skip navigation

More signal. Less noise.

F.A.K.E. Security Unveiled: Who was behind RSA 2018’s mystery booth?

Every year vendors showcase their products at the RSA Conference to collect sales leads.  Why did one booth have no vendor name and scan no badges? Hear the story behind the booth at RSA that pitched imaginary products from a #FakeSecurity company. 

The Week that Was.

Thrip attaches itself to satellite communications.

Symantec reported an extensive Chinese cyberespionage campaign targeting US satellite operators, telecommunications companies, and defense contractors. The campaign's goal is interception of military and civilian communications (Symantec). As trade tensions between the US and China have risen, so has Chinese espionage against American targets (WIRED).

Finding answers to lack of intrusion detection coverage on Linux.

The risks posed by compromised Linux hosts are of urgent concern for organizations all over the word because of sparse monitoring and lack of solutions that make intrusion detection simple and cost effective. New Zealand startup Sandfly allows you detect Linux intrusions, malware and rootkits on your systems all without loading agents. And their solution works with no modifications or software to load on your endpoints. Automate security and forensic investigation of your Linux architecture in seconds. Watch a demo and learn more today.

Mobile apps leak data from unsecured Firebase instances.

Developers' failure to secure Google Firebase apps has resulted in more than three-thousand leaky apps. Appthority says more than one-hundred-million records have been exposed by inattentive development (Appthority).

CyberSecJobs knows employers looking for your cyber expertise. offers opportunities for ethical hackers, intrusion analysts, malware analysts, crypto architects and more to defend critical infrastructure. These jobs are available at various locations across the United States. For more information, visit, and explore your future.

Mylobot: "never-before-seen" (until now).

Deep Instinct describes Mylobot, a new and sophisticated botnet currently active in the wild (Deep Instinct). Among its features are methods of evading sandboxes and debuggers, and of reflective execution of EXE files directly from memory. It's also patient, remaining quiescent for two weeks after installation before it makes its calls to the command-and-control servers, and it removes competing malware from systems it infects. Mylobot can establish complete control over victim devices, delivering whatever payloads its unknown masters may wish to install (ZDNet). 

When your browser's in the cloud, what's in the browser stays in the browser.

Most threats arrive through the browser. So why would you use a browser on your device? Authentic8's Silo keeps your systems clean because they never touch the Web. You're disconnected, but you can see and do whatever you need to do on the Web. With Silo, everything is on Authentic8's servers, and everything executes remotely. Each session is built fresh and destroyed at the end. It's also anonymous and encrypted. Contact Authentic8 for a trial.

Zacinlo rootkit adware masquerades as a VPN.

According to Bitdefender, the Zacinlo rootkit is out in renewed form, this time concealed within a malicious VPN product, S5Mark. It affects Windows 10 machines (PC World).

Obtain full visibility into your security team with Cybrary.

It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!

Olympic Destroyer may be on its way back.

Olympic Destroyer, the threat group responsible for disruptions during this past winter's PyeongChang Olympic games, is apparently back (Ars Technica). Kaspersky Lab is tracking activity directed against organizations associated with chemical and biological weapons control: targets in Germany, France, Switzerland, Russia, and Ukraine are said to have been spearphished. The evidence for Olympic Destroyer's involvement lies principally in the obfuscation and spearphishing macros recent probes employed. Kaspersky as usual offers no attribution, but US officials concluded in February that Olympic Destroyer was a Russian operation cloaked by false flags. Russia has objected to investigations linking it to chemical attacks in Salisbury and Syria; this resentment is thought to provide a motive (WIRED).

US Cyber Command receives authority for offensive operations.

US Cyber Command has been given (and is said to have used) authority to take the offensive. Actions against ISIS provide the model (Computing). Cyber Command characterizes its doctrine as one of "defending forward" (Public Technology). Industry is relieved that marque and reprisal are off the table (FedScoop).

Congress receives written testimony from Facebook. 

On the matter of Facebook and Cambridge Analytica. Which Facebook delivers in almost five-hundred pages, as if it's a EULA or something (Ars Technica).

Apparently a lawyer at Cambridge University foresaw the Cambridge Analytica scandal in 2014, warning the university of questionable practices of data collection and retention on the part of psychology researchers (WIRED). His warning was largely, and (as far as that goes) correctly, concerned with reputational risk, but what were the prevailing standards and practices of human subject research review at Cambridge while this was going on?

EU copyright policy advances.

The European Parliament passed a new copyright regulation out of committee. Critics say it will turn the Internet into a surveillance and control tool (Guardian). 

Crime and punishment.

The US Justice Department announced that Joshua Adam Schulte has been charged with "unauthorized disclosure of classified information and other offenses relating to the theft of classified material" from the CIA (US Department of Justice). This case has long been under preparation. Although Schulte was arrested in New York last August on child pornography charges, the FBI and Department of Justice have been preparing a case against him in the matter of WikiLeaks' Vault 7, a public dump of alleged CIA documents. Schulte is alleged to be a source of Vault 7's contents. The Government believes Schulte's alleged theft of classified information occurred in 2016; WikiLeaks dumped Vault 7 online in 2017 (Washington Post). WikiLeaks has published what it claims are sections of Mr. Schulte's diary (Motherboard).

NSA alumna Reality Winner will plead guilty to charges involving delivery of classified material to the Intercept (Atlanta Journal-Constitution).

A former Israeli Energy Minister, Gonen Segev, has been arrested on suspicion of spying for Iran. Segev has been in-and-out of trouble since leaving politics in the mid-1990s (Asia Times).

Europol arrested five alleged members of the Rex Mundi cybercrime gang (Infosecurity Magazine).

French authorities took down the Black Hand dark web market (HackRead).

Alleged Silk Road collaborator "Variety Jones" was extradited to the US (Ars Technica).

Argenys Rodriguez of Massachusetts pleaded guilty to ATM jackpotting.  He faces a maximum of thirty years (SecurityWeek).

Karvia Cross of Bowie, Maryland, pleaded guilty to using data stolen from the Office of Personnel Management to get fraudulent personal and vehicle loans from the Langley Federal Credit Union (US Department of Justice). The case lends momentum to proposed identity theft protection legislation (Washington Post).

The Bitcoin Baron of Apache Junction, Arizona, has received a sentence of twenty months. Randall Charles Tucker, 23 (the "Internet's most inept criminal," as Naked Security calls him) was convicted of organizing a distributed denial-of-service attack against the city of Madison, Wisconsin. His motives remain unclear, possibly because those motives lack clarity, but the best bet is that he saw himself as an idealistic hactivist in the Anonymous mold (Infosecurity Magazine). His claims of idealism have prompted either skepticism or a so-much-the-worse-for-idealism reaction among observers.

A guy who was unclear on the concepts "domain hijacking" and "brute force" will have an opportunity for twenty years of reflection thereon courtesy of Iowa's correctional system. Sherman Hopkins Jr., 43, was sentenced last week for interference and attempted interference with commerce by force or violence. He tried in 2017 to induce another man to transfer ownership of the domain "doitforstate" by holding him at gunpoint, pistol-whipping the victim and shooting him in the leg during the ensuing scuffle. The incident ended badly for Mr. Hopkins when the victim wrestled away Mr. Hopkins' piece and shot him four times in the chest. Mr. Hopkins has recovered, but why he wanted doitforstate so badly—the domain is based on an Iowa State University meme—remains unclear (Motherboard).

According to the US District Court for the District of Kansas, a machine translation that's "literal but nonsensical" doesn't count as consent for search (TechCrunch).

The Supreme Court of the US ruled that police will usually need a warrant to obtain cell-phone location data (Wall Street Journal).

Courts and torts.

Tesla Motors is suing a former employee for a million dollars, alleging he hacked them for trade secrets he subsequently gave competitors. After some preliminary email-rumbling from CEO Elon Musk, the company filed suit Wednesday in a Nevada court against Martin Tripp. Tesla alleges Tripp "admitted to writing software that hacked Tesla’s manufacturing operating system and to transferring several gigabytes of Tesla data to outside entities." Tesla says the motive was resentment over failure to be promoted (Wall Street Journal). 

Tripp denies hacking or tampering with any internal systems. He says he was a whistleblower alarmed by "some really scary things" he saw at Tesla, including a high rate of raw-material waste and installation of dangerous punctured batteries in some cars. The raw-material waste story found its way into Business Insider earlier this month; Tripp acknowledged he was the source (Washington Post). TechCrunch thinks the whole affair resembles a telenovela.

A Canadian court found in favor of a young man who said his sometime girlfriend accessed his email to decline a scholarship offer on his behalf, subsequently deleting the emails (Montreal Gazette). She feared losing him if he left McGill University to continue music studies as a Los Angeles conservatory (CSO).

The Delta Sigma Phi house at the University of Central Florida is being sued by a woman who alleges the brothers published revenge porn featuring her. The national fraternity has suspended the UCF chapter pending completion of an investigation (Ars Technica).

Fortunes of commerce.

In a bipartisan vote, the US Senate revoked the Administration's lifeline to ZTE (Quartz). The company's stock fell sharply on the news (ABC News).

Huawei faces similar unfriendly scrutiny in Australia. The company says security concerns about its products are "ill-informed and not based on facts," but press reports suggest Australian authorities were warned against Huawei by the UK's National Cyber Security Centre (Lightwave). And in the US it has come to Congressional attention that Google, which has declined on what it would characterize as principled grounds to work with the US Department of Defense, is willing to cooperate closely with Huawei. Some members of Congress would like Google to reconsider its relationship with Huawei (South China Morning Post),

Kaspersky has suspended all of its European projects in response to the EU's ban of the company's products on security grounds (CRN).

Four companies will cooperate to build the US Army's Persistent Cyber Training Environment. ManTech, Simspace, Metova and Circadence will perform the work (Fifth Domain). And Army Cyber Command has awarded Applied Insight and DV United a $6.5 million contract to manage its User Activity Monitoring Program (FedScoop).

Mergers and acquisitions.

F-Secure announced on Monday that they'd acquired privately-held threat-hunting shop MWR InfoSecurity for more than $160 million. MWR's four-hundred employees operate from offices in the UK, the US, South Africa, and Singapore (TechCrunch), which will provide increased presence in four continents. Finland-based F-Secure sees the acquisition as bringing the company important new capabilities (Help Net Security).

In a move with tangential relevance to security, Cisco announced its intent to acquire cloud-based location services shop July Systems (CRN).

Twitter has acquired Smyte, a company that specializes in anti-abuse technology (TechCrunch).

PayPal is buying AI-based anti-fraud shop Simility for $120 million (TechCrunch).

Venture investments.

CrowdStrike, specialists in endpoint protection and threat intelligence, has reached triple-unicorn status with a $3 billion valuation. The company secured a $200 million Series E financing round this week, led by General Atlantic, Accel and IVP, with participation by existing investors March Capital and CapitalG (BusinessWire). CrowdStrike is rumored to be considering an IPO (TechCrunch).

Cylance, another unicorn leader in endpoint protection and artificially intelligent malware protection, also announced a significant funding round this week: $120 million led by Blackstone Tactical Opportunities (Courier Express). Earlier this year Cylance hit the $100 million revenue mark (Wall Street Journal). Cylance and CrowdStrike are commonly bracketed together as close competitors (Reuters).

Inky Technology Corporation, the Maryland-based anti-phishing technology shop, has raised $5.6 million in a Series A round. The investment was led by ClearSky Security with participation by Gula Tech Adventures and Blackstone. Inky Phish Fence applies computer vision and anomaly detection algorithms to identify and block brand-forgery emails and spearphishing. The company intends to hire about a dozen new employees to help its growth (Inky).

Network Intelligence, based in Bengaluru, has raised $4.8 million from Helix Investments (SecurityWeek).

Start-up Truepic, whose technology is designed to recognize and expose deepfakes—images convincingly manipulated to communicate falsehoods—has closed an $8 million Series A round. It's also deploying its technology to Reddit (TechCrunch).

Agari, which specializes in applying artificial intelligence against phishing and deception, has announced a $40 million Series E round led by Goldman Sachs (Fortune).

UK-based cyber hygiene specialist Panaseer has raised $10 million in a funding round led by Evolution Equity; Panaseer intends to expand operations in North America (PRNewswire).

Israel-based Intsights Cyber has raised $17 million in a Series C round led by Tola Capital. The company's intention is to use the investment for global expansion and increased reconnaissance capability (SecurityWeek).

And industry innovation.

HP, Inc. T-Mobile, and Microsoft have joined the Center for Long-Term Cybersecurity (CLTC) at the University of California, Berkeley (CLTC), joining current members Qualcomm and Kaiser Permanente. CLTC partners gain access to Berkeley faculty and students to tackle cybersecurity problems of interest to the partners.

Last week's announcement of a cybersecurity innovation center—the CyberPoint-led DreamPort, which will operate on behalf of US Cyber Command ( Baltimore)—was this week joined by a second center, this one operated by Booz Allen.

Booz Allen Hamilton's new Central Maryland Innovation Hub opened this Tuesday (BusinessWire). We were able to attend the opening of its new Annapolis Junction facility this past Monday. After welcoming remarks from Booz Allen Hamilton's Jim Allen and Representative "Dutch" Ruppersberger (Democrat, Maryland 2nd District), we heard a panel discussion by Booz Allen's Greg Starkey, Rachel Allen, and Drew Farris, joined by Bartley Richardson of Booz Allen's partner NVIDIA. The two companies are working closely together on machine intelligence, which, the panel explained, was not the same thing as artificial intelligence. Machine intelligence is narrower, specific to particular tasks. It automates insights from data science, and augments human intelligence by automating rote tasks that lend themselves to such treatment. (Artificial intelligence, by contrast, tends toward anthropomorphism. The panel didn't quite say so, but it was clear that they wished to avoid the clouds of speculative fiction that tend to wrap themselves around discussions of AI.) NVIDIA's Richardson explained that the use cases for machine intelligence are "about how we can triage and manage data and alerts, dealing with the heterogeneity of the data."

A tour of the facility with Booz Allen Hamilton's Allen included a look at a bullpen full of undergraduate interns, working under experienced but still young Booz Allen associates. Allen explained that their vision for the Innovation Hub was to provide a place for their people to work on ideas of their own with a high degree of freedom. Their work, he said, was intended to be use-inspired but not requirements-driven, with ideas coming up from the associates' (and interns') creative intelligence, not pushed down from above. The work is intended to have real application, but the intention is that it should afford more scope for creativity that a customary statement of work.

And on Wednesday Accenture opened a new Cyber Fusion Center in the Rosslyn neighborhood of Arlington, Virginia, just across the Potomac from Washington, DC. It will provide a state-of-the-art space for collaboration with clients and university interns (BusinessWire). It's the fourth such center Accenture has opened, joining earlier facilities in Manila, Prague and Tel Aviv. It will also bring a thousand jobs to the DC area (Accenture). 

Zilliqa, the Singapore-based blockchain technology company, has announced a $5 million developer grant to help attract and accelerate the development of apps on their open-source platform (BusinessWire).

Finally, the World Economic Forum has released its Technology Pioneers Cohort for 2018. It consists of sixty-one early-stage companies that "bring cutting-edge insights and novel perspectives to world-critical discussions." Nine of the companies are in cybersecurity or digital identity: Aqua Security (Israel) "automated full-stack security for platforms and clouds;" Armis (USA) "agentless internet of things (IoT) security platform for enterprises;" Cohesity (USA) "platform for hyperconverged secondary storage solutions;" CUJO AI (USA) "software and firmware solutions for gateway and cloud infrastructure;" EVRYTHNG (UK) "digital identity and data management for consumer products;" Horizon State (Australia) "decentralized engagement and decision-making platform;" Juvo (USA) "mobile identity scoring for financial and digital access;" QuintessenceLabs (Australia) "quantum-based cybersecurity solutions;" and XM Cyber (Israel) "cybersecurity platform to identify all attack vectors." Congratulations to them all.


Today's issue includes events affecting Australia, Canada, China, European Union, France, Democratic Peoples Republic of Korea, Russia, Singapore, United Kingdom, United States.

Our Research Saturday podcast is up. This week we talk with Check Point researchers about vulnerabilities recently discovered in some LG smartphone keyboards. The bugs could have been used to remotely execute code with elevated privileges, act as a keylogger, and thereby compromise the users’ privacy and authentication details.

And, in case you missed it, Hacking Humans is up, too. This week we discuss the Ben Franklin effect, how job applicants find themselves tricked into money laundering, and a listener's tale of being fooled by an appeal to greed. Our guest is Stacey Cameron from DirectDefense who discusses her physical penetration testing work.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.