The CyberWire Daily Briefing 07.02.15

Cyber Attacks, Threats, and Vulnerabilities

Team GhostShell hacktivists dump data from US universities and hundreds of sites (Computerworld) The hacker group GhostShell is back, claiming to have access to billions of accounts, trillions of records, hacking sites and dumping data to show that governments, educational institutions and other sites still have shoddy cybersecurity

Hacktivist group possibly compromised hundreds of websites (IDG via CSO) A hacker group known as Team GhostShell is publishing snippets of sensitive data allegedly stolen from the databases of hundreds of compromised websites

Anonymous cyber hackers hit UAE banking websites (Arabian Business) Several UAE banks were hit by a co-ordinated cyber attack, known in the trade as a distributed-denial-of-service (DDoS) attack, on Tuesday, crippling e-banking operations and websites, and leaving the unnamed institutions fearing further assaults, Arabian Business' sister website ITP.net has reported

Egypt Proudly Posts Photos of Mangled ISIS Corpses on Facebook (Daily Beast) The army's escalating military and media campaign to wipe out the terror group took a gruesome step Wednesday with two posts featuring dozens of contorted bodies clutching machine guns

Armenian Hackers Leak ID Cards, Passports of 5k Azerbaijani Citizens (HackRead) The cyber war between Armenians and Azerbaijani hackers is never ending. Just like today when Armenian hackers leaked trove of data containing personal information of Azerbaijani citizens

FBI Warns U.S. Companies to Be Ready for Chinese Hack Attacks (Daily Beast) In a message obtained by The Daily Beast, the bureau strongly implies Beijing was behind the massive hack that exposed U.S. government employees' secrets — and U.S. companies are next

The 9 Scariest Things that China Could Do with the OPM Security Clearance Data (War on the Rocks) The theft of the SF-86 security clearance records of millions of current, former, and prospective U.S. government employees and contractors from the Office of Personnel Management (OPM) probably has the Chinese government doing a happy dance. This data breach may affect up to 6 percent of the entire U.S. population. What use can the data be to China? Here are nine things that can now be done on an industrial scale

Three New Masque Attacks against iOS: Demolishing, Breaking and Hijacking (FireEye) In the recent release of iOS 8.4, Apple fixed several vulnerabilities including vulnerabilities that allow attackers to deploy two new kinds of Masque Attack (CVE-2015-3722/3725, and CVE-2015-3725). We call these exploits Manifest Masque and Extension Masque, which can be used to demolish apps, including system apps (e.g., Apple Watch, Health, Pay and so on), and to break the app data container

Über 50 Prozent der Android-Schaddateien zielen auf Finanzgeschäfte ab (FinanzNachrichten) G DATA Mobile Malware Report: Fast 5000 neue Mobile-Schädlinge täglich

Xiaomi security flaw July 2015: Could put millions of Mi4, MI smartphones at risk (MNR Daily) Since its inception in 2010, Xiaomi has grown to become the number one smartphone manufacturer in China and the number three worldwide. Xiaomi commanded a share of 13.7% in the Chinese market, beating Apple during the fourth quarter, and sold 61 million smartphones in 2014

Injection Attacks on 802.11n MAC Frame Aggregation (ACM (WiSec '15)) The ability to inject packets into a network is known to be an important tool for attackers: it allows them to exploit or probe for potential vulnerabilities residing on the connected hosts. In this paper, we present a novel practical methodology for injecting arbitrary frames into wireless networks, by using the Packet-In-Packet (PIP) technique to exploit the frame aggregation mechanism introduced in the 802.11n standard. We show how an attacker can apply this methodology over a WAN — without physical proximity to the wireless network and without requiring a wireless interface card

Another example of Angler exploit kit pushing CryptoWall 3.0 (Internet Storm Center) Angler exploit kit (EK) has been evolving quite a bit lately. Recently, this EK has been altering its URL patterns on a near-daily basis. The changes accumulate, and you might not recognize current traffic generated by Angler. After two weeks of vacation, I almost didn't recognize it. This diary provides two traffic examples of Angler EK as we enter July 2015

TorrentLocker Surges in the UK, More Social Engineering Lures Seen (TrendLabs Security Intelligence Blog) We've noticed a recent increase in TorrentLocker-related emails being sent to users in several countries, particularly the United Kingdom and Turkey. From the latter half of May until June 10, there was a relative lull in TorrentLocker-related emails. However, over a period of just over two weeks (June 10 to June 28), we saw a recurrence of this threat

Franchising Ransomware (Dark Reading) Ransomware-as-a-service is fueling cyberattacks. Is your organization prepared?

Cisco UCDM Platform Ships with Default, Static Password (Threatpost) A week after admitting that several of its security appliances ship with static SSH keys, Cisco warned customers on Wednesday that its Unified Communications Domain Manager platform has a default, static password for an account that carries root privileges

Researchers point out the holes in NoScript's default whitelist (Help Net Security) Security researchers Linus Särud and Matthew Bryant have recently discovered some pretty big holes in NoScript, a popular Firefox plugin that prevents executable web content such as JavaScript, Java, Flash, and other plugins to be loaded from sites users haven't designated as "trusted"

Wi-Fi password-sharing feature in Windows 10 raises security concerns (CSO) With the launch of Windows 10, anyone who walks into your house and gets your Wi-Fi password for their PC could potentially let all their friends onto your network, thanks to a new feature that has ignited controversy online

SAP: Juicy Target For Attackers, Opportunity For Security Research Community (HackerOne) Enterprise resource planning (ERP) suites by the likes of SAP and Oracle JD Edwards serve as the nerve center of the most business critical processes of the enterprise. They control financial planning. They support manufacturing and supply chain management. They facilitate marketing and sales activities. And they're also some of the most vulnerable systems in the enterprise. In spite of spending millions on security today, enterprises are seriously dropping the ball when it comes to their most sensitive business applications. Here's how badly: 95 percent of SAP installations contain vulnerabilities that could lead to the full compromise of an organization's business data and process

Why We Need In-depth SAP Security Training (Dark Reading) SAP and Oracle are releasing tons of patches every month, but are enterprises up to this complex task? I have my doubts

Harvard Reveals It Had An IT Breach In June Impacting 8 Colleges And Administrations (TechCrunch) A seventeenth-century university has become the victim of a twenty-first-century crime. Harvard University on Wednesday announced that on June 19, it discovered a breach in the IT systems of its Faculty of Arts and Sciences and Central Administration, currently impacting eight different schools and administrative organizations at the university

Banks: Card Breach at Trump Hotel Properties (KrebsOnSecurity) The Trump Hotel Collection, a string of luxury hotel properties tied to business magnate and now Republican presidential candidate Donald Trump, appears to be the latest victim of a credit card breach, according to data shared by several U.S.-based banks

Security Patches, Mitigations, and Software Updates

Cisco Unified Communications Domain Manager Default Static Privileged Account Credentials (Advisory ID: cisco-sa-20150701-cucdm) (Cisco Security Center) A vulnerability in the Cisco Unified Communications Domain Manager Platform Software could allow an unauthenticated, remote attacker to login with the privileges of the root user and take full control of the affected system

Microsoft goes public with more details on its Windows 10 rollout plan (ZDNet) Windows 10 Enterprise and Education will be available starting August 1. Starting July 29, those who want Windows 10 under the first-year-free deal will get the OS in waves

No support means just that for Windows Server 2003 users (MicroScope) The last few days of support for Windows Server 2003 are finally here but many users are still using the software and have yet to make moves away to an alternative

Cyber Trends

Confidence in antivirus falls to all-time low (Help Net Security) While concern for end-user risk persists, confidence is waning in traditional detection-based security solutions, such as antivirus and firewalls. Instead, interest is shifting toward prevention-based security solutions, such as endpoint threat isolation, according to a new Bromium report

Enterprise Threat Intelligence Programs are Immature (Network World) Seems like everyone is talking about threat intelligence these days. The feds are promoting public/private threat intelligence sharing across the executive and legislative branches while the industry is buzzing about threat intelligence feeds, sharing platforms, and advanced analytics

Four in five execs think conventional security is not enough for cloud environments (Cloud Tech) Earlier this week, this publication reported on a C-level study which showed a distinct lack of trust in cloud storage for fully securing corporate data. Now, a new survey from CloudPassage sheds light on the security executive perspective; 80% of security execs in North America don't believe conventional network security solutions are enough to protect their cloud computing environments

Providers grapple with cybersecurity (Healthcare IT News) Anti-virus, firewalls deployed as protection, but most recognize need for more advanced strategies

A Critical Threat (SC Magazine) Attacks on critical national infrastructure are a growing concern, not just the banking and civil infrastructure, but also control systems used in the physical delivery of services. This is set to become even more of a problem as SCADA systems become internet enabled, reports Kate O'Flaherty

Is the information security industry having a midlife crisis? (CSO) Focusing on awesomeness and a plan B can help get InfoSec out of its slump

Reverse retailing brings store traffic, online sales, cyber attacks (FierceRetail) As more merchants master the art of omnichannel retailing, they benefit from a new phenomenon called 'reverse retailing,' or intentional showrooming. However, this has led to an increase in online security problems

Middle-manager inaction the weak link in enterprise cyber-security (Engineering and Technology) Lethargic, narrow-minded middle-managers are among the biggest remaining obstacles to consolidating enterprise cyber-security, an industry expert has warned

Smart Cities' 4 Biggest Security Challenges (Dark Reading) The messiness of politics and the vulnerability of the Internet of Things in one big, unwieldy package

How a teenage hacker might start World War III (Christian Science Monitor Passcode) An excerpt from 'Ghost Fleet,' a new novel by Peter W. Singer and August Cole, that envisions what a future global cyberconflict might look like

Marketplace

Cyber security a business issue, CBI conference told (ComputerWeekly) Like any other serious threat to your company, cyber security should be firmly on the board's agenda, speakers told delegates at a CBI security conference

US Army Seeks Leap-Ahead Cyber Defense Tech (Defense News) The US Army is seeking to equip its cyber warriors with cutting-edge networking hardware, and it is going outside the traditional acquisitions system to do it

A New Battle Plan for Defeating Cyber Threats (CIO Review) The bad news is that cyber security threats are at an all-time high

Allegis Capital to Emphasize Cybersecurity With New Fund (Wall Street Journal Venture Capital Dispatch) Allegis Capital has closed on $100 million toward a new fund that will emphasize investments in cybersecurity startups

No More Snake Oil: Shifting the Information Security Mentality (CIO Review) When was the last time you made a major purchase without some type of guarantee?

No More Snake Oil: Why InfoSec Needs Security Guarantees (White Hat via SlideShare) Ever notice how everything in InfoSec is sold "as is"? No guarantees, no warrantees, no return policies. For some reason in InfoSec, providing customers with a form of financial coverage for their investment is seen as gimmicky, but the tides and times are changing. This talk discusses use cases on why guarantees are a must have and how guarantees benefit customers as well as InfoSec as a whole

Five Strategies for Better Cyber Protection and Defense (Menlo Ventures) Today, BitSight Technologies announces $23M in Series B funding to continue protecting businesses from cyber attacks with sophisticated cyber security ratings. At Menlo, we're proud to re-up our investment in BitSight. In fact, we're focusing $80M of our current $400M fund on cyber security investments, as attacks are an ever-increasing board-level threat to businesses today

Securing the Airways (CIO Review) Mobile communications are wide open to hacking. Encryption delivers a much needed solution

Why the enterprise mobility management market needs a rethink (EnterpriseAppsTech) A high-stakes battle has emerged in the rapidly-changing market for enterprise mobility management, also known as EMM

Startup BitSight Raises $23M to Advance Security-Ratings Platform Technology (The VAR Guy) Security startups have experienced a windfall of funding lately. We've told you about the cash CounterTack, Menlo Security and vArmour have all added to their wallets, and now another nascent security company BitSight Technologies — which develops a platform allowing companies to rate their own and other organizations' security — is joining the list

Thycotic Receives Significant Investment from Insight Venture Partners to Meet Growing Demand for Privileged Account Management Solutions (PRNewswire) Thycotic, a provider of smart and effective privileged account management solutions for global organizations, today announced a significant investment from New York-based private equity and venture capital firm Insight Venture Partners. The new capital will be used to fuel the company's continued global expansion and product innovation. Mike Triplett, managing director and Philip Vorobeychik, senior associate will join Thycotic's board of directors. Specific deal terms were not disclosed

Level 3 Communications (LVLT) Acquires Black Lotus (Street Insider) Global telecommunications provider Level 3 Communications, Inc. (NYSE: LVLT), announced it acquired privately held Black Lotus, a provider of global Distributed Denial of Service (DDoS) mitigation services

Two companies living the life of growth (IT Pro Portal) Digital Shadows and Growth Intelligence, both Level39 and High Growth Space members, started off in humble beginnings — small teams, small spaces but big ideas

Women in IT Security: Women of influence (SC Magazine) We enlisted a team of moderators to ask a number of prominent IT security professionals about the challenges they faced as a woman entering the field, the prejudices they deal with every day and the skills they use to navigate within their business

NIST Vet Jeremy Grant Joins Chertoff Group as Managing Director (GovConWire) Jeremy Grant, formerly senior executive adviser at the National Institution of Standards and Technology, has been appointed to a managing director role at The Chertoff Group

SECUDE Announces Joerg Dietmann as New CEO (Sys-Con Media) Former Business Executive From Ciber Joins SECUDE to Support the Company's Growing Business in the Field of SAP Security

Products, Services, and Solutions

Dashlane and Golden Frog Form Partnership to Increase Online Security for Customers (Sys-Con Media) Leading password management and personal VPN companies create special offers for their respective services

Fortscale Partners With Cloudera to Deliver Hadoop-Based User Behavior Analytics Solution (Dark Reading) Scalable solution enables enterprise customers to quickly discover and respond to insider threats

How to access Wi-Fi anonymously from miles away (ZDNet) A tiny device provides an extra layer of defense which can keep the online activities of journalists, activists and criminals hidden

Union Bank Fulfills Mobile Demands and BYOD Security Requirements with ZixOne (MarketWatch) Straightforward solution was up and running in hours

Technologies, Techniques, and Standards

Start with Security: A Guide for Business (Federal Trade Commission) When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant

Opinion: An Underwriters Laboratories for cybersecurity is long overdue (Christian Science Monitor Passcode) Noted security researcher Mudge left Google to launch what appears to be the cybersecurity equivalent of electronics testing outfit Underwriters Laboratories — an idea first proposed 16 years ago

How to Protect Your Company's Bottom Line Against Data Breach Losses Through Insurance (JDSupra) In the wake of what seems to be daily announcements of new data security breaches and increased regulatory oversight over company information security and privacy practices, companies are looking for ways to minimize risks associated with the seemingly inevitable data security breach

PCI Update Paves Way For Expanding Point-to-Point Encryption (Dark Reading) Move appears designed mainly for large organizations and big-box retailers looking to lock down payment card security

The Best Defence Against Targeted Threats (Information Security Buzz) Hackers' increasing sophistication means perimeter security is failing. Organisations must switch tactics and turn to tools which can stop intruders once they're inside the network, argues Tufin's Reuven Harrison

Securing Single Points of Compromise (SPoC) (SANS Institute) Securing the Single Points of Compromise that provide central services to the institution s environment is paramount to success when trying to protect the business. (Fisk, 2014) Time Based Security mandates protection (erecting and ensuring effective controls) that last longer than the time to detect and react to a compromise. When enterprise protections fail, providing additional layered controls for these central services provides more time to detect and react. While guidance is readily available for securing

Securing SAP Systems from XSS vulnerabilities Part 3: Defense for SAP NetWeaver J2EE (ERPScan) Cross-site scripting, or XSS, is one of the most popular vulnerability in all products and in SAP products with total number of 628 vulnerabilities (almost 22% of all vulnerabilities ever found in SAP during 12 years). In the previous posts, we described the general information on XSS and how to defense SAP NetWeaver ABAP from this vulnerability. Today we will give an overview of SAP NetWeaver J2EE defence

Want to know if your employees are security savvy? Run your own phishing campaign (Security Affairs) In a Q&A with ZDNet, the vice president of Cybersecurity Services at Fidelis explains why top-level management has to be the security-focused example for others to follow

Design and Innovation

The Quest to Rescue Security Research From the Ivory Tower (Wired) Stolen credit card numbers. Stolen passwords. The personal information of about 4 million federal workers hacked. We know all too well that computers are dreadfully insecure. And all too often, the people who could do the most to help make them more secure are stuck in academia with little connection to the real world

TV's newest hacker drama "Mr. Robot" is technically sound, morally ambiguous (Naked Security) "Mr. Robot," USA Network's new series about a cybersecurity engineer at the center of a plot by a group of hackers to take down an evil corporation, is good entertainment

Research and Development

Georgia Tech studies streamlined cybersecurity for Navy (C4ISR & Networks) The Georgia Institute of Technology has been awarded a $2 million Navy contract for cybersecurity research. The contract covers two projects

MIT to study persistent threats for Air Force (C4ISR & Networks) The Massachusetts Institute of Technology has been awarded a $7.1 million Air Force contract for transparent computing

DARPA picks two for WAN project (C4ISR & Networks) Two companies will aid the Defense Advanced Research Projects Agency improve wide-area networks, under contracts connected to DARPA's Edge-Directed Cyber Technologies for Reliable Mission program

What if You Trained Google's Chatbot on Mein Kampf? (Wired) Google recently built a chatbot that can learn how to talk to you. Artificial intelligence researchers Oriol Vinyals and Quoc Le trained the thinking machine on reams of old movie dialogue, and it learned to carry on a pretty impressive conversation about the meaning of life

Legislation, Policy, and Regulation

Kenya to require users of public Wi-Fi to register with government (Ars Technica) New Internet regs will require cafés, hotels to log device owner data

The Brazil-U.S. Cyber Relationship Is Back on Track (Council on Foreign Relations) Brazilian President Dilma Rousseff's was in Washington D.C. this week to meet with President Obama. The trip came two years after she had famously cancelled a state visit in 2013 in protest following allegations that the NSA had spied on Brazil and Rousseff personally. At the time, the Brazilian president was very public and vocal in her denunciations, calling the espionage "manifestly illegitimate" and expressing her outrage at the United Nations

David Cameron on a Mission to Destroy 'Strong Cryptography' (Hacked) British Prime Minister David Cameron believes that strong cryptography is a major barrier to peace, order, and justice

Pentagon Releases New National Military Strategy (Defense News) The Pentagon has released a new National Military Strategy, the first update to that document since 2011 — and one that warns non-traditional threats are on the rise

Defense cyber strategy: We can and will hit back (C4ISR & Networks) The Defense Department's new cyber strategy, just over two months old, is an outline of overarching goals fleshed out with narrower objectives and plans for implementation, hits on Pentagon cyber ambitions. Perhaps chief among them: The U.S. military has the means to retaliate in the digital realm and a willingness to do so

Bulk Phone Surveillance Lives Again, to Die in a More Orderly Fashion in Five Months (Intercept) A federal judge with the top-secret surveillance court on Monday breezily reinstated the NSA bulk domestic surveillance program that was temporarily halted a month ago, allowing the agency to go back to hoovering up telephone metadata for five months while it unwinds the program for good

An Unassuming Web Proposal Would Make Harassment Easier (Wired) The privacy of countless website owners is at risk, thanks to a proposal in front of the byzantine international organization at the heart of the Internet: ICANN. If adopted, the new proposal could limit access to proxy and privacy services, which protect domain registrants from having their home addresses exposed to everyone on the Internet

Litigation, Investigation, and Law Enforcement

Class-Action Suit Alleges OPM Officials Failed to Protect Employees' Data (Threatpost) A class-action lawsuit filed by a government employees' union against the Office of Personnel Management as a result of the massive data breach at OPM that affects more than 18 million people alleges that not only did the agency know about vulnerabilities in its network long before the attack, but that the agency's director and CIO both broke federal laws by ignoring directives to fix the weaknesses

GCHQ did spy on Amnesty International, secret tribunal admits (Ars Technica) Embarrassing admission highlights one of the many problems with secret tribunals

Intelligence agency to develop cybercrime map, pinpoint high-tech criminals (MISCO) British cybercrime fighters are to have a new tool to help thwart high-tech criminals, the BBC has reported

The FBI Most Wanted hackers. Law enforcement is willing to pay $4.2 million to get them (Security Affairs) FBI has published the lists of most wanted hackers, the rewards for their capture reach $4.2 million. They have stolen hundreds of millions of dollars

California fiber optic cable vandalism continues unabated (Ars Technica) New attack in underground vault brings to 11 the number of incidents in a year

California's physical internet cable hacking riddle sparks FBI probe (Register) Chopping up cables is one way of stopping mass surveillance

Corrupt Silk Road investigator pleads guilty, admits to $240K movie deal (Ars Technica) Carl Force was "Nob," "French Maid," and "Death from Above"

Baton Rouge man arrested in cyber attack on Georgia-Pacific computers (Advocate) A 43-year-old Baton Rouge man recently fired by Georgia-Pacific has been indicted and arrested for a cyberattack on the company's computer system, U.S. Attorney Walt Green said Wednesday

For a complete running list of events, please visit the Event Tracker.

Newly Noted Events

Career Discovery in Cyber Security: A Women's Symposium (New York, New York, USA, Jul 30, 2015) Our annual conference brings together some of the best minds in the industry, with the goal of guiding women with a talent and interest in cyber security into top-flight careers

Upcoming Events

National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting; Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting

National Cybersecurity Center of Excellence (NCCoE) Speaker Series: Janet Levesque, Chief Information Security Officer at RSA (Rockville, Maryland, USA, Jul 16, 2015) Traditional security models are failing. While the idea of a shift from prevention to detection has gained traction, most current approaches to detection rely heavily on the same techniques that have rendered preventative tools ineffective. The ultimate goal — disrupting and stopping attacks — has continued to elude security experts. The next stage in the industry's evolution is to move to a stance of "dynamic defense," which combines the ability to detect an attack and fully understand its scope and potential impact on the business, and then use the information to disrupt the attack before adversaries can accomplish their goals

TakeDownCon Rocket City (Huntsville, Alabama, USA, Jul 20 - 21, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their knowledge, giving delegates the opportunity to learn about the industry's most important issues. With two days and two dynamic tracks, delegates will spend Day 1 on the Attack, learning how even the most protected systems can be breached. Day 2 is dedicated to Defense, and delegates will learn if their defense mechanisms are on par to thwart nefarious and persistent attacks

CyberMontgomery 2015 (Rockville, Maryland, USA, Jul 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen other Federal agencies, plus regional State and local agencies, educational institutions (such as Montgomery College, the Universities at Shady Grove, a satellite campus of Johns Hopkins, and the Bethesda-based SANS Institute), plus scores of cyber companies, ranging from start-ups to multinational corporations such as Lockheed Martin, employing upwards of 37,000 people in cyber-related jobs. With cybersecurity constituting a major growth engine in the region for many years to come, and with leading Federal government, industry and academic assets already in place in the region, the annual CyberMontgomery conference serves to bring them together so that they can coalesce and elevate the cyber ecosystem to a level of national prominence. In that light, CyberMontgomery provides clear direction on finding business opportunities, contracting, forecasted demand areas, workforce development, recruiting & staffing, legal responsibilities for businesses, updates on technologies being developed in the County, and summary updates regarding our NCCoE neighbors, federal civilian agencies and commercial sector leaders