Daily briefing.

The US FBI has warned against the possibility of ISIS-inspired hacking. So far this amounts to recognition that allied airstrikes are likely to summon a response from Islamist sympathizers and useful idiots in the hacktivist world, but the FBI's surely prudent to keep its antennae up.

China continues cyber surveillance and information operations against dissidents in Hong Kong, who themselves are turning, with some apparent success, to FireChat as a social media tool.

Shellshock is found in OpenVPN. Bash bug fixes continue to roll out from many affected vendors as exploitation increases around the world. VMware, among others, issues a major security update. Some patches (notably but very far from exclusively Apple's) are found to be partial solutions only, so admins should remain alert for continuing updates. Security experts warn enterprises not to neglect easily overlooked embedded devices, where the vulnerability is particularly widespread.

Researchers demonstrate proof-of-concept exploits of new payment systems, which analysts observe will be particularly dangerous to smaller banks.

Signature Systems, closing the point-of-sale system holes that led to the Jimmy John's breach, warns that other retailers may be similarly vulnerable.

Private equity, not often thought of as a "cottage industry," nonetheless faces cyber risks one would associate with smaller businesses. But the value-at-risk is very high, and the sector is advised to look to its defenses (and its insurance, especially D&O insurance).

Deutsche Bank London gets good reviews for cyber self-defense.

The StealthGenie indictment may set precedents in prosecuting suppliers as opposed to users of spyware.

Notes.

Today's issue includes events affecting Australia, Cambodia, China, Germany, India, Iraq, Israel, Pakistan, Syria, United Arab Emirates, United Kingdom, United States.

To all US Feds among our readers, a happy fiscal new year.

Cyber Attacks, Threats, and Vulnerabilities

FBI Issues Warning Over Islamic State Cyber Attacks (VPNCreative) The FBI says that it is monitoring social media activity for possible cyber-attack plots in response to airstrikes against the Islamic State

Malware program targets Hong Kong protesters using Apple devices (IDG via CSO) A malware program that targets Hong Kong activists using Apple devices has trademarks of being developed by a nation-state, possibly China, according to a security company

Hong Kong protesters hit with malware, turn to "off-the-grid" chat app (Help Net Security) The pro-democracy protests started by Hong Kong students and backed by the Occupy Central protesters (Central is the name of Hong Kong's financial district) are picking up speed, supporters, and have, unfortunately, also resulted in violent confrontations with the police

Shellshock fixes beget another round of patches as attacks mount (Ars Technica) SANS Internet Storm Center moves up threat level based on bash exploits in wild

Shellshock: Millions of servers under attack (SC Magazine) In the wake of Shellshock, end-users and security managers race to patch web servers and desktops, but may be forgetting vulnerable embedded devices

SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches (Register) CloudPassage points to 'pervasive' threat of Bash bug

OpenVPN Vulnerable to Shellshock Bash Vulnerability (Threatpost) OpenVPN wasn't immune to the Heartbleed vulnerability in OpenSSL, and it's not going to sidestep Shellshock either

Voice-activated devices pose security threat (BBC) Voice-activated smartphones and other devices can be a significant security risk, warn researchers

Likes of Apple Pay may make smaller banks more vulnerable (NetworkWorld via CSO) Researchers show how criminals can divert legitimate financial transfers worth millions to their own accounts

Google's DoubleClick ad network abused once again in malvertising attacks (Malwarebytes Unpacked) Last week we uncovered a large-scale malvertising attack involving Google's DoubleClick and Zedo that affected many high-profile sites

'Anti-Facebook' Ello: swamped with privacy-hungry refugees, bouncing back from DDoS (Naked Security) Either somebody really, really hates the idea of a social media platform that doesn't sell ads based on user data, or Ello is so popular it got trampled

POS system breach goes well beyond Jimmy John's, says vendor (FierceITSecurity) Signature Systems' point-of-sale, or POS, system breach could involve more than 100 stores in addition to the Jimmy John's breach, the company said in a statement

Signature Systems Acts to Block Payment Card Security Incident (Signature Systems) Signature Systems, Inc. provides point-of-sale (POS) systems for restaurants. We were alerted to a potential issue at one restaurant on July 30, 2014. We immediately began an investigation and found malware on a POS device at that restaurant that had not been detected by the restaurant's anti-virus program. We removed the malware and engaged a leading computer security firm to investigate every POS system and help us implement enhanced security measures

Supervalu says malware affects four stores in Minnesota (Reuters) Supermarket chain Supervalu Inc (SVU.N) reported on Monday a second attack against its payment systems barely two months after it said it was investigating a potential data breach

Point of Sale Breach Timeline (OpenDNS Security Labs) If you're like us you have a hard time remembering the point of sale (PoS) breaches that have occurred over the years. In an effort to simplify past public breaches, we have created a timeline that describes 59 distinct PoS-related breaches where the following were (or are believed to be) true

Retailers Realize EMV Won't Save Them From Fraudsters (Dark Reading) Fraudsters hit retailers harder than ever in 2014 and many recognize that even though EMV's chip-and-pin authentication will stem skimming, breaches and other forms of fraud will persist

Snapchat says fat spam is not its fault (Naked Security) Have your Snapchat friends taken to calling you fat recently? If so, don't get mad at them — their suggestion that you pop a weight loss pill is probably the result of having their account hacked

Registration bug blocked 60,000 Canadians from opting into organ donation (Ars Technica) Ontarian government insists users' data is secure in spite of pancreatic error

People will do anything for free Wi-Fi (Help Net Security) A new Wi-Fi investigation conducted on the streets of London shows that consumers carelessly use public Wi-Fi without regard for their personal privacy

1–15 September 2014 Cyber Attacks Timeline (Hackmageddon) This month will be probably remembered for the Home Depot breach. Yet another one caused by the same POS malware family that hit Target, with a similar dramatic extension: unfortunately the retailer believes that 56 million credit cards could have been compromised in this case. After such a similar gigantic breach there is not so much to add as far as Cyber Crime is concerned, as it overshadowed all the rest

An In-Depth Analysis of Abuse on Twitter (Trend Micro) In this paper, we examine Twitter in depth, including a study of 500,000,000 tweets from a two-week period to analyze how it is abused. Most Twitter abuse takes the form of tweets with links to malicious and spam websites

Security Patches, Mitigations, and Software Updates

New VMware Security Advisory VMSA-2014-0010 (shellshock) (VMware Blog) Today VMware has released the following new security advisory: VMSA-2014-0010. This advisory lists the VMware product updates and patches that address the bash security issues CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, aka shellshock. It will be updated when new product updates and patches are released in the coming days

Apple's Shellshock patch is incomplete experts say (CSO) On Monday, Apple released three patches to address two vulnerabilities in GNU Bash, commonly referred to as Shellshock. Experts who have tested the various known attack surfaces say that Apple's patch doesn't fix everything

Cyber Trends

The Weird Way the Heartbleed Bug Made the Web More Secure (Wired) Over the weekend, the world wide web became a lot more secure. That's because a San Francisco start-up called CloudFlare turned on a free service that will let its 2 million customers add SSL encryption to their websites

Fraud insights from the iSMG summit (Bloor Research) I have been getting some insights into Fraud at an iSMG Fraud Summit. With my Governance hat on, I think that we too often neglect the possibilities for Fraud when building automated business systems. We make a big fuss over external hacking, which (even in the worst scenario), is a one-off thing that can be managed. Yes, reputation risk is a serious problem on top of any losses, but if you think about the risks in advance they can be managed or mitigated

Shock Fall in Security Spending as Incidents Rise 48% (Infosecurity Magazine) The number of reported "security incidents" worldwide rose 48% this year to reach over 40 million, but despite the growing risk and expense associated with data breaches, security spending dropped, according to PwC

New AlgoSec Survey Reveals Huge Challenge to Unify Security Policy Management (CloudTweaks) AlgoSec, the market leader for Security Policy Management, today announced the results of its "Security Policy Management in Hybrid Cloud Environments" survey

United States Country Report (Secunia) The Secunia Country Reports tell you how much vulnerable software is present on private PCs in your country, plus a few extra, interesting facts

Exploring today's top security concerns (Help Net Security) Security related topics are often front and center in the 24-hour news cycle, but what concerns Americans the most? According to a new national survey from University of Phoenix College of Criminal Justice and Security, identity theft (70 percent) and personal cybersecurity (61 percent) are the security issues of greatest concern

UK falling behind in cyber intrusion detection, study shows (ComputerWeekly) UK firms are suffering more cyber security incidents than their global counterparts and are falling behind in identifying breaches, a study shows

Marketplace

Private equity must improve cyber security (COO Connect) Private equity managers need to up their ante on mitigating the risk of cyber-attacks following a number of high-profile cases and regulatory interest

Lack of cyber security investment could backfire on boards: PwC (CIO) Take the security conversation outside of IT, says PwC Australia national cyber leader Steve Ingram

Cyber risk — are you covered? (Lexology) Recent high-profile incidents, such as the hacked celebrity iCloud accounts in August 2014, have shown that individuals, businesses and public bodies are all at risk of a cyber-attack. However, while awareness of the threat may have increased, recent reports suggest that many businesses are currently unprepared to deal with the financial consequences of an attack

Diana Gowen: The big telecom pivot (FCW) July 4 was a personal Independence Day for Diana Gowen as she started her retirement after a 30-plus-year career in government contracting

Young adults clueless on cybersecurity profession (CSO) Survey of Millennials between 18 and 26 finds many would be interested in a cybersecurity career, but a majority don't know what the job entails

Nsfocus Information plans to acquire computer security firm (Reuters) China's Nsfocus Information Technology Co Ltd says it plans to acquire Beijing-based computer security firm for 498 million yuan (80.98 million US dollars) via cash, share issue

Berlin privacy startup ZenMate secures £2m for its VPN plugin (TechWorld) Platform has attracted 5 million users in just over a year

Imperva: Cyber-Security Long Play (Seeking Alpha) Imperva (NYSE:IMPV) competes in the heavily contested market of cyber-security with firms such as Palo Alto Networks (NYSE:PANW), FireEye (NASDAQ:FEYE) and Barracuda (NYSE:CUDA). IMPV specializes in data center security: the "third pillar" of cyber defense

Longview Wins Information Assurance Contract (SIGNAL) LongView International, Reston, Virginia, has been awarded a maximum $8,291,746 modification (P0006) exercising the first option period on a one-year base contract (HT0011-13-F-0039) with three one-year options for software design, development and testing to support emerging requirements in the Defense Medical Logistics Standard Support (DMLSS), DMLSS Customer Assistance Module and Joint Medical Asset Repository applications to meet information assurance and the establishment of new data exchanges/services

Tenable Network Security Joins the Cisco Solution Partner Program (Digital Journal) Tenable Network Security Inc., the leader in continuous network monitoring, announced that it has joined the Cisco Solution Partner Program as a Preferred Solution Partner

Malvern hosts cyber training to raise business awareness of risk (Financial Times) Malvern has added to its reputation as one of the UK's leading cyber security hubs as the Worcestershire town was chosen to host the first training course for companies wanting sensitive government contracts

Google triples bug bounty reward range to $15,000 (IDG via CSO) Google has tripled its maximum reward for finding flaws in its software to $15,000, a figure the company hopes will deter independent researchers from selling their information on shady markets

Products, Services, and Solutions

Free is good: No-cost Panda Software tops AV-Test's rankings of antivirus software (PCWorld) Antivirus suites are only as good as their latest tests. And in AV-test.org's latest roundup for July and August, the usual suspects — BitDefender, Kaspersky, McAfee, and Symantec — came out on top

SANS Institute and the National Health Information Sharing & Analysis Center Partner to Advance Healthcare Cyber Security (InsuranceNewsNet) With an ever-evolving threat landscape threatening to wreak havoc on the healthcare industry, SANS Institute and the National Health Information Sharing & Analysis Center (NH-ISAC) today announced a partnership to help healthcare organizations overcome today's complex cyber security issues through greater awareness and information sharing. The partnership combines SANS' world-class cyber security training and expertise with NH-ISAC's growing healthcare information sharing network

New CimTrak API Provides Open Access to Security Related Information (Digital Journal) Cimcor, Inc. announced an advanced data integration API for their world class File and Network Integrity Monitoring software, CimTrak

Firechat was sparking interest in India, even before it became a mainstay of the Hong Kong protests (Quartz) Firechat, an app that allows people to communicate without an internet connection, is firing up the pro-democracy street protests in Hong Kong. The app has been downloaded by more than 100,000 users in Hong Kong in the last 24 hours, according to Open Garden, the company that created it

Rockwell Collins delivers cryptographic radios (C4ISR & Networks) Rockwell Collins has delivered the first Modernized Type I Cryptographic Airborne radios to the U.S. Navy

MASSCAN — Mass IP port scanner (fastest Internet port scanner) (Kitploit) This is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second

New German data centre to operate European 'Intercloud' service (Out-Law) T-Systems, a subsidiary of German telecoms provider Deutsche Telekom, said it is working with US-based Cisco to develop cloud services in Europe which are as secure as data centres and meet EU and German data protection requirements

Rapidly Discover IOCs With Maltego and Recorded Future (Recorded Future) Discovering and validating known indicators of compromise (IOCs) can be a daunting task for any cyber security operation. This is especially true if you do not have the luxury to pay for all of the costly closed source premium intelligence feeds, cyber threat intelligence reports, or various IDS/AV signature sets offered by a growing number of cyber security vendors

Technologies, Techniques, and Standards

How A Major Bank Hacked Its Java Security (Dark Reading) Deutsche Bank London helped create a new application self-defense tool to lock down and virtually patch its Java-based enterprise applications — even the oldest ones

The Importance of an Effective VPN Remote Access Policy (Infosec Institute) With the number of employees telecommuting, traveling often or working remotely on the rise, the conventional corporate security model is undergoing a major shift. With the availability of VPN (Virtual Private Network) technologies allowing ubiquitous access to company systems, networks and servers, the standard security perimeter many enterprises once enjoyed needs rethinking

Password security is not just a user problem (Help Net Security) When high profile password compromises occur, we often spend a lot of time focusing on advice to the users — "Use strong passwords;" "Don't reuse passwords across sites;" "Don't write passwords down;" "Don't disclose your password via email or on an untrusted site;" and so forth

Software Assurance: Time to Raise the Bar on Static Analysis (Dark Reading) The results from tools studies suggest that using multiple tools together can produce more powerful analytics and more accurate results

National Cybersecurity Awareness Month: How Do Users Become Victims? (TrendLabs Security Intelligence Blog) Cybersecurity is an important part of our daily lives, whether people are aware of it or not. Building awareness that being secure online is everyone's responsibility is a key part of fighting cybercrime. This is why one of the themes of this year's National Cyber Security Awareness Month is the 'Stop. Think. Connect™' campaign, which promotes this very message

Research and Development

£2.5 million to recognise and reduce cyber-attack threats to critical infrastructure (Process and Control Today) New research co-funded by the Engineering and Physical Sciences Research Council (EPSRC) will focus on the cyber-security of the UK's vital industrial control systems which run, for example, manufacturing plants, power stations, the electricity grid, and the rail network

AirPatrol Corporation Receives Two Patents for Mobile Location and Security (Benzinga) AirPatrol Corporation ("Airpatrol"), a wholly-owned subsidiary of Sysorex Global Holdings Corp. (NASDAQ: SYRX), today announced that the U.S. Patent and Trademark Office has issued two new patents to AirPatrol for its technology developments in the areas of mobile device detection, locationing and security

Academia

University of Maryland receives $200,000 grant from Leidos (The Diamondback) National security, health and engineering solutions company Leidos donated $200,000 to this university Wednesday to support high-quality research and education programs, among other things. The donation from Leidos will support this university's public health, cybersecurity research, education and engineering programs

Legislation, Policy, and Regulation

Israel offers India to join new cyber security body (Hindustan Times) Israel has invited India to be part of Prime Minister Benjamin Netanyahu's latest pet project of national cyber defense authority — a dedicated force to fight cyber threats — during his meeting with his Indian counterpart Narendra Modi in New York on Sunday

UAE Military To Set Up Cyber Command (DefenseWorld) The United Arab Emirates is gearing up to launch a cyber command within the General Headquarters (GHQ) of the UAE Armed Forces

Australia passes security law, raising fears for press freedom (Reuters) The first of a series of security powers requested by Australia's government to combat Islamist militants passed through parliament on Wednesday, despite criticism that they could land journalists in jail for reporting on national security

Fear of ascendancy of Scott Morrison leads to scuttling of homeland security superministry (Sydney Morning Herald) A move within the Abbott cabinet to establish a homeland security super-ministry drawing together several major departments and functions looks to have been scuttled because senior figures viewed it as an attempt by backers of Immigration Minister Scott Morrison to elevate him to future leader status

Govt not prepared to handle cyber threats: experts (Dawn) Calling for urgent steps for legislation on cyber security, experts on Tuesday warned that the government was not adequately prepared to deal with cyber threats

New Concerns Over Phones, Intelligence Gathering And National Security (NPR (WAMU)) Tech giants Apple and Google recently announced that operating systems for their newest phones will be encrypted with a complex code

US Military Command Holds Informational Meeting With Bitcoin Industry (Coindesk) Officials from the US Special Operations Command met with American business executives and bitcoin community leaders on Monday in Tampa, Florida, to discuss bitcoin and its role in illicit finance

Former NSA Director: Better Information Sharing Needed on Cybersecurity (Wall Street Journal) Former U.S. National Security Agency Director Keith Alexander called for more information sharing between companies and government agencies about cyberattacks, and encouraged legislation that would incentivize sharing by providing liability protection in exchange for meeting agreed-upon cybersecurity standards

Litigation, Investigation, and Law Enforcement

Four charged with stealing intellectual property from US Army, Microsoft (Ars Technica) Defendants allegedly stole various games and built a counterfeit Xbox One

Hackers charged with stealing Apache training software (Army Times) Two members of what the Justice Department calls an "international computer hacking ring" pleaded guilty to charges related to the theft of $100 million in intellectual property — including software used to train Apache helicopter pilots

Germany Warns Google Over User Profiling Privacy Violations (TechCrunch) Google has been warned it needs to rein in its user profiling activities in Germany because its current practice of joining the dots across multiple services is in violation of local privacy laws

The Criminal Indictment That Could Finally Hit Spyware Makers Hard (Wired) The indictment this week of the man behind an app designed for surreptitiously monitoring cellphone activity is only the second federal case filed against someone involved in the commercial sale of so-called spyware and stalkingware. But the case could have negative implications for others who make and sell similar snooping tools, experts hope

Trend Micro to share threat information with Interpol (ZDNet) Security software provider Trend Micro will share its threat information analysis with global police agency Interpol for the next three years, in a bid to bridge the gap in information sharing between the public and private sectors

FBI's Sentinel System Still Not In Total Shape to Surveil (IEEE Spectrum) Other than the rather entertaining kerfuffle involving Apple's new iPhone OS and its initial (non)corrective update (along with the suspicious "bendy phone" accusations), the IT Hiccups front was rather quiet this past week

Trade secrets and reverse engineering — the legal view (Computing) The Max Planck Institute for Innovation and Competition recently said that proposals for a new EU Trade Secrets Directive should be amended to better protect product developers

Hackers cut deal to work for gov't (Phnom Penh Post) Two members of "hacktivist" group Anonymous Cambodia convicted of computer hacking yesterday will be spared further jail time. Instead, they have been ordered to put their "excellent" IT skills to use combating cybercrime in the Ministry of Interior

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

NASA Goddard Cyber Expo (Greenbelt, Maryland, USA (also available by webex), October 2, 2014) The 2014 Goddard Cyber Expo will be a dedicated Information Technology & Cyber Expo at this secure facility hosted by the Office of the Chief Information Officer. The OCIO will be recruiting speakers to...

NGA Cyber Security Day (Springfield, Virginia, USA, October 6, 2014) The National Geospatial-Intelligence will be hosting the 2014 Cyber Security Day at the NGA Headquarters in Springfield, VA. Featuring government and industry speakers, the focus will include such topics...

"Women in Government Contracting" Networking Reception (Columbia, Maryland, USA, October 9, 2014) A special invitation to executive women in technology sponsored by COPT-Corporate Office Properties Trust and the GovConnects Advisory Council. Guest speaker, Deborah Bonanni, former Chief of Staff NSA...

Cybergamut Tech Tuesday: Software-Defined Networking Security (Columbia, Maryland, USA, October 28, 2014) Security-Defined Routing combines cyber analytics and SDN to protect the network: SDR technology assists organizations in scaling the delivery of network traffic to analytic security applications. When...

Upcoming Events

Interop New York (New York, New York, USA, September 29 - October 3, 2014) Interop is the leading independent technology conference and expo series designed to inform and inspire the world's IT community. Through in-depth educational programs, real-world demos, Interop showcases...

INTEROP (New York, New York, USA, September 29 - October 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect...

Indianapolis SecureWorld (Indianapolis, Indiana, USA, October 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute,...

NASA Goddard Cyber Expo (Greenbelt, Maryland, USA (also available by webex), October 2, 2014) The 2014 Goddard Cyber Expo will be a dedicated Information Technology & Cyber Expo at this secure facility hosted by the Office of the Chief Information Officer. The OCIO will be recruiting speakers to...

NGA Cyber Security Day (Springfield, Virginia, USA, October 6, 2014) The National Geospatial-Intelligence will be hosting the 2014 Cyber Security Day at the NGA Headquarters in Springfield, VA. Featuring government and industry speakers, the focus will include such topics...

Cyber Threat Detection and Information Sharing Training Conference (Washington, DC, USA, October 6 - 8, 2014) Cyber Threat Detection and Information Sharing Training Conference is about education on cyber threat detection and information sharing solutions and product training and not about why this subject is...

Open Analytics Summit (Dulles, Virginia, USA, October 7, 2014) Open Analytics Summits are for Developers, Engineers, Data Scientists, CMOs, Data Analysts, CTOs, Architects, Brand Managers, and anyone passionate about open source technologies, big data, or data analytics...

MIRcon 2014 (Washington, DC, USA, October 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily

Hill AFB Technology & Cyber Security Day (Hill Air Force Base, October 8, 2014) The Armed Forces Communications & Electronics Association (AFCEA) Wasatch Chapter will once again host the 5th Annual Information Technology & Cyber Security Day at Hill AFB. This annual event is an excellent...

Cyber Security, Meet Workforce Development (Silver Spring, Maryland, USA, October 8, 2014) Per Scholas convenes leaders in the Nation's Capital to develop a blueprint for building today's entry-level cyber security workforce

Technology & Cyber Security Day (Hill Air Force Base, Utah, October 8, 2014) The Armed Forces Communications & Electronics Association (AFCEA) Wasatch Chapter will once again host the 5th Annual Information Technology & Cyber Security Day at Hill AFB. This annual event is an excellent...
