
The CyberWire Daily Briefing 11.13.15
Ransomware and distributed denial-of-service (DDoS) campaigns continue to dominate the news at week's end. The Magnitude exploit kit has been spotted delivering CryptoWall in a malvertising campaign. And, in the black market, ransomware purveyors offer their services (under the CryptoLocker brand) in exchange for ten percent of any ransom paid.
High-end Australian email provider FastMail sustains a DDoS attack similar to the ones that recently crippled Runbox, Zoho, Hushmail and ProtonMail. FastMail takes pains to say that it has no intention of paying ransom to get out from under the attack. Security blogger Graham Cluley sustains his own DDoS incident, noting that it occurred even as he was speaking about the Armada Collective and other DDoS hoods. He says the attackers used UPnP reflection, DNS reflection, and TCP SYN flooding, but have issued no ransom demands. As of this writing his site appears still under attack.
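The three vectors Cluley names (UPnP/SSDP reflection, DNS reflection and TCP SYN flooding) leave distinct fingerprints at the victim, and a responder's first job is to tell them apart because the mitigations differ. The following is an added example, not code from the CyberWire or from Cluley's post: a Python triage pass over a constructed packet capture. The victim address, the packet record format, the sample traffic and the half-open threshold are all assumptions made for illustration.

```python
"""Triage of the three DDoS vectors named above (added example, not from
the CyberWire or Graham Cluley). All addresses, ports, packet records and
thresholds below are constructed for illustration."""

from collections import defaultdict

VICTIM = "203.0.113.10"   # assumed address of the attacked web server
# Well-known reflector source ports. The attacker spoofs the victim's address
# on requests, so the victim sees unsolicited *responses* from these ports.
REFLECTOR_PORTS = {53: "dns_reflection", 1900: "upnp_ssdp_reflection"}


def triage(packets, victim=VICTIM, syn_threshold=5):
    """Sort packets seen at the victim into attack vectors.

    Each packet is a dict: src, sport, dst, dport, proto ('udp'/'tcp'),
    flags (tcp only: 'S', 'A', ...), length (bytes).
    Returns vector -> {packets, bytes, sources}; only vectors that fire are
    present. tcp_syn_flood fires when at least syn_threshold distinct sources
    have sent SYNs that were never followed by an ACK from that source.
    """
    expected = set()                       # (server, port) the victim queried
    half_open = {}                         # src -> [syn_count, syn_bytes]
    hits = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})

    for p in packets:
        if p["proto"] == "udp":
            if p["src"] == victim:
                expected.add((p["dst"], p["dport"]))
                continue
            if p["dst"] != victim or p["sport"] not in REFLECTOR_PORTS:
                continue
            if (p["src"], p["sport"]) in expected:
                continue                   # genuine answer to our own query
            # Unsolicited response from a resolver or SSDP device: reflection.
            v = REFLECTOR_PORTS[p["sport"]]
            hits[v]["packets"] += 1
            hits[v]["bytes"] += p["length"]
            hits[v]["sources"].add(p["src"])
        elif p["proto"] == "tcp" and p["dst"] == victim:
            if p["flags"] == "S":
                entry = half_open.setdefault(p["src"], [0, 0])
                entry[0] += 1
                entry[1] += p["length"]
            elif "A" in p["flags"] and p["src"] in half_open:
                del half_open[p["src"]]    # handshake completed: real client

    if len(half_open) >= syn_threshold:
        hits["tcp_syn_flood"] = {
            "packets": sum(c for c, _ in half_open.values()),
            "bytes": sum(b for _, b in half_open.values()),
            "sources": set(half_open),
        }
    return {k: {"packets": s["packets"], "bytes": s["bytes"],
                "sources": len(s["sources"])} for k, s in hits.items()}


def sample_packets():
    """Constructed capture: one legitimate DNS lookup, three reflectors each
    on ports 53 and 1900, six spoofed SYN-only sources and one real client."""
    pk = []
    # legitimate lookup: victim asks 198.51.100.1 and receives the answer
    pk.append(dict(src=VICTIM, sport=40000, dst="198.51.100.1", dport=53,
                   proto="udp", flags="", length=60))
    pk.append(dict(src="198.51.100.1", sport=53, dst=VICTIM, dport=40000,
                   proto="udp", flags="", length=120))
    # DNS reflection: large responses from resolvers the victim never queried
    for i in range(3):
        pk.append(dict(src=f"198.51.100.{10 + i}", sport=53, dst=VICTIM,
                       dport=80, proto="udp", flags="", length=3000))
    # SSDP reflection: responses from port 1900 on exposed UPnP devices
    for i in range(3):
        pk.append(dict(src=f"192.0.2.{20 + i}", sport=1900, dst=VICTIM,
                       dport=80, proto="udp", flags="", length=320))
    # SYN flood: six sources send a SYN and never complete the handshake
    for i in range(6):
        pk.append(dict(src=f"192.0.2.{100 + i}", sport=5000 + i, dst=VICTIM,
                       dport=80, proto="tcp", flags="S", length=60))
    # one real client: SYN followed by ACK from the same source
    pk.append(dict(src="192.0.2.200", sport=6000, dst=VICTIM, dport=80,
                   proto="tcp", flags="S", length=60))
    pk.append(dict(src="192.0.2.200", sport=6000, dst=VICTIM, dport=80,
                   proto="tcp", flags="A", length=52))
    return pk


if __name__ == "__main__":
    for vector, stats in triage(sample_packets()).items():
        print(f"{vector:22s} packets={stats['packets']:3d} "
              f"bytes={stats['bytes']:5d} sources={stats['sources']}")
```

The point of separating the vectors is that the victim can only observe reflection traffic, not stop it: the responses come from legitimate resolvers and UPnP devices, so relief has to come upstream (provider filtering, scrubbing, and source-address validation at the networks that let the spoofed requests out). SYN floods, by contrast, can be absorbed locally with SYN cookies or a stateful edge, which is why a triage pass like this one is worth running before deciding whom to call.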
Point-of-sale malware remains a problem even as we reach the second anniversary of the Target breach that brought the issue to prominence. Trustwave describes "Cherry Picker," which has been infesting targets since 2011 (and cleaning up after itself). Proofpoint discovers a newer strain, "Abbadon," which researchers noticed downloading in the course of a Vawtrak banking Trojan infection.
Several interesting proofs-of-concept are out, including the use of barcodes as a malware vector.
Microsoft fixes the patch that caused Outlook problems.
Investors take a new look at the cyber sector, informed by Tenable funding and Cisco results. Microsoft's German cloud servers will be secured by G-Data.
Notes.
Today's issue includes events affecting Australia, Canada, China, European Union, Germany, Iran, Democratic People's Republic of Korea, Russia, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
More Ransomware Being Spread Via Malvertising (Dark Reading) Magnitude exploit kit has popped up in new malvertising campaign and dropping CryptoWall
New Ransomware business cashing in on CryptoLocker's name (CSO) Program takes a 10 percent cut of the ransom payment
FastMail the latest victim of a sustained DDoS offensive (We Live Security) FastMail has been subjected to a number of distributed denial of service (DDoS) attacks, the premium email provider has revealed
I wrote about DDoS attacks, and my website got DDoS attacked (Graham Cluley) I would like to apologise to readers who may have found that their regular grahamcluley.com fix has been disrupted since last Sunday, after my site suffered a significant distributed denial-of-service (DDoS) attack
Cherry Picker POS Malware Has Remained Hidden For Four Years (Dark Reading) Sophisticated obfuscation techniques have allowed malware to evade AV systems and security vendors for a long time, says Trustwave
Researchers Discover Two New Strains of POS Malware (Threatpost) Point of sale malware has gotten more sophisticated as we inch closer to the two-year anniversary of the Target data breach. Now, two weeks from the biggest shopping day of the year, two new and different strains of point of sale malware have come to light, including one that's gone largely undetected for the past five years
Hacker claims Comcast breach linked to unpatched Zimbra vulnerability noted by NullCrew (Office of Inadequate Security) There's a new claim in the Comcast breach first reported by Steve Ragan. Darren Pauli reports that a hacker claiming responsibility for the breach notes that it was NullCrew's hack and taunting of Comcast in 2014 that set the stage for the theft of hundreds of thousands of users' information
TalkTalk hired BAE Systems' infosec bods before THAT hack (Register) Plus: Police told us not to answer questions, says telco
Instagram password stealer app yanked from App Store and Google Play (Naked Security) Here's a question: Would you install a mobile app that offered smartphone access to a popular online service?
Apps Permissions in the Google Play Store (Pew Research Center) Analysis of over 1 million apps in Google's Android operating system in 2014 shows apps can seek 235 different kinds of permissions from smartphone users. The average app asks for five permissions
Healthcare Apps, WordPress Most Popular Web Attack Targets (Dark Reading) No application escaped without a Shellshock attack in 2015, either, report finds
Spam and phishing in Q3 2015 (Securelist) Spam: features of the quarter. Online dating. The dating theme is typical for spam emails, but in the third quarter of 2015 we couldn't help but notice the sheer variety appearing in these types of mailings
Webcam Hacking: Recent Uptick in IP Camera Trolling Highlights Potential Risks of IP Devices (Cyveillance) A new doll from Mattel, the "Hello Barbie," available in December, demonstrates just how ubiquitous Internet-connected webcams and microphones are becoming
The cyber elephant in the room (Security Systems News) I've spent several days recently with two major camera companies, Hikvision and Axis Communications
Tool Controls Botnet With Twitter Direct Messages (Dark Reading) 'Twittor' exploits the expanded capacity of Twitter DMs to replace traditional botnet command-and-control server infrastructure
Snooping Samsung S6 calls with bogus base stations (Security Affairs) A duo of security researchers, Daniel Komaromy of San Francisco and Nico Golde of Berlin, demonstrated how to intercept calls using bogus base stations
One Bad Barcode Spoils Whole Bunch (Threatpost) Barcodes' pervasiveness in retail, health care and other service industries notwithstanding, hackers really haven't paid much attention to these tiny lines of data
Efficient multivariate statistical techniques for extracting secrets from electronic devices (Computer Lab, University of Cambridge) In 2002, Suresh Chari, Rao Josyula and Pankaj Rohatgi presented a very powerful method, known as the 'Template Attack', to infer secret values processed by a microcontroller, by analysing its power-supply current, generally known as its 'side-channel leakage'… In this thesis, I describe efficient implementations of this template attack, that can push its limits further, by using efficient multivariate statistical analysis techniques
Security Patches, Mitigations, and Software Updates
Microsoft surreptitiously reissues botched patch KB 3097877 for Windows 7 (InfoWorld) The new, fixed patch has the same KB number as the old, bad patch that crashed Outlook and busted network logon
Adobe Flash Bug Discovery Leads To New Attack Mitigation Method (Dark Reading) Prototype aims to prevent exploits that employ 'use after free' bugs in Windows, Linux, OS X software
Exploit Writing and Mitigation Going Hand in Hand (Threatpost) More and more white hats who practice offensive security and exploit writing are simultaneously talking about exploit mitigation
Security Audit: Scrapyd (SPECT Research) In this post I'll write about the vulnerabilities discovered in scrapyd, the scrapy daemon. It's a full review of security issues and measures to take in order to run scrapyd safely
LinkedIn algorithms will know how many spammy email notifications you want (Naked Security) If you've been getting more email notifications from LinkedIn than you'd like, there's some good news from the social network: you're going to see a lot less of them
Cyber Trends
Slush Helsinki: IoT security on the rise, physical security becoming more prevalent (SC Magazine) As this year's Slush conference opens, securing The Internet of Things has become a hot topic with many of the exhibiting companies tackling the issue head on
There is No Such Thing as the Internet of Things — at Least Not Yet! (Legaltech News) The invention of thousands of individual smart products does not equate to the development of a unified Internet of Things, one that allows for the interoperation of all of these Wi-Fi connected objects
The Lingering Mess from Default Insecurity (KrebsOnSecurity) The Internet of Things is fast turning into the Internet-of-Things-We-Can't-Afford
McAfee forecasts growing cyber threats for the next five years (Fedscoop) For hackers, a more pervasive Internet means more targets and a larger attack surface, the company warns
Are connected medical devices a disaster waiting to happen? (MedCityNews) Remember in late July when the Food and Drug Administration issued an advisory warning of security flaws in Hospira's Symbiq smart infusion pumps?
It Only Takes One Hour to Detect APTs on Network, Apparently (InformationSecurityBuzz) Survey reveals unmanaged credentials are the biggest security issue for organisations and IT professionals are unrealistic about time it takes to identify threats
Cybercriminals turn to automation to profit from Web app attacks (FierceITSecurity) Cybercriminals are increasingly using automation to ramp up the magnitude and velocity of attacks intended to compromise Web applications and steal sensitive data, according to security firm Imperva's annual Web Application Attack Report released on Thursday
Videology and White Ops Report Shows That Blocking Bots on Video Ads Can Increase Brand Engagement by 22% (Sys-Con Media) Videology, a leading software provider for converged TV and video advertising, and White Ops, the leader in online fraud detection for digital advertising, today released the findings from a new whitepaper entitled "Eradicating Bot Fraud: The Path to Zero-Tolerance." This joint report is designed to help advertisers better understand the issue of ad fraud in video advertising and the viable options available to fight back against this $7 billion problem
Federal Government Most Prone To Repeat Breaches (Dark Reading) It isn't just the White House that gets compromised more than once. Also, in a shifting trend, malicious insider attacks don't cut quite as deep as outsiders' do, report finds
Australia vulnerable to a cyber-attack disaster (Sydney Morning Herald) Australian government agencies and organisations are increasingly vulnerable to a major cyber attack yet security has not evolved in more than 20 years, according to an international cybercrime expert
Marketplace
CFOs Reveal Their Top Issues for 2016 (CFO) What will CFOs be spending their time on next year? Preserving margins and sustaining or improving earnings performance top the list, says Protiviti
UK firms look to threat intelligence to focus security efforts (ComputerWeekly) Performance, skills and costs remain biggest hurdles to true data-driven security, reveals an IDC study
Thoughts on Cisco's Results; Implications for Rest of Tech Space — Choppy Environment Remains into 2016 (FBRFlash) Last night Cisco delivered headline results which beat the Street, but all eyes for investors this morning will be around the company's softer outlook and macro comments
Despite Record $250 Million Tenable Investment There Is 'No Cybersecurity Bubble' (Forbes) Venture capitalists have declared there is no cybersecurity bubble despite some epic investments in industry start-ups this year, peaking with a huge $250 million round raised by Tenable. It's believed to be a record round for a cybersecurity firm
Columbia cyber firm VOR Technology to grow staff more than 200 percent (Baltimore Business Journal) Columbia cybersecurity firm VOR Technology LLC plans to grow its workforce by more than 220 percent after landing multiple contracts from the U.S. Department of Defense
Israel's Cymmetria, Which Deceives Hackers, Raises $9 Million (Wall Street Journal) Cymmetria Inc., an Israeli start-up whose software lures hackers into cyber traps within organizations' networks has raised around $9 million, the latest sign that investors are flocking to one of cyber-security's hottest trends: deceiving hackers and catching them red handed
Hill-Based OPSWAT Provides Cybersecurity (Potrero View) In our interconnected and device-laden world, cybersecurity has become a hot topic, especially after recent data breaches at the Sony and Target corporations
Cybersecurity firm offers 'premium' cash rewards to hackers who can break Tor (Daily Dot Politics) A big pay day is coming to the hacker who can break the Tor anonymity network and reveal the identity of users around the world
How CloudLock Became the Nation's Fastest-Growing Cybersecurity Startup (BostInno) The Waltham firm is entirely focused on securing cloud applications
Why Microsoft Corporation Bought Secure Islands (Motley Fool) The software titan has purchased its third Israeli security firm within a year
G DATA is launch partner of the German Microsoft Cloud (FinanzNachrichten) According to Bitkom, 83 percent of German companies expect the data center they use to be located in Germany and subject to German law
Products, Services, and Solutions
Five Cloud-based Vulnerability Management Solutions for Enterprise (Information Security Buzz) Cloud-based vulnerability management solutions have the advantage of being up and running quickly and are often more cost effective than in-house solutions
GasPot Integrated Into Conpot, Contributing to Open Source ICS Research (TrendLabs Security Intelligence Blog) In August of this year, we presented at Blackhat our paper titled The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems
Utility Takes a Holistic Approach to Security (Baseline) The Lower Colorado River Authority deploys a cloud-based security solution that identifies more forms of malware and addresses zero-day threats more effectively
Technologies, Techniques, and Standards
Cyber security vital to insurers as 'treasure chests' of personal data (Business Insurance) Cyber security is "arguably the single most important issue" facing the insurance industry, according the chair of the National Association of Insurance Commissioners' Cybersecurity Task Force
Federal CFO: Using Military Strategy to Improve Response and Resilience to Cyber Incidents (Wall Street Journal) At a recent cyber wargame simulation, executives from diverse corporate functions worked through a major cybersecurity breach at a fictitious company
US and UK test financial sector response to cyber attack (Reuters via CNBC) Britain and the United States carried out a planned drill with leading global firms on Thursday to see how they would respond to a cyber incident in the financial sector
Pentagon purges HTML from .mil emails (FCW) The Pentagon is tightening the screws on its campaign to improve email security
The dark side of layered security (CSO) Sometimes, layered security can have unintended consequences and even make a company less secure than before
Google Reconnaissance, Sprinter-style (Internet Storm Center) When doing security assessments or penetration tests, there's a significant amount of findings that you can get from search engines
Using Privacy to Enhance Security (Infosec Daily News) Two concepts that have been a source of debate since the emergence of the Internet are privacy and security
'We take your security seriously' (Engadget) Anyone who has even the slightest amount of contact with the internet is familiar with the scenario: An email or actual piece of mail arrives from a company who apparently handles some part of your connected life
Security 101 for CEOs (Tripwire: the State of Security) There are important security lessons for CEOs following the embarrassing revelation that a teenager hacked into the personal email accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson. This isn't the first nor will it be the last time that people hack into accounts using a variety of techniques; it illustrates the lengths to which amateurs and bad actors will go
When you realize security isn't a sprint (CSO) A different way to think about security than quick sprints and finish lines
Design and Innovation
Solving Security: If You Want Something New, Stop Doing Something Old (Dark Reading) Black Hat Europe keynoter Haroon Meer tells security pros to work smarter, think out of the box, and speak out to the C-suite
Keeping Data Secure: A Happy Marriage of Hardware & Software (Infosec Island) We've all heard the stories about being hacked — and perhaps even experienced this ourselves — whether by rogue individuals or organized criminal organizations
Academia
UMD Honors Students Participate in Parsons-Hosted Cyber Contest (GovConExecutive) Parsons has led a cyber contest for University of Maryland students in an effort to improve the cybersecurity skills of the future workforce
Jacksonville State expanding its cybersecurity focus (Jacksonville News) Jacksonville State is delving deeper into cybersecurity
Hacking Contests Drive Millennials to Cybersecurity (IBM Security Intelligence) It's no secret that the cybersecurity talent shortage is one of the biggest challenges facing our industry, with experts predicting 1.5 million open and unfilled global security positions over the next five years
Legislation, Policy, and Regulation
EU wants to mandate US firms disclose intelligence requests (The Hill) European negotiators want a new U.S.-EU data transfer pact to require U.S. businesses to report intelligence agency requests for information on European citizens, according to EU Justice Commissioner Vera Jourova
China, US Discuss Law Enforcement Cooperation on Cybercrimes (Diplomat) A U.S. delegation is in Beijing to follow up on a cybersecurity agreement made during Xi Jinping's visit
Cyber 'War Games' Against China, Iran and North Korea Set for 2016 (Nextgov) It's 2020 and Russian forces are seizing the Arctic, partly by hacking the FedEx networks that handle shipping orders for U.S. troops
DISA Director Forecasts Future Cybersecurity Safeguards (SIGNAL) Lt. Gen. Alan Lynn, USA, calls on industry to help the Defense Department safeguard its networks
Why governments need to take the lead in cybersecurity (Help Net Security) Time and time again we hear people lament about the impact cybercrime has on our businesses, our individual lives, the economy, and on society
A journalist at the forefront of combating terrorism (Poynter) Rick Stengel used to assign stories on terrorism and U.S. foreign policy. Now he helps to combat one and shape the other
Ben Carson on Cybersecurity. Not. (CSO) A call out to Ben Carson from the cybersecurity community
Litigation, Investigation, and Law Enforcement
What lies behind the JPMorgan Chase cyber-attack (Economist) The criminal economy is developing faster than the lawful one can defend itself
JP Morgan Breach Only One Piece Of Vast Criminal Enterprise, Indictments Reveal (Dark Reading) Three men at the head of 'diversified criminal conglomerate' used hacking to commit and enhance their securities fraud, illegal online gambling, illegal Bitcoin exchange, and illegal payment processing businesses, 23-count indictment alleges
AI Could Tell When Your Dark Web Drug Dealer Is About to Scam You (Motherboard) The dark web, despite all the attention police have been giving it lately, is still the wild west of the internet
AI could alert Dark Web buyers to drug dealer scams (Naked Security) Two weeks of trudging out to an empty mailbox
Tor Project says FBI paid Carnegie Mellon $1m to unveil Tor users (Naked Security) In November 2014, a far-flung, multi-nation bust, dubbed Operation Onymous, snared 410+ supposedly hidden services running 27 markets, including Silk Road 2.0, stripping away the concealing layers of the Tor anonymizing service to lay identities bare
Database of 70 million prisoner phone calls breached, leaked (Help Net Security) A vast collection containing metadata of over 70 million records of phone calls placed by prisoners to at least 37 US states and links to actual recordings for each call has been leaked to reporters of The Intercept by an anonymous hacker
Oz railway lets newspaper photograph train keys (Register) Your opsec slip is showing, Metro Rail
Ohio man arrested for soliciting the murder of U.S. military members (Military Times) An Akron man was arrested today on federal charges that he solicited the murder of members of the U.S. military
Jail for British DDoS attacker, who said too much on Twitter (We Live Security) He isn't the first and he certainly won't be the last
Anonymous Exposes Identity of Alleged Halifax Rapist, Police Reopen the Case (Hack Read) Halifax police forced to re-open investigation in a sexual assault case after Anonymous exposes the identity of the alleged culprit
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
cybergamut Tech Tuesday: The Threat Landscape and the Path Forward: Fundamentals of a Risk-Aware Organization (Elkridge, Maryland, USA, Jan 5, 2016) John McLaughlin of IBM Security provides a quantitative analysis of the attacks seen by IBM and the thousands of IBM customers in the preceding year. Specific attention will be paid to the protocols engaged, attack patterns, and trends seen in these attacks. In addition, these attacks are characterized by targets, time, and degree of success. Following the quantitative reporting, the remainder of the presentation focuses on an actionable plan for securing the enterprise. Simply describing the problem is no longer sufficient. This plan consists of a multi-step roadmap, a product independent approach to securing the enterprise against the previously described attack vectors
cybergamut Tech Tuesday: Neuro Cyber Analytics: Understanding the Patterns of Human Cognition in the Cyber Domain (Elkridge, Maryland, Middletown, Feb 23, 2016) This presentation will discuss Neuro Cyber Analytics. Humans use context-specific neurocognitive patterns for receiving and processing internal and external sensory information. Stated differently, people interact with the world around them primarily by seeing, hearing, and feeling, and make decisions about what to do next depending upon the context of what is happening in their environment. People often do not realize that their decision making process triggers certain unconscious behaviors that can be read as indicators of how their thoughts were formulated and sequenced
Upcoming Events
Black Hat Europe (Amsterdam, the Netherlands, Nov 10 - 13, 2015) Black Hat prides itself on being "the most technical and relevant global information security event series in the world." For the past 16 years, the Black Hat events have given their attendees the opportunity to explore the latest research and developments in information security, while also taking into account the concrete needs of the participants
Pen Test Hackfest Summit & Training (Alexandria, Virginia, USA, Nov 16 - 23, 2015) SANS Pen Test Hackfest Training Event and Summit is coming back to Washington DC, bigger and better than ever! The Hackfest is an ideal way to learn offensive techniques so you can better defend your environment. Whether you are a penetration tester, a forensics specialist, or defender, the techniques covered at the Hackfest represent the latest and most powerful attacks every organization needs to thwart
cybergamut Technical Tuesday: Hackproof Signal Processing for Wireless Communications (Central Maryland, USA, Nov 17, 2015) Conventional computing and communications expose myriad attack surfaces because of the Turing-equivalence of the instruction set architectures and the mathematical impossibility of forming a complete set of monitor functions to protect the contents of the registers from insightfully designed malware such as what NIST terms Advanced Persistent Threats. This talk describes how to throw out the general purpose computers via dataflow computing on FPGAs. Contact the conference organizers for instructions on how to attend
Cybersecurity, the SEC and Compliance (New York, New York, USA, Nov 18, 2015) The recent SEC CyberSecurity Examination Initiative focuses on information safeguards for financial services organizations. Are you prepared? Please join us for a panel discussion on what cybersecurity means to your business and how the new SEC requirements affect your firm. The panel consists of professionals from the Cyber Security, Legal, Insurance and IT systems management industries. (RSVP as seating will be limited)
CyberCon 2015 (Pentagon City, Virginia, USA, Nov 18, 2015) CyberCon 2015 is the forum for dialogue on strategy and innovation to secure federal and defense networks, as well as private sector networks that hold their sensitive data
Internet-of-Things World Forum 2015 (London, England, UK, Nov 18 - 19, 2015) This conference features speakers from leading IoT companies and their customers. Learn how the Internet-of-Things is creating new markets for products, services, and solutions
2015 U.S. Cyber Crime Conference (National Harbor, Maryland, USA, Nov 14, 2015) The 2015 U.S. Cyber Crime Conference (Formerly the DoD Cyber Crime Conference) has brought world-class forensics and incident response training combined with outstanding community networking for over 15 years. The conference covers the full spectrum of topics facing defenders as well as law enforcement responders
CyberPoint 2nd Annual Women in Cyber Security Reception (Baltimore, Maryland, USA, Nov 19, 2015) CyberPoint International announces its 2nd Annual Women in Cyber Security Reception to be held on November 19, 2015. Bringing together women from across the region and all different points on the career spectrum, this event is a great opportunity to get together and share what we are all passionate about — empowering women to succeed in the cyber security field
DefCamp6 (Bucharest, Romania, Nov 19 - 20, 2015) Why DefCamp? Because it's the most important conference on Hacking & Information Security in Central Eastern Europe, bringing hands-on talks about the latest research and practices from the INFOSEC field, gathering under the same roof security specialists, entrepreneurs and developers, managers from both private and public sector