The CyberWire Daily Briefing 02.17.16

Cyber Trends

Report: Breaches responsible for increasing amount of collateral damage (CSO Online) 2015 was the "Year of Collateral Damage," according to a report released this morning by Hewlett Packard Enterprise. Attackers targeting companies or other organizations are not only affecting the lives of people who are customers or employees of those organizations, but also affect people who have no direct business relationships.

Smart buildings security: Who's in charge? (Help Net Security) As the Internet of Things became an accepted reality, and the security community realized that they have to get involved in securing it, days without news

Legislation, Policy and Regulation

White House misses deadline to deliver Islamic State strategy to Capitol Hill (Washington Examiner) The chairman of the House Armed Services Committee said Tuesday that the administration is essentially sending troops into the "wilderness with a compass, but no map" after it failed to deliver a strategy to defeat the Islamic State by Monday's deadline.

Exclusive: Whistleblowers Warned Top Spy About Skewed ISIS Intel (The Daily Beast) It wasn’t just the generals who were warned that ISIS intelligence assessments were overly rosy. The office of the director of national intelligence knew, too.

Now it’s Nigeria’s authorities who want to regulate apps like Whatsapp and Facebook (Quartz Africa) The NCC says the rise of OTT services has resulted in lower revenues accrued from traditional telephony.

Canadian security agencies under strain while threats have ‘seldom been so high,’ former senior officials say (National Post) The experts noted that since the October 2014 killings of two Canadian Forces members, seven more Canadians have died in terror attacks in Jakarta and Burkina Faso

Are you ready for EU General Data Protection Regulation changes? (Computer Business Review) Tony Pepper, CEO, Egress Software Technologies, looks at how the upcoming GDPR will impact businesses.

Mandated encryption backdoors? Such a bad idea, says cybersecurity agency (ZDNet) EU security agency ENISA has warned policy makers against limiting any security features in software, even if that makes lawful interception harder.

EU ISP Talks: Let’s Make the Most of It! (TrendLabs Security Intelligence Blog) The Internet has no borders, countries do. And that’s what makes it so difficult for law enforcement to chase cybercriminals. Trend Micro works with these bodies for years and we see how painful and long these processes are, once the cybercriminal is somewhere else. We not only work close with local police but also with Europol and INTERPOL, which helps when it comes to international crime. They do a great job, but the bad guys clearly have an advantage as their flexibility and speed makes it easy for them to jump around in cyberspace and build up systems everywhere. And pretty often, they go to countries where cybercrime is not a crime or chasing them is low priority.

Stuxnet Part Of Widespread Cyber-Intrusion Of Iranian Infrastructure, New Film Claims (Dark Reading) New Stuxnet documentary that debuts tomorrow in Berlin reportedly reveals how Israel blew its cover, and the worm just one element of a much larger US-Israel cyber spy operation in Iran.

US developed detailed cyberattack plan for Iran (TheHill) The plan, code-named “Nitro Zeus," included a range of attacks targeting Iran’s infrastructure.

The NSA's Terrorist-Hunting Computer for Pakistan May Have Targeted Innocents (Defense One) A new report suggests that the agency has been using a machine-learning program to identify potential terrorists, but thousands of Pakistanis may have been mislabeled.

Safeguarding cybersecurity (The Washington Times) Anyone who has locked the front door and hidden the key under a flowerpot has dealt with the dilemma of how to maintain both security and access. It’s the quandary facing cybersecurity professionals who must guard the wall around personal online data while managing the demands of law enforcement agencies.

N.S.A. Gets Less Web Data Than Believed, Report Suggests (NYTimes) A new report suggests that the government is receiving far less data than privacy advocates have long suspected.

The President's NSA Advisory Board Finally Gets a Tech Expert (WIRED) Columbia University computer science professor Steve Bellovin says one thing he'll be looking at is the collection of data authorized under the mysterious EO12333 authority.

Katie Moussouris on the Latest Wassenaar Arrangement Rules (Threatpost) Threatpost editor Mike Mimoso talks to HackerOne chief policy officer Katie Moussouris about the U.S. implementation of the Wassenaar Arrangement rules and where things stand close to seven months after the initial draft was pulled off the table for a rewrite.

Washington Senate passes Brown’s Cybersecurity Jobs Act (Tri-City Herald) A bill to develop a strategy to make Washington state a national leader in cybersecurity has been passed unanimously by the Washington state Senate.

Products, Services, and Solutions

How Shari Steele aims to take the Tor Project mainstream (The Daily Dot) The Tor Project has an image problem. Shari Steele knows how to fix it.

Comodo Launches New Advanced Endpoint Protection Solution (PRNewswire) Comodo Launches New Advanced Endpoint Protection Solution

Cisco claims security boost with firewall focused on threat defence (V3) Firepower system designed to fight breaches not just protect applications,Security,Business Software ,Cisco,Hacking,malware,antivirus

IBM Launches Super-Secure Mainframe for Encrypted Hybrid Clouds (Leader Call) IBM also says that the z13s offers faster processing speeds than some of its previous mainframes in this price range, but the focus of the z13s is clearly on security

IBM goes all in on blockchain, offers cloud-based service (InfoWorld) IBM offers a cloud-based service to help businesses set up blockchain networks and test and deploy apps

Nakina Announces Enhancements to its Cybersecurity Portfolio (BusinessWire) Nakina Announces Enhancements to its Cybersecurity Portfolio. Security Policy Orchestration and Analytics to be showcased at #MWC16 with demo involvin

The threat from within (iTWire) Regardless of how good your end-point security may be all security companies agree that the human element is the weakest link. Most cyberattacks rely...

Wombat Security Launches PhishAlarm Analyzer (Marketwire) Wombat Security Technologies (Wombat) today announced the launch of PhishAlarm Analyzer, a software-based e-mail phishing triage solution that uses machine learning to check emails against multiple security sources to identify and prioritize reported phishing emails for incident response teams. Quick identification and categorization...

Microassist Offers New-to-Market CyberSAFE, an End-User Focused Training Program Aimed at Thwarting Cyber-Attacks (Marketwire) Microassist, a leading training provider, announces the addition of CyberSAFE to its public training schedule. This end-user cybersecurity training course and corresponding assessment were developed by Logical Operations with the goal of helping organizations combat cybersecurity threats through educating end-users.End-users play a critical...

InfoArmor VigilanteATI(SM) Wins the Computer Technology Review MVP Award in the Security Category (Marketwire) InfoArmor, Inc., an industry-leading provider of elite cyber intelligence services, today announced that its (sm) platform has won a 2015 Most Valuable Product Award from Computer Technology Review in the Security category. As one of a select number of notable IT companies receiving CTR's MVP...

Rook Security Named ‘Pioneer’ in CRN’s 2016 Managed Service Provider 500 (BusinessWire) Rook Security is named a ‘Pioneer’ in CRN’s 2016 Managed Service Provider 500, recognizing the company's excellence in managed IT services.

Technologies, Techniques, and Standards

The Great EMV Fake-Out: No Chip For You! (KrebsOnSecurity) Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the "dip" of chip-card transactions (as opposed to the usual swipe of the card's magnetic stripe)

HIPAA and mHealth: OCR unveils new guidance on role of developers (FierceMobileHealthcare) The federal government is continuing its push to help plays in the healthcare industry better understand HIPAA regulations--most recently releasing guidance focusing on mHealth.

Navy Finalizes Eight Cybersecurity Standards, Now Available to Industry (CHIPS) To ensure critical warfighting capabilities can operate, fight and win in a contested cyber environment, the Navy has finalized the first eight in a series of more than two dozen planned foundational cybersecurity standards that govern the vast majority of the sea services' systems and programs

Government data breaches are in the news and on people’s minds (Infosecurity Magazine) Adopting more efficient technologies to detect and protect files may often be easier said than done

4 Rules for Successful Threat Intelligence Teams (Recorded Future) Managing threat intelligence isn’t easy, so here are four simple rules that will help you build and maintain a successful threat intelligence team.

FBI/DHS hack shows need for role-based security awareness programs (CSO Online) When a hacker released the contact information of 9,000 DHS employees, it was the result of several awareness failings. The reality is that these are failed awareness programs that are typical of industry as a whole.

Marketplace

It’s time the c-suite took data privacy seriously (IT Pro Portal) Data privacy and security has been one of the biggest issues in business and technology over the past decade or so. Since the 2006 Nationwide Building Society incident, when a stolen unencrypted laptop put at risk the personal data of 11 million savers, there has been a regular stream of data breaches.You only have to turn on the news or go online and you will almost inevitably see reports of these breaches, ranging from retailers to major FS organisations, and often, government departments. Just last year, telecoms provider Talk Talk reported its third data breach in the previous twelve months, with more than 150,000 customers affected after a teenager exploited a weakness in Talk Talk’s website.The type of information that is personally identifiable varies greatly from one organisation to the next. For some, it is staff records, and for others, it is customer information, transaction records, and even patient data. This is causing management at all levels to focus on their security

20 Cybersecurity Startups To Watch In 2016 (Dark Reading) Some of the most intriguing security startups flush with funds, talent and ideas.

Why the Cybersecurity Space Could See Consolidation in 2016 (Market Realist) Lower valuations and increased interest from leading players will increase M&As in the cybersecurity space

Cylance Finds New Funding From In-Q-Tel - socaltech.com (SoCalTech) Irvine-based cybersecurity software developer Cylance said today that it has entered into a strategic partnership with In-Q-Tel, the investment arm of the U.S. intelligence community. Financial detai

Baltimore-based Protenus raises $4 million (Maryland Daily Record) The Baltimore-based health tech startup Protenus has raised $4 million in Series A financing, executives announced Tuesday. Founded by a pair of Johns Hopkins medical students, the company offers p…

Quick Heal to list shares on stock exchanges (https://www.livemint.com/) The equity shares will be listed on the NSE as well as on the BSE

Wynyard Group cancels share placement (NZ Herald) Wynyard Group says a planned share placement is no longer viable and is considering other capital raising options including a rights offer.

Army Requests Info on Consortium for DoD’s C4, Cyber Platform Development (ExecutiveBiz) The U.S. Army Contracting Command has sought information on a consortium with the capability to research and develop prototypes of command, control, communications, computer and cyber platforms for the Defense Department. The service branch said in a FedBizOpps notice posted Feb. 3 the consortium will build prototypes under the “other transaction” agreement in order to reduce DoD’s dependence...

Code Dx Receives Whirlwind of Accolades in Cybersecurity Industry (StreetInsider.com) Recent recognition in Forbes and recipient of three awards in 2016 validate Code Dx as a cybersecurity industry innovator and leader

DigiCert Hires Michael Olson as Chief Financial Officer (PRNewswire) Olson brings 20 years' experience in corporate finance leading high-growth companies

Research and Development

Whitewood Encryption Systems Announces the Awarding of a Third Patent Arising From Los Alamos National Laboratory Technology Transfer (BusinessWire) Whitewood received a Notice of Allowance for a patent application that addresses issues that arise when employing quantum communications techniques to

Security Patches, Mitigations, and Software Updates

Use Linux? Stop what you're doing and apply this patch (CIO) A buffer-overflow vulnerability uncovered Tuesday in the GNU C Library poses a serious threat to countless Linux users.

Security Patch Woes: Windows 10 Update Resets Default Settings, Office Fix Crashes Word (Redmondmag) Microsoft's February security update is causing issues for Windows 10 and Word 2013 users.

Xen forgets recent patches in new maintenance release (Register) Is this any way to run a supposedly cloud-grade hypervisor?

Kotlin programming language for JVM and Android reaches version 1.0 (Help Net Security) Kotlin is an open source programming language for JVM and Android that combines OO and functional features and is focused on interoperability, safety,

Cyber Attacks, Threats, and Vulnerabilities

Anonymous Hacks Turkish National Police Server, Leaks A Trove of Data (HackRead) The online hacktivist Anonymous hacked Turkish National Police and leaked a huge amount of data The year 2015 was a difficult year for Turkey due to the

Anonymous’ #OpAfrica Claims 64,000 Workers Data of Tanzanian Telecom Firm (HackRead) The online hacktivist Anonymous has breached into the server of a Tanzanian Telecom Firm and leaked personal data of about 64,000 employees. OpAfrica is

Attackers try to compromise Magento with a fake patch (CSO Online) Attackers are still trying to find Magento installations that haven't patched a particularly bad vulnerability, this time trying to trick people into downloading a fake patch.

Fake SUPEE-5344 Patch Steals Payment Details (Sucuri Blog) Update 2/17: This post is not about hackers tricking webmasters into installing fake Magento security patch. It's about malware that pretends to be an applied security patch. In case you don't know, SUPEE-5344 is an official security

Dridex Malware Infections Rise: Symantec (Credit Union Times) Cybercriminals send millions of spam emails daily with the goal of stealing consumers banking credentials.

Is Dridex the Most Dangerous Banking Trojan? (BankInfoSecurity) Kevin Haley, a researcher at Symantec, says the moneymakers behind Dridex are successfully infecting thousands of users worldwide on a monthly basis, purely through

'Locky' ransomware, which infects like Dridex, hits the unlucky (CSO Online) A new flavor of ransomware, similar in its mode of attack to the notorious banking software Dridex, is causing havoc with some users.

“Locky” ransomware – what you need to know (Naked Security) “Locky” feels like quite a cheery-sounding name. But it’s also the nickname of a new strain of ransomware that could cost you $400…

glibc Linux remote code execution vulnerability (Threatpost) A critical vulnerability in glibc, the GNU C library, affects all Linux machines and many web frameworks, opening the door to remote code execution.

VoIP phones can be turned into spying or money-making tools (Help Net Security) A security vulnerability present in many enterprise-grade VoIP phones can easily be exploited by hackers to spy on employees and management, says security

Instagram bug could have allowed others to read your direct messages (Naked Security) Before you get too worried about this Instagram security bug: it’s just been fixed. So let’s just call this a cautionary tale.

Akamai Detected Over 400 Reflection DDoS Attacks Leveraging DNSSEC Protocol (softpedia) DDoS attacks can reach an amplification factor of 8

How to bypass this LG smartphone's fingerprint security in just 30 seconds (WeLiveSecurity) A troubling vulnerability has been uncovered that may make you think twice about ever even temporarily allowing a friend, partner or acquaintance to use your new LG V10 Android smartphone.

Turning back Time on your iPhone can “Brick” the Device- Don’t Fall for the 1970 Scam (HackRead) Turning back Time on your iPhone can “Brick” the Device- Don’t Fall for the 1970 Trick Apple is just not “sure” why it's happening but it's a fact that if

10 Years of Mac Malware: How OS X Threats Have Evolved [Infographic] (The Mac Security Blog) This infographic timeline highlights the nastiest, most prevalent Mac OS X security threats to demonstrate just how Mac malware has evolved over the past 10 years.

Patients diverted to other hospitals after ransomware locks down key software (Ars Technica) Crypto-extortion increasingly targets bigger victims; most stay silent about it.

WA's Parliament House shut down by a cyber attack (WAtoday) A cyber attack on WA's Parliament House on Wednesday morning has shut down all communications.

Article 29 Working Party still not happy with Windows 10 privacy controls (SC Media) The EU privacy watchdog has told Microsoft despite changes to the install screen, there is still no clear message of how Microsoft plans to process users' data.

Academia

Service Academy CyberStakes Proves Worth as Learning Tool (US Department of Defense) Three years into a program for building cyber proficiency in service academy midshipmen and cadets, the annual CyberStakes competition has proven its worth as an important learning tool for these high-tech skills, a senior Defense Department official said

Litigation, Investigation, and Enforcement

Apple vows to resist FBI demand to crack iPhone linked to San Bernardino attacks (Washington Post) The Apple CEO claims the federal order seeks a security bypass “too dangerous to create.”

Some notes on Apple decryption San Bernadino phone (Errata Security) Today, a judge ordered Apple to help the FBI decrypt the San Bernadino shooter's iPhone 5C. Specifically: disable the auto-erase that hap...

This is why the FBI can’t hack into iPhones (Quartz) This one incredibly simple setting has baffled the FBI.

Apple vs. The FBI: Why Apple Is Screwed (TGDaily) Apple vs. The FBI: Why Apple Is Screwed

Apple is openly defying US security orders, but in China it takes a very different approach (Quartz) It creates the impression that Apple has different security standards for different markets.

An Open Letter to Founders (Fortune) An investor in VC funds has a (repeat) message for entrepreneurs.

Bomb threats for sale from as little as $5 (Naked Security) Meanwhile, French police arrested a young man in connection with a Dark Web service where you can buy anonymized phone threats.

Alertes à la bombe dans les lycées : le jeune homme placé sous le statut de témoin assisté (Le Monde.fr) Vincent L., lycéen dijonnais de 18 ans, n’a été mis en examen que pour avoir refusé d’aider les enquêteurs à déchiffrer son ordinateur.

Teacher’s sex tape stolen from hacked Dropbox, posted on school site (Naked Security) After being told the video was on the school site, “I went to the bathroom and threw up,” says Brian Cody Bray.

Design and Innovation

Digital health app reviews: Time to get it right (FierceMobileHealthcare) There are many challenges in mHealth, but one of the most important hasn't gotten necessary attention: the need for a verifiable methodology to evaluate and assess the growing wave of mHealth apps. An accredited and trustworthy evaluation is a win-win for everyone: developers, app sellers, consumers, clinicians and providers. Its top of mind this week, in part due to a new study.

IBM and Microsoft Will Let You Roll Your Own Blockchain (WIRED) They call it the Hyperledger. And it can be yours.

IBM thinks blockchain is the future of transactions for multiple industries (FierceCIO) Bitcoin and other cryptocurrencies haven't had the revolutionary effect on the finance industry some proponents were hoping for

Gemalto Sees Two Waves of Blockchain Adoption Forming (CoinDesk) Gemalto discusses its recent partnership with Symbiont, what it calls its "first step" in engaging in business opportunities in the blockchain space.