The CyberWire Daily Briefing 12.15.16

Cyber Trends

Gemalto study reveals security concerns over convergence of personal and workplace identities (Gemalto) 90% of IT professionals are concerned about employees using their personal credentials for work purposes. 62% of enterprises feel increasing pressure to match consumer authentication methods in the workplace.The use of two-factor authentication is on the rise, with 40% of organizations’ employees using it

Centrify And Rapid7 Trends And Predictions (Information Security Buzz) It’s that time of year again. The festive season is upon us and with it, online shopping will no doubt take another bite out of traditional bricks-and-mortar sales. With a colourful new president taking office shortly, 2017 promises to be an interesting year. But before we get to predictions, let’s take a look at the year that was

Health Data Security: A Tipping Point (HealthcareInfo Security) Finally, protecting patient data Is on list of priorities

Healthcare IT professionals are overconfident (Help Net Security) A Dimensional Research study evaluated the confidence of IT professionals regarding the efficacy of seven key security controls, which must be in place to quickly detect a cyber attack in progress. Study respondents included 763 IT professionals from various industries, including 101 participants from the healthcare sector

Security Scorecard: Where Are Consumers Most Engaged? (BankInfo Security) Aite's Julie Conroy on latest research into how far consumers will go to protect themselves

Smart devices abandoned on the road to nowhere (Naked Security) Contrast and compare these two scenarios

On the Ninth Day of Christmas, the Industry Predicted…GDPR Compliance (Infosecurity Magazine) Deck the halls with boughs of money, tra la la. Why boughs of money? If you suffer a data breach after June 2018 you could face a fine of up to €20 million or 4% of your global annual turnover for the preceding financial year, whichever is the greater. So if data security is not your thing, best enjoy the cash while it is still in your possession

What are NZ’s cybersecurity threats? – Expert Q&A (Science Media Centre) With the 14th annual Privacy, Security and Trust conference held in Auckland this week, the Science Media Centre asked cybersecurity experts about the biggest threats facing New Zealand. Please feel free to use these comments in your reporting

Legislation, Policy and Regulation

Turkey: Silencing the Media (Human Rights Watch) Ruthless assault on press freedom shields state from scrutiny

ENISA says crypto backdoors are a bad idea (Help Net Security) “History has shown that technology beats legislation, and criminals are best placed to capitalise on this opportunity,” the European Network and Information Security Agency (ENISA) noted in a recently released opinion paper on encryption

The Folly of Encryption Backdoors (Digital Guardian) In the aftermath of the election, many people in the security and privacy communities have expressed renewed concerns about the possibility the federal government might again try to implement backdoors or otherwise weaken encryption. It will likely be months before we see any movement on that front, but for now, a new report from the European Union’s information security agency says in no uncertain terms that backdoored encryption is bad for users and undermines the security of the network for everyone

Trump, tech leaders avoided encryption and surveillance talk at summit (CSO) Similar summits could take place as often as once per quarter

Snowden sends strong anti-surveillance message to Donald Trump (Business Standard) In a clear message to US President-elect Donald Trump, the famed National Security Agency (NSA) whistleblower Edward Snowden has said that government surveillance programmes will create "vulnerabilities" for social media users

Opinion: Congress needs to check government hacking powers (Christian Science Monitor Passcode) Now that law enforcement has more leeway to hack computers and surveil suspects due to changes in criminal procedure, Congress needs oversee these powers to protect Americans' civil liberties and privacy

New Law's Impact on IT Security and Privacy Protections (GovInfo Security) Audio report: ISMG editors analyze the latest developments

Air Force: Cyber security extends beyond IT (Defense Systems) The Air Force is working to “operationalize” cybersecurity initiatives by widening the aperture regarding what systems and platforms need to be examined and protected, service leaders said

CYBERCOM evaluating cyber mission force (C4ISRNET) The Defense Department and Cyber Command continue to evaluate the effectiveness and construct of the newly established cyber force

FCC Chairman Tom Wheeler, Net Neutrality Champion, Says He’ll Step Down (Motherboard) Tom Wheeler, the former telecom industry lobbyist who became an unlikely internet hero by passing the Federal Communications Commission’s landmark net neutrality policy, announced plans to step down from the agency in January

California DMV Calls Uber’s Autonomous Autos ‘Illegal’ (Wall Street Journal) Company rolled out the self-driving vehicles in San Francisco on Wednesday

California DMV orders Uber to stop self-driving car tests on SF roads [Updated] (Ars Technica) After smaller test in Pittsburgh, the ride-hailing company takes to Silicon Valley

Social media sites may need to apply age checks under UK anti-porn law (TechCrunch) Social media sites such as Twitter face being regulated in the UK under anti-porn proposals, as part of the government’s Digital Economy bill proposal

Products, Services, and Solutions

Online Clothing Retailer N Brown Chooses Website Protection from Imperva (GlobeNewswire) N Brown deploys Imperva Incapsula for improved website security with DDoS Protection and Web Application Firewall

OPSWAT Releases Complimentary Technology to Strip Common Documents Of Potential Cyber Threats (IT Business Net) OPSWAT today released data sanitization (CDR) for all web and API users of their cloud-based threat intelligence platform, Metadefender Cloud, allowing them to sanitize common document types to remove potential threats

Virtual StrongBox's 4th Patent Protects File Transfer Between Devices (PRNewswire) Virtual StrongBox, Inc. has received a fourth patent for its state-of-the-art software, which safeguards clients' data (and that of their customers) at all times. Whether consumers are dealing with their financial institution, healthcare provider or insurance agent, they demand convenience – but not at the expense of security. For these and other high-risk enterprises, ensuring safety and positive customer experiences can be challenging

NSS Labs Expands Research Offerings with new Breach Prevention System (BPS) Test (Yahoo! Finance) NSS Labs, Inc., the world's leading cyber security product research, testing, and advisory company, today released a new technology overview and a "Call-to-Test" for Breach Prevention Systems. Breach Detection Systems (BDS) have been deployed to provide enhanced detection of advanced malware, zero-day attacks, and targeted attacks to combat more skilled threat actors who are capable of evading traditional security technologies

Hexadite Teams With Carbon Black and Others to Automate Cybersecurity (Xconomy) A new alliance between cybersecurity companies from across the U.S. aims to more tightly integrate their products and advance efforts to automate key security processes

University of San Diego Chooses Thycotic to Protect Student Data From Cyberattacks (PRNewswire) Secret Server Cloud solution supports university's efforts surrounding cloud-first mentality

During Cybercriminals’ Most Wonderful Time of Year, Varonis Offers Free Course on Personal Internet Security (Econotimes) While consumers are online shopping for presents and new connected gadgets this season, cybercriminals are online stealing their information and hijacking their Internet of Things (IoT) devices

Kaspersky Lab presents new version of its flagship consumer security solution with enhanced data protection features (Tempo) Kaspersky Lab has presented the new version of its flagship security solution Kaspersky Internet Security, which provides users with additional opportunities to manage their Internet protection and to ensure their data safety

Technologies, Techniques, and Standards

The Invisible Costs of Cyber Weapons (Defense One) For kinetic weapons like tanks, production costs generally outweigh research and development. For cyber weapons, R&D is almost everything

ThreatConnect CEO: Cybersecurity's Only Way Forward in 2017 is Collaboration (DCInno) DNC hack fallout highlights importance of cyber attack info sharing

Protecting Utilities from Cyber Security Risks Introduced By Smart Meters (Industry Today) Most utilities understand and recognise the potential cyber security risks smart meters present, but not all have the infrastructure in place to detect and respond to cyber security incidents effectively

Panopticon Labs Urges Video Game Industry to Self-Regulate on Cybersecurity Before Government Intervenes (PRWeb) New whitepaper from first and only cybersecurity company for video game publishers explains why and how cyber criminals attack games and explores the unintended consequences of regulation

New PCI Guidance on Simplifying Network Segmentation (InfoRisk Today) Troy Leach of PCI Security Standards Council discusses steps to protect card data

Contactless Payments: Addressing the Security Issues (InfoRisk Today) PCI Council's Jeremy King on authenticating mobile payments with biometrics

RBI Eases Some Card-Not-Present Authentication Requirements (InfoRisk Today) But some critics fear the move could increase fraud

How to Make Sure Your Business's Social Media and Collaboration Tools Are Secure (BizTech) Businesses are increasingly embracing social media and in-office collaboration tools, but they need to educate users on social engineering and bake in several layers of security protections

Marketplace

Yahoo Discloses New Breach of 1 Billion User Accounts (Wall Street Journal) Verizon, which has struck a deal to buy company’s core business, will review impact of new breach

Yahoo Security Breach Adds Element of Insecurity to Its Purchase offer from Verizon (Inquisitr) Yahoo released a statement Wednesday confirming a massive security breach in August of 2013, which likely compromised the private user data of over 1 billion account holders. In a statement about the breach on its website, Yahoo, who in September of this year reported a separate breach of its systems in 2014, which affected 500 million users, explains that in November of this year it received data files from law enforcement that an unnamed third party claimed were Yahoo user data files

Vendor Accountability & The Security Supply Chain (Dark Reading) A large majority of security leaders say they would switch to suppliers that offer product and service guarantees, according to a new survey

Bug Hunters Prefer Communication Over Compensation (Threatpost) Unlike their criminal counterparts, it turns out that white hats aren’t necessarily as financially motivated when it comes to bug hunting

Why FireEye Is An Excellent Bargain Right Now (Seeking Alpha) The Company is operating and free cash flow positive, which suggests a successful completion of the restructuring phase. Previous takeover bids give the stock a conservative value of $19 per share. The market for security products is growing and I believe FEYE will benefit from this

TopSpin Security Gaining Traction in Financial Services Market (CIO Today) Financial services organizations select TopSpin Security Intelligent Deception Solutions to protect private data from cyber attackers -- Chicago trading company and other financial firms leverage DECOYnet™ intelligent deception and detection platform to meet compliance and protect private financial data

Marine Corps awards cyber, IT contracts to three firms (C4ISRNET) The Marine Corps has awarded cyber and IT contracts to three companies

New DIA acquisition process invites tech firms to show their stuff to senior leaders (Federal News Radio) For the past three years, the Defense Intelligence Agency has been experimenting with a rapid technology acquisition project called “Needipedia,” in which it publishes the technology gaps it wants to fill, lets industry respond with short white papers, then buys new capabilities in as little as a month. This week, DIA plans to take the concept a step further

DoD Battles to Train Enough Cyber Practitioners (GovTechWorks) A new report from the Presidential Commission on Enhancing National Cybersecurity calls for national workforce programs to train 100,000 cyber practitioners by 2020 and a national cybersecuirty apprenticeship program to train 50,000 more

Checkmarx Joins German Cyber Security Council (BusinessWire) The German Cyber Security Council and Checkmarx, a global leader in cyber and application security testing, announced today the induction of Checkmarx into the German Cyber Security Council. This exciting new membership approval was delivered by key council member, General Secretary of the Council Mr. Hans-Wilhelm Dünn, at the 2016 HLS & Cyber Conference, which took place mid-November in Tel Aviv, Israel

Promisec Appoints New CEO Simo Kamppari (PRNewswire) Promisec, a pioneer in Endpoint Detection and Response, today announced that its Board of Directors has appointed Simo Kamppari as CEO and President, effective immediately

Security Patches, Mitigations, and Software Updates

Joomla vulnerability can be exploited to hijack sites, so patch now! (Help Net Security) If you’re running a website on Joomla, you should update to the newly released 3.6.5 version as soon as possible – or risk your site being hijacked

Macs get critical updates, including patches against drive-by malware (Naked Security) Apple followed up its recent iOS 10.2 update with a related slew of security fixes for macOS, bringing the current laptop and desktop flavour of its operating system up to 10.12.2

Blue-Screen-of-Death occurs when installing Deep Security Agent and OfficeScan Agent on the same host (Trend Micro Business Support) Installing both Deep Security Agent (DSA) and OfficeScan (OSCE) agent on the same host triggers a Blue-Screen-of-Death (BSoD). This causes driver conflict and crash

Cyber Attacks, Threats, and Vulnerabilities

Important Security Information for Yahoo Users (Yahoo!) Following a recent investigation, we’ve identified data security issues concerning certain Yahoo user accounts. We’ve taken steps to secure those user accounts and we’re working closely with law enforcement

Yahoo's Record-Setting Breach Disclosure (The CyberWire) Yesterday Yahoo disclosed that more than a billion customer accounts were compromised in August 2013. This incident is distinct from the breach of 500 million accounts the company disclosed on September 22, 2016. Yahoo! said in its announcement that how the breach was accomplished is not yet known, and that the company is working with law enforcement to investigate. Security industry experts have weighed in with their views on what happened and how such attacks might be prevented or mitigated

Yahoo: One Billion More Accounts Hacked (KrebsOnSecurity) Just months after disclosing a breach that compromised the passwords for a half billion of its users, Yahoo now says a separate incident has jeopardized data from at least a billion more user accounts. The company also warned attackers have figured out a way to log into targeted Yahoo accounts without even supplying the victim’s password

Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion (Wired) IIn September, Yahoo had the unfortunate distinction of disclosing an enormous 500 million-account breach. Tough stuff. Somehow, though, the company seems to have topped even that staggering figure. Yahoo announced on Wednesday that hackers, in what’s likely a separate attack, compromised one billion of the company’s user accounts in August 2013. One billion. That makes this the biggest known hack of user data ever, and it’s not really close

Stolen Yahoo Data Includes Government Employee Information (Bloomberg Technology) FBI, CIA, NSA, White House workers among hacking victims. Former intelligence officers say leak could aid foreign spies

Yahoo Admits to Second Data Breach That Exposed Over 1 Billion User Records (Bleeping Computer) Yahoo Chief Information Security Officer (CISO) Bob Lord admitted today that Yahoo suffered a second data breach during which an unknown third-party had stolen information on more than one billion Yahoo users

Hackers stole data from 1 billion users accounts from Yahoo, company says (CBS News) Yahoo says it believes hackers stole data from more than one billion user accounts in August 2013

Yahoo discloses hack of 1 billion accounts (TechCrunch) The company disclosed today that it has discovered a breach of more than one billion user accounts that occurred in August 2013. The breach is believed to be separate and distinct from the theft of data from 500 million accounts that Yahoo reported this September

Yahoo sets hack record at 1 billion accounts (C|Net) A new breach revealed Wednesday by troubled internet pioneer compromised twice as many user accounts as the record hack it disclosed in September

Yahoo breach means hackers had three years to abuse user accounts (PC World) Elite hackers-for-hire or state-sponsored actors may have been involved, according to experts

Yahoo hack: Tech industry responds (Computing) Yahoo has discovered an even larger breach whilst investigating another. Here's what the tech industry makes of the farce

Newly Uncovered Site Suggests NSA Exploits for Direct Sale (Motherboard) The Shadow Brokers—a hacker or group of hackers that stole computer exploits from the National Security Agency—has been quiet for some time. After their auction and crowd-funded approach for selling the exploits met a lukewarm reception, the group seemingly stopped posting new messages in October

A Brief Interview with The Shadow Brokers, The Hackers Selling NSA Exploits (Motherboard) In August, a group calling themselves The Shadow Brokers publicly released a cache of NSA hacking tools, and promised to sell more. After a failed crowd-funding and auction attempt, the group now appears to be offering a wealth of trojans, exploits, and implants directly to potential customers

Hacktivists vs Faketivists: Fancy Bears in Disguise (ThreatConnect) What is a faketivist?

FinFisher-like government spyware found in APT attacks (IT News) Specific users targeted in Europe and Turkey

Malvertising campaign targets routers and every device connected to router (Computerworld) Researchers warned that cyber-savvy crooks are using a malvertising campaign that infects routers and Android devices. Any devices connected to an infected router will also be infected

DDoS attacks via WordPress now come with encryption (Help Net Security) Kaspersky Lab experts have noted an emerging trend – a growth in the number of attacks using encryption. Such attacks are highly effective due to the difficulty in identifying them amongst the overall flow of clean requests. Recently, the company encountered yet more evidence of this trend – an attack exploiting vulnerabilities in WordPress via an encrypted channel

Developer raises concerns about MD5 hashing algorithm in Wordpress (SC Magazine) As Wordpress plugin developer Wordfence raises concerns about security, Davey Winder asks if there isn't a bigger problem with the continued use of MD5 hashing

The State of Wordpress Security (Ripstech) Does Wordpress really need an introduction? It is by far the most popular blogging software on the planet and it is also abused for other tasks frequently. A large percentage of the World Wide Web is Wordpress

Mirai Giving DDoS-as-a-Service Industry a Boost (Threatpost) The availability of the Mirai malware source code online isn’t a guarantee that just anyone can quickly convert it into a money-making IoT-based DDoS botnet

Crowdsourced DDoS Extortion – A Worrying Development? (Digital Shadows) We all know about DDoS extortion – the process is straightforward. Contact the company, threaten to launch a crippling DDoS attack that will happen unless the company pays a ransom. But what if the actors do not target the company itself to pay the ransom, but its customers? That’s one of the wildcard scenarios outlined in our latest paper, Mirai and the Future: Forecasting the DDoS Landscape in 2017.

Cerber Ransomware Spreads via Fake Credit Card Email Reports (Bleeping Computer) Just in time for the Christmas holiday shopping spree, the group behind the Cerber ransomware has launched a spam campaign that uses fake credit card reports to trick users into opening a Word file that under certain circumstances will download and install the deadly Cerber ransomware

Corporate Office 365 users hit with clever phishing attack (Help Net Security) Corporate Office 365 users are being targeted by phishers using a clever new trick to bypass email filters and the default security protections of the Microsoft service

Flash Bug Allows Attackers to Spy on Users via Camera, Microphone (Bleeping Computer) In yesterday's monthly security patch, Adobe fixed a bug in Flash Player that would have allowed an attacker to hijack permissions granted to other Flash applets and spy on users via their camera or microphone

Netgear router remote control bug – what you need to know (Naked Security) On Monday, we wrote about a Netgear router bug that opened up a gaping remote access hole

Code Reuse a Peril for Secure Software Development (Threatpost) The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It’s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host

New 'Giveaways' Target Shoppers Searching For Hatchimals And Other Hot Toys (Forbes) During the holiday season, parents scrambling at the last minute to purchase toys at the top of their children’s wish lists will often go to great lengths to deliver

Sailors’ personally identifiable information stolen by Ricky Ninja (SOFREP News) On October 27, 2016, an unknown person or persons of interest stole 134,386 names and social security numbers of US Navy sailors from a laptop of a contractor working for Hewlett Packard and under contract by the Navy. The exfiltrated data derives from the Career Waypoints database (C-WAY). The C-WAY database is used to for re-enlistment submission and request for Navy Occupational Specialties. The last time the Navy suffered a breach of this scale was when the Iranians hacked into unclassified Navy systems in 2014

How Secure Is the Technology Protecting Your Home? (Insurance Quotes) What if burglars could break into your home without ever smashing a window or picking the lock? Say the front door swung wide open to let them in, but the only one there to greet them was your jewelry box?

Risky sites have never been easier to exploit (Help Net Security) 46% of the Internet’s top 1 million web sites, as ranked by Alexa, are risky. This is largely due to vulnerable software running on web servers and on underlying ad network domains, according to Menlo Security

Bye, privacy: Evernote will let its employees read your notes (Network World) Consumers can't opt out of being snooped on for the purpose of training algorithms

Litigation, Investigation, and Enforcement

Intelligence Community Statement on Review of Foreign Influence on U.S. Elections (IC on the Record) Senior Administration Officials have regularly provided extensive, detailed classified and unclassified briefings to members and staff from both parties on Capitol Hill since this past summer and have continued to do so after Election Day

DHS Chief: 'No Evidence' Hacking Affected Ballot Count on Election Night (Townhall) Contrary to the CIA’s assessment that Russian cyberattacks helped Donald Trump win the election, the head of the Department of Homeland Security said there was no evidence to indicate anything of the sort happened

Here's the Public Evidence Russia Hacked the DNC – It's Not Enough (Intercept) There are some good reasons to believe Russians had something to do with the breaches into email accounts belonging to members of the Democratic party, which proved varyingly embarrassing or disruptive for Hillary Clinton’s presidential campaign. But “good” doesn’t necessarily mean good enough to indict Russia’s head of state for sabotaging our democracy

Hurd to lawmakers on Russian hacking intel: ‘We need to be really careful’ (CyberScoop) The only sitting member in the House of Representatives to have served in the CIA is advising fellow lawmakers to tread carefully with the information they collect during ongoing investigations focused on Russian hacking related to the recent presidential campaign

Here's some questions Congress should ask about the election-related hacks (CSO) President-elect Donald Trump remains skeptical Russia was involved, despite U.S. intelligence findings

NBC News: Intelligence officials say Putin personally involved in election hack (USA Today) Russian President Vladimir Putin was personally involved in efforts to intervene in the 2016 U.S. presidential election, NBC News reported, citing two unnamed "senior U.S. intelligence officials"

Donald Trump 'obviously aware' Russia was involved in US election hacking, White House says (Independent) Mr Trump is facing growing pressure to respond to the alleged hack

Obama’s Deep Dive Into Putin’s Intent (Geopolitical Futures) Was Russia meddling in U.S. elections, or is it just politics?

Minister reassures MPs over Scottish independence referendum cyber attack concern (Herald Scotland) Ministers have been asked by a Labour MP if the UK's security services have considered whether the Scottish independence referendum was affected by a cyber attack

Google Discloses Contents of Eight National Security Letters (Threatpost) Google on Tuesday disclosed the contents of eight National Security Letters it received between 2010 and 2015, becoming the latest company under reforms afforded by the USA Freedom Act to do so. The requests made by United States Federal Bureau of Investigation were made to Google to identify 21 customer accounts and related account data

Flynn investigated by Army for wrongly sharing intelligence (AP via KLTV) The retired Army general chosen by Donald Trump to be national security adviser was investigated for inappropriately sharing classified information with foreign military officers while he was serving as an intelligence commander in Afghanistan

Michael Flynn Called Hillary Unfit, but Spilled Classified Info Himself (Daily Beast) Michael Flynn loved to chant ‘Lock Her Up’ at Trump rallies. But during his tenure in the Army, he mishandled classified information—just like Hillary

University Professor and Co-Defendants Respond to Defamation Charge From Medical Device Maker (Chicago Maroon) His warning about the devices was sent on University letterhead

American Hacker Arrested For 2014 JP Morgan Chase Breach (Dark Reading) Joshua Aaron and his two accomplices are charged with massive hacking of US financial organizations, securities fraud and money laundering

Ashley Madison settles charges over its massive data breach (Engadget) The payout is small, but the reforms could make a big difference for the infidelity service

Design and Innovation

150 Filmmakers Ask Nikon and Canon to Sell Encrypted Cameras (Wired) In the summer of 2013, when documentary filmmaker Laura Poitras was shooting a still-secret NSA leaker named Edward Snowden in a Hong Kong hotel room, she took security seriously. She’d periodically transfer her footage to encrypted hard drives, and would later go so far as to destroy the SD cards onto which her camera recorded. But as she watched Snowden through her lens, she was haunted by the possibility that security agents might barge through the door at any moment to seize her camera. And the memory card inside of it remained dangerously unencrypted, full of unedited confessions of a whistleblower who hadn’t yet gotten his secrets out to the world

New York exhibition puts us – and our data – on display (Naked Security) Ever get that feeling, walking down a busy city street, that somebody’s following you?

Yahoo discloses record breach. The ShadowBrokers abandon auctions for retail. "FinFisher-like" APT found in Europe, Turkey. US investigations of Russian influence operations continue.