Issues with Android's Stagefright media playback engine, reported yesterday by Zimperium researchers, lead today's news. The Stagefright vulnerability is being called "Heartbleed for Mobile," and could be exploited via MMS requiring no user interaction. The basic problem is said to be Stagefright's "overprivileged" status. Both Silent Circle and Mozilla have patched their Android platforms; Google is expected to push out a fix soon. But in the meantime, see early notes on device protection from LIFARS and Sophos.
A vulnerability in Apple's App Store and iTunes is also reported (by researchers at Vulnerability Lab). Apple has issued a patch.
Symantec publishes a comprehensive report on the "Black Vine" cyberespionage group, watering-hole specialists implicated in the Anthem breach (and several other intrusions at energy, healthcare, and aerospace companies). Symantec connects Black Vine to the Beijing-based IT-security organization Topsec.
PHP File Manager seems "riddled with vulnerabilities," including a backdoor.
Cyphort reports an upsurge in malvertising infections.
New phishing campaigns are targeting Google Drive users, some with persuasive spoofing, reports Elastica.
New York magazine, hacked by some guy who seems to dislike the Big Apple, gets applauded for the resiliency of its response, much enabled by its social media presence.
The diverse vulnerabilities disclosed this week might prompt some reflection on how to handle such discoveries. Contrast Arbor Networks (more mainstream) commentary with Zerodium's (a minority, if arguably defensible, view). Also consider recent disclosures in the light of proposed Wassenaar implementation.
Companies face increasing data breach liability; insurers seek surrogates for historical actuarial data.
Today's issue includes events affecting Australia, China, Israel, Pakistan, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
Android Stagefright Flaws Put 950 Million Devices at Risk (Threatpost) Vulnerabilities discovered in the Stagefright media playback engine that is native to Android devices could be the mobile world's equivalent to Heartbleed. Almost all Android devices contain the security and implementation issues in question; unpatched devices are at risk from straightforward attacks against specific users that put their privacy, data and safety at risk
Simple Android Hack Leaves 95% of Devices Vulnerable (LIFARS Blog) Researchers have discovered a critical vulnerability that may affect nearly all Android devices including phones and tablets. The vulnerability in the Android operating system could potentially allow the attacker to take complete control of the phone
The Black Vine cyberespionage group(Symantec) Black Vine has been actively conducting cyberespionage campaigns since 2012 and has been targeting several industries, including aerospace, energy, and healthcare
Points for consistency, but not for originality(Adaptive Mobile Blog) The use of over-the-top (OTT) messaging services has grown exponentially over the past few years. New data from mobile research specialists, Juniper Research, has found that the overall messaging market will fall in value by $600 million by 2019, while mobile and online messaging traffic will reach 160 trillion per annum by 2019, up from 94.2 trillion this year. Within Ireland alone, over 43% of smartphone owners use OTT applications to connect with friends and family — including Skype, WhatsApp, Viber and Facebook Messenger. Yet while this growth is significant, with it comes an increase in reported cases of spam messages
Over 5,000 mobile apps found performing in-app ad fraud(Help Net Security) Of the $20 billion projected to be spent by advertisers on mobile advertising in 2015, $1 billion will effectively be lost due to in-app ad fraud, warns ad fraud detection and prevention company Forensiq
The state of cyber hacking into cars(BMW Blog) Imagine driving down the highway at 70 mph and then suddenly losing control of certain functions one by one. First, it starts out as the
Is Your Car Broadcasting Too Much Information? (TrendLabs Security Intelligence Blog) Car hacking is a reality the general public will have to deal with. Nothing can be as intrusive and dangerous as strangers taking over your car while you are driving it. Last week, Valasek and Miller's digital car-jacking stunt using 3G connectivity on a Jeep Cherokee's infotainment system illustrated how life-threatening this situation can get. The discovery of the bug has since led to the recall of 1.4 million vehicles. A similar hack — but off-road this time — was also demonstrated a few days after, but this time via digital audio broadcasting (DAB) radio signals
A data security guy's musings on the OPM data breach train wreck(Help Net Security) Despite all the media attention to breaches, there is still way too much apathy when it comes to data-centric security. Given the sensitive data the OPM was tasked with protecting, it should have had state-of-the-art data protection, but instead it has become the poster child for IT security neglect. While its dismal security posture is unjustifiable, the people and process challenges that hindered the implementation of appropriate security measures are pervasive
This Website Will Steal Your Photos and Then Hack Your Computer (Fstoppers) The website WallPart (intentionally not linked to) claims to be "the world's largest online shop of posters…with over 10 billion images." What they do not tell you is that their database is filled with stolen and copyrighted images from photographers around the world. If this wasn't bad enough, the Poster Shop might actually be using these images to spam photographers who use their copyright takedown form in what might be the most diabolical phishing scam of all time
Security Patches, Mitigations, and Software Updates
iTunes and AppStore remote exploit fixed by Apple(Naked Security) A serious remote vulnerability has been uncovered in Apple's AppStore and iTunes web applications that posed "a significant risk to buyers, sellers or Apple website managers/developers"
Subject: Radio Software Security Vulnerabilities(National Highway Traffic Safety Administration (letter)) This letter serves to acknowledge Chrysler (FCA US LLC)'s notification to the National Highway Traffic Safety Administration (NHTSA) of a safety recall which will be conducted pursuant to Federal law for the product(s) listed below. Please review the following information to ensure that it conforms to your records as this information is being made available to the public. If the information does not agree with your records, please contact us immediately to discuss your concerns
Balancing The Internet of Things (IoT) In The Supply Chain (Forbes) Imagine a world in which you know not only where your cargo is, but whether it's still at the right temperature, whether it was dropped, whether the truck driver braked hard or got stuck in traffic, and exactly who handled it and when. That's the world of the Internet of Things (IoT), and it's here now: providing deep insights and actionable information that boosts efficiency, improves safety and fuels the supply chain. But it also increases risk. According to the World Economic Forum's "Global Risks 2015" report, with the IoT, "There are more devices to secure against hackers, and bigger downsides from failure"
Most employees don't understand the value of data(Help Net Security) New research from Fujitsu has revealed that only 7% of employees rate their business data higher than their personal information. The results highlight how employees don't understand the value of data with over half (52%) of employees admitting that they value their own data more than their work data. In addition, 43% of employees either somewhat or completely agree that they have no idea of the value of business data
Why Cybersecurity Is So Difficult to Get Right(Harvard Business Review) It seems like hardly a week goes by without news of a data breach at yet another company. And it seems more and more common for breaches to break records in the amount of information stolen. If you're a company trying to secure your data, where do you start? What should you think about? To answer these questions, I talked to Marc van Zadelhoff, VP of IBM Security, about the current state of cybersecurity and the Ponemon Institute's 2015 study of cybersecurity around the world, which IBM sponsored
Cyber Claims Landscape: Companies Face Increasing Data Breach Liability(Willis Wire) The cyber risk landscape is rapidly evolving. Governments are facing an unprecedented level of cyber attacks and threats with the potential to undermine national security and critical infrastructure. Similarly, businesses across a wide range of industry sectors are exposed to potentially enormous physical losses as well as liabilities and costs as a result of cyber attacks and data breaches
The View from Davos: Bootstrapping a Cyber Insurance Market(CyVaR Blog) What's your risk? The World Economic Forum has been thinking about the implications of the Internet for the global economy ("a hyperconnected world") and in particular how cyber risks should be managed. Its studies ratify what's become the conventional wisdom — traditional network perimeter defenses are a dead-end, closed off by the unmanageable connectivity of BYOD practices and the Internet of Things — and counsel instead that the proper aim of cyber security is resilience, the ability to operate successfully even while under cyber attack
FireEye Growing But Burning Through Cash(Seeking Alpha) FireEye experienced a solid first quarter to start 2015. The relatively new company is still struggling with cash flows, but strong demand for FireEye's services provides potential for a bright future. Let's take a look at FireEye's recent performance and derive a fair value estimate for shares
The Reasoning Behind Massive Backing for Darktrace(Inside Bitcoins) Darktrace, a cyber security company, backed by Mike Lynch, was recently valued at an estimated 100 million dollars. This was surprising to many as the company has been open for a mere two years, yet it is working with big companies such as Virgin Trains. The reasoning behind Darktrace's success is a mystery to many. However, there is a safe and sound reasoning to the company's success, but first, perhaps we need a little backstory on the creation of Darktrace. Surprisingly, it was created at the University of Cambridge due to their research in the field of Mathematics. Since the moment the algorithm was seen by Andy France, former head of defense at Britain's cyber security agency GCHQ, he quit the agency to be at the helm of the company's development. Now, Darktrace is filled with analysts who used to work for NASA or the GCHQ. This was the first step in defining the success Darktrace would soon receive
EY Announces iSIGHT Partners CEO John Watters as EY Entrepreneur Of The Year® 2015 Award Winner in the Southwest(Digital Journal) EY today announced that John Watters, CEO of iSIGHT Partners, the leading provider of cyber threat intelligence for global enterprises, received the EY Entrepreneur Of The Year® 2015 Award in the Services category in the Southwest region. The award recognizes outstanding entrepreneurs who demonstrate excellence and extraordinary success in such areas as innovation, financial performance and personal commitment to their businesses and communities. John Watters was selected by an independent panel of judges and the award was presented at a special gala event on June 27, 2015
SentinelOne Launches First Certified Enterprise Anti-Virus Replacement and Next Generation Endpoint Protection Platform (SentinelOne) SentinelOne today announced SentinelOne EPP (Endpoint Protection Platform), the first and only AV-TEST certified next generation endpoint security solution that combines prevention, detection, mitigation, remediation and forensic capabilities for Windows, OS X and Android devices. AV-TEST, a leading independent anti-virus research institute, has awarded SentinelOne EPP the Approved Corporate Endpoint Protection certification which validates its effectiveness for detecting both advanced malware and blocking known threats. SentinelOne now enables enterprises to replace their existing corporate AV suites and still meet compliance requirements
Dmail promises self-destructing Gmail messages(Naked Security) Google recently promoted its little-known "Undo Send" option for Gmail users: a feature that buys us up to 30 seconds in which we can stop the delivery of whatever e-embarrassment we concocted from escaping into the wild
ESET: How your business can recover from a hack(IT Brief) Recent high-profile data breaches at the US Office of Personnel Management (OPM), Adult Friend Finder and the European Parliament illustrate criminals' insatiable appetite for data and financial reward
Re-Imagining Breach Defense(InfoRiskToday) Many enterprises believe that they have done everything right, and yet still they are hacked. What more needs to be done to protect against data breaches? Where are the security shortcomings?
Design and Innovation
Beyond the Basics of ICS Security — Getting It Right From the Start(Tripwire: the State of Security) The Internet of Things is gradually but very surely creeping in to impact every sphere of modern life. And that goes as much for people as for business, as much for new industries as for incumbent sectors. This network of physical objects has the ability to play havoc with security and is significantly increasing the challenge of securing Industrial Control Systems (ICSs). Threats to ICSs for players in the utilities, energy and nuclear sectors can have life-threatening consequences
Delaware's Cybersecurity Elite Complete Week-long Boot Camp (US Cyber Challenge) U.S. Cyber Challenge (USCC) is proud to announce the winners of the 6th Annual Delaware Cyber Camp competition. Following a week of intensive classroom instruction on a variety of cybersecurity topics, over 60 participants competed in the camp's final activity, the "Capture the Flag" (CTF) competition that took place last Friday morning, July 24th at Delaware Technical Community College in Dover. Those who came out on top and won the competition include Alyssia Bates, Jon Butler, Rauni Kangas and Tim Plimpton
Cyber Conflict in DOD's Law of War Manual(Just Security) Law of cyber warfare practitioners surely breathed a sigh of relief when they found that only 15 of the 1,176 pages in DOD's new Law of War Manual addressed cyber warfare. DOD appears to have concluded that the law in this area is still developing (or, perhaps, not developing), and that trying to capture it precisely would lead to the creation of a chapter that would soon be irrelevant. As a result, the cyber warfare chapter sticks broadly to the application of the principles of the law of armed conflict to cyber warfare — although it "inconveniently" introduces a new legal concept that seems inconsistent with other sections of the manual
Statement by the ODNI on Retention of Data Collected Under Section 215 of the USA PATRIOT Act(IC on the Record) On June 29, 2015, the Foreign Intelligence Surveillance Court approved the Government's application to resume the Section 215 bulk telephony metadata program pursuant to the USA FREEDOM Act's 180-day transition provision. As part of our effort to transition to the new authority, we have evaluated whether NSA should maintain access to the historical metadata after the conclusion of that 180-day period
Litigation, Investigation, and Law Enforcement
The insider data hack: A legal perspective(IT Pro Portal) Data security is a critical risk area for businesses of all sizes. Yet one aspect of a company's data security strategy that is often considered in less detail is the threat posed by employees — the insider threat
Cyber insecurity: Hacking back(Financial Times) Companies are seeking to use more aggressive tactics to neutralise hackers. But the law limits how far active defence can go
The Wheels of Justice Turn Slowly (KrebsOnSecurity) On the evening of March 14, 2013, a heavily-armed police force surrounded my home in Annandale, Va., after responding to a phony hostage situation that someone had alerted authorities to at our address. I've recently received a notice from the U.S. Justice Department stating that one of the individuals involved in that "swatting" incident had pleaded guilty to a felony conspiracy charge
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
3rd Annual Psyber Behavioral Analysis Symposium(Fort Meade, Maryland, USA, August 11, 2015) The 3rd Annual Psyber Behavioral Analysis Symposium is hosted by the NSA/CSS Threat Operations Center and the FBI Behavioral Analysis Unit-2/Cyber Behavioral Analysis Center. The goal of the Symposium...
Intelligence and National Security Summit(Washington, DC, USA, September 9 - 10, 2015) AFCEA International (AFCEA) and the Intelligence and National Security Alliance (INSA) are pleased to host the second Intelligence and National Security Summit to provide the platform for this essential...
Cybersecurity Innovation Forum(Washington, DC, USA, September 9 - 11, 2015) The 2015 Cybersecurity Innovation Forum is a three-day event hosted by the National Institute of Standards and Technology, and planned with the National Security Agency, and the Department of Homeland...
Cyber Risk Wednesday: Rethinking Commercial Espionage(Atlantic Council: Brent Scowcroft Center on International Security, July 29, 2015) Join the Atlantic Council's Cyber Statecraft Initiative on July 29 from 4:00 p.m. to 5:30 p.m. for a discussion on new ideas on commercial cyber espionage and intellectual property theft
CyberMontgomery 2015(Rockville, Maryland, USA, July 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen...
PragueCrunch IV: The Enpraguening(Prague, Czech Republic, July 31, 2015) Here it comes, Central Europe: PragueCrunch IV! This annual celebration of all things startup is coming to your town on Friday, July 31, 2015 from 7:00 PM to 11:00 PM (CEST). We'll be holding the event...
Black Hat USA (Las Vegas, Nevada, USA, August 1 - 6, 2015) Black Hat — built by and for the global InfoSec community — returns to Las Vegas for its 18th year. This six-day event begins with four days of intense Trainings for security practitioners...
ISSA CISO Forum: Third Party Oversight(Las Vegas, Nevada, USA, August 2 - 3, 2015) The CISO Executive Forum is a peer-to-peer event. The unique strength of this event is that members can feel free to share concerns, successes, and feedback in a peer only environment. Membership is by...
BSides Las Vegas(Las Vegas, Nevada, USA, August 4 - 5, 2015) BSides Las Vegas is an Information/Security conference that's different. We're a 100% volunteer organized event, put on by and for the community, and we truly strive to keep information free. There is...
Defcon 23(Las Vegas, Nevada, USA, August 4 - 7, 2015) DEF CON has been a part of the hacker community for over two decades. See the organization's website for more information
USENIX Security (Washington, D.C., USA, August 12 - 14, 2015) The USENIX Security Symposium reunites researchers, practitioners, system administrators, system programmers, and other specialists interested in the latest advances in the security and privacy of computer...
5th Annual Cyber Security Training & Technology Forum (CSTTF)(Colorado Springs, Colorado, USA, August 19 - 20, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter and FBC, Inc. will once again co-host the 5th Annual Cyber Security Training & Technology Forum (CSTTF). CSTTF 2015 will bring...
Decepticon 2015(Cambridge, England, UK, August 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines,...
AFCEA OKC Technology & Cyber Security Day(Oklahoma City, Oklahoma, USA, August 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker...
Power Grid Cyber Security Exchange 2015(San Diego, California, USA, August 30 - September 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology...
2015 HTCIA International Conference & Training Expo(Orlando, Florida, USA, August 30 - September 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015(Vancouver, British Columbia, Canada, August 31 - September 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire...