Earlier reports that US Federal employee data stolen from the Office of Personnel Management (OPM) have shown up for sale on the black market appear to be quite false. KrebsOnSecurity's investigation suggests that the data being traded by criminals appears to have come from a different agency: Federal Prison Industries (that is, Unicor.gov). The AP notes the absence of OPM data from the black market (for now — it's unwise to expect them to stay out of criminal hands indefinitely) as further evidence that the breach is the work of an intelligence service as opposed to crooks. That would also account for the relatively muted US diplomatic response: the Americans have long distinguished legitimate intelligence collection from industrial espionage. The OPM hack strikes many as the former; thus outrage is directed against OPM, not the Chinese government.
A side note on industrial espionage: many see the St. Louis Cardinals' (alleged, low-grade) hack of the Houston Astros as indicating widespread corporate hacking of competitors. Others are less sure: US professional sports are different, and have a signal-stealing tradition.
Wikileaks, dumping 276,394 stolen documents, reminds us that Sony Pictures was hacked last year.
Repeat-offending skid "Mufasa," who'd earlier claimed to have hacked Australia's iiNet ISP, hacks US pharmaceutical company Akorn "to teach them a security lesson," a motive belied by his offering the stolen data for sale to the highest bidder.
Interesting discussions of OS X and iOS vulnerabilities, as well as accounts of SAP static encryption issues.
The US Treasury Department sees an ISIS-Bitcoin-social-media nexus.
A note to our readers: the CyberWire will be covering SINET's Innovation Summit in New York next week. We'll live-tweet the proceedings and devote at least one special issue to the conference.
Today's issue includes events affecting Australia, China, France, Germany, Netherlands, Romania, Russia, Turkey, Ukraine, United Kingdom, United States, and Vietnam.
Cyber Attacks, Threats, and Vulnerabilities
OPM's Database for Sale? Nope, It Came from Another US .Gov (KrebsOnSecurity) A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne'er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known as Federal Prison Industries
U.S. wonders: Why stolen data on federal workers not for sale? (AP via the Military Times) The Obama administration is increasingly confident that China's government, not criminal hackers, was responsible for the extraordinary theft of personal information of about as many as 14 million current and former federal employees and others, The Associated Press has learned. One sign: None of the data has been credibly offered for sale on underground markets popular among professional identity thieves
Could OPM have prevented the breach? (Federal Times) No, probably not. There were a number of failures on the part of the Office of Personnel Management that allowed hackers to steal the personal information on millions of current and former federal employees. But it is unlikely the agency would have been able to prevent the breach entirely
Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth (Privacy Online News) Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to "we can do that"
So Long, and Thanks for All the Domains (SWITCH Security Blog) While Trojans like Dyre and Dridex are dominating malware-related news, we take the time to have a closer look at Tinba (Tiny Banker, Zusy, Illi), yet another Trojan which targets Windows users. In the first part of this post, we give a short historical review, followed by hints about how to detect (and remove) this threat on an infected system. In the second part, we have a look at a portion of the Trojan's code which enhances its communication resilience, and how we can leverage these properties for defensive purposes
OS X and iOS Unauthorized Cross Application Resource Access (XARA) (Internet Storm Center) The last couple of days, a paper with details about XARA vulnerabilities in OS X and iOS is getting a lot of attention. If you haven't seen the term "XARA" before, then this is probably because cross-application resource access was normal in the past. Different applications had access to each other's data as long as the same user ran them. But more recently, operating systems like OS X and iOS made attempts to "sandbox" applications and isolate applications from each other even if the same user is running them
Unpatchable Android? (Trend Micro: Simply Security) There's another vulnerability affecting the Android platform that this week once again raises the question: am I vulnerable?
The Swine Flu Wants to Infect Your PC (SenseCy) Russian underground forums often serve as a marketplace for talented coders of sophisticated malware who develop attack tools to target the financial industry
Researchers Disclose SAP Default Encryption Key Vulnerabilities (Dark Matters) Dmitry Chastukhin, Director of Professional Services at ERPScan, presented a report on the latest SAP security trends at the Black Hat Sessions conference in the Netherlands this week, examining problems related to the use of static encryption keys by SAP in their products
Static encryption keys as the latest trend in SAP security (ERPScan) Today, on the 18th of June, Dmitry Chastukhin, Director of Professional Services at ERPScan, presented a report on the latest SAP security trends at the Black Hat Sessions conference in the Netherlands. It covers multiple problems related to encryption algorithms and static keys used by SAP in their products
Navy challenged by spear phishing, software patches (FCW) Of the myriad cybersecurity challenges facing the Navy, two stand out: spear phishing and more swiftly deploying software patches. That was the gist of a June 18 update on Navy defensive cyber operations given by Capt. David Bondura, U.S. Fleet Cyber Command's assistant chief of staff for operations
The Dark Web as You Know it is a Myth (Wired) The 'Dark Web' may be close to becoming a household name. After the conviction of Ross Ulbricht, the owner of the drug marketplace Silk Road, and a stream of articles claiming that the Islamic State is using secret websites to plan out attacks, this hidden part of the Internet is being talked about more than ever
Security Patches, Mitigations, and Software Updates
Shadow data report underscores the need for strong cloud app security (TechRepublic) Cloud app security firm Elastica's Q2 2015 Shadow Data Report notes an almost 300% increase from last year in the average number of files shared per user. Enterprise users share roughly 25% of files owned, a big jump from the average rate of sharing in Q4 2014, which was 9%. In addition, 12.5% of files shared contain compliance-related data; this is a potential cybersecurity headache for organizations, since that means over 3% of files per user are at risk of sensitive data exposure
IT Professionals lack confidence in board's cyber security literacy (IT Pro Portal) Tripwire, Inc., the global provider of advanced threat, security and compliance solutions, today announced the results of a study on cyber literacy challenges faced by organisations. The study, which was carried out in May 2015, evaluated the attitudes of executives as they relate to cyber security risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from both private and public U.K. organisations
How about renting a CSO? (Channel World) How about renting a CSO? At a time when cyber security threats continue to increase in sophistication and prevalence, there's a real shortage of experienced, skilled security leaders. What's a company to do? One thing to consider is "renting" a CISO or other senior security executive
Nine Silicon Valley firms get highest marks for best practices around consumer privacy (SC Magazine) Noting that "it is time to expect more from Silicon Valley," the Electronic Frontier Foundation (EFF) found that nine of the 24 companies reviewed for its fifth annual "Who Has Your Back" report "show that it is practical for major technology companies to adopt best practices around transparency and stand by their users when the government comes knocking"
Former Googler fights adblockers with adblocker blocker (Naked Security) There are dozens of adblockers to choose from, from the market dominator Adblock Plus to the new Silicon Valley darling - open-source uBlock - as well as those that block out practically everything but the sun
Reddit's ex-CEO supports banning online harassment that harms people in real life (Quartz) Last year, after reddit was used to spread hacked private photos of celebrities, then-CEO Yishan Wong was heavily criticized by users for taking down the subreddits doing so, only to insist that the platform was committed to free speech, no matter how unsavory. Last week, after a negative reaction to a policy change by new CEO Ellen Pao that included banning five subreddits (including the very popular "/r/fatpeoplehate") because they caused real-life harassment, Wong wrote a post on Quora about why he supports her move
Technologies, Techniques, and Standards
Security CheatSheets — A collection of cheatsheets for various infosec tools and topics (KitPloit) These security cheatsheets are part of a project for the Ethical Hacking and Penetration Testing course offered at the University of Florida. Expanding on the default set of cheatsheets, the purpose of these cheatsheets is to aid penetration testers/CTF participants/security enthusiasts in remembering commands that are useful, but not frequently used. Most of the tools that will be covered have been included in our class and are available in Kali Linux
Israel To Consolidate Cyber Spending, Ops (DefenseNews) The Israeli military aims to consolidate cyber-related investment, training and planning for defensive and offensive operations under a unified Cyber Command to be stood up within two years
Opinion/Editorial: U.S. security fails again (Daily Progress) The irony is obvious, but worth repeating: On the one hand, we have federal agencies that are turning their vast powers of surveillance against potentially innocent Americans — agencies such as the NSA and the FBI, with their sophisticated electronic intelligence technologies and methods of skirting the Fourth Amendment
Comments on 2 year Snowden anniversary (Information Security Buzz) "Two years after the Snowden leaks, it's clear that the vast majority of the IT security community doesn't believe that the level of government surveillance has changed
Cardinals, MLB Lawyer Up in Astros Hacking Probe (American Lawyer) On the cleated heels of Deflategate and soccer's global corruption crisis, the scandal-prone pro sports community is in need of legal advice yet again — this time related to alleged Major League foul play involving the St. Louis Cardinals. The New York Times reported Tuesday that the Federal Bureau of Investigation is probing Cardinals personnel for allegedly hacking into Houston Astros databases that house team strategies, including information on scouting and trades
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
2015 Community College Cyber Summit (3CS) (North Las Vegas, Nevada, USA, June 17 - 19, 2015) The second annual Community College Cyber Summit (3CS), hosted by the College of Southern Nevada, is organized and produced by the five cybersecurity-related Advanced Technological Education (ATE) centers...
Suits and Spooks All Stars 2015 (New York, New York, USA, June 19 - 20, 2015) Unlike our typical "collision" event, our All Stars will have at least 60 minutes each for their talks. Seating will be limited because we're going to hold it in one of our most popular venues —...
REcon 2015 (Montréal, Québec, Canada, June 19 - 21, 2015) REcon is a computer security conference with a focus on reverse engineering and advanced exploitation techniques. It is held annually in Montreal, Canada. The conference offers a single track of presentations...
Nuit du Hack 2015 (Paris, France, June 20 - 21, 2015) The "Nuit Du Hack" conference was initiated in 2003 by the French hacking group HackerZvoice. This event has been gathering people willing to learn and share their knowledge around lectures and challenges...
Fifth Annual International Cybersecurity Conference (Tel Aviv, Israel, June 22 - 25, 2015) The conference, held jointly this year by the Yuval Ne'eman Workshop for Science, Technology and Security, the National Cyber Bureau, the Prime Minister's Office, the Blavatnik Interdisciplinary Cyber...
Cybersecurity Executive Roundtable (Blacksburg, Virginia, USA, June 23, 2015) Experts from across the country will convene at Virginia Tech to meet with rising cybersecurity talent to discuss solutions for the country's cyber workforce shortage in an executive roundtable titled...
Cyber Security for Defense (Augusta, Georgia, USA, June 24 - 26, 2015) This conference serves as an opportunity for solution providers to break through the background noise and present their unique ideas and products in an environment specifically tailored to highlighting...
AFCEA PNC Tech & Cyber Day (Tacoma, Washington, USA, June 25, 2015) The Armed Forces Communications & Electronics Association (AFCEA) - Pacific Northwest Chapter (PNC) will once again host the 5th Annual Information Technology & Cyber Day at Joint Base Lewis-McChord (JBLM)...
Cybersecurity Outlook 2016 (Tysons Corner, Virginia, USA, June 26, 2015) Cybersecurity Outlook 2016 is a breakfast event by Potomac Tech Wire and Billington CyberSecurity that brings together senior executives in the Mid-Atlantic to discuss technology issues in a conversational,...
NSA Information Assurance Symposium (IAS) 2015 (Washington, DC, USA, June 29 - July 1, 2015) The NSA Information Assurance Directorate (IAD)'s Information Assurance Symposium (IAS) is a biannual forum hosted by the National Security Agency (NSA). IAS events of the past have proven to be the preferred...
US News STEM Solutions: the National Leadership Conference (San Diego, California, USA, June 29 - July 1, 2015) San Diego offers the perfect backdrop for the 4th annual U.S. News STEM Solutions National Leadership Conference, June 29 — July 1, 2015 in San Diego, CA. Please make your plans now to join fellow...
Information Assurance Symposium (Washington, DC, USA, June 29 - July 1, 2015) The NSA Information Assurance Directorate (IAD)'s Information Assurance Symposium (IAS) is a biannual forum hosted by the National Security Agency (NSA). IAS events of the past have proven to be the preferred...
Cyber Security for Healthcare Summit (Philadelphia, Pennsylvania, USA, June 29 - July 1, 2015) Our IQPC Cyber Security for Healthcare Summit will help Hospitals and Medical Device manufacturers to prepare and manage risks by viewing cybersecurity not as a novel issue but rather by making it part...
Cybergamut Tech Tuesday: The Truth About Securing Your System (Elkridge, Maryland, USA, June 30, 2015) What does it take to secure a system? What is the logical approach to successfully achieve this endeavor? First, an understanding of who wants access and why is a necessary baseline to form a strategic...
TakeDownCon Rocket City (Huntsville, Alabama, USA, July 20 - 21, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their...
CyberMontgomery 2015 (Rockville, Maryland, USA, July 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen...