The CyberWire Daily Briefing 08.11.15
Notes on Chinese intelligence surveillance of US "senior trade and security officials'" personal email accounts. The campaign is being called "Dancing Panda," and has been in progress since 2010 (and known to US security agencies for some time).
Android security sustains another unpleasant wave of vulnerability discoveries, beyond Stagefright. IBM describes a serialization vulnerability that gives unprivileged applications "super" privileges, and also exposes several third-party software development kits designed to give attackers control over apps. G Data reports that Android malware instances observed in the wild have soared to record levels.
Researchers demonstrate a mobile point-of-sale exploit: Square is said to be vulnerable.
The Darkhotel cyber espionage group is said to have sharpened its game with the help of leaked Hacking Team exploits.
Seculert reports botnet-for-hire DGA.Changer, used mainly in clickfraud scams, has deployed a way of escaping sandboxes by, essentially, depositing a dummy version of itself, then quietly departing.
Recorded Future, while a conceptual fan of blacklisting malicious sites, looks at traditional blacklists and finds them wanting: hidden link analysis suggests that some 92% of suspect sites actually escape most blacklisting.
More automotive hacks are demonstrated, including a wireless hack of keyless entry and a way of tampering with a Corvette's brakes.
Scarcity of cyber talent remains the sector's principal concern: artificial intelligence offers at best a partial amelioration.
Symantec sells Veritas to Carlyle for $8 billion.
US Cyber Command prepares a $460 million IDIQ RFP.
MobileIron faces a shareholder class action suit alleging failure to disclose a breach.
Today's issue includes events affecting Australia, Bangladesh, Cameroon, China, Germany, India, Israel, Japan, Democratic People's Republic of Korea, Republic of Korea, Mexico, Mozambique, Russia, Saudi Arabia, Thailand, Turkey, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
China used 'Dancing Panda' cyber operation to spy on Obama administration (Telegraph) For the past five years, the personal email accounts of top American security and trade officials have been compromised in a Chinese cyber espionage operation
Chinese spies targeting personal emails of top Obama admin officials (Washington Times) The personal email accounts of several high-ranking White House officials have been directly targeted by Chinese cyberspies — and some are still actively under attack, according to U.S. intelligence reports
One Class to Rule Them All: New Android Serialization Vulnerability Gives Underprivileged Apps Super Status (IBM Security Intelligence) Over 55 percent of Android phones are at risk of a high-severity serialization vulnerability that IBM's X-Force Application Security Research Team found in the Android platform. In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a "super app" and help the cybercriminals own the device. In addition to this Android serialization vulnerability, the team also found several vulnerable third-party Android software development kits (SDKs), which can help attackers own apps
Over 55% of all Androids at risk of high severity vulnerability (Graham Cluley) We've only just got over the news of the Stagefright vulnerability, which allows attackers to infect Android devices with just a maliciously crafted MMS message, and the shocking (and welcome) news that Google and other leading manufacturers will be releasing regular security updates for millions of smartphones from now on
Android Certifi-Gate remote access security hole exploited (ZDNet) A security hole in several Android remote support tools is being exploited in the wild
HTC phone stores fingerprints in easily accessible plaintext (Help Net Security) Pressing a finger on your mobile phone's fingerprint scanner has to be the easiest, most seamless way to unlock the device, and this is why more and more manufacturers equip their mobile products with it. In fact, it is predicted that by 2019, 50% of all shipped smartphones will have a fingerprint sensor
G Data counts 4 million malware samples: the record mark for Trojans and Android malware has been reached (Yelling News) Because the malware is so intelligently designed, Android Trojans and Android malware are becoming ever harder to detect. G Data records 4 million entries
Researchers Unveil Square Reader Mobile POS Hacks (Threatpost) It wasn't long ago when hacking a point-of-sale system meant deploying a RAM scraper at a retailer, sitting back and watching the credit card numbers roll in. Now that POS has gone mobile with vendors such as Square, Intuit, Revel and others using hardware fobs connected to smartphones and tablets to process credit card transactions, hackers are sure to follow the money trail there
"Darkhotel" Cyberespionage Group Boosts Attacks with Exploit Leaked from Hacking Team (PRNewswire) Following the public leak of files belonging to Hacking Team — the company known for selling "legal spyware" to some governments and law enforcement agencies — a number of cyberespionage groups have started using, for their own malicious purposes, the tools Hacking Team provided to its customers to carry out attacks. This includes several exploits targeting Adobe Flash Player and Windows OS. At least one of these has been recruited recently by the powerful cyberespionage actor, "Darkhotel"
Darkhotel's attacks in 2015 (SecureList) Darkhotel APT attacks dated 2014 and earlier are characterized by the misuse of stolen certificates, the deployment of .hta files with multiple techniques, and the use of unusual methods like the infiltration of hotel Wi-Fi to place backdoors in targets' systems. In 2015, many of these techniques and activities remain in use. However, in addition to new variants of malicious .hta, we find new victims, .rar attachments with RTLO spearphishing, and the deployment of a 0day from Hacking Team
Do You Want To Build A Snowman? (Duo Security) In case you haven't already heard the news, Google and Adobe just killed a popular information leak technique in the most recent version of Flash (v18.104.22.168). Mozilla went so far as to block Flash entirely. This was hot on the heels of two previously unknown, unpatched (0day) vulnerabilities in Flash, which were publicly disclosed as part of the enormous reams of information stolen from Hacking Team
.COM.COM Used For Malicious Typo Squatting (Internet Storm Center) Today, our reader Jeff noted how domains ending in ".com.com" are being redirected to what looks like malicious content. Back in 2013, a blog by Whitehat Security pointed out that the famous "com.com" domain name was sold by CNET to known typo squatter dsparking.com. Apparently, dsparking.com paid $1.5 million for this particular domain. Currently, the whois information uses privacy protection, and DNS for the domain is hosted by Amazon's cloud
DGA.Changer Gets Anti-Detection Upgrade (Dark Reading) New 'imitation game' feature helps botnet-for-rent fool security tools that use sandboxing
Asprox botnet, a long-running nuisance, disappears (IDG via CSO) The Asprox botnet, whose malware-spamming activities have been followed for years by security researchers, appears to be gone
UK job recruiters network hit by hacker, user info dumped online (Help Net Security) TEAM (The Employment Agents Movement), the largest network of independent recruiters in the UK, has been hit by a Saudi Arabian hacker who goes by the online handle JM511
Retailer Fred's found payment card malware on two servers (IDG via CSO) Retailer Fred's said Monday it found malware that collected payment card details on two of its servers, but it doesn't appear the data was removed from its systems
Anonymous Hacks Mexican Govt Website, Demands Justice For Rubén Espinosa (Hack Read) The online hacktivist collective Anonymous attacked the Mexican government website in protest at the murder of Rubén Espinosa, a local photojournalist
Hidden Link Analysis Reveals 92% of Suspicious IPs Not Blacklisted (Recorded Future) Blacklists are a useful and common tool for enterprises actively looking to keep suspicious IP addresses and URLs off their network and away from their infrastructure. Traditional blacklists are populated with information from intelligence feeds, intrusion detection systems, honeypots, and log files. But we at Recorded Future posit that traditional blacklists can be bettered by incorporating threat intelligence from deep and dark Web sources
How this hacker can virtually 'kill' you, and what to do about it (Christian Science Monitor Passcode) At the DEF CON hacker conference, Kustodian CEO Chris Rock demonstrated how fraudsters could artificially 'kill' someone for a profit or prank due to vulnerabilities in most countries' death registration processes
Health Data Breaches From Theft, Improper Disposal (HealthITSecurity) As often discussed on this site, health data breaches can stem from numerous areas. Covered entities and their business associates need to ensure they have a comprehensive data security plan, and are able to implement the necessary physical, administrative, and technical safeguards. However, accidents still happen, which is what two facilities are currently experiencing
How Identity Theft Sticks You With Hospital Bills (Wall Street Journal) Thieves use stolen personal data to get treatment, drugs, medical equipment
Facebook users: Make sure your mobile phone number is private (Graham Cluley) If you've got a Facebook account, chances are that you have told them an awful lot of information about yourself: your name, your location, your email address, your network of friends, your photos, your likes and dislikes… the list goes on
Why was Carphone Warehouse keeping customer passwords in plain text, just months after it was hacked? (Computing) When Carphone Warehouse was hacked at the end of 2014, the company was keen to reassure customers. "As part of our ongoing approach to security, we constantly test our systems and processes using external security consultants," it told customers
Carl Woerndle's business was ruined by a random cyber attack [audio] (Australian Broadcasting Corporation) Carl spent 10 years building a profitable IT business, and it took only a fortnight to tear it down
No one is safe: This tiny $30 device can break into your car and home (BGR) Not everyone wants to accept this simple truth, but that doesn't make it any less real: hackers outpace security advancements. When it comes to both online security and real-world security, hackers have already devised 10 new tools by the time security researchers come up with an effective way to block one old tool. As a result, no one is ever truly safe — and a new device recently shown off by a well-known security researcher is yet another example of just how vulnerable we really are
Hackers Cut a Corvette's Brakes Via a Common Car Gadget (Wired) Car hacking demos like last month's over-the-internet hijacking of a Jeep have shown it's possible for digital attackers to cross the gap between a car's cellular-connected infotainment system and its steering and brakes. But a new piece of research suggests there may be an even easier way for hackers to wirelessly access those critical driving functions: Through an entire industry of potentially insecure, internet-enabled gadgets plugged directly into cars' most sensitive guts
Connected cars not hacking it on all security fronts (Business Day) The morning after Laura Capehorn parked her Saab 9-3 estate, all she could find of it was a car-shaped hole in the snow. The interior designer had left the vehicle outside a house in London one evening last January
Cyber-physical attacks: Hacking a chemical plant (Network World) Def Con 23 included a talk about 'hacking chemical plants for competition and extortion.' Researchers released their Damn Vulnerable Chemical Process framework; using it, you can hack a chemical plant (simulation model) like an attacker and learn to spot cyber-physical attacks like a defender
Security Patches, Mitigations, and Software Updates
Windows 10 continually rebooting? It could be a buggy update (Graham Cluley) As ZDNet reports, some Windows 10 users have found themselves in possession of a continually rebooting computer after their PC downloaded a buggy cumulative update from Microsoft
Here's exactly why Microsoft needs to let users control the update process (FierceCIO) Some users are stuck in an update/reboot loop due to a flaw in a forced Windows 10 update
Verizon, T-Mobile Roll Out Stagefright Patch for Samsung Galaxy S5, Galaxy Note Edge and Galaxy Note 4 (Softpedia) Two more carriers roll out patches for Samsung phones
Black Hat 2015 — 5 security vulnerabilities that have researchers worried (TechWorld) Abstruse, sometimes informative and occasionally sensational, the Black Hat show's security presentations don't always describe the attacks that are happening today so much as what might be coming down the pike. In that sense, it's a sort of early warning system — as long as you can separate the far-fetched theoretical hacks and attacks from the ones that might actually come to pass
Black Hat: Talent Scarce, Firms Look to Automation and AI (Security Ledger) In-brief: with security talent scarce, experts at the Black Hat Briefings say that security automation fueled by machine learning and data analytics is going to play an increasing role in security operations
Smart Machines Still Need Smart People (Wall Street Journal) Smart machines are now capable of replicating many human capabilities. In a Deloitte Twitter chat, experts weighed in on the enterprise implications
The threat landscape runneth over, here's what we need to do (Digital News Asia) Automation needed to keep up, but people are still crucial in the security equation. The skills shortage and a culture of secrecy make Asia ripe for the picking
Don't Ignore Dark Web Dangers (eSecurity Planet) Many businesses do not think they need to worry about the Dark Web, says tech analyst Stephen George. But they are wrong
At Black Hat, Hottest Cyber Product Didn't Have a Booth (Council on Foreign Relations) Ah, Vegas in August. 100-degree heat, pool parties, and thousands upon thousands of hackers. Every summer the cybersecurity world takes over Sin City for a week. Black Hat, growing ever more corporate and responsible, is paid for on expense accounts. DEF CON? Well DEF CON is paid with cash at the door
Use Security as a Deal Maker (The VAR Guy) Every solution provider now needs to be able to address security issues just to land the deal — a change from IT security being the realm of a few specialists. In effect, every solution provider now needs to be an IT security solution provider
U.S. Cyber Command planning $460M IDIQ RFP in September (Washington Technology) The U.S. Cyber Command plans to set up a five-year, $460 million multiple-award contract to provide it and the Cyber Mission Force with cyber operations and planning support
Investors pour billions into cybersecurity firms (CSO) Venture capital firms and corporate investors have put a record amount of money into cybersecurity companies over the past year, and there's no end in sight
Mapping Israel's Cyber-Security Startups (TechCrunch) As Orson Welles put it in The Third Man, "In Italy, they had warfare, terror, murder, and bloodshed, but they produced Michelangelo, Leonardo da Vinci, and the Renaissance"
Symantec Corporation (SYMC — $22.91*) The Veritas Nightmare Finally Over-Sells for $8 Billion to Carlyle (FBR Capital) This morning, August 11, Symantec, in conjunction with reporting June results, officially announced the sale of its information management segment Veritas to Carlyle Group for $8 billion and roughly $6.3 billion in cash proceeds. While this potential transaction has been discussed in recent media reports, today's news should come as a relief to investors as Symantec finally unloads this "decade of agita" since the Veritas acquisition was done and now can laser-focus efforts on beefing up its legacy security platform through aggressive M&A with cash from this transaction
Symantec's Outlook Is Insecure as Its Competitors Gain Ground (The Street) Investors should avoid shares of security and enterprise software services company Symantec (SYMC - Get Report) ahead of its release of fiscal first-quarter 2016 earnings results Tuesday after the closing bell
The KEYW Holding Corporation (KEYW — $7.11*) Company Update (FBR Capital) Last night, August 10, KEYW delivered generally in-line June results that showed a decent rebound from a soft 1Q. While we were pleased to see stabilization at the government segment, the Street will be disappointed as KEYW's all-important commercial cyber solutions revenue came in at $2.5M, below the Street's $4.2M estimate as the company continues to struggle with converting pipeline into deal flow on this front
Kaspersky Lab: Based In Russia, Doing Cybersecurity In The West (NPR) Given Russia's cyber skills, it's not surprising that a Russian entrepreneur, Eugene Kaspersky, runs one of the world's leading companies offering protection from malware and online crime
A New Company Called Alphabet Now Owns Google (Wired) Google has reorganized itself into multiple companies, separating its core Internet business from several of its most ambitious projects while continuing to run all of these operations under a new umbrella company called Alphabet
Gemalto, Not So Secure… For Cameroon (Camer.be) The company is regarded as the world leader in digital security. Yet it carries some baggage
Oracle's Chief Security Officer thinks the company can do security better than you (The Next Web) Oracle's Chief Security Officer, Mary Ann Davidson, took to her corporate blog today to rant about security, and how Oracle has been pursuing its own clients that break its license terms to ensure software security
whiteCryption Listed in Gartner Hype Cycle 2015 as Vendor of Mobile Application Hardening, Application Shielding and Application Obfuscation (Sys-Con Media) whiteCryption®, leading provider of mobile security software code and data protection, is honored to announce recognition as a sample vendor in the Mobile Application Hardening, Application Shielding and Application Obfuscation sections of the recently published Gartner report "Hype Cycle for Application Security, 2015"
Why is Nike partying in Vegas with hackers? (New Zealand Herald) "Can y'all make some noise for Nike?" a DJ shouted across the packed dance floor of a Las Vegas club
Tesla Looking to Recruit Hackers to Strengthen its Cars Against Cyber-Attacks (iDigital Times) During the annual Def Con event this past Saturday in Las Vegas, carmaker Tesla recruited hackers at the event in an effort to protect its vehicles from possible cyber-attacks. This news comes after the exposure of how vulnerable to hacking automobiles from Fiat Chrysler and GM are, and of the industry's lack of cybersecurity know-how
Tesla Increases Bug Bounty Payout After Experts Hack Model S (SecurityWeek) Shortly after researchers disclosed a series of vulnerabilities found in the Tesla Model S, the electric car maker announced that it is increasing its maximum bug bounty payout to $10,000
Microsoft Puts A Bigger Bounty On Bugs (TechWeek Europe) The company promises bigger payouts for security researchers who find authentication exploits and submit ideas to strengthen Windows' defences
Thycotic Names James Legg President and Chief Operating Officer (Sys-Con Media) IT security industry veteran joins senior executive team at one of the fastest growing privately held companies in the US
Exabeam Selects New Channel, Technology Partner Strategies VP, Adds Resellers (Channel Partners) Computer security service provider Exabeam has selected Ted Plumis, formerly of Imperva, to lead its channel and technology partner strategies
Products, Services, and Solutions
Windows 10 hardening and enterprise security (ComputerWorld) Lots to like, but with some caveats
Wary Of Kaspersky? Consumer Choices In Computer Security Abound (NPR) NPR reviews the consumer choices in the anti-virus and anti-malware market
Watchful Software: Watchful Software Releases RightsWATCH 7.0 for Enhanced Security and Compliance (Bloomberg Business) RightsWATCH 7.0 more tightly integrates data classification and DLP strategies while enhancing the ability to securely share information with external users in collaboration with Azure RMS
Lockheed Martin Receives Enhanced Cybersecurity Services Accreditation from DHS (PRNewswire) Accreditation enables Lockheed Martin to use sensitive and classified data to defend customers
Someone At DEF CON Made a Drone That Hacks Computers (Defense One) You can buy it for $2,500 — and turn it into a flying malware injector
Technologies, Techniques, and Standards
Mobile threat intelligence is a boon, but beware of information overload (Tech Republic) As threat intelligence joins with mobile security to protect enterprise mobile devices it won't be without some pros and cons
Data Loss: The Business Challenge (InfoRiskToday) Websense's Singh on getting the best out of your DLP investment
Breach Prep: The Need for Pen Testing (InfoRiskToday) PwC's Veugelen on protecting businesses by assessing defences
Cybersecurity in Hospitals: Protecting Electronic Patient Devices from the Risk of Hacking (MD News) Almost every day there are reports of hackers breaching security protocols in banks, major chain stores and government offices to steal private, personal information. While these stories generally focus on the risk to one's credit score and the prevalence of identity theft, little attention has been paid to the threats to electronic medical devices with wireless capabilities
Pinpointing Your Security Risks (IT Security) Vulnerability scanning got its start as a tool for the bad guys; now it's helping companies find exposed network ports and at-risk applications
Design and Innovation
Kaminsky Creates Clickjacking-Killer (Dark Reading) Famed white-hat hacker proposes a fix for longtime Web attack vector
Research and Development
Quantum Computing — Tiny Particles, Big Problems (Team Cymru) Quantum computing — sounds like something ripped straight out of a Star Trek episode doesn't it? One can just hear Scotty on the Enterprise, "Cap't, the Quantum Computer has gone offline, I canna' make the calculations!"
Legislation, Policy, and Regulation
Pan-European cyber-security law includes digital in critical services (SC Magazine) A Pan-European cyber-security law may hold companies like Google and Amazon to stricter security requirements
Presidential hopefuls touch on data breaches, spying and other federal IT issues in GOP debate (FierceGovernmentIT) As expected, Republican presidential hopefuls in two separate debates last week debated major hot topics like immigration, terrorism and the economy, but they also touched on a handful of federal technology concerns such as government's electronic surveillance programs, cyberespionage and attacks from terrorist- and state-sponsored hackers
DHS cyber center gets new leadership (Federal Times) The National Cybersecurity and Communications Integration Center — Homeland Security's main processing center for threat information sharing and response — got new leadership Monday
Litigation, Investigation, and Law Enforcement
OPM officials hindering scrutiny of hacked computer systems, watchdog says (Washington Post) The Office of Personnel Management's inspector general has accused the agency's information technology office of trying to thwart scrutiny of how well OPM protected the security clearance and federal employee personnel files that were hacked and how well it responded to those breaches
FBI: When It Comes To @ISIS Terror, Retweets = Endorsements (Huffington Post) Which makes Twitter one of the bureau's best informants
Main Russian IS Recruiter 'Identified In Turkey,' But Who Is One-Legged Akhmet? (Radio Free Europe/Radio Liberty) Russia's security services claim to have established the identity of the main recruiter of Russian nationals to the Islamic State (IS) militant group, according to the Russian tabloid Life News, which has close ties to the country's security services
Data Security Firm Hit With Suit Over Cyberattack (Recorder) A Silicon Valley company that touted the security of its mobile platform is facing a shareholder class action related to a 2014 data breach
Newly Noted Events
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting; Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
ACFCS 2015 Cyber Financial Crime Summit (Washington, DC, USA, Oct 5 - 6, 2015) From massive data breaches to cyber fraud, hacktivism to cyber warfare, the threat landscape of cyber financial crime now reaches every part of public and private sector organizations. Yet too often the response has been fragmented, and in many cases key stakeholders — compliance professionals, investigators, security officers and others — haven't sat together at the same table. Financial crime compliance programs, including AML, fraud and others, play a key role in safeguarding against cyber threats. Over two days packed with practical guidance and networking, the Summit hones in on the knowledge, skills and awareness professionals need to be effective on the latest front against financial crime
3rd Annual Psyber Behavioral Analysis Symposium (Fort Meade, Maryland, USA, Aug 11, 2015) The 3rd Annual Psyber Behavioral Analysis Symposium is hosted by the NSA/CSS Threat Operations Center and the FBI Behavioral Analysis Unit-2/Cyber Behavioral Analysis Center. The goal of the Symposium is to provide U.S. and Second Party Intelligence Communities (IC) a forum to present and collaborate on Human Science-based projects and research. This event attracts a multi-disciplinary government audience from across the IC and Second Party Partner organizations
USENIX Security (Washington, D.C., USA, Aug 12 - 14, 2015) The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and other specialists interested in the latest advances in the security and privacy of computer systems and networks
5th Annual Cyber Security Training & Technology Forum (CSTTF) (Colorado Springs, Colorado, USA, Aug 19 - 20, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter and FBC, Inc. will once again co-host the 5th Annual Cyber Security Training & Technology Forum (CSTTF). CSTTF 2015 will bring together cyber experts from the DoD, federal government, business, research, and academia to address a variety of current cyber topics
Decepticon 2015 (Cambridge, England, UK, Aug 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines, sub-disciplines and countries. To cover the great diversity of approaches to deception research, our scientific committee has members covering several domains
AFCEA OKC Technology & Cyber Security Day (Oklahoma City, Oklahoma, USA, Aug 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker AFB. This is the only Technology Day held at Tinker AFB each year. The annual Technology Day allows exhibitors the opportunity to have access to information technology, communications, cyber, engineering, and contracting personnel at Tinker AFB. Over 300 attendees participated in the 2014 Technology Day and we expect the same level of attendance in 2015
Power Grid Cyber Security Exchange 2015 (San Diego, California, USA, Aug 30 - Sep 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology and information security executives. This program is tailored to utility executives and industry stakeholders that are responsible for addressing threat intelligence, analysis and monitoring; network architecture; and cyber incident response
2015 HTCIA International Conference & Training Expo (Orlando, Florida, USA, Aug 30 - Sep 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015 (Vancouver, British Columbia, Canada, Aug 31 - Sep 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire spectrum of work, from practice to theory, including its peripheries