1 million credentials fall into criminal hands every single day.
That's just one of the findings from the 2018 Credential Spill Report, which analyzed all of the usernames and passwords reported as compromised last year. The report also studied credential stuffing attack data across four major industries (finance, airlines, retail, and hotels) and found that retailers were by far the most targeted for account takeover. Read the report to learn about new ways attackers disguise credential stuffing and the total cost of these attacks.
December 11, 2018.
By the CyberWire staff
Italian oil-service company Saipem's Middle Eastern servers have sustained a cyberattack. Developing; details remain sparse (Bloomberg).
Cisco Talos finds the secure instant messaging apps WhatsApp, Signal, and Telegram vulnerable to side-channel attacks that could expose messages to an attacker. Data may be secure in transit, but while it is being processed or stored on a user's device, not so much.
Symantec notes the persistence of the Seedworm espionage group in the oil and gas sector.
Supermicro says a third-party audit of its hardware found none of the "Chinese spy-chips" a Bloomberg report said were there (TechCrunch).
French authorities investigate possible Russian influence over ongoing yellow vest unrest (Sydney Morning Herald). RT objects that "covering the news" isn't meddling. A fair point, but investigators are looking into whether fictitious personae are trolling #giletsjaunes in social media.
Huawei CFO Meng's bail hearing continues (CNN). She's proposed electronic monitoring as an alternative to custody, and has offered to arrange security. The proffered oversight by her husband and private security seems unlikely to convince the Supreme Court of British Columbia (Quartz). It's worth noting that Ms Meng is wanted by the US for alleged sanctions violations, not, as one might think from much coverage, on espionage or IP theft charges (CNBC).
CEO Sundar Pichai makes his appearance before the House Judiciary Committee today to discuss Google's "data collection, use, and filtering practices." His prepared remarks emphasize the company's American family romance. He may be asked about yesterday's disclosure of a Google+ breach: an API exposed 52 million users' data (SecurityWeek).
Today's issue includes events affecting Afghanistan, Armenia, Australia, Brazil, Canada, China, France, Germany, Iraq, Jordan, Netherlands, Pakistan, Russia, Saudi Arabia, Turkey, United Arab Emirates, United Kingdom, United States.
How Are You Responding to Threats? Find Out Now in the SANS 2018 Incident Response Survey
What new and continuing threats were uncovered in investigations and how are organizations dealing with those threats? In this SANS 2018 Incident Response Survey, learn how IR teams are coping with organizational structures, resources and IR implementation in an ever-changing threat environment. Find out how they have structured their incident response functions, what systems they’re conducting investigations on, the threats they’re uncovering and how they're uncovering them. Then apply these findings in your 2019 programs.
And the latest Recorded Future podcast, produced in cooperation with the CyberWire, is also up. This episode, "Bringing Collaboration to Real-Time Data Feeds," features King & Union's Aaron Gee-Clough discussing the benefits and challenges of bringing actionable threat intelligence to small and mid-sized organizations.
DreamPort Event: The Red Hat OpenShift Container Platform Bootcamp (Columbia, Maryland, United States, January 3, 2019) DreamPort, in conjunction with the Maryland Innovation & Security Institute and USCYBERCOM, is hosting the Red Hat OpenShift Container Platform Bootcamp. This is all about containers, DevOps, and Agile development. Attendees will learn, hands on, how to create, develop, use, deploy, and access containers as DevOps and Agile development tools.
Rapid Prototyping Event: The Wolf in Sheep's Clothing (Columbia, Maryland, United States, January 29 - 31, 2019) DreamPort, in conjunction with the Maryland Innovation & Security Institute and USCYBERCOM, is hosting a Rapid Prototyping Event aimed at identifying user activity monitoring (UAM) solutions that employ advanced real-time analysis of multiple data sources to detect unauthorized activities.
New Exploit Kit "Novidade" Found Targeting Home and SOHO Routers (TrendLabs Security Intelligence Blog) We identified a new exploit kit we named Novidade that targets home or small office routers by changing their Domain Name System (DNS) settings via cross-site request forgery (CSRF), enabling attacks on a victim's mobile device or desktop through web applications they're authenticated to. Once the DNS setting is changed to that of a malicious server, the attacker can execute a pharming attack, redirecting traffic for the targeted websites from all devices connected to the same router.
Large Ursnif campaign hitting UK using Brexit as lure (My Online Security) We are seeing a fairly large Ursnif/Gozi/ISFB campaign hitting the UK since yesterday. The criminals are using the theme of Brexit, which is very topical in the UK (and the rest of Europe) at the moment.
Were pilots of doomed Lion Air flight baffled by safety system? (South China Morning Post) Causes of the October 29 crash, which killed 189 people, are still being investigated by teams from Indonesia, Boeing and the US National Transportation Safety Board. Boeing has been well known in the aviation world for a design philosophy that gives pilots significant authority over the aircraft's flight controls.
How Internet Savvy are Your Leaders? (KrebsOnSecurity) Back in April 2015, I tweeted about receiving a letter via snail mail suggesting the search engine rankings for a domain registered in my name would suffer if I didn't pay a bill for some kind of dubious-looking service I'd never heard of.
Delete All Your Apps (Motherboard) It's not just Facebook: Android and iOS's app stores have incentivized an app economy where free apps make money by selling your personal data and location history to advertisers.
Security Predictions for the New Year and Beyond (DigiCert) These security predictions are based on industry standards initiatives, represented by organizations involved in the industry, thought leaders, and other stakeholders in the security market. While it is fairly safe to predict that some security areas will see improvement in the coming year, others will become more problematic. It is these areas of continuing …
Online shoppers more vulnerable to spam as the holidays inch closer (Global Security Mag Online) New research from cyber security provider F-Secure points to spam as an attack vector to watch out for this holiday season. Spam campaigns disguised as delivery notifications or online shopping invoices have been popular with cyber criminals all year long, and researchers say these tactics can prove even more effective around the holidays.
The Manipulation of the Human Factor: Email Security Explored (Tech Wire Asia) The mission of cybercriminals has largely remained the same - exploit vulnerabilities within an organisation for financial gain - but their methods continue to evolve to maximise their gains. Rather than targeting a business' network or its endpoints in hopes of identifying a weakness, cybercriminals are capitalising
NSA/CSS Honors Leaders in Cryptology (Meritalk) The National Security Agency and Central Security Service inducted five new individuals into the NSA/CSS Hall of Honor on Nov. 28, according to a Dec. 7 NSA/CSS press release.
The Guidelines on Cyber Security Onboard Ships (BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF and World Shipping Council) Ships are increasingly using systems that rely on digitisation, digitalisation, integration, and automation, which call for cyber risk management on board.
The blockchain…not as secure as you think (Rambus) With fraud, breaches and threats reaching pandemic proportions across the entire digital ecosystem, the blockchain is hyped as an instant fix to resolve security challenges for use-cases spanning financial services, retail, real estate, healthcare and insurance. The potential is powerful, but the blockchain needs help to be truly secure. Given the high-value and safety-critical nature …
DHS S&T Awards $1.14M for New Cyber Data Privacy Tools (American Security Today) Cyber-threats are rapidly shifting and privacy-related breaches are increasing in frequency and impact. To address these concerns, the Department of Homeland Security (DHS) Science and Technology Directorate (S&T), a multiple Platinum Honoree in the 2018 'ASTORS' Awards Program, has awarded a total of $1,149,900 to the Regents of the University of Colorado, and Galois, Inc., to develop new research …
Legislation, Policy, and Regulation
US tech giants decry Australia's 'deeply flawed' new anti-encryption law (TechCrunch) A group of U.S. tech giants, including Apple, Google and Microsoft, have collectively denounced the new so-called "anti-encryption" law passed by the Australian parliament last week. The bill was passed less than a day after the ruling coalition government secured the votes from opposit…
Facebook is polarising our politics (Times) You leave the house angry after an argument. Also you hardly slept because of your bastard noisy neighbours. In the car your boss calls, because he's a bastard too, and he wants you at your desk...
Germany Is Soft on Chinese Spying (Foreign Policy) Huawei has deep ties to the Chinese government. Berlin might let it build the country's next generation of communications infrastructure anyway.
Defining 'harm' emerges as major to-do in drafting national data privacy legislation (Inside Cybersecurity) Clarifying a definition of "harm" has emerged as a critical element for policymakers working on drafting federal privacy and data security legislation, which could include granting the Federal Trade Commission greater enforcement authority, as lawmakers seek to balance privacy interests with industry innovation.
California imposes new regulations on 'internet of things' devices (ABA Journal) As people shop for loved ones this holiday season, internet-enabled gadgets are often at the top of the list. These gifts may be an automated vacuum cleaner, a doorbell with a camera or a Furbacca, a toy that combines Furby and Chewbacca and interacts with a smart device. These contraptions, collectively referred to as the "internet of things", are ubiquitous. However, they often have weak security features, which can open up vulnerabilities in people's homes and make a gift's recipient an unwitting participant in a hacker's attack.
NYC City Council Member Proposes Dedicated Cyber Agency (GovTech) The Office of Cyber Command would be tasked with setting cybersecurity policy and practices for New York City agencies, providing security guidance, and directing response to any cyberattacks or other digital threats.
Supermicro says investigation firm found no spy chips (TechCrunch) Supermicro has sent a letter to its customers saying that it has found no evidence of malicious chips on its motherboards. The company asked third-party firm Nardello & Co to audit Supermicro's hardware. On October 4, a Bloomberg report claimed that China's spies managed to conceal tiny mali…
Huawei CFO Case Hinges on an Offshore Puzzle (Wall Street Journal) Meng Wanzhou's lawyer said Huawei cut ties to Skycom, which is shrouded in mystery in part because of its opaque ownership and its dealings with Iran, in 2009. The U.S. says it didn't.
Equifax Breach Was Just as Dumb as You Thought, House Report Finds (Gizmodo) House Republicans spent 14 months investigating the 2017 Equifax breach only to reach the same conclusions that virtually everyone else with a brain did in the immediate aftermath of the company's disclosure. The breach was "entirely preventable," lawmakers found, and the credit reporting agency's shit management did absolutely nothing to shield consumers from this mess.
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
2018 Cloud Security Alliance Congress (Orlando, Florida, USA, December 10 - 12, 2018) Today, cloud represents the central IT system by which organizations will transform themselves over the coming years. As cloud represents the future of an agile enterprise, new technology trends, such...
Wall Street Journal Pro CyberSecurity Executive Forum (New York, New York, USA, December 11, 2018) The WSJ Pro Cybersecurity Executive Forum will bring together senior figures from industry and government to discuss how senior executives can best prepare for hacking threats, manage breaches, and work...
National Cyber League Fall Season (Chevy Chase, Maryland, USA, December 15, 2018) The NCL is a defensive and offensive puzzle-based, capture-the-flag style cybersecurity competition. Its virtual training ground helps high school and college students prepare and test themselves against...
SINET Global Institute CISO Series (Scottsdale, Arizona, USA, January 15 - 16, 2019) By invitation only. These intimate CISO workshops address the challenges that Boards of Directors are placing on security and risk executives, and how to successfully manage and communicate today's enterprise...
CPX Asia 360 2019 (Bangkok, Thailand, January 21 - 23, 2019) CPX 360, the industry's premier cyber security summit and expo, brings together the world's leading cyber security experts in one venue. Gain a deep understanding of current challenges cyber security...
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.