The CyberWire Daily Briefing 01.26.16
The video ISIS released over the weekend appears to contain some fakery — not, alas, the murders, but rather the claimed encryption. The encrypted email is patently faked, according to informed observers. Speculation about the fakery's motive varies: internal morale building, posturing, or even provocation intended to push governments toward policies weakening encryption.
Trolls are circulating a link to "crashmysafari[dot]com," a site that induces browsers to process a memory-clogging string of characters, forcing devices to reboot. OS X, iOS, and Android devices are said to have been affected. Beware in particular of shortened URLs that may be less immediately recognizable.
There are reports of active attempts to exploit the now fixed FortiOS SSH vulnerability.
Versions 1 and 2 of the popular e-commerce platform Magento have been found vulnerable to cross-site scripting. A patch is available; analysts recommend applying it as soon as possible.
In other patch news, Oracle issues some Java patches. FreeBSD fixes a kernel panic vulnerability, and Apple updates tvOS. OpenSSL is expected to issue two patches later this week.
A study of corporate risk disclosures in US Securities and Exchange Commission filings finds such disclosures — including those pertaining to cyber risk — generic and uninformative. The insurance market moves toward more rigorous characterization of cyber risk: a variety of approaches are on offer, ranging from traditional consulting interviews to various scans of the external environment.
Venture capital continues to flow into cyber security start-ups.
Proofpoint says it's not for sale.
US Cyber Command warns of technological "peer competitors" in cyberspace.
Notes.
Today's issue includes events affecting Australia, China, European Union, France, Iraq, Israel, Syria, Thailand, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
ISIS's Much Hyped Paris Attacks Video Deemed Fake by Edward Snowden (Hack Read) The video shows nine suspected terrorists prior to carrying out the attacks in Paris on Friday, November 13th, 2015
Do not share the link that crashes iPhones and Mac browsers (Naked Security) Don't try this at home
Avoid Clicking CrashSafari.com! It Crashes Android, iOS Devices + Web Browsers (Hack Read) Some trolls have been using short URLs to trick users into clicking the link CrashSafari[dot]com that crashes and reboots Android, iOS devices and web browsers — So DON'T FALL FOR IT
Critical XSS flaws in Magento leave millions of ecommerce sites at risk (Naked Security) Critical XSS (Cross-Site Scripting) vulnerabilities have been found in both version 1 and 2 of the popular Magento ecommerce platform
Facebook Now the Subject of New Malware Attack (Comodo Blog) Earlier this month, the Comodo Threat Research Lab team identified a new malware attack targeted specifically at businesses and consumers who might use WhatsApp
SSH backdoor found in more Fortinet devices, exploit attempts spotted in the wild (Help Net Security) In case you missed it, Fortinet announced last week that the recently discovered FortiOS SSH backdoor — or, as they call it, "a management authentication issue" — has been found by its Product Security Incident Response team also on some versions of FortiSwitch, FortiAnalyzer and FortiCache
Fortinet on SSH vulnerabilities: look, this really isn't a backdoor, honest (SC Magazine) Security firm goes full disclosure on mechanics of SSH issue and finds three more vulnerabilities
Versatile Linux backdoor acts as downloader, spyware (Help Net Security) Another Linux Trojan has been discovered by researchers, and this one is pretty versatile: it opens a backdoor into the infected device, can download and run additional malicious files, and can spy on users by logging keystrokes and making screenshots. Dr. Web researchers dubbed it Xunpes
CTB Locker Virus Blocks Access To Data For Ransom (Business Computing World) Encryption is widely used by dark web actors these days
Exposed HP LaserJet printers offer Anonymous FTP to the public (CSO) Exposed printers are a soft target, researcher says
Hackers 'Dox' Miami Police Officers With Data Stolen From Government Database (Motherboard) A group of hackers has dumped the names, phone numbers and email addresses of more than 80 police officers from Miami, Florida, in what appears to be an attempt to "dox" the agents
Hacker Claims Breaching FBI Server, Exposes Details of 80 Miami Police Officers (Hack Read) A hacker linked with the "Cracka [sic] with Attitude" group claims to hack FBI's service and steal personal information of over 80 Miami Police Officers
The Anonymous Group: What is it and How big is it (Hack Read) Research proved that the Anonymous hacktivist group is relatively much bigger than you anticipated and has become quite popular among people all over the world, but how did it all start?
Health insurer Centene missing data drives with client information (Reuters) Health insurer Centene Corp said on Monday it is missing six hard drives containing the personal and health information of about 950,000 people
Alaska orthopedic group notifies patients of data sent to employee's personal email (Becker's Health IT & CIO Review) Anchorage-based Alaska Orthopedic Specialists has reported a data breach stemming from a former non-physician employee who sent themselves electronic copies of patient information to a personal email address
Phishing email leads to data breach at University of Virginia (Help Net Security) Personally identifiable and financial information of some 1,400 University of Virginia employees has been compromised by attackers in a breach that dates back to early November 2014
Network outages disrupt Patriots' Surface tablets during critical drive (FierceMobileIT) Problem highlights need for enterprises to have backup connectivity for mobile workforce
Security Patches, Mitigations, and Software Updates
Oracle Pushes Java Fix: Patch It or Pitch It (KrebsOnSecurity) Oracle has shipped an update for its Java software that fixes at least eight critical security holes
Magento plugs XSS holes that can lead to e-store hijacking, patch immediately! (Help Net Security) Last week, Magento released a very important bundle of patches for their eponymous e-commerce platform that should be implemented as soon as possible
Magento Update Addresses XSS, CSRF Vulnerabilities (Threatpost) Magento patched 20 vulnerabilities last week, including a stored cross-site scripting (XSS) flaw in the e-commerce platform that could have let an attacker take over a site and create new admin accounts
FreeBSD Patches Kernel Panic Vulnerability (Threatpost) FreeBSD has patched a denial-of-service vulnerability affecting versions configured to support SCTP and IPv6, the default configurations on later versions of the open source OS
OpenSSL to Patch Two Vulnerabilities This Week (Threatpost) OpenSSL is scheduled to update two versions of the software this week, patching a pair of vulnerabilities in the process
Apple Releases Security Update for tvOS (US-CERT) Apple has released a security update for tvOS to address multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system
Cyber Trends
Data security advances on the corporate agenda (Help Net Security) Glasswall Solutions issued its top five predictions for 2016
Broad use of cloud services leaves enterprise data vulnerable to theft, report says (Network World) Workers excessively sharing documents in the cloud is a security problem. IT needs to get more on top of it, a new report says
Cybercriminals Making Computer Malware at a Record Rate: Researchers (NBC News) Last year was a particularly bad year for hacks and computer intrusions, and it looks like 2016 will only get worse, Panda Security says
Marketplace
The corporate risk factor disclosure landscape (Help Net Security) Corporate risks disclosed by public companies in SEC filings often are generic and do not provide investors with clear, concise and insightful information that is company-specific
Insurers Getting Smarter About Assessing Cyber Insurance Policy Risks (Dark Reading) 2016 shaping up to be a year of greater maturity in how insurance companies underwrite their cyber insurance policies
How Microsoft Plans to Beat Google and Facebook to the Next Tech Breakthrough (Bloomberg Business) The company behind Windows and Office is remaking its research arm to ensure its greatest inventions actually find their way into people's hands
Venture Capitalists Chase Rising Cybersecurity Spending (Technology Review) Investors have been pouring money into companies selling "next-generation" security products
Surge in launches of Israeli cyber security companies (Financial Times) Israeli cyber security companies are being launched at an accelerating pace and increasingly by founders with no direct ties to the military, according to research released on the eve of the country's main showcase event for the sector
Proofpoint Top Exec Maintains Security Vendor Won't Be Acquired Anytime Soon (CRN) If you recently read a prediction naming blockbuster acquisition deals that could happen in 2016, it is likely that Proofpoint was one of the companies on the list
How the Latest FireEye Acquisition Bodes Well for Staffing 360 Solutions (Small Cap Network) FireEye Inc. (NASDAQ:FEYE) may have subtly pointed to what the next phase of the cybersecurity market will look like… and it was pointing at Staffing 360 Solutions Inc
Army Awards Cybersecurity Contract to Parsons (ExecutiveBiz) Parsons will provide cybersecurity services to the U.S. Army under the awarded Deployable Defensive Cyberspace Operations Infrastructure contract
F5 Networks (FFIV) Appoints Mike Convertino as Chief Information Security Officer (Street Insider) F5 Networks (NASDAQ:FFIV) today announced the hire of Mike Convertino to lead its Information Security team. As the company's first Chief Information Security Officer (CISO)
Products, Services, and Solutions
ThreatConnect Upgrades the Most Advanced Threat Intelligence Platform with Release of ThreatConnect 4.0 (BusinessWire) Threat intelligence platform adds comprehensive reporting for security management and the C-suite, enhanced customization features and faster analysis; available both on-premises and in the cloud
PacketSled and Interface Masters Partner to Provide Sophisticated Network Forensics and Visibility Solution (Interface Masters) Scalable passive solution for network monitoring and breach detection with PacketSled Sensor and Niagara 4248 Network Packet Broker
Microsoft's Cortana To Spy On Email To Keep You On Track (InformationWeek) Microsoft plans to make Cortana smarter with the ability to scan emails and set alerts for commitments you may forget
A Solution to Cyber Risk Assessment (Risk and Insurance) A new schema will create a standard way for insurers to gather data on cyber exposure
Technologies, Techniques, and Standards
Battling Business Email Compromise Fraud: How Do You Start? (TrendLabs Security Intelligence Blog) What will you do if an executive in your company gives you instructions to wire money for a business expense? On email?
7 Habits of Smart Threat Intelligence Analysts (Recorded Future) A day in the life of a threat intelligence analyst is often hectic and ever-changing. Threats and related data abound, and an analyst must look at all angles and scenarios before making recommendations
10 Stupid Moves That Threaten Your Company's Security (InformationWeek) As you walk through the door of your company each morning, you are potentially poised to be the weakest link in your organization's defense against hackers and malicious attackers. Here are the 10 boneheaded moves you make — often without realizing the security risk
The key ingredient to cybersecurity: Layers (FierceHealthIT) Firewalls, intrusion detection among necessary tools
Why Cultural Values are Key to Security (Information Security Buzz) As Managing Director of Layer 8 Ltd, a security company dedicated to using conversations to change culture, I often find myself being asked what the 'return' would be on investing in security culture — lots of security professionals still see it as a nice 'add-on' but not a priority
Pentest Time Machine: NMAP + Powershell + whatever tool is next (Internet Storm Center) Early on in many penetration tests or security assessments, you will often find yourself wading through what seems like hundreds or thousands of text files, each seemingly hundreds or thousands of pages long (likely because they are)
Research and Development
The Pentagon's plan to defend the power grid against hackers (Christian Science Monitor Passcode) Amid increased attention on the critical infrastructure security from the Obama administration and industry, the Defense Advanced Research Projects Agency is working on a new plan to safeguard the grid
Legislation, Policy, and Regulation
EU opens new counterterrorism center (AP) The European Union on Monday launched a new law enforcement center to coordinate the fight against violent extremism, saying Europe faces the most significant terrorist threat in over 10 years
Australia, Thailand Mull New Terror Pact Amid Islamic State Fears (The Diplomat) Bangkok and Canberra plan to boost counterterrorism cooperation
U.S. privacy 'ombudsman' idea floated in EU-U.S. data pact talks (Reuters) The United States has proposed creating an "ombudsman" to deal with EU citizens' complaints about U.S. surveillance as part of talks to clinch a new EU-U.S. data transfer pact, four people familiar with the talks said
US faces technological 'peer competitors' in cyberspace, says USCYBERCOM (FierceGovernmentIT) The military arm of the government's efforts in cyberspace recently released a document admitting that despite a considerable edge at the beginning of the cyber age, it now faces experts outside the country who possess capabilities on par with the U.S
Cybercom: OPM Hack Highlights China Big Data Spying (Washington Free Beacon) Pentagon moves to protect records from future attacks
DoD to Design Security Clearance Systems (GovInfoSecurity) Mixed reviews for plans to shift some responsibilities away from OPM
Analytics needed to improve security clearance process (Federal News Radio) Security clearances are aimed at ensuring that only those who demonstrate they can be trusted, have access to classified information
The Espionage Economy (Foreign Policy) U.S. firms are making billions selling spyware to dictators
GOP candidate Carson pitches new federal cybersecurity agency (Fedscoop) The proposed National Cyber Security Administration would consolidate cyber programs that "operate disjointedly throughout the government," according to the plan
BSIA To Become Challenge Group Member To Help Shape The Security Industry Authority Review (Source Security) The British Security Industry Association (BSIA) has accepted an invitation by the Home Office to become a member of the Challenge Group that will help to steer the direction of the review of the Security Industry Authority (SIA) commencing in January 2016
Litigation, Investigation, and Law Enforcement
International relationships more important than ever in cybercrime investigations, says DOJ official (FierceGovernmentIT) The Internet is not simply a domestic platform, and so prosecuting and preventing cybercrime is increasingly "a world issue," said a senior Justice Department official
Appeals court: Evidence stands against man who used Tor-enabled child porn site (Ars Technica) Legal experts: Technical misunderstanding points to large problem in hacking cases
Verizon Releases Report on Government Info Demands (Broadcasting and Cable) Almost 140,000 targeted at TV, phone, Internet customers
How David Petraeus avoided felony charges and possible prison time (Washington Post) Inside a secure conference room on the sixth floor of the Justice Department in early 2014, top federal law enforcement officials gathered to hear what criminal charges prosecutors were contemplating against David H. Petraeus, the storied wartime general and former CIA director whose public career had ended about 15 months earlier over an extramarital affair
Why "find my phone" apps keep sending people to one couple's house (Naked Security) People searching for their lost and stolen smartphones in the vicinity of Atlanta, Georgia, keep turning up at the home of Christina Lee and Michael Saba
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
Interop Las Vegas (Las Vegas, Nevada, USA, May 6 - 10, 2013) Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple deployment at the NEW Mac & iOS IT Conference. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies and the latest technology.
Upcoming Events
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
CyberTech 2016 (Tel Aviv, Israel, Jan 26 - 27, 2016) Cybertech is the most significant conference and exhibition of cyber technologies outside of the United States. Cybertech provided attendees with a unique and special opportunity to get acquainted with the latest innovations and solutions featured by the international cyber community. The conference's main focuses are on networking, strengthening alliances and forming new connections. Cybertech also provided an incredible platform for Business to Business interaction
Global Cybersecurity Innovation Summit (London, England, UK, Jan 26 - 27, 2016) SINET presents the Global Cybersecurity Innovation Summit, which focuses on providing thought leadership and building international public-private partnerships that will improve the protection of our respective homeland's critical infrastructures, national security and economic interests. Our objective is to advance innovation and the growth of the cybersecurity sector by providing a platform for cybersecurity businesses, particularly small and medium enterprises (SMEs), to connect with key UK, US, and international decision makers, system integrators, investors, government policy makers, academia and other influential business executives
Fort Meade IT & Cyber Day (Fort Meade, Maryland, USA, Jan 27, 2016) The Ft. Meade IT and Cyber Day is a one-day event held at the Officers' Club (Club Meade) on base. The event is held on-site, where industry vendors will have the opportunity to display their products and services to IT, Communications, Cyber and Intelligence personnel
ESA 2016 Leadership Summit (Chandler, Arizona, USA, Jan 31 - Feb 3, 2016) The electronic security industry is rapidly changing and continuously evolving. It's not enough to just survive. Businesses looking to thrive need to adapt to ensure their people, products, services and practices stay ahead of the curve. The Summit is a three-day conference filled with networking and educational opportunities dedicated to delivering business intelligence to electronic security companies and professionals that are ready to embrace innovation and grow
SANS Cyber Threat Intelligence Summit & Training 2016 (Alexandria, Virginia, USA, Feb 3 - 10, 2016) This Summit will focus on specific analysis techniques and capabilities that can be used to properly create and maintain Cyber Threat Intelligence in your organization. Attend this summit to learn and discuss directly with the experts who are doing the CTI analysis in their organizations. What you learn will help you detect and respond to some of the most sophisticated threats targeting your networks
BSides Tampa 2016 (MV Royal Caribbean Brilliance of the Seas, Tampa to Mexico, Feb 4 - 8, 2016) BSides Tampa is an annual IT security/hacking conference featuring hands on training classes and lectures from some of the greatest minds in the industry and academia
The Law and Policy of Cybersecurity Symposium (Rockville, Maryland, USA, Feb 5, 2016) This one-day symposium will cover the critical legal and policy issues, challenges, and developments in cybersecurity. Legal professionals, professionals who develop cybersecurity strategies and policies, and anyone who assists organizations in preparing for and responding to cyber incidents should attend. Attendees will gain a comprehensive understanding of the legal and policy issues that they need to know when they represent clients, develop their organization's cyber strategy and policies, or respond to cyber incidents
National Cybersecurity Center of Excellence to Celebrate Opening of Newly Remodeled Facility (Rockville, Maryland, USA, Feb 8, 2016) The National Cybersecurity Center of Excellence is celebrating its dedication on February 8, 2016 at the center's newly remodeled facility at 9700 Great Seneca Highway
Insider Threat Program Development Training — California (Carlsbad, California, USA, Feb 8 - 10, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation
Secure Rail (Orlando, Florida, USA, Feb 9 - 10, 2016) The first conference to address physical and cyber rail security in North America
Cyber Security Breakdown: Dallas (Dallas, Texas, USA, Feb 10, 2016) This half day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than try and handle the breach during the chaos of the event, you'll understand how to build in advance, the best practices to respond effectively. Attend the Cyber Security Breakdown event that is focused on the unique issues and threats facing legal professionals
Suits and Spooks (Washington, DC, USA, Feb 4 - 5, 2015) Suits and Spooks DC (Feb 4-5, 2015) is moving to the Ritz Carlton hotel in Pentagon City! We're expanding our attendee capacity to 200 and for the first time will be including space for exhibitors. We have an international panel of speakers from the public and private sectors and we'll be adding live-streaming via Webex for those who cannot attend in person
2016 Cyber Security Division R&D Showcase and Technical Workshop (Washington, DC, USA, Feb 17 - 19, 2016) The cybersecurity threat continues to evolve, and in order to keep ahead of the threat, new cutting-edge cybersecurity technologies are needed. The Cyber Security Division (CSD) within the Department of Homeland Security (DHS), Science and Technology Directorate (S&T) is funding many R&D efforts through academia, small businesses, industry and government and national labs. This year, we are excited to include an R&D Showcase featuring nine innovative transition-ready solutions and two collaboration projects with the private sector selected from our portfolio that address a variety of complex challenges and have the potential for transition into the marketplace
Department of the Navy (DON) IT Conference, West Coast 2016 (San Diego, California, USA, Feb 17 - 19, 2016) The purpose of the DON IT conference is to: (1) Explain the new and invigorated DUSN (M), DON/AA, and DON CIO organization and its business and IT transformation priorities. (2) Share information that supports the SECNAV's vision laid out in the DON Transformation Plan to achieve business transformation priorities, leverage strategic opportunities, and implement DON institutional reform initiatives by changing the culture, increasing the use of data-driven decision-making, and effective governance
ICISSP 2016 (Rome, Italy, Feb 19 - 21, 2016) The International Conference on Information Systems Security and Privacy aims at creating a meeting point for researchers and practitioners that address security and privacy challenges that concern information systems, especially in organizations, including not only technological issues but also social issues. The conference welcomes papers of either practical or theoretical nature, presenting research or applications addressing all aspects of security and privacy that concern organizations and individuals, thus creating new research opportunities
Interconnect2016 (Las Vegas, Nevada, USA, Feb 21 - 25, 2016) IBM InterConnect 2016 is for those who are building new business models, transforming industries, and creating better outcomes. Whether you're a C-suite executive, IT leader, developer, designer, architect, or cloud expert, we all have one thing in common — we strive to build better businesses. The relationship between IT and business is changing. As a leader, builder or innovator of technology, the decisions you make today will have an increasingly greater impact on your company's bottom line tomorrow. To remain successful, it's critical that you transform along with this ever-changing environment
CISO Canada Summit (Montréal, Québec, Canada, Feb 21 - 23, 2016) Tactics and best practices for taking on enterprise IT security threats. The CISO Summit will bring together C-level IT security executives, industry analysts and solution providers to discuss challenges and best practices in a relaxed, yet focused business setting
cybergamut Tech Tuesday: Neuro Cyber Analytics: Understanding the Patterns of Human Cognition in the Cyber Domain (Elkridge, Maryland, Middletown, Feb 23, 2016) This presentation will discuss Neuro Cyber Analytics. Humans use context-specific neurocognitive patterns for receiving and processing internal and external sensory information. Stated differently, people interact with the world around them primarily by seeing, hearing, and feeling, and make decisions about what to do next depending upon the context of what is happening in their environment. People often do not realize that their decision making process triggers certain unconscious behaviors that can be read as indicators of how their thoughts were formulated and sequenced
Insider Threat Program Development Training Course — Maryland (Annapolis, Maryland, USA, Feb 23 - 25, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation
CISO New York Summit (New York, New York, USA, Feb 25, 2016) A data breach is not only a PR nightmare, but cause for customers to turn to competitors, exposing sensitive company information and racking up fines from industry regulators. In order for organizations to operate smoothly, CISOs and IT security executives need to be ahead of the hackers, and kept abreast of the latest IT security topics and trends. Agenda sessions include panel discussions, think tanks, analyst Q&A sessions and much more
BSides San Francisco (San Francisco, California, USA, Feb 28 - 29, 2016) BSides San Francisco is an Information / Security conference that's different. We're a 100% volunteer organized event, put on by and for the community, and we truly strive to keep information free. There is no charge to the public to attend BSides SF. Our costs are covered by our generous donors and sponsors, who share our vision of free dissemination of information. The conversations are getting more potent and the "TALK AT YOU" conferences are starting to realize they have to change. BSides SF is making this happen by shaking-up the format
CISO Summit Europe (London, England, UK, Feb 28 - Mar 1, 2016) With the media covering the latest data breaches, cloud computing security questions going unanswered and hackers developing more sophisticated attacks, the IT department has a growing responsibility to protect customer and company data. The CISO Summit will bring together C-level IT security executives, industry analysts and solution providers to discuss challenges and best practices in a relaxed, yet focused business setting. Agenda sessions include engaging Keynote Presentations, Thought Leadership sessions, CISO Think Tanks, Analyst Q&As and much more
RSA Conference 2016 (San Francisco, California, USA, Feb 29 - Mar 4, 2016) Celebrating its 25th anniversary, RSA Conference continues to drive the information security agenda forward. Connect with industry leaders at RSA Conference 2016