Washington, DC: the latest from Borderless Cyber 2015
Borderless Cyber 2015 (OASIS) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices and tools
Challenges and Opportunities: Information Sharing in a Borderless Domain (Day Two) (The CyberWire) Borderless Cyber 2015 concluded at the World Bank in Washington, DC, yesterday. Organized by OASIS, the not-for-profit open standards organization, the conference addressed the challenges and opportunities cyber information sharing presents internationally. Of particular interest in the second day's proceedings were discussions of obstacles to information sharing, the successful transition of STIX/TAXII to non-governmental governance, and the complex security implications of the Internet-of-things
Cyber Attacks, Threats, and Vulnerabilities
Chinese Cyber Attacks On US Military Interests Confirmed As Advanced, Persistent And Ongoing (Forbes) A high-level hacking group dubbed Iron Tiger has been observed stealing trillions of bytes of confidential data from the United States government, US defense contractors and related companies in the United States and abroad, security company Trend Micro reports
DNI: Russians Hacked U.S. Industrial Control Nets (Washington Free Beacon) Moscow setting up cyber command, warfare units
Russia has been using the Duke malware family to spy on other countries since 2008, says F-Secure (Graham Cluley) The Russian Federation has been in cahoots with a cyberespionage gang tasked with collecting intelligence from foreign governments and affiliated organisations via "smash-and-grab" hacking attacks designed to steal as much data as possible in the shortest period of time
ATM malware for stealing payment cards discovered (Engineering and Technology) A new piece of malware designed to infect cash machines to steal payment cards and card-holders' information has been discovered by American cyber-security researchers
To hack an Android phone, just type in a really long password (CNN Money) The latest Android phone flaw is sheer stupidity
The rise of repeated "low and slow" DDoS attacks (Help Net Security) There's been a significant change in the nature of DDoS attacks that is leaving businesses exposed to data breaches and malware
Container security concerns escalate (Help Net Security) 86% of IT decision makers say their companies already deploy containers, or they plan to do so within a year, according to Twistlock. Of these, 35% said containers are already broadly deployed across their networks
230,000 new malware samples detected each day (Help Net Security) PandaLabs has confirmed a record increase in the creation of new malware samples
Significant Threats to Data Security Lurk Within, Professionals Say (BusinessWire) Poll of human resource experts shows widespread concern of internal threats to cybersecurity
What happens when the hackers get hacked: inside the hackers-for-hire business (Information Age) Data from the Hacking Team breach provides a fascinating glimpse into the highly secretive world of the professional surveillance industry
Security Patches, Mitigations, and Software Updates
Cisco Releases Security Updates (US-CERT) Cisco has released updates to address vulnerabilities in Prime Collaboration Assurance, Prime Collaboration Provisioning, and TelePresence Server software. Exploitation of these vulnerabilities could allow a remote attacker to escalate privileges, obtain sensitive information, or cause a denial-of-service condition
Apple Releases Security Updates for OS X Server, iTunes, Xcode, and iOS (US-CERT) Apple has released security updates for OS X Server, iTunes, Xcode, and iOS to address multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system
Internet Systems Consortium (ISC) Releases Security Updates for BIND (US-CERT) ISC has released security updates to address vulnerabilities in BIND. Exploitation of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition
VMware Releases Security Update (US-CERT) VMware has released a security update to address a Lightweight Directory Access Protocol (LDAP) certificate validation vulnerability in vCenter Server. Exploitation of this vulnerability may allow an attacker to obtain sensitive information
WordPress 4.3.1 Security and Maintenance Release (WordPress) WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately
Persistent XSS flaw in SharePoint 2013 revealed, patched (Help Net Security) Among the vulnerabilities patched earlier this month by Microsoft is an important one that endangers users of Microsoft SharePoint 2013, a web application platform in the Microsoft Office server suite that combines a variety of capabilities
Microsoft details how Device Guard fights malware in Windows 10 (Help Net Security) As Windows 10 was being prepared for release, Microsoft presented many new security features (and we've written about some) to be included in the new version of the popular OS
Microsoft expands identity security through new Azure AD features (Windows IT Pro) Today Microsoft's Brad Anderson, Corporate Vice President for Enterprise Client and Mobility, announced over on his In The Cloud blog two new capabilities that the company is making available through its Azure Active Directory service
Cyber Trends
The new art of war: How trolls, hackers and spies are rewriting the rules of conflict (Tech Republic) Cyberwar isn't going to be about hacking power stations. It's going to be far more subtle, and more dangerous
Industrial security awareness continues to remain low (Help Net Security) While traditional manufacturing industries were not designed with security in mind, the proliferation of networks and devices, disparate communication channels, and the use of off-the-shelf software has thrust cybersecurity into the spotlight
Encryption: Whose keys are they, anyway? (Help Net Security) Over the past year, encryption has been showing up in a number of unlikely places
Users want data leakers hit by fines and compensation claims (MicroScope) The channel should be at the forefront of leading efforts to encourage users to get on top of data breaches as users express frustration with the current situation
Cyber Attacks From Middle East Increasing (National Defense) Cyber attacks originating from Middle Eastern countries such as Syria and Iran are expected to increase over the next several years, said one defense expert Sept. 16
Australia a top-10 attacker as cybercrims target mobile-commerce growth (CSO) Mobile usage surged in the second quarter to the point where mobile devices accounted for 31 percent of all transactions, according to new research that pegged Australia in the global top 10 for attack origins and warns of an increased mobile-security threat as cybercriminals respond to changing usage patterns with intense targeted attacks
'Hackers' at 20 (Christian Science Monitor Passcode) How a 20-year-old, mostly inaccurate flop predicted the future, reshaped sci-fi, and won over the real hacker community
Marketplace
Cyberinsurance: Protective or Perilous? (Legaltech News) While it's not a replacement for IT security, cyberinsurance creates a second line of defense to mitigate cyber incidents. But it can also pose new problems
HP to lay off 30,000 employees, turn to more automation and outsourcing (FierceCIO) HP announced Tuesday that it will be cutting 25,000 to 30,000 jobs in the Hewlett Packard Enterprise division
Kaspersky, Prodata win Belgian govt security contract (Telecompaper) Kaspersky Lab and integrator Prodata Systems have won a contract to provide security services to Belgian state institutions such as the police and public prosecutors
TRU Staffing Partners Expands Cybersecurity Practice, Acquires Kennett Group (Legaltech News) TRU Cyber, led by Jeff Scarpitti, will focus explicitly on cybersecurity staffing and career management
Products, Services, and Solutions
FS-ISAC Announces Arrangement with Federal Reserve Banks to Share Threat Intelligence (Dark Reading) The Financial Services Information Sharing and Analysis Center (FS-ISAC) today announced an arrangement with the Federal Reserve Banks to provide direct access to FS-ISAC security threat information to over 10,000 of their financial institution customers
BT Tests Banks with New Ethical Hacking Service (Infosecurity Magazine) Global telecoms and services giant BT has launched its first ethical hacking service for financial institutions, backed by non-profit information assurance body CREST
ObserveIT Intros Insider Threat Platform (Channel Partners) Today, ObserveIT, the leader in user activity monitoring and analytics, announced the release of ObserveIT 6.0, which provides the first insider threat platform to protect enterprises from data loss, fraud and IP theft across third-parties, privileged users and business users
Optiv Security Goes Vertical With Launch Of Dedicated Financial Services Practice (CRN) Optiv Security has launched a dedicated practice to tackle the continued cybersecurity challenges faced by the financial services industry, the company said Wednesday
IID Launches 'Rapid Insight,' Safe Browsing Tool (Dark Reading) Fortune 100 companies and government agencies already using Rapid Insight to gather contextual information about threats
iovation Launches Enhanced Search and Reporting Capabilities for Online Fraud Detection (Sys-Con Media) Centralizes and correlates iovation's threat intelligence with customer transactional data; ensures faster and more effective fraud determination
DomainTools' Iris interface speeds up cybercrime investigations (IDG via CSO) The vast amount of data collected by the company will be easier to sort through with the new platform
Secude announces a new release of halocore, its flagship data protection solution for SAP users (EIN News) Halocore enables SAP customers to identify sensitive data exports with context-aware classification, track and analyze all download activity from SAP applications, and prevent potential data loss
Koolspan announces reseller agreement with Samsung Electronics America (Koolspan) KoolSpan, Inc., a leading provider of interoperable secure voice and messaging solutions for mobile devices, today announced that Samsung Electronics America, Inc. has selected KoolSpan to further enhance enterprise mobility for business customers in the U.S
Encryption project issues first free SSL/TLS certificate (IDG via CSO) Let's Encrypt plans to distribute certificates more widely in the next couple of months
Trustwave Unveils New Cloud-Based Secure Mobility Platform (MarketWired) Delivers security to proactively protect and defend businesses' fleets of mobile devices
Technologies, Techniques, and Standards
What the military learned from OPM (FCW) In the wake of the mammoth Office of Personnel Management breach, the Defense Department joined the rest of the federal government in some serious cybersecurity introspection and improvement
8 Lessons to Learn from the Sony Breach (Security Magazine) Last year, Sony Pictures Entertainment suffered one of the largest and most public cybersecurity breaches in history
Forecasting a Breach Is Like Finding a Needle in a Haystack — Not That Tough (IBM Security Intelligence Blog) This year has seen plenty of breaches, and it's not even over yet. Numerous reports show that the number of breaches in 2015 has rivaled 2014, but not many of them are making the evening news — other than the recent hack of Ashley Madison — because breaches are sadly becoming commonplace
Should risk management planning include root cause analysis? (TechTarget) Incorporating root cause analysis in risk management planning could be beneficial to developing a security plan, but is it the best time for it?
DDoS prevention: The latest means and methods (Tech Target) Last year distributed denial-of-service attacks, also known as DDoS, rose to record levels of not just frequency but also strength
The cost of a data breach and how to avoid paying it (SC Magazine) As cyber-attacks become increasingly common, it's important that businesses understand the true cost of data breaches
Why background screening is vital for IT security (Help Net Security) Which security controls are the most important in thwarting cyber crime against businesses? Anti-malware? Physical security? According to a recent survey, people are a main concern
Design and Innovation
Here's why complex security and endusers don't mix (Sophos) Security is really all about your endusers. And that's a problem, because when one user does something wrong, it has the potential to bring down the whole company
Research and Development
Galois to Support DARPA's Data Privacy Research Program (GovConWire) Galois in Portland, Oregon, has won a $6.8 million contract to help the Defense Advanced Research Projects Agency conduct data privacy and privacy science studies
Legislation, Policy, and Regulation
China is trying to get US tech companies to agree to a strange pledge (Reuters via Business Insider) China is asking some U.S. technology firms to directly pledge their commitment to contentious policies that could require them to turn user data and intellectual property over to the government
David Thompson: Adversaries Aware of US' Space, Cyberspace Dependence (ExecutiveGov) Maj. Gen. David Thompson, vice commander for Air Force Space Command, has discussed the growing role of space and cyberspace in military operations with Air Force Times in an interview published Saturday
FBI, DOJ want tech industry to find workaround to 'warrant-proof' encryption (Christian Science Monitor Passcode) At an event in Washington Tuesday hosted by Passcode, a top FBI official asked the tech sector to develop solutions for law enforcement to access secure data with a warrant — a notion technologists said would weaken security for everyone
Obama faces growing momentum to support widespread encryption (Washington Post) White House officials have backed away from seeking a legislative fix to deal with the rise of encryption on communication devices, and they are even weighing whether to publicly reject a law requiring firms to be able to unlock their customers' smartphones and apps under court order
Why the U.S. Doesn't Deserve a Back Door to Your Data (Slate) Because it can barely keep its own data safe
SEC to Start Second Round of Cyber Exams, Issues Risk Alert (ThinkAdvisor) OCIE exams to include 'more testing to assess implementation of firm procedures and controls'
Senators ask automakers for cyber security details (Business Insurance) Two U.S. senators have asked the world's biggest automakers for information on steps they have taken
Federal CIOs see silver lining in OPM data breach (Federal News Radio) After more than a decade of trying to convince, cajole and warn non-IT executives and employees about the dangers of not paying close attention to cybersecurity, the Office of Personnel Management's massive data breach may have just done the trick
Army surges cyber team development (C4ISR & Networks) The Army's cyber evolution continues with the fielding of cyber protection teams: highly trained groups of soldiers that will target emerging threats
Jeb Bush says people need to stop "demonizing" the NSA (Naked Security) Among the Republican candidates for US president, Jeb Bush is something of a cybersecurity policy wonk
Litigation, Investigation, and Law Enforcement
Data Breach Liability and Outsourcing Relationships (New York Law Journal) In August 2015, a group known as the "Impact Team" leaked the customer records of some 32 million users of AshleyMadison.com, the "most famous website for discreet encounters between married individuals"
Overview of Requirements for Responding to a Data Breach (National Law Review) With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues
With Clinton's Private Server, 'Didn't Break Laws' Doesn't Mean 'Kept Top Secret Emails Safe' (Huffington Post) One can abide by the law and simultaneously behave in an immoral or unwise manner
Google found guilty of violating antitrust laws (Naked Security) Yandex — the "Google of Russia" — has prevailed in getting the country's antimonopoly watchdog agency to rule that Google has abused its dominant position in the market with Android
Russian national pleads guilty to breaking into corporate networks, stealing 160M credit cards (FierceGovernmentIT) In what the Justice Department says is the largest scheme of its kind ever prosecuted in the United States, a Russian national pleaded guilty Sept. 15 to breaking into the corporate computer networks of NASDAQ, Dow Jones, 7-Eleven and JetBlue, among others, and compromising more than 160 million credit card numbers that resulted in hundreds of millions of dollars in losses
I must not tweet defamatory comments… I must not tweet defamatory comments… I must not.… (Naked Security) When I was a lad — a long time ago now — my school still employed corporal punishment
Kim Dotcom of Megaupload will finally face the music over extradition (Naked Security) It seems like ages since we last wrote about Kim Dotcom
Cyber attack testing case closed by FDLE, no suspects identified (Orlando Sentinel) The cyber attacks against Florida's school testing system this spring likely were orchestrated by computer hackers outside the United States, though the state's top law enforcement agency has closed its investigation without identifying any suspects