The CyberWire Daily Briefing 10.23.15

Summary

By The CyberWire Staff

The curtain parts a bit on the implausibly deniable Russian espionage operation "Pawn Storm." It apparently established rogue VPN and SFTP servers to monitor Netherlands Safety Board employees investigating the crash of MH17, the Malaysian 777 shot down over Eastern Ukraine in July of last year. The airliner is widely thought to have been destroyed by nominal separatists operating under Russian military direction. (Russian authorities deny the charge.)

Wikileaks' DCI document dump continues to strike observers as pointless (and the CIA as illegal): NBC News, for example, describes the material as "neither classified nor revelatory." The "Crackas with Attitude" who claimed responsibility for the socially engineered caper remain at large, for now...straight outta...Nutley? Ronkonkoma?

TalkTalk suffers a breach which the major UK telecom calls "significant, and may affect several million customers. An Islamist group based in Russia claims credit, but it's early for attribution. Much of the material compromised may have been unencrypted.

More British online retailers join Aria in facing denial-of-service disruptions. Aria's offer of a reward for action against the extortionists prompts much discussion. Some observers remind the community that there are well-understood mitigations for DDoS attacks.

A major malvertising campaign is targeting German users of popular services including eBay and T-Online.

Joomla patches an SQLi flaw. Users find issues in recent Apple upgrades of El Capitan (Office for Mac problems) and Google's "tweaks" to Google App Engine for Java (sandbox escapes).

China moves to consolidate its cyber organizations as it negotiates a cyber deal with the UK.

Notes.

Today's issue includes events affecting China, Iraq, Netherlands, Russia, Syria, United Kingdom, and United States.

We'll be covering CyberMaryland next week. Watch for special issues devoted to the conference and some of the other events planned for Baltimore next week, including the induction of the National Cyber Security Hall of Fame's class of 2015.

Selected Reading

Cyber Trends

Ventured: Cyber Hacking Is The New Global Battlefield (TechCrunch) Kevin Mandia and his security company, Mandiant, are probably most well known for their 2013 report exposing APT-1, one of China's espionage units

Space age perils: hackers find a new battleground on the final frontier (Reuters) Space, the 'final frontier', is rapidly becoming an extra-terrestrial battleground for corporate espionage and other types of cyber attack as hackers seek to gain commercial advantage from rival networks operating in the $330-billion space economy

Tech-savvy users are actually the worst offenders (Help Net Security) Even as businesses and the federal government have made cybersecurity a high priority, 93% of office workers engage in some form of unsafe online habits that could jeopardise their employer or their customers, according to Intermedia

Businesses are over-confident when it comes to data breach defences (IT Pro Portal) A new piece of research has raised further worries about data breaches, and specifically, the perception gap between the number of businesses who believe they've experienced a breach, and the actual numbers of data breaches occurring

New Technology Won't Remove Endpoint From The Bullseye (Dark Reading ) Dark Reading Radio guests from endpoint security vendor Tanium and Intel Security/McAfee may have different product views, but they concur on the problems plaguing end user machines

Experts urge caution when putting health data in the cloud (Dark Reading ) Health care has become a favorite target for criminals

SA surfers underestimate cyber vulnerability (ITWeb) Many consumers underestimate how vulnerable they can be online and behave accordingly — they fail to properly protect devices and data from theft or loss

Legislation, Policy and Regulation

UK/China cyber security deal: National security attacks still OK, it seems (Register) Adds to the pageantry of Xi Jinping's visit, if nothing else

Britain's Former Spy Chief Talks Terrorism, Mass Surveillance (Here and Now) Sir John Sawers led MI6, the United Kingdom's government intelligence agency from 2009 to 2014. Now chairman of Macro Advisory Partners, Britain's former top spy talks with Here & Now's Jeremy Hobson about terrorism, mass surveillance and geopolitics

China Military Seeks to Bring Cyber Warfare Units Under One Roof (Bloomberg) China's military chiefs are seeking to unify the country's cyber warfare capabilities as they build a modern fighting force that relies less on ground troops

Controversial cyber security bill advances in Senate (Reuters via Business Insurance) A long-delayed bill that would make it easier for corporations to share information about cyber attacks with each other or the government without fear of lawsuits advanced in the U.S. Senate with strong support from members of both parties on Thursday

Tech Giants Oppose US Threat Intel Sharing Bill (Infosecurity Magazine) Apple and Dropbox have joined a long list of big name tech companies opposed to a new cyber security information sharing bill passing through Congress

How a law making car hacking illegal could make us all less safe (Naked Security) Two troublesome words tucked into proposed US legislation related to cybersecurity for cars and trucks could have some unintended consequences for vehicle security if it ever becomes the law of the land

OMB proposes major update to policy for acquiring, managing and securing IT (FierceGovernmentIT) After 15 years, the Office of Management and Budget issued a draft update to the major policy that governs how agencies plan, budget, acquire, manage personnel, secure, share and maintain information technology resources

A 'Cyber Party' with John McAfee and the White House Cybersecurity Czar (New America) For October's National Cybersecurity Awareness Month, The Cybersecurity Podcast team is bringing you an hour-long special episode featuring White House Cybersecurity Coordinator Michael Daniel, and John McAfee, the security pioneer who just founded his own political party — the Cyber Party — and is running for President of the United States

Products, Services, and Solutions

Versasec Introduces vSEC:CMS v4.2 Smart Card Lifecycle Management (PRLog) Versasec creates two distinct products, adds increased speed and scalability features and simplifies pricing

Free PCI and NIST compliant SSL test (Help Net Security) High-Tech Bridge announced a free online service designed to check SSL/TLS security of a web server. It performs four distinct tests

Chase's tweet backing PIN credit cards was a mistake, bank says (CSO) Bank has no plans to back chip-and-PIN credit cards

Check your Facebook settings to make sure your posts aren't searchable (Naked Security) Back in December last year, Facebook introduced keyword searching on your or your friends' past posts

Synack Hydra Is Designed to Help Security Researchers Find Threats (eWeek) Synack announced Hydra, a new tool designed to enable its researchers to work faster to find new threats

Hexis Cyber Solutions Releases HawkEye G 3.1 with Extended Support Coverage for Windows 10 and Linux Platforms (Nasdaq) Hexis Cyber Solutions Inc. (Hexis), a wholly-owned subsidiary of The KEYW Holding Corporation (NASDAQ:KEYW), and a provider of advanced cybersecurity solutions for commercial companies and government agencies, today announced significant enhancements to its integrated cybersecurity platform, HawkEye G

Privacy Advocates Launch Anonymous Calling App (Hack Read) For those who seek privacy while working online, you now have a solution in "Warble," an anonymous calling app for Android, iOS and Windows OS

Technologies, Techniques, and Standards

NSA advisory sparks concern of secret advance ushering in cryptoapocalypse (Ars Technica) Once elliptic curve crypto was viewed as a savior. Now its future looks doomed

3 Points on Managing Service Providers for Data Security (Legaltech News) Mayer Brown webinar examines the data security risks compounded by reliance on contractor networks, and the best ways to mitigate those risks

Data breach strategies and cyber risk management for the enterprise (Enterprisers Project) Data breach strategies and cyber risk management for the enterprise

Passing the Sniff Test: Security Metrics and Measures (Dark Reading) Cigital dishes dirt on top security metrics that don't work well, why they're ineffective and which measurable to consider instead

Compliant does not equal protected: our false sense of security (CSO) Being compliant does not mean your organization is safe, nor does it mean that your organization is immune to repercussions at the hands of a data breach

The Scary Truth About Data Breach Fatigue: It's Here to Stay (Credit.com) Increasingly, in the aftermath of a big news data security item — whether it takes the form of a high-profile mega breach (think: Office of Personnel Management, Anthem, Sony Pictures, Home Depot, Target) or a low-tech data grab — an odd phenomenon happens

Engage all levels of employees to achieve effective cyber security (Business Insurance) As emerging technologies introduce new security risks to businesses, risk managers should have a solid plan in place to both prevent and respond to a potential cyber attack, according to a recent panel of insurance industry experts

Marketplace

On the hunt for merger or acquisition? Make sure your target is secure (CSO) Given numerous examples of catastrophic security risks from third-party relationships, the merger and acquisition industry needs to get caught up

Raytheon Posts 3Q Profit Decline on Websense Costs, Boosts Full-Year Revenue Guidance (GovConWire) Raytheon (NYSE: RTN) — one of 30 companies listed on Executive Mosaic's GovCon Index — has reported third quarter earnings of $1.47 per share, a 10.9 percent decline from the same period in 2014 and 4 cents above Wall Street expectations

Fortinet —12.2% due to Q4 guidance; PANW, FEYE, CYBR also drop (Seeking Alpha) …Fortinet has fallen to $37.95 after hours. Rival Palo Alto Networks (NYSE:PANW), which is also dealing with high expectations, is down 3.3%. FireEye (NASDAQ:FEYE) is down 2%, and CyberArk (NASDAQ:CYBR) down 1.8%.

Fortinet, Inc. (FTNT — $43.24) Company Update: Delivers Good, But Not Great, 3Q Results; Prove-Me (FBRFlash) From a headline perspective, Fortinet beat the Street's top line, bottom line, and billings estimates

In run-up to splitsville, HP sells TippingPoint to Trend Micro for $300M (FierceITSecurity) In the run-up to its split into two companies, HP is selling its intrusion prevention system and network security provider TippingPoint to Trend Micro for $300 million

Iceberg, dead ahead! VMware investors jump ship (MicroScope) The jewel in the Federation's crown appears to be drifting slowly towards the seabed, as Dell and EMC announce cloud plans

Citrix CEO departs as EUC industry shakeup continues (TechTarget) Mark Templeton's tenure as Citrix CEO has abruptly come to an end, leaving Citrix users to wonder what's in store for the company's future

Research and Development

DARPA sets its sights on image manipulation (Naked Security) Thank goodness TMZ revealed that the Hollywood Life UNTOUCHED AND PRE-PHOTOSHOP images of Kim Kardashian's butt-baring photo from Paper magazine last year were fake

Security Patches, Mitigations, and Software Updates

Joomla releases patch for serious SQLi flaw (IDG via CSO) The secure version is 3.4.5

High Severity Flaws Found in iniNet ICS Software (SecurityWeek) Swiss-based visualization and automation solutions provider iniNet Solutions GmbH has released updates to address several vulnerabilities identified by Positive Technologies researchers in some of the company's products

Apple closes a raft of "drive-by download" holes in OS X and iOS (Naked Security) If you're one of those people who waits for the first update to an update before you install it…and you're also an OS X or an iOS user, then your number's just been called

After Wednesday's El Capitan update, some users report lingering problems with Office for Mac (FierceCIO) There are high hopes that Apple's release yesterday of OS X version 10.11.1 will fix problems with Office for Mac that have plagued some users for about a month, although some early reports suggest issues remain

Custom Google App Engine Tweak Still Leads to Java Sandbox Escapes (Threatpost) A tweak carried out by Google in the Google App Engine for Java continues to stir up security concerns

Cyber Attacks, Threats, and Vulnerabilities

Russian cyberspies targeted the MH17 crash investigation (CSO) The Pawn Storm cyberespionage group set up rogue VPN and SFTP servers to target Dutch Safety Board employees

WikiLeaks Releases Second Batch From CIA Boss John Brennan's Email (NBC News) WikiLeaks released two more documents and a list of contacts from CIA Director John Brennan's personal email account on Thursday — and again the material was neither classified nor revelatory

TalkTalk discloses possible breach, admits some data not encrypted (CSO) This marks the second time TalkTalk has been targeted this year

TalkTalk cyber-attack: Website hit by 'significant' breach (BBC) Police are investigating a "significant and sustained cyber-attack" on the TalkTalk website, the UK company says

Online accounting software Xero tells users to reset passwords, after accounts breached (Graham Cluley) Cloud-based accounting service Xero has told its customers to reset their passwords after a "small number" of users had their accounts compromised

Kampagnen Malvertising Campaign Goes After German Users (Malwarebytes Unpacked) A large malvertising campaign is currently targeting German users on some popular web sites such as eBay.de or T-Online.de, the latter being a top ISP

More e-tailers suffer disruption after Aria DDoS sting (CRN) Overclockers becomes latest UK e-tailer to suffer website disruption this week

Can bounty hunters stop the DDoS gangs? (SC Magazine) Is the idea of putting a cash bounty on hackers an effective way to disrupt or stop DDoS attacks, or a vigilante action that takes time and money from the business of protecting networks?

Tech support scammers put Mac owners in crosshairs (Computerworld via CSO) Browsing to dodgy sites trigger fake warnings that urge users to call for support

Think twice about Android root (Help Net Security) In recent years the practice of Android rooting, that is the process of allowing an Android phone or tablet to bypass restrictions set by carriers, operating systems or hardware manufacturers, has become increasingly popular

Smartwatch — A Fashionable and Dangerous Gadget (Infosec Institute) Although the market for smartwatches is still in its infancy, there has been a steady increase in the popularity of this sophisticated technological gadget

Chattering Wi-Fi devices are a short hop away from the crown jewels of your network (Graham Cluley) The revelation that security failures had been uncovered in a Wi-Fi Kettle, and that they could be exploited to break into your home network, made big headlines this week

Analysis: How Malware Creators Use Spam to Maximize Their Impact (Heimdal) If it works, why change it?

Malware on a multi-year tear, says G DATA report (FIerceITSecurity) Security researchers at German antivirus firm G DATA have found a 64.8 percent spike in new malware strains for the first half of 2015 compared to the first half of 2014

In testimony, GAO warns of cyber vulnerability in the nation's power grid (Fedscoop) While the federal watchdog identified that progress has been made, it contended that "continued attention" is necessary to secure power infrastructure

Nuclear, grid regulators compare notes on cyberdefense (E&E News) Regulators of the nation's nuclear plants and high-voltage power lines met yesterday for a top-level review of threats and hurdles each faces from cyberattacks, natural disasters and the grid's disruptive transitions

Researchers Prove Connected Cars Can Be Tracked (IEEE Spectrum) Connected cars that communicate with other vehicles or transport systems to improve safety and traffic flow can easily be tracked, a security researcher has shown

Litigation, Investigation, and Enforcement

Data-Security Assessments? You're Going to Want a Lawyer for That (JDSupra) These days, data breaches and cybersecurity attacks abound

FBI director dodges questions about Clinton's email (Washington Examiner) Federal Bureau of Investigation Director James Comey appeared before a House Judiciary Committee Thursday morning, but refused to answer questions pertaining to the FBI's investigation into Hillary Clinton's use of a private email server

FBI's Advice on Cryptolocker? Just Pay The Ransom. (Security Ledger) The nation's top law enforcement agency is warning companies that they may not be able to get their data back from cyber criminals who use Cryptolocker and other malware without paying a ransom

Federal agents will no longer use 'Stingray' cellphone trackers without warrants (USA Today) Immigration, Secret Service, and Homeland Security investigators must now obtain search warrants before using "Stingray" trackers that reveal the locations of scores of cellphone users, a Department of Homeland Security official told a House panel Wednesday

Should C-level execs face prison for data breaches? (IT Pro Portal) As data theft disclosures hit the headlines in 2015, organisations' dependence on security professionals and senior managers to protect their networks and business critical data has come under serious scrutiny

New charge in Minnesota Islamic State case (KIMT) Five Minnesota men accused of plotting to join the Islamic State group are charged with a new count of conspiracy to commit murder outside the United States, according to a superseding indictment filed Wednesday that offers new details about steps the men took as they allegedly planned to get to Syria

Design and Innovation

The problem with 'pumpkin spice' security bugs (Engadget) When asked, "Why give a vulnerability a website, logo and brand image?" many infosec professionals will confidently answer that flamboyant bugs raise awareness toward fixes

Privacy by Design Does Not Sacrifice Security (eSecurity Planet) Big Data needs big privacy, says privacy expert at SecTor Security conference

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Moving Beyond Breaches: The Practice and Potential of Cyber Insurance (New York, New York, USA, October 26, 2015) Join Just Security and New America's Cybersecurity Initiative for conversations with leading experts in cyber security policy and practice to discuss the mechanics of cyber insurance and how to reinvigorate a moribund insurance marketplace

Cybersecurity, the SEC and Compliance (New York, New York, USA, November 18, 2015) The recent SEC CyberSecurity Examination Initiative focuses on information safeguards for financial services organizations. Are you prepared? Please join us for a panel discussion on what cybersecurity means to your business and how the new SEC requirements affect your firm. The panel consists of professionals from the Cyber Security, Legal, Insurance and IT systems management industries. (RSVP as seating will be limited)

upcoming Events

Cyber Defense San Diego 2015 (San Diego, California, USA, October 19 - 24, 2015) Cyber security training in San Diego CA from SANS Institute, the global leader in Information Security training. SANS Cyber Defense San Diego 2015 features hands-on, immersion-style training courses for security professionals at all levels. Many of these security courses have Certifications that are aligned with DoD Directive 8570/8140 and most courses at this event are associated with GIAC Certifications. SANS delivers unparalleled security training with world-class Instructors

Ruxcon 2015 (Melbourne, Australia, October 24 - 25, 2015) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities and demonstrations presented by security experts from the Aus-Pacific region and invited guests from around the world. Ruxcon is widely regarded as a leading computer security conference within Australia attracting all facets of the security landscape from industry, academics, to enthusiasts

2015 North American International Cyber Summit (Detroit, Michigan, USA, October 25 - 26, 2015) The North American International Cyber Summit 2015 hosted by Michigan Governor Rick Snyder, is set to take place in the heart of Downtown Detroit at the newly remodeled Cobo Center for the second straight year. As in the previous three sold-out summits, this year's event will bring together experts from across the globe to address a variety of cybersecurity issues impacting the world of business, education, information technology, economic development, law enforcement and personal use

ICS Cyber Security Week (Atlanta, Georgia, USA, October 26 - 29, 2015) ICS Cyber Security Week is the longest-running cyber security-focused conference dedicated to the industrial control systems sector. The event caters to critical infrastructure organizations in the following sectors: energy, utility, chemical, transportation, manufacturing, and many more

Cyber Awareness & Technology Days (Colorado Springs, Colorado, USA, October 27 - 28, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter http://www.issa-cos.org will once again host the 6th Annual Cyber Security & Information Technology Days set to take place at Peterson AFB on Tuesday, October 27, 2015 and at Ft Carson on Wednesday, October 28, 2015. Both events are being conducted in October to coincide with National Cyber Security Awareness Month as a way to encourage collaboration between local military personnel and industry partners. Government and Industry experts will be on hand to brief attendees on the latest trends, best practices and remediation strategies, in the cyber security field. These one day forums will offer Cyber Security & Information Technology personnel a unique, local opportunity to get up-to-date informaton on rapidly evolving security security challenges

Designing Secure Healthcare Systems (Long Branch, New Jersey, USA, October 27 - 29, 2015) Designing Secure Healthcare Systems is a three day intensive and immersive workshop…by healthcare hackers for healthcare technologists. Over the three days you will go from the basics of SQL injection to the over the top advanced concepts used to break code — you will learn not just by watching — but by doing. Regardless of your programming background or technical focus, you will walk away much better prepared to design and develop secure healthcare information technology systems

Technology & Cyber Awareness Day (Aurora, Colorado, USA, October 28, 2015) The Buckley Air Force Base Technology & Cyber Security Day is a one-day event held on-site, where industry vendors will have the opportunity to display their products and services to IT, Comm, Cyber and Intelligence personnel. FBC will invite personnel from all major units and tenants at Buckley AFB, including ADF personnel

Cloud Security Alliance Summit NYC 2015 (New York, New York, USA, October 28, 2015) The full-day Cloud Security Alliance NYC Summit is a standalone event in Manhattan. Co-hosted by the CSA NY Metro and CSA Delaware Valley chapters, some 200 well-qualified attendees are expected. The theme is "Enterprise Lessons Learned in Cloud Security," with experts from financial services and other key industries. Viney Patel, Director, Global Head of Information Security at Citi Technology Infrastructure and Dan Reynolds, VP, Chief of Security and Information Architecture at Omnicom Media Group will be keynote speakers

Data Breach Summit Asia 2015 (Mumbai, India, October 28, 2015) As Cyber Security continues to become a challenge for all industries, ISMG's Data Breach Summit a unique, one-day event will focus on the issues to help the participants learn more about how to prevent cyber security breaches as well as how to mitigate the situation should a breach occur. The summit will provide an unparalleled platform to the attendees to engage in dialogue on real-world solutions protecting their organisations

CyberMaryland 2015 (Baltimore, Maryland, USA, October 28 - 29, 2015) Now entering its 5th year, the Federal Business Council is proud to bring you the CyberMaryland 2015 Conference. The conference theme this year is "Collaborate.Educate.Innovate"

Cyber Security World 2015 (Washington, DC, USA, October 28 - 29, 2015) Cyber Security World 2015 brings together security experts, practitioners, and researchers who will share their firsthand knowledge and open the discussion to information sharing between public and private sector attendees. Join us in Washington, D.C. for two days of deep dive discussion on cybersecurity management and strategy, operations, cybercrime, and privacy. You're sure to walk away with new ideas you can implement in your organization to combat the cyber threat

Hackito Ergo Sum (Paris, France, October 29 - 30, 2015) No commercial content, no vendor talk. First time presenters welcome. Highly technical talks only. Bonus point for offensive and weird ideas. Areas and domains: systems hacking & security, network hacking, non-x86 exploitation, mobile hacking, offensive forensics, hardware & firmware hacking, brain hacking, automated hardware reverse engineering

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.