The week that was.
Midterm elections: a preliminary cybersecurity retrospective.
The US Department of Homeland Security has said that Tuesday’s elections went off without disruption by cyberattack (TheHill), and that seems a fair assessment. Preparations are underway to bring comparable levels of security forward into the 2020 election cycle (AP News).
So hacking proper appears to have been a fizzle, but there were some influence operations in play. DHS notes that disinformation about election security and the effects of influence operations is still being actively distributed (CBS). It’s hogwash from St. Petersburg, whose Internet Research Agency (IRA) cries victory for its trolls.
DHS cybersecurity leader Christopher Krebs points out that the Russian influence operations now under way are filled with “noise” and “garbage,” flooding people with phony stories about compromised systems and cyber-rigged voting. Expect this to continue, and remember that Moscow’s record suggests it has a fairly simple and achievable goal: erode adversary populations’ trust in their governments’ institutions, and in one another (Daily Beast).
For all of that trolling noise and garbage, Russia sent two election observers to the US to keep an eye out for irregularities in the voting on behalf of the Organisation for Security and Co-operation in Europe, because who better to certify good-government, free-and-fair elections than two members of the Duma (Washington Post)? The two observers looked in at two polling places in DC and seven in adjacent Maryland, and assured the OSCE that they saw no irregularities (TASS). (Of course, that's what Moscow would have the OSCE believe. Kidding. On to 2020.)
The strange case of traffic routed through China.
An Oracle researcher has outlined the odd history of US domestic Internet traffic being rerouted through China by China Telecom. He commendably doesn't speculate about motivation, and has no evidence that might lead one to decide between explanations in terms of espionage as opposed to explanations in terms of simple error. But he does offer a convincing account that for some three and a half years "networks peering with China Telecom" found themselves sending US domestic traffic via mainland China (Ars Technica). Military Cyber Affairs recently published a paper alleging BGP hijacking by China Telecom. That paper is worth rereading in the light of this latest account.
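The pattern the Oracle researcher describes is visible in routing data: a prefix originated by one domestic network, observed by another domestic network, with a foreign transit AS in the middle of the path. What follows is an added example, not the researcher's tooling or Oracle's data. The route lines and the ASN-to-country table are constructed (the ASNs themselves are real and well known; a production check would consult an RIR delegation file or PeeringDB instead of a hand-written table).

```python
"""Flag AS paths in which traffic between two domestic networks transits a
foreign AS. Added example with constructed route lines."""

# ASN -> registering country. Constructed stand-in for an RIR delegation file
# or PeeringDB lookup; the ASNs themselves are real.
ASN_COUNTRY = {
    7018: "US",  # AT&T
    3356: "US",  # Level 3 / Lumen
    174:  "US",  # Cogent
    4134: "CN",  # China Telecom backbone (CHINANET)
    4837: "CN",  # China Unicom backbone
}

# Constructed route-collector lines: "<prefix> <observer AS> ... <origin AS>".
ROUTES = """\
198.51.100.0/24 7018 3356
198.51.100.0/24 174 4134 4134 3356
203.0.113.0/24 7018 4837 4134 174
203.0.113.0/24 3356 174
""".strip().splitlines()


def parse_route(line):
    prefix, *path = line.split()
    return prefix, [int(asn) for asn in path]


def collapse_prepends(path):
    """Drop consecutive repeats: AS-path prepending is a traffic-engineering
    signal, not an extra hop, and must not hide or inflate a transit AS."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def foreign_transit(path, home="US"):
    """Return the (asn, country) hops strictly between a domestic observer and a
    domestic origin that are not registered in `home`. Unknown ASNs are reported
    as 'unknown' rather than silently treated as domestic."""
    path = collapse_prepends(path)
    if len(path) < 3:
        return []
    if ASN_COUNTRY.get(path[0]) != home or ASN_COUNTRY.get(path[-1]) != home:
        return []  # not a domestic-to-domestic path; foreign transit is expected
    return [(asn, ASN_COUNTRY.get(asn, "unknown"))
            for asn in path[1:-1] if ASN_COUNTRY.get(asn) != home]


def audit(lines, home="US"):
    """Return (prefix, collapsed path, offending hops) for every route line
    whose domestic-to-domestic path leaves the home country."""
    findings = []
    for line in lines:
        prefix, path = parse_route(line)
        hops = foreign_transit(path, home)
        if hops:
            findings.append((prefix, collapse_prepends(path), hops))
    return findings


if __name__ == "__main__":
    for prefix, path, hops in audit(ROUTES):
        print(f"{prefix}: path {path} transits {hops}")
```

The check deliberately says nothing about motive: it reports where the packets went, which is all the routing data can tell you, and leaves the espionage-versus-error question where the researcher left it.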
Banks skimmed and breached.
Banks in Pakistan sustained a major incident involving payment card systems (Payments Source). It affected most of the country's larger banks, but appears to have been a criminal skimming campaign as opposed to a breach.
HSBC has warned customers that "unauthorized entry" into some accounts has exposed statements and other data (BankInfo Security).
North Korea's Lazarus Group has also been active, looting ATMs with relatively new attack code. Symantec has published an analysis of what the state-sponsored criminals have been up to. The researchers call the Trojan "FASTcash." It is injected into the application servers that switch ATM transactions, where it intercepts the ISO 8583 messages carrying withdrawal requests and answers those for attacker-controlled cards with forged approvals, so the bank's core systems never see the debit. The campaign has been under way since 2016.
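A forged approval generated on the switch leaves a characteristic trace: cash was dispensed, but the authorization host never posted a debit. The reconciliation below is an added example of that check, not Symantec's analysis code or any bank's system. The switch log and core ledger are constructed, and their column layout (STAN, masked PAN, amount in minor units, ISO 8583 response code) is an assumption for illustration.

```python
"""Reconcile ATM approvals issued by a transaction switch against the core
banking ledger. Added example with constructed records."""
import csv
import io
from collections import defaultdict

# Constructed switch log. Response code "00" is approved, "51" is insufficient
# funds (standard ISO 8583 response codes).
SWITCH_LOG = """\
stan,pan,amount,response
000101,411111******1111,20000,00
000102,411111******2222,50000,00
000103,411111******1111,10000,51
000104,411111******2222,50000,00
000105,411111******3333,30000,00
"""

# Constructed core ledger: the debits the authorization host actually posted.
# STANs 000102 and 000104 never reached it.
CORE_LEDGER = """\
stan,pan,amount
000101,411111******1111,20000
000105,411111******3333,30000
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def unreconciled_approvals(switch_rows, core_rows):
    """Approvals the switch returned that have no matching debit in the core
    ledger, or a debit for a different amount."""
    ledger = {(r["stan"], r["pan"]): int(r["amount"]) for r in core_rows}
    orphans = []
    for r in switch_rows:
        if r["response"] != "00":
            continue  # declines never post a debit, so they cannot be orphans
        key = (r["stan"], r["pan"])
        if ledger.get(key) != int(r["amount"]):
            orphans.append(r)
    return orphans


def suspect_cards(orphans, threshold=2):
    """Group orphaned approvals by card. The same card approved repeatedly
    with nothing posted is the signature worth paging someone for."""
    by_pan = defaultdict(list)
    for r in orphans:
        by_pan[r["pan"]].append(r)
    return {pan: rows for pan, rows in by_pan.items() if len(rows) >= threshold}


if __name__ == "__main__":
    orphans = unreconciled_approvals(load(SWITCH_LOG), load(CORE_LEDGER))
    for pan, rows in suspect_cards(orphans).items():
        total = sum(int(r["amount"]) for r in rows)
        print(f"{pan}: {len(rows)} unposted approvals, {total} minor units")
```

Run it against intraday extracts rather than the end-of-day batch: the point of the check is to catch the pattern while the mules are still standing at the machines.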
Son of Stuxnet? And a promise of retaliation.
Rumors of a "second Stuxnet" were reinforced Monday when Iran's Telecommunications Minister accused Israel of having attacked Iran's telecommunications infrastructure. The Minister said the attack was unsuccessful and vowed unspecified retaliation (Reuters). It's worth noting that the original Stuxnet targeted a specific set of programmable logic controllers driving centrifuges at Iran's uranium enrichment facility at Natanz, whereas the recent Iranian claims describe what sounds like spyware, so "Stuxnet" in this context is best understood as shorthand for "attack by Israel or the US" rather than as a claim of kinship between two sets of attack code.
Cisco Talos research has outlined the activities of "Persian Stalker," an Iranian domestic covert surveillance campaign that relies on spoofed Telegram and Instagram apps to keep an eye on possible dissent.
Business Insider notes that observers think Iranian cyber operations against US oil production capabilities are a growing possibility as the US tightens sanctions against Tehran over alleged nuclear cheating. Renewed sanctions have begun to bite, economically, and there are signs that Tehran may be turning to Pyongyang-style cybercrime to redress financial shortfalls.
Holiday shopping tips.
They're for Diwali, but they work equally well for Christmas, Chanukah, the Winter Solstice, New Year's Day, Super Sunday, etc. Fortinet advises that you use good digital hygiene and keep your wits about you (Elets Banking and Finance). Specifically, they recommend:
- Using strong passwords, and changing them periodically.
- Storing important data securely, that is, backed up to removable media.
- Encrypting files, and using full-disk encryption on devices.
- Installing reliable anti-virus software and keeping it up to date.
- Maintaining a firewall to restrict inbound and outbound traffic.
Cisco has patched two of three recently disclosed critical flaws, and offered a workaround for the third (SC Magazine).
Drone manufacturer DJI has fixed vulnerabilities in its product line that could have enabled hackers to steal customer data or take control of the drones themselves (Fortune).
Chrome 71, due out next month, is expected to incorporate at least two interesting security features. First, it will give sites running questionable, dodgy advertisements thirty days to clean up their act, after which the browser blocks their ads (Daily Beast). Second, it will warn users about to visit shady mobile subscription offers (Help Net Security).
Crime and punishment.
An unnamed Austrian colonel is under suspicion of having spied for Russia. The alleged espionage, which has been referred to prosecutors, is thought to have been conducted over the past two decades (Reuters).
Well-known criminal skid Austin Thompson (nom-de-hack "DerpTrolling") copped a guilty plea in San Diego this week to a Federal charge of damaging a protected computer. He mounted distributed denial-of-service attacks against online gaming companies (including some big ones like Sony and EA) and Twitch streamers during 2013 and 2014. Mr. Thompson, who will be sentenced in March, faces a maximum penalty of ten years in prison, a quarter-of-a-million-dollar fine, and three years of supervised release (US Department of Justice).
Turkish police have arrested eleven people and charged them with SIM-swapping and cryptocurrency theft. Istanbul's Cybercrime Division found them by following their spoor through the IP addresses they used in their interactions with the crypto exchanges (HackRead).
The headmaster of a school in China's Hunan province has been fired for stealing his school's electricity. Mr. Lei Hua set up his own Ethereum-mining rig and plugged it into the school's sockets. He was discovered when people noticed that the electric bill was more than $2000 higher than it should have been, and that the high bills coincided with this odd whirring of fans and hard-drives the teachers were finding so distracting (South China Morning Post).
Courts and torts.
The US Securities and Exchange Commission is thought to be prepared to increase its tempo of cyber-related enforcement actions (Cooley).
Hong Kong's privacy commissioner has opened an inquiry into the Cathay Pacific breach (Reuters). The airline lost control over data affecting about 9.4 million passengers.
Advocacy group Privacy International has filed GDPR complaints affecting data handling by, among others, Oracle, Experian, and Equifax. Also involved in the group's action are one data broker, Acxiom, and three ad-tech firms: Criteo, Quantcast and Tapad (Infosecurity Magazine).
Policies, procurements, and agency equities.
US Attorney General Sessions resigned at midweek, at President Trump's request (Federal News Network).
US Cyber Command has begun to upload unclassified samples of malware it's obtained to VirusTotal. The Cyber National Mission Force contributed two instances of LoJack malware this week (Decipher). Cyber Command's new participation in VirusTotal has been widely applauded in the industry. It's worth noting that a decision to share unclassified malware samples has little or nothing to do with the Vulnerabilities Equities Process, which governs whether the Government discloses a vulnerability it holds to the vendor or retains it for its own use.
If you, vendor, are going to pitch something to the US Defense Information Systems Agency (DISA), tailor your pitch to the agency and its needs. If you're just going to tell them what you did for commercial customers, then DISA's not interested (Nextgov).
The US Office of Personnel Management intends to make it easier to classify Government jobs for cybersecurity. In particular, it will enable wider use of the "IT Cybersecurity Specialist" job title within the IT 2210 Management Series (Fifth Domain).
The week saw the hundredth anniversary of the birth of Russia's G[R]U military intelligence service. President Putin said during an observance of the centennial that he thought they should put the "R" back in GRU (Bloomberg). We think so too. (And coincidentally, we note, this week also saw the twenty-ninth anniversary of the fall of the Berlin Wall.)
Fortunes of commerce.
Huawei is not out of the North Woods yet. Ottawa is reconsidering whether to exclude the telecom equipment maker on security grounds from participation in Canada's 5G network (Globe and Mail). Huawei denies it's any kind of security risk (Nikkei Asian Review). The UK, a large market for Huawei kit, is also reconsidering the security implications of the company's presence in British networks (Wall Street Journal).
Certificate authority Comodo CA has rebranded itself as Sectigo. The New Jersey based company has also added support for IoT security and website backup to its offerings. The name change was motivated by the company's expansion into lines of business that might bring them into competition with security firm Comodo, the parent company that sold Comodo CA to Francisco Partners about a year ago (Enterprise Times).
(ISC)2's Cybersecurity Workforce Study 2018 takes a more nuanced approach to measuring the shortage of cyber workers, but it still finds that shortage to be very significant indeed. It's also, in the view of many organizations, affecting their security: 59% of the organizations surveyed think that cybersecurity staff shortages place them at "extreme or moderate risk" (SecurityWeek).
CompTIA and Burning Glass Technologies have released CyberSeek, a picture in the form of a heat map of the US cyber labor market. CyberSeek was prepared with the support of a grant from NIST and the assistance of NIST's National Initiative for Cybersecurity Education (Help Net Security).
Amazon is expected to open a second headquarters in Crystal City, Virginia, right across the Potomac from the District of Columbia. The new operation, should it become a reality, will introduce significant new pressures on an already tight labor market (Washington Business Journal).
Do cybersecurity careers require cybersecurity degrees? The answer is complicated, but in brief it seems to be "not necessarily." People without degrees in the field often have well-developed and marketable skills, whereas many with degrees aren't ready to step into the workforce in a serious way (Acumin). This is by no means to suggest that degrees are futile, but rather that the profession as a whole is not a highly credentialed one, that autodidacts and those with serious on-the-job training have a very real and important place in the industry, and, finally, that colleges and universities might give some thought to how their curricula prepare students for practice.
Mergers and acquisitions.
Private equity firm Thoma Bravo has acquired application security shop Veracode Software from Broadcom for $950 million in cash (PRNewswire). Thoma Bravo's not through, either. They've long been rumored to be in the market for a large publicly traded company, and Reuters this week said that the private equity shop was making a run at Symantec.
On Monday Broadcom closed its acquisition of CA Technologies for $18.9 billion, welcoming CA's employees to the family (Computing). By Friday it had begun sending lay-off notices to more than two thousand of those new family members (Register).
Symantec has been on its own acquisition run, announcing the acquisition of both Appthority and Javelin Networks. Mobile application security shop Appthority was already a Symantec Ventures portfolio company, and its technology has already figured in Symantec's endpoint protection offerings. Javelin Networks, which specializes in intrusion detection and corporate domain protection, will also be rolled into Symantec's endpoint protection business. No terms were disclosed for either acquisition (SecurityWeek).
IoT security company ForeScout has acquired operational technology network protection shop SecurityMatters for $113 million in cash. The acquisition is expected to enhance ForeScout's agentless device visibility and control offerings (Globe Newswire).
Threat Stack has bought Bluefyre, seeing in Bluefyre's application security capabilities a complement to its intrusion detection solutions. Threat Stack sees this as a cloud-native security play, and expects its combined offerings to enable developers to build applications capable of detecting and blocking threats at runtime. Terms of the acquisition were not available (Help Net Security).
Israel-based Checkmarx, which specializes in automatic code scanning to detect security issues, has bought Ontario-based Custodela for its "expertise in software security architecture and software development." Terms of the acquisition were not disclosed (CTECH).
Investments and exits.
Anti-fraud start-up Fraugster has raised $14 million in a Series B round led by CommerzVentures (Commerzbank's VC unit) with participation by existing investors Earlybird, Speedinvest, Seedcamp, and Rancilio Cube. Munich Re/HSB Ventures also invested in the Berlin-based company, which suggests strong interest on the part of the insurance sector in Fraugster's approach to detecting and blocking online retail fraud (TechCrunch). Those unfamiliar with the European venture capital ecosystem might profit from a closer look at Fraugster's investment round.
Industrial cybersecurity shop Dragos continues to raise investment. SEC filings indicate that the firm has raised $30 million en route to a projected $38-million Series B. There are seven investors (not identified in the filing) on board in the current round (Baltimore Business Journal).
Uniken, a "customer-first" cybersecurity firm, has raised $10 million. The company will use the funds to meet demand for its REL-ID platform, which aims to give customers easy, authenticated and verified e-commerce transactions (AP News).
And security innovation.
MasterPeace Solutions is sharing osMUD with a coalition led by NIST's National Cybersecurity Center of Excellence (NCCoE). osMUD is an open-source implementation of the Manufacturer Usage Description (MUD) specification, under which a manufacturer publishes a machine-readable description of the network communications its device needs, and the local network uses that description to fence the device in to its intended, safe operating conditions (BusinessWire).
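The enforcement step a MUD manager performs is mechanical: fetch the device's MUD file, resolve the hosts it names, emit allow rules for exactly those flows, and deny everything else. The example below is added here and is not osMUD's code. The MUD file is constructed in the layout the MUD specification's examples use (policy per direction referencing ACLs in the IETF access-control-list model); the device address, the DNS table and the iptables rendering are assumptions for illustration.

```python
"""Compile a MUD file into per-device firewall rules with a default deny.
Added example; the MUD file, device address and resolver are constructed."""
import json

MUD_FILE = json.loads("""
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://lighting.example.com/lightbulb2000",
    "is-supported": true,
    "systeminfo": "Example light bulb (constructed)",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-v4fr"}]}},
    "to-device-policy":   {"access-lists": {"access-list": [{"name": "mud-v4to"}]}}
  },
  "ietf-access-control-list:acls": {
    "acl": [
      {"name": "mud-v4fr", "type": "ipv4-acl-type", "aces": {"ace": [
        {"name": "cl0-frdev",
         "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "update.example.com", "protocol": 6},
                     "tcp": {"ietf-mud:direction-initiated": "from-device",
                             "destination-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}}]}},
      {"name": "mud-v4to", "type": "ipv4-acl-type", "aces": {"ace": [
        {"name": "cl0-todev",
         "matches": {"ipv4": {"ietf-acldns:src-dnsname": "update.example.com", "protocol": 6},
                     "tcp": {"ietf-mud:direction-initiated": "from-device",
                             "source-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}}]}}
    ]
  }
}
""")

# Stand-in for the resolver a MUD manager uses at enforcement time (constructed).
DNS = {"update.example.com": ["192.0.2.10"]}
PROTO = {6: "tcp", 17: "udp"}


def ace_to_rule(ace, direction):
    """Reduce one access-control entry to the fields a packet filter needs."""
    m = ace["matches"]
    ip = m.get("ipv4", {})
    l4 = m.get("tcp") or m.get("udp") or {}
    if direction == "from-device":
        host = ip.get("ietf-acldns:dst-dnsname")
        port = l4.get("destination-port", {}).get("port")
    else:
        host = ip.get("ietf-acldns:src-dnsname")
        port = l4.get("source-port", {}).get("port")
    return {"direction": direction, "proto": PROTO.get(ip.get("protocol"), "any"),
            "remote": host, "port": port, "action": ace["actions"]["forwarding"]}


def compile_mud(mud, device_ip, resolve=DNS.get):
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    policy = mud["ietf-mud:mud"]
    rules = []
    for direction, key in (("from-device", "from-device-policy"),
                           ("to-device", "to-device-policy")):
        for ref in policy[key]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                rule = ace_to_rule(ace, direction)
                # A name that does not resolve yields no allow rule: the device
                # stays fenced in rather than being opened up to "any".
                for addr in resolve(rule["remote"]) or []:
                    rules.append({**rule, "remote": addr, "device": device_ip})
    for direction in ("from-device", "to-device"):  # MUD semantics: default deny
        rules.append({"direction": direction, "proto": "any", "remote": "any",
                      "port": None, "action": "drop", "device": device_ip})
    return rules


def render_iptables(rule):
    dev, rem = rule["device"], rule["remote"]
    src, dst = (dev, rem) if rule["direction"] == "from-device" else (rem, dev)
    parts = ["iptables", "-A", "FORWARD"]
    if src != "any":
        parts += ["-s", src]
    if dst != "any":
        parts += ["-d", dst]
    if rule["proto"] != "any":
        parts += ["-p", rule["proto"]]
    if rule["port"] is not None:
        parts += ["--dport" if rule["direction"] == "from-device" else "--sport", str(rule["port"])]
    parts += ["-j", "ACCEPT" if rule["action"] == "accept" else "DROP"]
    return " ".join(parts)


if __name__ == "__main__":
    for rule in compile_mud(MUD_FILE, "10.0.0.5"):
        print(render_iptables(rule))
```

Two practitioner points are built in: resolution failures fall closed (no rule rather than an "any" rule), and the deny rules are appended unconditionally, so a MUD file that lists nothing at all still leaves the device isolated rather than unrestricted.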
DreamPort continues to establish itself as an innovation incubator in close cooperation with US Cyber Command (Baltimore Business Journal). Northrop Grumman is prepping for the next round of rapid prototyping at the center (GovConWire). Another Maryland innovation center, Cyber Town USA, under construction in Baltimore's Inner Harbor, is expected to open in 2020 (Baltimore Business Journal).
The New York Mayor’s Office of the Chief Technology Officer’s NYCX Cyber Moonshot Challenge is well launched. NYCX is partnering with Jerusalem Venture Partners (JVP), NYC Cyber Command (C3) and the New York City Economic Development Corporation (NYCEDC). JVP has committed to evaluating the winner for a $1 million investment.
Monday is the US Federal observance of Veterans Day, and the CyberWire won't be publishing. We'll be back as usual Tuesday.
The day proper, tomorrow, November 11th, is observed variously as Veterans Day, Armistice Day, and Remembrance Day. And this year November 11th marks the hundredth anniversary of the end of World War One. The Great War has now receded from living memory: no one who served is left with us, although many of us grew up knowing First World War veterans. Spare a thought or a prayer for those who served, suffered, and sacrificed, under whatever flag they marched.
On a less elegiac note, today, November 10th, is the US Marine Corps birthday. To America's Corps of Marines, established this day in 1775 at Tun Tavern, Philadelphia, and crossing water uninvited ever since, happy birthday and semper fidelis.
This CyberWire look back at the Week that Was discusses events affecting Canada, China, Iran, Israel, the Democratic People's Republic of Korea, Luxembourg, Russia, the United Kingdom, and the United States.
On the Podcast
Research Saturday is up. In this week's edition, "Establishing international norms in cyberspace," we speak with Joseph Nye, former dean of Harvard's Kennedy School of Government. He served as Chair of the National Intelligence Council, and as Assistant Secretary of Defense for International Security Affairs under President Clinton. He serves as a Commissioner for the Global Commission on Internet Governance, and is the author of over a dozen books, including Soft Power: The Means to Success in World Politics, and The Future of Power.
© 2018 CyberWire, Inc.