Anonymous claims to have breached the US Census Bureau, releasing US Government officials' personal information. (Not all affected officials are from the Census Bureau.) Opposition to the Trans-Pacific Partnership Agreement (TPP) and Transatlantic Trade and Investment Partnership (TTIP) motivated the hack, Anonymous tells HackRead. The collective's self-described representative also says getting in (by SQL injection) was "a piece of cake," and that this will "hurt a lot of people."
HP's TippingPoint announces four code-execution vulnerabilities it found affecting smartphones using Microsoft's Internet Explorer. TippingPoint disclosed these privately to Microsoft some months ago; its self-imposed embargo on public discussion expired over the past weekend. The bugs remain unpatched. Microsoft says it's monitoring the situation, and has observed no attacks in the wild.
More malicious apps are found in the Google Play Store.
As the US OPM restores access to its e-QUIP system (noting security enhancements and testing) bills to extend breach victims' support advance in Congress. Observers say (Fox News breathlessly reports) that the incident is much bigger than generally appreciated, and that its effects aren't fully contained. More calls for deterrence appear, some of which recognize the complex relationship between combat and intelligence collection. The inevitable scams persist: the Federal Trade Commission wants you to know they're not calling you about OPM; OPM warns against continued phishing.
In industry news, public and private cyber companies attract investors. Raytheon, unlike other big defense integrators, seems committed to the commercial cyber market.
Patching, vital to security, must, SANS warns, be done deliberately.
Today's issue includes events affecting China, France, Israel, Pakistan, Russia, United States.
Bug in OS X Yosemite allows attackers to gain root access (Help Net Security) Security researcher Stefan Esser has revealed the existence of a privilege escalation vulnerability affecting OS X 10.10 (Yosemite), and has provided a working proof of concept local exploit that installs a root shell on the target machine
Another Day, Another Patch (Team Cymru) FreeBSD users were treated this week to an interesting new denial of service attack vector. All supported versions of the OS are affected by the bug, which has now been patched. Junos OS, which is based on FreeBSD, is also affected. If you're a FreeBSD admin and you haven't patched, feel free to disappear now and do so. Don't worry, we'll be here when you're done
It's NOT the FTC calling about the OPM breach (FTC) If you're an OPM data breach victim, you probably know to look out for identity theft. But what about imposter scams? In the latest twist, imposters are pretending to be the FTC offering money to OPM data breach victims
Important message concerning Email Scams (USAJobs (Office of Personnel Management)) Please be advised that the USAJOBS system is not sending out email notifications asking users to revalidate account login information such as Username and Password by clicking a link within the email. Do not click on any links in the email. This is a phishing attempt to capture the USAJOBS user's login information. Any emails received on that subject should be deleted immediately
What You Need To Know About Ransomware and Exploit Kits (Cyveillance) After a brief lull, ransomware infections appear to be on the rise again. In June, there was a spike in Crypt-based infections, and security experts estimate one million systems have already been compromised
Catch Me If You Can: How APT Actors Are Moving Through Your Environment Unnoticed (TrendMicro: Simply Security) Companies that have experienced data breaches often wonder the same thing — "How were the hackers able to move through my environment for that long without being detected?" The average amount of dwell time during a data breach is 205 days, according to a report by Mandiant. Behind each breach there are one or more actors driving the campaign, and catching that person is becoming increasingly difficult
Chris Valasek on Car Hacking (Threatpost) Dennis Fisher talks with Chris Valasek of IOActive about the new research he did with Charlie Miller on remotely hacking a Jeep, how the disclosure process worked, what auto makers can do to secure their vehicles' on-board systems, and how much of a threat these attacks pose to drivers
Security Patches, Mitigations, and Software Updates
Cisco Releases Security Updates (US-CERT) Cisco has released security updates to address vulnerabilities in its Application Policy Infrastructure Controller, IOS software, and the Unified MeetingPlace Conferencing products. Exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access, cause a denial-of-service condition, or take control of the affected application
Several Critical Flaws Patched in Drupal Module (Threatpost) There are several critical vulnerabilities in a middleware layer used in Drupal, including both cross-site scripting and cross-site request forgery bugs, that can be exploited remotely
Too Much Innovation: The Cyber Challenge (Lifehacker) "Electronic warfare is the same as cyber. If you put it crudely, you basically shoot pulses at a system to take it out. In cyber, you shoot bits at the system to take it out". Peshin told us the cyber security market is very busy with a huge number of start ups and established companies pushing their cyber credentials. However, such a vibrant market has created a massive challenge for companies
Have Our Security Rock Stars Failed Us? (SecurityWeek) In almost any endeavor, success usually comes with additional responsibility. For example, a promotion into a management or executive position comes with the additional responsibilities associated with that position
The Chief Risk Officer: When a Triangle Becomes a Square (Willis Wire) The traditional shape for the apex of a pyramid is a triangle, right? Translate that into an organogram for any large organisation and you can be sure that the three corners will be occupied respectively by the Chief Executive, the Chief Financial Officer and the Chairman
Do CISOs deserve a seat at the leadership table? (Help Net Security) A ThreatTrack security survey of C-level executives at U.S. enterprises employing a CISO found that despite a rash of high-profile data breaches in the last year, many in the C-suite still fail to fully appreciate their CISO's contributions and view them primarily as scapegoats in the event of a data breach
Cybersecurity Is a Huge Risk; Fortinet Is Capitalizing on It (The Street) Last year saw a record number of cybersecurity attacks, with hackers stealing emails, financial data and personal information from firms including Target (TGT), Sony (SNE) and even the White House. Among those benefiting most from this unpleasant trend is Fortinet (FTNT), a cybersecurity firm that has seen its shares jump more than 75% over the past 12 months
Cybersecurity stocks rally on Fortinet's results/guidance (Seeking Alpha) As was the case 3 months ago, security tech plays are up strongly (HACK +3.6%) after Fortinet (FTNT +12%) beat estimates, reported strong billings, and delivered above-consensus top-line guidance. The Nasdaq is up 0.3%
Will Qualys, Inc. (NASDAQ:QLYS) Surprise this Quarter? (Investor Newswire) An earnings surprise occurs when a company reports earnings that differ from what analysts had expected. An earnings surprise in either a positive or negative direction can often result in significant stock price movement immediately after the earnings announcement, but can also have a long-term effect as well
Vupen Launches New Zero-Day Acquisition Firm Zerodium (Threatpost) In the weeks since the Hacking Team breach, the spotlight has shone squarely on the small and often shadowy companies that are in the business of buying and selling exploits and vulnerabilities. One such company, Netragard, this week decided to get out of that business after its dealings with Hacking Team were exposed. But now there's a new entrant in the field, Zerodium, and there are some familiar names behind it
Symantec is Already Planning for a Safer Cyber Monday (PYMNTS) While Cyber Monday is still months away, information protection company Symantec is challenging eCommerce retailers to make this year's annual online shopping event, which takes place on the Monday following Thanksgiving and Black Friday, the safest on record
Mac security software gets put to the test (IT Pro Portal) Not so long ago most Mac users would have told you that their systems didn't need any form of protection as they were inherently safe. But the world has become a more dangerous place, and last year the iWorm malware is thought to have recruited some 18,000 Macs into a botnet
WatchGuard visibility tools take fight to hackers (BDaily) WatchGuard has announced a variety of visibility and ease-of-use enhancements to its award-winning threat intelligence platform, WatchGuard Dimension®. This release also allows customers to preview several brand new network control features designed to make it possible for IT administrators to translate network visibility into immediate action
Akamai Identified as a Leader in DDoS Services by Independent Research Firm (MarketWatch) Akamai Technologies, Inc. (AKAM), the global leader in content delivery network (CDN) services, today announced the company has been identified by Forrester Research, Inc. as a Leader in The Forrester Wave™: DDoS Services Providers, Q3 2015. Akamai received the highest score in Market Presence and tied for the highest score in Strategy
Splunk Named a Leader in 2015 Gartner Magic Quadrant for SIEM (MarketWatch) Splunk Inc. (SPLK), provider of the leading software platform for real-time Operational Intelligence, today announced it has been named a leader in Gartner's 2015 Magic Quadrant for Security Information and Event Management (SIEM) for the third straight year
Patching in 2 days? - "tell him he's dreaming" (Internet Storm Center) With all the patching you have been doing lately I thought it would be opportune to have a look at what can and can't be done within two days. Why two days? Well, quite a few standards want you to, I guess that is one reason, but the more compelling reason is that it takes less and less time for attacks to be weaponised in the modern world. We have over the past year or so seen vulnerabilities released and within hours vulnerable systems are being identified and in many cases exploited. That is probably a more compelling reason than "the standard says to". Mind you, to be fair, the standard typically has it in there for that reason
The challenges of implementing tokenization in a medium-sized enterprise (Help Net Security) We have seen a concerning pattern in the recent data breaches, including the breach at the Internal Revenue Service (IRS) and other US government agencies, in that the primary target was Social Security Numbers (SSN) and other Personal Identifying Information (PII). Criminals typically started by stealing data from smaller, less protected organizations and then used that data to attack larger but better protected organizations
New Patent granted Keypasco in China (Scribd) The patented core technology with device authentication in a two-channel structure is already implemented in Keypasco products, which mitigates phishing, man-in-the-middle, man-in-the-browser, and more
Legislation, Policy, and Regulation
ISI Sought Sweeping Data Collection Tools: Report (Newsweek) Pakistani intelligence sought to tap worldwide Internet traffic via underwater cables that would have given the country a digital espionage capacity to rival the U.S., according to a report by Privacy International
France gets its own 'Patriot Act' in wake of 'Charlie Hebdo' attack (Engadget) Liberté, égalité, fraternité? Maybe strike the first one off that list. While some US lawmakers are trying to pare down the Patriot Act, the French constitutional court has just allowed police to monitor pretty much anyone they want without a warrant. The "Loi Renseignement," or Surveillance Act, was first proposed in the wake of the Charlie Hebdo shootings in Paris, and approved by legislators in May. It's now the law of the land, and Prime Minister Manuel Valls tweeted that "France now has a security framework against terrorism that respects liberties." However, many folks disagree with that sentiment, and France's constitutional court itself strongly opposed the lack of oversight
It's time to take cyberattacks seriously and install a deterrence plan (Washington Post) As a member of the House Select Committee on Intelligence, I am reminded every day that we live in a dangerous world. It is violent and chaotic, and it's becoming more so all the time. But among the many national security threats that we face, in no area are we more vulnerable, and do we face so great a destructive potential, than the cyber realm. Our power grid, banking system, energy pipelines, air traffic control and other critical systems all are at risk. The recent cyberattack on the Office of Personnel Management is a clear demonstration of our vulnerabilities
How the cyber domain blurs the lines on warfare (Defense Systems) U.S. leaders are still wrestling with the complicated questions of how best to respond to cyber attacks. For evidence, look no further than the breach of records at the Office of Personnel Management. Privately, officials say they're certain China was behind the hack. But publicly, it appears the United States will not point the finger at China or retaliate, primarily for two reasons: ongoing economic relations and the fear of revealing intelligence methods
OPM Says Background Check System Now Back Online After Security Tweaks (Nextgov) The Office of Personnel Management on Thursday afternoon announced it's beginning to restore access to an online system used to process background investigations. Officials had yanked the system offline last month after uncovering a vulnerability during a security review
Senate Panel Approves 10 Years of Protection Services for Hack Victims (Government Executive) A Senate panel on Thursday approved a measure to give current and former federal employees and contractors affected by the hack of data maintained by the Office of Personnel Management protection services for 10 years, more than three times longer than OPM originally offered
Cyber leadership void in Congress (The Hill) With August recess and the end of the fiscal year looming, congressional leaders say they are focused on cyber security. They are focused on the private sector as they work to collaborate on legislation, which would bolster information sharing between the government and corporations. They are focused on the executive branch as they review the results of the White House's 30-day "cybersecurity sprint." But to truly address our cybersecurity vulnerabilities Congress must turn its focus within
DoD's greatest challenge is defending from cyber attack (Lexington Institute via ECN) The Department of Defense is not merely dependent on networks; networks provide critical military advantage across virtually all warfighting domains. These networks are constantly changing, growing, reconfiguring. There are now more than 7 million devices connected on the DoD networks. There are multiple networks at different levels of classification, supporting individual Services, operating in different parts of the world
U.S. Postal Service Cyber Security Functions: Audit Report IT-AR-15-008 (Office of Inspector General, United States Postal Service) Cybersecurity is the body of processes, practices, and technology designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access. In November 2014, the U.S. Postal Service announced a significant cyber intrusion had occurred that compromised large amounts of data. This report addresses cybersecurity functions of the Postal Service at the time the intrusion was identified. Our objective was to determine whether the Postal Service's structure, operations, and resourcing of cybersecurity functions aligned with industry best practices to support the enterprise. We examined Corporate Information Security Office processes and other Postal Service cybersecurity functions
Drones and Spyware: The Bizarre Tale of a Brutal Kidnapping (Wired) The press called it the "Gone Girl" kidnapping. But the bizarre story of a former Marine and Harvard-trained lawyer who allegedly masterminded the abduction of a California woman is notable for more than the twists and misdirections that made it fodder for CNN. It's a rare kidnapping-for-ransom scheme that availed itself fully of the riches of the Internet age, providing a glimpse of a future where brutal, physical crime and its digital analog merge into one
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
Cyber Risk Wednesday: Rethinking Commercial Espionage (Atlantic Council: Brent Scowcroft Center on International Security, July 29, 2015) Join the Atlantic Council's Cyber Statecraft Initiative on July 29 from 4:00 p.m. to 5:30 p.m. for a discussion on new ideas on commercial cyber espionage and intellectual property theft
CyberMontgomery 2015 (Rockville, Maryland, USA, July 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen...
PragueCrunch IV: The Enpraguening (Prague, Czech Republic, July 31, 2015) Here it comes, Central Europe: PragueCrunch IV! This annual celebration of all things startup is coming to your town on Friday, July 31, 2015 from 7:00 PM to 11:00 PM (CEST). We'll be holding the event...
Black Hat USA (Las Vegas, Nevada, USA, August 1 - 6, 2015) Black Hat — built by and for the global InfoSec community — returns to Las Vegas for its 18th year. This six day event begins with four days of intense Trainings for security practitioners...
ISSA CISO Forum: Third Party Oversight (Las Vegas, Nevada, USA, August 2 - 3, 2015) The CISO Executive Forum is a peer-to-peer event. The unique strength of this event is that members can feel free to share concerns, successes, and feedback in a peer only environment. Membership is by...
BSides Las Vegas (Las Vegas, Nevada, USA, August 4 - 5, 2015) BSides Las Vegas is an Information/Security conference that's different. We're a 100% volunteer organized event, put on by and for the community, and we truly strive to keep information free. There is...
Defcon 23 (Las Vegas, Nevada, USA, August 4 - 7, 2015) DEF CON has been a part of the hacker community for over two decades. See the organization's website for more information
USENIX Security (Washington, D.C., USA, August 12 - 14, 2015) The USENIX Security Symposium reunites researchers, practitioners, system administrators, system programmers, and other specialists interested in the latest advances in the security and privacy of computer...
5th Annual Cyber Security Training & Technology Forum (CSTTF) (Colorado Springs, Colorado, USA, August 19 - 20, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter and FBC, Inc. will once again co-host the 5th Annual Cyber Security Training & Technology Forum (CSTTF). CSTTF 2015 will bring...
Decepticon 2015 (Cambridge, England, UK, August 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines,...
AFCEA OKC Technology & Cyber Security Day (Oklahoma City, Oklahoma, USA, August 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker...
Power Grid Cyber Security Exchange 2015 (San Diego, California, USA, August 30 - September 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology...
2015 HTCIA International Conference & Training Expo (Orlando, Florida, USA, August 30 - September 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015 (Vancouver, British Columbia, Canada, August 31 - September 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire...