The CyberWire Daily Briefing 10.26.15

Cyber Trends

Why IoT Security Is So Critical (TechCrunch) Twenty years ago, if you told me my phone could be used to steal the password to my email account or to take a copy of my fingerprint data, I would've laughed at you and said you watch too much James Bond

As more devices go online, hackers hunt for vulnerabilities (Baltimore Sun) The hack was simple. Terry Dunlap tapped out a few commands on his laptop and within seconds a message popped on the screen: "Done!" With a few more keystrokes, he could see what the security camera could see and swivel it at will

The Internet of Things: Stop the things, I want to get off! (Naked Security) Last week was week four of Cybersecurity Awareness Month (CSAM) and the theme was Your Evolving Digital Life

Cyber-Vulnerability Of Physical Security Systems: Lessons From 2008 Turkish Pipeline Explosion (SourceSecurity) Discussions in our industry about cyber-threats to physical security systems, including IP video, often center around hypotheticals

Five Ways Shadow IT in the cloud hurts your enterprise (Network World) According to the Skyhigh Networks Cloud Adoption & Risk Report Q2 2015, the average enterprise now uses 1,083 cloud services. That astounding figure is almost 50% higher than this time last year, and up 100% from two years ago

The Dark Web for Dummies, Part Two: Why the Dark Web Matters (ZeroFOX) In our last installment we learned about the dark web and where it came from. If you missed it, you can catch it here. In short, the dark web, as most people know it in the form of The Onion Router (or TOR), was created by the United States government as a way to help people connect to the internet anonymously

Over half of worldwide news media outlets have suffered some form of cyber-attack (The Drum) Over 50 per cent of media companies across the world have been victim to some sort of cyber-attack according to a global study by Newscycle Solutions

Australia falling behind in cyber-attack protection, report says (SBS News) A new report has found Australia is falling behind countries like Japan and South Korea in its ability to protect itself from cyber attacks

Legislation, Policy and Regulation

Four things to know about new net neutrality rules (Help Net Security) Net neutrality is crucial to the future development of the Internet. It is the principle that all online traffic should be treated equally, regardless of the type of content or platforms involved

Seoul seeks hacker troops to fend off North Korean cyberattacks (Washington Post) A new army of South Korean soldiers was intently focused on fending off the enemy attack. Where were they coming from? What tactics were they using? And how best to neutralize them?

South Korea's defence ministry to welcome tech-savvy 'white-hat' hackers team to fight cyber warfare (International Business Times) The South Korean defence ministry has undertaken a new initiative to fight against cyber-attacks, which are prominent in the 21st century, by conducting a "White Hat" hacking competition to select the best hackers across the nation

'Indian enterprises not doing enough to share information on cyber attacks' (Economic Times) Indian enterprises have done little to share information on cyber attacks, at a time when the US is in the middle of deciding on the Cyber Security Information Sharing Act that would make the process easier

White House backs CISA despite privacy groups' concerns (Daily Dot) The White House and the Department of Homeland Security have endorsed a controversial cybersecurity bill that the Senate is expected to pass early next week

Battle Continues Over Information-Sharing Bill (eWeek) The Cybersecurity Information Sharing Act pits privacy-focused consumer advocates against government efforts to open the door to information sharing

Five players to watch in Senate cyber fight (The Hill) The final battle over the Senate's biggest cybersecurity bill in years is slated to take place Tuesday on the floor of the upper chamber

American Watchdog Imposes New Cybersecurity Regulations (Finance Magnates) The newly approved information protection program includes several measures meant to prevent identity theft and hacking

Health and Human Services Raises Bar for Risk Analysis with latest HITECH Rules (Digital Guardian) Organizations will need to match features to security mitigations in qualifying electronic health records systems

Hacked Opinions: The legalities of hacking — Simon Crosby (CSO) Simon Crosby, from Bromium, talks about hacking regulation and legislation

Products, Services, and Solutions

Government Acquisitions, Inc. Launches New Hyperconverged Analytics Platform Solution (Government Acquisitions) Government Acquisitions, Inc. (GAI), a leading Federal Information Technology (IT) solutions provider and small business, today announced the launch of their Hyper Converged Analytics Platform (HyperCAP) — an end-to-end data analytics solution. Integrated and optimized with best-of-breed commercial-off-the-shelf (COTS) technologies from Dell, Palo Alto Networks, Nutanix, and Splunk Inc., the HyperCAP solution enables Federal agencies to harness powerful analytics for IT and security operations

Dell extends end-to-end security offerings (ChannelWorld) Dell announced a new, full range of security solutions that enable customers to implement a comprehensive enterprise security strategy to protect their organization from evolving threats while strengthening business agility

Microsoft doesn't see Windows 10's mandatory data collection as a privacy risk (IDG via CSO) Exec says telemetry data is key to improving the operating system

Google Expert on Windows 10 Security: Two Steps Forward, One Step Back (Softpedia) Microsoft has improved some features but failed with others

Fortinet's New Solution To Thwart Cloud-Security Breaches (CSO Today) After posting a strong financial third quarter, Fortinet has strengthened focus on cybersecurity to remain profitable

Technologies, Techniques, and Standards

NIST rides identity, privacy momentum with two new projects (FierceGovernmentIT) The National Institute of Standards and Technology is collaborating on two new projects that aim to foster the development of privacy-enhancing technologies

NSA's Divorce from ECC Causing Crypto Hand-Wringing (Threatpost) The National Security Agency has long cuddled up to Elliptic Curve Cryptography, swaying standards bodies away from RSA crypto and toward ECC in the late 1990s, as well as recommending it as a strong enough solution for sensitive government agencies to use in guarding their biggest secrets

New Approaches to Vendor Risk Management (Dark Reading) The key to managing partner security risk is having truly verifiable evidence

Social engineering: Employees could be your weakest link (Computerworld) Business leaders should be aware of the risks that social engineering can pose to their operations, reputation and customers

Are mobile persistent cookies a threat to enterprise data security? (TechTarget) While cookies can be helpful, mobile persistent cookies can pose a serious threat to users and enterprises

Marketplace

Machine learning key to 'rethinking everything' at Google, says CEO Pichai (FierceCIO) Google's new CEO Sundar Pichai called the company's efforts in machine learning a "priority" during Alphabet's financial call Thursday

Why Corporate Boards Are Picking Women to Fill Cybersecurity Posts (Bloomberg Business) Earlier this year, American International Group Inc. added Linda Mills to its board, attracted partly by her expertise in cybersecurity. In February, Wells Fargo & Co. selected Suzanne Vautrinot for its board for similar reasons. Before that, Walgreens Boots Alliance Inc. picked Janice Babiak

How the government tries to recruit hackers on their own turf (Washington Post) Alejandro Mayorkas, a high-ranking Department of Homeland Security official, opened a speech over the summer in Las Vegas before hundreds of hackers with a dare

Cybersecurity Startups Are Raising $2.5 Billion a Year (Inc.) The industry is on pace to equal last year's staggering funding numbers, with U.S. companies grabbing the majority of the money

DISA Seeks Development, Sustainment Support Sources for Data Discovery Platform (ExecutiveBiz) The Defense Information Systems Agency wants information on potential contractors that can provide development, engineering, infrastructure and sustainment support for a data discovery service that DISA uses to acquire open source-based information from content providers

Security consulting firms find niche in breach detection platforms (TechTarget) Channel partners, particularly those with IT security experience, may find new opportunities in the emerging field of breach detection technology

Ex-NSA Chief's Cybersecurity Startup Draws Funding (Wall Street Journal) Infusion of $32.5 million in IronNet highlights ties between Silicon Valley and Washington

Former intel officials take new approach to cyber-defense (CBS News) The revelation this week that hackers broke into the personal e-mail accounts of two of the nation's top national security officials has put new focus on the importance of cyber security

Sophos hits Gartner Leaders Quadrant seven times (IT-Online) Sophos has announced that it has once again been positioned in the "Leaders" quadrant of Gartner's 8 October 2015 "Magic Quadrant for Mobile Data Protection Solutions"

Security researcher has last laugh over Oracle (CRN) 'The best way to make researchers mad is to tell them you don't need them', says ERPScan as Oracle plugs six vulnerabilities it discovered in its code

Security Company's Cryptography Play Aims at Tech Firms, Finance (Fast Company) A new suite of tools by startup Dyadic can stop a cybersecurity breach in progress

Artificial intelligence fuelled cyber security firm Cylance targets Australian launch (FInancial Review) Australians will soon be fighting fire with fire, as artificial intelligence cyber security firm Cylance prepares to open up operations in Sydney

Yahoo Hires Bob Lord as its CISO (Threatpost) Yahoo has filled the vacancy in its CISO office, today announcing the hiring of former Twitter and Rapid7 security executive Bob Lord

Research and Development

DISA looks to DARPA for 'quantum leap' in cybersecurity (C4ISR & Networks) The Defense Department's primary IT organization is partnering with its advanced research arm in a partnership aimed at accelerating military technology into the future

NSF grantees conclude phase one of insider threat research project (FierceGovernmentIT) Cybersecurity experts from State University of New York at Buffalo and University of Texas at Arlington have concluded the first phase of research around insider threat protection under an almost $500,000 grant from the National Science Foundation

Cyber Attacks, Threats, and Vulnerabilities

The Real Power of ISIS (Daily Beast) The West has failed utterly to understand the appeal of the ISIS narrative, much less to develop effective counter narratives

Russian Ships Near Data Cables Are Too Close for U.S. Comfort (New York Times) Russian submarines and spy ships are aggressively operating near the vital undersea cables that carry almost all global Internet communications, raising concerns among some American military and intelligence officials that the Russians might be planning to attack those lines in times of tension or conflict

TalkTalk CEO admits security fail, says hacker emailed ransom demand (Register) 'We've invested significantly in security'. Was it enough?

TalkTalk Hackers Demanded £80K in Bitcoin (KrebsOnSecurity) TalkTalk, a British phone and broadband provider with more than four million customers, disclosed Friday that intruders had hacked its Web site and may have stolen personal and financial data

TalkTalk hires BAE Systems to investigate cyber attack (Reuters) British broadband provider TalkTalk said on Sunday it had hired defense company BAE Systems to investigate a cyber attack that may have led to the theft of personal data from its more than 4 million customers

TalkTalk cyber-attack not as bad as first thought, company says (Guardian) Firm says customer data stolen 'materially lower' than thought and would not allow money to be taken from bank accounts

TalkTalk set to face '£75 million losses' after devastating cyber attack (Metro) TalkTalk is set to face devastating losses of £75 million as the fallout from the cyber-attack on the network continues

TalkTalk cyber-attack sparks calls for new regulatory powers (Guardian) Warning that telecom firm's security breach could cause problems that will last for years, including identity theft risks

TalkTalk hack: Institute of Directors says cyberhacking is biggest threat to UK businesses (International Business Times) The Institute of Directors has called for action in the wake of the TalkTalk hacking scandal singling out the hacking of customer data as one of "the biggest threats facing businesses and their customers". The organisation said that only "serious breaches" make the headlines, but attacks on UK businesses "happen constantly"

TalkTalk's problems go beyond cyber security (Financial Times) Sir Charles Dunstone has a knack for extracting extraordinary value from ordinary businesses

TalkTalk criticised for poor security and handling of hack attack (Guardian) Security experts say telecom firm let down customers with slow and poor reaction, and failure to encrypt and secure data

TalkTalk Hacked…Again (Check & Secure) For the third time in a year, the UK internet and telephone provider TalkTalk is in the spotlight following a cyber incident

Cambridge's Darktrace comments on TalkTalk attack (Cambridge News) The cyber attack on TalkTalk has prompted Cambridge firm Darktrace to put its head above the parapet

TalkTalk cyberattack: am I liable for fraud losses if I don't inform my bank? (Telegraph) Ask an expert: concerned customers are being told to scrupulously monitor their bank details — but if they do lose money, who is to blame?

TalkTalk was hacked. But it's silly to ask if the data was encrypted (Graham Cluley) TalkTalk has announced that they've been hacked. The details of four million customers are in play

TalkTalk's CEO offers some poor advice, following hack (Graham Cluley) Four million TalkTalk customers are worried that *their* details might be amongst the information stolen by hackers

Why do companies keep getting hacked? (BBC) Police are investigating a sustained attack on the TalkTalk website that might have let hackers get at details of the firm's four million customers

Hackers Are Using CCTV Cameras to Create Botnet network to launch DDoS attacks (Techworm) CCTV cameras have now become a norm for maintaining security

Possible Ashley Madison extortion campaign identified (SC Magazine) A cyber-security company says it may have spotted a round of extortions on Ashley Madison customers from a notorious hacking group

New ransomware delivered via Windows Remote Desktop Services (Help Net Security) A new type of ransomware — dubbed LowLevel04 — is hitting users in Greece and Bulgaria. It is apparently delivered on the affected computers manually by the attackers, via Windows' built-in Remote Desktop Services (RDS) or Terminal Services

How To Stop Ransomware, The Cyberattack That Holds Your Computer Hostage Until You Pay (International Business Times) Russian hackers are bringing a whole new meaning to "disruptive"

Report: IRS' tax refund fraud detection system vulnerable to hackers (Tampa Tribune) The new computer system the IRS is using to detect identity theft refund fraud may be vulnerable to hackers, according to a recent inspector general report, which cited delays in patching known cyber security issues

CIA director hack by teen spotlights US cyber-frailty (Al Jazeera via Yahoo! News) Back in May 2009, a freshly inaugurated US President Barack Obama launched a crackdown on "spoofing and phishing and botnets" in a government-wide web security overhaul

Are Microsoft and Google better at cybersecurity than the CIA? (Quartz) Who knew people still used AOL?

Serious Flaws Found in Janitza Power Analyzers (SecurityWeek) Researchers have uncovered several vulnerabilities in power quality measurement products from Janitza Electronics, a Germany-based company that specializes in the development of energy efficiency systems

That Little USB of Horrors (Digital Guardian) Beware USBs promising a quick recharge of your mobile device; they might also be leeching data as well

After fending off cyber attack, FirstEnergy says government coordination lacking (Utility Dive) Hackers attempted a denial of service attack on FirstEnergy's servers this week, but while information on the unsuccessful attempt was quickly shared with the industry and the U.S. government, company officials say there was no response from federal officials, EnergyWire reports

How real is the risk of visual hacking? (Information Age) For many organisations, visual hacking — or 'shoulder surfing' — is a forgotten risk, but awareness is growing

Train rider has his contactless card e-pickpocketed (Naked Security) It could have been just another one of those jostlings that happen on the train: a man bumped into a writer for SC Magazine

Car's Safety Bags Unsafe As Hackers Find A Way To Disable Them As Well (WCCF Tech) Vehicles that can have their safety bags disabled are usually those whose functions are electronically controlled

Barclays hit by 'network problems' at the weekend (ComputerWeekly) Barclays service disruptions raise cyber security concerns, but the bank says the problem was purely internal

City computer hacking was just a test (Las Vegas Review-Journal) On the morning of Aug. 13, armed men disguised as janitors strolled into Las Vegas City Hall, made their way to the city's data center and started hacking into computer servers

Police force blames hacker after #CyberAware tweet sent out containing bogus security advice (We Live Security) Normally, the boys in blue at UK police forces do a fantastic job on social media — offering advice to the local community on how to fight crime, and putting a human face on the officers who protect us

Bulletin (SB15-299) Vulnerability Summary for the Week of October 19, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week

Academia

CMU Partners with NSA Day of Cyber Program (Carnegie Mellon University News) Not much is known about a typical day at the National Security Agency (NSA), but a new initiative aims to provide U.S. middle school, high school and college students with an inside look

National Cyber Quests Competition Challenges Top Cybersecurity Talent (US Cyber Challenge) Winner to receive $1,000 scholarship from the Center for Internet Security

German-speaking nations dominate in European Cyber Security Challenge (Engineering and Technology) Austria has won the first European Cyber Security Challenge, followed by Germany and Switzerland

Schools Learn Lessons From Security Breaches (Education Week) When an employee of the Provo, Utah, school district mistakenly clicked on a phishing link in an email last year, the private data of about 500 employees were put at risk

Colleges are spying on prospective students by quietly tracking them across the internet (Quartz) "So, where else are you applying?"

Litigation, Investigation, and Enforcement

The European Court of Justice Decision on United StatesEuropean Union Safe Harbor Framework: Policy Highlights and Business Implications (Chertoff Group Point of View) On October 6, 2015 the European Court of Justice (ECJ) ruled in the case of Schrems v. Data Protection Commissioner, calling into question the utility of the United States-European Union (U.S.-E.U.) Safe Harbor Framework

SEC Potentially Targets CCOs for Cybersecurity Lapses (Legaltech News) CCOs would be well advised to carefully review and implement where appropriate the SEC's latest cybersecurity guidance

Precise policy language needed to cover affiliated businesses (Business insurance) Broad wordings can lead to narrow coverage rulings in court

Federal Government Sued Again For OPM Breach (Legaltech News) The plaintiff wants to be compensated for current and future losses and wants to see injunctive relief to fix OPM's security protocol

Bitcoin Alliance Aims to Boost Reputation of Digital Currency (Legaltech News) Blockchain Alliance formed to establish and build trust between the industry and government

Judge dismisses Wikimedia lawsuit over NSA surveillance — report (Reuters via Yahoo!) A federal judge has dismissed a lawsuit by Wikimedia and other groups challenging one of the U.S. National Security Agency's mass surveillance programs, the Baltimore Sun reported

ACLU lawsuit against NSA mass surveillance dropped by federal court (Guardian) Judge TS Ellis III dismissed the suit because it relied on 'subjective fear' that National Security Administration collects information that is innately harmful

Iran slams U.S. jailing of engineer for documents smuggling (Military Times) The Iranian government has criticized a U.S. court's decision to sentence an engineer with dual citizenship to more than eight years in prison for trying to send sensitive military documents to Iran, the official IRNA news agency reported Sunday

Nine arrested in UK investigation of criminal network defrauding bank customers (Help Net Security) Detectives investigating an organized criminal network responsible for defrauding bank customers across the UK out of approximately £60 million have arrested nine people

Design and Innovation

Computer vs. Lawyer? Many Firm Leaders Expect Computers To Win (American Lawyer) Junior lawyers are used to feeling like cogs in a machine. According to a new report, a surprising number of law firm leaders expect to be able to replace them with actual machines — and soon

This 11-year-old is selling cryptographically secure passwords for $2 each (Ars Technica) Girl makes Diceware passwords, rolled with real dice, written by hand, sent by mail

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Moving Beyond Breaches: The Practice and Potential of Cyber Insurance (New York, New York, USA, October 26, 2015) Join Just Security and New America's Cybersecurity Initiative for conversations with leading experts in cyber security policy and practice to discuss the mechanics of cyber insurance and how to reinvigorate a moribund insurance marketplace

cybergamut Technical Tuesday: Hackproof Signal Processing for Wireless Communications ("Central Maryland, " USA, November 17, 2015) Conventional computing and communications expose myriad attack surfaces because of the Turing-equivalence of the instruction set architectures and the mathematical impossibility of forming a complete set of monitor functions to protect the contents of the registers from insightfully designed malware such as what NIST terms Advanced Persistent Threats. This talk describes how to throw out the general purpose computers via dataflow computing on FPGAs. Contact the conference organizers for instructions on how to attend

cybergamut Technical Tuesday: It's a Target Rich Environment: Understanding the IIoT Attack Surface (Elkridge, Maryland, USA, December 1, 2015) The Internet of Things (IoT) has received an incredible amount of press as of late. But, most of that has been associated with consumer electronics in the form of wearables and home monitoring devices like the Nest Thermostat. While those are worthwhile markets, the majority of the money will be involved with machine-to-machine communications in the Industrial Internet of Things (IIoT). What is the nature of the IIoT? How is it different from the consumer IoT? And, what makes it such a big target? In this session, Mike Anderson of The PTR Group will discuss the flow of data from the edge devices to the cloud and why the big industry players like Intel, IBM and others are so interested in this market

upcoming Events

2015 North American International Cyber Summit (Detroit, Michigan, USA, October 25 - 26, 2015) The North American International Cyber Summit 2015 hosted by Michigan Governor Rick Snyder, is set to take place in the heart of Downtown Detroit at the newly remodeled Cobo Center for the second straight year. As in the previous three sold-out summits, this year's event will bring together experts from across the globe to address a variety of cybersecurity issues impacting the world of business, education, information technology, economic development, law enforcement and personal use

ICS Cyber Security Week (Atlanta, Georgia, USA, October 26 - 29, 2015) ICS Cyber Security Week is the longest-running cyber security-focused conference dedicated to the industrial control systems sector. The event caters to critical infrastructure organizations in the following sectors: energy, utility, chemical, transportation, manufacturing, and many more

Cyber Awareness & Technology Days (Colorado Springs, Colorado, USA, October 27 - 28, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter http://www.issa-cos.org will once again host the 6th Annual Cyber Security & Information Technology Days set to take place at Peterson AFB on Tuesday, October 27, 2015 and at Ft Carson on Wednesday, October 28, 2015. Both events are being conducted in October to coincide with National Cyber Security Awareness Month as a way to encourage collaboration between local military personnel and industry partners. Government and Industry experts will be on hand to brief attendees on the latest trends, best practices and remediation strategies, in the cyber security field. These one day forums will offer Cyber Security & Information Technology personnel a unique, local opportunity to get up-to-date informaton on rapidly evolving security security challenges

Designing Secure Healthcare Systems (Long Branch, New Jersey, USA, October 27 - 29, 2015) Designing Secure Healthcare Systems is a three day intensive and immersive workshop…by healthcare hackers for healthcare technologists. Over the three days you will go from the basics of SQL injection to the over the top advanced concepts used to break code — you will learn not just by watching — but by doing. Regardless of your programming background or technical focus, you will walk away much better prepared to design and develop secure healthcare information technology systems

Technology & Cyber Awareness Day (Aurora, Colorado, USA, October 28, 2015) The Buckley Air Force Base Technology & Cyber Security Day is a one-day event held on-site, where industry vendors will have the opportunity to display their products and services to IT, Comm, Cyber and Intelligence personnel. FBC will invite personnel from all major units and tenants at Buckley AFB, including ADF personnel

Cloud Security Alliance Summit NYC 2015 (New York, New York, USA, October 28, 2015) The full-day Cloud Security Alliance NYC Summit is a standalone event in Manhattan. Co-hosted by the CSA NY Metro and CSA Delaware Valley chapters, some 200 well-qualified attendees are expected. The theme is "Enterprise Lessons Learned in Cloud Security," with experts from financial services and other key industries. Viney Patel, Director, Global Head of Information Security at Citi Technology Infrastructure and Dan Reynolds, VP, Chief of Security and Information Architecture at Omnicom Media Group will be keynote speakers

Data Breach Summit Asia 2015 (Mumbai, India, October 28, 2015) As Cyber Security continues to become a challenge for all industries, ISMG's Data Breach Summit a unique, one-day event will focus on the issues to help the participants learn more about how to prevent cyber security breaches as well as how to mitigate the situation should a breach occur. The summit will provide an unparalleled platform to the attendees to engage in dialogue on real-world solutions protecting their organisations

CyberMaryland 2015 (Baltimore, Maryland, USA, October 28 - 29, 2015) Now entering its 5th year, the Federal Business Council is proud to bring you the CyberMaryland 2015 Conference. The conference theme this year is "Collaborate.Educate.Innovate"

Cyber Security World 2015 (Washington, DC, USA, October 28 - 29, 2015) Cyber Security World 2015 brings together security experts, practitioners, and researchers who will share their firsthand knowledge and open the discussion to information sharing between public and private sector attendees. Join us in Washington, D.C. for two days of deep dive discussion on cybersecurity management and strategy, operations, cybercrime, and privacy. You're sure to walk away with new ideas you can implement in your organization to combat the cyber threat

Hackito Ergo Sum (Paris, France, October 29 - 30, 2015) No commercial content, no vendor talk. First time presenters welcome. Highly technical talks only. Bonus point for offensive and weird ideas. Areas and domains: systems hacking & security, network hacking, non-x86 exploitation, mobile hacking, offensive forensics, hardware & firmware hacking, brain hacking, automated hardware reverse engineering

8th Annual Space, Cyber, and Telecommunications Washington DC Conference (Washington, DC, USA, October 29 - 30, 2015) The Space, Cyber, and Telecommunications Law team hosts an impressive lineup of the world?s greatest minds annually at conferences in Washington DC and in Lincoln, Nebraska and at occasional events around the world. Explore our past conferences and learn about our upcoming events below