The CyberWire Daily Briefing 01.08.16

Cyber Trends

IoT at "the tipping point" in 2016, says government body (Electronics Weekly) The Digital Catapult has revealed its predictions for the UK's data industry in 2016. The Digital Catapult is the UK government's main technology business initiative for IoT applications

IoT security: Déjà vu, all over again (FierceITSecurity) As Internet of Thing devices proliferate at work and at home so do the vulnerable entry points for hackers

4 Cyber/Risk Predictions for 2016 (Hunt Scanlon Media via LinkedIn) Despite worrisome breaches in recent years, corporate America has a limited grasp of the growing and continually evolving threat of cyber incursions

Why C-Level Executives Need Training on Security Issues (Top Tech News) In the not-so-distant past, national banks proclaimed their power and security with giant pillars at their entrances, marble counters and thick glass separating bank tellers from bank patrons, and two-foot-thick vault doors that stood open during the day to show they were impenetrable

Legislation, Policy and Regulation

In France, A Balancing Act Between Liberty And Security (NPR) One year ago, gunmen stormed the Paris offices of satirical newspaper Charlie Hebdo and began a three-day killing spree that would claim 17 lives. Ten months later, in November, armed Islamist radicals struck the city again, killing scores at cafes and a concert hall

Australia 'may do dumb things' with crypto in 2016: EFF (ZDNet) Australia's approach to all things digital may be more clueful under Prime Minister Malcolm Turnbull, but there's still scope for some humiliating cyber stupidity

U.S. Tech Giants Join Forces Against U.K. Spying Plans (Bloomberg) Major global technology and telecommunications companies, from Microsoft to Google to Vodafone, have outlined their objections to a proposed U.K. law that they say would let British intelligence agencies engage in mass surveillance and force them to give the government access to encrypted communication

Microsoft, Google and Facebook slam government's encryption plans in Snoopers' Charter (V3) Microsoft, Google, Facebook, Twitter and Yahoo have criticised several aspects of the proposed Draft Investigatory Powers Bill in a joint submission to the government as opposition to the controversial legislation continues to mount

Facebook Inc., Google Inc., Microsoft Corp., Twitter Inc., Yahoo Inc. — written evidence (IPB0116) (Evidence Document: Parliament) National security is an important concern for Governments. Governments have a responsibility to protect people and their privacy. We believe a legal framework can protect both. Our companies want to help establish a framework for lawful requests for data that, consistent with principles of necessity and proportionality, protects the rights of the individual and supports legitimate investigations

Global Government Surveillance Reform (Reform Government Surveillance) The undersigned companies believe that it is time for the world's governments to address the practices and laws regulating government surveillance of individuals and access to their information

Max Levchin Wants to School Lawmakers on Encryption (Wall Street Journal) PayPal Inc.co-founder Max Levchin wants to make sure lawmakers know "what the hell they're talking about" when they talk about encryption

The Myth Of A Secure Back Door For Encryption (Xconomy) It seems like an appealing move — give the FBI and other law enforcement agencies, as well as our spy organizations, a back door — a "golden key" —to unlock encrypted communications to help catch criminals and terrorists and to protect Americans from harm

There's a huge debate over an encryption expert's plan solve the problem of online privacy (Business Insider) A veteran cryptographer has ignited furious debate over a proposal that could allegedly solve the "crypto war" over law enforcement access to encrypted data — but whose detractors think is incredibly dangerous

Top U.S. Officials to Meet With Tech CEOs on Terror Concerns (Wall Street Journal) Discussion to focus on whether social-media firms can do more to thwart terrorists

Revealed: White House seeks to enlist Silicon Valley to 'disrupt radicalization' (Guardian) Facebook, Twitter, Apple, Microsoft and YouTube will attend the meeting with intelligence agencies to discuss terrorists on social media and encryption

Obama's top national security officials to meet with Silicon Valley CEOs (Washington Post) Much of the national security leadership of the Obama administration is flying to California to seek tech firms' help in figuring out how to thwart terrorists who use the Internet to recruit and radicalize people and to plan attacks, according to U.S. officials

Why Is Islamic State So Hard to Beat? (Voice of America) Islamic State extremists have been bombed, strafed, derided and pushed back, yet they fight on

NSA Sides With Cruz in Surveillance Fight With Rubio (Inside Sources) A representative of the National Security Agency on Thursday said NSA is "confident" its new telephone surveillance program can strike the balance between privacy and national security, while giving the agency "access to a greater volume of call records" than it had previously

New National Security Tool Activated At Challenging Time (Lawfare) Late last year, a judge of the Foreign Intelligence Surveillance Court gave the green light to the National Security Agency to start using a new tool to help the government protect against international terrorism while balancing the legitimate need to protect privacy and civil liberties

IRS Dumps Proposal to Ask Charities for SSNs of Donors (Accounting Today) The Internal Revenue Service has dropped a proposed regulation giving tax-exempt organizations the option of providing the Social Security Numbers of their donors

Education Department cyber breach could dwarf OPM hack (Federal News Radio) The Education Department is facing the prospect of a cyber breach that would dwarf what the Office of Personnel Management experienced in 2015, warned a key lawmaker this week

Taking stock of Obama's cyber record (Politico) As the Obama administration begins its final year, a man who was there at the beginning says the president was slow to grasp the cybersecurity challenge. "I think that they could've pressed much more quickly to get a greater sense of security across federal civilian agencies," said Paul Kurtz, who headed cybersecurity policy for Obama's 2008-2009 transition team

Policy Makers Try To Define Security, Privacy With The IoT (iDigitalTimes) As our lives become increasingly technology driven, the amount of personal data collected, shared and exchanged along with privacy/security concerns of connected devices means government officials are taking a long look at what the IoT (Internet of Things) means for users, companies and policymakers in the future

Intelligence Community cyber center gets trio of leadership appointments (Federal Times) Almost one year ago, President Barack Obama announced a slate of initiatives to improve the nation's cybersecurity, including a new central clearinghouse for cyber threat information to be managed by the Intelligence Community

Products, Services, and Solutions

Benchmark Executive Search Launches Expanded Board of Director Practice (PRNewswire) Search firm expands Board practice to meet increased demand for Directors with Cyber Security, Physical Security, National Security and Risk Management Expertise

ProPublica Launches the Dark Web's First Major News Site (Wired) The so-called dark web, for all its notoriety as a haven for criminals and drug dealers, is slowly starting to look more and more like a more privacy-preserving mirror of the web as a whole. Now it's gained one more upstanding member: the non-profit news organization ProPublica

Kingston releases encrypted USB with keypad access (Help Net Security) Kingston released the DataTraveler 2000 encrypted USB 3.0 Flash drive, which offers hardware encryption and PIN protection with access through an onboard alphanumeric keypad. It's available in 16GB, 32GB and 64GB capacities and is backed by a three-year warranty

ThreatStream Adds Award Winning Security Solution Tripwire to its Integrated Partner Portfolio (MarketWired via EIN News) ThreatStream®, the pioneer of an enterprise-class threat intelligence management platform, today announced the addition of Tripwire to its portfolio of integrated solution partners. Tripwire delivers advanced threat, security and compliance solutions enabling enterprises, service providers and government agencies around the world to detect, prevent and respond to cyber security threats

Technologies, Techniques, and Standards

Blocking Shodan isn't some sort of magical fix that will protect your data (CSO) If an organization is exposing sensitive data to the Internet, blocking Shodan isn't going to fix the problem

My Account Was Hacked — Here's How to Control the Damages (Heimdal) Ok, let's set one thing clear from the beginning: you are not safe online. I am not safe online. Online safety is an oxymoron. Nobody is and never will be safe online

Figuring Out What Happened After a Data Breach (IBM Security Intelligence) What's your plan for when that inevitable network event or, worse, that data breach occurs? Is it to figure things out as you go or is it to plan things out in advance to the best of your abilities before the going gets rough?

Security breaches are inevitable, so how are you going to contain them? (IT Security Guru) Cyber security isn't working. Too many companies are being breached; and governments globally are recognising the need to invest heavily to protect vital services and infrastructure. However, today's defence in depth security models are not completely flawed; they are, perhaps, naïve

Does a data breach really affect your firm’s reputation? (Network World) The long-held view is that breached companies are cast aside by consumers, investors and shareholders. A breach isn't just a temporary glitch — it's a mistake, a faux pas, which you can't just shake off

You can't stop what you can't see: Mitigating third-party vendor risk (Help Net Security) Third-party vendors are a liability for host organizations, often unwittingly creating backdoors and exposing sensitive data. In fact, according to the Ponemon Institute "Aftermath of a Data Breach Study," 53 percent of organizations felt vulnerable to another breach due to negligent third parties including vendors and outsourcers

Marketplace

2016 — the rise of the cyber security and data breach reporting officer (IT Security Guru) A leading crime lawyer predicts 2016 to be the year where organisations appoint dedicated cyber security and data breach reporting officers as part of their legal compliance obligations

Notable tech decliners: GPRO, FIT, FEYE, AMBA, YNDX, MXWL, FUEL (Seeking Alpha) The Nasdaq is down 2.4%, and the S&P down 2%, as investors continue fleeing to safety amid ongoing Chinese worries. Not surprisingly, many high-beta tech names are seeing much steeper losses

Exclusive: Intel Reorganizes A Major Business (Fortune) Company vows that Wind River will keep supporting non-Intel devices

CACI wins place on DIA tech support contract (UPI) CACI International wins place on $6 billion IT contract

Authentic8 Expands Position in Federal Market (Power Engineering) Authentic8, creator of Silo, the cloud-based secure and policy-controlled browser, is expanding its investment in delivering solutions to the federal market. This investment comes on the heels of significant growth in the segment in 2015

Forbes Names Illumio as One of the World's "Hottest" Technology Companies (Sys-Con Media) Illumio, the adaptive security company, announced today that it has been recognized on two of Forbes "Hottest" lists as an industry breakout — the Hottest Startups of 2015 and the Hottest Cybersecurity Startups of 2015

Two More IBM Execs Hit the Road (Fortune) Big question: Can IBM replenish its ranks with fresh thinkers?

Research and Development

Researchers investigate the ethics of the Internet of Things (ZDNet) Privacy and security of IoT in the spotlight in £23m project

Security Patches, Mitigations, and Software Updates

Mozilla hastily backpedals on SHA-1 ban after impact larger than thought (FierceCIO) It has released an update that re-enables support for SHA-1

Mozilla Warns of SHA-1 Deprecation Side Effects (Threatpost) As promised, Mozilla officially began rejecting new SHA-1 certificates as of the first of the year. And as promised, there have been some usability issues

Cyber Attacks, Threats, and Vulnerabilities

ISIS Terrorists Kill Female Journalist, Hack Facebook Account (Hack Read) The terrorists first murdered the female journalist Ruqia Hassan and then hacked her Facebook account to spy on her contacts

U.S. firm blames Russian 'Sandworm' hackers for Ukraine outage (Reuters) U.S. cyber intelligence firm iSight Partners said on Thursday it has determined that a Russian hacking group known as Sandworm caused last month's unprecedented power outage in Ukraine

Russia Suspected in First-ever Cyberattack on Ukraine's Power Grid (Voice of America) In the last months of 2015, the conflict between Russia and Ukraine over Crimea's annexation and continuing strife in Ukraine's east appeared largely to be in stalemate. But now, with the new year, it appears the conflict is heating up again, and playing out on the region's electric grids

DDoS attacks against cloud provider Linode appear to be ruse for breach of user accounts (FierceITSecurity) Cloud hosting provider Linode has suffered a series of more than 30 distributed denial of service attacks that appear to be a diversion from a breach of user accounts

Linode Status Page (Linode) Due to protective measures taken to mitigate ongoing DDoS attacks, some customers may not be able to connect

DDoS attack on BBC may have been biggest in history (CSO) Last week's DDoS against the BBC may have been the largest in history

Rigging Compromise — Rig Exploit Kit (Talos ) Exploit Kits are one of the biggest threats that affects users, both inside and outside the enterprise, as it indiscriminately compromises simply by visiting a web site, delivering a malicious payload. One of the challenges with exploit kits is at any given time there are numerous kits active on the Internet. RIG is one of these exploit kits that is always around delivering malicious payloads to unsuspecting users. RIG first appeared in our telemetry back in November of 2013, back then we referred to it as Goon, today it's known as RIG

Cybercriminals target WhatsApp users with malware-laden spam attack (FierceITSecurity) Cybercriminals are sending bogus emails claiming to be providing official WhatsApp content, but delivering malware instead, according to a blog post by Comodo Antispam Labs

WhatsApp the subject of new malware attack (Comodo) The Comodo Antispam Labs (CASL) team has identified a new malware attack targeted specifically at businesses and consumers who might use WhatsApp, a multi-platform mobile phone messaging service that uses your phone's Internet connection to chat with and call other WhatsApp users

Lookout finds 13 malicious Brain Test apps in Google Play (FierceITSecurity) Researchers at security firm Lookout have uncovered 13 malicious apps in Google Play that matched the characteristics of Brain Test, an adware family that roots victims' Android devices

Brain Test re-emerges: 13 apps found in Google Play (Lookout) The malware family Brain Test, unfortunately, has made a comeback. Some variants attempt to gain root privilege, and persist factory resets and other efforts to remove it, especially on rooted devices

EZCast TV Streaming Dongle Leaves Home Networks Wide Open to Hackers (Infosecurity Magazine) In a plot point worthy of CSI: Cyber, the EZCast TV streaming device has been found to have a vulnerability that enables hackers to gain access to entire home networks

Konnichiwa, Rovnix! Aggressive Malware Hits Japanese Banks (IBM Security Intelligence) IBM X-Force researchers have discovered that the cybercrime gang operating the Rovnix Trojan has launched an aggressive new infection campaign in Japan

Chinese Bank Customers Targeted with SMS Phishing Campaign (Hack Read) You have heard about phishing but now you will learn about Smishing

'Spymel' Is Latest Example Of Attackers Using Signed Malware (Dark Reading) What was once reserved for targeted attacks is being increasingly used to distribute common crimeware payloads says Zscaler

The SLOTH attacks: why laziness about cryptography puts security at risk (Naked Security) The big "cryptographic cracking" story so far in 2016 is SLOTH, which is not only interesting and important, but also a VUWACONA, making it eye-catching as well

HTTPS Bicycle attack reveals password length, allows easier brute-forcing (Help Net Security) Dutch security researcher Guido Vranken has come up with a new attack that could allow attackers to discover the length of a user's password — and therefore make it easier to brute-force it — by analyzing a packet capture of the user's HTTPS traffic

New Discovery Around Juniper Backdoor Raises More Questions About the Company (Wired) When tech giant Juniper Networks made the startling announcement last month that it had uncovered two mysterious backdoors embedded in software running on some of its firewalls, certain people in the security community praised the company for being honest about its discovery

Feds Still Scrutinizing Networks Following Juniper Networks Hack (SIGNAL) The federal government cautioned its agencies and federal contractors of a network vulnerability that could let hackers access systems. The scurry to inform agencies and instruct them to patch for vulnerabilities occurred after the discovery of unauthorized code during a review of Juniper Networks software

The 'bogus boss' email scam costing firms millions (BBC) It's a boss's worst nightmare. You return from a trip to find that hundreds of thousands of dollars has been transferred out of company accounts — apparently at your instruction

Well-informed tech support scammers target Dell users (Help Net Security) Has Dell been breached and its databases containing customer's personal, computer and tech support data been pilfered?

Fitbit, warranty fraud, and hijacked accounts (Help Net Security) Online account hijackings usually end up with the account owners being the main victims, but there are fraudsters out there who are more interested in ripping off companies than end users

Comcast XFINITY flaw sounds Internet of Things security alarm (SC Magazine) The recently discovered flaws in Comcast's XFINITY smart home technology was met with the comment that yes, but everyone else is just as bad. Why should this be true of IoT devices?

New Blackphone 1 Vulnerability Highlights Continued Challenges In Mobile Security (CRN) After being heralded as one of the most secure options when it comes to mobile devices, new research out this week reveals a vulnerability in Silent Circle's Blackphone 1

Dirty data centers could be a threat in 2016 (Datacenter Dynamics) Rise in emergency cleans is a sign facilities are getting slack

How Bad Is Microsoft's Data Land-Grab? (Slate) Some critics misunderstand what the company is up to. That doesn't make it any more trustworthy

Millions of server logs injected with poem inviting them to jump in the river (Naked Security) "The internet is ours, and it is adorable," said hackers going by the name of masspoem4u who managed to insert a poem into millions of web servers' logs shortly before the new year

Litigation, Investigation, and Enforcement

European police smash ATM malware gang (ComputerWeekly) Cyber criminals caused substantial losses across Europe by using Tyupkin malware to access ATM cash cassettes

Отдам код в хорошие руки (Коммерсантъ) ФСБ пресекла продажу ключевого алгоритма "Яндекса"

On Heels of Oracle Settlement, FTC Burns Company For Security Practices (Dark Reading) Federal Trade Commission sticks medical software developer with $250,000 bill for lying about encryption capabilities

Judge rules post-breach lawsuit allowable against Boston Medical Center (FierceHealthIT) A lawsuit may soon be filed against Boston Medical Center Corp. (BMC) after a judge in the Massachusetts Superior Court ruled that a plaintiff had the right to sue the health system following a breach of their medical records

IRS employee arrested for stealing taxpayers' sensitive information (FierceGovernmentIT) An Internal Revenue Service employee whose job it was to assist identify theft victims was arrested last month for filing $1 million in false tax claims using stolen identities

T-Mobile's Binge On: When throttling may not break the rules (Ars Technica) CEO John Legere says throttling accusation is "semantics" and "bullshit"

John Legere asks EFF, "Who the f**k are you, and who pays you?" (Ars Technica) T-Mobile CEO takes on digital rights group that objected to video throttling

Design and Innovation

Google Translate glitch brands Russia "Mordor" (ITPro) Algorithm mistook Ukrainian insults for accurate descriptions of Russia and its officials

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

CISO Canada Summit (Montréal, Québec, Canada, Feb 21 - 23, 2016) Tactics and best practices for taking on enterprise IT security threats. The CISO Summit will bring together C-level IT security executives, industry analysts and solution providers to discuss challenges and best practices in a relaxed, yet focused business setting

CISO New York Summit (New York, New York, USA, Feb 25, 2016) A data breach is not only a PR nightmare, but cause for customers to turn to competitors, exposing sensitive company information and racking up fines from industry regulators. In order for organizations to operate smoothly, CISOs and IT security executives need to be ahead of the hackers, and kept abreast of the latest IT security topics and trends. Agenda sessions include panel discussions, think tanks, analyst Q&A sessions and much more

CISO Summit Europe (London, England, UK, Feb 28 - Mar 1, 2016) With the media covering the latest data breaches, cloud computing security questions going unanswered and hackers developing more sophisticated attacks, the IT department has a growing responsibility to protect customer and company data. The CISO Summit will bring together C-level IT security executives, industry analysts and solution providers to discuss challenges and best practices in a relaxed, yet focused business setting. Agenda sessions include engaging Keynote Presentations, Thought Leadership sessions, CISO Think Tanks, Analyst Q&As and much more

upcoming Events

FloCon 2016 (Daytona Beach, Florida, USA, Jan 11 - 14, 2016) The FloCon network security conference provides a forum for large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic

Breach Planning & Incident Response Summit: Proactive Collaboration Between Private Industry and Law Enforcement to Mitigate Damage (Odenton, Maryland, USA, Jan 12, 2016) The Cybersecurity Association of Maryland, Inc.(CAMI), Chesapeake Regional Tech Council, Maryland Chamber of Commerce, Chesapeake Innovation Center, Tech Council of Maryland are partnering together to host this event designed to attract and educate CIO's, CISO's, CEO and Compliance officials from small to mid-sized commercial firms on the practical actions taken by the government, firms and organizations post-hack

Cyber Security Breakdown: Chicago (Chicago, Illinois, USA, Jan 12, 2016) This half day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than try and handle the breach during the chaos of the event, you'll understand how to build in advance, the best practices to respond effectively. Attend the Cyber Security Breakdown event that is focused on the unique issues and threats facing legal professionals

Insider Threat Program Development Training Course — Georgia (Atlanta, Georgia, USA, Jan 12 - 14, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. bring? Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation

FTC PrivacyCon (Washington, DC, USA, Jan 14, 2016) The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues lead by all manner of whitehat security researchers and academics, industry representatives, consumer advocates

National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting; Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting

POPL 2016 (St. Petersburg, Florida, USA, Jan 20 - 22, 2016) The annual Symposium on Principles of Programming Languages is a forum for the discussion of all aspects of programming languages and programming systems. Both theoretical and experimental papers are welcome, on topics ranging from formal frameworks to experience reports

Automotive Cyber Security Summit — Shanghai (Shanghai, China, Jan 21 - 22, 2016) The conference, which brings together automakers, suppliers, various connected-services providers and security specialists, will focus on government regulations, emerging automotive cyber security standards and new products and solutions designed to deal with the growing threats

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel

CyberTech 2016 (Tel Aviv, Israel, Jan 26 - 27, 2016) Cybertech is the most significant conference and exhibition of cyber technologies outside of the United States. Cybertech provided attendees with a unique and special opportunity to get acquainted with the latest innovations and solutions featured by the international cyber community. The conference's main focuses are on networking, strengthening alliances and forming new connections. Cybertech also provided an incredible platform for Business to Business interaction

Global Cybersecurity Innovation Summit (London, England, UK, Jan 26 - 27, 2016) SINET presents the Global Cybersecurity Innovation Summit, which focuses on providing thought leadership and building international public-private partnerships that will improve the protection of our respective homeland's critical infrastructures, national security and economic interests. Our objective is to advance innovation and the growth of the cybersecurity sector by providing a platform for cybersecurity businesses, particularly small and medium enterprises (SMEs), to connect with key UK, US, and international decision makers, system integrators, investors, government policy makers, academia and other influential business executives

Fort Meade IT & Cyber Day (Fort Meade, Maryland, USA, Jan 27, 2016) The Ft. Meade IT and Cyber Day is a one-day event held at the Officers' Club (Club Meade) on base. The event is held on-site, where industry vendors will have the opportunity to display their products and services to IT, Communications, Cyber and Intelligence personnel

ESA 2016 Leadership Summit (Chandler, Arizona, USA, Jan 31 - Feb 3, 2016) The electronic security industry is rapidly changing and continuously evolving. It's not enough to just survive. Businesses looking to thrive need to adapt to ensure their people, products, services and practices stay ahead of the curve. The Summit is a three-day conference filled with networking and educational opportunities dedicated to delivering business intelligence to electronic security companies and professionals that are ready to embrace innovation and grow