
The CyberWire Daily Briefing 01.12.16
Arbor Networks describes a "multi-pronged" malware campaign targeting sites — most of them belonging to non-governmental organizations — in Southeast Asia. There's no formal attribution of the malware cluster ("Trochilus"), but observers see China as a suspect.
Post mortems on the BlackEnergy/SandWorm cyber attack on Western Ukraine's power grid continue. Observers see the incident as a bellwether, not an outlier, and warn utilities to expect more attacks in 2016.
Increasing sectarian and political tensions between Saudi Arabia and Iran inflame a guttering regional cyber riot in which many expect to see the governments themselves join (if they haven't already).
Proclamations of fealty to ISIS emerge from the Philippines. European governments continue to work toward closer cooperation against extremism and its resultant terror. The US Departments of State and Defense show signs of looking beyond technical approaches to fighting ISIS and toward aggressive counter-messaging. But some think the new style of information operations — even if it gets its messaging right — will soon be entangled with legal and organizational obstacles.
Akamai warns that a malicious search-engine-optimization scheme is using SQL injection to goose search hits.
European data center services provider Interxion discloses a breach in its CRM system that may have exposed sensitive customer information.
The Russian hacker "w0rm" claims to have broken into Citrix.
Trend Micro patches a remote-execution bug. Microsoft ends support for Windows 8 and older versions of IE.
The US House holds hearings this afternoon on the Wassenaar cyber export control regime. Industry fears Wassenaar will criminalize legitimate security research.
Notes.
Today's issue includes events affecting Australia, Belgium, China, European Union, France, India, Iraq, Myanmar, Netherlands, Palestine, Philippines, Romania, Russia, Syria, Ukraine, United Kingdom, United States, and Yemen.
Cyber Attacks, Threats, and Vulnerabilities
Asian cyber-spies fling Seven Pointed Dagger against Myanmar, NGOs (Register) Ninja malware in multi-pronged attack
BlackEnergy .XLS Dropper (Internet Storm Center) The malware used in the recent Ukrainian cyber attack was (allegedly) delivered via a malicious spreadsheet. I analyzed this maldoc (97b7577d13cf5e3bf39cbe6d3f0a7732) and it's very simple: the macro runs automatically, writes an exe to disk (embedded as an array of bytes) and executes it. There's no obfuscation of the VBA code or encoding of the PE file
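The dropper pattern the diary describes (an auto-running macro, a PE carried as an Array() of byte literals, a binary file write, then Shell) is simple enough to triage from the extracted VBA source alone. The following Python is an added example written for this briefing, not code from the Internet Storm Center diary or from any analysis tool; the macro text it scans is a constructed stand-in for the real maldoc (its byte array is just a DOS 'MZ' header plus padding), and the keyword patterns are a hand-rolled version of the triage that tools such as olevba perform, covering only the unobfuscated case.

```python
import re

# Constructed sample VBA modelled on the dropper pattern the diary describes:
# an auto-running macro, a PE carried as an Array() of byte literals, a binary
# file write, then Shell. It is NOT the BlackEnergy macro; the byte array is
# just a DOS 'MZ' header followed by padding.
SAMPLE_VBA = '''
Sub Auto_Open()
    Dim payload() As Variant
    payload = Array(77, 90, 144, 0, 3, 0, 0, 0, 4, 0, _
                    0, 0, 255, 255, 0, 0, 184, 0, 0, 0)
    Dim path As String
    path = Environ("TEMP") & "\\vba_macro.exe"
    Open path For Binary Access Write As #1
    Dim i As Long
    For i = LBound(payload) To UBound(payload)
        Put #1, , CByte(payload(i))
    Next i
    Close #1
    Shell path, vbHide
End Sub
'''

# Hand-rolled keyword triage, the same idea olevba applies (assumption: these
# patterns cover the unobfuscated case only).
AUTO_EXEC = re.compile(r'\b(Auto_Open|Workbook_Open|Document_Open|AutoOpen|AutoExec)\b', re.I)
FILE_WRITE = re.compile(r'\bOpen\b[^\n]*\bFor\s+Binary\b|\bPut\s*#', re.I)
EXECUTE = re.compile(r'\bShell\b|WScript\.Shell|ShellExecute|CreateProcess', re.I)


def extract_byte_arrays(vba):
    """Return every Array(...) literal whose elements are all integers 0..255, as bytes."""
    blobs = []
    for m in re.finditer(r'Array\s*\((.*?)\)', vba, re.S):
        body = m.group(1).replace('_', ' ')  # drop VBA line-continuation underscores
        items = [x.strip() for x in body.split(',') if x.strip()]
        if items and all(x.isdigit() and int(x) <= 255 for x in items):
            blobs.append(bytes(int(x) for x in items))
    return blobs


def looks_like_pe(blob):
    """The DOS 'MZ' signature at offset 0 is the cheapest test for an embedded Windows executable."""
    return blob[:2] == b'MZ'


def triage_vba(vba):
    """Score extracted VBA source for the drop-and-run pattern; 4/4 is the full dropper signature."""
    blobs = extract_byte_arrays(vba)
    findings = {
        'auto_exec': bool(AUTO_EXEC.search(vba)),
        'file_write': bool(FILE_WRITE.search(vba)),
        'execute': bool(EXECUTE.search(vba)),
        'embedded_pe': any(looks_like_pe(b) for b in blobs),
        'largest_blob': max((len(b) for b in blobs), default=0),
    }
    findings['dropper_score'] = sum(
        findings[k] for k in ('auto_exec', 'file_write', 'execute', 'embedded_pe'))
    return findings


if __name__ == '__main__':
    for key, value in triage_vba(SAMPLE_VBA).items():
        print('%-14s %s' % (key, value))
```

Run it over VBA dumped from the OLE file; a score of 4 (auto-exec, file write, execute, embedded PE) is exactly the unobfuscated drop-and-run signature the diary describes. Macros that build the payload with Chr() concatenation or split the array across helper functions defeat the Array() regex and need deobfuscation first, so treat a low score on a suspicious document as inconclusive rather than clean.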
BlackEnergy and the Ukrainian power outage: What we really know (We Live Security) A lot of speculation, and some misinterpretation, has arisen surrounding the recent discovery of malware in Ukrainian energy distribution companies. ESET researchers have published a detailed analysis of the malware and its dangerous functionalities, which probably relate to the recent, massive power outage experienced by hundreds of thousands of Ukrainian citizens
Cyberattack on the Ukrainian Electric Grid Exposes Regulatory Gaps in United States (Resilient Societies) A series of cyberattacks on the Ukrainian electric grid, starting on December 23 and continuing for several days, is a stark reminder that a 2005 federal law designed to protect the electric grid in the United States has never been comprehensively implemented
Successful Cyber Attack Ukraine Raises Fears Of Threats To Energy Infrastructure (Oilprice) It's finally happened. A theoretical major scenario that has worried governments and industry in U.S. and Western Europe has occurred. Power was cut, through a hacker attack, to up to 80,000 customers in Ukraine's Ivano-Frankivsk region for several hours on December 23, 2015
83% of InfoSec Pros Think (Another) Successful Cyberattack On Critical Infrastructure Likely In 2016 (Dark Reading) ISACA survey finds that a majority of cybersecurity professionals feel privacy is being compromised in effort to create stronger security regulation
Cyber Squirrel 1: What you need to know (Naked Security) The word "cyberwar" comes up quite a lot
Iran-Saudi Arabia row adds fuel for hackers on both sides (Christian Science Monitor Passcode) Renewed tension between longtime regional rivals Saudi Arabia and Iran appears to be spilling online, signaling a sectarian-motivated cyberconflict in the Middle East
A growing gang of Islamic State supporters is taking root in the Philippines (Washington Post) In a video released last week, members of at least three different insurgent groups from the Philippines pledged allegiance to the Islamic State's leader, Abu Bakr al-Baghdadi
Victoria's Barwon Health website targeted by pro-Palestinian hackers, medical records 'not at risk' (Australian Broadcasting Corporation) The Victorian health service's website was replaced by a pro-Palestinian message claiming the website was hacked by Akram Stelle
Indian hackers target Facebook sex chatting pages, fake profiles similar to Kochu Sundarikal (International Business Times) Hacking group Kerala Cyber Warriors from Kerala has started two operations, which it has called #OP_INDIAN_ONLINE_PROSTITUTION and #OP_INDIAN_SEX_CHATTING against Facebook pages and online rackets related to prostitution and sex chats
Black Hat SEO campaign powered by SQL Injection (CSO) A new threat advisory from Akamai highlights a Black Hat SEO campaign that's leveraging SQL Injection as a means to generate links to website dedicated to stories about cheating
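How a single injectable parameter turns a legitimate site into a link farm, as an added example for this briefing (it is not Akamai's advisory code or the campaign's actual payload): a "related posts" lookup pastes a URL parameter into SQL, a UNION clause lets the attacker append rows of their own, and a template without output encoding then renders the attacker's anchor into the page that search engines crawl. The sample blog database, the payload and the example.invalid link are constructed; the parameterised query and the escaping renderer show the two fixes side by side.

```python
import sqlite3
import html

# Constructed sample data, not from Akamai's advisory: a tiny blog whose
# "related posts" box is driven by a category taken from the URL.
def build_db():
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
        CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT, category TEXT);
        INSERT INTO posts(title, category) VALUES
            ('Patch Tuesday roundup', 'security'),
            ('Rotating your keys', 'security'),
            ('Office potluck photos', 'community');
    ''')
    return conn


def related_posts_vulnerable(conn, category):
    """Deliberately vulnerable: the URL parameter is pasted into the SQL text."""
    sql = "SELECT id, title FROM posts WHERE category = '%s'" % category
    return conn.execute(sql).fetchall()


def related_posts_safe(conn, category):
    """Parameterised: the driver binds the value, so it can never become SQL."""
    return conn.execute(
        "SELECT id, title FROM posts WHERE category = ?", (category,)).fetchall()


def render_links_raw(rows):
    """Template without output encoding: whatever is in the title becomes markup."""
    return "\n".join('<a href="/post/%d">%s</a>' % (pid, title) for pid, title in rows)


def render_links_safe(rows):
    """Same template with HTML escaping, the second line of defence."""
    return "\n".join('<a href="/post/%d">%s</a>' % (pid, html.escape(title))
                     for pid, title in rows)


# Hypothetical link-planting payload: closes the string, appends a row of the
# attacker's choosing with UNION, and comments out the rest of the query.
SEO_PAYLOAD = ("' UNION SELECT 999, "
               "'<a href=\"http://example.invalid/cheating\">cheating stories</a>' -- ")

if __name__ == '__main__':
    db = build_db()
    print(render_links_raw(related_posts_vulnerable(db, SEO_PAYLOAD)))
    print(related_posts_safe(db, SEO_PAYLOAD))
```

The vulnerable path returns the attacker's row and the raw renderer emits a live outbound link, which is all a crawler needs to credit the target with a backlink; the parameterised query returns nothing for the same input, and even if injected data reached the template, escaping keeps it inert. Both fixes belong in place, since the escaping renderer still stops stored data that arrived by some other route.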
A Flaw on eBay's Site Allowed Hackers To Steal User's Passwords (Motherboard) A critical bug on eBay's website opened the door for malicious hackers to create fake login pages to steal passwords and harvest credentials
Interxion suffers security breach, customer contact details exposed (Graham Cluley) European data center services giant Interxion is informing customers that it has suffered a security breach, which has seen hackers access contact information stored in its CRM about corporate clients and prospects
I hacked Citrix, says Russian hacker w0rm (SC Magazine) Citrix, a US software company specialising in virtualisation and cloud computing, has reportedly been compromised by a Russian hacker called w0rm
Lessons from ATM Fraud Ring Arrests (BankInfoSecurity) European crime gang busted for 'jackpotting' attacks
Scammers target Dell customers after apparent data breach (CIO via CSO) A number of Dell customers claim to have been contacted by scammers who had access to specific customer information that should have only been available to Dell. The company says it hasn't been hacked but won't offer an explanation for the seemingly stolen data
How Nvidia breaks Chrome Incognito (charliehorse55) When I launched Diablo III, I didn't expect the pornography I had been looking at hours previously to be splashed on the screen
Wearables' motion sensors can be used to steal confidential data, say researchers (FierceMobileIT) Motion sensors in wearables provide a "pervasive attack surface" that could be exploited by attackers to steal confidential data, warned Tony Beltramelli and Sebastian Risi, two researchers at the IT University of Copenhagen
Hackers Love the Internet of Things Because Security Doesn't Sell Toasters (Inverse) A security professional on the weird economics of software vulnerability and why smart doorknobs should make us nervous
Security Patches, Mitigations, and Software Updates
Trend Micro flaw could have allowed attacker to steal all passwords (PCWorld) Trend has patched that problem and another remote execution flaw
Google security researcher excoriates TrendMicro for critical AV defects (Ars Technica) "I don't even know what to say," exasperated researcher tells TrendMicro official
Microsoft To End Windows 8 Security Updates January 12 (Übergizmo) As you might have heard, in January of last year, Microsoft ended mainstream support for Windows 7. Now if you have long upgraded to Windows 8, the bad news is that your time has come. Just to remind you guys, Windows 8's security updates will be coming to an end on the 12th of January, 2016
The Sorry Legacy of Internet Explorer (Wired) Internet Explorer soon will be a thing of the past. Starting today, Microsoft will stop supporting Internet Explorer versions 7, 8, 9 and 10 on most operating systems, its biggest step yet toward phasing out one of the most contentious pieces of software ever written
Drupal moves to fix flaws in update process (Help Net Security) After IOActive researcher Fernando Arnaboldi publicly revealed three crucial vulnerabilities in Drupal's update process last Thursday, the Drupal Security Team published a response on the Drupal Groups page
Juniper to kill off Dual_EC RNG in ScreenOS following new backdoor revelations (Help Net Security) Juniper will finally(!) replace the Dual_EC pseudo-random number generator in ScreenOS with the same random number generation technology currently used in its products running Junos OS. At the same time, ScreenOS will also stop using the ANSI X9.31 number generator
Questions Linger as Juniper Removes Backdoored Dual_EC RNG (Threatpost) Juniper Networks announced late Friday it was removing the suspicious Dual_EC_DRBG random number generator from its ScreenOS operating system
Cyber Trends
No More Narrow Focus: Is 2016 the Year of Cyber-Risk? (Legaltech News) In 2016, businesses are moving away from the 'very narrow focus' on personal privacy and data breaches to broader cybersecurity issues
Most IT pros oppose government backdoor access (Help Net Security) Close to two-thirds of global IT professionals oppose giving governments backdoor access to encrypted information systems, and 59% feel that privacy is being compromised in an effort to implement stronger cybersecurity laws
Doing Your Civic Cyber Duty (Information Security Buzz) How often do you think about your own cybersecurity? Unless you work in the IT department of a major enterprise or government agency, there's a good chance you're not thinking about it as often as you should be
Wi-Fi and security are better together for SMBs (Help Net Security) Wireless adoption is growing fast globally, with Wi-Fi access becoming ubiquitous in businesses, stores, corporate environments and public spaces; literally everywhere we go
Payment card data attacks worry over half of UK and US businesses (SC Magazine) Well over half (60 percent) of US and 52 percent of UK enterprises feel that an attack on payment card data is likely or more than likely
Marketplace
FireEye down 7.4% amid Wedbush/Piper notes, selloff in ex-momentum plays (Seeking Alpha) Wedbush's Steve Koenig (Neutral rating) has cut his FireEye (NASDAQ:FEYE) target by $6 to $21 following cautious Q4 checks with security resellers
FireEye Inc Sinks to All-Time Low as Cyber Stocks Get Hacked (Bidness Etc.) FireEye shares tanked more than 9% today to hit an all-time low at $16.51 during mid-day trading session
KnowBe4's Explosive Growth Fueled by Ransomware and Social Engineering Threats (Virtual Strategy Magazine) KnowBe4 sees continued dramatic increase of customer base, with over 350% annual and quarterly growth
Startup Spotlight: Vidder's Application Security (eSecurity Planet) Vidder offers a multi-pronged approach to application security based on a solution its founder created for the Department of Defense
Nice Systems to buy analytics firm Nexidia for $135 million in cash (Reuters) Israeli software provider Nice Systems on Monday agreed to buy analytics firm Nexidia for $135 million in cash to expand its growing analytics business
Tech IPO Candidates to Watch in 2016 (Bloomberg) Corporate software isn't sexy, but it's expected to make a strong showing on the public markets this year. Here's a cheat sheet with 14 companies to keep an eye on
DHS awards $1.7M contract to detect, mitigate DDoS attacks (Federal Times) One of the easiest ways to take down an organization's IT system is through a distributed denial of service (DDoS) attack, in which attackers flood the target with traffic or requests until it can no longer serve legitimate users. The Department of Homeland Security is trying out new ways to prevent and mitigate such attacks and just awarded a $1.7 million contract to Galois to build a collaboration platform to help the agency do just that
No security experience? Apply anyway (CSO) As we're facing an ever-increasing shortage of security personnel, it's time to change our recruitment tactics
ZeroFOX building out headquarters in former Pabst plant in South Baltimore (Baltimore Sun) Fast-growing cybersecurity startup ZeroFOX is making a castle-like former Pabst Brewing bottling facility in South Baltimore its headquarters as it looks to build momentum for an eventual public stock offering
Comodo Opens Office in Silicon Valley (Newswire Today) The Comodo organization, a global innovator and developer of cybersecurity solutions, today announced that it has opened its first office in the heart of Silicon Valley, in Santa Clara, California. The new location will house Comodo's expanded enterprise product management and product marketing team in the state-of-the-art TechMart building, which neighbors Levi's Stadium and the Santa Clara Convention Center
INSA Promotes Chuck Alsup to President (Washington Exec) Arlington, Va.-based INSA (The Intelligence and National Security Alliance) announced on December 21st that it has promoted its current Vice President of Policy, Chuck Alsup, to President effective January 1st
Clearlake Capital Backed HEAT Software Announces CEO Succession Plan (BusinessWire) Jonathan Temple to step down; John Ferron appointed as new CEO
Products, Services, and Solutions
Parsons and FireEye Form Strategic Partnership to Provide Advanced Cybersecurity for Critical Infrastructure and IT Environments (Pasadena Business Now) Parsons — a technology-driven engineering services firm with expertise in infrastructure, defense, intelligence, and cybersecurity — and FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, today announced a strategic partnership to provide customers with enhanced protection for their critical infrastructure and IT environments through advanced technologies and services aimed at reducing risk and strengthening security
General Dynamics Cloud Solution Platform Receives FedRAMP Authorization (PRNewswire) General Dynamics Information Technology announced that its "GDIT Cloud" offering has received Federal Risk and Authorization Management Program (FedRAMP℠) authorization
Microsemi builds better security into network time appliance (ITWorld) NTP processing has been moved from the CPU to an FPGA
Technologies, Techniques, and Standards
3 Things to Consider Before Hiring a Data Security Provider (Legaltech News) Not all firms are the same, but all share the need to secure their data. Experts offer some considerations for getting the ball rolling
The Incident Response "Fab Five" (Network World) CISOs should consider and coordinate incident detection and response in five areas: hosts, networks, threat intelligence, user behavior monitoring, and process automation
User behavior analytics: The equalizer for under-staffed security teams (Help Net Security) In a perfect world, security professionals would see a few alerts, recognize the pattern, identify the malware and the hacker, and solve the problem — all with only a few mouse clicks
7 Criteria For Enriching Digital Evidence (Dark Reading) Context is the essential ingredient that is missing from many digital forensic investigations
The Four Big Problems With Security Metrics (Dark Reading) Metrics can be very useful, but only if they track the things that matter
What cybersecurity spending strategies will best help enterprises? (TechTarget) Increased cybersecurity spending budgets don't happen very often, but when they do CISOs should take advantage of it. Here's how to strategize spending an increased security budget
10 absolutely critical lessons from the Cardinals-Astros hack that everyone should learn (Bob Sullivan) By now you've probably heard the sexy story of one major league baseball team hacking another in a perhaps the most famous case of corporate espionage to date
Design and Innovation
Amazon and Ford partner in IoT endeavor (FierceRetail) Amazon (NASDAQ:AMZN) is exploring a partnership with Ford that would allow its voice-activated technology to connect and control products between the car and home
Research and Development
root9B Signs Collaborative Research and Development Agreement with Department of Homeland Security (PRNewswire) root9B, a root9B Technologies Company (OTCQB: RTNB) and a leading provider of advanced cybersecurity services and training for commercial and government clients, announced today it has signed a Collaborative Research and Development Agreement (CRADA) with the Department of Homeland Security (DHS). Under this agreement, root9B will work with DHS to improve the nation's overall computer network defense posture
Academia
Kids start honing their cybersecurity skills early (Marketplace) Here's a list of companies that have something in common — something bad. Target, JP Morgan, Dairy Queen, eBay, Sony. They're all companies that have been hacked
Legislation, Policy, and Regulation
Who Protects the Rights of Russian Internet Users? Not These Guys. (Global Voices) We already knew the Russian government wasn't feeling too charitable toward Internet freedom, what with the far-reaching plans by Russian state censor Roscomnadzor and other state bodies to continue tightening their grip on the RuNet. But while everyone and their mom wants to regulate and restrict online communications in Russia, not many government officials or even quasi-independent Internet experts are rushing to take the side of the users
Wassenaar: Cybersecurity and Export Control (US House of Representatives Committee on Oversight and Government Reform) Subcommittee on Information Technology. Hearing date: January 12, 2016, 2:00 PM. Purpose: To review the interagency export control policy and process implementing the 2013 Wassenaar Arrangement cybersecurity technologies additions. To review the Department of Commerce's (Commerce) rule-making process for implementing the Wassenaar export controls. To highlight the impact on American businesses and the cybersecurity industry. To discuss how the Department of State (State) and their interagency partners should proceed on cybersecurity matters at Wassenaar moving forward
The U.S. Must No Longer Accept China's Denial of Government-Sponsored Hack Attacks (Huffington Post) China's bitter battle to rewrite the rules of the Internet persisted in December in the historic town of Wuzhen. There, China held its second World Internet Conference. The theme was identical to last year's — "an interconnected world shared and governed by all" — but the context surrounding this WIC was quite different
Call to boost intel sharing to thwart 'Terrorism 2.0' (Times of India) Ministers demanded greater intelligence sharing to stop extremist groups slipping across borders to carry out attacks, urging concrete commitments at talks Monday to stem dangerous intel lapses
The debate over government 'backdoors' into encryption isn't just happening in the U.S. (Washington Post) Nearly 200 experts, companies and civil society groups from more than 40 countries are asking governments around the world to support strong encryption — and reject proposals that would undermine the digital security it provides
America's New Plan to Fight ISIS Online (DefenseOne) The State Department will diversify its one-way approach, while other agencies reach out to Silicon Valley
Why ISIS Cannot Be Negotiated With (DefenseOne) Jonathan Powell argues that talking to terrorists has brought peace in the past. But the Islamic State really is different
Litigation, Investigation, and Law Enforcement
Defense IG to audit NSA's post-Snowden security measures (Fedscoop) The audit is one of a series ordered in a classified annex to the 2016 Intelligence Authorization Act
Exclusive: What DHS and the FBI learned from the OPM breach (FCW) A culture of poor cyber hygiene plagues the Office of Personnel Management and "likely aided the adversary" in the large-scale hack of the agency, according to a Department of Homeland Security and FBI report obtained by FCW. A lack of strong IT policies leaves OPM "at high risk for future intrusions," investigators concluded
DHS fails to meet certain information security requirements, DHS OIG says (FierceGovernmentIT) The Homeland Security Department has failed to meet the basic requirements set out in some information security policies, according to a report by the DHS Office of Inspector General
Chicago police must finally produce stingray records, judge orders (Ars Technica) Court knocks police for relying on generic FBI affidavit as argument for withholding
The NSA Told Me It Needs 4 Years to Answer a FOIA About a Coloring Book (Motherboard) Journalists covering the National Security Agency know that getting documents from it using the Freedom of Information Act can be a long and arduous process. But I never expected the agency to tell me to wait four years to get some basic information … about a children's coloring book
Ex-Cardinals exec: Yes, I hacked rival Astros' database (Naked Security) Chris Correa, former scouting director for the professional US baseball team St. Louis Cardinals, pleaded guilty on Friday to five counts of computer hacking and admitted he repeatedly accessed a proprietary database belonging to a rival team — the Houston Astros — without authorization
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
CISO Dallas (Dallas, Texas, USA, Apr 14, 2016) With newspaper headlines covering the latest data breaches, cloud computing security questions going unanswered and hackers developing more sophisticated attacks, the IT department has a growing responsibility to protect customer and company data
CISO San Francisco (San Francisco, California, USA, Apr 26, 2016) The CISO Summit brings together C-level IT security executives, industry analysts and solution providers to discuss challenges and best practices in a relaxed, yet focused business setting. Agenda sessions include panel discussions, think tanks, analyst Q&A sessions and much more
CISO Houston (Houston, Texas, USA, Apr 28, 2016) A data breach is not only a PR nightmare, but cause for customers to turn to competitors, exposing sensitive company information and racking up fines from industry regulators. In order for organizations to operate smoothly, CISOs and IT security executives need to be ahead of the hackers, and kept abreast of the latest IT security topics and trends
CISO United States (Chicago, Illinois, USA, May 1 - 3, 2016) The CISO Summit will bring together C-level IT security executives, industry analysts and solution providers to discuss challenges and best practices in a relaxed, yet focused business setting. Agenda sessions include engaging Keynote Presentations, Thought Leadership sessions, CISO Think Tanks, Analyst Q&As and much more
Upcoming Events
FloCon 2016 (Daytona Beach, Florida, USA, Jan 11 - 14, 2016) The FloCon network security conference provides a forum for large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic
Breach Planning & Incident Response Summit: Proactive Collaboration Between Private Industry and Law Enforcement to Mitigate Damage (Odenton, Maryland, USA, Jan 12, 2016) The Cybersecurity Association of Maryland, Inc.(CAMI), Chesapeake Regional Tech Council, Maryland Chamber of Commerce, Chesapeake Innovation Center, Tech Council of Maryland are partnering together to host this event designed to attract and educate CIO's, CISO's, CEO and Compliance officials from small to mid-sized commercial firms on the practical actions taken by the government, firms and organizations post-hack
Cyber Security Breakdown: Chicago (Chicago, Illinois, USA, Jan 12, 2016) This half day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than try and handle the breach during the chaos of the event, you'll understand how to build in advance, the best practices to respond effectively. Attend the Cyber Security Breakdown event that is focused on the unique issues and threats facing legal professionals
Insider Threat Program Development Training Course — Georgia (Atlanta, Georgia, USA, Jan 12 - 14, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation
FTC PrivacyCon (Washington, DC, USA, Jan 14, 2016) The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues led by all manner of whitehat security researchers and academics, industry representatives, consumer advocates
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting; Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
POPL 2016 (St. Petersburg, Florida, USA, Jan 20 - 22, 2016) The annual Symposium on Principles of Programming Languages is a forum for the discussion of all aspects of programming languages and programming systems. Both theoretical and experimental papers are welcome, on topics ranging from formal frameworks to experience reports
Automotive Cyber Security Summit — Shanghai (Shanghai, China, Jan 21 - 22, 2016) The conference, which brings together automakers, suppliers, various connected-services providers and security specialists, will focus on government regulations, emerging automotive cyber security standards and new products and solutions designed to deal with the growing threats
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
CyberTech 2016 (Tel Aviv, Israel, Jan 26 - 27, 2016) Cybertech is the most significant conference and exhibition of cyber technologies outside of the United States. Cybertech provides attendees with a unique and special opportunity to get acquainted with the latest innovations and solutions featured by the international cyber community. The conference's main focuses are on networking, strengthening alliances and forming new connections. Cybertech also provides an incredible platform for Business to Business interaction
Global Cybersecurity Innovation Summit (London, England, UK, Jan 26 - 27, 2016) SINET presents the Global Cybersecurity Innovation Summit, which focuses on providing thought leadership and building international public-private partnerships that will improve the protection of our respective homeland's critical infrastructures, national security and economic interests. Our objective is to advance innovation and the growth of the cybersecurity sector by providing a platform for cybersecurity businesses, particularly small and medium enterprises (SMEs), to connect with key UK, US, and international decision makers, system integrators, investors, government policy makers, academia and other influential business executives
Fort Meade IT & Cyber Day (Fort Meade, Maryland, USA, Jan 27, 2016) The Ft. Meade IT and Cyber Day is a one-day event held at the Officers' Club (Club Meade) on base. The event is held on-site, where industry vendors will have the opportunity to display their products and services to IT, Communications, Cyber and Intelligence personnel
ESA 2016 Leadership Summit (Chandler, Arizona, USA, Jan 31 - Feb 3, 2016) The electronic security industry is rapidly changing and continuously evolving. It's not enough to just survive. Businesses looking to thrive need to adapt to ensure their people, products, services and practices stay ahead of the curve. The Summit is a three-day conference filled with networking and educational opportunities dedicated to delivering business intelligence to electronic security companies and professionals that are ready to embrace innovation and grow