Daily briefing.

Earlier reports that US Federal employee data stolen from the Office of Personnel Management (OPM) have shown up for sale on the black market appear to be quite false. KrebsOnSecurity's investigation suggests that the data being traded by criminals appears to have come from a different agency: Federal Prison Industries (that is, Unicor.gov). The AP notes the absence of OPM data from the black market (for now — it's unwise to expect them to stay out of criminal hands indefinitely) as further evidence that the breach is the work of an intelligence service as opposed to crooks. That would also account for the relatively muted US diplomatic response: the Americans have long distinguished legitimate intelligence collection from industrial espionage. The OPM hack strikes many as the former; thus outrage is directed against OPM, not the Chinese government.

A side note on industrial espionage: many see the St. Louis Cardinals' (alleged, low-grade) hack of the Houston Astros as indicating widespread corporate hacking of competitors. Others are less sure: US professional sports are different, and have a signal-stealing tradition.

Wikileaks, dumping 276,394 stolen documents, reminds us that Sony Pictures was hacked last year.

Repeat-offending skid "Mufasa," who'd earlier said he'd hacked Australia's iiNet ISP, hacks US pharmaceutical company Akorn "to teach them a security lesson," a motive belied by his offering the stolen data for sale to the highest bidder.

Interesting discussions of OS X and iOS vulnerabilities, as well as accounts of SAP static encryption issues.

The US Treasury Department sees an ISIS-Bitcoin-social-media nexus.

A note to our readers: the CyberWire will be covering SINET's Innovation Summit in New York next week. We'll live-tweet the proceedings and devote at least one special issue to the conference.

Notes.

Today's issue includes events affecting Australia, China, France, Germany, Netherlands, Romania, Russia, Turkey, Ukraine, United Kingdom, United States, and Vietnam.

Cyber Attacks, Threats, and Vulnerabilities

OPM's Database for Sale? Nope, It Came from Another US .Gov (KrebsOnSecurity) A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne'er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known as Federal Prison Industries

U.S. wonders: Why stolen data on federal workers not for sale? (AP via the Military Times) The Obama administration is increasingly confident that China's government, not criminal hackers, was responsible for the extraordinary theft of personal information of as many as 14 million current and former federal employees and others, The Associated Press has learned. One sign: None of the data has been credibly offered for sale on underground markets popular among professional identity thieves

China cyber attack stole data dating back 25 years, may have impacted military and intelligence officials (World Tribune) China's recent hacking of the U.S. Office of Personnel Management (OPM) included millions of personnel files that go back at least 25 years

Could OPM have prevented the breach? (Federal Times) No, probably not. There were a number of failures on the part of the Office of Personnel Management that allowed hackers to steal the personal information on millions of current and former federal employees. But it is unlikely the agency would have been able to prevent the breach entirely

WikiLeaks dumps 276,000 more documents from Sony hack (Phys.org) WikiLeaks on Thursday released 276,394 new documents from the hack of Sony Pictures in what could be a further embarrassment for the Japanese media and electronics group

Akorn Inc. has customer database stolen, records offered to highest bidder (CSO) Hacker responsible says they compromised the company to teach them a lesson in security

Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth (Privacy Online News) Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to "we can do that"

Hotword behaviour in chromium v43 (binary blob download) (Chromium) Thanks for bringing this issue to our attention. I have been following this on Hacker news [1] and the Debian bug tracker [2]. I'd like to clear up a couple of misconceptions

So Long, and Thanks for All the Domains (SWITCH Security Blog) While Trojans like Dyre and Dridex are dominating malware-related news, we take the time to have a closer look at Tinba (Tiny Banker, Zusy, Illi), yet another Trojan which targets Windows users. In the first part of this post, we give a short historical review, followed by hints about how to detect (and remove) this threat on an infected system. In the second part, we have a look at a portion of the Trojan's code which enhances its communication resilience, and how we can leverage these properties for defensive purposes

Favicon Bug Can Crash Chrome, Firefox and Safari (Softpedia) Don't use 10GB files as your website's favicon

New Apple iOS, OS X Flaws Pose Serious Risk (Dark Reading) Security vulnerabilities could expose passwords for Apple iCloud, email, and bank accounts, and other sensitive information, researchers say

OS X and iOS Unauthorized Cross Application Resource Access (XARA) (Internet Storm Center) The last couple of days, a paper with details about XARA vulnerabilities in OS X and iOS is getting a lot of attention [1]. If you haven't seen the term "XARA" before, then this is probably because cross-application resource access was normal in the past. Different applications had access to each other's data as long as the same user ran them. But more recently, operating systems like OS X and iOS made attempts to "sandbox" applications and isolate applications from each other even if the same user is running them

Unpatchable Android? (Trend Micro: Simply Security) There's another vulnerability affecting the Android platform that this week once again raises the question: am I vulnerable?

How to hack into an email account, just by knowing your victim's mobile number (Graham Cluley) Symantec has issued a warning about what appears to be a successful scam being perpetrated against users of webmail services such as Gmail, Outlook and Yahoo

Of Non-Nexus Devices and the Android Security Rewards Program (Threatpost) Google's decision to limit its Android Security Rewards program to newer Nexus devices clearly puts the Google phones on the top tier of secure mobile devices

Exclusive — Voidsec disclosed a number of flaws affecting Minds.com Platform (Security Affairs) Security experts at Voidsec have analyzed the popular social network minds.com, disclosing a number of security vulnerabilities

The Swine Flu Wants to Infect Your PC (SenseCy) Russian underground forums often serve as a marketplace for talented coders of sophisticated malware who develop attack tools to target the financial industry

Researchers Disclose SAP Default Encryption Key Vulnerabilities (Dark Matters) Dmitry Chastukhin, Director of Professional Services at ERPScan, presented a report on the latest SAP security trends at the Black Hat Sessions conference in the Netherlands this week, examining problems related to the use of static encryption keys by SAP in their products

Static encryption keys as the latest trend in SAP security (ERPScan) Today, on the 18th of June, Dmitry Chastukhin, Director of Professional Services at ERPScan, presented a report on the latest SAP security trends at the Black Hat Sessions conference in the Netherlands. It covers multiple problems related to encryption algorithms and static keys used by SAP in their products

Weaponized Word docs, spyware and malvertising sprouting in May (CSO) Weaponized Word documents have been getting past standard defenses

Top 10 botnet targets in the U.S. and worldwide (Network World via CSO) Level 3's research report analyzes botnet activity around the world

As IPv6 rollout proceeds, security controls remain lacking, warns Rapid7 (FierceITSecurity) IPv6's ability to provide security to connected devices is not as good as IPv4's ability, said H.D. Moore, chief research officer at Rapid7, at the UNITED Security Summit being held here this week

Navy challenged by spear phishing, software patches (FCW) Of the myriad cybersecurity challenges facing the Navy, two stand out: spear phishing and more swiftly deploying software patches. That was the gist of a June 18 update on Navy defensive cyber operations given by Capt. David Bondura, U.S. Fleet Cyber Command's assistant chief of staff for operations

The Dark Web as You Know it is a Myth (Wired) The 'Dark Web' may be close to becoming a household name. After the conviction of Ross Ulbricht, the owner of the drug marketplace Silk Road, and a stream of articles claiming that the Islamic State is using secret websites to plan out attacks, this hidden part of the Internet is being talked about more than ever

Security Patches, Mitigations, and Software Updates

Critical Drupal vulnerability patched — update your website now (Naked Security) The Drupal Security Team has released a critical software update for the Drupal Content Management System (CMS)

Cyber Trends

Major US data breaches have commonalities to look out for, says Secret Service official (FierceITSecurity) Most major data breaches in the United States have three things in common, Matt Noyes, Secret Service cyber policy advisor, told an audience Wednesday at the UNITED Security Summit sponsored by security firm Rapid7

The devastating breach of US government data highlights an illusory cybersecurity paradox (Business Insider) Computer scientists love paradoxes, especially ones rooted in brain-twisting logical contradictions

Shadow data report underscores the need for strong cloud app security (TechRepublic) Cloud app security firm Elastica's Q2 2015 Shadow Data Report notes an almost 300% increase from last year in the average number of files shared per user. Enterprise users share roughly 25% of files owned, a big jump from the average rate of sharing in Q4 2014, which was 9%. In addition, 12.5% of files shared contain compliance-related data; this is a potential cybersecurity headache for organizations, since that means over 3% of files per user are at risk of sensitive data exposure

New Survey Reveals Limited Enterprise Ability to Respond to Attacks on the Trust Provided by Keys and Certificates (Information Security Buzz) RSA survey of nearly 850 IT security professionals finds they don't know how to detect and respond to key and certificate vulnerabilities

Reddit, Wikipedia, Bing and the FBI agree — an encrypted web is a safer web (Graham Cluley) Reddit, the so-called "front page of the internet", is the latest in a series of popular websites to announce that it will be switching to HTTPS by default, protecting their visitors with secure connection

Houston Astros' Breach A 'Wake-Up Call' On Industrial Cyber Espionage (Dark Reading) The St. Louis Cardinals' alleged breach of the Astros' proprietary database raises concern over the possibility of US companies hacking their rivals for intel

Marketplace

IT Professionals lack confidence in board's cyber security literacy (IT Pro Portal) Tripwire, Inc., the global provider of advanced threat, security and compliance solutions, today announced the results of a study on cyber literacy challenges faced by organisations. The study, which was carried out in May 2015, evaluated the attitudes of executives as they relate to cyber security risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from both private and public U.K. organisations

How about renting a CSO? (Channel World) How about renting a CSO? At a time when cyber security threats continue to increase in sophistication and prevalence, there's a real shortage of experienced, skilled security leaders. What's a company to do? One thing to consider is "renting" a CISO or other senior security executive

Nine Silicon Valley firms get highest marks for best practices around consumer privacy (SC Magazine) Noting that "it is time to expect more from Silicon Valley," the Electronic Frontier Foundation (EFF) found that nine of the 24 companies reviewed for its fifth annual "Who Has Your Back" report "show that it is practical for major technology companies to adopt best practices around transparency and stand by their users when the government comes knocking"

Cryptzone Secures $15M Series B Funding Led by Kayne Anderson (Cryptzone) Growth capital to help rapidly growing cybersecurity company accelerate sales, expansion

EdgeWave Appoints U.S. Navy/DOD Cyber Security Expert To Lead Security Analytics (PR Newswire) David Bell previously managed U.S. Navy red team operations

Willis Strengthens Cyber Team (Globe Newswire) Key appointments deliver cyber risk expertise across North America platform

Products, Services, and Solutions

Former Googler fights adblockers with adblocker blocker (Naked Security) There are dozens of adblockers to choose from, from the market dominator Adblock Plus to the new Silicon Valley darling - open-source uBlock - as well as those that block out practically everything but the sun

DuckDuckGo search traffic soars 600% post-Snowden (Naked Security) When Gabriel Weinberg launched a new search engine in 2008 I doubt even he thought it would gain any traction in an online world dominated by Google

SecureRF Selected to Present its Algebraic EraserTM Method at NIST Lightweight Cryptography Workshop (SecureRF) A lightweight, efficient asymmetric key agreement protocol for the Internet of Things

New security product for Microsoft Office 365 includes 'kill switch' to prevent data leakage (FierceITSecurity) Chief information security officers and other IT security pros are losing sleep worrying about the security of sensitive corporate data stored in the cloud

Reddit's ex-CEO supports banning online harassment that harms people in real life (Quartz) Last year, after reddit was used to spread hacked private photos of celebrities, then-CEO Yishan Wong was heavily criticized by users for taking down the subreddits doing so, only to insist that the platform was committed to free speech, no matter how unsavory. Last week, after a negative reaction to a policy change by new CEO Ellen Pao that included banning five subreddits (including the very popular "/r/fatpeoplehate") because they caused real-life harassment, Wong wrote a post on Quora about why he supports her move

Technologies, Techniques, and Standards

Security CheatSheets — A collection of cheatsheets for various infosec tools and topics (KitPloit) These security cheatsheets are part of a project for the Ethical Hacking and Penetration Testing course offered at the University of Florida. Expanding on the default set of cheatsheets, the purpose of these cheatsheets is to aid penetration testers/CTF participants/security enthusiasts in remembering commands that are useful, but not frequently used. Most of the tools that will be covered have been included in our class and are available in Kali Linux

Cybersecurity Advice From A Former White House CIO (Dark Reading) Today's playbook demands 'human-centered' user education that assumes people will share passwords, forget them, and do unsafe things to get their jobs done

Breach Defense Playbook, Part 5: Reviewing Your Cybersecurity Program (Part 2) (Dark Reading) Cybersecurity requires a combination of people, process, and technology in a coordinated implementation leveraging a defense-in-depth methodology

Legislation, Policy, and Regulation

Israel To Consolidate Cyber Spending, Ops (DefenseNews) The Israeli military aims to consolidate cyber-related investment, training and planning for defensive and offensive operations under a unified Cyber Command to be stood up within two years

Opinion/Editorial: U.S. security fails again (Daily Progress) The irony is obvious, but worth repeating: On the one hand, we have federal agencies that are turning their vast powers of surveillance against potentially innocent Americans — agencies such as the NSA and the FBI, with their sophisticated electronic intelligence technologies and methods of skirting the Fourth Amendment

Why the US Hasn't Pinned the OPM Hack on China (Defense One) Getting China to stop this activity is at the top of Washington's diplomatic agenda. Stopping foreign intelligence services from spying, however, is not

Comments on 2 year Snowden anniversary (Information Security Buzz) "Two years after the Snowden leaks, it's clear that the vast majority of the IT security community doesn't believe that the level of government surveillance has changed

Blog: Commanding and Controlling the Cyber Domain (SIGNAL) The DISA director dispels the number one myth about the agency's new operational role

Blog: Speed Dating With DISA (SIGNAL) Agency officials propose a closer relationship with industry and with warfighters

Litigation, Investigation, and Law Enforcement

Terrorists eyeing Bitcoin and social media to fund jihad: US (Business Standard) "A number of online fundraisers explicitly advertise that collected funds are being used to purchase weapons"

St Louis Cardinals foul out in hacking escapade (CSO) Who is on first? I've found it difficult to get back into watching baseball since the last strike

Poor password practices appear behind Cardinals' hack of Astros' database (FierceITSecurity) It appears poor password practices were behind the alleged St. Louis Cardinals' breach of the Houston Astros secretive Ground Control database, which contains sensitive player information including medical reports, trade talks, statistics and scouting reports

Cardinals, MLB Lawyer Up in Astros Hacking Probe (American Lawyer) On the cleated heels of Deflategate and soccer's global corruption crisis, the scandal-prone pro sports community is in need of legal advice yet again — this time related to alleged Major League foul play involving the St. Louis Cardinals. The New York Times reported Tuesday that the Federal Bureau of Investigation is probing Cardinals personnel for allegedly hacking into Houston Astros databases that house team strategies, including information on scouting and trades

Secret Service agent who stole $820K from Silk Road pleads guilty (Ars Technica) Shaun Bridges' stealing spree was the impetus for DPR's first murder-for-hire


Upcoming Events

2015 Community College Cyber Summit (3CS) (North Las Vegas, Nevada, USA, June 17 - 19, 2015) The second annual Community College Cyber Summit (3CS), hosted by the College of Southern Nevada, is organized and produced by the five cybersecurity-related Advanced Technological Education (ATE) centers...

Suits and Spooks All Stars 2015 (New York, New York, USA, June 19 - 20, 2015) Unlike our typical "collision" event, our All Stars will have at least 60 minutes each for their talks. Seating will be limited because we're going to hold it in one of our most popular venues —...

REcon 2015 (Montréal, Québec, Canada, June 19 - 21, 2015) REcon is a computer security conference with a focus on reverse engineering and advanced exploitation techniques. It is held annually in Montreal, Canada. The conference offers a single track of presentations...

Nuit du Hack 2015 (Paris, France, June 20 - 21, 2015) The "Nuit Du Hack" conference was initiated in 2003 by the French hacking group: HackerZvoice. This event has been gathering people willing to learn and share their knowledge around lectures and challenges...

Fifth Annual International Cybersecurity Conference (Tel Aviv, Israel, June 22 - 25, 2015) The conference, held jointly this year by the Yuval Ne'eman Workshop for Science, Technology and Security, the National Cyber Bureau, the Prime Minister's Office, the Blavatnik Interdisciplinary Cyber...

Cybersecurity Executive Roundtable (Blacksburg, Virginia, USA, June 23, 2015) Experts from across the country will convene at Virginia Tech to meet with rising cybersecurity talent to discuss solutions for the country's cyber workforce shortage in an executive roundtable titled...

Cyber Security for Defense (Augusta, Georgia, USA, June 24 - 26, 2015) This conference serves as an opportunity for solution providers to break through the background noise and present their unique ideas and products in an environment specifically tailored to highlighting...

Innovation Summit: Connecting Wall Street, Silicon Valley & the Beltway (New York City, New York, USA, June 25, 2015) Innovation Summit connects America's three most powerful epicenters and evangelizes the importance of industry, government and academic collaboration on joint research initiatives. The opportunity to bring...

AFCEA PNC Tech & Cyber Day (Tacoma, Washington, USA, June 25, 2015) The Armed Forces Communications & Electronics Association (AFCEA) - Pacific Northwest Chapter (PNC) will once again host the 5th Annual Information Technology & Cyber Day at Joint Base Lewis-McChord (JBLM)...

Cybersecurity Outlook 2016 (Tysons Corner, Virginia, USA, June 26, 2015) Cybersecurity Outlook 2016 is a breakfast event by Potomac Tech Wire and Billington CyberSecurity that brings together senior executives in the Mid-Atlantic to discuss technology issues in a conversational,...

NSA Information Assurance Symposium (IAS) 2015 (Washington, DC, USA, June 29 - July 1, 2015) The NSA Information Assurance Directorate (IAD)'s Information Assurance Symposium (IAS) is a biannual forum hosted by the National Security Agency (NSA). IAS events of the past have proven to be the preferred...

US News STEM Solutions: the National Leadership Conference (San Diego, California, USA, June 29 - July 1, 2015) San Diego offers the perfect backdrop for the 4th annual U.S. News STEM Solutions National Leadership Conference, June 29 — July 1, 2015 in San Diego, CA. Please make your plans now to join fellow...

Cyber Security for Healthcare Summit (Philadelphia, Pennsylvania, USA, June 29 - July 1, 2015) Our IQPC Cyber Security for Healthcare Summit will help Hospitals and Medical Device manufacturers to prepare and manage risks by viewing cybersecurity not as a novel issue but rather by making it part...

Cybergamut Tech Tuesday: The Truth About Security Your System (Elkridge, Maryland, USA, June 30, 2015) What does it take to secure a system? What is the logical approach to successfully achieve this endeavor? First, an understanding of who wants access and why is a necessary baseline to form a strategic...

TakeDownCon Rocket City (Huntsville, Alabama, USA, July 20 - 21, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their...

CyberMontgomery 2015 (Rockville, Maryland, USA, July 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen...