The CyberWire Daily Briefing 04.08.16

Cyber Trends

For Legal, More Pitfalls than Praise In Panama Papers ‘Ethical Hacking’ (Legaltech News) Deemed the biggest breach in history, the Panama Papers shines a spotlight on the rise of many law firms’ unpreparedness and susceptibility to ethical hacking

Privacy takes center stage in security discussions after years of being kept in the background (Cisco Blogs) With the International Association of Privacy Professionals gathering this week to discuss evolving regulatory requirements and rising customer expectations, there’s no better time to talk about privacy

1 in 5 enterprises admit of mobile data breach resulting from BYOD (Economic Times CIO) Data leakage threat more prevalent than ever as employees look to access sensitive corporate information on mobile devices outside corporate network

Tripwire Study: Energy Sector Sees Dramatic Rise in Successful Cyber Attacks (BusinessWire) Tripwire, Inc., a leading global provider of endpoint detection and response, security and compliance solutions, today announced the results of a study conducted for Tripwire by Dimensional Research

Reports find high security risks among policies for third-party vendors (SC Magazine) Two recent reports highlight the security and privacy threats posed by third-party vendors. The reports examine company's procedures for handling third-party vendor permissions and the ability of companies to track these vendors' activities

Organisations Are Shifting Their Cybersecurity Strategies From Reactive To Agile (RealWire) End users are now the most vulnerable point of entry into an organisation forcing them to shift away from fear-based to opportunity-based cybersecurity

Sifting suspicious user behavior to find real threats (GCN) Although only a fraction of all cyber activities are suspicious, pinpointing the problem is still a daunting task, a new report found

Legislation, Policy and Regulation

EU-US Privacy Shield may not pass muster, according to leaked extract (Ars Technica) EU data authorities might go to court if Commission forges ahead anyway

Can this video parody get Brits to care about online privacy? (TechCrunch) After John Oliver used humor to tackle the U.S. surveillance reform debate last year, to try to get Americans to care about online privacy

For Japan, Panama Papers are tool to skewer China (USA Today) The names of major public figures in Japan have been conspicuously absent from documents — the so-called Panama Papers — related to a growing international tax haven scandal, but that doesn’t mean the issue is being ignored in the world’s third-largest economy

China's Psychological War on Taiwan (National Interest) The uncertainty surrounding the cross-strait policy of Taiwan’s newly elected president, Tsai Ing-wen, has produced a great deal of unease and concern in Beijing

U.S. Adds China’s Internet Controls to List of Trade Barriers (New York Times) China’s notorious online controls have long been criticized as censorship by human rights groups, businesses, Chinese Internet users and others. Now they have earned a new label from the American government: trade barrier

Rogers’ nightmare: weaponization of cyber by terrorists (Defense Systems) While non-state actors today are not on par with nation states as far as cyber capabilities are concerned, terrorist groups, criminals, hackers and the like could possess destructive capabilities enjoyed by a small circle of nations in the not-so-distant future

Exclusive: White House declines to support encryption legislation - sources (Reuters) The White House is declining to offer public support for draft legislation that would empower judges to require technology companies such as Apple Inc to help law enforcement crack encrypted data, sources familiar with the discussions said

Opposition mounts to NSA’s data-sharing plans (The Hill) Civil liberties and government transparency groups are rallying to oppose a new plan that would allow the National Security Agency (NSA) to share more of the information that it collects about people’s communications and activity on the Internet with other federal agencies

Senator Markey wants government informed of aviation cyber attacks (Reuters) A U.S. senator on Thursday introduced legislation calling for airlines and aircraft manufacturers to disclose cyber security incidents to federal authorities, saying the aviation system lacks sufficient standards and oversight

Clapper takes extraordinary step of asking intel chiefs to lead document classification review () In a recent memo, National Intelligence Director James Clapper took the extraordinary step of asking intelligence directors to be more active in the process of reviewing their classification guidance and removing obsolete security requirements every five years

Hack the Pentagon an Olive Branch to Security Researchers (Threatpost) Lisa Wiswell’s phone rang off the hook last summer in the throes of the OPM hack. But she wasn’t just answering questions from those whose security clearance and personal data disappeared into the Chinese ether; there were also hackers on the other end of the line offering their help

Dateline

"An Executive's Guide to a Comprehensive Cybersecurity Risk Strategy" (The CyberWire) The way forward to better board-level and C-suite awareness and understanding of cyber security risk

Products, Services, and Solutions

Hexadite Adds Industry-First Mac and Linux Coverage to Intelligent Security Orchestration and Automation Platform (BusinessWire) Expanded OS support confirms commitment to automating incident response on every device

Dispel targets enterprises with broader privacy-as-a-service offering (FierceITSecurity) Dispel announced Thursday that it has broadened access to its privacy-as-a-service offering to Android devices and Linux operating systems with an eye toward the enterprise market

Technologies, Techniques, and Standards

An Overlooked Insider Threat? Many Fear Vendor-Related Breach: Survey (Legaltech News) As companies increasingly rely on vendors, many fail to take security concerns into account when allowing external access to their networks

Is Your Administrator a Cyber Security Weak Point? (FIN Alternatives) Last year will go down as the one in which cybersecurity made it to the top of the priority list for hedge funds

Don’t let embarrassment about a data breach cost you even more (Computer World) Cyberthieves prey on human nature for even more profit

Panama Papers and security best practices (FierceITSecurity) Well, the Panama Papers breach has certainly been in the news

Defenders Need to Embrace Offensive Security Skillsets (Threatpost) Defense may win football championships, but it gets steamrolled in computer security arenas

5 ways to become a smaller target for ransomware hackers (News & Advance) Hacking for ransom is on the rise — on pace to beat out last year's figures — and hits people where it hurts, locking them out of files, photos and critical records until they pay hackers a bounty to restore their access

Security Features Nobody Implements (Internet Storm Center) "Nobody" may be wording it a bit strong. But adoption of these security features is certainly not taking off. If you can think of any features I forgot, then please comment

Securing apps: scan code for vulnerabilities or rewrite from scratch? (CSO) How to remedy the epidemic of security incidents that result from exploits against defects in software

Inconsistent API Security Puts App Economy At Risk (Dark Reading) Better ownership and accountability needed in security APIs, report finds

Marketplace

KEYW awarded $152M contract for cyber training (Captial Gazette) Hanover-based KEYW Corporation will be paid $152 million over five years to provide cyber training to a U.S.-based customer, the company announced this week

BRIEF-KEYW holding announces intent for sale of Hexis Commercial Cyber Solutions Business (Reuters) Keyw outlines new strategic growth plan at analyst & investor day. Announces that it has executed letters of intent for sale of its Hexis commercial cyber solutions business

Here's What Dell and EMC Corp. Are Selling off as Acquisition Nears (AustinInno) Dell and EMC Corp. are shrinking their corporate footprints as they prepare for a merger in the second half of 2016

Meet Zerodium, the company that pays $1 million for Apple hacks (CNN Money) There's a vibrant underground market for tools to hack you, but one company is making offers out in the open

Is It Time to Dump Palo Alto Networks? (Guru Focus) Given the steep rise in Palo Alto Networks' share price, investors can consider booking profits

10 Top Tech Companies Poised For Massive Layoffs (InformationWeek) Tech workers across the nation may witness a massive pink slip parade this year, should one Wall Street analyst's prediction of more than 260,000 tech layoffs in 2016 come true. Here's at a look at the top 10 companies on his list and why they are there

French military upgrades telecommunication networks (C4ISR & Networks) Thales has been awarded two contracts to upgrade the French Ministry of Defense's data and telephony infrastructure networks

Tresys Welcomes Kemper as SVP of Business Development and Sales (BusinessWire) Tresys Technology, a global leader in cyber defense, announced today that Jackson Kemper III has joined the company as senior vice president of business development and sales

Amid FBI Scrutiny, 5 Cyber Execs Join a Maryland Encryption Firm (DC Inno) Bethesda, Md.-based cybersecurity firm KoolSpan, a 13-year-old tech company that specializes in providing encrypted communications to enterprise customers, is welcoming a new batch of board members

Research and Development

Solving Google reCAPTCHAs – without using humans (Naked Security) Three security researchers from Columbia University in New York recently published a paper with a rather dramatic sounding title: ✔︎ I’m not a human: Breaking the Google reCAPTCHA

I’m not a human: Breaking the Google reCAPTCHA (Black Hat Asia 2016) Since their inception, captchas have been widely used for preventing fraudsters from performing illicit actions

Security Patches, Mitigations, and Software Updates

Security updates available for Adobe Flash Player (Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. Please refer to APSA16-01 for details

Have Adobe Flash? Update now against actively-exploited zero-day flaw (Graham Cluley) Emergency security update released as ransomware attacks launched

Killing a Zero-Day in the Egg: Adobe CVE-2016-1019 (Proofpoint) On April 2, 2016, Proofpoint researchers discovered that the Magnitude exploit kit (EK) [1] was successfully exploiting Adobe Flash version 20.0.0.306

Juniper Releases Update for ScreenOS (US-CERT) Juniper has released ScreenOS version 6.3.0r22 to address issues with encryption methods used in prior versions

Pro-face Clears GP-Pro EX HMI Holes (ISS Source) Pro-face created a module to mitigate one information disclosure and two buffer overflow vulnerabilities along with a hard-coded credentials hole in its GP-Pro EX HMI software, according to a report on ICS-CERT

Cyber Attacks, Threats, and Vulnerabilities

Anonymous Conducts Usual DDoS Attacks on Israel for #OpIsrael (Hack Read) The first attacks in connection with #OpIsrael occurred in 2013, wherein some divisions of the Anonymous hackers mutually launched multiple organized cyber-attacks against Israeli websites on the eve of the Holocaust Remembrance Day, on April 8

Experts: Annual 'Anonymous' cyber-attack effort largely unsophisticated, unsuccessful. (Jerusalem Post) Private Israeli websites faced a number of largely unsophisticated cyber-attacks on Thursday, following an annual call by the Anonymous hacking network to target Israeli sites on April 7

Anonymous’ ‘Hack Israel Day’ Could Impact the Entire World (re/code) Israel was hit by a massive cyber offensive today. But unlike other attacks (APTs, criminal campaigns, etc.) to hit the nation, this one has been announced in advance

Panama Papers breach was the result of lax security practices? (Help Net Security) News items based on the so-called “Panama Papers,” a set of 11.5 million documents leaked from the networks of Panama-based law firm Mossack Fonseca, keep popping up, but it’s still unknown who the person behind the leak is and how he or she managed to get ahold of the documents

Will The Panama Papers Make All Law Firms A Bigger Target? (Threat Brief) The massive haul of data from the Mossack Fonseca Panama Papers breach includes over 2.6 terabytes of data, the largest known breach in hacking history

Mac Adware OSX.Pirrit Unleashes Ad Overload, For Now (Threatpost) Researchers discovered a Mac OS X variant of the Windows-based Pirrit adware that creates a proxy server on infected Mac computers and injects ads into webpages. According to researchers at Boston-based Cybereason Labs, the adware, dubbed OSX.Pirrit, is mostly benign, serving up just ads, but has the potential to morph into something more sinister

Linux botnet attacks increase in scale (ZDNet) Linux-targeting malware family is a "high" risk, warn security researchers

New application level attack bodes ill for hybrid DDoS protection (Help Net Security) Imperva has recently witnessed a new type of DDoS attack they believe might become a go-to for cyber criminals looking to take sites and services down

135 million Arris modems vulnerable to reboot attacks (Graham Cluley) No password required

After Tax Fraud Spike, Payroll Firm Greenshades Ditches SSN/DOB Logins (KrebsOnSecurity) Online payroll management firm Greenshades.com is an object lesson in how not to do authentication

Latest tax-related data breach could affect employees and their children (CSO) Construction firm says employees and their children could be affected by security incident on tax vendor's network

Researchers release PoC exploit code to bypass broken IBM security patch (ZDNet) Broken patches for security issues are simply not enough

Kaspersky delves deep into Locky threat, which has spread to 114 countries (SC Magazine) A thorough analysis of the ransomware Locky by Kaspersky Lab has yielded a series of highly detailed insights on the pernicious software, according the company's Securelist blog post

The latest Flash zero-day was used to spread Cerber ransomware (PCWorld) Adobe plans to patch the flaw on Thursday

OK, panic—newly evolved ransomware is bad news for everyone (Ars Technica) Crypto-ransomware has turned every network intrusion into a potential payday

Ransomware, hospital hacking present growing cybersecurity threats (KOMO News) As MedStar Health worked toward restoring its major information technology systems after a massive cyberattack this week, cybersecurity experts say the incident may be the latest example of a much larger threat that could put patients across the country at risk

Victims paid more than $24 million to ransomware criminals in 2015 — and that's just the beginning (Business Insider via Yahoo! News) The US Departments of Justice (DOJ) and Homeland Security (DHS) last week provided new insights into the impact of ransomware and cyberattacks on public institutions and the public

Homeland Security's Ransomware Tip: Not Paying is the Only Current Solution (Inverse) Ransomware seems to be the trending method of cyber attack in 2016: Apple users have been hit, U.S. agencies have been targeted, and a California hospital last month paid $17,000 in ransom fees after malicious software shut down its computer systems. The style of online attack has become such a problem, in fact, that there’s now an international effort to deliver public guidance on the topic

Cyber fraudsters reap billions through email wire-transfer scams (Reuters via Business Insurance) Businesses have lost billions of dollars to fast-growing scams where fraudsters impersonate company executives in emails that order staff to transfer to accounts controlled by criminals, according to the U.S. Federal Bureau of Investigation

Dell Secureworks reports on economic upheaval in the hacker black market (SC Magazine) A new report from Dell Secureworks has highlighted new fluctuations in the hacker underground

The Global Cyber Crime Underground: What Are They and What Do They Sell? (Cyveillance) Cyber crime is projected to cost the global economy an astounding $445 billion. To put that amount into perspective, Russia’s national budget for 2014 was $440 billion

Overnight Healthcare: Watchdog finds security flaws in state ObamaCare exchanges (The Hill) A federal watchdog has found security flaws in state-run ObamaCare exchanges in California, Kentucky and Vermont, potentially putting millions of customers' data at risk

Covered California Website At Risk For Cyber Attack, Feds Say (CBS San Francisco) Federal investigators say the website for Covered California is at risk for a cyber-attack

FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen (Threatpost) The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data

Who owns corporate data? Employees think they can just take it (Help Net Security) A third of all employees believe they own – or share ownership of – the corporate data they work on, with half thinking they can take the data with them when they leave, according to Veriato

Almost half of dropped USB sticks will get plugged in (Naked Security) People are still plugging in USB sticks scattered around parking lots, a new study has confirmed

Litigation, Investigation, and Enforcement

FBI debates sharing iPhone hacking details with Apple (CBS News) The FBI has not decided whether to share details with Apple about how the bureau hacked into an iPhone linked to a California terrorism investigation, FBI Director James Comey says

German police arrest international cyber ring suspect (Reuters) Police investigating a ring of global cyber criminals arrested the 22-year-old main suspect in Germany and carried out raids across several countries, prosecutors in the west German city of Koblenz said on Wednesday

European anti-terror efforts hobbled by lack of trust, shared intelligence (McClatchy) There’s no European equivalent of FBI that investigates cases across borders

First on CNN: Top U.S. intel official: Europe not taking advantage of terror tracking tools (CNN) A top U.S. counterterrorism official in charge of ensuring terrorists do not make it into the United States said European countries can do more to screen terrorists because they don't take full advantage of tools the U.S. has offered in the fight against terrorism

Mumblehard takedown ends army of Linux servers from spamming (We LIve Security) One year after the release of the technical analysis of the Mumblehard Linux botnet, we are pleased to report that it is no longer active. ESET, in cooperation with the Cyber Police of Ukraine and CyS Centrum LLC, have taken down the Mumblehard botnet, stopping all its spamming activities since February 29th, 2016

Mumblehard spam-spewing botnet floored (Register) Single point of failure key in takedown

Israelis arrested on suspicion of spying on Romanian anti-corruption prosecutor (Israel Hayom) Four Israelis, at least two of them former Mossad agents, are under investigation for spying on and intimidating Romanian anti-corruption prosecutor Laura Codruta Kovesi • Private Israeli intelligence company Black Cube reportedly hired to spy on Kovesi

Neutered random number generator let man rig million dollar lotteries (Ars Technica) RNG bypass code allowed security chief to know winning numbers in advance

Millions of child support records stolen, D.C. officials want answers (CSO) Two people have been arrested, but the stolen drives are still missing

Vengeful Hacker Risks Ten Years in Prison for DDoSing Security Firm's Website (Softpedia) A man from Oklahoma City is risking ten years in prison after harassing a security researcher that helped law enforcement catch and send to jail a fellow member of his hacking crew

Design and Innovation

In recent test, blockchain brings transparency to notorious credit default swaps (Ars Technica) Big banks partnered with data and software providers to try out blockchain

Biometrics Offers The ‘Perfect Balance’ Of Security And Usability (TechWeek Europt) Biometrics technology has been around for a while, now it’s time to utilise it properly, Intelligent Environments CTO tells TechWeekEurope

SDN Could Anchor Security for IoT, Federal Network Modernization (SIGNAL) Government conversations related to safeguarding cyberspace spin around policy as much as technology, particularly when it comes to sluggish efforts to modernize networks

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

ASIS 15th European Security Conference & Exhibition (London, England, UK, April 6 - 8, 2016) ASIS Europe 2016 invites you to join security professionals and experts from over Europe and beyond in one of the most dynamic centres of business and culture in the world.

Spring Conference 2016: Creating a Cybersecurity Communtiy (Los Angeles, California, USA, April 11, 2016) The ISACA Los Angeles Chapter provides affordable quality training on fundamental information systems auditing concepts and emerging technology risks, and an opportunity to network with other auditing and security professionals.The Spring Conference is the leading Information Systems IT governance, control, security and assurance event for the Southern California area.

Workforce 2.0: How to Cultivate Cybersecurity Professionals (Baltimore, Maryland, USA, April 12, 2016) Please join Passcode along with White House Chief Information Officer Tony Scott and other leading figures in digital security to explore the newest ideas and approaches to close the cybersecurity skills gap. At the event, Passcode will also launch its new Security Culture section that will unpack and illustrate the far-reaching and increasingly important role that digital security plays in daily life.

Cyber 7.0 (Laurel, Maryland, USA, June 22, 2016) Cyber 7.0 delves into the cyber threat to the nation’s critical infrastructure—transportation, health care, utilities, and energy, to name a few. How can government and industry work together to battle the threats to personal and public safety? For the seventh year, regional cyber experts, small entrepreneurs, large businesses, and government organizations come together to discuss, connect, and strategize. Be a part of the solution. Sponsor, exhibit, attend.

ISS World South Africa (Johannesburg, South Africa, July 10 - 12, 2016) ISS World South Africa is the world's largest gathering of Southern Africa Law Enforcement, Intelligence and Homeland Security Analysts as well as Telecom Operators responsible for Lawful Interception, Hi-Tech Electronic Investigations and Network Intelligence Gathering. ISS World Programs present the methodologies and tools for Law Enforcement, Public Safety and Government Intelligence Communities in the fight against drug trafficking, cyber money laundering, human trafficking, terrorism and other criminal activities conducted over today's telecommunications network and the Internet.

upcoming Events

SANS Atlanta 2016 (Atlanta, Georgia, USA, April 4 - 9, 2016) Learn the most effective steps to prevent attacks and detect adversaries with actionable techniques that you can directly apply when you get back to work. Take advantage of tips and tricks from the experts so that you can win the battle against a wide range of cyber adversaries who want to harm your digital environment

ISC West 2016 (Las Vegas, Nevada, USA, April 6 - 8, 2016) ISC West is the leading physical security event to unite the entire security channel, from dealers, installers, integrators, specifiers, consultants and end-users of physical, network and IT products. With over 1,000 exhibitors and brands, spanning hundreds of product categories, it's the Must-Attend event for the global security industry. ISC West is where the security community gathers to see new products and technologies first, to network with other security professionals, and to stay on top of emerging security risks with cutting edge education

Cybersecurity and Privacy Protection Conference (Cleveland, Ohio, USA, April 7 - 8, 2016) The Center for Cybersecurity and Privacy Protection 2016 Conference will bring together experienced government officials, in-house counsels, business executives, cyber insurance leaders, litigators, information security officers and privacy managers to discuss current developments and best practices in cybersecurity and privacy protection. The conference is aimed at identifying innovative strategies that integrate legal, managerial and technical approaches to managing cyber and privacy risks. Join us to connect and engage with leading experts who will address cyber and privacy risk-management strategies, regulatory compliance, civil litigation following high-profile data breaches, law enforcement cooperation and information-sharing models, incident-response and cyber-risk insurance.

Rock Stars of Risk-based Security (Washington, DC, USA, April 12, 2016) Virtually every company will be hacked, and today, experts accept that a 100% security solution is not feasible. Advanced risk assessment and mitigation is the order of the day. Rock Stars of Risk-Based Security is the must attend symposium of its kind in 2016 on this critical new reality.

Federal Security Summit 2016 (Washington, DC, USA, April 12, 2016) Advanced threats and more sophisticated hackers are making it increasingly difficult to protect mission-critical government systems and communications. The U.S. Government is probed 1.8 billion times per month, and 66% of these breaches take up to a year to be discovered. With over 200,000 new malicious programs created daily, what are agencies doing to fight off cyber attacks and keep systems secure? This interactive working breakfast panel will share best practices and solutions.

Threat Hunting & Incident Response Summit 2016 (New Orleans, Louisiana, USA, April 12 - 13, 2016) The Threat Hunting & Incident Response Summit 2016 focuses on specific hunting and incident response techniques and capabilities that can be used to identify, contain, and eliminate adversaries targeting your networks. Attend this summit to learn these skills directly from incident response and detection experts who are uncovering and stopping the most recent, sophisticated, and dangerous attacks against organizations