Cyber Attacks, Threats, and Vulnerabilities
The dispute between al-Qaeda and the Islamic State has devolved to name-calling (Washington Post) In a new 26-minute-long video statement, al-Qaeda in the Arabian Peninsula (AQAP) and al-Qaeda in the Islamic Maghreb (AQIM) said the Islamic caliphate declared by the Islamic State was illegitimate, dismissively referring to that militant organization as "Baghdadi's group," a reference to its leader, Abu Bakr al-Baghdadi
Data from U.S. agency cyber breach not on black market, researcher says (Reuters via Business Insurance) Data stolen in a massive breach of the U.S. Office of Personnel Management has not shown up on the black market, a sign that a foreign government launched the attack, a researcher with U.S. cyber security firm FireEye Inc. said Monday
U.S. intelligence head: CIA did not pull officers from Beijing after OPM hack (Washington Post) The CIA did not pull officers from Beijing in the wake of the Chinese hack of millions of sensitive personnel records disclosed earlier this year, the nation's top intelligence official said Monday
The Real Story Behind the Undersea Cable Caper (Technology and Security) When the latest Russian ocean surveillance ship, the Yantar (Amber) sailed off the coast of Florida, US Navy senior officials sounded an alarm
A New Cold War Deep Under the Sea? (World Post) Virtually all of the world's information moves deep under the sea
iOS 9 Can Now Finally Be Remotely Jailbroken — but YOU Can't Do It (Intego) Bad news iOS 9 users. Someone has developed a way of jailbreaking your iPhone or iPad and spying on you, in a way that is currently unstoppable
Hackers use anti-adblocking service to deliver nasty malware attack (Ars Technica) Drive-by malware attacks: They're not just for porn sites anymore
PageFair says small percentage of users were at risk from attack (IDG via CSO) Although antivirus programs may not have detected the malware, users would have had to approve running it
WoW! Want to beat Microsoft's Windows security defenses? Poke some 32-bit software (Register) Two chaps claim to have discovered how to trivially circumvent Microsoft's Enhanced Mitigation Experience Toolkit (EMET) using Redmond's own compatibility tools
Latest EMET Bypass Targets WOW64 Windows Subsystem (Threatpost) Backwards compatibility, a necessary evil for Microsoft in its need to support so many legacy applications on Windows, may be its undoing as researchers have found a way to exploit this layer in the operating system to bypass existing mitigations against memory-based exploits
Hacking tool swipes encrypted credentials from password manager (Ars Technica) "KeeFarce" targets KeePass, but virtually all password managers are vulnerable
Don't count on STARTTLS to automatically encrypt your sensitive e-mails (Ars Technica) TLS stripping and DNS attacks allow eavesdropping on protected messages
Stanford researchers identify potential security hole in genomic data-sharing network (Help Net Security) Sharing genomic information among researchers is critical to the advance of biomedical research
The Kids are Still at Risk: Update to Citizen Lab's "Are the Kids Alright?" Smart Sheriff report (Citizen Lab) A second audit of the Smart Sheriff application reveals that there are numerous unresolved security vulnerabilities that put minor children and parental users of the application at serious risk
TalkTalk breach: Third arrest, data already for sale, criminals targeting pensioners (Help Net Security) News about the TalkTalk breach and the investigation of it are coming fast and thick
Post-hack, TalkTalk treats defrauded customers poorly (Graham Cluley) There's lots that can be said, and has been said, about the hack of UK telecoms firm TalkTalk
Researcher Finds Information Disclosure and Hardware Misconfiguration Flaws in ATMs Used by German Bank (SecurityWeek) German savings bank Sparkasse has started patching its ATMs and self-service terminals after a researcher discovered that the machines can be tricked into revealing a lot of sensitive information during software updates
Aussie Farmers Direct hacked, user details posted online (IT News) Attackers publish data on more than 5000 shoppers
Cyber attack hits Salt Lake City School District's website, phones, grading system (Deseret News) A cyber attack that began Friday afternoon overwhelmed the Salt Lake City School District's website, phone system, and PowerSchool grading and homework tool off and on through Monday morning, according to district officials
A Tangled Web: Exploring the World of the Dark Web (Cyveillance) Compromised personal data, criminal services, drug and weapons markets, and illegal pornography are all part of the network of hidden sites now commonly referred to as the "Dark Web," also known as the "Dark Net" (or "Darknet")
These are the three most common cyber security mistakes that employees make (Australian Anthill) With Cyber Security month well underway, there is no better time for businesses to start educating employees on the risks of sloppy online practices
Mobile Malware Makes Mobile Banking Treacherous (Dark Reading) Kaspersky Lab report shows rate of mobile malware occurrence exploding in Q3
Making IP Secure (Semiconductor Engineering) The semiconductor ecosystem is beginning to identify security holes, what tools can be used to plug them, and what else is needed
Security Patches, Mitigations, and Software Updates
Google patches critical media processing flaws in Android (IDG via CSO) The November security update for Nexus devices fixes seven vulnerabilities, two of them critical
Monthly Android Security Update Patches More Stagefright Vulnerabilities (Threatpost) The Stagefright vulnerabilities are the gifts that keep on giving
Cyber Trends
Cyber adds several new dimensions to warfare (Federal Times) The face of war is changing as the world's infrastructure is interconnected and the cyber theater becomes a focus for militaries around the world
Preparing For The Cyber Battleground Of The Future — Analysis (Eurasia Review) For space and cyber Airmen, tomorrow's fight will be determined largely by the concept of cyberspace dependency
The Changing Cyber Threat Landscape — Securonix Chats with Chris Inglis (Securonix) In this first video of a four-part series, Chris Inglis, former deputy director at the NSA and current Chairman of the Securonix advisory board, sits down with Securonix CEO Sachin Nayyar for a candid conversation about cyber security strategy. How is the threat landscape changing?
The Evolution of Technical Capabilities to Battle Cyber Threats — Securonix Chats with Chris Inglis (Securonix) In this second video of a four-part series, Chris Inglis, former NSA deputy director and current Securonix advisory board chair, joins Securonix CEO Sachin Nayyar to discuss the evolution of technological capabilities to defend organizations against increasingly complex cyber attacks
The Insider Threat — Securonix Chats with Chris Inglis (Securonix) "Organizations vastly underestimate the likelihood of an insider attack," says Inglis. "It only takes one in a company of thousands. The proper estimation is one, as in 100 percent likely"
The Role of The Government — Securonix Chats with Chris Inglis (Securonix) "Individuals, organizations and societies are adopting new technologies at a breathtaking pace, without understanding the vulnerabilities inherent to them." Says Inglis, "The threats in this space only continue to exceed our expectations. As the scope and scale of attacks become increasingly alarming, it's only natural that we wonder if government should intervene, as if there is a singular point of accountability for cyber security"
The value in vulnerability management platforms (Help Net Security) A study conducted by Forrester Consulting assessed IT decision makers' satisfaction with their current vulnerability management platforms and the challenges companies face in securing their cloud environments against exposure
Most consumers believe cloud-based apps can be hacked (Help Net Security) Consumers often don't realize that the applications they depend upon daily live in the cloud and therefore many may be unaware of the threat of breach to their personal data, according to Radware
Why Modern IT Security Is Like Aviation — 100 Years Ago (eWeek) Accomplished pilot and former Black Hat GM Trey Ford details the lessons the aviation industry learned "in blood" that can be applied to IT security
The Australian Cyber Security Centre Threat Report 2015 (Australian Cyber Security Centre) The cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. If an organisation is connected to the internet, it is vulnerable. The incidents in the public eye are just the tip of the iceberg
Marketplace
Security Must Speak the Language of Risk (InfoRiskToday) Bharti Airtel's Dr. Sivasubramanian on why security is misunderstood
DISA splitting big data cyber program into two contracts (C4ISR & Networks) The Defense Information Systems Agency is getting ready to release two requests for proposals for big data capabilities to help the Department of Defense maintain a better understanding of its networks' security postures
Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack (Wired) Hacking Apple's iOS isn't easy. But in the world of cybersecurity, even the hardest target isn't impossible — only expensive
Secret Apple iPhone zero-day exploit earns $1,000,000! Well, maybe… (Naked Security) A controversial hacking company recently ran a competition offering $3m for up to three click-to-own exploits against Apple's iOS. The exploits would be sold on to "eligible customers" only
Akamai buys network security firm Bloxx to bolster enterprise cloud offerings (ZDNet) With the acquisition, Akamai said it hopes to bring a new suite of cloud-based security services to market sometime in 2016
EMC May Float Pivotal in IPO Next Year in a Plan Blessed by Dell (Re/code) EMC and Dell are speeding up plans to take the software company Pivotal public and are now studying the option of an IPO in early 2016, sources familiar with the deliberations tell Re/code
Secretive cyber warfare firm NSO Group explores sale: sources (Reuters) NSO Group Ltd, a company that helps governments spy on mobile phones and is so secretive that it regularly changes its name, is exploring a sale that could value it at close to $1 billion, including debt, according to people familiar with the matter
FireEye Drags Qualys, CyberArk Up Ahead Of Earnings (Investor's Business Daily) FireEye (NASDAQ:FEYE) stock climbed Monday on Wall Street ahead of its late Wednesday Q3 earnings report, pulling up shares of online security firms CyberArk Software (NASDAQ:CYBR), Qualys (NASDAQ:QLYS) and Symantec (NASDAQ:SYMC) with it
CyberArk: A Key Player In A Fast-Growing Industry (Seeking Alpha) Cyber security industry is growing at a rapid pace due to the nature of cyber attacks
Interview: Advanced Threat Protection has potential to change Symantec's enterprise security play (First Post) Security giant Symantec has finally unveiled its ambitious product — Advanced Threat Protection (ATP). With the ATP launch, the company hopes to disrupt the advanced persistent threat market which already sees companies like FireEye and Trend Micro; and begin a new journey as a "full security company"
CrowdStrike CEO George Kurtz Awarded ISSA President's Award for Public Service (BusinessWire) CrowdStrike Inc., a cybersecurity technology firm pioneering next-generation endpoint protection, today announced that George Kurtz has been awarded the 2015 ISSA President's Award for Public Service by the Information Systems Security Association (ISSA)
Products, Services, and Solutions
Resurgence of innovation driving glut of new security tools (CSO Australia) Security vendors are showing new confidence against malware attackers as they launch new classes of products designed to take the fight back to malware authors that have recently been overwhelming many companies' traditional defences
Startup Spotlight: SentinelOne's Endpoint Security (eSecurity Planet) The endpoint is the 'scene of the crime' in enterprise security, so startup SentinelOne targets endpoint security holes left by traditional AV solutions
Microsoft Security Essentials Scores Incredibly Well in New Antivirus Tests (Softpedia) It's generally believed that Microsoft Security Essentials isn't the best antivirus solution out there, but only a basic product that can protect your computer until you install a more advanced security app, but a new series of tests conducted by Dennis Technology Labs claim otherwise
Snapchat reassures users that photo messages are still totally private (C|Net) The photo-sharing service has disputed claims that changes to its privacy policy will allow it to store and share users' messages
T-Mobile's network extender lets anyone use your Internet bandwidth (Ars Technica) Like Comcast, T-Mobile boosts its network by borrowing your bandwidth
Facebook finally changes real-name policy (Naked Security) Facebook on Friday finally changed the real-name policy that has made using the service difficult for drag queens, the LGBTQ community, Native Americans, those who use pseudonyms, and persecuted groups
ThreatConnect Announces Enhanced ThreatConnect App for Splunk (BusinessWire) ThreatConnect, Inc.®, creator of the most widely adopted Threat Intelligence Platform (TIP), today announced the availability of the ThreatConnect App for Splunk
Methodist Healthcare Ministries Leads Regional HIPAA Compliance with Continuous Network Monitoring from Tenable Network Security (BusinessWire) SecurityCenter Continuous View helps not-for-profit healthcare provider strengthen security effectiveness to better protect patient data across the entire South Texas healthcare network
Signal, the Snowden-Approved Crypto App, Comes to Android (Wired) Since it first appeared in Apple's App Store last year, the free encrypted calling and texting app Signal has become the darling of the privacy community, recommended — and apparently used daily — by no less than Edward Snowden himself
Free Phish Alert Add-In For Outlook To Debut (Dark Reading) Button for reporting suspicious emails to the security team works with Microsoft's email software
Kaspersky Lab Releases Free Decryption Keys For Victims Of CoinVault and Bitcryptor Ransomware (TechWorm) 14,000 decryptor keys For CoinVault, Bitcryptor ransomware released By Kaspersky for ransomware victims
LightCyber game lets IT pros become the attacker (Network World) A better appreciation of how adversaries think can lead to better security
Technologies, Techniques, and Standards
Visa's Perez on Why PCI Still Matters (BankInfo Security) Even with shift to EMV, PCI compliance remains a priority
Laying a crypto foundation: Four steps to effective encryption (FedScoop) To comply with NIST encryption standards and better manage cryptographic keys, agencies need a solid "crypto foundation"
Software-Defined Perimeter enables application-specific access control (Help Net Security) Back in the early 1990s enterprises migrated away from proprietary protocols such as DECnet, SNA, and Novell IPX to common standards such as IP
How to fight back against reputation damaging Internet monsters (CSO) In today's world people make up stuff to damage reputations for both individuals and companies, either because they are paid to or just because they are bad people
150 ideas for better cybersecurity in government (FCW) As the government gears up for a second "cybersecurity sprint" and begins to absorb the Office of Management and Budget's just-released strategy, a group of industry and agency leaders has been canvassing the federal IT community for ideas on how to do cybersecurity better
Disruptive by Design: How to Evolve Federal Cloud Security (SIGNAL) In 2011, then-U.S. Chief Information Officer Vivek Kundra set the stage for federal agencies to take full advantage of cloud computing benefits through the Cloud First initiative, which mandates that agencies evaluate cloud options before making any new information technology investments
How to earn the trust of millennials concerned with security (CIO via CSO) Millennials are growing increasingly weary of data and security when it comes to their favorite brands. And that means it's vital that companies include a strong cybersecurity message in their marketing plan to help rebuild trust
Design and Innovation
How your voice can protect you from credit card fraud (CNN) That call to your bank is being recorded for more than just "quality assurance purposes"
Research and Development
How IARPA predicts the unpredictable (Federal Times) The Intelligence Advanced Research Projects Activity is where the intelligence community turns to solve some of its toughest programs — it's billed as the IC's high-risk, high-payoff science lab
Academia
New Special Report Highlights NSF-Funded Cybersecurity Research And Education (ECN) Cybersecurity is one of the defining issues of our time. Can we keep our networks, devices and critical systems open, safe and secure, while maintaining personal privacy? How do we develop tomorrow's cybersecurity solutions?
IUP ranks high in cyber defense education (The Penn) Out of 102 national universities eligible to be named a Center for Academic Excellence in Cyber Defense, Indiana University of Pennsylvania became one of just six state colleges to earn the designation
Raspberry Pi Foundation And U.K.'s Code Club Merge For Global Push To Get Kids Coding (TechCrunch) Make way for 'Pi Club' (not its real name)
Legislation, Policy, and Regulation
Governments 'must realise that they cannot control social media' (National) GCC governments must realise that they cannot control social media, and put more effort into fighting extremist ideology through providing more positive content
Hi, um, hello, US tech giants. Mind, um, mind adding backdoors to that crypto? — UK govt (Register) Call Me Dave wants to know what's in your calls
A new licence for spies and police? (BBC) Despite the recent release of the latest James Bond film, what really worries Britain's spies at the moment is not the cinematic licence to kill but what they call their "licence to operate"
Is The U.S.-China Cyber Security War Ending? (Value Walk) Cyber security has been at the forefront of the debate on Sino-American ties for several years now
Cyber Legislation Moves To Conference; White House Issues Cyber Strategy (National Law Review) Last week, the Senate passed the Cybersecurity Information Sharing Act (CISA/S. 754) by a 74-21 vote
Everything You Need to Know About the Recently Passed, Privacy-Decimating CISA Bill (Vice) Last Tuesday, the United States Senate passed the Cybersecurity Information Sharing Act, or CISA, by a vote of 74-21
US cybersecurity plan won't stop the government getting hacked — but it's a start (Naked Security) This week, the White House unveiled a new strategy for modernizing the US government's cybersecurity, and there's a lot of work to be done
House passes bill to prevent security 'insider threats' (The Hill) The House passed legislation on Monday to mandate the Department of Homeland Security to establish a program to identify and mitigate insider threats from rogue employees
Bill introduced to criminalize warrantless cell phone surveillance (Ars Technica) Bill from Rep. Jason Chaffetz would require warrant, but it has big exemptions
Tight budgets, cyber threats driving DISA's path forward (C4ISR & Networks) The one-two punch of a tense budgetary climate and a proliferation of cyber threats is changing how the federal government does business, particularly at the agency charged with much of the Defense Department's IT service
Mustang officers in Info Dominance Corps to get new designators (Navy Times) Warrants and limited duty officers in the Information Dominance Corps are getting new designators
Hacked Opinions: The legalities of hacking — Katie Moussouris (CSO) Katie Moussouris, from HackerOne, talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts
Litigation, Investigation, and Law Enforcement
Battle Heats Up Over Exports of Surveillance Technology (New York Times) Ayman Ammar and Rashid Albuni claimed to be computer technology distributors, operating through multiple corporations in Dubai, in the United Arab Emirates
Opinion: Why the Supreme Court should side with data brokers (Christian Science Monitor Passcode) The Supreme Court hears arguments Monday in Spokeo v. Robins, a case in which a Virginia man claims he was wronged because an Internet data broker portrayed him incorrectly. If the court sides with the alleged victim, any tech company that collects and aggregates personal data could be subjected to devastating lawsuits
New Strategies for Battling Cybercrime (InfoRisk Today) Front-line practitioners outline top challenges, strategies
The Policing Challenges of Breach Response (InfoRisk Today) Experts: law enforcement needs to adopt a risk-based approach
CSC, NetCracker IT staff worked on US military telecoms 'without govt security clearance' (Register) Outsourcers cough up $12m in tussle with DoJ over claims
Where Does Volkswagen’s Road of Deceit End? (Supply Chain 24/7) Volkswagen used devices to cheat air pollution tests in diesel luxury vehicles in model years 2014 through 2016, U.S. and California environmental regulators said on Monday, widening their investigation into the carmaker's emissions scandal
The Mt. Gox Bitcoin Debacle: An Update (IEEE Spectrum) More than 18 months after the MtGox bitcoin exchange filed for bankruptcy in February 2014, little is still known about what happened to the 850,000 missing bitcoins