The CyberWire Daily Briefing 10.29.15
news from CyberMaryland 2015
The first day of CyberMaryland featured keynotes from Government officials: NSA's Philip Quaid and the Secret Service's Stuart Tryon presented, respectively, a national security and a law enforcement perspective. Of particular interest were Quaid's remarks on resiliency and regeneration, and Tryon's observations on the vulnerabilities that emerge from ill-coordinated corporate IT and marketing functions.
We attended breakout panels on risk management and corporate espionage, and have included a summary of the conference's first day below. Tomorrow's issue will wrap up our coverage of CyberMaryland, and will include interviews with several of the CEOs who participated in the conference.
Symantec reports that the Republic of Korea's manufacturing sector is under heavy attack by a threat actor using the backdoor Trojan Duuzer. The campaign's goal appears to be intellectual property theft, and its controllers use quite a bit of stick-and-rudder in their command and control practices. They also show considerable familiarity with defenses.
Symantec also warns of another campaign, "Chikdos," that's been infecting MySQL servers and using them in large-scale distributed denial-of-service attacks.
New breaches are disclosed. The free web hosting service 000webhost has sustained a breach of a database on its main server. Optimal Payments, a British mobile payment firm, is investigating reports that some customers' data have been compromised and exposed online. Also in the UK, energy company British Gas warns 2200 customers that their passwords may have been stolen.
Analysts estimate the damage from the TalkTalk breach. While the company's claims that the incident wasn't as bad as feared gain some traction, the damage seems far from negligible.
In industry news, Intel Security sells off some of its product lines as it repositions itself in the market. HP will split, as planned, this Sunday.
Observers react to the passage of CISA in the US. Where they stand depends largely on whether their concerns are on risks to privacy (thumbs down) or on the possibility that more information sharing will restore advantages to the defenders (thumbs up).
The increasing frequency of breach lawsuits suggests that if industry can't set cyber standards of care, the plaintiff's bar will fill the void.
Today's issue includes events affecting Argentina, Chile, China, India, Republic of Korea, Mexico, Peru, Russia, United Kingdom, and United States.
Baltimore: the latest from CyberMaryland
CyberMaryland 2015: Collaborate, Educate, Innovate (National Cyber Security Hall of Fame and the Federal Business Council) The CyberMaryland Conference is an annual two-day event presented jointly by The National Cyber Security Hall of Fame and Federal Business Council (FBC) in conjunction with academia, government and private industry organizations
CyberMaryland Day One (The CyberWire) CyberMaryland's first day, understandably, opened with the state showcasing its cyber security ecosystem — a big (biggest?) Government cyber customer, university and Government research capabilities, corporate capability (from the biggest integrators to the youngest startups), a regulatory climate that aspires to be business-friendly, and a growing venture capital community
TEDCO invests in 6 cybersecurity startups (Baltimore Daily Record) The Maryland Technology Development Corporation announced Wednesday that six new Maryland companies received funding from its Cybersecurity Investment Fund. Jedvice, Point 3 Security, Topaz Research, Efflux Systems, Bricata and QI Solutions were each awarded $100,000 through CIF
Md. cybersecurity experts say Senate bill is a positive step (Baltimore Daily Record) While many technology giants and privacy advocacy groups have been lobbying against a cybersecurity bill passed by the Senate on Tuesday, local cybersecurity experts believe the bill is a step in the right direction for data protection
NSA "Day of Cyber," a National Initiative, to be unveiled at CyberMaryland 2015 (PRNewswire) Day of Cyber provides schools, colleges/universities, and organizations a powerful online tool to introduce Cybersecurity directly into the classroom
Cyber Attacks, Threats, and Vulnerabilities
Hackers target manufacturing industry in South Korea (FierceITSecurity) Attackers are targeting organizations in South Korea — particularly those in the manufacturing industry — with a backdoor Trojan called Duuzer, reported security vendor Symantec
Chikdos malware infecting MySQL servers to launch massive DDoS attacks (FierceITSecurity) Cyberattackers have been using malware dubbed "Chikdos" to compromise MySQL servers in order to conduct massive distributed denial of service attacks against other websites, including a U.S. hosting provider and a Chinese IP address, warned Symantec researchers
Web hosting service 000webhost confirms breach that could have leaked 13 million passwords (FierceITSecurity) Free web hosting service 000webhost confirmed Wednesday that it suffered a breach of a database on its main server
U.K. mobile payments firm says investigating data breach allegations (Business Insurance) British mobile payments company Optimal Payments P.L.C. said it was investigating allegations that personal data belonging to some of its customers had been compromised and was available in the public domain
British Gas in "password breach" quandary (Naked Security) According to the BBC, UK energy provider British Gas has just contacted 2200 customers to warn them that their passwords may have been exposed
TalkTalk back under pressure over cyber attack (Financial Times) TalkTalk was back under pressure on Wednesday as analysts began adding up the cost of last week's cyber attack
Hack to the future: why industry should fear the rise of cyber-espionage (The Engineer) Fortunately, initial investigations into last week's Talk Talk hack suggest that the incident wasn't as bad as was initially feared, with the network provider claiming that just a fraction of its four million customers are affected
OPM notifies 3.7 million cyber attack victims about data protection services (Federal News Radio) The Office of Personnel Management has mailed out 3.7 million notification letters to cyber breach victims in the month since the agency announced it would begin notifying those impacted by the hack
Curious people can't resist plugging in random flash drives (Naked Security) Quiz time: You're waiting for your train. You spot a flash drive on a bench
Avast Experiment: What Happens to a Lost Smartphone (BusinessWire) Avast "lost" and tracked 20 phones in the U.S. to find out where they went
Ponemon Institute study demonstrates the impact of visual hacking (Infosecurity Magazine) Ponemon Institute study demonstrates the impact of visual hacking
The average organization experiences 9 insider threats each month (Help Net Security) After analyzing actual cloud usage across over 23 million employees, Skyhigh Networks uncovered how user behaviours put companies at risk and how catching and managing this behaviour can be the proverbial "canary in the coal mine" in reducing the risk of data loss
Cybersecurity in the IoT age (Enterprise Innovation) As we move into the age of the Internet of Things (IoT) and millions of physical objects become connected
CIA Director: Possibility of a Cyber Attack 'Worries Me at Night' (GWToday) 21st-century challenges take center stage at conference on ethos and profession of intelligence
Half of IT Security Pros Believe They're an Unlikely Target for Attack, Finds Ponemon Institute Study (Dark Reading) 61 percent of IT security pros lack confidence in their ability to detect advanced threats
Brazil major target of cyberattacks in Latin America (Telecompaper) Brazil is the biggest target of cyber attacks in Latin America, according to an advanced threat report by global IT security firm FireEye for Latin America. Chile is second, followed by Mexico, Peru and Argentina.
Brazil's economic and political crisis aggravating cyber risks (BNAmericas) Brazil's economic and political crisis is exacerbating cyber risks, according to a panel of specialists at the 11th International Seminar on Risk Management and Insurance
Thoughts on HP Split and Potential Ramifications Across the Tech Space in 2016 and Beyond (FBRFlash) Effective this Sunday, November 1, Hewlett Packard Enterprise and HP Inc. will officially separate as the split finally takes place more than a year after the strategic split was first announced
Ellison: Oracle has fixed security (IDG via CSO) Oracle Chairman Larry Ellison has put better security at the heart of his pitch for the company's new products
Intel to sell Stonesoft network security unit to Raytheon-Websense (Fortune) Intel is selling Stonesoft, the Finnish cybersecurity company it bought two years ago for $389 million, to Raytheon-Websense
Intel Security To Sell McAfee NGFW, Firewall Enterprise Businesses To Raytheon|Websense (CRN) As part of the company's new strategic direction, Intel Security has signed its intention to sell its McAfee Next-Generation Firewall and McAfee Firewall Enterprise businesses to Raytheon|Websense, CRN has learned
Intel Security Sets Its Sights on Use-Case-Driven Technology (eWeek) Intel Security, which announced an updated endpoint security product and new active response technology, is redefining its leadership and direction
InteliSecure Acquires UK-Based Pentura, Establishing a Managed Security and Professional Services Powerhouse Across North America and Europe (MarketWired) InteliSecure now protects the critical assets of more than 500 enterprise customers worldwide with anticipated 2015 revenues in excess of $35m; forecasts a 50 percent annual sales growth rate in the next three consecutive years
Why FireEye Should Be Considered on the Pullback (Guru Focus) Investors should ignore the COO's departure and focus on company's growth and raised guidance
Data security firm Gemalto's revenue rises on strong U.S. demand (Reuters) Digital security company Gemalto NV (GTO.AS) said third-quarter revenue grew 23 percent as sales rose at its payment and identity business and its acquisition of U.S.-based SafeNet boosted demand from the United States
St. Louis Opens Cyber Center of Excellence (Government Technology) The Midwest Cyber Center of Excellence will serve private business that want to beef up their cybersecurity systems, help train workers in the field and serve as a research institution to combat hackers
Former RSA Executive Chairman Art Coviello Joins Bugcrowd Board of Directors (MarketWired) Coviello brings over 20 years of security domain expertise
Duo Security Names Raffaele Mautone Chief Information Officer (MarketWired) Supporting growth and developing strategic plans for further expansion
Flashpoint Adds Cybersecurity Expert Lance James as Chief Scientist (PRNewswire) World-renowned security expert joins company illuminating the Deep and Dark Web
Products, Services, and Solutions
Gemalto protects against card-not-present fraud (IT Online) Gemalto has launched Dynamic Code Verification, a comprehensive payment security solution that protects against card-not-present (CNP) fraud on-line and ensures an easy user-experience cardholders have come to expect
Wombat Security Announces Enhanced CyberStrength Assessment Solution to Assess Security Knowledge Across All Threat Areas (MarketWire) New solution automates and streamlines process for administrators to assess employee knowledge on key security concerns covering all threat vectors
Delivering Forensic Value in the Age of Encryption (IBM Security Intelligence) IBM recently announced the latest addition to its QRadar line of products: incident forensics
LightCyber Creates Cyber Attack Training System to Address Educational Gap About Advanced Attacks (BusinessWire) LightCyber launches an attack education program, including an online seminar co-hosted with SANS Institute and a Hacker Simulation Challenge
Webroot and Laplink Make Cybersecurity and File Transfer Easy (MarketWatch) Webroot, the market leader in intelligent cybersecurity for endpoints and collective threat intelligence, today announced a partnership with Laplink, a global market leader in PC migration
Microsoft Shows Off Windows 10 Credential Guard (Redmond Magazine) Microsoft published a demo this week of Credential Guard, a Windows 10 security virtualization feature designed to ward off credential theft
Hexis Cyber Solutions releases HawkEye G 3 (Security News Desk) Expanded platform support and capabilities strengthen next generation endpoint security
Technologies, Techniques, and Standards
A basis for all cryptography (R&D Magazine) "Indistinguishability obfuscation" is a powerful concept that would yield provably secure versions of every cryptographic system we've ever developed and all those we've been unable to develop. But nobody knows how to put it into practice
Don't wait 'til a cyber attack. Practice your managerial response now. (Federal News Radio) Vince Lombardi famously said, "Practice does not make perfect. Only perfect practice makes perfect"
Using Intelligence to Outsmart Cyberthieves (PYMNTS) Intelligence is key in any business process, but perhaps among the most urgently necessary when it comes to protecting an organization and its data
Companies Pick Security Tools to Suit Varied Needs (BizTech) Some businesses take a best-of-breed approach, while others deploy a range of features from a single manufacturer
Improving Cyber Risk Management (GovInfoSecurity) Digital Risk Management Institute's Koilpillai on building a new approach
Legislation, Policy, and Regulation
Private sector's involvement in cybersecurity policy making critical: Symantec's Cheri McGuire (FirstPost) Cyber threats are no less a nightmare for the Indian government than terrorist attacks as it embarks on ambitious and high-profile projects such as Digital India. With new digital initiatives and the government's renewed focus on cyber security, Symantec sees huge opportunity in India
Senate Approves Cybersecurity Bill: What You Need To Know (WNYC) The latest clash in the cybersecurity vs. privacy debate played itself out in Congress on Tuesday when the Senate passed the Cybersecurity Information Sharing Act
IT security leaders split on CISA passage (FierceITSecurity) Although the Cybersecurity Information Sharing Act — or CISA — is touted as vital for strengthening the nation's cybersecurity, some IT security leaders are coming out against the bill
CISA Could Lead To Privacy Issues And Abuse, Security Channel Fears (CRN) A new Senate bill that gives businesses that suffer cybersecurity breaches immunity from provisions barring the sharing of information is causing great concern among the IT security channel because of the potential for abuse
CISA legislation would lift liability for businesses sharing cyber threat information (Network World) Privacy advocates still opposed, some gray areas remain for corporations
HITRUST Applauds Senate Action to Improve Nation's Ability to Defend Against Cyber Attacks (BusinessWire) The Health Information Trust Alliance (HITRUST), the leading organization supporting the healthcare industry in advancing the state of information protection, announced today that it continues to fully support S.754, the Cybersecurity Information Sharing Act (CISA) of 2015
DHS bills wrapped into major cyber legislation (The Hill) Language from two hefty bills that would bolster the Department of Homeland Security's cybersecurity role was quietly tacked onto a major cyber bill that passed the Senate late Tuesday
DNI brings intel community a little out of its shell (Federal News Radio) The intelligence community is making an effort to increase transparency
US says it's ok to hack cars and medical devices (sometimes) (CSO) Researchers will be able to look for flaws in software running on cars and medical devices without fearing legal action
Marine Corps willing to make sacrifices for cyber (Federal News Radio) The Marine Corps is willing to make reductions in the capacity of its forces to grow its capabilities in cyber and information warfare
Litigation, Investigation, and Law Enforcement
Did the FBI really say "pay up" for ransomware? Here's what to do… (Naked Security) A comment made by an FBI agent at a little-noticed cybersecurity conference in Boston last week is all of a sudden making big headlines, many of them suggesting that the FBI is telling victims of ransomware to "just pay" the ransom
Report: Data breach cases coming from all directions (Legal Newsline) Federal and state regulators, along with plaintiffs attorneys, are focusing more and more on the data security practices of companies, a new report says
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
After the Shift: Securing Tomorrow's Payment Technology (Washington, DC, USA, Nov 5, 2015) From encryption to tokenization, what does the future hold for keeping consumer data safe? Policymakers, industry leaders, and technology experts will explore the cutting edge of cyber technology and discuss how government and industry can work together to protect American consumers
ICS Cyber Security Week (Atlanta, Georgia, USA, Oct 26 - 29, 2015) ICS Cyber Security Week is the longest-running cyber security-focused conference dedicated to the industrial control systems sector. The event caters to critical infrastructure organizations in the following sectors: energy, utility, chemical, transportation, manufacturing, and many more
Cyber Awareness & Technology Days (Colorado Springs, Colorado, USA, Oct 27 - 28, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter http://www.issa-cos.org will once again host the 6th Annual Cyber Security & Information Technology Days, set to take place at Peterson AFB on Tuesday, October 27, 2015 and at Ft Carson on Wednesday, October 28, 2015. Both events are being conducted in October to coincide with National Cyber Security Awareness Month as a way to encourage collaboration between local military personnel and industry partners. Government and industry experts will be on hand to brief attendees on the latest trends, best practices and remediation strategies in the cyber security field. These one-day forums will offer Cyber Security & Information Technology personnel a unique, local opportunity to get up-to-date information on rapidly evolving security challenges
Designing Secure Healthcare Systems (Long Branch, New Jersey, USA, Oct 27 - 29, 2015) Designing Secure Healthcare Systems is a three-day intensive and immersive workshop…by healthcare hackers for healthcare technologists. Over the three days you will go from the basics of SQL injection to the over-the-top advanced concepts used to break code — you will learn not just by watching — but by doing. Regardless of your programming background or technical focus, you will walk away much better prepared to design and develop secure healthcare information technology systems
CyberMaryland 2015 (Baltimore, Maryland, USA, Oct 28 - 29, 2015) Now entering its 5th year, the Federal Business Council is proud to bring you the CyberMaryland 2015 Conference. The conference theme this year is "Collaborate.Educate.Innovate"
Cyber Security World 2015 (Washington, DC, USA, Oct 28 - 29, 2015) Cyber Security World 2015 brings together security experts, practitioners, and researchers who will share their firsthand knowledge and open the discussion to information sharing between public and private sector attendees. Join us in Washington, D.C. for two days of deep dive discussion on cybersecurity management and strategy, operations, cybercrime, and privacy. You're sure to walk away with new ideas you can implement in your organization to combat the cyber threat
Hackito Ergo Sum (Paris, France, Oct 29 - 30, 2015) No commercial content, no vendor talk. First time presenters welcome. Highly technical talks only. Bonus point for offensive and weird ideas. Areas and domains: systems hacking & security, network hacking, non-x86 exploitation, mobile hacking, offensive forensics, hardware & firmware hacking, brain hacking, automated hardware reverse engineering
8th Annual Space, Cyber, and Telecommunications Washington DC Conference (Washington, DC, USA, Oct 29 - 30, 2015) The Space, Cyber, and Telecommunications Law team hosts an impressive lineup of the world's greatest minds annually at conferences in Washington DC and in Lincoln, Nebraska and at occasional events around the world. Explore our past conferences and learn about our upcoming events below
NICE 2015 Conference and Expo (San Diego, California, USA, Nov 3 - 4, 2015) Cybersecurity has emerged as one of the leading creators of jobs and opportunity for all economic sectors. The demand for cybersecurity positions in both the public and private sector is large and growing, but the talent pool of cybersecurity workers is not yet able to keep up. The NICE 2015 Conference and Expo features thought leaders from education, government, industry and non-profits who are addressing the cybersecurity education, training, and workforce needs of the nation
Inside Data Science 2015 (Monterey, California, USA, Nov 3 - 4, 2015) At the Inside Data Science 2015 Conference (IDS2015) our focus is not on the storage or volume of data, but rather the importance of what you do with it. To synchronize the processing, exploitation and dissemination of information you must leverage the proper organization, extraction and analysis of data. In today's data-driven society, your best offense to stay ahead of the game is to become scientific in your approach and systematic in your execution
4th International Internet-of-Things Expo (Santa Clara, California, USA, Nov 3 - 5, 2015) With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Santa Clara. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be
RSA Conference 2015 Abu Dhabi (Abu Dhabi, United Arab Emirates, Nov 4 - 5, 2015) Join your fellow information security professionals at RSA Conference 2015 Abu Dhabi, where we'll be discussing security issues from a global perspective
ICMC (the International Cryptographic Module Conference) (Washington, D.C., USA, Nov 4 - 6, 2015) ICMC's core focus includes cryptographic modules, FIPS 140-2, ISO/IEC 19790 and cryptographic algorithms. Specialists from all over the world gather in Washington to discuss commercial cryptography and share their expertise on the subject. Conference topics may include the topics underlying the implementation of a cryptographic module, including physical security, key management, side-channel analysis, cryptographic algorithm implementation testing, standardization, validation programs and more
2nd Annual Journal of Law and Cyber Warfare Conference (New York, New York, USA, Nov 5, 2015) The 2015 symposium speakers represent an unparalleled group of cyber security experts with a wide variety of industry expertise and knowledge. Attendees will hear from experts on cybersecurity and cyber warfare from the military, government, private industry, and the public sector. Our panels are designed to provide attendees with thought leadership from a diverse group of experts who will share their experience and knowledge-base regarding topical cyber security issues
Start with Security (Austin, Texas, USA, Nov 5, 2015) This one-day conference will continue the FTC's work to provide companies with practical tips and strategies for implementing effective data security. Aimed at start-ups and developers, this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response
University of Phoenix® Technology Conference (Arlington, Virginia, USA, Nov 7, 2015) At the University of Phoenix® Technology Conference 2015, a free event hosted by the University of Phoenix College of Information Systems and Technology, you will be introduced to cyber security, explore best practices for securing the Internet of Things, and examine trends around how to convert data into actionable intelligence
Cyber³ Conference: Crafting Security in a less Secure World (Nago City, Okinawa, Japan, Nov 7 - 8, 2015) An international conference on cyber security hosted by the Government of Japan with the support of the World Economic Forum. At this conference, multi-stakeholders, including policymakers, business leaders, and researchers from around the world, will discuss the new reality of Cyber Connection, Cyber Security, and Cybercrime (together, Cyber³) and their implications for the future of the Internet
FedCyber 2015 (Tyson's Corner, Virginia, USA, Nov 10, 2015) This conference, orchestrated by cyber practitioners Matt Devost and Bob Gourley, is designed to advance the state of cyber defense. The FedCyber.com Threat Expo will bring together thought leaders who know the cyber mission in a venue designed to enhance our collective understanding of the threat, build on existing strategies to mitigate challenges, and leverage the nation's greatest technologies to enhance our defense in depth
First International Conference on Anti-Cybercrime (ICACC-2015) (Riyadh, Saudi Arabia, Nov 10 - 12, 2015) Al Imam Mohammad Ibn Saud Islamic University is organizing this international conference to establish a forum where discussions on vital issues related to anti-cybercrime can occur. This conference will also help Saudi policy makers and authorities to improve and revolutionize their efforts to tackle this serious problem by providing them opportunities to review existing use of technology in the country
Black Hat Europe (Amsterdam, the Netherlands, Nov 10 - 13, 2015) Black Hat prides itself with being "the most technical and relevant global information security event series in the world." For the past 16 years, the Black Hat events have given their attendees the opportunity to explore the latest research and developments in information security, while also taking into account the concrete needs of the participants
Pen Test Hackfest Summit & Training (Alexandria, Virginia, USA, Nov 16 - 23, 2015) SANS Pen Test Hackfest Training Event and Summit is coming back to Washington DC, bigger and better than ever! The Hackfest is an ideal way to learn offensive techniques so you can better defend your environment. Whether you are a penetration tester, a forensics specialist, or a defender, the techniques covered at the Hackfest represent the latest and most powerful attacks every organization needs to thwart
cybergamut Technical Tuesday: Hackproof Signal Processing for Wireless Communications (Central Maryland, USA, Nov 17, 2015) Conventional computing and communications expose myriad attack surfaces because of the Turing-equivalence of the instruction set architectures and the mathematical impossibility of forming a complete set of monitor functions to protect the contents of the registers from insightfully designed malware such as what NIST terms Advanced Persistent Threats. This talk describes how to throw out the general purpose computers via dataflow computing on FPGAs. Contact the conference organizers for instructions on how to attend
Cybersecurity, the SEC and Compliance (New York, New York, USA, Nov 18, 2015) The recent SEC CyberSecurity Examination Initiative focuses on information safeguards for financial services organizations. Are you prepared? Please join us for a panel discussion on what cybersecurity means to your business and how the new SEC requirements affect your firm. The panel consists of professionals from the Cyber Security, Legal, Insurance and IT systems management industries. (RSVP as seating will be limited)
CyberCon 2015 (Pentagon City, Virginia, USA, Nov 18, 2015) CyberCon 2015 is the forum for dialogue on strategy and innovation to secure federal and defense networks, as well as private sector networks that hold their sensitive data
Internet-of-Things World Forum 2015 (London, England, UK, Nov 18 - 19, 2015) This conference features speakers from leading IoT companies and their customers. Learn how the Internet-of-Things is creating new markets for products, services, and solutions
2015 U.S. Cyber Crime Conference (National Harbor, Maryland, USA, Nov 14, 2015) The 2015 U.S. Cyber Crime Conference (Formerly the DoD Cyber Crime Conference) has brought world-class forensics and incident response training combined with outstanding community networking for over 15 years. The conference covers the full spectrum of topics facing defenders as well as law enforcement responders
DefCamp6 (Bucharest, Romania, Nov 19 - 20, 2015) Why DefCamp? Because it's the most important conference on Hacking & Information Security in Central Eastern Europe, bringing hands-on talks about the latest research and practices from the INFOSEC field, gathering under the same roof security specialists, entrepreneurs and developers, managers from both private and public sector