These by now are surely dog-bites-man stories, and fast on their way to becoming evergreens, but they remain worthy of attention. Forbes summarizes the activity of Iron Tiger, a Chinese cyber espionage operation discovered and named by Trend Micro. Iron Tiger's activity against US military targets is called "advanced, persistent, and ongoing." And as the US DNI claims that Russia is preparing a campaign against US industrial control networks, F-Secure reports that the Russian services have used Duke malware for espionage since at least 2008. (Duke is another dog-bites-man story: Russian security services are collaborating with criminal gangs to accomplish espionage goals.)
A large number of significant patches have been released, including fixes from Cisco, Apple, WordPress, ISC, and VMWare (and a hat tip to US-CERT for noting these).
The still immature cyber insurance market draws more attention, this week from lawyers noting that cyber policies, while they have an upside for businesses, also bring with them new risks.
In industry news, HP announces 30,000 layoffs. The company is looking for cost savings through automation and outsourcing.
FS-ISAC announces a cyber threat information sharing agreement with US Federal Reserve Banks.
The crypto wars proceed apace in US policy circles: Justice wants backdoors, but almost no one else seems to agree, and the White House is beginning to feel pro-encryption pressure.
US Federal CIOs see a "silver lining" in the OPM hack: it's easier to get resources. (The hundreds of millions whose data were exposed may see this as tarnished silver.)
Today's issue includes events affecting Australia, Belgium, China, Estonia, Iran, Iraq, New Zealand, Russia, Syria, United Kingdom, United States.
Today we're covering the Sixth Annual Billington Cybersecurity Summit. Full coverage of the proceedings will appear in tomorrow's CyberWire. We're also live-tweeting the event, #cyber6th.
Dateline Borderless Cyber 2015
Borderless Cyber 2015(OASIS) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices and tools
Challenges and Opportunities: Information Sharing in a Borderless Domain (Day Two)(The CyberWire) Borderless Cyber 2015 concluded at the World Bank in Washington, DC, yesterday. Organized by OASIS, the not-for-profit open standards organization, the conference addressed the challenges and opportunities cyber information sharing presents internationally. Of particular interest in the second day's proceedings were discussions of obstacles to information sharing, the successful transition of STIX/TAXII to non-governmental governance, and the complex security implications of the Internet-of-things
ATM malware for stealing payment cards discovered(Engineering and Technology) A new piece of malware designed to infect cash machines to steal payment cards and card-holders' information has been discovered by American cyber-security researchers
Container security concerns escalate(Help Net Security) 86% of IT decision makers say their companies already deploy containers, or they plan to do so within a year, according to Twistlock. Of these, 35% said containers are already broadly deployed across their networks
Security Patches, Mitigations, and Software Updates
Cisco Releases Security Updates(US-CERT) Cisco has released updates to address vulnerabilities in Prime Collaboration Assurance, Prime Collaboration Provisioning, and TelePresence Server software. Exploitation of these vulnerabilities could allow a remote attacker to escalate privileges, obtain sensitive information, or cause a denial-of-service condition
VMware Releases Security Update(US-CERT) VMware has released a security update to address a Lightweight Directory Access Protocol (LDAP) certificate validation vulnerability in vCenter Server. Exploitation of this vulnerability may allow an attacker to obtain sensitive information
Persistent XSS flaw in SharePoint 2013 revealed, patched(Help Net Security) Among the vulnerabilities patched earlier this month by Microsoft is an important one that endangers users of Microsoft SharePoint 2013, a web application platform in the Microsoft Office server suite that combines a variety of capabilities
Industrial security awareness continues to remain low(Help Net Security) While traditional manufacturing industries were not designed with security in mind, the proliferation of networks and devices, disparate communication channels, and the use of off-the-shelf software has thrust cybersecurity into the spotlight
Cyber Attacks From Middle East Increasing(National Defense) Cyber attacks originating from Middle Eastern countries such as Syria and Iran are expected to increase over the next several years, said one defense expert Sept. 16
Australia a top-10 attacker as cybercrims target mobile-commerce growth(CSO) Mobile usage surged in the second quarter to the point where mobile devices accounted for 31 percent of all transactions, according to new research that pegged Australia in the global top 10 for attack origins and warns of an increased mobile-security threat as cybercriminals respond to changing usage patterns with intense targeted attacks
'Hackers' at 20(Christian Science Monitor Passcode) How a 20-year-old, mostly inaccurate flop predicted the future, reshaped sci-fi, and won over the real hacker community
Cyberinsurance: Protective or Perilous?(Legaltech News) While it's not a replacement for IT security, cyberinsurance creates a second line of defense to mitigate cyber incidents. But it can also pose new problems
BT Tests Banks with New Ethical Hacking Service(Infosecurity Magazine) Global telecoms and services giant BT has launched its first ethical hacking service for financial institutions, backed by non-profit information assurance body CREST
ObserveIT Intros Insider Threat Platform(Channel Partners) Today, ObserveIT, the leader in user activity monitoring and analytics, announced the release of ObserveIT 6.0, which provides the first insider threat platform to protect enterprises from data loss, fraud and IP theft across third-parties, privileged users and business users
What the military learned from OPM(FCW) In the wake of the mammoth Office of Personnel Management breach, the Defense Department joined the rest of the federal government in some serious cybersecurity introspection and improvement
Forecasting a Breach Is Like Finding a Needle in a Haystack — Not That Tough(IBM Security Intelligence Blog) This year has seen plenty of breaches, and it's not even over yet. Numerous reports show that the number of breaches in 2015 has rivaled 2014, but not many of them are making the evening news — other than the recent hack of Ashley Madison — because breaches are sadly becoming commonplace
Why background screening is vital for IT security(Help Net Security) Which security controls are the most important in thwarting cyber crime against businesses? Anti-malware? Physical security? According to a recent survey, people are a main concern
Obama faces growing momentum to support widespread encryption(Washington Posgt) White House officials have backed away from seeking a legislative fix to deal with the rise of encryption on communication devices, and they are even weighing whether to publicly reject a law requiring firms to be able to unlock their customers' smartphones and apps under court order
Federal CIOs see silver lining in OPM data breach(Federal News Radio) After more than a decade of trying to convince, cajole and warn non-IT executives and employees about the dangers of not paying close attention to cybersecurity, the Office of Personnel Management's massive data breach may have just done the trick
Army surges cyber team development(C4ISR & Networks) The Army's cyber evolution continues with the fielding of cyber protection teams: highly trained groups of soldiers that will target emerging threats
Data Breach Liability and Outsourcing Relationships(New York Law Journal) In August 2015, a group known as the "Impact Team" leaked the customer records of some 32 million users of AshleyMadison.com, the "most famous website for discrete encounters between married individuals"
Google found guilty of violating antitrust laws(Naked Security) Yandex — the "Google of Russia" — has prevailed in getting the country's antimonopoly watchdog agency to rule that Google has abused its dominant position in the market with Android
Russian national pleads guilty to breaking into corporate networks, stealing 160M credit cards(FierceGovernmentIT) In what the Justice Department says is the largest scheme of its kind ever prosecuted in the United States, a Russian national pleaded guilty Sept. 15 to breaking into the corporate computer networks of NASDAQ, Dow Jones, 7-Eleven and JetBlue, among others, and compromising more than 160 million credit card numbers that resulted in hundreds of millions of dollars in losses
Cyber attack testing case closed by FDLE, no suspects identified(Orlando Sentinel) The cyber attacks against Florida's school testing system this spring likely were orchestrated by computer hackers outside the United States, though the state's top law enforcement agency has closed its investigation without identifying any suspects
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
SANS Institute: Information Security Training(Las Vegas, Nevada, USA, September 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security...
Hacker Halted 2015(Atlanta, Georgia, USA, September 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities...
Detroit Secure World(Detroit, Michigan, USA, September 16 - 17, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...
Cyber Security Summit: New York(New York, New York, USA, September 17, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at...
6th Annual Billington Cybersecurity Summit(Washington, DC, USA, September 17, 2015) Join key leaders and decision makers from government, military and the private sector at this one-day intensive networking event as participants focus on the next generation of solutions to ensure this...
Hacker Halted(Atlanta, Georgia, USA, September 17 - 18, 2015) Hacker Halted is a global series of computer and information security conferences presented by EC-Council. The objective of the Hacker Halted conferences is to raise international awareness towards increased...
Cyber Security Summit: New York(New York, New York, USA, September 18, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates...
Data Breach Investigation Summit(Dallas, Texas, USA, September 21 - 26, 2015) Data Breaches are occurring at an alarming rate and increasing in their scope, frequency and impact and they don't discriminate by industry, geography or organization size. When a breach occurs, organizations,...
St. Louis SecureWorld 2015(St. Louis, Missouri, USA, September 22 - 23, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...
OWASP APPSECUSA(San Francisco, California, USA, September 22 - 25, 2015) The premier gathering of developers, security experts and technologists to discuss cutting edge approaches to secure web applications
MeriTalk: Cyber Security Brainstorm(Washington, DC, USA, September 23, 2015) Co-locating with the NIST Cloud Security Working Group, this MeriTalk Brainstorm has an excellent program lined up, featuring keynote speakers Allison Tsiumis (Section Chief, Cyber Intelligence Section,...
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.