The cyber world continues to react to Shellshock. Various patches and preventive measures have been released, all of them so far incomplete, but better than nothing. Apple promises a patch to address the Bash bug even as it seeks to reassure OS X users that most of them remain safe. Various web-application firewall and intrusion detection system vendors have updated their products with rules designed to ward off exploitation. Analysts advise taking prompt, prudent action to protect your systems, but recognize that closing this vulnerability will be a labor-intensive process requiring long-term attention to fixes under development.
Shellshock is already being exploited in the wild, with the first reports of malicious activity surfacing within a few hours of the bug's disclosure (AusCERT was among the first to sound warnings). Kaspersky detected reverse-shell exploits, and AlienVault's honeypot picked up two attempts to use the vulnerability to assemble botnets.
BlackEnergy malware, found in attacks against Ukrainian government systems, shows a striking convergence of the political and criminal in its employment. Some observers are calling it "privateering" with Russian attack tools. The Russian government continues to spook its neighbors with a warning to Latvia that it would do well to treat its ethnic Russian minority well. (The Netherlands, at least, draws a public lesson from Russian policy, avowing a Dutch offensive cyber capability as a common-sense military measure.)
Middle Eastern cyber combatants maintain their focus on information operations.
Malvertising rises in the ranks of cyber threats, with some seeing it eclipsing exploit kits.
A note to our readers: We began publishing the CyberWire in September 2012, and today marks our second anniversary. Thanks to all of you for following and subscribing to the CyberWire. Thanks especially for your many supportive emails, tweets, and face-to-face talks. We hope to continue delivering what we promised two years ago: a relevant and intelligently organized daily digest of the critical news happening across the global cyber security domain.
Today's issue includes events affecting Australia, Bulgaria, Czech Republic, European Union, Hungary, Iran, Latvia, NATO/OTAN, Netherlands, Romania, Russia, Singapore, Ukraine, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
Alert (TA14-268A) GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169)(US-CERT) A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple's Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability
Shellshock and its early adopters(Securelist) Shortly after disclosure of the Bash bug called "Shellshock" we saw the first attempts by criminals to take advantage of this widespread vulnerability also known as CVE-2014-6271
Bash Exploit Reported, First Round of Patches Incomplete(Threatpost) The urgency to patch systems against the Bash zero-day vulnerability has been cranked to 10 after reports of an exploit in the wild have been made public by AusCERT, the Computer Emergency Response Team of Australia. This seems to reflect a similar finding posted by a researcher who goes by the handle Yinette who found a malware sample that points to a bot being distributed by the exploit
What is a specific example of how the shellshock bash bug could be exploited?(Information Security) I read some articles about the shellshock bash bug (CVE-2014-6271 reported Sep 24, 2014) and have a general idea of what the vulnerability is and how it could be exploited. To better understand the implications of the bug, what would be a simple and specific example of an attack scenario that could exploit the bug?
Shellshock — How Bad Can It Get?(TrendLabs Security Intelligence Blog) In the immediate aftermath of the Bash vulnerability known as Shellshock, we have already seen some attacks using it to deliver DDoS malware onto Linux systems. However, given the severity of this vulnerability, it is almost certain that we will see bigger, more severe attacks. What are some of the scenarios we could potentially see?
Update on CVE-2014-6271: Vulnerability in bash (shellshock)(Internet Storm Center) Yesterday, a vulnerability in bash was announced, that was originally found by Stephane Chazelas. The vulnerability allows for arbitrary code execution in bash by setting specific environment variables. Later Tavis Ormandy released a second exploit that will work on patched systems. Demonstration that the patch released yesterday is incomplete
Bash Vulnerability Leads to Shellshock: What it is, How it Affects You(TrendLabs Security Intelligence Blog) A serious vulnerability has been found in the Bash command shell, which is commonly used by most Linux distributions. This vulnerability — designated as CVE-2014-7169 — allows an attacker to run commands on an affected system. In short, this allows for remote code execution on servers that run these Linux distributions
'Shellshock' Bug Spells Trouble for Web Security(Krebs On Security) As if consumers weren't already suffering from breach fatigue: Experts warn that attackers are exploiting a critical, newly-disclosed security vulnerability present in countless networks and Web sites that rely on Unix and Linux operating systems. Experts say the flaw, dubbed "Shellshock," is so intertwined with the modern Internet that it could prove challenging to fix, and in the short run is likely to put millions of networks and countless consumer records at risk of compromise
This is how the "Shell Shock" bug imperils the whole Internet(Quartz) It's a hacker's wet dream: a software bug discovered in the practically ubiquitous computer program known as "Bash" makes hundreds of millions of computers susceptible to hijacking. The impact of this bug is likely to be higher than that of the Heartbleed bug, which was exposed in April. The National Vulnerability Database, a US government system which tracks information security flaws, gave the bug the maximum score for "Impact" and "Exploitability," and rated it as simple to exploit
Kremlin warns about Russian minorities(Washington Post) As top Kremlin officials have sounded ominous new warnings that they will defend ethnic Russians wherever they live, Latvia, the NATO nation with the highest proportion of Russians, is feeling in the crosshairs
A Deep Dive Into the Ayatollah's Twitter Hate for America(Slate) Iranian President Hassan Rouhani spoke at the U.N. General Assembly today as his country negotiates with the United States over their nuclear program and works to normalize relations with the international community. At a press conference during last year's Assembly, Rouhani attempted to offer the Iranian regime a softer image, hailing the United States as a "great nation" and asking that the two countries "stop the escalation of tensions." The country's actual decision maker, though, is Supreme Leader Ayatollah Ali Khamenei and he has continued to take a hardline
ISIS Videos Employ 'Good Cop, Bad Cop' Approach(NPR) While we are just learning about the Khorasan group, ISIS has been actively spreading its message through propaganda videos. This week it released a second video featuring the British hostage John Cantlie
Malvertising Could Rival Exploit Kits(Dark Reading) Spate of malvertising campaigns gain steam in recent months, including the Kyle and Stan network, which researchers now believe is nine times bigger than initially estimated
Optimized Mal-Ops: Hack the ads network like a boss(Bromium Labs) In this research we perform an in-depth analysis of malicious web ads with the focus on Flash banners. We investigate various possibilities for an attacker to leverage ad networks to spread malware. Then we showcase that from the attacker's perspective ad networks are no different and may be even better than exploit kits and thus it's a viable candidate for the next primary attack vector. And finally we explore how current security technologies are ineffective against attacks propagated through ad networks
Cyber Criminals Using Fake Government E-Mail to Perpetrate Scam(IC3) Cyber criminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3. This advisory informs readers how the scheme works, offers measures to help mitigate the threat, and advises how to report incidents to law enforcement
Cyber Thieves Targeting Flower Shops Across Southern California(ABC 7 Los Angeles) Angel Flowers and Gifts in Riverside fell victim to cyber thieves. The business' identity was hijacked, and a website that dupes customers into believing they're ordering from the real flower shop, is in fact stealing their business
Home Depot: Could The Impact Of The Data Breach Be Significant?(Forbes) Falling unemployment rates, rising builders' confidence and increasing number of housing starts — all bode well for the U.S. housing industry in the near term. In turn, this trend should benefit the largest home improvement retailer, Home Depot, which depends on consumers who look to buy home improvement goods and services to furbish their newly bought/rented homes. However, in light of the recent news of a massive data breach at the retailer, the expected rise in sales for the retailer in the latter half of the year could be drastically hurt
Security Patches, Mitigations, and Software Updates
Apple to release fix for Bash bug(ComputerWeekly) Apple has confirmed that its Mac OS X operating system is vulnerable to the newly reported Bash bug that experts estimate puts up to 500 million Unix-based computers at risk
The Rise of the Hacker Bounty Hunter(New York Magazine) One night earlier this year, while playing around with a new anonymous-sharing app called Secret, Benjamin Caudill was gripped by a familiar sensation: This thing is not secure
'Bitcoin Jesus' Offers Bounties to Hunt Down Hackers and Thieves(Wired) Roger Ver is so well known for his role in the rise of the world's most popular digital currency that some people call him "The Bitcoin Jesus." That makes him a prime target for hackers. They've stolen his money, and they've broken into his email account. But the Bitcoin Jesus is becoming the Bitcoin Vigilante
Consumers increasingly blame companies for data breaches(Help Net Security) Moving forward, every company involved in a major data breach — those actually attacked, such as retailers Home Depot, Target, Goodwill and Neiman Marcus, as well as banks, healthcare, insurance and Internet Service Providers, etc. — is going to pay an even higher price when customers' information is compromised. In fact, each high-profile hack will take its toll on the executive suite and the bottom line alike, say the results of a poll conducted by HyTrust
Online privacy: It's time for a new security paradigm(FCW) Compounding the challenge is the fact that verifying identity, relationships and authorization typically involves evaluating sensitive and proprietary information about us and our relationships. Often, that information is more sensitive than the content to be accessed
Businesses, governments value local skills in joint malware fight: BAE SAI(CSO) Establishment and expansion of Australian information-security centres of excellence is becoming increasingly appealing to private and public-sector organisations that are finding them invaluable partners in the race to keep up with malware threats, according to the regional head of cyber security at BAE Systems Applied Intelligence (SAI)
National Security Agency: No risk to Bulgaria's banking system(Standart News) "At the moment no serious risk is facing the banking system," assured National Security Agency director Vladimir Pisanchev after participating in an international conference on information security and data storage in Sofia. "We see no cardinal threat to the banking system in terms of cyber security," he added
General Motors appoints its first cybersecurity chief(Reuters) General Motors Co (GM.N) on Tuesday named an engineer to serve as its first cybersecurity chief as the No. 1 U.S. automaker and its rivals come under increasing pressure to better secure their vehicles against hackers
Cyber-Ark Jumps 87% On Nasdaq Debut(Bidness etc.) Cyber-Ark made its public debut on the Nasdaq today, and its shares closed up almost 87% after pricing its IPO at $16 earlier in the day
Jindal and CSC Officials Break Ground on 800-Job Technology Center in NELA(MyArkLaMiss) Today, Governor Bobby Jindal, CSC executive John DeSimone and local officials broke ground on CSC's 116,000-square-foot, next-generation technology center at the National Cyber Research Park in Bossier City. The project will create 800 new direct jobs over the next four years, as CSC becomes an anchor tenant of the 3,000-acre research park being developed by the Cyber Innovation Center, a not-for-profit research corporation
Symantec Unveils Norton Security for Threat Protection(Zacks) IT security provider Symantec Corporation (SYMC - Analyst Report) recently rolled out an enhanced personalized security service product named Norton Security, which is expected to protect consumers across multiple devices
What to do about Shellshock Bash bug on Mac OS X, web servers, routers, and more(We Live Security) A serious software vulnerability called the "Bash Bug" or "Shellshock" has just come to light and it affects a wide range of computers and digital devices, many of which will need to be fixed to prevent them leaking information or being taken over by malicious persons. The systems affected include Mac OS X computers, many web servers, and some home networking devices like routers
New Forensic Subcommittee on Digital Evidence Added to NIST OSAC(Forensic Focus) Digital evidence, one of the fastest growing areas of forensic science, will now have its own subcommittee in the National Institute of Standards and Technology (NIST)-administered Organization of Scientific Area Committees (OSAC). NIST is establishing the OSAC to identify and develop national standards and guidelines for forensic science practitioners to strengthen forensic science in the United States
Spotlight: Threat Visualizations(Arbor Insight Blog) Research firm Software Advice has published a review of Threat Visualizations. According to the firm, "When deciding which Threat Maps to feature, we were seeking maps that combined innovative designs with informational clarity, so that the viewer could clearly see what attack information was being presented. Visual elegance, interactivity, user friendly qualities, and organization were all also taken into consideration"
Lockheed Martin CEO Outlines Technology Priorities (Lockheed Martin) Lockheed Martin [NYSE: LMT] Chairman, President and Chief Executive Officer Marillyn Hewson shared her vision for the future in a speech to 500 of the Corporation's top engineering, technical and scientific professionals
Leidos Invests $200K in UMd Innovation(InTheCapital) The University of Maryland received a generous donation from a national security, health and engineering solutions company Wednesday. According to the College Park school, Leidos is investing $200,000 to support research, programs, activities and fellowships that help facilitate high-quality education and innovation on campus
Ukraine Pushes for NATO Membership as Gas Talks Commence(Bloomberg) Ukraine kick-started the process to strengthen its ties with NATO and will strive to join the alliance in the "short term," its government said, a day after its president declared the worst of its separatist war was over
HRC may shut some personnel systems down, command says(Army Times) The Human Resources Command is working with Army Cyber Command, the Army Network Enterprise Technology Command and the Army G6 (chief information officer) to resolve a "significant and complex" information technology challenge that may result in several key personnel services systems being pulled off line, HRC officials said Thursday morning
Yahoo reports a drop in government data requests(IDG via CSO) The amount of personal information held by firms like Google and Facebook has made them ripe targets for data-hungry governments and intelligence agencies. But the bull's-eye on Yahoo's back may be losing its appeal
Home Depot breach leads to fraudulent transactions, class-action lawsuits(SC Magazine) The retailer's massive breach has spawned multiple lawsuits and reports of fraudulent transactions. In the wake of Home Depot's breach, reports of fraudulent transactions have surfaced on the heels of two class-action lawsuits, one filed in Canada by a consumer and the other filed in Florida on behalf of financial institutions
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
U.S. Army ITA Security Forum(Fort Belvoir, Virginia, USA, October 20, 2014) The U.S. Army Information Technology Agency Security Forum is taking place at the Ft. Belvoir site and will be a one day event focusing on cyber security education and training for the workforce. The...
VB2014(, January 1, 1970) Over its 24-year history, the VB conference has become a major highlight of the IT security calendar, with many of its regular attendees citing it as the security event of the year. The conference provides...
DerbyCon 4.0(Louisville, Kentucky, USA, September 24 - 28, 2014) Welcome to DerbyCon 4.0 — "Family Rootz". This is the place where security professionals from all over the world come to hang out. DerbyCon 4.0 will be held September 24-28th, 2014. DerbyCon 2013...
BruCON 2014(Ghent, Belgium, September 25 - 26, 2014) BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical...
ROOTCON 8(, January 1, 1970) ROOTCON is the first hacking convention in the Philippines. A hacker conference and not a seminar, training or a workshop. It will feature the following tracks: advanced HTTP header security analysis,...
INTEROP(New York, New York, USA, September 29 - October 3, 2014) Interop returns to New York with practical and visionary conference sessions designed to help you accelerate your career. This year's conference tracks include: Applications, Business of IT, Cloud Connect...
Indianapolis SecureWorld(Indianapolis, Indiana, USA, October 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute,...
Suits and Spooks New York(, January 1, 1970) Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks...
Open Analytics Summit(Dulles, Virginia, USA, October 7, 2014) Open Analytics Summits are for Developers, Engineers, Data Scientists, CMOs, Data Analysts, CTOs, Architects, Brand Managers, and anyone passionate about open source technologies, big data, or data analytics...
MIRcon 2014(Washington, DC, USA, October 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily
Cyber Security, Meet Workforce Development(Silver Spring, Maryland, USA, October 8, 2014) Per Scholas convenes leaders in the Nation's Capital to develop a blueprint for building today's entry-level cyber security workforce
Technology & Cyber Security Day(Hill Air Force Base, Utah, October 8, 2014) The Armed Forces Communications & Electronics Association (AFCEA) Wasatch Chapter will once again host the 5th Annual Information Technology & Cyber Security Day at Hill AFB. This annual event is an excellent...
Cyber Security EXPO(, January 1, 1970) Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing...
InfoSec 2014(Kuala Terengganu, Malaysia, October 8 - 10, 2014) You are invited to participate in The International Conference on Information Security and Cyber Forensics (InfoSec 2014) that will be held at Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu,...
Hacktivity 2014(Budapest, Hungary, October 10 - 11, 2014) Official and alternative representatives of the information security profession meet with all those interested in this field in framework which is at the same time informal and informative, and sometimes...
Ruxcon(Melbourne, Australia, October 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities...
Hack-in-the-Box Malaysia(Kuala Lumpur, Malaysia, October 13 - 16, 2014) HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia...
FS-ISAC Fall Summit 2014(Washington, DC, USA, October 13 - 16, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services...
CYBERSEC 2014(, January 1, 1970) CYBERSEC is a 4-day event geared toward helping you achieve your cybersecurity goals. Whether your focus is on cybersecurity management, investigation, defense, or offense we are offering specialty cybersecurity...
Black Hat Europe 2014(, January 1, 1970) The premier conference on information security returns to the beautiful city of Amsterdam, Netherlands in October, 2014. Professionals from all over the world gather for two days of intense Trainings and...
Denver SecureWorld(Denver, Colorado, USA, October 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North...
TechCrunch Disrupt Europe Hackathon(London, England, UK, October 18 - 19, 2014) For the second year in a row, TechCrunch is jumping across the pond and bringing the iconic Disrupt and our Hackathon to Europe. We're heading your way, London
CSEC 2014 Cyber Security Summit(Kingdom of Bahrain, October 20 - 22, 2014) At the Inaugural Cyber Security Summit 2014, you will have the opportunity to seek ways to reset your IT security and risk strategy for success; stay relevant as IT security and risk are redefined; implement...
2014 ICS Cyber Security Conference(, January 1, 1970) The 14th ICS Cyber Security Conference (sometimes known as "Weisscon") will be held October 20-23, 2014 at Georgia Tech in Atlanta, GA. Cyber Security is becoming a critical infrastructure issue with implications...
Cyber Security Summit 2014(, January 1, 1970) Cyber security breaches have a profound impact on all areas of society. Join the discussion at Cyber Security Summit 2014. For two days, leaders from the public and private sectors meet to identify cyber...
ISSA International Conference(Orlando, Florida, USA, October 22 - 23, 2014) Join us for solution oriented, proactive and innovative sessions focused on security as a vital part of the business.
Hack.lu 2014 (Dommeldange, Luxembourg, October 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss about computer security, privacy, information technology and its cultural/technical implication on society
ToorCon San Diego(San Diego, California, USA, October 22 - 26, 2014) For hackers like you, because what could possibly go wrong?
FOCUS 14: Empowering the Connected World(Las Vegas, Nevada, USA, October 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while...
Dallas SecureWorld(Dallas, Texas, USA, October 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged...
CyberMaryland 2014(Baltimore, Maryland, USA, October 29 - 30, 2014) Entrepreneurs, investors, academia and government will convene in Maryland — the nation's epicenter for cybersecurity for the fourth annual CyberMaryland Conference.
Cyber Job Fair(Baltimore, Maryland, USA, October 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals...
ekoparty Security Conference 10th edition(Buenos Aires, Argentina, October 29 - 31, 2014) ekoparty — Electronic Knock Out Party — Security Conference, is a one of a kind event in South America; an annual security conference held in Buenos Aires, where security specialists from all over Latin...
Cyber Risk Summit(Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management.
Senior Executive Cyber Security Conference(Baltimore, Maryland, USA, October 30 - November 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference. This event is designed...