
How are companies actually using machine learning for threat intelligence?

Artificial intelligence, and in particular machine learning, has seen huge strides in recent years and is now impacting all aspects of society and business. Learn the four ways machine learning is powering smarter threat intelligence with Recorded Future's latest white paper. Download your copy now.

The Week that Was.

Turla returns with a quiet man-in-the-middle campaign.

According to research published by ESET this week, Russian cyber-espionage threat group Turla is back, upgraded with a sophisticated man-in-the-middle campaign (We Live Security).

What did you learn from the 2017 cybersecurity landscape?

2017 was filled with cybersecurity meltdowns. With threats on the rise, is your organization’s security posture ready for 2018? Join LookingGlass VP of Customer Support, James Carnall and VP of Intelligence Operations, Eric Olson for a 2017 cybersecurity in review webinar on Jan. 17 @ 2PM ET so you can better prepare for 2018. Sign up now!

Spectre and Meltdown updates.

Vendors address chip-level vulnerabilities surrounding speculative execution (Malwarebytes). Some patches had a rocky rollout, but remediation proceeds apace (Help Net Security). Although ARM and AMD processors have been shown to suffer from Spectre too, Intel has borne the brunt of criticism (SIGNAL). It's become clearer how patches will affect device performance (Ars Technica).

Thursday AMD announced that its chips were more affected than it had earlier believed (CRN). White House cybersecurity coordinator Rob Joyce said this week NSA had been unaware of Spectre and Meltdown (Tom's Guide).

Cyber Job Fair, January 23, San Antonio visit ClearedJobs.Net for details.

Cleared and non-cleared cybersecurity pros make your next career move at the Cyber Job Fair, January 23 in San Antonio. Meet leading cyber employers including Engility, IPSecure, Mission Essential and more. Visit ClearedJobs.Net for info.

Aadhaar troubles.

India's government denied at the end of last week that the Aadhaar national identity database had been breached, but it seems the breach of a billion individuals' records did indeed occur, probably through abuse of admin accounts (Naked Security). The government has revoked some 5000 officials' access to the database (Computing). Many regard Aadhaar as a cautionary tale of the risks involved in systematically collecting personal information in a single database, all the digital eggs in one large online basket (Times of India). Some observers of Aadhaar think secure identity systems may be inherently dual-use, as adaptable to surveillance as is anti-virus software (Daily O).

The journalist who reported finding Indian citizens' personal information for sale in the dark web has received police attention. The Unique Identification Authority of India (UIDAI), the organization responsible for Aadhaar, said it filed a First Information Report (FIR) as required by law, but that it was up to police to decide what action to take. The FIR was initiated by the reporter's interaction with the offer of stolen data (Hindu).

Implement these seven cybersecurity best practices for 2018.

Is your organization prepared for the threat landscape of 2018? In this article, ObserveIT takes a look at seven cybersecurity best practices—ranging from preparing for GDPR to testing backup systems to leveling up user training—that will better prepare you for everything from spearphishing to insider threats. Rather than dwell on the past, take stock of where your organization stands today and put these best practices in place, and you’ll be well-prepared for the coming year.

Lessons from a Department of Homeland Security breach.

Observers mull the significance of a 2014 breach of employee records at the US Department of Homeland Security (DHS). A secure database from the Department's Office of Inspector General (OIG) Case Management System was found in the possession of a former OIG employee. Data pertained to 247,167 employees. It also included information on subjects, witnesses, and complainants from investigations conducted between 2002 and 2014. DHS disclosed the breach on January 2nd, characterizing it as a privacy issue and saying it had notified affected individuals that such information as date of birth, position, grade, duty station, and social security account number had been compromised (Department of Homeland Security).

The incident is under criminal investigation. Three individuals are suspected of being interested in the case management software, not the data; they may have intended to modify the software and sell it back to other agencies (Federal News Radio). Some observers think it significant that DHS called the breach a privacy and not a security incident. They hope quibbling over disclosure requirements won't impede building trustworthy systems (The Hill).

Shake your MoneyTaker with Research Saturday.

On this week’s episode of Research Saturday, we talk about MoneyTaker, the hacking group that has been attacking banks in the US & Russia. This group of Russian-speaking hackers has stolen nearly $10 million from banks around the world, and joining us to talk about it are Nicholas Palmer and Dmitry Volkov of Group-IB.

Standards for botnet-fighting.

From the US Departments of Commerce and Homeland Security comes a draft report on "Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats" (NIST). Comments are open through February 12th; reaction has been generally positive (Search Security).

Alt-coin bubble continues to inflate.

Russia and Venezuela plan to introduce their own versions of a blockchain-based cryptocurrency. How these will function in practice remains to be seen, as their central banks may simply be putting distributed ledger lipstick on fiat money (NPR).

Businesses continue to attract irrational exuberance when they associate themselves with blockchain technology. Post-bankruptcy, post-film Kodak said this week it was introducing KODAKcoin, and its share price jumped 125% (CNN Money). Line, the chat app, is said to be considering introducing its own cryptocurrency (TechCrunch). One company whose share price exploded after announcing a blockchain rebranding, the Long Island Iced Tea Company, is now reconsidering whether it will actually pivot into cryptocurrency (Ars Technica).

Not everyone is enamored of cryptocurrency. Stodgy Redmond, for one, has removed Bitcoin from the payment options in the Microsoft store. Microsoft had been an early adopter, but the company appears to have concluded that Bitcoin's volatility and associated risks are more than it cares to deal with (Cointelegraph). Cryptocurrency volatility (not Bitcoin's) may be seen, according to Motherboard's "ad hoc study," in John McAfee's apparent ability to move the markets for niche altcoins with just a single tweet.

So a kind of speculative madness continues to surround anything with a claim to being anchored with a blockchain. The cryptocurrency Dogecoin, for example, was half-to-two-thirds intended as a kind of goof that would be fun to fool around with for awhile, but which would run its course and quietly expire. It hasn't been actively developed in about a year. Nonetheless last weekend Dogecoin reached a temporary market cap of $2 billion before a correction sent it back to $1.7 billion (Ars Technica). As they say in Doge, "So fun! Much coin! Very risk! Amaze!"

If you're still determined to dabble in altcoin, Northrop Grumman has advice on how to keep your holdings safer. Such encrypt! Much hardware! Many caution! Wow!

Mine your own business.

Oh, and there are still coin miners gurgling around in public Wi-Fi: witness CoffeeMiner (Naked Security). CoffeeMiner isn't alone, of course: the SANS Institute has a rundown on some mining code that seems especially popular in China (Internet Storm Center), and Monero miners afflict unpatched Oracle WebLogic servers (Computing). SANS and Morphus say the hackers who installed the Monero miners made $226 thousand (Bleeping Computer).

Microsoft renews calls for a cyber Geneva Convention.

Microsoft President Brad Smith uses his conviction ("enormous self-belief") that North Korea was responsible for WannaCry to renew Redmond's calls that nations assemble to adopt a "digital Geneva Convention" (Prosyscom).

US Cyber Command gets a second deputy commander.

US Cyber Command will receive a second deputy commander (a three-star general or flag officer) as the newly independent command undergoes a quiet reorganization (Fifth Domain).

Information operations, content moderation, and censorship.

US Senate Democrats report burgeoning Russian influence ops in Europe (Federal Times). Russia calls their conclusions "unfounded" (Federal Times), but there may have been a Fancy Bear sighting around the US Senate (Washington Times).

Iranian repression has prompted increased interest in firewall circumvention app Psiphon, which dissenters use to evade the regime's Internet crackdown (Motherboard). Iran has also devoted considerable resources domestically not only to online messaging, but also to electronic surveillance and computer network attack. The latter two, coupled with widespread blocking and censorship, have undermined the government's messaging: citizens mistrust information received from official channels (Motherboard) as elites look increasingly fragile (Foreign Policy).

ISIS, effectively crushed in Syria and Iraq, is attempting to reconstitute itself in Pakistan (Voice of America). It's premature to assess how successful it's likely to be, but the US has put Pakistan on warning that it doesn't intend to turn a blind eye to any official collusion with ISIS (Foreign Affairs). International affairs experts haven't ruled out a resurgence of the group, however down it now appears to be (Foreign Affairs). Somalia announced a new information operations center designed to counter propaganda from the regional Islamist militant group al-Shabab (Voice of America).

Terrorist groups in general and ISIS in particular have shown little ability to successfully hack, but they have enjoyed dismaying success in online recruiting and inspiration. This has led many to call for an attempt to defeat ISIS and others like it in cyberspace with a combination of kiss and kill: counter-messaging to win hearts and minds, and intelligence collection to serve kinetic targeting (Los Angeles Times).

Others, and not only authoritarian states like Iran, also look to simple blocking as a tool of information operations. Authorities in Europe especially seem disinclined to let social media platforms and Internet service providers off the hook as far as permitting extremist content is concerned. The companies will be increasingly held to legal account for allowing such content to be carried by their services, and pleas of content neutrality are likely to fall on deaf ears (TechCrunch). The European Court of Justice will decide how accountable tech companies will be for "hate speech" and extremist communication their services carry (TechCrunch). Last month's decision by the US Court of Appeals for the Federal Circuit, in which the panel found against the Government that a trademark application containing "immoral and scandalous" elements (including "extreme nihilism" and "anti-social imagery") couldn't be denied on those grounds, may suggest how much daylight there is between European and American notions of permissible expression (In re: Brunetti).

But moderating content isn't easy.

Information operations are no novelty (Times), and concerns over how, what, and who communicates aren't new, either (Idle Words, Foreign Policy).

Various technical approaches to content moderation have been tried, but all have been found wanting. An automated tool designed to recognize extremist memes—it's called "NEMESIS"—received some positive attention this week, but seems to offer recognition of known memes at best, not recognition that some new content falls into the class "extremist content." Thus it can tell you that the odd white supremacist symbol (or badge? image? dog-whistle? hijacked cartoon? tough to say...) Pepe the Frog appeared in a post, but it wouldn't have spotted Pepe as trouble before he was a well-recognized meme. How it would handle such items within contexts that might be innocent (like, for instance, our mention of Pepe in this discussion you're reading) is also unclear. Still, you'll be able to find Pepe and similar images if you know what you're looking for (Naked Security). 

Thus policing content seems for the foreseeable future to require a large investment in human curation, and that too is problematic. Google's forays into fact-checking have shown mixed and allegedly tendentious results (Daily Caller). Twitter has faced its own difficulties. It blocked, for example, a photo of an icicle on some guy's window (Motherboard). Now that we know the picture was flagged as inappropriate, we can kind of get why, maybe, but we would've missed it completely had not Twitter's 21st century Hays Office told us that something just wasn't right. On the other hand, sometimes an icicle is just an icicle.

Cryptowars flare, again.

FBI Director Wray echoed his predecessor's reservations about encryption, calling encryption strong enough to be unbreakable by law enforcement "an urgent public safety issue" (Lawfare). He said, at the International Conference on Cyber Security in New York Tuesday, that the Bureau supported strong encryption, but that such encryption must be designed in such a way as to not interfere with properly conducted law enforcement investigations (HackRead). 

The Bureau has had difficulty with encrypted devices seized during investigations, and iPhones are apparently a particular burr under their saddle. Speaking at the same conference the Director addressed, FBI forensic expert Stephen Flatley woofed at Apple for making the G-Men's job harder: they are, he said, "jerks" and "evil geniuses."

Section 702 renewal update.

The US House of Representatives voted Thursday to renew Section 702 of the FISA Amendments Act of 2008 (Motherboard). The Senate will now consider its own version of reauthorization; if it passes, the two bills will be reconciled in conference. Critics argue that Section 702 represents a threat to domestic civil liberties, specifically in the form of warrantless surveillance (Intercept). The US Intelligence Community has long argued that Section 702 is indispensable to foreign intelligence collection (the CyberWire).

Industry notes.

AT&T had been close to an agreement to sell Huawei phones in the US, but that deal has been called off (New York Times). Sources cite Congressional concerns about alleged Huawei involvement in Chinese espionage (consistently denied by Huawei) as the deciding factor in the cancellation (Ars Technica). Huawei isn't happy with American telcos (TechCrunch). Congress at mid-week began serious consideration of a bill that would ban Federal agencies and their contractors from using Huawei and ZTE products (The Hill). 

Russian security companies express concern that Western mistrust of Kaspersky Lab's products will have a chilling effect on their own business (Moscow Times).

Cyxtera on Monday announced its acquisition of Immunity, an "offense-oriented" shop that offers vulnerability research, exploit development, and penetration testing. The deal is expected to close by the end of the present quarter (PR Newswire). NEC has announced acquisition of Northgate Public Services (NPS), a software company with close ties to British police organizations. NPS, which was purchased for £475 million, will continue to do business under its familiar name. The acquisition is seen as NEC's play for a larger share of the international public safety market (CRN). On Tuesday, IT service provider UST Global announced its acquisition of Israel-based startup Bisec for some $5.8 million (CTECH). On Friday FireEye announced its acquisition of big data shop X15 Software for $20 million. X15 is expected to give FireEye more capacity to analyze machine-generated data (CRN).

TD Bank has acquired artificial intelligence shop Layer 6. The bank's interest seems to lie in improving customer service by anticipating needs and recognizing patterns of complaint. Some comments by TD Bank executive Michael Rhodes suggest how financial services are setting the bar for AI: "What we hope to gather from AI is the ability to kind of know and understand our customers, in the same way that store manager knew back in the 1970s" (BNN). Australian IoT shop Connexion announced its acquisition of Security Shift, with a price somewhere around $5 million (CRN). 

Arctic Wolf has received $15 million in funding to further develop its security-operations-center-as-a-service business (BusinessWire). Bugsnag, a software bug detection shop whose tools offer a vulnerability score, secured $9 million in Series B (TechCrunch). Industrial cybersecurity specialist Nozomi on Wednesday announced a $15 million Series B round led by the Invenergy Future Fund.

Investors are taking an interested look at start-up Polyverse's code-scrambling, "controlled crash" approach to security (Barron's).

Not to be confused with Polyverse, PolySwarm is engaged in an initial coin offering as it seeks to establish a decentralized marketplace intended to enable customers to pull together defenses from competing anti-virus solutions developed by various providers (Bankless Times, CoinDesk).

Telegram, the encrypted messaging app company, is entering the cryptocurrency world with an ICO and its own coin (TechCrunch).

Zuul, an industrial Internet-of-things start-up with a particular interest in the transportation sector, has secured its first customer, TEDCO, and $300 thousand in seed money from the MasterPeace LaunchPad and other angel investors (BusinessWire). Alkami has raised $70 million to fund its mobile banking software business (TechCrunch). Threatcare announced $1.4 million in seed funding from Moonshot Capital (ReadITQuik).

Shareholder activism at Akamai is thought unlikely to produce a takeover (Benzinga).

ThreatQuotient reports that 2017 was a very good year, with the company enjoying a fivefold increase in bookings. High-Tech Bridge also shares some good news, in its case recognition by SC Magazine for innovative security solutions. KnowBe4 also reports solid results: a year-over-year sales increase of 225% for the fourth quarter of 2017 (Benzinga).

Computer Business Review names five cybersecurity startups to watch in 2018: Darktrace, ThreatInformer, Illumio, Source Defense, and Attivo.

Today's issue includes events affecting Austria, China, European Union, France, Germany, India, Iran, Iraq, Pakistan, Russia, Somalia, Syria, United Kingdom, United States.

A note to our readers: we'll be observing Martin Luther King Day tomorrow. If you are too, enjoy the holiday, and spare a thought for the work of Dr. King. We'll return to our regular publication schedule on Tuesday.

Our Research Saturday podcast features a long talk with Group IB, who tell us about their investigation of the MoneyTaker banking Trojan that's troubling the Russian-speaking world.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.