The CyberWire Daily Briefing 12.22.15

Summary

By The CyberWire Staff

New Yorkers react to yesterday's report that Iranian hackers in 2013 gained access to control systems at a small dam in the downstate town of Rye. The New Yorkers aren't happy. The Department of Homeland Security has declined to comment on this incident, but did note its continuing work with private and public sector partners to secure infrastructure.

An AP report has also fingered Iranian cyber operators with multiple intrusions into the US electrical grid. These appear to have amounted to reconnaissance and data theft as opposed to attempts to manipulate control systems.

Administrators should patch the backdoor in Juniper ScreenOS firewalls immediately, if they haven't already done so. Unpatched systems are being actively scouted in the wild, and attacks have begun hitting honeypots. No one yet knows (or at least no one's saying) how the backdoor got there in the first place. Observers see potential for serious exploitation.

As debates over surveillance policy continue in several countries, analysts regard the Juniper backdoor as a cautionary tale for advocates of crypto backdoors as an aid to law enforcement and counter-terrorism. US presidential candidate Clinton called Saturday for "a Manhattan-like project" by government and industry that would enable law enforcement and intelligence services to access secure messages without compromising privacy or civil liberties. Few observers think such a project feasible, but some current and aspiring policy makers repose great confidence in the tech community's powers of innovation.

Manhattan-like project or not, Ed Snowden thinks secure app Telegram isn't really that secure.

Notes.

Today's issue includes events affecting China, France, Germany, Iran, Iraq, Russia, Syria, United Kingdom, and United States.

The CyberWire will be taking Thursday and Friday off for the Christmas holidays. We'll resume normal publication on Monday, December 28.

Selected Reading

Cyber Trends

Botnet trafffic in 2015 — the invisible force that wants to eat the Internet (Computerworld via CSO) It sounds counter-intuitive but a new analysis from Imperva's Incapsula division has confirmed one of the Internet's most surprising secrets: a large proportion of website traffic isn't generated by human beings

Predictive Analytics Tools Confront Insider Threats (SIGNAL) Defeating the new normal is the mission of advanced software

Legislation, Policy and Regulation

France, Russia To 'Strengthen' Information Exchange on IS (Agence France-Presse via Defense News) Russia and France have agreed to bolster efforts to share intelligence relating to the Islamic State jihadist group after the two countries vowed to cooperate militarily on the issue

Controversial China anti-terror law looks set to pass this month (Reuters) China's controversial anti-terrorism law could be passed as soon as the end of this month, state news agency Xinhua said on Monday, legislation that has drawn concern in Western capitals for its cyber provisions

Final Thoughts on China's World Internet Conference (Council on Foreign Relations) The big takeaway from the second annual World Internet Conference was Xi's speech and his promotion of cyber sovereignty, which I wrote about here

CISA becomes law, privacy takes a hard hit (FierceBigData) Oh, what a difference a change in political winds make

US Must Adapt New Laws to Combat Terrorism in Social Media — Senator (Sputnik News) US lawmakers must pass legislation that aims to modernize the way the federal government tracks and deciphers the social media methods of terror groups and terror suspects, US Senator Charles Schumer said in a statement on Monday

Tech companies are slamming a proposed UK terrorism law. Here's why. (Washington Post) The world's biggest tech firms — including Apple, Microsoft and Yahoo — are pressing for changes to a proposed British law aimed at expanding the government's electronic surveillance powers

Our Cybersecurity Problem Is A Lack Of Working Safe Harbor Rules (Forbes) You can't manage what you can't measure

Army gears up to build out cyber headquarters (C4ISR & Networks) The Army is preparing for the planning and construction of the Fort Gordon, Georgia, headquarters that will house Army Cyber Command and the service's Joint Forces Headquarters

Iowa officials forging strategy to improve cybersecurity (Gazette) Branstad asks state agency leaders for recommendations by July 1

Presidential Candidates Must Articulate Decisive Cybersecurity Plans (TechCrunch) Traditionally, physical security and cybersecurity have been considered two separate entities

Hillary Clinton wants "Manhattan-like project" to break encryption (Ars Technica) US should be able to bypass encryption — but only for terrorists, candidate says

Products, Services, and Solutions

Firm sees growing market for building shields (Baltimore Sun) It looks like an entirely ordinary conference room — white walls, rectangular table, window overlooking a parking lot. But an Owings Mills company has shielded the space with a kind of electromagnetic invisibility cloak designed to protect it against hackers

A10 Networks extends multi-vector DDoS protection with Thunder TPS 3.2 and Verisign's DDoS protection service (CSO) A10 Networks (NYSE: ATEN), the leader in application networking and security, today announced a collaboration with Verisign to enable hybrid DDoS mitigation strategies for customers

Technologies, Techniques, and Standards

New date for migrating off vulnerable SSL and early TLS encryption (Help Net Security) Following significant feedback from the global PCI community and security experts, the Payment Card Industry Security Standards Council (PCI SSC) announced a change to the date that organizations who process payments must migrate to TLS 1.1 encryption or higher. The previous date of June 2016 has been moved to June 2018

Facebook scandal or can bug bounties replace traditional web security? (CSO) Can crowd-sourcing approach to web security testing work for your corporate applications?

Security Tip (ST05-017) Cybersecurity for Electronic Devices (US-CERT) When you think about cybersecurity, remember that electronics such as smartphones and other internet-enabled devices may also be vulnerable to attack. Take appropriate precautions to limit your risk

Gute Vorsätze für 2016: G DATA gibt sechs Tipps für ein sicheres neues Jahr (Pressebox) IT-Security-Hersteller ruft Internetnutzer zur Überprüfung der eigenen digitalen Sicherheit auf

Advent tip #22: Got a new gadget for Christmas? Stop. Think. Connect. (Naked Security) We've already reminded you about the importance of updates, back in Advent tip #10

Marketplace

Survey Reveals Challenges Facing Cybersecurity Profession (Security Magazine) Lack of talent, skills and recruiting are among the challenges facing the cybersecurity profession, according to a new survey

2016 Technology, Media & Telecom Outlook: Mixed with Pockets of Opportunity in M&A, Cloud, and Cybersecurity (FBR Capital) Our TMT team believes our specific subsectors will have varying degrees of success in 2016 against a choppy macroeconomic backdrop

Symantec, Carlyle now expect Veritas sale to close on Jan. 29 (Seeking Alpha) Symantec (NASDAQ:SYMC) and Carlyle previously expected Carlyle's $8B purchase of Symantec's storage software unit to close on Jan. 1. The delay follows November reports stating banks had postponed marketing $5.5B in debt meant to finance Carlyle's purchase of Veritas amid greater risk-aversion among corporate debt buyers

FireEye, Inc. is Dominating This Cyber Security Market (Motley Fool) The fast-growing firm leads the market for specialized threat analysis and protection

CyberArk: Increasingly Dominant Player In A Niche Cybersecurity Industry (Seeking Alpha) CyberArk is cementing its lead in the promising privileged account security market. While privileged account security is only a subset of the general cybersecurity industry, its market potential is enormous. CyberArk's growth momentum and technological lead in the privileged account security arena should allow the company to maintain its dominance for the foreseeable future. Competition in the privileged account security market will likely intensify in the coming years

Research and Development

Entangling Different Kinds of Atoms Could Be the Way Forward for Quantum Computers (IEEE Spectrum) Last week two research groups, one at the National Institute of Standards and Technology (NIST) in Boulder, Col., and one at the University of Oxford reported experiments in which particles of different species were entangled for the first time

Security Patches, Mitigations, and Software Updates

Microsoft to ban man-in-the-middle adware from March 31 (ZDNet) As part of its move to give consumers control, Microsoft has made the decision to remove MiTM adware as it opens up users to security risks

Google joins Mozilla, Microsoft in pushing for early SHA-1 crypto cutoff (PCWorld) The browser makers are worried about research that shows SHA-1 is even weaker than previously believed

Cyber Attacks, Threats, and Vulnerabilities

Former official: Iranians hacked into New York dam (CNN) Iranian hackers breached a dam outside of New York in 2013, according to a former official, managing to get control of the flood gates

Iranian Hackers Targeting U.S. Electrical Grid (Tower) Iranian cyber-attackers have been targeting the U.S. electrical grid's networks and stealing highly sensitive data, an Associated Press investigation revealed on Monday

Attackers are hunting for tampered Juniper firewalls (IDG via ITWorld) A 'honeypot' mimicking a Juniper firewall is seeing login attempts

First Exploit Attempts For Juniper Backdoor Against Honeypot (Internet Storm Center) We are detecting numerous login attempts against our ssh honeypots using the ScreenOS backdoor password. Our honeypot doesn't emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be "manual" in that we do see the attacker trying different commands

Juniper NetScreen firewall should be patched now (CSO) As experts predicted, the flawed code and exploits are already available

Juniper Backdoor Password Goes Public (Threatpost) Researchers from two security firms have uncovered the password guarding one of the backdoors discovered in Juniper Networks' ScreenOS, the operating system behind its NetScreen enterprise-grade firewalls

Security Alert: Fileless Kovter Teams Up with Modular CoreBot Malware in IRS Spam Campaign (Heimdal Security) As tax season approaches, cyber criminals start getting ready to exploit every vulnerability in your system. And it all starts with a spam email

Security sweep firm links botnet infestation and file sharing (Register) Public sector apparently suffers most from idle P2Pers

How BitTorrent activity impacts security ratings (Help Net Security) BitSight examined BitTorrent P2P file sharing activity of over 30,700 companies. They looked at the percentage of P2P downloads containing malware, the top torrented applications and games on corporate networks and the correlation between file sharing and compromised machines via botnet infections

Revelations behind the Democratic Party data breach kerfuffle (FierceBigData) In case you missed it, there was a brief brouhaha about a data breach in the Democratic Party over the weekend

Snowden Doubts Security Of Telegram (Daily Capital) NSA whistleblower Edward Snowden has flagged Telegram over its security on Twitter, a rate that the app's founder has denied

Linux Grub massive flaw: Was it made by NSA in 2009? (Computerworld) GNU/Linux has a massive flaw in Grub, its ubiquitous bootloader. Just by hitting a few keys, you can completely pwn a Linux box — including many embedded devices

Litigation, Investigation, and Enforcement

Cock[dot]li e-mail server seized by German authorities, admin announces (Ars Technica) Vincent Canfield: "I will say that I have the utmost respect for law enforcement"

Oracle settles with FTC over Java's "deceptive" security patching (Ars Technica) Commission faults Oracle's Java SE update process with making consumers' computers insecure

Oracle, LifeLock Settle FTC Deception Charges (KrebsOnSecurity) The U.S. Federal Trade Commission this past week announced it reached settlements with software giant Oracle and identity protection firm LifeLock over separate charges of allegedly deceiving users and customers about security

Exclusive — U.S. Justice Dept probes data breach at Uber: sources (Reuters) The U.S. Department of Justice is pursuing a criminal investigation of a May 2014 data breach at ride service Uber, including an examination of whether any employees at competitor Lyft were involved in the episode, sources familiar with the situation said

Design and Innovation

Bank of America is trying to load up on patents for the technology behind bitcoin (Quartz) Bankers may not think bitcoin will ever go fully mainstream, but they clearly believe there is value in the technology that powers such cryptocurrencies, known as blockchain

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Insider Threat Program Development Training Course — Georgia (Atlanta, Georgia, USA, January 12 - 14, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation

Insider Threat Program Development Training — California (Carlsbad, California, USA, February 8 - 10, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation

Insider Threat Program Development Training Course — Maryland (Annapolis, Maryland, USA, February 23 - 25, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation

Artificial Intelligence and Autonomous Robotics (Clingendael, the Netherlands, March 23 - 24, 2016) Artificial Intelligence (AI) has been a feature of science fiction writing for almost a century, but it is only in more recent years that the prospect of truly autonomous robotics — even those that have only limited functionality — have become viable. While this potentially will provide great opportunities, the development of AI is likely to impact upon the very functioning of society. In this context, the specialized training on AI and autonomous robotics aims to provide media and public relations professionals with an in-depth understanding of the implications that the rapid advancement of AI technology may affect the global community in both the physical and structural spheres and the potential impact of the future evolution of such technology, especially in terms of security. Emphasis will be given to the way in which AI and autonomous robotics can be represented and communicated in the media

Insider Threat Summit (Monterey, California, USA, March 29 - 30, 2016) The focus of the Insider Threat Summit is to discuss personnel security issues including cyber security challenges and capabilities, continuous evaluation of privileged identities and ethical physical security considerations. A heightened awareness of insider threats due to numerous newsworthy attacks and unauthorized leaks has brought us together for one main purpose: to better understand security challenges in order to better defend against insider threats

upcoming Events

cybergamut Tech Tuesday: The Threat Landscape and the Path Forward: Fundamentals of a Risk-Aware Orgnaization (Elkridge, Maryland, USA, January 5, 2016) John McLaughlin of IBM Security provides a quantitative analysis of the attacks seen by IBM and the thousands of IBM customers in the preceding year. Specific attention will be paid to the protocols engaged, attack patterns, and trends seen in these attacks. In addition, these attacks are characterized by targets, time, and degree of success. Following the quantitative reporting, the remainder of the presentation focuses on an actionable plan for securing the enterprise. Simply describing the problem is no longer sufficient. This plan consists of a multi-step roadmap, a product independent approach to securing the enterprise against the previously described attack vectors

cybergamut Tech Tuesday: The Threat Landscape and the Path Forward: Fundamentals of a Risk-Aware Organization (Elkridge, Maryland, USA, January 5, 2016) John McLaughlin of IBM Security provides a quantitative analysis of the attacks seen by IBM and the thousands of IBM customers in the preceding year. Specific attention will be paid to the protocols engaged, attack patterns, and trends seen in these attacks. In addition, these attacks are characterized by targets, time, and degree of success. Following the quantitative reporting, the remainder of the presentation focuses on an actionable plan for securing the enterprise. Simply describing the problem is no longer sufficient. This plan consists of a multi-step roadmap, a product independent approach to securing the enterprise against the previously described attack vectors

CES CyberSecurity Forum (Las Vegas, Nevada, USA, January 6, 2016) Premiering at CES 2016 — the global stage for next generation technologies — The CyberSecurity Forum will bring together security experts and technology visionaries with executives and policymakers to tackle current and looming cyber security challenges. Registration is limited to ensure a highly interactive experience and opportunities for networking

FloCon 2016 (Daytona Beach, Florida, USA, January 11 - 14, 2016) The FloCon network security conference provides a forum for large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic

Cyber Security Breakdown: Chicago (Chicago, Illinois, USA, January 12, 2016) This half day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than try and handle the breach during the chaos of the event, you'll understand how to build in advance, the best practices to respond effectively. Attend the Cyber Security Breakdown event that is focused on the unique issues and threats facing legal professionals

Breach Planning & Incident Response Summit: Proactive Collaboration Between Private Industry and Law Enforcement to Mitigate Damage (Odenton, Maryland, USA, January 12, 2016) The Cybersecurity Association of Maryland, Inc.(CAMI), Chesapeake Regional Tech Council, Maryland Chamber of Commerce, Chesapeake Innovation Center, Tech Council of Maryland are partnering together to host this event designed to attract and educate CIO's, CISO's, CEO and Compliance officials from small to mid-sized commercial firms on the practical actions taken by the government, firms and organizations post-hack

FTC PrivacyCon (Washington, DC, USA, January 14, 2016) The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues lead by all manner of whitehat security researchers and academics, industry representatives, consumer advocates

POPL 2016 (St. Petersburg, Florida, USA, January 20 - 22, 2016) The annual Symposium on Principles of Programming Languages is a forum for the discussion of all aspects of programming languages and programming systems. Both theoretical and experimental papers are welcome, on topics ranging from formal frameworks to experience reports

Automotive Cyber Security Summit — Shanghai (Shanghai, China, January 21 - 22, 2016) The conference, which brings together automakers, suppliers, various connected-services providers and security specialists, will focus on government regulations, emerging automotive cyber security standards and new products and solutions designed to deal with the growing threats

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.