The CyberWire Daily Briefing 12.23.15

Summary

By The CyberWire Staff

ISIS opens up a new recruitment tool: a first-person shooter game, "Call of Jihad." An obvious "Call of Duty," knock-off, it remains to be seen how successfully gaming can bear the jihadist message. That message's expression can be complicated: see, for example, Brookings' thought on how it's refracted through social media.

Westchester County officials say it's news to them that the Feds detected Iranian probing of that small dam in Rye, New York. Their reaction suggests (unsurprisingly) that inter-government cyber threat information sharing may still suffer implementation issues.

Investigation into the Juniper backdoor now points toward a less-than-satisfactory random number generator once advocated by NSA. Cisco is inspecting its own code for similar issues (and finds none, so far) and observers expect other companies to undertake comparable self-examination.

The Spy Banker Trojan courses through Brazil via Facebook and Twitter accounts.

Joomla 2.3.7 is out, and includes important security patches.

You may soon see a new error code in your browser. Joining 403 ("Forbidden") and 404 ("Not found"), 451 will tell you that "legal obstacles" (essentially, if not exclusively, censorship) prevent you from viewing content.

Internet privacy, censorship, and surveillance rules are enacted or mooted in China, the EU, the UK, and the US.

As Christmas approaches, the Hello Kitty and VTech hacks give parents the willies. And security companies offer much holiday-specific advice. You should, for example, make sure that any old device you're replacing with a new gift is securely wiped before you sell, toss, or give it away.

Notes.

Today's issue includes events affecting Australia, Bahamas, Brazil, China, European Union, Iraq, New Zealand, Syria, United Kingdom, and United States.

The CyberWire will be taking Thursday and Friday off for the Christmas holidays. We'll be back as usual on Monday, December 28. In the meantime, our best wishes for the holidays.

Selected Reading

Cyber Trends

5 Leaks that Shook the World in 2015 (Legaltech News) LTN revisited some of the hacks that may have gotten your data stolen this year and got experts to weigh in

2015 Ransomware Wrap-Up (Dark Reading) Here's a rundown of the innovative ransomware that frightened users and earned attackers big bucks this year

Seven astounding technology trends for 2016 (SecurityInfoWatch) 2015 was a transformative year for technological innovation. 2106 continues that technology trend with more disruption in sight. Below is a short list of my predicted trends for the coming year

5 Data Breach Predictions for 2016 (Legaltech News) In its third annual Data Breach Industry Forecast, Experian makes five sobering predictions based on recent events and new and emerging trends

Expect Phishers to Up Their Game in 2016 (KrebsOnSecurity) Expect phishers and other password thieves to up their game in 2016: Both Google and Yahoo! are taking steps to kill off the password as we know it

Cyber security: Attack of the health hackers (FInancial Times) Breach of Anthem database, probably from China, is part of a 2015 wave of 100m hacked medical records

IoT attacks and new evasion techniques can be the emerging threats in 2016 (Financial Express) As in years past, the Internet of Things (IoT) and cloud play heavily in the predictions but new malicious tactics and strategies will create unique challenges for vendors and organizations alike

The Industrial Cyber Myth: It's No Fantasy (Dark Reading) As threats become more sophisticated, the industry is still playing catch-up

"Physical Security Professionals Must Work Closely With Cyber Experts": Nuix CTO Stuart Clarke on Combating the Cyber Threat (IFSEC Global) "The message I always give to organisations is that against a sufficiently motivated individual, your network really doesn't stand a chance," according to Stuart Clarke, CTO of Nuix

1 in 4 people will be hit by a data breach by 2020 — what are you doing to secure yourself (Naked Security) In a world where it seems like a new data breach is announced every other day, there are still plenty of people who don't think it'll happen to them

Cyber criminals gearing up for Christmas data bonanza (CRN) Data left on old devices will provide rich pickings if not wiped and disposed of correctly, Kroll Ontrack warns

Legislation, Policy and Regulation

What the EU's Data Privacy Ruling Really Means: Part One (Legaltech News) Legal tech experts weigh in on what the GDPR decision really means going forward

What the EU's Data Privacy Ruling Really Means: Part Two (Legaltech News) Legal tech experts weigh in on what the GDPR decision really means going forward

Two of the Most Important Pieces of Cyber Legislation Ever (Willis Wire) A bit like London buses — you wait for ages and then two come along — two of the most significant pieces of European legislation ever affecting cyber liability have been announced by the European Commission in the last week

Explaining U.S. Surveillance Law Protections for an EU Audience (Lawfare) In October, the European Court of Justice and its Advocate General struck down as unlawful the EU/US Safe Harbor, which since 2000 has been a major way that US-based businesses could comply with the relatively strict EU privacy laws. Concerns about the weak protections in the US surveillance system were a major basis for striking down the Safe Harbor

China says tech firms have nothing to fear from anti-terror law (Business Insurance) Technology companies have nothing to fear from China's new anti-terrorism law which aims to prevent and probe terror activities and does not affect their copyright, China's Foreign Ministry said on Wednesday, rebuffing U.S. criticism as unwarranted

Tech Sector Fights Back as U.S. Approves CISA, UK, China Consider Proposals (Legaltech News) New intelligence gathering initiatives have led to a chorus of concern from the tech sector and privacy advocates

Apple disses British surveillance bill (Deutsche Welle) Apple is opposing provisions in a draft UK law that would weaken online encryption by requiring built-in cyber "backdoors" for government spies. The US e-gadgets company says backdoors harm rather than help security

Debate Likely to Continue Into 2016 on Companies Providing Info to Law Enforcement (Legaltech News) It is likely legislators will continue to debate proposals requiring companies to provide info to law enforcement and intelligence officials — if suspected terrorism is involved

U.S., European Aviation Authorities at Odds Over Cybersecurity (Wall Street Journal) U.S. and European aviation authorities are at odds over one of the industry's hot-button issues: devising ways to protect an array of aircraft from potential cyberattacks

FAA Finally Admits Names And Home Addresses In Drone Registry Will Be Publicly Available (Forbes) The FAA finally confirmed this afternoon that model aircraft registrants' names and home addresses will be public

FAA takes drone registration offline for maintenance ahead of surge in demand (ITWorld) The FAA said the site would be offline during the night hours of Tuesday and Wednesday

The Pentagon's Law of War for Cyberspace (The Diplomat) Beyond the targeting of civil nuclear power plants

E.W. Priestap Named FBI HQ Counterintelligence Division Assistant Director (ExecutiveGov) E.W. Priestap, formerly deputy assistant director of the FBI intelligence directorate's intelligence operations branch, has received appointment as assistant director of the counterintelligence division at the bureau's headquarters

Australian government tells citizens to turn off two-factor authentication (Ars Technica) When going abroad, turn off additional security. What could possibly go wrong?

Products, Services, and Solutions

5 Big Improvements in Wireshark (eSecurity Planet) It's now even easier to use the open source Wireshark tool to analyze network traffic at the packet level, thanks to a recent upgrade

Securing the Security Companies: Protecting the Cloud With Real-Time Threat Intelligence (Recorded Future) When a cyber defense company wants to make sure its clients are safe from cyber intrusions, they turn to Recorded Future

Technologies, Techniques, and Standards

Should you buy cyber insurance? (Network World) With the number breaches reaching an all-time high in 2014 many businesses are looking to mitigate risk with insurance

NIST practice guide shows agencies how to establish trusted geolocation in the cloud (FierceGovernmentIT) Earlier this month, the National Institute of Standards and Technology issued an interagency report that effectively serves as a practice guide for agencies looking to establish trusted geolocation for cloud computing systems

How to have yourself a merry cyber-safe Christmas (BBC) In 2000, Scott Culp wrote a terrific essay on computer security

Advent tip #23: Check that Java is turned off in your browser (Naked Security) You've heard of Java

Marketplace

Cybersecurity And Risk Management To Gain Traction In Security Market During 2016 (SourceSecurity) Cybersecurity is a fast-changing field and 2015 was no exception

Finance teams becoming involved in cyber risk mitigation oversight (Help Net Security) CFOs and their finance teams are toughening policies on suppliers and increasing insurance coverage as they are asked take on a larger role in defending their companies from emerging cyber risks, according to a new survey of Chartered Global Management Accountant (CGMA) designation holders

Research and Development

Mobile health data security focus of $10 million NSF research project (FierceMobileHealthcare) A $10 million National Science Foundation research project aims to shore up patient data security and user confidentiality when it comes to mobile health tools

Security Patches, Mitigations, and Software Updates

Joomla! 3.4.7 Released (Joomla!) Joomla! 3.4.7 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability and one low level security vulnerabilities. We strongly recommend that you update your sites immediately

Yahoo to Warn Users of State-Sponsored Attacks (Threatpost) Yahoo has announced it will follow in the footsteps of Twitter and Facebook and begin warning users when it believes their accounts have been targeted by a state-sponsored actor

New Microsoft adware rules could stop another Superfish security scare (Guardian) From March, adware on Windows will have to be easily removable and not able to hijack users' connections

Cyber Attacks, Threats, and Vulnerabilities

'Call of Jihad': ISIS Turns to Video Games, Hollywood to Reach Recruits (Defense One) This video shows how ISIS is increasingly appropriating images of western pop culture, portraying terror as glamorous

Social media screening for terrorism needs multiple lenses (Brookings) Since the recent tragic terrorist attack in San Bernardino, California — where a radicalized Muslim couple gunned down 14 people at a holiday office party — much attention has been focused on the wife, Tashfeen Malik, a Pakistani national. She was allowed into the US in 2014 on a type of visa for people who plan to marry American citizens

Astorino says county was never told of cyber attack on dam (Iohud Journal News) Westchester County officials were never told by their federal partners on a joint terrorism task force about a 2013 cyber attack on a dam owned by the city of Rye, County Executive Rob Astorino said Tuesday

The Juniper VPN backdoor: buggy code with a dose of shady NSA crypto (CSO Online) Or, how one backdoor was actually two

Juniper Backdoor Picture Getting Clearer (Threatpost) The NSA's subversion of encryption standards may have come home to roost

Cisco launches code review after Juniper's spyware disclosure (IDG via CSO) No unauthorized code has been found yet but the review continues

Cisco reviews code after Juniper breach; more scrutiny expected (Reuters) Networking equipment maker Cisco Systems Inc said on Monday it has launched a product review to look for tampering after rival Juniper Networks Inc's disclosure found code in firewall software that made it vulnerable to cyber attacks

Cybercriminals using Facebook to push Spy Banker trojan (SC Magazine) Cybercriminals are using the friendly face of Facebook and Twitter to distribute banking trojans that are specifically targeting Brazilians

VTech hack exposes parent's nightmare: The Internet of broken toys (Parallax) Toys are supposed to bring a sense of fun and wonder to a child's playtime, but as November's VTech Kids hack demonstrated, toys these days can also bring threats from the Internet

Torrenting Still A Thorn In Enterprise Networks (Dark Reading) A quarter of enterprises still see torrenting activity and among those, 43 percent of apps contain malicious elements

A Hidden Insider Threat: Visual Hackers (Dark Reading) Ponemon experiment shows how low-tech white-hat hackers, posing as temps, captured information from exposed documents and computer screens in nearly nine out of ten attempts

Academia

SecureRF Collaborates with University at Buffalo Mathematics Doctoral (SecureRF) Students to study Algebraic Eraser. Partnership made possible with $600,000 grant from the National Science Foundation

Litigation, Investigation, and Enforcement

First on CNN: Newly discovered hack has U.S. fearing foreign infiltration (CNN) A major breach at computer network company Juniper Networks has U.S. officials worried that hackers working for a foreign government were able to spy on the encrypted communications of the U.S. government and private companies for the past three years

Wyndham settlement: No fine, but more power to the FTC (CSO) On the face of it, Wyndham Hotels and Resorts dodged a major bullet from the Federal Trade Commission (FTC)

Oracle ordered to admit it deceived users over Java security updates for years (Hot for Security) We all know that one of the pillars of computer security is keeping your software up-to-date

Clinton campaign sweats out data breach damage (Politico) Hillary Clinton's team is unsettled by what Bernie Sanders' staffers might have seen in their sneak peek

Bank of America gets Twitter to delete journalist's joke, says he violated copyright (Ars Technica) "I have no way of guessing what the objection was really about"

Kim Dotcom Ruled Eligible For Extradition to US, Will Appeal (Wired) After a ten week trial and more than 3 years after the raid on Kim Dotcom's mansion, a New Zealand judge has denied an extradition stay for Kim Dotcom and his three business associates

Bahamas man accused of hacking celebs, stealing movie scripts & sex tapes (Ars Technica) Suspect offered "a very popular celebrity SSN along with 30 unreleased tracks"

Cops crush claimed karaoke copyright crooks' conspiracy (Naked Security) 'Twas the night before Christmas, and all through the station, London police couldn't give a figgy pudding about anybody's plans for a homemade karaoke sing-along

IT manager has his bikes stolen after cycling app reveals his home address (We Live Security) Hopefully by now, many of us have woken up to the danger of revealing too much personal information on social networks

Grindr being used to target and rob gay men (Naked Security) Thieves are using the popular gay dating app Grindr to target and rob men

Keller Rohrback Investigates Hello Kitty Database Cyber Attack (BusinessWIre) Attorney Advertising. Keller Rohrback L.L.P. is investigating recent reports that the popular website SanrioTown[dot]com — the official website for Hello Kitty and other Sanrio (OTC Pink:SNROF) toy brands — fell victim to a cyber attack that left over three million users' personal information at risk. The majority of users are children

Design and Innovation

Error 451 is the new Ray Bradbury-inspired HTTP code for online censorship (PCWorld) Error code 451 tells you when content you want to see is blocked due to "legal obstacles"

Google Wants To Eliminate Password Login (InformationWeek) Google has begun testing a password-free login method that enables users to log in using their smartphones

Secure email could be the prescription for improved chronic care outcomes (FiercePracticeManagement) New survey results point to improved outcomes and more cost-effective patient contact

CyberPoint wants the Force to be with you when thinking about your firm's cyber security (Baltimore Business Journal) In a galaxy far, far away, there could be hackers trying to steal your employees' personal data or hack your company's bank accounts

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

upcoming Events

cybergamut Tech Tuesday: The Threat Landscape and the Path Forward: Fundamentals of a Risk-Aware Orgnaization (Elkridge, Maryland, USA, January 5, 2016) John McLaughlin of IBM Security provides a quantitative analysis of the attacks seen by IBM and the thousands of IBM customers in the preceding year. Specific attention will be paid to the protocols engaged, attack patterns, and trends seen in these attacks. In addition, these attacks are characterized by targets, time, and degree of success. Following the quantitative reporting, the remainder of the presentation focuses on an actionable plan for securing the enterprise. Simply describing the problem is no longer sufficient. This plan consists of a multi-step roadmap, a product independent approach to securing the enterprise against the previously described attack vectors

cybergamut Tech Tuesday: The Threat Landscape and the Path Forward: Fundamentals of a Risk-Aware Organization (Elkridge, Maryland, USA, January 5, 2016) John McLaughlin of IBM Security provides a quantitative analysis of the attacks seen by IBM and the thousands of IBM customers in the preceding year. Specific attention will be paid to the protocols engaged, attack patterns, and trends seen in these attacks. In addition, these attacks are characterized by targets, time, and degree of success. Following the quantitative reporting, the remainder of the presentation focuses on an actionable plan for securing the enterprise. Simply describing the problem is no longer sufficient. This plan consists of a multi-step roadmap, a product independent approach to securing the enterprise against the previously described attack vectors

CES CyberSecurity Forum (Las Vegas, Nevada, USA, January 6, 2016) Premiering at CES 2016 — the global stage for next generation technologies — The CyberSecurity Forum will bring together security experts and technology visionaries with executives and policymakers to tackle current and looming cyber security challenges. Registration is limited to ensure a highly interactive experience and opportunities for networking

FloCon 2016 (Daytona Beach, Florida, USA, January 11 - 14, 2016) The FloCon network security conference provides a forum for large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic

Cyber Security Breakdown: Chicago (Chicago, Illinois, USA, January 12, 2016) This half day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than try and handle the breach during the chaos of the event, you'll understand how to build in advance, the best practices to respond effectively. Attend the Cyber Security Breakdown event that is focused on the unique issues and threats facing legal professionals

Breach Planning & Incident Response Summit: Proactive Collaboration Between Private Industry and Law Enforcement to Mitigate Damage (Odenton, Maryland, USA, January 12, 2016) The Cybersecurity Association of Maryland, Inc.(CAMI), Chesapeake Regional Tech Council, Maryland Chamber of Commerce, Chesapeake Innovation Center, Tech Council of Maryland are partnering together to host this event designed to attract and educate CIO's, CISO's, CEO and Compliance officials from small to mid-sized commercial firms on the practical actions taken by the government, firms and organizations post-hack

Insider Threat Program Development Training Course — Georgia (Atlanta, Georgia, USA, January 12 - 14, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation

FTC PrivacyCon (Washington, DC, USA, January 14, 2016) The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues lead by all manner of whitehat security researchers and academics, industry representatives, consumer advocates

POPL 2016 (St. Petersburg, Florida, USA, January 20 - 22, 2016) The annual Symposium on Principles of Programming Languages is a forum for the discussion of all aspects of programming languages and programming systems. Both theoretical and experimental papers are welcome, on topics ranging from formal frameworks to experience reports

Automotive Cyber Security Summit — Shanghai (Shanghai, China, January 21 - 22, 2016) The conference, which brings together automakers, suppliers, various connected-services providers and security specialists, will focus on government regulations, emerging automotive cyber security standards and new products and solutions designed to deal with the growing threats

CyberTech 2016 (Tel Aviv, Israel, January 26 - 27, 2016) Cybertech is the most significant conference and exhibition of cyber technologies outside of the United States. Cybertech provided attendees with a unique and special opportunity to get acquainted with the latest innovations and solutions featured by the international cyber community. The conference's main focuses are on networking, strengthening alliances and forming new connections. Cybertech also provided an incredible platform for Business to Business interaction

Global Cybersecurity Innovation Summit (London, England, UK, January 26 - 27, 2016) SINET presents the Global Cybersecurity Innovation Summit, which focuses on providing thought leadership and building international public-private partnerships that will improve the protection of our respective homeland's critical infrastructures, national security and economic interests. Our objective is to advance innovation and the growth of the cybersecurity sector by providing a platform for cybersecurity businesses, particularly small and medium enterprises (SMEs), to connect with key UK, US, and international decision makers, system integrators, investors, government policy makers, academia and other influential business executives

Fort Meade IT & Cyber Day (Fort Meade, Maryland, USA, January 27, 2016) The Ft. Meade IT and Cyber Day is a one-day event held at the Officers' Club (Club Meade) on base. The event is held on-site, where industry vendors will have the opportunity to display their products and services to IT, Communications, Cyber and Intelligence personnel

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.