
Daily briefing.

Another US healthcare insurance provider, Excellus BlueCross BlueShield, has been breached. The compromise was detected on August 5 and disclosed yesterday, but the attack occurred on December 23, 2013. 10.5 million members' personal and financial information was exposed. Excellus says that, so far, there's no evidence of fraud.

USA TODAY looks into public records and concludes that the US Energy Department was successfully attacked some 150 times between 2010 and 2014. Attribution and other details were redacted from the records the paper obtained, but observers point with concern toward threats to the power grid.

Zimperium has released Stagefright exploit code for security testing purposes.

Palo Alto describes the long-running persistence of Gh0st malware in ongoing attack campaigns.

Manufacturers and shippers turn, increasingly, to the Internet-of-things, and implementation appears to be outrunning security.

SecureAuth's Cox looks at his industry and calls for a cyber version of the Hippocratic Oath.

In industry news, US companies are looking closely at a proposed Defense Federal Acquisition Regulation rule on commercial item acquisition (DFARS Case 2013-D034), which some fear will effectively block commercial cyber companies from Government business. (And Senator McCain thinks the rule will kill SecDef Carter's outreach to Silicon Valley.)

Palo Alto beats estimates. Ironnet raises $25 million in funding.

The UN clarifies application of the laws of armed conflict to cyberspace (and does so by extending traditional precepts into the new domain).

As debate in the US kicks up over whether ISIS intelligence was massaged, India grapples with its anti-ISIS info policy.

Notes.

Today's issue includes events affecting China, Germany, India, Iraq, Ireland, Syria, United Kingdom, United Nations, United States.

Today we're covering two events: the second annual Senior Executive Cyber Security Conference at the Johns Hopkins University in Baltimore, and GovConnect's Cyber 6.0 in Howard County, Maryland. Watch for live tweets throughout the day, and full conference reports tomorrow.

Cyber Attacks, Threats, and Vulnerabilities

Cyber attack on New York Blues plan Excellus affects 10 million (Business Insurance) Excellus BlueCross BlueShield, a Rochester, New York-based insurer, disclosed Wednesday afternoon that it was the victim of a sophisticated cyber attack by hackers who may have gained access to over 10 million personal records

Excellus BlueCross BlueShield hack puts 10M records at risk (FierceHealthPayer) Insurer says it discovered breach in early August

Records: Energy Department struck by cyber attacks (USA TODAY) Attackers successfully compromised U.S. Department of Energy computer systems more than 150 times between 2010 and 2014, a review of federal records obtained by USA TODAY finds

Zimperium unleashes Android Stagefright exploit code on world (Register) BOO! Now giddyup and get testing

Musical Chairs: Multi-Year Campaign Involving New Variant of Gh0st Malware (Palo Alto Networks) The Gh0st malware is a widely used remote administration tool (RAT) that originated in China in the early 2000s

10 Reasons Why Your Traditional Antivirus Can't Detect Second Generation Malware (Heimdal) As exposed in an article published a short while ago, on the 6 need-to-know attributes of advanced cyber attacks, one of the main ways in which second generation malware is challenging the security industry is its capacity to evade detection

Google Chrome reportedly bypassing Adblock, forces users to watch full-length video ads [Update] (Neowin) Twitter is alit today, it seems, with news of Google neutralising AdBlock Plus. The popular extension, originally created by Wladimir Palant in 2006, is used by many to bypass ads hosted on the internet, including the video ads served by Google's video streaming site

Hack attack at Cal State campuses exposes data on 80,000 students (LA.com) A data breach at eight Cal State campuses — including three in Los Angeles County — has exposed the personal information of nearly 80,000 students enrolled in an online sexual violence prevention course

11 million Ashley Madison passwords cracked in 10 days (Naked Security) Regular readers know we like silver linings here at Naked Security

Social engineering scammers exploit people's inborn desire to help others (Graham Cluley) Have you ever received a phone call at work by a person who is looking for someone else?

Security pros acknowledge risks from untrusted certificates but take no action (Help Net Security) A Venafi survey of 300 Black Hat USA 2015 attendees reveals that most IT security professionals understand and acknowledge the risks associated with untrustworthy certificates and keys, but take no action

Cyber Trends

How the Internet of Things is Transforming Manufacturing Today (Supply Chain 24/7) A new study finds the manufacturing industry is ready for the Internet of Things, with 83% of surveyed manufacturers either already using IoT technologies or planning to deploy within a year

How the Internet of Things Is Improving Transportation and Logistics (Supply Chain 24/7) From passenger security and fleet management to assembly processes and delivery times, the transportation and logistics industry needs solutions that move its people and cargo safely and efficiently

Mid-Sized Organizations More Likely Targets for Cyberattackers (Legaltech News) New study finds medium-sized businesses tend to be more lax with security practices than enterprises

Cloud security challenges prevent greater federal adoption, new survey finds (FierceGovernmentIT) The vast majority of federal IT workers value security over employee convenience, and even though many believe cloud computing improves employee productivity, it's not enough of a benefit to trump the related security challenges

A necessary oath: maintaining ethics in today's cyber world (SC Magazine) Given the far-reaching implications of their work, it's time for cyber-security professionals to consider creating an oath to uphold ethical standards, says Stephen Cox

UK tops global cyber crime hit list (ComputerWeekly) UK based criminals were the second highest originators of cyber crime attacks after the US in the second quarter, according to ThreatMetrix

Marketplace

Ways to Engage Executives in Cyber Risk (Wall Street Journal) A survey of retail executives shows many retailers making progress toward strengthening their cyber risk management programs

Are Your Directors Talking Enough About Privacy and Data Security? (JDSupra) The number of companies suffering data breaches, and the average cost associated with each incident, continues to rise

Defense Market Primed for M&A Activity (DefenseNews) While the defense industry is ripe for significant M&A activity, a combination of complicating factors, including the appreciation of the US dollar, makes valuation difficult, a panel of analysts told the audience at the ComDef 2015 conference

Proofpoint CEO — Cybersecurity Needs Trump Market Volatility (TheStreet) Proofpoint's cybersecurity solutions may be able to review more than 600 million emails a day, but even they aren't powerful enough to fully shield the company's stock from the market's recent turbulence, said CEO Gary Steele

Palo Alto up 5.4% on results, guidance, billings; CyberArk up 2.1% (Seeking Alpha) Palo Alto Networks (NYSE:PANW) has risen to $174.00 after hours after beating FQ4 estimates (strongly on revenue), issuing solid FQ1 guidance, and reporting billings rose 69% Y/Y to $393.6M

Palo Alto Networks, Inc. (PANW — $165.17) Company Update: Another Rock-Solid, Cespedes-Like Performance — Major Momentum Heading into FY16--Maintain OP (FBR Capital) Last night, Palo Alto Networks reported another rock-solid quarter with F4Q15 (July) results coming in ahead of expectations on the top line, bottom line, and billings, while delivering an F1Q16 (October) outlook that also came in above the Street

Ironnet Cybersecurity $25.00 million Financing (Octa Finance) Ironnet Cybersecurity, Inc., Corporation just submitted form D about $25.00 million equity financing

FireEye dispute with security researcher raises questions (IT World Canada) The question of whether software companies should pay bounties to people who discover bugs has been a sticky one. It has again been raised by a security researcher who is demanding a reward from network security vendor FireEye for his efforts

Lockheed Martin to cut 500 information systems jobs (Denver Post) Reductions come amid shifting government business, contracts

MSSPs, The Preferred Route to Skills Challenge (InfoRiskToday) Gartner's Rajpreet Kaur on the growing dependence on MSSPs in India

HP, Symantec security vet takes over as CEO at hot Mountain View startup (Silicon Valley Business Journal) Now we know what job Art Gilliland quit for when he resigned as the head of Hewlett-Packard's security software business in June

U.S. Cyber Command Officer to Lead Cyber Division for MetroStar Systems (PRNewswire) MetroStar Systems, Inc. (MetroStar), the leading provider of IT, Web, and Creative solutions for the federal and commercial sectors has announced the appointment of Joseph "J" Kinder to the position of General Manager of Cyber Operations and Tactics

Products, Services, and Solutions

Law enforcement fights major US gang with big data (FierceBigData) Law enforcement is using advanced crime analytics, and specifically data visualization, to fight crime

Booz Allen, Triumfant Offer Combined Predictive Intell, Cyber Analytics Under Partnership (ExecutiveBiz) Booz Allen Hamilton and Triumfant have entered into a strategic partnership to deliver an endpoint security offering that leverages predictive intelligence and reverse engineering functions to identify potential risk areas

Wandera uses machine learning to protect against new mobile security threats (Computing) Mobile security firm Wandera is harnessing the power of automated machine learning to ensure its customers are protected against as many security vulnerabilities as possible, even those that were previously unknown

Technologies, Techniques, and Standards

Mobile data security creates big governance challenges (TechTarget) As devices are used for increasingly complex processes, data becomes more vulnerable to loss

More to Metadata Management than Cleaning (Legaltech News) Rather than a laundry list of metadata types to be cleaned, metadata management needs a unified approach to protect all users on all devices

Why Security Experts Are Using an Ancient Email Format in 2015 (Motherboard) A quarter of a century ago, checking your email meant logging onto a mainframe and using a command-line email program like elm or pine. Today, many security experts continue to use and recommend mutt, elm's bastard love child

How Do You Solve a Problem Like Attribution? (Team Cymru) There was an advert for weed-killer a while back

Using Security Metrics to Drive Action (CIO) Benjamin Franklin famously said, "An ounce of prevention is worth a pound of cure"

6 Principles of a Resilient Digital World (InfoRiskToday) Gartner's Iyengar on new strategies to Manage and Mitigate Risks

'Discovery and hygiene' is the key to IT security (ITWire) If you don't know what you've got and you don't attend to the routine chores, how can you expect to keep your IT environment secure?

The things end users do that drive security teams crazy (CSO) To protect users from public embarrassment their identities have been withheld in these true stories of failures to follow security protocol

Design and Innovation

The Man Who Wants To Encrypt Everything (Forbes) The Los Angeles Police Department has its own Eye of Providence, a 20-foot-long flat-screen mosaic in a windowless downtown control room fed by dozens of info-streams

Research and Development

Making the 'Internet of Things' configuration more secure and easy-to-use (Phys.org) With an ever increasing number of everyday objects from our homes, workplaces and even from our wardrobes, getting connected to the Internet, known as the 'Internet of Things' (IoT), researchers from the University of Southampton have identified easy-to-use techniques to configure IoT objects, to make them more secure and hence help protect them from online attacks

DARPA unveils anti-counterfeit electronics chiplet (C4ISR & Networks) DARPA has released photos of what its anti-counterfeit electronics chip might look like

Commerce awards $3.2M to 20 small businesses to address cybersecurity, other challenges (FierceGovernmentIT) The Commerce Department last week announced that it awarded $3.2 million in grants to 20 small businesses to help them develop new, innovative technologies that address a wide range of issues from climate change to cybersecurity

Algorithms bridge gap between digital and physical systems (FierceBigData) Just about everyone is focused on the Internet of Things these days. New devices and sensors will provide a deluge of data

Does quantum cryptology offer hack-proof security? (CIO) New quantum cryptology research could result in systems that are impossible to hack. But good luck trying to explain it to your boss

Academia

Utica College's Cybersecurity Program Recognized as Academic Center of Excellence (PRNewswire) Many areas of specialization place UC among elite group of colleges, universities

Legislation, Policy, and Regulation

The Rules of Cyberspace Just Got A Bit Clearer (DefenseOne) The UN's new recommendations guiding state activity in cyberspace break new ground in three important areas

Indian cyber experts targeting hackers behind the attacks on government and defence servers (IBN) India has declared war on terrorists in the cyberspace. Indian cyber experts are targeting hackers behind the attacks on government and defence servers

India Needs a Creative Strategy to Counter ISIS's Cyber Terror (New Indian Express) The media recently reported about showing of ISIS flag in Jammu and Kashmir and some other regions along with some youth returning from Syria and Iraq

Exclusive: 50 Spies Say ISIS Intelligence Was Cooked (Daily Beast) It's being called a 'revolt' by intelligence pros who are paid to give their honest assessment of the ISIS war — but are instead seeing their reports turned into happy talk

Is Germany Building the Next NSA? (National Journal) Berlin is fast becoming a center for European digital-privacy experts. Next year, it will also become the home of Germany's top spy agency

Top spy bemoans loss of key information-gathering program (Washington Post) One of the disclosures based on documents leaked by Edward Snowden, the former National Security Agency contractor, prompted the shutdown of a key intelligence program in Afghanistan, the nation's top spy said Wednesday

Opinion: Restraint is the best weapon against Chinese hacks (Christian Science Monitor Passcode) When Chinese President Xi visits the US this month, President Obama has a rare chance to forge a strategic deal with China to ease the growing cyberconflict between Washington and Beijing

Partnerships key to confronting cybersecurity challenges, say NSF and NIST officials (FierceGovernmentIT) The National Science Foundation and the National Institute of Standards and Technology separately have contributed much to improve the cybersecurity of federal agencies and the nation as a whole, but officials at a recent hearing say the credit and responsibility are shared

Security experts mostly critical of proposed threat intelligence sharing bill (CSO) This fall, the Senate is expected to take another look at the Cybersecurity Information Sharing Act, or CISA

New DoD Rule Might Cripple Silicon Valley Efforts: Sen. McCain (Breaking Defense) The day before Defense Secretary Ash Carter heads to St. Louis to promote outreach to the high tech communities

11 proposals for DoD's future cyber workforce (C4ISR & Networks) The Department of Defense is looking to develop a force of the future that will be able to defend and retaliate in cyberspace

The White House sprints to lock down data (Help Net Security) US government Chief Information Officer (CIO) Tony Scott has been working with federal agencies to complete 30-day "cyber sprints" to patch gaping holes in US Government security

State Department taps former assistant secretary to lead records management reform (FierceGovernmentIT) A former State Department official is returning as its first transparency coordinator — a position meant to reform the way the department handles its records

Unpatients — why patients should own their medical data (Nature) For the benefits of digital medicine to be fully realized, we need not only to find a shared home for personal health data but also to give individuals the right to own them

Pennsylvania banking regulator creates Cybersecurity Task Force (Pennsylvania Business Daily) Pennsylvania Secretary of Banking and Securities Robin Wiessmann said Tuesday a Cybersecurity Task Force has been created to help financial services businesses address cybersecurity issues and oversee the state's financial marketplace security

Litigation, Investigation, and Law Enforcement

Microsoft due in court over warrant for emails stored in Irish data centre (Naked Security) Microsoft will appear in a federal appeals court today to argue against the US government's assertion that companies operating in the land of the free must hand over data stored in other countries when presented with a valid search warrant

Apple’s iMessage Defense Against Spying Has One Flaw (Wired) Yesterday, the New York Times mentioned a trend that's becoming more common: tech companies fighting back against government requests for user data, among them Microsoft and Apple

Military Services Turn Blind Eye to Ashley Madison Customers (Military.com) Three weeks after U.S. troops were told they could face disciplinary action if their official email addresses were found among those hacked from the adultery website Ashley Madison, the services appear ready to drop the affair

US cop goes wardriving to sniff out stolen gadgets by MAC address (Naked Security) When it comes to sniffing out unsecure Wi-Fi networks, you can take your pick of vehicle to drive around

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

SIN ACM (the International Conference on Security of Information and Networks) (Sochi, Russia, September 8 - 10, 2015) The 8th International Conference on Security of Information and Networks will feature contributions from all types of specialists in the cyber security field, from papers and special sessions to workshops...

SIN 2015 (Sochi, Russia, September 8 - 10, 2015) The 8th International Conference on Security of Information and Networks (SIN 2015) provides an international forum for presentation of research and applications of security in information and networks.

NSPW (New Security Paradigms Workshop) (Twente, Netherlands, September 8 - 11, 2015) Although NSPW is more of a workshop than a conference, it has earned its right to be included in this list. Since 1992, NSPW has been offering a unique forum for cyber security specialists involved in...

Global Cyberspace Cooperation Summit VI (New York, New York, USA, September 9 - 10, 2015) An invitation-only event, this meeting of international actors aims to coordinate and consolidate progress, showcase results and promote collective action. The annual cyber summits provide a crucial forum...

Intelligence and National Security Summit (Washington, DC, USA, September 9 - 10, 2015) AFCEA International (AFCEA) and the Intelligence and National Security Alliance (INSA) are pleased to host the second Intelligence and National Security Summit to provide the platform for this essential...

Cybersecurity Innovation Forum (Washington, DC, USA, September 9 - 11, 2015) The 2015 Cybersecurity Innovation Forum is a three-day event hosted by the National Institute of Standards and Technology, and planned with the National Security Agency, and the Department of Homeland...

[New Date] Cyber 6.0 (Laurel, Maryland, USA, September 10, 2015) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity...

2nd Annual Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, September 10, 2015) The one-day symposium will examine the potential advantages and pitfalls of an information-sharing strategy from the technological, business and regulatory perspectives

BSides Augusta 2015 (Augusta, Georgia, USA, September 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of...

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, September 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security...

Gulf Cooperation Council Cyber Security Summit (Abu Dhabi, United Arab Emirates, September 13 - 15, 2015) The GCC Cyber Security Summit will bring together regional and international thought leaders and decision-makers to examine one of the most vital threats to the region's future well-being: cyber-attack.

Hacker Halted 2015 (Atlanta, Georgia, USA, September 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities...

EnergySec 11th Annual Security & Compliance Summit (Washington, DC, USA, September 14 - 16, 2015) For more than 10 years the EnergySec Security Summit has been the premier gathering for stakeholders in the energy sector focused on physical and cyber security. Our summits give each attendee a rare opportunity...

Fraud Summit San Francisco (San Francisco, California, USA, September 15, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Among the areas to be discussed are...
