The CyberWire Daily Briefing 12.29.15

Summary

By The CyberWire Staff

ISIS/Daesh adherents appear to be attempting collaboration toward cyber attack capabilities. Consensus among observers is that Daesh hasn't progressed beyond low-grade, script-kiddie levels, and that any serious offensive capacity remains aspirational. Still, their efforts will bear watching.

Elsewhere, Jammat-ud-Dawah, nominal charitable and political arm of the south-Asian Islamist group Lashkar-e-Taiba, barked an announcement that a "24/7" cyber operations cell has been established to hold Indian targets under threat.

Turkey continues recovery from the recent denial-of-service campaign it sustained. The government talks up its tighter security measures and reaffirms its commitment to building up a cyber security workforce.

Abode patches Flash Player in response to Huawei's discovery of a zero-day being exploited in the wild. Analysts regard the out-of-band patch worth immediate attention.

Researcher Chris Vickery has found data for 191 million registered US voters — essentially all of them — exposed online thanks to an "incorrectly configured database." No one really knows who's responsible, but early speculation points toward an unidentified customer of political campaign service provider NationBuilder.

A presentation at the Chaos Computer Club says flaws in payment communication protocols Poseidon and ZVT could compromise PINs and otherwise enable banking and payment fraud.

Widespread US adoption of chip-and-pin payment cards in 2016 is expected to shift cyber criminals toward card-not-present fraud, with the sharing economy most heavily affected.

Forbes reviews the "hottest cybersecurity startups" of 2015.

New Chinese anti-terrorist legislation is characterized as requiring firms to decrypt on demand. It's unclear how different this will prove to be from requiring backdoors.

Notes.

Today's issue includes events affecting China, European Union, India, Iraq, Pakistan, Syria, Turkey, United States

the CyberWire will be taking this Thursday and Friday off for the New Year holidays. We'll be back as usual on Monday, January 4.

Selected Reading

Cyber Trends

How the Internet of Things Got Hacked (Wired) There was once a time when people distinguished between cyberspace, the digital world of computers and hackers, and the flesh-and-blood reality known as meatspace

What Will The Internet Of Things Be When It Grows Up? (TechCrunch) An old proverb advises, "Keep a thing seven years, and you'll find a use for it"

Will IT security be different next year? (Help Net Security) It is that time of the year again where we delve into the back of the cupboard and dust off the crystal ball as we make our predictions for the year ahead

6 Cybersecurity Insights from SC Congress (eSecurity Planet) Cyber insurance and new approaches to security patches were among topics on the agenda at the recent SC Congress

Cybersecurity in 2016 (Cipher Brief) In 2016, the gap between threat actors and the cybersecurity industry will continue to expand

15 Cybersecurity Lessons We Should Have Learned From 2015, But Probably Didn't (Dark Reading) Another infosec year is almost in the books. What did all the breaches, vulnerabilities, trends, and controversies teach us?

The Rise Of Community-Based Information Security (Dark Reading) The more vendors, service providers, and companies' band together to fight security threats, the more difficult it will become for attacks to succeed

The Splinternet: A New Era of Censorship, Surveillance, and Cyberwarfare (The Takeaway) For more than a decade, the internet has become a seemingly borderless land of free flowing information. It began as a not so open U.S. military data system decades ago, but it evolved over time into the public digital domain it has become

Healthcare Shows High Risk From Brute Force Attacks According To Industry Report (Business Solutions) As we enter 2016 and more of the healthcare industry depends on the cloud, security specifically in this area will become even more important to your clients

Major Misconceptions About Cloud Security in European Financial Sector, New Survey Shows (IBM Security Intelligence) The ENISA report titled "Secure Use of Cloud Computing in the Finance Sector," published in December 2015, showed just how far European banks and other financial institutions lag behind with respect to perceptions and usage of cloud computing in their businesses

Cyber response mechanism: The 'achilles heel' of corporate India (India Times) As the competitiveness and need for excellence increases in the business arena, many companies are now seeing information technology (IT) seep into the DNA of their business operations

Legislation, Policy and Regulation

Engaging the International Community on Cybersecurity Standards (The White House) The administration releases a new strategy to improve the U.S. government's participation in the development and use of international standards for cybersecurity

Data Security Regulations Leave Organizations Struggling with Response Methods: Survey (Legaltech News) About 52 percent of respondents think the pending EU GDPR will result in business fines for their company, and two-thirds expect it to force changes in their European business strategy

China's New Anti-Terrorism Law May Call on Foreign Tech Firms (BloombergBusiness) China passed an anti-terrorism law that has drawn U.S. criticism for the assistance that foreign technology companies may be required to give to snooping by the Chinese authorities

China's new anti-terror law: No backdoors, but decryption on demand (Ars Technica) Companies must provide "decryption and other technical support assistance"

China's Military Intelligence System is Changing (War on the Rocks) As American families dined on turkey and stuffing, China's Central Military Commission (CMC) was hard at work in Beijing hammering out military reforms

Lawmakers push for commission on encryption (The Hill) Congress should create a national commission to investigate the difficulties encryption has created for law enforcement, a bipartisan pair of lawmakers argued Monday in a Washington Post op-ed

A modest response to a real cyberthreat (Washington Post) "Omnibus funding bill is a Privacy and Cybersecurity Failure," the Open Technology Institute declared on Dec. 16 . "Last-Minute Budget Bill Allows New Privacy-Invading Surveillance in the Name of Cybersecurity," the Intercept blared. Why did Congress, in its massive year-end budget deal, slip in a measure that Gizmodo once called "the worst privacy disaster our country has ever faced"? Because it's not

Six cybersecurity lawmakers to watch in 2016 (The Hill) On the heels of passing its most significant cybersecurity legislation in years, Congress is poised to tackle a slate of fresh digital issues in 2016

Nonprofits assail IRS for charitable-giving rules (The Hill) Nonprofit organizations and charities are sounding the alarm about a new regulatory proposal from the IRS that would encourage them to collect the Social Security numbers of their donors

Products, Services, and Solutions

Raspberry Pi Foundation Says 'No' To Malware (InformationWeek) The Raspberry Pi Foundation was reportedly offered cash to put malware on its latest boards. The organization declined the offer

RiskAnalytics Tool Unites Employees Around Cybersecurity (Legaltech News) The company's enhancements to its RiskTool dashboard allow for greater oversight in employee cybersecurity training and prevention

Technologies, Techniques, and Standards

New Years Resolutions (Internet Storm Center) No, not eating more broccoli, or going to the gym… I'm referring to security related resolutions only

A Prediction of Protection: How to Protect Your Digital Assets with E-Discovery Know-How (Legaltech News) Corporations can begin safeguarding information by repurposing some of the e-discovery best practices and know-how they already have in place

6 Ways Your Smartphone Could Get You Into Legal Trouble (Legaltech News) Big law firm lawyers say these practices can cause a bit of a headache… and more

Marketplace

Top Board Priorities for 2016 (Harvard Law School Forum on Corporate Governance and Financial Regulation) Organizations are faced with many critical challenges — including rapidly changing technology, environmental risks, regulatory and legal requirements, major shifts in markets, ethical breaches, and big data and cybersecurity issues — that threaten their long-term success and sustainability

Hacking attacks hand cyber security firms the limelight (Proactive Investors) In the world of investment, one person's problem is another's opportunity

Why One Cybersecurity Investor Says No Company Is Safe (PYMNTS) In March 2015, addressing a crowd at Innovation Project 2015, retired four-star General Keith Alexander, the former director of the National Security Agency, quieted the crowd with his rather sober reality of the future of cybercrime and cybersecurity

Cyber-security and operational risk converge, says study (Banking Technology) Operational risk and cyber-security concerns are converging as a topic for risk managers, who also face a changing agenda resulting from the digital transformation of baking and financial services

Upcoming trends in the SIEM market (Help Net Security) AccelOps identified the need for a convergence of today's disparate Network Operations Center (NOC) and Security Operations Center (SOC) departments, a shift to outsource to security service providers and a desire for tools that map and analyze network infrastructure from a single-pane-of-glass view into both network operations and security

Cisco Closes $452.5M Lancope Buy; Boosts Network Security (Zacks) Cisco Systems recently completed the acquisition of network security provider Lancope, Inc. The $452.5 million cash and stock deal was announced in October

The Hottest Cybersecurity Startups Of 2015 (Forbes) In 2015, there were few hotter areas in Silicon Valley than cybersecurity

My Conversation With IBM (Seeking Alpha) IBM reached out to me after a couple of recent articles

How Akamai Survived The Darkest Era Of The Web To Become A Backbone Of The Internet (ARC) An unassailable network 17 years in the making

Security Patches, Mitigations, and Software Updates

Security updates available for Adobe Flash Player (Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system

Adobe Fixes Flash Zero-Day Bug Discovered by Huawei (Softpedia) Adobe releases out-of-band security update

Flash Player Patch Fixes 0-Day, 18 Other Flaws (KrebsOnSecurity) Adobe has shipped a new version of its Flash Player browser plugin to close at least 19 security holes in the program, including one that is already being exploited in active attacks

Cyber Attacks, Threats, and Vulnerabilities

Watch: Hafiz Saeed launches 24X7 cyber cell, mobile app to attack India (Zee News) One of the most wanted terrorists in India for masterminding 26/11 Mumbai terror attacks, Jammat-ud-Dawah chief Hafiz Saeed has now created a 24-hour cyber cell to launch attacks on India

ISIS Hackers Sharpen Skills Used For Cyber Terror In Secret Forum (Vocativ) The forum reflects ISIS hackers' growing desire to wage war online

Turkey to Increase Security Following Cyberattacks (Voice of America) A spokesman for Turkey's president says the country will increase security following a spate of cyberattacks last week that affected government websites and some banks

Is the Turkish state ready to hire nerds for cyber wars? (Hurriyet Daily News) "From a military standpoint, it would be fair to say that a high-profile cyber weapon is the combination of a nuclear weapon, a biological weapon, a time bomb, an anti-radiation missile, special forces and a medieval sword"

Patch now! Flash-exploitin' PC-hijackin' attack spotted in the wild by Huawei bods (Register) Adobe squeezes out one last batch of security fixes for 2015

Database of 191 million U.S. voters exposed on Internet: researcher (Reuters) An independent computer security researcher uncovered a database of information on 191 million voters that is exposed on the open Internet due to an incorrectly configured database, he said on Monday

191 Million US Voter Registration Records Leaked In Mystery Database (Forbes) A whitehat hacker has uncovered a database sitting on the Web containing various pieces of personal information related to 191 million American citizens registered to vote

Security Sense: When is a Leak a Hack — and Does It Even Matter? (WindowsITPro) Today I woke up to news of 191 million US voter records having made a public appearance somewhere online. At first glance this appeared to be the same old story: someone hacked into a system and dumped everything either publicly or via a reporter. Same old, same old. But then it took an unexpected turn — it wasn't a hacker (at least in the traditional sense) breaking into a system somewhere, it was someone who was referred to as a "researcher"

AVG Forcibly Installs Vulnerable Chrome Extension That Exposes Users' Browsing History (Softpedia) The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more. The vulnerability was discovered by Google Project Zero researcher Tavis Ormandy, who worked with AVG for the past two weeks to fix the issue

Common payment processing protocols found to be full of flaws (Ars Technica) Stealing PINs and pillaging bank accounts are both trivial

The Fraud Tsunami Heads To The Sharing Economy (Dark Reading) When it comes to cyberfraud, online marketplaces like AirBnB can expect an uphill battle in the wake of the rollout of new chip card technology in 2016

Data breach reaches Pantex workers (Amarillo Globe-News) The National Nuclear Security Administration has confirmed a federal data breach affected some employees at Pantex Plant, potentially leaking background investigation details, fingerprints, mental health and financial history information

Veterans' information potentially compromised (Statesman Journal) The Oregon Department of Veterans' Affairs (ODVA) mailed notification on Monday, Dec. 28, to 967 Oregon veterans whose personal information may have been compromised

USCG Cyber Command warns of ransomware threat (Marine Log) Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it — and occurrences have been cropping up in the maritime domain

The next wave of cybercrime will come through your smart TV (IDG via CSO) Always on and vulnerable, smart TVs are waiting to be attacked

Tech Gifts That Security Pros Will Probably Return (Dark Reading) Insecure gifts that CISOs and other security pros are likely returning as we speak

Academia

NIIT University, PwC India inks pact for cyber security training (Hindu Business Line) NIIT University (NU) today said it has partnered consultancy firm PwC India for creating a trained talent pool of cyber security professionals in India

Cyberthon welcomes student applications (Pensacola News-Journal) Like football players getting ready for a bowl game, Angela Irby's students at Pine Forest High School Cybersecurity Academy are gearing up for Cyberthon 2016, a competition where students act as information technology professionals fending off simulated hacker attacks

Litigation, Investigation, and Enforcement

Silk Road founder was tracked down by a Googling tax agent (Naked Security) FBI forensics! DEA investigation! Sophisticated Tor-cracking techniques squeezed (or bought?) out of Carnegie Mellon!

Data Collection, Verification a Top-of-Mind Issue for Anti-Money Laundering Officers (Legaltech News) The LexisNexis Risk Solutions and ACAMS survey found data issues in customer-enhanced due diligence and AML risk assessments

Design and Innovation

5 ways developers can exploit geospatial tech in 2016 (Venture Beat) Since the rise of geospatial technology, applications like Facebook, Uber, and Grindr (where I work), have enabled users to engage with their surroundings to connect with friends, book a room, or set up a date

Experts untangle old, new codes as encryption is eyed to fight terrorism (TribLive) Like a computer hacker for 15th century texts, Thomas Ernst sees meaning where others find only gibberish

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

upcoming Events

cybergamut Tech Tuesday: The Threat Landscape and the Path Forward: Fundamentals of a Risk-Aware Orgnaization (Elkridge, Maryland, USA, January 5, 2016) John McLaughlin of IBM Security provides a quantitative analysis of the attacks seen by IBM and the thousands of IBM customers in the preceding year. Specific attention will be paid to the protocols engaged, attack patterns, and trends seen in these attacks. In addition, these attacks are characterized by targets, time, and degree of success. Following the quantitative reporting, the remainder of the presentation focuses on an actionable plan for securing the enterprise. Simply describing the problem is no longer sufficient. This plan consists of a multi-step roadmap, a product independent approach to securing the enterprise against the previously described attack vectors

cybergamut Tech Tuesday: The Threat Landscape and the Path Forward: Fundamentals of a Risk-Aware Organization (Elkridge, Maryland, USA, January 5, 2016) John McLaughlin of IBM Security provides a quantitative analysis of the attacks seen by IBM and the thousands of IBM customers in the preceding year. Specific attention will be paid to the protocols engaged, attack patterns, and trends seen in these attacks. In addition, these attacks are characterized by targets, time, and degree of success. Following the quantitative reporting, the remainder of the presentation focuses on an actionable plan for securing the enterprise. Simply describing the problem is no longer sufficient. This plan consists of a multi-step roadmap, a product independent approach to securing the enterprise against the previously described attack vectors

CES CyberSecurity Forum (Las Vegas, Nevada, USA, January 6, 2016) Premiering at CES 2016 — the global stage for next generation technologies — The CyberSecurity Forum will bring together security experts and technology visionaries with executives and policymakers to tackle current and looming cyber security challenges. Registration is limited to ensure a highly interactive experience and opportunities for networking

FloCon 2016 (Daytona Beach, Florida, USA, January 11 - 14, 2016) The FloCon network security conference provides a forum for large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic

Cyber Security Breakdown: Chicago (Chicago, Illinois, USA, January 12, 2016) This half day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than try and handle the breach during the chaos of the event, you'll understand how to build in advance, the best practices to respond effectively. Attend the Cyber Security Breakdown event that is focused on the unique issues and threats facing legal professionals

Breach Planning & Incident Response Summit: Proactive Collaboration Between Private Industry and Law Enforcement to Mitigate Damage (Odenton, Maryland, USA, January 12, 2016) The Cybersecurity Association of Maryland, Inc.(CAMI), Chesapeake Regional Tech Council, Maryland Chamber of Commerce, Chesapeake Innovation Center, Tech Council of Maryland are partnering together to host this event designed to attract and educate CIO's, CISO's, CEO and Compliance officials from small to mid-sized commercial firms on the practical actions taken by the government, firms and organizations post-hack

Insider Threat Program Development Training Course — Georgia (Atlanta, Georgia, USA, January 12 - 14, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation

FTC PrivacyCon (Washington, DC, USA, January 14, 2016) The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues lead by all manner of whitehat security researchers and academics, industry representatives, consumer advocates

POPL 2016 (St. Petersburg, Florida, USA, January 20 - 22, 2016) The annual Symposium on Principles of Programming Languages is a forum for the discussion of all aspects of programming languages and programming systems. Both theoretical and experimental papers are welcome, on topics ranging from formal frameworks to experience reports

Automotive Cyber Security Summit — Shanghai (Shanghai, China, January 21 - 22, 2016) The conference, which brings together automakers, suppliers, various connected-services providers and security specialists, will focus on government regulations, emerging automotive cyber security standards and new products and solutions designed to deal with the growing threats

CyberTech 2016 (Tel Aviv, Israel, January 26 - 27, 2016) Cybertech is the most significant conference and exhibition of cyber technologies outside of the United States. Cybertech provided attendees with a unique and special opportunity to get acquainted with the latest innovations and solutions featured by the international cyber community. The conference's main focuses are on networking, strengthening alliances and forming new connections. Cybertech also provided an incredible platform for Business to Business interaction

Global Cybersecurity Innovation Summit (London, England, UK, January 26 - 27, 2016) SINET presents the Global Cybersecurity Innovation Summit, which focuses on providing thought leadership and building international public-private partnerships that will improve the protection of our respective homeland's critical infrastructures, national security and economic interests. Our objective is to advance innovation and the growth of the cybersecurity sector by providing a platform for cybersecurity businesses, particularly small and medium enterprises (SMEs), to connect with key UK, US, and international decision makers, system integrators, investors, government policy makers, academia and other influential business executives

Fort Meade IT & Cyber Day (Fort Meade, Maryland, USA, January 27, 2016) The Ft. Meade IT and Cyber Day is a one-day event held at the Officers' Club (Club Meade) on base. The event is held on-site, where industry vendors will have the opportunity to display their products and services to IT, Communications, Cyber and Intelligence personnel

ESA 2016 Leadership Summit (Chandler, Arizona, USA, January 31 - February 3, 2016) The electronic security industry is rapidly changing and continuously evolving. It's not enough to just survive. Businesses looking to thrive need to adapt to ensure their people, products, services and practices stay ahead of the curve. The Summit is a three-day conference filled with networking and educational opportunities dedicated to delivering business intelligence to electronic security companies and professionals that are ready to embrace innovation and grow

SANS Cyber Threat Intelligence Summit & Training 2016 (Alexandria, Virginia, USA, February 3 - 10, 2016) This Summit will focus on specific analysis techniques and capabilities that can be used to properly create and maintain Cyber Threat Intelligence in your organization. Attend this summit to learn and discuss directly with the experts who are doing the CTI analysis in their organizations. What you learn will help you detect and respond to some of the most sophisticated threats targeting your networks

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter’s financial reach, or it might just not be the right time for you to do those things. That’s why we launched our new Patreon site, where we’ve created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you’ll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.