Daily briefing.

Observers continue to pick through the files pulled from recently doxed Hacking Team, reading customer lists (which appear to confirm longstanding views of the company's business), pricing, emails, etc. The same hacker ("PhineasFisher") who claimed responsibility for last year's breach at Gamma International tells Motherboard he (or she) is also behind this one.

Among the lessons and observations being drawn from the leaks are two obvious ones that bear repeating: (1) use strong passwords (not, e.g., "P4ssword") and (2) offensive cyber tools are effectively indistinguishable from defensive ones (if for no other reason than the role they play in testing and vulnerability research). Control of such tools is a tough problem, as may be seen in the case of a University of Northumbria student dissertation, apparently redacted (says Threatpost) in the name of Wassenaar compliance.

Russian cyber operations appear to continue in the hybrid war against Ukraine.

MalwareMustDie reports finding a KINS malware builder being distributed in the underground, and predicts a surge in KINS Trojan infestations.

Team GhostShell's self-described community-spirited (but obviously unwelcome) hacks of universities reach several institutions in Hong Kong.

US state and Federal authorities investigate hacks of New Jersey online casinos.

Several sources warn enterprises to expect a major patch of OpenSSL this Thursday.

Mozilla patches Firefox.

Not-for-profits are warned of the risks their collection of personally identifiable information poses. Some such collection is probably inevitable, but it exposes them, their donors, and their clients to cyber risk.

FBI Director Comey calls for debate over strong encryption.

Notes.

Today's issue includes events affecting Azerbaijan, Bahrain, China, Ethiopia, Israel, Italy, Kazakhstan, Romania, Russia, Saudi Arabia, Sudan, Ukraine, United Arab Emirates, United States, and Uzbekistan.

Cyber Attacks, Threats, and Vulnerabilities

Surveillance software maker Hacking Team gets taste of its own medicine (Reuters) Italy's Hacking Team, which makes surveillance software used by governments to tap into phones and computers, found itself the victim of hacking on a grand scale on Monday

Massive leak reveals Hacking Team's most private moments in messy detail (Ars Technica) Imagine "explaining the evilest technology on earth," company CEO joked last month

Hacker Claims Responsibility for the Hit on Hacking Team (Motherboard) An online anti-surveillance crusader is back with a bang

Hacking Team hacked: firm sold spying tools to repressive regimes, documents claim (Guardian) Cybersecurity firm has 400GB of what purport to be its own documents published via its Twitter feed after hack

Leaked Documents Suggest Hacking Team Sold Tech To Sanctioned Russian Conglomerate (BuzzFeed) According to hacked data, the Italian company may be in violation of European Union sanctions

Leaked Emails: How Hacking Team And US Government Want To Break Web Encryption Together (Forbes) Get ready America: one of the most notorious surveillance providers on the planet, Hacking Team, is expanding in earnest on US shores. And, if it hasn't collapsed as a result of a hugely embarrassing attack on its servers, the likes of the FBI, Drug Enforcement Agency and a slew of other US government departments will welcome the controversial company with open arms as they seek to break common encryption across mobiles and desktops

The FBI Spent $775K on Hacking Team's Spy Tools Since 2011 (Wired) The FBI is one of the clients who bought hacking software from the private Italian spying agency Hacking Team, which was itself the victim of a recent hack. It's long been suspected that the FBI used Hacking Team's tools, but with the publication yesterday of internal documents, invoices, emails and even product source code from the company, we now have the first concrete evidence that this is true

Someone Just Leaked The Price List for Cyberwar (DefenseOne) A controversial cyber arms dealer gets hacked, revealing sales to the US military and less savory customers around the world

Hacking Team's Dingy Laundry Hung Out Online (E-Commerce Times) Fireworks of a different kind rocked the security world this Fourth of July weekend, when news surfaced that hackers breached Hacking Team, an Italy-based firm that develops malware for sale to governments and law enforcement. The attackers exposed 400 GB of data stolen from its servers, including sales records, according to reports

U.S. Hired Dictators' Favorite Hackers (Daily Beast) New documents reveal that a firm that helps authoritarian governments like Russia and Saudi Arabia is also connected to the U.S. military's burgeoning cyber warfare apparatus

Unpatched Flash Player Flaws, More POCs Found in Hacking Team Leak (TrendLabs Security Intelligence Blog) Earlier this week the Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public. The company was known for selling what it described as tools used to lawfully intercept communications that could be used by governments and law enforcement agencies. The company has stated they do not do business with oppressive countries in the past

Lesson #1 from the Hacking Team hack: Choose strong passwords (Graham Cluley) Italy's controversial Hacking Team, which supplies spyware and surveillance technology to countries and law enforcement agencies around the world, hasn't been having the best of times

Hacking Team Couldn't Hack Your iPhone (Threatpost) More than 36 hours after the huge cache of data from Hacking Team's corporate network was dumped online, researchers are continuing to find surprising bits and pieces in the documents. Among them is evidence that the company had an enterprise developer certificate from Apple, allowing it to develop internal apps, but could not get its malware onto iOS devices

Hacking Team's Equipment Got Stolen in Panama (Motherboard) A surveillance system sold by the infamous surveillance software developer Hacking Team went "missing" after presidential elections in Panama at the end of 2014

Six Degrees Of 3rd Party Risk From Russian Cyber Ops (HS Today) Six degrees of separation is a theory that everyone in the world is six, or fewer steps, from any other person in the world. This theory was popularized through Kevin Bacon, who has been in so many movies, that it's believed he can be linked to any actor in a maximum of six links

KINS Malware Builder Leaked on numerous crime forums (SecurityAffairs) Researchers at MalwareMustDie group have discovered a KINS Malware builder leaked online; it is easy to predict a rapid diffusion of the banking trojan

Old MS Office feature can be exploited to deliver, execute malware (Help Net Security) A Microsoft Office functionality that has been in use since the early 1990s can be exploited to deliver malicious, executable files to users without triggering widely used security software, claims security researcher Kevin Beaumont

New "Porn Droid" ransomware hits Android (Cybersecurity Place) Researchers at ZScaler have discovered a new variation of the "Porn Droid" ransomware that affects Android devices. Once the device is infected, the malware sends the user a message, apparently from the FBI, accusing the user of watching child pornography. It then demands a $500 ransom to restore the device to normal. Infection: After masquerading as a Google patch update, the malware then asks for a number of powerful permissions including "Erase all data" and "set storage encryption"

Fraudulent Batterybot Pro App Yanked from Google Play (Threatpost) A malicious Android app spoofing the popular BatteryBot Pro app has been pulled from Google Play

Notes from SophosLabs: Poisoning Google search results and getting away with it (Naked Security) SophosLabs researchers recently uncovered a hack being used by unscrupulous web marketers to trick Google's page ranking system into giving them top billing, despite Google's ongoing efforts to thwart this sort of search poisoning

Top Hong Kong universities caught up in major hack attack on more than 100 global institutions (South China Morning Post) A number of major educational institutions in Hong Kong were allegedly affected by a major hack attack encompassing more than 100 universities and government agencies worldwide

Cyber-attack hits N.J. gambling sites (NJ.com) State and federal authorities are investigating a cyber-attack on four Atlantic City online casino gaming sites, which were apparently targeted by a hacker who promised more disruption unless a ransom was paid in Bitcoin, officials said today

The Rise Of Social Media Botnets (Dark Reading) In the social Internet, building a legion of interconnected bots — all accessible from a single computer — is quicker and easier than ever before

Malware as a service — cyber crime's new industry (IT Pro Portal) Organised criminal gangs (OCGs) are increasingly using software services of the type more usually associated with legitimate corporations to grow their operations. By offering 'malware as a service', OCGs are employing business models similar to those developed by legitimate companies in order to extend their global reach

Security Patches, Mitigations, and Software Updates

Awoogah: Get ready to patch 'severe' bug in OpenSSL this Thursday (Register) Heads up for July 9 security vulnerability fix

Get ready. Mystery high severity bug in OpenSSL to be patched on Thursday (Graham Cluley) A new version of OpenSSL, the open-source software widely used to encrypt internet communications using SSL/TLS, is due to be released this Thursday 9th July, patching a single "high severity" vulnerability

Firefox 39 bites four critical bugs (Register) Set phasers to Frag, says Mozilla, in gaming roadmap for future browsers

Security Updates for Node.js and io.js (US-CERT) Networking applications using Node.js or io.js contain a vulnerability in the V8 JavaScript engine. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition

Bitcoin glitch expected to abate as software upgrades continue (IDG via Network World) Bitcoin experienced a glitch over the weekend that is expected to be resolved as software clients that handle transaction data are upgraded

Cyber Trends

Cyber War Is Hell (eSecurity Planet) Think cyber war is bad now? It is only going to get worse — much worse — says security expert Bruce Schneier

IoT Flaw Discoveries Not Impactful — Yet (Dark Reading) As flaws announced at Black Hat USA and elsewhere highlight IoT weaknesses, the impact of these vulns still remains low in the face of vast distribution. But that could change with market consolidation

Data Privacy Risks And Cyber Liability: The digital age is filled with 404 Errors and plenty of theft (NonProfit Times) Managers at nonprofits across the U.S. collect and store — in filing cabinets, networked servers and in rented "cloud" space — vast amounts of personal information. And despite the increasing frequency of data breaches affecting public, private and nonprofit organizations, most nonprofit leaders admit knowing too little about the risks and consequences of failing to adequately protect personal information collected from employees, volunteers, clients and donors

Marketplace

How the Cybersecurity Industry Became a House Divided (DCInno) A one-on-one interview with Invincea CEO Anup Ghosh

The start-up catching white-collar criminals in the web's darkest places (Telegraph) Digital Shadows hunts through the deep, dark web for the hidden threats that could topple global businesses

Radware Announces CFO Transition (Nasdaq) After 16 years as Radware's CFO, Meir Moshe stepping down. Will be replaced by Mr. Doron Abramovitch

Products, Services, and Solutions

Data-centric security with RightsWATCH (Help Net Security) The fact that sensitive data seems to increasingly follow a pattern of being leaked, lost or stolen, has forced security professionals to rethink how their organizations can keep their most valuable assets safe

Bivio Networks Provides Network Threat Visibility on Integrated Cyber Intelligence Platform for Department of Defense Exercise (Bivio) High-performance network security configuration featuring Symantec, Proofpoint and OISF software strengthens Joint Cyber Operations emphasis at JUICE 2015

Technologies, Techniques, and Standards

Underwriters Laboratories To Launch Cyber Security Certification Program (Dark Reading) Meanwhile, UL is also in discussion with the White House on its plans to foster standards for Internet of Things security

The best way to prevent data breaches? It's not what you think (Help Net Security) Data security breaches seem to be popping up almost daily. From the 2015 IRS breach, to the hacking of federal government employees' data by China, it's clear much of our most important data are at risk. Yet, one of the most obvious frontline defenses is often overlooked

Steer clear of low-tech hacks: How to keep your information safe (CNET) It doesn't take a coding genius to steal your Social Security number, but you can be smarter than identity thieves

Proxy Services Are Not Safe. Try These Alternatives (Wired) Millions of people across the world use free proxy services to bypass censorship filters, improve online security, and access websites that aren't available in their country. But an analysis has found those free services come at an unexpected cost for users: their privacy and security. Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek's research, just 21 percent of the tested proxies weren't "shady"

The Phases of a Data Breach: Detecting an Attack Before the Damage is Done (Legaltech News) A new report from security firm Vectra looks at the strategic phases of a cyberattack and what companies can do to shore up their defenses

Understanding the Threat Intelligence Lifecycle (Dark Matters) Everyone is interested in Threat Intelligence (TI). There is a race to the top of the mountain with regards to providing 'Intelligence' on the 'latest threats'; but, what does that really mean for information consumers?

SMS & Authentication: Security Concerns (InfoRisk Today) India's high mobile penetration has meant a widespread adoption of SMS as a channel for two-factor authentication. Unlike developed economies, where the cost of text-based notification services may be high, India's competitive and booming telecom sector has ensured that SMS is the preferred channel for mobile banking and one-time passwords — even in the pre-smartphone era

Design and Innovation

Verisart Plans To Use The Blockchain To Verify The Authenticity Of Artworks (TechCrunch) Verifying the authenticity of a fine art work has become almost the raison d'être of the art world itself. Without either, an art work can be entirely worthless. For instance, in this year's respected Hiscox Online Art Trade Report, "Certificates of Authenticity and Condition Reports" are the top two services people want when buying art and collectibles online. But with the rise of the Blockchain — a decentralised permanent ledger — verifying the truth of something has come within reach of just about anything

Inside the WhiteHat Aviator Web browser controversy (TechTarget) When they originally conceived Whitehat Security's Aviator Web browser, little did Robert "Rsnake" Hansen and his team know what they were getting into

Research and Development

Pre-Crime Startup BioCatch Authenticates Users Via Touch And Your Phone’s Accelerometer (TechCrunch) It's not often that I write about a startup being granted a patent. However, the latest successful filing from Israeli startup BioCatch caught my attention. Essentially it offers a way for app developers to authenticate users based on how they interact with their phone's touch screen and accelerometer

Internet, smartphones cause 'digital amnesia' (ITWeb) Consumers today remember far less than before, because of a growing reliance on the Internet and smartphones, according to research conducted by Kaspersky Lab

Academia

Hacker High: Why We Need to Teach Hacking in Schools (Tripwire: the State of Security) We're in the midst of a national cybersecurity crisis. Breaches, such as the ongoing OPM breach, are continuing at an alarming rate; organizations are building their security infrastructure, but are lacking staff. We need more skilled cybersecurity professionals, yet we don't have a consolidated plan for building the cybersecurity skills pipeline

Legislation, Policy, and Regulation

Digital India Raises Security Concerns (InfoRisk Today) On July 1, India's Prime Minister Narendra Modi launched 'Digital India,' to connect all gram panchayats by broadband internet, promote e-governance and transform India into a digital knowledge economy

Encryption, Public Safety, and "Going Dark" (Lawfare) I am worried we are talking past each other with respect to "Going Dark," so let me try to frame it in a way that I hope is fair-minded and provides a basis for healthy discussion

White House sprints to patch security flaws (The Hill) The White House is nearing the end of a 30-day "cyber sprint" aimed at plugging the most gaping holes in the government's network security

Hillary Clinton: China hacks 'everything that doesn't move' in the US (Naked Security) US presidential hopeful Hillary Clinton has accused China of state-sponsored hacking designed to steal both trade secrets and government information

Christie: Paul should be 'in front of hearings' if US is attacked (The Hill) New Jersey Gov. Chris Christie says Sen. Rand Paul (R-Ky.) will be responsible if the U.S. is ever again hit by a major terrorist attack

The private-sector focus of the Pentagon's annual cyber exercise (FCW) An annual cyber defense exercise held last month by the departments of Defense and Homeland Security and the FBI simulated a "whole-of-nation response" to attacks on critical infrastructure, with an emphasis on the private sector, where most of the potential targets reside

Military looks to private sector to build cyber mission force (Defense Systems) The U.S. is continuing to build its cyber force with hopes of eventually gaining over 6,000 civilian and military personnel and 133 teams. While not quite there yet, the military recently released a few proposals looking for help from the private sector in building its new force

Senate advances secret plan forcing Internet services to report terror activity (Ars Technica) Legislation modeled on 2008 law requiring Internet companies to report child porn

DHS IG: NPPD's lack of law enforcement authority could hinder internal criminal probes (FierceHomelandSecurity) The Homeland Security Department's watchdog said it has "serious questions" concerning the National Protection and Programs Directorate's authority to conduct criminal investigations, potentially hampering inquiries and prosecutions of employees accused of wrongdoing

NSA's XKeyscore collects router data, Skype conversations, webcam images (Naked Security) We've been thinking of the National Security Agency's (NSA's) XKeyscore search engine on the wrong scale

Pell Center Senior Fellow Appointed to State Cybersecurity Panel (Newport Patch) The new commission is tasked with developing a clear strategy to make Rhode Island more secure and resilient to cyber threats

Litigation, Investigation, and Law Enforcement

UK Student's Research a Wassenaar Casualty (Threatpost) U.S.-based security researchers may soon be championing the case of Grant Wilcox, a young U.K. university student whose work is one of the few publicly reported casualties of the Wassenaar Arrangement

Cyber Heist on Romanian Banks Thwarted (Softpedia) Crooks access sensitive info but fail to steal money

How to Deal with Reverse Domain Name Hijacking (Infosec Institute) The fact that one owns a trademark which is identical or confusingly similar to a domain name does not necessarily mean that she is entitled to that domain name. For example, under the Uniform Domain-Name Dispute-Resolution Policy (UDRP) managed by the Internet Corporation for Assigned Names and Numbers (ICANN), a trademark holder will also need to prove that the domain name owner: (1) has no rights or legitimate interests in respect of the domain name; and (2) registered and uses the domain name in bad faith. The term "bad faith" can be broadly defined as "intent to deceive"

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, July 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program.

National Cybersecurity Center of Excellence (NCCoE) Speaker Series: Janet Levesque, Chief Information Security Officer at RSA (Rockville, Maryland, USA, July 16, 2015) Traditional security models are failing. While the idea of a shift from prevention to detection has gained traction, most current approaches to detection rely heavily on the same techniques that have rendered...

TakeDownCon Rocket City (Huntsville, Alabama, USA, July 20 - 21, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their...

CyberMontgomery 2015 (Rockville, Maryland, USA, July 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen...

Career Discovery in Cyber Security: A Women's Symposium (New York, New York, USA, July 30, 2015) Our annual conference brings together some of the best minds in the industry, with the goal of guiding women with a talent and interest in cyber security into top-flight careers
