Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On August 08, 2016

August 5, Softpedia – (International) HEIST attack can steal data from HTTPS-encrypted traffic. Two security researchers disclosed a purely browser-based attack, dubbed HEIST, that can extract secrets from Hypertext Transfer Protocol Secure (HTTPS) traffic without any network-level access. A Web page controlled by the attacker embeds JavaScript that silently fetches a private page from the target site, one containing sensitive information such as credit card numbers or Social Security numbers, with the victim's cookies attached. By repeatedly probing how the encrypted response is split across transmission control protocol (TCP) packets, the script pinpoints the exact size of that response; when the page is compressed and reflects attacker-supplied input, that size is enough to guess the page's contents one character at a time, the same principle behind the earlier BREACH and CRIME attacks. The researchers advised users to disable support for third-party cookies or JavaScript execution in their browsers to block HEIST attacks. Source

August 5, Help Net Security – (International) 58% of orgs have no controls in place to prevent insider threats. Veriato and other firms released the Insider Threat Spotlight Report, which found that nearly half of the 500 cybersecurity professionals surveyed had seen an increase in insider attacks since 2015, that 58 percent of organizations lack appropriate controls to prevent insider attacks, and that 44 percent of respondents did not know whether their organization had experienced one. The survey also found that endpoints are the most common launch point for insider attacks, followed by mobile devices. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

August 5, Dark Reading - New Internet Security Domains Debut. Meet the new .security and .protection domains. Registry operator gen.xyz this week launched two new top-level Internet domains, .security and .protection, marketed as a home for security-focused websites and a safer online experience for end users. Registrants can use the domains to reinforce a brand, organization name, service location, or industry keyword, says Nils Decker, director of business development for gen.xyz. Big security players such as Norton, FireEye, and Master Lock have already registered names under the new .security and .protection domains. An organization in Southern California, for example, might select la.security; spam.protection could do the trick for an email filtering company. Note that the top-level domain is a branding choice only: a name under .security or .protection carries no technical guarantee about the site behind it. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.