The CyberWire Daily Briefing 12.16.15

Cyber Trends

One Third of CEOs Aren't Regularly Briefed on Cyber Security Issues (eSecurity Planet) And 61 percent of global IT security pros think their CEOs don't know enough about cyber security, a recent survey found

State of the Network study: How security tasks are dominating IT staff (TechTarget) The majority of networking teams are regularly involved in enterprise security tasks. Expert Kevin Beaver explains the phenomena and how to embrace it

Oil and Gas Cyber Security — Interview (Infosec Institute) In the recent presentation at BlackHat, you mentioned that oil and gas is one of the industries most plagued by cyber-attacks. What makes oil and gas an attractive target?

Should we be worried if our homes are soon smarter than we are? (Guardian) Coming our way are houses run by networked kits . But this will have grave implications for privacy and security

2015 Cost of Cyber Crime Study (Help Net Security) Discover the most salient findings of this enterprise security and intelligence study and learn what you can do to protect your organization

What security pros want for the new year (CSO) It's that time of year when we ask security executives in a variety of industries what they would like to include on their holiday wish lists

Lost devices account for bulk of healthcare security incidents (CSO) Lost and stolen devices account for 45 percent of all breaches in Verizon's new health care data breach report

Connected Cars: Threat Intelligence Hits the Road (Recorded Future) As a species, humans have evolved our environment faster than our instincts to sense danger. In caveman days we had to be alert to the presence of predatory animals: saber toothed tigers, swooping pterodactyls, the daggered maw of a T-rex

Legislation, Policy and Regulation

Europe Approves Tough New Data Protection Rules (New York Times) European officials approved long-awaited data protection regulations on Tuesday, the latest effort in the region to give people a greater say over how their digital information is collected and managed

EU privacy law to require opt-in and make data processors share in responsibility (IDG via CSO) Businesses breaching new privacy rules could face fines of up to 4 percent of annual revenue

An Ill 'Wynd' Blowing But No Safe Harbor (Dark Reading) What will state-of-the-art for cybersecurity look like in 2016? The regulatory headwinds on both sides of the Atlantic portend big changes

Ban under-16s from social media? Europe says no! (Naked Security) Europe has said no to banning permission-less kids under the age of 16 from the electronic world they call home

Nigeria: Cyber Security Experts Condemns Move to Gag Social Media (All Africa) The Cyber Security Experts Association of Nigeria (CSEAN) said the plans by the Nigeria Senate to gag social media would increase cybercrime in the country

Chile joins Microsoft Government Security Program (BNAmericas) Microsoft has reached a cyber security agreement with the Chilean government allowing the state access its software code in to help

China's President Calls for Cooperation on Internet Regulation (Time) Xi Jinping called for creating a global "governance system"

Xi Jinping calls for 'cyber sovereignty' at internet conference (BBC) China's President Xi Jinping has called on countries to respect one another's "cyber sovereignty" and different internet governance models

Police could hack any device, even toys, under UK surveillance draft bill (Naked Security) Internet-connected toys, cars, TVs and other smart devices of the rapidly expanding Internet of Things (IoT) bring up a host of privacy concerns, as more data is created and shared across the internet from "things" that lack basic security

Encryption used by terrorists provides lively GOP debate fodder (Computerworld via CSO) The ongoing political discourse over encrypted Internet communications used by potential terrorists sparked some major fireworks in last night's GOP presidential debate

No, you can't shut down parts of the Internet (Errata Security) In tonight's Republican debate, Donald Trump claimed we should shutdown parts of the Internet in order to disable ISIS. This would not work. I thought I'd create some quick notes why

Former national security officials urge government to embrace rise of encryption (Washington Post) A number of former senior national security officials are urging that the government embrace the move to strong encryption by tech companies — even if it means law enforcement will be unable to monitor some phone calls and text messages in terrorism and criminal investigations

A key under the doormat isn't safe. Neither is an encryption backdoor. (Washington Post) Cryptography, when used properly, is a critically important tool for securing data on the notoriously vulnerable networks that we rely on for almost every aspect of daily life

Cyber to hitch a ride on must-pass spending bill (FCW) A landmark cybersecurity bill covering information sharing between government and the private sector is going to be included in the omnibus appropriations bill to fund the government through the end of fiscal year 2016

Cyber data-sharing shield may be part of big U.S. spending bill (Reuters via Business Insurance) Companies that share cyber data with the U.S. government in its fight against hackers would get broadened legal immunity, under a precedent-setting proposal likely to become part of a major spending bill being developed in Congress, sources close to the negotiations said on Tuesday

Republicans in Congress let net neutrality rules live on (for now) (Ars Technica) Year-end spending bill agreed to without anti-net neutrality provisions

Senate Dems: Visa background checks should include social media (The Hill) Senate Democrats want the administration to hand over details of its background check process for visas to enter the U.S., suggesting that applicants' use of social media should be scrutinized as a routine part of vetting

Key homeland security priorities to watch in 2016 (Federal Times) 2015 was a year that brought homeland security back into the limelight, with increased terror threats both domestic and globally, and alarmingly sophisticated cyberattacks against government, its workforce and citizens. Readiness levels are again paralleling the post 9/11 environment

National Guard to stand up 13 new cyber units in 23 states (Army Times) The National Guard will activate 13 new cyber units across 23 states as part of ongoing efforts to grow its cyber force

Products, Services, and Solutions

ThreatConnect Selected by NorSec ISAO for True Threat Intelligence (BusinessWire) NorSec ISAO to use industry's most widely adopted threat intelligence platform for intelligence aggregation, analysis and member collaboration

JotForm Builds A Solution To The Safe Harbor Ruling (Teksocial) In the recent ruling against the Safe Harbor Agreement, JotForm, a popular online form building tool, released a solution for their European users

Metadefender Offers Secure Transfer of Scanned Portable Media Files (PRWeb) OPSWAT's portable media security solution Metadefender now offers a secure file transfer add-on to safely move threat-free data from portable devices to high security networks

CensorNet makes progress in Middle East (Security Middle East) CensorNet, the complete cloud security company, announces it has partnered with Progress Distribution to expand its footprint in the Middle East region and address the concerns posed by the increased use of cloud-based applications in the business environment

AVAST will continue to support Windows XP for home and business users (Spoked Blog) AVAST will continue to support Windows XP users by creating protection modules and detections to cover vulnerabilities and other security problems for at least the next three years

Facebook rolls out Security Checkup tool to Android users (Naked Security) Following the successful rollout of its Security Checkup tool for desktops, Facebook is now making this feature available to its Android users. With over 1.39 billion active mobile users as of September 2015, it was just a matter of time before this feature found its way on to phones and tablets

GCHQ open sources Gaffer, a data collection and mining framework (Help Net Security) GCHQ, the UK equivalent of the US National Security Agency (NSA), has released on Monday the source code of Gaffer, a graph database that optimised for "retrieving data on nodes of interest"

5 Key New Features in Nmap Network Security Tool (eSecurity Planet) The open source network security tool's latest version offers significant improvements

RallyPoint/6 collaborates with SANS Institute to provide Cybersecurity training (Suburban Times) The quest for critically needed cyber talent brings a world leader in information security training and certification to Tacoma. SANS Institute, in collaboration with local nonprofit RallyPoint/6 (RP/6), Washington's largest nonprofit, one-stop resource center for transitioning military members and their families, announces the launch of the SANS VetSuccess Immersion Academy in Tacoma

SecureData Selects TrapX Security's DeceptionGrid for Its Managed Security Services Portfolio (Digital Journal) TrapX Security™, a global leader in advanced cybersecurity defense, today announced that SecureData, the leading end-to-end cybersecurity managed service provider specializing in threat intelligence, has entered into a partnership to utilize the TrapX DeceptionGrid™ as part of its expanding portfolio of managed services offerings

Microsoft's Edge browser continues to shed market share (FierceCIO) In what feels like a slow–motion train–wreck, December saw the release of another bunch of third–party statistics that show the adoption of Microsoft's Edge browser on Windows 10 continuing on an inexorable downward trend

Technologies, Techniques, and Standards

3 continents, 8 countries and one cyber attack on a fake petrol company (Register) National Crime Agency: International test proves everything's just hunky-dory

City of Seattle pays for friendly hacking to reveal credit card system security issues (KIRO7) The City of Seattle was intentionally hacked by a company it hired to expose vulnerabilities in its payment card processing system

Playing With Sandboxes Like a Boss (Internet Storm Center) Last week, Guy wrote a nice diary to explain how to easily deploy IRMA to analyze suspicious files

Securing Home and Small Business Routers (US-CERT) Home and Small Business routers have become the ideal target for attackers seeking to gain control over a user's gateway to the Internet

Security Tip (ST15-002) Securing Your Home Network (US-CERT) A router comes configured with many vendor default settings. Many of these settings are public knowledge and make your router susceptible to attacks. Remember to change your router default log-in password during your initial setup

Security Tip (ST15-003) Before You Connect a New Computer to the Internet (US-CERT) Computers are an important part of everyday life. In order to keep your computer and information secure, it is important to properly set up your computer before connecting to the Internet

My Employees Are in a Data Breach! What Now? (IBM Security Intelligence) There have been many articles written on what organizations should do if someone connected to them is the source of a data breach, covering aspects from the costs associated with a breach and how to mitigate the effects to analyses of several of the more prominent attacks

Reputation Recovery: Using a Cybersecurity Crisis as an Opportunity (Legaltech News) ALM cyberSecure session focuses on reputation management in the wake of a cyber-incident

When Basic Security Training MIGHT Be Enough (Infosec Institute) When there are people who still open attachments willy-nilly, who click on links with reckless abandon and who let their guard down even though legitimate-looking emails can potentially be fraudulent, companies need to do all they can to ensure that workers are cybersecurity aware

How to eliminate encryption silos (Help Net Security) Working in the encryption business, you'll quickly learn that there are a number of problems that organizations can run into while deploying the technology

Defining the New 'Active Defense' in Cybersecurity (Legaltech News) The opening panel of ALM cyberSecure examined current strategies for engaging cyber attackers proactively

An IT lesson from Anonymous: Even lawless groups need rules (Computerworld via CSO) Recruit a bunch of anarchists and — surprise, surprise — you get anarchy

All the Actionable Tips You Need to Safely Shop Online (Heimdal Security) Make sure your confidential data is safe from cyber criminals

Advent tip #16: Logout when you're done. Yes, even from Facebook! (Naked Security) We'll be honest. Today's Advent tip is a harder sell than most of the others we've done so far

Marketplace

Cyber: The 'Big Picture' Depends on Understanding the Details (Willis Wire) Despite spending a ton of money on consultants and technology to address cyber vulnerabilities, financial directors still find themselves unable to quantify their residual cyber exposure

Palestinian Security Intelligence Startup Accepted to Google's Prestigious Blackbox Connect Program (Huffington Post) There's no shortage of startup ecosystems in the developing world and conflict areas, but it's not everyday that startups coming from those areas attract the attention of tech giants like Google

Israeli startup says encryption needs a new paradigm (FierceFinanceIT) Recent studies show that cybercrime is rising as one of the banking industry's most pressing threats. An Israeli startup said that's because the prevalent method of encryption has been around long enough for cybercriminals to have perfected ways for exploiting its weaknesses

Elbit Bucks Declines as Israel Defense Exporters Seek Help (Bloomberg) Israel's Elbit Systems Ltd. has managed to thrive in a shrinking global arms market through international acquisitions and branching out into cyber security

Waltham cybersecurity firm gears up for expansion, possible IPO in 2016 (Boston Globe) Waltham cybersecurity firm Digital Guardian has landed $66 million in a new round of venture funding, money that will help the company add dozens of jobs next year and potentially prepare for an initial public offering

Symantec +3.5%; Morgan Stanley upgrades, likes security positioning (Seeking Alpha) "With close to 175 million endpoints, Symantec retains significant incumbency advantages as the industry focus shifts back towards next gen endpoints and security analytics," writes Morgan Stanley's Keith Weiss, upgrading Symantec (NASDAQ:SYMC) to Overweight and hiking his target from $24 to $26 ahead of the expected January closing of the Veritas (storage software) sale

2 Stocks to Watch in Securities Services: FireEye Inc. and CyberArk Inc. (Motley Fool) These two cyber security stocks are worth watching

Cyphort Gains Market Momentum, Expands Channel Operations (BusinessWire) With a 100% channel focus, Cyphort grows channel business by 300%

Air Force to Hunt Cyber Threats With Endgame's Automated Cyber Ops Platform (ExecutiveBiz) Cybersecurity software vendor Endgame has received a sole-source contract to provide its automated Cyber Operations Platform to help the U.S. Air Force detect, hunt and respond to cyber adversaries

ManTech Receives $34M Army Intell System Services Contract (ExecutiveBiz) ManTech International Corp. has received a $34 million contract to support a U.S. Army initiative to modernize its intelligence component

Duo Security opens London office to serve EMEA (ChannelBiz) The cloud security firm says it has around 300 UK customers, which include the makers of Candy Crush and York University

SecureRF Establishes Presence in Silicon Valley (Digital Journal) In response to the growth of their customer base in the semiconductor, software and systems communities, SecureRF, a leading provider of security solutions for the Internet of Things (IoT), announced today the opening of their new office in Morgan Hill, CA

BeyondTrust Welcomes Seasoned Business Development Executive to Serve as VP of Strategic Alliances (BusinessWire) Joseph Schramm joins BeyondTrust executive team to further develop channel program and strategic partnerships

Former Sophos CEO Steve Munford Appointed to Teradici Board of Directors (Sys-Con Media) Newest board member brings rich legacy of information security leadership and business strategy experience to Teradici

Research and Development

DARPA Seeks Proposals for $77M Power Grid Cyber Detection Program (ExecutiveBiz) The Defense Advanced Research Projects Agency has asked industry to submit proposals for a potential four-year, $77 million program that aims to develop systems that will work to detect and respond to cyber attacks on the U.S. power grid

Security Patches, Mitigations, and Software Updates

Google researchers find remote execution bug in FireEye appliances (IDG via CSO) FireEye has patched the problem, which could allow full network access

Network management vendors patch SQLi and XSS flaws (CSO) Rapid7 discloses six flaws, covering four different vendors

Symantec Endpoint Encryption Client Memory Dump Information Disclosure (Symantec) Symantec's Endpoint Encryption (SEE) Client is susceptible to information disclosure if a user with access to a system hosting a client is able to force a client memory dump and access the content of the memory dump. This could result in unauthorized exposure of such things as stored credentials used by the client in communicating with components of the SEE management server (SEEMS)

Stable Channel Update for Chrome OS (Chrome Releases) The Stable channel has been updated to 47.0.2526.106 (Platform version: 7520.63.0) for all Chrome OS devices. This build contains a number of bug fixes and security fixes. Systems will be receiving updates over the next several days

Mozilla Releases Security Updates for Firefox and Firefox ESR (US-CERT) The Mozilla Foundation has released security updates to address vulnerabilities in Firefox and Firefox ESR. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system

Internet Systems Consortium (ISC) Releases Security Updates for BIND (US-CERT) ISC has released security updates to address vulnerabilities in BIND. Exploitation of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition

Google No Longer Trusts Symantec's Root Certificate (IBM Security Intelligence) Earlier this month, Symantec announced that it will stop using the VeriSign G1 root certificate (Class 3 Public Primary CA) it had previously been using to issue public code signing and TLS/SSL certificates. In response, Google said it would not recognize the newly unsupported certificate in Chrome, Android and other products

Cyber Attacks, Threats, and Vulnerabilities

ISIS Loyalists Taunt Saudi-Led Coalition: "Come Over, You Cowards" (Vocativ) Supporters of the Islamic State are egging on a new counterterrorism campaign that involves 34 nations

UK Government Department Links Back To ISIS Twitter Handles (Hack Read) Nowadays, every individual who uses the internet is well aware of IP and MAC addresses but for those who don't, MAC address is a specific alpha-numeric number assigned to every electronic gadget

When a single e-mail gives hackers full access to your network (Ars Technica) Google researchers find code-execution bug in FireEye threat-prevention device

'Devastating flaws' in Kerberos authentication protocol (SC Magazine) Security watchers warn of authentication and authorisation flaws in Windows network environments

Attacks Ramp Up Against Joomla Zero Day (Threatpost) Update: Attacks are accelerating against a now-patched Joomla zero-day vulnerability, putting pressure on site administrators to update quickly

iOS Trojan "TinyV" Attacks Jailbroken Devices (Palo Alto Networks) In October 2015, we discovered a malicious payload file targeting Apple iOS devices. After investigating, we believe the payload belongs to a new iOS Trojan family that we're calling "TinyV"

Comcast users hit with malvertising, malware and tech support scam all in one go (Help Net Security) Another tech support scam / ransomware campaign combo has been launched at users, but this time the order of delivery is reversed

13 million MacKeeper users exposed in data breach (Help Net Security) The company pushing MacKeeper, the security and utility software suite for Macs many consider to be scareware, has confirmed that the database containing passwords and personal information of its 13 million users was accessible to anyone who knew what to look for

13 Million MacKeeper Users Exposed (KrebsOnSecurity) The makers of MacKeeper — a much-maligned software utility many consider to be little more than scareware that targets Mac users — have acknowledged a breach that exposed the usernames, passwords and other information on more than 13 million customers and, er…users

HIV dating app leaks sensitive user data, threatens infection when alerted (Naked Security) A dating app for HIV-positive people that was leaking sensitive user data apparently threatened to infect the admin for a site that planned to write about it

Fake "account verification" email targeting Alibaba.com users (Help Net Security) Businesses who use Alibaba.com to connect with Chinese manufacturers are being targeted in a recently discovered phishing campaign, Comodo warns

Wish list app from Target springs a major personal data leak (Ars Technica) Database is available over the Internet, no password necessary, researchers say

At least 10 major loyalty card schemes compromised in industry-wide scam (Register) CyberInt: This is a 'significant' and growing problem

Skimmers Found at Some Calif., Colo. Safeways (KrebsOnSecurity) Sources at multiple financial institutions say they are tracking a pattern of fraud indicating that thieves have somehow compromised the credit card terminals at checkout lanes within multiple Safeway stores in California and Colorado. Safeway confirmed it is investigating skimming incidents at several stores

OFFICIAL! Good passwords more difficult than rocket science (Naked Security) It's official! Picking proper passwords is harder than rocket science

These cloud-connected devices are totally spying on you (or just letting others do it) (Tech Republic) The internet of nosy things

NHS has 'alarming' lack of cybersecurity measures in place for mobile devices (FierceMobileHealthcare) England's health system aims to go paperless in three years

2020 Census will be more vulnerable to fraud, disruption, says report (FierceGovernmentIT) The 2020 Decennial Census will be the first that directs resident to use the Internet to respond rather than paper-based forms, and that raises a host of security concerns, according to a report published last month by JASON, an independent advisory group which consults with the government on science and technology

11 Ongoing Anonymous Operations You Must Know About (Hack Read) Anonymous is known for conducting cyber attacks against injustice but not every operation makes it to the news

Litigation, Investigation, and Enforcement

LA schools to open Wednesday; were closed due to credible 'threat' (Al Jazeera America) Authorities defend move to keeo 640,000 students kept as other cities dismiss similar email threats as a hoax

Sources: Review affirms Clinton server emails were 'top secret,' despite department challenge (Fox News) EXCLUSIVE: An intelligence community review has re-affirmed that two classified emails were indeed "top secret" when they hit Hillary Clinton's unsecured personal server despite a challenge to that designation by the State Department, according to two sources familiar with the review

In hot water: EPA social media violated propaganda, anti-lobbying rules, Antideficiency Act, says GAO (FierceGovernmentIT) The Environmental Protection Agency violated propaganda and anti-lobbying rules with a social media campaign intended to garner public support for a water rule that has been the subject of fierce debate on the Hill and in courtrooms

U.S. Government Unsure of Mailing Addresses for Some Impacted by Massive OPM Breach (Legaltech News) The OPM claims 'significant time and effort was spent to collect appropriate contact information for impacted individuals'

Judge grants banks discovery in proposed Home Depot breach settlement (Business Insurance) A judge has sided with plaintiff attorneys for financial institutions that want more information about a settlement agreement between Home Depot Inc. and MasterCard Inc. over a 2014 cyber breach, which the attorneys argue was secretly negotiated and unfair

TalkTalk cyber attack: Police told telecoms company to keep hack secret, says chief executive (Independent) Baroness Harding says Scotland Yard advised firm not to warn customers so detectives could track down culprits

U.S. arrests 3 men over hacking scheme targeting 60 million people (Reuters via Business Insurance) Three men were arrested on Monday for engaging in a wide-ranging hacking and spamming scheme that targeted personal information of 60 million people including Comcast Corp. customers, U.S. prosecutors announced Tuesday

Bitcoin Creator's Mysterious Identity Beguiles Cryptography World (NPR) NPR's Audie Cornish talks to Andy Greenberg, a senior writer at Wired, about the mysterious founder of Bitcoin. He explains what the leading theories are about the true identity of the founder