A roundup of the top news stories in information security this week, including a LinkedIn flaw that could impact millions, President Trump spinning off the U.S. Cyber Command from the NSA, and more.
GOVERNMENT
Trump Takes First Step in Spinning Off US Cyber Command from NSA
The U.S. Cyber Command has been officially elevated to a Unified Combatant Command for cyberspace operations. The move is seen as the first step in removing the department from under the umbrella of the National Security Agency. In a statement announcing the move, President Trump said it should “help streamline command and control of time-sensitive cyberspace operations by consolidating them under a single commander.”
VULNERABILITY
LinkedIn Messenger Flaw Could Expose Millions to Malware
Cyber attackers could have uploaded malicious attachments in LinkedIn’s popular messaging feature, thanks to drawbacks in the social network’s own security restrictions. Research conducted by security firm Checkpoint points to a flaw in LinkedIn’s security protections when scanning attachments for malicious activity, which could result in attackers skirting the system. Checkpoint researchers identified four flaws in LinkedIn’s security systems and reported them to the company.
BUG BOUNTY
Researchers Receive $100K Award for Identifying Spearphishing Detection Method
A group of researchers from the University of California, Berkeley and the Lawrence Berkeley National Laboratory have been awarded $100 for identifying a credential spearphishing detection method. The experts received the award as part of Facebook’s annual Internet Defense Prize partnership with USENIX Association. The group calls the detection method an anomaly scoring technique for ranking alerts.
Spammers Prefer Tuesdays to Strike Their Targets
Recent research suggests that spammers focus their efforts on Tuesdays when their targets are most active online. Experts at IBM X-Force gather six months of data to come to their conclusion. According to the research, 83% of spam is sent on weekends, with Tuesday coming in as the highest day. The data collected by the experts is from December 2016 to June 2017.
Click here for full blog post.
ESPIONAGE
FBI Recommends U.S. Firms Drop Kaspersky Lab Apps
The FBI has been meeting with companies to warn them of the dangers of working with cybersecurity firm Kaspersky Lab. The law enforcement agency believes that the cybersecurity firm cannot be trusted with protecting the country’s critical infrastructure. The company has denied the agency’s claims, even going as far as offering up its source code in an effort to clear its name.
CYBER ATTACK
Ukrainian Security Firm Warns of New Wave of Attacks
ISSP, a Ukranian cybersecurity firm, believes it has detected a new malware campaign that could result in a similar global assault that impacted organizations across the globe in June. Similar to NotPetya, the malware that crippled Ukranian government agencies and businesses this summer, the malware seems to originate in accounting software and may be aimed at taking down Ukranian networks on August 24, the country’s Independence Day.
Cybersecurity Firms Expect a “Chronic Shortage” of Qualified Staff
The number one problem the cybersecurity world faces is a shortage of qualified staff, according to one analyst. Cybersecurity Ventures’ Steve Morgan says it’s an “absolute epidemic” that’s having a profound impact on the industry. After gathering feedback from executives at cybersecurity company’s, a majority pointed to the same problem.
MALWARE
BankBot Malware Found in Google Play Marketplace
Malware has once again managed to get past Google Play’s defenses. Security researchers have discovered that an Android banking malware was hiding on the popular app marketplace that managed to thwart detection view new tactics. Dubbed BankBot, the malware has the ability to download additional programs without the user’s knowledge.
Click here for full blog post.
Secure Messaging App Zero Days Can Earn Researchers $500K
Security researchers looking for a big pay day can earn $500,000 for any remote code execution and local privilege elevation zero days reported to Zerodium, a vendor in the exploit acquisition market. These zero days must be found in messaging apps like WhatsApp, Signal, Facebook Messenger, iMessage, and Telegram.
Yahoo Breach Suspect Pleads Not Guilty
The 22-year-old man that allegedly played a central role in Yahoo’s massive data breach pleaded not guilty before a federal district court judge in San Francisco on Wednesday. Karim Baratov, a Canadian citizen, born in Kazakhstan, was arrested in Canada last March in connection with the data breach that resulted in the compromised account information of 500 million users.