The CyberWire Daily Briefing 09.08.15

Summary

By The CyberWire Staff

Researchers independently find significant zero-days in Kaspersky and FireEye products. Kaspersky is working on a patch; FireEye has contacted the researchers for information that might help it determine whether remediation is necessary. The two incidents raise interesting issues concerning responsible disclosure and the payment of bug bounties. All the parties involved say they're in favor of responsible disclosure, but FireEye and those who discovered its systems' issues differ, apparently, over bounties. (Comments to the linked articles are worth more attention than usual.)

Damballa notes the reappearance of the TVSPY threat actors, whose stock in trade is exploitation of vulnerabilities in the Teamviewer remote administrator tool.

Mozilla finds that a bad actor compromised Bugzilla and may have lurked there since 2013 with the apparent aim of obtaining information on Firefox vulnerabilities.

Android and iOS vulnerabilities continue to receive researchers' attention.

The campaign to map infosec professional networks on LinkedIn again shows the risk sockpuppets and catphish pose (and how difficult it can be to recognize bogus personae). Meanwhile TrendLabs takes a look at Ashley Madison and asks a good question: how did their honeypots wind up with adulterous dating accounts? TrendLabs is pretty sure their honeypots wouldn't have signed up on their own…

Microsoft and BlackBerry make security acquisitions.

China and Russia maintain and tighten their policy of close Internet control, with Chinese attention going to VPN restriction, Russian to general surveillance (Snowden notices, disapproves of the latter).

The US (or at least its State Department) gropes toward a cyber "playbook."

Notes.

Today's issue includes events affecting Australia, Austria, Belarus, Brazil, Canada, China, Estonia, European Union, Germany, Hungary, India, Iran, Israel, Japan, Democratic Peoples Republic of Korea, Republic of Korea, Latvia, Malaysia, Moldova, Netherlands, New Zealand, Nigeria, Norway, Oman, Russia, Singapore, United Kingdom, United States, and and Zimbabwe.

This Thursday we'll be covering two events: the second annual Senior Executive Cyber Security Conference at the Johns Hopkins University in Baltimore, and GovConnect's Cyber 6.0 in Howard County, Maryland. Watch for live tweets and full conference reports.

Selected Reading

Cyber Trends

End-to-end encryption is key for securing the Internet of Things (Help Net Security) The Internet of Things (IoT) is one of the hottest buzzwords these days

Black Hat survey reveals a disconnect between losses and security program focus (CSO) The Black Hat study focused on the concerns of practitioners, including how they actually spent their times and the losses that they incurred

Money can't buy you love or security (ITSecurity) Every year we spend tons more money on security

Inside threats enable vast majority of cybercrimes (Betanews) No less an authority than colorful cybersecurity pioneer John McAfee firmly believes that the now infamous hack of the US-based Ashley Madison sex-cheating website was an inside job

Security Focus Shifts to Detection (InfoRiskToday) Gartner's Pingree: market emphasis now on detection, response

APT Attacks Will Seek Smaller Targets (InfoRiskToday) Gartner's Ahlm: SMBs beware — launching targeted attacks getting easier

Cyber Security — Getting the Message (Team Cymru) There is a concept in the health and safety industry known as 'sign blindness'

Legislation, Policy and Regulation

China Continues Its Crackdown On VPN Services (TechCrunch) China is showing no sign of letting up on internet users who seek to hurdle its censorship system after it began imposing new restrictions on a popular censorship avoidance service in the country

EU, U.S. clinch data-sharing deal for security, terrorism cases: document (Reuters via Yahoo! News) The European Union and the United States have clinched a deal protecting personal data shared for law enforcement purposes such as terrorism investigations

America And United Kingdom To Participate In Cyber Attack War Games (Daily News) First exercise scheduled for later part of the year

How The Rules Of Cyber Engagement Have Changed (TechCrunch) A series of recent breaches at United Airlines, Anthem and, most recently, Sabre Corp. and American Airlines are reportedly tied to state-sponsored cyber attackers

Cyber crime: states use hackers to do digital dirty work (Financial Times) A new breed of sophisticated hacker is emerging as one of the most worrisome digital adversaries for western intelligence chiefs: cyber privateers

State Department Wants to Compile Cybersecurity 'Playbook' (Nextgov) The State Department, fresh off the heels of a highly publicized cyberintrusion, is picking industry's brain for tactics to block and perhaps strike back at hackers, according to new contracting documents

As the U.S. government faces cyber attack, 'there's no playbook' for fighting back (PCWorld) Nice nations don't retaliate, but the more hackers steal, the harder it is to maintain that stance

Redacted: This is how the government 'informs' you about critical software flaws (Russia Today) The US government has released a document describing the process it undertakes when deciding whether or not to inform the public about critical vulnerabilities it discovers in software. However, important details remain redacted

On Cyber Information Sharing, It's the Medium Not the Message (Council on Foreign Relations) When Senators return to Washington, DC this fall, they will take up work on legislation to make it easier for companies to share cybersecurity information with each other and with the government

Is It Time to Appoint a Data Security Czar? (RAND Blog) The increasingly alarming news about government-held data security breaches should cause Americans to seriously question whether the U.S. government at all levels is doing everything it could — and should — to protect the data it collects

More info on OPM breach insurance fails to comfort skeptics (Federal Times) Federal employees have been disappointed in breach protection company CSID's response to the first hack of Office of Personnel Management's network

Products, Services, and Solutions

Webroot takes aim at IoT with new security toolkit (SecurityWatch) Webroot has launched a security toolkit to help protect the internet of things, with cloud-based, real-time threat intelligence

SolarWinds adds threat intelligence feed to its SIEM software (NetworksAsia) SolarWinds has introduced the addition of a threat intelligence feed to SolarWinds Log & Event Manager, a security information and event management (SIEM) product designed for resource-constrained IT organizations

HyTrust Claims Advances In Virtual Data Center Ops (InformationWeek) VMware security partner HyTrust has been pushing new steps in virtual machine and virtual network operations, including role-based access

Technologies, Techniques, and Standards

Cyber Intelligence: Competitive Intelligence By Any Other Name… (SecurityWeek) The current environment around cybercrime is quickly becoming a forcing function that's causing businesses to begin evaluating how they're doing cybersecurity across the board

The Real Inhibitors of Risk Management (SecurityWeek) Over the past two years, risk management has gained a lot of attention in the media and among practitioners

COSO–Guided Cybersecurity: Risk Assessment (Wall Street Journal) As cyber risk continues to be a critical topic of discussion in the C-suite and boardroom, organizations should consider how to adapt cyber security strategies, processes and technologies to meet this significant and constantly evolving threat

Four Non-Technical Measures for Mitigating Insidious Insiders (Dark Matters) Even the best technology will be useless if the non-technical basics aren't correct

Cloud Security: You can't protect what you can’t see (Trend Micro: Simply Security) Last time we discussed how the shared responsibility model works to enhance your overall security

Sun Tzu-as-a-Service: How to protect the hybrid cloud (TechRepublic) The hybrid cloud brings unique security challenges to the enterprise

Encrypted Communication Has Never Been Easier — Security Never More Challenging (Blogs of War) Just over two years ago I decided to spend some time digging into an emerging class of encryption tools that were making a solid run at simplifying the notoriously cumbersome use of PGP

Hunting for IOC's with ioc-parser (Internet Storm Center) Threat intelligence became a hot topic for a while

The Cost of Poor Test Data Management (Information Security Buzz) If there's one thing that's going to make a business sit up and listen — it's money, especially when it comes to avoidable fines

Cognitive Research: Learning Detectors of Malicious Network Traffic (Cisco Blogs) Malware is constantly evolving and changing

HDD firmware: Hacking in the dark (HP Security Research Blog) In light of the recent publicity around malware that can remain persistent in hard drive firmware, it seems reasonable to seek a better understanding of what actually happens inside the hard drive

Rudra: Framework for automated inspection of network capture files (Help Net Security) In this podcast recorded at Black Hat USA 2015, Ankur Tyagi, Malware Research Engineer at Qualys, talks about Rudra, a framework for automated inspection of network capture files

Enterprise IT Security Compliance In Five Simple Steps (Lifehacker) Maintaining IT security is a constant struggle for enterprises in both the public and private sectors

Marketplace

Cyber liability insurance must for entrepreneurs (Business Standard) Extent of cover will depend on volume, sensitivity of data with the company

Survey: Legal Security Spending on the Rise (Legaltech News) The ILTA and InsideLegal survey noted that security management is now seen as the biggest challenge facing legal IT departments

IT Security Applications Will Drive Growth in Enterprise Adoption of Biometrics Technology During the Next 10 Years, According to Tractica (BusinessWire) Enterprise biometrics devices and software licenses to reach 142 million annually by 2024

Global cyber weapon market growing at a CAGR of 4.4% from 2015 to 2021 (Whatech) A cyber weapon is an information technology (IT)-based system consisting of hardware, software, and communication medium that is designed to damage operations or structures of other information technology-based system

Funding into security increases as hacks show no let up (PE Hub) So long as high-profile hacking events and security breaches occur, funding into cyber security companies will also continue to rise

Startup Spotlight: BitSight Technologies' Risk Management (eSecurity Planet) BitSight Technologies helps companies manage risks associated with third-party suppliers with a ratings service modeled on those offered by credit bureaus

BlackBerry agrees to acquire EMM competitor Good for $425M in cash (FierceMobileIT) Despite financial troubles that are forcing it to cut jobs, BlackBerry has enough cash in hand to acquire Good Technology for $425 million

Microsoft Confirms Purchase Of Cloud Security Firm Adallom (TechCrunch) Microsoft announced this morning that it purchased cloud security firm Adallom

HP looking to sell off its cyber security unit: Report (First Post) Hewlett-Packard Co (HPQ.N) is exploring a sale of computer network security solutions unit TippingPoint ahead of a corporate split later this year, according to people familiar with the matter

Building a New Silicon Valley in a Post-Soviet Dictatorship (Wired) With Riga in the rearview mirror, the bus plods north. Latvia's flat pine forests flash past under low grey clouds, but Oleg Kuryan, seated towards the back, is interested in neither

Trident Capital Cybersecurity Announces Sean Cunningham, Formerly of Intel Capital, Joins as Managing Director (Marketwired) Cunningham — listed as a top cyber investor by market analyst firm CB Insights — will utilize deep marketing and sales expertise to help build cybersecurity startups

WatchGuard boosts exec ranks (CSO) WatchGuard® Technologies has boosted their global executive team with three new appointments

Research and Development

DB Networks Issued Structured Data Extraction Patent (IT Business Net) Latest patent covers extraction of layer 7 database traffic information

Security Patches, Mitigations, and Software Updates

Chrome Suddenly Crashing On Startup? Comodo Releases Fix (News for Shoppers) "Google Chrome has stopped working" If you just got that message when opening your Chrome browser, you're not alone

Cyber Attacks, Threats, and Vulnerabilities

Kaspersky And FireEye Security Products Cracked By Researchers (International Business Times) As the world becomes ever more digital, it is a great time to be in the cybersecurity business with everything from our cars to our most critical infrastructure being controlled by computers and therefore at risk of attack

Researcher discloses zero-day vulnerability in FireEye (CSO) The researcher says that there are three other undisclosed flaws, and each one is for sale

Researcher to FireEye: If you're not paying, I'm not talking (CSO) Hermansen will let FireEye sit in silence until they implement a paid bug bounty or rewards process

Gloves on as Googler deposits foul zero-day on Kaspersky lawn (Register) Global patch makes for laborious long weekend

Zero-day vulnerabilities reportedly found in Kaspersky and FireEye security products (Graham Cluley) Sounds like it's going to be a busy few days for R&D and PR departments at least two security companies

TVSPY — Threat Actor Group Reappears with Teamviewer Malware Package (Damballa) TVSPY is a malware that takes advantage of a vulnerability in Teamviewer software version 6, a legitimate tool used for remote PC administration

Mozilla's bug tracking portal compromised, reused passwords to blame (CSO) Attacker used compromised Bugzilla account to obtain details on Firefox flaws

Security Alert: Over 142 Million Legitimate Websites Could Deliver Ransomware Because of Script Injection Compromise (Heimdal Security) Heimdal Security has observed an increase in malicious scripts injected into legitimate websites that redirect Internet users to the Neutrino exploit kit server when accessed

Seagate wireless hard drives open wide to attack (Help Net Security) Several Seagate wireless hard-drives have been found to be affected by multiple vulnerabilities

An Example of Common String and Payload Obfuscation Techniques in Malware (IBM Security Intelligence) I've recently investigated malware that we received from a customer

Sinking into the iOS Quicksand Vulnerability (TrendLabs Security Intelligence Blog) Our investigation on the iOS Quicksand vulnerability (designated with CVE-2015-5749) leads us to the conclusion that this security gap, despite its serious risks to confidential data, is difficult to exploit due to its required specific conditions

The Promise of Pwned Android is Fulfilled (PC Magazine) Hackers have already been exploiting Android's vulnerable mobile remote support tools

Sexy sock puppets seduce security suckers (Register) Eager types 'endorse' LinkedIn infosec probers wearing models' photos as avatars

'Why I fell victim to a LinkedIn scam — and why I would do so again tomorrow' (Graham Cluley) A number of fake LinkedIn accounts have been used to target security researchers

How Security Awareness Can Prevent Romance Fraud (Infosec Institute) Today, in the age of the Internet, looking for an online love affair is a normal everyday practice

Ashley Madison, Why Do Our Honeypots Have Accounts On Your Website? (TrendLabs Security Intelligence Blog) She is 33 years old, from Los Angeles, 6 feet tall, sexy, aggressive, and a "woman who knows what she wants", according to her profile. She is intriguing. However, her intrigue doesn't end there: her email address is one of Trend Micro's email honeypots. Wait— what?

Porn used as lure for mobile ransomware attacks, Zscaler warns (ComputerWeekly) Adult Player app is the latest example of a growing list of mobile ransomware

ReverbNation — Colossal Data Breach at Music Firm (Check & Secure) Another day, another breach

Anonymous Knocks Down Zimbabwe Herald Website (HackRead) Zimbabwe government's websites are apparently in great danger yet again since the infamous hacktivist group is using DDoS this time to get its message through

Beware! A Nigerian group targeting Indian firms in payment scam (First Post) FireEye has discovered an active online payment-diversion campaign which targets small and medium businesses in non-English-speaking countries, including India

The American Library Association Lost Control Of Their Facebook Page This Weekend (TechCrunch) Getting hacked is bad news… unless you'e a bunch of librarians

Customers of UK's Metro Bank targeted by Twitter fraudsters (We Live Security) When Metro Bank opened its doors five years ago, it was reportedly the first new high street bank to launch in the UK for over 150 years

A Close Look at PayPal Overpayment Scams That Target Craigslist Sellers (Internet Storm Center) My hope is that when people become familiar with the tactics employed by scammers, they will be less likely to get ripped off

Driverless cars vulnerable to paralysis through laser hack attack (V3) Hackers can paralyse a driverless car by exploiting its laser navigation systems and sensors to trick it into thinking it will collide with another car, person or obstacle, according to security research

First Report of Simulated Human Being Hacked — But Don't Panic (Tripwire: the State of Security) Yes, simulated humans exist

The Business Of Fraud (TechCrunch) When you visualize a hacker, what do you see?

Cyber War: a guide to state-sponsored digital assaults (Catch) Not a month goes by without reports of a new cyber attack

Academia

UT San Antonio wins DHS grant for info sharing standards (Federal Times) While the Senate is expected to take up information sharing this fall, the Department of Homeland Security is moving ahead with preparations for the Information Sharing and Analysis Organizations (ISAOs)

Cybersecurity: 6 schools with the right stuff (FCW) For all of the finger-pointing and blame-shifting that followed the massive hacks of the Office of Personnel Management, lawmakers and officials agree on this much: The federal government needs more cybersecurity professionals

Litigation, Investigation, and Enforcement

Internet of Things Will Lead to Complex Legal Questions (Legaltech News) The issue of risk management is 'potentially enormous' with the IoT and it will pop up in 'unexpected ways'

The mission and capabilities of the FBI Cyber Division (CSO) Ira Winkler and Araceli Treu Gomes interviewed Donald Good, deputy assistant director of the Federal Bureau of Investigation, after his presentation at the Black Hat CSO Forum

Delayed European Legal Opinion On Facebook NSA/PRISM Coming Later This Month (TechCrunch) A European legal opinion regarding Facebook's alleged data-sharing co-operation with the NSA/PRISM dragnet surveillance program that's due to be issued by the Advocate General (AG) of Europe's top court is now slated to be delivered on September 23

Edward Snowden attacks Russia rights curbs, would prefer to go home (Live Mint) The whistleblower described restrictions on the Internet as part of a wider problem in Russia

Second Review Says Classified Information Was in Hillary Clinton's Email (New York Times) A special intelligence review of two emails that Hillary Rodham Clinton received as secretary of state on her personal account — including one about North Korea's nuclear weapons program — has endorsed a finding by the inspector general for the intelligence agencies that the emails contained highly classified information when Mrs. Clinton received them, senior intelligence officials said

Has Twitter traced escaped Mexican drug baron 'El Chapo' to Costa Rica? (Naked Security) There's been quite a buzz in the media lately about Twitter geolocation

Norwegian Pirate Party provides DNS server to bypass new Pirate Bay blockade (Ars Technica) Pirate Party fights back against court-ordered blockade of file-sharing sites

Hacking Team Tried to Sell Smartphone Viruses to South Florida Cops (Miami New Times) Back in early July, an Italian-based company called Hacking Team — which had been criticized for profiting by selling malware to regimes with poor human rights records — was itself ironically hacked

Arrests Tied to Citadel, Dridex Malware (KrebsOnSecurity) Authorities in Europe have arrested alleged key players behind the development and deployment of sophisticated banking malware, including Citadel and Dridex

Ex-Tesla worker charged with posting confidential material on Web (Reuters) A former Tesla Motors engineer has been charged in federal court with felony computer intrusion

Design and Innovation

Apple Reportedly Staffs Up Machine Learning Team (TechCrunch) Apple is trying to hire at least 86 artificial intelligence and machine learning experts

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

MeriTalk: Cyber Security Brainstorm (Washington, DC, USA, September 23, 2015) Co-locating with the NIST Cloud Security Working Group, this MeriTalk Brainstorm has an excellent program lined up, featuring keynote speakers Allison Tsiumis (Section Chief, Cyber Intelligence Section, FBI), and the father of the internet, Vint Cerf

2015 Government Cybersecurity Forum (Washington, DC, USA, October 20, 2015) The Government Cybersecurity Forum was created three years ago a result of the complexity of today’s global threat environment. As more devices connect to the Internet and data breaches continue to escalate, the hottest debate in cybersecurity revolves around the balance between privacy, anonymity, technology and security. For the first time ever, join leading government, military, technology and policy experts as they gather in one room to help solve this urgent issue facing the government and industry in securing infrastructure

Data Breach Summit Asia 2015 (Mumbai, India, October 28, 2015) As Cyber Security continues to become a challenge for all industries, ISMG's Data Breach Summit a unique, one-day event will focus on the issues to help the participants learn more about how to prevent cyber security breaches as well as how to mitigate the situation should a breach occur. The summit will provide an unparalleled platform to the attendees to engage in dialogue on real-world solutions protecting their organisations

FedCyber 2015 (Tyson's Corner, Virginia, USA, November 10, 2015) This conference, orchestrated by cyber practitioners Matt Devost and Bob Gourley, is designed to advance the state of cyber defense. The FedCyber.com Threat Expo will bring together thought leaders who know the cyber mission in a venue designed to enhance our collective understanding of the threat, build on existing strategies to mitigate challenges, and leverage the nation's greatest technologies to enhance our defense in depth

upcoming Events

SIN ACM (the International Conference on Security of Information and Networks) (Sochi, Russia, September 8 - 10, 2015) The 8th International Conference on Security of Information and Networks will feature contributions from all types of specialists in the cyber security field, from papers and special sessions to workshops and tutorials on both theory and practice. If you want to gain up to date knowledge on the latest developments in information security, then don't miss this conference

SIN 2015 (Sochi, Russia, September 8 - 10, 2015) The 8th International Conference on Security of Information and Networks (SIN 2015) provides an international forum for presentation of research and applications of security in information and networks. SIN 2015 features contributed as well as invited papers, special sessions, workshops, and tutorials on theory and practice. It seeks to convene a high-quality, well-attended, and up-to-date conference on scientific and technical issues of security in information, networks, and systems

NSPW (New Security Paradigms Workshop) (Twente, Netherlands, September 8 - 11, 2015) Although NSPW is more of a workshop than a conference, it has earned its right to be included in this list. Since 1992, NSPW has been offering a unique forum for cyber security specialists involved in researching high-risk, high-opportunity paradigms to present their ideas. The discussions always challenge the current limitations of information security tools and technology, while disputing ng-held beliefs or the very foundations of security. You're bound to get fresh, new ideas from attending this workshop

Global Cyberspace Cooperation Summit VI (New York, New York, USA, September 9 - 10, 2015) An invitation-only event, this meeting of international actors aims to coordinate and consolidate progress, showcase results and promote collective action. The annual cyber summits provide a crucial forum for building international, private-public action to foster international cooperation in cyberspace. Breakthrough groups, aligned with the initiative's objectives of economic and political development, digital security and stability, and sound governance and management, carry the program forward

Intelligence and National Security Summit (Washington, DC, USA, September 9 - 10, 2015) AFCEA International (AFCEA) and the Intelligence and National Security Alliance (INSA) are pleased to host the second Intelligence and National Security Summit to provide the platform for this essential discussion. This two-day, unclassified Summit will feature five plenary sessions with top federal agency leaders and policymakers sharing their assessments and priorities for U.S. national, defense and homeland security intelligence. In addition, thought leaders from government, industry and academia will explore emerging issues and solutions related to intelligence policy, cyber threats, and technology and innovation over nine breakout sessions

Cybersecurity Innovation Forum (Washington, DC, USA, September 9 - 11, 2015) The 2015 Cybersecurity Innovation Forum is a three-day event hosted by the National Institute of Standards and Technology, and planned with the National Security Agency, and the Department of Homeland Security. This event brings government and industry together to focus on current, emerging, and future challenges, technologies, projects, solutions, and research in trusted computing, security automation, and information sharing

[New Date] Cyber 6.0 (Laurel, Maryland, USA, September 10, 2015) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity that will improve their market position, enhance their corporate security policies and infrastructure, identify potential business opportunities, and provide a take away of information and contacts for follow-up that assists businesses in understanding the role they play in national cybersecurity and how they can address those challenges. All businesses have a role to play in protecting the national security of our infrastructure. Note: this is a change in date

2nd Annual Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, September 10, 2015) The one-day symposium will examine the potential advantages and pitfalls of an information-sharing strategy from the technological, business and regulatory perspectives

BSides Augusta 2015 (Augusta, Georgia, USA, September 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, September 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel

Gulf Cooperation Council Cyber Security Summit (Abu Dhabi, United Arab Emirates, September 13 - 15, 2015) The GCC Cyber Security Summit will bring together regional and international thought leaders and decision-makers to examine one of the most vital threats to the region's future well-being: cyber-attack. Penetration of national and company security, criminal fraud and identity theft are now big business worldwide among a shadowy fraternity that is only growing in power and size. Recent incidents with film studios, healthcare providers and global banks continue to resonate in cabinet offices and boardrooms everywhere

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listens all over the world, companies trust the CyberWire to get the message out. Learn more.