Researchers and analysts describe the reciprocal reinforcement of information operations and battlefield success.
US-Ukrainian military cooperation revives interest in "electronic warfare," with its irreducible cyber dimension (and cyber operators have much to learn from practitioners of the older discipline).
An Angler variant has been found infecting point-of-sale systems.
"Windows 10 upgrade" emails are ransomware vectors, warns Cisco.
TrueCrypt, abandoned by its makers, resurfaces in a Trojanized variant directed against Russian-speaking targets.
Researchers claim that customer feedback tool Aptean SupportSoft can be exploited to steal credentials and other sensitive information.
The demonstrated Jeep-hack and subsequent vehicle recall by Fiat-Chrysler (now under investigation by the US National Highway Traffic Safety Administration) as well as similar vulnerabilities reported in GM's OnStar system continue to trouble consumers and industry. And on Friday the US Food and Drug Administration warned hospitals to stop using Hospira's Symbiq infusion pumps: they may be vulnerable to remote exploitation. Lloyd's report on the cyber vulnerability of power grids — disturbing enough — is criticized on technical grounds: perhaps the report should have been even more disturbing.
The Royal Bank of Scotland says a service outage last week was the result of a hack.
Businesses are warned against third-party risks.
The New York Times reports the US has decided upon some unspecified retaliation against China for the OPM breach and other cyber capers. US officials repeat their familiar "impose-costs-on-hackers" policy, but also talk about establishing an international cyber-deterrence regime.
Italian authorities suggest a terrorist connection in the Hacking Team breach.
Today's issue includes events affecting China, Germany, India, Iraq, Israel, Italy, Japan, Kenya, Nigeria, Pakistan, Russia, Syria, Tunisia, Ukraine, United Arab Emirates, United Kingdom, United States, and Vietnam.
Electronic Warfare: What US Army Can Learn From Ukraine(Defense News) The US military has for weeks been training Ukrainian forces in US tactics, but the commander of US Army Europe says Ukrainian forces, who are fighting Russian-backed separatists, have much to teach their US trainers
Your Files Are Encrypted with a "Windows 10 Upgrade"(Cisco Blogs) Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload. These campaigns are usually focussed around social events and are seen on a constant basis. Today, Talos discovered a spam campaign that was taking advantage of a different type of current event
Major Security Bug In Aptean's Customer Response System Puts User Data At Risk(TechCrunch) A bug discovered by security researchers Eric Taylor and Blake Welsh can change a standard customer feedback system called Aptean SupportSoft into a method for hackers to grab passwords, credit card information and usernames. Taylor and Welsh have also been able to inject code into chat sessions that makes small windows appear when a customer service chat session is initiated
Is Bitdefender a Heartbleed Victim(Check and Secure) As you can read on the site "hackerfilm.com", the Romanian anti-virus producer Bitdefender has fallen victim to a cyber attack. Marius Buterchi, the US spokesman for the company, confirmed that a data breach had taken place, but reassured listeners that the company had already taken reactive measures
Researchers Create First Firmware Worm That Attacks Macs(Wired) The common wisdom when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren't
Chris Hadnagy on the Def Con hackers posing as your coworkers(Christian Science Monitor Passcode) At a conference famous for its hackers, one of the most popular events requires no technical skill whatsoever. Rather than breaking into computers, contestants try to trick companies' well-meaning employees to give out valuable information
Michael Schrenk on stealing data your company gives away for free(Christian Science Monitor Passcode) In advance of his presentation at the Def Con conference in Las Vegas, Passcode spoke with Schrenk about the insider information he's paid to glean from the open Internet — and how companies can better protect themselves from having their inside plans exposed or used against them by competitors
Cybertheft is more than stolen identity(San Diego Source) "Our research team at UCSD needs a large number of bogus credit cards in order to buy illegal products from international criminals," was the message that Stefan Savage, Ph.D. shared with a group of Chancellor's Associates at the Faculty Club in June. That may seem like a strange study program for a group of undergraduates
City faced cyberattacks amid chaos and unrest on the streets(Baltimore Sun) As Baltimore remained under curfew after riots over Freddie Gray's death, a cyberattack knocked out the city's website while hackers who sympathized with protesters on the streets threatened to target the government's computer systems, according to newly released documents
Cisco: Attackers innovating, evading defenses in first half of 2015(SC Magazine) Attackers are relaying command-and-control communications through Tor and the Invisible Internet Project, the report showed. Increasingly innovative threat actors are becoming faster at attacking, quicker at adapting, and better at evading detection, according to Cisco's 2015 Midyear Security Report
The Technical Limitations of Lloyd's Cyber Report on the Insurance Implications of Cyberattack on the US Grid(Infosec Island) The recent Lloyd's report on cyber implications of the electric grid serves a very important need to understand the insurance implications of a cyber attack against the electric grid. There have already been more than 250 control system cyber incidents in the electric industry including 5 major cyber-related electric outages in the US. There have been numerous studies on the economic impact of various outage durations, but they have not addressed issues associated with malicious causes. Consequently, there is a need to address the missing "malicious" aspects of grid outages. Unfortunately, I believe the technical aspects of the hypothesized attack in the Lloyd's study are too flawed to be used
The Weakest Link in the Supply Chain: Beware of Third Party Hacks(Comilion) There's a shift happening in the world of cybercrime. This shift is towards using indirect attacks where hackers use compromised data, such as login credentials from individuals or smaller companies within a supply chain, to then access companies higher up the chain and ultimately infiltrate mass numbers of user accounts and their Personally Identifying Information (PII) therein. You can describe this attack as using a 'stepping stone' principle, hopping from an easier target, to breach a more lucrative company
Complacency — The Biggest Cyber Risk to Construction and Real Estate Companies(Willis Wire) Stories of cyber attacks reported on television or in newspapers invariably point to anarchist groups, disgruntled techies or bored geeks, holed up in their parents' lofts. Successful attacks cannot happen without geeks and technology, but the threats faced by corporates are focused mainly on financial gain
Cyber insurance market to hit US$10 billion by 2020(Help Net Security) Continued and sustained cyberattacks are having a ruinous effect on enterprises and driving up the cost of incident response. With over 900 million reported records exposed in 2014, more companies are seriously starting to consider transferring risks to insurance providers
Cybersecurity Becoming a Major Industry For Investors(Nasdaq) Over the last several weeks, a variety of data breaches have brought attention to cybersecurity shortcomings in a variety of places, namely the Office of Personnel Management, Ashley Madison, Jeep, and United Airlines. In addition to highlighting various network failures, these hacks have also shown the extent to which our personal information and safety are wrapped up in technology. This level of exposure, in turn, speaks to the growing demand for better cybersecurity offerings as companies that experience hacks lose significant credibility among consumers, business clientele and investors alike
Cybersecurity Is Dominated by Startups In The US, With Israel A Distant Second(CB Insights) As cybersecurity startups innovate to meet an expanding number of online security threats, they're attracting increased attention from investors. 2014 was a record year for private-company funding in the space. We used CB Insights data to understand the regions and markets attracting the most cybersecurity funding
IBM: New business lines falter as old ones die(Geekzone) IBM's reinvention as a software and services business still serves as an object lesson in turning troubled technology companies around. It switched from dependence on mainframe and servers to selling software, services and outsourcing
L-3 Evaluating Future of VIP Jet Conversions, Cyber Unit(Wall Street Journal) L-3 Communications Holdings Inc. said Thursday that it was evaluating a business that converts big commercial jets for VIPs after running up charges of more than $100 million on two existing contracts, and may also sell or spin off its $1 billion cybersecurity unit
Sophos introduces cloud-based secure web gateway(Times of Oman) Sophos recently announced the availability of Sophos Cloud Web Gateway, a cloud-based secure web gateway that delivers advanced protection for users, devices and data across multiple operating systems, regardless of their location. The addition of secure web gateway to Sophos Cloud integrates technology from Mojave Networks, which Sophos acquired in October 2014
simplicam® Announces New Security Upgrades(BusinessWire) ArcSoft's home monitoring Wi-Fi camera is upgraded with improved security, giving simplicam customers even more peace of mind when they're away from home
The Need for Third Party Risk Management(Legaltech News) Organizations have to establish third party risk management strategies in order to mitigate the potentially huge financial and reputational fallouts from insecure partnerships
Best Practices to Protect You, Your Network, and Your Information(US-CERT) The National Cybersecurity and Communications Integration Center (NCCIC) and its partners responded to a series of data breaches in the public and private sector over the last year, helping organizations through incident response actions, conducting damage assessments, and implementing restoration and mitigation actions
Important Advice on Surviving an Employee Data Breach(IT Business Edge) Recent large data breaches involving the loss of sensitive employee information are signaling a shift in the security landscape. Hackers are no longer focusing solely on credit card information and financial data alone to sell on the black market. Instead, cyber thieves driven by different goals are now targeting a wider variety of information, from password credentials and employment records, to potentially damaging email exchanges that could be used as blackmail or to damage brand reputation
Using the COSO Framework to Mitigate Cyber Risks(Wall Street Journal) Cyber risks cannot be avoided, but such risks can be managed better through careful design and implementation of appropriate controls. Using the internal control framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a guide, organizations can build preventive and detective controls aimed at mitigating cyberthreats to an acceptable level
Phish or Be Phished? The Choice is Yours(KnowBe4) It is mid-2015. By now, we have all seen incoming emails claiming we have been bequeathed a huge sum of money from a Nigerian Prince, or we have won a foreign lottery we never entered. Most employees have seen these scam emails long enough to know they are not real
Debunking Myths: Application Security Checklists Suck(Infosec Island) There is a pervasive sentiment amongst the security community about checklists: they suck. We've all seen inflexible audit checklists that seem to be highly irrelevant to the specific system being audited
Back Doors: Are You Prepared?(Tripwire: the State of Security) "Honey… Did you make sure you locked the basement door and activated the security system? I can't wait to get to the Big Rock Campground, the kids are going to love the waterslide…" Sound familiar?
Hacking Team and other breaches as security lessons learned(We Live Security) If you are in charge of defending IT systems you know there's a big difference between an attacker who is trying to steal payment card data and an aggressive assault by folks who want to expose your internal emails and trash your servers and/or reputation. In the last twelve months we've seen a number of high profile attacks that were not straightforward grabs for monetary instruments or intellectual property (although there were plenty of those as well). So what can we learn from these aggressive attacks, like the one on the Italian "security" company called Hacking Team, or AshleyMadison, and SonyPictures?
Your Security Policy Is So Lame(Internet Storm Center) Every person should avoid lame security policies because of the lack of clarity they leave behind. Often times we find ourselves forced into creating security policies due to compliance requirements. Is there a way to lean into this requirement and get value beyond the checkbox? I certainly think so and would like to share some ideas on how you can do this as well
Drawing Lessons From July's Jeep Hack(TechCrunch) If you were anywhere near the internet in late July, you probably read the news: Charlie Miller and Chris Valasek, two security researchers who specialize in hacking cars, figured out how to remotely take control of a Jeep
The cyber-mechanics who protect your car from hackers(New Scientist) A couple of weeks ago, a small team of security researchers gathered near a car parked outside one of their company's buildings. The vehicle was on loan to them from a carmaker, and the goal was to find out how hackable it was
Machine Learning And Human Bias: An Uneasy Pair(TechCrunch) "We're watching you." This was the warning that the Chicago Police Department gave to more than 400 people on its "Heat List." The list, an attempt to identify the people most likely to commit violent crime in the city, was created with a predictive algorithm that focused on factors including, per the Chicago Tribune, "his or her acquaintances and their arrest histories — and whether any of those associates have been shot in the past"
The difference between newspaper and online ads(Graham Cluley) With online mags like The Verge claiming "the mobile web sucks" and others showing that no, it's The Verge website that sucks because it's so plastered with ads and trackers, technology journalist Charles Arthur has hit the nail right on the head
When Innovation Fails(IEEE Spectrum) We are too quick to chase wild and crazy innovation and too slow to implement obvious, practical ideas
Research and Development
Georgia Tech Receives $4.2 Million Grant to Battle Cyber Threats(Global Atlanta) A $4.2 million grant has been awarded to researchers at the Georgia Institute of Technology's College of Computing in an effort to develop programs that will improve cybersecurity, especially for online banking, shopping and trading transactions
Cyber Boot Camp: Lessons Learned(Dark Reading) What happens when 50 young people spend a week in the trenches with cybersecurity researchers from ESET? One picture is worth a thousand words. Here are seven
How to Secure India's Sacred Cyber Space(New Indian Express) Writing 2,500 years ago, Sun Tzu declared in his military treatise The Art of War: "Supreme excellence consists of breaking enemy's resistance without fighting". It is a tribute to the Chinese military strategist's genius that his dictum holds good even today after a couple of millennia
U.S. Decides to Retaliate Against China's Hacking(New York Times) The Obama administration has determined that it must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management, but it is still struggling to decide what it can do without prompting an escalating cyberconflict
Pentagon seeks cyberweapons strong enough to deter attacks(Los Angeles Times) The nation that brought the world the mushroom cloud is now hard at work on a new project: coming up with cyberweapons so strong that their very existence would deter foreign governments from attacking U.S. databases and crucial computer systems
Can real-world rules be applied to cyber response?(Defense Systems) When it comes to defining responses to attacks in the cyber domain, the Defense Department's policies are still in flux. But officials appear to be shaping the cyber domain in the same scope as the physical, kinetic world. "We're still working our way through this," Adm. Mike Rogers, head of both the National Security Agency and U.S. Cyber Command, said at the Aspen Security Summit last week
US response to China's hacking shows double standard: Analyst(PressTV) China's alleged theft of personal information of millions of American employees is embarrassing while Washington's response to the hacking indicates "double standard hypocrisy" in US foreign policy, a geopolitical commentator in Missouri says
Strengthening & Enhancing Federal Cybersecurity for the 21st Century(The White House) From the beginning of the Administration, the President has made it clear that cybersecurity is one of the most important challenges we face as a Nation. It is also an ever-growing and constantly changing challenge. For years, whenever I've spoken with private and public sector leaders, I've regularly asked them how much time they spend on cyber and related issues. And each year, the answers have been a higher proportion of their time than the year before. Today, any responsible leader of an organization — public or private sector — is dedicating significant attention and resources to addressing evolving cyber threats. And for good reason
Legislation Introduced to Enhance Government Cybersecurity(FedSmith) Congressman Michael McCaul (R-TX) has introduced legislation designed to strengthen the government's cybersecurity defenses in light of the recent data breaches that hit the Office of Personnel Management and left the personal data of millions of current and former federal workers at risk
CISA could turn into extremely messy floor fight(Washington Examiner) As the final work week begins before summer recess, it remains unclear whether the Senate will manage to tackle a major cybersecurity information-sharing bill before leaving town
Crypto Tools Export: Commerce Department Withdraws Proposal, Promises Rewrite(Forbes) The U.S. Department of Commerce has been deluged the last two months with comments from the cryptography community, after the Department's Bureau of Industry Standards (BIS) issued proposed new export regulations covering, among other items, "encryption and cryptanalysis" tools. These regulations were resoundingly criticized as potentially barring the export of standard security testing tools
Why We Really Should Ban Autonomous Weapons: A Response(IEEE Spectrum) We welcome Evan Ackerman's contribution to the discussion on a proposed ban on offensive autonomous weapons. This is a complex issue and there are interesting arguments on both sides that need to be weighed up carefully. This process is well under way, and several hundred position papers have been written in the last few years by think tanks, arms control experts, and nation states. His article, written as a response to an open letter signed by over 2500 AI and robotics researchers, makes four main points
The FBI Is Not Equipped To Protect America From Cyber Threats, New DOJ Investigation Reveals(Inquisitr) A report recently released by the United States Department of Justice shows that FBI staffing is problematic for combating cyber threats. Though the Bureau began an official cyber-security program in 2012, and the government released the Next Generation Cyber Initiative a partner to the White House's National Cyber Security Initiative that same year, there simply aren't enough FBI employees to handle the job and it is all due to lack of funding
Clinton e-mail disclosure slowed by security concerns(Boston Globe) Dozens of e-mails that traversed Hillary Clinton's private, unsecure home server contain national security information now deemed too sensitive to make public, according to the latest batch of records released Friday
Italian police shutter Dark Web marketplace(IDG via CSO) Italian police have shut down a Dark Web marketplace offering illegal goods ranging from child pornography to forged luncheon vouchers, and seized 11,000 bitcoin wallets worth about 1 million euros, authorities said Friday
The Mt.Gox Arrest Is The End Of The First Age Of Bitcoin(TechCrunch) The former head of bitcoin exchange Mt.Gox, Mark Karpeles, screwed a lot of early adopters. It is unclear at this point how much Karpeles allegedly lost or took, but the Japanese police are claiming he lost about $387 million while Mt. Gox was in business
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Black Hat USA(Las Vegas, Nevada, USA, August 1 - 6, 2015) Black Hat — built by and for the global InfoSec community — returns to Las Vegas for its 18th year. This six day event begins with four days of intense Trainings for security practitioners...
ISSA CISO Forum: Third Party Oversight(Las Vegas, Nevada, USA, August 2 - 3, 2015) The CISO Executive Forum is a peer-to-peer event. The unique strength of this event is that members can feel free to share concerns, successes, and feedback in a peer only environment. Membership is by...
BSides Las Vegas(Las Vegas, Nevada, USA, August 4 - 5, 2015) BSides Las Vegas is an Information/Security conference that's different. We're a 100% volunteer organized event, put on by and for the community, and we truly strive to keep information free. There is...
Defcon 23(Las Vegas, Nevada, USA, August 4 - 7, 2015) DEF CON has been a part of the hacker community for over two decades. See the organization's website for more information
3rd Annual Psyber Behavioral Analysis Symposium(Fort Meade, Maryland, USA, August 11, 2015) The 3rd Annual Psyber Behavioral Analysis Symposium is hosted by the NSA/CSS Threat Operations Center and the FBI Behavioral Analysis Unit-2/Cyber Behavioral Analysis Center. The goal of the Symposium...
USENIX Security(Washington, D.C., USA, August 12 - 14, 2015) The USENIX Security Symposium reunites researchers, practitioners, system administrators, system programmers, and others specialists interested in the latest advances in the security and privacy of computer...
5th Annual Cyber Security Training & Technology Forum (CSTTF)(Colorado Springs, Colorado, USA, August 19 - 20, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter and FBC, Inc. will once again co-host the 5th Annual Cyber Security Training & Technology Forum (CSTTF). CSTTF 2015 will bring...
Decepticon 2015(Cambridge, England, UK, August 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines,...
AFCEA OKC Technology & Cyber Security Day(Oklahoma City, Oklahoma, USA, August 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker...
Power Grid Cyber Security Exchange 2015(San Diego, California, USA, August 30 - September 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology...
2015 HTCIA International Conference & Training Expo(Orlando, Florida, USA, August 30 - September 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015(Vancouver, British Columbia, Canada, August 31 - September 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire...