Daily briefing.

Al Qaeda and Daesh escalate virtual swipes at one another, but without so far upping the ante beyond insults.

FireEye points out that data lost in the US OPM breach have yet to turn up in the black market, which seems to confirm that the threat actor was, as generally believed, a state intelligence service, not a criminal gang. Signs still of course indicate China. (US DNI Clapper, asked if the CIA pulled its officers from Beijing, answers tersely, "No.")

More notes appear on Russian cable-cutting capabilities, and the range of possible US Navy responses.

Zerodium announced yesterday that it's going to pay some researchers $1 million for an iOS 9 exploit, which Zerodium characterizes as a "jailbreak." Zerodium will share the vulnerability with its customers ("major corporations in defense, technology, and finance," who are presumably looking for protection, and "government organizations in need of specific and tailored cybersecurity capabilities," widely assumed to be looking for offensive capabilities).

Criminals are tailoring ad-blockers to accomplish drive-by attacks: Irish advertising analytics company PageFair appears to be target zero (and claims to have quickly contained the attack).

Good news, bad news for Microsoft ESET: it gets very high reviews in tests of security products; on the other hand it can apparently be bypassed using Microsoft compatibility tools.

"KeeFarce" hacking tool is said to be able to compromise KeePass password manager.

Data stolen from TalkTalk has turned up for sale in the black market.

UK surveillance legislation advances: a "license to operate" (not to kill).

Notes.

Today's issue includes events affecting Australia, Bahrain, China, Germany, India, Iraq, Ireland, Japan, Republic of Korea, Kuwait, Oman, Qatar, Russia, Saudi Arabia, Syria, United Arab Emirates, United Kingdom, United States.

We'll be in Washington this afternoon and tomorrow to cover the SINET Showcase 2015. Full reports will appear Wednesday and Thursday.

Cyber Attacks, Threats, and Vulnerabilities

The dispute between al-Qaeda and the Islamic State has devolved to name-calling (Washington Post) In a new 26-minute-long video statement, al-Qaeda in the Arabian Peninsula (AQAP) and al-Qaeda in the Islamic Maghreb (AQIM) said the Islamic caliphate declared by the Islamic State was illegitimate, dismissively referring to that militant organization as "Baghdadi's group," a reference to its leader, Abu Bakr al-Baghdadi

Data from U.S. agency cyber breach not on black market, researcher says (Reuters via Business Insurance) Data stolen in a massive breach of the U.S. Office of Personnel Management has not shown up on the black market, a sign that a foreign government launched the attack, a researcher with U.S. cyber security firm FireEye Inc. said Monday

U.S. intelligence head: CIA did not pull officers from Beijing after OPM hack (Washington Post) The CIA did not pull officers from Beijing in the wake of the Chinese hack of millions of sensitive personnel records disclosed earlier this year, the nation's top intelligence official said Monday

The Real Story Behind the Undersea Cable Caper (Technology and Security) When the latest Russian ocean surveillance ship, the Yantar (Amber) sailed off the coast of Florida, US Navy senior officials sounded an alarm

A New Cold War Deep Under the Sea? (World Post) Virtually all of the world's information moves deep under the sea

iOS 9 Can Now Finally Be Remotely Jailbroken — but YOU Can't Do It (Intego) Bad news iOS 9 users. Someone has developed a way of jailbreaking your iPhone or iPad and spying on you, in a way that is currently unstoppable

Hackers use anti-adblocking service to deliver nasty malware attack (Ars Technica) Drive-by malware attacks: They're not just for porn sites anymore

PageFair says small percentage of users were at risk from attack (IDG via CSO) Although antivirus programs may not have detected the malware, users would have had to approve running it

WoW! Want to beat Microsoft's Windows security defenses? Poke some 32-bit software (Register) Two chaps claim to have discovered how to trivially circumvent Microsoft's Enhanced Mitigation Experience Toolkit (EMET) using Redmond's own compatibility tools

Latest EMET Bypass Targets WOW64 Windows Subsystem (Threatpost) Backwards compatibility, a necessary evil for Microsoft in its need to support so many legacy applications on Windows, may be its undoing as researchers have found a way to exploit this layer in the operating system to bypass existing mitigations against memory-based exploits

Hacking tool swipes encrypted credentials from password manager (Ars Technica) "KeeFarce" targets KeePass, but virtually all password managers are vulnerable

Don't count on STARTTLS to automatically encrypt your sensitive e-mails (Ars Technica) TLS stripping and DNS attacks allow eavesdropping on protected messages

Stanford researchers identify potential security hole in genomic data-sharing network (Help Net Security) Sharing genomic information among researchers is critical to the advance of biomedical research

The Kids are Still at Risk: Update to Citizen Lab's "Are the Kids Alright?" Smart Sheriff report (Citizen Lab) A second audit of the Smart Sheriff application reveals that there are numerous unresolved security vulnerabilities that put minor children and parental users of the application at serious risk

TalkTalk breach: Third arrest, data already for sale, criminals targeting pensioners (Help Net Security) News about the TalkTalk breach and the investigation of it are coming fast and thick

Post-hack, TalkTalk treats defrauded customers poorly (Graham Cluley) There's lots that can be said, and has been said, about the hack of UK telecoms firm TalkTalk

Researcher Finds Information Disclosure and Hardware Misconfiguration Flaws in ATMs Used by German Bank (SecurityWeek) German savings bank Sparkasse has started patching its ATMs and self-service terminals after a researcher discovered that the machines can be tricked into revealing a lot of sensitive information during software updates

Aussie Farmers Direct hacked, user details posted online (IT News) Attackers publish data on more than 5000 shoppers

Cyber attack hits Salt Lake City School District's website, phones, grading system (Deseret News) A cyber attack that began Friday afternoon overwhelmed the Salt Lake City School District's website, phone system, and PowerSchool grading and homework tool off and on through Monday morning, according to district officials

A Tangled Web: Exploring the World of the Dark Web (Cyveillance) Compromised personal data, criminal services, drug and weapons markets, and illegal pornography are all part of the network of hidden sites now commonly referred to as the "Dark Web," also known as the "Dark Net" (or "Darknet")

These are the three most common cyber security mistakes that employees make (Australian Anthill) With Cyber Security month well underway, there is no better time for businesses to start educating employees on the risks of sloppy online practices

Mobile Malware Makes Mobile Banking Treacherous (Dark Reading) Kaspersky Lab report shows rate of mobile malware occurrence exploding in Q3

Making IP Secure (Semiconductor Engineering) The semiconductor ecosystem is beginning to identify security holes, what tools can be used to plug them, and what else is needed

Security Patches, Mitigations, and Software Updates

Google patches critical media processing flaws in Android (IDG via CSO) The November security update for Nexus devices fixes seven vulnerabilities, two of them critical

Monthly Android Security Update Patches More Stagefright Vulnerabilities (Threatpost) The Stagefright vulnerabilities are the gifts that keep on giving

Cyber Trends

Cyber adds several new dimensions to warfare (Federal Times) The face of war is changing as the world's infrastructure is interconnected and the cyber theater becomes a focus for militaries around the world

Preparing For The Cyber Battleground Of The Future — Analysis (Eurasia Review) For space and cyber Airmen, tomorrow's fight will be determined largely by the concept of cyberspace dependency

The Changing Cyber Threat Landscape — Securonix Chats with Chris Inglis (Securonix) In this first video of a four-part series, Chris Inglis, former deputy director at the NSA and current Chairman of the Securonix advisory board, sits down with Securonix CEO Sachin Nayyar for a candid conversation about cyber security strategy. How is the threat landscape changing?

The Evolution of Technical Capabilities to Battle Cyber Threats — Securonix Chats with Chris Inglis (Securonix) In this second video of a four-part series, Chris Inglis, former NSA deputy director and current Securonix advisory board chair, joins Securonix CEO Sachin Nayyar to discuss the evolution of technological capabilities to defend organizations against increasingly complex cyber attacks

The Insider Threat — Securonix Chats with Chris Inglis (Securonix) "Organizations vastly underestimate the likelihood of an insider attack," says Inglis. "It only takes one in a company of thousands. The proper estimation is one, as in 100 percent likely"

The Role of The Government — Securonix Chats with Chris Inglis (Securonix) "Individuals, organizations and societies are adopting new technologies at a breathtaking pace, without understanding the vulnerabilities inherent to them." Says Inglis, "The threats in this space only continue to exceed our expectations. As the scope and scale of attacks become increasingly alarming, it's only natural that we wonder if government should intervene, as if there is a singular point of accountability for cyber security"

The value in vulnerability management platforms (Help Net Security) A study conducted by Forrester Consulting assessed IT decision makers' satisfaction with their current vulnerability management platforms and the challenges companies face in securing their cloud environments against exposure

Most consumers believe cloud-based apps can be hacked (Help Net Security) Consumers often don't realize that the applications they depend upon daily live in the cloud and therefore many may be unaware of the threat of breach to their personal data, according to Radware

Why Modern IT Security Is Like Aviation — 100 Years Ago (eWeek) Accomplished pilot and former Black Hat GM Trey Ford details the lessons the aviation industry learned "in blood" that can be applied to IT security

The Australian Cyber Security Centre Threat Report 2015 (Australian Cyber Security Centre) The cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. If an organisation is connected to the internet, it is vulnerable. The incidents in the public eye are just the tip of the iceberg

Marketplace

Security Must Speak the Language of Risk (InfoRiskToday) Bharti Airtel's Dr. Sivasubramanian on why security is misunderstood

DISA splitting big data cyber program into two contracts (C4ISR & Networks) The Defense Information Systems Agency is getting ready to release two requests for proposals for big data capabilities to help the Department of Defense maintain a better understanding of its networks' security postures

Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack (Wired) Hacking Apple's iOS isn't easy. But in the world of cybersecurity, even the hardest target isn't impossible — only expensive

Secret Apple iPhone zero-day exploit earns $1,000,000! Well, maybe… (Naked Security) A controversial hacking company recently ran a competition offering $3m for up to three click-to-own exploits against Apple's iOS. The exploits would be sold on to "eligible customers" only

Akamai buys network security firm Bloxx to bolster enterprise cloud offerings (ZDNet) With the acquisition, Akamai said it hopes to bring a new suite of cloud-based security services to market sometime in 2016

EMC May Float Pivotal in IPO Next Year in a Plan Blessed by Dell (Re/code) EMC and Dell are speeding up plans to take the software company Pivotal public and are now studying the option of an IPO in early 2016, sources familiar with the deliberations tell Re/code

Secretive cyber warfare firm NSO Group explores sale: sources (Reuters) NSO Group Ltd, a company that helps governments spy on mobile phones and is so secretive that it regularly changes its name, is exploring a sale that could value it at close to $1 billion, including debt, according to people familiar with the matter

FireEye Drags Qualys, CyberArk Up Ahead Of Earnings (Investor's Business Daily) FireEye (NASDAQ:FEYE) stock climbed Monday on Wall Street ahead of its late Wednesday Q3 earnings report, pulling up shares of online security firms CyberArk Software (NASDAQ:CYBR), Qualys (NASDAQ:QLYS) and Symantec (NASDAQ:SYMC) with it

CyberArk: A Key Player In A Fast-Growing Industry (Seeking Alpha) Cyber security industry is growing at a rapid pace due to the nature of cyber attacks

Interview: Advanced Threat Protection has potential to change Symantec's enterprise security play (First Post) Security giant Symantec has finally unveiled its ambitious product — Advanced Threat Protection (ATP). With the ATP launch, the company hopes to disrupt the advanced persistent threat market which already sees companies like FireEye and Trend Micro; and begin a new journey as a "full security company"

CrowdStrike CEO George Kurtz Awarded ISSA President's Award for Public Service (BusinessWire) CrowdStrike Inc., a cybersecurity technology firm pioneering next-generation endpoint protection, today announced that George Kurtz has been awarded the 2015 ISSA President's Award for Public Service by the Information Systems Security Association (ISSA)

Products, Services, and Solutions

Resurgence of innovation driving glut of new security tools (CSO Australia) Security vendors are showing new confidence against malware attackers as they launch new classes of products designed to take the fight back to malware authors that have recently been overwhelming many companies' traditional defences

Startup Spotlight: SentinelOne's Endpoint Security (eSecurity Planet) The endpoint is the 'scene of the crime' in enterprise security, so startup SentinelOne targets endpoint security holes left by traditional AV solutions

Microsoft Security Essentials Scores Incredibly Well in New Antivirus Tests (Softpedia) It's generally believed that Microsoft Security Essentials isn't the best antivirus solution out there, but only a basic product that can protect your computer until you install a more advanced security app, but a new series of tests conducted by Dennis Technology Labs claim otherwise

Snapchat reassures users that photo messages are still totally private (C|Net) The photo-sharing service has disputed claims that changes to its privacy policy will allow it to store and share users' messages

T-Mobile's network extender lets anyone use your Internet bandwidth (Ars Technica) Like Comcast, T-Mobile boosts its network by borrowing your bandwidth

Facebook finally changes real-name policy (Naked Security) Facebook on Friday finally changed the real-name policy that has made using the service difficult for drag queens, the LGBTQ community, Native Americans, those who use pseudonyms, and persecuted groups

ThreatConnect Announces Enhanced ThreatConnect App for Splunk (BusinessWire) ThreatConnect, Inc.®, creator of the most widely adopted Threat Intelligence Platform (TIP), today announced the availability of the ThreatConnect App for Splunk

Methodist Healthcare Ministries Leads Regional HIPAA Compliance with Continuous Network Monitoring from Tenable Network Security (BusinessWire) SecurityCenter Continuous View helps not-for-profit healthcare provider strengthen security effectiveness to better protect patient data across the entire South Texas healthcare network

Signal, the Snowden-Approved Crypto App, Comes to Android (Wired) Since it first appeared in Apple's App Store last year, the free encrypted calling and texting app Signal has become the darling of the privacy community, recommended — and apparently used daily — by no less than Edward Snowden himself

Free Phish Alert Add-In For Outlook To Debut (Dark Reading) Button for reporting suspicious emails to the security team works with Microsoft's email software

Kaspersky Lab Releases Free Decryption Keys For Victims Of CoinVault and Bitcryptor Ransomware (TechWorm) 14,000 decryptor keys For CoinVault, Bitcryptor ransomware released By Kaspersky for ransomware victims

LightCyber game lets IT pros become the attacker (Network World) A better appreciation of how adversaries think can lead to better security

Technologies, Techniques, and Standards

Visa's Perez on Why PCI Still Matters (BankInfo Security) Even with shift to EMV, PCI compliance remains a priority

Laying a crypto foundation: Four steps to effective encryption (FedScoop) To comply with NIST encryption standards and better manage cryptographic keys, agencies need a solid "crypto foundation"

Software-Defined Perimeter enables application-specific access control (Help Net Security) Back in the early 1990s enterprises migrated away from proprietary protocols such as DECnet, SNA, and Novell IPX to common standards such as IP

How to fight back against reputation damaging Internet monsters (CSO) In today's world people make up stuff to damage reputations for both individuals and companies, either because they are paid to or just because they are bad people

150 ideas for better cybersecurity in government (FCW) As the government gears up for a second "cybersecurity sprint" and begins to absorb the Office of Management and Budget's just-released strategy, a group of industry and agency leaders has been canvassing the federal IT community for ideas on how to do cybersecurity better

Disruptive by Design: How to Evolve Federal Cloud Security (SIGNAL) In 2011, then-U.S. Chief Information Officer Vivek Kundra set the stage for federal agencies to take full advantage of cloud computing benefits through the Cloud First initiative, which mandates that agencies evaluate cloud options before making any new information technology investments

How to earn the trust of millennials concerned with security (CIO via CSO) Millennials are growing increasingly weary of data and security when it comes to their favorite brands. And that means it's vital that companies include a strong cybersecurity message in their marketing plan to help rebuild trust

Design and Innovation

How your voice can protect you from credit card fraud (CNN) That call to your bank is being recorded for more than just "quality assurance purposes"

Research and Development

How IARPA predicts the unpredictable (Federal Times) The Intelligence Advanced Research Projects Activity is where the intelligence community turns to solve some of its toughest programs — it's billed as the IC's high-risk, high-payoff science lab

Academia

New Special Report Highlights NSF-Funded Cybersecurity Research And Education (ECN) Cybersecurity is one of the defining issues of our time. Can we keep our networks, devices and critical systems open, safe and secure, while maintaining personal privacy? How do we develop tomorrow's cybersecurity solutions?

IUP ranks high in cyber defense education (The Penn) Out of 102 national universities eligible to be named a Center for Academic Excellence in Cyber Defense, Indiana University of Pennsylvania became one of just six state colleges to earn the designation

Raspberry Pi Foundation And U.K.'s Code Club Merge For Global Push To Get Kids Coding (TechCrunch) Make way for 'Pi Club' (not its real name)

Legislation, Policy, and Regulation

Governments 'must realise that they cannot control social media' (National) GCC governments must realise that they cannot control social media, and put more effort into fighting extremist ideology through providing more positive content

Hi, um, hello, US tech giants. Mind, um, mind adding backdoors to that crypto? — UK govt (Register) Call Me Dave wants to know what's in your calls

A new licence for spies and police? (BBC) Despite the recent release of the latest James Bond film, what really worries Britain's spies at the moment is not the cinematic licence to kill but what they call their "licence to operate"

Is The U.S.-China Cyber Security War Ending? (Value Walk) Cyber security has been at the forefront of the debate on Sino-American ties for several years now

Cyber Legislation Moves To Conference; White House Issues Cyber Strategy (National Law Review) Last week, the Senate passed the Cybersecurity Information Sharing Act (CISA/S. 754) by a 74-21 vote

Everything You Need to Know About the Recently Passed, Privacy-Decimating CISA Bill (Vice) Last Tuesday, the United States Senate passed the Cybersecurity Information Sharing Act, or CISA, by a vote of 74-21

US cybersecurity plan won't stop the government getting hacked — but it's a start (Naked Security) This week, the White House unveiled a new strategy for modernizing the US government's cybersecurity, and there's a lot of work to be done

House passes bill to prevent security 'insider threats' (The Hill) The House passed legislation on Monday to mandate the Department of Homeland Security to establish a program to identify and mitigate insider threats from rogue employees

Bill introduced to criminalize warrantless cell phone surveillance (Ars Technica) Bill from Rep. Jason Chaffetz would require warrant, but it has big exemptions

Tight budgets, cyber threats driving DISA's path forward (C4ISR & Networks) The one-two punch of a tense budgetary climate and a proliferation of cyber threats is changing how the federal government does business, particularly at the agency charged with much of the Defense Department's IT service

Mustang officers in Info Dominance Corps to get new designators (Navy Times) Warrants and limited duty officers in the Information Dominance Corps are getting new designators

Hacked Opinions: The legalities of hacking — Katie Moussouris (CSO) Katie Moussouris, from HackerOne, talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts

Litigation, Investigation, and Law Enforcement

Battle Heats Up Over Exports of Surveillance Technology (New York Times) Ayman Ammar and Rashid Albuni claimed to be computer technology distributors, operating through multiple corporations in Dubai, in the United Arab Emirates

Opinion: Why the Supreme Court should side with data brokers (Christian Science Monitor Passcode) The Supreme Court hears arguments Monday in Spokeo v. Robins, a case in which a Virginia man claims he was wronged because an Internet data broker portrayed him incorrectly. If the court sides with the alleged victim, any tech company that collects and aggregates personal data could be subjected to devastating lawsuits

New Strategies for Battling Cybercrime (InfoRisk Today) Front-line practitioners outline top challenges, strategies

The Policing Challenges of Breach Response (InfoRisk Today) Experts: law enforcement needs to adopt a risk-based approach

CSC, NetCracker IT staff worked on US military telecoms 'without govt security clearance' (Register) Outsourcers cough up $12m in tussle with DoJ over claims

Where Does Volkswagen’s Road of Deceit End? (Supply Chain 24/7) Volkswagen used devices to cheat air pollution tests in diesel luxury vehicles in model years 2014 through 2016, U.S. and California environmental regulators said on Monday, widening their investigation into the carmaker's emissions scandal

The Mt. Gox Bitcoin Debacle: An Update (IEEE Spectrum) More than 18 months after the MtGox bitcoin exchange filed for bankruptcy in February 2014, little is still known about what happened to the 850,000 missing bitcoins

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

Inside Data Science 2015 (Monterey, California, USA, November 3 - 4, 2015) At the Inside Data Science 2015 Conference (IDS2015) our focus is not on the storage or volume of data, but rather the importance of what you do with it. To synchronize the processing, exploitation and...

NICE 2015 Conference and Expo (San Diego, California, USA, November 3 - 4, 2015) Cybersecurity has emerged as one of the leading creators of jobs and opportunity for all economic sectors. The demand for cybersecurity positions in both the public and private sector is large and growing,...

SINET Showcase 2015: "Highlighting and Advancing Innovation" (Washington, DC, USA, November 3 - 4, 2015) SINET Showcase provides a platform to identify and highlight "best-of-class" security companies that are addressing industry and government's most pressing needs and requirements. The chosen SINET 16 Innovators...

4th International Internet-of-Things Expo (Santa Clara, California, USA, November 3 - 5, 2015) With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Santa Clara. Learn what is going on, contribute to the discussions, and...

RSA Conference 2015 Abu Dhabi (Abu Dhabi, United Arab Emirates, November 4 - 5, 2015) Join your fellow information security professionals at RSA Conference 2015 Abu Dhabi, where we'll be discussing security issues from a global perspective

ICMC (the International Cryptographic Module Conference) (Washington, D.C., USA, November 4 - 6, 2015) ICMC core focus includes cryptographic modules, FIPS 140-2, ISO/IEC 19790 and cryptographic algorithms. Specialists from all over the world gather in Washington to discuss about commercial cryptography...

2nd Annual Journal of Law and Cyber Warfare Conference (New York, New York, USA, November 5, 2015) The 2015 symposium speakers represent an unparalleled group of cyber security experts with a wide variety of industry expertise and knowledge. Attendees will hear from experts on cybersecurity and cyber...

Start with Security (Austin, Texas, USA, November 5, 2015) This one-day conference will continue the FTC's work to provide companies with practical tips and strategies for implementing effective data security. Aimed at start-ups and developers, this event will...

After the Shift: Securing Tomorrow's Payment Technology (Washington, DC, USA, November 5, 2015) From encryption to tokenization, what does the future hold for keeping consumer data safe? Policymakers, industry leaders, and technology experts will explore the cutting edge of cyber technology and discuss...

University of Phoenix® Technology Conference (Arlington, Virginia, USA, November 7, 2015) At the University of Phoenix® Technology Conference 2015, a free event hosted by the University of Phoenix College of Information Systems and Technology, you will be introduced to cyber security,...

Cyber³ Conference: Crafting Security in a less Secure World (Nago City, Okinawa, Japan, November 7 - 8, 2015) An international conference on cyber security hosted by the Government of Japan with the support of the World Economic Forum. At this conference, multi-stakeholders, including policymakers, business leaders,...

FedCyber 2015 (Tyson's Corner, Virginia, USA, November 10, 2015) This conference, orchestrated by cyber practitioners Matt Devost and Bob Gourley, is designed to advance the state of cyber defense. The FedCyber.com Threat Expo will bring together thought leaders who...

First International Conference on Anti-Cybercrime (ICACC-2015) (Riyadh, Saudi Arabia, November 10 - 12, 2015) Al Imam Mohammad Ibn Saud Islamic University is organizing this international conference to establish a forum where discussions on vital issues related to anti-cybercrime can occur. This conference will...

Black Hat Europe (Amsterdam, the Netherlands, November 10 - 13, 2015) Black Hat prides itself with being "the most technical and relevant global information security event series in the world." For the past 16 years, the Black Hat events have given their attendees the opportunity...
