Observers continue to pick through the files pulled from recently doxed Hacking Team, reading customer lists (which appear to confirm longstanding views of the company's business), pricing, emails, etc. The same hacker ("PhineasFisher") who claimed responsibility for last year's breach at Gamma International tells Motherboard he (or she) is also behind this one.
Among the lessons and observations being drawn from the leaks are two obvious ones that bear repeating: (1) use strong passwords (not, e.g., "P4ssword") and (2) offensive cyber tools are effectively indistinguishable from defensive ones (if for no other reason than the role they play in testing and vulnerability research). Control of such tools is a tough problem, as may be seen in the case of a University of Northumbria student dissertation, apparently redacted (says Threatpost) in the name of Wassenaar compliance.
Russian cyber operations appear to continue in the hybrid war against Ukraine.
MalwareMustDie reports finding a KINS malware builder being distributed in the underground, and predicts a surge in KINS Trojan infestations.
Team GhostShell's self-described community-spirited (but obviously unwelcome) hacks of universities reach several institutions in Hong Kong.
US state and Federal authorities investigate hacks of New Jersey online casinos.
Several sources warn enterprises to expect a major patch of OpenSSL this Thursday.
Mozilla patches Firefox.
Not-for-profits are warned of the risks their collection of personally identifiable information poses. Some such collection is probably inevitable, but it exposes them, their donors, and their clients to cyber risk.
FBI Director Comey calls for debate over strong encryption.
Today's issue includes events affecting Azerbaijan, Bahrain, China, Ethiopia, Israel, Italy, Kazakhstan, Romania, Russia, Saudi Arabia, Sudan, Ukraine, United Arab Emirates, United States, and Uzbekistan.
Leaked Emails: How Hacking Team And US Government Want To Break Web Encryption Together (Forbes) Get ready America: one of the most notorious surveillance providers on the planet, Hacking Team, is expanding in earnest on US shores. And, if it hasn't collapsed as a result of a hugely embarrassing attack on its servers, the likes of the FBI, Drug Enforcement Agency and a slew of other US government departments will welcome the controversial company with open arms as they seek to break common encryption across mobiles and desktops
The FBI Spent $775K on Hacking Team's Spy Tools Since 2011 (Wired) The FBI is one of the clients who bought hacking software from the private Italian spying agency Hacking Team, which was itself the victim of a recent hack. It's long been suspected that the FBI used Hacking Team's tools, but with the publication yesterday of internal documents, invoices, emails and even product source code from the company, we now have the first concrete evidence that this is true
Hacking Team's Dingy Laundry Hung Out Online (E-Commerce Times) Fireworks of a different kind rocked the security world this Fourth of July weekend, when news surfaced that hackers breached Hacking Team, an Italy-based firm that develops malware for sale to governments and law enforcement. The attackers exposed 400 GB of data stolen from its servers, including sales records, according to reports
U.S. Hired Dictators' Favorite Hackers (Daily Beast) New documents reveal that a firm that helps authoritarian governments like Russia and Saudi Arabia is also connected to the U.S. military's burgeoning cyber warfare apparatus
Unpatched Flash Player Flaws, More POCs Found in Hacking Team Leak (TrendLabs Security Intelligence Blog) Earlier this week the Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public. The company was known for selling what it described as tools used to lawfully intercept communications that could be used by governments and law enforcement agencies. The company has stated they do not do business with oppressive countries in the past
Hacking Team Couldn't Hack Your iPhone (Threatpost) More than 36 hours after the huge cache of data from Hacking Team's corporate network was dumped online, researchers are continuing to find surprising bits and pieces in the documents. Among them is evidence that the company had an enterprise developer certificate from Apple, allowing it to develop internal apps, but could not get its malware onto iOS devices
Six Degrees Of 3rd Party Risk From Russian Cyber Ops (HS Today) Six degrees of separation is a theory that everyone in the world is six, or fewer steps, from any other person in the world. This theory was popularized through Kevin Bacon, who has been in so many movies, that it's believed he can be linked to any actor in a maximum of six links
New "Porn Droid" ransomware hits Android (Cybersecurity Place) Researchers at ZScaler have discovered a new variation of the "Porn Droid" ransomware that affects Android devices. Once the device is infected, the malware sends the user a message, apparently from the FBI, accusing the user of watching child pornography. It then demands a $500 ransom to restore the device to normal. Infection: After masquerading as a Google patch update, the malware then asks for a number of powerful permissions including "Erase all data" and "set storage encryption"
Cyber-attack hits N.J. gambling sites (NJ.com) State and federal authorities are investigating a cyber-attack on four Atlantic City online casino gaming sites, which were apparently targeted by a hacker who promised more disruption unless a ransom was paid in Bitcoin, officials said today
The Rise Of Social Media Botnets (Dark Reading) In the social Internet, building a legion of interconnected bots — all accessible from a single computer — is quicker and easier than ever before
Malware as a service — cyber crime's new industry (IT Pro Portal) Organised criminal gangs (OCGs) are increasingly using software services of the type more usually associated with legitimate corporations to grow their operations. By offering 'malware as a service', OCGs are employing business models similar to those developed by legitimate companies in order to extend their global reach
Security Patches, Mitigations, and Software Updates
Cyber War Is Hell (eSecurity Planet) Think cyber war is bad now? It is only going to get worse — much worse — says security expert Bruce Schneier
IoT Flaw Discoveries Not Impactful — Yet (Dark Reading) As flaws announced at Black Hat USA and elsewhere highlight IoT weaknesses, the impact of these vulns still remains low in the face of vast distribution. But that could change with market consolidation
Data Privacy Risks And Cyber Liability: The digital age is filled with 404 Errors and plenty of theft (NonProfit Times) Managers at nonprofits across the U.S. collect and store — in filing cabinets, networked servers and in rented "cloud" space — vast amounts of personal information. And despite the increasing frequency of data breaches affecting public, private and nonprofit organizations, most nonprofit leaders admit knowing too little about the risks and consequences of failing to adequately protect personal information collected from employees, volunteers, clients and donors
Data-centric security with RightsWATCH (Help Net Security) The fact that sensitive data seems to increasingly follow a pattern of being leaked, lost or stolen, has forced security professionals to rethink how their organizations can keep their most valuable assets safe
The best way to prevent data breaches? It's not what you think (Help Net Security) Data security breaches seem to be popping up almost daily. From the 2015 IRS breach, to the hacking of federal government employees' data by China, it's clear much of our most important data are at risk. Yet, one of the most obvious frontline defenses is often overlooked
Proxy Services Are Not Safe. Try These Alternatives (Wired) Millions of people across the world use free proxy services to bypass censorship filters, improve online security, and access websites that aren't available in their country. But an analysis has found those free services come at an unexpected cost for users: their privacy and security. Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek's research, just 21 percent of the tested proxies weren't "shady"
Understanding the Threat Intelligence Lifecycle (Dark Matters) Everyone is interested in Threat Intelligence (TI). There is a race to the top of the mountain with regards to providing 'Intelligence' on the 'latest threats'; but, what does that really mean for information consumers?
SMS & Authentication: Security Concerns (InfoRisk Today) India's high mobile penetration has meant a widespread adoption of SMS as a channel for two-factor authentication. Unlike developed economies, where the cost of text-based notification services may be high, India's competitive and booming telecom sector has ensured that SMS is the preferred channel for mobile banking and one-time passwords — even in the pre-smartphone era
Design and Innovation
Verisart Plans To Use The Blockchain To Verify The Authenticity Of Artworks (TechCrunch) Verifying the authenticity of a fine art work has become almost the raison d'être of the art world itself. Without either, an art work can be entirely worthless. For instance, in this year's respected Hiscox Online Art Trade Report, "Certificates of Authenticity and Condition Reports" are the top two services people want when buying art and collectibles online. But with the rise of the Blockchain — a decentralised permanent ledger — verifying the truth of something has come within reach of just about anything
Hacker High: Why We Need to Teach Hacking in Schools (Tripwire: the State of Security) We're in the midst of a national cybersecurity crisis. Breaches, such as the ongoing OPM breach, are continuing at an alarming rate; organizations are building their security infrastructure, but are lacking staff. We need more skilled cybersecurity professionals, yet we don't have a consolidated plan for building the cybersecurity skills pipeline
Legislation, Policy, and Regulation
Digital India Raises Security Concerns (InfoRisk Today) On July 1, India's Prime Minister Narendra Modi launched 'Digital India,' to connect all gram panchayats by broadband internet, promote e-governance and transform India into a digital knowledge economy
Encryption, Public Safety, and "Going Dark" (Lawfare) I am worried we are talking past each other with respect to "Going Dark," so let me try to frame it in a way that I hope is fair-minded and provides a basis for healthy discussion
The private-sector focus of the Pentagon's annual cyber exercise (FCW) An annual cyber defense exercise held last month by the departments of Defense and Homeland Security and the FBI simulated a "whole-of-nation response" to attacks on critical infrastructure, with an emphasis on the private sector, where most of the potential targets reside
Military looks to private sector to build cyber mission force (Defense Systems) The U.S. is continuing to build its cyber force with hopes of eventually gaining over 6,000 civilian and military personnel and 133 teams. While not quite there yet, the military recently released a few proposals looking for help from the private sector in building its new force
UK Student's Research a Wassenaar Casualty (Threatpost) U.S.-based security researchers may soon be championing the case of Grant Wilcox, a young U.K. university student whose work is one of the few publicly reported casualties of the Wassenaar Arrangement
How to Deal with Reverse Domain Name Hijacking (Infosec Institute) The fact that one owns a trademark which is identical or confusingly similar to a domain name does not necessarily mean that she is entitled to that domain name. For example, under the Uniform Domain-Name Dispute-Resolution Policy (UDRP) managed by the Internet Corporation for Assigned Names and Numbers (ICANN), a trademark holder will also need to prove that the domain name owner: (1) has no rights or legitimate interests in respect of the domain name; and (2) registered and uses the domain name in bad faith. The term "bad faith" can be broadly defined as "intent to deceive"
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, July 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program.
TakeDownCon Rocket City (Huntsville, Alabama, USA, July 20 - 21, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their...
CyberMontgomery 2015 (Rockville, Maryland, USA, July 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen...