The CyberWire Daily Briefing 06.03.15

Summary

By The CyberWire Staff

China's expansive island-building in the South China Sea has attracted hacktivist groups to that country's maritime and security authorities. China complains that this goes to show it's a victim in cyberspace.

Japan continues to recover from its recent pension system breach. Lieberman Software looks at the episode and sees an instance of an Asia-Pacific country's resistance to implementation of modern security measures.

The long-familiar "Microsoft Tech Support" is evolving, says Blue Coat — its approaches have grown marginally more plausible, and now extend to bogus provision of Mac help.

OpenDNS finds signs that clouds "in bad neighborhoods" are proving a potential source of IoT infections.

Users prove more easily fooled by phishing than they would like to think, and there are signs of terrorist groups phishing ways of striking their targets.

Britain's GCHQ warns UK businesses of a heightened tempo of cyber attack.

In industry news, Sophos prepares for an initial public offering on the London Stock Exchange. ARM considers buying Sansa as an IoT security play. F-Secure consolidates its position in the European market with acquisition of nSense. SpaceX's intellectual property self-defense efforts spawn Spikes Security, a new company in the cyber sector.

In the US, Congress passes (and the President signs) legislation enabling electronic surveillance in a curtailed form. Agencies will henceforth require court orders for bulk collection. Observers differ over how well the compromise will please any side, but some see the fundamental problem as one of trust.

Home Depot asks that breach lawsuits against it be dismissed.

Notes.

Today's issue includes events affecting Australia, China, Japan, New Zealand, United Kingdom, and United States.

We're down in Northern Virginia today, Tweeting from TechExpo's DC Metro Cyber Security Summit.

Selected Reading

Cyber Trends

The drivers and inhibitors of cyber security evolution (ComputerWeekly) A study shows a shift in IT security spending to detection and response — but why are most organisations falling way behind the more enlightened front runners?

The Cyber Threats Hiding Beneath the Surface (PYMNTS) "The battle between the 'good guys' and the cybercriminals will continue to intensify with consumers' personally identifiable information in the wild"

Priority-based patching extending lifespan of outdated equipment: Dimension Data (CSO Online) Recent equipment refreshes have not prevented Australia's network infrastructure from being vulnerable to failure and security breaches, a new study has warned

Cyber attacks hit wide array of UK businesses, says GCHQ (ComputerWeekly) UK security agency GCHQ surprised by the extent and variety of organisations subject to cyber intrusions, says director general for cyber security

Legislation, Policy and Regulation

Congress approves overhaul of NSA surveillance (Baltimore Sun) Congress gave final approval Tuesday to the most sweeping rollback of government surveillance powers in the post-Sept. 11-era, clearing the way for a new program that bans the National Security Agency from collecting and storing Americans' telephone dialing records

U.S. Surveillance in Place Since 9/11 Is Sharply Limited (New York Times) In a significant scaling back of national security policy formed after the Sept. 11, 2001, terrorist attacks, the Senate on Tuesday approved legislation curtailing the federal government's sweeping surveillance of American phone records, and President Obama signed the measure hours later

Why Americans Hate Government Surveillance but Tolerate Corporate Data Aggregators (Lawfare) When I was first elected to the Senate, I was fortunate to be appointed to the Intelligence Committee. There I saw up close the dedication and commitment of the men and women of our intelligence agencies

Why We Can't Trust the NSA (And Why That's a Crisis) (National Journal) A greater threat than Iran, ISIS, and "lone wolf" attacks: government lies

How Export Controls Can Hurt National Security (Forbes) The federal government regulates the export of items with potential military uses to assure they are not shipped to hostile countries, terrorists, or human-rights abusers

Are agencies really ready for the Internet of Things? (FCW) It's a hydra-headed opportunity and test — and it's not something agencies can afford to ignore

Products, Services, and Solutions

Security startup finds stolen data on the 'Dark Web' (IDG via CSO) Finding stolen data on the Internet is often the first sign of a breach, and a Baltimore-based startup says it has developed a way to find that data faster and more securely

Google Creates One-Stop Privacy and Security Shop (Commerce Times) Google has launched a new hub to gather privacy and security settings in one place

Akamai and Trustwave unite to protect businesses from online threats (Help Net Security) Akamai Technologies, provider of content delivery network services, and managed security services firm Trustwave announced at Infosecurity Europe 2015 a new strategic alliance designed to help businesses more effectively fight a wide range of malicious online activities through vulnerability assessment, denial of service prevention and incident response

Lookout takes consumer mobile security expertise to the enterprise (FierceMobileIT) Whether operating in a BYOD or corporate-owned mobile device environment, companies face mobile security risks every day from existing and previously unknown threats

USMobile launches Scrambl3 mobile app that creates 'Dark Internet Tunnel' (FierceMobileIT) In an era where companies have to keep information confidential from criminals, competitors and their own governments, mobile security is uppermost in the minds of IT security execs

Airbus to launch new cyber sensor to fight advanced persistent threats (Army-Technology) Airbus Defence and Space is set to present a new cyber sensor for combating advanced persistent threats (APT) at the upcoming Infosecurity Europe exhibition in London, UK

Vectra To Demonstrate Real-Time Cyberattack Detection (CIO Today) Vectra Networks today announced that it will provide a live demonstration of its differentiated solution that delivers real-time Relevant Products/Services detection of cyber Relevant Products/Services attacks in-progress at the Gartner Relevant Products/Services Security & Risk Management Summit next week

Technologies, Techniques, and Standards

5 ways to stop a DDoS attack (FierceITSecurity) Distributed denial of service attacks continue to grow larger and more sophisticated as they claim more reputable victims, but that does not mean smaller websites are left defenseless

Bug hunting without much tech knowledge or many tools (Help Net Security) Bas Venis has been programming since he was 14 years old. After gaining some experience as a web developer, this 18-year-old self-taught security researcher got into IT security and aimed his sights at browsers. Specifically, at logic flaws that could be exploited

Marketplace

Sophos to raise £100m from stock market float (Telegraph) The cyber security company is targeting a premium listing, while Cairn Homes also confirms float plans

ARM Looks to Buy Sansa for IoT Security (Wireless Week) Chip maker ARM may be looking to get into the mobile security space

F-Secure acquisition bolsters firm's European position (PCR) F-Secure has announced its acquisition of nSense, Nordic's top cybersecurity provider

SpaceX's anti-hacker tech powers UK launch of security startup (Register) Spikes Security plays Night's Watch to the Wildlings beyond the firewall

Army kicks in retention bonuses for cyber warriors (Defense Systems) The Army, which is making a concerted push to recruit and retain cyber warriors, is for the first time offering selective retention bonus specifically to cyber personnel

CSG Invotas Delivers Automated Threat Response Solution to Independent U.S. Government Agency (Virtual Strategy Magazine) CSG Invotas, the leader in security orchestration and automation, today announced an independent United States government agency has implemented Invotas' flagship solution, Security Orchestrator, to increase response times to potential threats and reduce operational costs

Infoblox wins 'Emerging Security Vendor of the Year' at NME Innovation Awards (Security Mideast) Infoblox Inc., the automated network control company, has announced that it has been named Emerging Security Vendor of the Year by Network Middle East (NME), the region's leading magazine for networking industry

Cybersecurity Veteran Doug Wylie Joins NexDefense Executive Team (PRWeb) NexDefense, a leading authority on cybersecurity for industrial control systems (ICS), today announced that critical infrastructure cybersecurity veteran Doug Wylie has joined the executive team as vice president of product marketing and strategy…In addition, former U.S. Senator Sam Nunn has joined the company?s investor and advisory groups, bringing a wealth of experience in defending national critical assets

Dean Bakeris Joins ICF International as Cybersecurity VP (GovConWire) Dean Bakeris, formerly director of business development at BAE Systems, has joined ICF International (Nasdaq: ICFI) as vice president of the cybersecurity team

Cyber Attacks, Threats, and Vulnerabilities

China responds to report on cyber attack (Xinhua) If overseas hacking organization OceanLotus is proven guilty for stealing government information, it will further evidence that China falls victim to hacker attacks, a Chinese spokeswoman said on Tuesday

Lessons from Japan Pension System Hack (TopTechNews) Hackers have hit Japan's pension system, getting away with over 1.25 million files of personally identifying information

Getting the Word Out About Fake Tech Support Scams (Blue Coat Blogs) This is a post to support the excellent work of another researcher (@malekal_morte), who posted several screenshots from his research today, focusing on Tech Support Scams

Phony Tech Support Scams Now Target Macs (Blue Coat Blogs) This is essentially Part Two of yesterday's post on phony tech support scams. (For those too lazy to click, a hat tip to @malekal_morte for his tweets yesterday about these attacks)

New Rombertik Sample has originated in Nigeria (Security Affairs) ThreatConnect has conducted further investigations on the Rombertik malware and traced a malicious sample they analyzed to a Nigeria-based man

IoT Devices Hosted On Vulnerable Clouds In 'Bad Neighborhoods' (Dark Reading) OpenDNS report finds that organizations may be more susceptible to Internet of Things devices than they realize

Insecure mobile cloud backups leave millions of credentials exposed (TechTarget) Researchers find that insecure implementation of cloud backups by mobile apps may affect hundreds of thousands of apps and leave as many as 56 million credentials exposed

Future attacks: Hiding exploit code in images (Help Net Security) Successfully hiding messages in images has already been done, but is it possible to deliver an exploit in one — and run it?

Malvertising Gets Jacked with 3 Zero-Days (Infosecurity Magazine) Cyber-criminals are turning to malvertising in ever-greater numbers, as recent huge hits on porn sites and a range of media properties illustrates. There's no end in sight though, and Malwarebytes said that it intends to use Flash to gain easy access to millions of consumers this year

Woolworths' Self-Inflicted Breach A Clear Example Of Insider Negligence (Dark Reading) Australian grocer sent master spreadsheet of customer information and redeemable codes for thousands of gift cards to hundreds of customers

Self-Driving Cars Vulnerable to Cyber-Attack, Warn Experts (AFP via NDTV Gadgets) Hackers pose a real danger to self-driving vehicles, US experts are warning, and carmakers and insurers are starting to factor in the risk

Social media gives clues to security questions (USA TODAY) What was your high school mascot?

Test shows 97% fooled in phishing test; terrorists now using popular criminal hacking trick (Bob Sullivan) Plenty of folks think they could never be outsmarted by a hacker; plenty of them are wrong. In fact, perhaps 97% are wrong

Litigation, Investigation, and Enforcement

Home Depot says to breach victims, 'You can't do it, we won't help' (FierceITSecurity) Home Depot is asking a federal court to dismiss lawsuits by consumers who claim they suffered financial harm as a result of last year's massive data breach at the home improvement retailer

Debunking the Myths over Big Data and Antitrust (Comptetition Policy International Antitrust Chronicle) What are the implications of big data on competition policy?

The Art of Cyberwarfare (Legal Tech News) As data breach liabilities escalate, general counsel must address a minefield of cybertroops, weak partnership loops and regulatory groups

Daniel Ellsberg credits Edward Snowden with catalysing US surveillance reform (Guardian) Prominent US whistleblowers applaud Snowden's Patriot Act revelation for inciting Congress to take action, though they doubt he can ever return to the US

Ex-NBA All Star Chris Gatling accused of being ID theft kingpin (Naked Security) Former NBA All-Star Chris Gatling was arrested in Scottsdale, Arizona on Saturday and charged with being the kingpin in a credit card and identity theft scam

SIS spies to Kim Dotcom: We're sorry for calling you fatty (New Zealand Herald) Security Intelligence Service chief Rebecca Kitteridge has apologised to Kim Dotcom for the behaviour of her spies, who swapped emails about the internet entrepreneur's weight and wife while mocking his chances of getting New Zealand residency

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Gartner Security & Risk Management Summit (National Harbor, Maryland, USA, June 8 - 11, 2015) Gartner Security & Risk Management Summit 2015 provides you with best practices and strategies so you can maintain cost-effective security and risk programs in order to support digital business and drive enterprise success

cybergamut Technical Tuesday: Using EMET to Defend Against Targeted Attacks (Elkridge, Maryland, Middletown, June 9, 2015) 0-day vulnerabilities that are able to bypass platform level exploit mitigation technologies such as DEP and ASLR are becoming increasingly common. Knowledge workers are being increasingly targeted by adversaries seeking to gain a foothold in your enterprise via spear-phishing and watering hole style attacks leveraging 0-day vulnerabilities in commonly used applications such as Internet Explorer, Adobe Reader and Oracle's Java. Many organizations are still running Windows XP which no longer receives security updates as of April 2014. This presentation discusses a free exploit mitigation toolkit called EMET that can be installed on all currently supported versions of Windows to significantly raise the bar for attackers by offering new and novel exploit mitigation techniques that have been pioneered by the Microsoft Trustworthy Computing division and independent security researchers from around the world

Cybersecurity Outlook 2016 (Tysons Corner, Virginia, USA, June 26, 2015) Cybersecurity Outlook 2016 is a breakfast event by Potomac Tech Wire and Billington CyberSecurity that brings together senior executives in the Mid-Atlantic to discuss technology issues in a conversational, roundtable environment moderated by the editor of Potomac Tech Wire and the founder of Billington CyberSecurity. The panel will focus on the overall outlook for cybersecurity, including technology trends, business issues, start-up issues, government needs and predictions

upcoming Events

Techno Security & Forensics Investigations Conference (Myrtle Beach, South Carolina, USA, May 31 - June 3, 2015) The Seventeenth Annual International Techno Security & Forensics Investigations Conference will be held May 31 ? June 3 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. This conference promises to be the international meeting place for IT Security professionals from around the world. The conference will feature some of the top speakers in the industry and will raise international awareness towards increased education and ethics in IT security

Mobile Forensics World (Myrtle Beach, South Carolina, USA, May 31 - June 3, 2015) The Eighth Annual Mobile Forensics World will also be held May 31 ? June 3 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. The Mobile Forensics World is specifically dedicated to Federal, State and Local LE Forensic Specialists, Corporate and Private Forensic Examiners, Industry Leaders, and Academic Researchers performing Mobile Device Forensics. With topics such as Mobile Device Forensics (Cell Phone, PDA, Smart Phone, Satellite Phone, GPS), Advanced Techniques of Mobile Forensics, SIM/USIM Card Analysis, TDMA/CDMA/GSM/iDEN Handset Analysis, Cell Site Analysis, Call Data Record Analysis, Mobile Forensics Applications, and Mobile Forensics Research, this event will be a perfect start to an ongoing relationship for many members of this great community

International Techno Security & Forensics Investigations Conference (Myrtle Beach, South Carolina, USA, May 31 - June 3, 2015) The Seventeenth Annual International Techno Security & Forensics Investigations Conference will be held May 31 to June 3 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. This conference promises to be the international meeting place for IT Security professionals from around the world. The conference will feature some of the top speakers in the industry and will raise international awareness towards increased education and ethics in IT security

School on Computer-aided Cryptography (College Park, Maryland, USA, June 1 - 4, 2015) The goal of the school is to provide participants with an overview of computer-aided cryptography with a special focus on computer-aided cryptographic proofs using the EasyCrypt tool. Lectures discussing the theoretical aspects of computer-aided cryptography will be complemented by hands-on lab sessions, covering all aspects of the tool, from the basic aspects of formalizing cryptographic schemes and properties to advanced code-based proof techniques. The school is free of charge for participants, but the number of places is limited

AusCERT2015: Smarten up (RACV Royal Pines Resort, Gold Coast, Queensland, June 1 - 5, 2015) This year's conference theme explores how we need to smarten up to manage information security risks better. We need to "smarten up" by focusing on information security essentials; by taking advantage of threat intelligence to improve our security posture; and by adapting and applying smarter ways to prevent, detect and respond to information security risks

NSA SIGINT Development Conference 2015 (Fort Meade, Maryland, USA, June 2 - 3, 2015) This classified conference will focus on the preeminent intelligence issues facing those who are tasked with SIGINT as part of their mission. Over 1500 participants from the US intelligence community and throughout the world will attend this conference

ASIA (Annual Symposium on Information Assurance) (Albany, New York, USA, June 2 - 3, 2015) ASIA is an event held jointly with the 18th Annual New York State Cyber Security Conference (NYSCSC), aiming to attract researchers and practitioners alike for engaging talks about information security in all sectors. For a challenging industry such as the cyber security field is, getting up to speed with the latest developments is crucial and that's exactly what ASIA does

Infosecurity Europe 2015 (London, England, UK, June 2 - 4, 2015) Infosecurity Europe is the largest and most attended information security event in Europe. It is a free exhibition featuring not only over 325 exhibitors and the most diverse range of new products and services but also an unrivaled free education program with over 13,000 unique visitors from every segment of the industry

Cyber Security Summit: DC Metro Area (Tysons Corner, Virginia, USA, June 3, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services

7th Annual Southeastern Cyber Security Summit (Huntsville, Alabama, USA, June 3 - 4, 2015) Cyber training, education, and workforce development for the evolving threat

Seventh Annual Information Security Summit (Los Angeles, California, USA, June 4 - 5, 2015) Information Security has become top of mind for companies and this conference is a must for IT staff, CISOs, Board members and CEOs. The Seventh Annual Information Security Summit offers comprehensive, cutting-edge educational sessions presented by a world-class line up of keynote and featured presenters. There will be three forums to choose from: Healthcare Privacy and Security Forum, Executive Forum, CISO Executive Forum

ShowMeCon 2015 (St. Louis, Missouri, USA, June 8 - 9, 2015) This highly technical forum showcases eye-opening presentations from world-renown ethical hackers and security experts that will leave you amazed and frightened at the same time. By giving you access into the mind of a hacker, you will better understand how to protect your networks and critical data. ShowMeCon pulls back the curtain and exposes how hackers are winning the war on physical and cyber security. Whether you're a large corporation or a small business, you should attend this mind-blowing event as you witness the cream of the crop unveil the latest attacks, techniques, tactics and practices of today's hackers. Plus, gain insight and understanding into ways to effectively protect yourself and your business

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listens all over the world, companies trust the CyberWire to get the message out. Learn more.