Cyber Attacks, Threats, and Vulnerabilities
ISIL spreads its web in South-East Asia (The National) Brandishing AK-47s, the group of men march along the shoreline with religious music playing and a voice-over calling on followers to join their cause
ISIS Is Begging for Your Attention — by Killing People With Rocket Launchers (Daily Beast) The terror army is getting more and more desperate to steer the media narrative. So it's coming up with more and more baroque ways to murder on camera
Europol to Hunt Extremists Spreading ISIS Propaganda on Social Media (HackRead) Europol is going after people using social media platforms to spread ISIS propaganda
Does alleged NSA hack of Kaspersky signal new front in cyberwar? (Christian Science Monitor Passcode) Newly released documents reveal a systematic campaign to reverse-engineer anti-virus software produced by firms like Russia's Kaspersky Labs, allowing intelligence agencies to uncover vulnerabilities that could help subvert them
Security Vendors Push Back After NSA Documents Highlight Government Targeting Antivirus, Security Software (CRN) The gloves are coming off in the backlash against the NSA, with security vendors pushing back after a report Monday showed the agency targeted antivirus and security software vendors
Our revelations on the spying on the Élysée: what you need to know (Libération) In collaboration with WikiLeaks, "Libération" has published notes proving that the NSA spied on the three presidents between 2006 and 2012, as well as on other French figures
France Summons U.S. Ambassador Following Spying Allegations (Wall Street Journal) Move comes after publication of documents alleging NSA spied on Hollande and predecessors
US spying: Don't expect France to do anything (The Local (France)) While the French political world reacted with anger and shock — at least publicly — to the revelations that the US spied on the country's presidents, and demanded firm action, the reality is nothing will happen
Why China Wants Your Sensitive Data (Dark Reading) Since May 2014, the Chinese government has been amassing a 'Facebook for human intelligence.' Here's what it's doing with the info
Hundreds of .Gov Credentials Found In Public Hacker Dumps (Wired) It's no surprise that careless government employees use their .gov email addresses to sign up for all sorts of personal accounts. But when those insecure third party services are breached by hackers — and if those employees were foolish enough to reuse their .gov passwords, too — that carelessness can offer a dead-simple backdoor into federal agencies, with none of the usual "sophisticated Chinese attackers" required
New Report Identifies Government Credentials on the Open Web (Recorded Future) Recorded Future identified the possible exposures of login credentials for 47 United States government agencies across 89 unique domains
Exclusive: Signs of OPM Hack Turn up at Another Federal Agency (Nextgov) The National Archives and Records Administration recently detected unauthorized activity on three desktops indicative of the same hack that extracted sensitive details on millions of current and former federal employees, government officials said Monday. The revelation suggests the breadth of one of the most damaging cyber assaults known is wider than officials have disclosed
First on CNN: U.S. data hack may be 4 times larger than the government originally said (CNN) The personal data of an estimated 18 million current, former and prospective federal employees were affected by a cyber breach at the Office of Personnel Management — more than four times the 4.2 million the agency has publicly acknowledged. The number is expected to grow, according to U.S. officials briefed on the investigation
OPM Tries to Calm Hacking Fears (US News and World Report) Theft of personal employee data adds tension to diplomatic talks with suspect China
Cybersecurity Sprint: Federal CIO Orders 'Dramatic Increase' in Use of Two-Factor Authentication (Duo Security) In response to the OPM hack that leaked four million records of personal data (and potentially more information, including classified employee security clearance data), the U.S. Chief Information Officer (CIO) launched a 30-day Cybersecurity Sprint, another name for the baseline security requirements that every federal agency must take steps toward implementing in the next thirty days
OPM stands by security upgrade amid critiques (The Hill) Office of Personnel Management Director Katherine Archuleta pushed back against a recent government "flash audit" that admonished the agency's much-touted network modernization plan as poorly budgeted and managed
OPM head: 'I'm as angry as you' about poor fraud protection (The Hill) Office of Personnel Management (OPM) Director Katherine Archuleta told senators Tuesday "I'm as angry as you are" about reports that credit monitoring firm CSID has offered substandard service to the millions of victims of the recent federal data breach
Senators leave classified OPM brief wanting details (The Hill) Senators gleaned little from a classified briefing the Obama administration held Tuesday night on the recent Office of Personnel Management (OPM) data breach that has exposed millions of federal workers' information
Federal agencies are wide open to hackers, cyberspies (Phys.org) Passwords written down on desks. Outdated anti-virus software. "Perceived ineptitude" in information technology departments
Breached Network's Security Is Criticized (Wall Street Journal) System that failed to prevent millions of sensitive government files from being hacked is largely unable to stop the most sophisticated attacks
Why Can't We Play This Game? (Cipher Brief) Jimmie Breslin borrowed a line from manager Casey Stengel to title his chronicle of the worst team in baseball history, the 1962 Mets. Stengel plaintively asked, "Can't Anybody Here Play This Game?" Given recent events, Americans could be asking the same question about their government's cyber performance
OPM hack shines light on abysmal state of US federal systems' security (Help Net Security) With each passing day, newly revealed details about the US Office of Personnel Management (OPM) hack show an ugly picture of the security situation in the OPM, and other US government departments and agencies
Cyberattack on USIS may have hit even more government agencies (Washington Post) The massive cyberattack last year on the federal contractor that conducted background investigations for security clearances may have been even more widespread than previously known, affecting the police force that protects Congress and an intelligence agency that helped track down Osama bin Laden
Computer glitch at State Department causes havoc for foreign visitors (Washington Post) A computer glitch in the State Department system for conducting security checks on foreign visitors has virtually halted the issuing of visas at embassies worldwide this month, upending the travel plans of hundreds of thousands of people seeking to come to the United States for business and pleasure
Mystery surrounds "hack" that grounded 1400 air passengers — Updated (Lumension Blog) So, here is what we know
LOT airline hack signals the first in emerging cyberthreat trend (ZDNet) An aviation security researcher says the LOT cyberattack is likely to be a signal of a new trend rather than an isolated incident
Did The Aviation Industry Fail Cybersecurity 101? (Tripwire: the State of Security) Most of us in the cybersecurity industry are familiar with a recent "tweet heard around the world." Yes, I'm referring to the infamous tweet that caused Chris Roberts to be removed from a United Airlines flight. This incident has undoubtedly generated much criticism aimed at both Roberts and the airline industry
New Adobe Zero-Day Shares Same Root Cause as Older Flaws (TrendLabs Security Intelligence Blog) Earlier we talked about the out-of-band update for Flash Player that was released by Adobe (identified as APSB15-14) that was released to fix CVE-2015-3113. This update raised the Flash Player version to 18.0.0.194
US Healthcare Organizations Most Affected by Stegoloader Trojan (TrendLabs Security Intelligence Blog) Most victims of the Stegoloader Trojan, which has recently been making its rounds in the news, are observed to come from healthcare organizations in North America. The malware known as TROJ_GATAK has been active since 2012 and uses steganography techniques to hide components in .PNG files
Pita bread helps researchers steal encryption keys (Naked Security) We've written about unintentional information disclosure thanks both to stray sounds and to power usage
Anonymous Hacks Montreal Police Union, Transportation Systems Websites (HackRead) The online hacktivist Anonymous hacked and defaced the official website of Montreal Police Union (Fraternité des policiers et policières de Montréal) against the approval of anti-terror law C-51 that weakens Internet privacy
Phishers target middle management (CSO) Phishing scammers have infiltrated the enterprise and they're finding easy prey, but it's not in the C-suite as previously thought. Attackers are exploiting the multitasking, often overloaded middle management ranks, according to research by security and compliance firm Proofpoint
Criminals Continue to Defraud and Extort Funds from Victims Using Cryptowall Ransomware Schemes (Internet Crime Complaint Center (IC3)) Data from the FBI's Internet Crime Complaint Center (IC3) shows ransomware continues to spread and is infecting devices around the globe
Cyber-extortionists are liars (CSO) The good news about cyber criminals who go in for extortion is that they also tend to be liars
The Malware Economy (Heimdal Security) With more and more activity happening within the hacking industry and the malware market, you might wonder: How can it scale so much and where does it end?
Proofpoint Researchers Expose Underground Cybercrime Economy Triggering Surge in Malicious Macros (Nasdaq) Leader in advanced threat protection uncovers the cybercriminal ecosystem supporting the recent rise of malicious macros, providing new insight on economic and technical drivers
Security Patches, Mitigations, and Software Updates
Security updates available for Adobe Flash Player (Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a critical vulnerability (CVE-2015-3113) that could potentially allow an attacker to take control of the affected system
Emergency Patch for Adobe Flash Zero-Day (KrebsOnSecurity) Adobe Systems Inc. today released an emergency update to fix a dangerous security hole in its widely-installed Flash Player browser plugin. The company warned that the vulnerability is already being exploited in targeted attacks, and urged users to update the program as quickly as possible
eBay Fixes Security Gap in Magento eCommerce Platform (PYMNTS) It's not the first time eBay has had to patch security holes on its eCommerce platform, Magento, but the online marketplace company has once again cleaned up vulnerabilities that could have provided hackers the opportunity to steal data
It wasn't malware that disabled Windows Update on your PC, it was Samsung (Graham Cluley) When Microsoft MVP Patrick Barker tried to help a user with a computer problem, he stumbled across something curious
iOS 9, Android M Place New Focus On Security, Privacy (InformationWeek) Google and Apple have publicly challenged calls from law enforcement agencies to weaken encryption on consumer devices. In turn, iOS 9 and Android M will sport a string of new security and privacy features for users
iOS 9 will Delete Your Existing Apps to Make Room for Updates (HackRead) A MacRumors Forum user has stumbled upon the fact that when installing the iOS 9 (beta version), the operating system will delete your third-party apps as a way of making space for the update
Microsoft won't fix Internet Explorer zero-day (SC Magazine via IT News) HP researchers release exploit code after Microsoft declines to issue patch
Cyber Trends
Why the next World War will be a cyberwar first, and a shooting war second (ZDNet) Opinion: The US already has lost the first battles, and may not have the national will to defend itself in the inevitable global conflict to come. David Gewirtz looks at the geopolitical implications of cyberwarfare
How more joined-up security thinking could save billions in data breach costs (Sophos Blog) A new study from the Centre for Economics and Business Research (CEBR) has found that data breaches are costing UK businesses £34 billion a year. The report suggests this is made up of £18 billion in lost revenue and £16 billion in added security measures after breaches have occurred
Only Seven Percent of Malicious Mobile Applications Apparent to Users: ESET (Jakarta Post) Data from ESET on malicious mobile applications shows that only seven percent of reported incidents on mobile applications are caused by straightforward malware
Combating Maritime Cyber Security Threats (MarineLink) The U.S. Executive Branch has declared that the cyber threat is one of the most serious economic and national security challenges we face as a nation, and that America's economic prosperity in the 21st century will depend on effective cyber security. Before the maritime industry sounds the danger signal, it needs to monitor other industries and branches of the government and take proactive preventative measures. There is no better place to prepare future and current mariners for these challenges than in maritime simulators
Marketplace
Business needs hamper financial services cyber security, says Websense report (ComputerWeekly) The requirement for financial services businesses to maintain real-time connection to the global economy impairs security precautions, says Websense
Stop indulging in cyber security technology without a clear business case (ComputerWeekly) Financial institutes are boosting their expenditure on cyber security technology due to increasing levels of hacking activity, but this investment
Why Most Cybersecurity Activity Happens Outside the CISO's Office (Wall Street Journal) Most corporate cybersecurity efforts happen outside the official security department, says James Kaplan, a partner at McKinsey & Co. and co-author of "Beyond Cybersecurity: Protecting Your Digital Business." Critical cybersecurity work touches all areas of a company, including risk management and application development, Mr. Kaplan said. He stopped by The Wall Street Journal's office to discuss the current state of cybersecurity and how it can be more effective
Cybersecurity Stocks Head-to-Head: FireEye (FEYE) vs. CyberArk (CYBR) (Nasdaq) FireEye (FEYE) and CyberArk Software (CYBR) are two of the biggest names in a growing cybersecurity market. As reported recently by us here at Zacks, the cybersecurity industry is growing due to increasing public demand and widely publicized security breaches
Fundraising values Palantir at $20bn (Financial Times) Palantir, the big data start-up that began life catering for the intelligence services, is raising funds at a $20bn valuation, more than doubling its worth in a year and a half
Palantir goes from CIA-funded start-up to big business (Financial Times) In Lord of the Rings, a Palantir is a seeing stone, a device through which those who gaze can see hidden truths and track events from anywhere in the world
HackerOne Bags $25M As Security Info Sharing Mainstreams (TechCrunch) HackerOne, makers of a bug bounty platform where companies pay hackers to find vulnerabilities in their products, announced a $25 million Series B round today
DigiCert Buys CyberTrust Enterprise Business of Verizon (GovConWire) DigiCert has acquired Verizon Enterprise's (NYSE:VZ) CyberTrust Enterprise SSL business for an undisclosed amount
U.S. Air Force Awards SRA with the NETCENTS 2 NetOps and App Services Contract (PRNewswire) SRA International, Inc., a leading provider of IT solutions and professional services to government organizations, announced the United States Air Force (USAF) awarded SRA two contracts under the Network Centric Solutions 2 (NETCENTS 2) multiple award vehicle
Q&A: Symantec CEO on Planned Split, New Products, and Misconceptions (Wall Street Journal) The new Symantec isn't the old Symantec
Symantec to cut 24 more tech jobs in Springfield (Register-Guard) The elimination of 24 more positions at the company's Springfield site follows a reduction of 175 jobs
Why DC's Non-Profit Organizations Are Big Targets for Hackers (DCInno) Here's What One D.C. Startup Is Doing About it
Behavioral Analytics Security Innovator Interset Named as One of Canada's Most Promising Startups by C100 48 Hours in the Valley (Digital Journal) The C100, a San Francisco-based non-profit focused on connecting Canadian companies with the Silicon Valley, has selected Interset as one of Canada's most promising startups and a participant in the 48 Hours in the Valley event, to be held this week in San Francisco
NTT Com shuffles senior management pack as Church departs (MicroScope) NTT Com Security has been forced to make some senior personnel changes following the departure of its CEO and CFO
DDoS Security and Mitigation Expert Shawn Marck Joins Nexusguard as Executive Vice President, Product (MyHost News) Nexusguard, the Worldwide Leader in Distributed Denial of Service (DDoS) Security Solutions, today announced the appointment of DDoS industry pioneer Shawn Marck to the post of Executive Vice President, Product
Damballa Appoints Stephen Newman as CTO (BusinessWire) Damballa, a leader in advanced threat detection and containment, today announced the promotion of Stephen Newman to chief technology officer. Newman succeeds former CTO Brian Foster, who joins Damballa's Strategic Advisory Board. Newman was previously vice president of products for the company. With the appointment, the company also announced that Joseph Ward has been promoted to vice president of products
ProtectWise Appoints Former Commander Of Army Cyber Command To Advisory Board (Dark Reading) Lieutenant General Rhett A. Hernandez, U.S. Army (Retired) Named Company's First Strategic Advisor
Oracle Chief Marketing Officer Judith Sim Joins Fortinet Board of Directors (Channel EMEA) Fortinet (NASDAQ: FTNT), the global leader in high-performance cyber security solutions, today announced that Judith Sim, chief marketing officer (CMO) at Oracle Corporation, has joined Fortinet's Board of Directors, effective June 22, 2015
Products, Services, and Solutions
Facebook Helps Combat Apple XARA Vulnerabilities With Osquery (Threatpost) Apple may still be in the process of patching XARA, the series of weaknesses that surfaced in its authentication infrastructure last week, but Facebook has stepped up and made it easier for organizations to detect whether their system is being exploited by the vulnerabilities
IBM eases mobile data sharing for police, emergency response agencies through new cloud offerings (FierceMobileIT) IBM is expanding its cloud offerings to ease mobile data sharing and improve data analytics for police, public safety and emergency management agencies
Intel provides free Android app to remotely control PC with smartphone or tablet (FierceMobileIT) Android users can now use their mobile devices to control their PCs with a free application from Intel, reported PCWorld
Cisco selects Radware's DDoS mitigation technology (F.Business) Cisco has selected Radware, a provider of application delivery and application security solutions for virtual and cloud data centres, to provide its distributed denial of service (DDoS) mitigation technology for the new Cisco Firepower 9300 appliance designed for service providers
Facebook implements security tool (Kaspersky) to fight malicious software (Lauderdale Daily News) A Facebook security engineer, Trevor Pottinger told [us], "Thanks to the collaboration with these companies, in the past three months we have helped clean up more than two million people's computers that we detected were infected with malware when they connected to Facebook"
Keeping your Website Secure just got Easier with Acunetix 10 (Acunetix) Automated Scanning of login protected pages, extended support for Java Frameworks and Ruby on Rails, and the detection of vulnerabilities in WP core and WP plugins
How To Securely Share Your Private Docker Registry With External Clients and Partners (Conjur) Today Docker announced their new "Trusted Registry", which is a commercial version of the open-source Docker Registry image storage and distribution service. Teams can run a Trusted Registry to control how their images are physically stored and enhance their ability to fully own their image distribution pipeline
Barracuda announces next-gen firewall, web security integrations (eSchool News) New additions are intended to improve deployment choices for integrating content and network security functions
The Secret Of War Lies In The Communications — Napoleon (Dark Reading) DXL helps organizations keep an eye on external and internal threats using relevant information in real time
Haystax Technology Demonstrates Next-Generation Insider Threat Detection at GEOINT 2015 (GISuser) New enhancements for Carbon threat management system on display including new user interface and integration with case management workflows
Centrify Clears First FedRAMP Hurdle, On Track to Attain Full Compliance in 2015 (BusinessWire) Centrify accelerates its commitment to offering federally accredited solutions for government customers
SyncDog announces mobile device security solution for utilities sector. (PRWeb) Leading independent software vendor (ISV) for containerized application security for enterprise mobile computing begins push into Oil & Gas industry to help secure critical utilities assets
G Data Multi Device Security: Maximum flexibility for digital life (PresseBox) Comprehensive security solution for Windows, Mac and Android protects up to ten devices
Technologies, Techniques, and Standards
The Dark Web: An Untapped Source For Threat Intelligence (Dark Reading) Most organizations already have the tools for starting a low-cost, high-return Dark Web cyber intelligence program within their existing IT and cybersecurity teams. Here's how
Data security and HIPAA guidelines: A delicate balance (FierceHealthIT) Data security expert discusses two sides of the healthcare data security coin
TLS security: What really matters and how to get there (Help Net Security) Deploying TLS securely is getting more complicated, rather than less. One possibility is that, with so much attention on TLS and many potential issues to consider, we're losing sight of what's really important
7 Considerations to Reduce the Cyber Attack Surface (SecurityWeek) Most cyber attacks and breaches are not manifested as bad actors storming the data center or network perimeter. Threats typically move from the data center out, whether as malware or an insider undertaking some form of exfiltration. Indeed, today's network perimeter is increasingly not a single physical or virtual place, yet much of the industry debate is still focused on the perimeter
Lessons from the Sony Hack: The Importance of a Data Breach Response Plan (National Law Review) In a decision emphasizing the need for employers to focus on data security, on June 15, 2015, the U.S. District Court for the Central District of California refused to dismiss a lawsuit filed by nine former employees of Sony Pictures Entertainment who allege the company's negligence caused a massive data breach. Corona v. Sony Pictures Entm't, Inc., Case No. 2:14-cv-09600 (C.D. Ca. June 15, 2015)
The Benefits, Value of Crisis Simulations (Wall Street Journal) Industries and individual organizations are benefiting from the rigor and realism of crisis simulations
BBB encourages parents to check children's online security (Superior Telegram) June is Internet Safety Month, and the Better Business Bureau Serving Wisconsin advises parents to not only check their own online security habits, but also their children's
Design and Innovation
Barclays partners with bitcoin tech vendor Safello on proof of concept (FierceFinanceIT) Barclays has reportedly signed a proof of concept with European bitcoin retailer Safello aimed at working together to explore how blockchain technologies could be used in the financial sector. The partnership came after Safello completed participation in Barclays' 13-week accelerator program
NOT OK, Google! Privacy advocates take on the Chromium team and win... (Naked Security) An intriguing, interesting and ultimately influential privacy campaign has just this day reached a successful conclusion
Research and Development
Morgan State University Professor Kevin Kornegay is leading new Internet of Things Initiative (Black Engineer) Dr. Kornegay, professor, Electrical and Computer Engineering Department, Morgan State University's Mitchell School of Engineering. Internet-connected cameras that allow you to post photos to Facebook or Instagram with a single click; home systems that turn on your porch light when you leave work; and wearable technology that easily tracks daily fitness results are just a few of the millions of "things" connected to the Internet
Legislation, Policy, and Regulation
Why an Arms Control Pact Has Security Experts Up In Arms (Wired) Security Researchers say a proposed set of export rules meant to restrict the sale of surveillance software to repressive regimes are so broadly written that they could criminalize some research and restrict legitimate tools that professionals need to make software and computer systems more secure
U.S. airs deep concerns over cybersecurity in China meetings (Reuters) The United States on Tuesday said cyber theft sponsored by the Chinese government was a major problem and stressed the need to keep Asian sea lanes open at annual talks with China
Despite recent hacks, US hesitant to confront China about cyber spying (Tribune News Service via Stars and Stripes) For nearly a year, starting in June 2014, hackers thought to be Chinese accessed security clearance information on millions of current and past federal employees
Carly Fiorina: Cybersecurity 'Has To Be a Central Part of Any Homeland Security Strategy' (BloombergPolitics) The former Hewlett-Packard CEO and presidential candidate says the U.S. government needs to centralize all its cybersecurity operations
Feds propose rule regarding data collection under corporate wellness programs (FierceMobileIT) Data collected by wearables could be in the EEOC's crosshairs
New Pentagon manual declares journalists can be enemy combatants (Washington Times) The Pentagon's new thick book of instructions for waging war the legal way says that terrorists also can be journalists
FCC Reappoints IID's Rod Rasmussen to Its Communications Security, Reliability and Interoperability Council (Digital Journal) IID, the source for clear cyberthreat intelligence, today announced that the FCC (Federal Communications Commission) has reappointed IID President and CTO Rod Rasmussen to its Communications Security, Reliability and Interoperability Council (CSRIC)
Litigation, Investigation, and Law Enforcement
FBI Says Cryptowall Cost Victims $18 Million Since 2014 (Threatpost) In a little more than a year, consumers affected by the Cryptowall ransomware have reported to the FBI more than $18 million in losses related to infections from the malware
Uber wants even more customer data — EPIC asks FTC to slam on the brakes (Naked Security) A leading privacy group has asked the US Federal Trade Commission (FTC) to put the brakes on Uber's upcoming new privacy plan — a plan that sets the ride-hailing app maker up to collect even more customer data than it already does
Child Exploitation & Assassins For Hire On The Deep Web (Dark Reading) 'Census report' of the unindexed parts of the Internet unearths everything from Bitcoin-laundering services to assassins for hire
Most-Wanted Cybercriminal Extradited to U.S. From German Prison (BloombergPolitics) The U.S. will get a rare chance to prosecute one of the world's most-wanted cybercriminal suspects
Blackshades malware hacker gets 5 years in prison (New York Post) The mastermind behind the malicious software "Blackshades" that infected a half-million computers worldwide was sentenced to almost 5 years in prison Tuesday as the federal judge bashed him for "spreading misery to the lives of thousands"
West Point cadet guilty of child porn possession (Army Times) A West Point cadet was convicted Tuesday of amassing a collection of child pornography and sharing it over the Internet