The CyberWire Daily Briefing 07.07.15
Observers continue to pick through the files pulled from recently doxed Hacking Team, reading customer lists (which appear to confirm longstanding views of the company's business), pricing, emails, etc. The same hacker ("PhineasFisher") who claimed responsibility for last year's breach at Gamma International tells Motherboard he (or she) is also behind this one.
Among the lessons and observations being drawn from the leaks are two obvious ones that bear repeating: (1) use strong passwords (not, e.g., "P4ssword"), and (2) offensive cyber tools are effectively indistinguishable from defensive ones (if for no other reason than the role they play in testing and vulnerability research). Control of such tools is a tough problem, as may be seen in the case of a University of Northumbria student dissertation, apparently redacted (says Threatpost) in the name of Wassenaar compliance.
Russian cyber operations appear to continue in the hybrid war against Ukraine.
MalwareMustDie reports finding a KINS malware builder being distributed in the underground, and predicts a surge in KINS Trojan infestations.
Team GhostShell's self-described community-spirited (but obviously unwelcome) hacks of universities reach several institutions in Hong Kong.
US state and Federal authorities investigate hacks of New Jersey online casinos.
Several sources warn enterprises to expect a major patch of OpenSSL this Thursday.
Mozilla patches Firefox.
Not-for-profits are warned of the risks their collection of personally identifiable information poses. Some such collection is probably inevitable, but it exposes them, their donors, and their clients to cyber risk.
FBI Director Comey calls for debate over strong encryption.
Notes.
Today's issue includes events affecting Azerbaijan, Bahrain, China, Ethiopia, Israel, Italy, Kazakhstan, Romania, Russia, Saudi Arabia, Sudan, Ukraine, United Arab Emirates, United States, and Uzbekistan.
Cyber Attacks, Threats, and Vulnerabilities
Surveillance software maker Hacking Team gets taste of its own medicine (Reuters) Italy's Hacking Team, which makes surveillance software used by governments to tap into phones and computers, found itself the victim of hacking on a grand scale on Monday
Massive leak reveals Hacking Team's most private moments in messy detail (Ars Technica) Imagine "explaining the evilest technology on earth," company CEO joked last month
Hacker Claims Responsibility for the Hit on Hacking Team (Motherboard) An online anti-surveillance crusader is back with a bang
Hacking Team hacked: firm sold spying tools to repressive regimes, documents claim (Guardian) Cybersecurity firm has 400GB of what purport to be its own documents published via its Twitter feed after hack
Leaked Documents Suggest Hacking Team Sold Tech To Sanctioned Russian Conglomerate (BuzzFeed) According to hacked data, the Italian company may be in violation of European Union sanctions
Leaked Emails: How Hacking Team And US Government Want To Break Web Encryption Together (Forbes) Get ready America: one of the most notorious surveillance providers on the planet, Hacking Team, is expanding in earnest on US shores. And, if it hasn't collapsed as a result of a hugely embarrassing attack on its servers, the likes of the FBI, Drug Enforcement Agency and a slew of other US government departments will welcome the controversial company with open arms as they seek to break common encryption across mobiles and desktops
The FBI Spent $775K on Hacking Team's Spy Tools Since 2011 (Wired) The FBI is one of the clients who bought hacking software from the private Italian spying agency Hacking Team, which was itself the victim of a recent hack. It's long been suspected that the FBI used Hacking Team's tools, but with the publication yesterday of internal documents, invoices, emails and even product source code from the company, we now have the first concrete evidence that this is true
Someone Just Leaked The Price List for Cyberwar (DefenseOne) A controversial cyber arms dealer gets hacked, revealing sales to the US military and less savory customers around the world
Hacking Team's Dingy Laundry Hung Out Online (E-Commerce Times) Fireworks of a different kind rocked the security world this Fourth of July weekend, when news surfaced that hackers breached Hacking Team, an Italy-based firm that develops malware for sale to governments and law enforcement. The attackers exposed 400 GB of data stolen from its servers, including sales records, according to reports
U.S. Hired Dictators' Favorite Hackers (Daily Beast) New documents reveal that a firm that helps authoritarian governments like Russia, and Saudi Arabia is also connected to the U.S. military's burgeoning cyber warfare apparatus
Unpatched Flash Player Flaws, More POCs Found in Hacking Team Leak (TrendLabs Security Intelligence Blog) Earlier this week the Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public. The company was known for selling what it described as tools used to lawfully intercept communications that could be used by governments and law enforcement agencies. The company has stated they do not do business with oppressive countries in the past
Lesson #1 from the Hacking Team hack: Choose strong passwords (Graham Cluley) Italy's controversial Hacking Team, which supplies spyware and surveillance technology to countries and law enforcement agencies around the world, hasn't been having the best of times
Hacking Team Couldn't Hack Your iPhone (Threatpost) More than 36 hours after the huge cache of data from Hacking Team's corporate network was dumped online, researchers are continuing to find surprising bits and pieces in the documents. Among them is evidence that the company had an enterprise developer certificate from Apple, allowing it to develop internal apps, but could not get its malware onto iOS devices
Hacking Team's Equipment Got Stolen in Panama (Motherboard) A surveillance system sold by the infamous surveillance software developer Hacking Team went "missing" after presidential elections in Panama at the end of 2014
Six Degrees Of 3rd Party Risk From Russian Cyber Ops (HS Today) Six degrees of separation is a theory that everyone in the world is six, or fewer steps, from any other person in the world. This theory was popularized through Kevin Bacon, who has been in so many movies, that it's believed he can be linked to any actor in a maximum of six links
KINS Malware Builder Leaked on numerous crime forums (SecurityAffairs) Researchers at MalwareMustDie group have discovered a KINS Malware builder leaked online, it is easy to predict a rapid diffusion of the banking trojan
Old MS Office feature can be exploited to deliver, execute malware (Help Net Security) A Microsoft Office functionality that has been in use since the early 1990s can be exploited to deliver malicious, executable files to users without triggering widely used security software, claims security researcher Kevin Beaumont
New "Porn Droid" ransomware hits Android (Cybersecurity Place) Researchers at ZScaler have discovered a new variation of the "Porn Droid" ransomware that affects Android devices. Once the device is infected, the malware sends the user a message, apparently from the FBI, accusing the user of watching child pornography. It then demands a $500 ransom to restore the device to normal. Infection: After masquerading as a Google patch update, the malware asks for a number of powerful permissions, including "Erase all data" and "set storage encryption"
Fraudulent Batterybot Pro App Yanked from Google Play (Threatpost) A malicious Android app spoofing the popular BatteryBot Pro app has been pulled from Google Play
Notes from SophosLabs: Poisoning Google search results and getting away with it (Naked Security) SophosLabs researchers recently uncovered a hack being used by unscrupulous web marketers to trick Google's page ranking system into giving them top billing, despite Google's ongoing efforts to thwart this sort of search poisoning
Top Hong Kong universities caught up in major hack attack on more than 100 global institutions (South China Morning Post) A number of major educational institutions in Hong Kong were allegedly affected by a major hack attack encompassing more than 100 universities and government agencies worldwide
Cyber-attack hits N.J. gambling sites (NJ.com) State and federal authorities are investigating a cyber-attack on four Atlantic City online casino gaming sites, which were apparently targeted by a hacker who promised more disruption unless a ransom was paid in Bitcoin, officials said today
The Rise Of Social Media Botnets (Dark Reading) In the social Internet, building a legion of interconnected bots — all accessible from a single computer — is quicker and easier than ever before
Malware as a service — cyber crime's new industry (IT Pro Portal) Organised criminal gangs (OCGs) are increasingly using software services of the type more usually associated with legitimate corporations to grow their operations. By offering 'malware as a service', OCGs are employing business models similar to those developed by legitimate companies in order to extend their global reach
Security Patches, Mitigations, and Software Updates
Awoogah: Get ready to patch 'severe' bug in OpenSSL this Thursday (Register) Heads up for July 9 security vulnerability fix
Get ready. Mystery high severity bug in OpenSSL to be patched on Thursday (Graham Cluley) A new version of OpenSSL, the open-source software widely used to encrypt internet communications using SSL/TLS, is due to be released this Thursday 9th July, patching a single "high severity" vulnerability
Firefox 39 bites four critical bugs (Register) Set phasers to Frag, says Mozilla, in gaming roadmap for future browsers
Security Updates for Node.js and io.js (US-CERT) Networking applications using Node.js or io.js contain a vulnerability in the V8 JavaScript engine. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition
Bitcoin glitch expected to abate as software upgrades continue (IDG via Network World) Bitcoin experienced a glitch over the weekend that is expected to be resolved as software clients that handle transaction data are upgraded
Cyber Trends
Cyber War Is Hell (eSecurity Planet) Think cyber war is bad now? It is only going to get worse — much worse — says security expert Bruce Schneier
IoT Flaw Discoveries Not Impactful — Yet (Dark Reading) As flaws announced at Black Hat USA and elsewhere highlight IoT weaknesses, the impact of these vulns still remains low in the face of vast distribution. But that could change with market consolidation
Data Privacy Risks And Cyber Liability: The digital age is filled with 404 Errors and plenty of theft (NonProfit Times) Managers at nonprofits across the U.S. collect and store — in filing cabinets, networked servers and in rented "cloud" space — vast amounts of personal information. And despite the increasing frequency of data breaches affecting public, private and nonprofit organizations, most nonprofit leaders admit knowing too little about the risks and consequences of failing to adequately protect personal information collected from employees, volunteers, clients and donors
Marketplace
How the Cybersecurity Industry Became a House Divided (DCInno) A one-on-one interview with Invincea CEO Anup Ghosh
The start-up catching white-collar criminals in the web's darkest places (Telegraph) Digital Shadows hunts through the deep, dark web for the hidden threats that could topple global businesses
Radware Announces CFO Transition (Nasdaq) After 16 years as Radware's CFO, Meir Moshe is stepping down and will be replaced by Doron Abramovitch
Products, Services, and Solutions
Data-centric security with RightsWATCH (Help Net Security) The fact that sensitive data increasingly seem to end up leaked, lost, or stolen has forced security professionals to rethink how their organizations can keep their most valuable assets safe
Bivio Networks Provides Network Threat Visibility on Integrated Cyber Intelligence Platform for Department of Defense Exercise (Bivio) High-performance network security configuration featuring Symantec, Proofpoint and OISF software strengthens Joint Cyber Operations emphasis at JUICE 2015
Technologies, Techniques, and Standards
Underwriters Laboratories To Launch Cyber Security Certification Program (Dark Reading) Meanwhile, UL is also in discussion with the White House on its plans to foster standards for Internet of Things security
The best way to prevent data breaches? It's not what you think (Help Net Security) Data security breaches seem to be popping up almost daily. From the 2015 IRS breach, to the hacking of federal government employees' data by China, it's clear much of our most important data are at risk. Yet, one of the most obvious frontline defenses is often overlooked
Steer clear of low-tech hacks: How to keep your information safe (CNET) It doesn't take a coding genius to steal your Social Security number, but you can be smarter than identity thieves
Proxy Services Are Not Safe. Try These Alternatives (Wired) Millions of people across the world use free proxy services to bypass censorship filters, improve online security, and access websites that aren't available in their country. But an analysis has found those free services come at an unexpected cost for users: their privacy and security. Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek's research, just 21 percent of the tested proxies weren't "shady"
The Phases of a Data Breach: Detecting an Attack Before the Damage is Done (Legaltech News) A new report from security firm Vectra looks at the strategic phases of a cyberattack and what companies can do to shore up their defenses
Understanding the Threat Intelligence Lifecycle (Dark Matters) Everyone is interested in Threat Intelligence (TI). There is a race to the top of the mountain with regards to providing 'Intelligence' on the 'latest threats'; but, what does that really mean for information consumers?
SMS & Authentication: Security Concerns (InfoRisk Today) India's high mobile penetration has meant a widespread adoption of SMS as a channel for two-factor authentication. Unlike developed economies, where the cost of text-based notification services may be high, India's competitive and booming telecom sector has ensured that SMS is the preferred channel for mobile banking and one-time passwords — even in the pre-smartphone era
Design and Innovation
Verisart Plans To Use The Blockchain To Verify The Authenticity Of Artworks (TechCrunch) Verifying the authenticity of a fine art work has become almost the raison d'être of the art world itself. Without either, an art work can be entirely worthless. For instance, in this year's respected Hiscox Online Art Trade Report, "Certificates of Authenticity and Condition Reports" are the top two services people want when buying art and collectibles online. But with the rise of the Blockchain — a decentralised permanent ledger — verifying the truth of something has come within reach of just about anything
Inside the WhiteHat Aviator Web browser controversy (TechTarget) When they originally conceived Whitehat Security's Aviator Web browser, little did Robert "Rsnake" Hansen and his team know what they were getting into
Research and Development
Pre-Crime Startup BioCatch Authenticates Users Via Touch And Your Phone’s Accelerometer (TechCrunch) It's not often that I write about a startup being granted a patent. However, the latest successful filing from Israeli startup BioCatch caught my attention. Essentially it offers a way for app developers to authenticate users based on how they interact with their phone's touch screen and accelerometer
Internet, smartphones cause 'digital amnesia' (ITWeb) Consumers today remember far less than before, because of a growing reliance on the Internet and smartphones, according to research conducted by Kaspersky Lab
Academia
Hacker High: Why We Need to Teach Hacking in Schools (Tripwire: the State of Security) We're in the midst of a national cybersecurity crisis. Breaches, such as the ongoing OPM breach, are continuing at an alarming rate; organizations are building their security infrastructure, but are lacking staff. We need more skilled cybersecurity professionals, yet we don't have a consolidated plan for building the cybersecurity skills pipeline
Legislation, Policy, and Regulation
Digital India Raises Security Concerns (InfoRisk Today) On July 1, India's Prime Minister Narendra Modi launched 'Digital India,' to connect all gram panchayats by broadband internet, promote e-governance and transform India into a digital knowledge economy
Encryption, Public Safety, and "Going Dark" (Lawfare) I am worried we are talking past each other with respect to "Going Dark," so let me try to frame it in a way that I hope is fair-minded and provides a basis for healthy discussion
White House sprints to patch security flaws (The Hill) The White House is nearing the end of a 30-day "cyber sprint" aimed at plugging the most gaping holes in the government's network security
Hillary Clinton: China hacks 'everything that doesn't move' in the US (Naked Security) US presidential hopeful Hillary Clinton has accused China of state-sponsored hacking designed to steal both trade secrets and government information
Christie: Paul should be 'in front of hearings' if US is attacked (The Hill) New Jersey Gov. Chris Christie says Sen. Rand Paul (R-Ky.) will be responsible if the U.S. is ever again hit by a major terrorist attack
The private-sector focus of the Pentagon's annual cyber exercise (FCW) An annual cyber defense exercise held last month by the departments of Defense and Homeland Security and the FBI simulated a "whole-of-nation response" to attacks on critical infrastructure, with an emphasis on the private sector, where most of the potential targets reside
Military looks to private sector to build cyber mission force (Defense Systems) The U.S. is continuing to build its cyber force with hopes of eventually gaining over 6,000 civilian and military personnel and 133 teams. While not quite there yet, the military recently released a few proposals looking for help from the private sector in building its new force
Senate advances secret plan forcing Internet services to report terror activity (Ars Technica) Legislation modeled on 2008 law requiring Internet companies to report child porn
DHS IG: NPPD's lack of law enforcement authority could hinder internal criminal probes (FierceHomelandSecurity) The Homeland Security Department's watchdog said it has "serious questions" concerning the National Protection and Programs Directorate's authority to conduct criminal investigations, potentially hampering inquiries and prosecutions of employees accused of wrongdoing
NSA's XKeyscore collects router data, Skype conversations, webcam images (Naked Security) We've been thinking of the National Security Agency's (NSA's) XKeyscore search engine on the wrong scale
Pell Center Senior Fellow Appointed to State Cybersecurity Panel (Newport Patch) The new commission is tasked with developing a clear strategy to make Rhode Island more secure and resilient to cyber threats
Litigation, Investigation, and Law Enforcement
UK Student's Research a Wassenaar Casualty (Threatpost) U.S.-based security researchers may soon be championing the case of Grant Wilcox, a young U.K. university student whose work is one of the few publicly reported casualties of the Wassenaar Arrangement
Cyber Heist on Romanian Banks Thwarted (Softpedia) Crooks access sensitive info but fail to steal money
How to Deal with Reverse Domain Name Hijacking (Infosec Institute) The fact that one owns a trademark which is identical or confusingly similar to a domain name does not necessarily mean that she is entitled to that domain name. For example, under the Uniform Domain-Name Dispute-Resolution Policy (UDRP) managed by the Internet Corporation for Assigned Names and Numbers (ICANN), a trademark holder will also need to prove that the domain name owner: (1) has no rights or legitimate interests in respect of the domain name; and (2) registered and uses the domain name in bad faith. The term "bad faith" can be broadly defined as "intent to deceive"
Upcoming Events
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
National Cybersecurity Center of Excellence (NCCoE) Speaker Series: Janet Levesque, Chief Information Security Officer at RSA (Rockville, Maryland, USA, Jul 16, 2015) Traditional security models are failing. While the idea of a shift from prevention to detection has gained traction, most current approaches to detection rely heavily on the same techniques that have rendered preventative tools ineffective. The ultimate goal — disrupting and stopping attacks — has continued to elude security experts. The next stage in the industry's evolution is to move to a stance of "dynamic defense," which combines the ability to detect an attack and fully understand its scope and potential impact on the business, and then use the information to disrupt the attack before adversaries can accomplish their goals
TakeDownCon Rocket City (Huntsville, Alabama, USA, Jul 20 - 21, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their knowledge, giving delegates the opportunity to learn about the industry's most important issues. With two days and two dynamic tracks, delegates will spend Day 1 on the Attack, learning how even the most protected systems can be breached. Day 2 is dedicated to Defense, and delegates will learn if their defense mechanisms are on par to thwart nefarious and persistent attacks
CyberMontgomery 2015 (Rockville, Maryland, USA, Jul 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen other Federal agencies, plus regional State and local agencies, educational institutions (such as Montgomery College, the Universities at Shady Grove, a satellite campus of Johns Hopkins, and the Bethesda-based SANS Institute), plus scores of cyber companies, ranging from start-ups to multinational corporations such as Lockheed Martin, employing upwards of 37,000 people in cyber-related jobs. With cybersecurity constituting a major growth engine in the region for many years to come, and with leading Federal government, industry and academic assets already in place in the region, the annual CyberMontgomery conference serves to bring them together so that they can coalesce and elevate the cyber ecosystem to a level of national prominence. In that light, CyberMontgomery provides clear direction on finding business opportunities, contracting, forecasted demand areas, workforce development, recruiting & staffing, legal responsibilities for businesses, updates on technologies being developed in the County, and summary updates regarding our NCCoE neighbors, federal civilian agencies and commercial sector leaders
Career Discovery in Cyber Security: A Women's Symposium (New York, New York, USA, Jul 30, 2015) Our annual conference brings together some of the best minds in the industry, with the goal of guiding women with a talent and interest in cyber security into top-flight careers