The CyberWire Daily Briefing 12.07.16

Cyber Trends

Crime as a Service' a Top Cyber Threat for 2017 (BankInfo Security) Steve Durbin of Information Security Forum on the latest threats posed by crime rings

A new era of cybercrime – Symantec’s predictions for 2017 and beyond (IT Wire) Rogue nations will be financed by cybercrime, the used of undetectable file-less malware (firmware) will grow, IoT devices are fair and easy game, HTTPS/SSL will be abused – these are a few of Symantec’s emerging trends and predictions for paddling in cyberspace

Terabit-Scale Multi-Vector DDoS Attacks to Become the New Normal in 2017, Predict DDoS Experts (BusinessWire) Recent Mirai botnet foreshadows DDoS threats growing in size, scale and complexity in the coming year; businesses and governments to take heed due to increasing vulnerabilities in IoT Infrastructure

Big Brother state, or Little Brother society: How healthy is our data-sharing culture? (Computing) Peter Cochrane weighs up the relative usefulness or harm of the information we give away as the IoT looms into view

Top 4 global security threats businesses will face in 2017 (Help Net Security) The Information Security Forum (ISF) has announced their outlook for the top four global security threats that businesses will face in 2017

Information Security Forum Forecasts 2017 Global Security Threat Outlook (PRNewswire) Supercharged connectivity, crime-as-a-service, government sponsored terrorism and the global impact of data breaches top list of key threats to businesses

Small businesses underestimate the cyber threats of irresponsible employee actions (Deccan Chronicle) Only 36 per cent of small businesses worry about staff’s carelessness while the medium and large enterprises takes it a major concern

Corporate data left unprotected in the wild (Help Net Security) A new survey conducted by YouGov has highlighted the risks to corporate data from poor encryption, and employee use of unauthorised and inadequately protected devices. The survey of British office workers found that 42% use devices not provided by their employer to work with corporate e-mails and files. Half (52%) also use personal online accounts, such as Enterprise File Sharing Services (EFSS) to store or access work files – with only 34% saying they have never done so

Governments are behind on data encryption in the public cloud (Help Net Security) A HyTrust survey of 59 government and military organizations found that nearly 20 percent of those respondents do not implement data security or encryption solutions in the public cloud

Legislation, Policy and Regulation

Putin moves to step up Russia’s cyberdefenses (Naked Security) Stung by a recent wave of attacks against the sites of his country’s biggest banks, Russian President Vladimir Putin has endorsed a new infosec doctrine to raise online defenses, according to media reports. Among other things, it calls for Russia to develop “a national system of managing the Russian segment of the internet”

Cybersecurity Panelist on Recommendations to Trump (InfoRisk Today) Audio report: ISMG Editors analyze the latest developments

Presidential Cybersecurity Commission Issues Ambitious Policy Roadmap for Next Administration (JD Supra) On Thursday, December 1, the nonpartisan Commission on Enhancing National Cybersecurity, established pursuant to an Executive Order in February, issued its report, outlining more than 50 recommendations for the next Administration

US communications agency plans cybersecurity boost to protect Internet of Things (RT) A US communications regulator aims to beef up cybersecurity for smart devices and make it more difficult for hackers to hit network-connected homes. The federal agency has a plan penned, but further steps are on hold due to the Trump transition

Inside the Bizarre Movement to Make John McAfee Cyber Czar (Motherboard) On Monday afternoon, as Donald Trump continued finalizing his cabinet from his transition base atop Trump Tower, a group of thirty demonstrators gathered below to make a very specific recommendation: “That Donald Trump put America first and name John McAfee, the most qualified expert, to be our nation’s Cybersecurity Czar”

Trump fires a member of his transition team for tweeting fake news (TechCrunch) So-called fake news has real consequences, and everyone in the U.S. keeps learning that the hard way. Not just executives at social networks like Facebook, Reddit and Twitter. Or disgruntled and brilliant Weather Channel meteorologists

Server Location, Jurisdiction, and Server Location Requirements (Technology and Marketing Law Blog) At the recent “Law, Borders, and Speech” conference at Stanford, several participants debated the relevance of server location in determining jurisdiction. Some Silicon Valley attorneys at the conference argued that the location of a server should not be just one of the factors in a jurisdictional inquiry, but that it should be the determinative factor for jurisdiction

Products, Services, and Solutions

ESG Report Illustrates the Case for Secure Virtual Browsers (Ntrepid) Research indicates that as employees continue to demolish traditional enterprise perimeters, organizations will need to think beyond traditional web browsers

Bromium's Growth Triggers Launch of New Premium Support Services (Marketwired) Rapid expansion in enterprise market drives need for enhanced services to accelerate time-to-value for customers

WinPatrol to Match Donations for Charities, Schools and Religious Organizations (OpenPR) WinPatrol, the maker of WinPatrol WAR the only anti-ransom solution that also protects against malware and zero day attacks, today announced their WinPatrol Holiday Challenge. During this challenge, which lasts through the end of December 2016, WinPatrol will match license for license all donations of our software to charitable, religious and educational institutions

Virtual Forge Assembles Starter Package for SAP Enterprise Threat Detection (Virtual Forge) The fast way to get started with SAP’s new real-time solution for identifying attacks

IBM’s Watson Now Fights Cybercrime in the Real World (Wired) You may know Watson as IBM’s Jeopardy-winning, cookbook-writing, dress-designing, weather-predicting supercomputer-of-all trades. Now it’s embarking on its biggest challenge yet: Preventing cybercrime in finance, healthcare, and other fields

IBM names 40 companies in IBM Watson for Cyber Security beta (V3) IBM to trial cognitive computing for security

Interfocus Technologies and Cylance Announce OEM Partnership and New Product Release (BusinessWire) Now available in North America: Interfocus Advanced Threat Prevention Solution combines endpoint management with CylancePROTECT malware threat protection

Onapsis Joins IBM Security App Exchange Community (Onapsis) Onapsis Security Platform part of collaborative development to stay ahead of evolving threats

Barracuda Networks and High-Tech Bridge Join Efforts to Improve Web Application Security (BusinessWire) Barracuda Networks Inc. (NYSE:CUDA) and High-Tech Bridge SA announced a technology alliance and integration of High-Tech Bridge’s ImmuniWeb® Web Security Testing Platform and Barracuda’s Web Application Firewall from version 9.0 and above. The integration will allow customers to deploy virtual patching of web application vulnerabilities in just a few clicks

Centrify’s Identity Broker streamlines secure use of hybrid cloud (CSO) Centrify, the leader in securing enterprise identities against cyberthreats, has announced new hybrid cloud capabilities to speed and secure adoption of Infrastructure-as-a-Service (IaaS)

Nintendo offers up to $20,000 for bug info (Help Net Security) Video game giant Nintendo has set up a bug bounty program through HackerOne’s platform, and is asking researchers to find and flag vulnerabilities in the Nintendo 3DS family of handheld game system

A look at the top HackerOne bug bounties of 2016 (ZDNet) Everyone from porn providers to the US Army utilizes the platform -- but what are the most lucrative programs that have been hosted this year?

Hackers hunting for energy-tech flaws see cash on the horizon (Energywire) Equipment suppliers to the power grid, water utilities and other U.S. infrastructure are warming up to a cybersecurity strategy once viewed as heretical: paying hackers who find security flaws in their products

NIKSUN Awarded U.S. Department of Defense UC APL Status (BusinessWire) NIKSUN’s security products receive Unified Capabilities (UC) Approved Products List (APL) certification by the Defense Information Systems Agency (DISA)

This App Wants to Be Your Encrypted, Self-Destructing Slack (Wired) If you use a workplace collaboration tool like Slack or Hipchat, it’s easy to fall into an assumption of privacy, throwing around gossip and even sensitive business as if it were normal cubicle chatter. It’s not. Anything you write in one of those collaborative chatrooms can be stored, and is potentially vulnerable to government surveillance, hacking, or a subpoena in a run-of-the-mill lawsuit

KnowBe4 Phishing Tool Looks To Take Down CEO Fraud (PYMNTS) KnowBe4, a security awareness training and simulated phishing platform provider, launched a new tool designed to help IT managers combat CEO fraud, or Business Email Compromise (BEC) as it is referred to by the FBI

TAG Awards First Group of "Certified Against Fraud" Seals to Companies Meeting Strict Anti-Fraud Standards (Street Insider) Initial recipients to complete process include Google, WPP's GroupM, Interpublic Group, Omnicom, Horizon Media, OpenX Technologies

The security gift guide (CSO) Give the gift of security, so people will give you the gift of not asking for help and advice

Technologies, Techniques, and Standards

The Passwords You Should Never Use (SANS Internet Storm Center) New releases of bad or weak passwords lists are common[1][2] on the Internet

Avast launches four new ransomware decryptors (Windows Report) The rise of ransomware has given a whole new world of meanings to cyber threat. It’s now one of the dangerous malware forms in that it locks users out of their computer and important files using robust encryption tools. Unless you pay the amount demanded by attackers, you’ll have to look for other ways to recover your data. Fortunately, some of the major security vendors got your back with free decryption tools

Playing cyber defense is not enough to win (CSO) Sometimes offensive attacks are a necessary part of the game

Hacking Attacks Raise Fears As U.S. Military Increasingly Outsources IT (Business Solutions) Security must extend to affiliated entities to ensure protection of sensitive data

Web Gateways: 5 Big Security Challenges (Dark Reading) Overreliance on Web gateways is putting data, users, customers, organizations, and reputation in harm's way

Why security leaders need to embrace the concept of reasonable security now (CSO) Vanessa Henri explains the legal definition of reasonable security and why now is the time to embrace the concept and prepare

Top 6 breach response best practices for 2017 (Help Net Security) Cybercrime costs are expected to rise to $2 trillion by 2018, according to Juniper Research, in large part because the increase in cyber threats is resulting in a surge in data breaches, exposing millions of individuals and their sensitive information

When the Boundary Isn’t Enough: Accelerating Discovery, Investigation and Response (Infosecurity Magazine) Depending on which study you are citing, anywhere between 50% and 95% of companies have already been breached. If you consider the money that has been invested in preventive security, that’s a major fail. Once the cybercriminals are inside, finding and stopping them must be a priority – and the faster that happens, the fewer the losses, both economically and in terms of reputation

Lessons on Setting Cybersecurity Priorities (InfoRisk Today) Insights from ISMG's GovInfoSec Summit Asia Conference

The Hidden Cost of ‘Pay-to-Play’ AV Testing (Cylance) It must be said: some of the top players in the third-party antivirus (AV) testing industry have recently revealed themselves to be nothing more than pay-to-play capitulators who seek to line their pockets by perpetuating outmoded technologies while keeping more effective and innovative solutions out of the hands of the users who need them

What is the Blockchain? (Nasdaq) These days it is impossible to read the financial press without often stumbling upon intriguing hints that something called "the blockchain" is going to disruptively revolutionize banking and financial services. So, in this first of a series of introductory articles, we try to explain clearly and simply what blockchain technology is, and why it is considered highly relevant to the future of finance and banking

Cyber Intelligence and Defense for the Public Sector, Part 2: The Growth and Importance of Threat Intelligence (CTOvision) As attested to in our previous post in this series, the dynamic nature of today’s cyber threats has led to the evolution of cyber threat intelligence as an essential component of every enterprise’s cyber risk reduction strategy

Marketplace

Cyber-insurance: What will you be able to claim for and is it worth it? (SC Magazine) The sharp rise in cyber-crime has caused big business to look seriously at how the insurance industry can help mitigate business risks associated with a data breach. But lack of actuarial data, and the inability to put a price on a risk with so many moving parts leads SC's Roi Perez to ask, is cyber-insurance worth it?

What is Cyber Insurance and Do You Really Need It? (CSO) Cyber insurance seems to be a popular new buzzword for many businesses. Roughly 70% of companies are now trying to transfer the risk to a third party insurance company. Out of these, roughly 25% were spending $500,000 or more on premiums. When asked in the RIMS cyber security survey why they made this decision, 82% of companies said they were concerned about how having a breach can cause harm to their reputation. 76% were concerned about business interruption and 75% were concerned about data loss

The Best Cybersecurity Stocks of 2016 (Fox Business) Despite a stream of high-profile data hacks on enterprises, this hasn't been a great year for the cybersecurity industry. Spending growth slowed as large companies decided to delay purchase decisions, pinching profit results for the biggest players

Optiv Security to Be Acquired By KKR (BusinessWire) Leading global investment firm to support Optiv’s continued business growth and accelerate global expansion

Cisco Systems Inc. Is Running out of Room to Grow...What's Next? (Motley Fool) Will SDN-optimized hardware, cybersecurity solutions, and a new IoT platform lift the aging tech giant’s top line growth?

5 Reasons Palo Alto Networks Inc Stock Could Fall (Fox Business) Next-gen firewall vendor Palo Alto Networks (NYSE: PANW) shed nearly 30% of its value over the past year due to ongoing concerns about its slowing sales growth, widening losses, and rising competition. But as Palo Alto hovers near its 52-week low, investors might be tempted to start a position in this high-growth stock. However, I believe that the stock could still fall further for five main reasons

Podcast: What it takes to succeed in the cybersecurity business (Christian Science Monitor Passcode) This episode of the Cybersecurity Podcast features Sunil James, a Silicon Valley venture capitalist who invests in information security companies for Bessemer Venture Partners

Meerah Rajavel joins Forcepoint as new Chief Information Officer (Voice and Data) Global cybersecurity leader Forcepoint has announced Meerah Rajavel joins the company as its new chief information officer (CIO)

ThreatConnect Names John Lyons Senior Vice President, Global Sales (ThreatConnect) Announcing the hiring of John Lyons Senior Vice President, Global Sales

RiskIQ Appoints Security Industry Leader Scott Gordon as Chief Marketing Officer (RiskIQ) Distinguished tech marketing veteran to fortify company’s success in the disruptive digital threat management market

Cybersecurity Attorney and Former State of Texas Chief Information Security Officer Edward Block Joins Gardere (Gardere) Gardere Wynne Sewell LLP is pleased to welcome information security expert Edward H. Block as a senior attorney in its Austin office. Mr. Block joins the Firm from the Texas Department of Information Resources, where he served as the chief information security officer (CISO) and the cybersecurity coordinator for the state of Texas

Research and Development

Raytheon scores $9M in contracts to support power grid cybersecurity (Washington Technology) Raytheon BBN Technologies has won a number of contracts totaling $9 million to research and develop technologies that will detect and respond to cyber attacks on the U.S. power grid infrastructure

Security Patches, Mitigations, and Software Updates

Backdoor accounts found in 80 Sony IP security camera models (CSO) Sony released firmware updates to remove the accounts that could give hackers full access to the cameras

New Flavor of Dirty COW Attack Discovered, Patched (TrendLabs Security Intelligence Blog) Dirty COW (designated as CVE-2016-5195) is a Linux vulnerability that was first disclosed to the public in October 2016. It was a serious privilege escalation flaw that allowed an attacker to gain root access on the targeted system. It was described as an “ancient bug” by Linus Torvalds and was quickly patched once it was disclosed, with most Linux distributions pushing the patch to their users as soon as possible

Microsoft's Windows 10 Creators Update Will Go All-In on Security (PC Magazine) Just one month after patching 68 Windows 10 security vulnerabilities, Microsoft drops a raft of new enterprise security features

App developers not ready for iOS transport security requirements (CSO) Many iOS apps opt out of Apple's App Transport Security (ATS) feature or deliberately weaken it

Cyber Attacks, Threats, and Vulnerabilities

North Korea steals classified military data in latest cyber attack on South Korea (International Business Times) North Korea hacked South Korea's cyber command in the latest cyberattack against Seoul, the South Korean military said

Flash Exploit Found in Seven Exploit Kits (Threatpost) A nasty Adobe Flash zero-day vulnerability that was remediated in an emergency update in October 2015 was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future

Petya Ransomware Returns with GoldenEye Version, Continuing James Bond Theme (Bleeping Computer) The author of the Petya-Mischa ransomware combo has returned with a new version that uses the name GoldenEye Ransomware, continuing the malware's James Bond theme

Crucial information about VO_ ransomware virus (2-Spyware) The good news is that VO_ virus might not be as dangerous as Locky which recently rampaged on the social media

Pennsylvania State Prosecutor's Office Paid Ransom In 'Avalanche' Ransomware Attack (Dark Reading) Allegheny County state prosecutor's office paid attackers $1,400 in Bitcoin to free its data

Malicious online ads expose millions to possible hack (CSO) The attack campaign, called Stegano, has been spreading from malicious ads hosted by news websites

Millions exposed to malvertising that hid attack code in banner pixels (Ars Technica) Manipulated images are almost impossible to detect by the untrained eye

Readers of popular websites targeted by stealthy Stegano exploit kit hiding in pixels of malicious ads (We Live Security) Millions of readers who visited popular news websites have been targeted by a series of malicious ads redirecting to an exploit kit exploiting several Flash vulnerabilities. Since at least the beginning of October, users might have encountered ads promoting applications calling themselves “Browser Defence” and “Broxu” using banners similar to the ones below

Researchers Find Fresh Fodder for IoT Attack Cannons (KrebsOnSecurity) New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai

Backdoor vulnerability (SEC Consult Vulnerability Lab Security Advisory) Attackers are able to completely takeover the Sony IPELA ENGINE IP Camera products over the network

Hackers Gamify DDoS Attacks With Collaborative Platform (Threatpost) A Turkish hacking crew is luring participants to join its DDoS platform to compete with peers to earn redeemable points that are exchangeable for hacking tools and click-fraud software. The goal, security researchers say, is to “gamify” DDoS attacks in order to attract a critical mass of hackers working toward a unified goal

The early IoT gets the worm (Help Net Security) Five days after the start of World War I, Sir Edward Grey, British Foreign Secretary, remarked to a close friend, “The lights are going out all over Europe, we shall not see them lit again in our lifetime"

Standards body warned SMS 2FA is insecure and nobody listened (Register) Duo Security says NIST's advice to deprecate out-of-band passwords has been ignored

Dailymotion urges users to reset passwords in wake of possible breach (Help Net Security) Breach notification service LeakedSource has added information about over 87 million Dailymotion users to its search index

Charter Savings Bank Computer Theft Sparks ID Fraud Fears (Infosecurity Magazine) A Wolverhampton-based bank has come under fire after thieves stole PCs containing the personal details of tens of thousands of customers, exposing them to identity theft

Over 400,000 phishing sites have been observed each month during 2016 (Help Net Security) 84 percent of phishing sites observed in 2016 existed for less than 24 hours, with an average life cycle of under 15 hours. The data collected by Webroot shows that today’s phishing attacks have become increasingly sophisticated and carefully crafted in order to obtain sensitive information from specific organizations and people

Webroot Quarterly Threat Update: 84% of Phishing Sites Exist for Less Than 24 hours (Webroot) Report demonstrates phishing attacks have grown in prevalence and sophistication

We Went Looking for Russian Hackers and Met a Bunch of Sketchy People (Motherboard) On the internet, Russian hackers have reached an almost a mythical aura. They seem to have unfathomable hacking powers, and they appear untouchable

The 7 Most Sensational Breaches Of 2016 (Dark Reading) The biggest hacks, data exposures, and thefts that left companies and government entities reeling

Litigation, Investigation, and Enforcement

Dutch police get OK to exploit zero-days: So will that just mean more surveillance? (ZDNet) Despite its previously tough stance against encryption backdoors, the Netherlands has now given the green light for its secret services and police to exploit zero-day software vulnerabilities

Be Prepared for Jail Time if You Post Fake News on Social Media in Saudi Arabia (HackRead) The orders came after fake news about Prince Abdullah sacked as president of the General Authority of Sports

Facebook and Twitter Need to Shut Down Hate Speech Within 24 Hours, Europe Warns (Motherboard) Facebook, Twitter, YouTube and Microsoft aren’t responding to cases of online hate speech fast enough, according to the European Commission, which demands the technology companies review reports of hate speech less than 24 hours after they were first reported

US Tech Firms Promise Terror Content Crackdown (GovInfo Security) YouTube, Facebook, Twitter and Microsoft will target images and videos

Google Is Fighting Global Search Censorship In Canada's Supreme Court (Motherboard) A legal battle over the future of online censorship is raging in snowy Canada

Marine major who warned of danger before insider attack wins court case (Marine Corps Times) A federal judge has overturned a Marine Corps decision to discharge Marine Maj. Jason Brezler, who was accused of mishandling classified information after he warned Marines in Afghanistan about an Afghan police chief days before a deadly insider attack in August 2012

Settlement in Tampa General Hospital Insider Breach Lawsuit (HealthcareInfo Security) Plaintiffs alleged a 'history of poor data protection'

Derivative Suit Against Home Depot For 2014 Data Breach Dismissed (Dark Reading) Judge says defendants may have been slow to spike up network security, but did not fail to act

Former Expedia IT support worker spied on company executives (Help Net Security) A computer support technician formerly employed at Expedia offices in San Francisco pleaded guilty to securities fraud. Jonathan Ly, 28, admitted he used his position in tech support at Expedia to access emails of Expedia executives so that he could trade in Expedia stock and illegally profit from non-public information

Samsung victorious at Supreme Court fight with 8-0 opinion against Apple (Ars Technica) Apple can't automatically get Samsung's full profits due to patent infringement

Design and Innovation

How the human factor can actually increase your cyber security (IT Business Net) Cyber security is the number one problem for most organizations nowadays. According to new statistics the cost of cybercrime increased to $400 billion worldwide in 2014, and about one million attacks occurred every day in 2015. National Cyber Security Alliance estimates that around 60% of businesses close in the six months after a cyber-attack. Whats more, human error is estimated to cause 37% of all those security incidents

Are you human or a bot? Google’s invisible reCAPTCHA will decide (Naked Security) A few years ago, Google simplified its prove-you’re-a-human reCAPTCHA test. To prove we’re not automated bots, it gave us a single, hopefully quivery “I’m not a robot” click to replace the previous deciphering of blobby melted characters and mathematical problems that made our brains hurt

‘Rich irony’ as Facebook blocks extension to highlight fake news (Naked Security) Well, now, this is meta, said the creator of a fake-news labeling extension that Tech Crunch incorrectly identified as a new Facebook extension

How Carriers Can Help Solve IoT Insecurity (Wireless Week) Through our research and work with carriers, partners, and others, AdaptiveMobile has predicted up to 80 percent of devices connected on the IoT do not have appropriate security measures in place. To put it plainly, four in five of IoT devices on the market are vulnerable to malicious activity, inadvertent attacks, and data breaches

Microsoft takes another shot at an AI chatbot with Zo (ZDNet) Microsoft has fielded a preview of another AI chatbot, Zo.ai, but so far is limiting the topics it is able to address

Will Zo suffer the same fate as Tay? Microsoft launches its latest artificial intelligence chatbot on Kik (Daily Mail) Microsoft had to shut down its chatbot, Tay, after the system was corrupted. But its newest chatbot, Zo, has now launched with early access on Kik. The bot can reply to questions, use emoji and even deliver puns. Microsoft has not made an official announcement about the chatbot yet

North Korean cyber espionage. Patched Adobe zero-days found in exploit kits. Ransomware updates. New IoT vulnerabilities discovered (and addressed). Steganographic malvertising. National cyber strategies, and laws requiring content filtering.