The CyberWire Daily Briefing 12.10.15
Marketers look at why people join ISIS/Daesh, and their findings aren't too surprising: recruits want status, identity, revenge, redemption, responsibility, thrills, ideological triumph, justice, or death (roughly in that order). And those motives shape Daesh information operations.
An unusual DDoS amplification attack last week on the thirteen Internet root name servers, now disclosed and under discussion, puzzles observers. How it was carried out isn't too mysterious (probably through a large botnet), but why it was undertaken remains unknown. Few users would have noticed the attack, but Root Server Operations certainly did.
Bugsec and Cynet describe a vulnerability (they're calling it "FireStorm") in next-generation firewalls. It appears to enable an attacker to extract data through the firewall with only a TCP handshake.
Several companies, mostly in the travel or tourism business, are "scrambling" to encrypt the mobile apps their customers used for payment. Reports suggest that as many as half-a-million people a day have been losing their credit card information.
Singapore banks warn that a bogus WhatsApp update is stealing paycard information.
British universities are still working to mitigate the DDoS attack that's been interfering with their Janet network.
Chinese authorities defend censorship as international talks on Internet governance approach.
Passcode looks at Iran's cyber operational capabilities and sees long-term preparation for asymmetric warfare. Politico looks at corresponding American capabilities, thinks they're really good, and wonders when the Americans are going to start really using them.
Governments in Europe and North America show uneasy tension between aspirations for security and surveillance.
Notes.
Today's issue includes events affecting Australia, China, European Union, Iran, Iraq, Japan, Democratic People's Republic of Korea, Republic of Korea, Nigeria, Singapore, South Africa, Syria, United Kingdom, United Nations, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Why Do People Join ISIS? Here's What They Say When You Ask Them (Defense One) A marketing communications company gets the Pentagon's attention by identifying nine reasons
Pentagon blasts ISIS proposals that would lead to 'apocalyptic war' (The Hill) The Pentagon on Wednesday criticized proposals to fight the Islamic State in Iraq and Syria (ISIS) that it says would fuel the terrorist group's recruitment abilities
Attack floods Internet root servers with 5 million queries a second (Ars Technica) Unusually large torrents renew calls to better protect vital Internet resource
Internet Root Name Servers Survive Unusual DDoS Attack (Threatpost) An unusual DDoS amplification attack was carried out 10 days ago against many of the Internet's 13 root name servers, the authoritative servers used to resolve IP addresses
Events of 2015-11-30 (Root Server Operations) On November 30, 2015 and December 1, 2015, over two separate intervals, several of the Internet Domain Name System's root name servers received a high rate of queries. This report explains the nature and impact of the incident
BugSec, Cynet Uncover Large-scale Vulnerability on Next Generation Firewalls Code-Named FireStorm (Virtual Strategy Magazine) Hundreds of millions of enterprise networks worldwide open to attack
FireStorm: Severe Security Flaw Discovered in Next Generation Firewalls (Bugsec Blog) BugSec Group and Cynet discovered a severe vulnerability in Next Generation Firewalls. Head of Offensive Security Stas Volfus uncovered the vulnerability, code-named FireStorm, which allows an internal entity or malicious code to interact and extract data out of the organization, completely bypassing the firewall limitation. It was discovered that the firewalls are designed to permit full TCP handshake regardless of the packet destination
Airline Customers' Data Exposed by HTTPS Hole — Report (Infosecurity Magazine) Serious security holes have been found in the mobile sites and apps of several big name airline and rail companies, exposing payment data and sensitive personally identifiable information (PII)
These are the Mobile Sites Leaking Credit Card Data for up to 500,000 People a Day (Fast Company) Security firm says companies such as EasyJet and the San Diego Zoo weren't using basic encryption, affecting half a million daily users
Aer Lingus, easyJet and Chiltern Railways accused of exposing credit card data (V3) Flaws in the mobile websites of major firms operating in the UK including easyJet, Aer Lingus and Chiltern Railways have resulted in sensitive user data being transmitted without encryption, according to mobile security firm Wandera
Companies scramble to bolster encryption on mobile apps (IDG via Computerworld) Their mobile apps were transmitting payment card information without encryption
Phony WhatsApp update could cost you much more than a dollar (Naked Security) A bank industry group in Singapore is warning customers about malware hitting Android phones that can steal credit card numbers and other customer details for fraudulent purchases
DDoS attack disrupting Janet network (Jisc) We have been experiencing a targeted and sustained set of attacks on the Janet network
No, you don't have to be ISIS to pull off a DDoS attack (Graham Cluley) For a couple of days Janet, the academic computer network used by universities and colleges up and down the UK, has been hit by a significant distributed denial-of-service attack
New Targeted Attack Group Buys BIFROSE Code, Works in Teams (TrendLabs Security Intelligence Blog) Recently, we uncovered a new cyber-espionage attack by a well-funded and organized group targeting companies close to governments and in key industries mostly in Asia
Sea Craft Voyage Data Systems Vulnerable To Tampering, Spying (Dark Reading) Remote attackers could snoop on or corrupt the systems that collect and store radar images, vessels' position and speed, and audio recorded in the ships' bridge or engine room
Malware Targeting Steam Traders Banks on New Escrow System (Malwarebytes Unpacked) "Steam escrow" — This is the term some video game players are familiar with, but officially, it's known as the "Steam trade hold" system
Watch out for malware disguised as unpaid invoices! (Hot for Security) Once again email users are being warned to be wary of unsolicited attachments arriving in their inboxes after online criminals spammed out a malware campaign designed to infect recipient's computers
Cyber attackers using bitcoin, despite traceability (CNBC) It's been used for illicit dark web drug deals, it may well be the future of banking, and it's driving speculators on a wild ride — bitcoin is many things to many people. For an increasing number, however, the cryptocurrency is a tool for extortion
Cyber Crime Underground Runs Like Regular Business (LowCards) The North American cybercriminal underground is not hidden or exclusive, as it is in other countries
Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click (Wired) Malvertising is when hackers buy ad space on a legitimate website, and, as the name suggests, upload malicious advertisements designed to hack site visitor's computers
Security Patches, Mitigations, and Software Updates
SAP Security Notes December 2015 — Review (ERPScan) SAP has released the monthly critical patch update for December 2015. This patch update closes 26 vulnerabilities in SAP products (19 Patch Day Security Notes and 7 Support Package Security notes), 16 of which are high priority
Cyber Trends
US named 'least trusted' nation on data privacy, data security (FierceBigData) According to a just released Ovum survey [reg. req.], a global technology research and advisory firm, conducted on behalf of SaaS provider Intralinks, the U.S. is the "least-trusted nation" in regards to data privacy and secure data storage practices
UK and US Bankers fear cyber attack more than economic crisis (Independent) The survey found that criminality is now ranked second globally, because of the alarming rise in cybercrime and fraud
DDoS attacks increase in number, endanger small organizations (IDG via CSO) The power of DDoS attacks decreased in recent months, but their number rose significantly
Top IoT concerns? Data volumes and network stress (Help Net Security) The scaling out to many thousands of devices per organization represents a wealth of new opportunities, according to a report by Quocirca
Retailers are unaware of sensitive data leaks (Help Net Security) A significant amount of retailers assign the same login credentials to employees and do not know if employees have leaked sensitive data — in spite of the majority claiming full confidence that their sensitive information is sufficiently protected
Demand for new malicious programs reaches saturation point (Help Net Security) According to Kaspersky Lab, the number of new malware files detected by its products in 2015 decreased to 310,000 a day, falling 15,000 from the 2014 number of 325,000
Forecast 2016: Security takes center stage (Computerworld via CSO) After a year of high-profile hacks, security is top of mind for tech execs in 2016
Coalfire's 2016 Cybersecurity Predictions (BusinessWire) CEOs fired, Securing IoT, and Cyber Insurance to Dominate Headlines in 2016
Cyberattacks will compromise 1-in-3 healthcare records next year (Computerworld via CSO) Virtual care to become the norm
Cyber Risk to Healthcare Sector Continues to Grow, FBI Says (Health Data Management) Hackers are targeting the healthcare industry because of the abundance of personally identifiable information and protected health information, as well as inherent cybersecurity vulnerabilities, and the trend will continue to grow
CloudLock's Q4 Cybersecurity Report Reveals Excessive Sharing in the Cloud Is Top Concern for 83 Percent of Technology Firms (Cloudlock) New data breaking down cloud risk by industry reveals that only 5 percent of organizations on average take active steps towards protecting credentials
SANS report finds data science, machine learning improve traditional security methods (FierceBigData) Many InfoSec pros scoff at the notion that big data, data science, behavioral analysis and machine learning have any appreciable effect on security
IoT and the Supply Chain: The Complexity of Staying Connected (Supply Chain 24/7) The tech world is abuzz with how the Internet of Things (IoT) will change everything — usually for the better; it could be the dawn of incredible connectivity, speed and efficiency
ACC Study: Almost One-Third of In-House Counsel Say They Have Had Data Breach (Legaltech News) Employee error is the most likely cause of a breach, the study shows
The Employee Password Habits That Could Hurt Enterprises (Dark Reading) While education and efforts around online credentials are improving, password hygiene still has problems
Opinion: When it comes to privacy, youth sports strike out (Christian Science Monitor Passcode) Youth sports teams collect lots of personal information about kids — addresses, photos, birthdays — but often don't do a good job of protecting the data. Parents can change that by trying to ensure leagues properly collect, store, and eventually delete young players' details
Marketplace
Cyber Insurance Underwriting Moves from 'Toddler' to 'Teen' As Insurers Learn from Claims (Insurance Journal) Given the fact that the insurance industry paid out more than $400 million in highly publicized cyber liability insurance claims in 2014 alone, one might think that insurers would be shying away from the line
Courion acquires Boston's Core Security (Atlanta Business-Chronicle) Identity and access management technology company Courion has acquired Boston-based Core Security for an undisclosed sum
L-3 Communications (LLL) to Shed NSS Business for $550M (Zacks) Aerospace and defense company L-3 Communications Holdings Inc. (LLL) announced that it has signed a definitive agreement to sell its National Security Solutions ("NSS") business to CACI International Inc. (CACI) for $550 million in cash
Another Cybersecurity Firm Looks To Go Public (PYMNTS) Bloomberg Business is reporting that Blue Coat Systems has been taking pitches from investment banks for an initial public offering. This comes just nine months after the Internet security provider was acquired by private equity firm Bain Capital Partners LLC
Data Analysis Firm Palantir Technologies Discloses $129M In New Funding (TechCrunch) Palantir Technology, the data analytics firm whose clients include the U.S. Government, has raised $129 million in new funding
IBM Security's new signal caller announces a West Coast offense (CSO) Marc van Zadelhoff has an exciting new strategy for IBM Security
AhnLab breeds software specialists (Korea Times) AhnLab, the computer security software provider, said Thursday that it has put together an education course to train more software specialists
Solutionary Renames Consulting Practice Professional Security Services (CNN Money) Name change reflects focus on advisory services for entire security lifecycle
Tenable Network Security Recognized as a 2016 'Best Place to Work' by Glassdoor (Tenable Network Security) Leading producer of next-generation cybersecurity software wins Employees' Choice Award based on reviews, employee satisfaction, career opportunities, benefits and company culture
CloudLock Named #3 Best Place to Work in the U.S. by Glassdoor (MarketWired) Perfect 5.0 rating based on employee feedback secures Top 3 Employees' Choice Award
Illumio's PJ Kirner Named an Innovator of the Year (MarketWired) Illumio CTO and founder PJ Kirner has been named a silver winner in the Innovator of the Year category by Best in Biz Awards, the only independent business awards program judged by members of the press and industry analysts
Products, Services, and Solutions
RiskIQ Makes Facebook Threat Intelligence Accessible to Security Researchers (VAR Guy) Security and visibility and intelligence provider RiskIQ has integrated its PassiveTotal threat analytics platform with Facebook's threat intelligence sharing platform, giving its customers broader access to data that could help them prevent and protect against Internet security threats and improve their overall security posture, the company said
Airbus Defence and Space to provide cyber security services for TV5MONDE (Airbus) Following the cyber attack on the worldwide French-speaking television channel on 8 April, Airbus Defence and Space implemented the Keelback Net cyber sensor in record time
Insurer now offering "troll insurance" for victims of online harassment (Ars Technica) Claims of up to $75,000 can be made for counseling, relocation, or missed work
Technologies, Techniques, and Standards
Proactive Cybersecurity: Inside the Evolution and Risks of an Offensive Strategy (Legaltech News) Panelists at ALM cyberSecure will discuss what makes a successful strategy, and the things that can easily go wrong
Defining a Data Breach Response Plan Starts with Understanding (Legaltech News) Upcoming cyberSecure panel discusses the baseline for a plan and the trigger points of a response
Turn the Cyber Kill Chain against your attacker (Help Net Security) As businesses move to the cloud, the rapid adoption of Infrastructure as a Service (IaaS) is no surprise. Unfortunately, securing the cloud and the data within it is no easy task
Detect and respond security too little too late: Palo Alto Networks (ZDNet) Palo Alto Networks believes that the best method for protecting a business from a cyber breach is prevention and that security vendors should not succumb to the idea of cleaning up the mess after it has happened
IT Support to Ensure Data Security is Vital (Information Security Buzz) Even with the increase of awareness and development of sophisticated technology used to counter these attacks, hackers still manage to find their way into confidential data
Managed security service providers: Weighing the pros and cons (TechTarget) Using a managed security service provider can be an appealing option to enterprises, but there are many factors to consider before making the move to outsourcing
Thinking outside the product box (CSO) The dynamic nature of the cyber threat landscape guarantees that the threats and the actors behind them are always evolving, increasing in sophistication in order to circumvent the most robust security devices
Security Think Tank: Pen testing must be followed by action (ComputerWeekly) How can an organisation ensure they get value from penetration and security testing services?
Uninstalling Problem Applications using Powershell (Internet Storm Center) In my last story, we went over winnowing through a Nessus scan to determine which apps you might want to patch
Advent tip #10: Don't put off those updates! (Naked Security) Lots of us do it. We know there's an update available, and we know perfectly well that it serves a vital security purpose
Design and Innovation
NASA stays mum on its quantum computer security (Computerworld) Agency quickly deflects talk of anti-hacker measures
Can you solve the British spy agency's ridiculously difficult Christmas puzzle? (Quartz) What better way to celebrate the holidays than to agonize over a really difficult brainteaser? Britain's spy agency, better known as GCHQ, has stuck a puzzle in its Christmas card this year
Research and Development
Air Force wants smarter data mining (C4ISR & Networks) The Air Force is looking for analytical techniques that can perform smarter data mining
Academia
New CSUF center elevates cybersecurity studies (Orange County Register) When a stranger is at your door, do you casually step aside and allow them to enter your home without knowing anything about them or their reason for visiting?
Legislation, Policy, and Regulation
China's cyber chief defends censorship ahead of Internet conference (Reuters) China's cyber chief rejected criticism on Wednesday that the country's Internet was too censored, arguing ahead of a major state-sponsored Internet conference that order was a means to online freedom
Bull in a china shop approach to fighting bane of cyber crime (Times Live) As it did with the infamous "Secrecy Bill", which criminalises journalists and whistle-blowers for possessing and disseminating state information, the government has adopted a hopelessly broad and overzealous approach in its attempt to combat the growing scourge of cyber crime
The Imperatives of Cyber Security (This Day Live) Given the new dimension of global cyber attacks, Emma Okonji writes on the need for Nigeria to align with the rest of the world to address insecurity in cyberspace
Opinion: Why Iran is sharpening its cyberarms arsenal (Christian Science Monitor Passcode) It's not because of Stuxnet. Iran has been developing cyberweapons long before the cyberattack as nation-states have moved toward strategies of asymmetric warfare
America's secret arsenal (Politico) It's one of the biggest secrets in the government: The U.S. has the most powerful cyberweapons on Earth. So what are they? And when will we use them?
Cleaning Up U.S. Cyberspace (Council on Foreign Relations) The U.S. government's effort to persuade other countries to adopt norms of responsibility for cyberspace faces a significant obstacle: computers located in the United States host much of the malicious software used to carry out cyberattacks
Australia needs calibrated deterrence against cyber attacks (Interpreter) Another day sees yet another announcement of a major cyber breach at a government agency, this time unfortunately on Australian soil at the Bureau of Meteorology (BoM)
The European Union's case of doublethink: New cybersecurity rules and backdoor dreams (ZDNet) The EU wants critical service providers to ramp up their security — while in the same breath members are fighting encryption and considering mandatory backdoors in software
Costs And Risks Of UK's Draft Surveillance Powers Probed (TechCrunch) A U.K. parliamentary committee tasked with scrutinizing the new surveillance powers contained in the draft Investigatory Powers Bill has heard several contradictory views on the proposed legislation
After terrorist attacks, the debate over encryption gets new life (Washington Post) In the wake of the terrorist attacks in Paris and California, there is growing sentiment among security hawks on Capitol Hill for legislation to ensure that law enforcement has access to encrypted communication
FBI Director: Silicon Valley's encryption is a "business model problem" (Ars Technica) "Makers of phones that today can't be unlocked — a year ago they could be"
Bill requiring reporting of social media terrorist content is back (Naked Security) A pledge of allegiance to the Islamic State (IS) — otherwise known as Daesh — that might have been posted to Facebook by suspected terrorist Tashfeen Malik has prompted US lawmakers to revive a bill that would require technology companies such as Facebook and Twitter to report suspected online terror activity
Privacy concerns delay final passage of cybersecurity info-sharing bill (USA Today) Final passage of legislation to thwart hack attacks is being delayed as lawmakers clash over how best to protect the privacy of Americans' personal information
White House reviewing cyber compromise (The Hill) The White House is reviewing a near-final draft of major cybersecurity legislation that would encourage companies to share more data on hackers with the government, according to multiple people with direct knowledge of the negotiations
FBI: Too soon to tell if NSA reform is hurting investigations (The Hill) It's too early to tell whether new limits on federal surveillance powers are affecting the government's ability to track terrorists, the head of the FBI said Wednesday
Homeland Security's role in cybersecurity (CSO) Watch an exclusive interview with Homeland Security Deputy Secretary Alejandro N. Mayorkas
Survey: Majority of agencies follow NIST Cybersecurity Framework (GCN) With the rising tide of cybersecurity threats to government networks, one good sign is that the overwhelming majority of federal agencies are following guidance provided by the National Institute of Standards and Technology's cybersecurity framework
Security pro urges prez candidates to prioritize cybersecurity (SC Magazine) Although the overflow of rhetoric early in the political season has left very little room for numerous issues in the runup to next year's presidential election, Bit9+Carbon Black Chief Security Strategist Ben Johnson is hoping to raise the profile of cybersecurity and put it on candidates' docket in time for the next debate
DoD CIO Says Spectrum May Become Warfighting Domain (Breaking Defense) Pentagon officials are drafting new policy that would officially recognize the electromagnetic spectrum as a "domain" of warfare, joining land, sea, air, space, and cyberspace
Air Force activates five new cyber squadrons (Defense Systems) The Air Force is putting its expanding cyber workforce in place, with the service's cyber wing announcing that several new cyber groups were activated at the beginning of the month
Michigan Air National Guard base beefing up cyber defense (Daily Press) The U.S. Defense Department has announced the Battle Creek Air National Guard base will host a team to support the military's cyber defense efforts
Nebraska will be home to one of Army National Guard's new cyber protection teams (Omaha.com) Nebraska will soon be home to one of the Army National Guard's new cyber protection teams, the National Guard Bureau announced Wednesday
Litigation, Investigation, and Law Enforcement
San Bernardino killers not part of larger cell, US top prosecutor says (Al Jazeera) Attorney General Loretta Lynch says radicalization of the couple appears to have gone on for some time
FBI says it is refocused on movement of Islamic State recruits into U.S. (Los Angeles Times) The deadly rampages in Paris and San Bernardino have added new urgency to Obama administration efforts to prevent fighters who trained with Islamic State or other extremist groups in Iraq and Syria from launching terrorist attacks when they return home
FBI won't confirm or deny buying cyberweapons from Hacking Team, but yeah they did (BoingBoing) Back in July, a hacker dumped the emails and other files from Hacking Team, Italy's notorious cyber-arms dealer. Coincidentally, Vice had recently filed a Freedom of Information Act request with the FBI, asking if they were buying cyberweapons from Hacking Team
Wyndham settles U.S. data breach charges, in an FTC first (Reuters) The Federal Trade Commission has settled a lawsuit accusing hotel group Wyndham Worldwide Corp (WYN.N) of failing to properly safeguard customer information, in a case arising from three data breaches affecting more than 619,000 customers
Home Depot counterattacks financial institutions over MasterCard issues (Business Insurance) The Home Depot Inc. has fired back a response to last week's filing by plaintiffs attorneys representing financial institutions in litigation over its 2014 cyber breach
'Pedo hunter' who posed as teen to extort others accepted payment in Amazon vouchers (Naked Security) A 48-year-old man from South Wales was jailed in June for planting child abuse images on the computers of other men and then extorting a total of £40,000 from them
Former US Embassy staffer pleads guilty to all counts in sextortion scheme (Ars Technica) Michael C. Ford, from his London desk, targeted hundreds of women
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Program on Cyber Security Studies (PCSS) (Garmisch-Partenkirchen, Germany, Dec 2 - 17, 2015) The Marshall Center has developed a comprehensive program to explore the increasing domestic, international and transnational challenges in cyber security. Our goal is to provide a comprehensive, policy-focused, non-technical cyber security program that emphasizes and teaches senior key leaders how to best make informed decisions on cyber policy, strategy and planning within the framework of whole-of-government cooperation and approaches
ACSAC (Annual Computer Security Applications Conference) (Los Angeles, California, USA, Dec 7 - 11, 2015) ACSAC is one of the most important cyber security conferences in the world, and the oldest information security conference held annually. Researchers, government representatives, academia and security professionals of all types gather at ACSAC to discuss the latest developments in the infosec industry. The core mission of this conference is investigating practical solutions for computer security technology. This year's edition will especially focus on security and privacy in the Internet of Things era
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
cyberSecure (New York, New York, USA, Dec 15 - 16, 2015) Today's business leaders recognize that a multi-disciplinary approach is critical to protecting the bottom line. What's too often missed is a vision that incorporates best practices that allow you to add value to your company and shareholders DURING and POST breach. Enter ALM cyberSecure. A unique professional event providing an all-encompassing view and the relationships necessary to protect enterprises during all phases, across all departments while keeping revenue on track