The CyberWire Daily Briefing 12.17.15
news from Kessel
We know you, our readers, and we know that you're interested in things that happened long ago, in a galaxy far, far away. So we share some of the background uncovered during vulnerability assessments conducted pursuant to the Death Star's accreditation onto Imperial networks. You'll find excerpts of the relevant report here (and may the Force be with you).
HackRead reports that a number of apps devoted to Biblical or Quranic study or devotion are infested with malware. Their story suggests the perpetrators are probably criminals engaged in a post-modern version of affinity scamming.
CloudSek finds an interesting wrinkle in the criminal markets. An "unnamed South Asian company" seems to be not only selling legitimate security products and services (employee monitoring software among them), but malware with data exfiltration capabilities as well. CloudSek calls the outfit in its malicious aspect "Santa APT," since much of its crimeware is Christmas-themed.
Last Christmas, you may recall, LizardSquad skidded into the holiday by DDoSing Xbox Live and Playstation Network. This week PhantomSqaud [sic] makes the naughty list with a similar threat. For the children's sake, let Microsoft and Sony look to their networks.
Damballa and Proofpoint offer accounts of, respectively, Pony and Angler. Damballa outlines in considerable detail Pony's evolution, and Proofpoint explains how domain shadowing is being used to facilitate the Angler exploit kit's dissemination.
Linux administrators take note: researchers at Universitat Politècnica de València have demonstrated a technique that bypasses password protection on the Grub2 bootloader. The method (which involves backspacing 28 times) seems depressingly simple.
The National Science Foundation has released a "roadmap" for experimental cyber security research.
Reaction to pending US cyber legislation continues to pour in. Opinions are divided between those who applaud it for promoting information sharing, and those who warn of incipient threats to privacy.
Governments from Brazil to China move to restrict social media.
Notes.
Today's issue includes events affecting Australia, Bulgaria, Canada, China, Germany, Ghana, Russia, Saudi Arabia, United Kingdom, and United States.
Kessel: the latest from Kessel Cyber Security Consulting
Assessment Report for HIM Palpatine 05.25.1977 (Kessel Cyber Security Consulting) Executive Summary: The Galactic Empire contracted Kessel Cyber Security Consulting (Kessel) to assess the security of its new "Death Star" campus before accepting it for accreditation to Imperial networks. We did so in three series of assessments and tests, the findings of which are presented in the body of this report
Cyber Attacks, Threats, and Vulnerabilities
Bible and Quran Apps Infected with Malware Capable of Spying (HackRead) There are a hundred types of malware hidden inside the Bible and Quran apps, most of which are available all over the Android play store and some on iOS
Asian company is the newest APT threat (Help Net Security) An unnamed South Asian software development consultancy that creates software for employee monitoring is also an APT player and, according to CloudSek CTO Rahul Sasi, it appears to be conducting widespread intellectual property theft for economic gain
PhantomSquad threatens to take down XBox Live and PSN this Christmas (Graham Cluley) Remember last Christmas when a group of hackers calling themselves LizardSquad ruined the holidays for many video game lovers by knocking the XBox Live and PlayStation Network offline with a distributed denial-of-service (DDoS) attack?
Crimeware / APT Malware Masquerade as Santa Claus and Christmas Apps (CloudSek) CloudSek monitors were researching the activities of an APT [Advanced persistent threat] that is targeting software companies globally
Pony Up! Eight Months of Evolution (Damballa) Cyber criminals frequently move their infrastructure. Domains stay online for a few days or hours, which makes it challenging for defenders to leverage security tools that rely on blacklists and other known-bad indicators. Damballa's Threat Discovery Center has been monitoring Pony for eight months, and has captured all instances
The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK (Proofpoint) Most online ads are displayed as a result of a chain of trust, from the publishers to the malicious advertiser via ad agencies and/or ad networks
Vulnerability in popular bootloader puts locked-down Linux computers at risk (IDG via CSO) The flaw can allow attackers to modify password-protected boot entries and deploy malware
Over 650 terabytes of data up for grabs due to publicly exposed MongoDB databases (IDG via CSO) Security researchers sound alarm on "very serious" privacy problem
At least 10 major loyalty card schemes compromised in industry-wide scam (Register) CyberInt: This is a 'significant' and growing problem
Avast investigation into shopping apps reveals another Target security blunder (Techspot) Security researchers with Avast recently took a look at several shopping apps to see just how much retailers know about their shoppers. What the team found was a bit alarming, to say the least
VA to Congress: Cybersecurity & data breach update (Becker's Health IT and CIO Review) The Department of Veterans Affairs has released its Monthly Report to Congress on Data Incidents for the month of November
No, IKEA is NOT selling a swastika-shaped table called Hadolf (Naked Security) A viral Facebook post is making the rounds showing an image of a dinner table shaped like a Nazi swastika, alongside claims that Swedish furniture giant IKEA is selling the offensive item in its 2016 catalog
Why Identity is A Major Asset Online (HackRead) Why loss of identity online can lead to severe consequences, no matter how solid and reliable your preventive measures for security are
Cybersecurity Researchers Are Hunted from All Sides (Motherboard) Cybersecurity researcher Peter Kruse, founder of CSIS Security Group in Denmark, thought his mother was calling. Her number appeared on his phone, but when he answered, it wasn't her. Instead, a male voice told him to stop what he was doing as a computer expert
Security Patches, Mitigations, and Software Updates
Microsoft streamlines Windows 10 Mobile update process, fails badly on first update (FierceMobileIT) While Microsoft has streamlined the process for getting Windows 10 Mobile updates to users, it hasn't worked out the kinks so that the updates actually work
Symantec Responds to Google in HTTPS Certificate Scandal (Softpedia) Symantec has finally shed some light on the events that surrounded the "distrusting" of some of its certificates inside Google's products, blaming everything on the lack of a clear communication between its representatives and Google's staff
Facebook throttles antagonistic, drive-by 'fake name' reporting (Naked Security) After getting slammed by critics for over a year with regards to its real-name policy, Facebook on Tuesday hugged it tight, saying yet again that the policy's not going away
Cyber Trends
New threats will demand new approaches such as micro-segmentation and quantum encryption (Help Net Security) Leading security professionals around the world will adopt a new mindset in 2016, embracing advanced approaches such as micro-segmentation to counter increasingly sophisticated attacks by cyber criminals, according to security experts at Unisys
Securing the Digital Infrastructure (InfoRiskToday) Security and privacy imperatives for enterprises in the digital age
Healthcare Cloud Adoption Slow Due to HIPAA, Survey Finds (HealthITSecurity) "Security has been a major barrier to cloud adoption in many verticals, but it's especially critical in heavily regulated industries"
Research — The Real IoT Value By 2025 (WT Vox) McKinsey & Company's Global Institute conducted a research with the reason of exploring the "real" IoT value on the global economy
Q&A: Distributed Computing and the Evolving CISO with Susan Mauldin of Equifax (IoT Evolution) Enterprise adoption of big data and cloud infrastructure is presenting new challenges for Chief Information Security Officers (CISO). I recently sat down with Susan Mauldin, CISO, Equifax, to get her thoughts about the evolving role of the CISO, perhaps into Chief Information Risk Officers, and how to secure the cloud
Marketplace
Agencies Get Marching Orders for Filling 'Major' Cyber Talent Shortage (Defense One) "We still have the fundamentals wrong," says Office of Management and Budget's Trevor Rudolph
Microsoft Unveils Plans for China Joint Venture (Wall Street Journal) Microsoft will set up a jointly owned entity with China Electronics Technology Group
Russia's Kaspersky Labs signs deal with China Cyber Security Company as Beijing and Moscow call for end to US domination of internet (South China Morning Post) Russian software security giant Kaspersky Lab has formed a strategic partnership with a Chinese state-owned company as Beijing and Moscow work more closely in policing their cyberspace
Oracle Corporation: Generally In-Line November Results; Softer Outlook with Massive Challenges Ahead — Maintain MP (FBR Capital) Last night, December 16, ORCL delivered F2Q16 (Nov) results essentially in line on revenue and beating slightly on the bottom line, a dynamic we would characterize as "better than feared," given a painful cloud transition coupled with ongoing challenges for Oracle's traditional license business
Trustlook raises $17 mln (PE Hub Network) Trustlook Inc., a leading global mobile security provider for the Android platform, today announced that it has closed a $17 million Series A round of funding
Former Kaspersky Exec Looks To Transform Carbonite To Channel-Focused Model (CRN) After helping launch Sophos fully into the channel and driving growth at Kaspersky Lab, Christopher Doggett said he's turning his sights to transforming Carbonite into a channel-focused sales organization
NATO builds up cyber alliance with Symantec tie-in (IT Pro) Symantec has signed a deal with NATO Communications and Information (NCI) Agency to boost information sharing between the IT security firm and the military organisation
Navy Seeks NAVAIR Cyber Warfare Detachment Support Through Basic Ordering Agreement (ExecutiveBiz) The U.S. Navy has announced plans to award potential five-year basic ordering agreements to contractors that can provide support services for the Naval Air Systems Command's Cyber Warfare Detachment
Columbia MD Tech Company, Convergence Technology, Named Baltimore Sun's Top Workplace for the Third Time (Baltimore Sun) Top Workplace '12, '13, '15
LightCyber Receives SC Magazine 2015 Security Industry "Innovator" Recognition (BusinessWire) Company also designated Top 10 "Coolest Security Startups" by CRN
eGlobalTech Appoints Sal Fazzolari as COO (Washington DC City Biz List) eGlobalTech (eGT), a leading provider of management and IT consulting services for the Federal Government, is excited to announce the appointment of Sal Fazzolari as Chief Operating Officer (COO). In this capacity, Fazzolari will oversee eGT's strategic vision and continued growth
Products, Services, and Solutions
Triumfant and Bay Dynamics Announce Key Integration (Triumfant) Strategic partnership allows both companies to strengthen their offerings through a seamless integration delivering industry-leading analytics and remediation
FireStorm: Mitigating the Vulnerability That Can Completely Bypass Firewalls and Exfiltrate Data (Cyveillance Blog) Looking Glass and Cyveillance have joined forces to deliver the most advanced and comprehensive threat intelligence driven solutions. Today, A.J. Shipley, Looking Glass' Vice President of Product Management, discusses how Looking Glass and Cyveillance solutions can help protect an organization from DNS threats, such as the FireStorm vulnerability
ThreatStream Announces FED Exchange for Federal, State & Local Government (Power Engineering) ThreatStream®, the pioneer of an enterprise-class threat intelligence platform, today announced the availability of the ThreatStream FED Exchange
Ntrepid Announces General Availability of Passages Enterprise (BusinessWire) Secure virtual browser provides complete protection from web-based attacks, isolating all browsing activity from the user's computer and enterprise network
ESET Introduces Banking and Payment Protection for Asia Pacific Consumers (Jakarta Post) ESET®, a global pioneer in proactive protection for more than two decades, today announced the release of its ESET Smart Security 9 and ESET NOD32 Antivirus 9
Bitdefender to Protect Charities Worldwide as First Security Software Provider in TechSoup Global Expansion (BusinessWire) Bitdefender, a leading Internet security technology company protecting 500 million users worldwide, is the first global security partner of the TechSoup global donation initiative
Lieberman Software and Sailpoint Partner to Provide a Unified Privileged Identity Access Control Layer for the Enterprise (MarketWired via EIN) Enterprise Random Password Manager™ and IdentityIQ™ integrate to control provisioning and access of both privileged and end-users through a unified identity governance platform
Technologies, Techniques, and Standards
Sorry for the Inconvenience (IEEE Spectrum) After looking back at the project failures chronicled in the Risk Factor for our recent set of interactive features "Lessons From a Decade of IT Failures," I became intrigued by the formulaic apologies that organizations put out in their press releases when something untoward happens involving their IT systems
Driving an industry towards secure code (Help Net Security) The German government made an unprecedented move this week by issuing requirements for all new vehicles' software to be made accessible to country regulators to ensure that emissions loopholes aren't exploited
Security can't be left behind at a rapidly growing company (CSO) Ginna Raahauge, senior vice president and CIO at Informatica, is focused on speed
Brains: The final frontier in information governance (FierceContentManagement) Companies frequently struggle with managing content in a way that's unified and accessible to all the workers who need it
Social Engineering: How an Email Becomes a Cyber Threat (SecurityWeek) Social Engineering has been a staple of fraud since the dawn of time
Offense Informs Defense: Minimizing the Risk of a Targeted Attack (Legaltech News) This ALM cyberSecure session focused on the nature of hacking and what should be done about it
Rackspace CSO on security: It's time to go back to the fundamentals (Help Net Security) We no longer need to spend time discussing the sophistication and persistence of the threat; the risk associated with IoT and mobile devices, the devolution of the perimeter; the need for deterrence over prevention and the value of security versus compliance
How do you know if your smartphone has been compromised? (We Live Security) Little by little, smartphone users are beginning to understand how important it is to protect their devices so malware can't be installed on them
Advent tip #17: "Reply All" is probably not what you want (Naked Security) It's holiday season, so it's likely you'll be emailing groups of friends, friends of friends, and so on
Design and Innovation
The Secret Secret to Secrets (Electronic Engineering Journal) Generating random numbers is harder than it looks
Research and Development
Two atoms make quantum memory, processing gate, and test of entanglement (Ars Technica) Entangling atoms from different elements does it all, quantum-wise
Uncrackable quantum cryptography over 'doubled' distances (NTT) Making it possible in the near future to link metropolises within an 800 km radius in an all-photonic way without quantum repeaters
Roadmap to safer cyberspace (National Science Foundation) Report offers a vision for a new generation of experimental cybersecurity research
Cybersecurity Experimentation of the Future (CEF): Catalyzing a New Generation of Experimental Cybersecurity Research (Cyber Experimentation) This report presents a strategic plan and enabling roadmap intended to catalyze generational advances in the field of experimental cybersecurity research. These results represent the conclusions of a study conducted under NSF auspices by SRI International and USC Information Sciences Institute throughout calendar year 2014
Academia
Deloitte supports cyber security MSc programme at DMU (Consultancy) The threat to companies from cyber-crime is on the increase. To help combat this hazard, Deloitte, Airbus, BT and Rolls-Royce will provide their expertise to students of the newly developed cyber security MSc from De Montfort University Leicester (DMU), which aims to develop holistic approaches to cyber security
Legislation, Policy, and Regulation
Government IT security under the spotlight after BoM cyber attack (CSO) The recent cyber attack on Australia's Bureau of Meteorology (BOM) has raised fresh concerns about the ability of government departments to withstand sophisticated cyber attacks
Bulgaria to join Microsoft's program against cyber attacks (Xinhua) Bulgaria will join Microsoft's Government Security Program (GSP) in a bid to establish an effective prevention against cyber attacks, the country's Council of Ministers decided here on Wednesday
Encryption And Censorship In A Globalized World (Forbes) Over the Thanksgiving holidays I offered a practical guide to the current encryption debate from the standpoint of what could realistically be accomplished through the proposals being circulated by Western governments
Fact-Checking the Debate on Encryption (Pro Publica) The existence of coded communications is a reality and the U.S. may not be able to do much about it
In debate, Republicans call on tech sector to aid terrorism fight (Christian Science Monitor Passcode) In the wake of the terrorist attacks in Paris and San Bernardino, most Republican candidates are betting that public worries over national security may supersede concerns over free speech and privacy issues
Secrecy Shuts Down a National-Security Debate (Atlantic) On Tuesday night, Ted Cruz and Marco Rubio clashed over NSA surveillance — but they can't tell the public what they're arguing about
Opinion: From Internet shutdowns to 'the encryption problem,' rating the Republicans on tech policy (Christian Science Monitor Passcode) Tuesday's Republican presidential debate in Las Vegas touched on some of the hottest issues in tech but many candidates are way off base when it comes to understanding the Internet
Cybersecurity bill to thwart hackers added to big 2016 spending deal (USA Today) A cybersecurity bill aimed at thwarting huge hack attacks was slipped at the last minute into a massive $1.1 trillion federal spending bill that Congress is poised to pass this week
Controversial Cybersecurity Bill Poised to Pass in Massive Spending Package (National Journal) Congress is about to take its biggest step yet to bolster cybersecurity, but privacy advocates fear it could expand surveillance
9 ways business will benefit from Congress' tax and spending deal (The Business Journals) Congress is closing the year with a bang: Two bills, totaling more than 2,200 pages, that fund the federal government and extend various tax breaks that are important to individuals and businesses
Private Sector Hack-Backs and the Law of Unintended Consequences (Center for Democracy and Technology) Congress is considering legislation to authorize companies to use countermeasures against cyber attacks. However, the legislation could undermine cybersecurity by authorizing victims to "hack back" and cause harm to a third party
U.S. Cyber Commands Launches 13 New Cyber Protection Teams (Government Technology) Federal cyber protection efforts grow this month with new soldiers being deployed across the nation to protect America's digital borders
National Security Agency to Unveil Workforce Restructuring in January (Government Executive) Come January, employees of the National Security Agency will see the fruits of a 10-month "director's charge" review of the top-secret organization's structure, its leader, Adm. Mike Rogers, said on Tuesday night
Air Force closes in on new directive for IT governance (FCW) Air Force officials are drafting a directive that would update the role of the CIO, more clearly aligning it within the service's broader organizational structure, according to a spokesman
The 'electronic Pearl Harbor' (Politico) Eighteen years ago I was the first to use that term publicly. It was the wrong analogy then. Not anymore
The Black Chamber (Economist) The man who made Edward Snowden inevitable
Litigation, Investigation, and Law Enforcement
Brazilian Judge Shuts Down WhatsApp And Brazil's Congress Wants To Shut Down The Social Web Next (TechCrunch) A judge in Sao Paulo has ordered WhatsApp to shut down for 48 hours, starting at 9pm Eastern tonight
Facebook, Google and Twitter agree to German demand to delete hate speech within 24 hours (Naked Security) Facebook, Twitter, and Google have agreed with Germany and will delete hate speech from their services within 24 hours to fight a rising tide of online racism
B.C. government IT systems vulnerable: AG (CBC News) Government risks loss of public trust to safeguard data, says auditor general
Fewer Resources Meets Emerging Technologies: Examining the Next Big Cybercrime (Legaltech News) Panelists at ALM cyberSecure say that the nature of cyber attacks — and how the government defends against them — is shifting
Financial crimes threaten global economy (GhanaWeb) The Director of Public Prosecutions of the Federation (DPPF), Federal Ministry of Justice, Mr. Mohammed Saidu Diri has said that organised crimes and financial crimes are the major threats to the global economic system
Teen Steals $150,000 by Hacking Into Airline's Website (Yahoo! Travel) Most teenagers make money by flipping burgers at McDonalds
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
Upcoming Events
Program on Cyber Security Studies (PCSS) (Garmisch-Partenkirchen, Germany, Dec 2 - 17, 2015) The Marshall Center has developed a comprehensive program to explore the increasing domestic, international and transnational challenges in cyber security. Our goal is to provide a comprehensive, policy-focused, non-technical cyber security program that emphasizes and teaches senior key leaders how to best make informed decisions on cyber policy, strategy and planning within the framework of whole-of-government cooperation and approaches
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
cybergamut Tech Tuesday: The Threat Landscape and the Path Forward: Fundamentals of a Risk-Aware Organization (Elkridge, Maryland, USA, Jan 5, 2016) John McLaughlin of IBM Security provides a quantitative analysis of the attacks seen by IBM and the thousands of IBM customers in the preceding year. Specific attention will be paid to the protocols engaged, attack patterns, and trends seen in these attacks. In addition, these attacks are characterized by targets, time, and degree of success. Following the quantitative reporting, the remainder of the presentation focuses on an actionable plan for securing the enterprise. Simply describing the problem is no longer sufficient. This plan consists of a multi-step roadmap, a product independent approach to securing the enterprise against the previously described attack vectors
CES CyberSecurity Forum (Las Vegas, Nevada, USA, Jan 6, 2016) Premiering at CES 2016 — the global stage for next generation technologies — The CyberSecurity Forum will bring together security experts and technology visionaries with executives and policymakers to tackle current and looming cyber security challenges. Registration is limited to ensure a highly interactive experience and opportunities for networking
FloCon 2016 (Daytona Beach, Florida, USA, Jan 11 - 14, 2016) The FloCon network security conference provides a forum for large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic
Cyber Security Breakdown: Chicago (Chicago, Illinois, USA, Jan 12, 2016) This half day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than try and handle the breach during the chaos of the event, you'll understand how to build in advance, the best practices to respond effectively. Attend the Cyber Security Breakdown event that is focused on the unique issues and threats facing legal professionals
FTC PrivacyCon (Washington, DC, USA, Jan 14, 2016) The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues led by all manner of whitehat security researchers and academics, industry representatives, consumer advocates
POPL 2016 (St. Petersburg, Florida, USA, Jan 20 - 22, 2016) The annual Symposium on Principles of Programming Languages is a forum for the discussion of all aspects of programming languages and programming systems. Both theoretical and experimental papers are welcome, on topics ranging from formal frameworks to experience reports
Automotive Cyber Security Summit — Shanghai (Shanghai, China, Jan 21 - 22, 2016) The conference, which brings together automakers, suppliers, various connected-services providers and security specialists, will focus on government regulations, emerging automotive cyber security standards and new products and solutions designed to deal with the growing threats
CyberTech 2016 (Tel Aviv, Israel, Jan 26 - 27, 2016) Cybertech is the most significant conference and exhibition of cyber technologies outside of the United States. Cybertech provided attendees with a unique and special opportunity to get acquainted with the latest innovations and solutions featured by the international cyber community. The conference's main focuses are on networking, strengthening alliances and forming new connections. Cybertech also provided an incredible platform for Business to Business interaction
Fort Meade IT & Cyber Day (Fort Meade, Maryland, USA, Jan 27, 2016) The Ft. Meade IT and Cyber Day is a one-day event held at the Officers' Club (Club Meade) on base. The event is held on-site, where industry vendors will have the opportunity to display their products and services to IT, Communications, Cyber and Intelligence personnel