The CyberWire Daily Briefing 01.07.16

Cyber Attacks, Threats, and Vulnerabilities

Ukrainian blackout caused by hackers that attacked media company, researchers say (Guardian) Power company suffered a major attack that led to blackouts across western Ukraine, after an attack on a Ukrainian media company

Russian hackers are suspected in a cyber attack that caused a huge blackout in Ukraine (Quartz) Experts say they have established the world's first known case of a cyber attack on a power grid, which cut power to more than 600,000 homes in Ukraine in late December. US intelligence agencies and cyber security experts are looking to Russia as the likely source of the attack

U.S. power companies told to review defenses after Ukraine cyber attack (Reuters) A quasi-governmental U.S. electric industry group last week advised members to review network defenses following reports that 80,000 customers of a Western Ukraine utility lost power for six hours following a cyber attack

Project 'Gridstrike' Finds Substations To Hit For A US Power Grid Blackout (Dark Reading) Turns out free and publicly available information can be used to determine the most critical electric substations in the US, which if attacked, could result in a nationwide blackout

Opinion: Squirrels are bigger threat than hackers to US power grid (Christian Science Monitor Passcode) While fresh reports of digital assaults on critical infrastructure facilities have stirred the cyberwar saber rattlers, it's worth remembering that squirrels cause far more destruction to the grid than rogue nation hackers

Experts: Recent Critical Infrastructure Attacks A Sign Of Major Security Challenges Coming In 2016 (CRN) Hackers rang in the new year with a slew of critical infrastructure attacks, a trend that partners and security experts said points to a tough year ahead for critical infrastructure security

US port cyber-attack thwarted (Port Strategy) The United States Coast Guard Cyber Command's (CGCYBER) latest maritime cyber bulletin has revealed that there was an attempted cyber-attack against an unknown port facility

Indian hackers deface Pakistani websites to 'pay tribute to Lt Colonel Niranjan' (Times of India) A group of Indian hackers have defaced seven Pakistani websites, including that of Pakistani Bar Council. The hacker group — Indian Black Hats, based of Kerala — said that they have dedicated the hacking to the 18-month old daughter of late Lt Col Niranjan of the National Security Guards

Yet Another Signed Malware — Spymel (Zscaler ThreatLab) ThreatLabZ came across yet another malware family where the authors are using compromised digital certificates to evade detection. The malware family in this case is the information stealing Trojan Spymel and involved a .NET executable signed with a legitimate DigiCert issued certificate

Trend Micro: Internet scum grab Let's Encrypt certs to shield malware (Register) Angler kit served via compromised HTTPS websites

Etihad Airways investigates possible data leak (The National) Etihad Airways is investigating a possible leak of data belonging to members of its loyalty programme

Second Database Exposing Voter Records Found Online (SecurityWeek) A Christian conservative organization is believed to be responsible for exposing the details of millions of U.S. citizens by failing to ensure that its databases could not be accessed by unauthorized individuals

Android-based Smart TVs Hit By Backdoor Spread Via Malicious App (TrendLabs Security Intelligence Blog) With the year-end shopping season over, many consumers now have new various smart gadgets in their homes. One particularly popular usage of this so-called Internet of Things (IoT) are smart TVs. These TVs are more than just passive display devices; many of them can even run Android apps as well. Some may find these features useful, but these capabilities bring their own risks

SLOTH Attacks Up Ante on SHA-1, MD5 Deprecation (Threatpost) If you're hanging on to the theory that collision attacks against SHA-1 and MD5 aren't yet practical, two researchers from INRIA, the French Institute for Research in Computer Science and Automation, have demonstrated new attacks that raise the urgency to move away from these broken cryptographic algorithms

Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH (MITIS) In response to high-profile attacks that exploit hash function collisions, software vendors have started to phase out the use of MD5 and SHA-1 in third-party digital signature applications such as X.509 certificates. However, weak hash constructions continue to be used in various cryptographic constructions within mainstream protocols such as TLS, IKE, and SSH, because practitioners argue that their use in these protocols relies only on second preimage resistance, and hence is unaffected by collisions. This paper systematically investigates and debunks this argument

Time Warner and Linode report possible password breaches (Ars Technica) Potential compromises appear to be unrelated

Time Warner Cable to contact 320,000 customers about possible account compromise (CSO) Company says that customers will be contacted by email and direct mail

Bug in Silent Circle's Blackphone let attackers remotely control device (Computerworld) A vulnerability in Silent Circle's privacy-focused Blackphone let attackers remotely take over the device's modem to send and receive texts, dial or connect calls, change call IDs, set call forwarding, force conference calls and more

A recent example of wire transfer fraud (Internet Storm Center) Do you know about any attempts of wire transfer fraud in your organization? They often start with phishing emails. These emails are used to trick an employee into wiring money to bank accounts established by the criminal. It's an old scam, but 2015 apparently saw a resurgence in wire transfer

Facebook "Page Disabled" Phish Wants your Card Details (Malwarebytes Unpacked) Fake Facebook Security pages are quite a common sight, and there's a "Your page will be disabled unless…" scam in circulation at the moment on random Facebook comment sections which you should steer clear of

Scammers target citizens filing tax returns online (Help Net Security) As ten million people prepare to complete their tax returns online in January, British citizens are being bombarded with scams. Forty per cent have received phishing emails which appeared to be from HMRC, and identity fraud is rife — with many people still unaware of the potential risks involved, according to Miracl

Don't be Deceived by a Pretty Face and a Sad Story (Team Cymru) As Christmas 2015 fades into memory, and January begins its annual onslaught of gym adverts and crash diets, we hope that Santa Claus (or Saint Nicolas, Befana, et el) brought you everything you were hoping for

Account Takeovers Fueling 'Warranty Fraud' (KrebsOnSecurity) Cybercrime takes many forms, but one of the more insidious and perhaps less obvious manifestations is warranty fraud

Flash drive missing from IU Health Arnett contains data from over 29,000 patients (Health IT & CIO Review) Indiana University Health Arnett Hospital in Lafayette is notifying patients the system became aware Nov. 20 that an unencrypted flash drive was missing from its emergency department

Security Patches, Mitigations, and Software Updates

WordPress 4.4.1 Security and Maintenance Release (WordPress) WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately

Blackphone update closes security hole (InfoWorld) SilentCircle used a third-party component that potentially exposed the secure Blackphone to attack

Drupal — Insecure Update Process (IOActive Blog) Security updates are a common occurrence once you have installed Drupal. In October 2014, there was a massive defacement attack that effected Drupal users who did not upgrade in the first seven hours after a security update was released. This means that Drupal updates must be checked as frequently as possible (even though by default, Drupal checks once a day)

Stop using Internet Explorer after next Tuesday! (Sort of) (Naked Security) Only kidding! You can keep using Internet Explorer if you like

Cyber Trends

IIoT is as real and complicated as Star War's BB-8 Droid (Control) Like BB-8, IIoT looks futuristic and fantastic, while it's largely just a mashup of existing technologies in an innovative wrapper

The rise of algorithms for your algorithms (FierceBigData) According to a new Frost & Sullivan report, this is the year when machine learning algorithms will be used to evaluate the effectiveness of other algorithms. A handful of big-data-savvy companies already started that process last year, leading the way, but the research firm says that fledgling trend will fully emerge this year

Consumerization, cybersecurity among key challenges for hospital IT execs in 2016 (FierceHealthIT) Providers increasingly expected to 'do more with less,' FierceHealthIT Advisory Board members say

6 Mobile Security Predictions for 2016 (eSecurity Planet) Big changes for mobile security are ahead in 2016, predict mobile security experts

Loose talk on social media big security risk for firms, says Kaspersky (SC Magazine) Employees are risking their organisations' IT security and their own personal data by sharing too much information on social media

Visual hacking is not hacking (CIO) There's hacking and then there's copying off of your neighbor's work like we had to worry about in grade school. Remember. That's not really hacking, is it?

Marketplace

Cybersecurity Insurance Explosion Poses Challenges (Bloomberg BNA) Cybersecurity insurers may see premiums gross income rise by 300 percent or more in the next five years, even as the product's pricing and composition continue to evolve, insurance specialists and others told Bloomberg BNA

Exclusive: Verizon launches auction to sell data centers — sources (Reuters) Verizon Communications Inc VZ.N has started a process to sell its data center assets, hoping to fetch more than $2.5 billion, people familiar with the matter said on Tuesday, as the U.S. telecommunications conglomerate focuses on its core business

Army begins industry outreach for cloud transformation project (FierceGovernmentIT) The Army wants cloud computing vendors to pitch their solutions as part of its forthcoming cloud contract vehicle, said the service in a notice posted late last month

DHS Thinks Startups Know How Best to Protect the Internet of Things (Nextgov) The Department of Homeland Security wants to be able to detect all devices connected to its network in a particular location — say, an airport — and it thinks startups will know how to do it

Popular speaker manufacturer buys auto cybersecurity firm (The Hill) Harman International, maker of the popular JBL speakers, has agreed to buy automotive cybersecurity firm TowerSec

Cisco Completes Acquisition of Lancope for Visibility, Analytics Technology (The VAR Guy) Cisco Systems (CSCO) has completed its acquisition of security startup Lancope to add continuous visibility and traffic analysis to its network security portfolio

Are Cisco, Symantec, HP Angling For Fortinet, Qualys? (Investor's Business Daily) Cybersecurity firms Qualys (NASDAQ:QLYS), Fortinet (NASDAQ:FTNT) and Proofpoint (NASDAQ:PFPT) could be on the auction block in 2016, likely pitting Cisco Systems (NASDAQ:CSCO), Microsoft (NASDAQ:MSFT), Hewlett Packard Enterprise (NYSE:HPE) and Oracle (NYSE:ORCL) in a "long overdue" M&A battle, FBR analyst Daniel Ives said Wednesday

PayPal Co-Founder Max Levchin's Bet on Cryptography (BloombergBusiness) Max Levchin, PayPal's co-founder and Affirm's chief executive officer, discusses cryptography and what's next for Yahoo with Bloomberg's Emily Chang on "Bloomberg West." Levchin is also a former Yahoo board member

Products, Services, and Solutions

Don't Believe Headlines That Claim OS X Was The "Most Vulnerable" Software of 2015 (Intego Mac Security Blog) There is an old saying that is always worth remembering: "There are three kinds of lies: lies, damned lies, and statistics"

Kali Linux NetHunter 3.0 Android Mobile Penetration Testing Platform Out Now (Softpedia) After being in development for over a year, the Kali Linux NetHunter 3.0 Android application has been released earlier today, January 6, 2016, by Offensive Security, the company behind Kali Linux, the successor to BackTrack

LastPass 4.0 features fresh UX, emergency access, sharing center (Help Net Security) The latest version of the popular password manager includes a new UX, and a host of new features

Dashlane Launches Password Defense Alert (PRNewswire) Groundbreaking product enables companies to protect their customers' account data

CensorNet Secure Web Gateway review (CloudPro) Control exactly how your employees use the cloud

Samsung Portable SSD T3 offers increased data security and portability (Help Net Security) Samsung announced the Samsung Portable SSD T3, a palm-sized, external SSD that offers multi-terabyte storage capacity

Oscobo holds privacy above all with new browser (FierceCIO) It's tough to take on the likes of Google but Oscobo, a new search engine, hopes to do just that by focusing on user privacy

Proofpoint lance une solution de sécurité pour Instagram (Global Security Mag) Proofpoint, Inc., annonce le lancement d'une solution qui identifie automatiquement les menaces de sécurité, violations de conformité et publications inappropriées sur Instagram. Proofpoint SocialPatrol™permet d'exécuter une analyse avancée des images et du texte, lui-même incorporé ou non dans une image. Les marques et les organisations soucieuses des questions de conformité peuvent ainsi surveiller et supprimer les publications et commentaires inappropriés

ArcSight vs. Splunk? Why you might want both (CSO) User reviews suggest that rather than choose between the two highly-rated SIEM products, security managers would benefit from having both

Intel Security and VMware's AirWatch partner on mobile security initiatives (V3) Intel Security and AirWatch, VMware's enterprise mobility subsidiary, are expanding their partnership in a bid to help organisations cope with the security issues posed by mobile devices and better integrate mobile security with existing enterprise security systems

Technologies, Techniques, and Standards

HaLow, is it me you're hacking for? Wi-Fi standard for IoT emitted (Register) 802.11ah could be too expensive and too late

Wi-Fi standard could make Internet of Things things even easier…for hackers (Register) HaLow somewhat less than saintly

7 Tips For Mitigating Phishing And Business Email Hacks (Dark Reading) You can't stop someone from launching a phishing attack, but there are things you can do to mitigate the threat

The secure GC: Data breach preparedness through auditing (Inside Counsel) When a data breach occurs, the immediate hours after are both chaotic and critical to an effective response. Preparation is therefore essential

Minimizing Risk in the Face of FCPA Compliance (Legaltech News) Mitratech's paper offers a way for organizations to keep afloat as compliance grows more complex, though not everyone agrees

What's your cybersecurity whistleblower strategy? (CSO) Regulators and attorneys are growing more interested in cybersecurity accountability. One likely outcome of this interest is an increase in cybersecurity whistleblower cases. This means every organization needs to rethink how to handle internal and external security problem reporting

Docker and Security: How do they fit together? (Jaxenter) While Docker images are famously simple and practical, Docker security remains a tricky maze. Docker pros Dustin Huptas and Andreas Schmidt show us the essential security features you need to know for building a secure system with Docker

The Matrix Reloaded: Security Goals v. Operational Requirements (Dark Reading) Building a matrix that measures people, process, and technology against security goals is a proven method for reducing risk in an organization. Here's how

Data Insecurity: Flawed Technology Or Outdated Business Process? (Dark Reading) When it comes to protecting critical data, legacy processes are just as vulnerable as legacy software

Design and Innovation

Pioneer In Internet Anonymity Hands FBI A Huge Gift In Building Dangerous Backdoored Encryption System (Techdirt) I first came across cryptography pioneer David Chaum about a decade ago, during the debates about online voting. Many in the technology world were insisting that such things were impossible to do safely, but Chaum insisted he had come up with a way to do online voting safely (he'd also tried to do electronic money, DigiCash… unsuccessfully). Many people disagreed with Chaum and it led to some fairly epic discussions. It appears that Chaum is again making moves that are making many of his colleagues angry: specifically creating a backdoored encryption system

AT&T, Partners Work on Internet of Things-Based 'Smart City' Framework (ExecutiveBiz) AT&T has partnered with seven other technology companies to produce a smart-city development framework intended to help local government organizations to harness Internet of Things platforms for management of their cities

Defending the smart city (Intelligent Utility) With all the hype around Smart Cities today, you'd think they are ubiquitous

Research and Development

Cryptographers honored with Levchin Prize at Real World Cryptography Conference (Stanford Daily) The inaugural Levchin Prize for Real World Cryptography was awarded Wednesday at the Real World Cryptography Conference (RWCC), held annually at Stanford. Phillip Rogaway, professor of computer science at UC Davis, as well as the international miTLS research team, each received $10,000 for their work on cryptography

Legislation, Policy, and Regulation

Dutch government rejects UK government approach to encryption legislation (SC Magazine) A position paper written by the Dutch government assesses the arguments for and against encryption backdoors but comes down firmly against downgrading the technology

Netherlands opposes backdoors, but encryption still under assault (Naked Security) The Dutch government has officially declared its opposition to any restrictions on the development or use of encryption products, even as Dutch lawmakers are weighing legislation that could mandate backdoor government access to encrypted communications

Mass-surveillance 'undermines security' and failed to stop 9/11 attacks, says ex-NSA officer (Graham Cluley) According to a former officer at the United States National Security Agency (NSA), bulk data collection has resulted in the loss of life before, and it will lead to more lives lost in the future. Draft billOn Wednesday, William Binney, former director of the NSA's Analytic Service Office, is scheduled to present evidence before the UK Parliament's Joint Committee on the Draft Investigatory Powers (IP) bill

Groups warn asbestos bill could spur online identity theft (The Hill) Public interest groups are launching an 11th-hour campaign to kill a Republican-backed bill aiming to reduce asbestos lawsuit fraud that could receive a vote Thursday

At CES, Feds prod companies to expand privacy efforts (Computerworld via CSO) FTC chief says consumer opt-in agreements need to be clarified

How 'Do Not Track' Ended Up Going Nowhere (Re/code) Back in 2010, the Federal Trade Commission pledged to give Internet users the power to determine if or when websites were allowed to track their behavior

Litigation, Investigation, and Law Enforcement

NSA Did Not Spy On Congress Members During Iran Nuclear Debate, Top Intel Officials Say: Report (International Business Times) Top U.S. intelligence officials told the House Intelligence Committee Wednesday that the National Security Agency (NSA) did not spy on Congress members during last year's Iran nuclear debate

State Department gave 'inaccurate' answer on Clinton email use, review says (Washington Post) Two years before the public learned of Hillary Clinton's private server, the State Department gave an "inaccurate and incomplete" response about her email use when it told an outside group that it had no documents about Clinton's email accounts beyond her government address, according to a report from the State Department's inspector general to be released Thursday

Clinton aides' cybersecurity emails go from 38,000 to one (Politico) The State Department has dramatically revised downward — from about 38,000 to one — its estimate of the number of pages of messages in Hillary Clinton aides' private email about training on cybersecurity threats and other computer-related issues

Islamic State video turns British attention to banned group (Reuters) If London-born convert Abu Rumaysah is confirmed as the front man in the latest Islamic State video, then he will be just the latest in a long line of militants to emerge from a banned group the authorities say breeds easy prey for jihadist recruiters

Exclusive — California shooter's visa record shows routine interview, no flags raised (Reuters) The record of San Bernardino shooter Tashfeen Malik's U.S. visa interview in Pakistan shows it was conducted without any obvious irregularities and triggered no significant suspicions, according to a source familiar with the official State Department file

Scanning for terrorism — brain fingerprinting offers new hope in anti-terrorism fight (Canberra Times) The challenges faced by counterterrorism authorities are numerous. They include determining whether a person jailed for terrorism-related offences — and now due for release — has been deradicalised by imprisonment, or is just faking it

The FBI's 'Unprecedented' Hacking Campaign Targeted Over a Thousand Computers (Motherboard) In the summer of 2015, two men from New York were charged with online child pornography crimes. The site the men allegedly visited was a Tor hidden service, which supposedly would protect the identity of its users and server location. What made the case stand out was that the Federal Bureau of Investigation (FBI) had used a hacking tool to identify the IP addresses of the individuals

EFF: T-Mobile breaks net neutrality rules with Binge On service (Help Net Security) In February 2015, the FCC has approved net neutrality rules "to preserve the Internet as a platform for innovation, free, expression and economic growth"

Uber to pay $20,000 in settlement on privacy issues with New York attorney general (CSO) Uber will also secure and restrict employee access to customer geo-location data

For a complete running list of events, please visit the Event Tracker.

Upcoming Events

FloCon 2016 (Daytona Beach, Florida, USA, Jan 11 - 14, 2016) The FloCon network security conference provides a forum for large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic

Breach Planning & Incident Response Summit: Proactive Collaboration Between Private Industry and Law Enforcement to Mitigate Damage (Odenton, Maryland, USA, Jan 12, 2016) The Cybersecurity Association of Maryland, Inc.(CAMI), Chesapeake Regional Tech Council, Maryland Chamber of Commerce, Chesapeake Innovation Center, Tech Council of Maryland are partnering together to host this event designed to attract and educate CIO's, CISO's, CEO and Compliance officials from small to mid-sized commercial firms on the practical actions taken by the government, firms and organizations post-hack

Cyber Security Breakdown: Chicago (Chicago, Illinois, USA, Jan 12, 2016) This half day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than try and handle the breach during the chaos of the event, you'll understand how to build in advance, the best practices to respond effectively. Attend the Cyber Security Breakdown event that is focused on the unique issues and threats facing legal professionals

Insider Threat Program Development Training Course — Georgia (Atlanta, Georgia, USA, Jan 12 - 14, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation

FTC PrivacyCon (Washington, DC, USA, Jan 14, 2016) The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues lead by all manner of whitehat security researchers and academics, industry representatives, consumer advocates

National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting; Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting

POPL 2016 (St. Petersburg, Florida, USA, Jan 20 - 22, 2016) The annual Symposium on Principles of Programming Languages is a forum for the discussion of all aspects of programming languages and programming systems. Both theoretical and experimental papers are welcome, on topics ranging from formal frameworks to experience reports

Automotive Cyber Security Summit — Shanghai (Shanghai, China, Jan 21 - 22, 2016) The conference, which brings together automakers, suppliers, various connected-services providers and security specialists, will focus on government regulations, emerging automotive cyber security standards and new products and solutions designed to deal with the growing threats

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel

CyberTech 2016 (Tel Aviv, Israel, Jan 26 - 27, 2016) Cybertech is the most significant conference and exhibition of cyber technologies outside of the United States. Cybertech provided attendees with a unique and special opportunity to get acquainted with the latest innovations and solutions featured by the international cyber community. The conference's main focuses are on networking, strengthening alliances and forming new connections. Cybertech also provided an incredible platform for Business to Business interaction

Global Cybersecurity Innovation Summit (London, England, UK, Jan 26 - 27, 2016) SINET presents the Global Cybersecurity Innovation Summit, which focuses on providing thought leadership and building international public-private partnerships that will improve the protection of our respective homeland's critical infrastructures, national security and economic interests. Our objective is to advance innovation and the growth of the cybersecurity sector by providing a platform for cybersecurity businesses, particularly small and medium enterprises (SMEs), to connect with key UK, US, and international decision makers, system integrators, investors, government policy makers, academia and other influential business executives

Fort Meade IT & Cyber Day (Fort Meade, Maryland, USA, Jan 27, 2016) The Ft. Meade IT and Cyber Day is a one-day event held at the Officers' Club (Club Meade) on base. The event is held on-site, where industry vendors will have the opportunity to display their products and services to IT, Communications, Cyber and Intelligence personnel

ESA 2016 Leadership Summit (Chandler, Arizona, USA, Jan 31 - Feb 3, 2016) The electronic security industry is rapidly changing and continuously evolving. It's not enough to just survive. Businesses looking to thrive need to adapt to ensure their people, products, services and practices stay ahead of the curve. The Summit is a three-day conference filled with networking and educational opportunities dedicated to delivering business intelligence to electronic security companies and professionals that are ready to embrace innovation and grow