The CyberWire Daily Briefing 01.14.16

Cyber Trends

Endpoint Exploitation Trends 2015 (Bromium) With the conclusion of 2015, we have the opportunity to review one of the busiest years for cyber security in recent memory. IT security teams were on guard, working hard to defend against various attacks, from the Hacking Team's data trove of zero-days and surveillance Trojans to an explosive surge in ransomware attacks and malvertising

Surge in endpoints drives need for security (Help Net Security) The two most transformative trends impacting IT service providers (ITSPs) are endpoint growth and demand for security services according to a new Autotask survey of more than 1,100 global ITSPs

Do Americans Care About Privacy? It Depends, Because Privacy Is Personal… (TechCrunch) There have been plenty of premature obituaries for privacy falling from the lips of tech company CEOs in recent years

Data breaches caused more often by known vulnerabilities; IT and security at odds (FierceBigData) A new survey of more than 300 C-level executives, conducted by BMC and Forbes Insights, revealed that known vulnerabilities are the leading cause of exposure to data breaches rather than new or emerging threats. Why are known vulnerabilities still a threat? Surprisingly, the threats and breaches continue due to internal frictions over what should be done and in what order

The Cost of a Data Breach and How to Avoid Paying it (Information Security Buzz) Over the past 12 months there have been several high-profile data breaches which have hit the headlines. Recently, almost 157,000 TalkTalk customers had their personal details hacked. A small percentage of the stolen data, including names and addresses, were put up for sale shortly after the attack

Business Confidence in Cloud Security Grows (Infosecurity Magazine) Businesses are increasingly comfortable with security measures put in place to protect cloud services and the data housed with them, new research has revealed, and most companies have formal policies for moving processes to the virtual realm. CISOs are also starting to play a critical role as the cloud takes over

Business interruption remains most feared risk; market vagaries rank second (Business Insurance) Business interruption tops the list of global business risks, according to Allianz Global Corporate & Specialty S.E.'s 2016 Allianz Risk Barometer, released Wednesday

Security pros worried about stolen credentials, alert volumes (CSO) The majority of security organizations received more alerts than they can handle and don't have a way to spot stolen credentials, according to a survey released today

Almost a quarter of companies are willing to pay $1m ransom to hackers (Beta News) We all know that cyber attacks can be enormously disruptive, but how far would companies go to prevent an attack?

Machina Research Cautions Operators as Global M2M Roaming Doubles in Last 12 Months (The Fast Mode) In a study by Machina Research commissioned by Starhome Mach, a global provider of roaming services, M2M roaming connections has doubled in the last 12 months, representing seven percent of global roaming connections

Prediction #7: Internet of Things becomes a security nightmare (Beta News) This one is simple — a confluence of anti-hacking paranoia combined with the Internet of Things (IoT), which will lead to any number of really, really bad events in 2016

IoT Security: $1-per-Thing To Protect Connected Devices (Dark Reading) Locking down the Internet of Things won't be cheap. Here's the math

Legislation, Policy and Regulation

"Closing that Internet Up": The Rise of Cyber Repression (Council on Foreign Relations) Donald Trump calls for "closing that Internet up" due to the rise of Islamic extremism, Hillary Clinton says the same thing, just a bit more diplomatically, asking the great disrupters to go to work disrupting the so-called Islamic State

No Backdoors But UK Government Still Wants Encryption Decrypted On Request… (TechCrunch) Yesterday the U.K. Home Secretary, Theresa May, spent two hours giving evidence to a joint select committee tasked with scrutinizing proposed new surveillance legislation

Opinion: Britain can't pwn the world (Christian Science Monitor) The draft Investigatory Powers Bill gives Britain the power to prohibit companies from providing truly secure online communications, thus undermining the Web. But no country should have the right to pwn — hacker speak for "own" — the Internet

This Cyber 'Safeguard' Is Hurting US Defenses (Defense One) Tech execs and DHS' cyber czar say a multinational pact keeps them from sharing information about intruders' tools

Wassenaar Arrangement could get a redo over cyber (FCW) Federal officials and industry experts who testified before a joint hearing of two House subcommittees on Jan. 12 agreed with lawmakers that the government should re-evaluate its support for an international arrangement that imposes export controls on intrusion and surveillance technologies among participating countries

Cyber absent in President's final State of the Union address (FierceGovernmentIT) When President Obama addressed Congress for his final State of the Union Address last night, he failed to include cybersecurity

63% of IT professionals are against governments having backdoor access to encrypted information systems: study (Economic Times CIO) Global poll reveals scepticism about data breach disclosures and anticipated hiring challenges due to cyber security skills gap, according to ISACA

U.S. must keep pace with China in cyberspace (FCW) Congress needs to act if the United States is to keep pace with China's investments in cyberspace, said Texas Republican Mac Thornberry, chairman of the House Armed Services Committee

Thornberry To Prioritize Third Offset, Cyber, Nuke Modernization, Special Ops (Defense News) US House Armed Services Chairman Rep. Mac Thornberry outlined his plans in the coming year to focus on the Pentagon's strategy to maintain American dominance for the next 25 years, cyber, nuclear modernization and special operations

A federal 'bug bounty' program? HackerOne's Katie Moussouris weighs in on the challenges (Fedscoop) The government "would have to be very targeted with some specific goals in mind rather than try and open it up for all hacking activity," she said

Lessons from 2015: investor-centered compliance takes center stage in U.S. (Reuters) The course of regulatory developments in the United States in 2015 showed a decided focus on investor protections, tracking illicit financial flows, protecting data and ensuring overall cyber security. Furthermore, there was continuing discussion of the independence and financial commitment firms must give to compliance leadership

Classified report, JRSS review amid DISA's hard look at cyber (C4ISR & Networks) The Defense Information Systems Agency is coordinating with the DoD CIO office, the National Security Agency and the military services in a sweeping review of cyber capabilities that could steer Defense Department operations in cyberspace going forward

Inspector General of the Intelligence Community Releases Its Semiannual Report (IC on the Record) IC IG is starting off 2016 on a redesigned, user-friendly foot with the public release of its Semiannual Report

Idaho Air National Guard to Help in Efforts Against Computer Hackers (Military.com) The Idaho National Guard is well-known for providing emergency assistance during floods, fires and other disasters. It will soon add computer hacking protection to its mission

John McAfee: Jeb Bush is a smart man, but his views on cybersecurity depress me (Business Insider) John McAfee is running for president as a member of the Libertarian party. This is an op-ed he wrote and gave us permission to run

Stacey Dixon Joins IARPA as Deputy Director (ExecutiveGov) Stacey Dixon, former deputy director of the InnoVision organization at the National Geospatial-Intelligence Agency , has joined the Intelligence Advanced Research Projects Activity as deputy director

Products, Services, and Solutions

Building Threat Analyst Centaurs Using Artificial Intelligence (Recorded Future) In chess, a "centaur" is a human and computer playing together as a team, to take advantage of their complementary strengths: the speed and storage capacity of the machine and the creativity and strategic eye of the human

Virtru Launches Hardware-Backed Encryption Key Management Service (Dark Reading) Gives users ultimate control over content and keys

Centrify Targets IT Outsourcing Market with Identity Management Tools (The VAR Guy) Security vendor Centrify says it is making outsourced IT safe for business through new identity management software that provides federated access control for both employees and third-party contractors working with a company's resources

Shape Security Brings Its Bot-Blinding Technology to Mobile Apps (re/code) Two years ago, the startup Shape Security emerged from stealth mode with an interesting new idea for protecting websites from some of the most common forms of attack. Today it announced it has applied the same ideas to protecting mobile apps

Spy Specialist Booz Allen Targets Data Skills Gap (Datanami) Seeking to address the growing shortage of data scientists as demand for those skills explodes, leading U.S. security specialist Booz Allen Hamilton released a data science platform aimed at "democratizing data" via a simplified analytics system

Kaspersky Lab partners with WISeKey for wearable security (ARN) Says wearable devices are increasingly used for mobile and contactless payments

Dashlane's Redesigned Software Can Now Automatically Update Your Passwords Across 500 Websites (TechCrunch) Dashlane, a password manager application that competes with the likes of 1Password and LastPass, among others, has just rolled out a significant update which not only gives the software a new look-and-feel, but also makes it capable of automatically updating your passwords on over 500 websites, thanks to the additional support for 300 more sites included in this release

Kingston's DataTraveler 2000 Provides Undisputed Security and Encryption (HackRead) A new USB device series has been launched by Kingston aiming to provide secure and tamper-proof thumb drive to IT professionals while on the go

Technologies, Techniques, and Standards

Planning, Training and Automation Are Key to Successful Cyber Hunting (SIGNAL) The season to hunt white-tailed deer draws to a close, and being an avid hunter, I'm already planning for the next season using information gleaned from this go-around in addition to maps, data from trail cameras, temperature input, moon phase and the movement patterns of game. While planning tools are plentiful, they mean little without automation on the back end to make sense of it all

Why stolen laptops still cause data breaches, and what's being done to stop them (PC World) One out of ten laptops is stolen each year, many containing sensitive corporate data. Some companies are taking steps to avoid data breaches from device theft

Shining a light on dark data: Securing information across the enterprise (CIO) How do you address the risks of breach and disclosure associated with redundant, obsolete or trivial data?

Distinguishing Threat Intelligence From Threat Data (SecurityWeek) Threat intelligence feeds have become a major component of many organizations' cybersecurity diet. A wide variety of security vendors offer up an equally wide assortment of threat feeds of the latest malware payloads, malicious domains, websites, IP addresses, and host-based indicators of compromise (IoCs)

Sharing information to boost cyber security (ITWeb) Today's cyber criminals share with each other. Whether they share ideas, code or compromised systems, and whether for a price or for free, the point is they collaborate effectively

To Stop Data Breaches, Prioritize Employee Education (Chief Learning Officer) The work of learning leaders may revolve around building organizational knowledge and skill development crucial to company success, but new research shows few are educating employees around smaller, seemingly innocuous behaviors that can have costly implications

Security: The reason to move to the cloud (ITProPortal) Rob Alexander, CIO of the large US financial firm Capital One, stood on stage at the AWS re:Invent event and told the audience "We can operate more securely on AWS than we can in our own data centres"

When Outsourcing Cyber Services Makes Sense (Govtech Works) Cybercrime costs the U.S. economy some $100 billion a year, according to the Center for Strategic and International Studies. And the threats only grow more intense, while at the same time, regulatory and compliance issues grow more complex. Economic uncertainty and the Cybersecurity Information Sharing Act signed into law in December cloud the revenue outlook for public and private sector institutions, alike

Buying More Security Products Won't Keep Your IT Safe (Lifehacker) Security vendors are constantly bringing out new offerings aimed at protecting organisations from the ever growing threat of cyberattacks. But it's not a numbers game and snapping up all of the latest and "greatest" security products won't guarantee your business will be protected from cybercriminals

Why more security predictions and how can you benefit? (CSO) Americans loves baseball, hotdogs, apple pie and predictions

Marketplace

Health Care GCs Should Brace for Major Data Breaches (Corporate Counsel) The health care industry suffered its largest data breaches ever in 2015, and should be getting ready for more large-scale attacks in 2016, according to cybersecurity attorney Mary Grob of McGuireWoods

From security laggards to cyber warriors (Healthcare IT News) Combatting apathy, ignorance and indecision

Six blockbuster security acquisitions you could see in 2016 (CRN) What's brewing in hottest area of IT?

IT Security Comes in From the Cold (Handelsblatt International Edition) Spy scandals and leaks have led to a growing demand for secure communication technology in Germany, resulting in the growth of specialist IT security firms. Now a Munich startup has Apple interested in an app that provides encryption for iPhones

Thoughts on Media Reports Around Check Point and CyberArk Walking Down the Aisle (FBR Flash) Last night, Israeli news source Haaretz reported Check Point (CHKP) could be in initial talks to acquire CyberArk (CYBR), a market leader in privileged account security. With $3.6 billion of cash in its coffer and steadily growing, Check Point has ample powder to do a deal of this size (&126;$1.5 billion) while strategically making sense

Cyberark Software Ltd (CYBR) Acquisition Rumors Send Stock Higher In Pre-Market (IR.net) This morning reports are surfacing that the Tel Aviv-based Check Point Software Technologies Ltd.(NASDAQ:CHKP) has begun discussions with Cyberark Software Ltd (NASDAQ:CYBR) concerning a possible acquisition of the company

Proofpoint, Rapid7 outperform following CyberArk M&A report (Seeking Alpha) On a day the Nasdaq is down 2.8%, Proofpoint (PFPT +0.9%) and Rapid7 (RPD +1.9%) have managed to stay green following a report stating security software peer CyberArk (up 20.5%) is in preliminary talks to be acquired by Check Point

FireEye Has A Commanding Lead In A Promising Industry (Seeking Alpha) FireEye has a strong grip on the rapidly growing specialized threat protection and analysis market. While financial issues continue to plague FireEye, these issues will likely start to subside moving forward. Although competition from the likes of Palo Alto Networks will pose a big challenge for FireEye, the company is more than capable of maintaining a strong market position

Formula Systems and IAI Agree to Acquire TSG for US$50 Million (PRNewswire) Formula Systems (1985) Ltd. (NASDAQ: FORTY), a leading software consulting services, computer-based business solutions and proprietary software products holding company, today announced that Israel Aerospace Industries (IAI) and Formula have entered into a definitive agreement for the purchase of TSG — a subsidiary and the military arm of Ness Technologies, engaged in the fields of command and control systems, intelligence, homeland security and cyber security

Trend Micro's tipping point: Acquisiton of HP's network defense products (CSO) Trend Micro takes over HP's next generation intrusion detection system

Shape Security Raises $25 Million to Expand "Botwall" Technology (SecurityWeek) Shape Security today announced that it has raised $25 Million in a Series D funding round to accelerate deployments of its Botwall Service, with specific plans to expand further in China

Prevalent Receives $8 Million in Series B Financing (PRNewswire) Spring Mountain Capital leads latest equity financing round to accelerate company growth and product innovation

Ann Arbor tech company Duo Security triples revenue for third consecutive year (Michigan Live) For the third consecutive year, Ann Arbor-based security provider Duo Security tripled revenue in 2015, as it now has more than one million users

Exabeam's Extensible UBA Supercharges Enterprise Security via Integration, Partners (Integration Developer News) As 2016 kicks off, User Behavior Analytics (UBA) will be a hot area for security investments, according to Gartner analysts. The reason: UBA can deliver big security results, especially when integrated with other security solutions

Vencore Lands $96M EAGLE II IT Sustainment Order (GovConWire) The Department of Homeland Security has awarded Vencore a five-year, $96 million task order to sustain information technology systems and applications for the U.S. Citizenship and Immigration Services agency

RSA president outlines cloud security strategy, IDaaS plans (TechTarget) RSA President Amit Yoran discusses how the security vendor is changing its focus and explains how cloud security will play an important role in RSA's new strategy

New TransUnion Unit to Offer Fraud, Cyber Risk Mgmt Services in Public Sector (ExecutiveBiz) TransUnion has launched a new business group that aims to help U.S. government organizations address tax fraud and data security challenges

Which certifications matter most for those new to security (CSO) I like classes. If I could be a professional student, I would. I was a teacher, so book learning has great value to me as does learning in a classroom

Who is IBM's new federal leader? (Washington Technology) With the retirement of Anne Altman, IBM Corp. has hired Sam Gordy, a Leidos executive, to take her spot as general manager of IBM Federal

Dell lands former FireEye security lead Pataky (Channelnomics) Channel veteran to lead worldwide sales

Fred Funk Named President for Cyber, Sigint at Vistronix (GovConWire) Fred Funk, formerly senior vice president of the national security group at Preferred Systems Solutions, has joined Vistronix as president of cyber and signals intelligence systems

Research and Development

Yahoo Releases Its Biggest-Ever Machine Learning Dataset To The Research Community (TechCrunch) Yahoo announced this morning that it's making the largest-ever machine learning dataset available to the academic research community through its ongoing program, Yahoo Labs Webscope

Searching Private Data, and Ensuring It Stays Private (Pacific Standard) The National Security Agency has your data. Is there a way to use it that won't further violate your privacy?

The Pentagon Is Worried About Hacked GPS (National Interest) The military wants to bring navigation back down to earth

Security Patches, Mitigations, and Software Updates

Cisco Releases Security Updates (US-Cert) Cisco has released security updates to address vulnerabilities in Wireless LAN Controller software, Identity Services Engine software, and Aironet 1800 Series Access Points. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected device

Cisco fixes unauthorized access flaws in access points, wireless LAN controllers (IDG via InfoWorld) The vulnerabilities could allow remote attackers to compromise the affected devices

OpenSSH 7.1p2 released with security fix for CVE-2016-0777 (Internet Storm Center) OpenSSH 7.1p2 has been released with a security fix for a vulnerability recently assigned to CVE-2016-0777. CVE 2016-0777 is a client information leak that could leak private keys to a malicious server. A workaround is available for previous versions of OpenSSH

Top Survival Tips For IE End-Of-Life (Dark Reading) If an immediate upgrade to the latest version is not an option for all your machines running Internet Explorer, here's how to mitigate your risk

Cyber Attacks, Threats, and Vulnerabilities

Ukrainian power grid was hit by "co-ordinated cyberattack" (Naked Security) Earlier this month, we wrote about a power outage in Ukraine that was blamed on hackers

US official sees more cyber attacks on industrial control systems (Reuters) A U.S. government cyber security official warned that authorities have seen an increase in attacks that penetrate industrial control system networks over the past year, and said they are vulnerable because they are exposed to the Internet

Will ISIS Turn to Cyber Warfare? (Government Technology) A cybersecurity software company has predicted that the terrorist group will target American businesses, utilities and presidential campaigns

Reporters Covering Truth of ISIS Rule Pursued by Executioners and Bombers (Time) The men and women who have been exposing the reality of life under in ISIS are being tracked down and murdered, according to one of the founding members of 'Raqqa Is Being Slaughtered Silently', an underground network of citizen journalists documenting life in ISIS-controlled Raqqa in northern Syria

ISIS' Illicit Networks (Cipher Brief) The Islamic State (ISIS) and the threat from terrorism has dominated the news for the past 18 months

Anonymous drives Nissan offline in dolphin hunting protest (BBC) Two of Nissan's main websites have been driven offline by a cyber-attack

U.S. sailor apologizes in Iran propaganda video (Navy Times) Iranian state TV released several videos Wednesday showing the 10 U.S.Navy sailors who were captured and detained after their boat drifted into waters claimed by the long-time American adversary

US Intelligence chief has his phone account hacked, calls forwarded to Free Palestine Movement (Tripwire: the State of Security) Normally when you see a headline referring to intelligence agencies and phone accounts being hacked, you expect in this day and age that it's law enforcement that is doing the hacking

Probe launched after mischiefmaker invades US spyboss's Verizon broadband account (Register) Wife's Yahoo! webmail inbox also penetrated

Another Security Flaw Found in Verizon's MyFiOS App (DSLReports) Just about a year ago we noted how Randy Westergren, senior software developer with XDA-Developers, had discovered a flaw in Verizon's MyFiOS app that exposed some Verizon customer information. The flaw also allowed attackers to view customer e-mails — and send e-mails from those accounts. While that flaw was resolved, Westergren this week stated he found another vulnerability that piggybacked off of the original flaw

Rare Silverlight Zero-Day Uncovered in Hacking Team Saga (Infosecurity Magazine) A rare Silverlight zero-day vulnerability has been uncovered, which would allow an attacker to gain full access to a compromised computer

eBay XSS bug left users vulnerable to (almost) undetectable phishing attacks (Naked Security) It's the same old familiar, cheery red-blue-yellow-green sans serif logo at the top of an eBay login page that we know so well

eBay XSS Flaw: How Websites Might Help Criminals Phish Customers' Passwords (Bitdefender Business Insights) It's 2016, and it would be nice to think that after several years of doing business online, companies have got a better handle on how to protect their websites from attacks

CryptoWall sent by Angler and Neutrino exploit kits or through malicious spam (Internet Storm Center) Since August 2015, actors using Angler exploit kit (EK) to send ransomware have occasionally switched back and forth between Angler EK and Neutrino EK

Radamant Ransomware distributed via Rig EK (Cyphort Labs) A new ransomware called Radamant has been discovered in early December 2015. On December 31, we found compromised websites redirecting to Rig Exploit Kit and downloading this ransomware

Ransomware a Threat to Cloud Services, Too (KrebsOnSecurity) Ransomware — malicious software that encrypts the victim's files and holds them hostage unless and until the victim pays a ransom in Bitcoin — has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware also can just as easily seize control over files stored on cloud services

Dozens of mobile health apps found vulnerable to security risks (Graham Cluley) Researchers have found that dozens of mobile health apps are vulnerable to at least two of the top ten mobile risks identified by the Open Web Application Security Project (OWASP) project

Skylake bug freezes systems under 'complex workloads' (FierceCIO) Intel said that its newest and latest Skylake microprocessor could crash or trigger unpredictable system behavior under certain scenarios

Faithless Fans Suffer Data Breach thanks to SQLi Flaw (Infosecurity Magazine) Nearly 20,000 fans of British electro band Faithless have had their personal details stolen, exposing them to follow-up phishing and fraud attacks, according to a report

Your smartwatch can give away your payment card's PIN code (Help Net Security) Smartwatches can be a perfectly useful and handy wearable device for some users, but it''s good to keep in mind that using them might mean opening yourself to an additional line of attack

Connected medical devices creating cybersecurity risks (Security News Desk) Lock the backdoor: connected medical devices creating cybersecurity risks

Most mobile financial and health apps have critical vulnerabilities, Arxan report finds (FierceMobileIT) Most mobile financial and health apps contain critical vulnerabilities, according to a new report from app security provider Arxan Technologies

The threat of shoulder surfing should not be underestimated (CSO) Normally when I see a column I don't agree with, I let it go. Highlighting something, whether for good or bad, brings more attention to it. However, I recently read an article criticizing security terms and tools in a way that trivializes significant security concerns. I believe it deserves to be set straight

Re-Booted Hell Hacking Forum on Dark Web Hacks Car Breathalyzers Manufactures (HackRead) A hacker dubbed as ROR[RG] reportedly hacked into LMG Holdings' data and dumped some of its internal documents on Dark Web

The Silk Road's Dark-Web Dream Is Dead (Wired) Not so long ago, the Silk Road was not only a bustling black market for drugs but a living representation of every cryptoanarchist's dream: a trusted trading ground on the Internet where neither the government's laws nor the Drug War they've spawned could reach. Today, that illicit narco-utopia is long gone, its once-secret server in an evidence storage room and its creator Ross Ulbricht fighting a last ditch appeal to escape life in prison

Academia

Cornell Tech forms cybersecurity research team (Cornell Chronicle) Cornell Tech has formed one of the world's leading research groups specializing in cybersecurity, privacy and cryptography. The four scientists in the group are known for their influence on industry, nonprofit and government practice, as well as for their highly cited, award-winning research

Litigation, Investigation, and Enforcement

FBI director says Pittsburgh-based cybercrime busts send key message (Pittsburgh Post-Gazette) Pittsburgh-based cybercrime busts have created as many fugitives as prisoners, but even where they have not brought arrests the charges have pinged the bad guys, FBI Director James B. Comey said at a South Side news conference Wednesday

MegalodonHTTP author arrested, Damballa assists Law Enforcement (Damballa: the Day Before Zero) MegalodonHTTP author arrestedLast month, the Norwegian police arrested five men in a joint effort with Europol as part of the OP Falling sTAR

Yahoo settles class action suit over scanning email for ad targeting (Naked Security) Yahoo has settled a class action lawsuit over automatically scanning email sent by non-Yahoo Mail customers — including attachments — without consent, in order to deliver targeted ads to Mail users

EFF says Cisco shouldn't get off the hook for torture in China (IDG via CSO) Cisco custom-built its "Golden Shield" technology for uses including repression, the group says

Design and Innovation

The Boy Who Could Change the World (Electronic Frontier Foundation) "One of the minor puzzles of American life is what question to ask people at parties and suchly to get to know them," a nineteen-year-old Aaron Swartz wrote in 2006

The Long and Winding History of Encryption (Atlantic) The technology that keeps your text messages private had its start on the banks of the Tigris River, 3500 years ago