Survey says: frameworks are good, compliance could be better.

How does the public sector view the state of cyber risk management, IT modernization, and the role of cybersecurity standards in improving our nation’s cyber posture?  A survey of government and industry attendees at the 2017 AWS Public Sector Summit provides a unique window into the perceptions, challenges and opportunities for cyber risk management. Download your copy of the 2017 Public Sector Cyber Risk Management Report.

The week that was.

AWS buckets are again left exposed; credentials are again compromised and exploited.

Another major consultancy has suffered data exposure. UpGuard reports that on September 17 their researchers found sensitive Accenture data exposed in four unsecured Amazon Web Services S3 buckets (Infosecurity Magazine). It's unclear whether the data, now secured, were obtained by bad actors. Accenture says the only unauthorized scan they've detected came from UpGuard, and that the material exposed, including keys and credentials, was related to decommissioned systems (and which therefore poses relatively little risk) (Engadget).

Deloitte's breach may be worse than initially believed. The Guardian reports three-hundred-fifty clients (including US Government agencies and multinational corporations) suffered exposure. Deloitte, which had put the number of affected clients at six, disputes the report. New York State's Attorney General is investigating (Financial Times).

Are you confident your employees can protect your valuable information?

Negligent employees are the No.1 cause of data breaches at small and medium-sized businesses (SMBs). We all need to take steps to ensure our cyber security, and it starts with the collective workforce. Our 31 days of cyber security tips is a helpful guide for companies. View the infographic.

Credit bureau websites served users malicious pop-up.

Experian and its rival credit bureau TransUnion were both victims of malicious third-party code they'd been using to monitor website performance. The companies learned at midweek that some of their websites were serving users a bogus Flash update with a malicious payload. Both Experian and TransUnion say they've corrected the problem, and that their core systems were unaffected (Ars Technica).

Your cyber security posture is right of boom.

Whether you're focused on IT or national security, exploits and data loss incidents put your mission at risk. Your current tools assess and analyze content after it's breached your network - they all work right of boom. It's only a matter of time until boom happens to you. Don't let it. getleftofboom.com

Cyber espionage follows international tension.

Palo Alto Networks reports that the OilRig threat group, prominently involved in hacking Middle Eastern targets, is back, with an enhanced set of Trojans in its tool-bag. The OilRig group is widely believed to be operating on behalf of the Iranian government against regional and other rivals. They're using new infection documents and a new injection Trojan.

Iran has also been implicated in this summer's brute force attacks against the UK's Parliament. Earlier, apparently erroneous, suspicions had centered on Russia. Observers believe this to be the first significant Iranian cyber attack against a British target (Times)

North Korean operators are reported to have successfully exfiltrate sensitive South Korean defense planning files (New York Times). Approximately 235 gigabytes of sensitive data accessed in September 2016 are believed to have included detailed war plans to be used in the event of a North Korean attack, including plans for a decapitation strike against North Korean leadership (Security Week). The revelations have sharpened controversy in South Korea over allegations of domestic political meddling by the country's intelligence services (KBS).

Microsoft said (with "high confidence") at week's end that WannaCry was a DPRK operation (Independent).

Sometimes motive and attribution are unclear. A hacker going by "Alf" (an apparent homage to a character from the soap opera Home and Away) obtained about 30 GB of unclassified but commercially sensitive data on defense programs including the F-35 Joint Strike Fighter, the C-130 cargo aircraft, the P-8 Poseidon maritime surveillance aircraft, the JDAM guided bomb, and various Australian naval vessels. It's unknown whether Alf was working for anyone or just in it for the lulz (Technology Decisions).

There was also a suspicious distributed denial-of-service attack against Sweden's rail service (Bleeping Computer). On Wednesday Trafikverket, a  transportation agency, sustained a DDoS attack on its booking system that forced it to delay or cancel some trains. Trafikverket recovered within hours (Trafikverket), but on Thursday another transport administration, Transportstyrelsen, and Västtrafik, a public operator providing multi-modal surface transportation in western Sweden, were hit by similar attacks. The coincidence suggests a probe of Swedish transportation infrastructure, and many observers suspect Russia (Bleeping Computer). 

How do you take the guesswork out of evaluating anti-malware products in-house?

Anti-malware protection is a cornerstone of information security, so when it comes to testing, don’t take the vendor’s word for it. Test for yourself.

The rest of the story (apparently) on why the US Government banned Kaspersky.

Israeli intelligence services monitoring Russian activity saw Russian organs using Kaspersky software as "an improvised search engine" to locate highly classified American intelligence files improperly stored on a contractor's device (New York Times). The Israelis notified their American colleagues, and, the Times reports, this is the background to the US Government's decision to ban Kaspersky products from its networks. Israeli intelligence services penetrated Kaspersky in 2014, sources say. Kaspersky discovered (and disclosed, without attribution) Israeli presence on its networks in 2015, connecting the activity to the Duqu family of espionage tools (Washington Post). 

Antivirus software's system access makes it an attractive target for exploitation. Kaspersky's products have the reputation of being particularly aggressive in scanning the devices they're installed to protect. Of course, should such scanning be compromised, it can be exploited to look for sensitive material on the devices it's protecting, and that's what sources in the US Government say happened in this case: Russian intelligence services who knew exactly what they wanted, and got it (Register). 

The US Government banned Kaspersky security software from its networks on September 13th,, when the Department of Homeland Security issued Binding Operational Directive 17-01, which "calls on departments and agencies to identify any use or presence of Kaspersky products on their information systems in the next 30 days, to develop detailed plans to remove and discontinue present and future use of the products in the next 60 days, and at 90 days from the date of this directive, unless directed otherwise by DHS based on new information, to begin to implement the agency plans to discontinue use and remove the products from information systems."

The Directive came after months of quiet warnings by the FBI and others of the risks Kaspersky software presented. Kaspersky Lab itself denied that its products were being used to collect intelligence on behalf of Russian or any other national intelligence services, and demanded the US Government lay out its evidence. These developments appear to provide what Kaspersky challenged the US to present.

Kaspersky's precise relationship to the alleged exploit remains unclear. If their software were indeed exploited, one can take one of the following positions, any one of which alone or in combination might be true. Either Kaspersky cooperated with Russian intelligence services and delivered its products up for espionage purposes, or the Russian services hacked Kaspersky without its knowledge, or the Russian services succeeded in infiltrating agents into the company without the company's executives' knowledge. 

Russian state-aligned media say it's all a case of American anti-Russian animus, with the company caught in a geopolitical crossfire (RT), but few others are buying this as the whole story. Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) says it's can't confirm Russian services exploited Kaspersky software for espionage (Deutsche Welle). (But "made in Germany" remains an official selling point, and we've noticed that German security companies are especially clear about where they work, and above all that they're not Kaspersky.) Most observers think the American ban has serious foundation (Foreign Policy).

Join us at 2017 ICS Cyber Security Conference.

As the largest and longest-running cyber security-focused conference for the ICS/SCADA sector, SecurityWeek’s ICS Cyber Security Conference caters to the energy, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations, including military. Join us October 23-26 in Atlanta.  

Influence operations.

Facebook initially seemed uncertain that Russia had been behind some of the election-season influence operations the social media company found itself enmeshed in last year, at first pulling attribution to Russia from early versions of its report, issued in April. The company now has said there were Russian advertising purchases (Ars Technica). The Facebook ads tended toward various hot-button and divisive issues (gun control, immigration, Black Lives Matter, etc.) without much consistency of emphasis (New York Post).

Google is also facing renewed scrutiny over Russian ad buys. The amounts bought seem small—"sub-hundred-thousand-dollar purchases," as people are saying, not particularly significant in the context of campaign spending. The reports on where the ad money from Russia went are interesting, and probably instructive. They had no consistent political line, with anti-Trump ads purchased alongside ads suggesting that President Obama should resign (New York Times). The messages supported Donald Trump, but also insurgent independent-running-as-a-Democrat Bernie Sanders and Green candidate Jill Stein. Some reports suggest that the buyers regarded all three as probable also-rans (Philadelphia Inquirer).

There seem to be at least three lessons these looks back at the 2016 US elections are teaching people. First, Russian information operations appear directed toward discrediting American institutions, with or without the complicity of the institutions themselves (Federalist). The point is opportunistic erosion of trust, not necessarily the production of any particular electoral outcome. Second, like it or not, companies like Facebook and Google will have to come to grips with their de facto role as media outfits, not just neutral technology platforms (WIRED). And third, any available stick can be used to beat remaining conceptions of a common civic good: even Pokémon-Go was apparently exploited by Russian operators in an attempt to increase racial tension and ill will (CNN, Variety).

The future of ISIS inspiration.

ISIS control over its core territories in Syria and Iraq continues to decline, and the major combat operations against the Caliphate seem to be in their endgame, with many fighters surrendering and prominent leaders being killed. The British-born White Widow, a native of Kent, is thought to be among the recent dead, killed in a US drone strike. She had been an unusually strident and vicious proponent of the murder of otherwise innocent infidels. But her twelve-year-old son was killed along with her, and the matter-of-fact notice his death received is sad evidence of the morally coarsening effects of any war, even an otherwise just one, on those who wage or describe it (Guardian).

Those who think the loss of its territory will hush ISIS in cyberspace will probably be disappointed. There are early signs that ISIS is already recasting defeat into a narrative of heroic strategic withdrawal while fighting to the last, like the Prophet's hegira from Mecca to Medina in AD 622 (War on the Rocks).

One ISIS inspiration campaign seems not to have panned out. No evidence has emerged of the Las Vegas shooter's connection with ISIS, or indeed with any group at all (Foreign Affairs).

October's Patch Tuesday.

We received an overview of Patch Tuesday from Ivanti's Chris Goettl, who last week offered his predictions as to what we might expect from Microsoft and others this month. Here's how they turned out:

Microsoft resolved a total of 62 vulnerabilities including two public disclosures and one vulnerability that have been both exploited in the wild and publicly disclosed.  Public Disclosures are an indicator of risk. An attacker could have had enough information to build an exploit prior to release of the update giving them an advantage. 

CVE-2017-8703 | Windows Subsystem for Linux Denial of Service Vulnerability (Publicly Disclosed)- An attacker can execute a specially crafted application to affect an object in memory allowing them to cause the system to become unresponsive.

CVE-2017-11777 | Microsoft Office SharePoint XSS Vulnerability (Publicly Disclosed) – An attacker can send a specially crafted request to an affected SharePoint server.  The attacker would have the same security context as the current user allowing them to read data they should not have access to, use the victim’s identity to take actions on the SharePoint site on behalf of the user, and inject malicious content in the browser of the user.

CVE-2017-11826 | Microsoft Office Memory Corruption Vulnerability (Publicly Disclosed\Exploited) – An attacker could exploit this vulnerability by sending a specially crafted file to the user and convincing them to open it.  An attacker could also host a website containing specially crafted files designed to exploit the vulnerability. If exploited the attacker would have the same context as the user.  In this case, least privilege would mitigate the impact of an exploited system. 

Oracle will release its quarterly update next week, on October 17th. Critical updates are expected for Java JRE and JDK, as well as for other Oracle products. (Pre-release notes are here). The update for Adobe Flash didn't include any critical security patches, just a priority-3 bug fix.

There were some problems with the Microsoft patches. Enterprise users and those not getting the patches through Windows Update suffered some blue screens-of-death. It was a publishing issue Microsoft says it fixed the afternoon of October 10. If you were among those affected, clear your Windows Server Update Services cache and reinstall the latest versions (Computing).

Google says it's issued a fix for Google Home's Mini smart speaker, which apparently under some circumstances was recording and reporting back to Mountain View things it heard in the homes of users, whether or not those users said the magic words "OK Google" or "Hey Google" (Verge). In fairness to Google, the affected devices are early, pre-release versions. The device's official release is set for this coming Thursday, October 19th, and it's pleasant to hear that things should be fixed by then (Google Home Support). OK, Google?

Industry Notes.

Guidewire has concluded a "definitive agreement" to acquire Cyence (New Kerala). Marlin Equity Partners has purchased a majority share in App River (PE Hub). Terms haven't been disclosed, but the company plans to remain in its Florida panhandle location (Gulf Breeze). Parsons, with an eye on increasing its cybersecurity capabilities for the company's work with the US Army Corps of Engineers, has acquired Williams Electric. The acquisition is expected to enhance Parson's broader ability to deliver critical infrastructure protection (Washington Technology). DCX, Vencore, and KeyPoint announced merger plans. The combined company will become one of the top Government services contractors in the US (Washington Business Journal).

Cloud-to-cloud backup and cloud security shop Spinback has received its first round of funding from an institutional investor, AVentures (PR.com). Attivo Networks has raised $21million to support its development of cyber deception solutions (eSecurity Planet). Security Scorecard, the cyber risk monitoring and grading company, has raised $27.5 million from investors in a Series C round (Venture Beat). Akamai announced Wednesday that it had agreed to acquire Nominium, the DNS security shop, and that it plans to integrate Nominium's products into Akamai's offerings (Security Week).

The Mach37 accelerator has opened applications for its next class of cybersecurity start-ups (GlobeNewswire). Earlier this month RunSafe, a start-up offering cyber hardening technology, announced that it had joined Mach37's portfolio.

Icon Ventures, an investment group that specializes in supporting mid-stage start-ups, has raised a new $265 million fund. Icon is known for having invested in some well-known cybersecurity companies, including FireEye and Palo Alto Networks (Bloomberg).

PE Hub has an interesting consideration of what an IPO could look like for intelligence unicorn Palantir.

Northrop Grumman and Marvel Entertainment had a brief but intense flirtation that was stopped by the swift intervention of Comic Con chaperones. The two companies were set to announce a jointly produced comic (with various ancillary material) designed to support science, technology, engineering, and math (STEM) education. The concept was built around a team of heroes, NGEN ("Northrop Grumman Elite Nexus," acronym pronounced "engine") that would work gloved-hand-in-gloved-hand with Marvel's Avengers (Defense News). The idea was coldly received by Comic Conners assembled in New York who take their pacifism at least as seriously as their cosplay, and so Marvel cancelled the deal just as it was set to announce it. It seems surprising that Marvel was caught on the hop by fandom's reaction: the House that Stan Lee Built is certainly no stranger to work with the defense, security, and aerospace sector (Screenrant). So NGEN may never be, but the two companies made amicable noises about their mutual commitment to STEM (Marvel's odd spinning of "Asgardian technology" as its universal scientific McGuffin notwithstanding). Well, Comic Con may not like NGEN, but Stark Industries and Pym Technologies would surely understand.

[2500]

 

This CyberWire look back at the Week that Was discusses events affecting Australia, Germany, Iraq, Iran, Israel, the Democratic Peoples Republic of Korea, the Republic of Korea, Russia, Saudi Arabia, Syria, the United Kingdom, and the United States.

THE CYBERWIRE
Compiled and published by the CyberWire editorial staff. Views and assertions in linked articles are those of the authors, not the CyberWire.
The CyberWire is published by Pratt Street Media and its community partners. We invite the support of other organizations with a shared commitment to keeping this informative service free and available to organizations and individuals across the globe.