Some news sources report that ISIS is doxing US service members and their families, posting personally identifying information online and howling for lone wolves to behead those so identified. It's unclear how real the threat is (and the arrest of a Georgia Guardsman for falsely reporting similar but unrelated threats should give one pause) but authorities urge caution. Other ISIS information ops sicken even the Taliban, which objects to recent execution videos.
An international dragnet (US, UK, and Danish authorities at least were involved) resulted in the indictment of at least nine (Naked Security says thirty-two) stock traders and hackers for a five-year-long criminal campaign to profit from illicitly obtained inside information. The SEC suggests they may have made up to $100 million by hacking press release services to obtain early warning of material information. In one case, half an hour advance warning of an earnings downgrade yielded $500 thousand in ten minutes of short-selling. Observers draw the following lessons: 1) hackers needn't be flash traders to game the market, 2) enterprises really need to take a hard look at third-party risk, 3) such financial cyber crime isn't unique — consider FIN4 and last decade's Estonian gang, and 4) inevitably, more legislation is needed.
On the subject of cyber risk and its transfer, some thoughts are offered on determining value-at-risk in the absence of a large corpus of actuarial data.
Yesterday was Patch Tuesday. In addition to Microsoft's fixes, see upgrades from Google, Mozilla, Adobe, and OpenSSH.
Oracle anathematizes reverse engineering.
Today's issue includes events affecting Afghanistan, Australia, Estonia, Iraq, Mexico, New Zealand, South Africa, Syria, Ukraine, United States.
Smile! The malware is taking a picture of you(Fortinet Blog) The malware claims it has detected "forbidden pornographic" pictures on your device, says it has reported it to the FBI and asks you to pay a fine of $500. To make the (fake) report appear even more scary, the malware displays your IP address and a picture of you. It says those were sent in the report to the FBI
Chip Card ATM 'Shimmer' Found in Mexico(KrebsOnSecurity) Fraud experts in Mexico have discovered an unusual ATM skimming device that can be inserted into the mouth of the cash machine's card acceptance slot and used to read data directly off of chip-enabled credit or debit cards
IoT devices: The good, the bad and the ugly(Help Net Security) Cognosec has revealed critical security flaws in ZigBee, one of the most popular wireless communication standards used by Internet of Things (IoT) devices today
Security Patches, Mitigations, and Software Updates
Patched Android 'Serialization' Vulnerability Affects 55 Percent of Devices(Threatpost) Google has patched a severe Android vulnerability that researchers at IBM said impacts more than 55 percent of devices. As with most Android vulnerabilities, users are reliant on handset makers and carriers to push patches downstream to devices, something they've not always been diligent about
Security updates available for Adobe Flash Player(Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system
The impact of the IoT on access control(Security InfoWatch) The IoT represents a fundamental change to the access control industry that not only impacts the kinds of tools we use and how we use them, but who makes the decisions on the customer side of the table
Corporate Encrypt–Everything Policies Gain Interest(Infosecurity Magazine) With tale after tale of data breaches and cyber-espionage making its way into the headlines, encryption by default has been a hot topic of late — and enterprises are beginning to respond. A large majority (84%) of respondents in a recent survey said that they had considered a security strategy of encrypting all sensitive data
3 Steps to Evaluate Your Supply Chain Preparedness(Security Magazine) Your supply chain is the lifeline of your business, but it also can be a significant vulnerability during a hurricane or a natural catastrophe or other event such as a cyber-attack, strike or delay. With hurricane season underway, it might be a good time to review your supply chain to understand critical dependencies and identify alternate sources in the event of a failure
VARs must add more value in security(CRN) Value-added resellers are perfectly placed to step in and help customers as the global threat landscape continues to escalate, argues Performanta Ltd CTO Lior Arbel
Top 10 U.S. cities for online fraud(Help Net Security) Data reveals Tampa as the top hot spot for online fraud and ThreatMetrix found a correlation between top cities for fraud and those home to hosted data centers
Driving Your Car Will Soon Be Illegal(TechCrunch) Driving a car will be illegal by 2030. Our economy will be severely impacted as millions of truck drivers, cabbies and delivery people are put out of work. In this era of endless innovation, man's century-long relationship with the automobile is about to be permanently disrupted
Getting to Cyber Value-at-Risk (While We're Still Young)(CyberPoint Risk Analytics) In the Wall Street Journal's CIO Journal, Deloitte writes, after a thoughtful consideration of the World Economic Forum's Partnering for Cyber Resilience, "It took the financial services industry 30 years to refine value-at-risk to the point where it's useful and trustworthy." Deloitte offers some useful interim measures that could contribute to risk mitigation, but their conclusion seems to be that a comprehensive solution remains to be achieved: we need "a large set of real-world historical data regarding the frequency and severity of risk events that's not yet widely available"
Oracle CSO: You 'Must Not Reverse Engineer Our Code'(Threatpost) Oracle, never the most researcher-friendly software vendor, has taken its antagonism to another level after publishing a blog post by CSO Mary Ann Davidson that rails against reverse engineering and saying that the company has no need for researchers to look at Oracle's code for vulnerabilities because "it's our job to do that, we are pretty good at it"
Rook Security Growing Indy HQ(Inside Indiana Business) Rook Security Inc. has announced plans to expand its Indianapolis headquarters and create more than 130 jobs by 2024. The company, which moved to Indianapolis from Silicon Valley in 2010, says the move will help it keep pace with sales growth
Meet Sundar Pichai, Google's new CEO(IT World) As part of a corporate reshuffle announced Monday, Sundar Pichai has been named the CEO of Google as it becomes a subsidiary of a new company called Alphabet. It's yet another step up for the 43-year-old executive who has been on a meteoric rise through Google's corporate structure
Frost & Sullivan Recognizes WatchGuard's APT Blocker with the 2015 New Product Innovation Award(ADVFN) WatchGuard® Technologies, a leader in multi-function integrated security appliances, today announced that its advanced malware and zero-day threat protection solution, APT Blocker, has been named a recipient of Frost & Sullivan's 2015 New Product Innovation Award. This recognition is based on an extensive and independent analysis by Frost & Sullivan of the worldwide small and midsize business (SMB) market for advanced persistent threat (APT) protection solutions
Elcomsoft Phone Breaker Targets Popular Password Keepers(PRNewswire) ElcomSoft Co. Ltd. updates Elcomsoft Phone Breaker, the company's mobile forensic tool for logical and over-the-air acquisition of mobile devices. Version 4.10 decrypts passwords stored in 1Password containers and becomes an industry first tool to instantly unlock BlackBerry Password Keeper for BlackBerry 10. The tool integrates the extraction of iCloud authentication tokens into the user interface
IBM Watson Applied to Intelligence Problems(National Defense) IBM's cognitive computer system, Watson, which once beat Jeopardy's top human players, can assist in situations specific to defense and intelligence communities, product officials said
Cloud security: Integrated global CDN with DDoS mitigation and WAF(Help Net Security) Applications are becoming more accessible on the web across all industries including gaming, e-commerce, software, and media. This is great for reaching new customers around the globe, but along with new opportunities comes the threat of increasingly complex attacks against web applications
Technologies, Techniques, and Standards
Winning the Online Banking War(TrendLabs Security Intelligence Blog) Detecting banking malware has become part and parcel of the security industry, so cybercriminals are continuously looking to gain the upper hand in the battle against the financial industry and security vendors. In the BlackHat presentation Winning the Online Banking War last August 5, Sean Park proposed the use of a new online banking security framework for banks and web app developers called "Malware Inject Prevention System"
Managing Reputational Risks Across the Enterprise(Wall Street Journal) Too often, managing reputational risk is a task left for individual functions, without a unified channel to the board and C-suite executives. Social media, however, is creating an imperative for many organizations to take a consistent, broader and strategic approach to managing reputational issues, starting with a fully dedicated chief risk officer (CRO). Henry Ristuccia, a Deloitte Advisory partner in Deloitte & Touche LLP, and Global Governance, Regulatory and Risk leader, Deloitte Touche Tohmatsu Limited, discusses the importance of viewing reputation as an asset that contributes value and what the C-suite can do to protect it
Improving Healthcare Data Security With a Single View of the Patient(B2C) According to the Department of Health and Human Services, medical information about more than 120 million people has been compromised in more than 1,100 separate breaches since 2009, and sadly the number is rising as healthcare data breaches continue to occur at alarming rates. Healthcare industry data theft accounts for 42.5 percent of all data breaches since 2012, followed by the business sector with 33% of breach activity and the government with 11.7 percent
Windows Service Accounts — Why They're Evil and Why Pentesters Love them!(Internet Storm Center) Windows Service Accounts have been one of those enterprise "necessary evils" — things that you have to have, but nobody ever talks about or considers to be a problem. All too often, these service accounts are in the Domain Admins group, with passwords like "Service123", "S3rvic3" or something equally lame. And all too often, application vendors that use these services insist on just such a configuration
How to prevent insider threats in your organization(Help Net Security) Time and again, organizations of all sizes and in all industries fall victim to insider threats: disgruntled, malicious insiders — employees, former employees, contractors or business associates — who want to hurt the company or make money, or, more often, bumbling or indifferent employees who accidentally put sensitive company information at risk
Design and Innovation
New IP address blacklist based on Web chatter(CSO) Traditionally, blacklists of malicious IP addresses are assembled using honeypots and intrusion detection systems but a new approach, analyzing chatter on the dark and open Web, can find malicious addresses that would have been otherwise missed
How Uber Could Contribute to the Future of Spycraft(Nextgov) The intelligence community this month quietly released an unprecedented, unclassified five-year-roadmap charting the future of data analysis it wants commercial startups like ride-sharing firm Uber to read
Hitting the Cyber Skills Shortage Head On(IBM Security Intelligence) The low availability of professionals with specialized cyber skills is one of the biggest issues facing organizations looking to defend their core business systems against cyberattacks. A recent report from Information Systems Audit and Control Association (ISACA), titled "The Growing Cybersecurity Skills Crisis," estimated that there are as many as 1 million unfilled security jobs worldwide, as shown below
HCC offers 2-year program in burgeoning cybersecurity(Honolulu Star Advertiser) Are you considering a career in cybersecurity? There were more than 75,000 information security analyst positions available in 2012, and it is projected that the number will climb to over 100,000 jobs by 2022, according to the U.S. Department of Labor's Occupational Outlook Handbook. Reports from Cisco and Symantec indicate a shortage of talent with over 1 million unfilled openings globally. Fortunately, formal education programs are available on Oahu
Senators have clear choices on CISA in the fall(Washington Examiner) The Senate fumbled on cyber legislation as it headed out the door for a month-long recess, but perhaps set the stage for success in the fall by separating the debate on information-sharing from assorted "poison pills" that had varying degrees of relevance to cybersecurity
Phreaker, Maker, Hacker, Ranger: One Vision for Cyber Support to Corps and Below in 2025(Small Wars Journal) The operationalization of the Cyberspace Domain at the tactical-level continues to exacerbate both tactical theorists and practitioners alike. For theorists, much of this stress and anxiety stems from a deficiency in unclassified historical examples and the abstractness of cyberspace as a warfighting domain. The lack of historical examples and cross-domain nature of cyberspace makes it difficult to fit cyber-related tactical concepts into traditional doctrine. For tactical practitioners who employ troops on the battlefield, the lack of a concise and communicable Mission Essential Task List (METL) to assist commanders in understanding, visualizing, and describing operational concepts to their staffs continues to limit cyberspace integration into maneuver. The purpose of this paper is not to provide a concrete solution on which to base the tactical-level operationalization of cyberspace off of, but rather to establish an intellectual target reference point for Army thinkers to "adjust fire" off of as they develop the Army's cyber way-ahead for the next decade
Nine Charged in Insider Trading Case Tied to Hackers(New York Times) Federal authorities announced on Tuesday that they had broken up a five-year scheme in which rogue traders gave overseas hackers a "shopping list" of confidential corporate news releases to steal, generating more than $100 million in illegal profits
Hackers who breached corporate wires made millions off insider trading(Washington Post) An international hacking ring armed with tens of thousands of corporate secrets pocketed more than $100 million from illicit trades, targeting a core vulnerability of the financial system in one of the digital age's most sprawling insider-trading schemes, federal investigators said Tuesday
Feds charge hackers in massive insider trading scheme(The Hill) Federal authorities say they have busted a massive, global ring of hackers and traders who allegedly conspired to access financial press releases before they were published, making more than $100 million in profits off illegal trades based on the information
Defense Stocks Involved in Hacking Scheme(Defense News) Three major US defense firms were among the victims of an alleged hacking ring based in Ukraine that accessed and leaked press releases to co-conspirators who traded on the information before it became public
Hacking charges show merger of finance and cybercrime(AP) Companies can spend millions of dollars on state-of-the-art cybersecurity to protect their most precious information, but that could all be for naught if outside companies with access to it don't adhere to the same high security standards
Hackers in chains: Class of 2015(FierceITSecurity) Should a hacker spend as much time in prison as a person who, say, robs a bank? Are crimes as devastating in the virtual world as they can be in the physical world? These are questions that pop up often when cybercriminals get caught
Twitter Adds Email Privacy Data to Transparency Report(Threatpost) The number of information requests Twitter is receiving from the United States government is increasing steadily, having risen roughly 50 percent in the first six months of this year compared to the last six months of 2014
Threat to American soldiers was a hoax(11 Alive) A National Guard soldier was arrested for filing a false report of a threat that took social media by storm and created fear among local military personnel
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
(ISC)2 SecureTurkey(Istanbul, Turkey, October 8, 2015) Sessions include exploring the threat landscape and its drivers, the common pitfalls endemic to current business trends that ensure a perpetual pipeline of vulnerabilities available for exploitation and...
USENIX Security(Washington, D.C., USA, August 12 - 14, 2015) The USENIX Security Symposium reunites researchers, practitioners, system administrators, system programmers, and other specialists interested in the latest advances in the security and privacy of computer...
5th Annual Cyber Security Training & Technology Forum (CSTTF)(Colorado Springs, Colorado, USA, August 19 - 20, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter and FBC, Inc. will once again co-host the 5th Annual Cyber Security Training & Technology Forum (CSTTF). CSTTF 2015 will bring...
Decepticon 2015(Cambridge, England, UK, August 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines,...
AFCEA OKC Technology & Cyber Security Day(Oklahoma City, Oklahoma, USA, August 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker...
Power Grid Cyber Security Exchange 2015(San Diego, California, USA, August 30 - September 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology...
2015 HTCIA International Conference & Training Expo(Orlando, Florida, USA, August 30 - September 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015(Vancouver, British Columbia, Canada, August 31 - September 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire...