
More signal. Less noise.

Get your copy of the definitive guide to threat intelligence.

We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.

Daily briefing.

Black Hat and Def Con

We wrap up our coverage of last week's Las Vegas conferences today with a few observations general and specific.

Building management system vulnerabilities.

During Def Con, McAfee researchers Douglas McKee and Mark Bereza detailed a critical vulnerability they discovered in building management systems made by Delta Controls. The flaw in Delta’s enteliBUS Manager (eBMGR) could allow for remote code execution leading to manipulation of physical processes.

The researchers used a fuzzing tool to find a buffer overflow vulnerability that crashed the system after they sent it exactly 97 malformed packets. Analyzing the core dump after the crash allowed them to track down the memory address where the crash occurred, which eventually led them to discover the specific function that could be overwritten to create a remote shell using Netcat.

McKee and Bereza then went to work observing all the normal functions of an eBMGR and used what they saw to write malware that performed the same functions. This approach could be used to take control of all the eBMGR’s functions remotely. While McAfee’s test case was carried out with physical access to the device, an attacker could perform all of this over the Internet starting with only the IP address of the targeted device.

The researchers emphasized that Delta Controls was commendably responsive to their disclosure, describing the company’s reaction as the “gold standard” of how an organization should conduct itself when presented with a vulnerability in one of its products. Delta actively worked with McAfee to develop a patch, which was released in June.

Although a fix is available, however, the researchers said that as of Saturday there were still around five hundred vulnerable machines connected to the Internet, and now it’s up to the owners of the products to apply the patch.

CISA and election security.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) put in an appearance at Def Con's Voting Village to describe how NCATS, CISA's National Cybersecurity Assessments and Technical Services, is supporting election security. According to Infosecurity Magazine, NCATS offers its services free to eligible Federal, state, and local authorities. Those services include:

  1. The Cyber Hygiene service. This is an external vulnerability scan of an organization's perimeter, conducted continuously and automatically.
  2. The Phishing Campaign Assessment. This six-week engagement sends a series of six different phishing emails to the organizations it supports, representing such familiar scams as the Nigerian prince scam, highly targeted spearphishing, and so on. It's a relatively light-handed way of assessing organizational gullibility and, more importantly, raising awareness about the risks of email social engineering.
  3. The Risk and Vulnerability Assessment, a two-week remote penetration test.
  4. The Critical Product Evaluation, which tests and validates equipment on behalf of the election officials it supports. The evaluations are conducted in partnership with several laboratories.

CISA is still a relatively young agency, and it's interesting to see the portfolio of services it's evolving.

Why cheap insurance may not be a good thing, in the long run.

Cyber insurance policies currently fetch a surprisingly low premium, as TechTarget notes from discussions it heard at Black Hat. The low cost is a supply-side phenomenon: a lot of insurers are working to get into the market, and they're competing on price. But the low premiums being charged probably mean that the underwriters are still working without the actuarial data and models they need to be fully comfortable with the risk they're accepting in transfer from their customers. Expect prices to change as the actuaries catch up with the consequences of cyber incidents.

Congratulations to the Plaid Parliament of Pwning.

Carnegie Mellon University's competitive hacking team took top honors for the fifth time in seven years at Def Con this year. Def Con's capture-the-flag is generally seen as the world cup of hacking. Congratulations to the Triple-P.

Notes on swag and booth diversions.

Socks continue to be a popular giveaway. If you left Black Hat barefoot, you did so by choice and not necessity. T-shirts remain another standby. CrowdStrike had a big line at their booth for shirts emblazoned with the company's cartoon representations of threat actors. And if you weren't able to get to Vegas, ask those colleagues who made the trip if they spent any time in Demisto's ball pit. (Trust us: admit it or not, they probably did.) Farewell to Las Vegas, until next year.

The UN Security Council panel studying North Korean hacking concluded, according to the AP, that Pyongyang has made at least thirty-five financially motivated cyberattacks against seventeen countries as it works to fund its weapons-of-mass-destruction programs. The most common operations are attacks against the SWIFT bank funds-transfer system, attacks against cryptocurrency exchanges, and cryptojacking to mine alt-coin directly.

Anomali says it's observed the BITTER APT operating against Chinese government targets. The apparent cyberespionage campaign is thought to operate out of India, as Help Net Security reports.

Proofpoint has released a study of PsiXbot, a modular information-stealer described early this year by Fox-IT. A new version of the malware is out in the wild, turning up in both phishing campaigns and exploit kits. The malware has added additional modules and a new way of connecting to DNS servers. Proofpoint regards the upgrades as evidence of the threat actors' determination to compete in the crowded criminal-to-criminal market. They don't identify the gang responsible, but they observe without comment that PsiXbot checks a potential victim to see if that target is likely to be Russian. If it is, PsiXbot exits.

Glasswall Solutions issued a report this morning in conjunction with Forcepoint on spearphishing trends. They find that spearphishing is growing more evasive. An analysis of twenty-five million email attachments concluded that intellectual property theft and compromise of client confidential data represent the highest risks.

Influence operations targeting next year's US elections are arguably already underway, NextGov notes. They're inexpensive and low-risk.

It's Patch Tuesday. Fixes are inbound.

Notes.

Today's issue includes events affecting China, Costa Rica, Gambia, Guatemala, India, Democratic People's Republic of Korea, Republic of Korea, Kuwait, Liberia, Malaysia, Malta, Nigeria, Pakistan, Poland, Russia, Saudi Arabia, Slovenia, South Africa, Tunisia, United Kingdom, United Nations, United States, and Vietnam.

Bring your own context.

University cybersecurity programs are typically directed toward professional preparation. Academic programs are receiving feedback from the businesses who hire their graduates.

"One of the problems was [that students] didn't understand governance, for example - governance and interacting with teams and leadership - that kind of workplace rapport that's needed. So we've leaned in on governance and teaching best practice, alignment, training, risk management. And then lastly, what I heard, and very strongly, from business was that technology students were coming out, and they didn't have a grasp of how technology drives the business. They knew - they thought technology was, according to the folks we interviewed as part of building our programs, they thought technology was about technology, when really, in most businesses and most government technology operations, your job is to drive the business. There was a lack of understanding of how to communicate around the business of technology. There was a lack of ability to talk to people who weren't in the technical end of the business, for example, people in the C-suite. So we made sure that our programs are all teaching those skills, and we're doing it in a very practical way."

—Ralph Russo, director of information technology programs for Tulane University's School of Professional Advancement, on the CyberWire Daily Podcast, 8.12.19.

And that's how one university is using the feedback to shape its program.

What are the best practices and tools for SecOps in 2019?

Read the 2019 SANS Security Operations Survey report for key insights & strategies from principal SANS Instructor Christopher Crowley & SANS Director of Emerging Technologies John Pescatore. Download your copy now.

In today's podcast, out later this afternoon, we speak with our partners at the University of Maryland, as Jonathan Katz discusses Apple’s clever new cryptographic protocol. Our guest, Mike Overly from Foley and Lardner LLP, talks about the US House of Representatives' hold on the State Department’s proposal for a Bureau of Cyberspace Securities and Emerging Technologies.

CyberTexas Job Fair, August 20, San Antonio. Visit ClearedJobs.Net or CyberSecJobs.com for details. (San Antonio, Texas, United States, August 20, 2019) Cleared and non-cleared cybersecurity pros make your next career move at the free CyberTexas Job Fair, August 20 in San Antonio. Meet face-to-face with leading cyber employers. Visit our site for more details.

Cyber Warrior Women Summer Social: Sip and Paint (Columbia, MD, United States, August 21, 2019) Join the Cybersecurity Association of Maryland, Inc. (CAMI) for the annual Cyber Warrior Women Summer Social, an all-about-fun-and-networking event! We're adding an artistic element to this year's event with a wine glass painting exercise. No previous art experience required.

Second Annual DataTribe Challenge (Online, October 1, 2019) Register now for a chance to be DataTribe's next world-class company. Finalists will split a $20,000 prize, and the winner may receive $2m in funding from DataTribe. Contestants have until October 1st to apply at www.datatribe.com/challenge.

Dateline Black Hat and Def Con

Why cyber insurance policies are so 'ridiculously cheap' (SearchSecurity) At Black Hat 2019, experts from the cyber insurance market discussed how it is growing rapidly but expressed concerns about the lack of actuarial data and proper risk assessments behind those ultra-cheap cyber insurance policies.

‘Please break things’: Hackers lay siege to voting systems to spot weaknesses in security (Washington Post) In three years since its inception, Def Con’s Voting Village has become a destination not only for hackers but also lawmakers and members of the intelligence community.

#DEFCON: How the US's CISA Works to Improve Election Security (Infosecurity Magazine) Members of NCATS outlined their mission and their challenges for election security.

Google Hackers Found 10 Ways to Hack an iPhone Without Touching It (Vice) Many of the vulnerabilities relied on using iMessage to own the rest of the phone, Google's Project Zero said.

Carnegie Mellon team flexes hacking prowess with fifth DefCon title in seven years (PR Newswire) Carnegie Mellon University's competitive hacking team, the Plaid Parliament of Pwning (PPP), just won its fifth...

Cyber Attacks, Threats, and Vulnerabilities

UN probing 35 North Korean cyberattacks in 17 countries (AP NEWS) U.N. experts say they are investigating at least 35 instances in 17 countries of North Koreans using cyberattacks to illegally raise money for weapons of mass destruction...

Anomali discovers phishing campaign targeting Chinese government agencies (Help Net Security) Anomali discovered a new phishing attack designed to steal email credentials from targets within the People’s Republic of China government.

Here’s What Foreign Interference Will Look Like in 2020 (Nextgov.com) The incentives for foreign countries to meddle are much greater than in 2016, and the tactics could look dramatically different.

Voting Machine Security: Where We Stand Six Months Before the New Hampshire Primary (Brennan Center for Justice) While there has been substantial progress in securing voting machines since 2016, there is still more to do ahead of 2020.

PsiXBot Continues to Evolve with Updated DNS Infrastructure (Proofpoint) Proofpoint researchers describe an update to PsiXBot.

Vulnerability Summary for the Week of August 5, 2019 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available

Repurposing Mac Malware Not Difficult, Researcher Shows (SecurityWeek) Repurposing Mac malware is not a difficult task for someone with reverse-engineering skills, and it’s a far simpler approach than writing malware from scratch.

Ursnif Malware Campaign Used Multiple Anti-Analysis Tactics (Security Intelligence) Security researchers came across a new Ursnif malware campaign that used multiple anti-analysis techniques to avoid detection.

Gamers Beware: Zero-Day in Steam Client Affects All Windows Users (Threatpost) An elevation-of-privilege bug allows attackers to run any program on a target machine with high privileges.

Beware of Fake Microsoft Account Unusual Sign-in Activity Emails (BleepingComputer) In this article we take a look at a phishing campaign that pretends to be an "Unusual sign-in activity" alert from Microsoft that could easily trick someone into clicking on the enclosed link.

Threat Intelligence Bulletin: Evasive Spear Phishing (Glasswall) Glasswall Threat Intelligence Bulletins mine our Threat Intelligence Platform to explore the latest trends in evasive malware that bypasses the various security layers designed to protect an organization. This first part of a two-part special Bulletin is a joint effort between Glasswall and Forcepoint, the Raytheon-owned military provider of world class gateway security …

Unsafe At Any Speed: Multiple Vulnerabilities Afflict 5G (Breaking Defense) The coming network needed for autonomous vehicles, virtual reality, and the Internet of Things will also bring cybersecurity danger.

Is Shadow IT Really the Perilous Threat It's Made Out to Be? (Infosecurity Magazine) It's difficult for administrators to secure what they don't know exists

Experts: Embedded computers in regular office devices have vulnerabilities (Insurance Business) Caution urged as the embedded device market continues to grow

Outsourcing, Cost Cutting and the Boeing 737 Max Debacle (BlogInfoSec) When we thought that Boeing had come up with ways to mitigate the risks that resulted in two major air crashes, we learn that Boeing has been outsourcing their software development to Indian companies that hired newbie temporary programmers for as little as $9 per hour, as described in a June 28, 2019 article by Peter Robison with the title “Boeing 737 Max software outsourced to $9-an-hour engineers”

We can’t detect a cyber attack that trips a plant, but we immediately identify an outage as not being a cyber attack? (Control Global) It seems premature to immediately rule out an event being cyber-related when you don’t know the cause of the event.

Desjardins spends C$70 million related to data breach (Reuters) Canadian lender Desjardins Group said on Monday it spent C$70 million ($53 milli...

Tangipahoa Parish School System working around cyber attack on first day of school (WAFB) Faculty in Tangipahoa refuse to let a cyberattack ruin students' return to class.

Security Patches, Mitigations, and Software Updates

Tripwire Patch Priority Index for July 2019 (The State of Security) Tripwire's July 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft and Oracle.

Valve updates Steam over escalation of privilege security flaw - but accused of ignoring other vulnerabilities (Computing) Gaping holes still exist in popular Steam app used by more than 90 million PC users every day, warn security researchers

Cyber Trends

Annual Research from WhiteHat Security Says Remediation Rates for App Vulnerabilities Continue to Fall (BusinessWire) WhiteHat Security has released its 2019 Application Security Stats Report,

The Front Line Of Application Security (WhiteHat Security) Using AppSec Statistics to Drive Better Outcomes

We keep falling for phishing emails, and Google just revealed why (Fast Company) Here’s what Google has learned by blocking 100 million phishing attacks on Gmail users—every day.

GUEST ESSAY: Why the next round of cyber attacks could put many SMBs out of business (The Last Watchdog) In the last year, the news media has been full of stories about vicious cyber breaches on municipal governments.  From Atlanta to Baltimore to school districts in Louisiana, cyber criminals have launched a wave of ransomware attacks on governments across the country. Related: SMBs struggle to mitigate cyber attacks As city governments struggle to recover […]

Hiscox Cyber Readiness Report 2019 (Hiscox) Our third Hiscox Cyber Readiness Report provides you with an up-to-the-minute picture of the cyber readiness of organisations, as well as a blueprint for best practice in the fight to counter the ever-evolving cyber threat.

Marketplace

Huawei Hires Trade Lobbyists as Sales Slow in US-China Fight (Transport Topics) Huawei Technologies Co. hired the law firm Sidley Austin to lobby on trade as the U.S. pressures allies to join it in blacklisting the Chinese telecom giant and the company finds itself increasingly mired in President Donald Trump’s trade war with Beijing.

Defense Intelligence Agency selects firms for $17B support contract (C4ISRNET) The Defense Intelligence Agency announced Aug. 5 it had selected 16 companies to provide military intelligence in support of the agency’s missions.

TechOperators leads $8.1 mln round for Polarity (PE Hub) Polarity, a memory augmentation platform, has secured $8.1 million in funding. TechOperators led the round with participation from other investors that included Shasta Ventures, Strategic Cyber Ventures and Gula Tech Adventures. In addition to the funding, Tom Noonan and Dan Ingevaldson will join Polarity's board while Ron Gula will come on board as an observer.

ThreatQuotient has banked millions in new funding (Washington Business Journal) ThreatQuotient CEO John Czupak said the company has closed on millions of dollars in new funding.

DHS chooses GrammaTech for software analysis tools for cyber security of critical infrastructure (Military & Aerospace Electronics) The goal of STAMP is to modernize software analysis tools to improve performance and coverage, and provide more accurate analysis of results.

Products, Services, and Solutions

Enveil Teams Recognized for Innovative Secure Data Collaboration Solution at International TechSprint Events (West) Pioneering Data in Use Security Provider Among Winners at FCA Global AML and Financial Crime TechSprint Events in UK and US

Barracuda acquires bot mitigation technology from InfiSecure to expand advanced bot protection capabilities (Barracuda Networks) Barracuda acquires bot mitigation technology from InfiSecure to expand advanced bot protection capabilities. InfiSecure solution provides seamless integration with CDNs, WAFs.

CompTIA Security+ Surpasses 500,000 Certified Milestone (CompTIA) CompTIA provides the media with unbiased insights into the myriad of issues affecting the industry including trends in technology, research, legal issues, public policy, workforce training, and business trends.

Technologies, Techniques, and Standards

Akamai CIO bets on ‘zero-trust’ approach to security (ETCIO.com) Akamai was one of the companies targeted by Aurora in 2010. An enterprise-wide initiative called the zero-trust security model was triggered post the ..

An ICS Cyber Security Storm is Brewing: How to Prevent Staff Burnout (Nozomi Networks) Building cyber resiliency puts a lot of pressure on an organization’s security team. It requires specialized knowledge that takes time to develop, and there just aren’t enough skilled cyber experts to go around. Which begs the question: are the limited number of security experts holding the front lines in danger of burnout – and what can we do about it?

How government agencies can up their cybersecurity game (Fifth Domain) In order to adopt a more robust cybersecurity posture, agencies must amend their current shortcomings by taking three steps.

Academia

MU recognized for cyber defense research (Columbia Missourian) The National Security Agency and the Department of Homeland Security sponsor the program and gave the distinction, which will last until 2024.

Legislation, Policy, and Regulation

Kashmir’s Paramilitary Lockdown Traps Locals (Foreign Policy) Witnesses say travel is nearly impossible and communications have been severed.

UK goes back to square one on Huawei as Johnson promises to re-examine 5G access (Computing) US national security advisor John Bolton claims that the British government is re-thinking its policy on Huawei

Boris Johnson could shift UK policy on Huawei after US warnings (Washington Examiner) British Prime Minister Boris Johnson’s national security team is reviewing the United Kingdom’s posture toward Huawei, a Chinese telecommunications giant that U.S. officials regard as a platform for spy agencies.

Plot Thickens as Huawei Now Linked to Chinese Intelligence and Military (CPO Magazine) Huawei’s dream of becoming a leader in 5G networks remains on hold as new study found many of its employees had prior links to Chinese intelligence and worked in projects eavesdropping on citizens or scooping up valuable data.

Opinion | The Trade War Hits China Where It Hurts (Wall Street Journal) Beijing’s doctored data shows growth has slowed to 6.2%. The actual rate is almost certainly worse.

Analysis | The Cybersecurity 202: Here's the political bind Democrats face when talking about election security (Washington Post) Eric Swalwell worries voters might stay home if they conclude hacking is inevitable.

DHS bug bounty program gets $44M price tag (FedScoop) A Department of Homeland Security bug bounty program, as proposed by legislation being considered in the House, would cost $44 million, according to the Congressional Budget Office. On July 17, the House Committee on Homeland Security requested CBO perform a cost estimate of H.R. 3710, the Cybersecurity Vulnerability Remediation Act, which calls for DHS to …

Pentagon plans to ask for more money for 5G (C4ISRNET) Pentagon leaders expect to set aside new money for 5G technology in the fiscal 2021 budget.

Are States Taking Cybersecurity Seriously Enough? (Governing) Only one has a cabinet-level official dedicated to the issue.

Litigation, Investigation, and Law Enforcement

FBI seeks to monitor Facebook, oversee mass social media data collection (ZDNet) Plans to track social media activity will potentially clash with existing privacy policies.

South Wales Police to Start Facial Recog Trial (Infosecurity Magazine) Force under fire as court case continues

King's Cross developers say facial recognition cameras 'ensure public safety', amid fears private companies are carrying out ID checks (The Telegraph) The developer of a 67-acre site in London’s King's Cross has defended its use of facial recognition technology as campaigners warned that private companies were increasingly conducting secret identity checks on the public.

Fortnite champ Bugha 'swatted' while streaming (ESPN) Kyle "Bugha" Giersdorf, a 16-year-old Pennsylvanian who last month won the $3 million grand prize in the Fortnite World Cup, was "swatted" while livestreaming on Twitch on Saturday night.

Marines should retain officer who sent classified warning to colleagues ahead of an insider attack, new panel finds (Washington Post) The decision marks a victory for Maj. Jason Brezler, who has fought Marine Corps' attempts to discharge him ever since he self-reported that he sent classified information over an unclassified email network to warn Marines of a security threat in Afghanistan.

Cyber attack on police was revenge for conviction at Warrington (Warrington Worldwide) A MAN who launched a cyber-attack on the Cheshire Police Website in retaliation for a conviction at Warrington has been jailed for 16 months.

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

Cybersecurity Summit, New York (New York, New York, USA, August 13 - 14, 2019) The Cybersecurity Summit, New York, invites information security practitioners to learn about the latest trends in data breaches and frauds, and about mitigation strategies. ISMG’s Global Summit focuses...

Virginia Cybersecurity Education Conference (Fairfax, Virginia, USA, August 13 - 14, 2019) The goal of the Virginia Cybersecurity Education Conference is to get attendees thinking about ways to engage students at all grade levels in hands-on, meaningful educational activities related to cybersecurity.

AcceleRISE (Minneapolis, Minnesota, USA, August 14 - 16, 2019) Prepare for your future. Designed for young industry professionals like yourself, and presented by SIA, AcceleRISE brings together tomorrow’s security leaders for two-plus days of idea sharing and coaching. The conference, hosted by SIA’s RISE community for young professionals and those new to the industry, will present blended learning sessions featuring a mix of keynotes, panel sessions, team building exercises, peer networking and workshops.

PCI Security Standards 2019 Latin America Forum (São Paulo, Brazil, August 15, 2019) Don’t miss the data security event of the year for the payment card industry. We provide you with the information and tools to help secure payment data. We lead a global, cross industry effort to increase...

Austin Cybersecurity Conference (Austin, Texas, USA, August 15, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.