skip navigation

More signal. Less noise.

Daily briefing.

Allegations surface of a Pakistani government cyber campaign directed against Indian targets.

Kaspersky continues to admire the Equation Group's work, today marveling at its stealth.

Also from Kaspersky comes a description of "Podec," an Android Trojan that can induce CAPTCHA to pass it as a human. Podec is crimeware: it subscribes its victims to unwanted premium services.

IBM's X-Force discovers a remotely exploitable vulnerability in Dropbox SDK for Android.

A researcher at Sakurity releases a proof-of-concept exploit that uses cross-site request forgery to hijack Facebook logins. The researcher disclosed the flaw in January, and chides Facebook for not having addressed it then. Facebook declined to do so, reports say, because it was unwilling to disrupt compatibility with sites that use the login feature.

Vulnerabilities in Nextep point-of-sale systems are said to show the importance of updating or replacing legacy systems.

Microsoft's Patch Tuesday fixes addressed, as expected, FREAK and universal cross-site-scripting vulnerabilities. More surprising is a patch for the .LNK vulnerability — a hole Stuxnet exploited — which had been thought fixed by updates in 2010. Microsoft is also teaming with Lenovo to mop up Superfish contamination in Lenovo devices.

Yahoo patches its eCommerce services.

Experts worry, again, about the greatly expanded attack surface the Internet-of-things and its associated "smart cities" present. (Kaspersky is in a particularly apocalyptic mood.)

Cyber insurance providers and their customers continue to grope toward improved risk assessment.

Bain Capital buys Blue Coat, and PayPal confirms its acquisition of CyActive.

State Department emails and "homebrew servers" raise eyebrows.

Notes.

Today's issue includes events affecting Australia, India, Israel, Democratic Peoples Republic of Korea, Isle of Man, New Zealand, Pakistan, United States.

The CyberWire will be offering special coverage of SINET's ITSEF conference in Mountain View, California, next week. We'll be live-tweeting from the event, and our editor will be moderating a panel on emerging trends in cyber attack.

Cyber Attacks, Threats, and Vulnerabilities

How Pak cyber firm sold 'salary hikes' for babus to steal govt info (Economic Times) A Pakistani cyber security firm with close ties to Islamabad has been found stealing information from Indian government and defence establishments, according to a two-year investigation by a US-based IT security firm

Equation APT Group Attack Platform a Study in Stealth (Threatpost) Spies thrive only when they're able to quietly infiltrate targets and slither away unnoticed; this principle is the same whether we're talking about the physical world, or digital

CIA spends years trying to break Apple security (ZDNet) Security researchers working for the CIA have been poking holes in Apple security as part of a multi-year campaign

Kaspersky reveals CAPTCHA-tricking Podec Trojan (ZDNet) Kaspersky has unearthed an Android-targeted Trojan, dubbed Podec, that can trick the CAPTCHA image verification system into thinking it is human

DroppedIn: Remotely Exploitable Vulnerability in the Dropbox SDK for Android (IBM Security Intelligence) The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim's knowledge or authorization

Beware of fake invites for WhatsApp's Free Voice Calling feature! (Help Net Security) Fake WhatsApp invites are actively luring users to sites where they are urged to fill out surveys and download unknown applications

Active campaigns deliver old and new ransomware families (Help Net Security) Cyber crooks' love for ransomware continues unabated, and user are warned about several active campaigns trying to deliver the malware on target computers

Tool allows account hijacking on sites that use Facebook Login (IDG via Computerworld) A new tool allows hackers to generate URLs that can hijack accounts on sites that use Facebook Login, potentially enabling powerful phishing attacks

Email Spoofing Flaw Found in Google Admin Console (SecurityWeek) Researchers have identified a security issue in the Google Apps Admin console that could have been exploited to claim any domain and use it to send out spoofed emails

8 Android Security Concerns That Should Scare IT (InformationWeek) Even though mobile operating systems such as Android are superior to PCs when it comes to protecting against security threats, there still are several concerns that IT should beware

Point-of-Sale Device Manufacturer Investigating Card Breach At Soup Franchise (Dark Reading) Are remote administration exploits or new malware strains to blame for the compromise of NEXTEP devices at Zoup! soup shops?

Point-of-sale supplier compromise highlights need to update legacy systems (ComputerWeekly) The compromise of point-of-sale (POS) system supplier Nextep highlights the need to update legacy systems, according to the information security industry

Operating System Vulnerabilities, Exploits and Insecurity (We Live Security) Hands up who believes that OS X and iOS are the most vulnerable operating systems in use today? Well, I find it a bit hard to believe, too, even though I've had a lot of hate-mail over the years for pointing out that Apple's operating systems are not invulnerable

Lack of WordPress User Education Affecting Security Posture (Dark Reading) Survey shows many users lack knowledge to effectively protect their sites

Cyber attack hits Madison, Wisconsin, after police shooting of teen (Reuters) Cyber attackers are targeting city and county computer systems in Madison, Wisconsin, in retaliation for the shooting death of a 19-year-old unarmed black man by police in the Wisconsin capital, city officials said on Tuesday

UPDATE: FBI joins in effort to combat cyber attack following shooting (AP via WMTV) The FBI is investigating a cyber attack focused on Internet resources for city and county governments in Madison that comes after a white police officer shot and killed an unarmed biracial teenager

Bulletin (SB15-069) Vulnerability Summary for the Week of March 2, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information

Security Patches, Mitigations, and Software Updates

Patch Tuesday patches FREAK, Universal XSS (Ars Technica) Two high profile and widely publicised flaws are among the many others fixed

Microsoft Security Bulletin Summary for March 2015 (Microsoft Security TechCenter) This bulletin summary lists security bulletins released for March 2015

Patched Windows Machines Exposed to Stuxnet Link Flaw All Along (Threatpost) A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010

Microsoft and Lenovo work on cleaning up 60,000 Superfish infected PCs (Win Beta) In the wake of Superfish, there seems to be a BP oil spill-like taint on the Lenovo brand in the eyes of many consumers. Trust was lost, images were tarnished and the MacBook-toting crowd began their chants of superiority. Unfortunately, Lenovo didn't just ruin their name alone, as with most things that go wrong with PCs (usually driver related), Microsoft was run through the ringer for this as well. Questions of whether or not Microsoft's licensing policies lead to this sort of OEM greed or should Microsoft have built a better system to avoid this type of tampering, etc

Yahoo Patches Critical eCommerce, Small Business Vulnerabilities (Threatpost) Yahoo has fixed a handful of vulnerabilities that could have given an attacker free reign over all of its user-run eCommerce websites and caused multiple headaches for small business owners

Kik Adds Tools to Prevent Child Exploitation on Messaging App (Bloomberg) Kik Interactive Inc., which makes a messaging application popular with younger users, is taking steps to make sure they aren't exploited while using it

Cyber Trends

'Intelligence Failures' Are Inevitable. Get Over it (Cicero) The Iraq War marked the first time that secret intelligence was used in the public domain to justify America going to war

Kaspersky: "A very bad incident" awaits critical infrastructure (CSO) Organizations are slow to upgrade security while attackers are getting better

With 'smart cities' just around the corner, we need to understand the security risk first (Information Age) As the connected infrastructure of our cities grows, the potential for security disaster will grow with it

IoT, new tech pose challenges, rewards in defense (San Diego Source) The Internet of Things promises to bring enormous opportunities to the security and defense fields, but serious risks accompany every benefit as increasing the available tools also increases the threat

Businesses taking PCI compliance more seriously: Verizon (ZDNet) The 2015 Verizon PCI compliance report showed an increase in PCI compliance among businesses globally during 2014

Eighty percent of global merchants fall short on card data security compliance: report (Reuters) Four out of five global retailers and other merchants failed interim tests to determine whether they are in compliance with payment card data security standards, putting them at increased risk of cyberattacks, according to a new report by Verizon Communications Inc

No Application Is Invulnerable, Now What? (Trend Micro Simply Security) Looking back at 2014, we see an abundance of vulnerabilities in Adobe Acrobat, Java, Windows, and others. The steady stream of disclosures came as a shock to no one

The Deep Web: Shutdowns, New Sites, New Tools (TrendLabs Security Intelligence Blog) 2014 was a year in flux for the Deep Web. We briefly discussed this in our annual security roundup, but this is a topic worth exploring in some detail

Marketplace

Most SMBs are Unaware of Cyber-insurance (Infosecurity Magazine) In a business environment that seems chronically susceptible to breaches, purchasing cyber-risk insurance may sound like common sense. Yet despite the historic increase in data breaches in 2014, a new survey has revealed that more than two-thirds (67%) of small and medium-sized businesses (SMBs) are not aware that dedicated cyber-insurance even exists

Stop thinking of fraud as taboo, and start addressing this critical IT security topic (TechRepublic) How much does your business lose to fraud? If you don't know the answer, fraud is likely a taboo IT security topic at your organization. Argyle Data's CEO explains why it shouldn't be

Observations From Advisen Cyber Risk Conference March 3rd in San Francisco (Infosec Island) Advisen provides information, analytics, research, and events for the insurance industry and reaches more than 150,000 commercial insurance and risk professionals at 8,000 organizations worldwide. There were approximately 150 attendees at the Conference from insurance companies, brokers, and consultants. The following were my observations

10 young security companies to watch in 2015 (Network World) One common thread is helping to make detection and remediation easier

Cybersecurity stocks sell off; FBN remains bullish (Seeking Alpha) Security tech plays, several of which were huge gainers in February, have been hard hit (HACK -2.6%) amid a market selloff. Major decliners include FireEye (FEYE -4%), CyberArk (CYBR -6.6%), Proofpoint (PFPT -4.7%), and Vasco (VDSI -5.5%). Imperva is off sharply after announcing a 3M-share offering

Palo Alto and Fortinet gain in network security market (Infotech Lead) The network security appliance and software revenue increased 6 percent to $6.9 billion in 2014. Palo Alto Network and Fortinet were the star performers

Bain to buy Blue Coat for about $2.4 billion (Reuters) Bain Capital LLC will acquire Blue Coat Systems Inc from fellow private equity firm Thoma Bravo LLC in a deal that the network security company said on Tuesday would value it at about $2.4 billion, including debt

PayPal confirms CyActive acquisition (Globes) PayPal will open a second Israeli development center in Beersheva, based on cyber security company CyActive's offices

Our Journey from Pioneering Predictive Cybersecurity Solution to PayPal (Cyactive Blog) Since launching in 2013, we have been tirelessly developing our future-proof solution to secure networks against increasingly complex multi-pronged cyber attacks. We are excited to announce today that we have entered an agreement to be acquired by PayPal

Startup Spotlight: GuruCul's Risk Analytics (eSecurity Planet) Data breaches occur when identity is compromised or misused, which is why GuruCul focuses on identifying anomalous behavior that can point to identity issues

Wynyard is your modern day Sherlock Holmes (e27) The company uses Big Data and advanced crime analytics to fight serious crimes

Isle of Man steps up efforts to court cryptocurrency startups (ComputerWeekly) The Isle of Man (IoM) government says it's making good legislative headway on the regulation of cryptocurrencies, as it seeks to position itself as a prime location for firms dealing in digital money

Cyber pay bump: Put your security clearance to work (Military Times) Conventional wisdom holds that your security clearance lands you a bigger paycheck in the cybersecurity world. While this is true statistically, it may not be true for you. In cyber, clearance doesn't automatically mean more money

CensorNet snatches Trustwave man for tech push (CRN) Security vendor appoints Alex Kurz as new head of sales engineering

Products, Services, and Solutions

The best 5 secure browsers 2015 (TechWorld) All browsers claim to be secure these days, so is there any point in using one that majors on its security?

Cloudflare Aims to Defeat Massive DDOS Attacks with Virtual DNS (Threatpost) DDoS attacks have been a persistent problem for the the better part of 20 years, and as ISPs and enterprises have adjusted their defenses, attackers have adapted their tactics. One of the more effective tools in the attackers? arsenal now is the use of botnets to generate massive numbers of DNS queries for a target site, a technique that can be quite difficult to defend against

Threatglass has pcap files with exploit kit activity (Internet Storm Center) Threatglass is a one way to find up-to-date examples of exploit kit traffic. Not all of it is exploit kit traffic, but all of it represents some sort of malicious activity

Cyveillance, Centripetal Networks Combine Tech for Cyber Threat Intell (ExecutiveBiz) QinetiQ's Cyveillance subsidiary has partnered with Centripetal Networks to combine the former's threat intelligence streaming technology and the latter's RuleGate platform to provide customers with actionable information on cyber threats

Cryptsoft collaborates with Intel on key management approach (PRNewswire) Cryptsoft, the preferred OEM provider of technology to the enterprise key management security market today announced a collaboration with Intel focussed on standards based encryption key management using OASIS Key Management Interoperability Protocol (KMIP) conformant technology

Cyber-risk May Take a Bite Out of Apple Watch (Infosecurity Magazine) Apple has unveiled the Apple Watch — a smart wearable that will function as a Mac-on-the-wrist. It has tech-heads excited, but security researchers warn that consumers should be careful of the potential cyber-risks that the gadget's on-board connectivity represents

Technologies, Techniques, and Standards

10 Ways to Leave Cybercriminals in the Dust (Pymnts) Cybercrime is on the rise, as are its associated fraud rings that are now more immune than ever to the multitude of fraud prevention tactics out there. But is there a way to fight the criminals' intelligence with even more sophisticated intelligence?

Hack yourself first: How we can take the fight to the black hats (Help Net Security) The Internet has increased the interconnectivity of everyone and everything on the globe. From healthcare to commerce, public services and beyond, being connected has enriched our quality of life like never before. But it's also exposed businesses and consumers alike to unprecedented levels of risk

Four Critical Questions to Ask Yourself When Looking for a Cyber Threat Intelligence Partner (iSIGHT Partners Blog) When looking at the Cyber Threat Intelligence (CTI) market, you should approach your research with the idea that you're not buying technology so much as forming a partnership with your vendor. Force multiplication is a core value proposition for this segment of the security market, as is enhanced effectiveness of the team you have in place

IT Disaster or Data Breach?: 7 Must-Do Steps (Information Management) It's no secret 2014 was a notable year for enterprise IT crises, and it's safe to say 2015 will have its fair share of scares as well. Unfortunately, data breaches aren't the half of it — system and service outages can be equally (if not more) devastating to enterprises. While major IT disruptions are damaging, preserving customer trust and confidence afterward is the next challenge organizations must perfect

How CIOs can create a culture of security awareness (FierceCIO) Numerous studies have agreed that IT security is the top concern among CIOs this year, especially with the topic rising to discussions among top boards of directors. That makes it critical that CIOs be able to communicate security risk at the executive level, and obtain buy-in for security investment

Security, Know Thine Enemy (SecurityWeek) Security professionals must know the categories of threats an enterprise faces and how to respond to each

An Audit Versus an Assessment (Infosec Island) A lot of people are always calling their PCI assessment an audit. However, certified public accountants (CPA) would tell them that there is a vast difference between the two

Legislation, Policy, and Regulation

Parliament Report Dismisses Cameron Encryption Ban (Computer Business Review) Authors claim 'widespread agreement' that anonymising tech should stay

Australia could become Asian cyber security base, says CBA's security chief (CIO) But we need to get our "home front" sorted first and make Australia a hard target for cyber criminals

Guest Post: Is the Sony Hack the Dawn of Cyber Deterrence? (Council on Foreign Relations) In the confines of national security, deterrence is the act of preventing another party from taking action out of fear of the consequences. In the attack against Sony Pictures Entertainment, North Korea failed in deterring Sony from releasing the movie "The Interview," and the United States failed in deterring North Korea from attacking Sony. Why? In cyberspace, the rules of the game are different. States are not deterred and regard cyberattacks as consequence-free because adversaries have not paid a price for the attacks. That changed with the Obama's unprecedented actions against North Korea and may herald the dawn of cyber deterrence

NSA Director Adm. Michael Rogers discusses freedom, privacy and security issues at Princeton University (NJ.com) Edward Snowden is not the "whistleblower" some have labeled him to be after releasing top-secret government information, said Adm. Michael Rogers, director the U.S. National Security Agency

Government report and US senator criticises Air Traffic Control network security (Lumension Blog) New York Senator Charles Schumer held a press conference this weekend, demanding "immediate action" to improve the security of the Federal Aviation Administration's computer systems

State Says It Needs to Rebuild Classified Computer Networks After Hack (Nextgov) The State Department says it needs to reconstruct its classified computer systems after suffering a hack the agency has said only affected its unclassified networks

Litigation, Investigation, and Law Enforcement

Cyber Regulators Emphasize Process Over Products (Forbes) It has been called "the most important cybersecurity case you've never heard of," and now it's getting a second life. The core issue in the dispute between the Federal Trade Commission (FTC) and Wyndham Worldwide WYN -1.74% Corporation is whether the FTC has the authority to enforce data security standards in the US commercial sector. Last April a federal judge ruled in favor of the FTC, but Wyndham has appealed. The 3rd Circuit Court of Appeals heard oral arguments earlier this month, and regardless of how that court rules, that decision is also likely to be appealed

Wikimedia v. NSA: Wikimedia Foundation files suit against NSA to challenge upstream mass surveillance (Wikimedia Blog) Today, the Wikimedia Foundation is filing suit against the National Security Agency (NSA) and the Department of Justice (DOJ) of the United States

ACLU: Snowden proved NSA Internet spying harms Americans (AP via KLTV) The American Civil Liberties Union and other groups sued the National Security Agency and the Justice Department on Tuesday, challenging the government's practice of collecting personal information from vast amounts of data harvested directly from the Internet's infrastructure

Lawsuit seeks damages against automakers and their hackable cars (Computerworld) A Senate report backs up claims that automakers haven't addressed electronic security

Clinton: Private email had 'no breaches' (The Hill) Former Secretary of State Hillary Clinton said on Tuesday that her private email server has never been compromised by hackers

Experts are skeptical that Hillary Clinton's 'homebrew' email server could withstand cyberattacks (Business Insider) As Hillary Clinton sought to assure the public that her exclusive use of a private email account while working in the State Department was innocuous, cybersecurity experts are wondering whether she could have exposed the nation to a major security threat

Cyber expert: Hillary's press conference did not inspire confidence (Business Insider) At a press conference on Tuesday, Hillary Clinton told reporters that the private email server she used while working in the State Department "had numerous safeguards" and "there were no security breaches"

Government to Drop Charges in Federal Employee Hacking Case (AP via ABC News) A National Weather Service employee accused of illegally accessing a restricted federal computer database containing information about the nation's dams, stealing information and lying to federal investigators will have charges against her dismissed if a judge approves the prosecution's request

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

Conference on Cyber Defence in Europe (Berlin, Germany, March 25 - 26, 2015) The conference aims to address these and other issues of cyber defense in a broad audience of policy-makers, senior officials and experts from EU institutions and Member States, representatives of industry...

Black Hat USA (Las Vegas, Nevada, USA, August 1 - 6, 2015) Black Hat — built by and for the global InfoSec community — returns to Las Vegas for its 18th year. This six day event begins with four days of intense Trainings for security practitioners...

Defcon 23 (Las Vegas, Nevada, USA, August 4 - 7, 2015) DEF CON has been a part of the hacker community for over two decades. See the organization's website for more information

BSides Augusta 2015 (Augusta, Georgia, USA, September 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of...

Annual Privacy Forum 2015 (Luxemburg, October 7 - 8, 2015) The distributed implementation of networks and services offers the opportunity for new Privacy Enhancing Technologies (PETs) that could support users' needs while safeguarding their personal data. Although...

Upcoming Events

OISC: Ohio Information Security Conference (Dayton, Ohio, USA, March 11, 2015) Technology First invites you to participate in the 12th Annual Ohio Information Security Conference Wednesday, March 11, at the Sinclair Community College Ponitz Center in Dayton, Ohio. The conference...

RiSK Conference 2015 (Lasko, Slovenia, March 11 - 12, 2015) In recent years RISK conference has become one of the leading events on computer security in the Adriatic region and is attended by engineering as well as executive staff of companies from the region.

B-Sides Vancouver (Vaqncouver, British Columbia, Canada, March 16 - 17, 2015) The third annual Security B-Sides Vancouver is an information security conference that will be held March 16th and 17th. We love to see brand new speakers, seasoned speakers, and everyone in between

Insider Threat 2015 Summit (Monterey, California, USA, March 16 - 17, 2015) The Insider Threat 2015 Summit is about bringing Government and Industry organizations and their cybersecurity leaders together in order to better understand the type of threats that may impact their infrastructure...

2015 North Dakota Cyber Security Conference (Fargo, North Dakota, USA, March 17, 2015) The North Dakota Cyber Security Conference brings together community members from academia, government and industry to share strategies, best practices and innovative solutions to address today's challenges...

IT Security Entrepreneurs Forum: Bridging the Gap Between Silicon Valley & the Beltway (Mountain View, California, USA, March 17 - 18, 2015) IT Security Entrepreneurs Forum (ITSEF) — SINET's flagship event — is designed to bridge the gap between the Federal Government and private industry. ITSEF provides a venue where entrepreneurs...

IT Security Entrepreneurs Forum: Bridging the Gap Between Silicon Valley & the Beltway (Mountain View, California, USA, March 17 - 18, 2015) IT Security Entrepreneurs Forum (ITSEF) — SINET's flagship event — is designed to bridge the gap between the Federal Government and private industry. ITSEF provides a venue where entrepreneurs...

Philadelphia SecureWorld (Philadelphia, Pennsylvania, USA, March 18 - 19, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...

2015 Cyber Security Summit (McLean, Virginia, USA, March 19, 2015) During Congressman Mike Rogers' "The Code War in America" talk at the June 2013 POC breakfast, he challenged all of us to "recognize that every day U.S. businesses are targeted by governments like China...

BSides Salt Lake City (Salt Lake City, Utah, USA, March 20 - 21, 2015) BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.