The CyberWire Daily Briefing 12.29.16

Cyber Trends

How Artificial Intelligence Will Solve The Security Skills Shortage (Dark Reading) Unlike industries that fear the intrusion of AI, the infosec world is embracing this revolutionary technology, and the seismic changes it will bring to threat detection and mitigation

Four New Normals for 2017 (Threatpost) Let’s not talk about cybersecurity predictions for 2017. Let’s talk instead about new normals, things that have ceased to be novel because, well, they happen all the time and everywhere

What's Ahead for 2017: Predictions from the RSAC Advisory Board (RSA Conference) After an eventful year, it can be comforting to put a framework around the uncertainty of the future and try to look ahead at what next year may bring. And it’s in that spirit that we talked to the RSA Conference Advisory Board to find out what they think will happen in the world of cybersecurity as we enter 2017

Encryption in 2016: Small victories add up (Computerworld) The move from SHA-1 to SHA-2, a Congressional victory over backdoors, and the rise of encrypted communications are leading us toward a more secure world

Burrowing Bad? Ransomworms Deepen Crypto-Ransomware Threats in 2017 (IBM Security Intelligence Blog) What’s worse than ransomware? Ransomworms. According to CSO Online, 2017 may be a rough year for information security teams. Combined with evolving cryptography and ransomware techniques, cybercriminals are hoping to burrow even deeper into corporate networks. Here’s a look ahead

Gemalto Index highlights credentials concern (Planet Biometrics) Gemalto has released the findings of its Authentication and Identity Management Index, which revealed that 90% of enterprise IT professionals are concerned that employee reuse of personal credentials for work purposes could compromise security. However, with two thirds (68%) saying they would be comfortable allowing employees to use their social media credentials on company resources, Gemalto’s research suggests that personal applications (such as email) are the biggest worry to organisations

2017 – the tipping point for data being outside your control? (IT Pro Portal) More companies are betting on public Cloud services and applications

66 Percent of U.S. Consumers Have Given Their Phone Passcodes to Others (eSecurity Planet) One in four said something embarrassing has popped up on their phone while someone else was holding it, a recent survey found

Legislation, Policy and Regulation

China’s Cybersecurity Law Seeks Scrutiny Of Technology (Dark Reading) Country's top internet regulator releases framework for stricter cyberspace laws, including review of local and foreign technology

China renews calls for tighter cyberspace security (Pakistan Observer) China’s top cy-bersecurity body reaffirmed its commitment to height-ened cybersecurity surveil-lance on Tuesday, calling for increased scrutiny of local and foreign technology used in industries deemed critical to the national interest

‘Meltdown’ over international cybersecurity agreement (Naked Security) How do you keep dangerous exploit software away from bad guys (and countries) and still let the good guys (security researchers, white-hat pentesters) have it when they need it? It’s never been easy – and it’s even tougher when 41 countries need to agree. They’ve been trying all year… and, for the moment, they’ve just given up

Obama's options on Russian hacks range from covert to military (Bloomberg via the Chicago Tribune) President Barack Obama has vowed that the U.S. will respond to Russian hacking undertaken during the U.S. presidential campaign. Yet the public may never hear about it

U.S. senator says Russia can expect sanctions after cyber attacks (Reuters) Russia and its president Vladimir Putin should expect tough sanctions after cyber attacks during the presidential election won by Donald Trump, U.S. Republican Senator Lindsey Graham said on Wednesday

U.S. losing cyberwar, security chief tells NJ-Israel Commission (New Jersey Jewish News) Christopher Rodriguez, the director of New Jersey’s Office of Homeland Security and Preparedness, warned members of the New Jersey-Israel Commission Dec. 20 that the United States is losing battles of cyberwarfare with “our adversaries"

CMAI Association of India emphasises the need for digital payment laws to check e-frauds (Tech2) As digital payments go up post-demonetisation, the country needs separate digital payment laws and digital payment courts should be established across India along with an appropriate legal framework, the CMAI Association of India (CMAI) said on Wednesday

Products, Services, and Solutions

5 Great 'Starter' Cybersecurity Certifications (Business News Daily) Looking for a career change in the new year? There's no better time to consider a career in cybersecurity: U.S. businesses and government agencies are spending billions of dollars each year to protect their data and assets from malicious attacks, with Forbes reporting that $170 billion will be spent worldwide by 2020

Secure your Chrome browser with the Avast Online Security extension (Windows Report) Google Chrome is the most popular browser among Windows users. Nowadays, hackers are extremely clever and use every possible gateway to reach their goals. In many cases, the main malware entry point is your browser

Here’s North Korea’s Totalitarian Android Tablet (Motherboard) When you think of North Korea, the first thing that springs to mind is probably not a well-featured tablet PC. But that's just what researchers at the Chaos Communication Congress hacking festival revealed on Tuesday

Technologies, Techniques, and Standards

FDA issues new security guidelines so that your pacemaker won’t get hacked (TechCrunch) This week, the US Food and Drug Administration issued a set of recommendations for securing medical devices that could jeopardize the safety and privacy of their users. The report, titled “Postmarket Management of Cybersecurity in Medical Devices,” focuses on security throughout the lifecycle of a device, emphasizing that robust cybersecurity is an ongoing process that requires maintenance and regular software updates, just like any non-medical piece of hardware would

Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff (US Food and Drug Administration) The Food and Drug Administration (FDA) is issuing this guidance to inform industry and FDA staff of the Agency’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices. In addition to the specific recommendations contained in this guidance, manufacturers are encouraged to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device

The Non-Refundable Fundamentals: Estimating the Cost of a Data Breach (Infosecurity Magazine) Quantifying the financial impact of a data breach before it occurs is like assuming you can win roulette using insider trading. How is that? The average cost of a breach per record stolen today is roughly $221, according to research released earlier this year by the Ponemon Institute. Of that figure, one-third is a predictable direct measurement. When estimating the monetary ramifications of a data breach, calculating the direct costs for resolution matters – such as technical services and notifications – is easier than predicting indirect expenditures such as customer retention and employee loss

What is ISR in non-physical domains? (C4ISRNET) Ask commanders what they want more of, and one of the top responses is more intelligence, surveillance and reconnaissance. ISR has become a critical asset in planning operations and understanding trends within a commander’s battlespace. Non-physical domains and maneuver spaces are becoming more prominent in emerging and future conflicts. But how will commanders be able to “see” in cyberspace or the electromagnetic spectrum?

Are APT Reports Still Valuable or Have They Become Marketing Fluff? (LookingGlass) Now that APT reports have been exposed, the “thrill” of discovering and calling out suspected nation state actors engaged in clandestine cyber activity has become almost routine. Excitement over what was once considered a difficult thing to do (detecting “advanced” cyber adversaries) is now expected. And therein lies the problem. The rush to attribute and increase marketing visibility in the wake of such incidents has taken the place of adding value through the exchange of actionable information

33C3: Understanding Mobile Messaging and Its Security (Hackaday) If you had to explain why you use one mobile messaging service over another to your grandmother, would you be able to? Does she even care about forward secrecy or the difference between a private and public key is? Maybe she would if she understood the issues in relation to “normal” human experiences: holding secret discussions behind closed doors and sending letters wrapped in envelopes

PayThink 'Threat intelligence' technology can fight big box data breaches (Payments Source) Financial institutions and e-commerce merchants have become targets of massive financial fraud as cyber criminals have used stolen payment card data from major data breaches, such as the ones involving Wendy’s restaurants in 2015, Home Depot in 2014, and Target in 2013 to make illegal purchases online

Marketplace

Cyber attack will topple major company next year, business lobby group warns (Belfast Telegraph) A cyber attack will topple a major company next year as firms face a growing threat to their security systems from online hackers, according to an influential business lobby group

How Companies Need to Address Cybersecurity Risks in 2017 (Wall Street Journal) Peter Beshar, executive vice president and general counsel of Marsh & McLennan Companies, a global professional services firm that includes Marsh, an insurance brokerage and risk advisor, speaks about the current state of cyberthreats, what companies should be doing to protect themselves and the potential impact the Trump administration will have on cybersecurity

FireEye Inc's Best Moves in 2016 (Fox Business) I've generally been bearish on FireEye (NASDAQ: FEYE), the once-promising cybersecurity firm that lost over 40% of its value in 2016. The company's declining revenue growth, widening GAAP losses, unstable cash flow, and executive exodus all indicate that the stock could fall further next year. However, those challenges shouldn't completely overshadow its accomplishments this year. Let's take a look back at three of FireEye's smartest moves in 2016

Machine learning and artificial intelligence to get massive VC boost – FX automation generation nearing? (Finance Feeds) Pitango is a specialist in financing very successful FX industry ventures. Now the VC firm has launched a $175 million fund for machine learning and artificial intelligence. We take a close look at why this matters and where it will help firms develop and grow

Agencies embrace bug bounty programs (Government Matters) Federal Times editor Aaron Boyd discussed the proliferation of bug bounty programs across government and the January launch of Sightline Media Group’s new cybersecurity hub, FifthDomain.com

US Air Force Awards Satellite Anti-jamming Contract to Raytheon (Defense News) Raytheon has been awarded a $37 million Air Force contract to support anti-jamming efforts for satellite communications

illusive networks named 'Industry Innovator' by SC Magazine (GSN Magazine) illusive networks today announced that its pioneering Deceptions Everywhere® cybersecurity was selected by SC Magazine as a Next-Generation Security Monitoring and Analytic Innovator in its award-winning annual Reboot '16 Innovators issue

Former FCI Exec Julie Mehan Named MetroStar Systems Director of Cybersecurity Strategy and Alignment (GovConExecutive) Julie Mehan, former Femme Comp Inc. principal cybersecurity analyst, has been appointed as MetroStar Systems‘ new director of cybersecurity strategy and alignment as part of that company’s push to expand its cybersecurity capacity and thought leadership

Security Patches, Mitigations, and Software Updates

Critical PHP 7 flaws detected and patched, Check Point (SC Magazine) Security researchers found three zero-day vulnerabilities in PHP 7, all of which could prove extremely dangerous to any site using the web programming language

Cyber Attacks, Threats, and Vulnerabilities

La Russie soupçonnée d’être responsable d’un piratage informatique contre l’OSCE (Le Monde) L’organisation basée à Vienne, chargée notamment d’observer le cessez-le-feu en Ukraine, a été la cible d’une attaque de grande ampleur attribuée à Moscou

OSCE victim of cyber attack (Reuters) The Organisation for Security and Cooperation in Europe has been the target of a cyber attack, a spokeswoman said on Wednesday

Group That Monitors Ukraine Conflict Suffers Cyber-Attack (ABC News) The organization charged with monitoring the Russia-fomented conflict in eastern Ukraine confirmed on Wednesday that it suffered a data breach “compromising the confidentiality” of its computer network

Is Russia Responsible for a Cyber Attack Against the OSCE? (Foreign Policy) The Organization for Security and Cooperation in Europe, a rights watchdog that for more than two years has monitored the ground war between Ukrainian forces and Russian-backed separatists, acknowledged Wednesday it had been hacked. The likely culprit, according to Le Monde: Russia

Malware in Ukraine armed forces app linked to DNC hackers (SC Magazine) A malicious remote access toolkit recently found in an app used by Ukrainian military forces is an Android version of the same proprietary malware that helped hackers steal files from the Democratic National Committee, researchers from CrowdStrike have reported

Another Massive DDoS Closes Out 2016, But Mirai Not To Blame (Dark Reading) Using a new malware variant called Leet, the 650 Gbps DDoS attack matched Mirai's floods of traffic

650Gbps DDoS Attack from the Leet Botnet (Imperva Incapsula) As the end of the year approaches, it’s natural to contemplate the future and look for signs of things to come. Sometimes, however, you don’t have to search too hard. Sometimes, these “signs” hit you like a ton of bricks

Switcher Android Malware Hacks TP-Link Routers, Changes DNS Settings (Bleeping Computer) An Android trojan named Switcher (Trojan.AndroidOS.Switcher) targets Android devices in order to take over local WiFi routers and hijack the web traffic passing through them

Android Trojan Switcher Infects Routers via DNS Hijacking (Threatpost) A new Android Trojan uses a victims’ devices to infect WiFi routers and funnel any users of the network to malicious sites. The malware doesn’t target users directly – instead its goal is to facilitate further attacks by turning victims into accomplices

LG Smart TV Screen Bricked After Android Ransomware Infection (HackRead) The victims have been asked to pay $500 to get their TV unlocked

Android Ransomware Infects LG Smart TV (Bleeping Computer) Security firms have been warning us for more than a year about the possibility of Android malware jumping from phones and tablets to other Android-powered devices, such smart TVs

Ransomware Economics: Why the Threat is Here to Stay (Infosecurity Magazine) The concept of extorting a victim for money is nothing new; in fact it’s older than the internet by many centuries. Over the years, however, malware has evolved from spying on users and harvesting information, to promoting malicious links for clickbait, to the current straight forward tactic of ‘give us your money'

Security Alert: GootKit and Godzilla Infostealers Target Victims’ Financial Information (Heimdal Security) These examples show how cyber attackers operate to collect & steal your financial data

Updated Sundown Exploit Kit Uses Steganography (Trend Micro) This year has seen a big shift in the exploit kit landscape, with many of the bigger players unexpectedly dropping out of action. The Nuclear exploit kit operations started dwindling in May, Angler disappeared around the same time Russia’s Federal Security Service made nearly 50 arrests last June, and then in September Neutrino reportedly went private and shifted focus to select clientele only. Now, the most prominent exploit kits in circulation are RIG and Sundown. Both gained prominence shortly after Neutrino dropped out of active circulation

'Frequent flyer points put at risk by website flaws' (BBC News) Airline booking systems lack basic security checks that would stop attackers changing flight details or stealing rewards, warn experts

Holiday Inn Parent IHG Probes Breach Claims (KrebsOnSecurity) InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, says it is investigating claims of a possible credit card breach at some U.S. locations

Agent applications for Nevada’s medical marijuana program exposed (CSO) Altering the URL enables anyone to view submitted applications

Facebook Doesn’t Tell Users Everything It Really Knows About Them (Pro Publica) The site shows users how Facebook categorizes them. It doesn’t reveal the data it is buying about their offline lives

Academia

Georgetown research center adds Farsight Security to industry member roster (GSN) The Security and Software Engineering Research Center at Georgetown University (S2ERC ) announced today that Farsight Security, Inc., provider of the world’s only real-time DNS intelligence, has become an affiliate member as S2ERC continues to expand its base of industry members

Litigation, Investigation, and Enforcement

The 2016 Election Wasn’t Hacked, But the 2020 Election Could Be (Motherboard) After partial vote recounts in certain states, US election officials found no evidence that votes had been manipulated by a cyberattack on voting machines, security researchers told an audience at the Chaos Communication Congress hacking festival on Wednesday. But, the researchers called for a vast overhaul in voting machine security and related legislation, warning that an attack is still possible in a future election

Lawmakers urge Pentagon to probe Huawei deal (Washington Times) Three Republican members of Congress are urging Defense Secretary Ash Carter to investigate the security risks to American facilities and military forces in South Korea posed by a Chinese telecommunications company’s role in a new wireless network in the country

Trio charged with $4m insider trading by hacking merger lawyers (Register) Up to seven New York law firms targeted, say Manhattan prosecutors

Macau Resident Held In US For Hacking, Insider Trading (Dark Reading) Iat Hong and two others allegedly breached computers of major US law firms and stole confidential exchange on M&A transactions

Germany: Suspected contact of Berlin attacker arrested (Military Times) German prosecutors said Wednesday that they have detained a Tunisian man they think may have been involved in last week's truck attack on a Christmas market in Berlin

Islamic State arrests reveal jihadi threat near seat of U.S. government (Washington Times) Law enforcement agencies have arrested nine Northern Virginia residents on charges of aiding the Islamic State since the terrorist group rose to power in Syria and Iraq in 2014 and launched social media propaganda to attract followers, a government message to police states

Police ask: “Alexa, did you witness a murder?” (Ars Technica) Drowning in hot tub was followed by 140-gallon hose-down recorded by utility

Business Man Pleads Guilty for Operation Resume Hoard (Bleeping Computer) David W. Kent pleaded guilty last week of hacking his former company to boost his current business, which he then tried to sell back to his former firm, together with the stolen data

Sultry Sextortion Sisters Meet Their Match In Nigerian Oil Billionaire (HackRead) Jyoti Matharoo and Kiran Matharoo messed with the wrong Nigerian business tycoon

21 Biggest Cybercriminal Busts Of 2016 (Dark Reading) This year has been a tornado of major cyberattacks and hacker arrests. Here, we look back on the 21 most interesting 'cyberbusts' of 2016

Design and Innovation

Mixing biology with technology: what could possibly go wrong? (Naked Security) If you were in the security business a dozen years ago, you’ll remember all the speculation around cellphone malware. The iPhone and other smartphones weren’t yet ubiquitous and attacks against such devices were discussed in the context of some distant future

Ford hits milestone in path to steering-wheel-less, pedal-less autonomous cars (Ars Technica) Company wants to mass-produce self-driving cars for ride-sharing services by 2021

OSCE hacked (Fancy Bear is the animal-of-interest). US still mulling retaliation for Russian network intrusions, influence operations. Leet offers Mirai some DDoS competition. New Android threats.