The CyberWire Daily Briefing 12.09.15
Daesh/ISIS issues new instructions to its followers over Telegram, warning of a tougher fight to come and offering nervous advice (sounding almost like a chamber of commerce during October) about how to stay safe online. Daesh online activity is expected to continue to focus on information operations. Spanish police arrest two Daesh recruiters, and US prosecutors proceed against an Ohio man tweeting jihadist death threats.
Citizen Lab reports on "Packrat," a cyber threat actor Citizen Lab says has targeted South American journalists for several years. As its name suggests, the actor makes much use of RATs (remote-access Trojans). Observers speculate that Packrat is state-sponsored.
Trend Micro warns that the Independent's blog has been compromised to serve visitors TeslaCrypt ransomware.
The criminal black market continues growth and maturation.
Yesterday was Patch Tuesday, with security updates from Adobe (for Flash Player), Apple (for iOS, tvOS, OS X, watchOS, Safari, and Xcode), Google (for Android and Chrome), and Microsoft (for Windows, IE, Edge, Silverlight, Skype for Business, Microsoft Lync, .NET Framework, and Office). Microsoft rates eight of its seventy-one (71!) patches "critical." Of Google's nineteen Android fixes (actually pushed out Monday), four address "critical" issues.
As the US encryption debate unfolds, some see Kazakhstan's new law requiring backdoors as an international precedent.
Wired thinks it's found hemi-semi-demi-mythical Bitcoin creator "Satoshi Nakamoto": he is, says Wired, an Australian named Craig Steven Wright. Hours after Wired publishes its profile (much disputed since in Twitter and elsewhere) Australian police raid Wright's home on a tax beef.
Today's issue includes events affecting Argentina, Australia, Brazil, China, Ecuador, France, Germany, Iraq, Kazakhstan, Luxembourg, Morocco, Netherlands, Singapore, Spain, Syria, United Kingdom, United States, and Venezuela.
Cyber Attacks, Threats, and Vulnerabilities
ISIS Hackers Issue Marching Orders To Loyalists (Vocativ) A new warning for the group's supporters: "The war is getting tougher than before"
Americans Attracted to ISIS Find an 'Echo Chamber' on Social Media (New York Times) When a lonely Virginia teenager named Ali Amin got curious about the Islamic State last year and went online to learn more, he found a virtual community awaiting
This is how the Islamic State will exploit cyberterrorism (MarketWatch) Recruiting and funding will be done online, and not necessarily in the Middle East
South America hacker team targets dissidents, journalists (AP via KIII TV) A shadowy cyber-espionage group that sent malware to the prosecutor whose mysterious death transfixed Argentina early this year has been hitting targets in left-leaning nations across South America, the Internet watchdog group Citizen Lab reported Wednesday
Packrat: Seven Years of a South American Threat Actor (Citizen Lab) This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil
Millions of websites managed by WordPress, Drupal and Joomla could be vulnerable to XSS, SQLi attacks (FierceITSecurity) Millions of websites managed by WordPress, Drupal and Joomla could be vulnerable to cross-site scripting and SQL injection attacks, warned app security firm Veracode
Known Security Flaw Found In More Antivirus Products (Dark Reading) A vulnerability discovered earlier this year in AVG software also spotted in Intel McAfee, Kaspersky Lab AV products
Four Out of Five Applications Written in Web Scripting Languages Fail OWASP Top 10 Upon First Assessment (Veracode) Veracode, a leader in protecting enterprises from today's pervasive web and mobile application threats, today released a supplement to the 2015 State of Software Security: Focus on Application Development, a report based on benchmarking analytics from its cloud-based platform
Inadvertently Disclosed Digital Certificate Could Allow Spoofing (Microsoft Security TechCenter) Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue
Microsoft's New Windows 10 IoT Core Pro Could Spell Trouble For Security (TechTimes) Microsoft's Windows 10 IoT Core Pro version is designed to allow OEMS to defer and control updates through Windows Server Update Services (WSUS)
Personal info of 12+ million Dutch mobile phone owners easily accessible to hackers (Help Net Security) Sijmen Ruwhof, a freelance IT security consultant and ethical hacker from Utrecht, recently stumbled across what turned out to be an example of how poor security practices of business partners can result in the compromise of a company's customer data — in this case, the compromise of personal data of basically all Dutch citizens who own a mobile phone
This Bot Is Out for Brains: ElasticZombie Exploiting Elasticsearch Vulnerabilities (Recorded Future) While recently mining our Recorded Future alerts (event, entity, and keyword matches on the Web) for new attacker TTPs (techniques, tactics, and procedures) we came across an interesting and trending text fragment — ElasticZombie Botnet
The German Underground: Buying and Selling Goods via Droppers (TrendLabs Security Intelligence Blog) The recent Paris attacks were carried out with both guns and explosives. While the perpetrators probably made the latter themselves, they could not do the same for their guns. So where did they turn to? One option may have been: the Deep Web
Attackers are building big data warehouses of stolen credentials and PII (CSO) Attackers are swapping, selling, and associating increasing stores of linked PII and credentials to run deeper, broader, and more stealthy information invasions
North America's Cyber 'Underground' Still Relies on Surface Web (Infosecurity Magazine) Forget the Deep Web; North America's Cybercrime underground is as open and free-to-enter as they come, but no less stocked with stolen data, contraband and illegal services, according to a new Trend Micro report
For sale: Hacking expertise (Channelnomics) Cyber criminals gain traction with 'as-a-service' hacking operations
Universities suffer cyber-attack (BBC) University students across the UK have been unable to submit work, after the academic computer network known as Janet came under cyber-attack
Blog of News Site "The Independent" Hacked, Leads to TeslaCrypt Ransomware (TrendLabs Security Intelligence Blog) The blog page of one of the leading media sites in the United Kingdom, The Independent, has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed The Independent about this security incident. However, the site is still currently compromised and users are still at risk
MaineGeneral, FBI probe cyber attack (Healthcare IT News) 'We continue to investigate precisely what happened'
Hello Barbie, Can We Talk About Your Security Issues? (TechNewsWorld) New security issues that surfaced last week in connection with Mattel's Hello Barbie doll, which talks back to kids, have heightened fears that hackers could use the toy to steal information about its owners and their families
Child's Play: Hacking the Internet of Things (PD&D) A company called VTech based in Hong Kong makes smart toys for kids. One of their tablet products can connect to a parent's smartphone with a service called KidConnect, allowing children to send photos and text messages to their parents
Facebook hoax alert! No, Mark Zuckerberg is not giving $4.5m to people like YOU and ME (Naked Security) OMG!! Did you hear that new dad Mark Zuckerberg is giving away $45 billion of Facebook stock and that for some reason none of the news articles about it have mentioned the fact that 10% of it is being given to Jane and Joe Schmoes like you and me if we just copy and paste this message about it which has a smiley face that makes me feel all warm and fuzzy and trusting?
100,000 laptops and phones left in UK bars each year (Help Net Security) UK bars guzzle up a staggering 138,000 mobile phones and laptops each year, and alarmingly 64 percent of the devices do not have any security protection installed, which means anyone can gain access to the contents they hold
Security Patches, Mitigations, and Software Updates
Adobe, Microsoft Each Plug 70+ Security Holes (KrebsOnSecurity) Adobe and Microsoft today independently issued software updates to plug critical security holes in their software
Microsoft Patches 71 Flaws, Two Under Attack; Warns of Leaked XBox Live CERT (Threatpost) Forgive your local Windows admin if they're a little shy on holiday cheer in the coming days. Blame instead Microsoft for foisting upon them on Tuesday 71 security patches, including two for vulnerabilities in Office and the Windows kernel currently under attack
Microsoft Security Bulletin Summary for December 2015 (Microsoft Security TechCenter) This bulletin summary lists security bulletins released for December 2015
Security updates available for Adobe Flash Player (Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system
Apple Releases Multiple Security Updates (US-CERT) Apple has released security updates for iOS 9.2, tvOS 9.1, OS X, watchOS 2.1, Safari 9.0.2, and Xcode 7.2 to address multiple vulnerabilities, one of which could allow a remote attacker to take control of an affected system
Stable Channel Update (Chrome Releases) The stable channel has been updated to 47.0.2526.80 for Windows, Mac, and Linux. This release contains an update to Adobe Flash Player (22.214.171.124) and security fixes
Four critical Android bugs patched, one could lead to permanent device compromise (Help Net Security) Google's December security update for Android has been pushed out to Nexus devices on Monday, and it contains fixes for 19 vulnerabilities, four of which are deemed "critical"
Pearl Harbor Should Remind Us What Real War Looks Like; Cyber Attack Isn't It (Forbes) Yesterday, Americans remembered that day that still lives in infamy, the day in 1941 when the Imperial Japanese Navy carried out a devastating surprise attack on the U.S. Navy base at Pearl Harbor, Hawaii
DirectTrust predicts the end of Meaningful Use (FierceHealthIT) Interoperability, "freed" health data, patient engagement and data security among trends to watch in 2016
Retailers Inadequately Secured Against Risks From Temporary Workers (Dark Reading) Retailers recognize temps are higher-risk, but have lower visibility into their activity
All those scary hacks are creating a lot of demand for certain computer experts (Boston.com) According to the 2015 Global Information Security Workforce Study
When Ethical Hacking Can't Compete (Atlantic) Companies are paying "white hat" hackers to probe their cybersecurity systems for weaknesses — but some say that so far, they aren't paying enough
Yahoo Is Reportedly Not Going To Spin Off Stake In Alibaba (TechCrunch) Yahoo is not going to spin off its 15% stake in e-commerce giant Alibaba, according to sources cited by CNBC. Instead, Yahoo is going to look into selling its core Internet business
General Dynamics unit to partially fund Va. cybersecurity accelerator (Washington Post) Since accepting its first class of start-ups at the beginning of 2013, cybersecurity start-up incubator Mach37 has been run entirely on public funding. That's about to change
Symantec Invests $50M in Cyber Security (CCM) Symantec has announced its plan to invest more than $50 million in its global cyber security services
Tech Five: FireEye jumps off upgrade (USA Today) Shares of security company FireEye are up in early trading off a recent stock upgrade
The future of LastPass — what is next for the Internet's top password manager? (Computerworld via CSO) LogMeIn seems to be attracted to the value in retaining the large user base that LastPass built over many years
Products, Services, and Solutions
F-Secure Launched New Version of SAFE to Deliver a Simplified User Experience for the Whole Family (MarketWired) F-Secure redesigns SAFE to help users protect themselves and each other with a single security service
Bromium vSentry and LAVA 3.0 Deliver Complete Threat Protection (MarketWired) Company doubles revenue in response to enterprise demand to prevent targeted attacks that bypass traditional security solutions
Exostar Launches Cybersecurity Risk Assessment Solution (BusinessWire) Partner Information Manager allows organizations to identify and address vulnerabilities throughout their global, multi-tier supply chains
Fighting back against DNS based zero-day attacks (Computer Business Review) Infoblox aims to cut down on DNS data exfiltration
IBM opens SIEM security analytics platform to custom app development (FierceCIO) IBM today opened up its security analytics platform IBM Security QRadar to developers looking to build custom security apps
Technologies, Techniques, and Standards
The Problem with Email: The Security and Challenges of Corporate's Favorite Communication Method (Legaltech News) While email is still the primary method of business communication, it brings with it tremendous cybersecurity risks
Seven Steps for Making Identity Protection Part of Your Routine (US-CERT) The Internal Revenue Service (IRS) has released the third in a series of tips intended to increase public awareness of how to protect personal and financial data online and at home
Enforcing USB Storage Policy with PowerShell (Internet Storm Center) In a previous diary, I presented the CIRCLean (USB sanitizer) developed by the Luxembourg CERT (circl.lu). This tool is very useful to sanitize suspicious USB sticks, but it lacks control and enforcement. Nevertheless, how do we prevent the user from inserting the original USB stick into a port on his computer?
Study Finds More Companies Have Data Breach Response Plan, But Still Lack Crucial Steps (IT Business Edge) Amidst today's threat landscape, it is a positive sign that businesses have acknowledged data breaches as a corporate issue they must prepare for
IT personnel and executives: Worst at security (TechRepublic) It's not always external attacks that can hinder network performance and put data at risk. Sometimes the problem exists with your users — especially the ones who should know better
Advent tip #9: Think before you share on social media (Naked Security) Maybe it sounds obvious, but oversharing on social media is a BAD idea
Design and Innovation
Symantec to say goodbye to passwords with biometric technology (ZDNet) In an effort to improve security, Symantec will be releasing a host of capabilities next year that will feature biometric technology instead of relying on passwords
Security Issues that Deserve a Logo, Part 1: Glimpse (Tenable Network Security Blog) Since April 2014, a new trend in security has experienced a meteoric rise, with headlines grabbed in both mainstream media and the tech press
Perimeter Inversion: Turning Digital Security Inside Out (Dark Reading) We need security solutions that are designed from the ground up to operate in today's dynamic environment
Research and Development
NASA, Google reveal quantum computing leap (ITWorld) In an experiment, a quantum computer outperformed a conventional machine by 100 million times
IBM tapped by US intelligence agency to grow complex quantum computing technology (Network World) Intelligence Advanced Research Projects Activity filling out its quantum systems development program
Australian university launches cyber security master's degree (ComputerWeekly) The University of New South Wales in Canberra has launched a master's course in cyber security, strategy and diplomacy
Legislation, Policy, and Regulation
Kazakhstan's New Encryption Law Could Be a Preview of US Policy (Defense One) The Central Asian country will require 'back doors' that will allow the government to surveil and censor Internet traffic
UN plans special meeting on technology and counter-terrorism (FierceGovernmentIT) A counter-terrorism committee established by the United Nations Security Council in the wake of the Sept. 11 attacks will hold a special meeting on preventing and combating abuse of Internet and communications technology for terrorist purposes
US-Singapore Defense Agreement Eyes Collaboration on Cyber, Disaster Relief (ExecutiveGov) The U.S. and Singaporean governments have signed an agreement that aims to expand bilateral defense relations between the two countries, DoD News reported Monday
Senators revive bill requiring tech sector to report online terror activity (Ars Technica) Feinstein says bill will help authorities "identify and prevent terrorist attacks"
Lawmakers still at impasse over cyber bill (The Hill) Lawmakers seeking a compromise on the final text of major cybersecurity legislation are still at an impasse, a co-sponsor of one of the bills said Tuesday afternoon
3 Ways Silicon Valley Could Help Fight Terrorism (Time) Disrupting ISIS is complicated, and doing so could create other problems
Tech sector denounces bill requiring firms report terrorist activity (Christian Science Monitor Passcode) In the wake of terrorist attacks in California and Paris, Sens. Dianne Feinstein and Richard Burr are reviving a controversial proposal requiring social media sites report terrorist activity to federal authorities
Cyber jobs open for junior enlisted who want to reclassify (Army Times) The Army has posted a "help wanted" sign for qualified junior enlisted soldiers interested in reclassifying to MOS 17C, cyber operations, a specialty with good promotion opportunity and career prospects for the future
Army Implements Online Storefront for Tactical Communication Security Tools (ExecutiveGov) The U.S. Army has implemented a virtual storefront that works to help soldiers obtain cryptographic tools for the security of laptops, radio systems and other communication platforms used in the battlefield
Litigation, Investigation, and Law Enforcement
Suspected 'Islamic State' recruiters arrested in Spain (Deutsche Welle) Spanish police have arrested two people on suspicion of forming an 'Islamic State' (IS) group cell and recruiting and indoctrinating Islamic militants. The pair had made specific threats against Spain and France
San Bernardino shooting planned a year in advance: report (The Hill) Last week's mass shooting in San Bernardino, Calif., that killed 14 was reportedly planned up to a year in advance
Bulk Phone Records Collection & San Bernardino (Overt Action) The recent terrorist attack in San Bernardino has kicked up yet another round of debate regarding NSA's bulk phone records collection program, which was officially ended on November 29th, in accordance with requirements of the USA FREEDOM Act
California terror attack shows difficulty ID'ing terrorists (Military Times) By the time the married couple who carried out the deadly San Bernardino terrorist attack came to the attention of police, it was far too late
Meet the woman in charge of the FBI's most controversial high-tech tools (Washington Post) In the aftermath of Wednesday's shooting rampage in San Bernardino, FBI teams recovered computer hard drives, flash drives and crushed cellphones left by the attackers
FBI admits it uses stingrays, zero-day exploits (Ars Technica) The "queen of domestic surveillance" inches closer to hot-button topics
Ohio man accused of making threats against military members (Military Times) An Ohio man who prosecutors say was sympathetic to the Islamic State posted the names and addresses of 100 members of the military on social media and called for them to be killed, according to a federal indictment issued Tuesday
Ex-IBM employee from China arrested in U.S. for code theft (Reuters) A former software engineer for IBM Corp in China has been arrested by U.S. authorities for allegedly stealing proprietary source code from his former employer, prosecutors announced on Tuesday
Police target UK's young cybercriminals (BBC) Teenagers committing crimes online are being targeted by the National Crime Agency
Bitcoin's Creator Satoshi Nakamoto Is Probably This Unknown Australian Genius (Wired) Even as his face towered 10 feet above the crowd at the Bitcoin Investor's Conference in Las Vegas, Craig Steven Wright was, to most of the audience of crypto and finance geeks, a nobody
Australian police raided the home of the man who may have created bitcoin (Quartz) Hours after a long profile was published in Wired magazine naming Craig Steven Wright, a relatively obscure Australian, as the secretive creator of the digital currency bitcoin, police are reportedly raiding his home over a tax investigation
Sophos settles legal claims with US rival (fastFT) Sophos, the recently-listed UK cyber security group, has settled with US competitor Fortinet following a lawsuit that accused it of stealing patents and staff
Find My iPhone Search Ends in Violence (Intego) As we have detailed in the past, there are many examples of cases where "Find my iPhone" has helped save lives or helped law enforcement agencies locate criminals too dumb to disable it
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
Billington CyberSecurity INTERNATIONAL Summit (Washington, DC, USA, Apr 5, 2016) On April 5, in Washington, D.C., join leading cybersecurity officials from across the globe at the Billington CyberSecurity INTERNATIONAL Summit to engage in an intensive information exchange between leading US and global corporate and government executives
Program on Cyber Security Studies (PCSS) (Garmisch-Partenkirchen, Germany, Dec 2 - 17, 2015) The Marshall Center has developed a comprehensive program to explore the increasing domestic, international and transnational challenges in cyber security. Our goal is to provide a comprehensive, policy-focused, non-technical cyber security program that emphasizes and teaches senior key leaders how to best make informed decisions on cyber policy, strategy and planning within the framework of whole-of-government cooperation and approaches
Passwords 2015 (University of Cambridge, England, UK, Dec 7 - 9, 2015) More than half a billion user passwords have been compromised over the last five years, including breaches at internet companies such as Target, Adobe, Heartland, Forbes, LinkedIn, Yahoo, and LivingSocial. Yet passwords, PIN codes, and similar remain the most prevalent method of personal authentication. Clearly, we have a systemic problem. This conference gathers researchers, password crackers, and enthusiastic experts from around the globe, aiming to better understand the challenges surrounding the methods of personal authentication and passwords, and how to adequately solve these problems. The Passwords conference series seeks to provide a friendly environment for participants with plenty of opportunity to communicate with the speakers before, during, and after their presentations
ACSAC (Annual Computer Security Applications Conference) (Los Angeles, California, USA, Dec 7 - 11, 2015) ACSAC is one of the most important cyber security conferences in the world, and the oldest information security conference held annually. Researchers, government representatives, academia and security professionals of all types gather at ACSAC to discuss the latest developments in the infosec industry. The core mission of this conference is investigating practical solutions for computer security technology. This year's edition will especially focus on security and privacy in the Internet of Things era
Cyber Risk Wednesday: 2016 Threat Landscape (Washington, DC, USA, Dec 9, 2015) To discuss how 2016 will likely challenge today's security thinking and what we can learn from the past year's developments and these trends, please join the Atlantic Council's Cyber Statecraft Initiative on Wednesday, December 9 from 4:00 p.m. to 5:30 p.m. for a moderated panel discussion with a group of prominent cybersecurity experts
NSA RCTCON (Fort Meade, Maryland, USA, Dec 9, 2015) The NSA RCTCON industry exposition will be attended by 250-300 IC (Intelligence Community) cyber personnel working on solutions to the current cyber threats that face the U.S.
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
cyberSecure (New York, New York, USA, Dec 15 - 16, 2015) Today's business leaders recognize that a multi-disciplinary approach is critical to protecting the bottom line. What's too often missed is a vision that incorporates best practices that allow you to add value to your company and shareholders DURING and POST breach. Enter ALM cyberSecure. A unique professional event providing an all-encompassing view and the relationships necessary to protect enterprises during all phases, across all departments, while keeping revenue on track