skip navigation

More signal. Less noise.

Daily briefing.

Intra-jihadist information ops competition flares in South and Southwest Asia, as Al Qaeda and ISIS compete for mindshare. ISIS may have begun an online market in hostages.

Observers tally up the numbers after the latest US health insurance provider breach and conclude that, from Anthem to Excellus, more than 100 million records have been stolen.

By consensus most of that theft appears, like the OPM breach, to be the work of state espionage services, and the US at least expects to sustain more such incidents. But senior members of the US Intelligence Community sensibly continue to distinguish such espionage — troubling as it is — from "attacks," that is, acts of war. That said, the US Director of National Intelligence wants to see "costs imposed" on those responsible for cyber espionage. (Senior Chinese Foreign Ministry officials, resenting being thus mentioned in dispatches, decry "baseless" US accusations and think the two countries should cooperate more in cyberspace.)

The nature of such costs continues to be a matter of debate in the US, as will the fate and effects of strong encryption — observers see rekindling of the 1990s' crypto-wars.

Researchers find troubling Android malware in the wild.

Those interested in responsible disclosure will find two stories noteworthy. FireEye is suing ERNW over the latter's disclosure of a vulnerability, and Wired thinks it took GM years (as opposed to Chrysler's days) to respond to a proof-of-concept hack because GM wasn't named.

The global market for cyber insurance is expected to exceed $20 billion by 2025.

Notes.

Today's issue includes events affecting Afghanistan, China, India, Iraq, Democratic Peoples Republic of Korea, Republic of Korea, Pakistan, Russia, Syria, United Kingdom, United States.

Today, of course, is the fourteenth anniversary of the 9/11 attacks. Spare a thought for the victims of that violence, and for all who've suffered since.

Dateline Cyber 6.0 and the Second Annual Executive Cyber Security Conference

Cyber 6.0 (GovConnects) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity that will improve their market position, enhance their corporate security policies and infrastructure, identify potential business opportunities, and provide a take away of information and contacts for follow-up that assists businesses in understanding the role they play in national cybersecurity and how they can address those challenges. All businesses have a role to play in protecting the national security of our infrastructure

Cloud Security: Challenges and Problems, Opportunities and Solutions (The CyberWire) Thought leaders from the cyber security industry convened in Howard County on September 10, 2015, to consider the rapidly evolving nature of the cloud, and the way it's shaping cyber security

2nd Annual Senior Executive Cyber Security Conference (Johns Hopkins Whiting School of Engineering) Is information sharing an invitation for governments to siphon data that is meant to be private, or can effective limitations be enforced so that the private sector and the government can work together to combat data breaches and other attacks? In this one-day event, we will explore these questions in depth, with presentations from government officials, representatives from industry, and academicians. We will examine the potential advantages and pitfalls of an information-sharing strategy from the technological, business, legal, legislative, and regulatory points of view

"The Quandary of Information-Sharing and Data Privacy": Report from the Johns Hopkins University (The CyberWire) The Senior Executive Cyber Security Conference took up questions raised by information sharing measures currently under consideration by the US Congress. Not only did the conference organizers see the tension between information sharing and privacy as a "quandary," but the symposiasts also looked at other implications of information sharing, including its prerequisite: collection

Cyber Attacks, Threats, and Vulnerabilities

Islamic State Publishes 'Prisoner for Sale' Messages (Newsweek) The Islamic State is apparently aiming to sell two hostages via its propaganda magazine

Pakistani Taliban spokesman says reports of joining Islamic State are 'lies' (Long War Journal) There are frequent rumors that various jihadist groups are going to defect from the Taliban-al Qaeda axis and join the Islamic State

North Korea may have used unpatched word processor bug to attack South Korea (Daily Dot) North Korea might have exploited a popular word processor to attack South Korea

With latest BlueCross breach, a whopping 102.6 million records stolen (FierceITSecurity) Yes, it's true. There has been another major breach at a BlueCross BlueShield health insurer. This time it's Rochester, NY-based Excellus BCBS and its affiliate Lifetime Healthcare Companies

Report: Healthcare accounts for 21 percent of data breaches worldwide (FierceHealthIT) In the first half of 2015, there were more than 245.9 million records breached worldwide — with the largest impacting consumers of health insurance company Anthem

DoE Cyber Attacks Not Surprising, Experts Say (Homeland Security Today) The revelation this week that the Department of Energy (DoE) Joint Cybersecurity Coordination Center recorded more than 1,000 hacks into department computer systems from 2010 to 2014, including more than 150 successful intrusions into systems containing sensitive data about the nation's electric power grid, cybersecurity experts said they aren't at all surprised

Another OPM-like breach 'inevitable,' says DHS cyber response director (FierceITSecurity) The Office of Personnel Management data breaches that affected 21.5 million people and left federal agencies searching for answers may not be the last of their kind

Chinese and Russian Cyber Espionage: the Kaiser Would be Jealous (War on the Rocks) After the OPM hack, there were suggestions that the Chinese might be building digital dossiers on every U.S. government official, or even on all Americans. More recent reports have the Russian and Chinese intelligence services exploiting personally identifiable information about Americans from security clearance databases, airline records, medical records and many other sources on a massive scale

Newest cyber threat will be data manipulation, US intelligence chief says (Guardian) James Clapper calls data deletion or manipulation 'next push of the envelope'

Lockerpin ransomware steals PINs, locks Android devices permenantly (ZDNet) Researchers have discovered what is believed to be the first example of ransomware capable of truly locking an Android mobile device

Aggressive Android ransomware spreading in the USA (We Live Security) We have been following the evolution and mass spreading of Android ransomware for a while now

Android's Stagefright is back! Here’s what you need to know (Naked Security) The Android vulnerability known as Stagefright is back in the limelight

Security Alert: Antivirus Detection Low on New Spam Campaign that Infects PC with CryptoWall 3.0 (Heimdal) It's only been 2 months since the latest CryptoWall 3.0 spam campaign, which used Google Drive to in a drive-by campaign to abuse vulnerabilities in various popular third-party products and encrypt the victim's data, holding is hostage for ransom

Series of Buffer Overflows Plague Many Yokogawa ICS Products (Threatpost) There is a series of stack buffer overflows in nearly 20 ICS products manufactured by Japanese vendor Yokogawa that can lead to remote code execution

Ashley Madison data breach escalates with password encryption failure (ComputerWeekly) At least 15 million improperly encrypted Ashley Madison passwords are reported crackable, with enormous implications for members and their employers

Finance firms targeted by cyber extortion gang (BBC) Banks, media groups and gaming firms are being hit with extortion demands by a cyber gang who threaten to knock them offline unless they pay up

Aggressive tactics from DD4BC extortionist group revealed (Help Net Security) Akamai shared details of an increase in DDoS attacks from the Bitcoin extortionist group DD4BC, based on observation of attack traffic targeted at customers from September 2014 through August 2015

Indians hit worst in HawkEye keylogger attacks: Trend Micro (Digit) More Indian businesses have fallen prey to a solo hacker's keylogger attacks than any other country, according to the report

Visual hacking and the iPhone 6s's new camera (Graham Cluley) The announcement of Apple's new iPhone 6s revealed some impressive advancements in technology for such a small device

PayPal helpfully disables two-factor authentication via Twitter DM (CSO) In screenshots posted to Imgur, a PayPal user who was having problems accessing their account had received assistance from support representatives via direct message on Twitter

GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars (Wired) When a pair of security researchers showed they could hack a Jeep over the Internet earlier this summer to hijack its brakes and transmission, the impact was swift and explosive: Chrysler issued a software fix before the research was even made public

Security Patches, Mitigations, and Software Updates

Apple adds security features to iOS 9 that will appeal to enterprises (FierceITSecurity) Lost in the noise of Apple's launch of iPhone 6s, iPad Pro and Apple TV was the unveiling of Apple's new mobile operating system, iOS 9, which will be available as a free update on Sept. 16

Cyber Trends

Just Like Old Days: IOT Security Pits Regulators Against Market (Threatpost) Listening to today's privacy panel at the Security of Things Forum, you might have thought you were beamed back to the early 2000s: government people hinting that legislation might be the ultimate solution for security and privacy concerns when it comes to embedded computers and connected things, with enterprise security officers countering that market pressures will dictate the integrity of devices, software and data

Internet of Things: Security misconceptions, expectations, and the future (Help Net Security) What are the most significant misconceptions people have when it comes to IoT security, even in the information security community?

Continuing the march: The past, present, and future of the IoT in the military (Deloitte University Press) Military commanders have always lived and died by information — both quantity and quality. No surprise, then, that the US military has been an early adopter of the Internet of Things and is looking to expand its applications. But this new technology brings with it organizational and security challenges that present both opportunities and obstacles

Marketplace

Global cyber insurance market to grow to over $20 billion by 2025 (Help Net Security) Cyber risk is a major and fast-increasing threat to businesses with cyber-crime alone costing the global economy approximately $445 billion a year, with the world's largest 10 economies accounting for half this total and the U.S. accounting for $108 billion, according to Allianz Global Corporate & Specialty (AGCS)

AIG, Axis provided Ashley Madison insurance: Report (Business Insurance) American International Group Inc. and Axis Capital Holdings Ltd. have provided insurance coverage for the Ashley Madison website, Bloomberg reported Thursday

No Slowdown Yet For Palo Alto Networks (Seeking Alpha) Palo Alto Networks has a history of spectacular revenue growth, which has propelled the stock higher in recent years

Okta combines big data and two-factor authentication in new security product (FierceITSecurity) Company plans to use $75M in new funding to speed product development, expand globally and acquire companies

Argus Cyber Security Secures $26M Series B Funding (PRNewswire) New investors include Magna International, Allianz SE, the SBI Group, with participation of existing investors Magma Venture Partners, Vertex Venture Capital and the Co-Founder of the RAD Group, Mr. Zohar Zisapel. Funding will accelerate the development of Argus' automotive cyber security solutions

Cisco reorg consolidates IoE, cloud ops (CIO) Cisco has announced another organizational restructuring to streamline its Internet of Everything and Cloud operations, expanding the roles of two executives and reassigning another

Trust Kaspersky to Root Out Russian Spyware (BloombergView) If you think U.S. tech companies have a hard time convincing their customers that they don't pass on data to U.S. intelligence services, consider the case of Kaspersky Lab, the Moscow-based cybersecurity company

Raytheon bets big on cybersecurity as it seeks to fill 'hundreds of jobs' (Boston Business Journal) Raytheon, the Waltham-based defense contractor and technology firm, has invested $3.5 billion in cybersecurity initiatives over the past decade. It's a number that's expected to grow — rapidly — in the years ahead

NSA wants millennial talent without millennial perks (C4ISR & Networks) Got talent? The kind of whiz-kid computer skills that could help the government get ahead of hacker adversaries? The National Security Agency wants you. But you can't bring your smartphone

Soderlund: Imperva Technology 'Perfect Fit for Time and Market' (The VAR Guy) Karl Soderlund is about a month into his new job as vice president of Channels and Alliances at Imperva

Tech startups need to get serious about security (CIO) Federal Trade Commission chair takes her message about security by design to the Bay Area, urging young companies not to let the rush to market overshadow critical consumer protections

Internet Bug Bounty Helps Secure Open Source and the Internet [VIDEO] (eSecurity Planet) HackerOne co-founder and CTO Alex Rice discusses what the Internet Bug Bounty is all about

Products, Services, and Solutions

Palo Alto Networks Aims to Sharpen Security with AutoFocus (Enterprise Networking Planet) AutoFocus and Aperture technologies expected to drive future growth as Palo Alto Networks FY2014 revenue tops $928 million

Next-generation device protects plants against cyber-attacks (Drives and Controls) Eaton has announced a new generation of the Tofino industrial security technology that it sells under its MTL brand

Fortinet Earns Numerous Department of Defense Cybersecurity Certifications (MarketWatch) Fortinet delivers broad cybersecurity solutions for critical defense infrastructures

RiskVision Helps Retailers Minimize Cyber Risk Exposure (BusinessWire) New PCI DSS 3.1 content pack tightens controls around secure communications

DEFCON CYBER Scores YOUR Risk Posture based on NIST Cybersecurity Framework (IT Business Net) Rofori Corporation is announcing the availability of its DEFCON CYBER software solution based on the NIST Cybersecurity Framework (CSF). DEFCON CYBER enables an organization to significantly reduce incident response times and measure its cybersecurity risk posture through the execution of its cybersecurity risk management strateg

Fama Helps Businesses Find Social Media “Red Flags” Before Hiring Someone (TechCrunch) Fama Technologies aims to help companies screen potential employees by analyzing their social media posts

Technologies, Techniques, and Standards

Cybersecurity experts: 'Brittle' security systems need overhaul (TechTarget) Cybersecurity experts urge enterprises to embrace new tools, including micro-virtualization and intelligence-led security

Where are you reading this? Can anyone else see your screen? (Dealer) If you travel by train or sometimes work from a coffee shop, is there any chance someone could have overlooked your on-screen information, whether on your laptop, tablet or smartphone?

Michelin Stars and Cybersecurity Intelligence (IBM Security Intelligence) One of the terms that is very current in the industry is security intelligence. There are many pseudo-definitions communicated to clients, but the true meaning of this term often remains vague

Design and Innovation

Xerox PARC's self-destructing chip explodes on demand (IDG via CSO) A new chip developed by Xerox PARC under a DARPA program can self-destruct on command

Research and Development

Why We Must Build an 'Immune System' to Ward Off Cyber Threats (Op-Ed) (LiveScience) People work best when they talk to each other. So do information systems and modern infrastructures

Government-backed IoTUK programme launches (ComputerWeekly) IoTUK programme is backed by £40m of government funding and will explore how the internet of things can be used to enable growth and improve quality of life

Academia

This Could Be The Year Of The University Hack (TechCrunch) You're a college freshman relishing your newfound freedom

MIT, Cambridge, Other Universities Get D's In Internet Security (Dark Reading) Colleges — especially large, high-profile institutions — are facing more cybercrime and nation-state activity

Georgia Tech: Fighting Cyber terrorism (Atlanta Journal Constitution) Georgia Tech plays a critical role in efforts to combat cyber terrorism

Legislation, Policy, and Regulation

International governance of the Internet urged to promote resilience (Business Insurance) A strong and resilient Internet will be governed by the private sector and supported by governments when needed, says a report issued Thursday by Zurich Insurance Group Ltd. and the Washington-based Atlantic Council think tank

Clapper: US Must Prepare for 'A Large, Armageddon-Scale' Cyber Attack (Washington Free Beacon) Director of National Intelligence James Clapper said the U.S. must be prepared for a "large, Armageddon-scale" cyber attack during remarks Thursday at an annual conference of U.S. intelligence community members, but he said that was not likely

Intelligence chief: Little penalty for cyber attacks (Military Times) Cyber attacks against American interests are likely to continue and grow more damaging, in part because hackers face a low risk of consequences, the director of national intelligence told Congress Thursday

U.S. urged to tighten cyber security to counter Chinese hacking (Reuters) The United States must beef up cyber security against Chinese hackers targeting a broad range of U.S. interests to raise the cost to China of engaging in such activities, America's top intelligence official said on Thursday

China tells U.S. to stop 'groundless' hacking accusations (Reuters) China reacted angrily on Friday following a call by America's top intelligence official for cyber security against China to be stepped up, and said the United States should stop "groundless accusations"

China, US can cooperate on cybersecurity, says Chinese top diplomat, amid hacking claims (South China Morning Post) China and the United States can cooperate on cybersecurity and could work together with other countries on rules governing the issue in a spirit of respect, China's top diplomat was quoted on Friday as saying

US braces for WW3 with Cyber Command 'Vision' of integrated cyberops (Register) No mention of Skynet or WOPR as yet

Sanctions For Hacking: Good or Bad Idea? (TrendLabs Security Intelligence Blog) Last week, news reports said the United States government was considering enacting sanctions against individuals and organizations in China and Russia for their involvement in hacking incidents targeting US companies

Intel officials: OPM breach wasn't an attack (Washington Examiner) Intelligence officials have said that the seizing of information from the Office of Personnel Management wasn't severe enough to be considered an attack

ODNI responds to cyber hacks with new counterintelligence campaign (Federal News Radio) Responding to cyber penetrations into federal IT systems at the Office of Personnel Management and elsewhere, the Office of the Director of National Intelligence said Wednesday that it was launching a "comprehensive" and governmentwide counterintelligence campaign

FBI, intel chiefs decry "deep cynicism" over cyber spying programs (Ars Technica) Admit tough questions about things like backdoors have no easy answers

FBI director: Ability to unlock encryption is not a 'fatal' security flaw (Washington Post) In the tug of war between the government and U.S. companies over whether firms should hold a key to unlock encrypted communications, a frequent argument of technologists and privacy experts is that maintaining such a key poses a security threat

The 'Crypto Wars' of the 1990s are brewing again in Washington (Washington Post) A debate over data security is brewing in Washington. On one side, law enforcement officials warn that new deployments of encryption, the technology that protects our communications and stored data from prying eyes, is leaving the government without the insight it needs to track down criminals and terrorists

Blast from the Past: Learning Lessons from Previous Panics Over Ubiquitous Strong Encryption (Disruptive Competition Project) Over the past several months, the tech industry has been experiencing a terrible bout of déjà vu. In a campaign led by FBI Director James Comey, law enforcement and intelligence community voices have argued against the proliferation of ubiquitous strong encryption in consumer devices and communication platforms

Cybersecurity Pros Knock Congress as Security Bill Stalls (DC Inno) The Cybersecurity Information Sharing Act receives heat from the industry

Surplus lines lobbyists to keep Congress focused on cyber (Business Insurance) Congress is still trying to get a handle on cyber risk, which is going to remain a major focus at least through 2020, the year the Terrorism Risk Insurance Act comes up for reauthorization

US CIO Tony Scott: We've sometimes failed at even the most basic preventative measures (FierceCIO) U.S. CIO Tony Scott said he has seen ubiquitous problems in the way some government agencies are building their IT programs

Clapper tries to shield intelligence community workforce from sequestration (Federal News Radio) As the threat of a reignited sequestration nears, Director of National Intelligence James Clapper said his first priority is protecting the intelligence workforce

Different Intelligence Organizations Confront Varying Threats (SIGNAL) The players may be the same on each side, but their methods may not coincide

DoD Committed to Maintaining Strong Bonds with Industry (DoD News) The Defense Department is committed to maintaining the strong bonds between innovators and the department "because going forward, we need the best people, the best technology, and the best innovation to remain the world's finest fighting force," Defense Secretary Ash Carter said in St. Louis today

Litigation, Investigation, and Law Enforcement

Exclusive: Top Senators Investigating Cooked ISIS Intel (Daily Beast) The heads of the armed services and intelligence committees all pledged to get to the bottom of a ?revolt? by U.S. military analysts, uncovered by The Daily Beast

Officials deny ISIS intelligence reports were altered (C4ISR & Networks) After a damning Daily Beast report and the launch of an inspector general investigation, Pentagon officials are hitting back on implications that intelligence reports on ISIS and al Qaeda threats were skewed to favor U.S. dominance

Pentagon Intel Chief Responds to Inquiry Into Islamic State Data (Wall Street Journal) Head of Defense Intelligence Agency defends 'rough and tumble' process of collecting information

Pentagon chief demands honest war intelligence (Navy Times) Defense Secretary Ash Carter has reminded the Pentagon's senior intelligence corps that they are expected to give him their unvarnished views, amid allegations that the military command overseeing the war against the Islamic State distorted or altered intelligence assessments to exaggerate progress against the military group, officials said Thursday

FireEye takes security firm to court over vulnerability disclosure (CIO) ERNW contends it thought it had responsibly cooperated with FireEye

Security company sues to bar disclosure related to its own flaws (Ars Technica) Some vulnerabilities compounded by FireEye software running as root on Apache

Ex-Ashley Madison CTO Threatens Libel Suit (KrebsOnSecurity) Last month, KrebsOnSecurity posted an exclusive story about emails leaked from AshleyMadison that suggested the company's former chief technology officer Raja Bhatia hacked into a rival firm in 2012. Now, an attorney for the former executive is threatening a libel lawsuit against this author unless the story is retracted

Sep 9 Old-School Law Enforcement vs The Deep Web (TrendLabs Security Intelligence Blog) The Deep Web is back in the news. Agora, one of the biggest darknet marketplaces, announced last week that it will go offline to bolster its defenses against law enforcement agencies who want to take them down

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

NSPW (New Security Paradigms Workshop) (Twente, Netherlands, September 8 - 11, 2015) Although NSPW is more of a workshop than a conference, it has earned its right to be included in this list. Since 1992, NSPW has been offering a unique forum for cyber security specialists involved in...

Cybersecurity Innovation Forum (Washington, DC, USA, September 9 - 11, 2015) The 2015 Cybersecurity Innovation Forum is a three-day event hosted by the National Institute of Standards and Technology, and planned with the National Security Agency, and the Department of Homeland...

BSides Augusta 2015 (Augusta, Georgia, USA, September 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of...

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, September 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security...

Gulf Cooperation Council Cyber Security Summit (Abu Dhabi, United Arab Emirates, September 13 - 15, 2015) The GCC Cyber Security Summit will bring together regional and international thought leaders and decision-makers to examine one of the most vital threats to the region's future well-being: cyber-attack.

Hacker Halted 2015 (Atlanta, Georgia, USA, September 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities...

EnergySec 11th Annual Security & Compliance Summit (Washington, DC, USA, September 14 - 16, 2015) For more than 10 years the EnergySec Security Summit has been the premier gathering for stakeholders in the energy sector focused on physical and cyber security. Our summits give each attendee a rare opportunity...

Fraud Summit San Francisco (San Francisco, California, USA, September 15, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Among the areas to be discussed are...

Borderless Cyber 2015 (Washington, DC, USA, September 15 - 16, 2015) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices...

Detroit Secure World (Detroit, Michigan, USA, September 16 - 17, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...

Cyber Security Summit: New York (New York, New York, USA, September 17, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at...

6th Annual Billington Cybersecurity Summit (Washington, DC, USA, September 17, 2015) Join key leaders and decision makers from government, military and the private sector at this one-day intensive networking event as participants focus on the next generation of solutions to ensure this...

Hacker Halted (Atlanta, Georgia, USA, September 17 - 18, 2015) Hacker Halted is a global series of computer and information security conferences presented by EC-Council. The objective of the Hacker Halted conferences is to raise international awareness towards increased...

Cyber Security Summit: New York (New York, New York, USA, September 18, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates...

Data Breach Investigation Summit (Dallas, Texas, USA, September 21 - 26, 2015) Data Breaches are occurring at an alarming rate and increasing in their scope, frequency and impact and they don't discriminate by industry, geography or organization size. When a breach occurs, organizations,...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.