Cyber Attacks, Threats, and Vulnerabilities
Ukraine's embattled prime minister resigns as corruption scandals shake Europe (Los Angeles Times) Fallout from corruption scandals continued to roil Europe on Sunday, as Ukrainian Prime Minister Arseny Yatsenyuk announced that he would resign amid a growing political crisis
Consider the Panama Papers breach a warning (Computerworld) Hacks aimed at damaging reputations may rise in frequency
The Panama Papers Signal A New Kind of Cyber Attack (Fortune via Yahoo! Finance) As a trove of leaked documents dubbed the 'Panamanian Papers' ripples across several nations, world leaders are feeling the heat. Russian President Vladimir Putin has called the exposure of offshore bank accounts an American plot, while Iceland named a new prime minister and British Prime Minister David Cameron admitted that he profited from an offshore trust
Is Putin Behind the Panama Papers? (Newsweek) The “Panama Papers.” Does this strike anyone else as a very fishy story? It’s like something out of a cheap spy movie
Anonymous Hack Italian Job Portals, Leak Trove of Data Against New Labour Laws (Hack Read) Anonymous has leaked personal details of CEOs, managers and other employees of hotshot companies in Italy to protest against the new labour laws
Cyberattackers botch integration of Adobe Flash zero-day vulnerability in exploit kits (ZDNet) Users of Adobe Flash have a little more breathing space to patch their systems
Mindless Flash masses saved as exploit kit devs go astray with 0day (Register) Since-patched flaw was imperfectly targeted by incompetent crimeware
Home Brew iPhone Malware Kit Makes Spying On Apple Devices Easy (Forbes) Apple makes some of the most secure smartphones on the planet, as the FBI has found all too apparent in recent weeks. But when one has access to an iPhone, it’s possible to quickly install malware that appears to be legitimate, as shown by a new software called Su-A-Cyder, which automates the process of creating quick and dirty spyware
Mobile Devices Used to Execute DNS Malware Against Home Routers (TrendLabs Security Intelligence Blog) Attacks against home routers have been going around for years—from malware that rigs routers to DNS rebinding attacks and backdoors, among others
Learning from Bait and Switch Mobile Ransomware (TrendLabs Security Intelligence Blog) We have recently caught sight of a mobile ransomware distributed by fake adult websites
Banking Trojan Targeting Android Devices Can Bypass 2FA (WatchPoint) A new banking Trojan discovered by ESET targets banking applications on Android devices. The malware can steal the login credentials of mobile banking customers and has the ability to bypass Two Factor Authentication (2FA) by intercepting and deleting SMS messages. Identified as Android/Spy.Agent.SI this malware can steal login credentials from 20 different mobile banking apps
Dridex Banking Trojan Evolves into Bitcoin Ransomware Distributor (Ohio Bitcoin) People active in the world of security will have heard of the Dridex malware before, which is a Trojan designed to infiltrate banking infrastructure. But it looks like Dridex is evolving, as it can now be deployed to steal payment card data as well
C&C Flaw Offers Glimpse into Dridex Operations (SecurityWeek) Researchers have gained access to a command and control (C&C) panel of the Dridex banking malware, which has allowed them to determine how much information has been stolen by cybercriminals and how much money they might be making
Dridex Malware Now Used For Stealing Payment Card Data (Dark Reading) An analysis of Dridex infrastructure shows dangerous changes, potentially new operators
SAP Java AS 7.4 Internet Communication Manager HTTP Request Denial of Service (Vulnerability Database) A vulnerability was found in SAP Java AS 7.4. It has been classified as problematic. This affects an unknown function of the component Internet Communication Manager. The manipulation as part of a HTTP Request leads to a denial of service vulnerability. This is going to have an impact on availability
IBM DB2 LUW contains a denial of service vulnerability (AusCERT Security Bulletin Summary) IBM DB2 LUW contains a denial of service vulnerability using a SELECT statement with subquery containing the AVG OLAP function on Oracle compatible database (CVE-2016-0215)
Beware of phishing emails sporting your home address! (Help Net Security) The latest (likely very successful) ransomware delivery campaign takes the form of spear-phishing emails targeting specific individuals and, for added credibility, includes their real-world home addresses and names
The 8 Most Convincing Phishing Schemes Of 2016 (Dark Reading) The year is young and high-profile phishing attacks keep coming seemingly every week. Here are eight reasons why security pros have to get serious about combating phishing
Lessons from the latest Verizon data breach (USA Today) Announcements of a data breach at a company or governmental agency have become so common that they no longer seem particularly startling. However the recent announcement by Verizon Enterprise Solutions that it had become a victim of a massive data breach is particularly noteworthy because Verizon Enterprise Solutions is the unit of Verizon that assists other companies when they become victims of data breaches
Malicious Documents Present Severe Security Threat for UK Law Firms (Legaltech News) For lawyers, the consequences of failing to protect the data with which they are entrusted can be immeasurably serious
How Last Year's OPM Hack Could Affect the Census (Nextgov) A recent hack exposing millions of people's background check information could undermine the Commerce Department's ability to collect data for the 2020 census, an official said this week
Millions of people are still running Windows XP (Naked Security) It’s been two years since Microsoft ended support for Windows XP, the popular operating system that’s been around since 2001 and which many people just don’t seem willing to let go
Hacked radio stations broadcast 90-minute explicit podcast (Naked Security) The broadcast signals for four US radio stations were hacked last Tuesday, hijacked by somebody who swapped the regular Taylor Swift-esque fare of pop music for a 90-minute, raunchy podcast
Faxing faux pas compromises patients' mental health records (Graham Cluley) For ten years doctors' offices have been sending confidential documents to a spa owner's fax machine
ShapeShift Bitcoin Trader Decides to Rebuild Service Following Cyber-Attack (Softpedia) On April 7, the ShapeShift Bitcoin trader suffered a data breach during which the company's servers were accessed by an unauthorized party that appears to have stolen some funds, but nothing belonging to its clients
Walmart mystery shopper scam resurfaces (CSO) Consumers are once again reporting the signs of the scam, which has existed on and off for years
Railways orders zone-wise audit of its online system to prevent cyber attack (India Today) Sources said the audit has been triggered after a web page of the Personnel department in Bhusawal Division of Central railways was hacked allegedly by terror outfit al-Qaeda in March this year
FBI Warns of Cyber Threat (Washington Free Beacon) DHS intel report downplayed cyber threat to power grid
Cyber-underworld price list revealed: $500 for company email inbox, $1,200 passports, etc (Register) $5/hr DDoS floods, $123 Gmail accounts, and so on
7 Profiles Of Highly Risky Insiders (Dark Reading) To understand who these insiders are and why they pose a risk, start by looking at the root of the problem
Security Patches, Mitigations, and Software Updates
Juniper Completes Removal of Dual_EC (Threatpost) Juniper Networks hopes to remove any clouds of uncertainty that its networking gear might still have a backdoor that could allow the NSA or hackers to snoop on traffic running through its hardware
Microsoft Edge becomes an adblocker… of sorts (Naked Security) Microsoft is following what Apple did with Safari back in 2013, and Google did with Chrome in 2015
Now all WordPress.com sites can benefit from HTTPS encryption (Graham Cluley) There is some great news for those who believe in a more secure and more private web. WordPress, the world’s most popular blogging platform, has announced that all of the millions of users hosting their sites on the wordpress.com servers, will be able to force the use of HTTPS encryption – for free
Google Updates Safe Browsing Alerts for Network Admins (Threatpost) Google beefed up the way it displays Safe Browsing Alerts for Network Administrators this week, adding information about sites peddling unwanted and malicious software as well as those caught carrying out social engineering attacks
Cyber Trends
Offensive hackers should be part of enterprise DNA (CSO) Keeping adversaries at bay requires offensive hackers to infiltrate the DNA of tomorrow's enterprises
Dark web mapping reveals that half of the content is legal (Help Net Security) A recent global survey commissioned by the Centre for International Governance Innovation (CIGI) showed that seven in ten (71%) global citizens say the “dark net” – “an area of the internet only accessible via special web browsers that allow you to surf the web anonymously” – should be shut down
Surge in cyber attacks on the energy sector (Help Net Security) A new survey conducted by Dimensional Research, which was carried out in November 2015, assessed cyber security challenges faced by organizations in the energy sector. Study respondents included over 150 IT professionals in the energy, utilities, and oil and gas industries
Consumer concerns of a connected world (Help Net Security) While consumers see the tangible benefit of IoT (just 1 consumer in 10 says a world of connected devices won’t deliver such value), more than half also harbour concerns about the perceived risks and threats in a world of connected devices, according to a new Mobile Ecosystem Forum (MEF) survey
India Ranks Third in Financial Trojan Infections (InfoRiskToday) Security experts detail ways to detect, defeat banking trojans
Infiltrate take aways for a security newb (CSO) From Telco companies to hardware and ActionScript, criminals are targeting attacks and these offensive hackers teach how to thwart adversaries
Marketplace
Hackers drive huge global IoT security market growth (ReadWrite) The widespread deployment of Internet of Things (IoT) technology is driving increased security breaches that will spark incredible growth in the IoT security industry
Why Hospital Boards Must Understand Healthcare Cybersecurity (HealthITSecurity) Healthcare cybersecurity is no longer just an IT issue, and management, as well as hospital boards need to know the deeper issues
The Military is Hiring a Rapid Cyber Response Team -- in Case Commissaries Get Hacked (Nextgov) Military base grocery stores are vulnerable to computer hackers, according to the Pentagon, which says it needs private cyber forensics investigators on call. If a payment system breach were to occur, the team would respond within an hour
UK cyber security company Darktrace embarks on funding round to secure $400m valuation (City A.M.) UK cyber security company Darktrace has turned to Silicon Valley in a bid to secure funding which would see the company valued at $400m (£283.2m)
College Grad Looking For a Job? The NSA Wants YOU! (Reason) National Security Agency is recruiting college students to work at its controversial Utah Data Center
Lookout Welcomes Bluebox Security (Dark Reading) Lookout, the global leader in securing mobility, today announced that it has entered into an agreement to acquire the technology assets of Bluebox Security, a mobile app security and analytics company that was the first to pioneer self-defending apps for consumers, BYOD employees and the extended enterprise
2016 IPO Prospects: SecureWorks Is Ready To List (Seeking Alpha) Dell agreed to acquire SecureWorks for an estimated $612 million in 2011. At the time of the acquisition, SecureWorks was trending at revenues north of $120 million
Fidelis Cybersecurity Expands at Port San Antonio (Port San Antonio) The Port, home to nearly 1,000 IT security professionals, welcomed the latest cyber firm to set up operations on the large campus
Security firm Intercede sees record sales (Leicester Mercury) Investment in security services for new markets has boosted a company's revenue
Top-ranked workplace among small firms, KnowBe4 blends cyber savvy, hard work and fun (Tampa Bay Times) Phishing. Ransomware. CEO fraud. These are the cybersecurity scams awash in the world start-up company KnowBe4 was created to defend against. Its business — providing security awareness training to banks, businesses and organizations — is booming as hacker attacks continue to escalate
Forcepoint CEO Steps Down After Rebranding From Raytheon|Websense (CRN) John McCormack has stepped down from the role of Forcepoint's CEO, CRN has learned, in the latest iteration of a series of sweeping changes at the Austin, Texas-based security vendor as it unites parts of Raytheon, Websense and other lines under a single brand
Ernst and Young Announces CrowdStrike’s George Kurtz as Entrepreneur Of The Year® 2016 Orange County Semifinalist (BusinessWire) Ernst & Young (EY) today announced that George Kurtz, co-founder and chief executive officer of CrowdStrike, is a semifinalist for the EY Entrepreneur Of The Year® 2016 Orange County Region Award
Products, Services, and Solutions
Tor aims to grow amid national debate over digital privacy (Christian Science Monitor Passcode) The Tor Project's new executive director Shari Steele is on a mission to change the image of the group's anonymous browser and make its 'clunky and hard to use' technology more user-friendly
Technologies, Techniques, and Standards
NIST's New Guidance Could Simplify Some Encryption (InfoRiskToday) Ciphers can be same length as information being encrypted
Petya Ransomware's Encryption Defeated and Password Generator Released (Bleeping Computer) An individual going by the Twitter handle leostone was able to create an algorithm that can generate the password used to decrypt a Petya encrypted computer. In my test, this algorithm was able to generate my key in 7 seconds
Handling Malware Samples (Internet Storm Center) I often have to analyze malware samples on Windows machines. That is not always by choice. Sometimes I have no other option
Smartphone Security Guide: The Easiest Way to Keep Your Phone & Data Safe (Heimdal Security) When it comes to smartphone security and privacy, people are usually divided into two major camps
Utility companies to stockpile $8 million spare parts in case of disaster (Marketplace) In the case of a mass terrorist or cyber-attack on the power grid, it could take 18 months to replace critical pieces of the infrastructure, according to a national research study. So eight of the nation's largest utility companies plan to launch a new company this month to stockpile the most important components of the electricity system
Securing Your Device: BYOD Platforms for Legal (Legaltech News) The evolution of mobile management and what it means for security, privacy, and the future of mobile lawyering
This list will help you painlessly recover from disaster (CSO) Organizations need to be ready so that disaster doesn’t cripple them and their bottom line
Design and Innovation
Microsoft’s Tay stumbled, but chatbots have bright future (News Observer) Computers unsettle us when they do things we don’t expect. Take the case of a Reddit user who goes by the screen-name “barney13.” When he asked Google Now – the intelligent assistant he accesses through his smartphone – to show him travel pictures he had taken in Nice, France, the digital helper showed him the photos, but also expressed its sympathy for the loss of his father, who had died in the city back in 2010
How to Prove You’re Bitcoin Creator Satoshi Nakamoto (Wired) Four months have passed since the world learned the name of Craig Wright, a man who, as WIRED wrote in December, either created Bitcoin or very badly wants someone to believe he did
Research and Development
UW-led research team wins $7.5M MURI grant to defend against advanced cyberattacks (EurekAlert!) A University of Washington-led research team has won a $7.5 million, five-year Multidisciplinary University Research Initiative (MURI) grant from the Department of Defense to better model and mount defenses against stealthy, continuous computer hacking attacks known as "advanced persistent threats"
Academia
West Point cadets take part in cyber competition (KSL) A group of West Point cadets will be competing against other service academies this week in an annual cyber-defense exercise
Legislation, Policy, and Regulation
Exclusive: How Chinese nuclear deal leaves UK vulnerable to catastrophic cyber attack (Express) George Osborne has been warned that granting the Chinese a large stake in Britain's nuclear energy infrastructure poses a "substantive" threat to UK national security
Senators Push For Tech Firms To Decrypt Smartphones (Dark Reading) A new bill, sponsored by US Senators Dianne Feinstein and Richard Burr, would allow law enforcement to demand smartphone makers and other companies decrypt or otherwise unlock mobile devices
Draft of US Encryption Bill Leaks Online, Is Incredibly Stupid (Softpedia) Late Thursday night, a draft of a US bill created to address the country's stance on encryption leaked online, and cryptography experts along with civil advocates reacted accordingly, calling it everything from stupid to technically illiterate
Draft encryption bill puts rule of law above privacy concerns (Federal Times) A discussion draft leaked online of the first legislation to tackle the heated encryption debate that has pitted law enforcement agencies seeking access against privacy and consumer advocates lobbying to maintain strong security
NSA data-sharing plan opens door to mass surveillance, say rights groups (Christian Science Monitor Passcode) Digital advocacy, privacy, and civil liberties groups are urging the National Security Agency not to pursue a plan they argue could lead to widespread warrantless domestic surveillance
Military missions complicate insider threat protection (C4ISR & Networks) It has been almost four years since President Barack Obama issued the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, which identified six minimum standards that executive-branch agencies are required to include in their insider-threat programs
Litigation, Investigation, and Law Enforcement
Researchers help shut down spam botnet that enslaved 4,000 Linux machines (Ars Technica) Mumblehard blasted the Internet with spam for more than a year
Why El Salvador Raided the Offices of Mossack Fonseca (Newsweek) Authorities in El Salvador on Friday raided the local offices of Panamanian law firm Mossack Fonseca, seizing documents and equipment, the country's attorney general's office said
Obama says Clinton never jeopardized national security in email case: Fox (Reuters) U.S. President Barack Obama said Democratic presidential front-runner Hillary Clinton never jeopardized national security in the handling of her emails as his secretary of state
Stoking encryption debate, US officials press Apple to unlock another iPhone (Christian Science Monitor Passcode) Despite dropping a case over the San Bernardino, Calif., iPhone, the Justice Department wants Apple's help in a similar New York case. Its pursuit of the case comes as lawmakers weigh a bill to force companies to help investigators retrieve data
John McAfee to the FBI: I'll be the pit bull snapping at your ankles forever (Business Insider) On Friday, the Department of Justice, yet again, assumed either that we, the American citizens, are idiots, or that we will, through fear, cave in to its arguments that to have security we must give up some personal privacy
Apple Vs. FBI: 5 Key Quotes From James Comey's Speech (InformationWeek) FBI Director James Comey gave a speech April 6 discussing the case against Apple and calling for not litigation but conversation that's fair, measured, and thoughtful -- and where participants are open to being wrong
US Serves up Cyber Justice Against Foreign Hackers (Daily Signal) A number of high-profile cases involving international cyberattacks on the U.S. have been unsealed for the public
Former 'Al-Sharq Al-Awsat' Editor 'Abd Al-Rahman Al-Rashed On 'Iran's Cyber Crimes' (MEMRI) Following the March 24, 2016 indictment of seven Iranian hackers for attacks on U.S. financial institutions and on the Bowman Avenue Dam near Rye Brook, New York, 'Abd Al-Rahman Al-Rashed, former editor of the London-based Saudi daily Al-Sharq Al-Awsat, published an article on Arabnews.com
Navy officer, Taiwan native, accused of spying (Navy Times) A Navy officer born in Taiwan is accused of passing secrets to a foreign government, according to a charge sheet provided by the Navy and sources familiar with it
Kolkata man in custody for Quick Heal forgery (Times of India) The city police have arrested the CEO and MD of a software firm in Kolkata after Quick Heal Technologies lodged an FIR, accusing him and others of forging documents to claim substantial shareholding in the company
Forensics uncover how brothers rigged the lottery (Naked Security) Self-deleting rootkit or no, forensics investigators have dissected the code that former lottery chief Eddie Tipton used to skirt a lottery system’s random number generator and score a $14.3 million jackpot
UK Teen That Sold DDoS Tools on the Dark Web Avoids Going to Prison (Softpedia) Grant Manser, 20, of Kidderminster, a town near Birmingham, in the UK, has pleaded guilty to selling DDoS stressers on the Dark Web that had been used to bring down servers and websites in the UK and many European countries
MP victim of alleged police cyber-bullying (Sky News) NSW police are investigating racist and sexist comments on NSW Greens MP Jenny Leong's Facebook page, allegedly posted by high-ranking police officers
GCHQ wizards helped prevent Harry Potter book from leaking online (Ars Technica) Harry Potter had friends in high places, according to the book's publisher