skip navigation

More signal. Less noise.

Daily briefing.

The US would, in the name of better information operations, like news organizations to refrain from running ISIS-supplied b-roll. Observers think ISIS is "disrupting" (in the business-school sense of the word) the Internet as a terrorist tool, essentially replacing tight command-and-control with inspiration and general communication of intent. (Scharnhorst would have recognized this as a version of Auftragstaktik.)

root9B makes a large claim: early detection and exposure induced a Russian cyber-mob to call off a major attack on Western banks.

Other security companies turn their attention to Chinese cyber operations, said to be showing fresh zeal in targeting nations around its coveted South China Sea. (Nepal figures on some target lists, which suggests "vicinity" is understood expansively, as if one called Slovakia a Baltic nation.) Onapsis thinks SAP exploitation figured in last year's hack of security-investigation contractor USIS. Cylance reports the reappearance of Chinese threat-actor SPEAR (and offers some glum Darwinian reflections on selection pressures driving threat adaptation).

The VM-escape-enabling bug VENOM received due scrutiny. While anything that permits what VENOM allows is a serious vulnerability and must be addressed, consensus holds that panic is unwarranted. No exploitation has been observed in the wild, and a VENOM attack would require either compromised administrator accounts or a rogue administrator. (Both compromised admin accounts and rogue insiders happen, of course, so take prudent steps as outlined in discussions linked below.)

The former chair of the US House Intelligence Committee seeks to make everyone's flesh creep by warning of a Sino-Russian "alternative Internet."

Notes.

Today's issue includes events affecting Cambodia, China, Indonesia, Iran, Iraq, Laos, Malaysia, Myanmar, Nepal, Philippines, Russia, Singapore, Syria, Thailand, Ukraine, United Arab Emirates, United States, and Vietnam.

Cyber Attacks, Threats, and Vulnerabilities

How the Islamic State Is Disrupting Online Jihad (Defense One) The Islamic State group's use of social media for messaging has drawn plenty of attention. But their use of the web to mount terrorist attacks is just as revolutionary

Stop using ISIL footage, Obama administration asks networks (Politico) U.S. bombing campaign has militants on the run, U.S. officials say

Russian hacking group was set to hit U.S. banks (The Hill) A Russian hacking group was poised to launch a cyber assault on U.S. banks, but may have withdrawn those plans after being discovered

Targeted Cyber-Attacks to Infiltrate Nations around the South China Sea (Foreign Affairs) From setting up spying infrastructure within a country's borders for real-time connections and data mining, to spying tools with 48 commands, a new report by Kaspersky Lab shows how the threat actor Naikon has spent the last five years successfully infiltrating national organisations around the South China Sea

Cybersecurity Companies Point To More Aggressive Hacking By China (BuzzFeedNews) New types of attacks led by groups based out of China have been highlighted in reports by Kaspersky and FireEye

Chinese most likely using one of top three most common SAP exploits, as identified by Onapsis, to compromise US agencies (Onapsis: the Business Critical Application Security Blog ) The Hill publication reported on November 3, 2014 that Chinese hackers roamed around unnoticed for months inside the network of USIS, is the biggest commercial provider of background investigations to the federal U.S. government. In fact, two of the company's biggest customers were the Department of Homeland Security (DHS) and the Office of Personnel Management (OPM)

SPEAR: A Threat Actor Resurfaces (Cylance Blog) Attackers typically shut down campaigns or halt activity after they are exposed by security researchers, thereby creating the impression they have dropped off the map. This often leads to a false sense of security within the community and perpetuates the idea that public exposure makes us all safer. While the exposed activity is no longer observed, attackers simply continue in the background — evolving or altering their tactics to seamlessly continue operations with increasingly advanced malware. So while potentially making us safer in the short-term, exposure often forces a Darwinian evolution in malware

Aggressive Malware Pushers: Prolific Cyber Surfers Beware (Cyphort Labs Blog) On April 19, Cyphort hardware sandbox trolled over a site www.49lou.com that served up 83 pieces of Windows executable files (EXE and DLL binaries) with zero user interaction. By now, most of the malware researchers are used to seeing drive-by infections that serve up a handful of malware, from droppers to payloads. However, getting 83 pieces in one shot is way too "generous" by any account and it surely peaked the interest of our researchers. For the security minded: How did this happen? What are those binary pieces? What does this tell us and what can we do for better protection? In this article, we share all our findings along these lines

VENOM: Virtualized Environment Neglected Operations Manipulation (CrowdStrike) Vendor advisories, patches, and notifications available below in Q&A section

The VENOM "virtual machine escape" bug — what you need to know (Naked Security) Plenty of vulnerabilities have been fixed in the past week, with at least Adobe, Microsoft, Mozilla and Apple delivering dozens of critical security fixes for software that includes three of the Big Four browsers

Venom VM bug called "perfect" for NSA, or for stealing bitcoins and passwords (Ars Technica) Attack code exploiting virtualization flaw could be available soon, researcher says

VENOM hype and pre-planned marketing campaign panned by experts (CSO) The vulnerability itself is unique and interesting, but the marketing makes it look bigger than it is

Some brief technical notes on Venom (Errata Security) Like you, I was displeased by the lack of details on the "Venom" vulnerability, so I thought I'd write up what little I found

VENOM Vulnerability Threatens Virtual Machines (Tenable Blog) Today the VENOM (Virtualized Environment Neglected Operations Manipulation) vulnerability, CVE 2015-3456, was announced. VENOM originates in a legacy virtual floppy disk controller from QEMU. If an attacker sends specially crafted code to the controller, it can crash the hypervisor and allow the attacker to break out of the VM to access other machines. VENOM impacts several popular virtualization platforms that include the QEMU controller, including Xen, KVM, and Oracle's VirtualBox. Patches for QEMU and Xen are already available. To date, no exploit has been observed in the wild. Other virtual machine platforms such as VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected

Xen Security Advisory CVE-2015-3456 / XSA-133 version 2: Privilege escalation via emulated floppy disk drive (Xenbits) The code in qemu which emulates a floppy disk controller did not correctly bounds check accesses to an array and therefore was vulnerable to a buffer overflow attack

[Qemu-devel] [PULL 1/1] fdc: force the fifo access to be in bounds of the allocated buffer (Gnu) During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest

[VENOM] Vulnerability Summary: What is the Impact to FireEye Products and Services? (FireEye) FireEye's hypervisor is among many technologies that leverage the open source component that was publicly disclosed today as having a critical vulnerability (CVE-2015-3456). FireEye employs many measures in its products to limit the impact of these types of issues through secure development practices and operational processes that ensure we respond quickly to security issues. Because of this, we can — and have — responded to VENOM by ensuring immediate availability of patches to customers for all of our major products

Important Notice — QEMU "VENOM" Vulnerability (Rackspace Support Network) Earlier this week, we were notified of a potential hypervisor vulnerability (Xen Security Advisory 133: … and ) that affects a portion of our First and Next Generation Cloud Servers fleet, as well as Cloud Big Data. Please note that OnMetal Cloud Servers are not affected

VENOM (CVE-2015-3456) Vulnerability and Linode (Linode Blog) A new security advisory, CVE-2015-3456 called VENOM (Virtualized Environment Neglected Operations Manipulation), was released today. Our Security Team has thoroughly reviewed this vulnerability and we wanted to take a moment to reassure Linode customers that this vulnerability does not affect any part of the Linode infrastructure and no action is required on your part

XSA Security Advisory CVE-2015-3456 (Amazon Web Services) We are aware of the QEMU security issue assigned CVE-2015-3456, also known as "VENOM," which impacts various virtualized platforms. There is no risk to AWS customer data or instances

New 'Breaking Bad' ransom Trojan is no laughing matter, says Symantec (Techworld via CSO) Windows users across the English-speaking world have been warned to be on the lookout for a new Trojan campaign that borrows imagery from the TV show Breaking Bad as part of a not-so-amusing attempt to extort money from anyone infected by it

Ex-NSA security bod fanboi: Apple Macs are wide open to malware (Register) 'I love Apple products, I just wish they were secure'

'Hound of Hounslow' highlights need for surveillance says Nasdaq (Banking Technology) As greater convergence between asset classes and the unification of trading desks and trading strategies across multiple asset classes becomes more common, the opportunities for sophisticated market abuse may be on the rise. That may mean that the need for surveillance is greater than ever, according to Tony Sio, head of SmartsTrade Surveillance, exchange and regulators at Nasdaq

The scariest cyber threat of all? How hackers are hijacking planes (Information Age) he aviation industry is a growing target for hackers who can gain control of critical ICT systems. Cyber attacks on the aviation industry are becoming a sensitive issue. Considering that cyberspace provides a low-cost haven for carrying out a broad range of disruptive activities, it is reasonable to conclude that hackers will consider the aviation sector as one of their targets

United Airlines Bug Bounty — Find Vulnerabilities, Win Airmiles! (Tripwire: the State of Security) It seems more and more companies are beginning to understand the benefits of running a bug bounty program, encouraging vulnerability researchers to report security flaws responsibly (for a reward) rather than publishing details on the web or selling a flaw to potentially malicious parties

The Overhyping of Iran's Cyberarmy (Daily Beast) They said an Iran deal would supercharge Tehran's hacking brigade. But when they showed their data to U.S. intelligence analysts, they were told to get lost

Data breaches lead to surge of spoofing attacks (Help Net Security) The number of attacks on businesses is trending up as crimeware tools gain traction providing tools to fraudsters to automate cybercrime attacks leveraging the customer data made available from breaches

How to Become an Internet Supervillain in Three Easy Steps (Arbor Networks IT Security Blog) One of the truisms of comic books and graphic novels is that nothing is immutable — both heroes and villains are rebooted, retconned, featured as radically (or subtly) different versions in alternate timelines, etc. The Marvel Cinematic Universe, which so far includes the Captain America, Thor, Hulk, Iron Man, and Avengers films, is a good example. DC are doing the same with The Flash and Green Arrow, and the latest cinematic incarnations of Batman and Superman are set to do battle with one another in a projected summer blockbuster movie next year

Cyber Attack Halts State Assessment Testing Again (CBS Minnesota) It was an all-too-familiar situation for the Minnesota Department of EducationWednesday

Cyber Trends

Internet of Things cannot remain a security blind spot (Beta News) The network is more exposed than ever before with the expanded attack surface IoT brings, leading to increasing support for securing interconnected devices. As the Industrialization of Hacking evolves, so does the number of vulnerable end points on the network including physical systems, mobile devices and wearable technologies

Good Morning Monday — Hello Cyber Attack (BusinessWire) Drop in detected malware attacks in organisations coincides perfectly with weekends

Do ethics get in the way of security professionals? (Help Net Security) While it's convenient to think that the information security industry is made up of highly ethical individuals who make the right decision every time, a stressful situation can turn things around faster than you can say black hat

Marketplace

Cyber threats one of top risks to financial markets, study shows (ComputerWeekly) Most financial institutions cite cyber threats as a top five risk, the latest Systemic Risk Barometer Study shows

Security Service Providers Misaligned with Customer Needs (Infosecurity Magazine) Asked where managed security offerings should improve, IT departments are most keen to see better email security; better web protection; and better antivirus. Managed security providers on the other hand are planning on prioritizing security consultancy and offering more proactive system updates and patching — indicative of the misalignment in the relationship

Intel executive on why management of privacy is ripe for innovation (Chicago Tribune) You probably wouldn't share your house keys, private conversations or spending habits with just anyone. Yet if you use digital devices, credit cards, Wi-Fi and mobile apps, you're giving away more personal information than you think to strangers, companies and even the government. But you can regain some control, says Michelle Finneran Dennedy, vice president and chief privacy officer for California-based Intel Security Group

You'll Shudder When You See What Google Knows About Your Web Searches (Intego Blog) Google probably knows more about you than your mother, your partner, your boss… but chances are that you have no idea of just how much it knows

Defense Department's tech investing signals Silicon Valley's importance in cyberwarfare (San Jose Mercury News) As more conflicts shift from land to cyberspace, the nation's defense agencies are relying less on missiles and tanks and more on Silicon Valley technology entrepreneurs and startups to secure the country's porous Internet battlefield

Defense Security Information Exchange Formalized As Named Information Sharing And Analysis Organization (PRNewswire) Following President Obama's signature of Executive Order 13961 on cyber intelligence sharing, the Defense Security Information Exchange (DSIE) has officially incorporated as the Defense Industrial Base Information Sharing and Analysis Organization, the nation's first organization named as an Information Sharing and Analysis Organization (ISAO) since the release of the Executive Order

Defense Contractor 'Reinvents Itself' to Operate Under Foreign Ownership (National Defense) At a time of heightened concern about attacks on U.S. computer networks, the federal government might be expected to frown on a foreign takeover of one its cybersecurity contractors

Colorado man claims controversial hacker-for-hire site HackersList.com (Denver Post) A southern Colorado man stepped out from behind a mysterious veil this week to claim responsibility for a controversial — and popular — computer hacker-for-hire website raising eyebrows around the globe

Vorstack Names New Executives, Broadens Security Experience of Leading Threat Intelligence Platform Provider (Digital Journal) Vorstack, a leading Threat Intelligence Platform provider for automation, curation and sharing of threat intelligence to fight cyber threats, today announced it has named former McAfee (now Intel Security) senior vice president Jill Kyte as senior vice president of marketing, and former Q1 Labs (now IBM) and F5 Networks sales executive Jon Fraleigh as senior vice president of worldwide sales

Products, Services, and Solutions

Bitdefender Dictates New Standard for Virtualized Infrastructure Security (BusinessWire) Bitdefender defeats long-exploited advanced threat vectors in virtualized environments

Software detects fake mobile, Wi-Fi networks (IDG via Computerworld) CoroNet aims to address growing concerns around mobile phone spying

BitTorrent brings its Bleep secure messaging app out of alpha mode (Guardian) Company promises 'there is no server for hackers to target' messages and metadata, but app is entering a crowded market

Global Cybersecurity Leader Fox-IT Launches Web and Mobile Event Analytics Platform for U.S. Financial Services Industry (Nasdaq) Today, global cybersecurity leader Fox-IT launched its Web and mobile event analytics platform DetACT for the U.S. financial services industry

Technologies, Techniques, and Standards

Encrypting Your Email: What Is PGP? Why Is It Important? And How Do I Use It? (Re/code) In the summer of 2013, the U.S. woke up one morning to learn that NSA subcontractor Edward Snowden had dumped some of the federal government's biggest secrets on the front pages of newspapers worldwide. As we would later learn, Snowden's revelations became headlines because he was able to reach out to journalists using encrypted communications under the now-infamous nom de guerre "Citizenfour"

Testing yields best security results (IT Web) Trying to solve security problems using products alone is a mistake companies make over and over again

Why I make my kids read privacy policies (Christian Science Monitor Passcode) It's like teaching them to look both ways before crossing the street. Reading privacy policies for apps is about learning basic safety tips in the Internet Age and gives parents an opportunity to teach kids about responsibility and self awareness on the Web

Sometimes, Perception is Just as Important as Reality (SecurityWeek) In the world of security, there is often a significant difference between perceived reality and what is actually happening

The slow death of static security detections: Beginning of SIEM deployments (Help Net Security) Machines both mechanical and electric have always been good at counting things. Ask anyone from an earlier generation who still uses a Victor Champion adding machine from the early 1950s, even though replacement paper rolls and ink ribbon are required. One may wonder someone wouldn't just use a battery operated calculator, but we all know that letting go of the old familiar paradigms is hard

Can you correctly identify phishing emails? (Help Net Security) An Intel Security quiz presented ten emails and asked respondents to identify which of the emails were phishing attempts designed to steal personal information and which were legitimate. Of the approximately 19,000 survey respondents from 144 countries, only 3% were able to correctly identify every example correctly and 80% of all respondents misidentified at least one of the phishing emails, which is all it takes to fall victim to an attack

America's supply of IP addresses is about to run out (The Week) Back in 1981, when volunteer engineers designed the internet, they created 4.3 billion Internet Protocol (IP) addresses, assuming the gigantic number would more than suffice. About 20 years later, Europe and Asia exhausted their supply, and America's remaining allotment — about 3.4 million — will likely dry up this summer

Research and Development

Quantum computing is about to overturn cybersecurity's balance of power (Washington Post) "Spooky action at a distance" is how Albert Einstein described one of the key principles of quantum mechanics: entanglement. Entanglement occurs when two particles become related such that they can coordinate their properties instantly even across a galaxy

Legislation, Policy, and Regulation

China, Russia seeking their own Internet, warns former Intel chairman (The Hill) The cyber pact that China and Russia signed on Friday threatens online freedom and represents a "real, concrete step" toward an alternative Internet, according to former House Intelligence Committee Chairman Mike Rogers (R-Mich.)

Beijing to Troops: Wearables Represent a National Security Risk (Infosecurity Magazine) The Chinese authorities have warned People's Liberation Army (PLA) troops that wearable technology represents a national security risk as it could be tracked and used to reveal military secrets

The State Department's Weary Soldier in America's Cyber War (Foreign Policy) From Ukraine to Sony, cyber attacks are spooking governments and private companies — and leaving officials like Christopher Painter scrambling to help devise rules of the road for how to respond

House votes to end NSA bulk phone data collection program; Senate likely won't (CNN via WTVR CBS 6) The House of Representatives approved a bill on Wednesday that ends the bulk collection of data under federal surveillance programs and creates a more targeted system for monitoring communications potentially impacting national security

Few Americans Support Clean Reauthorization of Patriot Act (Morning Consult) Fewer than one in six Americans support reauthorizing the Patriot Act without making changes to the National Security Agency's surveillance practices

What the End of Bulk Metadata Collection Would Mean for Intelligence Collection (Defense One) Americans may not trust spies with their data. Will they trust spy machines?

Businesses need more guidance on trigger for data breach notifications, says expert (Out-Law) Businesses need more guidance from policy makers on when the requirement to report data breach incidents is triggered, an expert has said

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

QuBit 2015 Cybersecurity Conference (Prague, Czech Republic, May 13 - 15, 2015) QuBit brings together top experts and leaders in the field, from the private sector, to academia, to government. The main topics this year are APTs, the Internet of Things, and Digital Forensics, which...

Michgan InfraGard 2015 Great Lakes Regional Conference: Securing Our Critical Infrastructures (Novi, Michigan, USA, May 14, 2015) Learn all about the risks to critical infrastructures and key resources and the efforts underway to protect them. Private and public sectors will be represented. The conference will include four breakout...

THOTCON 0x6 (Chicago, Illinois, USA, May 14 - 15, 2015) THOTCON (pronounced \ˈthȯt\ and taken from THree - One - Two) is a hacking conference based in Chicago IL, USA. This is a non profit non-commercial event looking to provide the best conference possible...

International Conference on Cyber Security (ICCS) 2015 (Redlands, California, USA, May 16 - 17, 2015) The ICCS 2015 serves as a platform for researchers and practitioners from academia, industry, and government to present, discuss, and exchange ideas that address real-world problems with CYBER SECURITY.

FS-ISAC & BITS Annual Summit (Miami Beach, Florida, USA, May 17 - 20, 2015) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services...

2015 Cyber Risk Insights Conference — Chicago (Chicago, Illinois, USA, May 18, 2015) Advisen again brings its acclaimed Cyber Risk Insights Conference series to Chicago with a full-day event addressing the critical privacy, network security and cyber insurance issues confronting risk professionals...

2015 Honeynet Project Workshop (Stavanger, Norway, May 18 - 20, 2015) Each year the Honeynet Project annual workshop brings together top information security experts from around the globe to present their latest research efforts and discuss insights and strategies to combat...

IEEE Symposium on Security and Privacy (San Francisco, California, USA, May 19 - 22, 2013) Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for the presentation of developments in computer security and electronic privacy, and for bringing together researchers...

Fraud Summit Chicago (Chicago, Illinois, USA, May 19, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Highlights of the Chicago event include...

NCCOE Speaker Series: The Cyber Danger: Problems of Strategic Adaptation (Rockville, Maryland, USA, May 20, 2015) Lucas Kello (Senior Lecturer in International Relations / Director of Cyber Studies Program, Oxford University, and Associate of the Science, Technology & Public Policy Program, Belfer Center for Science...

3rd Annual Georgetown Cybersecurity Law Institute (Washington, DC, USA, May 20 - 21, 2015) In 2015, it is more important than ever that in-house and outside counsel stay abreast of the most current developments and best practices in cybersecurity. Those lawyers who ignore cyber threats are risking...

AFCEA Spring Intelligence Symposium 2015 (Springfield, Virginia, USA, May 20 - 21, 2015) The Symposium will be a one-of-a-kind event designed to set the tone and agenda for billions of dollars in IC investment. Leaders from all major IC agencies, from the ODNI, IARPA, and the National Intelligence...

SOURCE Conference (Boston, Massachusetts, USA, May 25 - 28, 2015) SOURCE is a computer security conference happening in Boston, Seattle, and Dublin that is focused on offering education in both the business and technical aspects of the security industry. The event's...

7th International Conference on Cyber Conflict (Tallinn, Estonia, May 26 - 29, 2015) CyCon is the annual NATO Cooperative Cyber Defence Centre of Excellence conference where topics vary from technical to legal, strategy and policy. The pre-conference workshop day, 26 May, features a variety...

Time for a Refresh: Technology & Policy in the Age of Innovation (East Palo Alto, California, USA, May 27, 2015) On May 27th, join technology leaders and innovators, along with industry and government experts, for a dynamic discussion around today's cyber challenges and key decisions to be made around the intersect...

HITBSecConf2015 Amsterdam (De Beurs van Berlage, Amsterdam, The Netherlands, May 26 - 29, 2015) This year's event will feature a new training courses. Keynote speakers include Marcia Hofmann and John Matherly. To encourage the spirit of inquisitiveness and innovation, Haxpo will showcase cutting...

1st Annual Billington Corporate Cybersecurity Summit (New York, New York, USA, May 27, 2015) Join Billington CyberSecurity's unparalleled network of cybersecurity professionals as they provide hard-earned insights and education to a high level and exclusive group of attendees from the corporate...

Atlanta Secure World (Atlanta, Georgia, USA, May 27 - 28, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...

Techno Security & Forensics Investigations Conference (Myrtle Beach, South Carolina, USA, May 31 - June 3, 2015) The Seventeenth Annual International Techno Security & Forensics Investigations Conference will be held May 31 ? June 3 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. This conference promises...

Mobile Forensics World (Myrtle Beach, South Carolina, USA, May 31 - June 3, 2015) The Eighth Annual Mobile Forensics World will also be held May 31 ? June 3 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. The Mobile Forensics World is specifically dedicated to Federal, State...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.