The CyberWire Daily Briefing 05.20.15

Summary

By The CyberWire Staff

Debate over both the reality and morality of the alleged airliner hack the US FBI's investigating continues. The emerging consensus seems to hold that white-hat proof-of-concept hacking of flight control systems, however well-intentioned, is too risky. (What other consensus could reasonably be reached?) Observers note that United's bug bounty program, for example, explicitly excludes such probing. Coincidentally Aviation Week publishes a sad, sobering story: the magazine's sources tell them that buggy fuel-transfer and trim-control software may have contributed to the engine failure seen in the recent, lethal loss of an Airbus A400M military transport being tested prior to delivery to Turkey.

Islamist messages continue to appear on small, poorly defended networks in the New World. The Cyb3r CommandOS deface sites in Minnesota; they seem at least as animated by a (somewhat gloomy) form of the lulz as they do zeal for jihad. The Bahamas' government — sites in the country were recently vandalized — is urged by citizens to take the threat as seriously as possible.

Ransomware continues to take its toll. Costs are in the tens of thousands (but victims' begging with the criminals is poignant).

In industry news, CSC's board indicates it will split the company in two. Analysts look at Symantec's prospects once it completes its own planned split.

Cyber legislation advances in the US Congress. There appears considerable support for aspects of the measures that will foster increased information sharing. Quartz publishes a long analysis from TruSTAR on why such sharing is as welcome as it is "overdue."

Notes.

Today's issue includes events affecting Bahamas, China, France, Philippines, Russia, Saudi Arabia, Turkey, and United States.

The CyberWire is covering the third annual Georgetown Cybersecurity Law Institute in Washington, DC, today and tomorrow. Watch for special issues Thursday and Friday.

Selected Reading

Cyber Trends

The cybersecurity domino effect (Help Net Security) RedSeal unveiled its survey of high-ranking executives that illustrates widespread concern regarding the potential effects of cyberattacks in corporate America

New Ponemon Institute Survey Reveals Time to Identify Advanced Threats is 98 Days for Financial Services Firms, 197 Days for Retail (Yahoo! Finance) 83 percent of financial services, 44 percent of retail firms experience more than 50 incidents per month

Can you afford to wait 197 days to detect a threat? (Help Net Security) Financial services and retail organizations agree, advanced threats are the most serious security challenge facing their organizations, shows a new Ponemon Institute study

Too many false positives in traditional security approaches (IT Pro Portal) According to 62 per cent of IT professionals traditional security approaches produce too many alerts and false positives for them to handle

Why Companies Need to Learn How to Share (Information Security Buzz) For many years, members of this industry have been wary about sharing their intellectual property with others. They believed doing so would jeopardize their competitive differentiation and business opportunities

'The user is today's new corporate security perimeter (CIO) 'The security perimeter in organisations is dissolving - IT and security management can no longer count on well-defined network security perimeters to protect their organisations,' according to the latest Global Threat Intelligence report

Enterprise employees choose adult content, app downloads over security (ZDNet) Research suggests despite knowing otherwise, workers worldwide regularly ignore IT policies and place businesses at risk

Legislation, Policy and Regulation

Saudi Arabia committed to increase cyber security measures (Zawya) Over the last several years, it has become clear that the short list of the world's principal challenges includes cybersecurity and the threat of cyber-crime to governments and private organizations and citizens alike

Are We Exaggerating China's Cyber Threat? (Diplomat) A new Harvard report suggests that China may not be much of a threat to U.S. cybersecurity. Is that really the case?

Cyber security bills focus on info sharing (Banking Exchange) Congress likely to consider three measures this month

Congress wants companies facing cyber attacks to share data, and it's not a moment too soon (Quartz) Successful executives know that putting together the right team is a key element in achieving goals and overcoming challenges. In fact, walk into any CEO's office and you are likely to find a number of books on teamwork sitting on the bookshelf. But corporate managers aren't the only ones who recognize the value of collaboration. We've learned the hard way that hackers and other bad actors in cyberspace have become proficient in finding ways to collaborate and share information in real-time on exploits and other offensive strategies

The importance of good threat intelligence (Help Net Security) The cyber-threats our organizations face are continuing to evolve, partly in respect to the broadening motivations behind attacks, and partly due to the increased sophistication of the attacks themselves

McConnell: Senate to vote on bill to end NSA bulk collection (NorthJersey.com) The Senate will vote on legislation that ends the National Security Agency's bulk collection of millions of Americans' phone records as Congress scrambles to renew the Patriot Act before it expires on June 1

As Congress Haggles Over Patriot Act, We Answer 6 Basic Questions (NPR) The rest of the month is setting up to be pretty dramatic in the Senate

Survey finds most US residents want changes to Patriot Act surveillance (IDG via CSO) U.S. residents have major problems with government surveillance, and six in 10 want to see the records collection provisions of the Patriot Act modified before Congress extends it, according to a survey commissioned by a civil rights group

ACLU, Tea Party take on federal spying: 'They've gone too far' (The Hill) The American Civil Liberties Union (ACLU) and a top Tea Party organization are teaming up to pressure lawmakers to oppose renewing controversial parts of the Patriot Act that undergird National Security Agency (NSA) operations

Please no non-consensual BACKDOOR SNIFFING, Mr Obama (Register) Major tech firms against vulnerability by default

Snowden Sees Some Victories, From a Distance (New York Times) For an international fugitive hiding out in Russia from American espionage charges, Edward J. Snowden gets around

Products, Services, and Solutions

How a Small Taiwanese Software Company Can Impact the Security of Millions of Devices Worldwide (SEC Consult Blog) Today the SEC Consult Vulnerability Lab released an advisory regarding a vulnerability in a software component called NetUSB. This post intends to give some background information about this vulnerability

ThreatConnect, Inc. Announces Free Edition for ISACs and ISAOs (BusinessWire) Industry's most widely adopted and comprehensive threat intelligence platform is available immediately to all ISACs, ISAOs, and their members

Catbird Releases Catbird For OpenStack (BusinessWire) First and only solution to enable security policy to move across on- and off-premises infrastructure and leading cloud platforms

Technologies, Techniques, and Standards

What every CSO should be doing now about the Starbucks potential hack (CSO) The potential hack of the Starbucks' app is now a major news story

8 Android security tips for IT, corporate users (CIO via CSO) A set of security experts shares actionable tips for IT departments and users to help reduce the risk associated with the popular mobile OS

Healthcare's 'Internet of Things' should be the 'Security of Things' (Healthcare IT News) There are six fundamental questions to ask about connected devices

CISO: Compliance Is Wrong InfoSec Focus (HealthcareInfoSecurity) Tips for building stronger information security programs

What combination locks teach us about encryption weakness (CSO) Attacking the implementation of a cryptographic algorithm can be much easier than attacking the algorithm itself

Secure smart devices for the holiday season (Help Net Security) Summer is almost here and many are currently considering taking their beloved smart devices with them on their travels. However, the risks of doing so are sizeable

NARA records management guidance should have addressed metadata, says GAO (FierceGovernment) National Archives and Records Administration guidance on how agencies should manage digital records failed to address metadata, which is information that describes a digital asset, according to a May 14 report from the Government Accountability Office

Marketplace

The Benefits and Limits of Cyber Value-at-Risk (Wall Street Journal) Many CIOs across industries struggle to answer questions about cyber risk posed by their executive teams and boards of directors: How likely are we to experience a damaging attack?

CSC Board Approves Plan for Separate Commercial-, US Public Sector-Focused Companies (GovConWire) The board of directors at Computer Sciences Corp. (NYSE: CSC) has approved a plan to divide the Falls Church, Va.-based technology and services contractor into two separate publicly-traded companies: one solely focused on the U.S. public sector, with another for commercial enterprises and non-U.S. government agencies

Symantec Security Has A Growth Problem (Seeking Alpha) Symantec will soon be splitting up into two standalone companies. The security division is suffering from weak sales, and does not seem to be profiting from surging enterprise demand. At the moment, the prospects of the standalone security company don't look particularly good

Sources: Sophos To Acquire Email Security Player Reflexion Networks (CRN) Sophos this week will acquire SMB email security and archiving powerhouse Reflexion Networks, CRN has learned

Will AVG Sustain Its Impressive Growth? (Guru Focus) AVG Technologies (AVG) is a Czech company that specializes in computer security software

Security Startup vArmour Hires Experienced Tech Team, Plans ‘Healthy’ Channel Program (VaR Guy) A data security startup is arming itself with a raft of tech-industry veterans in its mission to provide the latest technology to help secure the enterprise data center with substantial help from the channel

Research and Development

Navy Needs Help Making Sure Its Drones are Hack-Proof (Nextgov) The Navy says it's not sure what kind of cyber threats its drones, sensors and missiles are up against

Security Patches, Mitigations, and Software Updates

Stable Channel Update (Chrome Releases) The Chrome team is happy to announce the promotion of Chrome 43 to the stable channel for Windows, Mac and Linux. Chrome 43.0.2357.65 contains a number of fixes and improvements. A list of changes is available in the log

Cyber Attacks, Threats, and Vulnerabilities

Software Cut Off Fuel Supply In Stricken A400M (Aviation Week) The crash of an Airbus A400M airlifter that killed four people on May 9 may have been caused by new software that cut off the engine-fuel supply, industry sources have said

Hacking Airplanes: No One Benefits When Lives Are Risked To Prove A Point (Dark Reading) In the brave new world of self-driving cars and Wifi-enabled pacemakers, everything we do as information security professionals, everything we hack, every joke we make on Twitter, has real, quantifiable consequences

Who's flying the plane? The latest reason to never ignore security holes (Computerworld) Companies make excuses for not addressing security holes that seem unlikely to be exploited. The problem is that they often do get exploited. Just ask United

Should airlines offer bounties to hackers who find security flaws in avionics? (tnooz) The FBI has issued a search warrant for a hacker who controversially claims to have used his laptop to briefly seize control of a plane during flight, tilting it briefly

Their View: Don't punish plane hacker: Learn from him (Centre Daily TImes) Bringing down a plane carrying hundreds of passengers doesn't require a suicidal pilot, a missile or a terrorist bomb. Apparently, a guy with a computer may be able to pull it off by hacking into the airliner's entertainment system

Arvig Hackers: 'We Did This for Islam' (Velley News Live) Lisa Green with Arvig Communications confirms their website was attacked Tuesday morning. She says the homepage was replaced with a picture from a group called Cyb3r CommandOS

Bishop Urges Government To Take Hacking Incident Seriously (Tribune 242) Bishop Simeon Hall yesterday urged the government to "exercise the highest seriousness" in its response to the recent hacking of two government websites

PHL likely targeted by China-backed cyberspies since 2005, security group warns (GMA News) The Philippines may have been the target of a cyber-espionage campaign likely sponsored by the Chinese government, a cybersecurity company said Tuesday

Vulnerability found in IBM statistical analysis suite (IT World Canada) CISOs worry about vulnerabilities in the most commonly-attacked platforms in their inventory — Web servers, password databases, Flash, operating systems and productivity software. They rarely think about other applications

Fake PayPal payment reversal notification leads to phishing (Help Net Security) PayPal phishing attempts take many forms, and one of the most often used techniques is fake emails containing a warning and a prompt to act quickly

'Los Pollos Hermanos' ransomware — what will they think of next? (Naked Secuirty) Cryptoransomware isn't a new topic any more, but it's intriguing to look at what the crooks are up to these days

How much money do cyber crooks collect via crypto ransomware? (Help Net Security) FireEye researchers have calculated that the cybercriminals wielding TeslaCrypt and AlphaCrypt have managed to extort $76,522 from 163 victims in only two months

Many ransomware victims plead with attackers (CSO) The shamelessness of ransomware pushers knows no bounds

Steganography and Malware: Final Thoughts (TrendLabs Security Intelligence Blog) Steganography will only become more popular, especially among the more industrious malware groups out there. For an attacker, the ability to hide stuff in plain sight is like peanut butter on chocolate: it makes their favorite thing even better

DDoS attackers testing tools on IPv6 (FierceITSecurity) Attackers are beginning to test their ability to launch distributed of denial of service attacks over the new IPv6 Internet protocol

DDoS attacks double, old web application attack vectors still active (Help Net Security) Akamai Technologies analyzed thousands of DDoS attacks as well as nearly millions of web application attack triggers across the Akamai Edge network

St. Louis Federal Reserve forces password change after DNS attack (IDG via CSO) A branch of the U.S.'s central bank is forcing a password reset after a cyberattack briefly redirected visitors to parts of its website to bogus Web pages

Hard-coded credentials placing dental offices at risk (CSO) Full Disclosure: US-CERT has known about the issue in Dentrix for more than a year and has remained silent

Group Health customers affected by Premera cyber attack (Puget Sound Business Journal) The effects of a data breach at Washington state's third-largest insurance company are spilling over to customers elsewhere

Litigation, Investigation, and Enforcement

MicroTech sues HP over Autonomy debacle (MicroScope) It was revealed on Monday that MicroTech is suing Hewlett-Packard for $16.6m in unpaid invoices from Autonomy. Invoices that HP claims never actually existed

Design and Innovation

A lockbox in the cloud: Microsoft research project reveals new method for keeping data private (Next at Micrfosoft) Microsoft researchers have created a new system that keeps data stored in the cloud safe from prying eyes or malicious players even when it is being accessed to make calculations

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Cyber Risk Wednesday: How Will Our Cyber Future Be Different from Today? (Washington, DC, USA, May 20, 2015) Join the Atlantic Council's Cyber Statecraft Initiative on May 20, from 4:00 p.m. to 5:30 p.m. for a panel discussion on the future of cyberspace and the game-changing scenarios that could transform it to be far better, or perhaps more likely, far worse, than today. Register to watch it live online

upcoming Events

FS-ISAC & BITS Annual Summit (Miami Beach, Florida, USA, May 17 - 20, 2015) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services sector from physical and cyber threats that impact the resilience, integrity and stability of member institutions through dissemination of trusted and timely information. The FS-ISAC & BITS Annual Summit will feature sessions of interest to both security professionals and the financial sector

2015 Honeynet Project Workshop (Stavanger, Norway, May 18 - 20, 2015) Each year the Honeynet Project annual workshop brings together top information security experts from around the globe to present their latest research efforts and discuss insights and strategies to combat new threats. The project workshop provides participants and sponsors with significant exposure to world-class professionals and a diverse range of information security topics

NCCOE Speaker Series: The Cyber Danger: Problems of Strategic Adaptation (Rockville, Maryland, USA, May 20, 2015) Lucas Kello (Senior Lecturer in International Relations / Director of Cyber Studies Program, Oxford University, and Associate of the Science, Technology & Public Policy Program, Belfer Center for Science & International Affairs, Harvard University, Kennedy School of Government) will deliver the keynote address. The contemporary world confronts an enormous cyber threat. The U.S. intelligence community rates this threat higher than global terrorism. It warns of the severity of the damage a cyber attack could produce. Yet there is no consensus among scholars and decision makers on how to characterize the strategic instability of cyber interactions or on what to do about it. The range of conceivable cyber conflict is poorly understood. It is unclear how conventional security mechanisms such as deterrence and collective defense apply to this phenomenon. Principles of cyber defense and cyber offense remain rudimentary. The growth of cyber arsenals, in short, is outpacing the design of doctrines to limit their risks. This presentation will review problems of strategic adaptation to current cyber realities, applying insights from technological revolutions in previous eras

3rd Annual Georgetown Cybersecurity Law Institute (Washington, DC, USA, May 20 - 21, 2015) In 2015, it is more important than ever that in-house and outside counsel stay abreast of the most current developments and best practices in cybersecurity. Those lawyers who ignore cyber threats are risking millions of dollars for their companies or their clients. Recent reports by Cisco and the World Economic Forum both highlight the paramount importance of cyber risk management. You have an important role to play in cybersecurity leadership, especially in keeping corporate officials and the board of directors informed. Too often, well-meaning officials don't know what they don't know! At our 2015 Institute you will receive insights on the best governance, preparedness, and resilience strategies from experienced government officials, general counsels, and cybersecurity practitioners who face these issues on a daily basis

AFCEA Spring Intelligence Symposium 2015 (Springfield, Virginia, USA, May 20 - 21, 2015) The Symposium will be a one-of-a-kind event designed to set the tone and agenda for billions of dollars in IC investment. Leaders from all major IC agencies, from the ODNI, IARPA, and the National Intelligence Council will explore where that investment is being directed and how industry, Federally Funded R&D Centers, and academia can best contribute to the IC's R&D effort

SOURCE Conference (Boston, Massachusetts, USA, May 25 - 28, 2015) SOURCE is a computer security conference happening in Boston, Seattle, and Dublin that is focused on offering education in both the business and technical aspects of the security industry. The event's vision is to bridge the gap between technical excellence and business acumen and bring the best of both worlds together

HITBSecConf2015 Amsterdam (De Beurs van Berlage, Amsterdam, The Netherlands, May 26 - 29, 2015) This year's event will feature a new training courses. Keynote speakers include Marcia Hofmann and John Matherly. To encourage the spirit of inquisitiveness and innovation, Haxpo will showcase cutting edge technology and security solutions for industry professionals alongside fun, hands-on tinkering and hacking exhibits

7th International Conference on Cyber Conflict (Tallinn, Estonia, May 26 - 29, 2015) CyCon is the annual NATO Cooperative Cyber Defence Centre of Excellence conference where topics vary from technical to legal, strategy and policy. The pre-conference workshop day, 26 May, features a variety of talks and hands-on training. The 7th International Conference on Cyber Conflict (CyCon 2015) held on 27-29 May 2015 in Tallinn, Estonia, will focus on the construction of the Internet and its potential future development. This year's topic — "Architectures in Cyberspace" — asks what cyberspace is and will be in the coming years as well as what are its characteristics relevant for cyber security

1st Annual Billington Corporate Cybersecurity Summit (New York, New York, USA, May 27, 2015) Join Billington CyberSecurity's unparalleled network of cybersecurity professionals as they provide hard-earned insights and education to a high level and exclusive group of attendees from the corporate and financial sector and their portfolio companies. Don't miss this must-attend event

Time for a Refresh: Technology & Policy in the Age of Innovation (East Palo Alto, California, USA, May 27, 2015) On May 27th, join technology leaders and innovators, along with industry and government experts, for a dynamic discussion around today's cyber challenges and key decisions to be made around the intersect of technology, policy and innovation. With insightful keynotes and comprehensive panel discussions, you will hear different points of view relating to the role of government and private sector and how we can come together to achieve common goals

Atlanta Secure World (Atlanta, Georgia, USA, May 27 - 28, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Keynotes by Dr. Marjie T. Britz (Professor of Criminal Justice, Clemson University) and Demetrios Lazarikos (IT Security Researcher & Strategist, Blue Lava Consulting)

Techno Security & Forensics Investigations Conference (Myrtle Beach, South Carolina, USA, May 31 - June 3, 2015) The Seventeenth Annual International Techno Security & Forensics Investigations Conference will be held May 31 ? June 3 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. This conference promises to be the international meeting place for IT Security professionals from around the world. The conference will feature some of the top speakers in the industry and will raise international awareness towards increased education and ethics in IT security

Mobile Forensics World (Myrtle Beach, South Carolina, USA, May 31 - June 3, 2015) The Eighth Annual Mobile Forensics World will also be held May 31 ? June 3 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. The Mobile Forensics World is specifically dedicated to Federal, State and Local LE Forensic Specialists, Corporate and Private Forensic Examiners, Industry Leaders, and Academic Researchers performing Mobile Device Forensics. With topics such as Mobile Device Forensics (Cell Phone, PDA, Smart Phone, Satellite Phone, GPS), Advanced Techniques of Mobile Forensics, SIM/USIM Card Analysis, TDMA/CDMA/GSM/iDEN Handset Analysis, Cell Site Analysis, Call Data Record Analysis, Mobile Forensics Applications, and Mobile Forensics Research, this event will be a perfect start to an ongoing relationship for many members of this great community

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.