The CyberWire Daily Briefing 08.07.15
Recent intrusions into the Joint Staff's networks, US officials think, were the work of Russian actors.
In other news of Russian espionage operations, few will be surprised to learn that (alleged) cyber mob boss "Slavik" Bogachev (allegedly) made his services available to the Russian organs. Bogachev, (alleged) kingpin of GameoverZEUS capers, is thought to have facilitated collection against Georgia, Turkey, and Ukraine.
Researchers disclose several new vulnerabilities. Check Point discovers an exploitable "Certifi-Gate" bug in Android devices manufactured by LG, Samsung, HTC and ZTE. Context Information Security shows how malicious insiders can exploit Windows Server Update Services. Battelle shows how design flaws in x86 processor architecture render devices vulnerable to firmware rootkits. Ben-Gurion University describes GSMem malware's threat to some air-gapped devices.
FireEye reiterates warnings that even non-jailbroken iOS devices are vulnerable to exploits that escaped into the wild after the Hacking Team breach. Other FireEye researchers show how Android users could have their fingerprints (the prints, of course, not the actual whorls on their actual fingers) stolen without noticing.
Symantec looks at the Internet-of-things and glumly sees it as the next big field for ransomware. (TrendLabs finds ransoms rising and deadlines closely enforced.)
OPM get the Pwnie at Black Hat amid growing realization that effects of its breach are probably worse than suspected.
Tesla Motors gets good reviews for swift patching.
Sounding like Jack Daniel (the whiskey manufacturer, not the security guru) circa 1919, many Black Hat symposiasts see (now pulled) Wassenaar implementation as a harbinger of cyber prohibition.
Notes.
Today's issue includes events affecting Australia, China, Georgia, Germany, Russia, Turkey, Ukraine, and United States.
Cyber Attacks, Threats, and Vulnerabilities
U.S. suspects Russia in hack of Pentagon computer network (Washington Post) U.S. military officials said Thursday that they suspect Russian hackers infiltrated an unclassified Pentagon e-mail system used by employees of the Joint Chiefs of Staff, the latest in a series of state-sponsored attacks on sensitive U.S. government computer networks
GameOver ZeuS criminals spied on Turkey, Georgia, Ukraine and OPEC (CSO) The criminals behind the GameOver ZeuS Botnet didn't just steal $100 million from banks — they also spied on several countries on behalf of Russia, according to a Black Hat presentation Wednesday by an FBI agent and two other security experts
Easily exploitable Certifi-gate bug opens Android devices to hijacking (Help Net Security) Check Point's mobile security research team discovered a vulnerability in Android that affects phones, tablets and devices made by major manufacturers including LG, Samsung, HTC and ZTE
Windows Update vulnerability puts corporate networks at risk from malicious insiders, warn researchers (Computing) A Windows Update vulnerability can be abused by insiders to perpetrate internal attacks on corporate networks by exploiting insecurely configured enterprise implementations of Windows Server Update Services (WSUS)
Design flaw in Intel processors opens door to rootkits, researcher says (IDG via CSO) A design flaw in the x86 processor architecture dating back almost two decades could allow attackers to install a rootkit in the low-level firmware of computers, a security researcher said Thursday. Such malware could be undetectable by security products
New malware turns your computer into a cellular antenna (IDG via CSO) A group of Israeli researchers have improved on a way to steal data from air-gapped computers, thought to be safer from attack due to their isolation from the Internet
Risk of Data Loss From Non-Jailbroken iOS Devices Real, Security Firm says (Dark Reading) Data from the Hacking Team reveals actively used exploit for breaking into and stealing data from registered iOS systems, FireEye says
Mac OS X Bug Opens A Pathway For Adware (InformationWeek) An exploit of privilege settings in Apple's Mac OS 10.10 can leave users vulnerable to adware
Hackers can remotely steal fingerprints from Android phones (ZDNet) Researchers outline how hackers can attack your smartphone to steal your fingerprint on a "large scale" — without anybody noticing
Crypto-Ransomware Attacks: The New Form of Kidnapping (Trend Micro: Simply Security) The evolution of crime continues to push itself into the cyber world. Physical criminal operations are now learning to walk again as our generation continues to get its feet wet in the digital age. The low risk, high reward incentive involved with cybercrime opens the flood gates for criminal pioneers to evolve their financially motivated heists. In this blog I will discuss the evolution of ransomware, which is essentially just kidnapping information and extorting money from the vulnerable, technology-dependent citizens of society
Report: IoT is the next frontier for ransomware (CSO) The growth of the Internet of Things will offer new ransomware opportunities for cybercriminals, according to a report released Thursday by Symantec
Price Hikes and Deadlines: Updates in the World of Ransomware (TrendLabs Security Intelligence Blog) During the first quarter of 2015, we saw how ransomware variants have evolved to do more than just encrypt valuable system files. CryptoFortress targeted files in shared network drives while TeslaCrypt targeted gamers and mod users. Now we are seeing another feature rapidly gaining ground in the world of ransomware: the ability to increase the ransom price on a deadline
BlackHat 2015: Cyber controls enable physical attacks, says researcher (ComputerWeekly) Cyber attackers can usually find specific physical attacks that engineers typically would not anticipate, says a security researcher
Why Cyber-Physical Hackers Have It Harder Than You (Dark Reading) Before you pout about having to learn a new infosec application, remember you don't need to also know physics, chemistry, engineering and how to make a pipeline explosion look like an accident
Symantec exposes Butterfly hacking group for corporate espionage (Tech Republic) Symantec is hot on the digital trail of Butterfly, a group of hackers who have successfully exfiltrated corporate secrets from 49 organizations in more than 20 countries
Hackers getting better at cracking passwords and accessing corporate data (Help Net Security) Hackers are getting better at cracking passwords and using those passwords as keys to the corporate network and data, researchers from penetration testing firm Crowe Horwath told an audience here Thursday at the BlackHat conference
US Government OPM Cyber Breach Much Worse Than Reported (CloudTweaks) The much publicized breach at the US government Office of Personnel Management (OPM) in May this year was much more serious than initially reported, in terms of the number of people affected, the quality of information breached, as well as the probable cost to American taxpayers
OPM Wins Pwnie for Most Epic Fail at Black Hat Awards Show (eWeek) The annual Pwnie Awards at the Black Hat USA conference here celebrate the best security vulnerabilities found by researchers and also ridicule the worst security responses. The Pwnies are a somewhat satirical event that doesn't take itself all that seriously, but it does represent a snapshot of the year that was in security
Jeep hackers: Only a dramatic stunt could force a Chrysler recall (+video) (Christian Science Monitor Passcode) At this week's Black Hat security conference, researchers Charlie Miller and Chris Valasek said hacking a reporter's car on a highway — which some called needlessly reckless — was the only real way to effect change
Are These Airline Hacks Related? (IBM Security Intelligence) Organizations are beginning to change the way they handle the revelation that their IT systems have been attacked. In a rare public admission, LOT, the Polish national airline, readily admitted on June 21, 2015, that 20 flight cancellations and delays were the direct result of an IT attack. Initially, the airline released a statement that the flight problems were caused by an IT systems failure. However, shortly thereafter, it issued a second press release that stated that the cancellations and delays were the direct result of hacks of the ground operations system. The hack prevented the creation of flight plans for planes scheduled to depart Warsaw Chopin Airport. The airline has not shared information on the full nature of the attack
Security Patches, Mitigations, and Software Updates
Mozilla Foundation Security Advisory 2015-78: Same origin violation and local file stealing via PDF reader (Mozilla) Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer
Tesla says update for security flaws found by hackers sent (Reuters via Business Insurance) Tesla Motors Inc. on Thursday said it has sent a software patch to address security flaws in the Tesla Model S sedan that could allow hackers to take control of the vehicle
Tesla Patches Faster than Chrysler … and than Android (Emptywheel) Wired's hack-of-the-day story reports that researchers hacked a Tesla (unlike the Chrysler hack, it required access to the vehicle once, though the Tesla also has a browser vulnerability that might not require direct access)
Stagefrightened Google, Samsung to push out monthly Android fixes (Naked Security) Stagefright is a nasty security hole in Android that can be triggered by a booby-trapped multimedia file — the sort of content that can be delivered via an MMS message
Cyber Trends
Shadow IT: It's Much Worse Than You Think (InformationWeek) The number of unauthorized cloud apps being used in the enterprise is 15 to 20 times higher than CIOs predicted, according to a Cisco report. What's a CIO to do?
Zero-day vulnerabilities on the rise, says Secunia (FIerceITSecurity) Hundreds of security holes uncovered in major vendors' IT infrastructure products
Facebook calls for cyber security in emerging markets (Financial Times) Facebook's new security chief has called on the internet industry to go beyond securing the web "for the 1 per cent" and create cyber security defences that will work across emerging markets
Black Hat 2015: Salted Hash live blog (Day 2) (CSO Salted Hash) They're a concern, but not something that's being funded
Enterprise security spending less on skills, more on technology (CSO) Why are enterprises spending more on tools, and less on people? Good question
How to Accelerate Cyber-Security Progress (Baseline) There are significant differences between companies that have made major improvements to their security effectiveness and those that have not
Akana 2015 Survey Points to API Security Becoming a CXO Level Concern (BusinessWire) Findings reveal API security gaining priority but implementation and maturity disparities continue
Many firms still failing to test and secure web applications, says Rapid7 (ComputerWorld) Web application security is not getting the focus and attention it needs because of a lack of awareness of the risks by security professionals and developers alike, says Rapid7
All Australian mobile phones at risk of foreign hacking, says US intelligence committee head Devin Nunes (Sydney Morning Herald) Australians have been warned that all mobile phone and email communications are constantly vulnerable to being hacked by "foreign adversaries
Marketplace
Cyber space: The new frontier (PropertyCasualty360) It's one of the fastest growing product lines in the commercial insurance sector — and it's frustrating as hell
Tech firms seek to beat the hackers with 'bug bounties' (Irish Examiner) Microsoft's announcement that it is doubling its reward for reporting potentially exploitable vulnerabilities in its software to $100,000 (€92,000) makes it the latest of a number of the world's top companies to offer "bug bounties"
FireEye wants to transition to a world class partner organization (ChannelWorld) FireEye held its first ever Momentum partner conference in Sydney, which saw the security company's global reps pushing its new channel focus, including incentives, rebates, tools, and new incentive programmes
The Pentagon Wants a Secretive Cyber Arms Dealer To Hack Its Networks (DefenseOne) The company, Endgame, is part of a legal but controversial industry that sells governments hacking tools called 'zero days' to pinpoint vulnerabilities
Government contractor Chiron Technology Services expands to commercial sector (Baltimore Business Journal) Columbia government contractor Chiron Technology Services, Inc. is expanding its cybersecurity services to the commercial sector, a move that will diversify the company's revenue streams and draw in a new kind of client
Leading Analyst Firm Data Identifies Fortinet as Security Market Leader (MarketWatch) Fortinet has shipped more than two-million appliances since inception to global customers looking for the very best in cyber threat protection
Cyberwarrior Demand Outpaces Supply (TechNewsWorld) There aren't enough cybersoldiers to fight the good fight. Cybersecurity jobs have grown three times faster than IT jobs generally in the last five years and that growth doesn't seem to be letting up, noted Burning Glass CEO Matt Sigelman. "This is not a flash-in-the-pan phenomenon, and the level of skill required to get cyberjobs makes this a tough problem to solve"
Products, Services, and Solutions
Windows 10, Privacy 0? ESET deep dives into the privacy of Microsoft’s new OS (We Live Security) The title of this article is "Windows 10, Privacy 0: ESET deeps dives into the privacy of Microsoft's new OS" and in it I will be providing analysis of Microsoft's privacy plans for Windows 10, some of the reasoning behind those changes, and also theorize about who else besides Microsoft might be interested. But as my first blog post on We Live Security since Windows 10 was released, there are two topics I would first like to address before we dive in. The first of these is a short discussion of what Windows 10 needs to accomplish, both for Microsoft and for its customers
Check Point Launches Mobile Threat Prevention to Secure the Mobile Enterprise (MarketWatch) New solution provides an unparalleled layer of security and protection for mobile devices
Identify and track sensitive corporate data in real-time (Help Net Security) InfoGPS Networks revealed at Black Hat USA 2015 software able to identify, classify, and track sensitive data in real-time across the organization
WhiteHat partners with Prevoty to enable self-protection for apps using RASP (FierceITSecurity) WhiteHat Security announced at the this week's BlackHat security conference that it has formed a partnership with Prevoty, under which WhiteHat's Sentinel customers will be able to combat app bugs and defects using Prevoty's application monitoring and protection product using runtime application self-protection
IOActive Speeds Ahead to Secure the Transportation Industry (BusinessWire) New research extends company's position in connected transportation; helps partners and automotive manufacturing clients better secure customers
Technologies, Techniques, and Standards
The Value of Intelligence to Businesses — And Bad Actors (Forbes) Steve Hunt is an executive strategist with expertise in information security, physical security, confidential information protection, critical infrastructure protection, technology, risk management and regulatory compliance
Defining the Need for Threat Intelligence, Part 1 (Cyveillance Blog) Creating a security budget can be challenging for even experienced security professionals. In many cases, the practitioners who see the day-to-day value of threat intelligence — cyber threat analysts, security analysts, and others — are not the stakeholders who control the budget. In fact, a recent PricewaterhouseCoopers survey found that 49 percent of boards view cybersecurity as only an IT risk, and not an overall corporate risk
Protecting trade secrets in the era of the data breach (Lexology) The prevalence of data breaches cannot be ignored. New data breaches continue to occur one after another. In the first half of 2015 alone there were reports of large scale data breaches involving multiple companies in the healthcare industry, the United States Office of Personnel Management (OPM), the IRS, a telecommunications provider, an online console gaming provider, and a transportation company
A secure employee departure checklist (CSO) What steps should a business take when an employee is leaving the company in order to minimize threats to your data? Here's a checklist to securely see departing employees out the door
Top five security threats to data centres — and how to counter them (ITWire) Every day, attackers conspire to take down applications and steal data, leaving data centre infrastructure in the crosshairs. Storing an organisation's most valuable and most visible assets — its web, DNS, database and email servers — data centres have become the number one target of cyber criminals, hacktivists and state-sponsored attackers
Proper Data Breach Incident Response (LIFARS) We read about data breaches almost on a daily basis (think recent Hacking Team, Ashley Madison breaches), but most of us do not quite know what happens before you read about the data breach in our favorite news source. How is a breach discovered and handled? Who responds to major data breaches?
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 4 of 6) (Privacy Compliance & Data Security) This blog post is the fourth entry of a six-part series discussing the best practices relating to cyber security. The previous post discussed the initial steps that a business should take once a cyberattack has been identified. This post will discuss further steps that a business should take after an attack
Defending Industrial Ethernet Switches Is Not Easy, But Doable (Dark Reading) Attacks and vulnerabilities against ICS and SCADA can be detected and monitored if operational folks know their network infrastructure
Global hacker competition challenges penetration testers (Help Net Security) More than 500 players have registered for an exciting global online hacker challenge taking place this week during Black Hat USA 2015 and DEF CON
Cyberguard15 — Train, advise, assist (DVIDS) Members from the 218th Intelligence Surveillance and Reconnaissance Group (ISRG) participated in Cyber Guard 15, a three week exercise in Suffolk, Virginia. The joint exercise, co-led by U.S. Cyber Command, DHS, and the FBI, included participation from the private sector, DoD, international allies, and U.S. federal and state government entities to include National Guard elements from multiple states. Participants exercised a whole-of-nation approach to identify, defend, and protect our domestic critical infrastructure
What Should the Users of Ashley Madison Do? (Dark Reading) Security-minded professionals offer their advice at Black Hat party
Design and Innovation
Three top tips to keep connected cars safe from hackers (ZDNet) As auto manufacturing dips a toe into the computing realm, how can consumers be protected?
Cyber attacks 'as big a threat to new warships as missiles and torpedoes' (Telegraph) The new Type-26 Global Combat Ship has been designed to protect its weapons, engines and systems from cyber warfare
Artificial Intelligence is Already Wierdly Inhuman (Nautilus) What kind of world is our code creating?
Academia
ISU's cybersecurity education center receives national Academic Excellence award (Illinois State University) Doug Twitchell, associate professor in the School of Information Technology and director of the Center for Information Assurance and Security Education (CIASE), and Mary Elaine Califf, director of the School of Information Technology, accepted the Center of Academic Excellence award at the Colloquium for Information Systems Security Education 2015 conference. The award extends the CIASE's designation as a National Center of Academic Excellence in Cyber Defense Education through 2020
Concordia University, Nebraska Launches M.S. in Computer Science (BusinessWire) Online program with cyber operations concentration helps stem tide of security attacks
Legislation, Policy, and Regulation
'Prohibition Era' of Security Research May Be Ahead (Threatpost) Export controls have become a dirty phrase in the security community, especially among researchers, pen testers, and others who rely on vulnerability information and exploits to do their jobs. And if the Wassenaar Arrangement rules proposed by the United States aren't modified significantly before they're implemented, dark days may lie ahead for the research community, experts say
Deloitte calls for cyber security health checks (Computerworld) Checks would create a benchmark of where Australian businesses are today
Here's What the Chinese Media Is Saying About A U.S. Response to the OPM Hack (Council on Foreign Relations) Last Saturday, the New York Times reported that the Obama administration has decided to retaliate for the theft of millions of personnel records from the databases of the Office of Personnel Management. While administration officials are still debating what measures can be taken without risking escalation, one response reportedly being considered is breaching the Great Firewall
Homeland Security secretary pleads with Black Hats for trust (Stuff) A top Obama administration official says the government and the data security community need to focus on building trust so information about cyber threats can be shared between them for the greater good
Senate bill seeks to boost cyber oversight (The Hill) A bipartisan pair of senators wants to boost cybersecurity oversight at federal agencies after a series of mammoth digital thefts that have rattled the government
Senate Leaders Vow September Vote on Cybersecurity Bill (Insurance Journal) The U.S. Senate will not vote on a cyber security bill until September, after lawmakers return from a four-week recess and consider the nuclear agreement with Iran, the chamber's leaders said on Wednesday
The Automotive Industry and the Dawn of IoT Security Regulation (Legaltech News) The SPY Car Act would regulate how manufactures install precautions in vehicles, but as more devices are connected, it's only the beginning
Litigation, Investigation, and Law Enforcement
German Justice Minister Fires Top Prosecutor for Treason Probe of Bloggers (Wall Street Journal) Dismissal of federal prosecutor general marks crescendo in debate over press freedom
Should Software Companies Be Legally Liable For Security Breaches? (TechCrunch) It's a truism that all software has bugs and security holes. It's another that license agreements invariably make software vendors immune to liability for damage or losses caused by such flaws. But, to my surprise, Black Hat's founder and keynote speaker are arguing that software product liability, presumably mandated by governments, is inevitable. If they're right, a seismic change is on the horizon
First a Jeep gets hacked, now the class-action suit (Graham Cluley) One of the hottest security stories of the year was the (frankly terrifying) demonstration by Charlie Miller and Chris Valasek, where they remotely hijacked a Jeep being driven by a journalist at 70mph down a busy highway
Law enforcement is learning to navigate the Dark Web (Naked Security) Law enforcement agents in recent years have been crawling all over the Dark Web to track down its seediest denizens: terrorists, paedophiles, gun-runners, drug dealers, sex traffickers and other serious criminals
"PING SUSP PHONE" — An Oakland shooting reveals how cops snoop on cell phones (Ars Technica) An undercover operation is going very, very wrong for local and federal authorities
Judge Flags Redaction in Cybersecurity Program (Courthouse News Service) E-privacy advocates concerned that the government's industrial cybersecurity program violates wiretap laws have vaulted a hurdle in their federal case
As patent reform stalls, "non-practicing entity" nabs a $40 million verdict (Ars Technica) Jury validates patents on cybersecurity and detecting "hostile downloadables"
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Defcon 23 (Las Vegas, Nevada, USA, Aug 4 - 7, 2015) DEF CON has been a part of the hacker community for over two decades. See the organization's website for more information
3rd Annual Psyber Behavioral Analysis Symposium (Fort Meade, Maryland, USA, Aug 11, 2015) The 3rd Annual Psyber Behavioral Analysis Symposium is hosted by the NSA/CSS Threat Operations Center and the FBI Behavioral Analysis Unit-2/Cyber Behavioral Analysis Center. The goal of the Symposium is to provide U.S. and Second Party Intelligence Communities (IC) a forum to present and collaborate on Human Science-based projects and research. This event attracts a multi-disciplinary government audience from across the IC and Second Party Partner organizations
USENIX Security (Washington, D.C., USA, Aug 12 - 14, 2015) The USENIX Security Symposium reunites researchers, practitioners, system administrators, system programmers, and others specialists interested in the latest advances in the security and privacy of computer systems and networks
5th Annual Cyber Security Training & Technology Forum (CSTTF) (Colorado Springs, Colorado, USA, Aug 19 - 20, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter and FBC, Inc. will once again co-host the 5th Annual Cyber Security Training & Technology Forum (CSTTF). CSTTF 2015 will bring together cyber experts from the DoD, federal government, business, research, and academia to address a variety of current cyber topics
Decepticon 2015 (Cambridge, England, UK, Aug 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines, sub-disciplines and countries. To cover the great diversity of approaches to deception research, our scientific committee has members covering several domains
AFCEA OKC Technology & Cyber Security Day (Oklahoma City, Oklahoma, USA, Aug 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker AFB. This is the only Technology Day held at Tinker AFB each year. The annual Technology Day allows exhibitors the opportunity to have access to information technology, communications, cyber, engineering, and contracting personnel at Tinker AFB. Over 300 attendees participated in the 2014 Technology Day and we expect the same level of attendance in 2015
Power Grid Cyber Security Exchange 2015 (San Diego, California, USA, Aug 30 - Sep 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology and information security executives. This program is tailored to utility executives and industry stakeholders that are responsible for addressing threat intelligence, analysis and monitoring; network architecture; and cyber incident response
2015 HTCIA International Conference & Training Expo (Orlando, Florida, USA, Aug 30 - Sep 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015 (Vancouver, British Columbia, Canada, Aug 31 - Sep 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire spectrum of work, from practice to theory, including its peripheries