The CyberWire Daily Briefing 01.26.16

Summary

By The CyberWire Staff

The video ISIS released over the weekend appears to contain some fakery — not, alas, the murders, but rather the claimed encryption. The encrypted email is patently faked, according to informed observers. Speculation about the fakery's motive varies: internal morale building, posturing, or even provocation intended to push governments toward policies weakening encryption.

Trolls are circulating a link to "crashmysafari[dot]com," which site induces browsers to process a memory-clogging string of characters, forcing devices to reboot. OS X, iOS, and Android devices are said to have been affected. Beware in particular of shortened urls that may be less immediately recognizable.

There are reports of active attempts to exploit the now fixed FortiOS SSH vulnerability.

Versions 1 and 2 of the popular e-commerce platform Magneto have been found vulnerable to cross-site scripting. A patch is available; analysts recommend applying it as soon as possible.

In other patch news, Oracle issues some Java patches. FreeBSD fixes a kernel panic vulnerability, and Apple update tvOS. OpenSSL is expected to issue two patches later this week.

A study of corporate risk disclosures in US Security and Exchange Commission filings finds such disclosures — including those pertaining to cyber risk — generic and uninformative. The insurance market moves toward more rigorous characterization of cyber risk: a variety of approaches are on offer, ranging from traditional consulting interviews to various scans of the external environment.

Venture capital continues to flow into cyber security start-ups.

Proofpoint says it's not for sale.

US Cyber Command warns of technological "peer competitors" in cyberspace.

Notes.

Today's issue includes events affecting Australia, China, European Union, France, Iraq, Israel, Syria, Thailand, United Kingdom, and United States.

Selected Reading

Cyber Trends

Data security advances on the corporate agenda (Help Net Security) Glasswall Solutions issued its top five predictions for 2016

Broad use of cloud services leaves enterprise data vulnerable to theft, report says (Network World) Workers excessively sharing documents in the cloud is a security problem. IT needs to get more on top of it, a new report says

Cybercriminals Making Computer Malware at a Record Rate: Researchers (NBC News) Last year was a particularly bad year for hacks and computer intrusions, and it looks like 2016 will only get worse, Panda Security says

Legislation, Policy and Regulation

EU opens new counterterrorism center (AP) The European Union on Monday launched a new law enforcement center to coordinate the fight against violent extremism, saying Europe faces the most significant terrorist threat in over 10 years

Australia, Thailand Mull New Terror Pact Amid Islamic State Fears (The DIplomat) Bangkok and Canberra plan to boost counterterrorism cooperation

U.S. privacy 'ombudsman' idea floated in EU-U.S. data pact talks (Reuters) The United States has proposed creating an "ombudsman" to deal with EU citizens' complaints about U.S. surveillance as part of talks to clinch a new EU-U.S. data transfer pact, four people familiar with the talks said

US faces technological 'peer competitors' in cyberspace, says USCYBERCOM (FierceGovernmentIT) The military arm of the government's efforts in cyberspace recently released a document admitting that despite a considerable edge at the beginning of the cyber age, it now faces experts outside the country who possess capabilities on par with the U.S

Cybercom: OPM Hack Highlights China Big Data Spying (Washington Free Beacon) Pentagon moves to protect records from future attacks

DoD to Design Security Clearance Systems (GovInfoSecurity) Mixed reviews for plans to shift some responsibilities away from OPM

Analytics needed to improve security clearance process (Federal News Radio) Security clearances are aimed at ensuring that only those who demonstrate they can be trusted, have access to classified information

The Espionage Economy U.S. firms are making billions selling spyware to dictators. (Foreign Policy) U.S. firms are making billions selling spyware to dictators

GOP candidate Carson pitches new federal cybersecurity agency (Fedscoop) The proposed National Cyber Security Administration would consolidate cyber programs that "operate disjointedly throughout the government," according to the plan

BSIA To Become Challenge Group Member To Help Shape The Security Industry Authority Review (Source Security) The British Security Industry Association (BSIA) has accepted an invitation by the Home Office to become a member of the Challenge Group that will help to steer the direction of the review of the Security Industry Authority (SIA) commencing in January 2016

Products, Services, and Solutions

ThreatConnect Upgrades the Most Advanced Threat Intelligence Platform with Release of ThreatConnect 4.0 (BusinessWire) Threat intelligence platform adds comprehensive reporting for security management and the C-suite, enhanced customization features and faster analysis; available both on-premises and in the cloud

PacketSled and Interface Masters Partner to Provide Sophisticated Network Forensics and Visibility Solution (Interface Masters) Scalable passive solution for network monitoring and breach detection with PacketSled Sensor and Niagara 4248 Network Packet Broker

Microsoft's Cortana To Spy On Email To Keep You On Track (InformationWeek) Microsoft plans to make Cortana smarter with the ability to scan emails and set alerts for commitments you may forget

A Solution to Cyber Risk Assessment (Risk and Insurance) A new schema will create a standard way for insurers to gather data on cyber exposure

Technologies, Techniques, and Standards

Battling Business Email Compromise Fraud: How Do You Start? (TrendLabs Security Intelligence Blog) What will you do if an executive in your company gives you instructions to wire money for a business expense? On email?

7 Habits of Smart Threat Intelligence Analysts (Recorded Future) A day in the life of a threat intelligence analyst is often hectic and ever-changing. Threats and related data abound, and an analyst must look at all angles and scenarios before making recommendations

10 Stupid Moves That Threaten Your Company's Security (InformationWeek) As you walk through the door of your company each morning, you are potentially poised to be the weakest link in your organization's defense against hackers and malicious attackers. Here are the 10 boneheaded moves you make — often without realizing the security risk

The key ingredient to cybersecurity: Layers (FierceHealthIT) Firewalls, intrusion detection among necessary tools

Why Cultural Values are Key to Security (Information Security Buzz) As Managing Director of Layer 8 Ltd, a security company dedicated to using conversations to change culture, I often find myself being asked what the 'return' would be on investing in security culture — lots of security professionals still see it as a nice 'add-on' but not a priority

Pentest Time Machine: NMAP + Powershell + whatever tool is next (Internet Storm Center) Early on in many penetration test or security assessment, you will often find yourself wading through what seems like hundreds or thousands of text files, each seemingly hundreds or thousands of pages long (likely because they are)

Marketplace

The corporate risk factor disclosure landscape (Help Net Security) Corporate risks disclosed by public companies in SEC filings often are generic and do not provide investors with clear, concise and insightful information that is company-specific

Insurers Getting Smarter About Assessing Cyber Insurance Policy Risks (Dark Reading) 2016 shaping up to be a year of greater maturity in how insurance companies underwrite their cyber insurance policies

How Microsoft Plans to Bea tGoogle and Facebook to the Next Tech Breakthrough (Bloomberg Business) The company behind Windows and Office is remaking its research arm to ensure its greatest inventions actually find their way into people's hands

Venture Capitalists Chase Rising Cybersecurity Spending (Technology Review) Investors have been pouring money into companies selling "next-generation" security products

Surge in launches of Israeli cyber security companies (Financial Times) Israeli cyber security companies are being launched at an accelerating pace and increasingly by founders with no direct ties to the military, according to research released on the eve of the country's main showcase event for the sector

Proofpoint Top Exec Maintains Security Vendor Won't Be Acquired Anytime Soon (CRN) If you recently read a prediction naming blockbuster acquisition deals that could happen in 2016, it is likely that Proofpoint was one of the companies on the list

How the Latest FireEye Acquisition Bodes Well for Staffing 360 Solutions (Small Cap Network) FireEye Inc. (NASDAQ:FEYE) may have subtly pointed to what the next phase of the cybersecurity market will look like… and it was pointing at Staffing 360 Solutions Inc

Army Awards Cybersecurity Contract to Parsons (ExecutiveBiz) Parsons will provide cybersecurity services to the U.S. Army under the awarded Deployable Defensive Cyberspace Operations Infrastructure contract

F5 Networks (FFIV) Appoints Mike Convertino as Chief Information Security Officer (Street Insider) F5 Networks (NASDAQ:FFIV) today announced the hire of Mike Convertino to lead its Information Security team. As the company's first Chief Information Security Officer (CISO)

Research and Development

The Pentagon's plan to defend the power grid against hackers (Christian Science Monitor Passcode) Amid increased attention on the critical infrastructure security from the Obama administration and industry, the Defense Advanced Research Projects Agency is working on a new plan to safeguard the grid

Security Patches, Mitigations, and Software Updates

Oracle Pushes Java Fix: Patch It or Pitch It (KrebsOnSecurity) Oracle has shipped an update for its Java software that fixes at least eight critical security holes

Magento plugs XSS holes that can lead to e-store hijacking, patch immediately! (Help Net Security) Last week, Magento released a very important bundle of patches for their eponymous e-commerce platform that should be implemented as soon as possible

Magento Update Addresses XSS, CSRF Vulnerabilities (Threatpost) Magento patched 20 vulnerabilities last week, including a stored cross-site scripting (XSS) flaw in the e-commerce platform that could have let an attacker take over a site and create new admin accounts

FreeBSD Patches Kernel Panic Vulnerability (Threatpost) FreeBSD has patched a denial-of-service vulnerability affecting versions configured to support SCTP and IPv6, the default configurations on later version of the open source OS

OpenSSL to Patch Two Vulnerabilities This Week (Threatpost) OpenSSL is scheduled to update two versions of the software this week, patching a pair of vulnerabilities in the process

Apple Releases Security Update for tvOS (US-CERT) Apple has released a security update for tvOS to address multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system

Cyber Attacks, Threats, and Vulnerabilities

ISIS's Much Hyped Paris Attacks Video Deemed Fake by Edward Snowden (Hack Read) The video shows nine suspected terrorists prior to carrying out the attacks in Paris on Friday, November 13th, 2015

Do not share the link that crashes iPhones and Mac browsers (Naked Security) Don't try this at home

Avoid Clicking CrashSafari.com! It Crashes Android, iOS Devices + Web Browsers (Hack Read) Some trolls have been using short URLs to trick users into clicking the link CrashSafari[dot]com that crashes and reboots Android, iOS devices and web browsers — So DON'T FALL FOR IT

Critial XSS flaws in Magento leave millions of ecommerce sites at risk (Naked Security) Critical XSS (Cross-Site Scripting) vulnerabilities have been found in both version 1 and 2 of the popular Magento ecommerce platform

Facebook Now the Subject of New Malware Attack (Comodo Blog) Earlier this month, the Comodo Threat Research Lab team identified a new malware attack targeted specifically at businesses and consumers who might use WhatsApp

SSH backdoor found in more Fortinet devices, exploit attempts spotted in the wild (Help Net Security) In case you missed it, Fortinet announced last week that the recently discovered FortiOS SSH backdoor — or, as they call it, "a management authentication issue" — has been found by its Product Security Incident Response team also on some versions of FortiSwitch, FortiAnalyzer and FortiCache

Fortinet on SSH vulnerabilities: look, this really isn't a backdoor, honest (SC Magazine) Security firm goes full disclosure on mechanics of SSH issue and finds three more vulnerabilities

Versatile Linux backdoor acts as downloader, spyware (Help Net Security) Another Linux Trojan has been discovered by researchers, and this one is pretty versatile: it opens a backdoor into the infected device, can download and run additional malicious files, and can spy on users by logging keystrokes and making screenshots. Dr. Web researchers dubbed it Xunpes

CTB Locker Virus Blocks Access To Data For Ransom (Business Computing World) Encryption is widely used by dark web actors these days

Exposed HP LaserJet printers offer Anonymous FTP to the public (CSO) Exposed printers are a soft target, researcher says

Hackers 'Dox' Miami Police Officers With Data Stolen From Government Database (Motherboard) A group of hackers has dumped the names, phone numbers and email addresses of more than 80 police officers from Miami, Florida, in what appears to be an attempt to "dox" the agents

Hacker Claims Breaching FBI Server, Exposes Details of 80 Miami Police Officers (Hack Read) A hacker linked with the "Cracka [sic] with Attitude" group claims to hack FBI's service and steal personal information of over 80 Miami Police Officers

The Anonymous Group: What is it and How big is it (Hack Read) Research proved that Anonymous hacktivists group is relatively much bigger than you anticipated and become quite popular among people all over the world but how did it all start?

Health insurer Centene missing data drives with client information (Reuters) Health insurer Centene Corp said on Monday it is missing six hard drives containing the personal and health information of about 950,000 people

Alaska orthopedic group notifies patients of data sent to employee's personal email (Becker's Health IT & CIO Review) Anchorage-based Alaska Orthopedic Specialists has reported a data breach stemming from a former non-physician employee who sent themselves electronic copies of patient information to a personal email address

Phishing email leads to data breach at University of Virginia (Help Net Security) Personally identifiable and financial information of some 1,400 University of Virginia employees has been compromised by attackers in a breach that dates back to early November 2014

Network outages disrupt Patriots' Surface tablets during critical drive (FierceMobileIT) Problem highlights need for enterprises to have backup connectivity for mobile workforce

Litigation, Investigation, and Enforcement

International relationships more important than ever in cybercrime investigations, says DOJ official (FierceGovernmentIT) The Internet is not simply a domestic platform, and so prosecuting and preventing cybercrime is increasingly "a world issue," said a senior Justice Department official

Appeals court: Evidence stands against man who used Tor-enabled child porn site (Ars Technica) Legal experts: Technical misunderstanding points to large problem in hacking cases

Verizon Releases Report on Government Info Demands (Broadcasting and Cable) Almost 140,000 targeted at TV, phone, Internet customers

How David Petraeus avoided felony charges and possible prison time (Washington Post) Inside a secure conference room on the sixth floor of the Justice Department in early 2014, top federal law enforcement officials gathered to hear what criminal charges prosecutors were contemplating against David H. Petraeus, the storied wartime general and former CIA director whose public career had ended about 15 months earlier over an extramarital affair

Why "find my phone" apps keep sending people to one couple's house (Naked Security) People searching for their lost and stolen smartphones in the vicinity of Atlanta, Georgia, keep turning up at the home of Christina Lee and Michael Saba

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Interop Las Vegas (Las Vegas, Nevada, USA, May 6 - 10, 2013) Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple deployment at the NEW Mac & iOS IT Conference. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies and the latest technology.

upcoming Events

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, September 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel

CyberTech 2016 (Tel Aviv, Israel, January 26 - 27, 2016) Cybertech is the most significant conference and exhibition of cyber technologies outside of the United States. Cybertech provided attendees with a unique and special opportunity to get acquainted with the latest innovations and solutions featured by the international cyber community. The conference's main focuses are on networking, strengthening alliances and forming new connections. Cybertech also provided an incredible platform for Business to Business interaction

Global Cybersecurity Innovation Summit (London, England, UK, January 26 - 27, 2016) SINET presents the Global Cybersecurity Innovation Summit, which focuses on providing thought leadership and building international public-private partnerships that will improve the protection of our respective homeland's critical infrastructures, national security and economic interests. Our objective is to advance innovation and the growth of the cybersecurity sector by providing a platform for cybersecurity businesses, particularly small and medium enterprises (SMEs), to connect with key UK, US, and international decision makers, system integrators, investors, government policy makers, academia and other influential business executives

Fort Meade IT & Cyber Day (Fort Meade, Maryland, USA, January 27, 2016) The Ft. Meade IT and Cyber Day is a one-day event held at the Officers' Club (Club Meade) on base. The event is held on-site, where industry vendors will have the opportunity to display their products and services to IT, Communications, Cyber and Intelligence personnel

ESA 2016 Leadership Summit (Chandler, Arizona, USA, January 31 - February 3, 2016) The electronic security industry is rapidly changing and continuously evolving. It's not enough to just survive. Businesses looking to thrive need to adapt to ensure their people, products, services and practices stay ahead of the curve. The Summit is a three-day conference filled with networking and educational opportunities dedicated to delivering business intelligence to electronic security companies and professionals that are ready to embrace innovation and grow

SANS Cyber Threat Intelligence Summit & Training 2016 (Alexandria, Virginia, USA, February 3 - 10, 2016) This Summit will focus on specific analysis techniques and capabilities that can be used to properly create and maintain Cyber Threat Intelligence in your organization. Attend this summit to learn and discuss directly with the experts who are doing the CTI analysis in their organizations. What you learn will help you detect and respond to some of the most sophisticated threats targeting your networks

BSides Tampa 2016 (MV Royal Caribbean Brilliance of the Seas, Tampa to Mexico, February 4 - 8, 2016) BSides Tampa is an annual IT security/hacking conference featuring hands on training classes and lectures from some of the greatest minds in the industry and academia

The Law and Policy of Cybersecurity Symposium (Rockville, Maryland, USA, February 5, 2016) This one-day symposium will cover the critical legal and policy issues, challenges, and developments in cybersecurity. Legal professionals, professionals who develop cybersecurity strategies and policies, and anyone who assists organizations in preparing for and responding to cyber incidents should attend. Attendees will gain a comprehensive understanding of the legal and policy issues that they need to know when they represent clients, develop their organization's cyber strategy and policies, or respond to cyber incidents

National Cybersecurity Center of Excellence to Celebrate Opening of Newly Remodeled Facility (Rockville, Maryland, USA, February 8, 2016) The National Cybersecurity Center of Excellence is celebrating its dedication on February 8, 2016 at the center's newly remodeled facility at 9700 Great Seneca Highway

Insider Threat Program Development Training — California (Carlsbad, California, USA, February 8 - 10, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation

Secure Rail (Orlando, Florida, USA, February 9 - 10, 2016) The first conference to address physical and cyber rail security in North America

Cyber Security Breakdown: Dallas (Dallas, Texas, USA, February 10, 2016) This half day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than try and handle the breach during the chaos of the event, you'll understand how to build in advance, the best practices to respond effectively. Attend the Cyber Security Breakdown event that is focused on the unique issues and threats facing legal professionals

Suits and Spooks (Washington, DC, USA, February 4 - 5, 2015) Suits and Spooks DC (Feb 4-5, 2015) is moving to the Ritz Carlton hotel in Pentagon City! We're expanding our attendee capacity to 200 and for the first time will be including space for exhibitors. We have an international panel of speakers from the public and private sectors and we'll be adding live-streaming via Webex for those who cannot attend in person

2016 Cyber Security Division R&D Showcase and Technical Workshop (Washington, DC, USA, February 17 - 19, 2016) The cybersecurity threat continues to evolve and in order to keep ahead of the threat; new cutting-edge cybersecurity technologies are needed. The Cyber Security Division (CSD) within the Department of Homeland Security (DHS), Science and Technology Directorate (S&T) is funding many R&D efforts through academia, small businesses, industry and government and national labs. This year, we are excited to include an R&D Showcase featuring nine innovative transition-ready solutions and two collaboration projects with the private sector selected from our portfolio that address a variety of complex challenges and have the potential for transition into the marketplace

Department of the Navy (DON) IT Conference, West Coast 2016 (San Deigo, California, USA, February 17 - 19, 2016) The purpose of the DON IT conference is to: (1) Explain the new and invigorated DUSN (M), DON/AA, and DON CIO organization and its business and IT transformation priorities. (2) Share information that supports the SECNAV's vision laid out in the DON Transformation Plan to achieve business transformation priorities, leverage strategic opportunities, and implement DON institutional reform initiatives by changing the culture, increasing the use of data-driven decision-making, and effective governance

ICISSP 2016 (Rome, Italy, February 19 - 21, 2016) The International Conference on Information Systems Security and Privacy aims at creating a meeting point for researchers and practitioners that address security and privacy challenges that concern information systems, especially in organizations, including not only technological issues but also social issues. The conference welcomes papers of either practical or theoretical nature, presenting research or applications addressing all aspects of security and privacy, that concerns to organizations and individuals, thus creating new research opportunities

Interconnect2016 (Las Vegas, Nevada, USA, February 21 - 25, 2016) IBM InterConnect 2016 is for those who are building new business models, transforming industries, and creating better outcomes. Whether you're a C-suite executive, IT leader, developer, designer, architect, or cloud expert, we all have one thing in common — we strive to build better businesses. The relationship between IT and business is changing. As a leader, builder or innovator of technology, the decisions you make today will have an increasingly greater impact on your company's bottom line tomorrow. To remain successful, it's critical that you transform along with this ever-changing environment

CISO Canada Summit (Montréal, Québec, Canada, February 21 - 23, 2016) Tactics and best practices for taking on enterprise IT security threats. The CISO Summit will bring together C-level IT security executives, industry analysts and solution providers to discuss challenges and best practices in a relaxed, yet focused business setting

cybergamut Tech Tuesday: Neuro Cyber Analytics: Understanding the Patterns of Human Cognition in the Cyber Domain (Elkridge, Maryland, Middletown, February 23, 2016) This presentation will discuss Neuro Cyber Analytics. Humans use context-specific neurocognitive patterns for receiving and processing internal and external sensory information. Stated differently, people interact with the world around them primarily by seeing, hearing, and feeling, and make decisions about what to do next depending upon the context of what is happening in their environment. People often do not realize that their decision making process triggers certain unconscious behaviors that can be read as indicators of how their thoughts were formulated and sequenced

Insider Threat Program Development Training Course — Maryland (Annapolis, Maryland, USA, February 23 - 25, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation

CISO New York Summit (New York, New York, USA, February 25, 2016) A data breach is not only a PR nightmare, but cause for customers to turn to competitors, exposing sensitive company information and racking up fines from industry regulators. In order for organizations to operate smoothly, CISOs and IT security executives need to be ahead of the hackers, and kept abreast of the latest IT security topics and trends. Agenda sessions include panel discussions, think tanks, analyst Q&A sessions and much more

BSides San Francisco (San Francisco, California, USA, February 28 - 29, 2016) BSides San Francisco is an Information / Security conference that's different. We're a 100% volunteer organized event, put on by and for the community, and we truly strive to keep information free. There is no charge to the public to attend BSides SF. Our costs are covered by our generous donors and sponsors, who share our vision of free dissemination of information. The conversations are getting more potent and the "TALK AT YOU" conferences are starting to realize they have to change. BSides SF is making this happen by shaking-up the format

CISO Summit Europe (London, England, UK, February 28 - March 1, 2016) With the media covering the latest data breaches, cloud computing security questions going unanswered and hackers developing more sophisticated attacks, the IT department has a growing responsibility to protect customer and company data. The CISO Summit will bring together C-level IT security executives, industry analysts and solution providers to discuss challenges and best practices in a relaxed, yet focused business setting. Agenda sessions include engaging Keynote Presentations, Thought Leadership sessions, CISO Think Tanks, Analyst Q&As and much more

RSA Conference 2016 (San Francisco, California, USA, February 29 - March 4, 2016) Celebrating its 25th anniversary, RSA Conference continues to drive the information security agenda forward. Connect with industry leaders at RSA Conference 2016

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listens all over the world, companies trust the CyberWire to get the message out. Learn more.