Daily briefing.

TASS is authorized to disclose that Russian election observers told the Organisation for Security and Co-operation in Europe they watched two polling places in DC and seven in Maryland but found no irregularities with the US midterms. Thanks, guys, but up your game: nine locations are nothing, don't even cover one Congressional district.

The Internet Research Agency, a.k.a. Fancy Bear’s St. Petersburg troll farm, seems to have conducted an odd ask-me-anything Reddit with itself. The Daily Beast noticed that the IRA used questions the Beast posed to develop an illustrated auto-interrogation suffused with hipster irony.

National Cyber Security Centre deputy director Peter Yapp warned again that Britain hadn’t yet experienced a devastating Category One cyberattack, but that such an attack is likely (Forbes). In the US the Department of Homeland Security and the National Institute of Standards and Technology (NIST) are working with private industry on a wide range of industrial control system and IoT security measures to prevent or mitigate such an attack on their side of the Atlantic (NCCoE, Nextgov).

Symantec has dissected and described the FASTcash Trojan North Korea’s Lazarus Group has been using to loot ATMs.

Microsoft renews its pleas for an international accord that would bring formal norms to cyberspace (Dark Reading).

NSA cyber strategist Joyce describes how China has circumvented an agreement concluded under Presidents Obama and Xi that would have precluded industrial espionage in cyberspace (TheHill).

MIT studies conclude that people fall for fake news because they’re careless and want to believe (WIRED).

Notes.

Today's issue includes events affecting Austria, China, Democratic People's Republic of Korea, Luxembourg, Russia, Saudi Arabia, United Kingdom, United States.

A note to our readers: This coming Monday, November 12th, we will observe the US Veterans Day holiday and not publish. We'll be back as usual on Tuesday. And on Sunday, spare a thought for veterans everywhere, and the service they rendered.

In today's podcast, out later this afternoon, we speak with our partners at the University of Bristol, as Awais Rashid offers thoughts on placing trust in blockchain systems. And we have as our guest Bruce Schneier, discussing his latest book, Click Here to Kill Everybody.

The Pesky Password Problem: Red and Blue Team Battle featuring Kevin Mitnick (Online, November 14, 2018) Kevin Mitnick and Roger Grimes debate one of security's most controversial issues: passwords. Hear the truth regarding effective passwords, password management and more in this unique webinar. Save your spot!

Cyber Security Summit: November 29 in Los Angeles (Los Angeles, California, United States, November 29, 2018) Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The CIA, The City of Los Angeles, Verizon, CenturyLink and more. Register with promo code cyberwire95 for $95 VIP admission (Regular price $350) https://CyberSummitUSA.com

Cyber Attacks, Threats, and Vulnerabilities

Russian OSCE observers find no irregularities in US elections (TASS) "There have been no irregularities at the nine polling stations (two in Washington and seven in the state of Maryland) visited by Russian OSCE PA observers," MP Alexey Korniyenko said

Russian Troll Farm Internet Research Agency Held a Bizarre Reddit AMA With Itself (The Daily Beast) The Mueller-indicted troll farm solicited questions for a tell-all Q&A that never happened. Except that it did. And virtually no one ever saw it.

DNC tech chief: No successful hacks seen during midterms (TheHill) The chief technology officer for the Democratic National Committee (DNC) said Thursday that the group isn't aware of any successful hacks during Tuesday's midterm elections.

What 2018 election security teaches us about 2020 (POLITICO) Dems begin to unveil House cyber oversight plans — Russia says U.S. election went a-OK

What an unhacked election means for election security (Axios) It could make election security improvements seem less urgent for 2020.

'UK Will Be Hit By Category One Cyber-Attack,' Says Government Director (Forbes) With an increase in nation state cyberattacks, the UK should be wary of a category one assault in the coming years and needs to act accordingly, according to Peter Yapp, deputy director of NCSC, which is a part of the UK government's intelligence agency GCHQ.

Lazarus Group Targets Bank Networks to Rob ATMs (Infosecurity Magazine) Symantec uncovers Trojan.Fastcash malware used by N. Korean hacker group in ATM attacks

FASTCash: How the Lazarus Group is Emptying Millions from ATMs (Symantec) Symantec uncovers tool used by Lazarus to carry out ATM attacks.

In online ruse, fake journalists tried to hack Saudi critic (AP NEWS) Hackers impersonating journalists tried to intercept the communications of a prominent Saudi opposition figure in Washington, The Associated Press has found. One attempt involved the fabrication of a fake BBC secretary and an elaborate television interview request; the other involved the impersonation of slain Washington Post columnist Jamal Khashoggi to deliver a malicious link. Media rights defenders denounced the hacking effort, which they said would make it harder for genuine reporters to do their jobs.

Attackers breach web analytics service, go on to target Bitcoin platform (WeLiveSecurity) Latest ESET research details how attackers compromised a leading web analytics service with the ultimate aim of stealing bitcoin from customers of one specific virtual currency exchange.

Active Exploitation of Newly Patched ColdFusion Vulnerability (CVE-2018-15961) (Volexity) If your organization is running an Internet-facing version of ColdFusion, you may want to take a close look at your server.

Inception Attackers Target Europe with Year-old Office Vulnerability (Palo Alto Networks Blog) Inception targets Europe with year old office vulnerability. Read the full report.

AP: Video expert says White House clip of CNN reporter was likely doctored [updated] (Ars Technica) Analysis: Video is sped up to make reporter's actions look more aggressive.

Doctored Jim Acosta video shows why fakes don’t need to be deep to be dangerous (CSO Online) White House promotion of an allegedly doctored press conference video shows how "shallow fakes" can manipulate opinion.

Don’t Want to Fall for Fake News? Don’t Be Lazy (WIRED) An MIT professor argues that misinformation boils down to one simple thing: mental laziness, exacerbated by social media.

How email fraud tactics continue to find new life (Help Net Security) Almost as soon as email became widely used, crooks and scammers began using it as a means to defraud people, according to Vircom.

Hackers go spear phishing on Grambling’s campus (Gramblinite) This is the screenshot of the email that was sent out to Dr.

Chesapeake Public Schools’ computer network affected by malware from phishing emails (WTKR.com) Officials with Chesapeake Public Schools said Thursday the district's computer system has been hacked.

A Sexual Predator Is Allegedly Extorting Kids for Explicit Photos in 'Fortnite' (Motherboard) Montreal police reported four cases of sextortion using the popular game.

Security Patches, Mitigations, and Software Updates

Round two: Microsoft prepares to release Windows 10 October 2018 Update... again! (Help Net Security) Thanksgiving comes early this year, but the Microsoft Windows 10 October 2018 Update is coming late. Should we be thankful?

Cisco fixes two critical bugs, recommends workaround for a third (SC Magazine) Cisco Systems yesterday issued 17 security advisories, disclosing vulnerabilities in multiple products, including at least three critical flaws.

Oops: Cisco accidentally leaked in-house Dirty COW exploit code with biz conf call software (Register) Critical bugs patched in switches, messaging, analytics

Several Vulnerabilities Patched in nginx (SecurityWeek) Several DoS vulnerabilities have been patched in nginx, the open source web server software used by hundreds of millions of websites

Chrome will start warning users about shady mobile subscription pages (Help Net Security) Chrome 71 users will be warned when attempting to visit pages that try to trick them into signing up for mobile subscription services.

Dropbox strengthens security ecosystem with Google Cloud Identity and expanded partnerships (Help Net Security) Integrations will keep customer content protected and secure with tools for controlling identity access, governing data, and managing devices.

Cyber Trends

Though 2018 Will Likely Not Surpass 2017 Numbers – Still Significant Year For Breach Activity (Risk Based Security) The number of publicly reported breaches keeps pace with recent years while a staggering 3.6 billion records are exposed.

Have we reached a tipping point towards a better internet? (The Irish Times) Tim Berners-Lee may feel he created a monster, but there are grounds for optimism

The Growing Menace of Cyber Attacks in the Asia-Pacific region (Entrepreneur) A Frost & Sullivan study commissioned by Microsoft revealed that a large-sized organization in the Asia Pacific region can possibly incur an economic loss of $30 million, more than 300 times the average economic loss for a mid-sized organization.

Marketplace

Opinion | Google was working on two ethically questionable projects. It quit the wrong one. (Washington Post) A censored search engine for China is much more evil than working with the U.S. military.

Broadcom axes CA Technologies staff in large-scale layoffs following $19bn acquisition (Computing) Monday: Broadcom CEO welcomes CA staff into the Broadcom family. Friday: Mass layoffs reported.

ForeScout Acquires SecurityMatters (GlobeNewswire News Room) Accelerates ForeScout’s momentum by enabling the industry’s first, and only, end-to-end agentless device visibility and control platform across the extended enterprise...

Threat Stack acquires runtime application security vendor Bluefyre (Help Net Security) Addition of Bluefyre's runtime application security gives Threat Stack customers stack security observability for cloud infrastructure.

Cybersecurity Company Checkmarx Buys Ontario-based Custodela (CTECH) Israel-based Checkmarx develops and markets cybersecurity technology that automatically scans code to detect security breaches

Hotshot, Mobile Security Solution For Business, Announces Partnership With Government of Luxembourg and Acceptance Into Technoport® Business Incubation Program (PR Newswire) Hotshot today announced a partnership with the Government of Luxembourg and acceptance into the...

Novetta Reports $410M in 2018 Contract Wins Year-to-Date; Tiffanny Gates Quoted (GovCon Wire) Novetta closed third quarter having booked $410M in contract awards in 2018 and expects to close the

CACI Awarded $194 Million Task Order to Provide End-to-End Enterprise IT Support to the Transportation Security Administration (AP NEWS) CACI International Inc ( NYSE:CACI ) announced today that it has been awarded a $194 million task order to provide end-to-end enterprise information technology infrastructure, integration, and support to the Transportation Security Administration (TSA). The three-year, single-award task order falls under the Department of Homeland Security’s Enterprise Acquisition Gateway for Leading-Edge Solutions II (EAGLE II) contract vehicle and represents new work in CACI’s Enterprise IT market.

The Cybersecurity Marketing Engagement Index (Team Lewis US) Tracking the top 10 funded DC-area security companies

Exostar names new member to Board of Directors (Compliance Week) Exostar, a secure information sharing company, named Philip E. Goslin to its Board of Directors. Goslin serves as vice president of global supply chain for Lockheed Martin’s Rotary and Mission Systems (RMS) business area. In that role, Goslin’s responsibilities span all aspects of supply chain strategy, supply chain operations, and subcontract program management for RMS.

Allure Security Expands Its Team With a Proven Cybersecurity Marketing Executive (BusinessWire) Allure Security has added cybersecurity marketing veteran Mikala Vidal as its new VP of Marketing.

Products, Services, and Solutions

New infosec products of the week: November 9, 2018 (Help Net Security) DFLabs open framework enables integration of SOAR and security tools DFLabs launched a new version of the IncMan SOAR platform that provides an open

Axio launches cyber risk management platform to enable utilization of NIST-CSF (Help Net Security) Axio’s platform measures cyber program maturity, establishes a baseline for cyber readiness, and provides a risk reduction roadmap for ongoing improvement.

ISACA partners with national threatcasting initiative and releases its threatcasting labs (Help Net Security) Collaboration with Arizona State University’s Threatcasting Lab and partners such as Army Cyber Institute help to model threats and design solutions.

Technologies, Techniques, and Standards

Capabilities Assessment for Securing Manufacturing Industrial Control Systems (NIST NCCoE) The NCCoE has released a draft NISTIR Capabilities Assessment for Securing Manufacturing Industrial Control Systems and is requesting your feedback. The public comment period for this report will close on December 6, 2018.

NIST, CyberX, and Industry Partners Collaborate to Secure Manufacturing Industrial Control Systems (GlobeNewswire News Room) CyberX, the IIoT and industrial control system (ICS) security company, today announced its industrial cybersecurity platform was used by NIST to recommend new ways of securing manufacturing industrial control systems.

Aspen Cybersecurity Group: Internet of Things (IoT) Security First Principles (Aspen Institute) The Aspen Cybersecurity Group is a cross-sector public-private forum comprised of former government officials, Capitol Hill leaders, industry executives, and respected voices from academia, journalism, and civil society that have come together to translate pressing cybersecurity conversations into action.

DHS Wants to Expand the Reach of Its Critical Infrastructure Cyber Training (Nextgov.com) The department wants to be able to provide cyber training webinars to 5,000 simultaneous users.

Vulnerabilities in our Infrastructure: 5 Ways to Mitigate the Risk (Dark Reading) By teaming up to address key technical and organizational issues, information and operational security teams can improve the resiliency and safety of their infrastructure systems.

User Behavior Analytics Could Find a Home in the OT World of the IIoT (Dark Reading) The technology never really took off in IT, but it could be very helpful in the industrial world.

To Fight This Generation of Hackers, Companies Take a Cue from Spies (Wall Street Journal) Threat-intelligence services give companies a clearer view of the dangers they’re facing.

When your Instagram account has been hacked, how do you get it back? (Graham Cluley) Travel blogger Delaine Maria D’Costa had her account wiped after she failed to pay an extortionist $200. That was bad enough, but then she had to try to convince Instagram to let her have it back again.

Academia

A Brief History of Higher Education Insecurity (Edguards) Educational institutions play a major role in the US economic, political, and intellectual well-being. Ironically, the security of the software and data systems used in such organizations on an everyday basis is far from perfect.

CSM students take part in Cyber Fast Track Maryland (SoMdNews.com) College of Southern Maryland students recently participated in the launch of Cyber Fast Track Maryland, a new program established to help close a widening gap of job openings in the

Does a Career in Cyber Security Require a Degree? (Acumin) Last month we attended Cyber Re:coded, Europe’s largest cyber security recruitment event, focussing on school and graduate attendees.

Legislation, Policy, and Regulation

Microsoft President: Governments Must Cooperate on Cybersecurity (Dark Reading) Microsoft's Brad Smith calls on nations and businesses to work toward digital peace and acknowledge the effects of cybercrime.

China Violated Obama-Era Cybertheft Pact, U.S. Official Says (Wall Street Journal) China has violated an accord it signed with the U.S. three years ago pledging not to engage in hacking for the purpose of economic espionage, a senior U.S. intelligence official said Thursday.

NSA official: China violating agreement on cyber economic espionage (TheHill) Senior National Security Agency official Rob Joyce said Thursday that he believes China is violating a 2015 agreement with the U.S. to end cyber economic espionage.

With elections over, DHS maintains ‘heightened’ posture (FCW) As the National Risk Management Center winds down its work on 2018 election security, it is turning its attention to securing other critical infrastructure sectors.

First Came GDPR, Then Comes ePrivacy - What to Expect with Global Data Regulations (SecurityWeek) ePrivacy takes GDPR's approach a step further by ensuring personal and family privacy in relation to data collection, storage and usage.

California’s new IoT security law is not nearly enough - We need a GDPR for IoT…NOW! (SC Media) By Sudhakar Ramakrishna, CEO, Pulse Secure After years of undisclosed breaches, stolen identities and negligent data handling, Europe’s General Data

OPM authorizes use of new cyber job title (Fifth Domain) Federal agencies now have more options for classifying employees that perform cybersecurity duties.

Cyber War Requires Cyber Marines (U.S. Naval Institute) To ensure Marine Corps competitiveness in the cyber domain, personnel reforms must address policy, training, and organization, without compromising a warrior ethos.

Litigation, Investigation, and Law Enforcement

Google plans to send a top executive to Congress after facing criticism (Washington Post) Google CEO Sundar Pichai agreed to participate in the unscheduled hearing in response to a request from House Majority Leader Kevin McCarthy (Calif.), who like other Republicans has said Google silences right-leaning news, views and users.

SEC Poised to Ramp up Cybersecurity Enforcement (Cooley) On October 16, 2018, the Securities and Exchange Commission (SEC) issued an investigative report signaling its intent to use sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934…

Alabama U.S. Attorney chosen to pursue Chinese economic espionage and trade secret cases (al.com) U.S. Attorney for the Northern District of Alabama Jay E. Town is one of five U.S. Attorneys named to the China Initiative, according to U.S. Assistant Attorney General for National Security John Demers. The other federal prosecutors named to the China Initiative are from Massachusetts, California, New York and Texas.

Austrian colonel spied for Russia for decades, Vienna says (Reuters) A senior Austrian military officer is believed to have spied for Moscow for deca...

Notorious "DerpTrolling" Pleads Guilty to DDoS Attacks on EA & Sony (BleepingComputer) A Utah resident named Austin Thompson has pleaded guilty in federal court in San Diego for performing DDoS attacks against multiple victims from 2013 to 2014. These victims ranged from small Twitch streamers to major gaming companies such as EA, Sony, and Microsoft.

Chinese headmaster fired after setting up his own secret... (HOTforSecurity) A Chinese headmaster has lost his job after it was discovered he was stealing the school's electricity to power a secret cryptocurrency-mining rig. As the South China Morning Post reports, Lei Hua, the head teacher of a school in the central province of Hunan...

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

Infosecurity North America (New York, New York, USA, November 14 - 15, 2018) With 23+ years of global experience creating leading information security events, Infosecurity Group is coming to New York in November 2018. Infosecurity North America will provide a focussed business...

Kingdom Cyber Security (Riyadh, Saudi Arabia, November 20 - 21, 2018) Setting a game plan to boost cyber resilience at the national level.

API Security Summit (London, England, UK, November 21, 2018) The API Security Summit, taking place in London on the 21st of November 2018 will bring together the financial services community, regulators, fintechs, TPPs and associations from across UK and Europe to find solutions to the current lack of standardisation, debate what standards/legislation may emerge in 2019, and how to plan with these in mind.

Army Autonomy and Artificial Intelligence Symposium and Exposition (Detroit, Michigan, USA, November 28 - 29, 2018) This symposium will explore and showcase innovative ways the U.S. Army is developing critical capabilities in robotics, autonomy, machine learning, and artificial intelligence. The goals are to explore...

The Cyber Security Summit: Los Angeles (Los Angeles, California, USA, November 29, 2018) This event is an exclusive conference connecting Senior Level Executives responsible for protecting their company’s critical data with innovative solution providers & renowned information security experts.

Securing Digital ID 2018 (Alexandria, Virginia, USA, December 4 - 5, 2018) As an increasing number of transactions move online and are mobile-enabled, the conference will explore today’s complex world of digital identities and how they are used for strong authentication and remote...

First Annual Maryland InfraGard Cybersecurity Conference (College Park, Maryland, USA, December 5, 2018) InfraGard is a partnership between the FBI and members of the private sector. The InfraGard program provides a vehicle for seamless public-private collaboration with government that expedites the timely...

International Cyber Risk Management Conference (Hamilton, Bermuda, December 6 - 7, 2018) Now in its fourth year in Canada, the International Cyber Risk Management Conference (ICRMC) has earned a reputation as one of the world’s most trusted cyber security forums. We are proud to bring ICRMC...

2018 Cloud Security Alliance Congress (Orlando, Florida, USA, December 10 - 12, 2018) Today, cloud represents the central IT system by which organizations will transform themselves over the coming years. As cloud represents the future of an agile enterprise, new technology trends, such...

Wall Street Journal Pro CyberSecurity Executive Forum (New York, New York, USA, December 11, 2018) The WSJ Pro Cybersecurity Executive Forum will bring together senior figures from industry and government to discuss how senior executives can best prepare for hacking threats, manage breaches, and work...

National Cyber League Fall Season (Chevy Chase, Maryland, USA, December 15, 2018) The NCL is a defensive and offensive puzzle-based, capture-the-flag style cybersecurity competition. Its virtual training ground helps high school and college students prepare and test themselves against...
