When 95% of breaches are human error, why is it on the last line of our security budget?
Probably because until now, you haven’t found a solution that works. NINJIO produces 3-4-minute-long animated Episodes that teach your end-users how not to get hacked. This is done through Hollywood story telling. A new Episode is produced every 30 days on the most current breaches. Your end-users emotionally connect with the first scene of every Episode, so they’re engaged throughout the Episode. NINJIO tells stories, not lectures and has a 98.5% renewal rate. NINJIO works. See a free in person demo.
The Week that Was.
December 3, 2017.
By The CyberWire Staff
Mole hunt updates.
It's still unclear who the Shadow Brokers' source was, but a third NSA employee entered a guilty plea Friday to willful retention of classified information. Nghia Hoang Pho removed classified material from NSA between 2010 and March 2015. Pho's computer is the much-discussed one whose Kaspersky software pulled highly classified files. Sources say Pho took the classified material home so he could use it to help rewrite his resume (New York Times).
Another alleged mole in custody, Reality Winner, was this week denied pre-trial release. Ms Winner, former Air Force, former NSA, and former NSA contractor, faces Federal charges related to her alleged attempt to pass highly classified material to the Intercept (Military Times).
An inspector general's report this week found that US Defense Department programs for monitoring and controlling privileged access to sensitive information are still wanting, even post-Snowden (Fifth Domain). The report may be read in its entirety here. Challenge 4, "Increasing Cybersecurity and Cyber Capabilities," and Challenge 8, "Ensuring Ethical Conduct," are particularly interesting.
Whether you're focused on IT or national security, exploits and data loss incidents put your mission at risk. Your current tools assess and analyze content after it's breached your network - they all work right of boom. It's only a matter of time until boom happens to you. Don't let it. getleftofboom.com
Unsecured AWS S3 bucket contained sensitive US Army INSCOM data.
Researchers at UpGuard found the insecurely configured database contained Red Disk material. Red Disk, an adjunct to the US Army's Distributed Common Ground System (DCGS) was intended to provide multi-level security, centralized data ingestion and handling, and readily sharable information for tactical operations. It's generally regarded as an unsuccessful program, unpopular with its intended users. Failed or not, Red Disk information still shouldn't have leaked. The US Army's Intelligence and Security Command (INSCOM) is a component of NSA's Central Security Service.
Another major exposure hit the private sector, too: 111GB of sensitive information, including credit histories, were in a misconfigured National Credit Federation bucket (Infosecurity Magazine).
What is the state of WPA2, are public WiFis safe now?
On October 16, it was announced that WPA2, most popular WiFi encryption standard, had been cracked. Since then most of the router vendors have created patches. Remotely managed routers were updated automatically the next day. However, it is now more obvious that public WiFis are no longer secure, one must always use VPN while navigating Internet in public networks. Learn how to use VPN to protect internet access in public WiFis.
Former US National Security Advisor pleads guilty.
Michael Flynn, who also said he's cooperating with Special Counsel Robert Mueller's investigation, on Friday entered a guilty plea to charges he lied to the FBI about his conversations with the Russian ambassador (New York Times).
DevSecOps experts from Visa and CYBRIC talk cyber threat survival.
How can you protect yourselves against breaches like Equifax? Swapnil Deshmukh, Sr. Director of Emerging Technologies Security, Visa and Mike D. Kail, CTO, CYBRIC weigh in. Rapid innovation and continuous delivery via DevOps exposes organizations to a constant, evolving cyber threat. Seamlessly embedding continuous security within existing ecosystems will enforce security across the production environment. In this webinar, you’ll learn cultural changes needed for true DevSecOps. Register for this webinar December 12 at 1PM ET.
Carelessness or misdirection?
The Cobalt Group, thieves who specialize in financial institutions, have been exploiting Windows systems that remain unpatched for an old Office vulnerability. They've also apparently leaked a list of their targets by making the rookie mistake of putting the marks' email addresses in the open "To" field of their spam, as opposed to the more customary "BCC" field, which would have obscured the addressees. But there's some speculation that the apparent lapse may be deliberate, wolf-meat tossed to security researchers as misdirection to cover the real targets, which Cobalt is quietly working elsewhere (Bleeping Computer).
The team matters in the world of industrial security.
No single piece of software can secure society, and no single person—or organization—can guard against the unforeseen. That’s why it’s critical to bring together the leading experts from across industries, and from both the public and private intelligence communities to address the critical challenges of industrial security. Learn more about Dragos, builders of the first industrial cybersecurity ecosystem, and the team of leading practitioners they put together.
The Uber hack.
Nobody really believes the hackers who told Uber that if paid, they'd delete the data they stole, actually deleted what they took (Ars Technica). We also now know roughly what the hacking discount is for a stake in Uber. Judging from SoftBank's offer, it looks like a 30% markdown (TechCrunch). The ride-share company has posted another large quarterly loss: $1.5 billion for the third quarter of 2017 (Ars Technica). The company also faces a growing number of lawsuits (Dark Reading).
Among the new security measures Uber's CEO Dara Khosrowshahi has instituted is a crackdown on employee use of secure messaging apps like Wickr and Telegram (Mashable). His intent is to keep discussion of business matters out of difficult-to-monitor side channels. The policy has been in place since soon after Khosrowshahi took the CEO's job, but he tweeted about it Wednesday. The policy is relevant because of criticism of Uber's security practices that's surfaced in current litigation over self-driving-car intellectual property that involves Uber, Google's parent Alphabet, and Waymo (Recode). A memo came to light that may indicate it was Uber's practice to conceal discussion and (allegedly) poaching of intellectual property over "ephemeral communications, non-attributable devices, and false attorney-client privilege designations with the specific intent of preventing the discovery of devices, documents, and communications in anticipated litigation" (Roadshow).
The tally of people in the UK affected by the Uber breach is now placed at 2.7 million (TechCrunch). Internationally, the incident continues to prompt calls for more stringent regulation of data handling and breach disclosure (Daily Star). There's also speculation that the ride-sharing firm's departed security chief might not be out of work for much longer (Outline).
Equifax breach update.
Equifax Canada has more than doubled its estimate of the number of Canadian citizens' whose data were caught up in the credit bureau's breach: the firm now places its estimate at 19,000, up from 8,000 (CTV News).
Shipbroker declines to pay ransom.
Clarksons, a major shipping firm based in London, disclosed Wednesday that it was hit by cybercriminals who accessed its networks, apparently through one authorized user's stolen credentials. The attackers obtained sensitive company data which they threatened to release if they weren't paid ransom (Reuters). This wasn't a ransomware attack, but rather more conventional blackmail. Clarksons declined to pay, disabled the affected account, and is working closely with law enforcement (Logistics Management).
Relationship building vs. relationship breaking as an influence strategy.
Venezuela's government, evidently having no domestic challenges left to engage its energies, has been assisting the Russian organs with information operations aimed at keeping Catalan independence controversy in Spain on the boil (Daily Beast).
Trolling from Moscow (or St. Petersburg) has been less than edifying. While there may be a high-minded pose of self-determination and national aspiration long-deferred in Catalan-themed engagements, this was not the case with the activity reported during the last US election cycle. In that campaign the content was scurrilous: violent, racist, and cunningly depraved, as befits an operation devoted to fomenting resentment, mistrust, and chaos (NBC). For their part, Russian leaders see the US Government as engaged in driving a wedge between the Kremlin and Russian oligarchs (Washington Examiner)
The head of the UK's MI6 is said to have identified Russia as the principal threat to British security (Times) and US Secretary of State Tillerson denounced Russia's "malicious tactics" (Washington Post).
By way of contrast, Chinese influence operations in the US appear to be more honey than vinegar, seeking to build relationships through grants, partnerships, and so forth (Foreign Policy).
Social networking by other means.
NATO, tired of being slapped around in cyberspace, is in an increasingly hawkish mood with respect to its eastern neighbor, which has played a weak hand with considerable skill. Informed by the experience of its new members from the Near Abroad, the Atlantic Alliance is considering assuming an active defense to push back against Russian cyber offensives (Business Insider).
Social media in particular are now seen as an essential adjunct of combat power (Motherboard), perhaps warranting critical infrastructure designation (Security Week).
Autarchy as a defensive strategy.
Russia says it will build its own DNS, a response, Moscow says, to American cyber aggression (Defense One). The projected system represents an attempt to bring large sections of the Internet into Russia's virtual sphere of influence. The new DNS, which Russian planners hope to bring online by August of next year, is designed to attract the other BRICS countries (Brazil, Russia, India, China, and South Africa) into the system (Bleeping Computer).
AI isn't always quite as A as it seems.
Expensify uses a lot of human talent to sift through the receipts submitted to the corporate expense accounting service (WIRED).
Giving the Tin Man a heart.
Or, if you prefer, turning Pinocchio into a real, live boy. Facebook says it will soon deploy an artificial intelligence to determine, from near-realtime scanning of content, whether someone presents a suicide risk (TechCrunch).
Facebook also has said it's disabled targeting of ads to specific ethnic groups, which a trial by Pro Publica seemed to indicate amounted to a subtle form of redlining. Facebook cites a "technical failure" in its system for the problem. The social media platform had employed various algorithms to infer ethnicity and other characteristics of interest to advertisers (BBC).
But the Tin Man may be up against a Terminator.
McAfee warns of a coming machine-learning "arms race" between criminals and defenders (Datanami). Comodo, RiskIQ, and Malwarebytes see a rapidly expanding attack surface, inflated by cryptocurrency adoption, the rise of data lakes, and the quick growth of the Internet-of-things, as providing a strong incentive for criminals to become increasingly "strategic." That means attackers can be expected to take advantage of more sophisticated black markets and to bring artificially intelligent technologies into their operations (CSO). Forbes offers a survey of what AI can be realistically expected to accomplish in network defense.
Three Chinese nationals are indicted for hacking.
They're not in custody, nor are they likely to be taken into custody. The US Department of Justice returned indictments against three Chinese nationals employed by Boyusec, a cybersecurity company that was disestablished earlier in November. They're said to have hacked into Siemens, Moody's Analytics, and Trimble to steal intellectual property. As the US Attorney points out, individuals were charged, not the Chinese government, but it's not difficult to see the indictment as a shot at Beijing's state-directed industrial espionage program (Foreign Policy).
The US has indicted people for hacking who were out of reach before: Russians, Chinese, and Iranians in particular. It's been part of a "naming and shaming" approach to deterring crime. Eventually it's likely that some of those under indictment may travel to a place where they can be arrested and extradited. It happened, after all, to Roman Seleznev, son of a prominent member of Russia's Duma, who incautiously vacationed in the Maldives with his girlfriend in 2014. He'd been indicted in 2011, in April of this year received a twenty-seven year sentence from a US Federal District Court in Seattle (New York Times). Just this week a Federal Court in Georgia tacked on fourteen more years for racketeering and bank fraud (Infosecurity Magazine).
The approach has its fans, and we extend congratulations to the FBI's Pittsburgh Field Office for their solid investigatory work in the Boyusec case, but not everyone is convinced Department of Justice's indictments are necessarily a good idea. It's not only the US that can name and shame, and the Americans have their cyber operators, too, and it's not unreasonable that they might worry about international retaliation (WIRED).
Credit card fraud down over Black Friday.
As the holiday shopping season opens, there's some perhaps unexpected good news: credit card fraud has dropped. An Iovation quick study indicates that credit card fraud dropped 29% over 2016's Black Friday weekend. The reasons are not too complication: retailers have been able to do a better job of detecting fraud, with wider adoption of chip-and-pin technology credited with giving them a big assist (Help Net Security).
Apple fixed a bug that exposed MacOS High Sierra machines to rooting (TechCrunch). The patch is an important one; there's plenty of advice on how best to apply it (Naked Security). Cisco has patched six vulnerabilities in its widely used WebEx players (Threatpost).
Annals of creative slacking: Michael Faraday, call your office when you get to the 19th hole.
Were you aware that a (presumably mostly empty) snack-food bag could serve as an impromptu but effective Faraday cage? Mr. Tom Colella, a "Twisties" puffs fancier, was. He used an empty Twisties bag to enclose his PDA, thereby blocking the ability of his employer, the Western Australia water management outfit Aroona Alliance, to discern that he was not on the job, but rather on the links playing a few rounds of golf. Apparently 140 or so rounds of golf. Twisties come in an aluminized Mylar bag, which apparently did the trick as long as it was closed and grounded. Aroona managers were aware that Mr. Colella liked to keep his PDA wrapped in a Twisties bag, but seem to have regarded this as a harmless eccentricity until they twigged to the whole Faraday cage thing, and then all that time on the course. (Ars Technica). Would this work with an Utz potato chip bag? The Old Bay seasoned kind? We're asking for a friend.
Akamai completed its acquisition of Nominium this week (Multichannel News). Trend Micro announced that it was buying application security firm Immunio. The company intends to use the acquisition to move its hybrid cloud security into the devops market (Dark Reading). Qualys on Wednesday said it had agreed to acquire assets of Netwatcher in a cash transaction (Qualys).
Nokia was rumored to be in talks directed at an acquisition of Juniper Networks (CRN), but Nokia has said there's nothing to the scuttlebutt, and they're not talking about buying anything (CRN). BlackBerry's security expertise and strong intellectual property portfolio are said to be making it an attractive takeover target (Investor Place).
Proofpoint has offered investors $60 million in cash for Weblife (TechCrunch). The acquisition would represent a play for the market in personal email security for corporate networks (Silicon Valley Business Journal).
McAfee announced its acquisition of cloud security specialists Skyhigh Networks. Terms of the deal haven't been announced, but recent estimates of Skyhigh's valuation have run to about $400 million (TechCrunch).
Another major acquisition's terms are known. Private equity firm Thoma Bravo is taking Barracuda Networks private for $1.6 billion (TechCrunch). Observers think Barracuda had been undervalued by the market, and that being taken private will render it more agile (CRN). Observers see this and other recent M&A activity as evidence of a sector-wide trend toward consolidation (Silicon Angle).
Terbium Labs picked up $6 million in a new funding round led by Glasswing Ventures (Street Insider). Pwnie Express names a board member, Todd DeSisto, its new CEO as the company announces an $8 million investment (xConomy). Reversing Labs made the biggest investment score of the week, however, with a $25 million Series A funding round (Digital Journal).
While there are more privately-held unicorns than ever, observers see a curious contraction in early-stage venture capital (TechCrunch).
A retirement prompts an executive shuffle at Booz Allen Hamilton. Joseph Logue will retire from effective June 30th. Executive Vice President Karen Dahut will succeed him as head of the defense business. Executive Vice President Christopher Ling will lead the intelligence business, and Executive Vice President Kristin Martin Anderson will direct the civil business. The changes will take effect on April 1st, 2018, fiscal new year's day at Booz (Washington Business Journal).
ManTech also has some new leadership: Rick Wagner has been appointed to lead the company's Mission, Cyber, and Intelligence Solutions Group, replacing long-time head Bill Varner, who retires at the end of this year (Washington Technology).
Eugene Kaspersky doubles down on his insistence that Kaspersky Lab was emphatically not spying for the Kremlin. He said this week he and his firm would quit Moscow if the Russian government asked them to conduct cyber espionage on its behalf (ZDNet). The US accusations are, he said, a put-up job, deliberately orchestrated by the US Government (Guardian). All US Government agencies are now said to have completed scanning their enterprises for Kaspersky software. About 15% of the Federal agencies were using it; that percent should shortly drop to essentially zero (Axios).
Today's issue includes events affecting Australia, Brazil, China, Denmark, Germany, India, Netherlands, Norway, Russia, Singapore, South Africa, Spain, United Kingdom, United States.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.