The CyberWire Daily Briefing 08.12.15

Cyber Trends

The impact of the IoT on access control (Security InfoWatch) The IoT represents a fundamental change to the access control industry that not only impacts the kinds of tools we use and how we use them, but who makes the decisions on the customer side of the table

Corporate Encrypt–Everything Policies Gain Interest (Infosecurity Magazine) With tale after tale of data breaches and cyber-espionage making its way into the headlines, encryption by default has been a hot topic of late — and enterprises are beginning to respond. A large majority (84%) of respondents in a recent survey said that they had considered a security strategy of encrypting all sensitive data

Why you should stop worrying about online privacy (PCWorld via CSO) Experts say the personal data we most commonly give up online promotes our privacy in other ways, but the kicker remains: Can we trust how that data will be used?

3 Steps to Evaluate Your Supply Chain Preparedness (Security Magazine) Your supply chain is the lifeline of your business, but it also can be a significant vulnerability during a hurricane or a natural catastrophe or other event such as a cyber-attack, strike or delay. With hurricane season underway, it might be a good time to review your supply chain to understand critical dependencies and identify alternate sources in the event of a failure

VARs must add more value in security (CRN) Value-added resellers are perfectly placed to step in and help customers as the global threat landscape continues to escalate, argues Performanta Ltd CTO Lior Arbel

Asean organizations braced for cyber attack (ComputerWeekly) As an emerging economic power bloc, Asean is bracing itself for an influx of cyber crimes as hackers look for lucrative targets

Australian businesses under cyber attack (ComputerWeekly) What are the cyber security risks facing businesses in Australia and New Zealand and how are organisations addressing them?

Top 10 U.S. cities for online fraud (Help Net Security) Data reveals Tampa as the top hot spot for online fraud and ThreatMetrix found a correlation between top cities for fraud and those home to hosted data centers

UK councils suffer over 4,000 sensitive data breaches in three years (V3) UK councils have recorded thousands of data breaches over the past three years, according to a report released by privacy group Big Brother Watch

Driving Your Car Will Soon Be Illegal (TechCrunch) Driving a car will be illegal by 2030. Our economy will be severely impacted as millions of truck drivers, cabbies and delivery people are put out of work. In this era of endless innovation, man's century-long relationship with the automobile is about to be permanently disrupted

Legislation, Policy and Regulation

DEF CON 23: Two major roadblocks to cyber diplomacy, says former US diplomat (ComputerWeekly) The problem of attribution and the disclosure dilemma continue to hamper cyber diplomacy, but the US might just have cracked the former, according to David An

Senators have clear choices on CISA in the fall (Washington Examiner) The Senate fumbled on cyber legislation as it headed out the door for a month-long recess, but perhaps set the stage for success in the fall by separating the debate on information-sharing from assorted "poison pills" that had varying degrees of relevance to cybersecurity

Obama Asks for 72 Percent Increase in IRS Cyber Funding to Combat ID Thieves (National Journal) To protect data and taxpayers, the Obama administration asks for $242 million

White House issues cybersecurity rules for contractors (The Hill) The Obama administration has released draft guidelines that would require government contractors handling sensitive data to meet baseline security requirements and report digital intrusions to authorities

Contractors ask White House to stop regulations (Federal Times) Four federal trade associations have penned a letter asking the White House to stem the tide of executive orders on contracting

Phreaker, Maker, Hacker, Ranger: One Vision for Cyber Support to Corps and Below in 2025 (Small Wars Journal) The operationalization of the Cyberspace Domain at the tactical-level continues to exacerbate both tactical theorists and practitioners alike. For theorists, much of this stress and anxiety stems from a deficiency in unclassified historical examples and the abstractness of cyberspace as a warfighting domain. The lack of historical examples and cross-domain nature of cyberspace makes it difficult to fit cyber-related tactical concepts into traditional doctrine. For tactical practitioners who employ troops on the battlefield, the lack of a concise and communicable Mission Essential Task List (METL) to assist commanders in understanding, visualizing, and describing operational concepts to their staffs continues to limit cyberspace integration into maneuver. The purpose of this paper is not to provide a concrete solution on which to base the tactical-level operationalization of cyberspace off of, but rather to establish an intellectual target reference point for Army thinkers to "adjust fire" off of as they develop the Army's cyber way-ahead for the next decade

Sen. Warren Worried About Banks' New Encrypted Messaging Platform (Theatpost) The list of politicians in Washington wringing their hands over the increasing use of encryption by consumers and businesses is growing longer by the day. Sen. Elizabeth Warren added her name to that list on Monday

Hacking-enabled insider trading underlines need for cyber legislation (ComputerWeekly) The latest insider trading case highlights the need for legislation to strengthen cyber security, according to an international cyber security expert

Products, Services, and Solutions

Kali Linux 2.0 released: New 4.0 kernel, improved hardware and wireless driver coverage (Help Net Security) Kali Linux, the open source penetration testing platform, has reached version 2.0

Sophos Wins All Three Security Categories in 2015 CRN® Annual Report Card (Consumer Electronics) First time one company is voted 'Best In Class' for Network Security Software, Network Security Appliances and Client Security Software by solution providers

Frost & Sullivan Recognizes WatchGuard's APT Blocker with the 2015 New Product Innovation Award (ADVFN) WatchGuard® Technologies, a leader in multi-function integrated security appliances, today announced that its advanced malware and zero-day threat protection solution, APT Blocker, has been named a recipient of Frost & Sullivan's 2015 New Product Innovation Award. This recognition is based on an extensive and independent analysis by Frost & Sullivan of the worldwide small and midsize business (SMB) market for advanced persistent threat (APT) protection solutions

Code Dx® and Checkmarx Partner to Enhance Software Security (Sys-Con Media) Partnership enables organizations to easily scan code and eliminate software risk

DB Networks Provides Non-intrusive and Continuous Database Discovery as a Superior Solution to Traditional Database Port Scanning (IT Business Net) There's a large hidden attack surface at the center of many organizations' IT infrastructures and legacy security mechanisms are powerless to sniff out the danger. Specifically, the risk is undocumented and unmanaged databases. DB Networks is addressing the problem through continuous yet non-intrusive database discovery

CRN Exclusive: Verizon Rolls Out Rapid Response Retainer Program To The Channel (CRN) Verizon is rolling out its cybersecurity portfolio into the channel. The carrier's Rapid Response Retainer program will now be available for its VAR and master agent partners to sell to their end customers, Adam Famularo, Verizon's global channel vice president told CRN

Elcomsoft Phone Breaker Targets Popular Password Keepers (PRNewswire) ElcomSoft Co. Ltd. updates Elcomsoft Phone Breaker, the company's mobile forensic tool for logical and over-the-air acquisition of mobile devices. Version 4.10 decrypts passwords stored in 1Password containers and becomes an industry first tool to instantly unlock BlackBerry Password Keeper for BlackBerry 10. The tool integrates the extraction of iCloud authentication tokens into the user interface

DEF CON Wall of Sheep Gets a DNStap (Enterprise Networking Planet) Not all network taps are a bad thing. DNS luminary Paul Vixie talks DNStap and its security applications

U.S. Army Renews Certificate of Networthiness for Cryptzone's Compliance Sheriff (Cryptzone) Compliance Sheriff meets strict security and compatibility standards for deployment throughout the U.S. Army's IT infrastructure

Napatech Deploys Pandion to U.S. Government Market (PRNewswire) Company accelerates time-to-market for network management and security solutions with high-speed capture-to-disk platform

IBM Watson Applied to Intelligence Problems (National Defense) IBM's cognitive computer system, Watson, which once beat Jeopardy's top human players, can assist in situations specific to defense and intelligence communities, product officials said

Cloud security: Integrated global CDN with DDoS mitigation and WAF (Help Net Security) Applications are becoming more accessible on the web across all industries including gaming, e-commerce, software, and media. This is great for reaching new customers around the globe, but along with new opportunities comes the threat of increasingly complex attacks against web applications

Technologies, Techniques, and Standards

Winning the Online Banking War (TrendLabs Security Intelligence Blog) Detecting banking malware has become part and parcel of the security industry, so cybercriminals are continuously looking to gain the upper hand in the battle against the financial industry and security vendors. In the BlackHat presentation Winning the Online Banking War last August 5, Sean Park proposed the use of a new online banking security framework for banks and web app developers called "Malware Inject Prevention System"

Managing Reputational Risks Across the Enterprise (Wall Street Journal) Too often, managing reputational risk is a task left for individual functions, without a unified channel to the board and C-suite executives. Social media, however, is creating an imperative for many organizations to take a consistent, broader and strategic approach to managing reputational issues, starting with a fully dedicated chief risk officer (CRO). Henry Ristuccia, a Deloitte Advisory partner in Deloitte & Touche LLP, and Global Governance, Regulatory and Risk leader, Deloitte Touche Tohmatsu Limited, discusses the importance of viewing reputation as an asset that contributes value and what the C-suite can do to protect it

Improving Healthcare Data Security With a Single View of the Patient (B2C) According to the Department of Health and Human Services, medical information about more than 120 million people has been compromised in more than 1,100 separate breaches since 2009, and sadly the number is rising as healthcare data breaches continue to occur at alarming rates. Healthcare industry data theft accounts for 42.5 percent of all data breaches since 2012, followed by the business sector with 33% of breach activity and the government with 11.7 percent

Win against ransomware — with free staff Wi-Fi! (Naked Security) We've all heard horror stories of encrypting ransomware chewing through the core digital assets of a business, and holding them at the mercy of the attackers

Email Security Awareness: How To Get Quick Results (Infosec Institute) Phishing and spear phishing attacks on the rise

Windows Service Accounts — Why They're Evil and Why Pentesters Love them! (Internet Storm Center) Windows Service Accounts have been one of those enterprise "neccessary evils" — things that you have to have, but nobody ever talks about or considers to be a problem. All too often, these service accounts are in the Domain Admins group, with passwords like "Service123", "S3rvic3" or something equally lame. And all too often, application vendors that use these services insist on just such a configuration

How to prevent insider threats in your organization (Help Net Security) Time and again, organizations of all sizes and in all industries fall victim to insider threats: disgruntled, malicious insiders — employees, former employees, contractors or business associates — who want to hurt the company or make money, or, more often, bumbling or indifferent employees who accidentally put sensitive company information at risk

Marketplace

Getting to Cyber Value-at-Risk (While We're Still Young) (CyberPoint Risk Analytics) In the Wall Street Journal's CIO Journal, Deloitte writes, after a thoughtful consideration of the World Economic Forum's Partnering for Cyber Resilience, "It took the financial services industry 30 years to refine value-at-risk to the point where it's useful and trustworthy." Deloitte offers some useful interim measures that could contribute to risk mitigation, but their conclusion seems to be that a comprehensive solution remains to be achieved: we need "a large set of real-world historical data regarding the frequency and severity of risk events that's not yet widely available"

CSC is acquiring Fixnetix and Fruition Partners (ZDNet) The company announced the acquisitions on top of its first quarter earnings and revenue report, which was mostly in line with expectations

Salient Federal Solutions and CRGT Announce Merger (BusinessWire) Salient CRGT Positioned for Leadership in IT Modernization and Business Intelligence for Government Customers, Backed by Bridge Growth Partners and Frontenac

Newton cybersecurity firm acquires Israeli company (Boston Business Journal) CyberArk, a Newton-based security software firm, said Tuesday that it acquired an Israeli-based cybersecurity company

CyberArk Software (CYBR) Stock Gains in After-Hours Trading on Earnings Beat (TheStreet) Shares of CyberArk Software (CYBR) were gaining 1.8% to $60 after-hours Tuesday after the information security firm beat analysts' estimates for earnings and revenue in the second quarter

Symantec (SYMC) Michael A. Brown on Q1 2016 Results — Earnings Call Transcript (Seeking Alpha) Please stand by, we're about to begin. Good day and welcome to Symantec's First Quarter 2016 Earnings Conference. Today's conference is being recorded. At this time, I'd like to turn the conference over to Sean Hazlett

KEYW up 11% in spite of EPS miss, new Hexis guidance cut (Seeking Alpha) With shares down 32% YTD going into earnings in spite of a major rally in security tech names, KEYW Holding is up strongly after missing Q2 EPS estimates and slightly beating on revenue

Cisco Systems, Inc. (NASDAQ:CSCO) shares loses Shine after Glomy Data with Juniper Networks, Inc. (NYSE:JNPR), Palo Alto Networks, Inc. (NYSE:PANW) (Street Wise Report) Shares of Cisco Systems, Inc. (NASDAQ:CSCO) plunged 1.19% after the company reported that fiscal 1Q earnings could turn out when the firm reported the earnings on August 12. In fiscal for 1Q, Cisco attained Open DNS for $635 million

In cybersecurity, workers must think on feet, culture czar says (Dallas Morning News) When Trend Micro, one of the world's biggest cybersecurity companies, reorganized its leadership, co-founder Jenny Chang wasn't sure she had a place in the company anymore

Malwarebytes partners unsettled by two-tier change (CRN) US security vendor to turn off online ordering portal for partners in September with price rises also expected

Oracle CSO: You 'Must Not Reverse Engineer Our Code' (Threatpost) Oracle, never the most researcher-friendly software vendor, has taken its antagonism to another level after publishing a blog post by CSO Mary Ann Davidson that rails against reverse engineering and saying that the company has no need for researchers to look at Oracle's code for vulnerabilities because "it's our job to do that, we are pretty good at it"

Oracle to 'sinner' customers: Reverse engineering is a sin and we know best (ZDNet) Opinion: Stop sending vulnerability reports already. Oracle's chief security officer wants to go back to writing murder mysteries

Adobe and PageFair claim ad blockers will cost business $22 billion in 2015 (Naked Security) The rapid growth of people using ad blockers is costly to publishers and advertisers (according to publishers and advertisers). The trend has got the advertising industry rattled and looks set to grow worse as ad blocking comes to mobile devices

Compete for Funding for your Cyber Startup at CyberMaryland 2015 (Sys-Con Media) CyberMaryland to host venture capital sessions to create funding opportunities for Early Stage and Emerging Growth Cyber Companies

Rook Security Growing Indy HQ (Inside Indiana Business) Rook Security Inc. has announced plans to expand its Indianapolis headquarters and create more than 130 jobs by 2024. The company, which moved to Indianapolis from Silicon Valley in 2010, says the move will help it keep pace with sales growth

Comilion Appoints James Nyfeler Vice President of Sales (MarketWatch) Former RSA and IBM security executive joins cybersecurity collaboration vendor to drive global business

Norse Names David Weier as Senior VP Global Sales (BusinessWire) Accomplished sales executive to take threat intelligence solution sales to the next nevel

Meet Sundar Pichai, Google's new CEO (IT World) As part of a corporate reshuffle announced Monday, Sundar Pichai has been named the CEO of Google as it becomes a subsidiary of a new company called Alphabet. It's yet another step up for the 43-year-old executive who has been on a meteoric rise through Google's corporate structure

Research and Development

The NSA is funding a 'safer' Internet of Things (Naked Security) The National Security Agency (NSA) is paying to build <strike>backdoors</strike> security into the Internet of Things (IoT)

Security Patches, Mitigations, and Software Updates

Patched Android 'Serialization' Vulnerabilty Affects 55 Percent of Devices (Threatpost) Google has patched a severe Android vulnerability that researchers at IBM said impacts more than 55 percent of devices. As with most Android vulnerabilities, users are reliant on handset makers and carriers to push patches downstream to devices, something they've not always been diligent about

Microsoft Security Bulletin Summary for August 2015 (Microsoft Security TechCenter) This bulletin summary lists security bulletins released for August 2015

Microsoft fixes four critical security flaws in August's Patch Tuesday (ZDNet) Even Windows 10 wasn't left out of this month's bumper round of security updates

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Firefox OS (US-CERT) The Mozilla Foundation has released security updates to address critical vulnerabilities in Firefox, Firefox ESR, and Firefox OS. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system

Security updates available for Adobe Flash Player (Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system

Using Adobe Flash? You should patch it pronto (Graham Cluley) If you still have Adobe Flash installed on your computer, you should patch it pronto — regardless of whether you are running Windows, OS X or Linux

OpenSSH 7.0 Fixes Authentication Vulnerability, Other Security Bugs (SecurityWeek) The developers of OpenSSH announced on Tuesday the availability of version 7.0. The latest release includes new features, security and bug fixes, and cryptography improvements

Cyber Attacks, Threats, and Vulnerabilities

ISIS Group Claims to Have Hacked Information on U.S. Military Personnel (NBC News) A hacker group claiming to be affiliated with the terror organization ISIS on Tuesday posted what it said was the personal information of hundreds of members of the military and government personnel, and urged terrorists to carry out attacks

'ISIS leak HACKER'S GUIDE to hundreds of US military personnel' (Express) Hundreds of military personnel and embassy staff could be at risk after Islamic State (ISIS) leaked what is believed to be their names, email addresses and passwords online

Taliban Condemns IS Video Of Afghan Prisoners Being Blown Up (Radio Free Europe/Radio Liberty) Afghanistan's Taliban has condemned a video that appears to show militants loyal to the Islamic State (IS) group blowing up bound and blindfolded Afghan prisoners with explosives

The Songs Of The Islamic State — A Major Tool For Reinforcing Its Narrative, Spreading Its Message, Recruiting Supporters (MEMRI) Alongside its military successes, the Islamic State (ISIS) has made considerable achievements in the media and propaganda domain. Its members and supporters utilize social media and online forums to further their various goals, such as recruiting fighters and funds, spreading the organization's message and waging psychological warfare

Smile! The malware is taking a picture of you (Fortinet Blog) The malware claims it has detected "forbidden pornographic" pictures on your device, says it has reported it to the FBI and asks you to pay a fine of $500. To make the (fake) report appear even more scary, the malware displays your IP address and a picture of you. It says those were sent in the report to the FBI

Chip Card ATM 'Shimme' Found in Mexico (KrebsOnSecurity) Fraud experts in Mexico have discovered an unusual ATM skimming device that can be inserted into the mouth of the cash machine's card acceptance slot and used to read data directly off of chip-enabled credit or debit cards

IoT devices: The good, the bad and the ugly (Help Net Security) Cognosec has revealed critical security flaws in ZigBee, one of the most popular wireless communication standards used by Internet of Things (IoT) devices today

June Was 'Worst Month Of Malvertising Ever' (Dark Reading) Flash zero-days made it easier to deliver ransomware and banking Trojans, and commit click fraud

Did Carphone Warehouse hackers use a DDoS attack as camouflage? (Graham Cluley) There's an interesting story in The Telegraph today about the hack of mobile phone retailer Carphone Warehouse which became public at the weekend, and saw the personal and banking details of 2.4 million customers put in danger

BlackBerry challenges report that its QNX Neutrino OS was implicated in Jeep hack (FierceITSecurity) BlackBerry is disputing a claim on Seeking Alpha that its QNX Neutrino operating system was somehow implicated in the recent hack of a Jeep Cherokee by two security researchers who were able to take control of the vehicle

Academia

Hitting the Cyber Skills Shortage Head On (IBM Security Intelligence) The low availability of professionals with specialized cyber skills is one of the biggest issues facing organizations looking to defend their core business systems against cyberattacks. A recent report from Information Systems Audit and Control Association (ISACA), titled "The Growing Cybersecurity Skills Crisis," estimated that there are as many as 1 million unfilled security jobs worldwide, as shown below

HCC offers 2-year program in burgeoning cybersecurity (Honolulu Star Advertiser) Are you considering a career in cybersecurity? There were more than 75,000 information security analyst positions available in 2012, and it is projected that the number will climb to over 100,000 jobs by 2022, according to the U.S. Department of Labor's Occupational Outlook Handbook. Reports from Cisco and Symantec indicate a shortage of talent with over 1 million unfilled openings globally. Fortunately, formal education programs are available on Oahu

Litigation, Investigation, and Enforcement

32 hackers and traders charged with $100m in "insider trading" using stolen press releases (Naked Security) What a difference half an hour can make!

Nine Charged in Insider Trading Case Tied to Hackers (New York Times) Federal authorities announced on Tuesday that they had broken up a five-year scheme in which rogue traders gave overseas hackers a "shopping list" of confidential corporate news releases to steal, generating more than $100 million in illegal profits

Hackers who breached corporate wires made millions off insider trading (Washington Post) An international hacking ring armed with tens of thousands of corporate secrets pocketed more than $100 million from illicit trades, targeting a core vulnerability of the financial system in one of the digital age's most sprawling insider-trading schemes, federal investigators said Tuesday

Feds charge hackers in massive insider trading scheme (The Hill) Federal authorities say they have busted a massive, global ring of hackers and traders who allegedly conspired to access financial press releases before they were published, making more than $100 million in profits off illegal trades based on the information

U.S. to Charge That Hackers Tapped Early Deal News (Wall Street Journal) Prosecutors plan to charge several people with securities fraud in connection with alleged scheme

Defense Stocks Involved in Hacking Scheme (Defense News) Three major US defense firms were among the victims of an alleged hacking ring based in Ukraine that accessed and leaked press releases to co-conspirators who traded on the information before it became public

Hacking charges show merger of finance and cybercrime (AP) Companies can spend millions of dollars on state-of-the-art cybersecurity to protect their most precious information, but that could all be for naught if outside companies with access to it don't adhere to the same high security standards

Stingray-like phone spying machine used to blackmail and rig state tenders (Naked Security) South African law enforcement agents arrested three men for allegedly getting their hands on a phone spying device and using it to bug and track members of the bid adjudication committee of the Airports Company South Africa, which decides on contracts worth hundreds of millions

FBI Details Takedown of Gameover Zeus Botnet (eSecurity Planet) FBI agent explains how law enforcement worked with security vendors to bring down a major botnet operation

Hackers in chains: Class of 2015 (FierceITSecurity) Should a hacker spend as much time in prison as a person who, say, robs a bank? Are crimes as devastating in the virtual world as they can be in the physical world? These are questions that pop up often when cybercriminals get caught

UCLA Health faces lawsuit for privacy breach in recent cyber attack (Daily Bruin) A Los Angeles man filed a class action lawsuit against UCLA Health, alleging the health care provider did not adequately store private medical information of about 4.5 million patients during the recent cyber attack, a law firm announced Tuesday

Class action sought by lawsuits in massive Indiana health care data breach (Health Care Business) A pair of lawsuits in a massive Indiana health care records hacking case is just the latest turmoil for health care providers facing an ongoing onslaught of black-hat thieves targeting the rich lode of EHR data

Twitter Adds Email Privacy Data to Transparency Report (Theatpost) The number of information requests Twitter is receiving from the United States government is increasing steadily, having risen roughly 50 percent in the first six months of this year compared to the last six months of 2014

After "you can't catch a hacker" boast, FBI makes easy work of swatting teen (Ars Technica) From Texas, Zachary Lee Morgenstern, 19, swatted innocents in Minnesota town

Threat to American soldiers was a hoax (11 Alive) A National Guard soldier was arrested for filing a false report of a threat that took social media by storm and created fear among local military personnel

Design and Innovation

New IP address blacklist based on Web chatter (CSO) Traditionally, blacklists of malicious IP addresses are assembled using honeypots and intrusion detection systems but a new approach, analyzing chatter on the dark and open Web, can find malicious addresses that would have been otherwise missed

How Uber Could Contribute to the Future of Spycraft (Nextgov) The intelligence community this month quietly released an unprecedented, unclassified five-year-roadmap charting the future of data analysis it wants commercial startups like ride-sharing firm Uber to read