US reported ready to retaliate against Russian cyber ops. Airline booking systems said open to compromise. Some analysts think Yahoo! breaches will have little effect on deal with Verizon.
The US is said to be preparing retaliation for Russian intelligence and influence operations conducted during the 2016 election season. The nature of the response is unspecified, but it's being described as "proportionate," and, in all likelihood, as including some covert operations in cyberspace. Members of both major parties in Congress have been pushing the Administration to act, urging among other measures exposure of personal corruption in the Russian leadership. (This would resemble Russian doxing of the Democratic National Committee, which good-government advocate Putin has observed, without acknowledging responsibility, was actually a contribution to American political transparency. That's one way of looking at it.)
Investigation of Russian influence operations continues. The US Intelligence Community blogged on December 16 that it wouldn't share further information until the inquiry is complete and reported to Congress. Journalists who filed a Freedom of Information Act request for access to preliminary results filed suit in a Federal court seeking to require the IC to be more forthcoming.
Security Research Labs (SRL) revealed the discouraging results of their inspection of air travel booking systems yesterday at the Chaos Communication Congress. The three major services that handle some 90% of airline bookings—Amadeus, Sabre, and Travelport—were found, according to SRL, to lack meaningful authentication (not even "a first authentication factor"). Passenger itineraries and personal information are easily exposed, stolen, and manipulated.
Some financial analysts think the Yahoo! breaches will have little effect on the company's deal with Verizon: customers, they think, have grown blasé about breaches.
Notes.
Today's issue includes events affecting Botswana, Brazil, China, Democratic Republic of Congo, Germany, India, Indonesia, Iran, Israel, Italy, Kenya, Republic of Korea, Mexico, NATO/OTAN, Nigeria, Romania, Russia, South Africa, Spain, Switzerland, Taiwan, Thailand, Uganda, Ukraine, and United States.
A note to our readers: New Year's Day falls on Sunday, and so we'll take a break on Monday, January 2nd. Other than that we'll publish on our normal schedule. Best wishes for the new year from all of us at the CyberWire.
You can find information security lessons everywhere. We think we see some in the new Star Wars flick, "Rogue One." Here's a thought: the Empire's contractors on Eadu were apparently less than fully NISPOM compliant. Didn't Director Krennic require them to self-certify? (For background on NISPOM, see this account of a CRTC symposium, and lawyer up, padawans. Even the Empire has privacy and employment laws. We're pretty sure...although Krennic's HR policies seem a little strict...)
The CyberWire podcast this week offers a series of end-of-year long-form (but still brief) episodes. We're running extended interviews that include never-before-aired conversations with some of our most interesting partners and guests. Our normal programming returns on January 3rd. If you've been enjoying the podcasts, please consider giving us an iTunes review.
You may also find the special edition of our Podcast of interest—the topic is venture capital. In it we examine the current state of investment in cyber security, speak to experts in the field, and learn from top cyber security-focused venture capitalists about what they expect before they invest.
Cyber Attacks, Threats, and Vulnerabilities
Iranian officials inexplicably exaggerate years-old Nitro Zeus cyber threat (Space Watch Middle East) Senior officials from Iran’s Civil Defence Organisation warned a conference audience in Tehran of an imminent U.S. and Israeli cyber attack against Iran code-named Nitro Zeus. The only problem is that Nitro Zeus has been shelved by the U.S. and Israel for several years, and was even featured in an acclaimed and popular documentary
Ukrainian Power Grid Blackout Alert: Potential Hack Attack (InfoRisk Today) Takeaways from 2015 hacks, as potential new attack comes to light
Special Report: Conversations About Nation-State Adversaries (GovInfo Security) Audio Report: ISMG Editors analyze the latest developments
Ransomworm: the next level of cybersecurity nastiness (CSO) 2017 could see further evil innovations of ransomware
Fileless Malware Takes 2016 By Storm (Dark Reading) In-memory attacks are all the rage, creating a growing class of "non-malware"
'Legion' Cyberattacks Put Spotlight on Security Shortcomings (InfoRisk Today) What does India need to do to defend against emerging threats?
Android Trojan Switcher Infects Routers via DNS Hijacking (Threatpost) A new Android Trojan uses victims’ devices to infect WiFi routers and funnel any users of the network to malicious sites. The malware doesn’t target users directly – instead its goal is to facilitate further attacks by turning victims into accomplices
Firms warned to be wary of rise in DDoS attacks () DDoS attacks are causing huge problems
Millions of Websites Vulnerable Due to Security Bug in Popular PHP Script (Bleeping Computer) A security flaw discovered in a common PHP script allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server
Flight Booking Systems Lack Basic Privacy Safeguards, Researchers Say (Fortune) Major travel booking systems lack a proper way to authenticate air travelers, making it easy to hack the short code used on many boarding passes to alter flight details or steal sensitive personal data, security researchers warned on Tuesday
It's Incredibly Easy to Tamper with Someone's Flight Plan, Anywhere on the Globe (Motherboard) It’s easier than many people realize to modify someone else’s flight booking, or cancel their flight altogether, because airlines rely on old, unsecured systems for processing customers’ travel plans, researchers will explain at the Chaos Communication Congress hacking festival on Tuesday. The issues predominantly center around the lack of any meaningful authentication for customers requesting their flight information
Legacy booking systems disclose travelers’ private information (Security Research Labs) Travel bookings worldwide are maintained in a handful of systems. The three largest Global Distributed Systems (GDS) Amadeus, Sabre, and Travelport administer more than 90% of flight reservations as well as numerous hotel, car, and other travel bookings
Major Breach: Insurer Blames System Integrator (Healthcare Info Security) Community Health Plan of Washington says incident affected nearly 400,000
Kaspersky: Romanian government institutions are vulnerable to cyberattacks due to old IT systems (Business Review) Cyber espionage is a phenomenon that will expand next year, Romania having a medium exposure to it, taking into account that the country has very good specialists, but low budgets and the vulnerabilities are present especially in the government institutions due to the old IT systems, said Stefan Tanase, senior security researcher within the Russian producer of cybersecurity services Kaspersky Lab, according to News[dot]ro
‘5 African countries vulnerable to cyber attack’ (Vanguard) Latest study just released by Check Point has revealed that five African nations were among the top 10 most attacked countries in November 2016 as cybercriminals made increasing use of ransomware attacks using the Locky and Cryptowall viruses
Security Patches, Mitigations, and Software Updates
Microsoft Admits Serious Windows 10 Upgrade Error (Forbes) I was saying this long before it was fashionable: Microsoft crossed the line with its Windows 10 upgrade tactics by employing seriously dirty tricks - and now, at long last, the company has admitted it
Cyber Trends
The Year Encryption Won (Wired) Between the revelations of mega-hacks of Yahoo and others, Russia’s meddling in the US electoral system, and the recent spike in ransomware, it’s easy to look at 2016 as a bleak year for security. It wasn’t all so, though. In fact, the last 12 months have seen significant strides in one of the most important aspects of personal security of all: encryption
2016 State of Business application security (ERPScan) In the wake of several high-profile incidents involving business applications over the outgoing year, there is an increasing focus on business software security. In this blog post, we gathered together the milestones of this topic for 2016
2017 Cybersecurity Predictions: The Impact of Trump Election (BankInfo Security) Tom Kellermann of Strategic Cyber Ventures on top threats and threat actors to watch
17 Security Experts Share Predictions for the Top Cyber-Trends of 2017 (eWeek) Enterprises, governments and end users faced no shortage of security challenges in 2016. As the year draws to a close, we wonder: What security trends will continue into 2017? What will be the big security stories of the year to come? Many trends emerged in 2016 that are very likely to remain key issues for organizations of all sizes and shapes in 2017. Among them is the continued and growing risk of ransomware, which emerged in 2016 as a primary attack vector for hackers aiming to cash in on their nefarious activities. In 2016, nation-states once again were identified by multiple organizations as being the source of serious cyber-threats, and there is no indication that will change in the year ahead. Among the emerging trends that could become more prominent in the new year are the widespread use of containers and microservices to improve security control
8 Boldest Security Predictions For 2017 (Dark Reading) Scary, funny and maybe even a little outlandish, these industry predictions come from prognosticators who didn't mince words
2017 — A potluck holiday feast of predictions (CyberScoop) It’s that familiar season again — chestnuts roasting on an open fire, sleigh bells jingling … and the usual round of cybersecurity predictions for the new year. We’ve been reading, so you don’t have to
SecureWorks sees 2017 held to ransom (Enterprise Times) Managed Security Provider (MSP) SecureWorks has said it expects ransomware threats to keep growing in 2017. This should come as no surprise despite some ransomware owners giving up in 2016. The number of ransomware families released in 2016 more than trebled from the previous year
Digital Shadows Report Reveals that the Mirai Botnet Isn’t Going Away (OpenPR) Digital Shadows, a provider of cyber situational awareness, released its new report Mirai and The Future, Forecasting the DDoS Landscape in 2017. The emergence of the Mirai botnet - a type of malware that automatically finds Internet of Things (IoT) devices to infect - earlier this year was hailed as a major development in malware but according to the report, this could be a tip of the iceberg as cybercriminals rush to adapt and develop the original Mirai code
The carrot and stick of data breaches (TechCrunch) Data breaches are on the rise. Just recently we saw new reports confirming Yahoo! suffered another large, embarrassing breach (this time of more than one billion user accounts in August 2013). And the story continues to unfold around whether or not Russia breached United States cyber systems in hopes of influencing the 2016 presidential election. It seems like putting personal information in a website today feels a bit like getting into a car 50 years ago — with minimal seatbelts, no airbags and no testing, you just had to hope to avoid a crash
Thai cybersecurity lagging (Bangkok Post) Thailand's cybersecurity market growth next year will lag behind that of its Asean neighbours as its investment in the sector remains low
Marketplace
Yahoo’s Data Breaches Unlikely to Derail Verizon Deal (Bloomberg) Almost 1,000 hacks occurred in the U.S. this year alone. Yahoo still helps Verizon’s mobile advertising ambitions
Huawei reportedly acquires Israeli startup Hexatier for $42 million (Geektime) This would be Huawei’s second acquisition of an Israeli company in three weeks
The World's Best Security Engineers Are Working on Flappy Bird (Inverse) Fewer people want to engage in a modern "spy vs. spy"
Can you hack? Here’s a way to make a buck – and it’s legal (Charlotte Observer) In the lingo of computer hacking, “black hat” hackers are the creeps. They steal your credit card data, hack into your email account, and take over your home router for malicious mayhem. Think Bonnie and Clyde
Products, Services, and Solutions
Data security: not an add-on, but an underlying necessity and enabler of trust and innovation (Covata) Covata Limited (ASX: CVT), a global leader in data-centric security solutions for enterprise and government, held a private event in San Francisco last week, where the Company released the alpha version of Covata Delta to a group of technologists, strategists and industry experts who showed early interest in the technology
Lockheed, Data Security Council of India Launch Online Cybersecurity Education Platform (GovConWire) Lockheed Martin (NYSE: LMT) and Data Security Council of India have launched an online portal that aims to educate small- and medium-sized businesses and vocational training institutes on cybersecurity, GovCon Executive reported Friday
Cujo adds parental controls to its home firewall device (TechCrunch) Cujo certainly felt like the right product at the right time when the smart firewall’s creators took to the Disrupt stage to debut the device back in May. Since its debut, IoT attacks have grown in prominence as users add more and more failure points to their home security ecosystem one connected device at a time
Technologies, Techniques, and Standards
6 Often-Overlooked Cloud Security Considerations (Inside Counsel) A look at some less obvious but important considerations related to cloud security and why they are often overlooked
Security Keys: The Answer For Account Takeovers? (PYMNTS) Account takeovers, even of high-profile people, have become a common occurrence in this era of sophisticated cyberattacks and hacks, but researchers think they’ve found a way to fight back against account takeovers: cryptographically based security keys
Threat Intelligence: The Difference Between Good and Bad (BankInfo Security) John Watters Of iSight Partners on how to separate signal from noise
Legislation, Policy, and Regulation
Obama administration is close to announcing measures to punish Russia for election interference (Washington Post) The Obama administration is close to announcing a series of measures to punish Russia for its interference in the 2016 presidential election, including economic sanctions and diplomatic censure, according to U.S. officials
Sanctions against Russia over election hacking forthcoming: report (The Hill) The Obama administration is reportedly finalizing a package of sanctions and diplomatic censure to punish Russia for its attempts to meddle in the 2016 U.S. election
Obama’s Options on Russian Hacks Range From Covert to Military (Bloomberg Markets) Menu includes deleting bitcoin accounts and hacking companies. U.S. response will consider ‘proportionality,’ retaliation
Top House Intel Dem to Obama: Expose Putin's corruption (The Hill) The leading Democrat on the House Intelligence Committee is endorsing a suggestion that the Obama administration quickly fire back on Russia for its alleged election interference by exposing embarrassing information about President Vladimir Putin
McCain: NATO key to stopping 'Russian misbehavior' (The Hill) Sen. John McCain (R-Ariz.) said Tuesday that a strong North Atlantic Treaty Organization (NATO), an organization President-elect Donald Trump has promised to reexamine, is crucial to stopping future Russian aggression
Senator alleges CIA intimidation of committee staff, seeks protections (Federal News Radio) Congress has passed laws to protect whistleblowers from retaliation, but what about Congress’ own staff? That’s something Sen. Sheldon Whitehouse (D-R.I.) would like his colleagues to address, to ensure Congress can perform its constitutional oversight of the executive branch
New in 2017: Marines likely to expand cyber warfare units (Marine Times) The size of the Marine Corps may grow in the coming years by as much as 12,000 Marines, as President-elect Donald Trump has called for, but that won’t necessarily translate to more grunts
Air Force rethinks cybersecurity in command and control systems (Federal News Radio) Reflecting an overall push in the Defense Department to harden weapons systems from cyber attacks, the Air Force is investing funds in securing its command and control systems
OPM lays groundwork for security clearance reform, as processing times grow longer (Federal News Radio) Federal employees and contractors waiting more than 100 days for their security clearance may not believe that the administration made some progress in 2016 for improving the process
Trump picks former Bush aide for counterterror adviser (The Hill) President-elect Donald Trump has tapped a national security aide to former President George W. Bush as his counterterrorism adviser
Trump’s counterterror pick signals potential boon for cyber contractors (Federal Times) President-elect Donald Trump’s pick to advise him on homeland security and counterterrorism issues may have telegraphed with a single quote how the scales of a public-private partnership on cybersecurity will tip under the new administration
China renews calls for tighter cyberspace security (Interaksyon) China’s top cybersecurity body reaffirmed its commitment to heightened cybersecurity surveillance on Tuesday, calling for increased scrutiny of local and foreign technology used in industries deemed critical to the national interest
Majority of Religion School Teachers in Indonesia Support Sharia Law (Voice of America) Nearly 80 percent of Islamic education teachers in five of 34 Indonesian provinces support implementing Sharia law, according to a new survey that is causing alarm among some moderate Muslim groups
Wassenaar Arrangement talks collapse (SC Magazine) Uncertainty reigns as the Wassenaar cyber weapons control pact renegotiation is rejected
Litigation, Investigation, and Law Enforcement
Intelligence agencies sued for records on Russian election interference (The Hill) A lawsuit has been filed against the CIA, the FBI, the Department of Homeland Security and the Office of the Director of National Intelligence seeking records pertaining to Russia’s interference in the presidential election
A journalist is suing U.S. spy agencies for more details on Russia’s hacking of the U.S. election (Recode) The CIA, FBI, Department of Homeland Security and the Office of the Director of National Intelligence have failed to respond to a Freedom of Information Act request
U.S. accuses Chinese citizens of hacking law firms, insider trading (Reuters) Three Chinese citizens have been criminally charged in the United States with trading on confidential corporate information obtained by hacking into networks and servers of law firms working on mergers, U.S. prosecutors said on Tuesday
CERT Switzerland Temporarily Cripples Tofsee Botnet (Bleeping Computer) Last week, the Swiss Governmental Computer Emergency Response Team (GovCERT), together with SWITCH, the registrar of .ch top-level domain names, took action against the Tofsee malware botnet that was abusing Swiss domains to host its dynamic command and control (C&C) servers
How Would Restructuring of CFPB Affect Banks? (BankInfo Security) Cybersecurity attorney sizes up potential impact of court ruling
New in 2017: High profile Navy spy trial slated for March (Navy Times) Naval flight officer and accused spy Lt. Cmdr. Edward Lin faces court martial next year in what will be one of the most closely watched Navy criminal trials in years
An Amazon Echo may be the key to solving a murder case (TechCrunch) Internet-connected devices may start helping in criminal cases. As first reported in The Information, police in Bentonville, Arkansas have issued a warrant to Amazon, asking the company to hand over data from an Echo device to help prosecute a suspected murderer
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
CES® CyberSecurity Forum (Las Vegas, Nevada, USA, Jan 5, 2017) Now in its second year, the CES® CyberSecurity Forum presented by CyberVista is designed to ensure all stakeholders in developing high tech solutions understand the complexity and the need for action in the cybersecurity arena. The IoT, connected cars, new payment systems, VR and AR, wearables and our mobile devices all add new levels of concern to protecting our personal and corporate data. In this day-long conference, we’ll tackle the world of cybersecurity that demands we go far beyond the simple passwords and anti-virus protection of yesterday.
SANS Security East 2017 (New Orleans, Louisiana, USA, Jan 9 - 14, 2017) Start the year off right by choosing from outstanding, cutting-edge courses presented by our top-rated instructors. SANS is looking forward to an exciting kickoff of 2017 with SANS Security East 2017 in the "Big Easy" in January. Now is the time to improve your information security skills and laissez les bons temps rouler!
Global Institute CISO Series Accelerating the Rise & Evolution of the 21st Century CISO (Scottsdale, Arizona, USA, Jan 11 - 12, 2017) These intimate workshops address the challenges that Boards of Directors are placing on security and risk executives, and how to successfully manage and communicate today’s enterprise and organizational threats. These are intense “roll your sleeves up” thought leadership discussions on How Cyber is Driving the New Board Perspective on Enterprise Risk Management. Attendance is limited to 30 Security and Risk Executives from Global 2000 corporations. For Chief Security Information Officers, Chief Information Officers, and Chief Risk Officers, by invitation only (apply to attend).
Cybersecurity of Critical Infrastructure Summit 2017 (College Station, Texas, USA, Jan 11 - 13, 2017) An inaugural event to convene thought-leaders, experts, and strategic decision makers from government, industry, and academia to discuss the technology and policy implications of the ever-evolving cyber-threats to critical infrastructures. This summit will focus on two sectors that are among those at greatest risk, the energy and manufacturing sectors. Highlighting emerging technologies and policy initiatives, this event will foster the development of high impact strategies to address the many interrelated cybersecurity challenges we face in the protection of our nation’s critical infrastructures.
ShmooCon 2017 (Washington, DC, USA, Jan 15 - 17, 2017) ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It, and Bring It On.
SANS Las Vegas 2017 (Las Vegas, Nevada, USA, Jan 23 - 28, 2017) Attend SANS Las Vegas 2017, where SANS will provide outstanding courses in IT security, forensics, and security management presented by the best cybersecurity teachers in the country. At SANS events you get the kind of hands-on, immersion training that you can put to work immediately.
BlueHat IL (Tel Aviv, Israel, Jan 24 - 25, 2017) Announcing BlueHat IL – a special edition of Microsoft's leading cyber security conference for top professionals, to be held for the very first time in Tel Aviv, Israel. Over the past 10 years, BlueHat conferences have drawn the brightest minds in security to discuss key industry challenges. And now, BlueHat IL is here to crank it up by exploring and creating new cyber security thoughts and boundaries. This exclusive, by invitation only, single track event will host top cyber security professionals from around the world, who will come together to tackle the present and peek into the future. It will feature brilliant speakers and focus on breakthrough research, key trends and emerging threats in the field. Registration closes December 28.
SANS Cyber Threat Intelligence Summit & Training 2017 (Arlington, Virginia, USA, Jan 25 - Feb 1, 2017) Join SANS at this innovative Summit as we focus on enabling organizations to build effective cyber threat intelligence analysis capabilities. Most organizations are familiar with threat intelligence, but have no real concept of how to create and produce proper intelligence. The 2017 Summit will focus on specific analysis techniques and capabilities that can be used to properly create and maintain Cyber Threat Intelligence in your organization. Attend this summit to learn and discuss directly with the experts who are doing the CTI analysis in their organizations. What you learn will help you detect and respond to all ranges of adversaries including some of the most sophisticated threats targeting your networks
Blockchain Protocol and Security Engineering (Stanford, California, USA, Jan 26 - 27, 2017) This conference will explore the use of formal methods, empirical analysis, and risk modeling to better understand security and systemic risk in blockchain protocols. The conference aims to foster multidisciplinary collaboration among practitioners and researchers in blockchain protocols, distributed systems, cryptography, computer security, and risk management.