The CyberWire Daily Briefing 12.08.15

Cyber Trends

How will billions of devices impact the Privacy of Things? (Help Net Security) The Internet of Things (IoT) will create the single largest, most chaotic conversation in the history of language

Average age of cyber-attack suspects drops to 17 (Guardian) Experts say 'kudos' of committing crime is luring more teenagers, as average age of suspects falls by seven years in the space of 12 months

BAE: Suppliers could be your weakest cyber security link (IT Wire) Cyber attackers are increasingly using their target organisation's supply chain as a route to attack them and access their data or internal systems

The lesser-known security threat concerning a Symantec exec most (Government Health IT) We hear a lot about the evolving threat landscape, hacktavists, nation-state attackers, ransomware, et al. But what are some of the lesser known threats?

HHS, HITRUST, Deloitte 'attack' healthcare orgs to test cyber preparedness (SC Magazine) Many healthcare organizations still lack a concrete response plan for cyber incidents, the Health Information Trust Alliance (HITRUST) found in a recent series of mock attacks on 12 organizations

Cyberattack Simulation Finds Little Data Sharing Among Plans (Bloomberg NBA) Health care organizations aren't effectively collaborating to ward off cybercriminals, security executives concluded after a major breach simulation

2015 Security Review: Top Hacks, Breaches and Cyber Scams (Redmond Channel Partner) The stakes were high in security this year with attacks designed not only to steal credit-card numbers but also to shame, spy on or extort their victims

Storm clouds hover over data security in year ahead (IT WIre) The cloud is the number one area of risk where security of data is likely to come under a greater number of attacks and breaches in the next 12 months from hackers, according to enterprise security vendor Blue Coat Systems

Cyber Security Knowledge Gap in Vietnam Could Be Putting Users at Risk, Reports ESET (Jakarta Post) Vietnam has lowest levels of cybersecurity awareness when compared with six other Asia-Pacific markets

Legislation, Policy and Regulation

EU lawmakers, countries agree on bloc's first cyber-security law (Reuters) EU lawmakers and member states struck a deal on the bloc's first cyber-security law on Monday that will require Internet firms such as Google and Amazon to report serious breaches or face sanctions

You know you've lost if terrorism means you start banning public Wi-Fi (Graham Cluley) After terrorists killed 130 people in Paris last month, it's no surprise to see law enforcement looking to find "easy wins" to curb future attacks

Obama Stokes Crypto Debate (GovInfoSecurity) 'Make it harder for terrorists to use technology to escape from justice,' Obama urges

Obama wants help from tech firms to fight terrorism (CIO) The use of encryption by tech companies has come under criticism from U.S. law enforcement agencies

Week ahead: Path clear for cyber sharing talks (The Hill) A conference to bring together cybersecurity bills in the House and Senate could begin as soon as next week, according to multiple people tracking the discussions

Last-minute scramble over cybersecurity bill (The Hill) The House Homeland Security Committee is working to alter the compromise text of a major cybersecurity bill prepared by the House and Senate Intelligence committees, according to multiple people tracking the negotiations

Legislation requiring tech industry to report terrorist activity may be revived (IDG via CSO) The provision was dropped previously after opposition from lawmakers and the tech industry

Carly Fiorina Warns of Threat She Says the U.S. Is 'Woefully Unprepared' to Handle: Cyberterrorism (Blaze) After terror attacks in Paris and San Bernardino turned the focus of the 2016 presidential race to national security, Republican candidate Carly Fiorina warned voters today that the U.S. remains vulnerable to massive, crippling cyberattacks

Paul: 'Authoritarians' like Christie want to reinstate data collection (CNN) Rand Paul said Monday that voters should be wary of "authoritarians" like New Jersey Gov. Chris Christie who want to reinstate bulk data collection in the wake of recent terrorist attacks

AP FACT CHECK: GOP candidates exaggerating impact of new law on NSA access to US phone records (US News and World Report) In the wake of the California shootings, Republican presidential candidates Marco Rubio, Jeb Bush, Chris Christie and Lindsey Graham are complaining that U.S. intelligence agencies have lost their authority to collect phone records on Americans under a controversial National Security Agency surveillance program

DOD CIO winners honored for security, savings (GCN) This year's winners of the Defense Department's CIO Award for Cyber and IT Excellence were honored at a Pentagon ceremony Dec. 1 for their work protecting the warfighter, securing government networks and identifying millions of dollars in savings

Savannah River Remediation named National Cyber Security Champion (Live 5 News) The Savannah River Remediation is part of a growing effort among business and government agencies to promote online safety awareness

Products, Services, and Solutions

Ziften Announces Ziften ZFlow™ Compatibility with Linux to Enable Cloud Visibility Initiative (Yahoo! Finance) Provides unprecedented public cloud infrastructure and east-west visibility

Attivo Networks Announces Real-Time Cyber Attack Detection for SCADA Devices (EIN News) Nuclear, electrical power generation, oil and gas and other control facilities gain continuous visibility into inside-the-network threats

TRUSTe and PactSafe Partner to Help Companies Maintain EU Data Protection Compliance (Legaltech News) Contract distribution will be done by PactSafe, while TRUSTe will provide privacy assessment against the requirements under the EU Data Protection Directive 95/46/EC

Thycotic Announces Secret Server Express: Free Privileged Account Management for IT Admins (Sys-Con Media) Password management solution provides IT teams with a centralized vault featuring advanced security features for privileged credentials

BankVault uses cloud desktops to thwart banking hackers hijacking mobile phone accounts (Sydney Morning Herald) The rise of sophisticated online banking attacks, defeating two-factor authentication via identity theft, is the driver behind the Australian-based BankVault security system

Gemalto Enables Strong Authentication on Any Device Via Bluetooth(R) Smart Technology (CNN Money) Gemalto Bluetooth Smart Solutions extend Open Public Key Cryptographic strong authentication to all devices, in particular all portable computers, tablets and mobile devices

Could Microsoft's early support cutoff date for Windows 10 Mobile signal mobile second thoughts? (FierceMobileIT) Having just launched its Windows 10 Mobile operating system on its Lumia 950 series phones, Microsoft is providing an early cutoff date for supporting the operating system — January 2018

Liquid metal Turing Phone delayed to Q1 2016 (Venture Beat) The so-called Turing Phone, whose alleged tight security and all-liquid metal enclosure have earned it considerable buzz, has been delayed beyond its scheduled December 18 shipping deadline

Technologies, Techniques, and Standards

Tips for managing and securing SSH keys (Help Net Security) A new NIST report raises awareness of the major vulnerabilities associated with SSH user key management and provides concrete steps for securing and protecting SSH systems and environments

MIT hacking institute to vet mHealth apps, tools (FierceMobileHealthcare) The Massachusetts Institute of Technology, via its nonprofit health tech start-up, will begin issuing reviews of connected medical devices, mHealth services and apps researched by Harvard University physicians and experts from MIT's Hacking Medicine Institute

Should risk management planning include root cause analysis? (TechTarget) Incorporating root cause analysis in risk management planning could be beneficial to developing a security plan, but is it the best time for it?

How to Bolster Data, Physical Security to Make Threats Go Elsewhere (eWeek) There are events in today's society that you simply can't control or prevent, no matter how much you try. But it is possible to help convince the bad guys to go elsewhere

Fines for non-compliance with data regulations are just the tip of the iceberg (SC Magazine) ICO fines should be the least of a company's worries should it suffer a data breach according to Nigel Hawthorn who says on-going and potentially business-fatal repercussions of a data-breach that should be the main concern

Advent tip #8: (Don’t) click here for a free iPhone! (Naked Security) Would you like free tickets to a One Direction concert? How about a free iPhone?

Marketplace

Cyber security: do CEOs need to step up? (Security Watch) Despite the risks associated with cyber breaches less than half (49%) of CEOs around the world are fully prepared for a future cyber event, according to a new study from KPMG International

Cyber Security Stocks Tumble, FireEye Inc (FEYE), Cyberark Software Ltd (CYBR) Hit a Fresh Low (Bidness Etc.) FireEye Inc. (NASDAQ:FEYE) stock plunged more than 5% in the opening hours of trading today, and fizzled down to its 52-week low of $19.76, amid a sharp decline in cyber security stocks. Cyberark Software Ltd. (NASDAQ:CYBR), its Israel based peer in cyber security, also fell more than 4% today. Meanwhile, Palo Alto Networks Inc. (NYSE:PANW) dipped only 1%

FireEye jumps on Citi upgrade; PANW, SPLK, IMPV favorably mentioned (Seeking Alpha) Stating an IT security survey involving 51 CIOs turned up "exceptional strength" for FireEye (FEYE +7.5%), Citi's Walter Pritchard has upgraded shares to Buy and hiked target hiked by $4 to $35

High-paying Cybersecurity Jobs Go Begging Across the World (Fortune) First step to solving this problem: telling workers that such a field exists

Cybersecurity experts earning up to £10,000 per day says ManpowerGroup (International Business Times) Cybersecurity experts are hot in the UK. A record demand for the professionals has led to a surge in their salaries as well, with some earning up to £10,000 a day as companies scrambled to protect themselves from embarrassing data breaches, according to a study

L-3 Agrees on $550M Gov't Services Segment Sale to CACI (GovConWire) New York City-based defense contractor L-3 Communications (NYSE: LLL) has agreed to sell its government services business segment to Arlington, Virginia-headquartered public sector services company CACI International (NYSE: CACI) for $550 million cash, the companies said Tuesday

Yahoo's Fate: Could There Be a Deal With Verizon? (Bloomberg Video via Yahoo! Finance) Verizon would explore a possible acquisition of Yahoo if a deal made sense, Verizon Chief Financial Officer Fran Shammo said

Cyber security firm Blue Coat Systems in IPO talks: source (Reuters) Network security company Blue Coat Systems Inc is interviewing banks for an initial public offering, according to a person familiar with the matter who requested anonymity because the deliberations are confidential

Magnet Forensics Announces Strategic Partnership with U.S. Intelligence Community's Strategic Investor (Magnet Forensics) Co-development of digital forensic tools will support law enforcement and national security agencies' recovery and analysis of digital evidence

BlackBerry: 8 Ways It Can Be Saved (InformationWeek) BlackBerry continues to underwhelm. Here are eight ways CEO John Chen can turn things around

This Va. Cybersecurity Startup Is So Hot Right Now (DCInno) PhishMe's CEO talks about the company's strong growth and plans for 2016

Small business advocates wary about impact of new DoD cyber rules (Federal News Radio) The Defense Department has an understandable preoccupation with the cybersecurity practices of its vendors, especially since a preponderance of the successful cyber thefts of Defense information involve private IT systems, not government ones

AF seeks security solutions with kill chain integration, spectrum awareness (GCN) The Air Force is inviting industry to help it boost security through kill chain integration and full spectrum awareness of emerging threats

GSA, DHS begin march toward cyber shared services (Federal News Radio) The Homeland Security Department is taking a different, and maybe somewhat surprising path, for its latest task order under the continuous diagnostic and mitigation (CDM) program

DHS ramps up outreach around Internet of Things (FierceGovernmentIT) The Homeland Security Department will host an industry day in the heart of Silicon Valley this week in an effort to better understand and respond to the security challenges associated with the Internet of Things

CenturyLink awarded DHS EINSTEIN 3 Accelerated service expansion contract (CenturyLink) CenturyLink, Inc. (NYSE: CTL) was recently awarded a service expansion contract from the U.S. Department of Homeland Security (DHS) to provide EINSTEIN 3 Accelerated (E3A) protections to U.S. federal civilian agencies that cannot access E3A services through their existing Internet service provider

The big data technology behind online threat detection at Symantec (ZDNet) Over recent years, Symantec has had to implement a new analytics platform in order to enhance its security operations team's ability to prevent, detect, and respond to online attacks

IBM's Chairman Appoints Field General To Lead Security Troops In Battle Against Cyber Crime (Forbes) Ginni Rometty, IBM Corp.'s Chairman, President and CEO, says that cyber crime is the greatest threat to every company in the world

Hexis Cyber Solutions Named to CRN 2015 Tech Innovator List (Nasdaq) Next generation endpoint detection and response platform HawkEye G takes top honor in the 2015 Security category

The Baltimore Sun Media Group Names Chiron Technology Services, Inc. A Winner Of The Baltimore Metro Area 2015 Top Workplaces Award (Sys-Con) The Baltimore Sun Media Group recently recognized Chiron Technology Services, Inc., as one of its Top Workplaces for 2015

Tenable Network Security Recognized as a 'Top Workplace' by The Baltimore Sun for Second Consecutive Year (BusinessWire) Employee feedback earns leading cybersecurity software company a place on The Baltimore Sun's 2015 list of Top Workplaces

Research and Development

Galois Awarded $6.3M DARPA Contract To Research Private Data As A Service (PRWeb) Galois' Jana project selected by DARPA Brandeis program to break logjam between maintaining data privacy and tapping into full potential of big data

DHS Picks 5 Recipients for Cyber Physical Systems Security Contracts (ExecutiveBiz) The Department of Homeland Security's science and technology directorate has awarded five contracts worth $7.8 million combined to universities and other institutions to perform research and develop tools designed to safeguard cyber physical networks from cyber attacks

Cyber Attacks, Threats, and Vulnerabilities

Iran-based hackers may be tracking dissidents and activists, Symantec says (IDG via CSO) The hackers may have had access to "an enormous amount of sensitive information," the security firm says

Iran-based attackers use back door threats to spy on Middle Eastern targets (Symantec.Connect) Two Iran-based attack groups that appear to be connected, Cadelle and Chafer, have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations

Hack helped anti-Semitic spammer target four million mobile users (Graham Cluley) In April, someone tried to send anti-Semitic spam SMS messages to four million mobile customers in the United Arab Emirates (UAE) by using data that had been compromised in a 2013 breach

ISIS Loyalists Mock Obama's "Fear" After Oval Office Speech (Vocativ) Islamic State adherents said Obama's reluctance to put boots on the ground shows ISIS' power

U.S. Seeks to Avoid Ground War Welcomed by Islamic State (New York Times) As the debate on how best to contain the Islamic State continues to rage in Western capitals, the militants themselves have made one point patently clear: They want the United States and its allies to be dragged into a ground war

Anonymous Plans 'Trolling Day' Against ISIS (Time) They will hack social media networks and protest on the streets on Dec. 11

Anonymous hacks UN climate conference officials (SC Magazine) Anonymous has hacked and released the private details of nearly 1,500 UN officials in retaliation against last week's arrest of protestors at a climate march in Paris

"Backstabbing" malware steals mobile backups via infected computers (Help Net Security) In this day and age, our mobile devices carry more personal and business information than any other electronic device. Is it any wonder, then, that attackers want to have access to them?

'BackStab' the latest vulnerability in Apple's iOS security (FierceMobileIT) Apple's iOS devices have become the mobile device of choice for many enterprises, partly because of the mobile operating system's solid security reputation

East Africa: New Twist On Old Cyber-Attack Method Targeting Mobile Devices - Palo Alto Networks (All Africa) Palo Alto Networks, the next-generation security company, today revealed details of a new "BackStab" attack used to steal private information from mobile device backup files stored on a victim's computer.

Windows' Nemesis: Pre-boot malware pwns payment processors (Register) Infosec bods finger Russian hacking crews

TeslaCrypt — New CryptoTrojan on the March (Check and Secure) Cases of cyber "hostage taking" have reached new heights over the last couple of years, with ever more attention being paid to the causes and effects of this new illegal trend

Cyber Extortion, DDoS-For-Bitcoin Campaigns Rise (Dark Reading) Now that the model is proven, more cyber-extortionists are entering the scene, stealing their predecessors' ideas and even their names

Millions of smartphones, IoT devices risk compromise due to 3-year-old bug (Help Net Security) Can you believe that an estimated 6.1 million smart phones, routers, and smart TVs are vulnerable to remote code execution attacks due to security bugs that have been fixed back in 2012?

McAfee Enterprise Security Manager failed to manage own security (SC Magazine) Hard-coded username allowed access to the McAfee Enterprise Security Manager as master user without authentication or password

Hello Barbie's POODLE problem, and other security issues with internet-connected doll (Graham Cluley) Hello Barbie, the internet-connected talking doll from toymaker Mattel, isn't receiving the best publicity at the moment

Vtech breach: Passwords 'not securely stored' (BBC) Toy giant Vtech has been accused of not securely storing customer passwords in its database, security experts say — with one calling it "unforgivable"

Cybercriminals using fake LinkedIn accounts to scam users: Symantec (Times of India) Cybercriminals are using fake LinkedIn profiles to map out the networks of business professionals to scrape contact information and later use these to send spear-phishing emails, security solutions firm Symantec today said

The Pre-Holiday Retail Risk Report (Bay Dynamics) In 2015, retailers are expected to hire 775,000 workers to deal with the holiday shopping demand. As retailers focus on customers and sales, information security often gets pushed to the backburner

Adventszeit sorgt bei Online-Kriminellen für Hochkonjunktur (Presseportal) Ob per Smartphone, Tablet oder PC — der Onlineeinkauf der Weihnachtsgeschenke boomt

Hackers announce WWE's Jim Ross is dead, after wrestling control of his Twitter account (We Live Security) If you're a fan of watching grown men in spandex, pretending to knock seven bells out of each other in front of a baying crowd, then chances are you will know Jim Ross

Academia

CBA, UNSW team up to train cyber security experts (Australian) Australia's biggest bank and one of its largest computer science schools have joined forces to bolster Australia's web defences, as the need for cybersecurity specialists goes viral

Commonwealth Bank’s $1.6 million plan to turn us all into hackers (News.com) If you were born before 1985, you probably remember the cult film Hackers, starring a pixie-haired Angelina Jolie and her soon-to-be husband Jonny Lee Miller

Eric Simonaire Wins Council on CyberSecurity’s National Cyber Quests Competition (US Cyber Challenge) Rolling Meadows, Illinois resident gets $1,000 scholarship

Fourth annual Maryland Cybersecurity Center Symposium attracts 150 (Diamondback) At the fourth annual Maryland Cybersecurity Center Symposium on Monday, visitors arrived at the Samuel Riggs IV Alumni Center to learn about cybersecurity issues such as security certificate removal from hacked sites and bitcoin

Litigation, Investigation, and Enforcement

Sens. Ron Johnson, Tom Carper Ask DOJ, DHS Chiefs on Anti-Ransomware Efforts (ExecutiveGov) Sens. Ron Johnson (R-Wis.) and Tom Carper (D-Del.) have issued letters to inquire about the efforts the departments of Homeland Security and Justice launched to counter attacks related to ransomware

Cybercrime investigations strain Secret Service, risk duplicative efforts, says House committee (FierceGovernmentIT) Cybercrime is a top priority of the Secret Service's investigative mission, according to a new report, but a House committee is concerned that the agency is focusing too much on combating cybercrime and may be venturing into work that overlaps with federal partners

United States Secret Service: An Agency in Crisis (Committee on Oversight and Government Reform: US House of Representatives) The United States Secret Service (USSS) is tasked with a zero-failure mission: to protect the President and other protectees at all costs

Former Secret Service agent sentenced for corruption in Silk Road investigation (IDG via CSO) Shaun W. Bridges was one of two corrupt federal agents involved in the Silk Road investigation

Trend Micro releases North American Deep Web Cybercrime report (ITWire) Trend Micro has released its North American cybercriminal underground report, 'North American Underground: The Glass Tank,' where its underground 'encourages cybercriminal activity amongst novices and seasoned pros alike'

FBI, Interpol, and Microsoft coordinated on Dorkbot takedown (SC Magazine) A coalition of law enforcement agencies partnered with technology companies and security vendors, including Microsoft, CERT.PL and ESET to take down a ring of over 1 million infected computers

Finjan Provides Litigation Update in Proofpoint Case; Claim Construction Order and Significant Motions (MarketWired) The Court entered two substantive orders, both in Finjan's favor

Alleged hit-and-run foiled after driver's car calls the cops on her (Naked Security) "There was no accident," Cathy Bernstein stressed to the emergency response dispatcher who had called her