The CyberWire Daily Briefing 09.15.15

Summary

By The CyberWire Staff

In the UK, post mortems of the ISIS hack of certain Cabinet emails continue, with the emerging consensus being that the incident was "avoidable."

Russian authorities report, without attribution or further characterization, that the President's website came under a "massive cyber attack" on election day, which Russian defenses successfully parried.

FireEye discloses (evidently with Cisco's approval) that a novel attack, "SYNful Knock," has succeeded in taking control of Cisco-manufactured routers in at least four countries — India, Mexico, the Philippines, and Ukraine. Cisco informed customers of the attack in August and provided mitigation for the malicious implants.

Bitdefender reports that about a third of business and government enterprises in Hungary, Romania, and Ukraine are still running the outdated and notoriously vulnerable Windows XP.

Neustar again warns that denial-of-service campaigns are increasingly likely to serve as misdirection for more serious, sophisticated attacks.

Tor is getting its own top-level domain: [dot]onion.

More evidence appears that insurance markets are increasingly looked to — by both boards and regulators — as the coming source of cyber standards of care.

In industry news, Cisco, Symantec, and GE adjust their cyber market positions. Onapsis and IronNet each attract significant new venture capital. Flexera acquires Secunia. AVG issues a one-page privacy policy, and challenges its peers to be similarly terse.

US President Obama has apparently decided against sanctioning China for cyber espionage. Observers perceive an uncertainty in the Administration over how to deal with this complex issue.

US companies read OMB's proposed cyber guidance; they don't like what they see.

Notes.

Today's issue includes events affecting China, European Union, Hungary, India, Iraq, Mexico, NATO, Philippines, Romania, Russia, Syria, Ukraine, United Arab Emirates, United Kingdom, United Nations, United States

This week the CyberWire will cover two events. Today and tomorrow we're at Borderless Cyber (organized by OASIS and the World Bank). Thursday we'll be covering the Sixth Annual Billington Cybersecurity Summit on Thursday. We'll live-tweet from both events (our hashtag today and tomorrow will be #BorderlessCyber), with full coverage published in the CyberWire as the week progresses.

Selected Reading

Cyber Trends

The brave new world of cyber insurance (FCW) Perimeter defenses have been penetrated the world over, and the modern cybersecurity conversation is all about how to mitigate the damage once your organization is inevitably breached

Emerging risks, mitigation focus of Guy Carpenter report (Business Insurance) A new report identifies cyber, technology, longevity and casualty catastrophe as four main emerging risks and discusses how insurers can use modeling and analytics to manage them

Kaspersky Lab: Businesses report losing up to half a million US dollars due to a security breach (BizTechAfrica) A worldwide survey of more than 5500 companies in 26 countries

137 major incidents disrupted EU telephony and Internet access in 2014 (Help Net Security) ENISA publishes its Annual Incidents report which gives the aggregated analysis of the security incidents causing severe outages in 2014

Legislation, Policy and Regulation

Obama Won't Sanction China for Cyber Spying… Yet (Daily Beast) The White House is reportedly holding off on sanctions against Chinese companies for cyber spying on American corporations, at least until President Xi Jinping completes his stateside visit

Cyberthreat Posed by China and Iran Confounds White House (New York Times) A question from a member of the Pentagon's new cyberwarfare unit the other day prompted President Obama to voice his frustration about America's seeming inability to deter a growing wave of computer attacks, and to vow to confront the increasingly aggressive adversaries who are perpetrating them

Bad News: Cyber Norms Probably Won't Constrain Cyber Conflict (Council on Foreign Relations) The U.S. government has put the promotion of its cyber norms at the forefront of its cyber diplomacy with the hopes that it will constrain pervasive cyberattacks. Past experience with norm promotion efforts provide insight on whether the United States is likely to be successful. Unfortunately, the future is bleak

Microsoft-NATO Team Aims to Address Cyber Threats Through Gov't Security Program (ExecutiveBiz) Microsoft and NATO's Communications and Information Agency have signed an agreement to promote partnerships and transparency among government agencies and help them protect their computer infrastructure from potential cyber threats

4 hard-earned lessons about cyber ops (Foreign Policy) Integrating cyber effects into traditional military operations is an emerging and potentially high payoff field

A Cybersecurity Bill Light on Security, Heavy on Corporate Protection (Foreign Policy) Congress is poised to pass legislation that would hand businesses legal immunity for sharing cyber-intelligence with the government. Privacy activists call it a surveillance bill. Security experts call it a half-measure

PSC: OMB's Cybersecurity Acquisition Guidance Lacks Uniformity (ExecutiveGov) The Professional Services Council has called on the Office of Management and Budget to revise or withdraw the agency's draft guidance entitled "Improving Cybersecurity Protections in Federal Acquisitions"

Contractors urge OMB to pull cybersecurity acquisition guidance (FedScoop) Advice to agencies "too little, too late and too flexible," says the Professional Services Council

How the intelligence community can move toward a more predictable acquisitions system (FedScoop) Officials said they want industry to weigh in on how to improve the solicitations they officer

FTC says data and privacy are top security concerns (CSO) Enterprises need to address privacy issues when dealing with security issues

New cyber threat center to hit initial stride in October (Federal News Radio) Just in time for cybersecurity awareness month in October, the White House will launch the initial operating capability of the cyber threat intelligence integration center (CTIIC)

How OPM hopes to cultivate cyber talent (FCW) Feds are becoming eligible for retirement in waves, and cybersecurity skills are in desperately short supply

A deeper dive into Energy's cyber defenses (Federal News Radio) The Energy Department's cybersecurity is awful — well, at least that's what many people believe based on the recent USA Today story

State has second thoughts about cyber playbook (Federal News Radio) The State Department's idea of creating a series of cyber playbooks got "86'ed" rather quickly

Five predictions for cybersecurity's role in the 2016 presidential race (Christian Science Monitor Passcode) There might be more than 400 days before Election Day, but the 2016 presidential campaign is well under way

Products, Services, and Solutions

Microsoft throws crypto foes an untouchable elliptic curveball (Register) Redmond's new, free, crypto library dubbed FourQ leaves P-256 swinging and missing

LexisNexis Managed Technology Services Obtains Updated Cybersecurity Certification (Legaltech News) The business has been awarded International Quality System Standard ISO 27001:2013 certification

Gemalto launches IoT tamper-resistant component (StockMarketWire) Digital security Gemalto is introducing the Cinterion Secure Element, a tamper-resistant component embedded in industrial Internet of Things (IoT) solutions to enable advanced digital security and lifecycle management

Unicon and Duo Security Collaborate to Develop Multifactor Authentication Extension for Shibboleth 3.x IDP (Benzinga) Unicon, Inc., a leading IT consulting, services, and support provider specializing in open source for the education technology market, today announced that it has collaborated with Duo Security, a leading provider of two-factor authentication solutions for higher education institutions, in the development of a multifactor authentication solution for the newly released Shibboleth 3.x IDP. The extension was developed on behalf of Unicon clients, including major universities. It has been donated back to the open source community, making it available for all universities and colleges to implement to add an extra layer of security for protection of applications and resources

Cyber security collaboration gives way to up-to-date risk model (Business Insurance) Two cyber security risk providers will collaborate with AIR Worldwide Corp., a Boston-based catastrophe risk modeling software provider, to an up-to-date cyber risk model for insurers, AIR said in a Monday news release

Comodo launches Windows 10 Antivirus Software (Security Newsdesk) Comodo Internet Security suite is all set to defend Windows 10 PC users from Malware, Viruses and Zero-Day Attacks

LogRhythm Extends Threat Analytics Suite with Endpoint Module (Integration Developer News) Security intelligence firm LogRhythm is looking to help IT more quickly detect intruders with its latest offering Endpoint Threat Analytics Module

AVG Business Launches Managed Workplace 9.2 for its Channel Partners, Adding Premium Remote Control to its RMM Platform (PRNewswire) Partners with ISL Online to provide an integrated remote access solution from one platform at no additional cost

Spirent adds Robust PNT Test Framework to evaluate security issues (Telecom Lead) Telecom network testing firm Spirent Communications has launched its Robust PNT Test Framework that evaluates GPS and GNSS security vulnerabilities for Positioning, Navigation and Timing (PNT) systems

Blue Coat enriches support portal and search infrastructure (Knowledge Management World) To improve its search experience and its customer, partner and employee support portal, Blue Coat Systems, an enterprise security company, has enlisted the help of the Google Search Appliance (GSA), and Search Technologies

SentinelOne Receives Top Score in SC Magazine Review of Endpoint Security Products (BusinessWire) Next generation endpoint protection vendor receives perfect five star rating for completeness of platform

Invincea Receives Five-Star Rating From SC Magazine, Recommended for Advanced Endpoint Protection (MarketWatch) Perfect score follows company's recent selection to 2015 CRN Emerging Vendors List

DeviceLock® Endpoint DLP Software Achieves SC Magazine 5-Star "Recommended" Rating (Digital Journal) DeviceLock, Inc., a worldwide leader in endpoint data leak prevention (DLP) software, today announced that SC Magazine has designated the DeviceLock Endpoint DLP Suite a perfect 5-Star rating across all measured criteria as well as earning their prestigious "Recommended" endorsement for the Endpoint Security category

Darktrace wins major US award (Cambridge News) Darktrace, the Cambridge company set up to keep digital raiders at bay, was presented with a Gold Stevie Award in the New Product and Technology category at the 13th annual American Business Awards ceremony in San Francisco this month

Technologies, Techniques, and Standards

12 Questions About Security That Boards Must Ask (Baseline) With the ever-growing number of data breaches companies face, a corporate board must elevate its presence as a watchdog to ensure enterprisewide accountability in the interest of cyber-security

REVIEW: Threat Intelligence could turn the tide against cybercriminals (Network World) In recent reviews, we looked at the advancements in endpoint security, including new ways companies are employing technology like virtual machines to get a leg up on potential attackers

Marketplace

UK groups rush to profit from cyber security concerns (Financial Times) This summer, companies ranging from adultery website Ashley Madison to carmaker Fiat Chrysler and retailer Dixons Carphone have been hit by cyber attacks

Cisco leads security appliance market in Q2: IDC (Infotech Lead) Cisco continued to lead the security appliance market in the second quarter of 2015, International Data Corporation said Monday

Symantec: Partners can expect unified security strategy (TechTarget) In the wake of the Veritas buyout, Symantec aims to appeal to channel partners with a unified security strategy and stronger cloud focus

As Security Booms, Onapsis Gets Cash to Stop Corporate Cyber Attacks (Xconomy) Another day, another cybersecurity company to have on your radar — especially if you are concerned about things like corporate espionage, financial fraud, and international hackers stealing your intellectual property

Keith Alexander-led IronNet Cybersecurity raises $7.5 million (Baltimore Business Journal) IronNet Cybersecurity Inc., a Fulton-based firm led by former National Security Aagency Director Keith Alexander, has raised $7.5 million in equity

Flexera Software Acquires Secunia, Adding Software Vulnerability Management Solutions That Reduce Cybersecurity Risks (RealWire) Flexera Software, the leading provider of next-generation software licensing, compliance, security and installation solutions for application producers and enterprises, announced today the acquisition of Secunia, a leading provider of Software Vulnerability Management solutions that protect organizations against cybersecurity risks

Government contractor SRA Companies withdraws IPO; acquired by CSC in $1.4 billion deal (Nasdaq) SRA Companies, an IT services contractor for US health, civil and national security agencies, withdrew its plans for an initial public offering on Monday. The company originally filed in July for an IPO that we estimated could have raised $300 million

General Electric (GE) Forms GE Digital; Will Integrate Software Center, IT Teams, Wurldtech (StreetInsider) General Electric (NYSE: GE) announced the creation of GE Digital, a transformative move that brings together all of the digital capabilities from across the company into one organization

ThreatTrack Security Appoints Alan Rizek Chief Financial Officer (PRNewswire) Veteran technology CFO brings extensive financial and operational leadership to ThreatTrack

Research and Development

DARPA Protecting Software From Reverse Engineering Through Obfuscation (Threatpost) Researchers with a DARPA-led team are looking into new ways to combat reverse engineering by using obfuscation to tidy up shoddy commercial and government security

Intel Creates Automotive Security Review Board to Promote Vehicular Cybersecurity Research (Legaltech News) Security experts will be given access to Intel's smart-car development platform, most impactful findings will win a new car

Security Patches, Mitigations, and Software Updates

New Debian Releases Fix PHP, VirtualBox Bugs (Threatpost) The maintainers of Debian have released new versions of the operating system to fix several vulnerabilities, including a number of bugs in PHP and an unspecified flaw in Oracle's VirtualBox application

Tor security improves as .onion becomes a special-use domain name (Help Net Security) The .onion domain has been officially designated by the Internet Assigned Numbers Authority (IANA) as a special-use domain name. The move, initiated by the Internet Engineering Task Force (IETF), is meant to make the use of Tor safer

Cyber Attacks, Threats, and Vulnerabilities

Jihadist cyber-attack on Cabinet was entirely avoidable, say experts (SC Magazine) The news that top government ministers may have been hacked by the Cyber-Caliphate has set alarm bells ringing among security experts

Kremlin website became target of massive cyber attack on election day (Trend News Agency) Russian president's official website was targeted by a massive hacker attack during country-wide local elections, but the Kremlin's cyber defenses managed to cope with the situation, spokesman Dmitry Peskov said on Monday

Cisco router attacks duck cyber defenses, hit four countries (Reuters) Security researchers say they have uncovered previously unknown attacks on routers which direct traffic around the Internet, allowing hackers to harvest vast amounts of data while going undetected by existing cyber security defenses

Cisco routers vulnerable to new attack, cyber firm FireEye says (Reuters) Security researchers say they have uncovered previously unknown attacks on the core devices used to route traffic around the Internet, allowing hackers to harvest vast amounts of data while going undetected by existing cybersecurity defences

Windows XP still running on a third of business, public sector PCs in some Eastern European countries (ZDNet) Security company Bitdefenders says many of its clients in Ukraine, Hungary, and Romania continue to rely on the outdated operating system

IT Security Stories to Watch: CVS Confirms Data Breach (MSPMentor) CVS has confirmed its photo website, CVSphoto.com, was breached this summer

Travel apps riddled with security flaws (CSO) The top 10 travel apps in the iOS and Android app stores are all riddled with security flaws, according to a new report from Bluebox Security

Online extortionists reset Android PINs, take data on virtual drives hostage (Lumension Blog) In the last few years extortion has hit computer users, big time

Heartbleed is far from dead. 200,000+ vulnerable devices on the internet (Graham Cluley) Remember Heartbleed? Of course you do. After all, it was the first serious security vulnerability to have a really cool logo

Most DDoS attacks hiding something more sinister, Neustar warns (ComputerWeekly) Smaller DDoS attacks can be more dangerous than a powerful attack that knocks a company offline but does not install malware or steal data, warns Neustar

New malware can make ATMs not give users' card back (Help Net Security) A new type of malware that can be used to compromise ATMs independently of who their manufacturer is, and can make the machine steal card data but also the cards themselves, has been spotted by FireEye researchers

Tracking Bluetooth Skimmers in Mexico, Part II (KrebsOnSecurity) I spent four days last week in Mexico, tracking the damage wrought by an organized crime ring that is bribing ATM technicians to place Bluetooth skimmers inside of cash machines in and around the tourist areas of Cancun

Researchers find backdoor bug in NASA rovers' real-time OS (Help Net Security) A critical, remotely exploitable vulnerability in VxWorks, the world's most popular real-time operating system (RTOS), can be exploited by attackers to gain backdoor access to the systems using it

Smartwatch sensors can be used to eavesdrop on the keys you're typing (Naked Security) Researchers have shown that a smartwatch's motion sensors can be used to detect what keys you're pressing with your left hand (or whatever hand the watch is on) and thus guess at the words you're typing

Study names the five most hackable vehicles (Computerworld via CSO) Intel creates Automotive Security Review Board to look into vehicle cyber threats

Survey: Many agencies suffer frequent insider hacking attempts (Federal Times) In the realm of cybersecurity, insider threats are one of the most potentially dangerous forms of network compromise. As agencies purchase and develop tools to track where their employees go on the network and what they are accessing, a new report shows almost half were targeted by insiders over the last 12 months

Targeted Attacks versus APTs: What's The Difference? (TrendLabs Security Intelligence Blog) A few weeks ago I appeared on the RedZone podcast hosted by Bill Murphy, where I talked about (among other topics) the differences between targeted attacks and what our competitors called Advanced Persistent Threats (APTs)

Academia

Colleges vie to entice students with NSA cyber program (FedScoop) Fourteen colleges are now designated National Centers of Academic Excellence in Cyber Operations by the National Security Agency, a rigorous program started in 2012

Litigation, Investigation, and Enforcement

Tech company: No indication that Clinton's e-mail server was 'wiped' (Washington Post) The company that managed Hillary Rodham Clinton's private e-mail server said it has "no knowledge of the server being wiped," the strongest indication to date that tens of thousands of e-mails that Clinton has said were deleted could be recovered

Homeland Security Shuts Down Library's TOR Node Citing "Situational Awareness" (TechCrunch) In a move that is sure to end well for the Department Of Homeland Security and the police in Lebanon, New Hampshire, officials have asked a New Hampshire public library to shut down its TOR node to prevent terrorism and other mean, nasty things

Public library shelves plans to become part of Tor (Naked Security) The Kilton Public Library in the US town of West Lebanon, New Hampshire is only 5 years old, and its modern sensibilities show: for one thing, it brags about sustainable technologies such as ground source heat pumps and radiant floor slabs throughout

Traders pay $30m to settle newswire hacking case (IDG via CSO) Two defendants settle after a multi-million dollar asset freeze

State looked into hacking software (Des Moines Register) A computer expert with Iowa's executive branch inquired about the cost of Italian-made hacking software used by intelligence and police agencies worldwide to monitor communications, a leaked email shows, but didn't buy the product

Omani on trial for spreading rumours that harmed UAE (The National) An Omani man who is on trial at the Federal Supreme Court for publishing harmful material on social media has claimed he is mentally ill

Dad sues Facebook after 11-year-old shared photos and messages with men (Naked Security) The father of a young girl has sued Facebook for failing to enforce its age restriction policy after claiming his daughter was exposed to sexual predators when she signed up for an account at age 11

Design and Innovation

AVG Releases One-Page Privacy Policy and Challenges Industry to Follow (MarketWatch) Updated one-page policy for AVG's apps designed to be simpler, shorter, and easier to understand

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

upcoming Events

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, September 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel

Gulf Cooperation Council Cyber Security Summit (Abu Dhabi, United Arab Emirates, September 13 - 15, 2015) The GCC Cyber Security Summit will bring together regional and international thought leaders and decision-makers to examine one of the most vital threats to the region's future well-being: cyber-attack. Penetration of national and company security, criminal fraud and identity theft are now big business worldwide among a shadowy fraternity that is only growing in power and size. Recent incidents with film studios, healthcare providers and global banks continue to resonate in cabinet offices and boardrooms everywhere

Hacker Halted 2015 (Atlanta, Georgia, USA, September 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities plaguing the virtual world. Hacker Halted will also feature several highly technical and advanced workshops that cover the most current security topics and will include EC-Council's most sought after certification classes. Hacker Halted runs concurrently with the invitation-only Global CSO Forum

EnergySec 11th Annual Security & Compliance Summit (Washington, DC, USA, September 14 - 16, 2015) For more than 10 years the EnergySec Security Summit has been the premier gathering for stakeholders in the energy sector focused on physical and cyber security. Our summits give each attendee a rare opportunity to mingle with asset owners, government agencies, researchers, consultants, vendors and academia under one roof

Fraud Summit San Francisco (San Francisco, California, USA, September 15, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Among the areas to be discussed are the fraud ecosystem, trends in consumer fraud awareness (what's working and what's not), and threat intelligence

Borderless Cyber 2015 (Washington, DC, USA, September 15 - 16, 2015) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices and tools. Hosted at The World Bank headquarters in Washington, DC, the conference will generate dialogue across government and business, combining high-profile guest speakers, interactive roundtable sessions, and moderated debates. Additional networking events will complement each day's agenda, offering opportunities for real-time collaboration

Detroit Secure World (Detroit, Michigan, USA, September 16 - 17, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Risk management and enterprise cyber defense strategies figure among the agends

Cyber Security Summit: New York (New York, New York, USA, September 17, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services

6th Annual Billington Cybersecurity Summit (Washington, DC, USA, September 17, 2015) Join key leaders and decision makers from government, military and the private sector at this one-day intensive networking event as participants focus on the next generation of solutions to ensure this nation's cybersecurity

Hacker Halted (Atlanta, Georgia, USA, September 17 - 18, 2015) Hacker Halted is a global series of computer and information security conferences presented by EC-Council. The objective of the Hacker Halted conferences is to raise international awareness towards increased education and ethics in IT security

Cyber Security Summit: New York (New York, New York, USA, September 18, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services

Data Breach Investigation Summit (Dallas, Texas, USA, September 21 - 26, 2015) Data Breaches are occurring at an alarming rate and increasing in their scope, frequency and impact and they don't discriminate by industry, geography or organization size. When a breach occurs, organizations, agencies and individuals need to learn how to more effectively, identify/detect that the breach has occurred, respond to the breach in an effective and timely manner, investigate the breach, and prevent/defend the organization from future breaches

St. Louis SecureWorld 2015 (St. Louis, Missouri, USA, September 22 - 23, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. The security implications of the Internet-of-things will be among the topics discussed

OWASP APPSECUSA (San Francisco, California, USA, September 22 - 25, 2015) The premier gathering of developers, security experts and technologists to discuss cutting edge approaches to secure web applications

MeriTalk: Cyber Security Brainstorm (Washington, DC, USA, September 23, 2015) Co-locating with the NIST Cloud Security Working Group, this MeriTalk Brainstorm has an excellent program lined up, featuring keynote speakers Allison Tsiumis (Section Chief, Cyber Intelligence Section, FBI), and the father of the internet, Vint Cerf

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter’s financial reach, or it might just not be the right time for you to do those things. That’s why we launched our new Patreon site, where we’ve created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you’ll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.