The CyberWire Daily Briefing 11.18.15

Cyber Attacks, Threats, and Vulnerabilities

Anonymous just might make all the difference in attacking ISIS (Computerworld via CSO) The hacking group's activities have always seemed dubious, but in this case, success will be quite welcome

Anonymous Declares Cyber War on ISIS. Why It Matters (Fortune) When it comes to cyber war, Anonymous is good at what it does

How Islamic State Teaches Tech Savvy to Evade Detection (Wall Street Journal) Paris attacks raise possibility that extremists have found ways around western surveillance

A Belgian Father Works To Prevent Kids From Joining The Jihad (NPR) The Paris attacks have brought new attention to Dimitri Bontinck, a member of Belgium's Dutch-speaking majority

An ISIS Militant From Belgium Whose Own Family Wanted Him Dead (New York Times) When the family of Abdelhamid Abaaoud received word from Syria last fall that he had been killed fighting for the Islamic State, it rejoiced at what it took to be excellent news about a wayward son it had come to despise

Turkey soccer fans boo moment of silence for Paris attacks (SFGate) Before today's Greece vs. Turkey friendly match in Istanbul both teams shared a moment of silence to honor the victims of the Paris attacks

Attackers Exploit vBulletin Flaw to Hack Servers (SecurityWeek) Malicious actors have been targeting servers running vulnerable installations of the vBulletin forum software via a security hole patched by the developer earlier this month, Symantec warned on Monday

Security Alert: New Dyreza variant supports Windows 10 & Edge (Heimdal) Cyber criminals are very good at keeping up with the times. Here's the proof

Police body cameras pre-infected with Conficker malware (SC Magazine) Lax cyber-security protocols in Chinese factories identified by one commentator as possible source of infection which could impact many other IoT devices

Windows BitLocker Full Disk Encryption Can Be Bypassed (Softpedia) A study conducted by Synopsys security researcher Ian Haken shows that Microsoft's BitLocker disk encryption system used to secure data on computers running Windows can be bypassed using a simple trick

FortiGuard Labs Discloses Another WordPress WooCommerce Plug-in Cross-Site Scripting Vulnerability (Fortinet) WooCommerce is an open source e-commerce plugin for WordPress. It is designed for small to large-sized online merchants using WordPress. According to WooCommerce, the plugin now powers over 30% of all online stores running WordPress with over one million downloads

Android Gmail bug lets you spoof your email address (Naked Security) Security researcher Yan Zhu is reporting a flaw in Gmail's Android app that lets a sender pretend to have someone else's email address

Risk Of Deadly IS Hack Attack 'Is Real' (Sky News) One academic says rogue staff could be used to compromise the control systems of gas plants and air traffic control systems

The Internet of Things Is Making Oil Production Vulnerable to Hacking (Motherboard) The world's oil and gas industry is caught in a slump, with oil prices going up and down and profits in decline

Data center fire kills Internet in Azerbaijan (Data Center Dynamics) About 90 percent of the country's networks went down on Monday

Young, impulsive, IT savvy — greater cybersecurity risk (Phys.org) Researchers from the University of Adelaide say Australian businesses should start to think outside the square when it comes to preventing cybersecurity threats in the workplace — such as profiling their staff's computer behaviour

Security Patches, Mitigations, and Software Updates

Adobe Releases Security Updates for ColdFusion, LiveCycle Data Services, and Adobe Premiere Clip (US-CERT) Adobe has released security updates to address multiple vulnerabilities in ColdFusion, LiveCycle Data Services, and Adobe Premiere Clip. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system

Docker Tightens Security Over Container Vulnerabilities (InformationWeek) Docker unveils three ways to make containers more secure, especially when code is changed during its update cycle

dnscat2: now with crypto! (Skull Security) Hey everybody, live from the SANS Pentest Summit, I'm excited to announce the latest beta release of dnscat2: 0.04! Besides some minor cleanups and UI improvements, there is one serious improvement: all dnscat2 sessions are now encrypted by default!

Cyber Trends

2016 Global Cybersecurity Assurance Report Card (Tenable Network Security) Tenable Network Security's inaugural Global Cybersecurity Assurance Report Card measures how enterprise IT security professionals view their organization's ability to assess cybersecurity risks and to mitigate threats that can exploit those risks

Data Breach Prevention Series: Weaponized Documents are Dominant Malware Delivery Vector (Invincea) Welcome to the October edition of Invincea's advanced threat report series, in which we reveal the key threat trends encountered and stopped in the wild by Invincea

2015 Cyberthreat Defense Report (CyberEdge Group) CyberEdge Group's second annual Cyberthreat Defense Report provides a penetrating look at how IT security professionals perceive cyberthreats and plan to defend against them

Exploit kit activity up 75 percent in third quarter 2015 (CSO) In a sign of the increasing professionalization of the space, exploit kit activity increased 75 percent in the third quarter of this year compared to the same period last year, based on DNS activity, according to the latest edition of the Infoblox DNS Threat Index

Extortion is the future of cyber crime (V3) Extorting money from unwitting internet users through sophisticated social engineering and targeted ransomware is the future of cyber crime, according to Sean Sullivan, a lead researcher at security firm F-Secure

The Fraud Report: How Fake Users Are Impacting Business (Telesign) 82% of companies struggle with fake users yet 43% admit allowing them in to reduce registration friction

Many enterprises still come up short on mobile security, study finds (FierceITSecurity) More than 20 percent of companies do not lock out mobile users based on number of access attempts and more than 70 percent of companies do not require two-factor authentication for mobile devices, according to a survey of 447 IT decision-makers across industries by Champion Solutions Group for cloud-based document sharing service MessageOps

Cross-device tracking via imperceptible audio beacons threatens user privacy (Help Net Security) As consumers use multiple devices through the day, and tracking cookies become increasingly less effective, the advertising industry is looking for new ways to track users' online behavior

Unsafe password policies leave shoppers vulnerable (Help Net Security) Dashlane examined password security policies on 25 of the most popular online retailers

Utica College's Center for Identity Management and Information Protection Releases Report: "The New Face of Identity Theft" (PRNewswire) Study finds offenders generally older, acting in groups, targeting strangers

Security and the Need for Speed (InfoRiskToday) Deloitte's Viswanathan: Security must adapt to changing environment

Changing the Economics of Cybersecurity (SecurityWeek) It's almost a cliche to talk about how often breaches occur—in 2015 alone, we've seen high-profile breaches from everyone from Anthem, the popular work collaboration tool Slack, and even the federal government thanks to the recent US Office of Personnel Management attack

Security issues cause some to be named top tech turkeys of 2015 (CSO) Just in time for Thanksgiving, here's our annual rundown of the tech industry's "turkeys" for the year

Meet Passcode's Influencers (Christian Science Monitor Passcode) Big thinkers vote on the most critical issues in security and privacy

Marketplace

Can Cyber Literacy Create a Competitive Advantage? (Tripwire: the State of Security) IT security has gone from being a backroom IT issue to an executive boardroom topic of discussion

DHS issues first 2 cyber solicitations under 5-year BAA (FierceGovernmentIT) The Homeland Security Department last week issued the first two contract solicitations under a five-year broad agency announcement for cybersecurity tools and services the department launched last year

Reuters: Banks pull financing for Carlyle's $8B purchase of Symantec's Vertitas (Seeking Alpha) Reuters reports banks have withdrawn financing for the $8B sale (announced in August) of Symantec's (SYMC -0.2%) Veritas storage software unit to Carlyle (CG +0.1%). The sale has been expected to close by Jan. 1

FireEye: Promising Long-Term Prospects Despite Near-Term Headwinds (Seeking Alpha) FireEye's recent underperformance is an indicator of the growing competitiveness in the cybersecurity industry

Microsoft's Nadella adds security-first to his mobile-first, cloud-first vision (FierceITSecurity) Looks like you can add security-first to the mobile-first, cloud-first strategy that Microsoft CEO Satya Nadella is pursuing

GSN announces Winners and Finalists In 2015 Homeland Security Awards (GSN) Government Security News is pleased to announce the Winners and Finalists in its seventh annual Homeland Security Awards

Baltimore Artists Anna and Caroline Zellhofer, Selected to Create New Work for Annual Women in Cyber Security Reception (PRNewswire) CyberPoint International announced today that Baltimore artists Anna and Caroline Zellhofer were selected for a special commission to create a work of art for the 2nd Annual Women in Cyber Security reception

Cigital Achieves Record Growth for Seventh Consecutive Year (BusinessWire) Demand for application security testing services and solutions drives talent growth, international partnerships and worldwide momentum

PivotPoint Risk Analytics Appoints Christopher Washington as Vice President of Engineering and Expands with New Virginia Office (Nasdaq) Company hires former Senior Director of Engineering at RSA to innovate Cyber-Value-at-Risk

Products, Services, and Solutions

Bivio Networks Introduces Industry's Most Compact 10 Gbps Cyber Security Application Platform (CBS8) Bivio 6110 delivers unprecedented performance, consolidation and agility in minimal 1U rack space

Ziften Unveils New Modular Extension Platform for On-Demand Detection and Response (Yahoo! Finance) Ziften Open Visibility™ evolves to further endpoint controls

Gigamon Adds Context-Aware Visibility to Standard NetFlow Metadata Generation (PRNewswire) Newest release extends NetFlow/IPFIX metadata records, enabling stronger security

Google VirusTotal — now with autoanalysis of OS X malware (Naked Security) Back in April 2015, at the RSA conference, Google did a strange thing. The makers of Android as good as denied the existence Android malware by re-defining it into a category called PHAs, or Potentially Harmful Applications

Huntsman Security unveils machine-learning security system to reduce time enterprises are at risk (FierceITSecurity) Huntsman Security, a Sydney, Australia-based cybersecurity software provider, unveiled Monday a machine-learning-based automated threat verification system to reduce the time that enterprises are at risk from a breach

Microsoft announces new Cyber Defense Operations Center to bolster enterprise security credentials (Venture Beat) Microsoft has laid out plans to bolster enterprise security and help its customers "evolve their security" for what it calls the "mobile-first, cloud-first world"

Wynyard Group signs Telstra in AU$3.2m cybersecurity deal (ZDNet) New Zealand forensic analytics software company Wynyard Group has launched its Advanced Cyber Threat Analytics solution, signing Telstra as its first public customer in a AU$3.2 million, three-year deal

FDA approves, Medtronic launches the first remote monitoring pacemaker app (FierceMedicalDevices) Now it's official: Smart devices can do everything

Technologies, Techniques, and Standards

Point of Sale malware gaining momentum as holiday shopping season approaches (Help Net Security) Point of sale (POS) systems — what consumers often call the checkout system — are often the weak link in the chain and the choice of malware

Research and Development

Nigerian mathematician claims to have solved 156-year-old riddle (The Week) Dr Opeyemi Enoch could win $1m if his solution to the Riemann Hypothesis is proved to be correct

Galois Subsidiary, Partners Work on IoT-Enabled Smart Home, Transit Systems Under NIST Grant (ExecutiveBiz) Galois has received a $1.86 million grant from the National Institute of Standards and Technology's National Strategy for Trusted Identities in Cyberspace to provide a data storage system with privacy and Internet of Things functions

Legislation, Policy, and Regulation

Fighting talk from Great Britain as it says it will hit back against internet attacks (We Live Security) In speeches yesterday, UK chancellor George Osborne didn't just announce that the British government would be investing £1.9 billion to enhance its cybersecurity capabilities.

Chancellor's speech to GCHQ on cyber security (HM Treasury) Chancellor lays out new plan for £1.9 billion cyber investment, and details seven more departments that have settled ahead of the Spending Review

Paris Attacks Fuel Debate Over Spying (Wall Street Journal) Growing belief that terrorists behind assaults used encrypted communications prompts re-examination of U.S. policy on surveillance

Paris Attacks Reignite Encryption Debate (BankInfoSecurity) Would backdoor access have helped law enforcement foil ISIS assault?

Restricting Encryption Would Not Have Prevented the Paris Attacks (DefenseOne) Despite what intelligence officials say, limiting information security would do little to thwart terrorism

After Paris attacks, lawmakers seek greater access to encrypted data (Christian Science Monitor Passcode) However, some senators want to avoid a 'knee-jerk' response to give law enforcement and intelligence agencies a power they say could harm all consumers' security and privacy

In wake of Paris attacks, legislation aims to extend NSA program (IDG via CSO) The proposed bill would extend bulk collection of phone metadata to January 2017

After Paris Attacks, Beware Rush to Weaken Crypto (BankInfoSecurity) Rational debate required, says Europol adviser Brian Honan

Paris attacks demand 'wake-up call' on smartphone encryption (Computerworld via CSO) Expert sees the need for an update to U.S. wiretap law

Blaming Cryptography (and Snowden) Again (Center for Internet and Society) Less than 2 days after the Daesh attacks in Paris, technology was, predictably, named as an accomplice — if not an enabler — of terrorism, crime, and other nefarious outcomes

Ex-NSA chief: ISIS fight "under-resourced and over-regulated" (CBS This Morning) The fight against ISIS in Syria and Iraq is "under-resourced and over-regulated," former National Security Agency and CIA director Michael Hayden said, the latest veteran among the U.S. intelligence community to weigh in on the series of terror attacks in Beirut and Paris

Encryption and Cyber Security at the Center of a Battle between the Beltway and the Valley (FBRFlash) In light of the tragic events in Paris Friday night, November 13, and the terrorist investigation/manhunt since, there is starting to be renewed debate around encryption and "back door" government access to consumer/enterprise data

'Going dark,' cybersecurity among DOJ's most pressing challenges, says IG (FierceGovernmentIT) Enhancing cybersecurity at a time when threats are increasing in number and complexity is the second most pressing challenge facing the Justice Department, according to a Nov. 10 memo to the Justice Department's attorney general and deputy attorney general

Most Powerful Nations Ban Hacking for Commercial Gain (NBC News) China, Russia, the United States and other countries attending the G-20 conference in Turkey agreed on Monday to not engage in cyber espionage for commercial gain

Litigation, Investigation, and Law Enforcement

Appeals court lets NSA continue phone surveillance despite district judge’s ruling (Washington Times) The National Security Agency has been given the go-ahead to continue compiling the telephone records of a California-based law firm, despite a District Court judge's decision last week to ban the NSA from conducting further surveillance through its controversial metadata collection program

OPM, DHS, White House Declined to Brief House Armed Services Panel on Historic Hack (Nextgov) The Office of Personnel Management, Department of Homeland Security and White House backed out of a closed-door congressional briefing on the OPM hack at the eleventh hour, according to the head of the House Armed Services Committee

IG: New IRS data storage system needs better security controls (FierceGovernmentIT) Data security controls are lacking in a new Storage-as-a-Service approach at the Internal Revenue Service, a new report found

OIG: Education Department's IT is weak in 4 security areas (FierceGovernmentIT) The Education Department has made improvements in strengthening its information security; however, continuous monitoring, configuration management, incident response and reporting, and remote access management remain weak

Operating a music piracy site gets man three years in prison (Washington Post) The operator of a major music piracy site was sentenced to three years in prison Tuesday

Cyber thief who stole nude images for revenge porn king gets 2 years (Naked Security) $250 for nude images stolen from "6 guys and 6 girls": that's the kind of fee that Charles "Gary" Evens charged revenge porn king Hunter Moore

Ex-Knox County first lady accused of cyber attack on wife of multimillionaire boyfriend (Times Free Press) A judge today set a new status hearing after a woman accused in a cyberattack on her multimillionaire boyfriend's estranged wife did not appear in court

For a complete running list of events, please visit the Event Tracker.

Upcoming Events

Cybersecurity, the SEC and Compliance (New York, New York, USA, Nov 18, 2015) The recent SEC CyberSecurity Examination Initiative focuses on information safeguards for financial services organizations. Are you prepared? Please join us for a panel discussion on what cybersecurity means to your business and how the new SEC requirements affect your firm. The panel consists of professionals from the Cyber Security, Legal, Insurance and IT systems management industries. (RSVP as seating will be limited)

CyberCon 2015 (Pentagon City, Virginia, USA, Nov 18, 2015) CyberCon 2015 is the forum for dialogue on strategy and innovation to secure federal and defense networks, as well as private sector networks that hold their sensitive data

Internet-of-Things World Forum 2015 (London, England, UK, Nov 18 - 19, 2015) This conference features speakers from leading IoT companies and their customers. Learn how the Internet-of-Things is creating new markets for products, services, and solutions

2015 U.S. Cyber Crime Conference (National Harbor, Maryland, USA, Nov 14, 2015) The 2015 U.S. Cyber Crime Conference (Formerly the DoD Cyber Crime Conference) has brought world-class forensics and incident response training combined with outstanding community networking for over 15 years. The conference covers the full spectrum of topics facing defenders as well as law enforcement responders

CyberPoint 2nd Annual Women in Cyber Security Reception (Baltimore, Maryland, USA, Nov 19, 2015) CyberPoint International announces its 2nd Annual Women in Cyber Security Reception to be held on November 19, 2015. Bringing together women from across the region and all different points on the career spectrum, this event is a great opportunity to get together and share what we are all passionate about — empowering women to succeed in the cyber security field

Pen Test Hackfest Summit & Training (Alexandria, Virgina, USA, Nov 16 - 23, 2015) SANS Pen Test Hackfest Training Event and Summit is coming back to Washington DC, bigger and better than ever! The Hackfest is an ideal way to learn offensive techniques so you can better defend your environment. Whether you are a penetration tester, a forensics specialist, or defender, the techniques covered at the Hackfest represent the latest and most powerful attacks every organization needs to thwart

Energy Tech 2015 (Cleveland, Ohio, USA, Nov 30 - Dec 2, 2015) Now in its 5th year, EnergyTech 2015 seeks the convergence of the best minds in policy, systems engineering and applied technology to address some of the critical issues of our time. In addition to its strong systems and technology focus, this year's theme, "Securing Our Energy Future" will address broad policy issues and big picture topics related to Energy and Critical Infrastructure. Experts from Industry, Academia, and Government present a wide range of perspectives on these challenges

cybergamut Technical Tuesday: It's a Target Rich Environment: Understanding the IIoT Attack Surface (Elkridge, Maryland, USA, Dec 1, 2015) The Internet of Things (IoT) has received an incredible amount of press as of late. But, most of that has been associated with consumer electronics in the form of wearables and home monitoring devices like the Nest Thermostat. While those are worthwhile markets, the majority of the money will be involved with machine-to-machine communications in the Industrial Internet of Things (IIoT). What is the nature of the IIoT? How is it different from the consumer IoT? And, what makes it such a big target? In this session, Mike Anderson of The PTR Group will discuss the flow of data from the edge devices to the cloud and why the big industry players like Intel, IBM and others are so interested in this market

IoT Security Foundation Conference (London, England, UK, Dec 1, 2015) The is the first official conference of IoTSF. It follows on from the IoT Security Summit earlier in the year, maintaining the momentum of the theme. Delegates can expect a similar level of quality of talks as we move from illustrating problems to exploring solutions

Public Sector Cybersecurity Summit 2015 (Reston, Virginia, USA, Dec 1 - 2, 2015) The Raytheon|Websense 6th Annual Public Sector Cybersecurity Summit is a unique opportunity to learn about the state of cybersecurity and how to prepare for future threats from many thought provoking government and industry leaders across Defense, Intelligence, Federal, Civilian, State and Local Government, Industry and the broader Cybersecurity Community

Enterprise Security and Risk Management (London, England, UK, Dec 2, 2015) Whitehall Media's 4th ESRM conference will bring together hundreds of leading InfoSec, cyber security and risk management professionals to discuss the latest industry developments and identify the most pressing security risks of tomorrow. The event offers unrivalled networking opportunities and insights on how to design, implement and embed

Cargo Logistics America (San Diego, California, USA, Dec 2 - 3, 2015) Cargo Logistics America (CLA) connects freight owners with freight movers, fostering multimodal synergy between diverse stakeholders in import, export and domestic supply chains. This year's conference will have a heavy cyber security component

NG Security Summit US (Austin, Texas, USA, Dec 2 - 4, 2015) The NG Security Summit US will bring together 65 senior decision makers and business leaders from across the region. The event aims to solve key business challenges. In particular, the ability to network and learn from industry peers through essential business conversation. Working in partnership with our network of senior executives we identify the key industry themes. These form the foundation of our summit and permeate every layer of the content-rich program. These three core themes represent the business critical challenges driving your conversations at the summit: (1) Governance, Risk and Compliance, (2) Processes and Technology, and (3) Identity and Access Management

Cyber Security Opportunities for U.S. Firms in Japan, S. Korea, and Taiwan (Online, Dec 2, 2015) Listen to experts from Japan, S. Korea and Taiwan and learn how to position your company for success in these countries. Sponsored by the US Department of Commerce

Program on Cyber Security Studies (PCSS) (Garmisch-Partenkirchen, Germany, Dec 2 - 17, 2015) The Marshall Center has developed a comprehensive program to explore the increasing domestic, international and transnational challenges in cyber security. Our goal is to provide a comprehensive, policy-focused, non-technical cyber security program that emphasizes and teaches senior key leaders how to best make informed decisions on cyber policy, strategy and planning within the framework of whole-of-government cooperation and approaches

Cloud Security Alliance Summit Los Angeles 2015 (Los Angeles, California, USA, Dec 3, 2015) The full day Cloud Security Alliance LA Summit is a standalone event in the greater Los Angeles area. Hosted by the CSA LA/SoCal chapter, some 200 well-qualified attendees are expected. The theme is "Enterprise Lessons Learned in Cloud Security," with experts from entertainment and other key industries. Wendy Frank, Chief Security Officer and Leader Content Security Program at Motion Picture Association of America, will deliver the keynote address

2015 Cyber Security Exchange (Orlando, Florida, USA, Dec 6 - 8, 2015) This dynamic, three-day event will provide Cyber Security executives with valuable insights to reach their full potential by exploring security leadership strategies, heightened data privacy concerns, the ever-changing advanced threat landscape, efficient identity access management and more

Disrupt London 2015 (London, England, UK, Dec 7 - 8, 2015) TechCrunch Disrupt is one of the most anticipated technology conferences of the year. Join us at this iconic startup and thought leadership event in London on December 7 and 8. What happens at Disrupt? We start each day with panels and one-on-one discussions featuring TechCrunch writers and editors, special guest speakers, leading venture capitalists and fascinating entrepreneurs addressing the most important topics facing today's tech landscape. Each afternoon, we host the Startup Battlefield competition which culminates in six finalists taking the stage at the end of the event for a shot at winning the Disrupt Cup

Passwords 2015 (University of Cambridge, England, UK, Dec 7 - 9, 2015) More than half a billion user passwords have been compromised over the last five years, including breaches at internet companies such as Target, Adobe, Heartland, Forbes, LinkedIn, Yahoo, and LivingSocial. Yet passwords, PIN codes, and similar remain the most prevalent method of personal authentication. Clearly, we have a systemic problem. This conference gathers researchers, password crackers, and enthusiastic experts from around the globe, aiming to better understand the challenges surrounding the methods personal authentication and passwords, and how to adequately solve these problems. The Passwords conference series seek to provide a friendly environment for participants with plenty opportunity to communicate with the speakers before, during, and after their presentations

ACSAC (Annual Computer Security Applications Conference) (Los Angeles, California, USA, Dec 7 - 11, 2015) ACSAC is one of the most important cyber security conferences in the world, and the oldest information security conference held annually. Researchers, government representatives, academia and security professionals of all types gather at ACSAC to discuss the latest developments in the infosec industry. The core mission of this conference is investigating practical solutions for computer security technology. This year's edition will especially focus on security and privacy in the Internet of Things era

NSA RCTCON (Fort Meade, Maryland, USA, Dec 9, 2015) The NSA RCTCON industry exposition will be attended by 250-300 IC (Intelligence Community) cyber personnel working on solutions to the current cyber threats that face the U.S

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel

cyberSecure (New York, New York, USA, Dec 15 - 16, 2015) Today's business leaders recognize that a multi-disciplinary approach is critical to protecting the bottom line. What's too often missed is a vision that incorporates best practices that allow you add value to your company and shareholders DURING and POST breach. Enter ALM cyberSecure. A unique professional event providing an all-encompassing view and the relationships necessary to protect enterprises during all phases, across all departments while keeping revenue on track