Onapsis has found that at least thirty-six enterprises are vulnerable to exploitation of their SAP business applications.
Pawn Storm's back, and according to Trend Micro is going after critics of the Russian Government. The current target is Germany’s Christian Democratic Union, Chancellor Merkel’s political party.
“Getting the common people’s data is as easy as buying cabbage,” tweeted someone using the (now-frozen) handle Shenfenzheng. Shenfenzheng (roughly, “Personal Data”) was also able to get, and tweet, the data of some uncommon people in China, including Communist Party bigwigs and industrial leaders. The leaker’s declared motive is to show up lax security practices.
Anonymous persists in its campaign to bring down the world financial system—LIFARS has a summary (and suggests in a cartoon that the world’s common people wouldn’t necessarily benefit from such a crash).
Turkish hacktivists who leaked data from QNB and InvestBank move on to banks in Nepal and Bangladesh. (Some of their leaks, however, may be old and recycled.)
Recently discovered Flash and IE zero-days are being exploited in the wild.
Cyber criminals increasingly profit from business disruption. Proofpoint says Locky’s got an update, IBM looks at interaction-free ransomware infections, and Palo Alto Networks describes criminals’ business models.
In industry news, Thoma Bravo is rumored to have offered to buy out Infoblox.
Cybersecurity Hall-of-Famers weigh in on the crypto wars.
The FBI says it would buy the iPhone exploit again, and Mozilla sues to have the Bureau tell it about any Firefox zero-days it may have up its sleeve.
Today's issue includes events affecting Australia, Bangladesh, China, Egypt, Germany, India, Iraq, Latvia, Libya, Mexico, Nepal, Netherlands, Russia, Spain, Syria, Turkey, Ukraine, United Kingdom, United Nations, United States, and Uzbekistan.
ON THE PODCAST
Catch the CyberWire's Podcast later this afternoon, with interviews, educational tips, and more on the stories of the day. If you've wondered what to do with suspicious-looking emails, Johns Hopkins' Joe Carrigan has some advice for you. And we have a talk with Caleb Barlow from IBM, who fills us in on Big Blue's plans to send Watson to school for a cyber security education.
Hackers try to attack Merkel's party, security consultants say (Reuters) A group of hackers that cyber-security experts say targets critics of the Russian government has been trying since April to attack the computer systems of German Chancellor Angela Merkel's Christian Democratic Union party, a security research firm said on Wednesday.
Chinese Tycoons, Party Officials' Data Leaked on Twitter (Bloomberg News) Personal information on dozens of Chinese Communist Party officials and captains of industry from Jack Ma to Wang Jianlin may have been exposed on Twitter in one of the country’s biggest online leaks of sensitive information.
The Tip of the Iceberg: Wild Exploitation & Cyber-Attacks on SAP Business Applications (Onapsis) On May 11, 2016, the first-ever US-CERT Alert for cybersecurity of SAP business applications was released by the Department of Homeland Security (DHS) to forewarn the cybersecurity community about the significance and implications of an SAP vulnerability, which was patched by SAP over five years ago, that is being leveraged to exploit SAP systems of many large-scale global enterprises. Below are some resources to help you better understand this vulnerability, the potential impact to an organization if it is exploited, as well as the mitigation steps to ensure your organization is not at risk.
SAP bug returns to cause mischief (CSO) After spending about two decades in the trenches I ran across all sorts of IT implementations. One of the ones that always caused me some heartburn was SAP. The running joke that I heard more than a few times was that when you purchase SAP you receive a large box. When you would open that box several hundred consultants would step out.
Act surprised: There’s a new zero-day Flash exploit you need to fix right now (BGR) Flash zero-day vulnerabilities are a dime a dozen these days, so you won’t be surprised to learn there’s another one in the wild. Microsoft and Adobe have independently found two distinct zero-day vulnerabilities for Internet Explorer and Flash, respectively, which means it’s time to update Windows and Flash. Apparently, exploits exist for both that allow for remote code execution.
Spanish-Language Infostealer Trojan Uses Legitimate Libraries (IBM Security Intelligence) In April, security researchers at Zscaler came across malware that targets a specific bank and steals user credentials. This infostealer Trojan seems to be Spanish in origin, and so far has targeted users in the U.S. and Mexico.
Multiple 7-Zip Vulnerabilities Discovered by Talos (Talos) 7-Zip is an open-source file archiving application which features optional AES-256 encryption, support for large files, and the ability to use “any compression, conversion or encryption method”. Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip.
Disruption is big business for cybercrims (CSO) The cybercrime landscape is changing as threat actors adopt increasingly targeted and sophisticated tools to attack businesses that are undergoing significant change.
Infection Minus Interaction? New Android Ransomware Delivers (IBM Security Intelligence) What’s worse than ransomware? Ransomware that installs without any kind of user interaction. It’s a malware-maker’s holy grail — the ability to bypass users entirely and gain access to device functions, files and settings.
Insidious malware cripples school district websites in Region 11 cyber attack (Wichita Falls Times-Record News) A cyber attack that paralyzed the websites of at least two area school districts for several days — and sidelined the websites of many more in the region — appears to have been quelled. The attack was just one in a disturbing trend of rising ransomware attacks that, locally, also have struck government offices.
Kiddicare.com Security Breach (Information Security Buzz) Following a security breach like the recent ‘Kiddicare.com’ hack, the security impact of such exposure isn’t limited to an individual’s personal details; it can also have serious financial and reputational implications for the company. Customers that entrust their private information to an online provider should be able to rest safely in the knowledge it is kept in a secure manner; and all companies who handle private data have a duty to secure it.
Lego robot outfitted with Play-Doh finger hacks swipe-screen security (Naked Security) Lately, the authentication wizards have been focusing on gesture recognition: the interpretation of gestures – typically from the face or hand – that can be turned into algorithms to identify people by how they do things like make a face (that would be gurning to you Brits!) or swipe.
Wendy’s: Breach Affected 5% of Restaurants (KrebsOnSecurity) Wendy’s said today that an investigation into a credit card breach at the nationwide fast-food chain uncovered malicious software on point-of-sale systems at fewer than 300 of the company’s 5,500 franchised stores.
US Congress Dumps Yahoo Mail Over Phishing Attacks (Hack Read) Symantec’s newest threat report claims that email phishing scams have substantially declined in the last three years, but incidences where crypto-ransomware was used to encrypt data and demand payment in exchange to unlock it have increased by 35% just in 2015. This means, instead of phish attacks, we must now fear our data being stolen by malicious actors and then having to pay a hefty sum of cash or digital currency to get the unlocking key so that we become able to access the information.
Security Patches, Mitigations, and Software Updates
Microsoft Disabling Controversial Wi-Fi Sense Feature in Windows 10 (Hack Read) Windows 10 users can breathe a sigh of relief because their Wi-Fi passwords will not be shared with other users, which so far was a default feature of the latest version of their favorite operating system. As per the official statement from Gabe Aul, this feature will no longer be a part of its default settings.
Japanese users not proactive enough about cybersecurity: survey (Japan Today) ESET, a global pioneer in proactive protection for more than two decades, on Wednesday released the ESET Japan Cyber-Savviness Report 2016 showing that while users in Japan are knowledgeable about cybersecurity and take few risks online, they still have some way to go in ensuring that they are adequately protected when they access the Internet.
Cyber, M&A and more at PSA-TEC (Security Info Watch) Mergers, acquisitions, cyber security and more were major themes as part of a lively opening day at PSA-TEC that included several panel discussions and the integrator group’s vendor awards ceremony.
Axway, once again recognized as a key player in the digital economy (Sys-Con Media) Driven by sustained growth and an international development strategy marked by external acquisitions, including Appcelerator in 2016, Axway (Euronext: AXW.PA) has risen to the rank of market leader in solutions supporting the digital transformation of enterprises.
CIA veteran joins Darktrace advisory board (Business Weekly) Fast growing Cambridge UK cyber security business Darktrace has added intelligence muscle to its advisory board with the appointment of a former CIA veteran.
Facebook CTF platform is now open source (Help Net Security) Capture the Flag competitions are a good – not to mention legal – way for hackers to build and hone their skills. But, quality CTF environments are difficult and expensive to build and run.
Interview: Mike Tierney, Veriato (Infosecurity Magazine) As insider threats rise, the technologies to spot and defend against them increase, and it is for this reason that user behavior analytics and activity monitoring software are becoming more popular.
How Visa Threat Intelligence Is Keeping An ‘Eye’ On Cybercrime (PYMNTS) Cybercriminals often work in teams; why shouldn’t the companies that are fighting back against them? That’s the thought process made reality by Visa and FireEye, whose first product together — Visa Threat Intelligence — launched last month.
Review: An Undetectable Android Spying Software that No One Can Perceive (Hack Read) In the wake of the latest report that shows that Jihadist groups are using Telegram, Signal, and WhatsApp for chatting, and Gmail for correspondences and clearly declaring that they prefer it to Yahoo Mail, parents and businesspeople need to become more vigilant. One cannot be too sure about risks lurking around, which is why using an undetectable spy app can be the first step in the right direction.
NIST Guidance takes on Cyber Physical Systems (Security Ledger) In-brief: The National Institute for Standards and Technology (NIST) released a draft publication that recommends ways to improve the security of systems during the engineering phase, including so-called cyber physical systems on the Internet of Things.
The Minimum (CyberPoint) "If the minimum weren't good enough, it wouldn't be the minimum."
How to Tell if Your iPhone Has Been Secretly Hacked (Tripwire: the State of Security) You know you’re living in interesting times when an app designed to tell you if your iOS device has been jailbroken is outselling the likes of Minecraft and Grand Theft Auto.
Cyber Beat Live: I'm In! When insiders threaten our security (IBM Big Data & Analytics Hub) How does your organization work to prevent insider threats? Listen as leading cybersecurity experts discuss the following questions while describing how companies can reorient their security posture to thrive in an age in which trust seems inadequate.
Why Cyber Protection Needs to be at the Scene of the Crime (Infosecurity Magazine) The modus operandi of the new generation of cyber-attackers is best defined by two key facets. The first is that they are using stealthy and more advanced techniques that disguise known malware against static-based detection means such as signatures. The second is that attacks increasingly avoid use of the more traditional file-based delivery mechanisms that all anti-virus, and even some of the newer behavioral-based solutions, focus on.
IBM to Drill Watson in Cybersecurity (TechNewsWorld) IBM on Tuesday announced Watson for Cyber Security, a cloud-based version of its AI technology, trained in cybersecurity as part of a year-long research project.
NSA, DHS Recognize Top Cyber Defense Schools (Homeland Security Today) Multiple colleges and universities were recently designated National Centers of Academic Excellence in Cyber Defense Education by the National Security Agency (NSA) and the Department of Homeland Security (DHS).
UC School of IT awarded exclusive national designation for cybersecurity program (Soapbox Cincinnati) The University of Cincinnati’s Information Technology School was recently designated by the National Security Administration and Department for Homeland Security as a Center for Academic Excellence in Cyber Defense Education (CAE-CDE), a title awarded to just nine U.S. universities so far. The designation will last until 2021, and in addition to prestige it gives UC’s IT program access to special funding and grants open only to schools with CAE-CDE designation.
Class of 2016: UVA Army ROTC Cadet Joins New U.S. Cyber Command (UVA Today) Battlefields are changing. Joseph Weate will fight on one in cyberspace. A fourth-year computer engineering major and a United States Army ROTC cadet, Weate is the first from the University of Virginia to be accepted into the U.S. Army’s Cyber Command.
America is ‘dropping cyberbombs’ – but how do they work? (Conversation) Recently, United States Deputy Defense Secretary Robert Work publicly confirmed that the Pentagon’s Cyber Command was “dropping cyberbombs,” taking its ongoing battle against the Islamic State group into the online world. Other American officials, including President Barack Obama, have discussed offensive cyber activities, too.
Don’t Panic: Making Progress on the “Going Dark” Debate (Berkman Center for Internet & Society at Harvard University) In the last year, conversations around surveillance have centered on the use of encryption in communications technologies. The decisions of Apple, Google, and other major providers of communications services and products to enable end-to-end encryption in certain applications, on smartphone operating systems, as well as default encryption of mobile devices, at the same time that terrorist groups seek to use encryption to conceal their communication from surveillance, have fueled this debate.
Dear Senator Wyden (Office of the Director of National Intelligence, Director of Legislative Affairs) At the 9 February 2016 testimony before the Senate Select Committee on Intelligence, you asked that the Intelligence Community (IC) review and provide our assessment of the then-recently released Berkman Center "Don't Panic" report.
Setting up a Straw Man: ODNI's Letter in Response to "Don't Panic" (Lawfare) As Paul has noted, the ODNI has responded to the Harvard study "Don't Panic" by observing that widespread use of encryption provides an "impediment that cannot be fully mitigated by other means" (full disclosure: I participated in the study). His Lawfare post says "The IC Thinks Harvard Study is Wrong about Encryption," but instead, it looks to me like ODNI's letter got it wrong.
Warning Signs: A Checklist for Recognizing Flaws of Proposed “Exceptional Access” Systems (Lawfare) In the eighteen months since FBI Director James Comey raised alarm bells about encryption and surveillance, there have been many calls for the technology community to solve the problem. Director Comey’s call to action was a genuine statement of law enforcement concern but sparse on operational details. However, technical security analysis of any proposal necessarily relies on such details. Some technologists have begun to offer ideas on how to solve the exceptional access problem.
Industry Asks Hill for Foreign Sales Reforms (Defense News) Warnings from top representatives of the US defense industry that the foreign military sales process needs an efficiency upgrade faced scrutiny and skepticism on Capitol Hill on Wednesday from a top Democrat of the House Armed Services Committee.
Agencies try to predict the future of cybersecurity (Federal News Radio) With the advent of cloud and mobile technology forcing a paradigm shift in IT, leaders in cybersecurity are finding themselves in the position of fortune-tellers, hovering over crystal balls trying to guess what the next big thing is going to be and how to prepare for it.
FBI Head: Islamic State Brand Losing Power in US (AP) Fewer Americans are traveling to fight alongside the Islamic State and the power of the extremist group's brand has significantly diminished in the United States, FBI Director James Comey said Wednesday.
Comey defends FBI’s purchase of iPhone hacking tool (Washington Post) FBI Director James B. Comey said Wednesday that the bureau did not purposely avoid a government process for determining whether it should share with Apple the way it cracked a terrorist’s iPhone.
Mozilla fights in court to get info about potential Firefox flaw (Help Net Security) Mozilla has asked a Washington State District Court to compel FBI investigators to share details about a vulnerability in the Tor Browser with it before they share them with the defendant in a lawsuit, so that it can fix the flaw before the knowledge becomes public.
The Ukrainian Hacker Who Became the FBI’s Best Weapon—And Worst Nightmare (Wired) One Thursday in January 2001, Maksym Igor Popov, a 20-year-old Ukrainian man, walked nervously through the doors of the United States embassy in London. While Popov could have been mistaken for an exchange student applying for a visa, in truth he was a hacker, part of an Eastern European gang that had been raiding US companies and carrying out extortion and fraud. A wave of such attacks was portending a new kind of cold war, between the US and organized criminals in the former Soviet bloc, and Popov, baby-faced and pudgy, with glasses and a crew cut, was about to become the conflict’s first defector.
Ex-Skype Crew Sued Developers Of WhatsApp Encryption Over '$2m Extortion' (Forbes) As the fight between Apple and the FBI attested, we’re in the midst of Cryptowars 2.0. But it would be reductive to claim it’s technologists facing off against the government over how to best protect the public from criminal hackers and terrorists. On both sides there are internecine battles being fought, as shown in a quickly-dismissed case between two developers of secure messaging and call services, Wire Swiss and Open Whisper Systems, the organization behind WhatsApp’s end-to-end encryption rollout.
First Circuit and FTC Address Definitions of “PII,” While Michigan Amends Privacy Law to Remove Statutory Damages (Davis Wright Tremaine LLP) On April 29, 2016, the U.S. Court of Appeals for the First Circuit handed down its widely anticipated opinion in Yershov v. Gannett Satellite Information Network, Inc., in which it expanded the reach of the Video Privacy Protection Act (“VPPA” or “Act”) by endorsing a considerably expanded view of how the statute applies in the digital media context. In its decision, the court held that (1) “personally identifiable information” (“PII”) includes the GPS coordinates of a device; and (2) a user of a mobile application – even one who does not pay or otherwise register to use the app – qualifies as a “consumer” entitled to the protections of the Act.
Germany set to end copyright liability for open Wi-Fi operators (Help Net Security) People who travel to Germany are often surprised at the lack of public, open Wi-Fi networks. That’s because German law (Störerhaftung – “liability of duty”) holds operators of public hotspots liable for everything their users do online, especially when these actions are against the law, and even if the operators weren’t aware of them.
Newly Noted Events
SINET Innovation Summit 2016 (New York, New York, USA, July 14, 2016) “Connecting Wall Street, Silicon Valley and the Beltway.” SINET Innovation Summit connects America’s three most powerful epicenters and evangelizes the importance of industry, government and academic collaboration...
hardwear.io Security Conference (The Hague, the Netherlands, September 20 - 23, 2016) hardwear.io Security Conference is a platform for the hardware and security community where researchers showcase and discuss their innovative research on attacking and defending hardware. The objective of...
IP EXPO Nordic 2016 (Stockholm, Sweden, September 27 - 28, 2016) IP EXPO Nordic is part of Europe’s number ONE enterprise IT event series, designed for those looking to find out how the latest IT innovations can drive business growth and competitiveness. The event showcases...
Guarding the Grid (Washington, DC, USA, May 12, 2016) Protecting the power grid from today's cyber threats has become one of the nation's top national security priorities. Nowhere was this more evident than in the aftermath of the cyberattack in Ukraine that...
Telegraph Cyber Security (London, England, UK, May 17, 2016) The Telegraph Cyber Security conference will provide the key components to create a cutting-edge cyber security plan, regardless of your organisation’s size or sphere of activity.
DCOI 2016 (Washington, DC, USA, May 18 - 19, 2016) DCOI 2016 is a concerted effort of the state of Israel and the Institute for National Security Studies (INSS) of Tel-Aviv University, a non-profit organization that aims towards enhancing collaboration...
ISSA LA Eighth Annual Information Security Summit (Universal City, California, USA, May 19 - 20, 2016) The ISSA-LA Information Security Summit is the only educational forum in the greater Los Angeles area specifically designed to attract an audience from all over Southern California as a means to encourage...
HITBSecConf2016 Amsterdam (Amsterdam, the Netherlands, May 23 - 27, 2016) The event kicks off with all-new 2-day and, for the first time, 3-day training sessions held on the 23rd, 24th and 25th. Courses include all new IPv6 material by Marc 'van Hauser' Heuse of THC.org, an in-depth...
Enfuse 2016 (Las Vegas, Nevada, USA, May 23 - 26, 2016) Enfuse is a three-day security and digital investigations conference where specialists, executives, and experts break new ground for the year ahead. It's a global event. It's a community. It's where problems...
Cybersecurity Law Institute (Washington, DC, USA, May 25 - 26, 2016) Those lawyers who ignore cyber threats are risking millions of dollars for their companies or their clients. Recent reports by Cisco and the World Economic Forum both highlight the paramount importance...
4th Annual Cybersecurity Law Institute (Washington, DC, USA, May 25 - 26, 2016) At our 4th annual Institute, in the capital where cybersecurity regulations and enforcement decisions are made, you will be able to receive pragmatic advice from the most knowledgeable legal cybersecurity...
SecureWorld Atlanta (Atlanta, Georgia, USA, June 1 - 2, 2016) Join your fellow security professionals for affordable, high-quality cybersecurity training and education. Earn 12-16 CPE credits through 60+ educational elements learning from nationally recognized industry...
Innovations in Cybersecurity Education Workshop 2016 (Halethorpe, Maryland, USA, June 3, 2016) Innovations in Cybersecurity Education is a free regional workshop on cybersecurity education from high school through post-graduate. It is intended primarily for educators who are teaching cybersecurity...