
The CyberWire Daily Briefing 01.06.15
Sony's CEO speaks publicly about the hack his Hollywood unit sustained. (Risk Based Security is keeping a running timeline of the entire episode.) Some observers see the US response, which appears to target North Korea's arms trade as opposed to its cyber activities (well, fair enough — sanctions needn't be directly tailored to a specific capability), as showing limitations of current cyber doctrine.
Morgan Stanley fires an employee who improperly accessed and posted information on some 900 of the firm's wealth management clients.
Reports indicate a group of hackers ("H4LT") has accessed Xbox One's software development kit.
Indonesian hackers of "Gantengers Crew" deface more EC-Council sites — they appear interested merely in counting coup against security advocates.
Google's decision to release information on an unpatched zero-day vulnerability in Microsoft Windows 8.1 receives decidedly mixed reviews.
Carnegie Mellon's CERT/CC warns of vulnerabilities in the UEFI systems and BIOS of some Intel chipsets.
Personalized card company Moonpig pulls its API after reports that vulnerabilities therein left customers exposed for seventeen months.
iCloud's vulnerability to brute-forcing is patched.
Trend watchers predict a surge in cyber-reconnaissance during 2015. Others note the reuse of familiar exploits and attack tactics, and remind all that recognizing a risk doesn't mean you've dealt with it.
Cyber labor shortages are seen driving a "spooks-as-a-service" market.
An alumnus of Russian information operations describes those operations from the inside. (Cyber conflict is both intensional and extensional.) Intel shutters its Russian developers forum.
Lawyers wonder: are the Feds really serious about prosecuting "hacking back?"
Notes.
Today's issue includes events affecting China, Indonesia, Israel, Democratic People's Republic of Korea, Republic of Korea, Moldova, Russia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
A Breakdown and Analysis of the December, 2014 Sony Hack (Risk Based Security) Note: This article is being updated almost daily with new developments regarding the leaks from the Sony Pictures breach
CES 2015: Sony condemns 'vicious' cyber attack (BBC) Sony has condemned the "vicious" cyber attack that led to it suspending the release of its film The Interview
Sony's Hirai praises staff in hack, hails freedom of speech (IDG via CSO) Sony CEO Kazuo Hirai called the hack of Sony Pictures vicious and malicious
A Morgan Stanley Employee Stole And Posted Data On 900 Clients (Business Insider) Morgan Stanley said it has fired an employee who had stolen data from 900 of the firm's wealth management clients
H4LT hacking team leaks secret Xbox One SDK, accesses unreleased games (SC Magazine) Xbox One's software development kit (SDK) was reportedly accessed by a hacking group known as H4LT, which released the proprietary information that could allow unapproved developers to create homemade games for the console
Hackers Deface Two More EC-Council Sub-Domains (HackRead) On January 1st, 2015, a sub-domain of International Council of Electronic Commerce Consultants (EC-Council) website was defaced by Indonesian Gantengers Crew hackers. Now two more sub-domains of the EC-Council have been defaced by the same group
Hoax! Don't copy and paste that 'Copyright' Facebook message (USA TODAY) You may have noticed a "Privacy Alert Notice" in your Facebook feed. It claims that if you copy and paste a certain notice into your Facebook feed, it will protect your privacy
Medical File Hack Affected Nearly Half a Million Postal Workers (Nextgov) Network intruders compromised health information on current and former U.S. Postal Service employees who filed for workers' compensation, USPS officials say
Google shows hackers how to exploit Windows 8.1 (Lumension) If I told you that a bunch of hackers had found a zero-day vulnerability in Microsoft Windows 8.1 you would probably be concerned
Unpatched security hole has left millions of Moonpig customers at risk for 17 months (We Live Security) Moonpig, the online personalised card company, has been accused of a shockingly sloppy attitude to security, after apparently leaving a serious hole in its security unpatched
GoGo in-flight WiFi creates man-in-the-middle diddle (Register) Join the mile-high club by getting screwed with fake certs
Gogo Denies Using Fake Google Certificate to Spy on Passengers (SecurityWeek) Inflight Internet service provider Gogo has been caught using a fake Google SSL certificate, but the company says the certificate's role is to prevent video streaming
CERT Warns of UEFI Hardware Vulnerabilities (Threatpost) The CERT/CC at Carnegie Mellon University today released three advisories warning of vulnerabilities that affect some unified extensible firmware interface (UEFI) systems and the BIOS of some Intel chipsets
HTTPS can be set as your super-cookie (Register) Even your security can be abused
Phish out WPA networks' password with Wifiphisher (Help Net Security) Greek computer geek George Chatzisofroniou has released a stable version of Wifiphisher, a tool aimed at automating phishing attacks against WPA networks in order to discover the password needed to access them
Hackers are gonna hack, but can the enterprise do jack? (ITPro) With Lizard Squad offering up their DDoS tools to others, Davey Winder wonders why the enterprise isn't doing more to protect itself?
MWR InfoSecurity sounds mobile security alarm (MicroScope) The new year has barely started but already users are being urged to be on their guard against security threats they are introducing to their mobile phones via downloading free apps
Identity theft for dummies (Help Net Security) It happened again. Checking into the hotel, I was asked if I can provide my credit card to cover additional expenses (not unusual). However, the receptionist simply wrote my credit card information down on a piece of paper and put it into an unlocked drawer. This, of course, led to a very awkward conversation in my best Spanglish regarding Principle 9 of the PCI-DSS standard
Held for ransom by the digital 'mob' (CSO) Experts say ransomware is the future of consumer cybercrime. But you don't have to be a helpless victim, if you are willing to invest in security
Social Engineering: The dangers of positive thinking (CSO) The assumption that everything's okay is a risky one
Security Patches, Mitigations, and Software Updates
iCloud hole closed following brute force attack (SC Magazine) A hole in iCloud's security allowed attackers to access any iCloud account via a brute force attack that side-stepped blocks — but it is now reported to have been patched
Moonpig pulls API after ignoring vulnerability reports (CSO) API pulled hours after vulnerability was made public
Cyber Trends
Reconnaissance is the name of the game in 2015 (SC Magazine) I was in an airport lounge waiting for my flight to the Middle East when the news broke. Millions of credit card numbers had been exposed over a number of months. How about you? Where were you when you heard about Target? It was just a year ago when the Target breach broke into mainstream media, becoming a reference point for cyber thefts exposing personal financial information. 2014 has been a wakeup call for those outside the world of cybersecurity
Four cyber security risks not to be taken for granted (Help Net Security) It's pretty difficult to make information security predictions, and even more difficult to verify them afterwards: we can only judge the effectiveness of information security by the number of public security incidents that were uncovered, while the majority of data breaches remain undetected
The Biggest Security Threats We'll Face in 2015 (Wired) As the clock strikes midnight on the new year, so begins the countdown to a new round of security threats and breaches that doubtless will unfold in 2015. But this year will be a little different. In the past, when we've talked about threat predictions, we've focused either on the criminal hackers out to steal credit card data and banking passwords or on the activist hackers out for the lulz (and maybe to teach corporate victims a lesson)
The Cyber Threat in 2015: 10 Twists on Hackers' Old Tricks (Nextgov) Hacking trends are not like fashion fads. They don't go in and out each year. They withstand defenses by advancing, in terms of stealth and scope
Don't let "breach fatigue" leave you vulnerable to hackers and malware (Consumer Affairs) Everyone's sick and tired of all these hackings — except the hackers themselves
Nico Sell: 'To me, the NSA and Edward Snowden are just the tip of the iceberg' (Guardian) The founder of secure messaging app Wickr on privacy, why she always wears dark glasses in public and why girls make great hackers
Are Nonprofit Hospitals Especially Vulnerable to Internet Hacking? (Nonprofit Quarterly) The implementation of electronic health records (EHR) in hospitals across the U.S. has been accompanied by unauthorized access to patient records. Data security firm Websense reports a 600 percent increase in web-based attacks on hospitals in the past ten months. Websense believes that attacks on hospitals will increase in 2015 as more hospitals use EHR more widely and as more patient information is available online
Why Healthcare Cybersecurity Measures Must Evolve (HealthITSecurity) Without current healthcare cybersecurity measures, facilities could be vulnerable to online attacks
One in 8 users do not believe in cyberthreats: Kaspersky Lab Survey (Times of India) According to a survey carried out jointly by B2B International and Kaspersky Lab, internet users do not believe that cyber-attacks are real. They feel that the threat is exaggerated by Internet security companies. However, this complacency leaves them without any protection against a risk that threatens their data and virtual lives every day
Marketplace
How an acute shortage of cyber talent gave rise to 'spooks as a service' (IT World) At the RSA Security Conference last year, companies large and small were trumpeting the spy agency connections of senior staff as never before. Startups in areas like 'threat intelligence' and endpoint protection touted their executives' experience at three-letter agencies as a precursor to conversations about the scourge of advanced threats and attacks
BAE Systems plans to take on 710 apprentices (Works Management) The number surpasses the record set in the previous year by 142 places and includes 45 places for apprentices who will eventually join companies in BAE Systems' supply chain or work in local engineering companies. The latter are funded under the Government's Employer Ownership Programme
Belden Completes Tripwire Acquisition (GovConWire) Belden Inc. (NYSE: BDC) has wrapped up the acquisition of security and compliance services provider Tripwire for $710 million
Colorado Springs tech company grows again with Philly-area acquisition (Colorado Springs Gazette) Braxton Science & Technology Group has acquired Gnostech, a 75-employee engineering and consulting company based in the Philadelphia area. It's the second in a series of acquisitions the Colorado Springs-based aerospace firm hopes to make over the next few years
Palo Alto Networks, Fortinet and Check Point Software: 3 Security Stocks to Watch in 2015 (The Street) With chronic complaints from corporate America that cyber thieves are winning the battle to keep customers' personal and financial information under lock and key, as well as company information secure, three security software vendors are poised to outperform their rivals in 2015
iSIGHT Partners Raises $30 Million Series C Round to Fuel Rapid Growth in Enterprise Security and Cyber Threat Intelligence Market (Marketwired) iSIGHT Partners, Inc., the leading provider of cyber threat intelligence for global enterprises, today announced it has closed a $30 million Series C equity-financing round with Bessemer Venture Partners
From Federal Hill, federal contractor patrols social networks for spies (Baltimore Sun) For years, the group of hackers took on assumed names on popular sites such as Facebook and LinkedIn to lure their targets — defense and other government workers here and abroad
Year in Review: MTN Government (Milsat Review) Commercial companies offering satellite capacity to the U.S. government had a challenging year in 2014, with budget cutbacks and military force reductions overseas combining to reduce demand for bandwidth and end-to-end services
As Vistronix Expands in the National Intelligence Community, John Hassoun Adds CEO to Title (Virtual Strategy Magazine) Vistronix, a leading provider of intelligence and technology solutions to national security agencies in the federal space, is pleased to announce that, effective immediately, John Hassoun will take on the role of Chief Executive Officer (CEO) in addition to his role as Corporate President. Former CEO, Deepak Hathiramani, will retain the role of Chairman of the Board
Products, Services, and Solutions
BAE Systems launches Corporate Social Risk Monitoring and Security Analysis Service (GSN) Mclean, VA-based BAE Systems is launching a new Corporate Security Analysis service to assist companies with social risk monitoring and regional security analysis
Soteria Intelligence Combats Social Media Threats to Shopping Malls (Businesswire) Soteria Intelligence is pleased to announce that due to an increase in social media threats related to shopping malls, the company has expanded its research into finding more ways social media can be used to keep mall customers, employees, and property safe
CheckPoint, Watchguard earn top spots in UTM shootout (Network World) UTM appliances for SMB security are getting smaller, more powerful and more feature rich
Nice Systems launches fraud-prevention tech using speech analytics (Finextra) NICE Systems (NICE) today launched its Real-Time Fraud Prevention solution, which enables contact centers to detect and prevent fraud in real time using voice biometrics and both speech and desktop analytics
ThinkUp: How You Really Look On Social Networks (InformationWeek) How do you look to recruiters and hiring managers based on social activity? This service aims to make you more aware of your Facebook and Twitter activity
This is the insanely fast, alien-like router of the future (Quartz) D-Link's new wireless routers look like the future, and they act like it, too
Technologies, Techniques, and Standards
The Coder War: Approaches to cybersecurity defense (InfoWorld) Looking inside the history of cyberdefense and how NIST is moving the government forward
Intrusion Detection Systems: a Primer (eSecurity Planet) Intrusion detection systems can be a key tool in protecting data. This primer can help you determine which kind of IDS is right for you
Why Commercial Clouds Are More Secure than Federal Data Centers (Nextgov) Ever since the Office of Management and Budget issued its cloud first strategy in 2010, the security of cloud offerings has been a major concern for federal IT managers. It is the primary reason the largest share of cloud expenditures in government has been on private clouds
The SBC & BYOD: Helping With Mobile Device Security (No Jitter) An SBC can play several key roles in securing mobile endpoint devices
The big password mistake that hackers are hoping you'll make (State of the Net.Net) You're smart. You don't use passwords like the perennial 123456 and qwerty. Or even slightly better ones, like Cassie86 or Cubs1908. Because you put some thought into them, your passwords are better than those, right?
The argument for moving SSH off port 22 (Internet Storm Center) An interesting discussion is occurring on reddit on whether Secure Shell (SSH) should be deployed on a port other than 22 to reduce the likelihood of being compromised
Design and Innovation
Lavabit founder wants to make "dark" e-mail secure by default (Ars Technica) Drop-in SMTP and IMAP replacements will wrap messages in layers of encryption
Legislation, Policy, and Regulation
Inside Putin's Information War (Politico) I spent years working for Russian channels. What I saw would terrify the West
The nexus of 2015's geopolitical risks will be found in…Moldova? (Quartz) When the analysts at the Eurasia Group mull the risks ahead in 2015, their spinning globe stops at one spot: Moldova. You know, Moldova
State bolsters online security (China Daily) National strategy rolled out to deal with cyberthreats both at home and abroad
"Quite a few Terrorists lost their lives owing to Big Data" (Israel Defense) A first-ever interview with the Head of the Information Technology Division of ISA, Ronen Horowitz, upon his retirement. How intelligence information is utilized in the era of the Internet, cellular telephones and social networks?
S. Korea, China to hold security talks (Korea Times) South Korea and China were to hold working-level security talks in Seoul Monday to discuss an array of bilateral and regional security issues such as the situation with North Korea, the foreign ministry said
Who's the true enemy of internet freedom — China, Russia, or the US? (Guardian) Beijing and Moscow are rightly chastised for restricting their citizens' online access — but it's the US that is now even more aggressive in asserting its digital sovereignty
U.S. Sanctions Target N. Korean Arms Trade, Not Cyber Terrorism (Forbes) The sanctions imposed by President Obama have almost nothing to do with cyber terrorism but instead show U.S. concern with North Korea as an arms exporter to regimes that Washington detests
Response to Sony hack reveals limits of U.S. cyber doctrine (Fedscoop) The Obama administration imposed additional sanctions on North Korea Friday in response to the November cyber attack against Sony Pictures Entertainment. The sanctions, which block access to the U.S. financial system, target 10 North Korean government officials, as well as the reclusive regime's military intelligence bureau and state-run arms dealer
Cyber Terrorism as a Strategy (Fabius Maximus) Much as defense experts in 1913 thought more about cavalry than airplanes, today's experts think more about the aircraft carriers and 5th generation fighters (e.g., F-35) than cyberwar and cyberterrorism. But that's changing. To help you stay current about these developments, here's the first chapter in another series about cyberterrorism
What Should the 114th Congress Do About Cybersecurity in 2015? (Network World) Bellicose rhetoric and intelligence sharing aren't enough, the U.S. needs a comprehensive cybersecurity strategy ASAP
FBI Seeks Cyber Special Agents (eSecurity Planet) The aim, according to the Bureau, is to 'protect our nation and the American people from the rapidly evolving cyber threat'
FBI wants cyber sleuths with some muscle (FCW) Applicants heeding the FBI's recent call for new cybersecurity experts had better get to the gym soon, as the agency isn't changing its physical requirements for the new positions
Litigation, Investigation, and Law Enforcement
Hunting the hackers: Tough and getting tougher, but more important than ever (ZDNet) ZDNet's Monday Morning Opener: Working out who is really behind hacking attacks is already painful and tricky -- but the consequences of not acting are far worse
FBI says search warrants not needed to use "stingrays" in public places (Ars Technica) Feds' position on decoy cell-site towers continues anti-privacy theme
Attkisson sues government over computer intrusions (Washington Post) For months and months, former CBS News investigative correspondent Sharyl Attkisson played an agonizing game of brinkmanship regarding her privacy: She strongly suggested that the federal government was behind a series of intrusions into her personal and work computers, though she has consistently hedged her wording to allow some wiggle room
NSA Reports to the President's Intelligence Oversight Board (IOB) (National Security Agency) Following a classification review, the National Security Agency (NSA) is releasing in redacted form NSA reports to the President's Intelligence Oversight Board (IOB). The release includes quarterly reports submitted from the fourth quarter of 2001 to the second quarter of 2013. The materials also include four annual reports (2007, 2008, 2009, 2010) which are consolidations of the relevant quarterly reports
FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks (TechDirt) It's no secret that some in the computer security world like the idea of being able to "hack back" against online attacks. The simplest form of this idea is that if you're a company under a denial-of-service attack, should you be able to "hack" a computer that is coordinating those attacks to stop them? More than two years ago, an LA Times article noted that some cybersecurity startups were marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such "hack backs" because, among other things, CISPA would grant immunity to companies "for decisions made based on cyber threat information." Some interpreted that to mean that companies would have immunity if they decided to hack back against an attacker
Would the U.S. Really Crack Down on Companies That Hack Back? (Bloomberg) Officially, the U.S. government warns companies not to hack, even when done as retaliation against attacks on their systems. Unofficially, the FBI may let it slide, according to cyber-security experts
Intel Shuts Down Russian Developer Forums To Comply With Russia's 'Blogger Law' (TechCrunch) Add Intel to the growing list of U.S. tech companies that are changing up some of their policies and business in Russia as a result of the government's tightening rein on Internet use. Citing Russia's new "Blogger Law" that was first introduced last year, Intel has shut down all of its popular Russian-language developer forums
Former US cybersecurity official gets 25 years for child porn charges (Ars Technica) Even though Timothy DeFoggi used Tor, the feds got him via admin's poor opsec
GamerGate critic 'swatted', about 20 cops go to old address (Naked Security) An 8chan forum thread (since removed) detailing a plan to swat "pixel artist" and game developer Grace Lynn led to about 20 police officers surrounding a home in the US city of Portland, Oregon on Friday night
A Bot Just Purchased Fake Passports and Ecstasy (Popular Mechanics) European art collectives got more than they bargained for in their new show: A bot they programmed to make automatic purchases on the Darknet sent back Ecstasy pills and a fake Hungarian passport
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Cybersecurity World Conference (New York, New York, USA, Jan 9, 2015) Welcome to Cyber Security World Conference 2015 where renowned information security experts will bring their latest thinking to hundreds of senior business executives and officials focused on protecting the information of today's enterprises and government agencies, respectively. Cyber security experts will discuss topics such as protecting individuals and companies against cyber-attacks, cyber security in the Internet of Things age, biometrics as the future of security, risks brought by mobile computing, and protecting corporate and national infrastructure against foreign attacks
U.S. Commercial Service Market Briefings on Europe's Cyber Security & IT Market (Washington, DC, USA, Jan 12, 2015) Join the U.S. Commercial Service Market Briefings on Europe's Cyber Security & IT Market. The value of the global cyber security market is expected to grow by 11.3% each year, reaching $120 billion by 2017. The Western Europe region alone is estimated to contribute $28.1 billion to this industry, driven by changing threats and technologies. These briefings aim to provide the latest information on Cyber Security & IT markets in Europe
FloCon 2015 (Portland, Oregon, USA, Jan 12 - 15, 2015) FloCon is an open network security conference organized by Carnegie Mellon University
National Cybersecurity Center Of Excellence (NCCOE) Speaker Series: Security In A Cyber World (Rockville, Maryland, USA, Jan 14, 2015) The National Cybersecurity Center of Excellence (NCCoE) Speaker Series showcases global thought-leaders to highlight critical cybersecurity issues of national importance. The keynote speaker will be Chris Inglis, former Deputy Director of the National Security Agency
California Cybersecurity Task Force Quarterly Meeting (Walnut Creek, California, USA, Jan 20, 2015) The California Cyber Security Task Force serves as an advisory body to California's senior government administration in matters pertaining to Cyber Security. Quarterly Cybersecurity Task Force meetings address State and Federal cyber legislation; provide updates on Task Force efforts to improve California's cyber workforce and education; promulgate critical information to enhance California's cyber awareness and preparedness; discuss state advances in cybersecurity and digital forensics; and grant residents an opportunity to share cyber information and innovation
FIC 2015 (Lille, France, Jan 20 - 21, 2015) The International Cybersecurity Forum (FIC) forms part of a thinking and exchange process that aims at promoting a pan-European vision of cybersecurity and strengthening the fight against cybercrime, a priority for the European Union as stated in the Stockholm Programme for 2010–2015. Its objective is to open up the cybersecurity debate by bringing together security and risk management experts with non-specialists to enable them to compare viewpoints and lessons learnt
IARPA Proposers' Day for the Cyber-attack Automated Unconventional Sensor Environment (CAUSE) Program (Washington, DC, metropolitan area, Jan 21, 2015) The Intelligence Advanced Research Projects Activity (IARPA) will host a Proposers' Day Conference for the Cyber-attack Automated Unconventional Sensor Environment (CAUSE) Program on January 21, 2015, in anticipation of the release of a new solicitation in support of the Program. The Conference will be held from 9:00 AM to 4:00 PM EDT in the Washington, DC metropolitan area. The purpose of the Conference will be to provide introductory information on CAUSE and the research problems that the Program aims to address, to respond to questions from potential proposers, and to provide a forum for potential proposers to present their capabilities and identify potential team partners
4th Annual Human Cyber Forensics Conference: Exploring the Human Element for Cloud Forensics (Washington, DC, USA, Jan 21 - 22, 2015) The Human Cyber Forensics Conference addresses the human element of cyber. Presentations will look at the tradecraft and efforts required to identify, understand, navigate, and possibly influence human behavior within and across networks. The conference will bring together subject matter experts to discover and share new means of recognizing human related cyber indicators, and the evolution of these human indicators in the coming decades. The Human Cyber Forensics Conference will focus on such topics as insider threat, next generation social engineering, progressive communications, neuroscience, social cognition, social media, and neuro-ethics
Cyber Security for Critical Assets: Chemical, Energy, Oil, and Gas Industries (Houston, Texas, USA, Jan 27 - 28, 2015) Cyber Security for Critical Assets Summit will connect Corporate Security professionals with Process Control professionals and serve to provide a unique networking platform bringing together top executives from USA and beyond. They are coming together not only to address the continuing cyber threats and set precautions framework, but most importantly to provide necessary tools, insights and methodological steps in constructing a successful secure policy. These policies will after all protect the critical assets needed to safeguard their company assets
Data Privacy Day San Diego — The Future of IoT and Privacy (San Diego, California, USA, Jan 28, 2015) Join the Lares Institute, Morrison & Foerster, and the National Cyber Security Alliance for Data Privacy Day in San Diego. DPD San Diego will bring together privacy luminaries to discuss fundamental issues facing consumers and business, including in-depth panel discussions on privacy, the Internet of Things (IoT), and many other critical topics