Daily briefing.

IS has operated effective information campaigns (particularly effective in recruiting) and now, observers argue, aspires to develop an active hacking capability. This is so far more a matter of a priori probability than indications and warnings, but the possibility bears watching. Security experts and 9/11 commissioners outline trends in state and non-state cyber operations.

Several million Gmail credentials turned up on a Russian Bitcoin forum, but there's apparently less here than meets the eye: Google wasn't breached, says that 98% of the credentials were invalid, obsolete, or fake accounts, and that only a fraction of the remaining credentials could be used to access accounts. Ordinary security precautions with respect to Gmail seem more than sufficient to deal with the residual threat.

VMware patches third-party components in vSphere.

Certificate authorities want Google to give websites more time for upgrades before it expands Chrome safety warnings.

A survey of the financial sector purports to expose its four biggest fears: "a systematic attack on the markets as a whole, manipulation of product data, losing customer data to the extent of losing customer confidence, and employees becoming the weakest links."

In industry news, analysts look at the prominence of NSA and Unit 8200 alumni in, respectively, US and Israeli cyber start-ups. (Former NSA Director Alexander's patent application draws particular interest.)

As the US and Europe tighten restrictions on oil production equipment exports to Russia, Western energy companies would do well to look to the security of their networks: those networks have already been reconnoitered.

Notes.

Today's issue includes events affecting China, Iraq, Israel, Democratic People's Republic of Korea, Republic of Korea, Russia, Syria, United Kingdom, United States.

The CyberWire will be providing special coverage of the 2014 Cyber Security Summit, convening in New York on September 18. Watch for interviews and live coverage of Summit events. We also plan to cover the 5th Annual Billington Cybersecurity Summit in Washington, DC, on September 16, which promises an interesting set of speakers and sessions.

Cyber Attacks, Threats, and Vulnerabilities

Digital jihad: ISIS, Al Qaeda seek a cyber caliphate to launch attacks on US (Fox News) Jihadists in the Middle East are ramping up efforts to mount a massive cyber attack on the U.S., with leaders from both Islamic State and Al Qaeda — including a hacker who once broke into former British Prime Minister Tony Blair's Gmail account — recruiting web savvy radicals

Gmail Leak: 5 Million Addresses and Passwords Compromised (HGN) An archive file of 5 million Gmail addresses and plain text passwords has leaked online. Possibly 60 percent of the information is valid. Security experts don't want users to worry too much

Google denies breach after hackers leak millions of user logins (ComputerWeekly) Google has denied that its computer systems were breached and downplayed the threat after hackers claimed to have leaked 4.9 million Gmail logins

5 Million Gmail accounts hacked…or not (CSO) There it was on the screen staring back at me. The cursor blinked incessantly as I tried to wrap my head around the news. 5 million Gmail accounts had been compromised. I mopped the sweat from my brow with the back of my sleeve as I tried to regain composure. I reached across the desk for the bottle of headache remedy and flicked the cap off. It never seemed to be fastened

Yahoo, Amazon and YouTube Hit By Malvertising Campaign (Infosecurity Magazine) Security experts are warning that Yahoo, YouTube and Amazon amongst others are serving up malicious ads to Windows and Mac users thanks to a newly discovered malvertising network

Researchers analyze phishing campaign spreading 'vawtrak' malware (SC Magazine) Experts have discovered a phishing campaign targeting users with a phony PDF attachment that leads to the vawtrak malware

Crypto blunder makes TorrentLocker easy to crack (Virus Bulletin) Use of single XOR key leaves ransomware open to known-plaintext attack

iPwned: How easy is it to mine Apple services, devices for data? (Ars Technica) High-end tools, simple hacks can still make iPhone data less private than we'd like

Botnet Twists the Knife in iCloud Security (TechNewsWorld) Cybercrooks are preying on widespread fear over iCloud insecurity, luring users to give up the very information they want most to protect — their IDs and passwords. If you get an email from Apple informing you your account has been compromised and you need to click on a link and log in to fix it — just don't. In the meantime, what should Apple do? The short answer: more

Prosecting the Citadel botnet — revealing the dominance of the Zeus descendent: part one (Virus Bulletin) It is unlikely that anyone still thinks that cybercrime is performed by 16-year-old kids who write short pieces of code that wreak havoc all over the world, but if you do still hold that belief, it won't hurt to take a look behind the scenes of a modern botnet operation. Today's botnets show how cybercrime has become a professional 'industry' in which many tactics seen in the legitimate e-commerce and IT service industries are deployed

Prosecting the Citadel botnet — revealing the dominance of the Zeus descendent: part two (Virus Bulletin) Citadel is a sophisticated descendent of the Zeus botnet. In this two-part article, Aditya Sood and Rohit Bansal provide insight into the bot's design components, including its system infection and data exfiltration tactics. In this, the second part of the article, Aditya and Rohit present the results of their experiments

Zemot Malware Dropper Strain Delivered via Asprox Botnet and Exploit Kits (Softpedia) Zemot dropper is a strain of the Upatre malware downloader that has been observed by security researchers to benefit from multi-distribution points that include both compromised websites as well as the Asprox/Kuluoz spam botnet

Uncovering Malicious Browser Extensions in Chrome Web Store (TrendLabs Security Intelligence Blog) Months ago, Google published a blog post informing users of Google Chrome that they cannot install browser extensions from third parties. The reason: security. By only permitting extensions from official Chrome Web Store, Google claims they would be able to police these extensions in order to prevent malicious ones

Hacker Threatens to Expose Bitcoin Founder Nakamoto After Cracking Email Account (Infosecurity Magazine) A hacker is threatening to expose the identity of Satoshi Nakamoto, after claiming to have compromised the email account of the Bitcoin creator

Computer hardware containing patient data stolen from Ohio plastic surgery office (SC Magazine) More than 6,000 patients of Beachwood-Westlake Plastic Surgery and Medical Spa in Ohio are being notified that their personal information was on computer hardware that was stolen during an office burglary

SnoopWall Cybersecurity Experts Issue Consumer Digital Privacy Protection Advisory for Mobile Banking Apps and Internet of Things (IoT) at CTIA's Super Mobility Week (Sys-Con Media) SnoopWall, the world's first counterveillance security software company, has issued a consumer protection advisory that consumers need to cover their television screens and their webcam lenses when not in use, and, delete their mobile banking apps immediately

All About Rogue Mobile Apps: A Conversation with Tim Vert, Cyveillance Mobile Security Expert (Cyveillance Blog) As more organizations release mobile applications to satisfy customer demand for on-the-go services, instances of rogue or spoofed mobile apps are rising. There are a lot of questions when it comes to this evolving sphere of cyber security, so we recently sat down with Tim Vert, a mobile security expert and Manager in Cyveillance's Security Operations Center, to get some answers

2014 — An Explosion of Data Breaches and PoS RAM Scrapers (TrendLabs Security Intelligence Blog) The computer security industry will always remember 2013 as the year the U.S. suffered one of the largest data breaches in history. In a targeted attack, U.S. retailer Target was compromised during the Christmas shopping season using the BlackPOS malware, a PoS RAM scraper family. According to estimates, cybercriminals stole 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers

Russia Versus Wall Street: The JPMorgan Attack (Infosec Institute) JPMorgan Chase is the largest bank in the United States, with total assets of over $2.5 trillion. They reportedly spend about $250 million per year on technical security, or one dollar for every $10,000 they have in assets. They also employ more information security professionals than Google does, about a thousand compared to Google's approximately 400

Security Patches, Mitigations, and Software Updates

VMware patches third-party components in vSphere platform (IDG via CSO) VMware has updated third-party libraries and components used by its vSphere server virtualization platform to integrate security patches released in recent months

How Google's tiff with certificate authorities can impact you (CSO) Certificate authorities are calling on Google to give websites more time to make security changes before issuing warnings through the Chrome browser

Blackphone SSL security flaw was patched within days, says CEO (CSO) We responded quickly, says firm after researchers found issue

Cyber Trends

The War Of Zeros And Ones (Popular Science) Military operations around the world are quickly expanding into the digital realm. With cyberwarfare, we're all in the line of fire

A New Threat Grows Amid Shades of 9/11 (Wall Street Journal) The nation remains largely unaware of the potential for disaster from cyberattacks

Is there any part of government that hasn't been hacked yet? (Nextgov) Cybersecurity has been touted by the Obama administration as one of its top technology priorities over the past several years, but heightened visibility alone has done little to deter adversaries that include state-sponsored hackers, hackers for hire, cyber syndicates and terrorists

The financial industry's biggest cyber fears (MarketWatch) The FBI is investigating cyber attacks on J.P. Morgan Chase and as many as four other banks, according to reports, at a time when (legitimate) paranoia about hacking is becoming a mainstream concern

Cyber breaches rare among U.S. state-registered investment advisers: study (Reuters) Cyber security breaches are rare among investment advisory firms registered with U.S. states, but improvements to technology and procedures could still bolster protection of client information, state securities regulators said on Wednesday

Cyber loss surveyed (Professional Security) Near half, 48 per cent, of e-commerce/online retail businesses and 41 per cent of financial services organisations have reported losing some type of finance-related information to cybercriminal activities within a 12 month period

Marketplace

Veracode Closes $40 Million Funding Round (SecurityWeek) Veracode, a Burlington, Massachusetts-based provider of web and mobile application security testing solutions, today announced that it has closed a late-stage $40 million funding round led by Wellington Management with participation from previous investors

Israeli Cyber Startup LightCyber in $10 Million Funding Round (Wall Street Journal) Light Cyber Ltd., an Israeli based cyber-security start-up, has raised $10 million in a new funding round led by Battery Ventures

Iovation Gets Recognition on Inc. 5000 (Insurance News Net) Iovation has made the Inc. 5000, Inc. magazine's ranking of the nation's fastest-growing private companies

Ex-NSA Chief's Anti-Hacker Patent Sparks Ethics Questions (Bloomberg) A 5-month-old company in Washington has developed what it calls groundbreaking technology to thwart cyber-attacks before they've been identified — a significant advancement over current systems that react to known threats

Meet The Ex-NSA And Ex-Unit 8200 Spies Cashing In On Security Fears (Forbes) Before Edward Snowden smashed its digital doors wide open, the National Security Agency was seen as the mysterious keeper of an arsenal of dark-voodoo hacking weapons

Products, Services, and Solutions

Payment security bods: Nice pay-by-bonk (which NO ONE uses) on iPhone 6, Apple (Register) Retailers won't lose sales 'cos they can't take mobe payments

With Apple Pay and Smartwatch, a Privacy Challenge (New York Times) No one has considered Apple a serious data company, until now

IPhone Wallet Seen Boosting Demand for Gemalto Contactless Chips (Bloomberg) The new iPhone, set to be unveiled today with Apple Inc.'s first shot at a mobile wallet, may lead to a bonanza for providers of contactless technology such as Gemalto NV

Walmart banks on mobile payments, chip-and-PIN (FierceRetail) Walmart (NYSE:WMT) is counting on mobile payments and chip-and-PIN cards to not only improve security of retail transactions, but also make it easier for consumers to buy products

PayPal goes crypto-currency with Bitcoin (Register) eBay no Silk Road

Juniper Adds Lastline Advanced Threat Intelligence to SRX Firewalls (Dark Reading) Lastline Knowledge Base of Advanced and Evasive Threats immediately accessible and actionable through Juniper Spotlight Secure Platform

Cimcor Releases CimTrak 2.0.6.18 with Web Based Security Dashboard and Policy Manager (Virtual Strategy) CimTrak 2.0.6.18 File Integrity Monitoring and Compliance Solution now provides a new web-based dashboard to allow companies to gain greater insight into their infrastructure and security threats

Close to Home: IBM Puts Its Trust in Endpoint Manager, MaaS360 (CIO) Remember that commercial where the guy says he's not just the president of the company, he's a client, too? Hard to argue with someone who trusts the product that much. Which is why you might want to know that IBM didn't just develop Endpoint Manager; they use it, too

AVG claims zero day protection (Fudzilla) Protection from things which are not there now

Tenable's Technology Risk Management Dashboard Eases Compliance with Hong Kong's Financial Services Regulations (Japan Corporate News via Nasdaq) Tenable Network Security®, Inc. (Tenable), today announced the launch of its new SecurityCenter Continuous View (CV)™ pre-defined Technology Risk Management (TRM) dashboard for Hong Kong's financial institutions

CAST Launches Software Certification Program (TopTechNews) leading provider of software analysis and measurement technology, today launched the CAST Software Certification Program to provide organizations with standards-based verification of the quality of their critical systems

Technologies, Techniques, and Standards

PCI Updates Skimming Prevention Guide (BankInfoSecurity) Best practices for protecting merchants from POS attacks

Want to Limit PCI DSS Scope? Use Tokenization (Infosec Institute) Every organization should follow a proactive rather than a reactive approach to protect against threats, risks and vulnerabilities, to which if their IT infrastructure is exposed can lead to data loss, regulatory penalties, and lawsuits and damaged reputation. Moving on the same lines, to reduce the credit card fraud via its exposure, a standard known as Payment Card Industry Data Security Standard (PCI DSS) was formed. In this article we are going to learn about various ways in which PCI DSS scope can be reduced using Tokenization

Addressing Security with the Board: Tips for Both Sides of the Table (CIO) Clearly security is a boardroom topic, but the trick is to get both sides on the same page

No business is too small for information governance (FierceContentManagement) Implementation doesn't have to cost a king's ransom

Beyond Buzzwords (Part II): Concrete Steps to Deploying an Effective Threat Intelligence Capability (Cyveillance Blog) A few days ago, we told you about a recent webinar on Defining Threat Intelligence, hosted by our own Eric Olson, Vice President of Product Strategy. Today we're going to recap Part II of that webinar, Concrete Steps to Deploying a Threat Intelligence Capability

The 7 Steps For Wi-Fi Security Without Slowing Employee Productivity (F-Secure Community Blog) Whether your employees are taking some personal vacation time or work-related business keeps them on the road, now is a perfect time to think about your company's Wi-Fi knowledge

A system that facilitates malware identification in smartphones (Alpha Galileo) Malware is a type of malicious program whose general aim is to profit economically by carrying out actions without the user's consent, such as stealing personal information or committing economic fraud. We can find it "in any type of device ranging from traditional cell phones to today's smartphones, and even in our washing machine," explained one of the researchers, Guillermo Suarez de Tangil, from the Computer Science Department at UC3M

tinfoleak — Get detailed information about a Twitter user activity (Kitploit) tinfoleak is a simple Python script that [allows users] to obtain

Design and Innovation

AVG Launches a 'Nutritional Label' Style Privacy Notice on its Mobile Apps (CNN Money) New AVG Short Data Privacy Notice for AVG's online security, privacy and performance apps makes it clear what information is collected and why

Research and Development

Researcher tracks photons to develop unprecedented quantum technology (Phys.org) Quantum photonics research could change the way we communicate, compute, and measure phenomena on the smallest scales possible

Academia

Colleges, Employers Team Up to Train, Hire High-Tech Workers (US News) A number of businesses are supporting technical education in hopes of producing a more experienced workforce

Legislation, Policy, and Regulation

The West is prepared to threaten Russia's oil future (Quartz) The US and Europe are on the brink of threatening the heart of the Russian economy: its oil industry. New sanctions would cut off Russia's access to the technology required to drill its richest new fields

Lu Wei: the internet must have brakes (China Media Project) Speaking to a panel on "the future of the internet economy" at the World Economic Forum's 2014 Summer Davos in Tianjin yesterday, Lu Wei, the director of China's State Internet Information Office (SIIO), said there must be "mutual integration" of international rules for internet governance and the national laws of various countries

UK National Cyber Security Programme not delivering promised economic benefits (Computerworld) NAO update paints mixed picture of progress

Senators hold out hope on info-sharing bill while Obama official points to other measures (Inside Cybersecurity) Homeland Security and Governmental Affairs Chairman Tom Carper (D-DE) and ranking member Tom Coburn (R-OK) today held out hope that information-sharing legislation can clear the Senate this year, while an administration official reiterated the call for action on less controversial measures

DOD Deputy CIO: 'Cybersecurity should vary by mission' (FCW) No "one size fits all" at the Pentagon

Implementation of Web portal delays HIPAA audits (FierceHealthIT) The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has delayed its second round of HIPAA audits while it works to get a Web portal up and running through which entities can submit information

Litigation, Investigation, and Law Enforcement

VA IG: About 75% of investigated facilities engaged in data manipulation (FierceGovernmentIT) About 75 percent of Veterans Affairs Department medical facilities being investigated by the VA inspector general manipulated data related to patient wait times, VA Acting IG Richard Griffin told a Senate panel Tuesday

U.S. antitrust official concerned by China anti-competition stance (Reuters) A top U.S. antitrust enforcer expressed concern on Wednesday about China's enforcement of its antitrust law after Beijing opened a probe into Qualcomm Inc for allegedly abusing its market position

Are the FBI and "weev" both hackers? (Ars Technica) FBI's conduct to find Silk Road servers was similar to "weev's" criminal hacking

How Online Black Markets Have Evolved Since Silk Road's Downfall (Wired) When the FBI tore down the billion-dollar drugs-and-contraband website Silk Road last October, its death made room for a new generation of black-market bazaars

3 gambling operators indicted for buying NK hacking software (Korea Times) Three men were indicted for buying hacking programs from North Korean agents to use for online gambling, prosecutors said Wednesday

U.K. man, who obtained bank details of 28K, pleads guilty to blackmail (SC Magazine) A U.K. man, Lewys Martin, pleaded guilty in London last week to blackmail, possession of articles for use in fraud and possession of indecent images of children, a report from a Bitcoin news site CoinTelegraph.com revealed

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

AFCEA TechNet Augusta 2014: Achieving Force 2025 Through Signals and Cyber (Augusta, Georgia, USA, September 9 - 11, 2014) The overall theme of TechNet Augusta 2014 is "Achieving Force 2025 Through Signals and Cyber." The overall focus is on Army ground forces, including Joint component interface, other Department of Defense...

Suits and Spooks London (London, England, UK, September 12, 2014) On September 12th, in London's South Bank neighborhood of Southwark, approximately 50 former intelligence officials, corporate executives, and security practitioners from the U.S. and the EU will gather...

Build IT Break IT Fix IT: Fix IT (Online, September 12, 2014) The Build it Break it Fix it security contest is a new security-oriented programming contest held by the Maryland Cybersecurity Center, Cyberpoint, and Trail of Bits. The Build it Break it Fix it security...

NOPcon Security Conference (Istanbul, Turkey, September 16, 2014) NOPcon is a non-profit hacker conference. It is the only geek-friendly conference without sales pitches in Turkey. The conference aims to learn and exchange ideas and experiences between security researchers,...

5th Annual Billington Cybersecurity Summit (Washington, DC, USA, September 16, 2014) The 5th Annual Billington Cybersecurity Summit, a leading conference produced by Billington CyberSecurity, will feature an all-star cast of cybersecurity speakers including Admiral Michael Rogers, Commander,...

SINET Global Summit (London, England, UK, September 16 - 17, 2014) "Advancing Global Collaboration and Innovation." Global Summit focuses on building international public-private partnerships that will improve the protection of our respective homeland's critical infrastructures,...

Cyber Attack Against Payment Processes Exercise 2 (Online, September 16 - 17, 2014) FS-ISAC, the Financial Services Information Sharing and Analysis Center will conduct its fifth annual simulated cyber security exercise related to payment processes used by banks, community institutions,...

Global Identity Summit (Tampa, Florida, USA, September 16 - 18, 2014) The Global Identity Summit is focused on identity management solutions for corporate, defense and homeland security communities. This conference and associated exhibition bring together a distinctive,...

Defense Intelligence Agency (DIA)/National Intelligence University (NIU) Open House (Washington, DC, USA, September 17, 2014) On September 17, 2014, the National Intelligence University (NIU) will hold a Tech Expo as part of its annual "NIU OUTREACH DAY" in the Tighe Lobby of DIA Headquarters on Joint Base Bolling-Anacostia.

Fraud Summit Toronto (Toronto, Ontario, Canada, September 17, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology...

CSA Congress 2014 & IAPP Privacy Academy 2014 (San Jose, California, USA, September 17 - 19, 2014) This year, the CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events into a conference in the heart of Silicon Valley. This conference...

ICS-ISAC Fall Conference (Atlanta, Georgia, USA, September 17 - 20, 2014) Cybersecurity issues — such as the DHS release of Operation Aurora information; legislation like CISA (S. 2588), CIRDA (H.R. 2952) & H.R. 3696; and the NIST Cybersecurity Framework — can leave...

The 2014 Cyber Security Summit (New York) (New York, New York, USA, September 18, 2014) The Cyber Security Summit, an exclusive conference series sponsored by The Wall Street Journal, has announced their second annual event in New York City. The event will connect C-Level & Senior Executives...

Ft. Meade Technology Expo (Fort Meade, Maryland, USA, September 18, 2014) The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel...
