The CyberWire Daily Briefing 07.09.15
Yesterday's New York Stock Exchange shutdown continues to look like the result of a glitch as opposed to an attack, but investigation continues. The same-day occurrence of problems at United Airlines (which also seem the result of a glitch) and the Wall Street Journal (briefly inaccessible because of a spike in traffic as people looked for news on the NYSE trading suspension) prompted widespread speculation about coordinated attacks on the US economy ("Die Hard" references duly noted). But evidence of attacks is so far thin, based on either evergreens (Anonymous tweets threatening Wall Street) or a priori possibility (China's stock market crash giving a motive to halt trading everywhere, etc.).
Another story inducing lightly sourced heebie-jeebies claims hackers took control of a Bundeswehr air defense battery. Germany's Defense Ministry calls Quatsch on the reports. All of us are well-acquainted with cautions against premature attribution; it's equally good counsel to avoid premature detection: information isn't intelligence until it's understood, confirmed, and analyzed.
Pro-ISIS hacktivists are reported to have vandalized a Syrian human rights watch site and some US Department of Energy pages at Argonne National Laboratory. FBI Director Comey continues to testify on the ISIS threat and its use of strong encryption in command-and-control operations. Others offer counterpoint in favor of strong encryption — see both Passcode and Lawfare for the pro-encryption side.
Adobe patches the Flash zero-day revealed by stolen Hacking Team data. Trend Micro points out that criminals have exploited that vulnerability since July 1, before the Hacking Team document dump.
Today's issue includes events affecting Canada, China, Colombia, Germany, Iraq, Italy, Japan, Republic of Korea, Syria, Turkey, United Arab Emirates, and United States.
Cyber Attacks, Threats, and Vulnerabilities
NYSE Trading Suspended by Nearly Four-Hour Outage (Fox Business) The New York Stock Exchange resumed trading shortly after 3:10 p.m. ET Wednesday after a nearly four-hour long outage caused all trades to be re-routed to other exchanges
Simultaneous downing of NY Stock Exchange, United, and WSJ.com rattles nerves (Ars Technica) No, the outages weren't part of some cyber attack, White House officials say
NYSE, United Airlines Shutdowns Spark Paranoia (InformationWeek) United Airlines and the New York Stock Exchange both experienced massive outages this morning. The causes are slowly coming to light
NYSE halts trading and United Airlines flights grounded (Graham Cluley) There are a lot of people panicking right now
Anonymous issued cryptic tweet on eve of NYSE suspension (The Hill) International hacking group Anonymous wished Wall Street ill the night before the New York Stock Exchange temporarily suspended trading on all securities
Context On The NYSE, WSJ and United Airlines Issues (Threatbrief) The computer security industry has long had a philosophical debate on how to define a cyber threat. For many of us, the use of the term Threat is reserved for hostile actors: organizations and individuals that mean to cause harm. But cybersecurity professionals and enterprise CTOs, CIOs and business executives must lead in ways that keep the IT up and running, and it is sometimes very helpful to have a broader definition of the threat. There are threats to IT that come from natural disasters, for example. There is also the threat of cascading failures due to complexity. And there is the threat of system failure due to overloading
NYSE, WSJ and United Down: Coincidence? (TechZone360) Coincidence is a strange thing these days. Today, three incidents occurred that may or may not be related but certainly introduce the question: Is this a coincidence? Coincidence or not, we live in a computerized, connected world and this just highlights how vulnerable society is when bad things happen to software
Is Cyberarmageddon Upon Us? 3 Glitches Today Have Some Saying Yes (Wired) A trio of cyber incidents this morning had some people seeing cyberarmageddon. We're looking at you, Senator Bill Nelson (D-Florida)
Cyberattack Can't Be Ruled Out for New York Stock Exchange Outage, Say Analysts (Epoch Times) Trading in securities was suspended on the New York Stock Exchange on Wednesday at 11:32 a.m. "All open orders will be canceled. Additional information will follow as soon as possible," stated a brief message on its website
"It's like a stampede." Chinese investors despair as the markets continue to drop (Quartz) Chinese investors and observers are not optimistic about their government's ability to rescue the country's plunging stock market. Investors scrambled to sell off their remaining shares as the market rout continued today
Did hackers control Bundeswehr missile stations? (Die Welt) Hackers may have cracked the Patriot air defense system: Bundeswehr missile stations deployed in Turkey are said to have executed "unexplained" commands, a trade publication reports
Did hackers remotely execute 'unexplained' commands on German Patriot missile battery? (Computerworld) Oh good, just what we need, vulnerable weapon systems being breached. Hackers purportedly gained access to a German Patriot missile battery and issued 'unexplained commands.' Yikes! Whether the story is pure FUD or a truth that embarrassed German officials into playing word games, authorities scoffed at the missile battery hijack report, calling it 'extremely unlikely'
Subdomain of U.S. Dept. of Energy's Argonne National Lab Hacked by ISIS Hackers (HackRead) Did you notice the pro-ISIS hackers are targeting high-profile websites without any restriction?
Islamic State supporters hack website of Syria rights watchdog (Reuters via Yahoo! News) Purported supporters of the hardline Islamic State group hacked the website of the Syrian Observatory for Human Rights watchdog on Wednesday and threatened its Syrian director who has documented abuses on all sides of Syria's war
FBI Chief: ISIS Is Relying on Encryption to Recruit Americans (National Journal via Government Executive) FBI Director James Comey said Wednesday that the Islamic State terrorist network is using Twitter and encryption to recruit thousands of English-language followers and send out kill orders
Hacking Team claims terrorists can now use its tools (IDG via CSO) Hacking Team has warned that a devastating data breach it suffered will allow its spying tools to be used by criminals and terrorists
Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1 (TrendLabs Security Intelligence Blog) Earlier this week several vulnerabilities were disclosed as part of the leak of information from the Italian company Hacking Team. We've noted that this exploit is now in use by various exploit kits. However, feedback provided by the Smart Protection Network also indicates that this exploit was also used in limited attacks in Korea and Japan. Most significantly, these took place before the Hacking Team leak took place; we first found this activity on July 1
Hacking Team 0-Day Shows Widespread Dangers Of All Offense, No Defense (Dark Reading) While the Italian surveillance company sells government agencies high-end zero-day proof-of-concept exploits, it secures root systems with the password 'P4ssword.' What's vulnerability commoditization got to do with it?
Despite Hacking Team's poor opsec, CEO came from early days of PGP (Ars Technica) But by 2015, David Vincenzetti was "skeptical about encrypted" e-mail with clients
The DEA Is Tracking All Internet Traffic in Colombia, Hacked Email Shows (Vice) All of Colombia's internet traffic is monitored by the US Drug Enforcement Administration, according to a hacked email circulated on Twitter on Monday night, signaling widespread American surveillance of electronic communications in the country considered the longtime central battlefield in the global war on drugs
Multi-billion dollar corporations hit by mystery hacking gang (Tripwire: the State of Security) Back in 2013, technology giants Apple, Microsoft, Facebook and Twitter all suffered a serious security breach
Hacker group that hit Twitter, Facebook, Apple and Microsoft intensifies attacks (PC World) The group has been stealing confidential information from large companies worldwide for the past three years
Bug in Android ADB Backup System Can Allow Injection of Malicious Apps (Threatpost) There's a severe vulnerability in the way that all versions of Android handle the restoration of backups that can allow an attacker to inject a malicious APK file into the backup archive. The bug is the result of an issue with the ADB command-line tool for Android and the researchers who discovered it say there is no fix for it right now
Ransomware Campaign Alters Variants to Evade Detection (Threatpost) A recently uncovered operation has been mutating versions of ransomware to better avoid getting detected
Bitdefender uncovers global spam campaign (SecurityWatch) Bitdefender has discovered a global spam campaign spreading banking Trojan Dyre. The threat uses various approaches to maximise damage, according to Bitdefender malware analysts
Despite warnings, majority of firms still run some Windows Server 2003 (CSO) Enterprises are still heavily dependent on Windows Server 2003 even though support is coming to an end on July 14
Cyber Attack on Power Grid Could Cost $1 Trillion: Report (Reuters via NBC News) A cyber attack which shuts down parts of the United States' power grid could cost as much as $1 trillion to the U.S. economy, according to a report published on Wednesday
Security Patches, Mitigations, and Software Updates
Security updates available for Adobe Flash Player (Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published
Patch Adobe Flash now — Hacking Team zero-day exploit fix included in emergency update (Graham Cluley) While the world freaks out about the zombie apocalypse New York Stock Exchange and United Airlines suffering computer problems, there's some important news on the security front
Apple fixes VoiceOver bugs in update to iWork suite for iOS (AppleInsider) Apple in a rare overnight update on Tuesday issued what appears to be critical fixes to accessibility features in all three iOS iWork apps, returning full VoiceOver navigation and editing functionality to Pages, Numbers and Keynote
Never underestimate the impact of a data breach (Help Net Security) The growth of cyber-crime and the impact of successful attacks on an organization's bottom-line should not be underestimated; it is anticipated that data breaches will cost businesses up to £1.3tn by 2019, with new threats emerging at the astonishing rate of 390,000 per day. As the threat landscape continues to grow, the responsibility for guarding against damaging cyber attacks and protecting corporate data will lie with all employees
Why location-based social media data is critical for security (Help Net Security) Sports games at stadiums, hurricanes along the coast, protests on city streets, guest complaints at hotels, customer praise at restaurants, bullying at schools… Things happen at specific places. These human experiences impact all of us, everywhere, everyday
Universities are at risk of data breaches: is it possible to protect them? (ERPScan Blog) Last Wednesday Harvard University announced that on June 19 an intrusion on Faculty of Arts and Sciences and Central Administration information technology networks was discovered. According to the announcement on Harvard's website, this breach affected eight different schools and is thought to have exposed students' log-in credentials. University IT staff denied that any personal data or information from the internal email system had been exposed
Does My Job Even Matter? A Dose of InfoSec Career Perspective (Tripwire: the State of Security) If you work in an enterprise defense role, chances are your day is comprised of coffee, email, meetings, crises, coffee, interruptions, coffee, and meetings (and, most likely, alcohol). The meetings seem useless and the interruptions unceasing. Your stress piles up while your family time dwindles, and you find yourself wondering at the end of the day (or during it) if your job is having any impact in terms of your organization's information security
Dot-dash-diss: The gentleman hacker's 1903 lulz (New Scientist) A century ago, one of the world's first hackers used Morse code insults to disrupt a public demo of Marconi's wireless telegraph
US Chamber of Commerce Unveils Cyber Group; Howard Schmidt Comments (ExecutiveBiz) The U.S. Chamber of Commerce has introduced a new group that will aim to facilitate collaboration between the industry and government on cybersecurity practices and policies
How to Get Startups in on the Military-Industrial Complex (Wired) Despite the pace of global technological change, the United States military-industrial complex may never be truly "disrupted"
SRA Files to Go Public, Sets $100M Fundraising Target (GovConWire) The holding company of Fairfax, Va.-based government services contractor SRA International has filed a registration statement with the Securities and Exchange Commission for an initial public offering, SRA said in its filing with the SEC posted Wednesday
Startup offers unique solution to BYOD security worries (FierceMobileIT) The security of employee-owned mobile devices is an ongoing concern for CIOs and IT departments
Digital Guardian Strengthens Management Team with Two New Executive Appointments (Sys-Con Media) Digital Guardian, the only endpoint security platform purpose built to stop data theft, today announced the appointment of Ed Durkin as its new chief financial officer and Craig Hansen as its new vice president of federal sales
Products, Services, and Solutions
Versasec Releases vSEC:CMS T4.1 Smart Card Lifecycle Management (BusinessWire) New virtual smart card, improved user interface, and better management of certificates added to leading smart card management system
ThreatMetrix Named a Winner in Three Categories at 10th Annual 2015 Hot Companies and Best Products Awards (Benzinga) Context-based security and advanced fraud prevention provider recognized for its TrustDefender Cybercrime Protection Platform and ThreatMetrix Digital Identity Network
FireEye Combines Industry Leading Email Protection With Threat Intelligence (MarketWatch) New solution blocks and contains email attacks while providing actionable intelligence with rich context
Palo Alto Networks Traps Protects From Latest Flash Zero-Day Vulnerability CVE-2015-5119 (Palo Alto Networks) Following this week's headline-grabbing breach, we all learned of an exploit utilizing CVE-2015-5119, a zero-day vulnerability in Adobe Flash. Successful exploitation of this vulnerability allows an attacker to take control of an affected endpoint, making it a critical threat. Various security researchers have since reported that the zero-day was indeed exploited in active attacks
Cyber-crooks are automated; you need to be, too (Computerworld) It's time to automate security response, says the CSO of a $1.6 billion company, who swears by a new tool he has deployed
WestconGroup Expands Security Practice with Incident Response and Analytics Solutions from Guidance Software (PRNewswire) WestconGroup, a leading value-added global distributor of security, unified communication, network infrastructure, and data center solutions, today announced that it has inked a distribution agreement with Guidance Software to bolster its portfolio with best-in-class EnCase cybersecurity products
An incubator for innovation (Channelnomics) FireMon is the first to join WestconGroup's latest initiative to bolster emerging vendors' global channel networks
DHS Launches eFOIA App (US Department of Homeland Security) Submit a FOIA request anytime, anywhere
Technologies, Techniques, and Standards
Detecting Random — Finding Algorithmically chosen DNS names (DGA) (Internet Storm Center) Most normal user traffic communicates via a hostname and not an IP address. So looking at traffic communicating directly by IP with no associated DNS request is a good thing to do. Some attackers use DNS names for their communications
Phishing — What does it look like in machine data? (Digital Guardian) In this post we take a look at how Digital Guardian and Splunk can correlate data events in real time to identify phishing attacks
They see me scannin'; they hatin' (Heisenbugs and other unobservables) One hour into your pentest and you're already getting calls from the Blue Team: "We see your Nmap scans. Do you want to just give up now, or…" Impossible, I used "SYN Stealth scan" and scanned really slowly! It's not impossible: Nmap out-of-the-box is really not that hard to spot if you know what you are looking for. Here are the most-common ways that Nmap scans get detected by IDS
Tunneling Data and Commands Over DNS to Bypass Firewalls (Lenny Zeltser) No matter how tightly you restrict outbound access from your network, you probably allow DNS queries to at least one server. Adversaries can abuse this "hole" in your firewall to exfiltrate data and establish stealthy Command and Control (C2) channels that are very difficult to block. To understand the use of DNS for C2 tunneling, let's take a look at Ron Bowes's tool dnscat2, which makes it relatively easy to experiment with such attack techniques
Staff Side-stepping Security Protocols Could Leave Your Business Vulnerable, Says ESET (Jakarta Post) For those who are less familiar with the cybersecurity space, some of the rules proposed by businesses trying to stay safe, can seem like they are designed just to make life difficult
Heartbleed and beyond: Marine Corps 'cyber range' trains to fight off hackers (Washington Post) A virtual training range developed for the Marine Corps to prepare troops for cyber operations has been adapted to do everything from prepare for offensive actions to secure networks defensively against hacking threats like the Heartbleed security bug, Marine officials said
The Importance of Building an Information Security Strategic Plan (IBM Security Intelligence) Some say that strategic planning is no longer practical or necessary in today's rapidly changing technical environment, but strategy still remains an essential part of defining clear companywide goals and how to achieve them. Strategic planning is about setting long-term goals, establishing the directions and constraints that will guide the tactical achievement of these aims and identifying the assets and capabilities that the organization needs to execute the plan
G DATA: Take a fully protected vacation (Pressebox) German IT security vendor gives tips for a safe vacation with smartphone, tablet, and notebook
Research and Development
How the audacious Pentagon agency that invented the Internet is now trying to save it (Washington Post) So far, the cybersecurity war has been a lopsided rout. And it's the bad guys who are on an epic winning streak
IBM may have just extended the lifespan of Moore's Law (Quartz) Since 1965, we have held onto the belief that computing power will double every two years, as argued in a paper by Gordon Moore, the eventual founder of Intel. But in recent years, scientists have been straining to keep Moore's Law alive, as we start to approach the physical limit of how small we can make silicon chips
Steven LaFountain: Working to increase the cybersecurity talent pipeline (Washington Post) This summer, approximately 1,300 middle and high school students plus a number of K-12 teachers will attend cybersecurity camps at universities in 18 states, learning about online threats, basic cyber defenses and the ethics of operating in the virtual world
What I learned at Cyber Boot Camp (Instructor Edition) (We Live Security) One reason cybercrime is on the rise is a lack of "capable guardians", people with the appropriate skills and personal ethics to defend networks against attack. Recently I participated in a program that aims to change that situation: Cyber Boot Camp, a place where young people can develop the skills, mindset, and moral code required to defend networks against criminal abuse. I have already written about some of the lessons learned by students who attended the camp, but like any good educational experience, the instructors also learned things, and I wanted to share the most worrying thing I learned: there's a big hole in computer education in America today. While Cyber Boot Camp takes place in California, I suspect that this problem exists in a lot of other states as well (I would be very happy to hear from anyone who can show me I'm wrong on this)
National Security Agency funds UC Berkeley cybersecurity summer camp for high school students (Daily Californian) National Security Agency staff will visit a camp developed to teach high school students about cybersecurity — hosted for the first time this year by UC Berkeley — this week to evaluate the program and decide whether to continue its funding
Legislation, Policy, and Regulation
U.S., U.A.E. launch anti-ISIS messaging center in Dubai (CBS News) The U.S. and Emirati governments launched a new Mideast digital communications center Wednesday focused on using social media to counter Islamic State of Iraq and Syria (ISIS) propaganda efforts online
Opinion: Why strong encryption is elementary (Christian Science Monitor Passcode) The case against encryption 'back doors' simplified so even a child can understand it
Keys Under Doormats: Mandating Insecurity (Lawfare) Two decades ago US law enforcement sought laws requiring communication providers to be able to decrypt communications when served with a court order. The proposed technology to accomplish this was escrowed encryption — keys stored by the government — and the methodology is the now infamous Clipper chip
Report: UL in talks with White House on IoT certification (FCW) The White House's interest in a security certification for Internet of Things (IOT) products appears to be gaining steam with standards firm Underwriters Laboratories in talks with the administration on how to develop such a program
Litigation, Investigation, and Law Enforcement
Second union sues government over China hack, alleging constitutional failures (Washington Post) A second prominent union representing federal employees is suing the government over the Chinese hack of employee data, underscoring the growing legal and political fallout from the breach
Finnish Decision is Win for Internet Trolls (KrebsOnSecurity) In a win for Internet trolls and teenage cybercriminals everywhere, a Finnish court has decided not to incarcerate a 17-year-old found guilty of more than 50,000 cybercrimes, including data breaches, payment fraud, operating a huge botnet and calling in bomb threats, among other violations
U.S. one step closer to extraditing accused spy (Canadian Press via Metro News Vancouver) The United States has vaulted another hurdle in its bid to extradite a Chinese national living in British Columbia who is accused by the FBI of pilfering American military trade secrets
Silk Road creator Ulbricht, an "eternal optimist," writes a letter from prison (Ars Technica) "Unfortunately, the worst case scenario has played out for me"
For a complete running list of events, please visit the Event Tracker.
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
National Cybersecurity Center of Excellence (NCCoE) Speaker Series: Janet Levesque, Chief Information Security Officer at RSA (Rockville, Maryland, USA, Jul 16, 2015) Traditional security models are failing. While the idea of a shift from prevention to detection has gained traction, most current approaches to detection rely heavily on the same techniques that have rendered preventative tools ineffective. The ultimate goal — disrupting and stopping attacks — has continued to elude security experts. The next stage in the industry's evolution is to move to a stance of "dynamic defense," which combines the ability to detect an attack and fully understand its scope and potential impact on the business, and then use the information to disrupt the attack before adversaries can accomplish their goals
TakeDownCon Rocket City (Huntsville, Alabama, USA, Jul 20 - 21, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their knowledge, giving delegates the opportunity to learn about the industry's most important issues. With two days and two dynamic tracks, delegates will spend Day 1 on the Attack, learning how even the most protected systems can be breached. Day 2 is dedicated to Defense, and delegates will learn if their defense mechanisms are on par to thwart nefarious and persistent attacks
CyberMontgomery 2015 (Rockville, Maryland, USA, Jul 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen other Federal agencies, plus regional State and local agencies, educational institutions (such as Montgomery College, the Universities at Shady Grove, a satellite campus of Johns Hopkins, and the Bethesda-based SANS Institute), plus scores of cyber companies, ranging from start-ups to multinational corporations such as Lockheed Martin, employing upwards of 37,000 people in cyber-related jobs. With cybersecurity constituting a major growth engine in the region for many years to come, and with leading Federal government, industry and academic assets already in place in the region, the annual CyberMontgomery conference serves to bring them together so that they can coalesce and elevate the cyber ecosystem to a level of national prominence. In that light, CyberMontgomery provides clear direction on finding business opportunities, contracting, forecasted demand areas, workforce development, recruiting & staffing, legal responsibilities for businesses, updates on technologies being developed in the County, and summary updates regarding our NCCoE neighbors, federal civilian agencies and commercial sector leaders
Career Discovery in Cyber Security: A Women's Symposium (New York, New York, USA, Jul 30, 2015) Our annual conference brings together some of the best minds in the industry, with the goal of guiding women with a talent and interest in cyber security into top-flight careers