skip navigation

More signal. Less noise.

Is your malware lab a pain to use? Want a ridiculously easy to use malware lab?

Security teams who use a cloud browser can reduce the time spent investigating cases by more than 50%. Instead of wasting time spinning up a VDI, using Tor or connecting to a jumpbox, get online in seconds with Authentic8 Silo, a secure cloud browser and egress from hundreds of points of presence around the world.

The Week that Was.

Foreshadow: a new speculative execution vulnerability.

A new speculative execution issue has been identified in Intel central processing units. The flaws, collectively called "Foreshadow," join the well-known family of Spectre and Meltdown. Foreshadow is in the process of being mitigated. There's so far no known instance of Foreshadow exploitation in the wild, and it seems unlikely that hackers could easily make use of it to attack systems (Bleeping Computer).

Learn how to identify the four types of threat detection.

There is a considerable amount of market confusion around the types of threat detection, how they are derived, and the uses for each. In this whitepaper, Sergio Caltagirone and Robert M. Lee of Dragos, Inc., address those challenges by identifying the four types of threat detection and offering sample use-cases focused on industrial control system (ICS) and industrial internet of things (IIoT) environments. Learn more about identifying the best threat detection method for your ICS organization.

Securing the vote.

The states, which under the US system are responsible for conducting elections, remain concerned about the integrity of the ballot. Thirty-six  states have now deployed Albert sensors on their voting infrastructure to allow the Department of Homeland Security to observe state systems that manage either voter information or voting devices (Reuters).

The states also want the Feds to share more threat intelligence. Forty-four states and the District of Columbia took part in a Department of Homeland Security exercise this week  (US Department of Homeland Security). The states appear to have gained enough insight into the value of threat intelligence to decide that they want more of it (Reuters). Some advocate Federal standards for the conduct of elections, perhaps even mandatory standards (Atlantic Council).

The National Guard Bureau says several state governors have asked their Guard to review cybersecurity in advance of the midterm elections (C4ISRNET).

Election hacking...

MIT's Technology Review published a useful guide to the electoral attack surface, which they divide into quadrants. The first comprises voter registration systems that maintain records of who's authorized to vote. These systems tend to be old, accessed by many, and susceptible to hacking. The potential risk is a technically advanced version of having the dead cast ballots. 

The second involves voter check-in. Where poll workers use tablets instead of paper books, these networked devices are in principle vulnerable to compromise. A voter might be told—falsely—that they'd already voted and can't do so again.

The voting machines themselves resent the third attack surface. These tend to be either optical scanning devices that read and record paper ballots, or direct-recording electronic systems, for which a paper record may or may not be generated. There's some movement away from the more advanced and convenient (but more hackable) direct-recording electronic systems and back to paper, but thirteen states still use paperless machines, and five of them use nothing but.

Finally are the systems that tally and report votes. It would be more difficult to cook up a desired election result than many seem to think, but widespread hacking of these systems could cast doubt on results. There may be one historical case of this being done: some suspect that the Russian government deleted essential files from Ukraine's central election commission in ways that mucked up the 2014 vote. But in the US there are generally checks on outcomes done on a precinct-by-precinct basis. 

Any of these four families of technology, of course, could be hit with irritating malicious encryption in the form of ransomware or, more probably, distributed denial-of-service attacks. Such incidents are the usual coin of commodity cyberattacks, whether criminal or state-run.

Don’t let threats SOC you where it counts.

Protecting your organization from an attack involves much more than the traditional “block & tackle” tactics of the past. A good boxer doesn’t just block the punch they see coming, they move against the next anticipated punch. The modern Security Operations Center (SOC) requires a combination of automation and human tradecraft to successfully repel the adversary. Learn more about the modern SOC in LookingGlass’ webinar featuring guest IDC, August 29 @ 2pm ET.

...and election-focused influence operations.

It's worth distinguishing the hacking of electronic voting systems from malicious influence exerted online. Call these, respectively, cyberattack and information operations. There's been evidence over the last three years of foreign probing of US state voter databases. This can be considered the reconnaissance phase of a potential cyberattack, but much of what gets called "election hacking" involves influence operations. This is the sort of activity that's put pressure on social media, which in turn has prompted a civil libertarian backlash about censorship.

You will recall Facebook's removal of some thirty-two pages that were engaged in what the social medium called "inauthentic behavior." The inauthentic users were accounts created with bogus or at least dubious personae that were heavily involved in pushing various inflammatory political memes. Facebook didn't say it was a Russian trolling operation, but it strongly hinted so, and others have noted the similarity between their content and kinds of lines pushed by Moscow and St. Petersburg troll farms (Washington Post).

The Associated Press talked about this with various academic experts in communications and marketing and concluded that the Facebook pages the social medium recently expunged were following typical advertising playbooks, with affinity marketing supplemented by a heavy dose of moralistic aversion. The goal is discord, the method rumor, and the amplification is all on the regular people clicking, sharing, and liking. So there's nothing new here, but the skill shown by the presumably Russian persuaders is striking. They've demonstrated a solid understanding of their market, accurately hitting American social fissures. The endgame is mistrust. It's not so much that they want you to vote one way as opposed to another. They'd apparently rather you just stayed home, going out only to riot, because elections are, the troll farmers would suggest, nothing more than a sham (Buzzfeed).

Facebook continues to receive adverse scrutiny for its intensely targeting marketing capabilities. Sarah Golding of the Institute of Practitioners in Advertising says that Facebook "has essentially weaponized ad technology designed for consumer products and services.” The kind of "microtargeting" the platform can deliver, addressing cohorts as small as twenty with content specifically devised for them, is found as disturbing by the Institute and some members of both the UK's Parliament and the US Congress as it was found attractive by the Presidential campaigns of Presidents Obama and Trump (New York Times). Some form of regulation is under early consideration on both sides of the Atlantic. Last month the Information Commissioner's Office in Britain called for an "ethical pause" in microtargeting and some serious reflection on the implications of the technology for democratic systems (ICO). US Senator Warner (Democrat of Virginia) has a white paper addressing various approaches to election security (Axios).

The Mueller investigation into Russian hacking and influence operations during the 2016 US election continues (Bloomberg). President Trump, after stripping former Director of Central Intelligence Brennan of his security clearance over what the President characterizes as Brennan's complicity in a bogus witch hunt for Russian collusion (Wall Street Journal), is said to be considering taking away other former officials' clearances too (Washington Post). Brennan calls it all "hogwash" born of desperation (Military Times). FBI Special Agent Peter Strzok was fired by the Bureau this week. He was formerly involved in the Mueller investigation until his dismissal over texts appearing to suggest that political considerations were shaping investigations into Russian election meddling (New York Times).  

Is your company passionate about empowering women to succeed in the cyber security industry?

The CyberWire’s 5th Annual Women in Cyber Security reception is a networking event that highlights and celebrates the value and successes of women in the cyber security industry. Leaders from the private sector, academia, and government from across the region and at varying points on the career spectrum can connect with each other to strengthen relationships while building new ones. Consider sponsoring the event. Limited sponsorships are available. Visit our website to learn more.

Crypto-wars update, Australian edition. 

There's a fresh offensive in the crypto wars, and this one comes out of Australia. The Government has announced its proposed regulations that would address encrypted communications used for criminal or espionage purposes, but explicitly ruled out any intention of backdooring systems. Instead, in cases of criminal investigations, national security matters, or significant threats to the financial system, the Government would be able to require individuals and companies to render various forms of assistance (Gizmodo). 

This hasn't mollified opponents of the measure, who don't see how the regulations could accomplish their purpose without unacceptable compromises of end-to-end encryption (Ars Technica).

Obtain full visibility into your security team with Cybrary.

It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!

Be careful when downloading Fortnite.

Epic Games, makers of the wildly popular Fortnite, pulled their signature game from Google Play as a business move to avoid Google's thirty-percent cut of downloads—understandable, because that's a lot of Vbucks by any standard. Cybercriminals have noticed this, and are using bogus Fortnite download sites to spread various forms of malware. If you want to upgrade your skin from Recon Specialist to Whiteout, be sure you're downloading the genuine article (WIRED).

You go on one little trade mission and now they're hacking you...

There are fresh signs of renewed Chinese industrial espionage. On Thursday Recorded Future blogged that much of the online spying is being staged through Tsinghua University infrastructure. While taking a look at Chinese government cyber surveillance of Tibetan groups, the company observed what it called a "novel Linux backdoor," called "ext4," in use. Their analysis of ext4 led the researchers to discover connection attempts to a compromised Tsinghua University CentOS server.

The operations run through university infrastructure served economic development as well as domestic security goals. Chinese intelligence services took a particular interest in the US state of Alaska, targeting Alaskan state government sites, including the Alaska Department of Natural Resources. Alaskan extraction industries are major exporters to China, selling timber, lead and gold ores, petroleum byproducts, and—the biggest category of export—seafood. A noticeable spike in attention to Alaska appeared after a May trade mission the state sent to China (Reuters).

Patch notes.

August's Patch Tuesday occurred this week. Microsoft addressed sixty flaws, two zero-days among them (KrebsOnSecurity). The zero-days were CVE-2018-8414 and CVE-2018-8373

CVE-2018-8414 involves the use of SettingContent-ms files, and these are Windows 10 control panel shortcuts, to distribute malware. Signs of this sort of exploitation began to appear early last month, and Redmond has now upgraded Windows 10 so that Windows Shell now validates file paths when SettingContent-ms files are executed.

CVE-2018-8373 is a remote code execution vulnerability that arises from the scripting engine's problematic handling of objects in memory in Internet Explorer.

Among other vulnerabilities attracting attention is CVE-2018-8340, discovered by researchers at Okta. This one is a security bypass exploit that's made possible when Active Directory Federation Services (ADFS) mishandling of multi-factor authentication requests. Okta's account suggests the vulnerability would be most easily used by a malicious insider interested in achieving elevated privileges or in spoofing another legitimate user's account. An outside threat could also exploit the issue, although in this case they'd need to support their effort with more ambitious phishing or other forms of social engineering. But such efforts have been successful in the past, and organizations should patch, especially organizations that use ADFS as an identity gatekeeper (SecurityWeek).

Adobe also patched, fixing eleven problems in its products. The breakdown is as follows: five issues were fixed in Adobe Flash Player, three in Adobe Experience Manager, two in Adobe Acrobat and Adobe Reader, and one in the Adobe Creative Cloud Desktop Application. The potential impact of unpatched systems' exploitation includes information compromise, privilege escalation, arbitrary code execution, and unauthorized data manipulation or alteration (SecurityWeek).

Crime and punishment. 

A teenager in Melbourne, Australia, appeared in Children's Court Thursday to plead guilty to charges of hacking Apple servers and obtaining some 90 Gb of material he shouldn't have had, including customer information. His name is being withheld because he's a minor, and so are details of the hack, which defense counsel says would lead to his being identified, since he's become "well-known in the international hacking community" (The Age).

Courts and torts.

A cryptocurrency speculator is suing AT&T over his loss of $24 million in alt-coin due to a sim-swap fraud. He's also seeking $200 million in punitive damages, alleging that an AT&T employee was responsible for the loss, and that the company was indifferent to this form of criminality (Globe Newswire).

Policies, procurements, and agency equities.

The National Defense Authorization Act (NDAA) for Fiscal Year 2019, passed by Congress at the beginning of the month and signed into law by the President on Monday, contains some direction for more American assertiveness in cyberspace. The bill states that the Secretary of Defense has authority to conduct military operations in cyberspace in defense of the US and its allies. "All instruments of national power," including particularly cyber offensive capabilities, are available for use against foreign powers operating against American interests in cyberspace.

The NDAA also addresses deterrence, saying that the US "must develop and, when appropriate, demonstrate to adversaries the existence of cyber capabilities to impose costs on any foreign power targeting the United States." Congress is specifically interested in hearing about specific plans for imposing costs on adversaries, and it wants the Administration to tell it when it needs regulatory or legislative action in support of cyber deterrence. The NDAA desires progress in "advancing technologies for attribution, inherently secure technology and artificial intelligence society-wide" (SIGNAL).

Congressional action anticipated Presidential action. On Tuesday Administration officials acknowledged that the President has rescinded his predecessor's Presidential Policy Directive 20, presumably in the direction of greater delegation of authority to conduct offensive cyber operations, particularly in response to foreign cyber attacks on the US. Those who welcomed the news think it's a sign of greater US agility in cyberconflict. Critics are of two minds. Hawks fear it won't go far enough to deter adversaries and would like to see an even more active posture (Fifth Domain). Skeptics who liked PPD 20 fear that scrapping it will make a muddle of coordination and target selection (Washington Post).

The US Securities and Exchange Commission has issued more stringent rules about breach disclosure (Forbes). 

In a generally well-reviewed move, the FBI appointed Amy Hess Executive Assistant Director of the Criminal, Cyber, Response, and Services Branch (FBI). Hess, a veteran of the FBI's science and technology arm, is among other things regarded as relatively speaking a crypto-wars dove, at least by Bureau standards (Washington Post). 

Fortunes of commerce.

Kaspersky Lab and the Government have filed their final briefs in the security company's law suit challenging Congressional and Administration action banning it from US Government networks. Kaspersky contends, essentially, that the ban amounts to an unconstitutional bill of attainder, illegitimate legislative punishment. A judicial panel will hear the case on September 14th (Nextgov).

Google employees aren't happy about their company's flirtation with a censored search engine for the Chinese government (New York Times).

The labor market.

That Australian teenager who hacked Apple servers supposedly did so because he was a huge fan of the company and hoped to work there some day. Pro-tip, kids: this isn't the best way of getting a recruiter to put your resume at the top of the pile (Naked Security).

Mergers and acquisitions.

Comodo CA has acquired website disaster recovery shop CodeGuard (CRN).

EZShield has acquired IdentityForce for its identity protection capabilities (BusinessWire).

Cisco beat earnings this week. Analysts attribute the good results to the company's focus on security, and they like its recent acquisition of Duo (TechCrunch).

Investments and exits.

Exabeam, aspiring to "be the next Splunk," has raised $50 million in a Series D round led by Lightspeed Venture Partners, with participation by Cisco Investments, Norwest Venture Partners, Aspect Ventures, Icon Ventures, and Shlomo Kramer (Venture Beat).

Portland, Oregon, based Twistlock, specializing in container security, has raised a Series C round of $33 million led by ICONIQ Capital (SecurityWeek).

Safe-T is going public. The company, which will trade on the Nasdaq, intends to use the proceeds for R&D, and for scaling up sales and marketing (StreetInsider)

And security innovation.

IARPA's new director wants to invest in research that could lead to methods of predicting cyberattacks (Fifth Domain).

Israel is investing the equivalent of $24 million to support cybersecurity innovation (Reuters).

Facebook awarded a total of $200 thousand to the top three winners of its Internet Defense Prize at USENIX in Baltimore this week (Facebook Research).


Today's issue includes events affecting Australia, China, Israel, Russia, United Kingdom, United States.

Research Saturday is up. Bitdefender have been tracking a bit of complex rootkit malware called Zacinlo that they suspect has been operating virtually undetected for over six years. Bogdan Botezatu is a senior cyber security analyst with Bitdefender, and he describes what they've found.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.