Daily briefing.

Saudi Arabia's foreign ministry may have suffered a breach, possibly at the hands of the "Yemen Cyber Army," an Anonymous-flavored dissident outfit. (And see Passcode's discussion of why Anonymous still gives off more of a prankster vibe than an anarcho-syndicalist one.)

The Australian heartland joins the American heartland in ISIS cyber crosshairs. Self-declared adherents of the Caliphate expand their harvest of low-hanging fruit to a Canberra school, vandalizing its website.

FireEye announces discovery of new point-of-sale malware, "NitlovePOS," which uses spam as an infection tool and encrypted comms in its exfiltration of stolen data.

McAfee Labs finds a free ransomware kit, "Tox," being distributed on the dark web. Tox enables users to achieve a degree of anonymity through Tor and Bitcoin; researchers say Tox "works as advertised."

Post mortems on the mSpy, CareFirst, and AdultFriendFinder breaches continue. One thing they have in common: the stolen data's usefulness in extortion.

In the US, NSA domestic bulk collection approaches sunset.

Another call is issued for a cyber security "Manhattan Project." We heard this a few times at RSA, sometimes as a call for a cyber "Project Apollo". But the metaphor — well intended though it may be in a cry for priority, commitment, and resources — isn't entirely convincing. Consider Archilochus's epigram: the fox knows many things, but the hedgehog knows one big thing. The Apollo and Manhattan hedgehogs set out to solve, and solved, one big thing. But cyber security is one of the foxiest collections of problems most of us have seen.


Today's issue includes events affecting Australia, Canada, Germany, Isle of Man, Israel, Malaysia, Poland, Saudi Arabia, Thailand, United Arab Emirates, United States of America, and Yemen.

The CyberWire will be in New York tomorrow, covering the inaugural Billington Corporate Cybersecurity Summit. Watch for interviews and special issues.

Cyber Attacks, Threats, and Vulnerabilities

Riyadh confirms hacking of Foreign Ministry servers (PressTV) Riyadh has confirmed the internal Internet network belonging to the Saudi Foreign Ministry has come under a cyber-attack

Yemeni Hackers Reveal Top Secret Docs in Saudi Government Cyber Attack (Sputnik News) Yemeni hackers reveal top secret docs in Saudi government cyber attack

St Clare's College website hacked with Islamic messages (Canberra Times) The St Clare's College website was hacked to display white Arabic text on a black background with "scary" music playing in an apparent reference to Islamic State over the weekend

New Point-of-Sale Malware NitlovePoS Sends Card Data via Encrypted Connection (Softpedia) Security researchers identified a fresh malware piece targeting point-of-sale (PoS) systems that relies on encrypted communication to exfiltrate payment card info from the memory of the payment processing machines

Attackers use email spam to infect point-of-sale terminals with new malware (CSO) They're likely counting on some employees misusing such terminals to browse the Web or check their personal email at work

Meet 'Tox': Ransomware for the Rest of Us (McAfee Labs Blog) The packaging of malware and malware-construction kits for cybercrime "consumers" has been a long-running trend. Various turnkey kits that cover remote access plus botnet plus stealth functions are available just about anywhere. Ransomware, though very prevalent, has not yet appeared in force in easy-to-deploy kits

New research suggests that hackers can track subway riders through their phones (Daily Dot) Underground subways offer no place to hide from hackers

Could thieves use jamming technology to steal your car? (Guardian) Theoretical attack becomes real as criminals begin using jammers to block remote locking car keys

mSpy finally admits they've been hacked (Help Net Security) After having first denied that they suffered a breach and had their customers' data stolen and leaked on the Dark Web, mobile spyware maker mSpy has finally admitted that the incident happened, but they claim that only 80,000 customers (and not 400,000) have been affected

CareFirst breach demonstrates how assumptions hurt healthcare (CSO) Assumptions related to criminals, security posture, and remediation are hurting healthcare

3 Critical Takeaways From The Damaging CareFirst Hack That Exposed Millions (DCInno) On Wednesday, District-based not-for-profit insurer CareFirst BlueCross BlueShield announced it had been hacked in June 2014

The human cost of the Adult Friend Finder data breach (CSO) This Friday the news hit that 3.5 million personally identifiable records were leaked from systems belonging to the adult oriented website, AdultFriendFinder

Recent Breaches a Boon to Extortionists (KrebsOnSecurity) The recent breaches involving the leak of personal data on millions of customers at online hookup site Adult Friend Finder and mobile spyware maker mSpy give extortionists and blackmailers plenty of ammunition with which to ply their trade. And there is some evidence that ne'er-do-wells are actively trading this data and planning to abuse it for financial gain

Insider Data Breach at Medical Billing Company Hits Patients at Several Hospitals (eSecurity Planet) A call center employee at billing company Medical Management, LLC stole thousands of patients' names, birthdates and Social Security numbers

Isle of Man taxpayers' info leaked due to email error (Help Net Security) Email addresses of approximately 5000 customers of the Income Tax Division (ITD) of the Isle of Man — a self-governing British Crown dependency and a tax haven for the rich — have been leaked via email

Hackers Target Bitcoin Exchange BitFinex’ Hot Wallet (HackRead) Reportedly BitFinex was hacked, but thanks to the strict security measures in place only a minimal amount was lost

Scareware: Fake Minecraft apps Scare Hundreds of Thousands on Google Play (We Live Security) ESET has discovered over 30 scareware applications available for download from the Google Play store

Researcher who exploits bug in Starbucks gift cards gets rebuke, not love (Ars Technica) Plenty of poor manners to go around in fraudulent $1.70 purchase

With all its political bluster, Anonymous can't shake its 'prankster' past (Christian Science Monitor Passcode) A study shows that the media regards the online collective as 'pranksters' even though its various elements take part in social action and political causes

Social Engineering: Even Shakespeare understood security's weakest link (CSO) What do Shakespearean tragedies and security issues have in common? Both are overwhelmingly the result of human error. Othello is one of Shakespeare's greatest plays, and Iago is one of literature's first social engineers

Bulletin (SB15-145) Vulnerability Summary for the Week of May 18, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week

Cyber Trends

Is security really stuck in the Dark Ages? (CSO) Amit Yoran's colleagues didn't agree with everything the RSA President said at his keynote last month. But most say he got the essentials right — things are bad and getting worse, and the industry needs a new mindset

Plane safe? Hacker case points to deeper cyber issues (Reuters) Security researcher Chris Roberts made headlines last month when he was hauled off a plane in New York by the FBI and accused of hacking into flight controls via his underseat entertainment unit

Will our future Internet be paradise or dystopia? (Christian Science Monitor Passcode) What we learned from an Atlantic Council event discussing digital trends and possible scenarios for the world's online future

More bad news: The bad guys are getting better (GCN) If there's one lesson to be gained from all the security breaches and revelations of major bugs in security protocols in 2014, it's that attackers are upping their game and finding more opportunities. That's only reinforced by several new studies

MIT CIO Symposium: Outdated security assumptions put companies at risk (TechTarget) It's a digital world, and as much of a good thing as this is, a digital world is also infested with cybercriminals who eat enterprise security for lunch. That was the message from Roland Cloutier, chief security officer (CSO) at HCM provider ADP, at this year's MIT CIO Sloan Symposium

What the security industry can learn from the World Health Organization (Christian Science Monitor Passcode) The discovery of computer bugs can be marketing boons for cybersecurity firms. But one critic says the industry should take a page from the health profession and select names for flaws that aren't designed to stoke fear or generate buzz

Cyber Threat Analysis: A Call for Clarity (Dark Reading) The general public deserves less hyperbole and more straight talk

Malware is not only about viruses — companies preinstall it all the time (Guardian) Since I started free software in the 80s, developers have grown to routinely mistreat users by shackling behaviour and snooping — but we have ways to resist

Top lessons from data breach investigations (Betanews) Data breaches are an all too common part of our landscape today, but are we learning the lessons from them to make our systems more secure?

20% of IT professionals have witnessed a security breach cover-up (IT Security Guru) Research conducted by AlienVault has shown that 20% of IT security professionals have witnessed a breach being hidden or covered up. The survey also found that in the event of a breach, only 25% of professionals would see the best course of action as telling the regulator and paying the fine

Breaches Cost Healthcare $6 Billion Annually (Health IT Outcomes) A Ponemon Institute report indicates cyber criminals have increased their attacks on healthcare 125 percent, costing the industry $6 billion annually

Employees Engaging in Risky Cyber-Security Activities (eWeek) The majority of global survey participants admitted understanding the obvious cyber-threats when downloading email attachments from an unknown sender

Threats in Polish networks — CERT Polska 2014 report (CERT Polska) Today, we published the annual CERT Polska report in its English version. This report presents the most important trends and observations that we think shaped Polish cybersecurity in 2014. This includes new, upcoming threats, their evolution and our responses to them


Confronting the widening infosec skills gap (CSO) Estimates of the shortage of qualified information security professionals needed to fill available jobs in the next several years range into the multiple millions. A number of organizations are trying to change that. But they say it will likely be years before the gap is closed

Blackberry Acquisition: Apple, Microsoft, Xiaomi & Lenovo Are In $7B Acquisition Race — Reports ( Blackberry is back in demand, and be assured that this is not 2010

BlackBerry Ltd Laying off Device Employees to Increase Software Development (Viral Global News) After another significant loss in their fiscal fourth quarter of 32 percent, BlackBerry is making some harsh choices

Jim Cramer: Why FireEye's Losses Are Actually a Good Sign (The Street) What opportunities are so great that you have to be willing to lose money to grab them all? What kind of business willingly loses money in order to capture all the business out there? I can think of only one: cyber security

Why small firms mean big business for cybersecurity (Fortune) Small firms, especially in finance, need cybersecurity companies that can provide affordable solutions

Israel emerges as global cyber superpower (Haaretz) Sales by Israeli companies reached 10% of world total, figures show

Woolworths hires first-ever CISO (IT News) KPMG exec to head IT security ranks

Products, Services, and Solutions

Microsoft ATA: Worthy Successor To Patch Tuesday (InformationWeek) Tight integration with Active Directory gives Microsoft's new Advanced Threat Analytics appliance a powerful claim to stake in enterprise IT security

Huawei unveils APT big data security solution (IT Brief) Huawei has released a new solution designed to protect against Advanced Persistent Threat (APT) and distributed denial-of-service (DDoS) attacks

Enterprise Level Cyber Security from Digital Shadows (Tech.Co) "You can no longer assume you're never going to be hacked. You have to assume that you will be," says James Chappell, co-founder of cyber threat intelligence company, Digital Shadows

Technologies, Techniques, and Standards

Identifying Fake Social Media Profiles Possible With Google Image Search (HackRead) Creating fake social media accounts has been the favorite trick of hackers and scammers for interacting with potential victims. However, thanks to Google Search now you can identify if such an account is real or fake by searching the profile picture

Info sharing best defence against cyber threat (Gulf News) Organisations have to start thinking of concerted actions rather than go it alone

Best Practices for Deterring Cyber Hackers (MSPMentor) eFax Corporate recently hosted a webinar to inform covered entities in healthcare of the dangers that today's sophisticated cyber hackers pose to their electronic protected health information (ePHI) and other intellectual property

Stripping back security with 'less is more' approach (IT Pro Portal) Today's businesses have never spent more on cyber security, yet they've never been less protected. While the global security spend races towards $30 billion, breaches in UK businesses alone have shot up by almost 25 per cent in the past three years

13 must-have security tools (Network World via CSO) The experts weigh in on their top picks for protecting enterprise networks

Have You Been Hacked? How to Recover from a Data Breach (Business Daily) It's every modern business's worst nightmare: You discover there's been a security breach, and your sensitive business and customer data has ended up in the hands of hackers

5 security questions to ask before clicking on a link (We Live Security) URLs used to be a nice and simple way to link to an online destination without a long and fiddly URL, but in today's world of advancing cybercrime they can lead to password and data theft, even drive-by-download malware attacks. So ask yourself these five questions before clicking on that shortened link

Travel smart: Tips for staying secure on the road (Help Net Security) Whether you're taking a personal holiday or a business trip, traveling by car or by plane, planning a quick jaunt or preparing for an extended stay, make sure your security best practices are coming along for the ride

8 Android security tips for IT, corporate users (CIO via CSO) A set of security experts shares actionable tips for IT departments and users to help reduce the risk associated with the popular mobile OS

Incorporating Threat Intelligence Into Cyber Risk Scoring (T3 — Tieu's Tech Tidbits) Most approaches to cyber security risk scoring are based on findings on assets against various defect checks, e.g. vulnerabilities, compliance, configurations, etc. With the growing availability of threat intelligence, this risk scoring should be enhanced to incorporate threat intelligence so that known threats can be taken into account

Compliance is Like Asking Your Kids to Clean Their Room (Dark Matters) I just received an email from a new friend of mine who was telling me about her troubles with bringing a company up to compliance standards. She was performing security compliance testing. Testing?

Do elected officials encrypt their email? (CSO) Let me know when you're done laughing. It's OK…I can wait. So, this was a thought that occurred to me one night as I was fighting through some rather nasty heartburn

Design and Innovation

Why we need a standardized IoT tech stack (Venture Beat) Everyone is talking up IoT (the Internet of Things) as the next mega trend. Analysts are predicting that IoT will be a multi-trillion dollar category, and thousands of companies, from GE to Evernote, are redefining themselves as IoT companies

NSA Trying to Track Your Smartphone Finger Strokes (Defense One) Smartphone technology built by Lockheed Martin promises to verify a user's identity based on the swiftness and shape of the individual's finger strokes on a touch screen

Bitcoin's baby: Blockchain's 'tamper-proof' revolution (BBC) For Bitcoin, 2014 was not a good year. The virtual currency's value slumped as scandal after scandal struck, resulting in many people losing significant amounts of money

Windows and OS X are malware, claims Richard Stallman (Register) 'Resist gratification', says super-GNU-man freedom fighter

Research and Development

Manhattan Project for Cybersecurity R&D (GovInfoSecurity) Employing ISAO to get researchers to collaborate

Hacking Virginia State Trooper Cruisers (Dark Reading) Working group of federal agencies and private industry launched by the state of Virginia is studying car vulnerabilities and building tools to detect and protect against vehicle hacking and tampering


Which students get to have privacy? (Ars Technica) There's a push to protect student data, but those in need are the ones being left behind

University of Houston Recognized For Its Cybersecurity, Cyber Defense Program (University Herald) The National Security Agency and the Department of Homeland Security have recognized the University of Houston's educational and research programs in cybersecurity and cyber defense, school officials announced

CIC fills first phase, eyes future (Shreveport Times) With four buildings on its 66-acre footprint in Bossier City just east of Bossier Parish Community College, the Cyber Innovation Center has filled its phase one acreage and is looking toward expansion

Legislation, Policy, and Regulation

Fiercely critical of NSA, Germany now answering for its own spy practices (Christian Science Monitor Passcode) Germany is embroiled in a spying controversy that is causing political upheaval and sparking a national debate about surveillance

Press Digest: Government urged to establish special agency dealing with cyber attacks (Sun Daily) The government has been urged to create an agency specialising in handling cyber attacks, which are becoming a threat to national security

National Security Agency begins winding down collection of American phone records (Economic Times) The National Security Agency has begun winding down its collection and storage of American phone records after the Senate failed to agree on a path forward to change or extend the once-secret program ahead of its expiration at the end of the month

The Senate Fails to Reform NSA Spying, Votes Against USA Freedom Act (Wired) A last-minute bid to reform NSA spying before lawmakers break for a week-long recess failed early Saturday morning after hours of debate and filibuster overnight when Senate lawmakers voted 57-42 against the USA Freedom Act

Senate blocks House surveillance bill, 2-month extension (AP via Yahoo! Tech) The Senate struggled unsuccessfully to prevent an interruption in critical government surveillance programs early Saturday, blocking a House-passed bill and several short-term extensions of the USA Patriot Act

Opinion: An ex-NSA chief and ACLU adviser can agree on surveillance reform. Why can't Congress? (Christian Science Monitor Passcode) Former National Security Agency Director Keith Alexander and law professor Geoffrey Stone say it's time for Congress to put politics aside and act quickly to reform surveillance laws in order to protect American privacy and maintain an intelligence edge

NIST Official: Businesses Need to Take More Responsibility for Cybersecurity (Nextgov) When it comes to cybersecurity, the relationship between businesses and the government has been mostly all carrot and no stick

US spy agency: 'Intelligence doesn't always equal secrecy' ( Much about the National Geospatial-Intelligence Agency remains classified, but the U.S. spy agency that maps and analyzes the earth is opening up more than ever, from sharing computer source code on a public website to tapping new sources of intelligence

How one mayor struggles with balancing privacy and surveillance (Ars Technica) Oakland must determine limits on LPRs, stingray use, "and we have not done that"

Litigation, Investigation, and Law Enforcement

The Hacker, the Plane and the TSA (Silicon Angle) Last month my good friend and security researcher, Chris Roberts of One World Labs, was detained by FBI agents after a United Airlines flight from Chicago to Philadelphia, about which he tweeted comments regarding the network security on his plane

Don't let a cyber-attack put you 'undersea': implications of the Pacnet security breach (Lexology) Pacnet experienced a cyber-attack in April, compromising the personal details of thousands of customers. Despite the fact that under the current Privacy Act there is no requirement to notify affected individuals or the Office of the Australian Information Commissioner (OAIC) of a serious data breach, organisations should nevertheless take measures to reduce their risk of a cyber-attack and limit the impact of an attack that has been detected

VA fails cybersecurity audit for 16th straight year (FierceHealthIT) CIO Stephen Warren: 'There were areas where the intensity wasn't where it needed to be'

County sheriff has used stingray over 300 times with no warrant (Ars Technica) San Bernardino Sheriff's Department doesn't tell judges it's using spy device

Before sentencing, Ulbricht begs for leniency: "please leave me my old age" (Ars Technica) "Silk Road turned out to be a very naive and costly idea that I deeply regret"

High schooler allegedly hired third party to DDoS his school district (Naked Security) A 17-year-old high school boy may face state and federal charges for allegedly having paid a third party to launch a distributed denial of service (DDoS) attack that crippled the West Ada school district in Idaho, US, for a week and a half earlier this month

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

Suits and Spooks All Stars 2015 (New York, New York, USA, June 19 - 20, 2015) Unlike our typical "collision" event, our All Stars will have at least 60 minutes each for their talks. Seating will be limited because we're going to hold it in one of our most popular venues —...

2015 Cyber Risk Insights Conference (New York, New York, USA, October 20, 2015) The world's largest cyber risk event for P&C professionals. Save-the-date for Advisen's 5th annual Cyber Risk Insights Conference in New York City with a full-day program that takes place on October 20,...

Upcoming Events

SOURCE Conference (Boston, Massachusetts, USA, May 25 - 28, 2015) SOURCE is a computer security conference happening in Boston, Seattle, and Dublin that is focused on offering education in both the business and technical aspects of the security industry. The event's...

HITBSecConf2015 Amsterdam (De Beurs van Berlage, Amsterdam, The Netherlands, May 26 - 29, 2015) This year's event will feature new training courses. Keynote speakers include Marcia Hofmann and John Matherly. To encourage the spirit of inquisitiveness and innovation, Haxpo will showcase cutting...

7th International Conference on Cyber Conflict (Tallinn, Estonia, May 26 - 29, 2015) CyCon is the annual NATO Cooperative Cyber Defence Centre of Excellence conference where topics vary from technical to legal, strategy and policy. The pre-conference workshop day, 26 May, features a variety...

1st Annual Billington Corporate Cybersecurity Summit (New York, New York, USA, May 27, 2015) Join Billington CyberSecurity's unparalleled network of cybersecurity professionals as they provide hard-earned insights and education to a high level and exclusive group of attendees from the corporate...

Time for a Refresh: Technology & Policy in the Age of Innovation (East Palo Alto, California, USA, May 27, 2015) On May 27th, join technology leaders and innovators, along with industry and government experts, for a dynamic discussion around today's cyber challenges and key decisions to be made around the intersect...

Atlanta Secure World (Atlanta, Georgia, USA, May 27 - 28, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...

Techno Security & Forensics Investigations Conference (Myrtle Beach, South Carolina, USA, May 31 - June 3, 2015) The Seventeenth Annual International Techno Security & Forensics Investigations Conference will be held May 31 - June 3 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. This conference promises...

Mobile Forensics World (Myrtle Beach, South Carolina, USA, May 31 - June 3, 2015) The Eighth Annual Mobile Forensics World will also be held May 31 - June 3 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. The Mobile Forensics World is specifically dedicated to Federal, State...

International Techno Security & Forensics Investigations Conference (Myrtle Beach, South Carolina, USA, May 31 - June 3, 2015) The Seventeenth Annual International Techno Security & Forensics Investigations Conference will be held May 31 to June 3 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. This conference promises...

TakeDownCon: Capital Region 2015 (East Hyattsville, Maryland, USA, June 1 - 2, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their...

School on Computer-aided Cryptography (College Park, Maryland, USA, June 1 - 4, 2015) The goal of the school is to provide participants with an overview of computer-aided cryptography with a special focus on computer-aided cryptographic proofs using the EasyCrypt tool. Lectures discussing...

AusCERT2015: Smarten up (RACV Royal Pines Resort, Gold Coast, Queensland, June 1 - 5, 2015) This year's conference theme explores how we need to smarten up to manage information security risks better. We need to "smarten up" by focusing on information security essentials; by taking advantage...

NSA SIGINT Development Conference 2015 (Fort Meade, Maryland, USA, June 2 - 3, 2015) This classified conference will focus on the preeminent intelligence issues facing those who are tasked with SIGINT as part of their mission. Over 1500 participants from the US intelligence community and...
