, Islamic activists and scholars, the media, and those working on nanotechnology and encryption technologies. Victims found in the U.S. and UK are all Islamic activists or scholars, Raiu says, some with known extremist leanings.

Kaspersky researchers discovered the first component belonging to the Equation Group last March while investigating the Regin malware. The first piece of puzzle found was a driver file that showed up on a system in the Middle East that was also infected with Regin and several other known families of nation-state malware Kaspersky recognized. This apparently high-value target was cluttered with so much malware Kaspersky dubbed it the “magnet of threats”.

They initially believed the driver was part of Regin or another malicious family. It used very advanced stealth techniques to avoid detection and was only discovered because of the way it tried to hijack a specific Windows function to sniff network traffic. This triggered an alert in the Kaspersky software. It was using “some nasty techniques to hook into Windows,” says Vitaly Kamluk, principal security researcher for Kaspersky. The techniques, in fact, had been described years before in a 2005 book titled Subverting the Windows Kernel. “[The attackers] were following the instructions that were uncovered in the book,” Kamluk says.

After adding detection for the driver to their security products, Kaspersky found the malicious driver on other machines as well as additional components related to it. As they collected modules and pieced them together, they also found an extensive network of command-and-control servers—more than 300 in all—that the attackers had set up to communicate with their malware. Kaspersky managed to sinkhole about a dozen of the domains so that traffic that would have once headed from victim machines to the attackers’ domains got re-routed to a server the researchers controlled instead. In this way they were able to uncover more victims. The attackers had allowed the registration for a number of their domains to expire. Kaspersky monitored the domains and simply bought up each as it expired.

As they pieced together components, they were able to establish a timeline and see that EquationLaser was an early-generation implant the attackers used between 2001 and 2004, while EquationDrug was the next-generation tool that came into use sometime around 2003. It was continuously developed and expanded by the attackers until 2013. Over time, it became a robust and full-blown platform composed of numerous plug-ins or modules that could be remotely slipped on to an infected system at will, once the attackers established a foothold on it.

EquationDrug was supplanted by the even more sophisticated GrayFish. Two versions of GrayFish have been uncovered—the first apparently developed in 2008 and the second in 2012, based on compilation timestamps. EquationDrug stopped being used in mid-2013 right around the time the first leaks from NSA whistleblower Edward Snowden were published. The first evidence of GrayFish 2.0 being used in the wild appeared shortly after those first leaks.

Enter GrayFish
GrayFish works on all the latest Windows operating systems as well as Windows 2000. It’s the most sophisticated platform of the three. Its components all reside in the registry of infected systems, making the malware nearly invisible to detection systems.

GrayFish uses a highly complex multi-stage decryption process to unpack its code, decrypting and executing each stage in strict order, with each stage containing the key to unlock the subsequent one. GrayFish only begins this decryption process, however, if it finds specific information on the targeted machine, which it then uses to generate the first key to launch the decryption. This allows the attackers to tailor the infection to specific machines and not risk having it decrypt on unwanted systems. The magic key that initiates this process is generated by running a unique ID associated with one of the computer’s folders through the SHA-256 algorithm 1,000 times. The final hash becomes the key to unlock the malware and launch the nested decryption scheme.

It’s very similar to a process used by Gauss, another piece of malware believed to have been created by the team behind Stuxnet that Kaspersky discovered in 2012. Gauss had a mysterious payload that has never been unlocked because it can only be decrypted by a key generated by running specific data on the targeted machine through the MD5 algorithm 10,000 times. The scheme, as used in both GrayFish and Gauss, not only serves to prevent the malware from unleashing on non-targeted machines, it also prevents security researchers and victims from unlocking the code without knowing the specific data needed to generate the hash/decryption key.

In addition to the encryption scheme, GrayFish uses a sophisticated bootkit to hijack infected systems. Each time the computer reboots, GrayFish loads malicious code from the boot record to hijack the booting process and give GrayFish complete command over the operating system, essentially making GrayFish the computer’s operating system. If an error occurs during this process, however, the malware will immediately halt and self-destruct, leaving the real Windows operating system to resume control, while GrayFish quietly disappears from the system.

Suite of Sophisticated Nation-State Attack
Suite of Sophisticated Nation-State Attack

But the most impressive GrayFish component is one that can be used to reflash the firmware of hard drives. Firmware is the code resident on hardware that makes the device work. Kaspersky uncovered two versions of a module used for reflashing or reprogramming firmware—one version for the EquationDrug platform the other for GrayFish. The EquationDrug version appears to have been compiled in 2010 while the GrayFish one bears a 2013 timestamp. The module reflashes the firmware with malicious code that gives the attackers a persistent foothold on the system even if the owner reformats the hard drive or wipes the operating system and reinstalls it in an attempt to clean the machine of malware. Between them, the two versions can reprogram 12 different brands of hardware drives, including ones made by Samsung and Seagate. To pull off this feat, the modules use a slew of undocumented commands that are specific to each vendor, which the Kaspersky researchers call “an astonishing technical accomplishment” that is a testimony to the group’s high-level skills.

The attackers did make one mistake, however. It appears that one of the developers of the GROK trojan left his username—rmgree5—behind in the file.

Method of Infection
To infect victims, the attackers used multiple methods—such as the Fanny worm or infected USB sticks and zero-day exploits. They also used web-based exploits to infect visitors to certain web sites. The researchers counted at least seven exploits the attackers at least four of which were zero-days when the attackers used them. Notably, one of the exploits had been used before in the so-called Aurora attack that struck Google in late 2009. That hack was attributed to China, but the Kaspersky researchers say the Equation Group apparently recycled it to use in their own later attack against government targets in Afghanistan.

One of the most interesting cases of infection, however, concerned a scientist who was targeted after visiting the U.S.

Trouble in Texas
The scientist had attended an international scientific conference in Houston, Texas sometime around 2009 and received the infection on a conference CD-ROM sent to him after he returned home. The disk contained a slideshow of photos from the gathering. But it also contained three exploits, two of them zero-days, that triggered malware from the Equation Group to load to his machine. Kaspersky software on the scientist’s machine triggered an alert and sent a sample of the malware to Kaspersky’s archive, but the researchers only discovered it last year when they began investigating the Equation Group’s operations. They were able to identify and contact the victim. Raiu won’t name the scientist or indicate his area of research, but he likened the attack to a recent one that occurred against noted Belgian cryptographer and academic Jean-Jacques Quisquater. Quisquater’s computer had been infected with the Regin spy tool.

It’s unclear how the attackers infected the CD-ROM sent to the scientist, but documents leaked by Edward Snowden describe NSA and CIA interdiction efforts that involve intercepting computer hardware as it’s in transit from a factory or seller and then implanting it with spy tools before repackaging it and sending it on to the customer. The same method might have been used in this case. It’s not known if other conference attendees received infected disks.

Although the Equation Group findings are significant, they still represent only a very small subset of nation-state malware out in the wild from not only the U.S. but other actors as well. And given that the samples Kaspersky found are at least a year old, they may not be state-of-the-art any more.

“The thing that scares me the most is that we don’t have any samples from the Equation Group from 2014,” Raiu says, suggesting the group’s capabilities may have already been surpassed by even more sophisticated wares.

PoS malware infected payment systems at the Jefferson National Parks Association

Posted on

Jefferson National Parks Association announced on Friday about malware found on Point-of-Sale (POS) Systems deployed by two gift shops named Gateway Arch located in St. Louis. So far, it has been confirmed that most of the Credit card details are compromised while using credit cards on compromised Point-of-Sale (POS) systems. Information like Credit Card Names, Credit Card Numbers, and Credit Cards expiration dates was hampered with the PoS Malware.

In time I’m writing the Jefferson National Parks Association was unable to specify exact number of credit cards being compromised.

Jefferson National Parks Association responded to this incident immediately by suspending the use of its networked payment systems. The malware has been deactivated from Point-of-sale (POS) systems, by covering & deleting all possible payloads off the systems and instead, stand-alone payment processing system is now being used to continue their business operations. The investigation on the incident is still in progress.

PoS malware infected payment systems at the Jefferson National Parks
PoS malware infected payment systems at the Jefferson National Parks

On Dec. 17, 2014, Jefferson National Parks Association was informed by federal authorities about potentially compromised Point-of-Sale (POS) systems. The malware appears to be most active during early August 2014 to Dec. 17, 2014, to steal credit cards details through compromised Point-of-Sale (POS) Systems. The malware was installed before November 2013, when the Point-of-Sale (POS) systems were physically located at other sites: the Old Courthouse and U.S. Grant National Historic Site.

“The method of malware infection is unclear. Investigators believe that the malware may have been installed as early as November 2013, when these terminals were physically located at other sites, specifically the Old Courthouse and U.S. Grant National Historic Site.”

Other payments at the Arch, including tram and movie ticketing, and riverboat excursions, are not affected. Online purchases and donations made at the Jefferson National Parks Association website are not affected. Other personal information – such as addresses CVVs and PINs – was not captured because that information is not collected. The method of malware infection is still unclear.

“We took immediate steps to address this unfortunate issue and conduct a thorough investigation,” David Grove, president and CEO of Jefferson National Parks Association, was quoted as saying in a notification posted to the Jefferson National Parks Association website.


Hackers Steal Up To $1 Billion From Banks

Posted on

A hacking ring has stolen up to $1 billion from banks around the world in what would be one of the biggest banking breaches known, a cybersecurity firm says in a report scheduled to be delivered Monday.

The hackers have been active since at least the end of 2013 and infiltrated more than 100 banks in 30 countries, according to Russian security company Kaspersky Lab.

After gaining access to banks’ computers through phishing schemes and other methods, they lurk for months to learn the banks’ systems, taking screen shots and even video of employees using their computers, the company says.

Once the hackers become familiar with the banks’ operations, they use that knowledge to steal money without raising suspicions, programming ATMs to dispense money at specific times or setting up fake accounts and transferring money into them, according to Kaspersky. The report is set to be presented Monday at a security conference in Cancun, Mexico. It was first reported by The New York Times.

The hackers seem to limit their theft to about $10 million before moving on to another bank, part of the reason why the fraud was not detected earlier, Kaspersky principal security researcher Vicente Diaz said in a telephone interview with The Associated Press.

The attacks are unusual because they target the banks themselves rather than customers and their account information, Diaz said.

The goal seems to be financial gain rather than espionage, he said.

“In this case they are not interested in information. They’re only interested in the money,” he said. “They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.”

Most of the targets have been in Russia, the U.S., Germany, China and Ukraine, although the attackers may be expanding throughout Asia, the Middle East, Africa and Europe, Kaspersky says. In one case, a bank lost $7.3 million through ATM fraud. In another case, a financial institution lost $10 million by the attackers exploiting its online banking platform.

Kaspersky did not identify the banks and is still working with law-enforcement agencies to investigate the attacks, which the company says are ongoing.

The Financial Services Information Sharing and Analysis Center, a nonprofit that alerts banks about hacking activity, said in a statement that its members received a briefing about the report in January.

Hackers Steal  $1 Billion From Banks
Hackers Steal $1 Billion From Banks

“We cannot comment on individual actions our members have taken, but on balance we believe our members are taking appropriate actions to prevent and detect these kinds of attacks and minimize any effects on their customers,” the organization said in a statement. “The report that Russian banks were the primary victims of these attacks may be a significant change in targeting strategy by Russian-speaking cybercriminals.”

The White House is putting an increasing focus on cybersecurity in the wake of numerous data breaches of companies ranging from mass retailers like Target and Home Depot to Sony Pictures Entertainment and health insurer Anthem.

The administration wants Congress to replace the existing patchwork of state laws with a national standard giving companies 30 days to notify consumers if their personal information has been compromised.


Zero Day Weekly: Thousands doxed by Jeb Bush, Obama’s cybersummit, Facebook’s ThreatExchange

Posted on

This week U.S. President Obama visited Stanford for a cybersecurity summit with Silicon Valley’s corporate technorati, Jeb Bush doxed 12,000 unsuspecting victims, cloud security research got aggressive, Sony argued to dismiss its eight class-action lawsuits, NIST announced updates, Microsoft had a rough Patch Tuesday, Facebook launched ThreatExchange, and much more.

This week’s Microsoft Patch Tuesday release includes three updates rated Critical, including a massive security update that fixes more than 40 flaws in Internet Explorer. A recently disclosed XSS vulnerability remains unpatched, however, and one Windows Server 2003 bug won’t be fixed.
On Tuesday, iSIGHT Partners and Invincea disclosed an attack on, assumed to be the work of actors from China conducting an espionage campaign. But the way the disclosure was handled, including a sensational news cycle and required registration for actual details, makes it look as if both vendors are using the incident to increase their sales channel.
The Washington Post reported this week that there will be a new agency to sniff out threats in cyberspace: The Cyber Threat Intelligence Integration Center, modeled after the National Counterterrorism Center. Some infosec professionals think it’ll likely fail, because “the President continues to ask the wrong questions of the wrong people.”

President Obama is expected to unveil executive actions today designed to increase information sharing among private sector companies and federal law enforcement, at a cybersecurity summit at Stanford University. Chief executives from four major technology companies will not attend a cybersecurity summit in California on Friday. Instead, senior security staffers from the invited companies, Facebook, Google, Yahoo, and Microsoft, will go in their boss’ places. Bloomberg hinted that the reason why the tech executives are not turning up are in part due to a recent back-and-forth between the US government and their companies.
Florida governor (and potential U.S. presidential candidate) Jeb Bush has had his team hurriedly [after-the-fact] redact the social security numbers and other identity details of 12,000 people from emails he released online covering the putative presidential candidate’s eight years. The emails contained names, sensitive healthcare and employment information, birthdates and social security numbers — the three pieces of information key to identity theft. Bush had opened up the 332,999 emails to public scrutiny, seeking to portray himself as a tech-savvy executive.

Cloud security: Reports slam data protection, national Internets, access myths: “Security is often compared to an arms race — a constant grind of building the newer, the better, and the more effective.” We’re told in Leviathan Security Group’s revelatory whitepapers released this week. Leviathan’s research shows why organizations urgently need to understand that “This comparison is inaccurate.”
Around 16 million mobile devices worldwide were infected by malware at the end of 2014, while attacks on communications networks rose during the year, according to new research by Alcatel-Lucent.

Zero Day Weekly: Thousands doxed by cybersummit, Facebook's
Zero Day Weekly: Thousands doxed by cybersummit, Facebook’s

The security hiring crisis: In a whitepaper released by Leviathan Security Group this week, the firm revealed infosec’s problematic hiring arc — where current solutions appear ruinous, at best. Leviathan’s research team reports that, “With more than one million cybersecurity positions unfilled worldwide, currently-identified security needs couldn’t be met if every employee at GM, Costco, Home Depot, Delta, and Procter & Gamble became security experts tomorrow.”
On Monday, Sony Pictures Entertainment offered its first substantive response to the eight class action lawsuits that have been filed by former employees in the wake of a large-scale hack. The company isn’t arguing that the hack was unforseen, but instead Sony believes that victim harm can’t be proven because no one — so far — has filed complaints of identity theft, fraudulent charges, or misappropriation of medical information. Research and experience shows, however, that unless the employees are in a bubble of statistical anomaly, this is just a matter of time.
10 million passwords and usernames published: This week, Mark Burnett, a security consultant and researcher, released 10 million passwords and linked usernames in a data set compiled from existing information. In order to stop the FBI coming after him, Burnett explained why the information was divulged: The information, sourced from the Internet, was compiled with the intention of furthering research in passwords and user behavior.
HSBC’s Swiss banking arm helped wealthy customers dodge taxes and conceal millions of dollars of assets, doling out bundles of untraceable cash and advising clients on how to circumvent domestic tax authorities, according to a huge cache of leaked secret bank account files.
Facebook launched ThreatExchange on Wednesday, a social network of sorts designed to allow companies to share threat information and intel. The move is the latest example in how an age of cooperation may be emerging as companies increasingly battle cyberattacks of various stripes.