
Daily briefing.

Heads up all who produce or trade in oil: Anonymous says it will resume #OpPetrol today. It may fizzle again, or perhaps not: the story is developing.

The lethal (in a business sense) attack on Code Spaces (see yesterday's issue for discussion and links) contains useful if discouraging lessons. The online collaboration platform was probably a target of opportunity, simply proving softer than other marks the criminals prospected. It's also worth reviewing your own security practices if you use a service like Amazon EC2. Note that the attack began with denial-of-service, was followed by extortion, and was completed with data destruction triggered by the company's attempt to remediate compromise of its EC2 credentials. The DDoS itself didn't bring Code Spaces down — they could have handled DDoS.

DDoS incidents are on the rise (both Move and Ancestry.com sustained them this week) and they're increasingly being used in conjunction with other kinds of attack: observers compare them to smokescreens or misdirection.

Columbia University researchers crawl Google Play apps and find, disturbingly, thousands of authentication tokens in source code. Enterprises take note: the finding has implications for your BYOD policy.

Servers containing Supermicro motherboards are found broadcasting admin passwords in the clear.

More bad news on user security slackness: researchers at Carnegie Mellon, Penn State, and NIST find that many (most) subjects in an experiment were willing to download an unknown executable when offered a small payment (a dollar or less).

California and Missouri court decisions send diverse messages about banks' liability for customer data loss.

Notes.

Today's issue includes events affecting Brazil, Canada, China, Colombia, France, Germany, Israel, Italy, Kuwait, Qatar, Russia, Saudi Arabia, United Arab Emirates, United Kingdom, United States.

Cyber Attacks, Threats, and Vulnerabilities

#OpPetrol: Anonymous to attack major oil exporting countries on 20th June, 2014 (HackRead) The Anonymous hackers who initiated #OpPetrol in 2013 are back in the news with the same operation, this year on 20th June, 2014

DDoS Attack Puts Code Spaces Out of Business (PC) CodeSpaces.com closed its doors this week, following a 12-hour security breach that completely wiped its servers. Days after Feedly and Evernote were briefly forced offline by hackers demanding a ransom payment, a code-hosting service was run out of business by a similar scheme

Code Spaces Probably A 'Target of Opportunity' (Security Ledger) The spectacular collapse this week of Code Spaces, a cloud-based code repository, may have been the result of an unspectacular "opportunistic" hack, rather than a targeted operation, according to one cloud security expert

Ancestry.com Hit by 3-Day DDoS Attack (PC) Ancestry.com became the latest target of a cyber attack, when the site was knocked offline for three days

Move says cyberattack caused realtor.com and Top Producer outages (Inman News) Access to realtor.com and Top Producer remains spotty. A "distributed denial of service attack" bombarded realtor.com and other websites operated by Move Inc. with "massive amounts of traffic," causing the extended outages experienced Wednesday, Move said in a statement

Hackers Using DDoS to Distract Infosec Staff (eSecurity Planet) Hackers are increasingly using DDoS attacks as a kind of 'smokescreen' that helps them carry out data breaches

Hackers Renege On Threat To Publish Domino's Customer Data (Dark Reading) Although Domino's Pizza refused to pay a ransom, the hacking group Rex Mundi has yet to follow through on threats to release stolen customer data

Authentication Tokens Found in App Source Codes by the Thousands (Softpedia) Custom crawler PlayDrone was used by researchers to download and decompile over 880,000 free programs to find thousands of secret tokens that authenticate service to service communication embedded in the source code

Companies warned of major security flaw in Google Play apps (CSO) Many Android apps on Google Play contain authentication keys that can be easily taken to steal corporate and personal data

At least 32,000 servers broadcast admin passwords in the clear, advisory warns (Ars Technica) Exploiting bug in Supermicro hardware is as easy as connecting to port 49152. An alarming number of servers containing motherboards manufactured by Supermicro continue to expose administrator passwords despite the release of an update that patches the critical vulnerability, an advisory published Thursday warned

Yet Another BMC Vulnerability (And some added extras) (CARISIRT) After considering the matter for the past 6 months while continuing to work with Supermicro on the issues, I have decided to release the following to everyone. On 11/7/2013, after reading a couple articles on the problems in IPMI by Rapid7's HD Moore (linked at the end), I discovered that Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152

Simplocker ransomware: New variants spread by Android downloader apps (We Live Security) Since our initial discovery of Android/Simplocker we have observed several different variants. The differences between them are mostly in

Research Project Pays People to Download, Run Executables (Threatpost) It's been well documented that people will give up their computer passwords for a piece of chocolate. But what would they be willing to give up for a dollar — or even a penny? Plenty as it turns out

Uh-oh, Yo has major security flaws (Quartz) Yo, the mobile messaging app that quickly rose to popularity this week with a bewilderingly simple premise — the only message it can send is "yo" — has a lot more than that lurking beneath its surface

Slow internet? Maybe you have one of 120,000 vulnerable broadband routers (Sydney Morning Herald) Is your home internet running slow? Is your monthly internet bill larger than you expected? Perhaps your home broadband router is one of the 120,000 used by Australians that is vulnerable to a new type of scam being leveraged by criminals who use them to launch cyber attacks

American Express customers receiving new breach notifications (CSO) It's been a busy month for the American Express General Counsel's Office

7 Million+ Cards Likely to Have Been Stolen in P.F. Chang's Breach (Softpedia) The computation took into consideration the possibility that the company's restaurants had in fact been leaking credit card data for a period of nine months, since September 2013

Email Breaches Expose Over 37,000 People's Data at California Colleges (eSecurity Planet) Names, Social Security numbers and birthdates were exposed, along with a variety of other information

Prank URL Shortening Service is Good Security Basics Reminder (Infosec Island) Many of us use URL shortening services on a daily basis, especially when dealing with short form communication tools such as Twitter. Of course, it pays to be vigilant when presented with a shortening service link. While it's a useful tool to have, there have always been issues with regards to your possible final destination

One in five businesses are still using Windows XP despite the risks (BetaNews) Microsoft ended support for XP two months ago, yet consumers are still proving resistant to change, and many businesses are similarly reluctant to upgrade to a newer version of Windows

Cybercriminals Zero In on a Lucrative New Target: Hedge Funds (New York Times) They say crime follows opportunity. Computer security experts say hedge funds, with their vast pools of money and opaque nature, have become perfect targets for sophisticated cybercriminals. Over the past two years, experts say, hedge funds have fallen victim to targeted attacks. What makes them such ripe targets is that even as hedge funds expend millions in moving their trading operations online, they have not made the same investment in security

Security Patches, Mitigations, and Software Updates

Android 4.4.4 fixes OpenSSL connection hijacking flaw (ComputerWorld) A new version of Android for Nexus devices is primarily a security update that patches the bundled OpenSSL library

Is Microsoft withholding Windows 7 security patches? Probably not (NetworkWorld) Researchers say Windows 8 is getting fixes that Windows 7 is not getting, but the devil is in the details

And now a word from the people invading your privacy (Quartz) Last week, as we reported, Apple made a tiny technical change that could make it more difficult for marketers to spy on you. The company changed a setting that broadcasts an iPhone's Media Access Control (MAC) address to any Wi-Fi network within range. Businesses use this to identify a phone and figure out how many times its owner has been in a shop and for how long, or where in the shop she is browsing. The change is that in iOS 8, the iPhone's new operating system due out later this year, your Apple device will broadcast a random "fake" MAC address, which will make tracking somewhat more difficult, unless you actually connect it to a Wi-Fi network

Cyber Trends

Sophisticated malware, lack of threat intelligence: Key factors in growing number of successful attacks (BDaily) Check Point has today announced the findings of a survey showing that a combination of progressively more sophisticated malware and lack of intelligence about new security threats are key reasons for the growing number of successful malware attacks.

10 Ways To 'Fix' Cybersecurity (Forbes) Security reporter Byron Acohido and I asked ten cyber-experts to offer up their best ideas for stemming the threats we face when it comes to digital security. Note: Almost every one of them muttered something about there being no silver bullets

What Workplace Privacy Will Look Like In 10 Years (Dark Reading) New laws like Europe's "right to be forgotten" in Google search are just the latest examples of how quickly perceptions and practices about personal privacy in the workplace are changing

Marketplace

A third of boards remain in the dark on cyber defence status (Information Age) 'Cyber resilience' increasingly overtaking 'cyber security' as companies' prevailing defensive objective

Cisco's Acquisition Of ThreatGRID Fine-Tunes Cyber Security Division (GuruFocus) Cisco acquires ThreatGRID, a NYC startup, for an undisclosed sum. ThreatGRID will join SourceFire, acquired last year, in Cisco's bid to expand its role in cyber security. ThreatGRID also helps Cisco realize its dream to offer the Internet of Everything to its clients. This acquisition positions Cisco well as a company to buy as its stock will increase in value

Cisco mum on future of ThreatGrid's partnership arrangements (NetworkWorld) Cisco is clear on integration of ThreatGRID into Cisco's AMP and Cisco security products

ForgeRock Raises $30M for Open-Source Identity-Relationship Tech (eWeek) ForgeRock's $30 million capital injection will help the company drive adoption of identity-relationship management technology

Target CISO takes over at a time of consumer anger with data breaches (FierceITSecurity) Target's new chief information security officer Brad Maiorino takes the reins of the retailer's IT security program at a time of growing consumer anger at retailers for data breaches

FireEye (FEYE) Taps Mandiant's McGee as Privacy Chief; Forms New Global Privacy Group (StreetInsider) FireEye, Inc. (Nasdaq: FEYE) announced the appointment of Shane McGee as chief privacy officer. McGee, previously general counsel and vice president of legal affairs at Mandiant, will assume responsibility for growing and governing a new global privacy program that will establish data protection standards and lead industry improvement initiatives

CSG Invotas Appoints Paul Dorey to Advisory Board (MarketWatch) CSG Invotas, the enterprise security business from CSG International (NASDAQ: CSGS), today announced the addition of Paul Dorey, Visiting Professor in the Department of Mathematics' Information Security Group at Royal Holloway College, University of London, to its advisory board

Products, Services, and Solutions

TrueCrypt mystery — forking weirder than before (Naked Security) Naked Security readers will be well aware of the great TrueCrypt mystery. TrueCrypt is, or was, a long-running software project that claimed to provide strong encryption software that you could use for free on Windows, Linux and OS X

Thales launches Critical 48, a new UK-based 24/7 Cyber Incident Response Service (IT News Online) Thales UK have announced the launch of Critical 48, a new cyber incident response service that delivers a low-risk, high-value response for the critical first 48 hours of a cyber-incident

SENGEX to Showcase Expanded Cyber Security Capabilities at AFCEA Cyber Symposium (PRWeb) Enhanced mobility and Intrusion Detection security solutions focused on protection from evolving risks

BitSight Security Ratings for Benchmarking Improves Security Performance Awareness for Executives & Boards (Digital Journal) BitSight Technologies, the standard in Security Ratings, today announced BitSight Security Ratings for Benchmarking. The first-of-its-kind solution enables anyone from C-level executives to board members to IT professionals to quantify their security performance, measure the success of their overall security program and benchmark that over time and against an industry, individual peers or competitors

Technologies, Techniques, and Standards

Open-Source Tool Aimed At Propelling Honeypots Into the Mainstream (Dark Reading) Free software automates the setup, management of honeypots for enterprises

Pen Testing Payment Terminals: a Step-by-Step How-to Guide (Blog: SANS Penetration Testing) There is a plenitude of payment terminals out there and the design principles vary quite a bit. The ones I have run into in Finland appear to be tightly secured with no attack surface. At first glance, that is. These generally open only outbound connections and use SSL encryption to protect the traffic. Here, I explain why testing a simple, tightly secured payment terminal is not as simple as one might think

As iPhone thefts drop, Google and Microsoft plan kill switches on smartphones (ITWorld) After a year of pressure, U.S. law enforcement officials announce a major success in their phone anti-theft push

Identity theft consequences and tips to stay secure (Help Net Security) In this interview, Tom Feige, CEO of idRADAR, shares alarming identity theft stories, explains the consequences of getting your identity stolen, offers advice to organizations that want to prevent their employees from becoming victims of identity theft, and more

Authorization model for home automation (Help Net Security) Smartphones promise to play an important role in the management and control of Home Automation (HA) solutions. When things and devices have either no or a constrained user interface (UI), the phone's display becomes more and more relevant to managing devices. Additionally, new capabilities for biometric authentication to the phone such as Apple's Touch ID will help secure these management features

Technology key to secure document future, says UK Home Office (ComputerWeekly) Physical security is just as important as digital security in documents such as passports, according to Frank Smith, strategy co-ordinator for the Home Office biometric programme

If you lose your key staff, are you prepared to maintain security? (CSO) Leaders need to assess and prepare for the security impact of key people leaving the organization while making it better for those who stay

Do you have what it takes to Detect and Respond to Targeted Attacks? (Trend Micro Simply Security) With the topic of targeted attacks and advanced threats capturing so much attention as of late, you could be forgiven for some initial scepticism on yet another article on the subject. However, despite the justifiable attention to the topic, the truth is that targeted attacks are a major yet relatively unmanaged threat to your data and intellectual property. Before you develop a list of options to the problem, it is crucial to consider the nature of the problem from the eyes of your adversary… that being the attacker

Design and Innovation

Hackers reverse-engineer NSA spy kit using off-the-shelf parts (The Register) Expect a busy DEFCON with lots of new pwnage products

This Tool Boosts Your Privacy by Opening Your Wi-Fi to Strangers (Wired) In an age of surveillance anxiety, the notion of leaving your Wi-Fi network open and unprotected seems dangerously naive. But one group of activists says it can help you open up your wireless internet and not only maintain your privacy, but actually increase it in the process

Academia

Girls Who Code kicks off summer immersion program (SC Magazine) A nonprofit focused on equipping young women for opportunities in tech-related fields has launched its 2014 Summer Immersion Program. Started by the organization, Girls Who Code, the program expects to reach 380 high-school girls in classes throughout New York, Boston, Miami, Seattle and the San Francisco Bay Area

High School Students Attend Boot Camp to Fight Cyber Crime (Times of San Diego) Some of San Diego's most computer-savvy high school students are learning how to hack a network in order to prepare themselves for a career in cyber security

Cybersecurity center earns DHS, NSA designation (Phys.org) Kansas State University's cybersecurity center is receiving national recognition for its dedication to cutting-edge research

Number of STEM College Degrees and Jobs on the Rise (SIGNAL) Here's a little good news for students who not only are college-bound, but who want to or plan to study in the fields of science, technology, engineering and mathematics, or STEM, according to a government watchdog report

Legislation, Policy, and Regulation

Indian officials see cyber threats from Wassenaar arrangement (Economic Times) An inter-ministerial panel has expressed apprehension about changes in the list of software items that a group of 41 nations like the US and the UK can export to non-member countries like India

China ardently denies cyberspying accusations (EET India) This is first of a three-part series examining the fallout on industry from China's alleged cyber spying. Today we review history: piecing together the evidence of proof that spying and how costly industrial espionage is. Science writer Kevin Fogarty takes an in-depth look for EE Times. Despite years of accusations and mounting

GCHQ promotes collaborative action (SC Magazine) The IA14 Conference in London on Monday concluded with GCHQ director, Sir Iain Lobban, giving an insight into how GCHQ sees its role protecting and supporting UK citizens, industry and the economy

Former UK security minister calls for tighter surveillance law (ComputerWeekly) Former UK security minister Pauline Neville-Jones has called for the law governing mass internet surveillance to be tightened up

Private bill would increase oversight of Canada's electronic spy service (Canadian Press via the Times Colonist) A private member's bill sponsored by the Liberal defence critic would bolster oversight of Canada's electronic eavesdropping agency by transferring some ministerial powers to the courts

House backs limits on NSA spying (AP via Fox News) House libertarians and liberals banded together for a surprise win in their fight against the secretive National Security Agency, securing support for new curbs on government spying a year after leaker Edward Snowden's disclosures about the bulk collection of millions of Americans' phone records

House Votes To Cut Key Pursestrings For NSA Surveillance (Wired) The House of Representatives may have only passed a puny attempt to reform the NSA's surveillance activities last month. But on Thursday evening it swung back with a surprising attack on a key element of the agency's spying programs: their funding

U.S. government's civil war over civil liberties (Salon) The State Department is now touting itself as a proponent of Internet privacy. It's not as ridiculous as it sounds

Senators fear plan will muzzle whistleblowers (The Hill) A bipartisan pair of senators fear that new Obama administration intelligence policies could crack down too hard on whistleblowers

Unto the Breach (Slate) The FCC chairman shouldn't make government regulation of cybersecurity seem like a last resort

Pentagon cyber unit wants to 'get inside the bad guy's head' (Washington Post) After several years of planning, the Pentagon's Cyber Command is finally beginning to conduct operations such as tracking adversaries overseas to detect attacks against critical computer networks in the United States, according to a senior defense official

Army aware, but wary of cyber warfare challenges (Fort Leavenworth Lamp) Army senior leaders posit that communications technology is being developed and put into use inside the Army before its vulnerability to cyber-attacks has been fully evaluated

Litigation, Investigation, and Law Enforcement

Bank Not Liable for Customer's $440,000 Cybertheft (CIO) A Missouri escrow firm that lost $440,000 in a 2010 cyberheist cannot hold its bank responsible for the loss, an appeals court said this week, affirming a lower court's previous ruling on the issue

Oil Co. Wins $350,000 Cyberheist Settlement (Krebs on Security) A California oil company that sued its bank after being robbed of $350,000 in a 2011 cyberheist has won a settlement that effectively reimbursed the firm for the stolen funds

FCC issues largest fine in history to company selling signal jammers (The Verge) The Federal Communications Commission is laying down its largest fine ever against a Chinese retailer that's allegedly been selling hundreds of models of illegal signal jammers over at least the past two years. The online retailer, CTS Technology, is being given a fine of $34.9 million, the maximum that the FCC can issue in this instance

Colombia peace talks spying suspect receiving death threats: Attorney (Colombia Reports) A former campaign worker of ex-presidential candidate Oscar Ivan Zuluaga, accused of spying on ongoing peace talks with rebel group FARC, is receiving death threats, the suspect's attorney told local media on Tuesday

Cops hid use of phone tracking tech in court documents at feds' request (Ars Technica) ACLU uncovers e-mails regarding Stingray devices borrowed from US Marshals Service

Google and Microsoft want to kill your phone if it's stolen. Do you feel safer? (Naked Security) The law enforcement group Secure Our Smartphones is claiming victory after Google and Microsoft announced they will add a "kill switch" to their mobile operating systems

Google forced to e-forget a company worldwide (Naked Security) Likely inspired by Europeans winning the right to be forgotten in Google search results last month, a Canadian court has ruled that Google has to remove search results for a Canadian company's competitor, not just in Canada but around the world

Federal judge dismisses lawsuit alleging JBLM "spy" violated Olympia protesters' civil rights (The Olympian) A federal judge in Tacoma has dismissed a federal civil rights lawsuit alleging that former Joint Base Lewis-McChord employee John Towery violated the civil rights of Olympia anti-war protesters when he infiltrated the group under an assumed name in 2007 and reported on their activities to his superiors

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

Detroit SecureWorld (Detroit, Michigan, USA, September 9 - 10, 2014) Two days of cyber security education and networking. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has...

St. Louis SecureWorld Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged...

Indianapolis SecureWorld (Indianapolis, Indiana, USA, October 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute,...

Denver SecureWorld (Denver, Colorado, USA, October 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North...

Dallas SecureWorld (Dallas, Texas, USA, October 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged...

Bay Area SecureWorld (Santa Clara, California, November 5, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North...

Seattle SecureWorld (Seattle, Washington, USA, November 12 - 13, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged...

Suits and Spooks New York Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks...

SANSFIRE (Baltimore, Maryland, USA, June 21 - 30, 2014) For more than 10 years, the Internet Storm Center has been providing free analysis and warning to our community. SANSFIRE 2014 is not just another training event. It is our annual "ISC Powered" event.

26th Annual FIRST Conference (Boston, Massachusetts, USA, June 22 - 27, 2014) The Forum of Incident Response and Security Teams (FIRST) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs) and includes response teams...

Gartner Security & Risk Management Summit 2014 (National Harbor, Maryland, US, June 23 - 26, 2014) The Gartner Security & Risk Management Summit is the only time when the entire Gartner analyst and security and risk management community come together in one location to bring the latest research, insights...

AFCEA International Cyber Symposium (Baltimore, Maryland, USA, June 24 - 25, 2014) National security is continuously being redefined as awareness of the cyberspace domain evolves. Cyber threats and challenges grow every day. Successfully defending our networks requires a team approach.

AFCEA Information Technology Expo at Joint Base Lewis-McChord (JBLM) Federal Business Council, Inc. (FBC) and the Armed Forces Communications & Electronics Association (AFCEA) Pacific Northwest Chapter (PNC) will be partnering once again to co-host the 4th Annual Information...

United Nations Interregional Crime and Justice Research Institute Cyber Threats Workshop (Turin, Italy, June 27 - 29, 2014) The United Nations Interregional Crime and Justice Research Institute (UNICRI) is organizing a series of workshops and short courses within the framework of the UNICRI Journalism and Public Information...

SiliconExpert Counterfeit Electronic Component Detection & Avoidance (Webinar, July 10, 2014) Join us for a free 60 minute webinar with Dr. Diganta Das from the University of Maryland's Center for Advanced Life Cycle Engineering (CALCE), which is a research leader in the area of counterfeit electronics...

2nd Annual Oil & Gas Cyber Security Conference (Houston, Texas, USA, July 15 - 17, 2014) This highly interactive, hands-on forum will break down each potential cyber threat specific to the oil and gas industry, as well as tackle key issues including managing communication between OT and IT...

SINET Innovation Summit (New York, New York, USA, August 6, 2013) The purpose of the Innovation Summit is to reinvigorate public private partnership efforts and increase relationships between industry, government and academia that fosters sharing of information and collaboration...

Security Startup Speed Lunch DC (Washington, DC, USA, July 22, 2014) Our goal is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology...
