Update on Fancy Bear's gunnery hacking. US and Russian cyber tensions, with an excursus on noisy cyber weapons.
More people look at the compromised Android fire direction app that enabled Russian forces to locate and destroy Ukrainian artillery during hybrid combat in eastern Ukraine. The Ukrainian officer who developed the app and provided it to his comrades has said reporting on the hack contains "rotten information." But he also advises users to delete older versions and download the app only from him. Some commentators think the risks CrowdStrike reported are overblown, because devices using the app wouldn't be Internet-connected, but video of Ukrainian gunners using the tool appears to show them connecting wirelessly to something.
The incident, the clearest instance yet of lethal tactical hacking (apart from some targeting of ISIS operators), is seen by many as a harbinger of the intersection of the cyber and kinetic domains.
CrowdStrike attributes the hack to Fancy Bear, Russia's GRU, and says the code is relevantly similar to that found in the US Democratic National Committee networks. Russian President Putin again denied meddling with US elections and expressed hope for better relations. The US still presumably has some retaliatory options in the barrel, but what those might be remains to be seen. There's not much hint of them in recent high-minded harrumphing from Director of Central Intelligence Brennan, who would decline to sink to the adversary's level, deplores "skullduggery," etc. The Council on Foreign Relations says people at Fort Meade told them that US Cyber Command likes the idea of "loud" cyber weapons, so retaliation, if it comes, may be noisily obvious.
Notes.
Today's issue includes events affecting Australia, Brazil, Ireland, Russia, Ukraine, and the United States.
A note to our readers: Since this year both Christmas and New Year's Day fall on Sunday, we'll take a break on Monday, December 26th, and again on Monday, January 2nd. Other than that we'll publish on our normal schedule. Best wishes for the holidays from all of us at the CyberWire.
You can find information security lessons everywhere. We think we can see some in the new Star Wars flick, "Rogue One." Here's a thought: the Empire's contractors on Eadu were apparently less than fully NISPOM compliant. Didn't Director Krennic require them to self-certify? (For background on NISPOM, see this account of a CRTC symposium, and lawyer up, padawans. Even the Empire has privacy and employment laws. We're pretty sure...although Krennic's HR policies seem a little strict...)
The CyberWire's regular daily Podcast will be out later this afternoon, with interviews, educational tips, and more on the stories of the day. Today we'll hear from our partners at Lancaster University, as Awais Rashid explains how advanced persistent threats exfiltrate data. Our guest is FBI Special Agent Keith Mularski, who'll give us the straight skinny on the big Avalanche takedown.
You may also find the special edition of our Podcast of interest—the topic is venture capital. In it we examine the current state of investment in cyber security, speak to experts in the field, and learn from top cyber security-focused venture capitalists about what they expect before they invest.
The podcast will take a holiday break on December 26th and January 2nd. Next week, December 27th through December 30th, we'll be running special best-of-episodes from 2016, including new material in extended interviews with some of our most interesting partners and guests. We'll return to our normal programming on January 3rd. If you've enjoyed the podcasts, please consider giving us an iTunes review.
Cyber Attacks, Threats, and Vulnerabilities
The group that hacked the DNC infiltrated Ukrainian artillery units (CSO) The group distributed a trojanized version of an Android app used by Ukrainian artillery personnel
In Ukraine, more evidence of a hacking group's Kremlin ties (Military Times) For those searching for stronger evidence of Russia's connection to the hack of the Democratic National Committee, the tale of an infected Ukrainian Android app used for cellphones or tablets may help, according to a cybersecurity firm
This Android Malware Ties Russian Intelligence To The DNC Hacks (Forbes) The most convincing evidence yet tying Russia's GRU intelligence agency to the hack of the Democratic National Committee has been found in a bizarre tale involving an Android app developed by a Ukrainian military officer, security firm CrowdStrike claimed today
Fancy Bear Hack of Ukrainian Artillery Fighters Shows Future of War (Motherboard) Hackers believed to be working for the Russian military were able to track the position of Ukrainian fighters thanks to a booby-trapped Android app originally used to improve the aim and accuracy of Ukraine’s own artillery units, according to a new report
Cyber attack takes down power grid, 60 substations (SecureID) Experts suggest Ukrainian hack likely portends future attacks
Cerber Ransomware Doesn't Delete Shadow Volume Copies Anymore, Prioritizes Office Docs (Bleeping Computer) Recent versions of the Cerber ransomware are behaving somewhat differently from older variants, with the ransomware not deleting shadow volume copies, prioritizing specific folders and ignoring others
New attacks on wallets and AdWords correlate with Bitcoin price surge (Cisco Umbrella) Over the past year as cryptocurrency has steadily increased well past $800, OpenDNS Labs has been diligently tracking Bitcoin wallet phishing campaigns. With this most recent uptick in price we have observed a recent rise during this holiday season in phishing domains to steal access to online wallets
Beware: Android Super Mario Run is Actually Malware; Don’t Download It (HackRead) Cyber criminals are taking advantage of the newly released Super Mario Run gaming app on iOS
Pow! Captain America and other Marvel heroes defeated by bad passwords (Naked Security) The hacker group OurMine has turned its firepower on the Twitter accounts of some of our favorite heroes from the Marvel Comics universe, as well as Netflix
Marvel, Captain America, NFL Twitter Accounts Also Hacked by OurMine (Softpedia) OurMine hackers breach more Twitter accounts
Groupon frauds blamed on third-party password breaches (Register) Been re-using passwords again, bud123?
Alice in ATM-land: Security company identifies dangerous new malware threat (ATM Marketplace) Trend Micro, a security software company based in Los Angeles, has discovered Alice, a new family of ATM malware that the company described in its blog as "the most stripped down ATM malware family we have ever encountered"
Uber explains why it looks like its app is still tracking your location, long after drop-off (TechCrunch) Uber responded today to reports that its app continues to check users’ locations even when they hadn’t used the ride-hailing service for days or weeks. The company explained that the issue is being caused by the iOS operating system itself, not direct tracking by its app
Facebook already has a Muslim registry—and it should be deleted (Ars Technica) Facebook stands alone in the breadth and depth of personal data it collects
Black market medical record prices drop to under $10, criminals switch to ransomware (CSO) The black market value of stolen medical records dropped dramatically this year
Cork City Council Averts Cyber Attack (Evening Echo) Cork City Council has revealed that it was targeted by hackers in a recent cyber attack
Security Patches, Mitigations, and Software Updates
Siemens Patches Insufficient Entropy Vulnerability in ICS Systems (Threatpost) German industrial giant Siemens has provided a firmware update addressing vulnerabilities found in a popular line of its Desigo PX industrial control hardware, used primarily in controlling HVAC systems in commercial buildings
Firefox to Expand Sandbox Security Feature (Bleeping Computer) Mozilla announced plans to expand the Firefox sandbox security features with the introduction of a second sandboxing system for working with the browser's new multi-process e10s (Electrolysis) feature
Facebook kills off exact location sharing in Nearby Friends, adds “Wave” (TechCrunch) Nearby Friends didn’t turn into the Foursquare-killer it could have been, but Facebook is still trying to help people meet up in person… with a few changes. Facebook has removed the precise location-sharing feature from Nearby Friends, which now only lets you opt-in to broadcasting your approximate distance from friends and current neighborhood
Cyber Trends
Here’s Why We Should Expect More Ransomware Attacks Next Year (Fortune) Making cybersecurity predictions about the year ahead is generally an exercise in pessimism. Intrusions will continue, yes. Hacks ain't going anywhere, for sure. More secrets will leak, no doubt
Cybersecurity Researchers To Corporates: You’re Being Naïve (PYMNTS) Corporates large and small are “naïve” about their cybersecurity risks, according to a new report
University of Phoenix Survey Shows Convenience Outweighs Cybersecurity Fears for Majority of Americans (BusinessWire) Cybersecurity expert offers tips to stay secure online while wrapping up this holiday shopping season
Major Cyberattacks On Healthcare Grew 63% In 2016 (Dark Reading) US hospitals lack new technologies and best practices to defend against threats, new report says
Experts: Internet of Things Security Will Affect 2017 in Many Ways (IT Business Edge) When I asked security experts for their 2017 predictions, ransomware was mentioned more often than anything else. But close on ransomware’s heels were the security concerns surrounding the Internet of Things (IoT)
More Than 50% Of Biggest Holiday Retailers May Not Be PCI-Compliant (Dark Reading) Security Scorecard warns while the industry has made progress, many are still not covering the basics of security
Inside The Vulnerability Disclosure Ecosystem (Dark Reading) Report released by NTIA stakeholders offers new information on how organizations respond to security vulnerabilities - and what researchers think
Marketplace
Amid Yahoo hacks, a churn of security officers (San Francisco Chronicle) When Yahoo experienced the nation’s largest hacking attack, with information stolen from more than 1 billion user accounts in August 2013, it lacked a permanent information security chief
Cyber Security ETFs in Focus After Yahoo Hack Report (Nasdaq) Cyber security continues to be in the limelight as we approach the end of 2016 owing to numerous data breaches. While there were speculations of the Russian government resorting to hacks and sending contents to WikiLeaks to help Trump get to the White House, the biggest was probably Yahoo (YHOO) admitting to a high-profile data-security breach earlier this month
FireEye, Inc.'s Biggest Failure in 2016 (Motley Fool) The cybersecurity company's strategy stopped working, leading to sluggish growth and a major layoff
What is Peter Thiel's Endgame for Palantir? (Vanity Fair) Thiel’s start-up has millions of dollars in government contracts—and now, a friend in the White House, too
Why Palo Alto Networks, Symantec Corporation Received Positive Feedback from Resellers (Country Caller) Andrew Nowinski issued highlights from an investor event with a number of security consultants and resellers
RedSeal CEO: Executives need 'visualization' to help determine cybersecurity effectiveness (GSN) The past two weeks have been affirming ones for Ray Rothrock and his team at RedSeal
SC Media Names Onapsis an “Industry Innovator” for 2016 (Onapsis) Global experts in SAP cybersecurity recognized for excellence in industry leadership
SentinelOne Honored as 2016 Industry Innovator by SC Media (Yahoo!) SentinelOne, the company transforming endpoint security by delivering real-time protection powered by machine learning and dynamic behavior analysis, today announced that it was recognized as an Innovator in the Data Protection category in SC Magazine's December 2016 Reboot issue. The company's next-generation Endpoint Protection Platform was recognized for its innovative threat detection technology and groundbreaking product guarantee against ransomware. SC Magazine's Innovator designation recognizes cybersecurity companies that have shown extraordinary innovation in the last year, not just in their technology but in their approach to the market as well
Products, Services, and Solutions
Comodo Internet Security 10 Now Available for Download (Softpedia) New version of the security suite released today
Veris to use Endgame solution to enhance detection, eliminate threats (GSN) Endgame, a leading endpoint security platform to close the protection gap against advanced attackers, today announced that Veris Group's Adaptive Threat Division (ATD), an industry-leading provider in adversary simulation and detection services, will utilize Endgame's endpoint detection and response platform to enhance detection, response, and threat hunting capabilities to eliminate security threats faster and with greater accuracy for customers
Technologies, Techniques, and Standards
NIST Guide Provides Way to Tackle Cybersecurity Incidents with Recovery Plan, Playbook (NIST) “Defense! Defense!” may be the rallying cry from cybersecurity teams working to thwart cybersecurity attacks, but perhaps they should be shouting “Recover! Recover!” instead. Attackers are increasingly racking up points against their targets, so the National Institute of Standards and Technology (NIST) has published the Guide for Cybersecurity Event Recovery to help organizations develop a game plan to contain the opponent and get back on the field quickly
NIST Special Publication 800-184: Guide for Cybersecurity Event Recovery (NIST) In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios. This preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents
Blog: Codebreakers Report: NIST Needs Solutions for Looming Quantum Computer Threat (SIGNAL) Cryptographers have until Nov. 30 to submit algorithms to protect encryption codes
NIST crowdsources quantum-proof encryption (The Stack) The National Institute of Science and Technology has called for cryptographers to create the next generation of cryptography keys, intended to withstand attack by a quantum computer
CDM: A Government Program Worth Emulating and Fully Funding (Lawfare) The federal government isn’t often held up as a model for IT innovation and efficiency, but there are areas where they should be. An example of a policy directive that has paid dividends is the Continuous Diagnostics and Mitigation (CDM) program, whose aim is to give civilian government agencies a sensible, cost-effective way to upgrade their cybersecurity posture
Before You Pay that Ransomware Demand… (KrebsOnSecurity) A decade ago, if a desktop computer got infected with malware the chief symptom probably was an intrusive browser toolbar of some kind. Five years ago you were more likely to get whacked by a banking trojan that stole all your passwords and credit card numbers. These days if your mobile or desktop computer is infected what gets installed is likely to be “ransomware” — malicious software that locks your most prized documents, songs and pictures with strong encryption and then requires you to pay for a key to unlock the files
Password expiry is a ‘blunt instrument’ that rarely delivers, says cyber security expert (Public Technology) The use of automatic password expiry as a security mechanism is an “outdated and ineffective” practice that increases organisations’ costs, reduces productivity and makes accounts more vulnerable, according to the National Cyber Security Centre
Password Alternatives: How to Secure your Enterprise's Data (Infosecurity Magazine) Passwords are still a popular target for hackers. Even small password hacks that go unnoticed can have a catastrophic effect. Take for example this year’s Yahoo password leak that compromised more than 500 million accounts, and affected the likes of Dropbox, LinkedIn, KFC, the Office of Personnel Management and many more
5 Doubts You Should Clarify About Threat Intelligence (Recorded Future) Threat intelligence can be one of the most valuable tools in your information security toolbox, especially when it comes to providing visibility into potential attackers’ strategies and tactics
How to Protect and Harden a Computer against Ransomware (Bleeping Computer) 2016 is almost over and it definitely taught us one thing; Ransomware is here to stay and it's only going to get worse. With even the smaller ransomware developers earning a lot of money, the ransomware explosion is going to continue with more innovative techniques used in 2017
Design and Innovation
Most Autopilot features could come to Teslas with updated hardware next week (TechCrunch) Newer Tesla Model S and Model X owners get a big benefit vs. their predecessors – all the sensors and computing power onboard needed to achieve full self-driving when the software’s ready
Autonomous cars seen as smarter than human drivers (TechCrunch) PwC released the results of its latest survey on the future of automotive technology, and it seems Americans are coming around to the idea of autonomous cars, ride hailing and car sharing. So much so that 66 percent of respondents said they think autonomous cars are probably smarter than the average human driver
Glitch art: Meet the artist who knitted Stuxnet into a scarf (Ars Technica) Ars investigates the nascent domain of turning source code and errors into art
Legislation, Policy, and Regulation
Putin says Democrats lost U.S. election on their own, asserts desire for positive relations with Trump (MarketWatch) At annual year-end news conference, Putin says he hopes to have a constructive relationship with U.S. President-elect Donald Trump
CIA director: US should not 'resort' to Russian tactics in hack retaliation (Washington Examiner) How the U.S. retaliates against Russian hacking in the recent election matters, according to CIA Director John Brennan
U.S. was reportedly more prepared for Russian cyber attacks than disinformation campaign (Reuters via Venture Beat) The U.S. government spent more than a decade preparing responses to malicious hacking by a foreign power but had no clear strategy when Russia launched a disinformation campaign over the internet during the U.S. election campaign, current and former White House cyber security advisers said
How the U.S. Could Retaliate against Russia’s Information War (Scientific American) Obama promised a response to hacking and other election interference, but what are his options?
Blog: Greater Integration Across the EMS Needed for Battlefield Dominance (SIGNAL) There’s no disputing technology’s role in the rapidly changing face of modern warfare. The convergence of commercial services with military applications, such as delivery of real-time data from anywhere using various devices, has changed the physical nature and understanding of what constitutes a combat environment. The U.S. military seeks to define a strategic approach to these converged operations
Exclusive: NY financial regulator to delay cyber security rules (Reuters) New York's financial regulator will delay an anticipated Jan. 1 deadline for banks and insurers doing business in the state to comply with controversial cyber security rules, a person familiar with the matter said
Litigation, Investigation, and Law Enforcement
Inquiry says Snowden in contact with Russia’s spy services (Washington Times) Former National Security Agency contractor Edward Snowden remains in contact with Russian intelligence services, according to a bipartisan congressional report released at a time when Russia is considered a top national security concern
Moscow: It's much easier to vilify Russia than to consider election results (The Hill) Russian President Vladimir Putin's press secretary criticized the U.S. response to the alleged Russian interference in the 2016 election, accusing the White House of purposefully demonizing the country rather than considering the results of the election
Commentary: Where's the evidence that Russia hacked the Democrats? (CBS News) Have you seen any conclusive evidence that Russia hacked Democratic email servers in order to get Donald Trump elected president?
Australian Police Thwart Christmas Day Terrorist Attack in Melbourne (Atlantic) Australian police arrested five men who were plotting a terrorist attack in Melbourne on Christmas Day
Berlin Attack Suspect Is Killed by Police Near Milan (New York Times) Anis Amri, the chief suspect in the deadly terrorist attack on a Christmas market in Berlin this week, was killed by the police in a shootout outside Milan around 3 a.m. Friday, ending a brief but intense manhunt across Europe, Italian officials announced
Brazilian Police Identify Culprit in Celebrity Cyber Racism Case (Plus55) Turns out the culprit behind cyber racism attacks on a Brazilian celebrity's transracial adoptee is a black girl herself
US collects social media handles from select visitors (CSO) The move had been criticized as encroaching on the privacy of the visitors
Alibaba is back on U.S. blacklist of “notorious marketplaces” (TechCrunch) The USTR dropped its annual blacklist calling out marketplaces that are rife with counterfeit and pirated goods this week
Upcoming Events
CES® CyberSecurity Forum (Las Vegas, Nevada, USA, Jan 5, 2017) Now in its second year, the CES® CyberSecurity Forum presented by CyberVista is designed to ensure all stakeholders in developing high tech solutions understand the complexity and the need for action in the cybersecurity arena. The IoT, connected cars, new payment systems, VR and AR, wearables and our mobile devices all add new levels of concern to protecting our personal and corporate data. In this day-long conference, we’ll tackle the world of cybersecurity that demands we go far beyond the simple passwords and anti-virus protection of yesterday.
SANS Security East 2017 (New Orleans, Louisiana, USA, Jan 9 - 14, 2017) Start the year off right by choosing from outstanding, cutting-edge courses presented by our top-rated instructors. SANS is looking forward to an exciting kickoff of 2017 with SANS Security East 2017 in the "Big Easy" in January. Now is the time to improve your information security skills and laissez les bons temps rouler!
Global Institute CISO Series Accelerating the Rise & Evolution of the 21st Century CISO (Scottsdale, Arizona, USA, Jan 11 - 12, 2017) These intimate workshops address the challenges that Boards of Directors are placing on security and risk executives, and how to successfully manage and communicate today’s enterprise and organizational threats. These are intense “roll your sleeves up” thought leadership discussions on How Cyber is Driving the New Board Perspective on Enterprise Risk Management. Attendance is limited to 30 Security and Risk Executives from Global 2000 corporations. For Chief Information Security Officers, Chief Information Officers, and Chief Risk Officers, by invitation only (apply to attend).
Cybersecurity of Critical Infrastructure Summit 2017 (College Station, Texas, USA, Jan 11 - 13, 2017) An inaugural event to convene thought-leaders, experts, and strategic decision makers from government, industry, and academia to discuss the technology and policy implications of the ever-evolving cyber-threats to critical infrastructures. This summit will focus on two sectors that are among those at greatest risk, the energy and manufacturing sectors. Highlighting emerging technologies and policy initiatives, this event will foster the development of high impact strategies to address the many interrelated cybersecurity challenges we face in the protection of our nation’s critical infrastructures.
ShmooCon 2017 (Washington, DC, USA, Jan 15 - 17, 2017) ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It, and Bring It On.
SANS Las Vegas 2017 (Las Vegas, Nevada, USA, Jan 23 - 28, 2017) Attend SANS Las Vegas 2017, where SANS will provide outstanding courses in IT security, forensics, and security management presented by the best cybersecurity teachers in the country. At SANS events you get the kind of hands-on, immersion training that you can put to work immediately.
BlueHat IL (Tel Aviv, Israel, Jan 24 - 25, 2017) Announcing BlueHat IL – a special edition of Microsoft's leading cyber security conference for top professionals, to be held for the very first time in Tel Aviv, Israel. Over the past 10 years, BlueHat conferences have drawn the brightest minds in security to discuss key industry challenges. And now, BlueHat IL is here to crank it up by exploring and creating new cyber security thoughts and boundaries. This exclusive, by invitation only, single track event will host top cyber security professionals from around the world, who will come together to tackle the present and peek into the future. It will feature brilliant speakers and focus on breakthrough research, key trends and emerging threats in the field. Registration closes December 28.
SANS Cyber Threat Intelligence Summit & Training 2017 (Arlington, Virginia, USA, Jan 25 - Feb 1, 2017) Join SANS at this innovative Summit as we focus on enabling organizations to build effective cyber threat intelligence analysis capabilities. Most organizations are familiar with threat intelligence, but have no real concept of how to create and produce proper intelligence. The 2017 Summit will focus on specific analysis techniques and capabilities that can be used to properly create and maintain Cyber Threat Intelligence in your organization. Attend this summit to learn from and discuss directly with the experts who are doing the CTI analysis in their organizations. What you learn will help you detect and respond to all ranges of adversaries, including some of the most sophisticated threats targeting your networks.
Blockchain Protocol and Security Engineering (Stanford, California, USA, Jan 26 - 27, 2017) This conference will explore the use of formal methods, empirical analysis, and risk modeling to better understand security and systemic risk in blockchain protocols. The conference aims to foster multidisciplinary collaboration among practitioners and researchers in blockchain protocols, distributed systems, cryptography, computer security, and risk management.