Cyber Attacks, Threats, and Vulnerabilities
Hackers target Polish airline LOT, ground 1,400 passengers (AFP via Business Insider) A cyber attack against Polish flagship carrier LOT grounded more than 1,400 passengers at Warsaw's Frederic Chopin Airport on Sunday, a spokesman said
Hackers Ground Polish LOT Airline Flights (CSO) The Polish national airline, LOT, announced on Sunday that they cancelled 10 flights as a result of the airline's ground computer systems at Warsaw's Okecie airport being subject to attack by hackers. The airline's ground computer systems are used to manage the flight plans for the airline. LOT stated that no ongoing flights or other airport computer systems were affected and that flights already in the air or scheduled to land at Warsaw were not at risk
UK at risk: Putin's Russia 'funding cyber terrorists targeting West under guise of ISIS' (Express) Islamic State hacking groups funded by Vladimir Putin's Russia pose a serious threat to some of the UK's largest organisations, a cyber security expert has warned
"EPIC" fail how OPM hackers tapped the mother lode of espionage data (Ars Technica) Two separate "penetrations" exposed 14 million people's personal info
China's hackers got what they came for (The Hill) The Chinese hackers who are believed to have cracked into the federal government's networks might not be back for a while
Michael Hayden Says U.S. Is Easy Prey for Hackers (Wall Street Journal) Former CIA and NSA chief says 'shame on us' for not protecting critical information better
U.S. Employee Data Breach Tied to Chinese Intelligence (Reuters via Newsweek) The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees has a different mission and organizational structure than the military hackers who have been accused of other U.S. data breaches, according to people familiar with the matter
FireEye Identifies Chinese Group Behind Federal Hack (Re/code) Computer security firm FireEye has identified a Chinese group that may have carried out a devastating hacking attack against the U.S. Office of Personnel Management last year, leading to the theft of information on millions of federal employees and retirees. The hack was first disclosed earlier this month
Hunt for Deep Panda intensifies in trenches of U.S.-China cyberwar (Reuters) Security researchers have many names for the hacking group that is one of the suspects for the cyberattack on the U.S. government's Office of Personnel Management: PinkPanther, KungFu Kittens, Group 72 and, most famously, Deep Panda
Attack Gave Chinese Hackers Privileged Access to U.S. Systems (New York Times) For more than five years, American intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics makers, their targets shifting to fit Beijing's latest economic priorities
The massive Chinese hack of US security clearance info keeps getting worse (Business Insider) Hackers who infiltrated the Office of Personnel Management (OPM) had access to the agency's security clearance computer system for over a year, giving them ample time to steal as much information as possible from OPM's database of military and intelligence officials
Reacting to Chinese hack, the government may not have followed its own cybersecurity rules (Washington Post) In responding to China's massive hack of federal personnel data, the government may have run afoul of computer security again
No excuse for security breach (Standard Examiner) Despite repeated and urgent warnings from the Inspector General (IG) dating back to 2007, the Office of Personnel Management (OPM) failed to remedy major system vulnerabilities to protect federal employees against cyber attacks. The agency's decision not to encrypt personally identifiable information exposed the data of at least 4.2 million people — with some reports estimating as many as 14 million people compromised. In Utah, the breach could affect as many as 35,000 people, many of whom hold security clearances and handle classified information
Saudi foreign ministry: cyber attack won't affect "state transparent policies" (Kuwait News Agency) Saudi Foreign Ministry said the cyber attack it has recently witnessed, which reportedly caused leakage of documents, would not affect State transparent policies
Wikileaks Reveals Saudi Intrigue and Unpaid Limo Bills (AP) At the Saudi Embassy in Tehran, diplomats talked about airing the grievances of disenchanted local youth using Facebook and Twitter. At the embassy in Khartoum, they reported anxiously on Iran's military aid to Sudan
Cables Released by WikiLeaks Reveal Saudis' Checkbook Diplomacy (New York Times) It seems that everyone wants something from Saudi Arabia
Overlayfs flaw in Ubuntu (Internet Storm Center) There was a vulnerability released earlier this week that has quite the potential to be a biggie. It is worth noting mainly because Ubuntu is quite prevalent and the propensity to patch systems is quite low, or at least slow. Ubuntu is also used as part of the underlying infrastructure for many a VPS provider
Your Phone Ain't as Safe as You Think (Wired) Another week chock-full of hacks and vulns, and if you thought your password manager and cell phone were safe, you'll want to pay close attention to the LastPass breach
CyberUnited LIFARS Raises Additional Concerns About LastPass Breach (Marketwired via Digital Journal) Enterprises are also vulnerable following this week's breach of LastPass, according to CyberUnited LIFARS, a joint venture between two of the nation's top cyber consulting firms. They are recommending that organizations, not just consumers, take action to prevent their own breaches based on the LastPass break in
Infamous hacker Kevin Mitnick sniffs fiber, reads email (ZDNet) Kevin Mitnick demonstrates how easy it is for a hacker to tap into your network and read your email messages, even if it's a fiber optic network
DLP policy violations highlight cloud storage security concerns (TechTarget) A new report from Netskope finds copious DLP violations in enterprises' cloud apps due to insufficient cloud storage security
Students concerned after apparent cyber attack on college (UpNorthLive) A North Central Michigan College Student was attempting to check her grades online last Saturday but says she couldn't because the school's student portal had been hacked, by a "cyber army"
Katie Hopkins has her Twitter account hacked, bogus 'sex tape' tweets issued (Naked Security) Outspoken TV personality Katie Hopkins is no stranger to controversy but on Sunday the tables were turned when the former Celebrity Big Brother contestant's Twitter account was hacked
Bulletin (SB15-173) Vulnerability Summary for the Week of June 15, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week
Security Patches, Mitigations, and Software Updates
Samsung announces fix for major Galaxy keyboard security flaw (Tripwire: the State of Security) There is good news today for many of the 600 million Samsung Galaxy users who have been put at risk by a security flaw in the pre-installed SwiftKey keyboard
Samsung Galaxy phones may have a massive security flaw — here's how to protect your phone (Telegraph) Security company NowSecure has discovered a potential breach related to the Swift keyboard installed on Samsung's Android devices
Phishing gone: eBay patches to block session-jacking Magento holes (Register) Vulnerability Lab researcher Hadji Samir says eBay has squashed three vulnerabilities in its Magento shopping platform that could permit session hijacking and man-in-the-middle attacks
Google Chrome "bad link" detection bypass — found, fixed (Naked Security) We get some interesting correspondence here at Naked Security. Sometimes we write about the spam we receive, whether in email or as comments
Cyber Trends
The Real Dawn of the Age of Cyber Warfare (Diplomatic Courier) World War IV, Cyber War, digital Pearl Harbor or cyber 9/11 — people talk about catastrophic scenarios in cyberspace, whereas academics and other experts point out that there is a danger in the overuse of the cyberwar rhetoric. But is the overuse premise still valid? What if recent events in cyberspace make it no longer correct? Should states brace themselves for the age of cyber warfare?
What does it mean to 'win' a cyberwar? (Christian Science Monitor Passcode) What we learned from an Atlantic Council event discussing the dynamics of global cyberconflict
The Right to Strike Back (Dark Matters) Last week, at the HiP Conference in Paris, there was a debate on whether or not it should be allowed to strike back when you are being hacked. Currently, criminal law in most countries does not allow it. But is this tenable in today's highly digitized society rife with cybercrime?
'Threat intelligence' is the latest buzz word in cyber security (Newsweek) Are you "threat intelligent"? Is your government "threat intelligent"? If you are an American, especially an American civil servant, you might conclude from the recent "massive" cyber attack on the federal agency responsible for collecting data on employees and issuing security clearance that your government is not threat intelligent at all
Report: Vulnerability Risk Correlates to Exposure on Social Media (Tripwire: the State of Security) The type of coverage a vulnerability receives on social media often correlates to that threat's level of risk, reveals a recent report
Security Slice: Fighting Security Stereotypes (Tripwire: the State of Security) The Telegraph recently published an article profiling six hacker "tribes": secret agents, voyeurs, hacktivists, white hats, glory hunters, and cyber thieves. The article made some broad assumptions about cybercriminals that were not well-received by industry experts
Why We Decided Not to Say the Astros Were 'Hacked' (Motherboard Vice) On Tuesday, the St. Louis Cardinals were accused by federal investigators of accessing proprietary information on a database owned by the Houston Astros. The Cards allegedly got into the Astros' data because a former employee didn't change his password. Immediately, the Motherboard team began debating: Was this a hack?
Misplaced confidence in the corporate perimeters (CSO) Remember the infamous Maginot Line of the 1930s? Nazi Germany just went around it
Fighting Insider Attacks Is Tough: Survey (eSecurity Planet) Only 21 percent of respondents continuously monitor user behavior to thwart insider attacks, finds a Crowd Research Partners survey
Sites that don't offer HTTPS encryption are running out of excuses (ZDNet) The barriers that once stood in the way of a fully secure web don't exist anymore
Websites Need to Guard Against More Vulnerabilities Than Just DDoS (eWeek) Distributed denial-of-service attacks continue to hammer Websites, but software vulnerabilities and poor passwords continue to be the biggest worries
Why are there still so many website vulnerabilities? (CSO) The cracks in the armor of most enterprise websites are many, including recurring holes in OpenSSL, PHP, and WordPress, and are largely due to a combination of extensive customizations paired with a shortage of testing and fixing of vulnerabilities when compared with that of long-standing commercial OS software
Container Deployment Grows, Security Concerns Linger: Survey (SecurityWeek) While container adoption is likely to surge over the next few years, concerns around security, certification and adequate skills remain, according to a recent survey commissioned by Red Hat
"Cheap and simple" causing problems for SMB security (Networks Asia) SMBs and their staff are still falling prey to social engineering attacks
'Boring' companies just as much fun for hackers (FierceCIO) Smaller organizations may often feel they can "hide in plain sight" when it comes to cyberdefense. After all, they're probably too 'boring' and 'insignificant' to be on any hacker's hit list
Valuing cybersecurity outcomes instead of oversight (FCW) Every day, new technologies and applications offer opportunities to change how we work, live and play. This frenetic pace is rivaled only by the ever increasing number and sophistication of the cybersecurity threats we face
Consumers Trust Energy Providers to Safeguard Personal Data (Infosecurity Magazine) In today's digital world of connected devices, energy consumers are nearly twice as likely to trust their energy providers to safeguard their personal data as to advise them on energy consumption, according to new research by Accenture
Cyber war: Is the Middle East prepared? (Gulf Business) From the dark net to increased vulnerability through smart city adoption, is the Middle East ready to fight the next phase of cyber crime?
Marketplace
Digital security is a boardroom problem (Technology Spectator) Digital attacks can threaten an organisation's global reputation and at its very worst, its ability to operate, making online security a key business governance issue. Business leaders who relegate security to the IT department risk significant business damage: the results of a successful attack can include financial loss, loss of Intellectual Property (IP), Privacy Act non-compliance and sabotage
CIOs And Security: Time To Rethink The Processes? (InformationWeek) Businesses need to develop new security responses to address gigantic attacks, and the CIO is in the best position to lead the way
Relying on your insurer for security? Think again! (Help Net Security) Data breaches are a regular occurrence, one need simply look at the papers to read about the myriad of breaches that have occurred over the last year. From the Sony attack in late 2014, to the more recent breach on Government employees in the US, it is clear that security breaches will continue to happen; and the threat landscape, as opposed to "going away", will continue to evolve at a pace as fast as those working to prevent it
Cyber Insurance — Pathway to the Silver Clouds of Cyber Risk Transference (Information Security Buzz) Earlier this year Lloyd's of London reported a remarkable figure that the cyber insurance market grew by 50% in Q1. Despite this growth, the Corporate Executive Programme (CEP), found that 40% of major US companies have cyber insurance cover compared to 13% of UK businesses
Are shipowners ready to prevent cyber attacks? (Marine Electronics & Communications) Shipowners should be prepared to battle cyber threats to their assets, and the industry should be doing more to prevent successful hacking. Cyber security is becoming an increasingly important issue for the maritime industry as ships are open to a growing number of threats. As more onboard systems are run by computers, hackers may gain access to key equipment, including navigation, steering, engineroom and cargo handling systems
Lieberman: Mandiant and Verizon wrong on unstoppable threats (CSO) Mandiant, Verizon and other cyber-forensics firms profit from so-called unstoppable threats
3 Defense & Cybersecurity Stocks That Could Get Some Federal Love (Investor Place) SAIC, MANT and BAH should benefit from increased government cybersecurity spending
Meet the Israeli companies leading the fight against cyber attacks (Haaretz) Israeli firms are among the leaders in the cyber-attack sector: What do they make, and are they making crime pay?
Raytheon Sells Cyber At Air Show; Websense Acquisition Spurs Push (Breaking Defense) Of course, there's no law against selling anything at an air show, but defense companies traditionally do sell planes, sensors, avionics, support equipment, et al
HYPR Corp. appoints Dimitri Sirota as board advisor (Biometric Update) HYPR Corp. announced it has named Dimitri Sirota as a board advisor
Products, Services, and Solutions
Waratek Can Automatically Fix Security Flaws In Java Apps (Forbes) Waratek, which came to light in Accenture's London FinTech Innovation Lab with its software to run multiple Java apps on a single server, has found its technology also provides protection against even previously unknown threats, so-called zero day attacks
Swimlane's Security Operations Automation Platform Receives Gold Global Excellence Award (IT Business Net) Arizona start-up recognized by Info Security Products Guide for new products and services
NSA Contributes Security Tools For Puppet (Enterprise Tech) IT automation specialist Puppet Labs has announced a new partner: The U.S. National Security Agency
Trend Micro and Booz Allen Take the Offensive on Cybersecurity (Trend Micro: Simply Security) Organizations today hold a massive amount of highly sensitive information that is being targeted for cybercrime, corporate espionage and beyond. In this era of highly sophisticated attacks by well-funded and aggressive adversaries, it's incumbent upon organizations to have proper procedures and mechanisms in place to keep data secure. The stakes are high with legal and civil liabilities, as well as corporate reputations on the line
Technologies, Techniques, and Standards
Irony: NIST releases InfoSec guidelines for government contractors (CSO) Publication aimed at offering recommendations for protecting sensitive data
Opinion: Paper, the least terrible password management tool (Christian Science Monitor Passcode) With password management app LastPass possibly compromised, a stowed away pad of paper seems more secure than storing sensitive credentials in the cloud
Breach Defense Playbook, Part 5: Reviewing Your Cybersecurity Program (Part 2) (Dark Reading) Cybersecurity requires a combination of people, process, and technology in a coordinated implementation leveraging a defense-in-depth methodology
7 things to do when your business is hacked (CSO) Hint: Success of the incident response team will depend heavily on the preparation done before the breach
15 signs you've been hacked (GFI Blog) Hardware, software, wetware, bloatware, crapware… and the newest piece of shiny is on sale now! Far too often users think slow or unreliable performance is just part of the fun of using computers, and when the Internet is slow, it's because someone in another office is probably watching Netflix
Linux Enumeration And Privilege Escalation — LinEnum (CyberPunk) LinEnum will automate many Local Linux Enumeration & Privilege Escalation checks documented in this cheat sheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more
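As an added example (not LinEnum's own script, which the item above describes), a handful of the same kinds of local-enumeration checks written as POSIX sh functions: kernel and distribution details, setuid/setgid binaries, world-writable files, rhosts-style trust files and non-interactive sudo rules. The directory and home-directory arguments, and the assumed filename linenum_mini.sh used for the run-everything guard, are this example's own conventions so the checks can be pointed at a test tree instead of the live system.

```shell
#!/bin/sh
# Added example: a handful of local-enumeration checks of the kind LinEnum
# automates (this is not LinEnum's code). Each check is a function that
# prints findings one per line, so output can be diffed against a baseline.
# Directory/home arguments are assumed so the checks can be pointed at a
# test tree instead of the live system.

# Kernel and distribution details, the first thing to match against
# known local privilege-escalation bugs.
enum_kernel() {
    uname -a
    if [ -r /etc/os-release ]; then cat /etc/os-release; fi
    return 0
}

# setuid or setgid regular files below a directory (default: /).
# -xdev keeps find on one filesystem so /proc and network mounts are skipped.
find_suid_sgid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable regular files: candidates for planting content that a
# privileged process or cron job will later execute or source.
find_world_writable() {
    find "${1:-/}" -xdev -type f -perm -0002 2>/dev/null | sort
}

# rhosts-style trust files; any hit is worth a look. Takes the home
# directory to inspect (default: $HOME).
find_rhosts() {
    home="${1:-$HOME}"
    for f in /etc/hosts.equiv "$home/.rhosts" "$home/.shosts"; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
    return 0
}

# sudo rules for the current user; -n refuses to prompt, so this is safe
# to run unattended and simply reports when a password would be needed.
enum_sudo() {
    if ! command -v sudo >/dev/null 2>&1; then
        echo "sudo not installed"
        return 0
    fi
    sudo -n -l 2>/dev/null || echo "sudo -l needs a password or no rules apply"
    return 0
}

# Run everything only when executed as linenum_mini.sh (assumed filename),
# not when the functions are sourced for use against a test tree.
if [ "${0##*/}" = "linenum_mini.sh" ]; then
    enum_kernel
    echo "== setuid/setgid files =="; find_suid_sgid /
    echo "== world-writable files =="; find_world_writable /
    echo "== rhosts files =="; find_rhosts
    echo "== sudo rules =="; enum_sudo
fi
```

The full-filesystem walk is the slow part; when triaging a box, diff the setuid/setgid list against a clean install of the same distribution release rather than reading it raw, since most hits will be stock binaries and the interesting ones are the few that are not.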
How to evaluate the efficiency of a Data Loss Prevention solution (Help Net Security) How do you measure the Return of Investment on Data Loss Prevention (DLP) technologies? How do you know that your DLP solution is efficient?
Design and Innovation
Cyber attack: arming the UK against the hackers (Telegraph) As national infrastructure networks become more integrated, Andrew Cooke reveals how Atkins engineers are preparing to prevent cyber attacks
Academia
Cyber Boot Camp: a head start for tomorrow's cyber workforce (We Live Security) What is Cyber Boot Camp? Every June, a select group of students from high schools and middle schools in San Diego County, California, get five days of intense education in the art of defending computer systems, organized by the unique community-wide security awareness non-profit, Securing Our eCity, and sponsored by a variety of organizations, including security solutions-provider, ESET. This year more than 50 students will experience a week of hands-on instruction, plus lectures from leading cyber security experts from San Diego companies as well as local and national law enforcement. The 2015 Cyber Boot Camp starts Monday, June 22
Legislation, Policy, and Regulation
Australia seeks rules for 'peacetime norms' in cyberspace (ZDNet) What cyber activities are legitimate to conduct in peacetime? What cyber activities should count as an act of war? Australia's defence minister wants some rules on cybering
Australia passes controversial anti-piracy web censorship law (Ars Technica) Based on a bogus justification, and easily circumvented using VPNs
Teaching Encryption Soon to Be Illegal in Australia (Bitcoinist) Under the Defence Trade Control Act (DTCA), Australians could face up to ten years in prison for teaching encryption. Criminal charges will go into effect next year. The new legislation will make it illegal for Australians to teach or provide information on encryption without having a permit
Jailing of security czar Zhou turning point in Chinese politics (Gulf News) Zhou Yongkang was no ordinary Chinese politician, but the third ranking member since 2007 of the Politburo Standing Committee (PBSC). The Standing Committee members are the real rulers of China. His responsibility — the control and supervision of the vast internal security apparatus, including the criminal justice system — gave him immense power and prestige
Upcoming U.S.-China talks may be strained by recent cyber attack (PBS) Tensions between the U.S. and China are growing over its island-building in the South China Sea and over suspicions that Beijing was behind a massive hack into a federal government server that resulted in the theft of personnel and security clearance records of 14 million employees and contractors
US to abandon Chinese-owned Waldorf at UN General Assembly (Fox News) The State Department will abandon decades of tradition this fall at the annual U.N. General Assembly by setting up shop in a hotel other than New York's iconic Waldorf-Astoria, which was purchased last year by a Chinese company
Guest commentary: Cyber security lessons from President Gerald Ford, yes, Gerald Ford (Contra Costa Times) The executive branch has feared a data breach like the recent hacking of the Office of Personnel Management for more than 40 years. Looking back to the administration of President Gerald Ford, it is instructive to compare federal policy now and then
Web warfare 'No. 1 threat' (Boston Herald) Experts say U.S. must act decisively
House Intel panel, White House spar over new cyber agency (FCW) The White House and the House Intelligence Committee are sparring over the resources and responsibilities allotted to a cyber intelligence agency the White House announced in February
New Teams to Battle Cyber Vulnerabilities in Nation's 'Most Important Mission' (SIGNAL) In what has become one of the White House's highest priorities, the federal government is forming digital services teams to address the mounting number of cybersecurity breaches threatening the nation's security and coffers, according to government's top chief information officer (CIO)
Cybersecurity legislation requires consolidation (Crain's Detroit Business) In January's State of the Union address, President Barack Obama called for cyber information sharing legislation
Multi-Layer or Multi-Factor? Assessing IRS Fraud Fixes (Duo Security) With its online filing system badly abused by online scammers, the IRS is beefing up online checks to protect the integrity of online tax filing. Will multi-factor authentication be part of the mix?
Expanding the Economic and Innovation Opportunities of Spectrum Through Incentive Auctions, GN Docket No. 12-268 (National Association of Manufacturers) On behalf of the National Association of Manufacturers (NAM), the largest industrial trade association in the United States representing more than 14,000 small, medium and large manufacturers in all 50 states, thank you for your efforts to address spectrum issues that impact the manufacturing community as you move forward with finalizing the upcoming incentive auction rules
FCC: Subsidize Rural Broadband, Block Robocalls (InformationWeek) The FCC voted 3-2 to extend and reform a program that would help low-income Americans gain access to the Web through subsidies. The commission is also allowing customers to block spam and robocalls
FCC allows for automated calls and text messages for data breach notifications (FCW) Although the Telephone Consumer Protection Act (TCPA) requires consumers to provide consent before receiving non-emergency robocalls on their wireless phones, the Federal Communications Commission (FCC) has clarified the act's ramifications to allow for automated data breach notifications
DOD looks to better data for better security (FCW) Pentagon officials are trying to do a better job of reaping the low-hanging fruit of cyberattack data to make their networks more secure, according to Richard Hale, the Defense Department's deputy chief information officer for cybersecurity
Poll Says Americans Hate New Government Agency That Monitors Their Spending (Liberty News Now) Hidden away in President Barack Obama's first term legislative achievements — somewhere between ObamaCare and his $700 billion drunken sailor stimulus spending law — was the creation of a new federal agency with the nice sounding name "Consumer Financial Protection Bureau" (CFPB)
'We need accountability': Security firm warns that we need mandatory data breach disclosure laws (The Age) Cyber security firm FireEye says the Abbott government needs to introduce mandatory data breach disclosure laws sooner rather than later after more than 30,000 iiNet customers had their passwords hacked
Couch commandos: Defence force flags lower fitness standards for cyber soldiers (Canberra Times) The Australian military and Defence Department says it will have to accept out-of-shape couch commandos into the ranks as it tries to recruit a new generation of cyber soldiers
Litigation, Investigation, and Law Enforcement
GCHQ's surveillance of two human rights groups ruled illegal by tribunal (Guardian) Agency violated its own procedures by retaining emails, investigatory powers tribunal rules in case brought forward following Edward Snowden revelations
Surveillance court judge: No need for opposing view in 'simple' cases (Washington Post) The nation's surveillance court this month faced for the first time the issue of whether the newly minted USA Freedom Act requires that a technical expert be appointed in a case involving a novel or significant issue, and the court ruled that it doesn't
Spy court clears path to renewing NSA powers (The Hill) The secretive federal court that oversees the nation's spies is laying the groundwork for temporarily reauthorizing the National Security Agency's (NSA) sweeping collection of U.S. phone records
OPM hack raises questions about security of government contractors (USA Today) The massive hack of the Office of Personnel Management has raised questions about whether government contractors may have inadvertently made the agency more vulnerable to attack
The OPM Hack and the New DOD Law of War Manual (Just Security) Last Friday was a big day in cybersecurity news. OPM announced that, in addition to the compromise of the personnel information of federal employees revealed on June 4, Chinese hackers also breached a database containing millions of security clearance forms. Meanwhile, on the other side of the Potomac, the Department of Defense released its new Law of War Manual — the first since 1956 — including a new chapter on "Cyber Operations." Considering the OPM hack in light of the Law of War Manual shows why, as a legal matter, the U.S. government is in a tough spot in responding to the hack
Opinion: #CyberDeflategate and the beginning of sports hacking (Christian Science Monitor Passcode) It was only a matter of time before American sports added hacking to its tricks for gaining the upper hand. But unlike other cheating scandals that have led to suspensions and fines, computer crimes can lead to prison time
Millions of fake online reviews are gumming up the joy of buying stuff (Naked Security) The UK Competition and Markets Authority (CMA) announced on Friday that it's opened an investigation into the problem of what it says are millions of fake online reviews, be they "This changed my LIFE!" bogosity or disgruntled employees who post fake negative reviews — just two of the many flavors of fake reviews out there
Teens Charged with Cyber Attack on Baby Formula Website (AP via KTUL) Authorities say three Rio Rancho, New Mexico, teenage boys orchestrated a cyber attack on the Enfamil baby formula website, attracting the attention of the FBI and Secret Service
Sussex businesses hit by cybercrime (Chichester Observer) Almost half of all small and micro businesses in the South East report having experienced cybercrime, according to new research from the Association of Accounting Technicians