The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.
Today’s Predictions for Tomorrow’s Internet – National Cyber Security Awareness Month – Week 3: October 16-20 - CSIAC
Smart cities, connected devices, digitized records, as well as smart cars and homes have become a new reality. Week 3 will remind citizens that their sensitive, personal information is the fuel that makes smart devices work. While there are tremendous benefits of this technology, it is critical to understand how to use these cutting-edge innovations in safe and secure ways.
Free CSIAC Webinar – Thursday, October 26 @ 12:00 pm EDT – Applying the 20 Critical Controls for Risk Assessment - CSIAC
This webinar will introduce attendees to the Center for Internet Security (CIS) Top 20 Critical Security Controls. Tools and techniques to implement the controls will be discussed. With the uncertainty and risks associated with the Internet of Things (IoT), it is essential to understand how to assess a system or a business network and implement controls to eliminate, minimize, mitigate or manage risk. The "Top 20" is an industry-accepted framework for cyber security managers to address all elements within and threats to a network. The incorporation of these controls provides learners with real-world skills and experiences.
The UpGuard Cyber Risk Team can now disclose that Viacom Inc, the Fortune 500 corporation that owns Paramount Pictures, as well as cable channels like MTV, Comedy Central, and Nickelodeon, exposed a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation's business operations.
The potentially catastrophic cyber threat looming over U.S. critical infrastructure is potentially worse than a busy hurricane season, according to a key Department of Energy infrastructure security official.
Moscow was probably behind interruptions in Latvia's mobile communications network before Russia's war games last month, in an apparent test of its cyber attack tools, Baltic and NATO officials said, based on early intelligence of the drills.
DOD Tests and Deploys Upgraded JRSS - Defense Systems
The Navy is now assessing its implementation of its Joint Regional Security Stacks data consolidation and interoperability initiative by subjecting data networks to a wide range of attack scenarios, emerging threats and operational conditions.
North Korea Hackers Stole South Korea-U.S. Military Plans to Wipe Out North Korea Leadership: Lawmaker - Reuters
Democratic Party representative Rhee Cheol-hee said 235 gigabytes of military documents were taken from the Defense Integrated Data Center in September last year, citing information from unidentified South Korean defense officials.
In May credit reporting service Equifax's website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers.
A most-recent example shows a message that again spoofs Netflix but also collects credit card details.
An air of unease set into security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop on Wi-Fi traffic passing between computers and access points. The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks.
Cisco Talos previously published research into a targeted attack that leveraged an interesting infection process using DNS TXT records to create a bidirectional command and control (C2) channel. Using this channel, the attackers were able to directly interact with the Windows Command Processor using the contents of DNS TXT record queries and the associated responses generated on the attacker-controlled DNS server. We have since observed additional attacks leveraging this type of malware attempting to infect several target organizations. These attacks began with a targeted spear phishing email to initiate the malware infections and also leveraged compromised U.S. state government servers to host malicious code used in later stages of the malware infection chain.
Researchers have demonstrated a way for remote attackers to exfiltrate data from and send malicious commands to air-gapped networks, using infrared surveillance cameras that ironically are supposed to make the organizations using them more secure.
Russia Turns Cold on Crypto-Currencies - Reuters
President Vladimir Putin said on Tuesday crypto-currencies were risky and used for crime, as Russia’s central bank said it would block websites selling bitcoin and its rivals - a change of tone from a month-old promise to legalize the market.
The smaller version of Google's Assistant-equipped smart speaker, unveiled earlier this month, apparently suffers from a bug that caused some units to record sounds at random times and transmit the audio to Google's servers. Google said Tuesday it issued a software update on Saturday to address the issue.
In its ongoing quest to trap and kill Android malware, Google has, as usual, turned to machine learning - and is reporting some success.
Do you want the user's Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so.
White House officials believe that chief of staff John Kelly's personal cellphone was compromised, potentially as long ago as December, according to three U.S. government officials.
Cable Internet with download and upload speeds of 10Gbps may eventually come to American homes thanks to a new specification for higher-speed, symmetrical data transmissions.
New NIST and DHS Standards Get Ready to Tackle BGP Hijacks - Bleeping Computer
Two US government agencies have joined forces to coordinate the creation of a new set of standards aimed at securing the routing of information between major Internet entities, such as Internet Service Providers, hosting providers, cloud providers, and educational, research, and national networks.
The solution they developed is actually a collection of standards known collectively as Secure Inter-Domain Routing (SIDR).
CVE-2017-11779, fixed by Microsoft in October of 2017, covers multiple memory corruption vulnerabilities in the Windows DNS client. The issues affect computers running Windows 8 / Server 2012 or later, and can be triggered by a malicious DNS response. An attacker can exploit this issue to gain arbitrary code execution in the context of the application that made the DNS request.
It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.
Apple Releases macOS High Sierra 10.13 Supplemental Update With Fix for APFS Disk Utility Bug and Keychain Vulnerability - Mac Rumors
Apple today released a supplemental update to macOS High Sierra 10.13, the first update to the macOS High Sierra operating system that was released to the public in late September. The macOS High Sierra 10.13 update comes just over one week after the release of macOS High Sierra.
The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.