skip navigation

More signal. Less noise.

Daily briefing.

The New York Times has an account of how cooperation between law enforcement agencies (notably the FBI) and US and UK military forces have enabled the arrest—or, in many cases, the battlefield killing—of ISIS social media operators. In a separate action, French security services have rolled up an alleged ISIS terror ring.

There's no word yet on how last week's denial-of-service attack on the European Commission was accomplished. Radio Free Europe/Radio Liberty notes that the attack coincided with a meeting in Brussels between Ukraine's president and EU officials.

Two hoods using the noms-de-hack "Popopret" and "BestBuy" (the latter unconnected with the electronics retailer) are leasing a Mirai botnet said to contain 400,000 devices. They offer a variety of rental levels, of which this come-on provides a representative sample: "price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks." Popopret and BestBuy are thought to have been responsible for the GovRAT Trojan which InfoArmor identified in November 2015.

In other DDoS news, router vulnerabilities have been exploited to disrupt service to some 400,000 Eir webmail users in Ireland.

KrebsOnSecurity offers another glimpse into the criminal underground with sales videos for ATM inset card skimmers.

Over the weekend San Francisco's Muni public transportation system was hit with HDDCryptor ransomware. The ask is a relatively low 100 Bitcoin, but until the attack on scheduling and payment systems is remediated, the Muni decided to let people ride for free.

Notes.

Today's issue includes events affecting European Union, France, Ghana, Iraq, Ireland, Japan, Democratic Peoples Republic of Korea, Republic of Korea, Norway, Russia, Syria, Ukraine, United Kingdom, United States.

The CyberWire's regular daily Podcast will be out later this afternoon, with interviews, educational tips, and more on the stories of the day. Today we hear from our partners at Terbium Labs, whose Emily Wilson describes how the Dark Web community celebrates the holidays. We'll also hear from a guest, Brad Medairy from Booz Allen Hamilton, who'll take us through their report on what actually happened to the power grid in Western Ukraine last December. If you enjoy the podcast, we invite you to please consider giving it an iTunes review.

AlienVault USM Webcast (Live Webcast, December 1, 2016) Find threats lurking on your systems with host-based intrusion detection and AlienVault USM.

NCCoE Speaker Series: Understanding, Detecting & Mitigating Insider Threats (Rockville MD, USA, December 6, 2016) Your employees could be your biggest cybersecurity risk. Join us to learn more.

Cyber Attacks, Threats, and Vulnerabilities

One by One, ISIS Social Media Experts Are Killed as Result of F.B.I. Program (New York Times) In the summer of 2015, armed American drones over eastern Syria stalked Junaid Hussain, an influential hacker and recruiter for the Islamic State

European Commission Hit By 'Large-Scale' Cyberattack (Radio Free Europe / Radio Liberty) The European Union's executive body says it was hit by a "large-scale" cyberattack that reportedly disabled its access to the Internet for several hours

DDoS-for-hire service now advertising renting out a 400,000 bot-strong Mirai botnet (International Business Times) Security researchers believe that the hackers most likely are operators of the largest known Mirai botnet

Mirai DDoS botnet for rent (My Broadband) A massive Mirai botnet, which promises over 400,000 bots which can carry out DDoS attacks, is for rent on the Internet

ATM Insert Skimmers: A Closer Look (KrebsOnSecurity) KrebsOnSecurity has featured multiple stories about the threat from ATM fraud devices known as “insert skimmers,” wafer-thin data theft tools made to be completely hidden inside of a cash’s machine’s card acceptance slot. For a closer look at how stealthy insert skimmers can be, it helps to see videos of these things being installed and removed. Here’s a look at promotional sales videos produced by two different ATM insert skimmer peddlers

Cyber attack stalls access for Eir webmail users (RTE) The 400,000 users of Eir's webmail service are experiencing intermittent access to their accounts due to a Distributed Denial-of-Service (DDoS) attack on the company

Eir Router Flaw Allows Hackers to Compromise Whole Networks (Best Security Search) A computer security expert has discovered a security vulnerability in Eir routers which allows hackers to compromise the router and the whole internal network

So, just how were those MailChimp accounts hacked? (Graham Cluley) Password-stealing malware a possible culprit

Fraudsters eat for free as Deliveroo accounts hit by mystery breach (Naked Security) Food delivery network Deliveroo has suffered a mysterious security breach that has left dozens of UK users picking up large bills for food they never ordered

Verizon Wireless customers shouldn't fall for this scam (WLTX) A scam is going around where cyber criminals are telling mobile customers to open a link to fix a breach of security on their phone, according to the Newberry County Sheriff's Department

US Navy breach highlights third-party cyber risk (ComputerWeekly) The personal details of more than 130,000 current and former US Navy personnel have been exposed in a breach linked to the compromise of third-party supplier’s laptop

Ransomware forces SFMTA to give free rides, $73,000 demanded by attackers (CSO) The trains are running, but the systems maintaining fares and schedules are not

Passengers ride free on SF Muni subway after ransomware hits 2,100 systems, demands $73k (Register) Workstations, servers, ticket machines derailed by malware

‘You Hacked,’ Cyber Attackers Crash Muni Computer System Across SF (CBS SF Bay Area) ‘You Hacked, ALL Data Encrypted.’ That was the message on San Francisco Muni station computer screens across the city, giving passengers free rides all day on Saturday

Security experts from the CheckPoint firm discovered two different variants of the new Cerber 5.0 ransomware in a few weeks. (Security Affairs) Security experts have spotted a new variant of the dreaded Cerber ransomware, the Cerber 5.0. This is the third version of the malware released this week that is able to encrypt files on all accessible network shares

Black Friday and Cyber Monday Spam Messages Distribute Ransomware (Best Security Search) Microsoft has warned users that computer criminals are distributing dangerous ransomware as part of the Black Friday and Cyber Monday sales

The malicious iPhone video with a silver lining (Naked Security) Anyone here old enough to remember MS-DOS?

CNN, RCN Deny Reports of Porn Airing on Channel in Boston (Variety via Yahoo!) CNN and cable operator RCN are denying reports that 30 minutes of pornography aired on the channel designated for CNN in the Boston area on Thursday night

Security Patches, Mitigations, and Software Updates

cURL security audit learns the lessons of Heartbleed (Naked Security) You may not have heard of cURL but you’ve probably made use of it. It’s one of those pieces of software that does something everybody needs, that everybody uses but almost nobody pays any attention to

Adobe Flash Player Latest Update Download Available with More Patches (Neurogadget) A few weeks ago, Adobe has rushed out an emergency patch for a zero day vulnerability. Well, it seems that the company has just released a new security update for the mentioned software. The new release has patched 9 vulnerabilities, all of them which could allow remote code execution

Cyber Trends

Silencing the Messenger: Communication Apps Under Pressure (Freedom House) Internet freedom around the world declined in 2016 for the sixth consecutive year. Two-thirds of all internet users – 67 percent – live in countries where criticism of the government, military, or ruling family are subject to censorship. Social media users face unprecedented penalties, as authorities in 38 countries made arrests based on social media posts over the past year. Globally, 27 percent of all internet users live in countries where people have been arrested for publishing, sharing, or merely “liking” content on Facebook. Governments are increasingly going after messaging apps like WhatsApp and Telegram, which can spread information quickly and securely

Study: Industry slow to implement information security measures (Automotive IT) Industrial companies are aware that information security and risk management are crucial in today’s data-driven and connected world. But, according to a new study, they also are relatively slow in implementing policies to fend off threats

We’re all screwed, but let’s not be nihilists (TechCrunch) We are so doomed it’s almost funny, and always have been. Don’t worry, I’m not being political! …well, not exactly. I’m talking about the State of Internet Security, which is, as always, disastrous-verging-on-cataclysmic. Are you worried about Russian hackers? Hah! You should be so lucky as to be hacked. We should all be so lucky as to have a functional Internet they can use to hack us

Marketplace

Diversification Is Drowning Barracuda (Seeking Alpha) Barracuda is rebounding after several quarters of trading at a low premium. Valuation still factors in the slow growth rate. Is diversification helping CUDA?

Why and when technology vendors lose a deal - research (Computing) Exclusive in-depth research from Computing and CRN reveals that vendors are too slow to engage, and are failing to match their solution to an end users' needs

French Defense Ministry Considering a Small Company Investment Fund (Defense News) Defense ministry officials are in talks with the finance ministry to set up a government investment fund of “several million euros” to invest in small high technology companies, which carry a national sovereignty interest, Defense Minister Jean-Yves Le Drian said on Thursday

Products, Services, and Solutions

AlgoSec Delivers Intelligent, Zero-Touch Automation to Support Business-Driven Security Policy Management (Yahoo! Finance) AlgoSec, the leading provider of business-driven security policy management solutions, today released the AlgoSec Security Management solution version 6.10. This latest version reinforces AlgoSec's commitment to supporting business driven security management by delivering the visibility, automation and management that organizations need to accelerate their business application deployments into production -- in the cloud or on-premise

Microsoft Says It’s Not Sharing Windows 10 Telemetry Data with Anyone (Softpedia) We’ll just keep this data for ourselves, the company claims

Fingbox: Network security and Wi-Fi troubleshooting (Help Net Security) Fingbox allows you to secure and troubleshoot your home network. It plugs in to your existing router, alerting you when it senses anything out of the ordinary – from new devices on your network, changes in your Internet performance, or unidentified devices that could be an unwelcome intruder

Brace Yourself for Kaspersky’s “Hack-proof” Operating System (HackRead) Kaspersky says their “secure operating system” will be released soon

Technologies, Techniques, and Standards

Protecting smart hospitals: A few recommendations (Help Net Security) The European Union Agency for Network and Information Security (ENISA) has released a new report to help IT and security officers of healthcare organizations implement IoT devices securely and protect smart hospitals from a variety of threats

New Compliance Regimens Will Drive Insider Threat Awareness (Trustifier) Finally! Taking the Insider Threat (Semi-) seriously

National Insider Threat Policy (NCSC) The National Insider Threat Policy aims to strengthen the protection and safeguarding of classified information by: establishing common expectations; institutionalizing executive branch best practices; and enabling flexible implementation across the executive branch

Hacker Lexicon: What Is Perfect Forward Secrecy? (Wired) Encryption keeps your secrets, until it doesn’t. When you use an encryption tool like the venerable software PGP, for instance, your most sensitive communications are only as secure as a single, secret piece of data known as a private key. If that key gets stolen, it’s not just all your future messages that have been compromised. An eavesdropper could crack all your past encrypted correspondence with that stolen key as well

.zzzzz file extension virus. How to Remove? (Uninstall Guide) (2-Spyware) Bad news: Locky hides under .zzzzz file extension

How Carriers Can Help Solve IoT Insecurity (Wireless Week) Through our research and work with carriers, partners, and others, AdaptiveMobile has predicted up to 80 percent of devices connected on the IoT do not have appropriate security measures in place. To put it plainly, four in five of IoT devices on the market are vulnerable to malicious activity, inadvertent attacks, and data breaches

Best of both worlds: Swift and secure financial transactions (Raconteur) As sophisticated cyber criminals become increasingly aggressive and collaborate with offline criminals, banks face a greater threat than ever before. However, one simple innovation can enormously improve their security

Buffer Overflow (BOF) (MS Black Hat) In computer security and programming, a buffer overflow, or buffer overrun, is an anomalous state where a process tries to save information beyond the boundaries of a fixed-length buffer. The result is that next memory locations are overwritten by the additional information. The overwritten data can sometimes include other buffers, variants and application flow info, and might lead to unpredictable program behavior, a memory access exception, application termination (a crash), wrong results or particularly if deliberately the result of a malicious user a potential violation of system security

Time For Security & Privacy To Come Out Of Their Silos (Dark Reading) By working separately, these two teams aren't operating as efficiently as they could and are missing huge opportunities

It's not just cyber criminals who will comprise your valuable data (Security Brief) It may be a cliché but it can’t be said enough: where security breaches are concerned, it’s not if but when. Breaches are splashed across the front pages of the news on an almost daily basis, with some of the world’s biggest companies falling victim. But the story behind these latest breaches to hit the headlines is different

Online Christmas shoppers could be under cyber attack as experts warn of "Wild West" conditions (Mirror) Bargain hunters should stay alert online during the Cyber Monday sales frenzy

Design and Innovation

Your science-fiction ideas could shape the future of the Army (Army Times) If you’ve ever wanted to be the next H.G. Wells, this is your chance

Academia

Guest post: Cybersecurity school to open at Bletchley Park, home of the wartime codebreakers (Naked Security) Great news that a cybersecurity college is going to be set up at Bletchley Park to teach 16-19 year olds cybersecurity skills along with maths, physics, computer science and economics. What better place for the college to be located than at Bletchley Park, the UK’s hub of codebreaking during the second world war?

Legislation, Policy, and Regulation

Secret Trade Proposal Would Give Facebook Free Reign to Censor by Algorithm (Motherboard) Facebook has long drawn ire over its tendency to censor users’ posts based on its opaque standards. But under leaked proposals from a controversial European trade deal, the social network and other online services could be granted legal immunity when censoring any content, as long as it’s deemed “harmful or objectionable”

Intelligence-sharing pact between South Korea, Japan takes effect (Military Times) An intelligence-sharing agreement between South Korea and Japan took effect Wednesday after the countries signed the pact to better monitor North Korea, Seoul officials said

US Navy, Cybersecurity, and Distributed Lethality: A Conversation With Adm. Rowden (Diplomat) An exclusive interview with Vice Admiral Thomas S. Rowden, commander of Naval Surface Forces

Officials celebrate start of Army Cyber Command construction Tuesday (Augusta Chronicle) The Pentagon’s announcement to move Army Cyber Command to Fort Gordon – Dec. 19, 2013 – was a ground-shaking event

Microsoft partners state agencies to fight piracy (Citifmonline) Microsoft has partnered with some government agencies to promote Cyber safety and anti-piracy awareness in Ghana

Litigation, Investigation, and Law Enforcement

France claims Islamic State links to ‘imminent’ terror plot uncovered (Washington Post) French authorities claimed Friday the Islamic State had a direct hand in helping five suspected militants plot “imminent attacks” against possible targets including Paris police hubs and Euro Disney

Obama admin defends vote integrity after hacking fears (The Hill) The Obama administration has defended the integrity of the presidential election despite fears of Russia attempting to undermine the vote

Norway’s highest court refuses to grant Snowden no-extradition guarantees (RT) Norway’s Supreme Court has rejected Edward Snowden’s request for guarantees that he will not be extradited to the US if he enters the country to receive the Ossietzky Prize for outstanding efforts in the field of freedom of expression

Can a Number Be Illegal? (Motherboard) If information can be illegal, a number can be illegal. It's an obvious statement—numbers are information—but one that might lead to absurd conclusions, as a computer scientist named Phil Carmody attempted to demonstrate in 2001 with the discovery and publication of a stupidly long prime number representing a section of forbidden computer code implementing a DVD decoding algorithm known as DeCSS

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

Cyberspies: The Secret History of Surveillance, Hacking, and Digital Espionage (Washington, DC, USA, November 29, 2016) From Bletchley Park to cyber-attacks in the 21st century, the computer was born to spy. Gordon Corera, BBC News Security Correspondent and author of Cyberspies, will trace the previously untold and highly...

Upcoming Events

Insider Threat Program Development Training For NISPOM CC 2 (Aberdeen, Maryland, USA, August 10 - 11, 2016) Insider Threat Defense will hold a two-day training class on Insider Threat Program Development (National Insider Threat Policy-NISPOM Conforming Change 2). For a limited time the training is being offered...

Internet of Things (IoT) (Elkridge, Maryland, USA, November 29, 2016) This cybergamut Technical Tuesday features Dr. Susan Cole, currently the Cybersecurity Lead for a Federal Information Systems Controls Audit Management (FISCAM) preparation team and also provides consulting...

CIFI Security Summit (Toronto, Ontario, Canada, November 30 - December 1, 2016) The Annual CIFI Security Summit takes place all over the world, Asia, Europe, Australia & North America. These summits are essential 2 day conferences and exhibitions bringing together leading security...

AlienVault USM Webcast (Online, December 1, 2016) Host-based intrusion detection systems (HIDS), work by monitoring activity that is occurring internally on a host. HIDS look for unusual or nefarious activity by examining logs created by the operating...

Cyber Threats Master Class (Turin, Italy, December 1 - 2, 2016) The UNICRI Masterclass on Cyber Threats aims to provide media and public relations professionals, as well as those planning a career in public information and communication, with a deeper understanding...

Disrupt London (London, England, UK, December 3 - 6, 2016) TechCrunch Disrupt is the world’s leading authority in debuting revolutionary startups, introducing game-changing technologies, and discussing what’s top of mind for the tech industry’s key innovators.

US Department of Commerce Cyber Security Trade Mission to Turkey ( Ankara and Istanbul, Turkey, December 5 - 8, 2016) Now is the time to expand in Turkey! The growth and frequency of cyber-attacks in recent years has increased the demand to protect critical data and infrastructure of governments and businesses. Turkey...

NCCoE Speaker Series: Understanding, Detecting & Mitigating Insider Threats (Rockville, Maryland, USA, December 6, 2016) Insider threats are growing at an alarming rate, with medium-to-large company losses averaging over $4 million every year. Smaller businesses are at risk too, and it is estimated that in 2014, over half...

Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter (Elkridge, Maryland, USA, December 6, 2016) This cybergamut Technical Tuesday features ZeroFox data scientist John Seymour, who will present a recurrent neural network that learns to tweet phishing posts targeting specific users. Historically, machine...

Practical Privacy Series 2016 (Washingto, DC, USA, December 7 - 8, 2016) This year, the Practical Privacy Series will return to Washington, DC, with its rapid, intensive education that arms you with the knowledge you need to excel on the job. We’re programming some stunningly...

CISO Southern Cal (Los Angeles, California, USA, December 8, 2016) A data breach is not only a PR nightmare, but cause for customers to turn to competitors, exposing sensitive company information and racking up fines from industry regulators. In order for organizations...

SANS Cyber Defense Initiative 2016 (Washington, DC, USA , December 10 - 17, 2016) Make plans to attend SANS Cyber Defense Initiative 2016 (CDI). SANS is the one educational organization known for developing the cybersecurity skills most in need right now. SANS Cyber Defense Initiative...

Privacy, Security and Trust: 14th Annual Conference (Auckland, New Zealand, December 12 - 14, 2016) This year’s international conference focuses on the three themes of Privacy, Security and Trust. It will provide a forum for global researchers to unveil their latest work in these areas and to show how...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.