The CyberWire Daily Briefing 03.28.16

Summary

By The CyberWire Staff

Details of how hackers allegedly got into the control system of that dam in Rye, New York, emerge from the US Justice Department's indictment of seven Iranians. They're said to have found the dam's vulnerable systems by Google-dorking, and then worked their way in through there.

ISIS is said to respond to reverses on the ground by, first, conducting increasingly violent propaganda-of-the-deed outside its core territory (which it then celebrates online) and, second, within territory still under ISIS control, employing closely controlled legacy media and harshly repressive censorship. It's apparently not particularly active on the dark web, which is, as Defense One points out, "too slow and annoying for terrorists." Good for black markets, but not for information ops.

Trustwave researchers describe a cross-site scripting vulnerability in the widely used open source online shopping cart app Zen Cart.

Stolen code-signing certificates are finding their way into crimeware toolkits as criminals adapt to SHA-2, Symantec finds.

Researchers at Carbon Black are warning of a new ransomware strain, "PowerWare," which is fileless and written in the Windows PowerShell scripting language. Word documents crafted to induce victims to disable the Word preview sandbox and execute malicious macros are the vectors. Hospitals are particularly affected.

In industry news, cyber insurance underwriters continue to worry about the paucity of actuarial data.

Apple is apparently familiar with Cellebrite, engaged by the FBI in the San Bernardino jihad case. Observers think the Bureau will eventually have to disclose how they got into that iPhone (assuming it succeeds).

Notes.

Today's issue includes events affecting Belgium, Canada, European Union, India, Iran, Saudi Arabia, United Arab Emirates, United States

On the Podcast

Catch the CyberWire's Daily podcast this afternoon, including a discussion with BUFFERZONE Security of the ways in which hospitals are vulnerable to ransomware. We'll also hear from the University of Maryland's Jonathan Katz, who explains the importance of random numbers to cyber security.

Sponsored Events

Women in Cybersecurity (WiCYS) 2016 (Dallas, TX, March 31 - April 2, 2016)

Selected Reading

Cyber Trends

Data Ethics Dilemma?: Privacy in the Modern Age (Legaltech News) Big Data has changed our interaction with the world. What does it mean for ethics and privacy?

Your Favorite Movies and Cyber from Down Under (New America) New America's Peter Singer and Passcode's Sara Sorcher interview Walter Parkes, the noted screenwriter-turned-film producer who’s behind many of your all time favorite cybersecurity movies: Sneakers and WarGames. They talk about the hacker archetypes depicted in pop culture, why these movies resonate with this community, how fiction sometimes inspires real policy change in this field – and whose cybersecurity work he finds most fascinating

Legislation, Policy and Regulation

This war on math is still bullshit (TechCrunch) In the wake of Paris, San Bernardino, and now Brussels, the encryption debate has become such a potent cocktail of horror, idiocy, and farce that it has become hard to tease out any rational threads of discussion

Time to rewrite the rules on cyberattacks (Washington Post) About 30 miles north of New York City, in Rye, N.Y., sits the Arthur R. Bowman Dam, a reinforced-concrete gravity dam constructed a century ago for ice-making, and now primarily used for flood control, with a sluice gate that can control water permitted to flow downstream. Between Aug. 28 and Sept. 18, 2013, a hacker sneaked into computer systems that monitor the dam and move the sluice gate

U.S. National Security Agency Head Paid Secret Visit to Israel (Haaretz) Working visit dealt with deepening cooperation between Israeli and American intelligence units, especially against cyber attacks by Iran and Hezbollah

Marines forming new cyberwarrior unit (Stars and Stripes) The Marine Corps is standing up a new unit of cyberwarriors as the global battlefield evolves to include more and more computer networks

White House Petition Aims To Stop The JavaScript Scourge (InformationWeek) Is it time to put an end to JavaScript once and for all? Someone thinks so, and they've got the White House petition to prove it

Products, Services, and Solutions

Even Apple uses tech from the company allegedly helping the FBI crack an iPhone (BGR) There’s an entire industry devoted to cracking the iPhone and other smartphones

Technologies, Techniques, and Standards

Evaluating a NGFW? Here Is All You Need to Know (eSecurity Planet) Here is solid advice for evaluating a next-generation firewall (NGFW), from features to consider to questions to ask

How To Share Threat Intelligence Through CISA: 10 Things To Know (Dark Reading) If you want those liability protections the Cybersecurity Information Sharing Act promised, you must follow DHS's new guidelines

Confused by crypto? Here's what that password hashing stuff means in English (Register) Encryption, certificates, public and private keys – it's all here

No One Should Ever Pay to Remove a Bitcoin Ransomware Infection (Bitcoins Channel) Bitcoin ransomware has been a topic of considerable discussion in the media throughout 2015

Banks failing with password management, but why? (Help Net Security) A recent study shows some terrifying results: banks in the U.S. often have less secure password policies in place than do social media websites

Building a Resilient Cyber Defense (InfoRiskToday) Experts: New Framework Should Resist and Respond to Emerging Threats

Security doesn't just happen, cyber experts say (Business Insurance) Risk managers worrying about cyber threats have to be aware that not only can their systems be attacked for their data, but that criminals also may use their systems to commit cyber crimes against others, according to a security expert

Marketplace

Care in writing cyber cover warranted (Business Insurance) Lack of data on threats troubles insurers

Bromium raises $40M and hires a CFO (Silicon Valley Business Journal) Security startup Bromium raised $40 million in funding on Friday and hired a chief financial officer

Splunk: Is The Share Price Outrageous? (Seeking Alpha) Splunk shares have been in an extended downtrend since last summer and are selling for 36% less than they were 5 months ago. The company continues to beat consensus expectations significantly and to raise guidance almost continuously

Symantec Is A Value Trap (Seeking Alpha) Symantec seems like a good relative value play in its space. However, there are many reasons to dislike Symantec. And further still, there's a powerful bearish thesis that calls into question all of Symantec's profitability. Moreover, this bearish thesis is structural

IBM plans to open 250 cybersecurity managers designation in New Brunswick for future (Markets Morning) In collaboration, both New Brunswick premier Brian Gallant and IBM Canada would create approx. 100 full time jobs within company’s security division in Fredericton – pay range: US$ 50,000 to US$ 75,000 on an individual scale basis

NIST is looking for a few good cryptographers (FCW) The National Institute of Standards and Technology wants to hire more than a dozen cryptographers to deal with a growing portfolio, said Matthew Scholl, chief of NIST's Computer Security Division

Hackers Can Be Our Cybersecurity Allies (Wall Street Journal) It’s time to stop stigmatizing and start recruiting those whose technology skills could keep the country safe

What will it take to diversify the cyber workforce? (FCW) The cybersecurity field is dominated by white men, but the International Consortium of Minority Cybersecurity Professionals aims to help ensure that U.S. companies and government agencies have access to a full spectrum of talent -- and that all Americans have a shot at jobs in the increasingly critical cybersecurity arena

Cyber Attacks, Threats, and Vulnerabilities

The Dark Web Is Too Slow and Annoying for Terrorists (Defense One) For starters, a site on the dark web doesn’t do what jihadis need it to do: get their message out

Totalitarianism 101: The Islamic State’s Offline Propaganda Strategy (Lawfare) In the last few years, the Islamic State has expended a staggering amount of energy in pursuit of a position at the top of the global jihadist food chain. Given its sustained control over of huge tracts of land in Iraq and Syria, declaration of a transnational caliphate, and wide-ranging assaults against civilians from Paris to Jakarta, some would say it has achieved this with remarkable efficiency

ISIS's Campaign in Europe: March 2016 (Institute for the Study of War) ISIS is using its foreign fighters and safe haven in Iraq and Syria to execute a terror campaign within Europe. ISIS’s March 22 Brussels attacks support a larger strategy to punish, destabilize, and polarize the West

Ron Johnson on ISIS: 'Our critical infrastructure is vulnerable' (CNN) The Senate's homeland security chairman says he is "highly concerned" that infrastructure like power plants in the United States and Europe is vulnerable to ISIS attacks

Nine Lessons of Russian Propaganda (Small Wars Journal) After visiting repeatedly, I moved to Ukraine from the United States in 2012. My parents had been born in Ukraine and taught me some of the language during my childhood in Queens, NY

Google Search Technique Aided N.Y. Dam Hacker in Iran (Wall Street Journal) Iranian charged with hacking computer system that controlled New York dam used search process to identify the vulnerable system

TWSL2016-006: Multiple XSS Vulnerabilities reported for Zen Cart (Trustwave SpiderLabs Blog) Today Trustwave released a vulnerability advisory in conjunction with Zen Cart. Researchers from the SpiderLabs Research team at Trustwave recently found multiple Cross-Site Scripting (XSS) vulnerabilities in the popular online open source shopping cart application

Malware authors quickly adopt SHA-2 through stolen code-signing certificates (IDG via CSO) Malware pushers have adapted to new Windows restrictions on files signed with SHA-1-based digital certificates

New ransomware abuses Windows PowerShell, Word document macros (IDG via CSO) The PowerWare ransomware is written completely in the Windows PowerShell scripting language

Fileless Powerware Ransomware Found on Healthcare Network (Threatpost) Attackers are not through testing the limits of what they can do with new features in ransomware samples

Key takeaways from the rise of KeRanger malware (Trend Micro: Simply Security) The Mac versus PC debate is often framed in the context of cyber security

HTTPS may not be as safe as it once was (Trend Micro: Simply Security) Proper encryption is seen by many as the linchpin to the Internet's current and future success

Verizon says security breach leads to customer data leak (Reuters) Verizon Communications Inc (VZ.N) said an attacker had exploited a security vulnerability on its enterprise client portal to steal contact information of a number of customers

Facebook Safety Check develops glitch, checks on people far from Lahore blast (IDG via CSO) People as far away as the the UK and the US received notifications

Enterprise security: The easiest data breaches are the hardest to stop (ZDNet) Stealing sensitive data can be as easy as emailing a payroll staff member and requesting copies of everyone's W-2s

Litigation, Investigation, and Enforcement

Can Europe Connect the ISIS Dots? (Foregin Policy) The Brussels attacks expose yet again the bureaucratic walls that prevent European agencies from sharing intelligence on terror threats

Who Will Become a Terrorist? Research Yields Few Clues (New York Times) The brothers who carried out suicide bombings in Brussels last week had long, violent criminal records and had been regarded internationally as potential terrorists. But in San Bernardino, Calif., last year, one of the attackers was a county health inspector who lived a life of apparent suburban normality

How Belgian prisons became a breeding ground for Islamic extremism (Washington Post) Stephane Medot knows a thing or two about Belgian prisons

Who lives, dies in attacks can give clues about terror cells (AP via Yahoo! News) The bomb maker, the transporter, the landlord and the cipher. The four men slipped away after the Nov. 13 attacks in Paris, and all but one reappeared as key figures in the Islamic State cell that went on to attack Brussels

UAE finds 38 guilty in terror case, issues 11 life sentences (AP via Yahoo! News) The top security court in the United Arab Emirates on Sunday sentenced 38 people to prison in connection to a cell accused of plotting terrorist attacks and seeking to overthrow the government to create an Islamic state

Former NSA head to FBI: ‘Get over’ Apple dispute (The Hill) A former head of two intelligence agencies had a clear message on Friday for the government as it tries to get Apple to unlock an iPhone used by one of the San Bernardino shooters

Opinion: Why the FBI will eventually reveal its iPhone hack to Apple (Christian Science Monitor Passcode) Because of a two-year-old policy known as the Vulnerability Equities Process, the government may be compelled to disclose the flaw it is attempting to use for unlocking the San Bernardino shooter's iPhone

Iran Rebuffs U.S. Cyber-Attack Charges for Lack of Evidence (Bloomberg) Iran brushed aside cyber-attack charges brought against seven of its citizens by U.S. prosecutors, accusing Washington of putting millions of Iranians in danger with its own attacks on Iran’s nuclear program

From a dam in New York to the cyberattacks on Aramco (Al Arabiya) If engineers at a dam in New York hadn’t disconnected water gates from its electronic control center for maintenance work, a major disaster would have happened

Cyber-attackers follow VVIPs, spike in attacks before important meetings (Economic Times) A day before Prime Minister Narendra Modi's visit to Afghanistan in December 2015, the email account of India's then ambassador to the country Amar Sinha was hacked by cyber attackers when he downloaded a malicious MS Word document sent as an email attachment

How Clinton’s email scandal took root (Washington Post) Hillary Clinton’s email problems began in her first days as secretary of state

The Forgotten 1957 Trial That Explains Our Country’s Bizarre Whistleblower Laws (Politico) In John Nickerson’s trial, we see the early rumblings of tensions that plague leak prosecutions today

Russian investor, funds settle U.S. press release hacking case (Business Insurance) A Moscow-based hedge fund manager, his investment firms and two Paris-based funds have agreed to pay nearly $18 million to resolve a U.S. regulator's claims that they engaged in insider trading using hacked press releases from newswire services

Court: Essentially none of cryptocurrency firm’s assets “actually exist” (Ars Technica) Gemcoin videos claimed that "trusted" cryptocurrency was "backed" by amber mines

Design and Innovation

Software security needs a new perspective (TechCrunch) Source code bugs have been a constant in the software industry since the dawn of computers — and have ever been a major source of attacks, exploits and security incidents

How 4 Startups Are Harnessing AI In The Invisible Cyberwar (Dark Reading) Cybersecurity startups are setting their scopes on a potential goldmine of automated systems they hope will be more effective than hiring human enterprise security teams

It’s Your Fault Microsoft’s Teen AI Turned Into Such a Jerk (Wired) It was the unspooling of an unfortunate series of events involving artificial intelligence, human nature, and a very public experiment

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Cloud Security Expo 2016 (London, England, UK, April 12 - 14, 2016) Cloud Security Expo is a cloud security event with over 80 dedicated cloud security exhibitors, seven streams of content, over 150 security speakers, and 40 real cloud security and compliance case studies. The conference will bring together the top business leaders and decision makers from across organisations and sectors already profiting from securing the cloud with confidence.

ACSC Conference 2016 (Canberra, Australia, April 12 - 14, 2016) The ACSC Conference 2016 will bring together experts from Australia and abroad to discuss trends, mitigations and advances in cyber security. CEOs, CIOs, CISOs, CTOs, ICT Managers, ITSAs, ITSPs, IRAP Assessors, Researchers, Risk managers – anyone with an interest in cyber security or connected to the internet would benefit from attending.

2016 Cybersecurity Symposium ( Coeur d’Alene, Idaho, USA, April 18 - 20, 2016) The Cybersecurity Symposium: Your Security, Your Future is an opportunity for academic researchers and software and system developers from industry and government to meet and discuss state of the art processes related to cybersecurity, which will include practice research and technologies. This symposium seeks submissions from academia, industry, and government to present innovative research, case studies, and best practices on all practical and theoretical aspects of cybersecurity.

6th European Data Protection Days (EDPD) (Berlin, Germany, April 25 - 26, 2016) The EDPD Conference will provide participants from the business side with all the important news and updates for the international data protection business at a high level. These include key developments such as the EU General Data Protection Regulation and the landmark decision by the European Court of Justice that the Commission’s US Safe Harbor decision is invalid.

3rd East Africa Cyber Defense Convention 2016 (Nairobi, Kenya, April 29, 2016) Building on the success of previous conventions series in the last two years and with insights from cybersecurity experts, participants at this conferene learn how organisations should successfully respond. Enhancing security, resiliency and reliability of a nation’s / organisation's cyber and communications infrastructure is a challenge that must be met, attendance of the 3rd Annual Cyber Security Convention 2016 will equip participants with a comprehensive range of clarifications and solutions.

Cyber Investing Summit 2016 (New York, New York, USA, May 3, 2016) The Cyber Investing Summit is an all-day conference focusing on the investment opportunities, trends and strategies available in the $100+ billion cyber security sector. Network with investment professionals, asset managers, industry experts, financial analysts, media and more.

Security of Things World (Berlin, Germany, June 27 - 28, 2016) Security. Privacy. Connected Devices. Exploring Security and the Internet of Things. A world class event focused on the next information security revolution. Be part of Security of Things World in June in Berlin to tailor your proposition to respond to the security concerns that preoccupy enterprise customers today and find pragmatic solutions to the most common security threats.

Security of Things World USA (San Diego, California, USA, November 3 - 4, 2016) Security. Privacy. Connected Devices. Exploring Security and the Internet of Things. A world class event focused on the next information security revolution. Be part of Security of Things World USA in November in San Diego to tailor your proposition to respond to the security concerns that preoccupy enterprise customers today and find pragmatic solutions to the most common security threats.

upcoming Events

Black Hat Asia 2016 (Singapore, March 29, 2016) Black Hat is returning to Asia again in 2016, and we have quite an event in store. Here the brightest professionals and researchers in the industry will come together for a total of four days — two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures at our Briefings

TU-Automotive Cybersecurity USA 2016 (Novi, Michigan, USA, March 29 - 30, 2016) TU-Automotive Cybersecurity dissects the real issues behind the headlines, helping you to apply technology and best practices to deliver robust security defenses and processes within a more secure ecosystem. The conference unites players from research labs, automakers, tier 1's, security researchers, and the complete supply chain to plan for the imminent future

Insider Threat Summit (Monterey, California, USA, March 29 - 30, 2016) The focus of the Insider Threat Summit is to discuss personnel security issues including cyber security challenges and capabilities, continuous evaluation of privileged identities and ethical physical security considerations. A heightened awareness of insider threats due to numerous newsworthy attacks and unauthorized leaks has brought us together for one main purpose: to better understand security challenges in order to better defend against insider threats

SecureWorld Boston (Boston, Massachussetts, USA, March 29 - 30, 2016) Join your fellow security professionals for affordable, high-quality cybersecurity training and education. Earn 12-16 CPE credits through 60+ educational elements learning from nationally recognized industry leaders. Attend featured keynotes, panel discussions & breakout sessions all while networking with local peers

Insider Threat Program Development Training (Washington, DC, USA, March 29 - 30, 2016) Insider Threat Defense announced it will hold a training class on Insider Threat Program Development (National Insider Threat Policy-NISPOM Conforming Change 2) on March 29-30, 2016, in Washington, DC. For a limited time the training is being offered at a discounted rate of $795. The training is comprehensive and provides students with the knowledge and resources to develop and implement a robust Insider Threat Program. Insider Threat Defense has trained a substantial number of organizations and has become the "Go To Company" for Insider Threat Program Development Training

Women in Cyber Security 2016 (Dallas, Texas, USA, March 31 - April 2, 2016) With support from National Science Foundation, Award #1303441 (Capacity Building in Cybersecurity: Broadening Participation of Women In Cybersecurity through the Women in Cybersecurity Conference and Professional Development), WiCyS is an effort to bring together women (students/faculty/researchers/professionals) in cybersecurity from academia, research and industry for sharing of knowledge/experience, networking and mentoring. Any individual or organization interested in supporting recruiting and retention efforts for women in cybersecurity is encouraged to participate

SANS Atlanta 2016 (Atlanta, Georgia, USA, April 4 - 9, 2016) Learn the most effective steps to prevent attacks and detect adversaries with actionable techniques that you can directly apply when you get back to work. Take advantage of tips and tricks from the experts so that you can win the battle against a wide range of cyber adversaries who want to harm your digital environment

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter’s financial reach, or it might just not be the right time for you to do those things. That’s why we launched our new Patreon site, where we’ve created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you’ll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.