The CyberWire Daily Briefing 08.13.15

Cyber Attacks, Threats, and Vulnerabilities

Australians exposed in I.S. cyber attack (Sky News) The details of a Victorian MP, NSW public servants and defence force workers and their relatives have been published by hackers claiming to be from Islamic State, Fairfax Media reports

Cyber-security expert says IS-linked data dump shows reach of cyber-extremists (Australian Broadcasting Corporation) The head of a technology company which provides software to help agencies identify security threats says this latest hacking attack illustrates the reach of cyber-criminals and extremists

Isis 'hacking division' releases details of 1,400 Americans and urges attacks (Guardian) Spreadsheet lists names, email addresses, phone numbers and passwords of US military and government staff, but marines say information is out-of-date

ISIS hacking group tweets support for 'lone wolf' attacks on military personnel (Military Times) A group calling itself the "Islamic State Hacking Division" released personal information for hundreds of U.S. military and government personnel via Twitter on Tuesday, urging group members to carry out attacks

ISIL's most important anniversary is coming up and it's not what you think (War on the Rocks) How the Islamic State tells its own history is critical to understanding everything important about it. And if we cannot understand the Islamic State, we are unlikely to defeat it

Kerry Just Proved That US Cyberdefenses Are Too Weak (Value Walk) U.S. Secretary of State John Kerry said that Russian and Chinese hackers are most likely reading his emails, and he writes things "with that awareness"

Tinba Trojan Sets Its Sights on Romania (IBM Security Intelligence) While Romania is widely suspected of being home to a large amount of cybercriminals — even with one city dubbed by some as "Hackerville" — we seldom see it targeted by those who attack Western countries

CVE-2015-5699 — Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, Vulnerable to Local Privilege Escalation (Bot24) Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, is vulnerable to local privilege escalation via Command Injection. Cumulus Linux's clcmd_server, when receiving commands that end in user supplied labels, will execute any other command appended to the end of it whether it is in the Rosetta or not. And it will do so using its own running credentials which are root

OS X Zero-days on the Rise — A 2015 Midyear Review and Outlook on Advanced Attack Surfaces (TrendLabs Security Intelligence Blog) 2015 has so far been a very busy year for security researchers. The data leaked from Hacking Team shocked many, thanks to the multiple zero-days that were disclosed, as well as emails discussing the unscrupulous trade in exploits and "tools"

VOIP Fraud: Brute Force & Ignorance (Team Cymru) The topic of VoIP fraud seems to ebb and flow within the IT-industry press, but struggle to break the surface of mainstream media. Specialist publications report flaws in commonly-used home routers and widespread campaigns against corporate VoIP PBXes while these stories are bypass the general public completely

Hack Satellite Connection and Surf Anonymously with High-speed Internet (Security Affairs) A Spanish-based security analyst demonstrated new satellite capturing traps that could allow to surf anonymously with High-speed Internet

Yes Virginia, Stored XSS's Do Exist! (Internet Storm Center) When you go through website security, Cross Site Scripting (XSS) is almost always discussed. Almost exclusively, Reflected XSS is the main topic, and it almost always covers the lion's share of the demonstrations and vulnerabilities found. Mainly because Stored or Persistent XSS is harder to find

Securing OS X: Apple, Security Vendors Need To Up Their Game (Dark Reading) To date, OS X malware is pretty lame, but it's easy to write better malware to bypass current defenses, security researcher Patrick Wardle told a Black Hat audience last week

RFID Susceptible to Cloning, Other Hacks (eSecurity Planet) As RFID usage grows, so too do tools to clone and abuse RFID signals

Scammers exploit mobile ads for easy profit (Help Net Security) Pop-up ads targeting mobile device users are, arguably, one of the most annoying things in existence. But did you know that they could also make you inadvertently spend small amounts of money for effectively accessing a website you never wanted to visit in the first place?

Would you click on this? (Graham Cluley) I've received an email, apparently from a PR agency based in San Francisco. The PR agency is real, with real clients, and real offices. But the email is bogus

How to disable a car's brakes just by sending an SMS (Hot for Security) Last month, security researchers grabbed the headlines dramatically by demonstrating how they had found a way to remotely hack into a Jeep as it drove down the highway at 70mph, mess with its controls, and cut its engine. Car manufacturer Chrysler was compelled to recall 1.4 million cars for a security update in response

Security Patches, Mitigations, and Software Updates

Salesforce Closes Door to Hack Attacks (Top Tech News) An injection vulnerability that could have opened the door to hackers has been patched by Salesforce after security Relevant Products/Services researchers notified the company of their discovery. The vulnerability, which existed in a subdomain of the Salesforce.com cloud-based CRM Relevant Products/Services platform, could have paved the way for phishing e-mails that looked legitimate because they would have appeared to come from within the application itself

Lenovo Service Engine (LSE) BIOS Vulnerability (US-CERT) Certain Lenovo personal computers contain a vulnerability in LSE (a Lenovo BIOS feature). Exploitation of this vulnerability may allow a remote attacker to take control of an affected system

Lenovo's Service Engine marks yet another bloatware blunder for the company (PCWorld via CSO) By preventing laptops and desktops from performing a truly clean install of Windows, Lenovo may have left users open to attack

Evolution in Attacks Against Cisco IOS Software Platforms (Cisco) Cisco PSIRT has contacted customers to describe an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image

SAP Security Patch Day — August 2015 (SAP Community Network) This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visit the Support Portal and apply patches on a priority to protect his SAP landscape

SAP Security Notes August 2015 (ERPScan) SAP has released the monthly critical patch update for August 2015. This patch update closes 22 vulnerabilities in SAP products, 15 have high priority, some of them belong to the SAP HANA security area. The most popular vulnerability is Cross Site Scripting (XSS). This month, three critical vulnerabilities found by ERPScan researchers Dmitry Chastuhin, Vahagn Vardanyan, Roman Bejan were closed

Microsoft Patches USB-Related Flaw Used in Targeted Attacks (Threatpost) It used to be that dropping a USB stick in a parking lot in the hope that someone plugs the malicious peripheral into an important computer was the realm of penetration testers and ambitious nation-state actors

Five years after Stuxnet, your USB drive is still being patched (Lumension) Yesterday was Patch Tuesday, and — as Optimal Security's Russ Ernst described — Microsoft released fixes for a smorgasbord of vulnerabilities

New Docker crypto locker is a blocker for Docker image mockers (Register) Verison 1.8 adds container signing to prevent man-in-middle attacks

Cyber Trends

Momentum Builds for Killing Flash (Infosecurity Magazine) What is the source of the greatest security risk facing companies and individuals today? A recent survey suggests that it's those gadgets and various screens with which we spend an inordinate amount of time — followed by one main software piece: Adobe Flash

Emerging hacking trends worry seasoned security professionals (TechTarget) What's the scariest thing about hackers right now?

Revisiting takedown wins: Are users in the developing world getting left behind? (Help Net Security) We have all seen the headlines: another botnet dismantled, and we can all rest easy that the threat that has been plaguing us for all those years is now no longer an issue. After the headlines, however, the hardest task begins — a task that garners no headlines and really typifies the challenge that all of us within the information security industry face

Citrix Poll: Majority of Employees Use Work Devices Without Security Software (ExecutiveBiz) A Citrix-commissioned survey says 88 percent of the American workforce use company-issued computers and mobile devices that are not equipped with corporate security software

Looks like mobile device security is on nobody's mind (Help Net Security) Despite recent high-profile data theft attacks, much of the American workforce has not taken action to protect information on their personal and corporate-issued devices. Citrix found that the majority of people have not installed security software on personal devices, strengthened their Wi-Fi password or changed their passwords more frequently

Marketplace

Why Even Startups Need to Care About Security (AlleyWatch) Startups beware: Security is not just for established companies. One big data breach could cost you your business

BIMCO to focus on cyber security and maritime casualty crisis (Ship Technology) Shipping association BIMCO is taking initiatives to increase awareness about cyber security in a bid to prepare ship owners to avoid commercial, safety and environmental risks

4 Cyber Security Stocks that Posted Solid Q2 Earnings (Nasdaq) The second-quarter earnings season is almost over with less than 10% of the companies left to report their results. In the broader technology sector, cyber security stocks stole the show as most of the players beat our earnings and revenue estimates, and issued upbeat guidance

Insider Buys Are Telling Something: A10 Networks Inc (NYSE:ATEN), Apollo Investment Corp. (NASDAQ:AINV), AmerisourceBergen Corp. (NYSE:ABC) (Wall Street Point) Insider Trading is the buying or selling of a security by someone who has access to material, nonpublic information about the security. Insider trading is legal once the material information has been made public, at which time the insider has no direct advantage over other investors. The SEC, however, still requires all insiders to report all their transactions. So, as insiders have an insight into the workings of their company, it may be wise for an investor to look at these reports to see how insiders are legally trading their stock

Cisco CEO: Cybersecurity acquisitions are coming (CNBC) Networking giant Cisco Systems reported its first quarter with CEO Chuck Robbins at the helm, since the retirement of long-time CEO John Chambers. And while the stock has been stalled recently, Jim Cramer thinks that the company is moving in the right direction

Cyber security startup Tanium raising new VC at $2.5 billion valuation (Fortune) Tanium is raising a big new funding round, and expanding its investors base beyond Andreessen Horowitz

Startup Zscaler Raises $100M for Cloud Security Technology (The VAR Guy) Security startups continue to cash in with Zscaler being the latest to join companies like BitSight, Menlo Security and CounterTack on the list of new firms being funded to bolster their respective security strategies

CloudLock: The Sky is the Limit for this Leader of Cloud Security (Venture Fizz) With breaches and hacks of all kinds taking place across the globe these days, IT security is no longer an option… it's flat out mandatory

Why Oracle CSO attempt to shoot the messenger is misguided (CSO) Mary Ann Davidson, CSO of Oracle, unleashed a firestorm of controversy this week thanks to a misguided and ill-advised blog post. Davidson ranted about customers doing independent vulnerability scans to detect flaws in Oracle code and stressed that any poking around in the Oracle code is a violation of the licensing terms of service

Security industry reacts to Oracle's CSO missive (CSO) Reactions to the controversial post diverse and emotional

Facebook Awards $100,000 for New Class of Vulnerabilities and Detection Tool (Threatpost) Facebook tonight awarded a $100,000 prize to a team of Georgia Tech researchers who found a new class of browser-based memory-corruption vulnerabilities and built a corresponding detection technique. The award brings the social media giant on par with Microsoft and its six-figure payouts for mitigation bypasses and new defensive techniques for those bypasses

BlackBerry Joins the National Cyber Security Alliance (NCSA) (MarketWatch) The National Cyber Security Alliance (NCSA), a nonprofit public-private partnership focused on helping all digital citizens stay safer and more secure online, today announced that BlackBerry Corporation, a global leader in mobile communications, has joined the organization

JDL Technologies Joins InfraGard Member Alliance (NASDAQ) FBI InfraGard program fosters information-sharing between private and public sectors to protect nation's critical infrastructure

Products, Services, and Solutions

This cybersecurity startup is sending 'crawlers' into the dark web to find hacked data (Technical.ly Baltimore) Matchlight, the first product from South Baltimore-based Terbium Labs, can find data faster than products currently in use, says CEO Danny Rogers

SAP Security Awareness: vulnerabilities are changing the SAP Security market (ERPScan) SAP Security Awareness is constantly growing. First of all, at the BlackHat's Pwnie Awards, on August 6, vulnerability in SAP Compression algorithm won the first prize for Best Server-Side vulnerability. This is the second time SAP vulnerability highlighted in the Pwnie awards. In 2013, the vulnerability in SAP Router identified by ERPScan's Researcher was nominated for best server-side vulnerability

Sookasa Announces Platform Integration with Google Drive (PRWeb) Sookasa's holistic cloud security solution makes it possible for businesses to safely adopt the SaaS platform and securely synchronize files across unmanaged devices

BitSpray® — The Last Line of Defense (Sys-Con Media) Data-level protection when all else fails

Napatech Deploys Pandion to U.S. Government Market (IT Business Net) Company accelerates time-to-market for network management and security solutions with high-speed capture-to-disk platform

Putting Hardware Hacking on the OEM Radar (EBN) In a world with an increasingly complex security landscape, hacking has gone well beyond corporate web sites and consumer's computers. More than ever before electronics OEMs need to be aware of the complex and multinational nature of hardware hacking, and plan their supply chain accordingly

Bastille promises to find malicious wireless devices in corporate networks (Network World) Continuous wireless scanning reveals where unauthorized IoT devices are located and what they are doing

Fortinet introduces new cloud-managed WLAN access points (FierceEnterpriseCommunications) Fortinet launched a new series of wireless LAN access points that are managed by its FortiCloud management system. The new FortiAP-S series of APs are being touted as secure Wi-Fi APs with Fortinet's cybersecurity technology running right on them

Getting better results from threat intelligence analysis and management (Help Net Security) LookingGlass have been in the threat intelligence analysis and management market for 10 years now, and have a proven track record in the space

Three Years Running, Contrast Security Named a Visionary in Gartner Magic Quadrant for Application Security Testing (PRNewswire) Contrast Security advances Runtime Application Self-Protection (RASP) technology

WhiteHat Security Named a Leader in Gartner’s Magic Quadrant for Application Security Testing for Third Straight Year (My Host News) WhiteHat Security, the Web security company, today announced it has once again been positioned by Gartner, Inc. in the Leaders quadrant of the Magic Quadrant for Application Security Testing (AST). This is the third year in a row that WhiteHat Security has been included in the upper right quadrant of this Magic Quadrant

Technologies, Techniques, and Standards

Threat intelligence needs to grow up (CSO) Security teams are overwhelmed with a massive amount of threat data

Former White House Advisor, Paul Kurtz, On Info Sharing & Government Action (Dark Reading) Former cybersecurity advisor to the White House talks to Sara Peters at Black Hat about information sharing, the complications of attribution, cybersecurity legislation, and his new start-up

DISA evaluates SDN to guard mission-critical networks (C4ISR & Networks) The network is mission critical for members of the defense and intelligence communities. Software-defined networking (SDN), an emerging technology that brings the application and network layers closer together to create an entirely new architecture, is fundamentally changing the way networks are built and configured

How to do wireless for safety systems (Control Global) ISA TR 84.00.08 offers some important guidelines for making it work

ERM: Discussing Fatness of Tails in Risk Models (WillisWire) Most decision makers are familiar with the statistical average and standard deviation measures. But risk management typically focuses on unlikely "tail" events. The financial crisis helped popularize the term "fat tails" to represent the idea that these extreme events are more likely than we might have believed. To move beyond "thin tailed" models, we need a way to describe the fatness of the tail

IoT Working Group Crafts Framework For Security, Privacy (Dark Reading) Microsoft, Symantec, Target, home security system vendor ADT and others team up and issue security recommendations for some consumer Internet of Things things — but embedded firmware remains a wildcard

Hacker Disables House Arrest Ankle Bracelet (Softpedia) William Turner presented a talk at the DEF CON 2015 security conference in Las Vegas, detailing a method through which ankle tracking bracelets used by police forces around the globe can be disabled and allow criminals to get away

How to Save Time and Money with Cyber Security. 6 Efficient Tips to Follow (Heimdal) I know what you must be thinking right now: Is it really true that cyber security can actually be a time-saver instead of a time-waster?

How can businesses secure against unknown security threats? (IT Security Guru) Harness machine data, that's how

Cybersecurity expert shares back to school safety tips with parents (WBTV) One of the nation's leading experts in cybersecurity and IT strategy, Theresa Payton, joined WBTV to give parents some cyber safety tips during the back-to-school season

Design and Innovation

Hacking: Part of the Tech Cycle? (EE Times) It may be time to find a way to embrace hacking as another stage of the technology life cycle, says a veteran embedded systems designer

Research and Development

IEEE Spotlights Clarkson University Professor's Research on Cyber-Attack Risk Mitigation (Clarkson University) The Institute of Electrical and Electronics Engineers (IEEE) is highlighting the work of a Clarkson University professor for his leading research on cyber-attack risk mitigation

Academia

NSA helping place students from this New Mexico school into jobs (Albuquerque Business Journal) The University of New Mexico isn't the only school whose students are landing jobs in cybersecurity

Legislation, Policy, and Regulation

A season for cyber (FCW) The Senate plans to debate a major cybersecurity bill when it returns from its August recess, after failing to move the legislation before leaving town

China Cybersecurity Fears Prompt Business Groups to Press Obama (Wall Street Journal) Ahead of Xi Jinping’s visit, U.S. firms say Beijing’s policies are hurting their ability to operate in China

DoD's Cyber Perfect Storm: The Growing Threat Meets The Evolving Network (Lexington Institute) Yesterday's report that the Department of Defense had to shut down the Joint Chiefs of Staff's unclassified e-mail system should come as no surprise to anyone. DoD networks are under continuous attack, 250,000 a day by some estimates, ranging from curious teens to the advanced persistent threat and malicious insiders

What Was This Texas Congressman Doing at the Hacking Conference Def Con? (Motherboard) Among the almost 20,000 people who went to this years' Def Con — perhaps the world's premiere hacking conference — were hackers, cybersecurity professionals, lawyers, activists, and also an unexpected guest: the former CIA agent turned Republican Congressman Will Hurd

FTC: Bridging the divide between hackers and the 'flip phone caucus' (Christian Science Monitor Passcode) Ashkan Soltani, chief technologist of the Federal Trade Commission, and commissioner Terrell McSweeny spoke with Passcode while in Las Vegas for the Black Hat and DEF CON hacker conferences

It's time to break down the regulation barriers to cloud adoption (CloudTech) There is no doubt that cloud computing has now achieved mainstream deployment in the UK. Recent research from the Cloud Industry Forum (CIF) found that some 78% of UK organisations have adopting at least one cloud based service, an increase of 15% over previous figures. More telling is that turning to the cloud is now not just the reserve of large blue-chip organisations, with 75% of SMEs also embracing cloud technology

Litigation, Investigation, and Law Enforcement

SEC charges 32 in press release hacking, stock trading scheme (CSO) Indictments unsealed Tuesday in the district courts for New Jersey and Eastern New York accused the DOJ defendants of stealing approximately 150,000 confidential press releases from the servers of Marketwired, PR Newswire Association and Business Wire

SEC's Catching of PR Hackers is a Compelling Story (Equities) For any of you who have written or issued confidential press releases, there is always that moment where you observed how easy it would be to access this information and how little security there was protecting this information

Bitcoin's Dark Side Could Get Darker (Technology Review) Investors see riches in a cryptography-enabled technology called smart contracts — but it could also offer much to criminals

N.S.A. Used Phone Records Program to Seek Iran Operatives (New York Times) The National Security Agency has used its bulk domestic phone records program to search for operatives from the government of Iran and "associated terrorist organizations" — not just Al Qaeda and its allies — according to a document obtained by The New York Times

'Top Secret' emails found as Clinton probe expands to key aides (McClatchy) As pressure builds on Hillary Clinton to explain her official use of personal email while serving as secretary of state, she faced new complications Tuesday. It was disclosed her top aides are being drawn into a burgeoning federal inquiry and that two emails on her private account have been classified as "Top Secret"

Why Hillary's email server is important (Graham Cluley) US Presidential candidate Hillary Clinton has found herself the subject of an investigation into emails that she sent from a personal mail server — clintonemail.com — while she was Secretary of State

Report: John Brennan drafted apology to senators for CIA hacking (Politico) Last July, CIA Director John Brennan nearly apologized to Senate Intelligence Committee Chairwoman Dianne Feinstein (D-Calif.) and ranking member Saxby Chambliss (R-Ga.) in a letter for the CIA’s hacking into the computer network of committee staffers

How a $218K HIPAA fine could have been avoided with secure file transfer (HealthCareIT) 'Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications'

Attacks on Fiber Networks in California Baffle FBI (Wall Street Journal) Authorities have yet to nail down a motive or culprit for more than a dozen breaches in the Bay Area

Crackdowns Haven't Stopped the Dark Web's $100M Yearly Drug Sales'' (Wired) After more than four years and two giant law enforcement busts, the Dark Web's drug market is still just as robust as it was during the Silk Road’s heyday. In fact, according to a new study, it's now moving well over $100 million of illegal substances a year, and it's recovering from every new scam-induced setback and government crackdown faster than the last one

Man calls police 'slackers' on Facebook, falls foul of Spain's new 'gag law' (Naked Security) Protesters involved in Spain's anti-austerity movement have tried to prevent housing evictions, taped over their mouths, projected holograms of virtual protesters on the portico of the main Parliament building, and climbed atop a construction crane to hold up a sign protesting the country's new gag law, which specifically prohibits protesters from scaling buildings or monuments without permission

Activist DeRay Mckesson’s Social Media Has Been Monitored by Department of Homeland Security: Report (The Root) Emails from DHS show that agents have monitored Mckesson, whom they called a "professional demonstrator-protester known to law enforcement"

New FBI-DOD Biometric Center Will Help Combat Threat of Terrorism (FBI) This week, the FBI dedicated its new 360,000-square-foot Biometric Technology Center (BTC), located on the campus of our Criminal Justice Information Services (CJIS) Division in Clarksburg, West Virginia. The BTC, an enhancement of the ongoing collaboration between the FBI's Biometric Center of Excellence and the Department of Defense's Forensics and Biometrics Agency, will — once fully operational — encourage even more joint biometric investigations, along with additional research and development

Facial Recognition Software Moves From Overseas Wars to Local Police (New York Times) Facial recognition software, which American military and intelligence agencies used for years in Iraq and Afghanistan to identify potential terrorists, is being eagerly adopted by dozens of police departments around the country to pursue drug dealers, prostitutes and other conventional criminal suspects. But because it is being used with few guidelines and with little oversight or public disclosure, it is raising questions of privacy and concerns about potential misuse

For a complete running list of events, please visit the Event Tracker.

Upcoming Events

USENIX Security (Washington, D.C., USA, Aug 12 - 14, 2015) The USENIX Security Symposium reunites researchers, practitioners, system administrators, system programmers, and others specialists interested in the latest advances in the security and privacy of computer systems and networks

5th Annual Cyber Security Training & Technology Forum (CSTTF) (Colorado Springs, Colorado, USA, Aug 19 - 20, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter and FBC, Inc. will once again co-host the 5th Annual Cyber Security Training & Technology Forum (CSTTF). CSTTF 2015 will bring together cyber experts from the DoD, federal government, business, research, and academia to address a variety of current cyber topics

Decepticon 2015 (Cambridge, England, UK, Aug 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines, sub-disciplines and countries. To cover the great diversity of approaches to deception research, our scientific committee has members covering several domains

AFCEA OKC Technology & Cyber Security Day (Oklahoma City, Oklahoma, USA, Aug 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker AFB. This is the only Technology Day held at Tinker AFB each year. The annual Technology Day allows exhibitors the opportunity to have access to information technology, communications, cyber, engineering, and contracting personnel at Tinker AFB. Over 300 attendees participated in the 2014 Technology Day and we expect the same level of attendance in 2015

Power Grid Cyber Security Exchange 2015 (San Diego, California, USA, Aug 30 - Sep 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology and information security executives. This program is tailored to utility executives and industry stakeholders that are responsible for addressing threat intelligence, analysis and monitoring; network architecture; and cyber incident response

2015 HTCIA International Conference & Training Expo (Orlando, Florida, USA, Aug 30 - Sep 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics

ICFP 2015 (Vancouver, British Columbia, Canada, Aug 31 - Sep 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire spectrum of work, from practice to theory, including its peripheries