The CyberWire Daily Briefing 05.19.15

Summary

By The CyberWire Staff

The claimed hacking of an airliner's flight systems — specifically engine controls (claimed by either the FBI, journalists, or the alleged hacker himself — there are lot of claims circulating) continues to dominate our sector's news. Boeing doesn't believe it happened (because Boeing thinks it couldn't have happened as described) and most observers are dubious. Ars Technica reasonably poses its take as a dilemma: either the researcher exaggerated his stunt, or the researcher did something breathtakingly reckless.

The affair prompts reflection on hacking of both the "stunt" and "ethical" varieties, with application to whistleblowing breach disclosures, gray- (and white-) hat vulnerability disclosures, etc.

Panda Security says it's detected a threat to different transportation mode — oil tankers: "Operation Oil Tanker," a.k.a. "the Phantom Menace."

Allegations surface that Germany's BND snooped on Austrian, French, and Dutch targets in cooperation with the US NSA.

Penn State continues to recover from a persistent attack on its engineering school. The objective may have been intellectual property. Observers put the cost of remediation at $2.85M ($485K for outside help, the rest for replacing compromised hardware).

In the US, the St. Louis Federal Reserve discloses that it suffered a DNS breach, apparently a criminal as opposed to state-sponsored attack.

IEEE issues standards for medical device security. Malware appears in a cardiac catheterization lab, researchers describe how an artificial pancreas might be hacked, and a Pittsburgh medical center suffers a data breach.

Cisco's not buying FireEye (yet, anyway), so it gets plenty of advice on what it should buy instead.

Notes.

Today's issue includes events affecting Austria, China, France, Germany, Italy, Republic of Korea, Netherlands, New Zealand, Romania, Russia, Ukraine, United Kingdom, and United States.

The CyberWire will be covering the third annual Georgetown Cybersecurity Law Institute in Washington, DC, this Wednesday and Thursday. Watch for special issues Thursday and Friday.

Selected Reading

Cyber Trends

Bad Ads and Zero Days: Reemerging Threats Challenge Trust in Supply Chains and Best Practices (TrendLabs Security Intelligence Blog) Best practices are failing. No matter how good you are at sticking to them, they can no longer guarantee your safety against the simplest threats we saw last quarter

G-Data Security Labs Malware Report (G-Data Security Labs) The number of new malware strains increased enormously in the second half of the year (H2); 4,150,068 were counted. There were 1,848,617 instances in the first half of 2014, meaning that the experts recorded an increase of around 125%

50 shades of grey hat: When is it right to go public about a security breach? (ZDNet) The ethics of IT security are still evolving: one in five security professionals say they have worked for a company that covered up a data breach

Adblockers are immoral and mobile networks should know better (The Next Web) As an editor, I feel resentful of people who enjoy my work but proudly run an ablocker to starve my content of revenue. Now the Financial Times reports that European mobile networks are planning to offer ad-blocking as a service to their customers. If true, those networks should be ashamed

Clients demand more of firms on data security (Global Legal Post) The increasing focus on data security and privacy, which permeates all levels of the business community, is starting to force the pace of change in the legal profession

What does the "post-Sony" world mean for IT security? (IT Pro Portal) The Sony pictures hack last November was both shocking and unexpected. Beginning with an ominous warning that the entertainment company had been "hacked by GOP." large amounts of private and sensitive information was subsequently leaked

Legislation, Policy and Regulation

Tech Giants Tell Obama To Resist Calls For Backdoor Access To Encrypted Data (TechCrunch) Apple, Google, Yahoo and more than 140 other tech industry companies have written to President Obama urging him to shoot down demands for 'backdoor' access to user data on smartphones and other communication devices and platforms

Opinion: The Pentagon's troubling new battle against Internet anonymity (Christian Science Monitor Passcode) With its updated cybersecurity strategy, the Department of Defense redoubles a campaign against Web anonymity. But without anonymity, the expression and political activity that it protects may vanish, too

The US and a spiral of cyberfear (Christian Science Monitor) In a newly revealed strategy, the Pentagon poses the threat of a digital counterattack on those who launch a cyberattack on the US. This offensive capability, however, might trigger a cyber arms race. Is the US fear well founded to justify a possible escalation of fear?

10th Fleet's the Charm? US Navy Looks to Beef Up Cyber Capabilities (Diplomat) The U.S. Navy's nascent 10th fleet plans to beef up its ability to fight off cyber intruders. Will that be enough?

Rhetoric flies as deadline looms to renew bulk phone metadata surveillance (Ars Technica) Spying program Snowden exposed expires June 1 unless reauthorized by Congress

Chris Christie: Edward Snowden Is a Criminal and NSA Fears Are 'Baloney' (Government Executive) New Jersey Gov. Chris Christie will condemn Edward Snowden as a "criminal" and charge civil libertarians with drumming up "baloney" concerns about the National Security Agency's spying practices Monday during a foreign policy speech to be delivered in New Hampshire

America Needs an Open Source Intelligence Fusion Center (Cicero) The humanitarian world often has a healthy suspicion of the military. This is understandable. It can be very dangerous for humanitarian organizations and USAID personnel to be conflated with the military, which skeptical locals sometimes consider the same thing as the CIA overseas

Spyware — required by law on South Korean teenagers' smartphones (Graham Cluley) It seems it's not that much fun being a teenager in South Korea

Products, Services, and Solutions

In Ambitious Security Play, Skyport Launches The Next Generation of Secure Infrastructure (TechCrunch) Winter is coming to the icy land of IT departments. Ferocious cyberattacks against corporate IT infrastructures are proliferating, and it seems like every day we hear about another company that has had a critical data breach

Microsoft clarifies again that its free Windows 10 upgrade is not for pirates (FierceCIO) Microsoft clarifies again that pirated versions of its Windows operating system will not be transformed into genuine copies with Windows 10 update

L'analyse du comportement utilisateur, nouvel eldorado de la sécurité (LeMagIT) Quel est le point commun entre Fortscale et SentinelOne, finalistes de l'édition 2015 de l'Innovation Sandbox de RSA Conference, et HP? L'analyse du comportement des utilisateurs, ou User Behavior Analytics (UBA)

Intercede enables secure payments and banking for financial technology specialist Interpay (IT Security Guru) Korean m-payments specialist Interpay has signed up to use Intercede's MyTAM to protect third party payment and banking apps running on the Android platform. The service allows Interpay to utilise the Trusted Execution Environment (TEE) to ensure sensitive consumer data is isolated from potential threats on the main operating system

Lastline Adds Rapid Host Breach Verification, Bridging Network and Endpoint Security (BusinessWire) Evasive malware detection pioneer expands platform to verify endpoint compromises

ThreatConnect, Inc. Announces STIX Integration (GlobeNewsWire) ISAC and ISAO members better able to share and aggregate threat intelligence into existing security processes to defend organizations

Marsh and FireEye collaborate on service to assess vulnerability to cyber attacks (Property Casualty 360) Cyber attacks appear to be proliferating around the world, and a major issue for companies is detecting the attacks before they wreak havoc with the organization's data

FireEye and ACE Group Announce Strategic Alliance to Mitigate Cyber Risk (MarketWatch) New offering pairs leading technical expertise from FireEye with pioneering cyber insurance from ACE to more effectively manage cyber risk for organizations worldwide

Dropbox for Business achieves ISO 27018 for cloud privacy (FierceCIO) Dropbox for Business has achieved certification with ISO 27018, an emerging standard for privacy and data protection in the cloud

Technologies, Techniques, and Standards

IEEE Cybersecurity Initiative Releases "Building Code for Medical Device Software Security" (BusinessWire) Establishes baseline requirements for secure software development & production of medical devices

5 common misconceptions about DDoS protection (IT Pro Portal) Defending organisations networks against DDoS attacks has long been a daunting challenge — but now cybercriminals are making it even more so; headlines today are rife with news of another DDoS attack, data breach or other security incidents

How to make life difficult for Internet of Things hackers (Beta News) The "Internet of Things" is a buzzword which is becoming more and more prevalent in today's society. This is mostly due to the rise of crowd funding schemes and an insurgence of low power, highly capable microcontroller platforms such as Arduino

Part 4 — How to Prevent Phishing: Setting up WiFi and Instant Messaging Protections (Trend Micro: Simply Security) If you've ever been "phished," you've experienced the dangers of receiving phony emails, downloaded files, instant messages, or links to false websites masquerading as real ones

Marketplace

A Tidal Wave Of Cybersecurity Jobs (Homeland Security Today) Crime involving computers and networks costs the world economy more than $445 billion annually, according to a 2014 report by the Center for Strategic and International Studies. And, all indications are that cybercrime will continue trending up in 2015. This escalation in cybercrime is fueling an explosive cybersecurity job market

Partners To Cisco: Forget FireEye, Look At Palo Alto, Splunk (CRN) The Cisco partner community was abuzz last week following rumors that the networking giant had put in a whopping $9 billion bid to acquire advanced threat detection company FireEye

Cisco is not acquiring FireEye, but there are other potential targets for acquisition (FierceEnterpriseCommunications) Recent rumors indicated Cisco was making a play to purchase network threat prevention vendor FireEye, but those rumors were quashed not only by Cisco, but also by FireEye. Sources at the FireEye told Re/Code the company wouldn't even be up for sale until revenue hit $1 billion

How AT&T Is Virtualizing Security (Wall Street Journal) AT&T Inc.T -1.06% is rethinking how it approaches security as it upgrades its data centers and network to better handle growing data and video traffic

Avast Opens North Carolina Office (Digital Journal) Avast Software, maker of the most trusted mobile and PC security in the world, today announced the opening of its Charlotte, North Carolina office bringing 60 new IT, marketing, business development and tech support jobs to the area

Splunk Appoints Snehal Antani as Chief Technology Officer (MarketWatch) Former GE Capital CIO and long-time Splunk customer to drive strategy and innovation

Cyber Attacks, Threats, and Vulnerabilities

Did a hacker really make a plane go sideways? (Christian Science Monitor Passcode) A FBI affidavit in a case involving security researcher Chris Roberts claims that he took over the navigation system of an airliner. But if those claims are indeed true, they raise troubling questions about the state of airline security

Alleged plane hacker said he pierced Boeing jet's firewall in 2012 (Ars Technica) Chris Roberts also claimed to access International Space Station system

Hacker says he took over a flight's engine controls; Boeing casts doubt on claim (Fox 13 News) A cybersecurity consultant told the FBI he hacked into computer systems aboard airliners up to 20 times and managed to control an aircraft engine during a flight, according to federal court documents

FBI Claims Banned Researcher Admitted Hacking Plane Controls… But Is Someone Lying? (Forbes) Chris Roberts is not happy with the FBI officers who interviewed him last month. The security researcher was questioned for four hours after being removed from a United Airlines flight on 15 April and his equipment seized for a tweet he said was a joke, though it indicated he was able to tinker with in-flight communications to compromise the oxygen supply on the flight

Hacker Chris Roberts told FBI he took control of United plane, FBI claims (Washington Post) A hacker who allegedly said he took over the controls of a plane in mid-flight has been investigated by the FBI — even as he pokes fun at the agency, saying he is only out to improve airline security

Security experts concerned that planes can be hacked through in-flight entertainment network (Techspective) The little TV screens on the back of the headrest on every seat on many commercial planes are awesome

Is there such a thing as ethical hacking? (Computerworld) A recent news report about hacking into a commercial jet raises concerns about how we view ethical hacking

Lets Call Stunt Hacking What it is, Media Whoring. (Carnal0wnage) I recently read this article: [linked in original] and it brought to mind some thoughts that have been percolating for quite a while

Operation "Oil Tanker": The Phantom Menace (Panda Labs) Everything started on a cold January day in a coastal town in the North East of England, an area with a strong presence of petrochemical companies

'BND en NSA tapten internetverkeer Nederland' (NU) De Duitse inlichtingendienst BND en het Amerikaanse NSA zouden met medewerking van het telecombedrijf Deutsche Telecom internetverkeer naar Nederland, Oostenrijk en Frankrijk hebben afgetapt

Cyberattacks mine universities for intellectual-property data (FierceBigData) Penn State's College of Engineering was cyberattacked and security experts expect more universities to be actively mined by cyberattackers in the near future if they aren't already under attack. But these attacks are looking for more than the usual data payoff. Much more

How hackers used Microsoft TechNet to run their botnet (Win Beta) A report released by FireEye, a California based network security firm, exposed an obfuscation tactic a group of Chinese hackers employed that used Microsoft's TechNet web portal to cloak their botnet from standard counter measures

FireEye helps Microsoft fight hackers in its own backyard (IT Pro) Security firm teams up with Redmond to detect malware on TechNet forum

Anonymous Italy Steals 1TB of Data from Best Union Ticketing Service During Expo 2015 Attacks (Freedom Hacker) Anonymous Italy has continued to target Expo 2015 with a series of high-scale Distributed Denial of Service (DDoS) Attacks under the collectives Operation Italy (#OpItaly). Anonymous hackers have targeted Expo 2015's systems and supporting organizations with a series of high-profile cyberattacks for the past few weeks and show no sign of stopping

St. Louis Federal Reserve Suffers DNS Breach (KrebsOnSecurity) The St. Louis Federal Reserve today sent a message to those it serves alerting them that in late April 2015 attackers succeeded in hijacking the domain name servers for the institution

Can Hackers Commit the Perfect Murder By Sabotaging an Artificial Pancreas? (IEEE Spectrum) Robotic systems are, at last, beginning to take over some of the burden of managing the fluctuations in blood glucose in patients with Type 1 diabetes. But a new report warns that as the systems get adopted more widely, the risk of criminal eavesdropping and sabotage will also increase

MetroHealth reports data breach affecting select heart patients (19 Action News) On March 17, 2015, The MetroHealth System discovered malware on three computers in its Cardiac Cath Lab

UPMC alerts 2,200 patients to data breach (Pittsburgh Post-Gazette) UPMC is alerting 2,200 patients treated at its hospital emergency departments that information from their medical records may have been disclosed by an outside contractor

Rombertik's disk wiping mechanism is aimed at pirates, not researchers (Help Net Security) Rombertik, the information-stealing malware that was recently analyzed by Cisco researchers and which apparently tries to prevent researchers from doing so by rewriting the computer's Master Boot Record, is actually a newer version of an underground crimeware kit known as Carbon FormGrabber (or Carbon Grabber), Symantec researchers have found

Address spoofing vulnerability in Safari Web Browser (Internet Storm Center) A new vulnerability arised [sic] in Safari Web Browser that can lead to an address spoofing allowing attackers to show any URL address while loading a different web page

"Failure In Parcel Delivery" Fake Email Drops Malware On USPS Customers? PC (HackRead) Please note that the email that appears to be sent by USPS informing that due to incorrect address the firm has failed to deliver a parcel to the recipient is actually a malicious message

SPSS Vulnerability Is Tough To Exploit But Stakes Are High For Client Base (Fortinet Blog) SPSS is one of the most widely used statistical analysis packages in the world. It was first released in 1968 and gained considerable traction among social sciences researchers

Uber in hot water again — this time over plaintext passwords in emails (Naked Security) Isabelle Berner has been taking a lot of Uber rides in the UK lately, for somebody who lives in New York City

Florida EOC testing delays caused by outside cyber attack again, officials say (Tampa Bay Times) Interruptions in Florida's end-of-course biology, civics and U.S. history exams last week came courtesy of outside hackers, a Florida Department of Education spokeswoman told the Gradebook on Monday

Investigation underway after cyber attack against ODU student newspaper (ABC 13 News Now) Old Dominion University's student-run newspaper, The Mace and Crown, was hacked this weekend

About the supposed factoring of a 4096 bit RSA key (Hanno's Blog) Keystl;dr News about a broken 4096 bit RSA key are not true. It is just a faulty copy of a valid key

Global black markets and the underground economy (Help Net Security) What are currently the most vital global black markets and how do cybercriminals access them?

Why Thieves Would Rather Steal Your Apple Watch Than Your iPhone (Intego Blog) There's something important you need to know about the Apple Watch

Academia

La. Tech honored for cyber education (News Star) The National Security Agency (NSA) and the U.S. Department of Homeland Security (DHS) have designated Louisiana Tech University as a National Center of Academic Excellence in Cyber Defense Education

New Degree in Cybersecurity Available at URock (Penobscot Bay Pilot) The University of Maine at Augusta and University College have announced that the University of Maine System (UMS) Board of Trustees approved a new Bachelor of Science in Cybersecurity

Litigation, Investigation, and Enforcement

A court ruling on "The Innocence of Muslims" is a big win for Google — and for Hollywood studios (Quartz) A panel of federal judges in San Francisco has overturned a decision that required Google to pull the controversial film The Innocence of Muslims from its video-hosting site YouTube

Ulbricht's lawyer: Silk Road was "the most responsible" drug market in history (Ars Technica) DPR paid a doctor $500 per week to give advice on "harm reduction"

Design and Innovation

Alibaba Reveals a New Kind of QR Code to Fight Counterfeits (Wired) Chinese e-commerce giant Alibaba has a fake goods problem. The company knows it, and the Chinese government has made abundantly clear it knows, too. Now, to combat counterfeits, the company has come up with a solution: Slap unique QR code-like tags on every product

Wanted: Better designed systems for operators (Control) Operators responding to abnormal situations need better designed systems. The challenge is not inundating the operator while being sure to wake them up

Decoding the Enigma of Satoshi Nakamoto and the Birth of Bitcoin (New York Times) It is one of the great mysteries of the digital age

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Cyber Risk Wednesday: How Will Our Cyber Future Be Different from Today? (Washington, DC, USA, May 20, 2015) Join the Atlantic Council's Cyber Statecraft Initiative on May 20, from 4:00 p.m. to 5:30 p.m. for a panel discussion on the future of cyberspace and the game-changing scenarios that could transform it to be far better, or perhaps more likely, far worse, than today. Register to watch it live online

Cybergamut Tech Tuesday: Using EMET to Defend Against Targeted Attacks (Elkridge, Maryland, USA, June 9, 2015) 0-day vulnerabilities that are able to bypass platform level exploit mitigation technologies such as DEP and ASLR are becoming increasingly common. Knowledge workers are being increasingly targeted by adversaries seeking to gain a foothold in your enterprise via spear-phishing and watering hole style attacks leveraging 0-day vulnerabilities in commonly used applications such as Internet Explorer, Adobe Reader and Oracle's Java. Many organizations are still running Windows XP which no longer receives security updates as of April 2014. This presentation discusses a free exploit mitigation toolkit called EMET that can be installed on all currently supported versions of Windows to significantly raise the bar for attackers by offering new and novel exploit mitigation techniques that have been pioneered by the Microsoft Trustworthy Computing division and independent security researchers from around the world. Presented by: Robert Hensing of Microsoft

REcon (Montréal, Québec, Canada, June 15 - 21, 2015) REcon is a computer security conference with a focus on reverse engineering and advanced exploitation techniques. The conference offers a single track of presentations over the span of three days along with technical training sessions held before the presentation dates. Technical training varies in length between two and four days

Cybergamut Tech Tuesday: The Truth About Security Your System (Elkridge, Maryland, USA, June 30, 2015) What does it take to secure a system? What is the logical approach to successfully achieve this endeavor? First, an understanding of who wants access and why is a necessary baseline to form a strategic approach. Next, an understanding of the critical assets in the organization is a must. Finally, an understanding of how to implement a risk-based approach sums up the discussion. Presented by: Dr. Susan Cole

SecTor (Toronto, Ontario, Canada, October 19 - 21, 2015) Illuminating the Black Art of Security. Now entering its 9th year, SecTor has built a reputation of bringing together experts from around the world to share their latest research and techniques involving underground threats and corporate defences. The conference provides an unmatched opportunity for IT Professionals and Managers to connect with their peers and learn from their mentors

upcoming Events

FS-ISAC & BITS Annual Summit (Miami Beach, Florida, USA, May 17 - 20, 2015) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions through dissemination of trusted and timely information. The FS-ISAC & BITS Annual Summit will feature sessions of interest to both security professionals and the financial sector

2015 Honeynet Project Workshop (Stavanger, Norway, May 18 - 20, 2015) Each year the Honeynet Project annual workshop brings together top information security experts from around the globe to present their latest research efforts and discuss insights and strategies to combat new threats. The project workshop provides participants and sponsors with significant exposure to world-class professionals and a diverse range of information security topics

Fraud Summit Chicago (Chicago, Illinois, USA, May 19, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Highlights of the Chicago event include the 2015 faces of fraud, science and insider fraud detection, EVM and pay card security, mobile banking risks and their mitigation, and threat information exchange

NCCOE Speaker Series: The Cyber Danger: Problems of Strategic Adaptation (Rockville, Maryland, USA, May 20, 2015) Lucas Kello (Senior Lecturer in International Relations / Director of Cyber Studies Program, Oxford University, and Associate of the Science, Technology & Public Policy Program, Belfer Center for Science & International Affairs, Harvard University, Kennedy School of Government) will deliver the keynote address. The contemporary world confronts an enormous cyber threat. The U.S. intelligence community rates this threat higher than global terrorism. It warns of the severity of the damage a cyber attack could produce. Yet there is no consensus among scholars and decision makers on how to characterize the strategic instability of cyber interactions or on what to do about it. The range of conceivable cyber conflict is poorly understood. It is unclear how conventional security mechanisms such as deterrence and collective defense apply to this phenomenon. Principles of cyber defense and cyber offense remain rudimentary. The growth of cyber arsenals, in short, is outpacing the design of doctrines to limit their risks. This presentation will review problems of strategic adaptation to current cyber realities, applying insights from technological revolutions in previous eras

3rd Annual Georgetown Cybersecurity Law Institute (Washington, DC, USA, May 20 - 21, 2015) In 2015, it is more important than ever that in-house and outside counsel stay abreast of the most current developments and best practices in cybersecurity. Those lawyers who ignore cyber threats are risking millions of dollars for their companies or their clients. Recent reports by Cisco and the World Economic Forum both highlight the paramount importance of cyber risk management. You have an important role to play in cybersecurity leadership, especially in keeping corporate officials and the board of directors informed. Too often, well-meaning officials don't know what they don't know! At our 2015 Institute you will receive insights on the best governance, preparedness, and resilience strategies from experienced government officials, general counsels, and cybersecurity practitioners who face these issues on a daily basis

AFCEA Spring Intelligence Symposium 2015 (Springfield, Virginia, USA, May 20 - 21, 2015) The Symposium will be a one-of-a-kind event designed to set the tone and agenda for billions of dollars in IC investment. Leaders from all major IC agencies, from the ODNI, IARPA, and the National Intelligence Council will explore where that investment is being directed and how industry, Federally Funded R&D Centers, and academia can best contribute to the IC's R&D effort

SOURCE Conference (Boston, Massachusetts, USA, May 25 - 28, 2015) SOURCE is a computer security conference happening in Boston, Seattle, and Dublin that is focused on offering education in both the business and technical aspects of the security industry. The event's vision is to bridge the gap between technical excellence and business acumen and bring the best of both worlds together

HITBSecConf2015 Amsterdam (De Beurs van Berlage, Amsterdam, The Netherlands, May 26 - 29, 2015) This year's event will feature a new training courses. Keynote speakers include Marcia Hofmann and John Matherly. To encourage the spirit of inquisitiveness and innovation, Haxpo will showcase cutting edge technology and security solutions for industry professionals alongside fun, hands-on tinkering and hacking exhibits

7th International Conference on Cyber Conflict (Tallinn, Estonia, May 26 - 29, 2015) CyCon is the annual NATO Cooperative Cyber Defence Centre of Excellence conference where topics vary from technical to legal, strategy and policy. The pre-conference workshop day, 26 May, features a variety of talks and hands-on training. The 7th International Conference on Cyber Conflict (CyCon 2015) held on 27-29 May 2015 in Tallinn, Estonia, will focus on the construction of the Internet and its potential future development. This year's topic — "Architectures in Cyberspace" — asks what cyberspace is and will be in the coming years as well as what are its characteristics relevant for cyber security

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.