Daily briefing.

Concerned observers in the Middle East and North Africa note the Islamic State's (formerly known as ISIS or ISIL) alarming proficiency with information operations, particularly its ability to rapidly spawn social media accounts and its Hollywood-like proficiency at lurid terror-propaganda.

The PLA seems to have probed Israel's defense industry with some success (although IAI says China got no sensitive data). The hack of Canada's National Research Council (NRC), also attributed to Chinese intelligence services, is forcing the NRC to undertake a costly, yearlong overhaul of its network security.

Worries about Tor anonymity persist; perhaps details will be forthcoming at Black Hat or DEFCON. Amazon EC2 is exploited for denial-of-service. Android users are warned against the Fake ID vulnerability, and of the possibility of exploits attacking device speakers. This last is a proof-of-concept: expect a flurry of such demonstrations over the next two weeks as Black Hat and DEFCON convene. An Instagram vulnerability exposes iPhones to hijacking.

Various warnings concerning Internet-of-Things (IoT) vulnerabilities appear: IoT devices' limited memory limits security possibilities; the devices also tend to communicate insecurely.

The video game industry is under attack by IP thieves known as "Threat Group-3279."

Trustwave compares black market malware to items one might purchase in ordinary life. (While the Chicagoans may be buying high-end seats at White Sox games, the degree of exploit tool commodification remains sobering.)

Worries about empowering a tribe of twelve-year-old script kiddies induce the Hoboken (New Jersey) School District to cancel its program of giving every middle-schooler a laptop.

Notes.

Today's issue includes events affecting Australia, Canada, China, European Union, Germany, Iraq, Israel, New Zealand, Syria, United Kingdom, United States.

Cyber Attacks, Threats, and Vulnerabilities

The Islamic State's most effective wars are waged online (The National) The internet has provided an extremely effective platform for the warring parties in Iraq and Syria to wage a proxy war. The Islamic State group (formerly known as the Islamic State of Iraq and the Levant, or ISIL), has launched a global campaign on social media, which has wrong-footed the international community. Compelled by the success of this propaganda, government officials in Iraq and Syria have also bolstered their cyber warfare efforts

Comment Crew Chinese Hackers Blamed for Stealing Israeli Missile Secrets (Infosecurity Magazine) Notorious PLA unit was after IP related to Israel's Iron Dome missile defense system, says CyberESI

IAI denies cyber attack claims (IHS Jane's Defense Weekly) Israel Aerospace Industries (IAI) released a statement on 29 July refuting a report claiming that the company lost sensitive information in a 2012 cyber attack

Suspected Chinese cyber attack forces NRC security overhaul (Ottawa Citizen) The National Research Council has launched a massive, year-long security overhaul of its computer systems after a series of cyber attacks believed to have come from China

Attack on Tor Has Likely Stripped Users of Anonymity (Gizmodo) Tor, the network used specifically for privacy and anonymity, just warned users of an attack meant to deanonymize people on the service. Anyone who used Tor from February 2014 through this July 4 can assume they were impacted

4 Facts About Operation Emmental (BankInfoSecurity) Could malware campaign spread to U.S. and U.K.?

DDoS-ers Launch Attacks From Amazon EC2 (Infosecurity Magazine) Cybercriminals exploit vulnerability in Elasticsearch software to infiltrate cloud instances

Android users warned of critical vulnerability (CSO) Called Fake ID, the vulnerability is in the way Android handles certificate validation, which could let a hacker gain full control of a device

Researchers successfully attack Android through device's speaker (Help Net Security) A group of researchers from the Chinese University of Hong Kong have demonstrated that even applications with zero permissions can be used to launch attacks that allow attackers to forge text and email messages, access private information, receive sensitive data, and even gain remote control of the targeted device

New Ransomware Strain Causes Data Breaches, KnowBe4 Warns (Business Solutions) CryptoWall leads to data breach at brokerage house. Ransomware continues to proliferate, fulfilling the predictions of IT Pros and security experts. A new survey by IT Security company KnowBe4 shows the growing alarm among IT Pros about the threat of ransomware like the infamous CryptoLocker

Instagram vulnerability on iPhone allows for account takeover (CSO) Instagram is moving to full https encryption but isn't there just yet

Zero-day flaws found in Symantec's Endpoint Protection (IDG News Service via PC World) Symantec's Endpoint Protection product has three zero-day flaws that could allow a logged-in user to move to a higher access level on a computer, according to a penetration testing and training company

The Dawn of Government-Grade Cybercrime: Gyges (Cyactive) Gyges, a malware currently being used for cybercrime purposes, was found in the wild in March 2014. Believed to have originated in Russia, its stealth techniques suggest that it was developed originally for use in government espionage programs. Such reuse constitutes a step-up in cybercrime sophistication

Dark Reading Radio: Data Loss Prevention (DLP) Fail (Dark Reading) Learn about newly found vulnerabilities in commercial and open-source DLP software in the 7/30 episode of Dark Reading Radio

Scan Shows Possible Heartbleed Fix Failures (Dark Reading) Study indicates many Global 2000 firms patched, but failed to replace digital certificates

Hacker crack squad hitting the video game industry with IP-stealing attacks (V3) A hacker group, codenamed Threat Group-3279 (TG-3279), is hitting the video games industry with a wave of advanced cyber attacks designed to steal source code, according to Dell SecureWorks

HP Warns Of IoT Security Risks (InformationWeek) Many Internet of Things devices communicate insecurely, warns HP's Fortify unit

Smart Meters May Provide An Entrance Point for Cyber Attacks on the Connected Home (Appliance Magazine) Adoption of Internet-enabled Smart Meters is growing, and the meters may be intrinsic to future widespread efforts to connect a home to the Smart Grid and enable efficient home energy use. But cyber security solutions provider Trend Micro says smart meters offer a pathway for cyber criminals to access the home network and all its connected appliances and electronics

Security Patches, Mitigations, and Software Updates

I2P patched against de-anonymizing 0-day, Tails integration still to follow (Help Net Security) Developers of the I2P anonymous networking tool have released a new version (0.9.14) of the tool that fixes XSS and remote execution vulnerabilities reported by Exodus Intelligence

Vulnerabilities in Alipay Android App Fixed (TrendLabs Security Intelligence Blog) Alipay is a popular third-party payment platform in China that is operated by Alibaba, one of the biggest Internet companies in China. We recently found two vulnerabilities in their Android app that could be exploited by an attacker to carry out phishing attacks to steal Alipay credentials. We disclosed the said vulnerabilities to Alipay; they acknowledged the issue and provided updates to their users earlier this month which fixed this vulnerability. Version 8.2 and newer of the Alipay app no longer contain this vulnerability. We urge all users of the Alipay app to check if they still have the vulnerable version and update to the latest version (if needed)

Cyber Trends

What You Can Buy for the Same Cost as Malware (Trustwave Blog) Malware is easier to use and more affordable than ever, making the barrier to entry especially seamless for modern-day cybercriminals - no matter how skilled they are or how deep their pockets run

Is "Bring Your Own Identity" a security risk or advantage? (NetworkWorld) Questions abound over websites authenticating users via identities established through Facebook, LinkedIn, Google, Amazon, Microsoft Live, Yahoo, Ponemon Institute survey shows

Frost & Sullivan: Explosion of Digital Identities Sustains Global Demand for Public Key Infrastructure Certificates (FierceITSecurity) The surge in the number of data breaches and recent security bugs such as Heartbleed has generated strong interest in digital certificates and technologies, including secure sockets layer (SSL) and public key infrastructure (PKI). PKI, in particular, remains the trusted technology for all projects where secured identity management is crucial

IT pros unsure about virtualization security (FierceITSecurity) The need for security in virtual environments escapes many IT pros, yet a majority understand the importance of virtualization to their IT infrastructure

Security risks lie just below the surface of data lakes (FierceITSecurity) While data lakes are being marketed as a key part of any big data solution, they could pose security and regulatory risks to the enterprise

Healthcare Security: CSOs Needed (InformationWeek) Too many healthcare environments cling to insecure legacy systems and lax accessibility standards. It's time to enact strong security leadership

Utilities told of cyber attack danger (Radio NZ) A new survey indicates the majority of New Zealand and Australian organisations, responsible for providing critical infrastructure, aren't doing enough to prevent serious cyber attacks

Marketplace

German Government Chooses BlackBerry For Its Security (Übergizmo) Several years ago, the idea of using an Android phone or an iPhone as a government or corporate device seemed a little ludicrous. This is thanks to the fact that back in the day, BlackBerry devices were at the forefront of mobile security, and thanks to features like BES, it made the lives of IT admins a little easier

Feds doled out millions towards Tor online anonymity tools (Russia Today) The National Security Agency may be working to crack the anonymous Tor browser, but the US government actually donated close to $2 million to the project in 2013

Sysorex Companies Open Joint Offices and Technology Demonstration Center in Southern California (Wall Street Journal) Two Sysorex Global Holdings Corp. (NASDAQ:SYRX) ("Sysorex") subsidiaries today announced the opening of joint offices in Carlsbad, California, about 30 miles north of San Diego. AirPatrol Corporation ("AirPatrol"), which develops a suite of location-based security and services platforms for mobile devices, and Lilien Systems ("Lilien"), an IT infrastructure and big data solutions provider, will use the location to demonstrate the enhanced capabilities of the integrated technologies of both companies and to support the customer base in the region. It is the fifth office for both organizations and the first time two Sysorex subsidiaries will share facilities

Verdasys Promotes Peter Tyrrell to Chief Operating Officer (MarketWatch) Verdasys, the leading provider of advanced data protection for endpoints for Global 2000 and mid-sized companies, has promoted Peter Tyrrell to chief operating officer (COO). As COO, Pete will be responsible for enabling operational excellence across the company and building capabilities for the company's future growth

Prevalent Hires New Chief Strategy Officer (Fort Mill Times) Matthew Hicks joins cyber risk management innovator to expand and accelerate strategic development

BAE cyber wing appoints female head of engineering (Engineering and Technology Magazine) The IT security wing of BAE Systems has appointed Elaine Baker as director of engineering, the first woman to take up the role

Former Coca-Cola CISO joins Accuvant (CSO) Renee Guttmann, former Coca-Cola chief information security officer, has joined Accuvant in the company's office of the CISO

Products, Services, and Solutions

Bugcrowd's Independent Security Research Community Reaches 10,000 Participants (Broadway World) Bugcrowd, the innovator in crowdsourced security testing for the enterprise, today announced that its network of independent security researchers, the Crowd, has reached a milestone of 10,000 participants, making it the largest and most diverse security testing team in the world. These researchers have opted-in to participate in more than 90 bug bounty, responsible disclosure and Flex Bounty programs that the company has conducted to-date

Nation-E Readies Cybersecurity Center for Critical Infrastructure (Infosecurity Magazine) The focus will be on training and disaster preparedness

Your iPhone Can Finally Make Free, Encrypted Calls (Wired) If you're making a phone call with your iPhone, you used to have two options: Accept the notion that any wiretapper, hacker or spook can listen in on your conversations, or pay for pricey voice encryption software

BAE Systems and Mach 1 Development Partner to Deliver Secure Document Management and Tracking Solutions (Wall Street Journal) BAE Systems is enhancing its highly sophisticated data collaboration and dissemination tool, SIBA(TM), through the interoperability of Mach 1 Development's DocuTRACER(R) document watermarking solution. By combining SIBA with DocuTRACER, SIBA will now have the added capability of tracking who accesses each file shared and what changes were made, while also tracing where each document is distributed

Continuous monitoring for enterprise incident response (Help Net Security) Qualys has further bolstered its Continuous Monitoring (CM) cloud service. The latest features include automated alerts for changes in perimeter IP addresses, as well as a new API interface that enables integration of alerts into incident response systems and SIEMs such as Splunk and HP ArcSight

Technologies, Techniques, and Standards

Can information sharing stop bots in their tracks? (NetworkWorld) Bots are exceedingly prevalent on networks, but information sharing among security professionals may be the key to fighting them off

A practical survival guide to Black Hat and DEF CON (CSO) If you're heading to Vegas for the annual gathering, here's a realistic list of expectations and precautions

The Battle Of The Block: How LinkedIn Finally Stopped The Stalkers (Readwrite) Inside the building of LinkedIn's block feature

Layered security in the cloud (Help Net Security) When designing your cloud architecture you may notice several differences between the cloud-computing environment and the "old world" of physical infrastructure. Two of the main differences are elasticity and dynamism, which are part of the cloud's DNA

Using Hollywood to improve your security program (Help Net Security) I spend a lot of time on airplanes, and end up watching a lot of movies. Some of my favorite movies are adventures, spy stuff, and cunning heist movies. Recently, I realized that a lot of these movies provide great lessons that we can apply to information security

The Perfect InfoSec Mindset: Paranoia + Skepticism (Dark Reading) A little skeptical paranoia will ensure that you have the impulse to react quickly to new threats while retaining the logic to separate fact from fiction

Design and Innovation

Secure Microkernel SEL4 Code Goes Open-Source (Threatpost) General Dynamics C4 Systems and Australia's Information and Communications Technology Research Centre (NICTA) today open sourced the code-base of a secure microkernel project known as seL4. Touted as "the most trustworthy general purpose microkernel in the world," seL4 has previously been adapted by organizations like DARPA as high-assurance systems used onboard military unmanned aerial vehicles and for similar defense and commercial uses

Cliché: open-source is secure (Errata Security) Some in cybersec keep claiming that open-source is inherently more secure or trustworthy than closed-source. This is demonstrably false

Research and Development

Threat Intelligence Tool Connect Dots on Pre-Attack Data (Threatpost) Enterprises longing for an automated system that sends up a smoke signal that attackers may be planning a move against a particular organization or are promoting a new tool that targets companies in a specific industry may have had their wish come true

Can Winograd Schemas Replace Turing Test for Defining Human-Level AI? (IEEE Spectrum) Earlier this year, a chatbot called Eugene Goostman "beat" a Turing Test for artificial intelligence as part of a contest organized by a U.K. university. Almost immediately, it became obvious that rather than proving that a piece of software had achieved human-level intelligence, all that this particular competition had shown was that a piece of software had gotten fairly adept at fooling humans into thinking that they were talking to another human, which is very different from a measure of the ability to "think"

OKCupid experiments with 'bad' dating matches (BBC) Dating website OKCupid has revealed that it experimented on its users, including putting the "wrong" people together to see if they would connect

Did OKCupid's dating-results experiment help an Arsian find love? (Ars Technica) After dating site revealed Facebook-like plot, one writer questioned everything

Academia

Why one New Jersey school district killed its student laptop program (Ars Technica) "There is no more determined hacker…than a 12-year-old who has a computer"

UAB students help fight hackers in new 'Facebook suite' (WAFF) A team of students working down at The University of Alabama in Birmingham could protect you from the next big computer hack

CyberPatriot Having Big Impact on STEM Education and Career Choices, Data Shows (KAIT8) The Air Force Association's CyberPatriot Program Office released today results of its first comprehensive survey assessing current education and career pursuits of past participants of AFA's CyberPatriot National Youth Cyber Education Program. Graduates of the program who have now entered higher education and the workforce were surveyed to determine whether they are now in science, technology, engineering, and mathematics (STEM) higher education programs or, if already in the workforce, if CyberPatriot had led them to STEM career paths

Legislation, Policy, and Regulation

Google should not decide on right to be forgotten, says Lords' committee (ComputerWeekly) Google and other search engines should not decide what links to remove from search results, says a House of Lords EU sub-committee

Search firms meet EU regulators over right to be forgotten (ComputerWeekly) Google, Microsoft and Yahoo have met EU data-protection authorities to discuss the implications of the landmark ruling by the European Court of Justice (ECJ) upholding the right to be forgotten

Sen. Leahy's Latest NSA bill: The Good, The Bad, and The Ugly (Just Security) This morning, Senator Patrick Leahy released a new version of the USA Freedom Act, a bill intended to reform NSA surveillance following Edward Snowden's revelations that the intelligence agency collects Americans' calling records in bulk. USA Freedom Act has a disappointing history. While initially proposing much for Americans, if not our friends overseas, to like, the version that eventually passed the House in May was, at best, utterly neutered. Today's version, hashed out between Sen. Leahy, Obama Administration officials, and civil liberties proponents, moves the needle much closer to the original version

Analysis: Bill banning phone metadata collection gives NSA access to it (Ars Technica) Proposal "is not perfect" but less surveillance is better than mass surveillance

House Wants Private Sector To Help Bolster U.S. Cyber Defense (DefenseOne) Two bills to strengthen cybersecurity in the systems that underlie the nation's energy, water and food supplies passed the House on Monday evening, along with a measure to improve the federal government's cyber workforce

Homeland Security wants corporate board of directors more involved in cyber-security (ComputerWorld) Setting corporate cyber-security policy and taking actions around it must be a top concern for the board of directors at any company, not just the information-technology division, the Department of Homeland Security (DHS) indicated as a high-level official there backed a private-sector effort to raise awareness at the board level

Delaware Adopts Law Requiring the Destruction of Consumers' Personally Identifiable Information (JD Supra Business Advisor) On July 1, 2014, Delaware Governor Jack Markell signed into law Delaware House Bill 295, which amends Section 6 of the Delaware Code relating to trade and commerce. The new law, 6 Delaware Code §§50C-101 thru 50C-401, places new obligations on commercial entities with respect to the destruction of records containing the personally identifiable information of consumers. Importantly, the law exposes companies to new civil lawsuits by consumers and administrative enforcement actions by the Delaware Department of Justice. The new law is effective on January 1, 2015

Acting NIST Chief Willie May Gets Nomination for Full-time Director Post (ExecutiveGov) Dr. Willie May, acting director of the National Institute of Standards and Technology since mid-June, has been nominated to serve in the director role on a full-time basis as commerce undersecretary for standards and technology, the White House announced Thursday

NSA seeks strategic comms leader (PR Week) The National Security Agency is hiring a full-time director of strategic communications

Litigation, Investigation, and Law Enforcement

Guns, vandals and thieves: Data shows US networks under attack (IT World) More than a thousand malicious acts have targeted the US telecoms infrastructure in recent years, FCC data shows

German Minister: Best for Snowden to Return to US (AP via ABC News) Germany's justice minister says the best outcome for National Security Agency leaker Edward Snowden would be a deal with U.S. authorities to return home

Privacy groups call for action to stop Facebook's off site user tracking plans (CSO) Authorities should act immediately to stop this new vast expansion of Facebook's data collection and user profiling, privacy groups said

Microsoft Faces Investigations in China (VPN Creative) According to a report by the South China Morning Post, Microsoft is officially under investigation by the Chinese government as of July 28, 2014. Officials visited Microsoft offices in Shanghai, Beijing, Chengdu, and Guangzhou representing the State Administration for Industry and Commerce (SAIC). This investigation comes in the wake of several media accusations against US-based tech industries

About those alleged backdoors in Microsoft products… (NetworkWorld) Scott Charney, of Microsoft's Trustworthy Computing, said the government has "never" asked for a backdoor in Microsoft products. Yet a former engineer working on BitLocker claimed the government does ask, but those requests are "informal"

VirnetX Announces Denial of Three Microsoft Petitions for Inter Partes Review (Wall Street Journal) VirnetX™ Holding Corporation (NYSE MKT: VHC), an Internet security software and technology company, announced today that last week, the United States Patent and Trademark Office (USPTO) denied three petitions for inter partes review (IPR) filed by Microsoft. These petitions sought review of certain claims of VirnetX's U.S. Patent Nos. 6,502,135 ('135 patent) and 7,188,180 ('180 patent). Like some of the petitions filed by Apple and all of the petitions filed by RPX, the USPTO found that Microsoft's petitions were not filed within the time limit imposed by the statute and declined to institute inter partes review. Microsoft was found to infringe both '135 and '180 patents in a prior lawsuit filed by VirnetX against Microsoft

Can BYOD solve challenge of electronic discovery? (Tech Page One) Employers aren't always able to prevent employees from using their own devices while on the job. This can cause problems for a company's legal counsel when a lawsuit involves electronic discovery of company documents. More and more of these documents are being created on personal devices and stored somewhere on the internet. One possible solution for companies might be to enter into agreements that make the employee's personal device the employer's device as well

Guy brags about gift card tinkering at new job, gets house raided by feds (Naked Security) Three years ago, Muneeb Akhter and his twin brother Sohaib, then 19 years old, were featured in the Washington Post in a story headlined "George Mason's youngest grads"

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

Black Hat USA 2014. Black Hat USA is the show that sets the benchmark for all other security conferences. As Black Hat returns for its 17th year to Las Vegas, we bring together the brightest in the world for six days of learning,...

SHARE in Pittsburgh (Pittsburgh, Pennsylvania, USA, August 3 - 8, 2014) LEARN: Subject-matter experts and practitioners are on-hand at SHARE events to discuss major issues facing enterprise IT professionals today. FOCUS: SHARE provides leading-edge technical education on a variety of topics. Whether you are an IT manager, IT architect, systems analyst, systems programmer or in IT support, SHARE offers focused sessions to benefit all job roles. ENGAGE: At SHARE events, you will experience a wide variety of formal and informal networking opportunities that encourage valuable peer-to-peer interaction...

STOP. THINK. CONNECT. Two Steps Ahead: Protect Your Digital Life Tour (Clarksville, Tennessee, USA, August 5, 2014) The National Cyber Security Alliance (NCSA), a non-profit public-private partnership focused on helping all digital citizens stay safer and more secure online, is coming to TK with its STOP. THINK. CONNECT.

4th Annual Cyber Security Training Forum (Colorado Springs, Colorado, USA, August 5 - 6, 2014) The Information Systems Security Association (ISSA) — Colorado Springs Chapter and FBC, Inc. will co-host the 4th Annual Cyber Security Training Forum (CSTF). CSTF is set to convene from Tuesday August...

BSidesLV 2014 (Las Vegas, Nevada, USA, August 5 - 6, 2014) We have an amazing array of speakers each year, covering topics such as Penetration Testing, Forensics, Incident Response, Risk, and everything in between. We have a Lockpick Village, the Squirrels in...

Passwords14 (Las Vegas, Nevada, USA, August 5 - 6, 2014) Passwords is the first and only conference of its kind, where leading researchers, password crackers, and experts in password security from around the globe gather in order to better understand the challenges...

DEF CON 22 (Las Vegas, Nevada, USA, August 7 - 10, 2014) The annual hacker conference, with speakers, panels, and contests. Visit the site and penetrate to the schedules and announcements.

South Africa Banking and ICT Summit (Lusaka, Zambia, August 8, 2014) The South Africa Banking and ICT Summit is the exclusive platform to meet industry thought leaders and decision makers, discover leading edge products and services and discuss innovative strategies to...

SANS Cyber Defense Summit and Training (Nashville, Tennessee, USA, August 13 - 20, 2014) The SANS Institute's Cyber Defense Summit will be paired with intensive pre-summit hands-on information security training (August 13-18). This event marks the first time that SANS will conduct a training...

AFCEA Technology & Cyber Day (Tinker AFB, Oklahoma, USA, August 21, 2014) The Armed Forces Communications & Electronics Association (AFCEA) — Oklahoma City Chapter will once again host the 10th Annual Information Technology & Cyber Security Day at Tinker AFB. This is the only...

Resilience Week (Denver, Colorado, USA, August 19 - 21, 2014) Symposia dedicated to promising research in resilient systems that will protect critical cyber-physical infrastructures from unexpected and malicious threats—securing our way of life.

c0c0n: International Information Security and Hacking Conference. c0c0n, previously known as Cyber Safe, is an annual event conducted as part of the International Information Security Day. The Information Security Research Association along with Matriux Security Community...

The Hackers Conference (New Delhi, India, August 30, 2014) The Hackers Conference is a unique event, where the best of minds in the hacking world, leaders in the information security industry and the cyber community along with policymakers and government representatives...
