Controlled unclassified information requirements affect federal contractors.
Cleared Defense Contractors will see DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, compliance requirements appear in DoD contracts. These requirements must be implemented within 30 days of contract award. The Information Security Oversight Office (ISOO) is responsible for one of those requirements, implementing the NIST SP 800-171. Learn more about CUI compliance in this joint webinar presented by ISOO and SecureStrux.
The Week that Was.
October 13, 2018.
By The CyberWire Staff
Waking up from a nightmare. (Probably. For now...)
Bloomberg's report of a Chinese hardware seeding attack on the IT supply chain came in for additional criticism this week. Both Apple and Amazon immediately denied the truth of the report as soon as it was published. The UK's National Cyber Security Centre said it had no reason to doubt the denials, and the US Department of Homeland Security followed suit: "Like our partners in the UK...at this time we have no reason to doubt the statements from the companies named in the story."
Bloomberg offered partial corroboration Tuesday. Norway's National Security Authority said that it has been "aware of an issue" with respect to Supermicro devices since June, but couldn't confirm Bloomberg's report. A Maryland security firm, Sepio Systems, told Bloomberg it had found the Chinese spy chips on some Supermicro components in a client's servers. A nondisclosure agreement prevented them from saying which client it was, but they did say it was a telecommunications company (Bloomberg). Motherboard says it hasn't been able to find an affected telco.
Rob Joyce, NSA's senior advisor for cybersecurity strategy, said Wednesday he's seen no evidence the campaign happened. He pointed out that denials by Apple, Amazon, and others matter. Their directness and specificity would expose the companies to considerable legal risk if they proved untrue. "What I can't find are any ties to the claims in the article... If somebody has first-degree knowledge, can hand us a board, and point to somebody in a company that was involved in this as claimed, we want to talk to them" (RealClearPolitics). Congress is preparing its own investigations (Washington Post).
This supply chain attack would be a "nightmare," wrote the Daily Beast, but the world may be waking to realize that (this time) it was all a bad dream. There's been considerable skepticism across the security industry, and two of the story's sources clarified their statements in ways that undermine the account (Malwarebytes). Many observers point to an a priori implausibility: if China had these chips, why would they resort to the other techniques so often seen (Ars Technica)?
Sophos has suggestions about what to do against the possibility that the nightmare might come true. First, partition networks. Second, use two-factor authentication. And third, keep logs and use them (Naked Security).
Find out what midsized enterprises are doing right to hit the cybersecurity “sweet spot.”
Despite having bigger budgets and greater resources, large enterprises aren't better protected from cyberattacks than are their smaller counterparts. The sweet spot for cybersecurity is found among midsized businesses, which testing finds performed best at protecting their assets and mitigating their security risks. That's the conclusion of Coalfire's inaugural Coalfire Penetration Risk Report, based on more than 300 penetration tests in 148 companies worldwide. Download the report to gather data-driven insights and make informed decisions based on Coalfire’s innovative analysis.
Developing a cyber retaliatory capability.
The UK is developing, and exercising, a cyber retaliatory capability to be used as deterrence (or reprisal, should deterrence fail) against Russia. Reports suggest that the British capability would be directed against selected portions of Russian infrastructure (like Moscow's power grid) (Quartz).
Both the Netherlands and the UK are asking the European Union to institute more effective sanctions regimes against misbehavior in cyberspace. Russia and China are the particular focus (Bloomberg).
The Five Eyes and some of their allies, notably Germany and Japan, have agreed to cooperate more closely against Chinese cyber operations (Reuters).
Through the LookingGlass™: Top Trends to Keep Your Organization Cyber Aware
It’s 2018 and threat actors continue to leverage the same tactics – phishing, ransomware, social engineering – against their targets. The best way to fight these threats is to start with the basics. Join LookingGlass on Wednesday, October 24 @ 2PM ET for a discussion on how cyber criminals are leveraging ‘old’ tactics in ‘new’ ways. We’ll give you tips and tricks to avoid being a victim to the same old schemes. Sign up now!
Russia says the GRU officers the Netherlands expelled over a week ago were just ordinary travelers (AP).
ESET has tracked Industroyer and NotPetya to a common origin. Telebots and DarkEnergy are apparently the same threat actor (We Live Security). That actor is by consensus Russia.
Optimize your security teams with threat intelligence.
At Recorded Future, we believe every security team can benefit from threat intelligence. That's why we've launched our new Threat Intelligence Grader — so you can quickly assess your organization's threat intelligence maturity and get best practices for improving it. Get your Threat Intelligence Score™.
Google+ and disclosure.
The People API used with soon-to-be-defunct Google+ overshared, exposing an unknown number (but not more than 500 thousand) of users' Gmail data to developers (Naked Security). The issue is less the exposure than the perceived lack of transparency. Senators asked Google Thursday why it decided not to disclose the privacy issues when it discovered them (CRN).
App developers have liked the ready access they've enjoyed to information ;from Google's Gmail service, but to forestall another privacy gaffe, Mountain View is cutting them off. Effective January 9th, no data for you (Wall Street Journal).
2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.
WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review Report and learn about the threat trends and malware families their customers faced in 2017.
Chinese intelligence officer to stand trial in Cincinnati.
In the first incident of its kind, an officer of China's Ministry of State Security (MSS), is in US custody facing hacking charges. Yanjun Xu, a Deputy Division Director in MSS’s Jiangsu State Security Department, Sixth Bureau, was apprehended by Belgian authorities in April and extradited to the US on Tuesday (Wall Street Journal). The US Department of Justice says he'll be tried for "conspiring and attempting to commit economic espionage and steal trade secrets from multiple U.S. aviation and aerospace companies."
Mr. Xu would attempt to recruit US agents by offering them invitations to academic conferences at Jiangsu, and then work on them to deliver information to MSS. US officers lured him to Belgium, where authorities arrested him on a US warrant (Washington Post).
China's Foreign Ministry denounced the indictment as "made of thin air," and said they expect the US to deal with Xu "fairly in accordance with law," respecting his "legitimate rights and interests" (Washington Post). Some observers suggest that the arrest, trial, and extradition of a Chinese intelligence officer will prompt strong Chinese retaliation in cyberspace (ZDNet). Perhaps it already has: US officials this week have been naming China as the principal cyber threat, worse than Russia, which is itself pretty bad (Telegraph). The incident has prompted escalation in the ongoing Sino-American trade conflict (Times).
Notes from underground.
Crime and espionage are multicultural, too. A Recorded Future study of hacker fora finds the Russian underworld is crooked, the Chinese geeky. There are different styles of information operations, too. As Foreign Policy put it, "Russia is 4chan, China is Facebook."
Facebook continued to purge accounts for what it judges "coordinated inauthenticity." The company admits that inauthentic content is "often indistinguishable from legitimate political debate," and is trying to develop that distinction on the basis of behavior as opposed to content. The social network has banned 559 pages and 251 accounts, and the behavior it's singled out is clickbaiting people into ad farms. This round of bans affects Americans, not Russians (Telegraph).
Elsewhere, police are establishing and using fake Facebook accounts as part of undercover and sting operations. It's technically a violation of Facebook policies to do so, but perhaps there are law enforcement exceptions (NBC News)?
This month's Patch Tuesday saw its customary volume of fixes (Help Net Security). A Windows 10 update initially deleted users' files. That's been fixed, and Microsoft is offering to help customers recovered data that the update unintentionally schmeered (Ars Technica). MIcrosoft also fixed the JET Database Engine bug and a Win32 privilege escalation issue. The Win32 flaw has been exploited in the wild (TrendLabs Security Intelligence Blog).
One warning: some fake Adobe Flash updates are serving cryptominers (Threatpost).
Crime and punishment.
Hacktivist Billy Ribeiro Anderson, noms de hack "Anderson Albuquerque" and "AlfabetoVirtual," took a guilty plea to two Federal counts of computer fraud causing damage to a protected computer. He attacked and defaced the New York City Comptroller's website as well as a site belonging to the Center for Countering Terrorism at the US Military Academy (West Point). He is also said to have obtained persistent administrative access to "thousands" of web servers around the world (SecurityWeek).
Gary Davis, an Irish national, admitted serving as the admin for the Silk Road online contraband emporium. He faces up to twenty years in prison (SecurityWeek).
Italy's Postal Police have taken an unnamed man into custody in connection with hacking eight NASA domains in 2013 and about sixty Italian sites at other times. He was a member of the "Master Italian Hackers Team," and, as one would expect, he was caught in part because of a lot of boasting in social media (AP).
A Romanian national, Romeo Vasile Chita, is in custody and preparing to face trial in a US Federal Court. He's charged with four counts of racketeering, wire fraud conspiracy, conspiracy to launder money, and conspiracy to traffic in counterfeit services. Of the eight other defendants named in the indictment, two, Daniel Mihai Radu, and Manuel Tudor are in custody. The other five remain at large (US Department of Justice).
Online drug trafficker Gal Vallerius, he of the the very large beard and the screen handle "OxyMonster," has been sentenced to twenty years and forfeiture of some $700 thousand in cryptocurrency by a US Federal court (Ars Technica). He was arrested while visiting the US for a beard competition (HackRead).
In a cyberstalking case, Ryan S. Lin, 25, of Newton, Massachusetts, has been sentenced to seventeen-and-a-half years in prison. He took a guilty plea in April to seven counts of cyberstalking, five counts of distribution of child abuse imagery, nine counts of making hoax bomb threats, three counts of computer fraud and abuse, and one count of aggravated identity theft. The target of his stalking was a young woman and former housemate, and he organized various online mobs to assist in her persecution (Naked Security).
Courts and torts.
Google dodged a litigation bullet in the UK Monday. It could have faced a judgment amounting to some £3.3 billion in a suit alleging illegitimate data collection involving its harvesting of information from Apple's Safari browser (the "Safari Workaround") between August 2011 and February 2012. But the High Court threw the case out. Google said in its defense that it didn't share personal details of the estimated 4.4 million British iPhone users whose data it collected, and that in any case it was impossible to identify who'd been affected. Mountain View has settled various US claims over the same incident for a total of $39.5 million (Computing).
Google is also appealing the €4.3 billion fine the European Union levied in its Android anti-trust case (CRN). There's predictable litigation looming over the Google+ disclosures as well. The Schall Law Firm announced that it's "investigating" on behalf of investors in Google's parent, Alphabet (Yahoo!).
Merger objection lawsuits are up, and driving director's and officer's (D&O) insurance rates up with them (Business Insurance).
Policies, procurements, and agency equities.
The US Treasury Department announced new rules, required to implement recently passed legislation, that will bring a great many more investments into the scope of CFIUS (Committee on Foreign Investment in the US). CFIUS reviews such investments for their national security implications. The interagency body figured prominently in the news earlier this year when it put on hold on Broadcom's attempted takeover of Qualcomm. Many early stage foreign investments in US companies working in IT, AI, and cybersecurity had hitherto escaped CFIUS review. Such transactions will now receive close scrutiny (Wall Street Journal).
California's sweeping data privacy law will require companies to comply by 2020. A PWC study indicates that half the companies surveyed think that will be impossible (PWC). There's a growing mood in Congress, especially since the Google+ disclosure, to develop national privacy standards (Wall Street Journal).
Fortunes of commerce.
Google is shutting down Google+ (Bleeping Computer). The company acknowledged that its social network never performed as hoped, and the hushed-up potential for data leakage just disclosed is also a bad look for Mountain View (Engadget). The revelation was ill-timed in other respects: it overshadowed Mountain View's big launch event on Tuesday (SecurityWeek). Google pressed on nonetheless; among its new offerings were two Pixel phones, a Slate tablet, and Home Hub. The company touted the superior privacy of the camera-less Home Hub. Industry observers took away an unintended message: the lack of a camera amounts to an admission that Big Tech can't keep your data private. That's surely not what Google intended (Telegraph).
Jeanette Manfra, National Protection and Programs Directorate assistant secretary for the Office of Cybersecurity and Communications at the US Department of Homeland Security, looks to increased cooperation between the Government and the private sector to redress cybersecurity workforce shortfalls (Federal News Radio).
The US Army is looking for civilian cyber operators willing to put on the uniform. It's offering direct commissions up to the rank of colonel (FCW). This is an unusually high rank for a direct commission, but the shortage of cybersecurity talent in Government generally is a perennial problem now being framed as a national security issue (Help Net Security).
A look at the GRU's recruiting success suggests that a career in military intelligence is for many a way out of the "gloom and poverty of rural Russia" (AP). But immiseration isn't a strategy likely to be emulated elsewhere.
Mergers and acquisitions.
Cheating at online games is at least first cousin to hacking, and Epic Games (purveyor of Fortnite) has announced its acquisition of Kamu, a Finnish company Epic Games has long used for anti-cheating services (IGN).
Centrify will spin out its identity-as-a-service offering in a new company, Idaptive. Centrify will focus on its zero-trust, privileged access business, the better to compete with Bomgar and CyberArk (Infosecurity Magazine).
Imperva has agreed to be acquired by Thoma Bravo. The firm will maintain its current headquarters and executive team, and will continue operations as a privately held company (BusinessWire). The pricetag is reported to be $2.1 billion (CRN). Thoma Bravo has recently been building a portfolio of cybersecurity companies (Investor's Business Daily). One of its holdings is Barracuda Networks, which says it likes being privately held, and that leaving the New York Stock Exchange was the right move for the company (Silicon Valley Business Journal).
Singtel's Australian subsidiary, Optus Cyber Security, is in the process of acquiring Victoria-based Hivint. The price is expected to be up to AUS$23.3 million. Hivint's consulting services are thought to provide a good complement to Optus's offerings (Business Times).
AppRiver has acquired Long Island-based Total Defense, whose subscription-based endpoint security and small business focus AppRiver sees as a complement to its existing cloud-based services, and especially to its threat intelligence data (Channel e2e). AppRiver is itself a portfolio company of Marlin Equity Partners (PEHub).
Thales really does want to close its acquisition of Gemalto, and it's sweetening the EU's pot to make that likelier (Euro News).
Investments and exits.
Egnyte has attracted a $75 million investment led by Goldman Sachs. Egnyte's file storage and sharing business has grown to encompass data protection and compliance services as well (TechCrunch).
CybelAngel has raised $12 million in a funding round led by technology growth equity investors Bpifrance and Serena. Paris-based CybelAngel intends to use the funding to expand the presence of its AI-based threat intelligence offering in North American markets (Cision).
Demisto announced a Series C funding round led by Greylock Partners. Demisto intends to use the funding to accelerate go-to-market efforts for its Security Orchestration, Automation and Response (SOAR) technology (VentureDreams).
Italy's Generali, the large general insurance company, announced the formation of a wholly-owned subsidiary, GeneraliCyberSecurTech, through which it will offer cybersecurity solutions in Europe, Asia, and the Americas (ITIJ).
Microsoft has donated sixty-thousand of its patents to open source as it announced its intention to join the Open Innovation Network (Computing).
VMware says what most people think: there are too many security products in use by the average enterprise, including by VMware (Business Insider).
Today's issue includes events affecting Australia, Canada, China, European Union, France, Germany, Ireland, Italy, Japan, Netherlands, New Zealand, Romania, Russia, Ukraine, United Kingdom, United States.
ON THE PODCAST
The latest episode of Research Saturday is up. In this one, we hear about GPS manipulation. Researchers at Virginia Tech are investigating possible ways to manipulate GPS signals and send drivers to specific locations without their knowledge. Gang Wang is Assistant Professor of Computer Science at Virginia Tech, and he joins us to share his team's findings.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.