The CyberWire Daily Briefing 07.01.15

Cyber Trends

Destructive Cyber Attacks Increase in Frequency, Sophistication (SIGNAL) A more diverse group of players is generating a growing threat toward all elements of the critical infrastructure through cyberspace. New capabilities have stocked the arsenals of cybermarauders, who now are displaying a greater variety of motives and desired effects as they target governments, power plants, financial services and other vulnerable sites

Understanding Digital and Cyber Topography Is Critical to Successful Military Operations (SIGNAL) Nontechnical personnel must be able to conceptualize the digital demons the Signal Corps faces

Which industries best safeguard your personal information? Security perceptions vs. reality (Computerworld) When it comes to your personal information, which industries do you trust most, or least, with your data? How do some of the recent, highly publicized breaches such as those at Target, Home Depot and the Office of Personnel Management affect your opinion in terms of which industries are most vulnerable, and how does this compare to reality?

US still lags on chip and pin for card security (SC Magazine) More than a decade after Europe and much of the rest of the world moved to Chip and Pin credit card authentication, Jerome Powell, speaking at a US Federal Reserve Bank of Kansas City conference, called EMV card deployment a step forward but questioned the security of cards that still use signatures, not PINs, for authentication

Why vulnerability disclosure shouldn't be a marketing tool (Help Net Security) There have been many arguments within the security community on how researchers should disclose the existence of a security vulnerability. Some argue that full disclosure is the best approach as it makes defenders aware of the security issue and they can take steps to reduce their exposure to it. Full disclosure advocates also say that this approach embarrasses large corporates and motivates them into taking action to address the security vulnerability

Report: Every company is compromised, but most infections not yet at critical stage (CSO) In a recent analysis of a quarter-million endpoint devices in 40 enterprises, every single corporate network showed evidence of a targeted intrusion but most of the activity was not yet at the most-dangerous data exfiltration stage

IT Pros Believe Cyberattacks Are Under-reported (Infosecurity Magazine) Despite devastating cyber-attacks being reported daily in today's media, most IT professionals believe that the true state of affairs is being significantly underreported

Majority of healthcare organizations have recently seen 'significant' data security incident (MedCityNews) Think healthcare data security is a bigger problem now than it was a year ago? Insiders would agree

5 Ways Lax Security Makes Small Businesses Cyber-Morsels for Computer Criminals (Entrepreneur) Most small businesses don't have the budget, expertise, staff or time to manage security programs on their own. It's a longstanding problem, as pointed out in a survey of small businesses conducted by the Ponemon Institute, which found that 55 percent of respondents experienced a data breach in 2013 and 53 percent of those experienced more than one breach in the same year

Bromium Survey Finds Increased Concern About Legacy Solutions and Users Among InfoSec Pros (Virtual Strategy Magazine) Bromium®, Inc., the pioneer of threat isolation to prevent data breaches, today announced the results of a new survey, "Enterprise Security Confidence Report." For the survey, more than 125 information security professionals were asked about the greatest risks facing organizations today and the effectiveness of different solutions and architectures. The results show that while concern for end-user risk persists, confidence is waning in traditional detection-based security solutions, such as antivirus and firewalls. Instead, interest is shifting toward prevention-based security solutions, such as endpoint threat isolation

New Pulse Secure CEO on what mobile security lacks (TechTarget) IT has many mobile security options, but the new CEO of Pulse Secure thinks we've barely scratched the surface to keep corporate data secure

What We Call Security Isn't Really Security (Dark Matters) You put in your login and your password. Then you do it again but a different way. Maybe this time it sends you an unencrypted SMS. Or maybe you need to look up some numbers on a card you have

Security concerns continue to dog the cloud industry (Help Net Security) Executives at major North American companies believe conventional network security solutions aren't enough to protect their cloud computing environments, especially when it comes to visibility into impending cyber attacks

European businesses use an average 897 cloud services (CloudPro) Firms download a new cloud service every day, but security is still a major concern

Companies 'can't determine risk of 58% of cloud data' (CloudPro) And only 25 per cent of companies have a process for dealing with cloud data

When It Comes to Cybersecurity, Millennials Throw Caution to the Wind (US News and World Report) Studies show young adults' risky online behaviors leave them more prone to cyber threats

Legislation, Policy and Regulation

China adopts new security law to make networks, systems 'controllable' (Reuters) China's legislature adopted a sweeping national security law on Wednesday that covers everything from territorial sovereignty to measures to tighten cyber security, a move likely to rile foreign businesses

After employee hack, the White House has failed to report on its own cyber defenses, senators say (Washington Post) With the Chinese hack of employee records underscoring weaknesses in federal computer security, two senior GOP senators say the White House has failed to tell Congress what it's doing to protect its own networks from intruders

It's Time to Shutter The President's Intelligence Advisory Board (Overt Action) The latest on the Office of Personnel Management's data breach is staggering, with some 18 million federal employees affected by the attack. Director of National Intelligence James Clapper minced no words: he called China as the "leading suspect" in the massive digital assault on U.S. government computers. But absent from the public discussion is what exactly the President thinks on this issue — and what the assessment was of his dedicated intelligence advisory board

Securing Critical Infrastructure (Dark Reading) Protecting the Industrial Internet of Things from cyberthreats is a national priority

Building a Capability Development Work Force For the Cyber Age (SIGNAL) Greater agility, flexibility and imagination will help field capabilities to meet the "speed of need"

US, Brazil to restart long dormant Internet working group (The Hill) The U.S. and Brazil have pledged to restart a long-dormant Internet policy working group in the fall

Products, Services, and Solutions

OnePlus unveils fingerprint sensor for its latest smartphone that's 'faster than Touch ID' (FierceMobileIT) Mobile security is an ongoing IT concern when it comes to BYOD, while convenience is a priority for users

Leidos Named Managed Security Services Provider for RSA Security (IT Business Net) Leidos (NYSE: LDOS), a national security, health and engineering solutions company, and RSA, The Security Division of EMC (NYSE: EMC), have joined forces to deliver security solutions through managed security service offerings for their joint customers

'Personal' Dark Web service removes corporate cyberthreat blindness (ZDNet) The new service dives into the murky Dark Web to track your stolen data, hacktivism, insider threats and hackers willing to break into your network

Palo Alto Networks Joins the Retail Cyber Intelligence Sharing Center in Newly Launched Associate Member Program (PR Newswire) Expands actionable threat intelligence sharing and research aimed at preventing data breaches for retailers

Distil Networks will soon shield property search apps from data theft (Inman) Website security company Distil Networks has kept "bad bots" from stealing multiple listing service data from property search websites

This Online Anonymity Box Puts You a Mile Away from Your IP Address (Wired) In the game of anonymity-versus-surveillance online, the discovery of the user's IP address usually means game over. But if Ben Caudill has his way, a network snoop who successfully hunts a user through layers of proxy connections to a final IP address would be met with a dead end — while the anonymous user remains safe at home more than a mile away

PayPal backpedals on awful robocalling policy (Naked Security) PayPal on Monday backpedaled on what looked like a horrifying new User Agreement that was worded to let it freely robocall and autotext users

Technologies, Techniques, and Standards

NIST revises security publication on random number generation (Help Net Security) In response to public concerns about cryptographic security, the National Institute of Standards and Technology (NIST) has formally revised its recommended methods for generating random numbers, a crucial element in protecting private messages and other types of electronic data. The action implements changes to the methods that were proposed by NIST last year in a draft document issued for public comment

Cyber UL Could Become Reality Under Leadership of Hacker Mudge (Threatpost) One of the longstanding problems in security — and the software industry in general — is the lack of any universally acknowledged authority on quality and reliability. But the industry moved one step closer to making such a clearinghouse a reality this week when Peiter Zatko, a longtime researcher and hacker better known as Mudge in security circles, announced he's leaving Google to start an initiative designed to be a cyber version of Underwriters' Laboratory

No more customisation? Cloud Security Alliance calls for Open APIs (Register) Vendors press-ganged into working group service

Enhancing Resilience Through Cyber Incident Data Sharing and Analysis: The Value Proposition for a Cyber Incident Data Repository (Department of Homeland Security) This paper outlines the potential benefits of a trusted cyber incident data repository that enterprise risk owners and insurers could use to anonymously share, store, aggregate, and analyze sensitive cyber incident data. Optimally, such a repository could enable a novel information sharing capability among the Federal government, enterprise risk owners, and insurers that increases shared awareness about current and historical cyber risk conditions and helps identify longer-term cyber risk trends

Mirosław Maj, Vice Chair of the CYBERSEC Organizing Committee: Effective incident management response is key (Heimdal Security) Like all things, cyber security too is dependent on the cultural and social environment

Getting To Yes: Negotiating Technology Innovation & Security Risk (Dark Reading) As enterprises look for ways to leverage the cloud, mobility, Big Data, and social media for competitive advantage, CISOs can no longer give blanket refusals to IT experimentation

The Future of Mobile Forensics (Belkasoft Reasearch via Forensic Focus) Most would agree that the golden age of mobile forensics is over. There is no longer an easy way to get through the passcode in new iOS devices running the latest version of iOS. Chip-off acquisition is dead for iOS devices due to full-disk encryption, while physical acquisition of Apple hardware is dead since the introduction of 64-bit devices and versions of iOS 8 that cannot be jailbroken. Blackberries were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly. In this whitepaper, we will look into the current state of mobile forensics for the different platforms and devices, analyze current trends and attempt to predict how mobile forensics will look in the years ahead

Key to HIPAA compliance is understanding your data center and cloud risks (TechRepublic) Hosting protected healthcare data in the cloud, says Connectria's David Pollard, means you have to find a solid partner and know your on-premise and cloud risks

Considerations in Drafting Limitations of Liability for Data Breaches (JDSupra) Until very recently, it was considered matter of course in a services agreement for any data disclosure or loss, regardless of cause, to be excluded from any and all limitations of the vendor's liability. However, as data breaches continue to change the risk landscape of the business world, third-party vendors increasingly insist on limiting their liability for damages related to data breaches. In light of this, many transactions now include a "super cap" — a separate, higher limitation of liability specifically setting forth the circumstances, types of damages, and amount of damages for which a vendor may be liable in the event of a data breach

Marketplace

4 Signs Your Board Thinks Security Readiness Is Better Than It Is (Dark Reading) Ponemon Institute survey shows a gap in perception between boards of directors and IT executives when it comes to IT risk posture

Worldwide IT spending to decline 5.5 percent in 2015 (Help Net Security) Worldwide IT spending is on pace to total $3.5 trillion in 2015, a 5.5 percent decline from 2014, according to the latest forecast by Gartner, Inc. Analysts attribute the decline to the rising U.S. dollar. In constant-currency terms, the market is projected to grow 2.5 percent

Cisco buys cloud security firm OpenDNS for $635 million (F.Business) Cisco Systems Inc said on Tuesday it would buy OpenDNS, a privately held cloud-based security firm, for $635 million, the latest move to boost its security business as cyber attacks increase in number and sophistication

Synopsys Buys Elliptic to Expand Security Product Portfolio (Zacks Equity Research) Synopsys Inc. (SNPS - Analyst Report) recently announced the buyout of Elliptic Technologies, in keeping with its strategy of growing through acquisitions. Elliptic is a leading provider of security IP cores and software solutions that address a wide range of security requirements for applications including mobile, automotive, digital home, Internet of Things and cloud computing. However, the financial terms of the deal have not been disclosed

Intel Corporation Venture Arm Helps Raise $39 Million For Web Security Firm Venafi (Bidness Etc) Intel Capital and other venture capital firms are headed Venafi's latest funding round to expand security tools and enter the burgeoning Internet of Things market

Distil Networks' $21M Round Signals a 'Meteoric Rise' in Cybersecurity (DCInno) Arlington, Va.-based cybersecurity firm Distil Networks has raised a $21 million Series B led by a new investor, Bessemer Venture Partners. The funding round represents yet another milestone for Distil Networks, which has experienced "a meteoric rise" in growth since being founded in 2011, Distil Networks CEO and co-founder Rami Essaid told DC Inno. Distil has raised $38 million to date from investors including local firm Militello Capital

This big-data analytics startup just launched in Baltimore, and they're hiring (Technical.ly Baltimore) Former LookingGlass CEO Derek Gabbard is at the helm of FourV. Here's why he kept his new company in Baltimore

AXON Ghost Sentinel to invest $1.5 million to expand cybersecurity operation in Harrisonburg (Axon Ghost Sentinel) Governor Terry McAuliffe announced today that AXON Ghost Sentinel, Inc. (AGS), a portfolio company of AXON Connected, LLC that provides swarm-based cybersecurity products, will invest $1.5 million to expand its operation in the City of Harrisonburg. Virginia successfully competed against Michigan and New Jersey for the project, which will create 29 new jobs paying well above the average prevailing wage in the region

Will Red Hat Enter the Security Market? (eSecurity Planet) Red Hat CEO Jim Whitehurst discusses the role that security plays at the Linux vendor and whether it's a business he plans on entering with a new product

DataPath Named in 20 Most Promising Cyber Security Solutions of 2015 by CIO Review Magazine (PRNewswire) DataPath, Inc. a leading provider of remote field communications and information technology solutions to the aerospace, government, broadcast, and infrastructure markets announced today that the company's Cyber Security Solutions were recognized by CIO Review as one of the 20 Most Promising Cyber Security Solutions of 2015

Bishop Fox Named "Top Company To Work" Second Year In A Row (Virtual Strategy Magazine) For the second consecutive year, Bishop Fox has been named a top company to work for in Arizona by CareerBuilder and the Arizona Republic

GlobalFoundries gets go-ahead for IBM acquisition (WCAX) Big Blue's big deal is almost a done deal. IBM is paying GlobalFoundries $1.5 billion to take its chipmaking division off its hands. GlobalFoundries is financially backed by the government of Abu Dhabi and needed government clearance

Ahead of Split, HP Executives Veghte and Gilliland Depart Company (Re/code) Hewlett-Packard, the soon-to-split computing giant, today announced an executive shake-up under which Bill Veghte, a former Microsoft exec who briefly served as both COO and chief strategy officer, will be leaving the company

ThreatStream Appoints Nancy Bush as Chief Financial Officer (Marketwired) ThreatStream, the leading provider of an enterprise-class threat intelligence platform, today announced that Nancy Bush has joined the company as chief financial officer (CFO)

Hexis Cyber Solutions' Strategic Executive Changes Prepare Company for Increased Market Opportunity and Corporate Growth (The Wall Street Transcript) Hexis Cyber Solutions, Inc. (Hexis), a wholly-owned subsidiary of The KEYW Holding Corporation (NASDAQ:KEYW), and a provider of advanced cybersecurity solutions for commercial companies and government agencies, today welcomes Jan Manning as the company's Vice President of IT Operations. The company is also pleased to appoint Chris Carlson as its new Vice President of Product Management, HawkEye G. These organizational changes, coupled with strong industry demand for innovative cybersecurity solutions, help to position Hexis for growth and demonstrate the company's commitment to innovation and customer success in combating sophisticated threats

Research and Development

Arbor Networks Secures Three New Patents for DDoS Detection & Mitigation (Press Release Point) Arbor Networks, Inc., a leading provider of DDoS and advanced threat protection solutions for enterprise and service provider networks, today announced three additional patents for different aspects of DDoS attack detection and mitigation. Arbor has now secured 25 patents focused on DDoS defense

Security Patches, Mitigations, and Software Updates

Apple Releases Security Updates for QuickTime, Safari, Mac EFI, OS X Yosemite, and iOS (US-CERT) Apple has released security updates for QuickTime, Safari, Mac Extensible Firmware Interface (EFI), OS X Yosemite, and iOS. Exploitation of some of these vulnerabilities may allow an attacker to obtain elevated privileges or crash applications

Apple lets rip with update spate: OS X, iOS, Safari, iTunes, QuickTime (Naked Security) Apple just opened the stopcocks and released a Hoover Dam's worth of security-related updates

Amazon releases open source cryptographic module (CSO) Potentially saving the world from another online security disaster like last year's Heartbleed, Amazon Web Services has released as open source a cryptographic module for securing sensitive data passing over the Internet

Cyber Attacks, Threats, and Vulnerabilities

CSIS website falls victim to yet another cyberattack (CBC News) 'Aerith' claims responsibility to protest Bill C-51 and swatting trial in Ottawa

Researchers expose Dino, espionage malware with a French connection (Ars Technica) Software tied to "Animal Farm" group, state-sponsored hackers who hit Syria

Pro-Palestinian Group AnonGhost Hacks United Nations Jordan Website (HackRead) The famous hacktivist group AnonGhost hacked and defaced the official website of United Nations designated for the Kingdom of Jordan, leaving a message in support of free Palestine

Iran and Saudi Arabia Heading Toward A Cyber War? (International Business Times) Iran and Saudi Arabia, regional rivals in the Middle East, may be engaged in cyber warfare, according to a new report by threat intelligence firm Recorded Future. As the two powers vie for influence over the civil wars in Yemen and Syria and regional dominance, Tehran and Riyadh have begun using cyber attacks to release critical intelligence

FBI alert discloses malware tied to the OPM and Anthem attacks (CSO) Memo reveals 312 different hashes for the Sakula malware

Spies Warned Feds About OPM Mega-Hack Danger (Daily Beast) U.S. intelligence agencies initially refused to share data with OPM, the now-infamously insecure arm of the government. Then the spies apparently handed over their files anyway

OPM Identity-Protection Phishing Campaigns (US-CERT) US-CERT is aware of phishing campaigns masquerading as emails from the Office of Personnel Management (OPM) or the identity protection firm CSID. For those affected by the recent data breach, the legitimate domain used for accessing identity protection services is

Hundreds of Dark Web sites cloned and "booby trapped" (Naked Security) Traps The founder of one of the Dark Web's fledgling search engines is warning Tor users about the presence of hundreds of fake and booby trapped .onion websites

Tor network exit nodes found to be sniffing passing traffic (SC Magazine) If you are routing your traffic through the Tor network, don't make the assumption that it is always providing end-to-end security

New ways to attack iPhones exposed — make sure you update to iOS 8.4 (Graham Cluley) This week Apple has released the latest version of iOS for iPhone and iPad users — iOS 8.4 — introducing Apple Music

Multiple holes in Amazon Fire phone, says MWR Labs (SC Magazine) If you aren't rocking OS 4.6.1 on your Amazon Fire phone, then you could be hacked to bits, says MWR Labs' Bernard Wagner

Trusting, lazy humans a common theme in recent security vulnerabilities (CSO) The persistence of a new iOS vulnerability, affecting the estimated one-third of iOS devices that haven't been updated in the past five months, is the latest in a string of vulnerabilities whose discovery by various vendors highlights the ongoing role of careless and unquestioning humans opening the door to potentially damaging vulnerabilities

Reversing Prince Harming's kiss of death (Reverse Engineering Mac OS X) The suspend/resume vulnerability disclosed a few weeks ago (named Prince Harming by Katie Moussouris) turned out to be a zero day. While (I believe) its real world impact is small, it is nonetheless a critical vulnerability and (another) spectacular failure from Apple. It must be noticed that firmware issues are not Apple exclusive. For example, Gigabyte ships their UEFI with the flash always unlocked and other vendors also suffer from all kinds of firmware vulnerabilities

DDoS Attackers Exploiting '80s-Era Routing Protocol (Dark Reading) Latest wave of DDoS attacks abuses small office-home routers via the 27-year-old, outdated Routing Information Protocol Version 1 (RIPv1)

Lordfenix: 20-year-old Brazilian Makes Profit Off Banking Malware (TrendLabs Security Intelligence Blog) A 20-year-old college student whose underground username is Lordfenix has become one of Brazil's top banking malware creators. Lordfenix developed his underground reputation by creating more than a hundred online banking Trojans, each valued at over US$300. Lordfenix is the latest in a string of young and notorious solo cybercriminals we're seeing today

Fake Twitter verification profiles trick victims into sharing personal, payment card info (Help Net Security) A little over 18,000 Twitter users looking for a way to get their accounts verified have been duped by a single fake account promising to provide the service into visiting a phishing page

Outage in Sacramento, Rocklin result of 'coordinated attack' (KCRA) Internet, TV outage may affect other carriers

Android Malware On The Rise (Dark Reading) By the end of 2015, researchers expect the number of new Android malware strains to hit 2 million

Academia

TaaSera Launches TaaSera Labs in Partnership with Penn State Erie, The Behrend College (PR Newswire) In tandem with university researchers, TaaSera Labs conducting pivotal studies on countering advanced cyber threats and securing sensitive IT systems

Litigation, Investigation, and Enforcement

America's cyber sentinel asleep on guard duty (CNN) During the past few weeks, much of the nation was mesmerized by the daring escape of two convicted murderers from a maximum-security prison in upstate New York. The saga ended with one of the fugitives dead from gunshot wounds while the other convict is in custody recovering from wounds of his own. Two prison employees have been charged with aiding and abetting in the escape

NSA can resume bulk collection of Americans' phone records, says court (ZDNet) The secretive Washington, DC-based court determined that the Freedom Act, passed earlier this month, would allow the data collection to begin once more

Black Monday: SCOTUS refuses to hear Google vs Oracle case (ITWorld) While Google has to prepare a fair use defense, the rest of the software industry is in serious trouble

Setback For European Facebook Privacy Class Action, As Austrian Court Rules Lawsuit Inadmissible (TechCrunch) An ongoing Facebook class action suit in Europe over alleged privacy violations took a significant step back today. A regional court in Austria, where the suit was originally filed, ruled the it inadmissible, with the court saying it has "no jurisdiction" over the matter

FBI investigating 11 attacks on San Francisco-area Internet lines (USA Today) The FBI is investigating at least 11 physical attacks on high-capacity Internet cables in California's San Francisco Bay Area dating back a year, including one early Tuesday morning

Europol and Barclays shack up for steamy security shenanigans (Register) Classic tale of crime-agency-meets-bank-to-tackle-cybercrime

New code of conduct on data protection for cloud service providers being scrutinised by EU privacy watchdogs (Out-Law) EU privacy watchdogs are assessing a proposed new code of conduct on data protection for cloud service providers that the European Commission hopes will help to boost the uptake of cloud services by EU businesses

District Attorney’s Office to hold press conference on child cyber crimes sting (Courier of Montgomery County) The Montgomery County Internet Crime Against Children Task Force (ICAC) is completing an extended period of sting operations where more than 25 individuals were arrested for alleged felony offenses of soliciting minors online, child pornography possession and other related charges, officials said

Design and Innovation

Cybersecurity's future will require humans and machines to work symbiotically (VentureBeat) In yesterday's world of enterprise security, there were a few well-known points of weakness for the bad guys to target in their attacks, which made defending against threats, well, much simpler. But today's mobile and cloud-enabled world offers thousands, if not millions, of touch points for attacks

Cybersecurity is the killer app for big data analytics (CSO) Big data analytics tools will be the first line of defense to provide holistic and integrated security threat prediction, detection, and deterrence and prevention programs

Why security must be top focus of mHealth wearable data exchange strategy (FierceMobileHealthcare) The explosive growth of mHealth wearables, illustrated by Fitbit's recent IPO and the debut of Apple's Watch earlier this year, isn't happening without serious worries about user security. To that end, providers and payers must put security front-and-center before allowing data exchange from patient and consumer devices, according to a security expert

Medium's not terribly sensible password-less way to log in (Graham Cluley) Blogging platform Medium thinks it has come up with a really clever idea