Concerned observers in the Middle East and North Africa note the Islamic State's (formerly known as ISIS or ISIL) alarming proficiency with information operations, particularly its ability to rapidly spawn social media accounts and its Hollywood-like proficiency at lurid terror-propaganda.
The PLA seems to have probed Israel's defense industry with some success (although IAI says China got no sensitive data). The hack of Canada's National Research Council (NRC), also attributed to Chinese intelligence services, is forcing the NRC to undertake a costly, yearlong overhaul of its network security.
Worries about Tor anonymity persist; perhaps details will be forthcoming at Black Hat or DEFCON. Amazon EC2 is exploited for denial-of-service. Android users are warned against the Fake ID vulnerability, and of the possibility of exploits attacking device speakers. This last is a proof-of-concept: expect a flurry of such demonstrations over the next two weeks as Black Hat and DEFCON convene. An Instagram vulnerability exposes iPhones to hijacking.
Various warnings concerning Internet-of-Things (IoT) vulnerabilities appear: IoT devices' limited memory limits security possibilities; the devices also tend to communicate insecurely.
The video game industry is under attack by IP thieves known as "Threat Group-3279."
Trustwave compares black market malware to items one might purchase in ordinary life. (While the Chicagoans may be buying high-end seats at White Sox games, the degree of exploit tool commodification remains sobering.)
Worries about empowering a tribe of twelve-year-old script kiddies induce the Hoboken (New Jersey) School District to cancel its program of giving every middle-schooler a laptop.
Today's issue includes events affecting Australia, Canada, China, European Union, Germany, Iraq, Israel, New Zealand, Syria, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
The Islamic State's most effective wars are waged online(The National) The internet has provided an extremely effective platform for the warring parties in Iraq and Syria to wage a proxy war. The Islamic State group (formerly known as the Islamic State of Iraq and the Levant, or ISIL), has launched a global campaign on social media, which has wrong-footed the international community. Compelled by the success of this propaganda, government officials in Iraq and Syria have also bolstered their cyber warfare efforts
IAI denies cyber attack claims(IHS Jane's Defense Weekly) Israel Aerospace Industries (IAI) released a statement on 29 July refuting a report claiming that the company lost sensitive information in a 2012 cyber attack
Attack on Tor Has Likely Stripped Users of Anonymity(Gizmodo) Tor, the network used specifically for privacy and anonymity, just warned users of an attack meant to deanonymize people on the service. Anyone who used Tor from February 2014 through this July 4 can assume they were impacted
Researchers successfully attack Android through device's speaker(Help Net Security) A group of researchers from the Chinese University of Hong Kong have demonstrated that even applications with zero permissions can be used to launch attacks that allow attackers to forge text and email messages, access private information, receive sensitive data, and even gain remote control of the targeted device
New Ransomware Strain Causes Data Breaches, KnowBe4 Warns (Business Solutions) CryptoWall leads to data breach at brokerage house. Ransomware continues to proliferate, fulfilling the predictions of IT Pros and security experts. A new survey by IT Security company KnowBe4 shows the growing alarm among IT Pros about the threat of ransomware like the infamous CryptoLocker
Zero-day flaws found in Symantec's Endpoint Protection(IDG News Service via PC World) Symantec's Endpoint Protection product has three zero-day flaws that could allow a logged-in user to move to a higher access level on a computer, according to a penetration testing and training company
The Dawn of Government-Grade Cybercrime: Gyges(Cyactive) Gyges, a malware currently being used for cybercrime purposes, was found in the wild in March 2014. Believed to have originated in Russia, its stealth techniques suggest that it was developed originally for use in government espionage programs. Such reuse constitutes a step-up in cybercrime sophistication
Smart Meters May Provide An Entrance Point for Cyber Attacks on the Connected Home(Appliance Magazine) Adoption of Internet-enabled Smart Meters is growing, and the meters may be intrinsic to future widespread efforts to connect a home to the Smart Grid and enable efficient home energy use. But cyber security solutions provider Trend Micro says smart meters offer a pathway for cyber criminals to access the home network and all its connected appliances and electronics
Security Patches, Mitigations, and Software Updates
Vulnerabilities in Alipay Android App Fixed(TrendLabs Security Intelligence Blog) Alipay is a popular third-party payment platform in China that is operated by Alibaba, one of the biggest Internet companies in China. We recently found two vulnerabilities in their Android app that could be exploited by an attacker to carry out phishing attacks to steal Alipay credentials. We disclosed the said vulnerabilities to Alipay; they acknowledged the issue and provided updates to their users earlier this month which fixed this vulnerability. Version 8.2 and newer of the Alipay app no longer contain this vulnerability. We urge all users of the Alipay app to check if they still have the vulnerable version and update to the latest version (if needed)
What You Can Buy for the Same Cost as Malware(Trustwave Blog) Malware is easier to use and more affordable than ever, making the barrier to entry especially seamless for modern-day cybercriminals - no matter how skilled they are or how deep their pockets run
Healthcare Security: CSOs Needed(InformationWeek) Too many healthcare environments cling to insecure legacy systems and lax accessibility standards. It's time to enact strong security leadership
Utilities told of cyber attack danger(Radio NZ) A new survey indicates the majority of New Zealand and Australian organisations, responsible for providing critical infrastructure, aren't doing enough to prevent serious cyber attacks
German Government Chooses BlackBerry For Its Security(Übergizmo) Several years ago, the idea of using an Android phone or an iPhone as a government or corporate device seemed a little ludicrous. This is thanks to the fact that back in the day, BlackBerry devices were at the forefront of mobile security, and thanks to features like BES, it made the lives of IT admins a little easier
Sysorex Companies Open Joint Offices and Technology Demonstration Center in Southern California(Wall Street Journal) Two Sysorex Global Holdings Corp. (NASDAQ:SYRX) ("Sysorex") subsidiaries today announced the opening of joint offices in Carlsbad, California, about 30 miles north of San Diego. AirPatrol Corporation ("AirPatrol"), which develops a suite of location-based security and services platforms for mobile devices, and Lilien Systems ("Lilien"), an IT infrastructure and big data solutions provider, will use the location to demonstrate the enhanced capabilities of the integrated technologies of both companies and to support the customer base in the region. It is the fifth office for both organizations and the first time two Sysorex subsidiaries will share facilities
Verdasys Promotes Peter Tyrrell to Chief Operating Officer(MarketWatch) Verdasys, the leading provider of advanced data protection for endpoints for Global 2000 and mid-sized companies, has promoted Peter Tyrrell to chief operating officer (COO). As COO, Pete will be responsible for enabling operational excellence across the company and building capabilities for the company's future growth
Bugcrowd's Independent Security Research Community Reaches 10,000 Participants(Broadway World) Bugcrowd, the innovator in crowdsourced security testing for the enterprise, today announced that its network of independent security researchers, the Crowd, has reached a milestone of 10,000 participants, making it the largest and most diverse security testing team in the world. These researchers have opted-in to participate in more than 90 bug bounty, responsible disclosure and Flex Bounty programs that the company has conducted to-date
Your iPhone Can Finally Make Free, Encrypted Calls(Wired) If you're making a phone call with your iPhone, you used to have two options: Accept the notion that any wiretapper, hacker or spook can listen in on your conversations, or pay for pricey voice encryption software
BAE Systems and Mach 1 Development Partner to Deliver Secure Document Management and Tracking Solutions(Wall Street Journal) BAE Systems is enhancing its highly sophisticated data collaboration and dissemination tool, SIBA(TM), through the interoperability of Mach 1 Development's DocuTRACER(R) document watermarking solution. By combining SIBA with DocuTRACER, SIBA will now have the added capability of tracking who accesses each file shared and what changes were made, while also tracing where each document is distributed
Continuous monitoring for enterprise incident response(Help Net Security) Qualys has further bolstered its Continuous Monitoring (CM) cloud service. The latest features include automated alerts for changes in perimeter IP addresses, as well as a new API interface that enables integration of alerts into incident response systems and SIEMs such as Splunk and HP ArcSight
Layered security in the cloud(Help Net Security) When designing your cloud architecture you may notice several differences between the cloud-computing environment and the "old world" of physical infrastructure. Two of the main differences are elasticity and dynamism, which are part of the cloud's DNA
Using Hollywood to improve your security program(Help Net Security) I spend a lot of time on airplanes, and end up watching a lot of movies. Some of my favorite movies are adventures, spy stuff, and cunning heist movies. Recently, I realized that a lot of these movies provide great lessons that we can apply to information security
Secure Microkernel SEL4 Code Goes Open-Source(Threatpost) General Dynamics C4 Systems and Australia's Information and Communications Technology Research Centre (NICTA) today open sourced the code-base of a secure microkernel project known as seL4. Touted as "the most trustworthy general purpose microkernel in the world," seL4 has previously been adapted by organizations like DARPA as high-assurance systems used onboard military unmanned aerial vehicles and for similar defense and commercial uses
Cliché: open-source is secure(Errata Security) Some in cybersec keep claiming that open-source is inherently more secure or trustworthy than closed-source. This is demonstrably false
Research and Development
Threat Intelligence Tool Connect Dots on Pre-Attack Data(Threatpost) Enterprises longing for an automated system that sends up a smoke signal that attackers may be planning a move against a particular organization or are promoting a new tool that targets companies in a specific industry may have had their wish come true
Can Winograd Schemas Replace Turing Test for Defining Human-Level AI?(IEEE Spectrum) Earlier this year, a chatbot called Eugene Goostman "beat" a Turing Test for artificial intelligence as part of a contest organized by a U.K. university. Almost immediately, it became obvious that rather than proving that a piece of software had achieved human-level intelligence, all that this particular competition had shown was that a piece of software had gotten fairly adept at fooling humans into thinking that they were talking to another human, which is very different from a measure of the ability to "think"
CyberPatriot Having Big Impact on STEM Education and Career Choices, Data Shows(KAIT8) The Air Force Association's CyberPatriot Program Office released today results of its first comprehensive survey assessing current education and career pursuits of past participants of AFA's CyberPatriot National Youth Cyber Education Program. Graduates of the program who have now entered higher education and the workforce were surveyed to determine whether they are now in science, technology, engineering, and mathematics (STEM) higher education programs or, if already in the workforce, if CyberPatriot had led them to STEM career paths
Sen. Leahy's Latest NSA bill: The Good, The Bad, and The Ugly(Just Security) This morning, Senator Patrick Leahy released a new version of the USA Freedom Act, a bill intended to reform NSA surveillance following Edward Snowden's revelations that the intelligence agency collects Americans' calling records in bulk. USA Freedom Act has a disappointing history. While initially proposing much for Americans, if not our friends overseas, to like, the version that eventually passed the House in May was, at best, utterly neutered. Today's version, hashed out between Sen. Leahy, Obama Administration officials, and civil liberties proponents, moves the needle much closer to the original version
Homeland Security wants corporate board of directors more involved in cyber-security(ComputerWorld) Setting corporate cyber-security policy and taking actions around it must be a top concern for the board of directors at any company, not just the information-technology division, the Department of Homeland Security (DHS) indicated as a high-level official there backed a private-sector effort to raise awareness at the board level
Delaware Adopts Law Requiring the Destruction of Consumers' Personally Identifiable Information(JD Supra Business Advisor) On July 1, 2014, Delaware Governor Jack Markell signed into law Delaware House Bill 295, which amends Section 6 of the Delaware Code relating to trade and commerce. The new law, 6 Delaware Code §§50C-101 thru 50C-401, places new obligations on commercial entities with respect to the destruction of records containing the personally identifiable information of consumers. Importantly, the law exposes companies to new civil lawsuits by consumers and administrative enforcement actions by the Delaware Department of Justice. The new law is effective on January 1, 2015
Microsoft Faces Investigations in China(VPN Creative) According to a report by the South China Morning Post, Microsoft is officially under investigation by the Chinese government as of July 28, 2014. Officials visited Microsoft offices in Shanghai, Beijing, Chengdu, and Guangzhou representing the State Administration for Industry and Commerce (SAIC). This investigation comes in the wake of several media accusations against US-based tech industries
About those alleged backdoors in Microsoft products…(NetworkWorld) Scott Charney, of Microsoft's Trustworthy Computing, said the government has "never" asked for a backdoor in Microsoft products. Yet a former engineer working on BitLocker claimed the government does ask, but those requests are "informal"
VirnetX Announces Denial of Three Microsoft Petitions for Inter Partes Review(Wall Street Journal) VirnetX™ Holding Corporation (NYSE MKT: VHC), an Internet security software and technology company, announced today that last week, the United States Patent and Trademark Office (USPTO) denied three petitions for inter partes review (IPR) filed by Microsoft. These petitions sought review of certain claims of VirnetX's U.S. Patent Nos. 6,502,135 ('135 patent) and 7,188,180 ('180 patent). Like some of the petitions filed by Apple and all of the petitions filed by RPX, the USPTO found that Microsoft's petitions were not filed within the time limit imposed by the statute and declined to institute inter partes review. Microsoft was found to infringe both '135 and '180 patents in a prior lawsuit filed by VirnetX against Microsoft
Can BYOD solve challenge of electronic discovery?(Tech Page One) Employers aren't always able to prevent employees from using their own devices while on the job. This can cause problems for a company's legal counsel when a lawsuit involves electronic discovery of company documents. More and more of these documents are being created on personal devices and stored somewhere on the internet. One possible solution for companies might be to enter into agreements that make the employee's personal device the employer's device as well
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Black Hat USA 2014 Black Hat USA is the show that sets the benchmark for all other security conferences. As Black Hat returns for its 17th year to Las Vegas, we bring together the brightest in the world for six days of learning,...
SHARE in Pittsburgh(Pittsburgh, Pennsylvania, USA, August 3 - 8, 2014) LEARN: Subject-matter experts and practitioners are on-hand at SHARE events to discuss major issues facing enterprise IT professionals today.
FOCUS: SHARE provides leading-edge technical education on a variety of topics. Whether you are an IT manager, IT architect, systems analyst, systems programmer or in IT support, SHARE offers focused sessions to benefit all job roles.
ENGAGE: At SHARE events, you will experience a wide variety of formal and informal networking opportunities that encourage valuable peer-to-peer interaction...
4th Annual Cyber Security Training Forum(Colorado Springs, Colorado, USA, August 5 - 6, 2014) The Information Systems Security Association (ISSA) — Colorado Springs Chapter and FBC, Inc. will co-host the 4th Annual Cyber Security Training Forum (CSTF). CSTF is set to convene from Tuesday August...
BSidesLV 2014(Las Vegas, Nevada, USA, August 5 - 6, 2014) We have an amazing array of speakers each year, covering topics such as Penetration Testing, Forensics, Incident Response, Risk, and everything in between. We have a Lockpick Village, the Squirrels in...
Passwords14(Las Vegas, Nevada, USA, August 5 - 6, 2014) Passwords is the first and only conference of its kind, where leading researchers, password crackers, and experts in password security from around the globe gather in order to better understand the challenges...
DEF CON 22(Las Vegas, Nevada, USA, August 7 - 10, 2014) The annual hacker conference, with speakers, panels, and contests. Visit the site and penetrate to the schedules and announcements.
South Africa Banking and ICT Summit(Lusaka, Zambia, August 8, 2014) The South Africa Banking and ICT Summit is the exclusive platform to meet industry thought leaders and decision makers, discover leading edge products and services and discuss innovative strategies to...
SANS Cyber Defense Summit and Training(Nashville, Tennessee, USA, August 13 - 20, 2014) The SANS Institute's Cyber Defense Summit will be paired with intensive pre-summit hands-on information security training (August 13-18). This event marks the first time that SANS will conduct a training...
AFCEA Technology & Cyber Day(Tinker AFB, Oklahoma, USA, August 21, 2014) The Armed Forces Communications & Electronics Association (AFCEA) — Oklahoma City Chapter will once again host the 10th Annual Information Technology & Cyber Security Day at Tinker AFB. This is the only...
Resilience Week(Denver, Colorado, USA, August 19 - 21, 2014) Symposia dedicated to promising research in resilient systems that will protect critical cyber-physical infrastructures from unexpected and malicious threats—securing our way of life.
The Hackers Conference(New Delhi, India, August 30, 2014) The Hackers Conference is a unique event, where the best of minds in the hacking world, leaders in the information security industry and the cyber community along with policymakers and government representatives...