Washington, DC: the latest from the inaugural Billington CyberSecurity International Summit
Setting the Conditions for Self-Organized Cooperative Security: the Billington CyberSecurity International Summit (The CyberWire) Apart from two sessions conducted under Chatham House rules and closed to the media, here's an account of the day's discussions. After welcoming remarks from conference organizer Thomas K. Billington, Deputy Secretary Alejandro Mayorkas of the US Department of Homeland Security opened the proceedings with the first keynote address
U.S. officials: World needs to follow our lead on cyber norms - Fedscoop (Fedscoop) Even as the U.S. government shores up its own beleaguered cyber defenses, its officials are touting their progress setting cybersecurity standards — saying the rest of the world should follow the U.S. to protect itself online. Two U.S. officials — Deputy Homeland Security Secretary Alejandro Mayorkas and State Department Coordinator for Cyber Issues Chris Painter — implored a …
Cyber-Attack Against Ukrainian Critical Infrastructure (ICS-CERT) On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine. In addition, there have also been reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors. Public reports indicate that the BlackEnergy (BE) malware was discovered on the companies’ computer networks, however it is important to note that the role of BE in this event remains unknown pending further technical analysis
Cyber Attacks, Threats, and Vulnerabilities
Iceland PM steps aside after protests over Panama Papers revelations (the Guardian) Sigmundur Davíð Gunnlaugsson steps aside amid widespread anger over allegations his family attempted to hide millions in offshore account
Panama Papers: “It was an email server attack” (Naked Security) The Panama Papers – big breach, big news…but how did it happen?
'Panama Papers' leak details ties to insurance fraud in boat tragedy (Business Insurance) A fatal boating accident in upstate New York is cited among the 11 million documents released this week.
How an Aussie security firm broke the Panama Papers (CRN Australia) Nuix technology crunched the data for journalists.
Industry reactions to the Mossack Fonseca data breach (Help Net Security) The Panama Papers, a collection of 11.5 million files leaked from Panama-based law firm Mossack Fonseca, are now online. The documents show in detail just
Hackers branching out to law firms (Business Insurance) Move to "soft targets" opens door to merger & acquisition and potentially stock information for a bigger payday for cyber criminals.
Three-year-old IBM patch for critical Java flaw is broken (CSO Online) Security researchers have found that a patch released by IBM three years ago for a critical vulnerability in its own Java implementation is ineffective and can be easily bypassed to exploit the flaw again.
Black hat SEO campaign targets WordPress and Joomla installations (Help Net Security) In this Black hat SEO campaign, the attackers injected a fake jQuery script into the head section of the websites. It went unnoticed by random visitors.
Trojan found in more than 100 Android apps on Google Play Store (Graham Cluley) Researchers have uncovered a new strain of advertising spyware in more than 100 Android apps downloadable from the official Google Play Store.
Chrome extension was secretly redirecting users to ad pages (Naked Security) Somebody bought it and stuck in malicious code to redirect a user’s traffic through a proxy, show them ads and snoop on their web browsing.
Crypto ransomware targets called by name in spear-phishing blast (Ars Technica) Once the domain of espionage, personalized scams embraced by profit-driven scammers.
PowerWare or PoshCoder? Comparison and Decryption (AlienVault Blogs) PowerWare was brought to my attention by Carbon Black via their blog post. PowerWare is downloaded by a malicious macro-enabled Microsoft Word document that is distributed via a phishing email campaign. The malicious document in question attempts to convince the user to enable macros by informing them that the file is protected by Microsoft Office. This, of course, is a farce. Once the macro is enabled, the PowerWare payload will be downloaded and executed. PowerWare, unfortunately, is hitting
New Locky Ransomware Variant Implementing Changes in Communication Patterns (Check Point Software Blog) Recently, Check Point published a detailed report describing Locky, an emerging new ransomware threat, which was first reported on February 16, 2016. New characteristics related to its communication have now been observed in the wild.
Incident response teams dealing with 3 to 4 Ransomware incidents weekly (CSO Online) Ransomware has gone from a niche attack to a booming criminal market since its introduction in 2013. Dozens of organizations have faced Ransomware attacks this year, and some of them have turned to Stroz Friedberg for help. In an interview with Salted Hash, the company says they were dealing with three to four Ransomware cases per week in the first quarter of 2016.
BillGates Malware used in DDoS Attacks (Akamai Blog) By Bill Brenner, Akamai SIRT Senior Tech Writer Akamai's Security Intelligence Research Team (SIRT) continues to see the BillGates trojan/bot family of malware being used to launch DDoS attacks. Attackers who control the malware -- first disclosed on a Russian...
New Variant of TinyPOS Discovered (SecurityWeek) TinyPOS malware gathers input card data before the system can encrypt it, but is written in "'hand rolled' assembly language and comes in at only 5120 bytes."
Trump Thinks the U.S. Is Obsolete on Cyber. Are His Hotels Also? (Foreign Policy) Hackers reportedly stole credit card data from the GOP frontrunner's hotels.
Europe’s ports vulnerable as ships sail without oversight (Financial Times) Data show ships making unexplained stops in terrorist havens before entering European ports
Oculus Rift sparks Ts and Cs storm over sharing data with Facebook (Naked Security) Oculus Rift users can expect to share their “physical movements and dimensions when [using] a virtual reality headset” with Facebook and pals.
Hacker-for-Hire Market is Booming, Says New Report (WSJ) Intelligence analysts found that business is booming in underground markets for Russian and other hackers, according to a new report released Tuesday by security firm Dell SecureWorks Inc.
Security Patches, Mitigations, and Software Updates
Apple fixes iOS lock screen bypass that gives access to photos, contacts (CSO Online) Apple has reportedly fixed a vulnerability that could have allowed hackers to bypass the passcode on iPhone 6s and 6s Plus running iOS 9.3.1 in order to access the address book and photos.
WhatsApp is now encrypting all your messages, by default, all the time, end-to-end (Graham Cluley) WhatsApp has made a big announcement, that will help protect the privacy of its one billion users. End-to-end encryption on all communications sent via WhatsApp, enabled by default.
WhatsApp encrypts messages end-to-end: why you should care (Naked Security) WhatsApp has a chequered history when it comes to security and cryptography, so its news about end-to-end encryption makes happy reading.
WhatsApp’s new encryption won’t protect you unless you’re also doing all these things (Quartz) Intercepting your messages in transit is just one—indeed, possibly the least likely—of the ways someone might try to snoop on you.
YAFP (Yet Another Flash Patch) - SANS Internet Storm Center (SANS Internet Storm Center) SANS Internet Storm Center - A global cooperative cyber threat / internet security monitor and alert system, featuring daily handler diaries summarizing and analyzing new threats to networks and internet security events.
Rollout or Not: the Benefits and Risks of iOS Remote Hot Patching (FireEye) FireEye has seen the development of various third-party solutions that allow developers to remotely hot patch an iOS app on a non-jailbroken device without going through Apple’s review process, leading to security risks. This blog examines Rollout.io, a commercial solution that addresses the remote patching problem while remaining focused on security.
Update your ManageEngine Password Manager Pro ASAP! (Help Net Security) A security researcher has revealed 8 security vulnerabilities in ManageEngine Password Manager Pro and has released details and PoC code for each of them.
Cyber Trends
We Must Stop The Race to Attribution After Each Cyberattack (Fabius Maximus website) Summary: Cybersecurity expert Emilio Iasiello discusses one of the key issues in cybersecurity — how do we determine who attacked us? Each attack brings forth rapid declarations by the govern…
Distrust of Vendors Raises Questions on Data Security, Regulatory Compliance (Legaltech News) A large number of companies are skeptical about how their vendors would behave in the event of a breach.
5 reasons you need to hire a Chief Privacy Officer (CSO Online) Businesses are increasingly relying on data, but they're overlooking another key aspect of data: privacy. In order to keep up with the growing regulations surrounding data privacy, it may be time to hire a Chief Privacy Officer.
Smart home convenience, efficiency come with a data security price (FierceITSecurity) While the Internet of Things promises great convenience for consumers and greater efficiency for enterprises, that convenience and efficiency could come at a price in terms of data security risk
Article 29 Working Party still not happy with Windows 10 privacy controls (SC Media) The EU privacy watchdog has told Microsoft despite changes to the install screen, there is still no clear message of how Microsoft plans to process users' data.
Former Scotland Yard detective discusses cybercrime and threat intelligence (CSO Online) Steve Santorelli is passionate about Internet security and committed to bringing folks together to attack the problem in many ways.
Marketplace
Baltimore, St. Louis, Philadelphia, Selected As Top Cities for Entrepreneur Support By Peer Group of 16 US Cities (CityBizList) Pioneer class of 16 “VilCap Communities” leaders has committed to invest over $1 million in local ventures through peer-selection
Envisioning the CISO of 2020 (InfoRiskToday) Ahmed Baig, founder of the CISO Council of UAE, says security leadership via fear, uncertainty and doubt is a thing of the past. In fact, future CISOs who use those
Cybersecurity Luminaries Join KoolSpan's Boards as Escalating Surveillance and Privacy Risks Drive Unprecedented Demand for Mobile Encryption (News On 6) Renowned Experts including Dr. Edward Amoroso, Eran Feigenbaum, Daniel Garrie, Adam Meyers, and Amit Yoran Join KoolSpan’s Board of Directors and Advisory Board
Products, Services, and Solutions
ThreatTrack Launches VIPRE® Endpoint Security (Yahoo! Finance) Latest VIPRE for Business solution is powered by the new VIPRE anti-malware engine, which ranks among the top-performing antivirus products in the world, according to AV-Comparatives
Spikes Security and Osterman Research Publish First-Ever Report on Use of Isolation Technology to Prevent Web-Based Malware Attacks (Yahoo) Spikes Security™, the isolation security company, today announced the availability of the industry's first-ever research that documents the increasing role of isolation technology as a defense against ...
CYBERBIT, Elbit Systems' Subsidiary, Awarded Contract to Supply an Intelligence and Cyber System to a Customer in Africa (WDRB) Elbit Systems Ltd. (NASDAQ and TASE: ESLT) ("Elbit Systems") announced today that its subsidiary, CYBERBIT Ltd. ("CYBERBIT"), was awarded a contract to supply intelligence and cyber analysis and research systems for a country in Africa. The contract, in an amount that is not material to Elbit Systems, will be performed over a two-year period
Telstra talent helps vendor target Australia's cryptolocker 'epidemic' (CRN Australia) Fast-growing Cylance seeks to add local resellers.
1Password 6.2 for Mac has a bigger brain, offers easier import from other password managers (FierceCIO) AgileBits has released version 6.2 of its 1Password for Mac, which offers a selection of new features and upgrades
Opera Software founder launches Vivaldi, a new browser (Help Net Security) The Vivaldi UI uses React and JavaScript, as well as Node.js. The core of the browser uses Chromium, ensuring pages render quickly and accurately.
Subgraph OS: A hardened OS that prioritizes security (Help Net Security) Subgraph, an open source security company based in Montreal, released the alpha version of Subgraph OS, designed with security AND usability in mind.
Swipebuster lets you spy on Tinder users – privacy lesson or invasion? (Naked Security) If you’ve ever wanted to know if your friends or lovers are using the Tinder dating app, now there’s a tool for you to find out.
Technologies, Techniques, and Standards
NIST outlines process for creating strong encryption standards (Federal Times) Researchers acknowledge this might put them at odds with law enforcement but stood by the need to protect sensitive information.
SEBI: Commodity Exchanges Need CyberSec Policy (InfoRiskToday) SEBI urges commodity derivatives exchanges to put resilient cybersecurity defences in place to protect themselves from growing attacks. Security leaders say such
FTC debuts web tool for health app makers (Fedscoop) The Federal Trade Commission unveiled a new online tool to help mobile health app developers figure out what federal laws and regulations might apply to their products. The tool asks developers a series of yes-or-no questions, each related to one of four possibly applicable laws: the Health Insurance Portability and Accountability Act, the Federal Food, Drug
Avoiding Legal Landmines in Data Breach Response (Dark Reading) Building a legally defensible cybersecurity program means seeking out guidance from legal advisors before a serious incident forces you together.
A reality check for security leaders on insider risk (CSO Online) Mike Tierney shares his insights on successfully implementing processes to combat insider risk by engaging the right people at the right time in the program
A retailer's guide to cyber security (Information Age) In recent times, mobile smart devices and cloud-based platforms have been the predominant sources of new security challenges and have received the majority of attention from businesses. Their proliferation has rapidly produced ‘perfect storm’ conditions, with the traditional security models and practices in place unable to keep pace with emerging threats. Added to this, the importance and amount of data retailers transmit within an omnichannel operational landscape makes the security challenge greater. Last year, 38% more security incidents were reported than in 2014, but the increase in the retail sector was an enormous 154%. Here are the main security threats that retailers should address. 1. Making BYOD policies smart: the benefits and risks of bring your own device (BYOD) at work are largely known. Data leakage and control of intellectual property are at the top of the risk list, as users can easily…
Take it to the boardroom: Elevating the cybersecurity discussion (Help Net Security) Appointing a chief information security officer (CISO) to take the lead in keeping corporate data safe is a step taken by many forward-thinking companies.
5 security bad habits (and easy ways to break them) (CSO Online) Your end-users are often the weakest link in your organization's security strategy. Here are five solutions to help users strengthen their security posture.
Design and Innovation
Brave will pay you to see ads with its ad-blocking browser (Naked Security) You’ll get micropayments in Bitcoin if you opt in to see ads that won’t bog down page loading, track you like a blood hound or mess with your privacy.
How you move your mouse could stop cybertheft (CNBC) Biometric technology has swiftly emerged as a go-to solution for improving digital security and how fast you type could soon stop hackers.
Research and Development
Phishing Attacks Prevented by SCAM (ISS Source) Educating employees on how to recognize phishing emails, those authentic-looking messages that encourage users to open a malicious hyperlink or attachment that
Academia
Wendy Hall Named Kluge Chair in Technology and Society (The Library of Congress) Dame Wendy Hall, professor of computer science at the University of Southampton, England, and an early pioneer in serious research on computing and the web, has arrived at the John W. Kluge Center at the Library of Congress as the Kluge Chair in Technology and Society.
Hands-On CyberSec Skills Needed (InfoRiskToday) Each year the skills gap estimate for cybersecurity goes up, with few concerted, industry-wide efforts to address the issue. What organizations in all sectors truly
Legislation, Policy, and Regulation
Cyber Command Gets 'First Wartime Assignment' in Fight against ISIS (Military.com) The DoD's relatively new Cyber Command has received its "first wartime assignment" in the fight against the Islamic State.
Russia, China Are Greatest Cyberthreats, but Iran Is Growing (ABC News) Russia and China present the greatest cyber security threat to the U.S., but Iran is trying to increase and spend more on its capabilities, the Navy admiral in charge of the military's Cyber Command told Congress Tuesday
Senators bash Obama over cyber war policy (TheHill) “The administration’s cyber policy as a whole remains detached from reality,” McCain said.
U.S. Cyber Command should be combatant command, DoD's top cyber warrior says (Military Times) The head of U.S. Cyber Command told Congress that his command should be elevated to become its own unified combatant command, a move that would make it one of the most powerful institutions in the Defense Department.
Rogers reignites CYBERCOM combatant command discussion (C4ISRNET) ADM Mike Rogers says operational concerns are his priority.
Senate Leaders Set to Expand Role of U.S. Cyber Command in New Defense Bill (USNI News) The Senate Armed Services Committee’s version of the defense authorization bill will call for making U.S. Cyber Command a functional combatant command and also recommend consolidating some geographic commands, the panel’s chairman and ranking member said Tuesday. When asked at a hearing whether Cyber Command was mature enough for such a step, Adm. Michael Rogers …
On cyber, the U.S. can't seem to balance security and privacy (Military Times) “Worst-case scenario is we don’t have dialogue and then we have a major event,” said Adm. Michael Rogers, head of U.S. Cyber Command. “We have got to figure out how we can do this.”
CIA drops plan to destroy most email records (FierceGovernmentIT) Facing widespread criticism, the Central Intelligence Agency has formally withdrawn its plan to destroy email records of most agency officials, the National Archives and Records Administration told the Federation of American Scientists
DNI Clapper Signs IC Transparency Council Charter (IC ON THE RECORD) On April 5, 2016, Director of National Intelligence James Clapper formalized the transition of the Intelligence Community Transparency Working Group into a permanent IC Transparency Council with his signature on the Council Charter. The IC’s Transparency Working Group, made up of senior officers from across the Intelligence Community, was established over two years ago to develop the Principles of Intelligence Transparency, which provide guidance to the Intelligence Community on being more transparent with the public, while protecting the sources and methods necessary for performing its national security mission. The Working Group then created an Implementation Plan to put these Principles into action across the community. Recognizing the importance of the transparency initiative, the DNI directed that the Working Group be elevated to a permanent entity in the form of a Council. With its Charter in place, the Council will be responsible for overseeing the Transparency Implementation Plan and ensuring that transparency becomes a comprehensive and sustainable practice within the Intelligence Community.
Poll: People Don't Mind Hacking to Fight Terrorism (Morning Consult) The Federal Bureau of Investigation’s solution to opening a locked iPhone used by a San Bernardino shooter reflects how the public generally wants government policing to work, a new Morning Consult poll shows. Voters do, however, think law enforcement officials should tell manufacturers about any vulnerabilities they exploit during criminal investigations. A healthy majority of registered voters (57 …
The impact of the new Trans-Atlantic privacy law (CSO Online) After 20 years of relative calm regarding the handling of personal data of EU citizens by U.S. companies, events over the past six months have instigated widespread reform. While the resolution is yet to be confirmed, the building blocks for a modern, cross-border data privacy agreement have begun to take shape.
Litigation, Investigation, and Law Enforcement
FBI Analyzing Data From San Bernardino iPhone for Leads (WSJ) The Federal Bureau of Investigation is still analyzing data on the iPhone used by a San Bernardino, Calif., terrorist and won’t decide whether to talk about what it has found until after that examination is complete, a senior FBI official said Tuesday.
How a federal spy case turned into a child pornography prosecution (Washington Post) An investigation in California illustrated the use of national security powers in a criminal matter.
Stolen federal equipment puts sensitive data of millions at risk - again (FierceGovernmentIT) U.S. Senate investigators expressed frustration with Obama administration officials following the theft of a laptop and portable hard drives from a federal building in Washington state
State Department: Don’t Ask Hillary Aides About Classified Info in Lawsuit (The Daily Beast) Lawyers object to any attempt to ask Huma Abedin, Cheryl Mills, and others about how information was handled—and are dead set against Clinton testifying.
FBI director: No rush to finish Clinton email probe before convention (POLITICO) Making sure the inquiry is done "well" is more important than speed, he said.
Man given jail time for sending gun emoji to ex (Naked Security) It’s a mere emoji, not a death threat, his lawyer argued. A judge disagreed, sending the gun-texting ex-boyfriend to prison for 3 months.