Daily briefing.

These by now are surely dog-bites-man stories, and fast on their way to becoming evergreens, but they remain worthy of attention. Forbes summarizes the activity of Iron Tiger, a Chinese cyber espionage operation discovered and named by Trend Micro. Iron Tiger's activity against US military targets is called "advanced, persistent, and ongoing." And as the US DNI claims that Russia is preparing a campaign against US industrial control networks, F-Secure reports that the Russian services have used Duke malware for espionage since at least 2008. (Duke is another dog-bites-man story: Russian security services are collaborating with criminal gangs to accomplish espionage goals.)

A large number of significant patches have been released, including fixes from Cisco, Apple, WordPress, ISC, and VMware (and a hat tip to US-CERT for noting these).

The still immature cyber insurance market draws more attention, this week from lawyers noting that cyber policies, while they have an upside for businesses, also bring with them new risks.

In industry news, HP announces 30,000 layoffs. The company is looking for cost savings through automation and outsourcing.

FS-ISAC announces a cyber threat information sharing agreement with US Federal Reserve Banks.

The crypto wars proceed apace in US policy circles: Justice wants backdoors, but almost no one else seems to agree, and the White House is beginning to feel pro-encryption pressure.

US Federal CIOs see a "silver lining" in the OPM hack: it's easier to get resources. (The hundreds of millions whose data were exposed may see this as tarnished silver.)

Notes.

Today's issue includes events affecting Australia, Belgium, China, Estonia, Iran, Iraq, New Zealand, Russia, Syria, United Kingdom, United States.

Today we're covering the Sixth Annual Billington Cybersecurity Summit. Full coverage of the proceedings will appear in tomorrow's CyberWire. We're also live-tweeting the event, #cyber6th.

Dateline Borderless Cyber 2015

Borderless Cyber 2015 (OASIS) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices and tools

Challenges and Opportunities: Information Sharing in a Borderless Domain (Day Two) (The CyberWire) Borderless Cyber 2015 concluded at the World Bank in Washington, DC, yesterday. Organized by OASIS, the not-for-profit open standards organization, the conference addressed the challenges and opportunities cyber information sharing presents internationally. Of particular interest in the second day's proceedings were discussions of obstacles to information sharing, the successful transition of STIX/TAXII to non-governmental governance, and the complex security implications of the Internet-of-things

Cyber Attacks, Threats, and Vulnerabilities

Chinese Cyber Attacks On US Military Interests Confirmed As Advanced, Persistent And Ongoing (Forbes) A high-level hacking group dubbed Iron Tiger has been observed stealing trillions of bytes of confidential data from the United States government, US defense contractors and related companies in the United States and abroad, security company Trend Micro reports

DNI: Russians Hacked U.S. Industrial Control Nets (Washington Free Beacon) Moscow setting up cyber command, warfare units

Russia has been using the Duke malware family to spy on other countries since 2008, says F-Secure (Graham Cluley) The Russian Federation has been in cahoots with a cyberespionage gang tasked with collecting intelligence from foreign governments and affiliated organisations via "smash-and-grab" hacking attacks designed to steal as much data as possible in the shortest period of time

ATM malware for stealing payment cards discovered (Engineering and Technology) A new piece of malware designed to infect cash machines to steal payment cards and card-holders' information has been discovered by American cyber-security researchers

To hack an Android phone, just type in a really long password (CNN Money) The latest Android phone flaw is sheer stupidity

The rise of repeated "low and slow" DDoS attacks (Help Net Security) There's been a significant change in the nature of DDoS attacks that is leaving businesses exposed to data breaches and malware

Container security concerns escalate (Help Net Security) 86% of IT decision makers say their companies already deploy containers, or they plan to do so within a year, according to Twistlock. Of these, 35% said containers are already broadly deployed across their networks

230,000 new malware samples detected each day (Help Net Security) PandaLabs has confirmed a record increase in the creation of new malware samples

Significant Threats to Data Security Lurk Within, Professionals Say (BusinessWire) Poll of human resource experts shows widespread concern of internal threats to cybersecurity

What happens when the hackers get hacked: inside the hackers-for-hire business (Information Age) Data from the Hacking Team breach provides a fascinating glimpse into the highly secretive world of the professional surveillance industry

Security Patches, Mitigations, and Software Updates

Cisco Releases Security Updates (US-CERT) Cisco has released updates to address vulnerabilities in Prime Collaboration Assurance, Prime Collaboration Provisioning, and TelePresence Server software. Exploitation of these vulnerabilities could allow a remote attacker to escalate privileges, obtain sensitive information, or cause a denial-of-service condition

Apple Releases Security Updates for OS X Server, iTunes, Xcode, and iOS (US-CERT) Apple has released security updates for OS X Server, iTunes, Xcode, and iOS to address multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system

Internet Systems Consortium (ISC) Releases Security Updates for BIND (US-CERT) ISC has released security updates to address vulnerabilities in BIND. Exploitation of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition

VMware Releases Security Update (US-CERT) VMware has released a security update to address a Lightweight Directory Access Protocol (LDAP) certificate validation vulnerability in vCenter Server. Exploitation of this vulnerability may allow an attacker to obtain sensitive information

WordPress 4.3.1 Security and Maintenance Release (WordPress) WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately

Persistent XSS flaw in SharePoint 2013 revealed, patched (Help Net Security) Among the vulnerabilities patched earlier this month by Microsoft is an important one that endangers users of Microsoft SharePoint 2013, a web application platform in the Microsoft Office server suite that combines a variety of capabilities

Microsoft details how Device Guard fights malware in Windows 10 (Help Net Security) As Windows 10 was being prepared for release, Microsoft presented many new security features (and we've written about some) to be included in the new version of the popular OS

Microsoft expands identity security through new Azure AD features (Windows IT Pro) Today Microsoft's Brad Anderson, Corporate Vice President for Enterprise Client and Mobility, announced over on his In The Cloud blog two new capabilities that the company is making available through its Azure Active Directory service

Cyber Trends

The new art of war: How trolls, hackers and spies are rewriting the rules of conflict (Tech Republic) Cyberwar isn't going to be about hacking power stations. It's going to be far more subtle, and more dangerous

Industrial security awareness continues to remain low (Help Net Security) While traditional manufacturing industries were not designed with security in mind, the proliferation of networks and devices, disparate communication channels, and the use of off-the-shelf software has thrust cybersecurity into the spotlight

Encryption: Whose keys are they, anyway? (Help Net Security) Over the past year, encryption has been showing up in a number of unlikely places

Users want data leakers hit by fines and compensation claims (MicroScope) The channel should be at the forefront of leading efforts to encourage users to get on top of data breaches as users express frustration with current situation

Cyber Attacks From Middle East Increasing (National Defense) Cyber attacks originating from Middle Eastern countries such as Syria and Iran are expected to increase over the next several years, said one defense expert Sept. 16

Australia a top-10 attacker as cybercrims target mobile-commerce growth (CSO) Mobile usage surged in the second quarter to the point where mobile devices accounted for 31 percent of all transactions, according to new research that pegged Australia in the global top 10 for attack origins and warns of an increased mobile-security threat as cybercriminals respond to changing usage patterns with intense targeted attacks

'Hackers' at 20 (Christian Science Monitor Passcode) How a 20-year-old, mostly inaccurate flop predicted the future, reshaped sci-fi, and won over the real hacker community

Marketplace

Cyberinsurance: Protective or Perilous? (Legaltech News) While it's not a replacement for IT security, cyberinsurance creates a second line of defense to mitigate cyber incidents. But it can also pose new problems

HP to lay off 30,000 employees, turn to more automation and outsourcing (FierceCIO) HP announced Tuesday that it will be cutting 25,000 to 30,000 jobs in the Hewlett Packard Enterprise division

Kaspersky, Prodata win Belgian govt security contract (Telecompaper) Kaspersky Lab and integrator Prodata Systems have won a contract to provide security services to Belgian state institutions such as the police and public prosecutors

TRU Staffing Partners Expands Cybersecurity Practice, Acquires Kennett Group (Legaltech News) TRU Cyber, led by Jeff Scarpitti, will focus explicitly on cybersecurity staffing and career management

Products, Services, and Solutions

FS-ISAC Announces Arrangement with Federal Reserve Banks to Share Threat Intelligence (Dark Reading) The Financial Services Information Sharing and Analysis Center (FS-ISAC) today announced an arrangement with the Federal Reserve Banks to provide direct access to FS-ISAC security threat information to over 10,000 of their financial institution customers

BT Tests Banks with New Ethical Hacking Service (Infosecurity Magazine) Global telecoms and services giant BT has launched its first ethical hacking service for financial institutions, backed by non-profit information assurance body CREST

ObserveIT Intros Insider Threat Platform (Channel Partners) Today, ObserveIT, the leader in user activity monitoring and analytics, announced the release of ObserveIT 6.0, which provides the first insider threat platform to protect enterprises from data loss, fraud and IP theft across third-parties, privileged users and business users

Optiv Security Goes Vertical With Launch Of Dedicated Financial Services Practice (CRN) Optiv Security has launched a dedicated practice to tackle the continued cybersecurity challenges faced by the financial services industry, the company said Wednesday

IID Launches 'Rapid Insight,' Safe Browsing Tool (Dark Reading) Fortune 100 companies and government agencies already using Rapid Insight to gather contextual information about threats

iovation Launches Enhanced Search and Reporting Capabilities for Online Fraud Detection (Sys-Con Media) Centralizes and correlates iovation's threat intelligence with customer transactional data; ensures faster and more effective fraud determination

DomainTools' Iris interface speeds up cybercrime investigations (IDG via CSO) The vast amount of data collected by the company will be easier to sort through with the new platform

Secude announces a new release of halocore, its flagship data protection solution for SAP users (EIN News) Halocore enables SAP customers to identify sensitive data exports with context-aware classification, track and analyze all download activity from SAP applications, and prevent potential data loss

Koolspan announces reseller agreement with Samsung Electronics America (Koolspan) KoolSpan, Inc., a leading provider of interoperable secure voice and messaging solutions for mobile devices, today announced that Samsung Electronics America, Inc. has selected KoolSpan to further enhance enterprise mobility for business customers in the U.S

Encryption project issues first free SSL/TLS certificate (IDG via CSO) Let's Encrypt plans to distribute certificates more widely in the next couple of months

Trustwave Unveils New Cloud-Based Secure Mobility Platform (MarketWired) Delivers security to proactively protect and defend businesses' fleets of mobile devices

Technologies, Techniques, and Standards

What the military learned from OPM (FCW) In the wake of the mammoth Office of Personnel Management breach, the Defense Department joined the rest of the federal government in some serious cybersecurity introspection and improvement

8 Lessons to Learn from the Sony Breach (Security Magazine) Last year, Sony Pictures Entertainment suffered one of the largest and most public cybersecurity breaches in history

Forecasting a Breach Is Like Finding a Needle in a Haystack — Not That Tough (IBM Security Intelligence Blog) This year has seen plenty of breaches, and it's not even over yet. Numerous reports show that the number of breaches in 2015 has rivaled 2014, but not many of them are making the evening news — other than the recent hack of Ashley Madison — because breaches are sadly becoming commonplace

Should risk management planning include root cause analysis? (TechTarget) Incorporating root cause analysis in risk management planning could be beneficial to developing a security plan, but is it the best time for it?

DDoS prevention: The latest means and methods (TechTarget) Last year distributed denial-of-service attacks, also known as DDoS, rose to record levels of not just frequency but also strength

The cost of a data breach and how to avoid paying it (SC Magazine) As cyber-attacks become increasingly common, it's important that businesses understand the true cost of data breaches

Why background screening is vital for IT security (Help Net Security) Which security controls are the most important in thwarting cyber crime against businesses? Anti-malware? Physical security? According to a recent survey, people are a main concern

Design and Innovation

Here's why complex security and endusers don't mix (Sophos) Security is really all about your endusers. And that's a problem, because when one user does something wrong, it has the potential to bring down the whole company

Research and Development

Galois to Support DARPA's Data Privacy Research Program (GovConWire) Galois in Portland, Oregon, has won a $6.8 million contract to help the Defense Advanced Research Projects Agency conduct data privacy and privacy science studies

Legislation, Policy, and Regulation

China is trying to get US tech companies to agree to a strange pledge (Reuters via Business Insider) China is asking some U.S. technology firms to directly pledge their commitment to contentious policies that could require them to turn user data and intellectual property over to the government

David Thompson: Adversaries Aware of US' Space, Cyberspace Dependence (ExecutiveGov) Maj. Gen. David Thompson, vice commander for Air Force Space Command, has discussed the growing role of space and cyberspace in military operations with Air Force Times in an interview published Saturday

FBI, DOJ want tech industry to find workaround to 'warrant-proof' encryption (Christian Science Monitor Passcode) At an event in Washington Tuesday hosted by Passcode, a top FBI official asked the tech sector to develop solutions for law enforcement to access secure data with a warrant — a notion technologists said would weaken security for everyone

Obama faces growing momentum to support widespread encryption (Washington Post) White House officials have backed away from seeking a legislative fix to deal with the rise of encryption on communication devices, and they are even weighing whether to publicly reject a law requiring firms to be able to unlock their customers' smartphones and apps under court order

Why the U.S. Doesn't Deserve a Back Door to Your Data (Slate) Because it can barely keep its own data safe

SEC to Start Second Round of Cyber Exams, Issues Risk Alert (ThinkAdvisor) OCIE exams to include 'more testing to assess implementation of firm procedures and controls'

Senators ask automakers for cyber security details (Business Insurance) Two U.S. senators have asked the world's biggest automakers for information on steps they have taken

Federal CIOs see silver lining in OPM data breach (Federal News Radio) After more than a decade of trying to convince, cajole and warn non-IT executives and employees about the dangers of not paying close attention to cybersecurity, the Office of Personnel Management's massive data breach may have just done the trick

Army surges cyber team development (C4ISR & Networks) The Army's cyber evolution continues with the fielding of cyber protection teams: highly trained groups of soldiers that will target emerging threats

Jeb Bush says people need to stop "demonizing" the NSA (Naked Security) Among the Republican candidates for US president, Jeb Bush is something of a cybersecurity policy wonk

Litigation, Investigation, and Law Enforcement

Data Breach Liability and Outsourcing Relationships (New York Law Journal) In August 2015, a group known as the "Impact Team" leaked the customer records of some 32 million users of AshleyMadison.com, the "most famous website for discrete encounters between married individuals"

Overview of Requirements for Responding to a Data Breach (National Law Review) With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues

With Clinton's Private Server, 'Didn't Break Laws' Doesn't Mean 'Kept Top Secret Emails Safe' (Huffington Post) One can abide by the law and simultaneously behave in an immoral or unwise manner

Google found guilty of violating antitrust laws (Naked Security) Yandex — the "Google of Russia" — has prevailed in getting the country's antimonopoly watchdog agency to rule that Google has abused its dominant position in the market with Android

Russian national pleads guilty to breaking into corporate networks, stealing 160M credit cards (FierceGovernmentIT) In what the Justice Department says is the largest scheme of its kind ever prosecuted in the United States, a Russian national pleaded guilty Sept. 15 to breaking into the corporate computer networks of NASDAQ, Dow Jones, 7-Eleven and JetBlue, among others, and compromising more than 160 million credit card numbers that resulted in hundreds of millions of dollars in losses

I must not tweet defamatory comments… I must not tweet defamatory comments… I must not.… (Naked Security) When I was a lad — a long time ago now — my school still employed corporal punishment

Kim Dotcom of Megaupload will finally face the music over extradition (Naked Security) It seems like ages since we last wrote about Kim Dotcom

Cyber attack testing case closed by FDLE, no suspects identified (Orlando Sentinel) The cyber attacks against Florida's school testing system this spring likely were orchestrated by computer hackers outside the United States, though the state's top law enforcement agency has closed its investigation without identifying any suspects

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, September 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security...

Hacker Halted 2015 (Atlanta, Georgia, USA, September 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities...

Detroit Secure World (Detroit, Michigan, USA, September 16 - 17, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...

Cyber Security Summit: New York (New York, New York, USA, September 17, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at...

6th Annual Billington Cybersecurity Summit (Washington, DC, USA, September 17, 2015) Join key leaders and decision makers from government, military and the private sector at this one-day intensive networking event as participants focus on the next generation of solutions to ensure this...

Hacker Halted (Atlanta, Georgia, USA, September 17 - 18, 2015) Hacker Halted is a global series of computer and information security conferences presented by EC-Council. The objective of the Hacker Halted conferences is to raise international awareness towards increased...

Cyber Security Summit: New York (New York, New York, USA, September 18, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates...

Data Breach Investigation Summit (Dallas, Texas, USA, September 21 - 26, 2015) Data Breaches are occurring at an alarming rate and increasing in their scope, frequency and impact and they don't discriminate by industry, geography or organization size. When a breach occurs, organizations,...

St. Louis SecureWorld 2015 (St. Louis, Missouri, USA, September 22 - 23, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...

OWASP APPSECUSA (San Francisco, California, USA, September 22 - 25, 2015) The premier gathering of developers, security experts and technologists to discuss cutting edge approaches to secure web applications

MeriTalk: Cyber Security Brainstorm (Washington, DC, USA, September 23, 2015) Co-locating with the NIST Cloud Security Working Group, this MeriTalk Brainstorm has an excellent program lined up, featuring keynote speakers Allison Tsiumis (Section Chief, Cyber Intelligence Section,...
