The CyberWire Daily Briefing 11.02.15

Cyber Trends

Critical gov't infrastructures become targets (Manila Bulletin) In developed economies, a recent study by Trend Micro showed that critical government infrastructures are increasingly compromised to cyber threats Read more at http://www.mb.com.ph/critical-govt-infrastructures-become-targets/#1ecyxv7BJ4MWUuBj.99

The coming smart-thing apocalypse (Engadget) Like some people I know familiar with the ins and outs of digital surveillance (and startle like housecats when an app makes a geolocation request) I don't own any "smart" home items

The Internet of Things: Groundbreaking tech with security risks (We Live Security) he Internet of Things (IoT) is the latest buzzword taking hold of the technology industry, but what does it mean exactly and how does it impact citizens and businesses?

Machine Learning Is Cybersecurity's Latest Pipe Dream (Dark Reading) Rather than waste money on the unproven promises of ML and AI, invest in your experts, and in tools that enhance their ability to search for and identify components of a new attack

Hacking of "Unregulated Data" Poses Big Risk to Firms (Wall Street Journal) When Sony Pictures Entertainment was hacked last year, some of the most damaging data released were emails revealing movie scripts, gossip and personal details on Hollywood stars, as well as discussions about internal investigations into potential corporate wrongdoing

5 common small business cyber-security myths (Grand Rapids Business Journal) It'd be difficult to find a business today that doesn't use at least one computer based or online system

Internet malwares threaten PH industries (Standard) All over the world, the threat of a digital infrastructure crashing is as valid as an earthquake decimating a 50-story building or a series of typhoons striking without any preamble, ruining everything on their path

Legislation, Policy and Regulation

Safe Harbor: Grounds for Optimism Around a New Framework (Legaltech News) Good privacy practices will always put an organization in good standing in the eyes of a regulator (and vendors)

Businesses braced for bout of regulation on cyber security (Financial Times) Companies around the world are bracing themselves for an avalanche of cyber security regulation, as governments scramble to introduce rules forcing corporate groups to build stronger defences against catastrophic hacks

Thai military stresses need for cyber vigilance (Thai Visa News) The military yesterday stressed the need for cybersecurity readiness at the national level, as the country still only maintains preparedness at the military and ministry level

Can the US and China Cooperate on the First (and Last) Line of Cyber Defense? (Diplomat) Deeper China-U.S. CERT cooperation will be beneficial for both countries

New U.K. Comms Data Capture Bill Incoming This Week (TechCrunch) Reminder: The U.K. government is preparing to publish a draft bill aiming to strengthen and shore up the intelligence and security agencies' capabilities in the digital era

New plan to torpedo UK's grab for everyone's browsing history (Naked Security) UK police are after cyber snooping powers equivalent to what, in an analog world, would be knowing what magazines you read but not which articles or page numbers

Digital Minister demands "Kite Marks" for Websites (Check & Secure) Since the colossal data breach that has brought TalkTalk to its knees in recent weeks, the first voices of discontent can be heard ringing from the front benches of the House of Commons. Something must be done, say the government, to improve the nation's cyber security. Surely, the answer is regulation and standardisation of website security measures. Or is it?

Theresa May says 'contentious' parts of web surveillance plan dropped (BBC) Police will be able to see websites people have visited but not the specific pages they have viewed without a warrant, under new government plans

US readies new rules for nuclear reactors (The Hill) The government is moving forward with new cybersecurity requirements for nuclear power plants

Where is America’s cyberdefense plan? (Washington Post) To begin, a conclusion: The Internet, whatever its many virtues, is also a weapon of mass destruction

Federal cyber strategy plan released (Federal Times) Cybersecurity has become a central focus for the federal government and now agencies have new guidance on where their cybersecurity posture should be and how to get there

Modernizing Federal Cybersecurity (The White House) Today, the Administration directed a series of actions to continue strengthening Federal cybersecurity & modernizing the government's technology infrastructure

White House cyber plan sets tough deadlines (FedScoop) The Office of Management and Budget's five-point plan pushes federal agencies to move faster then ever before to prevent major breaches

The impact of the Senate's passage of the CISA (Security InfoWatch) On Tuesday, the U.S. Senate overwhelmingly passed the Cybersecurity Information Sharing Act (CISA), which, in short, is designed to fight the growing problem of corporate data breaches by allowing individual companies to share their cybersecurity threat data with the government, which would theoretically use it to defend the target company and others facing similar attacks

Smooth sailing for cyberbill? Not so fast (Washington Examiner) The Senate's overwhelming passage of cybersecurity legislation last week should set the stage for quick final action on an issue of vital importance to the nation's economy and security

CISA won't do much to turn threat intelligence into action (CSO) Sorting through a wealth of threat intelligence takes lots of resources — capital, services and personnel

CISA: The new security law doesn't help security (InfoWorld) The bill gives government access to a new trove of personal data but does nothing to improve its poor track record in safeguarding the data it already has

Stop CISA! (Network World) Fundamentally flawed cybersecurity legislation will have a marginal impact of risk mitigation while further eroding privacy protection and U.S. credibility abroad

Real-world roadblocks to implementing CISA (Help Net Security) The recent approval of CISA (the Cybersecurity Information Sharing Act) by the US Congress and Senate is paving the way for broader security collaboration

Sen. Carper says cybersecurity bill will thwart hackers (Delaware News Journal) After years working of on cybersecurity bills, Sen. Tom Carper said he changes his online passwords more often than he ever imagined he would

Crypto is For Everyone — and American History Proves It (EFF) Over the last year, law enforcement officials around the world have been pressing hard on the notion that without a magical "backdoor" to access the content of any and all encrypted communications by ordinary people, they'll be totally incapable of fulfilling their duties to investigate crime and protect the public

What new DMCA rules mean for medical device research (Christian Science Monitor Passcode) This week the Library of Congress issued exemptions to the Digital Millennium Copyright Act that pave the way for independent researchers to begin examining medical devices for software flaws

Gen. Breedlove: Intelligence Community Changing How it Handles Russia (Defense News) The US intelligence community has begun changing how it handles the government of Russian President Vladimir Putin, according to the top American general in Europe

Cyber Support to Corps and Below to join upcoming training rotation (FierceGovernmentIT) An Army pilot program called the Cyber Support to Corps and Below will take an important step forward in demonstrating cyber effects at corps and echelons below

Pop Quiz: Which Navy N00bs Have a Gift for Stopping Hacks? (Nextgov) The Navy is preparing to experiment with an exam aimed at predicting the types of sailors capable of grasping cybersecurity skills without ever having picked up a book or keyboard

US Military Should Hire Cyber Mercenaries, Cadet Says (DefenseTech) Scott Seidenberger, an undergraduate at Cornell University and an Air Force ROTC cadet, in a recent TEDx talk raised some provocative ideas for the U.S. military's cyberwarrior force

DNI Releases Budget Figure for the 2015 National Intelligence Program (IC on the Record) Consistent with 50 U.S.C. 3306(b), the Director of National Intelligence is disclosing to the public the aggregate amount of funds appropriated by Congress to the National Intelligence Program for Fiscal Year 2015 not later than 30 days after the end of the fiscal year

Hacked Opinions: The legalities of hacking — Chris Doggett (CSO) Kaspersky's Chris Doggett talks about hacking regulation and legislation

The European Parliament is Wrong on Edward Snowden and National Security (Daily Signal) On Oct. 29, the European Parliament approved a resolution (passed by 285 votes to 281) calling "on European Union Member States to drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistleblower and international human rights defender"

Products, Services, and Solutions

Verizon accelerates IoT push with ThingSpace platform (TotalTelecom) U.S. telco aims to reduce complexity, fragmentation, cost associated with deploying, scaling Internet of Things services

FireEye Summit unveils series of security products (Saudi Gazette) FireEye Cyber Defense Summit announced a series of products for improved endpoint, malware detection and threat intelligence during FireEye Summit 2015 held in Washington DC recently

Why The Time Has Come For Penetration Testing On IBM i (IT Jungle) Home Depot's point of sale (POS) system was breached in 2014, comprising information on 53 million accounts. A year before, Target's POS was breached, putting data from at least 40 million customers in jeopardy. In both cases, the retailers were deemed "compliant" with Payment Cardholder Initiative (PCI) data security standards. But obviously there's a big difference between complying with security regulations and actually having good security, and that's true whether your shop runs on IBM i or any other platform

Avast launches free mobile security for Android phones; track lost phones, wipe data clean (International Business Times) Even as mobile users in India are going online with their smartphones for various purposes such as banking, social networking, browsing sites and more, there are some risks that tag along

Technologies, Techniques, and Standards

Bank of England and US authorities to simulate cyber-attack (Telegraph) The British and American financial systems will be tested to see how well they stand up to attacks by hackers, in the wake of the TalkTalk scandal

Cross-Training Empowers Cyber Experts (SIGNAL) Security professionals are taught it takes an online thief to catch an online thief

U.S. retailers push banks to use PINs on credit cards as confusion reigns (Reuters) Some big U.S. retailers are stepping up efforts to use personal identification numbers, or PINs, with new credit cards embedded with computer chips in a bid to prevent counterfeit card fraud

How Lockheed Martin sold employees on an insider threat program (Federal News Radio) Since a contract employee shot and killed 12 colleagues at the Washington Navy Yard two years ago, the government has inched cautiously toward fulfilling a key recommendation: establish insider threat programs

Security tools' effectiveness hampered by false positives (CSO) Thanks to technologies such as intrusion detection systems, services such as threat intelligence and other emerging sources of information, security programs today are gathering unprecedented amounts of data about threats and attacks

Protecting Against Data Breaches Is as Easy as 1 – 2 (Entrepreneur) There are ways you can protect yourself or your company from a data breach

Three baseline IT security tips for small businesses (TechRepublic) Millions of small businesses are vulnerable to cybersecurity attacks that can cost an average of $20,000 per attack. Here is some basic wisdom to help SMBs protect themselves

How to win the cyber security arms-race (Manchester Evening News) As shares in TalkTalk are beginning to recover following a serious security breach, we speak to north west IT firms on how to win the war again cyber attacks

Three Questions about Online Security (Talkin' Cloud) When you give your personal information to a financial institution, government or insurance company, you have a certain level of trust that they will do everything in their power to keep it safe

7 Tips for Conducting Effective Cybersecurity Due Diligence in M&A Transactions (JDSupra) 1. Start Early. Buyers should begin conducting cybersecurity risk assessments early in the engagement process

As companies mature in their cyber risk management practices, what are the key governance practices and behaviors of a successful program? (Conference Board) Based on best practices from leading global companies and lessons from cyber-risk cases gone wrong, this report outlines a practical strategic and tactical roadmap with both architectural and substantive recommendations for effective cyber-risk governance by boards, the c-suite and functional leaders

Is short-term thinking jeopardizing the future prosperity of business? (Conference Board) How can public company CEOs and boards effectively balance short and long term performance in the face of pressures to increase stock price performance over the short term?

7 Elements Of Modern Endpoint Security (Dark Reading) What it takes to secure and tap into the 'source of the truth' in today's threatscape

Disaster Recovery Starts with a Plan (Internet Storm Center) One of the security questions being asked of security professionals, by business executives these days, from both internal and external entities, is "What is the status of our Disaster Recovery plan?"

Marketplace

CSOs demanding more from cybersecurity tech (CSO) CSOs and CISOs are becoming more powerful, and their wielding that power to demand more from their technology vendors, to throw out underperforming tech, and to take more risks on new and innovative approaches

Glitches to riches: The hackers who make a killing off software flaws (Christian Science Monitor Passcode) Selling information about software vulnerabilities was a quirky idea a decade ago. But today there's a global vulnerability marketplace where the world's top bug bounty hunters can reap handsome rewards

Army Wants Integrated Platform for Cyber, EW Operations (ExecutiveBiz) The U.S. Army seeks vendors that can offer situational awareness tools designed for cyberspace and electromagnetic spectrum environments as part of an effort to build a converged CEM SA platform

Cyber warriors newly eligible for special duty pay (Air Force Times) For the first time, the Air Force has added cyber warfare operations to its list of career fields eligible for special duty pay, effective Oct. 1

Hewlett Packard Enterprise: think of us as a startup (ComputerWeekly) As Hewlett Packard Enterprise and HP Inc finally part ways, UK managing director Andy Isherwood shares some insight on what the future holds for the newly minted enterprise business

'HPE will be about speed', says UK boss (CRN) Andy Isherwood admits separation has been so smooth, it has been "bizarre"

U.S. Tech Giants May Blur National Security Boundaries in China Deals (New York Times) One Chinese technology company receives crucial technical guidance from a former People's Liberation Army rear admiral. Another company developed the electronics on China's first atomic bomb. A third sells technology to China's air-to-air missile research academy

Pentagon Creates Cybersecurity Exchange Program With Industry (Bloomberg) The U.S. Defense Department is sending career personnel on tours with private cybersecurity companies and bringing in specialists from those companies to gain the skills necessary to defend military networks from hackers, the Pentagon's chief information officer said

Cyber security stocks get filip from Talk hack attack (Reuters) The hacking scandal at broadband provider TalkTalk has heightened interest in stocks and companies dealing in cyber security, with some fund managers betting on more growth in the sector

Raytheon Company To Purchase Intel Corporation Finnish Unit (Bidness Etc) Raytheon Company (NYSE:RTN) announced that its Websense Security Software unit will be purchasing Intel Corporation's (NASDAQ:INTC) Finnish Stonesoft firewall unit

Avast worth 'upwards of $2 billion'; no IPO before 2017 (Reuters) Antivirus software developer Avast Software is now worth "upwards of $2 billion", its chief executive said on Thursday, but it will be at least 2017 before the company goes public

Hacking Team Is Back with a Bold Pitch to Police (Motherboard) For more than a year, the FBI has been complaining that the rise of encryption technologies will make its investigators "go dark" and help criminals get away

Why Imperva Inc. Stock Soared on Friday (Motley Fool) Data security threats are boosting the security vendor's top and bottom lines

FireEye Inc (FEYE) Stock Is a Gamble…NOT a Bargain! (Investor Place) The company is still unprofitable and the space is increasingly crowded

Why cyber firms are prime targets for mergers and acquisitions (Baltimore Business Journal) Cybersecurity startups that want to attract an investor or buyer will have to show more than high growth potential

British cybersecurity startup goes from hiring former spies to students as it looks to grow to the size of Autonomy (Business Insider) Darktrace, a UK cybersecurity company backed by Autonomy founder and billionaire Mike Lynch, has revealed it is hiring fewer former spies and more graduates as it starts to scale towards being a billion dollar company

Strategic Focus and Superior Engineering Fueling Secure Data Technologies' Unprecedented Growth (PRNewswire) Earlier this month, Secure Data Technologies, Inc. (Secure Data) moved into a sprawling new headquarters in O'Fallon, Illinois, just 15 miles outside of downtown St. Louis, Missouri

Security Startup Illumio Inks Deal With Cloud Hardware Maker Nutanix (Re/code) Security startup Illumio says it has signed a deal to have its technology added to products from Nutanix, a company that makes cloud computing hardware

Rich A. Fennessy Appointed CEO of Kudelski Security (BusinessWire) The Kudelski Group (SIX:KUD.S), the world's leading independent provider of media content protection and value-added service technology, announced today the appointment of Rich A. Fennessy as Group Senior Vice President — and CEO of Kudelski Security

Fidelis Cybersecurity Appoints Richard Darer as Chief Financial Officer and Senior Vice President (BusinessWire) Respected industry leader brings finance and global business expertise to lead Fidelis Cybersecurity's growth

Research and Development

Researchers use Wi-Fi to see gestures, identify individuals through walls (Naked Security) MIT has created a device that can discern where you are, who you are, and which hand you're moving, from the opposite side of a building, through a wall, even though you're invisible to the naked eye

Security Patches, Mitigations, and Software Updates

Microsoft's Windows 10 to 'automatically download' from next year (Independent) Microsoft users will have Windows 10 automatically downloaded onto their computers without their knowledge, the software giant said this week

How to solve a problem like security update apathy? (SC Magazine) When a high percentage of users have unpatched systems and unpatched programs, as found in a recent Secunia report, can you protect them from themselves?

Cyber Attacks, Threats, and Vulnerabilities

In New Video ISIS Calls Prison Raid A Failure, Executes Prisoners (Vocativ) ISIS releases its own version of the raid in which an American commando lost his life

Navy grapples with Russian threats to undersea cables (Navy Times) U.S. leaders are increasingly worried that Russia's submarines could sever the communication arteries that drive global commerce

Operation KKK Is Beginning To Unmask Hate Group Members (TechCrunch) Operation KKK, an Anonymous-led effort to shut down the Ku Klux Klan, has begun in earnest

Hackers release info on Obama's national security transition team (C4ISR & Networks) The slow drip of information allegedly stolen from CIA Director John Brennan's personal email account continues to find its way onto WikiLeaks, with a list of personal information about 20 members of President Obama's transition team added to the leak in the most recent post on Oct. 26

Vodafone UK fights–off breach attempts, blocks 1,800 accounts in aftermath (CSO) The attackers were using information obtained externally, the telecom says

Vodafone warns some customer accounts were breached, potential for fraud and phishing attacks (Graham Cluely) UK telecoms operator Vodafone has revealed that the personal details of some 1,827 customers have had their personal information accessed by hackers, who broke into accounts between midnight on Wednesday 28 October and noon the following day

Experts say TalkTalk had 11 serious website vulnerabilities (Financial Times) TalkTalk had at least 11 separate serious vulnerabilities in its website and may have enticed criminals to target it after revealing security weaknesses in a public tweet two months ago, according to cyber security experts with detailed knowledge of the hack attack on the telecoms group

TalkTalk cyber-attack: third person arrested and released on bail (Guardian) 20-year-old man arrested in Staffordshire in connection with attack on telecoms firm, following arrest of two teenagers

TalkTalk cyber attack: chief Dido Harding rejects pressure to resign (Telegraph) Chairman and founder Sir Charles Dunstone backs chief executive as PwC is brought in to review causes of security breach

Android infostealer masquerading as MS Word document (Help Net Security) A clever Android information-stealing piece of malware is lurking on third-party app markets popular with Chinese users

New Reflection DDoS Attacks Spotted Using NetBIOS, RPC, and Sentinel Technology (Softpedia) Three new types of reflection DDoS attacks were observed by Akamai SIRT (Security Intelligence Response Team) being used in the wild from March to September 2015, utilizing three new amplification channels, namely NetBIOS name servers, Sentinel licensing servers, and RPC portmaps

FortiGuard Labs Discloses XSS Vulnerability in MantisBT (Fortinet Blog) MantisBT is an open source issue tracker with nearly 110,000 downloads so far this year from its SourceForge repository. It is known for its ease of use and rapid collaboration capabilities

Setting the Record Straight on Moplus SDK and the Wormhole Vulnerability (TrendLabs Security Intelligence Blog) A vulnerability known as Wormhole that reportedly affected the software development kit (SDK), Moplus by Baidu is making waves due to the severity of the impact once successfully exploited. The said vulnerability was discovered by WooYun.og, a vulnerability reporting platform in China

EFF Discovers More Leaky ALPR Cameras Accessible Via The Web (TechDirt) Not only are automatic license plate readers (ALPRs) in use all over the nation, but the companies behind them are less interested in securing their systems than selling their systems

Bulletin (SB15-306) Vulnerability Summary for the Week of October 26, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week

Litigation, Investigation, and Enforcement

Full 4th Circuit will hear cellphone tracking appeal (Daily Record) In a case involving convicted Baltimore bank robbers, the full 4th U.S. Circuit Court of Appeals said it will consider whether police need a search warrant to get the cellphone-tower records of suspected criminals in an effort to track down their whereabouts when the crime was committed

Feds explain (sort of) why they really want data on seized iPhone 5S (Ars Technica) DOJ: the search warrant remains active, so Apple should help us

Divorce lawyer who thought he could beat NSA in court, couldn't (Ars Technica) Just like many cases before him, Elliott Schuchardt could not prove standing

How FBI Cyber Division helps agencies investigate intrusions (Federal Times) The FBI takes the lead investigating cyberattacks against federal agencies and coordinating the National Cyber Investigative Joint Task Force

Socially Acceptable: The Perils of Social Media Discovery (Legaltech News) Social media discovery requests are increasing, but courts are still arguing profile authentication and where privacy expectations stop

Time Is Precious with Computer-Hacking Claims (JDSupra) A recent ruling shows that plaintiffs must act fast when using a federal criminal statute for a civil suit

Lessons learned from Target's data breach discovery win, five strategies for maintaining privilege in the aftermath of a data breach (Lexology) A thousand questions immediately flood any lawyer's mind when they first hear that their client may have been affected by a data breach

Design and Innovation

Deloitte Partners With Blockchain Startup Colu (CoinDesk) Coloured coins startup Colu has revealed it is embarking on a partnership with multinational consulting firm Deloitte

The day is not far for four factor authentication: Gemalto (CIOL) Atul Singh, Regional Director, India sub-continent, Banking, Transport & Telecom Solutions, Gemalto, in a free-wheeling interview with CIOL, discusses newer demands from the BFSI segment on security vendors, and the importance of four factor authentication