The CyberWire Daily Briefing 12.07.15

Cyber Attacks, Threats, and Vulnerabilities

Islamic State adds smartphone app to its communications arsenal (Christian Science Monitor Passcode) An independent group monitoring the Islamic State online says it discovered the militant group is distributing its own mobile app, signaling a shift in how the jihadists communicate

The Kardashian Look–Alike Trolling for Assad (Daily Beast) Maram Susli calls ISIS an American puppet, compares Nazis to Zionists — and is quickly gaining a global following, including one of MIT's most storied professors

Anonymous wants December 11th to be 'Isis trolling day' (Neowin) Anonymous, the on and offline hacktivist movement, is declaring December the 11th to be "Isis trolling day". This is part of the movement's ongoing effort to disrupt and discredit the terrorist's organizations online presence

Social media companies step up battle against militant propaganda (Reuters) Facebook, Google and Twitter are stepping up efforts to combat online propaganda and recruiting by Islamic militants, but the Internet companies are doing it quietly to avoid the perception that they are helping the authorities police the Web

Sofacy APT hits high profile targets with updated toolset (Securelist) Sofacy (also known as "Fancy Bear", "Sednit", "STRONTIUM" and "APT28") is an advanced threat group that has been active since around 2008, targeting mostly military and government entities worldwide, with a focus on NATO countries. More recently, we have also seen an increase in activity targeting Ukraine

Russian spy group adopts new tools to hack defense contractor networks (Computerworld) Pawn Storm uses air-gap defeating malware

Russian "Pawn Storm" expands, rains hell on NATO, air-gapped PCs (Register) Group cooks zero days, malware modules, and hacks anything it likes

China blamed for cyber attack on Australian government (TV Newsroom) A major cyber attack on a Bureau of Meteorology supercomputer has been blamed on China

China's hacking attacks are more than just a nuisance (WA Today) The Chinese cyber attack on the Bureau of Meteorology last week might have been big, but it is in no way exceptional. It's part of a much bigger problem

Hacker Holds United Arab Emirates Bank to Ransom, Demands $3 Million (Tripwire: the State of Security) A malicious hacker that successfully breached the IT systems of a large bank in the United Arab Emirates (UAE) demanded nearly $3 million worth of cryptocurrency or the financial information of hundreds of its customers would be leaked online

Hacker Leaks Customer Data After a United Arab Emirates Bank Fails to Pay Ransom (Wired) A hacker who broke into a large bank in the United Arab Emirates made good on his threat to release customer data after the bank refused to pay a bitcoin ransom worth about $3 million

DD4BC, Armada Collective, and the Rise of Cyber Extortion (Recorded Future) DD4BC, a group that named itself after its extortion method of choice — DDoS "4" Bitcoin — has attacked over 140 companies since its emergence in 2014. Other groups, inspired by their success, are jumping on the bandwagon. Is this form of extortion here to stay?

Infostealers, Exploit Kits & Ransomware, Just Your Typical Malware Campaign (Softpedia) In an optimal scenario, when you get infected with malware, you think it's only one virus. Unfortunately, in the real world it's not so, and security analysts from Heimdal Security have unveiled details about a malware campaign that starts with infostealers, goes through exploit kits, and finishes with computers being locked down with ransomware

Pony, Angler and CryptoWall mixed into dangerous cyberthreat cocktail (Computerworld) Cybercrime group combines Pony, Angler and CryptoWall 4.0 in a single campaign

Why Ransomware Is Not Going Away Any Time Soon (SecurityWeek) 2015 has been an eventful year in the world of malware, and few threats have risen more dramatically than ransomware

When Undercover Credit Card Buys Go Bad (KrebsOnSecurity) I recently heard from a source in law enforcement who had a peculiar problem

US cyber criminal underground a shopping free-for-all (CSO) The North American cyber criminal underground isn't buried as deep as in other geographies

Advisory (ICSA-15-309-02) Honeywell Midas Gas Detector Vulnerabilities (US-CERT) Independent researcher Maxim Rupp has identified two vulnerabilities in Honeywell's Midas gas detector. Honeywell has produced firmware versions to mitigate these vulnerabilities

Cash machines in malware risk as embedded Windows XP reaches end of life (SC Magazine) Banks are strictly Lastminute.com when it comes to updating embedded Windows XP operating systems in their ATMs, leaving 65,000 cash cows vulnerable to malware milking

Bitcoin stolen via malware infected pirated copy of Fallout 4 (Silicon Angle) Various industry bodies over the years have tried all sorts of scare tactics in relation to piracy, up to and including taking people to court, but what if your pirated item ended up stealing Bitcoin?

PornHub caught in Malvertising Row — Again (Check & Secure) Malvertising is nothing new. Malvertising in Porn is nothing new. Malvertising on PornHub, again, is nothing new. However the threat of malicious banner ads on adult entertainment websites is not going away and as a result of this, ever more visitors become infected

Despite recent hack, TalkTalk customers are still at risk of cyber attack (Computer Business Review) Unencrypted services are leaving customer data out in the open

The TalkTalk hack — is cyber security more complicated than we think? (Legal Futures) The recent hacking of phone and broadband provider TalkTalk has raised plenty of questions among lawyers about how safe the internet really is. Is our information, stored in distant silicon towers, really protected?

Elf on the Shelf and 'nextgen' surveillance toys (CSO) It is that time of year again where people have their thoughts start to turn to happier scenarios of family gatherings, parties and exchanging gifts

Bulletin (SB15-341) Vulnerability Summary for the Week of November 30, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week

Security Patches, Mitigations, and Software Updates

Industrial gas detectors vulnerable to a remote 'attacker with low skill' (Naked Security) Users of Honeywell's Midas and Midas Black gas detectors are being urged to patch their firmware to protect against a pair of critical, remotely exploitable vulnerabilities

High-impact DoS flaw patched in Node.js, update as soon as possible (Help Net Security) The Node.js Foundation has pushed out a patch for its eponymous open source, cross-platform runtime environment for developing server-side web applications

Yahoo Mail fixed against evil emails you didn't need to open (Naked Security) Yahoo Mail has fixed a bug in its software that left hundreds of millions of users vulnerable to specially crafted emails that could have been used to steal data or spread malware on a huge scale

Millions of Microsoft Windows users face major security issues within weeks (Daily Star) Microsoft is giving Internet Explorer users a few weeks to upgrade their browser or become vulnerable to cyber attacks

Cyber Trends

How safe is the Internet of Things? (Toronto Star) We're living in homes and buying toys that are connected but how well-protected are they from hackers?

A New Security Paradigm Needed to Support the Internet of Things (Cisco Blog: Innovation) This "incident response" approach to cyber security was designed primarily for enterprise networks, data centers, and consumer electronics. It companies [sic] perimeter-based protection that uses firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) to prevent security threats

Research — The Real IoT Value By 2025 (WT VOX) McKinsey & Company's Global Institute conducted a research with the reason of exploring the "real" IoT value on the global economy

Robert Samuelson: Will Cybergeddon nightmare materialize? (Telegram) When it comes to cyberwar and cyberterrorism, we need to think the unthinkable, says veteran TV journalist Ted Koppel

Mayer's Raj De on The Next Cyber Stage (Legaltech News) Former NSA GC says organizations are not thinking broadly enough about risks

IG [Information Governance] Still a Problem for Many Organizations: Report (Legaltech News) The report analyzes IG issues and discusses ways to bring things under control

John McAfee: Hacking a major corporation is so easy even a grandma could do it (Yahoo! News) The percentage of the population that has some form of tech savvy is higher than it has ever been

A third of UK finance industry logins risks customer data (SC Magazine) Many industry personnel are not assigned unique login and password details resulting in the risk of customer's personal and financial data

Canadian Companies Poorly Prepared to Navigate Harsh Cybersecurity Landscape (TechVibes) A majority of Canadian companies consider themselves prepared for a cyber attack, yet barely one-third of businesses have effective procedures and technologies in place to protect critical assets

Security Predictions for 2016 (Information Security Buzz) As enterprise perimeters expand, so will security vulnerabilities

9 Cyber Security Threat Predictions For 2016 (CXO today) The year 2015 has been full of data breaches from Ashley Madison to Anthem and JPMorgan Chase & Co and the list goes on

Cyber Pearl Harbor: A date that will live in infamy, and the marketing machine that hijacked it (CSO) 74 years ago, citizens of the United States learned of an attack that eventually led 16 million people to war

Marketplace

How to Get the C-Suite Fired in the 21st Century (Dark Matters) Hola readers! (Being in Panama, I need to improve my Española) Hoping everyone had a safe and joyous Thanksgiving. Before launching my own company in July, I worked with a Defense Contractor in Virginia. Oddly enough, one of the things I worked on was how to assess risk during Mergers and Acquisitions (M&A) activities because we were evaluating it as a service offering

Top 10 Reasons To Invest In Cyber Security (DDOS Today) Cyber attacks and major cyber crimes are happening on a daily basis

Want job security? Try cybersecurity (CNBC) Even as employers added 211,000 jobs in November, prospective employees still have trouble finding jobs — unless you work in cybersecurity

Virginia turns attention to the cyber talent shortage (GCN) Virginia Gov. Terry McAuliffe is aiming to make cybersecurity an economic pillar in his state — but to do so, he'll need to find a lot more trained and talented workers

US Army awards 1 billion deal to Booz Allen Hamilton (Consultancy.uk) In an attempt to stay ahead in the traditional and cybercrime battlefield, several US military commands a while ago launched a massive programme aimed at identifying and managing global threats to the US, the so-called the Global Threat Mitigation Program (GTMP)

IBM signs security pact with Federal Bank for mobile app (Economic Times) IBM has signed a deal for an undisclosed amount with Federal BankBSE 1.32 % to provide a security layer on the Kochibased lender's mobile application which will also warn the users in case they attempt a transaction over an insecure network or through an infected device

Engility's big cyber win shows TASC acquisition is paying off (Washington Business Journal) Chantilly-based Engility Holdings Inc. (NYSE: EGL) is reaping the rewards of its recent TASC Inc. acquisition, announcing Thursday it scored a cybersecurity award from the U.S. Air Force

Inside the new Raytheon&#124Websense venture (Computer Business Review) Analysis: Big announcement to come early in the new year

What Our B-Round Means for the Growth of Social Media Security (ZeroFOX) Here at ZeroFOX, we are excited to close a $27 million Series B funding round. Highland Capital led the round with the support of NEA, Genacast, Core Capital and Silicon Valley Bank. Needless to say, we're looking forward to the future of ZeroFOX and the growth of social media security

Products, Services, and Solutions

Koolspan Announces Release of TrustCall 4.0 with December Availability; Providing Flexible, Interoperable, Secure Mobile Calling and Text Messaging Across Popular Smartphones (Koolspan) TrustCall combines the security of hardware with the ease of software to deliver the most secure and easy-to-use mobile communications as a fully-hosted global service or on-premise solution

Simply Secure offers free usability design help to developers of privacy, security tools (Help Net Security) It is a truth universally acknowledged that privacy and security tools that are easy to use will be more popular that those that aren't

Let's Encrypt Initiative Enters Public Beta (Threatpost) The Let's Encrypt initiative reached yet another milestone this week when it entered public beta, something it claims should help make it easier for website owners to embrace HTTPS encryption

Technologies, Techniques, and Standards

There is no one-stop-shop for cyber security standards — ICC BASIS tells Internet governance forum (International Chamber of Commerce) International Chamber of Commerce (ICC) Business Action to Support the Information Society (BASIS) urged stakeholders to recognize that cyber security standards must be globally accepted, industry led and recognized by the broadest community possible in a main session on cyber security and digital trust at the Internet governance forum (IGF) in Joa Pessoa Brazil

Health Insurers Test Their Security Capability With Cyber Exercise (eWeek) A dozen health insurance providers covering 60 percent of the U.S. population took part in CyberRX 2.0, a cyber exercise aimed at minimizing the impact of a breach

Medical device security? Forget hackers, think 'hand-washing' (Healthcare IT News) 'This is not rocket science; this is basic hygiene'

More Understanding PCI DSS Scanning Requirements (Tenable Network Security) Yes, Virginia, there are internal network scanning requirements for PCI

Opinion: Cybersecurity collaboration needs a toolkit. So we built a prototype (Christian Science Monitor Passcode) Instead of drafting yet another report saying collaboration is important for improving cybersecurity, we built a prototype, Web-based toolkit that provides cybersecurity pros a way to start more multidisciplinary cooperation

Tracking hackers with their own digital shadow (IT Pro Portal) The age of digital business has, for the most part, been positive. It has increased the ease and speed of communication while at the same time as reducing the cost

The Enterprise Strikes Back: Finding a New Hope in the Fight against Data Breaches (Legaltech News) Experts discuss the nature of data breaches and how companies can equip to battle them

CyberSecure: Using a Crisis as an Opportunity to Protect and Enhance the Company's Reputation (Legaltech News) The realization that all companies will inevitably experience a data breach at some point exposes the need for a strong communication strategy to preserve a company's reputation

Future of Policing: 4 Factors to Consider When Deploying New Technologies (Government Technology) Law enforcement administrators would be well-advised to consider a number of factors before deploying such new technologies as body cameras, drones and data analytics

Procuring Security Tech a Hassle? These 9 Tips Will Help (eSecurity Planet) Procuring enterprise security technology can be tricky. A government CISO offers nine tips that will help the procurement process go smoothly

Continuous Monitoring for Random Strings (Internet Storm Center) Greeting ISC readers. Mark Baggett here. Back in August I released a tool called freq.py that will help to identify random characters in just about any string by looking at the frequency of occurrence of character pairs

Advent tip #5: Change default passwords on baby monitors and webcams (Naked Security) Whether it's a baby monitor, a home surveillance system, or any other internet-enabled camera, it probably has a default pasword

Advent tip #6: A padlock *inside* a web page? Ignore it! (Naked Security) By now, you probably know the difference between HTTP and HTTPS

Advent tip #7: Do I really still need Flash? No. No you don't. (Naked Security) Want to do one single, simple thing to drastically improve your security during advent?

Research and Development

A Search Engine for the Internet's Dirty Secrets (Technology Review) Google is helping to power a new search engine built on a daily scan of the whole Internet

Data Storage on DNA Can Keep It Safe for Centuries (New York Times) Computer data has been depicted as microscopic magnetic smudges, electric charges and even Lilliputian patterns of dots that reflect laser beams

DHS S&T Awards $7.8 Million for Cyber Physical System Security Research (TXK Today) The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) today announced the award of five contracts totaling $7.8 million for research on technologies to help defend against attacks on cyber physical systems

Academia

Students win $25,000 at National Cyber Analyst Competition (Iowa State Daily) Cyber security is one of the largest concerns in the United States and around the world

Legislation, Policy, and Regulation

France looking at banning Tor, blocking public Wi-Fi (Ars Technica) Leaked docs from Ministry of Interior show worryingly illiberal trend for France

French police want to ban Tor, public Wi-Fi (IT World) As legislators debate new anti-terror laws, police are lobbying for unprecedented powers to decrypt communications

Obama wants help from tech firms to fight terrorism (IDG via CSO) The use of encryption by tech companies has come under criticism from U.S. law enforcement agencies

California Attack Has U.S. Rethinking Strategy on Homegrown Terror (New York Times) The day before Thanksgiving, President Obama reassured Americans there was "no specific and credible intelligence indicating a plot on the homeland." Seven days later came an explosion of gunfire and the deadliest terrorist attack in America since Sept. 11, 2001

Encryption Battle Heating Up on the Hill in Light of Terror Events (FBRFlash) In light of the tragic events in Paris and the potential terrorist investigation around the San Bernardino attacks, there are starting to be louder calls and renewed debate around encryption and "back door" government access to consumer/enterprise data

San Bernardino Shooting Revives NSA Surveillance Debate (Huffington Post) Some Republicans think shutting down the program diminished national security

Lawmakers want proof China is honoring hacking pledge (The Hill) The clock is ticking on the Obama administration to determine whether China is adhering to a September pledge to eradicate corporate hacking

US, China cybersecurity hotline offers no guarantees (IDG via CSO) Speaking at the New England Cybercrime Conference the nation's top lawyer for national security also addressed the threat of cyber terrorists. He doesn't think they have advanced cyber weapons because if they did they would have used them

DHS pushing for more public-private partnership on cyber (FCW) The Department of Homeland Security is looking to further expand its cooperation with Israel on cyberspace over the coming year, DHS Deputy Secretary Alejandro Mayorkas said on Dec. 4

Hackers to Pentagon: You're Doing Cyber Wrong (GovTechWorks) What happens when you bring together some of the nation's leading hackers, the Pentagon's chief of training and an Air Force Academy professor who teaches cyber skills to cadets? They all agree on one thing: The government's approach to cyber security is coming up short

Cyber Security at the Speed of Bureaucracy (Ricochet) The Office of Personnel Management's (OPM) security clearance files were hacked 20 months ago. It is just now notifying the people whose personal identification information was stolen

CBI & FBI join hands to reduce time required to fulfil requests on information and evidence (Economic Times) Guess how much time does it take for a criminal investigation in India to get information stored in a server in America? On an average, 40 months. That is likely to come down soon to a few months, if recent efforts between Indian and US criminal investigation agencies bear fruit

Improving Cyber and Supply Chain Security in GSA Schedule Contracting (Bloomberg BNA: Federal Contracts Report) The federal government purchases more than $30 billion of goods and services annually through various General Services Administration (GSA) Multiple Award Schedule (MAS) contracts

EU data protection fines could reach four per cent of business turnover (Computing) Businesses could be fined up to four per cent of their annual global turnover for breaching new EU data protection laws, under leaked plans that are up for consideration by the European Parliament and European Commission

Banks must tighten cybersecurity — BSP (Manila Bulletin) The Bangko Sentral ng Pilipinas (BSP) has called on the banking industry to tighten and strengthen cybersecurity amid a growing cyber-threat landscape

Litigation, Investigation, and Law Enforcement

US can't access NSA phone records in California terror case (WIVB 4) The U.S. government's ability to review and analyze five years' worth of telephone records for the married couple blamed in the deadly shootings in California lapsed just four days before the attack, when the National Security Agency's controversial mass surveillance program was formally shut down

FBI won’t discuss how shuttered NSA program would have affected San Bernardino investigation (The Hill) FBI Director James Comey is declining to say whether the recent shuttering of a National Security Agency (NSA) surveillance program that collected phone records on millions of Americans had any effect on the investigation into the suspects of this week's San Bernardino, Calif., shooting

Technology Provides 'Digital Trail' of Evidence as Authorities Investigate California Mass Shooting (Legaltech News) Questions arise how and when to subject technology and social media data to searches

Bank lawyers balk at rush for Home Depot, MasterCard breach settlement (Business Insurance) Plaintiff attorneys representing financial institutions in litigation over Home Depot Inc.'s 2014 cyber breach are angrily denouncing a contingent settlement reached with MasterCard they say was secretly negotiated, and recommending their clients reject it

Variety Jones, Alleged Silk Road Mentor, Arrested in Thailand (Wired) More than two years after Ross Ulbricht was arrested in a San Francisco and accused of creating and running the Dark Web drug bazaar known as the Silk Road, a manhunt on the other side of the world has found the man believed to be Ulbricht's closest adviser and mentor: Variety Jones

Company told to stop Facebook naming and shaming overdue customers (Naked Security) Canada's privacy commissioner has ordered a small cable TV company in the Northwest Territories to stop naming and shaming overdue account holders on Facebook

Cyberporn goes mobile to evade authorities (Inquirer) Cyberporn operators have found a way of avoiding detection from law enforcers: mobile phones

For a complete running list of events, please visit the Event Tracker.

Upcoming Events

Program on Cyber Security Studies (PCSS) (Garmisch-Partenkirchen, Germany, Dec 2 - 17, 2015) The Marshall Center has developed a comprehensive program to explore the increasing domestic, international and transnational challenges in cyber security. Our goal is to provide a comprehensive, policy-focused, non-technical cyber security program that emphasizes and teaches senior key leaders how to best make informed decisions on cyber policy, strategy and planning within the framework of whole-of-government cooperation and approaches

2015 Cyber Security Exchange (Orlando, Florida, USA, Dec 6 - 8, 2015) This dynamic, three-day event will provide Cyber Security executives with valuable insights to reach their full potential by exploring security leadership strategies, heightened data privacy concerns, the ever-changing advanced threat landscape, efficient identity access management and more

Disrupt London 2015 (London, England, UK, Dec 7 - 8, 2015) TechCrunch Disrupt is one of the most anticipated technology conferences of the year. Join us at this iconic startup and thought leadership event in London on December 7 and 8. What happens at Disrupt? We start each day with panels and one-on-one discussions featuring TechCrunch writers and editors, special guest speakers, leading venture capitalists and fascinating entrepreneurs addressing the most important topics facing today's tech landscape. Each afternoon, we host the Startup Battlefield competition which culminates in six finalists taking the stage at the end of the event for a shot at winning the Disrupt Cup

Passwords 2015 (University of Cambridge, England, UK, Dec 7 - 9, 2015) More than half a billion user passwords have been compromised over the last five years, including breaches at internet companies such as Target, Adobe, Heartland, Forbes, LinkedIn, Yahoo, and LivingSocial. Yet passwords, PIN codes, and similar remain the most prevalent method of personal authentication. Clearly, we have a systemic problem. This conference gathers researchers, password crackers, and enthusiastic experts from around the globe, aiming to better understand the challenges surrounding the methods personal authentication and passwords, and how to adequately solve these problems. The Passwords conference series seek to provide a friendly environment for participants with plenty opportunity to communicate with the speakers before, during, and after their presentations

ACSAC (Annual Computer Security Applications Conference) (Los Angeles, California, USA, Dec 7 - 11, 2015) ACSAC is one of the most important cyber security conferences in the world, and the oldest information security conference held annually. Researchers, government representatives, academia and security professionals of all types gather at ACSAC to discuss the latest developments in the infosec industry. The core mission of this conference is investigating practical solutions for computer security technology. This year's edition will especially focus on security and privacy in the Internet of Things era

Cyber Risk Wednesday: 2016 Threat Landscape (Washington, DC, USA, Dec 9, 2015) To discuss how 2016 will likely challenge today's security thinking and what we can learn from the past year's developments and these trends, please join the Atlantic Council's Cyber Statecraft Initiative on Wednesday, December 9 from 4:00 p.m. to 5:30 p.m. for a moderated panel discussion with a group of prominent cybersecurity experts

NSA RCTCON (Fort Meade, Maryland, USA, Dec 9, 2015) The NSA RCTCON industry exposition will be attended by 250-300 IC (Intelligence Community) cyber personnel working on solutions to the current cyber threats that face the U.S

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel

cyberSecure (New York, New York, USA, Dec 15 - 16, 2015) Today's business leaders recognize that a multi-disciplinary approach is critical to protecting the bottom line. What's too often missed is a vision that incorporates best practices that allow you add value to your company and shareholders DURING and POST breach. Enter ALM cyberSecure. A unique professional event providing an all-encompassing view and the relationships necessary to protect enterprises during all phases, across all departments while keeping revenue on track