More notes attributing Wikileaks' Saudi cables to Iranian hackers.
ISIS online recruiting prompts a sad but instructive case study of retail information operations.
Effects of the US OPM (Office of Personnel Management) hack continue to spread. The Daily Beast offers an account of what was lost (a bit too lurid — security investigations aren't, as one might conclude from the story, detailed, book-length compendia of shocking personal confessions — but nevertheless sobering). Observers see the episode as the most serious instance of widespread US Federal negligence with respect to security (the Guardian points out that IRS personnel can use "password" as their password). The Federal CIO's security "sprint" gets generally positive reviews (Passcode, for example, sees signs that one positive effect will be tighter management of privileged accounts), but that CIO's defense of OPM leaders' security record finds fewer takers: Federal workers want a Presidential task force appointed to clean up the breach, and calls for the firing of OPM's Director and CIO get louder in Congress.
Energy sector executives express a high degree of confidence in their companies' ability to detect and swiftly contain cyber attacks. Research by Dell and Inteller, however, on the frequency of SCADA attacks and the black-market trade in SCADA credentials might give one pause.
Researcher Paul Moore offers a cautionary example of homographic phishing, the use of bogus URLs typographically indistinguishable from genuine ones: IIoyd'sbank (bad) versus lloyd'sbank (good). The first uses uppercase "I," the second lowercase "l."
The Department of Homeland Security offers interesting advice on cyber insurance.
Today's issue includes events affecting Australia, Canada, China, Iran, Iraq, Democratic People's Republic of Korea, Netherlands, New Zealand, Romania, Russia, Saudi Arabia, Syria, United Kingdom, United States.
ISIS and the Lonely Young American(New York Times) Alex, a 23-year-old Sunday school teacher and babysitter, was trembling with excitement the day she told her Twitter followers that she had converted to Islam
OPM hack Q&A: What we know and what we don't(USA Today) The biggest and most devastating cyber attack against the U.S. government was revealed this month when the Office of Personnel Management announced that hackers had compromised the personal data of millions of current and former federal employees
FBI Cyber Division Bulletin on Tools Reportedly Used by OPM Hackers(Office of Inadequate Security) The following bulletin was released to private industry partners June 5, 2015. According to an article from Reuters, one of the remote access tools (RAT) described in the bulletin, called Sakula, is directly linked to the hack of the Office of Personnel Management (OPM) that was disclosed earlier this month. Other publications have directly linked the bulletin to the OPM hack, though have not made the bulletin available publicly
Cyber Attack Reveals Weakness in Government Security(Social Times) The concept of a cyberwar is no longer relegated to the pages of science fiction. Many states may have already built weapons to fight this war, and the U.S. government is working to secure online resources to protect against cyber attacks. However, attacks are still slipping through, including a recent attack on U.S. Office of Personnel Management, that may have exposed the data of millions
We're Losing the Cyber War(Wall Street Journal) The huge theft from the Office of Personnel Management comes after years of Obama administration passivity despite repeated digital attacks
IRS employees can use 'password' as a password? No wonder we get hacked(Guardian) The public is finally starting to learn what security experts have been warning for years: the US government has no idea what it's doing when it comes to cybersecurity. Worse, the government's main "solutions" may leave all our data even more vulnerable to privacy violations and security catastrophes
The State of the ESILE/Lotus Blossom Campaign(TrendLabs Security Intelligence Blog) The Esile targeted attack campaign targeting various countries in the Southeast Asian region has been discussed in the media recently. This campaign — which was referred to by other researchers as Lotus Blossom — is believed to be the work of a nation-state actor due to the nature of the stolen information, which is more valuable to countries than either private companies or cybercriminals
Recent Flash Player 0-day Exploit Goes Mainstream(Malwarebytes Unpacked) On June 23rd, security firm FireEye released a report about targeted attacks leveraging a Flash Player zero-day vulnerability (CVE-2015-3113) in Adobe Flash Player up to version 22.214.171.124. The firm stated that some users would receive a phishing email containing a link to a site hosting the zero-day exploit
Right to reply: Protests or Profiteering — The Hack Remains in Same(Net Imperative) What is the difference between 'hacktivism' and 'cyber terrorism'? Despite sharing a singular purpose — to cause damage to an entity, organisation or group — what sets these two categories of hackers apart? Is the answer in the motivation or is it simply in the eye of the beholder? Stephen Coty, chief security evangelist, Alert Logic argues why the motivation ultimately doesn't matter and the importance of threat intelligence groups to work together to stay ahead of hacktivists
Are Cracks in the Digital Foundation of the Internet Crumbling the Core?(IBM Security Intelligence) Today we released the first edition of the 2015 IBM X-Force Threat Intelligence Quarterly, where we focus on a year-end review of all the attack and breach activity that occurred in the previous year, along with some interesting new twists to the methodology of how vulnerabilities are disclosed
The Problem with Putting all the World's Code in GitHub(Wired) The ancient library of Alexandria may have been the largest collection of human knowledge in its time, and scholars still mourn its destruction. The risk of so devastating a loss diminished somewhat with the advent of the printing press and further still with the rise of the Internet. Yet centralized repositories of specialized information remain, as does the threat of a catastrophic loss
Is Your Next Flight Safe From Hackers?(Benzinga) Now that one airline has been forced to ground its flights, consumers are starting to wonder: is it still safe to fly? And if it is, what's being done to ensure these hacks aren't repeated?
Penn State says it was victim of cyber attack(Pittsburgh Post-Gazette) Following two cyberattacks on Penn State University's College of Liberal Arts, the university is resetting passwords on its college-issued accounts, but school officials said they believe no personal identifiable information, such as Social Security numbers, or research data has been compromised
OPM hack may finally end overuse of 'privileged' user access(Christian Science Monitor Passcode) Office of Personnel Management attackers entered the agency's network with a username and password belonging to an external contractor. As a result, security experts are renewing calls for stricter limits on this kind of privileged access
Energy security pros: More competent, or just naive?(Help Net Security) Energy security professionals are extremely confident in their ability to detect a cyberattack on critical systems, with 86 percent stating they could detect a breach in less than one week
Think shoppers forget retail data breaches? Nope(CNBC) The recent data breach involving four million government workers is an unpleasant reminder of how vulnerable our digital information has become. On the consumer side, high-profile breaches at Target and Home Depot are just two examples of dozens of similar cases. Surprisingly, many retail and financial-services executives think that data breaches have become so common that consumers will quickly forget. That's anything but true
How companies can regain consumer trust after a data breach(Help Net Security) Americans have strong feelings about data breach notification, with 84 percent stating that the best way a company can regain their trust after a breach occurs is to notify them right away and provide a high level of contact
Local firms feel the cyber menace(Business Review) As cyber-attacks become more vicious, more extensively planned and ingeniously hidden, most security experts agree there is no "one-size-fits-all" solution for dealing with the menace. With global outlay on informatics security solutions increasing, Romanian companies are waking up to the looming threat and spending more money on protection
Who are you going to call to prevent a hack attack?(Independent) The spectacular North Korean hack of Sony last year, and other high-profile corporate security breaches, have put a rocket under the valuations of firms that offer cyber protection. But are they really worth it?
Security Provider Sophos Goes Public on London Exchange(The VAR Guy) There's a new tech unicorn on the public market and this one's in the U.K. Security specialist Sophos said it hopes to raise $125 million by selling about 35 percent of its shares priced at 225 pence per share in a public offering on the London Stock Exchange that would set its valuation at about $1.6 billion
AIS acquires D.C.-area cyber firm to further its growth(Central New York Business Journal) Assured Information Security, Inc. (AIS), a growing Mohawk Valley technology company, recently closed on the acquisition of the assets of Information Security Solutions, Inc. (ISS), a tech firm based in the Washington, D.C. area
CACI Secures SEC Investigation Support Task Orders(ExecutiveBiz) CACI International has received two task orders worth $29.8 million combined to provide investigation support and legal assistance services for the U.S. Securities and Exchange Commission
Barracuda Upgrades Web Security Tools, Especially for Schools(Top Tech News) Campbell, Calif.-based Barracuda Networks said it has enhanced its suite of firewall products, improving support for transparently redirecting traffic and thus enabling easier integration between discrete firewall and Web security appliances
YC-Backed Cymmetria Uses Virtual Machines To Decoy And Detect Hackers(TechCrunch) YC-backed Cymmetria, which is uncloaking from stealth now after around a year working its cyber security startup business, wants to tilt the traditional security odds so it's hackers who are left feeling vulnerable and on their guard — by giving the businesses whose systems are under attack a 'home advantage'
Technologies, Techniques, and Standards
IETF Officially Deprecates SSLv3(Threatpost) Attacks such as POODLE and BEAST not only caused some sleepless nights for server admins having to patch against the respective weaknesses, but they also accelerated SSLv3 deprecation
Cybersecurity Insurance(Department of Homeland Security) Cybersecurity insurance protects businesses and individuals from Internet-based risks and from risks relating to information technology infrastructure and activities. The Department of Homeland Security National Protection and Programs Directorate (NPPD) has engaged key stakeholders to address this emerging cyber risk area
The cloud, FedRAMP and FISMA compliance(Help Net Security) Many federal agencies and government contractors are migrating to cloud-based computing, a trend that will pick up speed as the cloud becomes more efficient, more affordable, and more secure
How to survive a compliance audit(Help Net Security) Ipswitch polled 313 IT professionals in the United States with 59 percent noting that they were not fully prepared to undergo an audit. Additionally, 75 percent of respondents lacked confidence that colleagues authorized to work with sensitive information are adequately protecting it
How to Deal with the Rise of Digital Abuse(Tripwire: the State of Security) On my way to a client site, I was listening with interest to a report on Radio 4 discussing a news article covering the rise of offences against women, including offences associated with the cowardly utilisation of the Internet to target, stalk, and to impose mental anguish and misery on the intended target of abuse. However, to maintain the correct balance, we should not forget that whilst it may be to some lesser extent, such despicable offences are also leveraged against the male populace
U.S., China agree to cybersecurity code of conduct(SC Magazine) After a tumultuous couple of years of exchanging accusations and expressing distrust over cyberespionage and spying — most recently with Director of National Intelligence (DNI) John Clapper laying responsibility for the Office of Personnel Management (OPM) breaches squarely at the feet of the Chinese — the U.S. and China said they've reached an accord of sorts, a code of conduct for cybersecurity going forward
OPM Attack Raises Delicate Political Questions(Defense News) In public remarks, US officials appear to be split over whether to blame China for a pair of major breaches that compromised deeply personal data for millions of federal employees, suggesting a potential policy gap and uncertainty about how best to respond
Federal CIO Tony Scott backs OPM approach to cyber fixes(Federal News Radio) Federal Chief Information Officer Tony Scott wants the bandwagon of lawmakers to slow down and reconsider their calls for Office of Personnel Management Director Katherine Archuleta and CIO Donna Seymour to resign
Turns Out the US Launched its Zero-Day Policy in Feb 2010(Wired) A newly released document from the FBI sheds a little more light on the government's controversial policy around the use of zero-day exploits. Though there is still much we don't know, the question of when the secretive policy was put into place is finally answered: February, 2010
DOD Interpretation of The Laws of War Allow Botnet Creation?(Lawfare) I was struck by Charlie Dunlap's take on the DOD Law of War manual regarding cyber operations, especially on how cyberattacks are carried out. Charlie notes the manual's instruction that "remote harms and lesser forms of harm, such as mere inconveniences or temporary losses, need not be considered in applying the proportionality rule." The manual also states that the "military advantage anticipated from an attack" indicated in the proportionality rule "is intended to refer to an attack considered as a whole, rather than only from isolated or particular parts of an attack"
Sloppy Cyber Threat Sharing Is Surveillance by Another Name(Just Security) Imagine you are the target of a phishing attack: Someone sends you an email attachment containing malware. Your email service provider shares the attachment with the government, so that others can configure their computer systems to spot similar attacks. The next day, your provider gets a call. It's the Department of Homeland Security (DHS), and they're curious. The malware appears to be from Turkey. Why, DHS wants to know, might someone in Turkey be interested in attacking you? So, would your email company please share all your emails with the government? Knowing more about you, investigators might better understand the attack
A Busy Week for Ne'er-Do-Well News(KrebsOnSecurity) We often hear about the impact of cybercrime, but too seldom do we read about the successes that law enforcement officials have in apprehending those responsible and bringing them to justice. Last week was an especially busy time for cybercrime justice, with authorities across the globe bringing arrests, prosecutions and in some cases stiff sentences in connection with a broad range of cyber crimes, including ATM and bank account cashouts, malware distribution and "swatting" attacks
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
National Insider Threat Special Interest Group Meeting(Laurel, Maryland, USA, July 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program.
Cyber Security Exchange(Florida, USA, December 6 - 8, 2015) This dynamic, three-day event will provide Cyber Security executives with valuable insights to reach their full potential by exploring security leadership strategies, heightened data privacy concerns,...
NSA Information Assurance Symposium (IAS) 2015(Washington, DC, USA, June 29 - July 1, 2015) The NSA Information Assurance Directorate (IAD)'s Information Assurance Symposium (IAS) is a biannual forum hosted by the National Security Agency (NSA). IAS events of the past have proven to be the preferred...
US News STEM Solutions: the National Leadership Conference(San Diego, California, USA, June 29 - July 1, 2015) San Diego offers the perfect backdrop for the 4th annual U.S. News STEM Solutions National Leadership Conference, June 29 — July 1, 2015 in San Diego, CA. Please make your plans now to join fellow...
Information Assurance Symposium(Washington, DC, USA, June 29 - July 1, 2015) The NSA Information Assurance Directorate (IAD)'s Information Assurance Symposium (IAS) is a biannual forum hosted by the National Security Agency (NSA). IAS events of the past have proven to be the preferred...
Cyber Security for Healthcare Summit(Philadelphia, Pennsylvania, USA, June 29 - July 1, 2015) Our IQPC Cyber Security for Healthcare Summit will help Hospitals and Medical Device manufacturers to prepare and manage risks by viewing cybersecurity not as a novel issue but rather by making it part...
TakeDownCon Rocket City(Huntsville, Alabama, USA, July 20 - 21, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their...
CyberMontgomery 2015(Rockville, Maryland, USA, July 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen...