The CyberWire Daily Briefing 12.08.16

Cyber Trends

Corporations Cite Reputational Damage As Biggest Cyber Risk (Dark Reading) New data analyzing SEC disclosures found 83% of publicly traded companies worry most about the risk of brand damage via hacks exposing customer or employee information

Next year, attacks will differentiate to penetrate new vulnerable surfaces (Help Net Security) The upcoming year will include an increased breadth and depth of attacks, with malicious threat actors differentiating their tactics to capitalize on the changing technology landscape, according to Trend Micro

323,000 pieces of malware detected daily (Help Net Security) According to Kaspersky Lab, the number of new malware files detected by its products in 2016 increased to 323,000 per day. This is an increase of 13,000 from the amount in 2015, and a significant jump from the 70,000 files per day identified in 2011

Fortinet predicts tipping point for cybersecurity as threats become difficult to detect (Data Quest) Fortinet has unveiled six predictions from the FortiGuard Labs threat research team about the threat landscape for 2017. These predictions reveal the methods and strategies that Fortinet researchers anticipate cyber criminals will employ in the near future and demonstrate the potential impact of cyber attacks to the global digital economy

Las Vegas, Rust Belt, Hit Hardest By Ransomware (Dark Reading) New study by Malwarebytes finds that the US has the most ransomware incidents worldwide

Finance sector urged to ramp up cyber defences (Financial Times) Deputy Treasury secretary claims basic security would have thwarted recent attacks

Conveyancing theft reported as biggest cybercrime problem for law firms (Today's Conveyancer) Figures published today by the Solicitors Regulation Authority (SRA) have shown that email hacks of conveyancing transactions are the most common cybercrime in the legal sector, with £7 million of client losses reported in the last year

Errata Security's Robert Graham on securing IoT (FedScoop) Errata Security's CEO talks about the evolving security threats around IoT

The cloud security advantage (ZDNet) Is the cloud about to shed its reputation for decreasing enterprise security - and will instead enhance it?

60 Percent of Enterprises Were Breached by Social Engineering Attacks in 2016 (eSecurity Planet) And 65 percent of those attacks compromised employees' login credentials, a recent survey found

Legislation, Policy and Regulation

Homeland Security Chair Demands ‘Consequences’ for Russia on Hacks (Washington Free Beacon) Trump national security adviser unveils comprehensive plan for U.S. security

Trump May Be On Collission Course With Congress Over Russian Hacking (Nextgov) National security leaders in Congress could be headed for conflict with President-elect Donald Trump when it comes to Russian hacking

Retired Gen. John Kelly is Trump's pick for Homeland Security secretary (Military Times) Donald Trump has picked former Marine Corps Gen. John Kelly to run the Department of Homeland Security, the third retired military officer nominated for a role in the president-elect's Cabinet

Cybersecurity Commission Urges Better Partnerships, More Training to Safeguard Networks (SIGNAL) Several recommendations mirror what AFCEA's Cyber Committee has called for

Security Industry Association Hails Passage of Power and Security Systems Act (PRWeb) Revised law would extend exemption for certain security and life safety products from “no-load” requirements in power supply energy standards

DoD plans to bolster APT security (C4ISRNET) One of the DoD's biggest cybersecurity concerns is advanced persistent threats (APTs), attacks in which an unauthorized entity gains access to a network and remains there undetected for a long period of time. An APT attack's goal is to steal data rather than to cause outright damage to the network or organization

Army Chief Supports Continuing DIUx Into Next Administration (DefenseNews) The US Army’s top officer believes the Pentagon’s engagement with the commercial tech community should continue, a major endorsement as the Pentagon prepares to transition to the administration of President-elect Donald Trump

The legal exemption making life easier for ethical hackers (Christian Science Monitor Passcode) An exemption to the Digital Millennium Copyright Act allows hackers to conduct good will research into medical devices, automobiles, and other internet-connected devices without threat of lawsuits from manufacturers

Opinion: An automotive privacy collision (Christian Science Monitor Passcode) The National Highway Traffic Safety Administration owes it to motorists to set more robust and clearer privacy standards for connected cars

Protecting Whistleblowers with Access to Classified Information (IC on the Record) Under the Third Open Government National Action Plan, issued on October 27, 2015, the Director of National Intelligence committed to develop a common whistleblower training curriculum that can be adopted by all federal agencies covered under Presidential Policy Directive 19, Protecting Whistleblowers with Access to Classified Information

Products, Services, and Solutions

Subdomain Infringement: An Unseen Threat (RiskIQ) Domain infringement is when threat actors use brand names within illegitimate web domains to imply affiliation with a brand to deceive end users about who’s behind the content they see on a site. They use this exploitation of trust as a lure to phish for sensitive data, distribute malware, promote scams, generate revenue from ads on parked domains, and drive monetizable traffic to other sites

Route1 Launches DerivID – A New Standard in Secure Mobile User Identity Validation (Route1) Innovative offering provides derived credentials for government-issued PIV and CAC cards

LookingGlass Announces New Program for Managed Security Services Providers (MSSPs) (BusinessWire) LookingGlass Cyber Solutions™, a leader in threat intelligence driven security, today announced the Cyber Guardian Network partner program has expanded to include Managed Security Services Providers (MSSPs)

LightCyber Magna Reinvents Intrusion Detection to Meet PCI DSS Compliance Requirements (LightCyber) Certified PCI assessor validates Magna Platform for PCI DSS Requirement 11.4

Thales Releases Advanced Encryption Solutions for Secure Docker Containers, Simplified Deployment and Zero Downtime (PRNewswire) Vormetric Data Security Platform expansion includes patented, non-disruptive encryption deployment and advanced Docker encryption

LockPath wins 2016 GRC Value Award for Policy Management (Lockpath) LockPath, a leader in governance, risk management and compliance (GRC) solutions, today announced the company is being honored with the 2016 GRC Value Award in Policy Management. The GRC Value Awards program recognizes real-world implementations for GRC programs and processes that have returned significant and measurable value to an organization

New Secure Data Exchange from SecureDx.net Protects Electronic & Cloud Messaging and Communications (Yahoo! Finance) SecureDx.net has announced a new product, Secure Data Exchange (SDE) that provides what's been missing with other message security systems. For example, Cloud messages are used in patient/physician PHI (Patient Health Information) exchanges. These interactions are typically achieved using unsecure email notifications and data access links to cloud, which present an easy target for intrusive hackers

Waratek Protects Against Deserialization Attacks with No Blacklisting, Whitelisting or Code Changes (BusinessWire) New capability safely mitigates vulnerabilities without breaking applications

Huntsman Security delivers on its promise to automate cyber security (ResponseSource) Huntsman Security announced today the launch of its Automated Cyber Security capability that industrialises threat management using reliable, repeatable processes to decrease an organisation’s time at risk to seconds

Radware Powers XO Communications New DDoS Mitigation Service (EconoTimes) Radware® (NASDAQ:RDWR), a leading provider of cyber security and application delivery solutions ensuring optimal service levels for applications in virtual, cloud, and software-defined data centers, announced that XO Communications (XO), a leading enterprise ISP, has launched a Distributed Denial of Service (DDoS) Mitigation Service as part of its Security Services product portfolio, based on Radware’s Attack Mitigation System. Radware will help protect XO’s data centers from network security threats and provide XO’s customers with value added DDoS Mitigation Service

BeyondTrust Announces Key Partnership with Simeio Solutions (Beyond Trust) BeyondTrust, the leading cyber security company dedicated to preventing privilege misuse and stopping unauthorized access, today announced a strategic partnership with Simeio Solutions. As BeyondTrust increases its track record of successful privileged access management (PAM) deployments, partnerships with trusted identity and access management (IAM) services providers, like Simeio, will enable more customers to expedite PAM initiatives and achieve faster ROI

Novetta Certifies EyeLock Iris Authentication Performance (PRNewswire) Independent test results affirm capabilities in accuracy, performance and usability

Unisys Brings One Touch To Cyberfraud Fighting (PYMNTS) Global IT firm Unisys Corporation launched a new software application that enables organization to fight cybercrime with enterprise-wide, micro-segmentation security that can be deployed at the touch of a button

Egnyte Launches Builder, an App Store Streamlined for Corporate Productivity (PRWeb) Empowering enterprise users to build their own digital workplace

WISeKey and Boole Server Announce a Partnership to Secure Mobile Communications and Transactions (BusinessWire) WISeKey International Holding Ltd (WIHN.SW) (“WISeKey”), a Swiss cybersecurity company and Boole Server, an Italian vendor of data-centric protection company, today announced their partnership to secure mobile communications and transactions through the new WISeID BooleBox app

Here's How Much a StingRay Cell Phone Surveillance Tool Costs (Motherboard) Rochester Police Department in New York responded to our Cell Site Simulator Census with a rare look into the pricing and packaging of the cellphone surveillance tech: a completely unredacted quote list of Harris Corporation products

Technologies, Techniques, and Standards

Announced: Independent OpenVPN security audit (Help Net Security) VPN service Private Internet Access (PIA) has just announced that they have contracted noted and well-reputed cryptographer Dr. Matthew Green to perform a security audit of OpenVPN

Optiv Security’s Top 12 Tips for More Secure Business Practices During the 2016 Holiday Season (Optiv) Optiv Security, a market-leading provider of end-to-end cyber security solutions, today shared a list of a dozen tips for implementing more secure business practices during the 2016 holiday season. Optiv’s experienced team of security experts developed these recommendations to help security and IT teams better prepare their companies and employees to address the increase in cyber threats that occur during this time of year

Mitigating Insider Threats In Cloud Environments (Cybersecurity Association of Maryland) One of the most difficult cybersecurity threats to prevent is that posed by the insider. No amount of firewalls or penetration tests can stop someone with access to sensitive corporate information from sharing documents, installing malware, or simply abusing access privileges and leaking information

5 Things Security Can Learn From Operations’ Transition Into DevOps (B2C) Over the past couple of years, a discussion has been brewing in the Security community about the future of its work. On one hand, the need for security is more urgent than ever as all areas of business and personal computing are being impacted by cyber threats. On the other hand, the process of delivering software has changed: We have significantly streamlined the development process by reducing organizational silos through various implementations of a DevOps culture

What the rise of social media hacking means for your business (CSO) A product marketing manager at your company just posted a photo on LinkedIn. The problem? In the background of the image, there’s a Post-It note that contains his network passwords. You can barely see it, but using artificial intelligence algorithms, hackers can scan for the publicly available image, determine there are network passwords, and use them for data theft

Biometric Technology Is Not A Cure-All For Password Woes (Dark Reading) No single authentication token is infallible. The only real solution is multifactor authentication

From Carna To Mirai: Recovering From A Lost Opportunity (Dark Reading) We had four years to prepare for recent DDoS attacks and failed. How can we learn from our mistakes?

Marketplace

The Private Market Is Demolishing America’s Premiere Spying Agency (Daily Caller) Employees at the National Security Agency (NSA) are leaving in droves for the private sector mainly because of low morale and low pay

Could this be you? Really Offensive Security Engineer sought by Facebook (Register) 'Here's your new password, champ – GoF*!#Urs3lf'

Soft targets (Breaking Views) Splunk, Symantec or Twitter could end up in Masayoshi Son’s hands – maybe all three. The founder of Japan’s SoftBank is amassing a $100 billion fund with the backing of Saudi Arabia. This war chest will let Son make more big bets, like his $32 billion purchase of Britain’s ARM, while keeping them off SoftBank’s books

In Optiv's next chapter with KKR, 'sky's the limit' for OP office (Kansas City Business Journal) A deal to sell a majority stake to KKR & Co. LP has Denver-based Optiv Security thinking globally — and locally with its Overland Park office

Silicon Valley Bank Provides $25 Million Line for A10 Networks (Silicon Valley Daily) Silicon Valley Bank has agreed to provide a $25 million revolving line of credit to publicly-traded A10 Networks (NYSE: ATEN), a leader in application networking and security. The credit facility provides A10 Networks with access to additional working capital when needed for general corporate purposes

Kenna Security Closes $15 Million Series B Funding (Marketwired) PeakSpan Capital led funding round, following Kenna's 300 percent growth in enterprise bookings in 2016

Cutting-edge Cybersecurity Company FHOOSH Raises $2M In Funding From Volta Global, Poised For Commercial Success (The Street) FHOOSH, the first company to pair high-speed data transmission with ultra-secure cybersecurity, recently secured a $2 million investment from Volta Global, a private investment group active in transformational venture capital, as part of FHOOSH's recent oversubscribed financing

Deloitte invests in SETL after year-long collaboration (IBS Intelligence) Deloitte has invested in blockchain startup SETL, the first time the firm has (publicly) funded the technology. The two had previously worked together, trialling a contactless payment card with Metro Bank which is expected to launch in 2017

Resolver Acquires Assets Related to Multiple Risk Management Applications of Wynyard Group; Expanding its Global Footprint, Opening Offices in London, UK and Christchurch, NZ (BusinessWire) Following the voluntary administration process of Wynyard Group Limited of Auckland, New Zealand, Resolver finalizes the acquisition of Wynyard’s Risk Management suite of products. Resolver has greatly expanded its customer base and global reach with the acquisition of the Wynyard Risk Management (WRM), Kairos Risk Management and Methodware Enterprise Risk Assessor (ERA) applications. Over 150 customers using the WRM products will be provided continual support and long-term product roadmap through Resolver

Cisco's Cash Repatriation: Next Catalyst? (Seeking Alpha) Silicon Valley executives are scheduled to meet with President-elect Trump this month. On the agenda, cash repatriation could benefit tech behemoths, like Cisco. Cisco’s overseas cash pile could drive the stock’s next leg up through M&A, buybacks and dividend increases

How Risky Is FireEye Inc Stock? (Motley Fool) Is this beaten-down cybersecurity player worth buying at a 35% discount to its IPO price?

Is Palo Alto Networks Stock Still Secure? (Investment U) It’s an exciting time to work at a cybersecurity firm like Palo Alto Networks (NYSE: PANW). Individual hackers continue to gain in numbers and sophistication. And recently, advanced state-sponsored hackers have joined the party. Amidst all these cyberthreats, demand for cybersecurity services has gone through the roof. And that should be great news for owners of Palo Alto Networks stock

Tenable Network Security Named a “Top Workplace” by The Baltimore Sun for Third Consecutive Year (BusinessWire) Maryland-based global cybersecurity leader earns top marks from employees for workplace culture and organizational health

BlackBerry hires former Coast Guard CIO for cyber center (CyberScoop) Retired Rear Admiral Robert Day, Jr., the man hired by BlackBerry last week to lead its federal certification and compliance efforts, knows all about the crisis in the cybersecurity workforce — and not just from his time as CIO of the U.S. Coast Guard

The Daily Record announces its 2016 Leading Women (Daily Record) The Daily Record has announced its 2016 Leading Women, honoring 50 women who are 40 years of age or younger for the accomplishments they have made so far in their careers [including security executive]....Tina C. Williams, president/CEO, TCecure LLC

Security Patches, Mitigations, and Software Updates

GPS receives 'major software upgrade' (C4ISRNET) Lockheed Martin has completed an upgrade of the ground control system of the Air Force's GPS satellites

AirDroid Beta 4.0.0.2 fixes major security issues, official rollout expected soon (Android Police) A few days ago, independent security firm Zimperium released details about several major security flaws in the popular AirDroid application. In summary, attackers can easily intercept insecure requests to AirDroid's servers, as well as push malicious APKs to devices which appear as AirDroid add-on updates (which AirDroid then prompts the user to accept). Granted, the user has to be on an insecure Wi-Fi network for the attack to work, but it's still a major problem

Solar Power Firm Patches Meters Vulnerable to Command Injection Attacks (Threatpost) Solar software and analytics firm Locus Energy has pushed out a patch to its residential and commercial power meters to address a vulnerability that could allow hackers to access equipment and remotely execute code

Microsoft fixes Windows 7 'Group B' security-only patching method (InfoWorld) Great news: TechNet blog eschews fixing Win7/8.1 security-only bugs with monthly rollup patches

Internet of $@!%: Google API change triggers Epson printer revolt (Ars Technica) Printers caught in reboot loop after API change causes firmware fail

Cyber Attacks, Threats, and Vulnerabilities

Why would Rouhani cyber-attack the Saudis? There's far too much at stake (Middle East Eye) Saudi Arabia suggests the digital fingerprints of Iran are on a recent virus attack. But such action is illogical – and suggests invisible hands at work

Flaw spotted in North Korea’s Red Star operating system (Naked Security) North Korea’s national Red Star operating system is surely the strangest fork of Linux ever programmed

ThyssenKrupp secrets stolen in 'massive' cyber attack (Reuters) Technical trade secrets were stolen from the steel production and manufacturing plant design divisions of ThyssenKrupp AG (TKAG.DE) in cyber attacks earlier this year, the German company said on Thursday

A Turkish hacker is giving out prizes for DDoS attacks (PCWorld) But the DDoS software comes with a hidden backdoor

Sledgehammer - The Gamification of DDoS Attacks (Forcepoint) Operation Sledgehammer translated into Turkish is Balyoz Harekâtı, which was the name of a 2003 attempted military coup d'etat in Turkey. It’s also the name of a recent Distributed Denial of Service (DDoS) attack that targeted organizations with political affiliations that the attacker deems out of line with Turkey’s current government. These organizations include the German Christian Democratic Party (CDU), The People’s Democratic Party of Turkey, the Armenian Genocide Archive and the Kurdistan Workers Party (PKK)

Floki Bot Strikes, Talos and Flashpoint Respond (Talos) Floki Bot is a new malware variant that has recently been offered for sale on various darknet markets. It is based on the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011. Rather than simply copying the features that were present within the Zeus trojan "as-is", Floki Bot claims to feature several new capabilities making it an attractive tool for criminals. As Talos is constantly monitoring changes across the threat landscape to ensure that our customers remain protected as threats continue to evolve, we took a deep dive into this malware variant to determine the technical capabilities and characteristics of Floki Bot

Zeus Variant ‘Floki Bot’ Targets PoS Data (Threatpost) Researchers have observed an uptick in attacks using the banking malware Floki Bot against U.S., Canadian and Brazilian banks, and insurance firms

PoS attacks: Undetected vulnerabilities lay in wait (Help Net Security) Attivo Networks issued a report detailing severe vulnerabilities in the nation’s POS systems that could lead to large breaches during the Holiday shopping period and on into next year

“PluginPhantom” Android Trojan Uses Plugins to Evade Detection (APIDA) A recently discovered Android Trojan dubbed “PluginPhantom” abuses a legitimate plugin framework to update itself and evade static detection, Palo Alto Networks reported on Wednesday

Subdomain Infringement: An Unseen Threat That’s Cashing In (RiskIQ) Subdomain infringement is the most dangerous threat your security team may not be detecting

Dridex Targets Scotland (Infosecurity Magazine) Fujitsu CTI has been monitoring Dridex across our customers for a period of time. There have been evolving variants of the same campaigns attempting to deliver the Dridex banking trojan via malicious email attachments. Dridex recently targeted victims using a football lure in an attempt to deliver the malicious trojan

Mobile Ransomware: Pocket-Sized Badness (TrendLabs Security Intelligence Blog) A few weeks ago, I spoke at Black Hat Europe 2016 on Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game

Nine in Ten NHS Trusts Still on Windows XP (Infosecurity Magazine) Security experts have warned that patient data is at risk after it was revealed that 90% of NHS Trusts in England are still running the unsupported Windows XP operating system

Crims turn to phishing-as-a-service to slash costs and max profits (Register) So says Imperva after trolling the dark web

Good Cop; Bad Cop; Domain Cop? (SANS Internet Storm Center) When investigating events, like malware or spam hitting our systems, we often send notifications to parties from which the malicious traffic originates. One the other hand, it isn't terribly unusual, for us to receive malware notifications if some of the snippets of code we post match anti-virus patterns

Hacker Steals $300,000 from Major Cryptocurrency Investor (Bleeping Computer) An unknown hacker has stolen at least $300,000 in Augur and Ether cryptocurrency from Bo Shen, the founder of venture capital firm Fenbushi Capital, and one of the early adopters of many of today's cryptocurrencies

Law School Victim Of A Cyber Attack, Applicant Data Compromised (Above the Law) The stress of applying to law school can be intense. The LSAT, the essay, the hassle of it all. Now there’s an additional stress factor — well, if you applied to the University of Wisconsin Law School in 2005-06

McDonald’s Drive-Thru Intercom Wireless Frequency System Hacked (HackRead) It happened in North Carolina where the Drive-Thru system was welcoming people with the voice of a woman moaning

Rock Star Joan Jett’s Label Left Tons of Sensitive Data Unprotected Online (Motherboard) Sometimes, there’s no need to hack into an email account or a computer to get extremely sensitive data such as credit card or social security numbers. Sometimes that data is left exposed for anyone who knows where to look—and knows how to use free internet scanning tools

Litigation, Investigation, and Enforcement

First CYBERPOL Security Operations Center to Open in USA with Protecting Tomorrow (PRNewswire) CYBERPOL, The International Cyber Policing Organization, with headquarters currently located in the United Kingdom, announces a strategic partnership with Protecting Tomorrow, a United States Cyber Protection Organization whose headquarters are established in San Diego, California

Democrats Intensify Push for Probe of Russian Meddling in 2016 Campaign (Mother Jones) House Dems call for a bipartisan commission to investigate

The Election Is Over. The Probe Into Russian Hacks Shouldn’t Be (Wired) From climate change denial to pizza-parlor pedophile conspiracy theories, 2016 has thoroughly shaken the groundwork of facts that Americans agree on. But there’s at least one story that the US can’t afford to let slide into the muck of conspiracy theories, fake news, and truthiness: whether the Russian government hacked America’s election

Cincinnati man sentenced in plot to kill feds (Federal Times) The Department of Justice has sentenced a Cincinnati-area man to 30 years in prison for plotting to kill federal officials in the name of the Islamic State group

Charities hit with fines for sharing donors’ data without consent (Naked Security) Two high-profile UK charities have been fined by the Information Commissioner’s Office (ICO) for misuse of personal information

Kids' privacy-endangering internet-connected toys should be banned, says EPIC (Graham Cluley) Don’t forget the power of the purse!

Design and Innovation

After study, Google gives keysticks two thumbs up (CyberScoop) After a two-year study, Google is lauding the use of USB cryptographic keysticks as a way to authenticate identity online, preventing phishing and man-in-the-middle attacks and securing both individual accounts and the enterprise to which they belong

Security Industry Association Opens Submissions for New Product Showcase at ISC West (PRWeb) The security industry’s leading awards program now accepting applications

Cybersecurity gamification: A shortcut to learning (Help Net Security) Cybersecurity awareness trainings are usually a boring affair, so imagine my colleagues’ surprise when I exited the room in which I participated in a demonstration of the Kaspersky Interactive Protection Simulation (KIPS) game and told them: “You have to try this!”

Gamifying DDoS. Steel manufacturing IP stolen in Germany. Floki Bot threatens PoS systems. Subdomain infringement. Dridex is back. Iranian strategic complexity or false flag? Investigating the Two Bears.