
The CyberWire Daily Briefing 11.04.15
news from the SINET Showcase
The SINET Showcase opened yesterday with afternoon workshops on matters of interest to cyber security startups and their customers. We were able to attend some of those sessions, and have prepared a summary. We're continuing to provide live coverage of this event today, including the presentations of the SINET 16. Tomorrow's issue will feature a full report of today's sessions.
The anti-ISIS hacktivists of GhostSec talk to the Irari Report about the soi-disant caliphate's operations in cyberspace. Of interest are ISIS's efforts to evade disruption (not so much detection, since so much of their operations are directed to recruiting and developing mindshare among the disaffected) because these involve hiding in plain sight as opposed to using technically sophisticated cloaking.
A vBulletin breached, swiftly patched by the company, arouses fears of a more general zero-day campaign.
The post-mortem of the PageFair hack continues. Threatpost explains how the service was exploited to serve as the vector for bogus (and malicious) Flash updates.
The Tinba banking Trojan is seeing a surge in activity against Russian targets. The Angler and Nuclear exploit kits are observed integrating PawnStorm.
Mixed news on ransomware: the good news is that Dutch police have taken down CoinVault and Bitcryptor (with an assist from Kaspersky, who extracted the encryption keys); the bad news is that German companies are being hit with Chimera.
XcodeGhost is circulating again, now affecting iOS9 devices.
Dark Matters takes a dive into the metaphysics of identity, which it sees as necessarily a social artifact. (A defensible position, but contrast the work of a classical metaphysician, John Duns Scotus, particularly in Ordinatio II.)
Some journalists covering the cyber beat listen to psychologists advising a Freudian look at hacking motivations. Understanding motives is surely a good thing, but turning to psychoanalysis for insight seems like advising a chip fab to think about how it handles phlogiston during lithography.
Notes.
Today's issue includes events affecting Germany, Iran, Iraq, Ireland, Kenya, Malaysia, Netherlands, Sudan, Syria, United Kingdom, and United States.
Washington, DC: the latest from the SINET Showcase
SINET Showcase 2015 (SINET) SINET Showcase provides a platform to identify and highlight "best-of-class" security companies that are addressing industry and government's most pressing needs and requirements
SINET Announces 2015 Top 16 Emerging Cybersecurity Companies (CTO Vision) Winners to Introduce Innovative Technologies at SINET Showcase in Washington, DC, November 3 & 4, 2015
SINET Day One: Workshops on Risk (and its Transfer), and on the Challenges of Cyber Law Enforcement (The CyberWire) The SINET Showcase opened yesterday with an afternoon of workshops on topics the cyber sector is following closely. We were able to attend three of them; here are a few of the highlights.
Cyber Attacks, Threats, and Vulnerabilities
Irari Report: ISIS using U.S. hosting services to avoid intelligence agencies (CSO) In the first segment of The Irari Report interview with WauchulaGhost, leader of the hacktivist group GhostSec, which has been taking down ISIS operations and actually credited with stopping terrorist attacks, Ira Winkler and Araceli Treu Gomes learn that ISIS has purposefully been using Google and Amazon Web Services to avoid US and international intelligence agencies
British jihadists appear in Shabaab propaganda video (Long War Journal) Shabaab, al Qaeda's branch in East Africa, has released a propaganda video that appears to feature several British fighters and others from the West
vBulletin password hack fuels fears of serious Internet-wide 0-day attacks (Ars Technica) Software maker issued security patch hours after reports surfaced it was breached
PageFair Hack Serves Up Fake Flash Update to 500 Suites (Threatpost) More than 500 users of a free analytics service may have had their websites compromised over the weekend after a hacker was able to execute malicious JavaScript through the service
Trick-or-treat, the PageFair breach (Dark Matters) PageFair, an advertising system provider that displays ad-block friendly ads to users who use adblockers; and also an analytics service allowing publishers to measure how many users block ads was hacked on Halloween night
Angler and Nuclear Exploit Kits Integrate Pawn Storm Flash Exploit (TrendLabs Security Intelligence Blog) When it comes to exploit kits, it's all about the timing
Chimera crypto-ransomware is hitting German companies (Help Net Security) A new piece of crypto-ransomware is targeting German companies: it's called Chimera, and the criminals behind the scheme are threatening to release sensitive corporate data on the Internet if the targets don't pay the ransom
Top Russian Banks, Payment Service Providers Targeted By Tinba (Dark Reading) Infamous banking Trojan with Eastern European ties now being used to to steal Russian bank account information
A Tale of Breaking SAP's SuccessFactors's XSS Filter (Respect XSS) '-confirm(1)-' was enough to break SAP's SuccessFactors's XSS filter and were able to make hundreds of web applications vulnerable
Updated XcodeGhost Adds iOS9 Support (Threatpost) New samples of XcodeGhost, malware targeting iOS devices, have surfaced beyond the borders of China with new support for iOS9 and obfuscation techniques making it that much harder to detect
Many US enterprises still running XcodeGhost-infected Apple apps, FireEye says (PC World) A new version of XcodeGhost has also appeared that tries to defeat defenses built into iOS 9
New Wave of Pay-at-Pump Skimming Attacks (BankInfo Securuty) Organized crime steals millions in advance of EMV
Google Hackers Battle One Another To Uncover 'Serious' Flaws In Samsung Galaxy 6S Edge (Forbes) Members of Google's Project Zero team had themselves a little competition this week: Americans vs. Europeans
There's a Good Chance Your Mobile Device Is Vulnerable to Data Thieves (The Street) Talk about risky business
How Carders Can Use eBay as a Virtual ATM (KrebsOnSecurity) How do fraudsters "cash out" stolen credit card data?
NFC: The Next Big Fraud Vector? (B2C) Google Wallet, Apple Pay. These are services most people nowadays are pretty familiar with even if they're not using them
Security Patches, Mitigations, and Software Updates
Security update kills several critical bugs in Android Marshmallow (Help Net Security) Google's November Android security update carries fixes for seven vulnerabilities, including two remote code execution flaws that are rated "critical" (CVE-2015-6608, CVE-2015-6609), and an elevation of privilege vulnerability (CVE-2015-6610) that would also be rated as such were it not for a lower likelihood that it can be exploited remotely
Firefox 42 — The End of Cross Domain Tracking? (Check & Secure) With the theme of adblockers becoming increasingly more topical and controversial issues — given the news regarding Pagefair yesterday — it would seem that some of the internet's largest players have turned on the providers of loud, noisy ads, as well as websites who store data about visitors against their will
Cyber Trends
Why Security Doesn't Know You (Dark Matters) If I learn about you from your neighbor, who would they say you are? How close would that be to what your co-worker says about you? What about a sibling, your parents, your children, or your lovers?
Diverse Threats Challenge U.S. Intelligence Community (SIGNAL) Both the players and the field have changed, and they continue to evolve
Security report: Industry and online presence drive your cyberthreat profile (TechRepublic) The Alert Logic 2015 Cloud Security Report found that there is a wide divergence of threats by industry, hackers view cloud targets as easier prey, and more
Online bank accounts targeted over 5m times (Biztech Africa) In its global Q3 IT Threat Evolution Report, Kaspersky Lab has published the details of the key security incidents of the quarter
Get used to it?: Mega breaches (SC Magazine) How can we overcome data breach fatigue and restore trust in business and government's ability to protect personal data?
Marketplace
Security Takes Center Stage (Security Magazine) With rising risks and tumultuous business climates, the spotlight is shining on the enterprise's next leader: the security executive
Security acquisitions reach a fever pitch (InfoWorld) Consolidation in IT security ran rampant in October, with more acquisitions on the way to feed the demand for integrated solutions
More companies form data breach response plans (Business Insurance) More companies are introducing data breach response plans, but relatively few have confidence in their effectiveness, says a study issued Tuesday by the Ponemon Institute L.L.C
Carlyle Group Cuts Booz Allen Ownership Stake to 20% (GovConWire) Global investment firm Carlyle Group will reduce its ownership stake in consulting services provider Booz Allen Hamilton (NYSE: BAH) to 20 percent through a sale of 13 million shares to Credit Suisse for 388,440,000
ClearSky Data Raises $27 Million Series B Funding Led by Polaris Partners, Strategic Investment by Akamai Technologies (MarketWatch) Funding to accelerate growth, build out global storage network, allow enterprises to plug into new model for on-demand primary storage
FireEye Can Secure Long-Term Profits for Investors (The Street) Preventing cybercriminals and hackers from stealing sensitive data remains a top priority for business executives
MetaIntelli Changes Company Name to Mi3 Security (BusinessWire) MetaIntelli, Inc., announced today that it has changed its name to "Mi3 Security, Inc.™"
WashingtonExec Annual GovCon Awards Interview Series: Haystax CEO Bill Van Vleet (WashingtonExec) The clock is ticking. With just a few days away from the "Oscars of the Government Contracting Community"
Qualys Hires Mark Hutnan as Vice President and General Manager, US Federal Operations to Accelerate Expansion Into Federal Space (Marketwired via CNN Money) Hutnan brings over 15 years of business, technical and DoD / Intelligence Community experience
vArmour hires former U.S. government cyber official (Reuters) Silicon Valley computer security startup vArmour has hired former senior U.S. Department of Homeland Security official Mark Weatherford as its chief cyber security strategist
Products, Services, and Solutions
Fortscale 2.0 Turns the Tables on Insider Threats (BusinessWire) Precise anomaly detection coupled with immediate analyst insights provide unmatched user behavior analytics to eliminate data breaches
Bay Dynamics and Skyhigh Networks Unite to Uncover Risky Behaviors of Business Cloud Users (Street Insider) Partnership helps businesses identify how insiders are using cloud-based applications so that they can minimize risk of a data breach
Cisco Extends Security Everywhere with Broader Visibility, Control, and Protection for Shadow IT, Endpoints, and the Cloud (Cisco: the Network) Threat awareness service gives organizations the upper hand in securing the network
Centrify Partners with Leading Cloud Access Security Brokers to Enhance Cloud Security for SaaS Applications (Centrify) Joint solution extends end user and privilege user security for cloud and mobile application access with new CASB partners Cloudlock, Elastica, Imperva, Netskope and Skyhigh Networks
Software Automation Company Chef Cooks Up New Compliance Software (Legaltech News) Chef now offers automation in four different phases of the software production lifecycle
Deep Instinct Launches First Commercially Available, Real-Time Cybersecurity Solution Based on Deep Learning (Marketwired via EIN) The only solution that instantly detects and prevents zero-day and APT attacks across all endpoints and mobile devices
'Deep Learning' Technology Sees Through Security Software Blind Spots (eWeek) There are many things that your current security software simply can't see and stopping emerging threats requires a new approach
Imperva Skyfence Delivers New Data Governance Capabilities to Discover and Protect Sensitive and Regulated Data Stored in File-Sync Services (Nasdaq) Imperva, Inc., (NYSE:IMPV), committed to protecting business-critical data and applications in the cloud and on-premises, today unveiled a new release of its Imperva Skyfence Cloud Gateway, a Cloud Access Security Broker (CASB) solution
Signal for Android finally out, offers end-to-end encrypted calls and messages (Help Net Security) Open Whisper Systems (formerly Whisper Systems) has finally released the Android version of its popular free, open source iOS app for end-to-end encrypted voice calls
Technologies, Techniques, and Standards
Enhancing pentesting recon with nmap (Internet Storm Center) You might have used nmap several times for recon using the conventional portscan functionality
Data Breach Planning in 10 Easy Steps: How to Think Like A Litigator (National Law Review) For the first Monday in November, we have 10 easy steps to make sure that your data breach incident response planning is viewed from that pesky point of view of a litigator
Design and Innovation
Bitcoin: Discussing Code Changes Is Half The Battle (Bitcoinist) Discussions about changing the dynamic code that runs the Bitcoin blockchain should constantly be happening
Research and Development
Facebook Aims Its AI at the Game No Computer Can Crack (Wired) In the miod-'90S, a computer program called Chinook beat the world's top player at the game of checkers
Legislation, Policy, and Regulation
Surveillance bill to include internet records storage (BBC) Internet firms will have to store details of every website visited by UK citizens in the past 12 months, under planned new surveillance laws
Tech firms between rock and hard place (New Zealand Herald) Oh dear. It looks like Britain has painted itself into a corner with proposed new legislation that will give tech firms in the country major headaches
What the Cybersecurity Information Sharing Act Means for Organizations (Legaltech News) While CISA would offer some limited protections to organizations who utilize it, pooling data is never without risk
House bill would get DHS to help states fight hackers (The Hill) A Texas Republican is trying to get state and local governments the federal tools they sorely need to fight cyber crime
The U.S. Still Doesn't Know Who's In Charge if Massive Cyber Attack Strikes Nation (Defense One) Cyber physical attacks on infrastructure may be an unlikely sneak attack, but if it happens, the chain of command is far from clear
Top Priority: Federal Government must get cybersecurity right (SC Magazine) It's been called a watershed event, a wakeup call, a punch in the gut, and the highest risk to national security since the 9/11 terrorist attacks
U.S. grapples with controlling 'cyber-munitions' while recruiting 6,000 new cyber-warriors (TechRepublic) The U.S. government is ramping up its digital defenses by recruiting new military coders and examining how best to handle the proliferation of digital weapons
DISA: Automation key to cyber defense (C4ISR & Networks) As the Defense Department continues to fortify its networks and data, officials say they are automating some cyber defenses that can be triggered and respond to threats without manual maneuvers
All the Deadlines in the White House's New Cyber To-Do List (Nextgov) The White House last week issued a broad new action plan for closing persistent cybersecurity gaps that have plagued federal agencies for years
From behind bars, Manning pens sweeping surveillance reform bill (The Hill) Imprisoned government leaker Chelsea Manning spent months behind bars writing draft legislation to overhaul the nation's spying powers, she revealed on Tuesday
Litigation, Investigation, and Law Enforcement
Kicking Off A New Era For Policing Cybersecurity (Dark Reading) In the wake of FTC v. Wyndham, government agencies are becoming more aggressive about protecting corporate data and customer privacy. But the new rules are very much a work in progress
CoinVault and Bitcryptor, R.I.P. (SC Magazine) Kaspersky and Dutch police have shut down these two strains of ransomware in a joint effort, arresting the authors and seizing the decryption keys
Teenager arrested in Norwich over TalkTalk cyber-attack (Guardian) 16-year-old boy is fourth person to be held in investigation into alleged theft of telecom firm's data
No arrests made following investigations into Vodafone cyber attack (Mobile News) No arrests have been made in connection to a cyber attack that threatened the personal of under 2,000 Vodafone UK customers on October 28
Try to hire a hacker on CraigsList to wipe out your court fines? Get sent to prison (Graham Cluley) A judge in Lancaster County, Pennsylvania, has sentenced a man to prison for having attempted to solicit the assistance of a hacker on Craigslist with the intent to wipe his legal fines from a court's computer system
Irish cyberpsychologist inspiring CSI show tells Web Summit: We should learn from kids in cybercrime (Independent) The world is "sleepwalking its way into a new and evolving world" without understanding why people commit cybercrime, according to leading cyberpsychologist Mary Aiken
Putrajaya dodges question on alleged spyware buy (Malay Mail) The federal government evaded today from answering a question from an opposition lawmaker, who wanted to know if it had bought software from foreign security vendor Hacking Team in July to spy on Malaysians
Iran: Lebanese-born technology envoy with 'ties' to U.S. military is arrested (Washington Post) A Lebanese-born technology expert whose group has a Washington branch has been arrested in Iran and accused of links to the U.S. military and intelligence agencies, Iranian state TV reported Tuesday
F-35 Data Smuggler Sentenced to Jail (Defense News) A former Connecticut resident has been sentenced to 97 months in jail for attempting to send sensitive technical data on the F-35 engine to Iran
MPAA Takes Down Pirating Group And Popcorn Time Fork (TechCrunch) There are corks popping around the MPAA offices today. The American trade organization is claiming responsibility for shutting down several pirating services including a popular version of Popcorn Time, you know, the Netflix for pirates
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
NICE 2015 Conference and Expo (San Diego, California, USA, Nov 3 - 4, 2015) Cybersecurity has emerged as one of the leading creators of jobs and opportunity for all economic sectors. The demand for cybersecurity positions in both the public and private sector is large and growing, but the talent pool of cybersecurity workers is not yet able to keep up. The NICE 2015 Conference and Expo features thought leaders from education, government, industry and non-profits who are addressing the cybersecurity education, training, and workforce needs of the nation
Inside Data Science 2015 (Monterey, California, USA, Nov 3 - 4, 2015) At the Inside Data Science 2015 Conference (IDS2015) our focus is not on the storage or volume of data, but rather the importance of what you do with it. To synchronize the processing, exploitation and dissemination of information you must leverage the proper organization, extraction and analysis of data. In today's data-driven society, your best offense to stay ahead of the game is to become scientific in your approach and systematic in your execution
4th International Internet-of-Things Expo (Santa Clara, California, USA, Nov 3 - 5, 2015) With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Santa Clara. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be
RSA Conference 2015 Abu Dhabi (Abu Dhabi, United Arab Emirates, Nov 4 - 5, 2015) Join your fellow information security professionals at RSA Conference 2015 Abu Dhabi, where we'll be discussing security issues from a global perspective
ICMC (the International Cryptographic Module Conference) (Washington, D.C., USA, Nov 4 - 6, 2015) ICMC core focus includes cryptographic modules, FIPS 140-2, ISO/IEC 19790 and cryptographic algorithms. Specialists from all over the world gather in Washington to discuss about commercial cryptography and share their expertise on the subject. Conference topics may include the underlying the implementation of a cryptographic module including physical security, key management, side-channel analysis, cryptographic algorithm implementation testing, standardization, validation programs and more
After the Shift: Securing Tomorrow's Payment Technology (Washington, DC, USA, Nov 5, 2015) From encryption to tokenization, what does the future hold for keeping consumer data safe? Policymakers, industry leaders, and technology experts will explore the cutting edge of cyber technology and discuss how government and industry can work together to protect American consumers
2nd Annual Journal of Law and Cyber Warfare Conference (New York, New York, USA, Nov 5, 2015) The 2015 symposium speakers represent an unparalleled group of cyber security experts with a wide variety of industry expertise and knowledge. Attendees will hear from experts on cybersecurity and cyber warfare from the military, government, private industry, and the public sector. Our panels are designed to provide attendees with thought leadership from a diverse group of experts who will share their experience and knowledge-base regarding topical cyber security issues
Start with Security (Austin, Texas, USA, Nov 5, 2015) This one-day conference will continue the FTC's work to provide companies with practical tips and strategies for implementing effective data security. Aimed at start-ups and developers, this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response
University of Phoenix® Technology Conference (Arlington, Virginia, USA, Nov 7, 2015) At the University of Phoenix® Technology Conference 2015, a free event hosted by the University of Phoenix College of Information Systems and Technology, you will be introduced to cyber security, explore best practices for securing the Internet of Things, and examine trends around how to convert data into actionable intelligence
Cyber³ Conference: Crafting Security in a less Secure World (Nago City, Okinawa, Japan, Nov 7 - 8, 2015) An international conference on cyber security hosted by the Government of Japan with the support of the World Economic Forum. At this conference, multi-stakeholders, including policymakers, business leaders, and researchers from around the world, will discuss the new reality of Cyber Connection, Cyber Security, and Cybercrime (together, Cyber³) and their implications for the future of the Internet
FedCyber 2015 (Tyson's Corner, Virginia, USA, Nov 10, 2015) This conference, orchestrated by cyber practitioners Matt Devost and Bob Gourley, is designed to advance the state of cyber defense. The FedCyber.com Threat Expo will bring together thought leaders who know the cyber mission in a venue designed to enhance our collective understanding of the threat, build on existing strategies to mitigate challenges, and leverage the nation's greatest technologies to enhance our defense in depth
First International Conference on Anti-Cybercrime (ICACC-2015) (Riyadh, Saudi Arabia, Nov 10 - 12, 2015) Al Imam Mohammad Ibn Saud Islamic University is organizing this international conference to establish a forum where discussions on vital issues related to anti-cybercrime can occur. This conference will also help Saudi policy makers and authorities to improve and revolutionize their efforts to tackle this serious problem by providing them opportunities to review existing use of technology in the country
Black Hat Europe (Amsterdam, the Netherlands, Nov 10 - 13, 2015) Black Hat prides itself with being "the most technical and relevant global information security event series in the world." For the past 16 years, the Black Hat events have given their attendees the opportunity to explore the latest research and developments in information security, while also taking into account the concrete needs of the participants
Data Privacy, Data Security, and Business Risks — What Lawyers Should Know (Baltimore, Maryland, USA, Nov 12, 2015) Continuing Legal Education presented by the Baltimore Bar Association. The sessions will include "An Overview of Data Privacy Laws Issues for Lawyers,? ?Obligations to Keep Data Secure? Cyber Insurance?? and ?Post-breach, Breach Notifications, and Now What?
Pen Test Hackfest Summit & Training (Alexandria, Virgina, USA, Nov 16 - 23, 2015) SANS Pen Test Hackfest Training Event and Summit is coming back to Washington DC, bigger and better than ever! The Hackfest is an ideal way to learn offensive techniques so you can better defend your environment. Whether you are a penetration tester, a forensics specialist, or defender, the techniques covered at the Hackfest represent the latest and most powerful attacks every organization needs to thwart
cybergamut Technical Tuesday: Hackproof Signal Processing for Wireless Communications ("Central Maryland, " USA, Nov 17, 2015) Conventional computing and communications expose myriad attack surfaces because of the Turing-equivalence of the instruction set architectures and the mathematical impossibility of forming a complete set of monitor functions to protect the contents of the registers from insightfully designed malware such as what NIST terms Advanced Persistent Threats. This talk describes how to throw out the general purpose computers via dataflow computing on FPGAs. Contact the conference organizers for instructions on how to attend
Cybersecurity, the SEC and Compliance (New York, New York, USA, Nov 18, 2015) The recent SEC CyberSecurity Examination Initiative focuses on information safeguards for financial services organizations. Are you prepared? Please join us for a panel discussion on what cybersecurity means to your business and how the new SEC requirements affect your firm. The panel consists of professionals from the Cyber Security, Legal, Insurance and IT systems management industries. (RSVP as seating will be limited)
CyberCon 2015 (Pentagon City, Virginia, USA, Nov 18, 2015) CyberCon 2015 is the forum for dialogue on strategy and innovation to secure federal and defense networks, as well as private sector networks that hold their sensitive data
Internet-of-Things World Forum 2015 (London, England, UK, Nov 18 - 19, 2015) This conference features speakers from leading IoT companies and their customers. Learn how the Internet-of-Things is creating new markets for products, services, and solutions
2015 U.S. Cyber Crime Conference (National Harbor, Maryland, USA, Nov 14, 2015) The 2015 U.S. Cyber Crime Conference (Formerly the DoD Cyber Crime Conference) has brought world-class forensics and incident response training combined with outstanding community networking for over 15 years. The conference covers the full spectrum of topics facing defenders as well as law enforcement responders
DefCamp6 (Bucharest, Romania, Nov 19 - 20, 2015) Why DefCamp? Because it's the most important conference on Hacking & Information Security in Central Eastern Europe, bringing hands-on talks about the latest research and practices from the INFOSEC field, gathering under the same roof security specialists, entrepreneurs and developers, managers from both private and public sector