Late yesterday Yahoo disclosed that the company was breached in August 2013, with a billion customer accounts compromised. This incident is said to be distinct from the breach disclosed in September of this year that affected 500 million customers. “The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said.
The company doesn't know how the breach was accomplished, but thinks the culprits were "state-sponsored." Who the sponsoring state might be remains unspecified, but Yahoo says it's the same one responsible for the breach disclosed earlier. Other observers who've looked into the matter (notably InfoArmor) take issue with that conclusion, saying the breaches look like the work of criminals, albeit criminals who may have had nation-states among their customers. Yahoo! says it's working with appropriate law enforcement agencies, and that it's notifying affected customers. Observers expect this latest breach disclosure to affect Verizon's planned acquisition of Yahoo's core assets.
The ShadowBrokers, who've been trying with small success to auction Equation Group code, are changing their sales model, now offering it for retail. They chew syllables in improbable broken-English with Motherboard, explaining (sort of) "TheShadowBrokers is giving 'responsible parties' opportunity to making things right."
Microsoft reports finding "FinFisher-like" spyware in APTs on European and Turkish systems.
US investigation of Russian election hacking continues. Homeland Security says the vote wasn't manipulated, but that's consistent with doxing to influence public opinion.
Today's issue includes events affecting China, European Union, India, New Zealand, Russia, Turkey, United Kingdom, United States.
A note to our readers: The new Star Wars film, Rogue One, is out this week. It's billed as "the epic tale of a scrappy group of rebels and their daring mission to steal the plans for the Death Star." Given what's generally known about information security, however, one wonders if perhaps the plans might actually have been compromised in a different way.
ON THE PODCAST
The CyberWire's regular daily Podcast will be out later this afternoon, with interviews, educational tips, and more on the stories of the day.
A special edition of our Podcast is up as well—the topic is venture capital. In it we examine the current state of investment in cyber security, speak to experts in the field, and learn from top cyber security-focused venture capitalists about what they expect before they invest.
Cyber Attacks, Threats, and Vulnerabilities
Important Security Information for Yahoo Users(Yahoo!) Following a recent investigation, we’ve identified data security issues concerning certain Yahoo user accounts. We’ve taken steps to secure those user accounts and we’re working closely with law enforcement
Yahoo's Record-Setting Breach Disclosure(The CyberWire) Yesterday Yahoo disclosed that more than a billion customer accounts were compromised in August 2013. This incident is distinct from the breach of 500 million accounts the company disclosed on September 22, 2016. Yahoo! said in its announcement that how the breach was accomplished is not yet known, and that the company is working with law enforcement to investigate. Security industry experts have weighed in with their views on what happened and how such attacks might be prevented or mitigated
Yahoo: One Billion More Accounts Hacked(KrebsOnSecurity) Just months after disclosing a breach that compromised the passwords for a half billion of its users, Yahoo now says a separate incident has jeopardized data from at least a billion more user accounts. The company also warned attackers have figured out a way to log into targeted Yahoo accounts without even supplying the victim’s password
Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion(Wired) In September, Yahoo had the unfortunate distinction of disclosing an enormous 500 million-account breach. Tough stuff. Somehow, though, the company seems to have topped even that staggering figure. Yahoo announced on Wednesday that hackers, in what’s likely a separate attack, compromised one billion of the company’s user accounts in August 2013. One billion. That makes this the biggest known hack of user data ever, and it’s not really close
Yahoo discloses hack of 1 billion accounts(TechCrunch) The company disclosed today that it has discovered a breach of more than one billion user accounts that occurred in August 2013. The breach is believed to be separate and distinct from the theft of data from 500 million accounts that Yahoo reported this September
Newly Uncovered Site Suggests NSA Exploits for Direct Sale(Motherboard) The Shadow Brokers—a hacker or group of hackers that stole computer exploits from the National Security Agency—has been quiet for some time. After their auction and crowd-funded approach for selling the exploits met a lukewarm reception, the group seemingly stopped posting new messages in October
A Brief Interview with The Shadow Brokers, The Hackers Selling NSA Exploits(Motherboard) In August, a group calling themselves The Shadow Brokers publicly released a cache of NSA hacking tools, and promised to sell more. After a failed crowd-funding and auction attempt, the group now appears to be offering a wealth of trojans, exploits, and implants directly to potential customers
DDoS attacks via WordPress now come with encryption(Help Net Security) Kaspersky Lab experts have noted an emerging trend – a growth in the number of attacks using encryption. Such attacks are highly effective due to the difficulty in identifying them amongst the overall flow of clean requests. Recently, the company encountered yet more evidence of this trend – an attack exploiting vulnerabilities in WordPress via an encrypted channel
The State of Wordpress Security(Ripstech) Does Wordpress really need an introduction? It is by far the most popular blogging software on the planet and it is also abused for other tasks frequently. A large percentage of the World Wide Web is Wordpress
Crowdsourced DDoS Extortion – A Worrying Development?(Digital Shadows) We all know about DDoS extortion – the process is straightforward. Contact the company, threaten to launch a crippling DDoS attack that will happen unless the company pays a ransom. But what if the actors do not target the company itself to pay the ransom, but its customers? That’s one of the wildcard scenarios outlined in our latest paper, Mirai and the Future: Forecasting the DDoS Landscape in 2017.
Cerber Ransomware Spreads via Fake Credit Card Email Reports(Bleeping Computer) Just in time for the Christmas holiday shopping spree, the group behind the Cerber ransomware has launched a spam campaign that uses fake credit card reports to trick users into opening a Word file that under certain circumstances will download and install the deadly Cerber ransomware
Code Reuse a Peril for Secure Software Development(Threatpost) The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It’s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host
Sailors’ personally identifiable information stolen by Ricky Ninja(SOFREP News) On October 27, 2016, an unknown person or persons of interest stole 134,386 names and social security numbers of US Navy sailors from a laptop of a contractor working for Hewlett Packard and under contract by the Navy. The exfiltrated data derives from the Career Waypoints database (C-WAY). The C-WAY database is used for re-enlistment submission and request for Navy Occupational Specialties. The last time the Navy suffered a breach of this scale was when the Iranians hacked into unclassified Navy systems in 2014
How Secure Is the Technology Protecting Your Home?(Insurance Quotes) What if burglars could break into your home without ever smashing a window or picking the lock? Say the front door swung wide open to let them in, but the only one there to greet them was your jewelry box?
Risky sites have never been easier to exploit(Help Net Security) 46% of the Internet’s top 1 million web sites, as ranked by Alexa, are risky. This is largely due to vulnerable software running on web servers and on underlying ad network domains, according to Menlo Security
Centrify And Rapid7 Trends And Predictions(Information Security Buzz) It’s that time of year again. The festive season is upon us and with it, online shopping will no doubt take another bite out of traditional bricks-and-mortar sales. With a colourful new president taking office shortly, 2017 promises to be an interesting year. But before we get to predictions, let’s take a look at the year that was
Healthcare IT professionals are overconfident(Help Net Security) A Dimensional Research study evaluated the confidence of IT professionals regarding the efficacy of seven key security controls, which must be in place to quickly detect a cyber attack in progress. Study respondents included 763 IT professionals from various industries, including 101 participants from the healthcare sector
On the Ninth Day of Christmas, the Industry Predicted…GDPR Compliance(Infosecurity Magazine) Deck the halls with boughs of money, tra la la. Why boughs of money? If you suffer a data breach after June 2018 you could face a fine of up to €20 million or 4% of your global annual turnover for the preceding financial year, whichever is the greater. So if data security is not your thing, best enjoy the cash while it is still in your possession
What are NZ’s cybersecurity threats? – Expert Q&A(Science Media Centre) With the 14th annual Privacy, Security and Trust conference held in Auckland this week, the Science Media Centre asked cybersecurity experts about the biggest threats facing New Zealand. Please feel free to use these comments in your reporting
Yahoo Security Breach Adds Element of Insecurity to Its Purchase offer from Verizon(Inquisitr) Yahoo released a statement Wednesday confirming a massive security breach in August of 2013, which likely compromised the private user data of over 1 billion account holders. In a statement about the breach on its website, Yahoo, who in September of this year reported a separate breach of its systems in 2014, which affected 500 million users, explains that in November of this year it received data files from law enforcement that an unnamed third party claimed were Yahoo user data files
Why FireEye Is An Excellent Bargain Right Now(Seeking Alpha) The Company is operating and free cash flow positive, which suggests a successful completion of the restructuring phase. Previous takeover bids give the stock a conservative value of $19 per share. The market for security products is growing and I believe FEYE will benefit from this
TopSpin Security Gaining Traction in Financial Services Market(CIO Today) Financial services organizations select TopSpin Security Intelligent Deception Solutions to protect private data from cyber attackers -- Chicago trading company and other financial firms leverage DECOYnet™ intelligent deception and detection platform to meet compliance and protect private financial data
New DIA acquisition process invites tech firms to show their stuff to senior leaders(Federal News Radio) For the past three years, the Defense Intelligence Agency has been experimenting with a rapid technology acquisition project called “Needipedia,” in which it publishes the technology gaps it wants to fill, lets industry respond with short white papers, then buys new capabilities in as little as a month. This week, DIA plans to take the concept a step further
DoD Battles to Train Enough Cyber Practitioners(GovTechWorks) A new report from the Presidential Commission on Enhancing National Cybersecurity calls for national workforce programs to train 100,000 cyber practitioners by 2020 and a national cybersecurity apprenticeship program to train 50,000 more
Checkmarx Joins German Cyber Security Council(BusinessWire) The German Cyber Security Council and Checkmarx, a global leader in cyber and application security testing, announced today the induction of Checkmarx into the German Cyber Security Council. This exciting new membership approval was delivered by key council member, General Secretary of the Council Mr. Hans-Wilhelm Dünn, at the 2016 HLS & Cyber Conference, which took place mid-November in Tel Aviv, Israel
Promisec Appoints New CEO Simo Kamppari(PRNewswire) Promisec, a pioneer in Endpoint Detection and Response, today announced that its Board of Directors has appointed Simo Kamppari as CEO and President, effective immediately
Virtual StrongBox's 4th Patent Protects File Transfer Between Devices(PRNewswire) Virtual StrongBox, Inc. has received a fourth patent for its state-of-the-art software, which safeguards clients' data (and that of their customers) at all times. Whether consumers are dealing with their financial institution, healthcare provider or insurance agent, they demand convenience – but not at the expense of security. For these and other high-risk enterprises, ensuring safety and positive customer experiences can be challenging
NSS Labs Expands Research Offerings with new Breach Prevention System (BPS) Test(Yahoo! Finance) NSS Labs, Inc., the world's leading cyber security product research, testing, and advisory company, today released a new technology overview and a "Call-to-Test" for Breach Prevention Systems. Breach Detection Systems (BDS) have been deployed to provide enhanced detection of advanced malware, zero-day attacks, and targeted attacks to combat more skilled threat actors who are capable of evading traditional security technologies
150 Filmmakers Ask Nikon and Canon to Sell Encrypted Cameras(Wired) In the summer of 2013, when documentary filmmaker Laura Poitras was shooting a still-secret NSA leaker named Edward Snowden in a Hong Kong hotel room, she took security seriously. She’d periodically transfer her footage to encrypted hard drives, and would later go so far as to destroy the SD cards onto which her camera recorded. But as she watched Snowden through her lens, she was haunted by the possibility that security agents might barge through the door at any moment to seize her camera. And the memory card inside of it remained dangerously unencrypted, full of unedited confessions of a whistleblower who hadn’t yet gotten his secrets out to the world
ENISA says crypto backdoors are a bad idea(Help Net Security) “History has shown that technology beats legislation, and criminals are best placed to capitalise on this opportunity,” the European Network and Information Security Agency (ENISA) noted in a recently released opinion paper on encryption
The Folly of Encryption Backdoors(Digital Guardian) In the aftermath of the election, many people in the security and privacy communities have expressed renewed concerns about the possibility the federal government might again try to implement backdoors or otherwise weaken encryption. It will likely be months before we see any movement on that front, but for now, a new report from the European Union’s information security agency says in no uncertain terms that backdoored encryption is bad for users and undermines the security of the network for everyone
Opinion: Congress needs to check government hacking powers(Christian Science Monitor Passcode) Now that law enforcement has more leeway to hack computers and surveil suspects due to changes in criminal procedure, Congress needs to oversee these powers to protect Americans' civil liberties and privacy
Air Force: Cyber security extends beyond IT(Defense Systems) The Air Force is working to “operationalize” cybersecurity initiatives by widening the aperture regarding what systems and platforms need to be examined and protected, service leaders said
Here's the Public Evidence Russia Hacked the DNC – It's Not Enough(Intercept) There are some good reasons to believe Russians had something to do with the breaches into email accounts belonging to members of the Democratic party, which proved varyingly embarrassing or disruptive for Hillary Clinton’s presidential campaign. But “good” doesn’t necessarily mean good enough to indict Russia’s head of state for sabotaging our democracy
Google Discloses Contents of Eight National Security Letters(Threatpost) Google on Tuesday disclosed the contents of eight National Security Letters it received between 2010 and 2015, becoming the latest company under reforms afforded by the USA Freedom Act to do so. The requests made by United States Federal Bureau of Investigation were made to Google to identify 21 customer accounts and related account data
Flynn investigated by Army for wrongly sharing intelligence(AP via KLTV) The retired Army general chosen by Donald Trump to be national security adviser was investigated for inappropriately sharing classified information with foreign military officers while he was serving as an intelligence commander in Afghanistan
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
SANS Cyber Defense Initiative 2016(Washington, DC, USA, December 10 - 17, 2016) Make plans to attend SANS Cyber Defense Initiative 2016 (CDI). SANS is the one educational organization known for developing the cybersecurity skills most in need right now. SANS Cyber Defense Initiative...
CES® CyberSecurity Forum(Las Vegas, Nevada, USA, January 5, 2017) Now in its second year, the CES® CyberSecurity Forum presented by CyberVista is designed to ensure all stakeholders in developing high tech solutions understand the complexity and the need for action in...
SANS Security East 2017(New Orleans, Louisiana, USA, January 9 - 14, 2017) Start the year off right by choosing from outstanding, cutting-edge courses presented by our top-rated instructors. SANS is looking forward to an exciting kickoff of 2017 with SANS Security East 2017 in...
Cybersecurity of Critical Infrastructure Summit 2017(College Station, Texas, USA, January 11 - 13, 2017) An inaugural event to convene thought-leaders, experts, and strategic decision makers from government, industry, and academia to discuss the technology and policy implications of the ever-evolving cyber-threats...
ShmooCon 2017(Washington, DC, USA, January 15 - 17, 2017) ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and...
SANS Las Vegas 2017(Las Vegas, Nevada, USA, January 23 - 28, 2017) Attend SANS Las Vegas 2017, where SANS will provide outstanding courses in IT security, forensics, and security management presented by the best cybersecurity teachers in the country. At SANS events you...
BlueHat IL(Tel Aviv, Israel, January 24 - 25, 2017) Announcing BlueHat IL – a special edition of Microsoft's leading cyber security conference for top professionals, to be held for the very first time in Tel Aviv, Israel.
Over the past 10 years, BlueHat conferences have drawn the brightest minds in security to discuss key industry challenges. And now, BlueHat IL is here to crank it up by exploring and creating new cyber security thoughts and boundaries. This exclusive, by invitation only, single track event will host top cyber security professionals from around the world, who will come together to tackle the present and peek into the future. It will feature brilliant speakers and focus on breakthrough research, key trends and emerging threats in the field. Registration closes December 28.
SANS Cyber Threat Intelligence Summit & Training 2017(Arlington, Virginia, USA, January 25 - February 1, 2017) Join SANS at this innovative Summit as we focus on enabling organizations to build effective cyber threat intelligence analysis capabilities. Most organizations are familiar with threat intelligence, but...
Blockchain Protocol and Security Engineering(Stanford, California, USA, January 26 - 27, 2017) This conference will explore the use of formal methods, empirical analysis, and risk modeling to better understand security and systemic risk in blockchain protocols. The conference aims to foster multidisciplinary...