The CyberWire Daily Briefing 9.12.17

Summary

By The CyberWire Staff

Early and ambiguous comments about the Equifax breach pointed to an Apache Struts vulnerability, with the suggestion that the vulnerability the attackers exploited was CVE-2017-9805, a bug Apache fixed on September 5, 2017. But according to Contrast Security and other observers, it now seems likelier that the hackers exploited CVE-2017-5638, a vulnerability that was patched in March of this year.

The Equifax breach continues to draw litigation from the plaintiff's bar and regulatory inquests from state and Federal government bodies. Its share price dropped another 8% yesterday (but its fall is providing a healthy tailwind for cybersecurity equities).

The persons unknown who demanded ransom from Equifax with a September 15 deadline now appear to be grifters unconnected with the hack. There's been no further public word on attribution.

MongoDB believes the recent wave of ransom attacks on users of its database products have a common cause: failure to set passwords for administrative accounts. The vendor says it hopes to improve its customers' security awareness.

Armis Labs announces its discovery of a Bluetooth-based attack vector affecting major operating systems. (They call it "BlueBorne.")

ICS-CERT has warned that Medfusion Syringe Pumps could be vulnerable to remote manipulation. Mitigations are available.

ZeroFOX research suggests that bots may be better than humans at getting their marks to swallow social media clickbait.

The US Department of Energy has announced research grants to improve electrical grid cyber-resilience.

A resurgent al Qaeda, one of its Pakistani spinoffs, and the Iranian government are vying for jihadist mindshare online.

Learn how Cylance silences cyber attacks with Artificial Intelligence.

Notes.

Today's issue includes events affecting Australia, Austria, Bangladesh, China, Estonia, European Union, Iran, Israel, Republic of Korea, Pakistan, Russia, Spain, Syria, United Kingdom, United States

A note to our readers: tomorrow the CyberWire will be back in Washington, covering the 8th annual Billington CyberSecurity Summit. Watch for live-tweets tomorrow and reports later this week.

Third party breaches are here to stay – here’s how to stop the threat.

Threat actors are always looking for the easiest, fastest, and most inexpensive way to get what they want – enter third party breaches. How can organizations prioritize their efforts to reduce third party risk? Learn more in a webinar with LookingGlass Cyber Solutions’ Senior Sales Engineer Ryan Curran on Thursday, September 14 @ 2pm ET. Ryan will discuss how to tell if your vendors are already compromised, and how to use threat intelligence for actionable intelligence on your vendors’ vulnerabilities. Sign up now.

On the Podcast

In today's podcast, we talk with our partners at Dragos, as CEO Robert M. Lee discusses deterrence. Our guest is Myke Cole, who's not only a cyber security analyst for the NYPD, but a fantasy writer as well. He's discussing the importance of empathy when considering your adversaries.

We'd also like to draw your attention to two Cylance videos, produced in partnership with the CyberWire. One is an interview with Gavin Millard, on embracing DevSecOps. In the other, Amar Singh discusses investing in cybersecurity for a return tomorrow.

Sponsored Events

EAGB Breakfast Series: Leading the Cyber Transformation (Baltimore, Maryland, USA, September 19, 2017) Join us to discuss how the Baltimore-Washington region’s ‘tech hub’ reputation has helped build a solid foundation in cyber activities. Our panelists will discuss the transformation that is underway on the commercial side of cyber.

Earn a master’s degree in cybersecurity from SANS (Online, September 28, 2017) Earn a master’s degree in cybersecurity from SANS, the world leader in information security training. Learn more at a free online information session on Thursday, September 28th, at 12:00 pm (noon) ET. For complete information on master’s degree and graduate certificate programs, visit www.sans.edu.

Maryland Cyber Day Marketplace: Information. Connections. Solutions. (Baltimore, Maryland, USA, October 10, 2017) Register today to participate. Hundreds of cybersecurity providers and buyers in one location on one day. Maryland Cyber Day Marketplace provides the opportunity for CYBERSECURITY BUYERS (commercial businesses, government agencies, academic institutions and non-profit organizations of any size in any industry) to connect with, get to know and purchase cybersecurity solutions from Maryland's CYBERSECURITY PROVIDERS. The day will be a combination of face-to-face meetings, technology demos, brief educational sessions, "Ask an Expert" information stations, networking and a wrap-up luncheon with a keynote speaker. Presented with our program partner the Better Business Bureau of Greater Maryland.

Florida’s Annual Cybersecurity Conference (Tampa, Florida, USA, October 27, 2017) Networking the Future, the Florida Center for Cybersecurity's fourth annual conference, will host hundreds of technical and non-technical stakeholders from industry, government, the military, and academia to explore emerging threats, best practices, and the latest research and trends.

Selected Reading

Cyber Attacks, Threats, and Vulnerabilities

Apache Foundation Refutes Involvement in Equifax Breach (Threatpost) The Vice President of the Apache Struts PMC says the attackers likely used an unknown Struts zero day or an earlier announced vulnerability.

Equifax attackers got in through an Apache Struts flaw? (Help Net Security) Have the attackers responsible for the Equifax data breach exploited an Apache Struts vulnerability to compromise the company's networks?

Equifax blames open-source software for its record-breaking security breach: Report (ZDNet) The credit rating giant claims an Apache Struts security hole was the real cause of its security breach of 143 million records. ZDNet examines the claim.

Apache Struts Flaw Reportedly Exploited in Equifax Hack (Security Week) A vulnerability affecting the Apache Struts 2 open-source development framework was reportedly used to breach U.S. credit reporting agency Equifax and gain access to customer data.

Apache Struts vulnerability likely behind Equifax breach, Congress launches probes (SC Media US) A vulnerability in Struts discovered in March is the likely culprit exploited by hackers.

Up to 44 million UK consumers may have had their identity put at... (HOTforSecurity) By now, you've no doubt read the news stories about the massive data breach at credit-reporting service Equifax which has put 143 million US customers at risk of identity theft. Hackers stole personally identifiable data including social security numbers... #databreach #equifax #identitytheft

The Self-Proclaimed Equifax Hackers Are Likely Nothing More Than Amateur Scammers (Motherboard) The alleged hackers already got their dark web site and email suspended over suspicions that they’re not really who they claim to be.

Equifax moves to fix weak PINs for “security freeze” on consumer credit reports (Ars Technica) Customers found PIN was just a date-time stamp, vulnerable to brute-forcing.

Equifax shares tumble another 8% after hack (TechCrunch) Credit score giant Equifax announced on Thursday that 143 million accounts were hacked. Since then, the stock has taken a nosedive as investors anticipate..

How Equifax failed miserably at handling its data breach (Help Net Security) How an organization handles the fallout of a data breach is what shows us if they care about users - and Equifax failed miserably at it.

The Equifax Breach: What You Should Know (KrebsOnSecurity) It remains unclear whether those responsible for stealing Social Security numbers and other data on as many as 143 million Americans from big-three credit bureau Equifax intend to sell this data to identity thieves.

The Equifax Breach Exposes America's Identity Crisis (WIRED) It's time to rethink the Social Security number's ubiquity.

Why the Equifax Leak Should Scare the Crap Out of You (TheWrap) Equifax's massive data breach put 143 million Americans at risk of identity theft, making it more severe than stolen credit card data or compromised emails

MongoDB Ransom Victims Had No Passwords on Accounts (Infosecurity Magazine) MongoDB Ransom Victims Had No Passwords on Accounts. Database provider tries to improve customers’ security awareness

Admin Accounts With No Passwords at the Heart of Recent MongoDB Ransom Attacks (BleepingComputer) The recent wave of ransom attacks on MongoDB databases happened because database owners forgot to set passwords on their administrator accounts, according to Davi Ottenheimer, Senior Director of Product Security at MongoDB, Inc.

The IoT Attack Vector “BlueBorne” Exposes Almost Every Connected Device (Armis) Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is dubbed “BlueBorne”, as it spread through the air (airborne) and attacks devices via Bluetooth.

Estonia's ID Card And The March Of Cryptography (Forbes) Last week a colleague pointed me to headlines touting that a critical security vulnerability had been identified in Estonia’s national identity card and its accompanying cryptographic system that underlies the country’s e-government system, powering everything from electronic contract signing to online voting.

Alert Over Bugs in Medfusion Syringe Pump Devices (Infosecurity Magazine) Alert Over Bugs in Medfusion Syringe Pump Devices. ICS-CERT releases mitigation advice

When is a bug not a bug? When Microsoft says ‘it’s a feature’ (Naked Security) A researcher who notified Microsoft that he’d found a vulnerability has been told by ‘a middleman’ that its severity is low

There's a major new Android vulnerability that you need to know about (Trusted Reviews) Android phones not running Android 8.0 Oreo could be at risk from a new vulnerability that allows malware to put fake overlays in front of users.

Former Al-Qaida Operatives Launch New Militant Group in Pakistan (VOA) Police vow action to seize members of group known as Ansar al-Sharia Pakistan

Bin Laden’s Son Is Poised to Unify Terrorists Worldwide (The Daily Beast) Hamza bin Laden isn’t just being prepared for a leadership role in his father’s organization. He’s now the figure best placed to reunify the global jihadi movement.

How Al-Qaeda Benefits From America's Political Divisions (The Atlantic) If the United States wishes to defeat bin Laden's heirs and the toxic potency of their message, it needs to recommit to its most basic values.

Iran State TV Airs Video Clip Glorifying Beheaded Fighter in Syria (VOA) Images of Mohsen Hojaji’s capture and beheading by IS in Iraq went viral in state-linked social media platforms and TV channels, and turned him into symbol of national solidarity and detestation against IS brutality

[Crime Bay's OPSEC advice] (Pastebin) Crime Bay takes the security of this service very seriously. Our staff will never prioritize business operations over security. Our focus on security is how we always work to keep our customers, operatives and service safe from law enforcement and other adversaries. We outline some of our security measures on this page because we disagree with security through obscurity as a method for keeping law enforcement out. Our users deserve to know and understand the measures we take to keep this site running and secure their accounts.

Security clearance backlog leads to risky interim passes (Washington Post) A government backlog of 700,000 security clearance reviews has led agencies like the Defense Department to inadvertently issue interim passes to criminals — even rapists and killers — fueling calls for better and faster vetting of people with access to the nation’s secrets.

Hackers Have Already Started to Weaponize Artificial Intelligence (Gizmodo) Last year, two data scientists from security firm ZeroFOX conducted an experiment to see who was better at getting Twitter users to click on malicious links, humans or an artificial intelligence. The researchers taught an AI to study the behavior of social network users, and then design and implement its own phishing bait. In tests, the artificial hacker was substantially better than its human competitors, composing and distributing more phishing tweets than humans, and with a substantially better conversion rate.

England expresses cyber attack concerns to FIFA before World Cup 2018 (The New Indian Express) England has told players, coaches and technical staff to avoid using public Wi-Fi networks over concerns sensitive personal and team information could be illegally obtained in Russia.

Safer Without: Analysis of South Korean Child Monitoring & Filtering Apps (The Citizen Lab) Analysis of Korean child monitoring apps reveals privacy & security flaws that demonstrate poor development practices & potentially put children at risk

Comodo Caught Breaking New CAA Standard One Day After It Went Into Effect (BleepingComputer) One day after the CAA (Certificate Authority Authorization) standard became obligatory on September 8, a German security researcher caught Comodo breaking the rules and issuing an SSL certificate it was not supposed to issue.

Security Patches, Mitigations, and Software Updates

iOS 11 Will Make It Even Harder for Cops to Extract Data (WIRED) Apple has added two features that could make the lives of law enforcement investigators significantly more difficult.

Google says its Safe Browsing tool now protects over 3 billion devices (TechCrunch) Google today announced that its Safe Browsing service, which keeps Chrome, Safari and Firefox users on the desktop and on mobile from visiting potentially..

Cyber Trends

The GDPR 'industry-wide education gap' needs to be addressed (Computing) The UK lags behind the rest of the world on GDPR knowledge, even though awareness is approaching 100 per cent

Poll: Majority of Small Business Owners Perceive Online Marketplaces Like Amazon as a Threat (BizBuySell) New BizBuySell survey reveals small business concern over the "Amazon Effect", cybersecurity and the current tax code.

Do IT modernization efforts increase security challenges? (Help Net Security) Most government IT executives believe that IT modernization projects increase security challenges as opposed to alleviate them, according to Unisys.

How to Keep Pace With the Shifting Sands of Cybersecurity (Infosecurity Magazine) Faced with the increasing threat of cybercrime, businesses can’t be reactive anymore.

Marketplace

Growing Cybersecurity Threat Projected to Push Cybersecurity Market to New Highs (Business Insider) According to a research report published by MarketsandMarkets, the cybersecurity market size is expected to grow from USD 137.85 Billion in 2017 to USD 231.94 Billion by 2022 and at a Compound Annual Growth Rate (CAGR) of 11.0% during the forecast period.

3 Hot Cybersecurity Stocks in Focus Post Equifax Data Breach (Zacks Investment Research) A cyber attack is good news for cybersecurity companies, because it increases the chances of security-related purchases by the companies and governments.

Could a continuing resolution put innovation on ice? (Defense News) Pentagon leaders want to integrate innovation into antiquated acquisition systems, but a CR may threaten progress.

Cybersecurity Stock Eyes Breakout After Equifax Hack (Investor's Business Daily) A Relative Strength Rating upgrade for FireEye shows improving technical performance.

Cybrary Secures $3.5 Million in Series A Funding (BusinessWire) Cybrary, the world’s first open-source cyber security and IT learning and certification preparation platform, has secured a $3.5 million Series

INTERVIEW: Falanx Group Ltd Acquisition and Appointment of Chief Technology Officer (DirectorsTalk Interviews) Falanx Group Ltd (LON:FLX), the global intelligence, security and cyber defence provider, has today announced the acquisition of AuditSec Services Ltd ("Au

Blackstone to launch IPO/sale of Vivint: WSJ (PE Hub) Blackstone Group is preparing a dual process for Vivint, the smart-home technology company it acquired in 2012, the Wall Street Journal reported. Blackstone recently invited investment bankers to pitch for the sale/IPO, the story said. A deal could value Vivint at more than $3 billion, or $6 billion including debt, the WSJ said.

KPN CISO paints a greater security picture (Help Net Security) Being the CISO of a huge and diverse company such as KPN requires great determination, and Jaya Baloo fits the bill on that score.

Oracle axed more than 1,000 employees in September (Computing) Cuts signify Oracle's continued restructuring towards the cloud

Plurilock expands U.S. locations, staff to meet demand for behavioral biometrics solution (BiometricUpdate) Plurilock Security Solutions has grown its U.S. footprint with two new East Coast locations and additional staff to expand commercial and government market access to its continuous user validation …

The most monocle-dropping tech acquisitions of the past five years (TechCrunch) This is a list of tech deals from the past half decade that were surprising because of their size, impact or seeming randomness. Some have paid off, while..

How DHS is thawing the industry-government deep freeze (FederalNewsRadio.com) DHS will host a third reverse industry day in October to further expand the discussion of how to get acquisition right.

KeyLogic Names Former NASA Executive John Marinaro as Vice President of Federal Civilian Division (KeyLogic) KeyLogic Systems, Inc., a leading professional services and engineering firm, today announced John D. Marinaro as Vice President of their Federal Civilian Division.

Redlock signals company growth with new appointments (Security Brief) RedLock's CEO says, "The talent that Ankur and Viswa bring to the table will further our ability to serve customers with cutting-edge solutions"

Deep Instinct Strengthens C-Suite with Senior Vice President of Sales for North America (Sys-Con Media) Deep Instinct, the first company to apply deep learning to cybersecurity, announced today the appointment of David Roth to Senior Vice President of Sales for North America. In his new role, Roth will be responsible for driving revenue growth, customer acquisition, channel engagement and securing a world-class marketing position. He will report directly to Deep Instinct’s CEO, Guy Caspi.

Former RSA Executive Chairman Art Coviello Joins Verodin’s Strategic Advisory Board (BusinessWire) Verodin today announced that Art Coviello, former RSA executive chairman and well known security strategist, has joined its strategic advisory board.

Products, Services, and Solutions

ThreatQuotient and PhishMe Partner to Offer Advanced Detection and Defense of Phishing Attacks (BusinessWire) ThreatQuotient announced a strategic partnership with PhishMe to enable security teams to normalize, enrich and track phishing threats in ThreatQ

Bay Dynamics Joins VMware Mobile Security Alliance to Enable Risk-Based Authentication & Authorization – Bay Dynamics (Bay Dynamics) Bay Dynamics, a leader in cyber risk analytics, announced today the company is joining the VMware Mobile Security Alliance to enable organizations to more effectively mitigate mobile threats. As part of its membership, integration between Bay Dynamics’ flagship cyber risk analytics platform, Risk Fabric®, and the VMware Workspace ONE digital workspace platform powered by VMware AirWatch technology will enable risk-based authentication and authorization for remote users.

Minerva Launches Enterprise-Grade Malware Vaccination Solution to Immunize Endpoints and Rapidly Contain Attacks (PRNewswire) Minerva, a leading provider of anti-evasion technology, today...

CFC launches dark web monitoring tool (Insurance Age) MGA says CFC BreachAlert will notify policyholders in real-time if any of their data is posted on the dark web.

DOSarrest Rolls Out all New DDoS Protection Software (Globe Newswire) DOSarrest Internet Security announced today that they have released their new DDoS protection software, along with a number of other advances and upgrades. This is DOSarrest’s 5th major release since starting in the fully managed cloud based DDoS protection service in 2007.

OnKöl taps Gemalto for IoT tech (Security Document World) Gemalto has announced the use of its IoT connectivity technology in OnKöl’s mHealth solution.

Israel's Biggest Bank Partners Microsoft to Offer Bank Guarantees on a Blockchain - CryptoCoinsNews (CryptoCoinsNews) Microsoft is partnering with Israel’s Bank Hapoalim on a blockchain-based platform to support digital bank guarantees for customers, according to The Times of Israel.

Verimatrix Enters Internet of Things Market with Cloud-based Platform to Secure Connected Devices and Services (markets.businessinsider.com) Vtegrity offers advanced security that addresses revenue threat landscape and lifecycle management

Bangladesh's First crowd-sourced penetration testing platform for hackers (The Daily Star) Beetles Cyber Security, a local tech firm has developed the country's first crowd-sourced penetration testing platform to build a trusted,

BrainChip Introduces World's First Commercial Hardware Acceleration of Neuromorphic Computing (Benzinga) Enables 16 channels of simultaneous video processing; provides a low power, up to 6x speed boost to BrainChip Studio's CPU-based Artificial Intelligence Software for Object Recognition; 7x more efficient than GPU-accelerated deep learning systems

Technologies, Techniques, and Standards

Cyberwar game tests politicians' ability to deal with a major attack (ZDNet) EU Cybrid cyber defence exercise is the first to involve senior politicians.

Why even smaller enterprises should consider nation-state quality cyber defenses (CSO Online) The modern threat landscape has evolved to the degree that even smaller enterprises may find themselves victim to a previously unthinkable attack.

Security: Will the Equifax Breach Bring an End to Social Security Numbers? (Formtek) On Thursday last week, Equifax announced that they had discovered in late July 2017 that their website had had been hacked.

What business can learn from the Equifax data breach (CSO Online) Security professionals need a systematic analysis process to make sure they aren’t the next Equifax when customer data is compromised.

If cyber threat sharing is a team sport, DHS needs more teammates (FederalNewsRadio.com) The Homeland Security Department’s Automated Indicator Sharing (AIS) is preparing to implement version 2.0 of STIX.

Auditors get guidance on SSH key management (Cyberscoop) A new guide for auditors says SSH key management should be on their checklist because the proliferation of unmanaged keys for the ubiquitous encryption protocol means IT networks can’t be guaranteed as secure. The guidance, “SSH: Practitioner Considerations,” was published Tuesday by the nonprofit global membership association, ISACA, previously known as the Information Systems Audit and Control Association...

SSH: Practitioner Consideration Guidance (SSH Communications Security) Best practices in order to deliver a new guidance for compliance and audit practitioners titled “SSH: Practitioner Considerations.”

It's the doctors who need help as breach notification looms (CRN Australia) [Comment] Healthcare companies of all sizes will be put under pressure.

How to protect your email account from Equifax hackers in 5 minutes (CSO Online) Use two-step verification to protect your email accounts from the Equifax hackers.

Why Relaxing Our Password Policies Might Actually Bolster User Safety (Dark Reading) Recent guidance from NIST may seem counterintuitive.

Threats on social media highlight need for strategic approach, Army leadership says (US Army) Soldiers and family members are facing the growing need to protect themselves from cyberthreats on social media, according to top leadership here. A Soldier within the U.S. Army Garrison Bavaria footprint recently received messages on a private Faceb...

7 Tips to Fight Gmail Phishing Attacks (Dark Reading) Popular email platforms like Gmail are prime phishing targets. Admins can adopt these steps to keep attackers at bay.

Gavin Millard: Embracing DevSecOps (Cylance) Matt Stephenson spends some time with Tenable's Technical Director for EMEA, Gavin Millard, to talk about Secure DevOps. Can a good container strategy change the course of security? A secure DevOps strategy could be the difference.

Amar Singh: Investing Today in Security for Tomorrow (Cylance) Cybersecurity expert Amar Singh breaks down the reasons why "Good Enough" just isn't "Good Enough," and how the right investment upfront can save you money down the road... and keep your data safe.

Data Protection and PCI Compliance (Thales) Read this complimentary guide for an easy-to-understand introduction to protecting payment card data and a reference framework you can use as you work with architects, operations, analysts, and assessors. This book covers not just the PCI DSS mandates themselves but also ways in which you can employ data protection techniques to reduce the scope of your PCI footprint.

Design and Innovation

GM and Cruise announce first mass-production self-driving car (TechCrunch) Kyle Vogt, CEO and founder of Cruise Automation, revealed very big news for his company and its owner GM, which acquired the startup last year. The news is..

GM and Cruise’s Self-Driving Car: Just Add Software (WIRED) General Motors says it's ready to mass produce driverless cars. It just has to figure out how to make them work.

The military turns to machines to fight machines [Commentary] (Defense News) Machine-aided cyber warfare attacks developed by nation states are posing a growing threat to national security.

Bitcoin Owes Success to Three Different Waves of Innovators (Cointelegraph) Cryptocurrency owes its present success to its multidisciplinary nature. Here’s who we have to thank.

How Apple's iPhone X Will Get Face Recognition Right When The Note 8 Got It So Wrong (Forbes) Last week I noticed a tweet that suggested you could unlock the Samsung Galaxy Note 8 using its face recognition with a photo on another phone. I chuckled and wondered if it had been faked somehow. It wasn't a fake, I've checked with my own review unit and it really is that bad.

This Facial-Recognition AI Knows Your Girlfriend's Face Better Than You Do (Lifehacker Australia) If someone showed you a group photo containing your boyfriend or girlfriend, you could probably spot them without much trouble. But what if the photo was...

Research and Development

Resilient Distribution Systems Lab Call Awards (Energy.gov) A reliable and resilient electric grid is critical not only to our national and economic security, but also to the everyday lives of American families.

Fact Sheet: DOE Award Selections for the Development of Next Generation Cybersecurity Technologies and Tools (Energy.gov) On September 12, 2017, the Department of Energy (DOE) announced the award of over $20 million to DOE’s National Laboratories and partners to support critical early stage research and development of next-generation tools, technologies, as well as building capacity throughout the energy sector for day-to-day operations such as cyber-threat information sharing, to strengthen protection of the Nation's electric grid and oil and gas infrastructure from the cyber threat.

China building world’s biggest quantum research facility (South China Morning Post) Centre could boost military’s code-breaking ability and navigation of stealth submarines

This tiny sensor could sleep for years between detection events (TechCrunch) It's easy enough to put an always-on camera somewhere it can live off solar power or the grid, but deep in nature, underground, or in other unusual..

For Combat-Ready Robots, Add a Dash of Humanity (SIGNAL Magazine) Human intuition can mean the difference between life or death. Some human perspective also could make artificial intelligence systems better at a variety of battlefield tasks.

How We'll Eventually Control Everything With Our Minds (Motherboard) Brain-controlled computers are currently helping paralyzed patients, but one day they might be used to control everything around you.

Concerns raised over claim that neural networks can detect sexuality (Naked Security) Researchers – whose previous work has sparked concern – scraped photos without seeking consent from dating sites

Naval exercise seeks to advance multidomain, collaborative tech (C4ISRNET) Through annual Advanced Naval Technology Exercises, the Navy is looking to identify both potential acquisition opportunities and mature technologies within concepts of warfare.

So much for that Voynich manuscript “solution” (Ars Technica) Librarians would have "rebutted it in a heartbeat," says medieval scholar.

Academia

How to Find School Cybersecurity Support (EfficientGov) Our education grants columnist explains why school cybersecurity leadership and grants protect schools, students, facilities and cyber assets.

K12 Federation Launches Nationwide Educational Cooperative to Focus on Cybersecurity, Technology Interoperability and Collaborative Solutions (PRNewswire) K12 Federation today announced the nationwide launch of its...

Legislation, Policy and Regulation

Moscow considering deeper cuts to U.S. diplomatic staff in Russia (Los Angeles Times) Moscow wants to ax an additional 155 U.S. personnel from diplomatic missions in Russia in further tit-for-tat.

Jeff Sessions urges Congress to reauthorize FISA 'promptly' (Washington Examiner) FISA is the legal basis for U.S. surveillance programs, and has faced scrutiny lately after it was revealed Section 702 of the law allowed f...

As China quietly invests in American tech startups, US struggles to respond (Defense News) Amid concerns from U.S. lawmakers and the Pentagon that China is “weaponizing” investment in early-stage technologies, Congress is considering legislation aimed at sealing regulatory gaps.

We need to tame the tech giants’ Wild West (Times) Stand down, everybody. A few days ago the worst ever Russian internet troll was found on Twitter. She, or more likely he, uses the name “Rosemary” and the photograph of a real US nurse and gun nut.

What to Tell an Alien About Russia’s Upcoming Elections (Moscow Times) The country's political system runs on the trust of its citizens

Pakistan should drop the pretence on cross-border terrorism (South China Morning Post) Beijing used BRICS summit to send its all-weather ally a message: it’s time for Islamabad to rethink its self-defeating narrative on Afghanistan and India

Equifax Data Breach Prompts Calls For Tougher Security Requirements On Data Aggregators (Dark Reading) Credit report bureau discloses breach that exposed data on 143 million US consumers.

DHS rebuked for inadequate cyber hiring (Federal Times) Both the chair of the House Homeland Security Committee’s cybersecurity subcommittee and its lead Democrat took aim at DHS for not taking advantage of all the authorities Congress gave to build the cyber workforce it needs.

Sen. Harris Opposes Resolution Equating Wikileaks to "Hostile" Spy Organization (THE DISTRICT SENTINEL news co-op) Sen. Kamala Harris (D-Calif.) sided with Ron Wyden (D-Ore.) to vote against a resolution calling on the US government to treat WikiLeaks like a “non-state hostile intelligence service.” Harris, a rumored presidential contender, joined with Wyden, a leading civil libertarian lawmaker, to oppose the legislation in a Senate Intelligence Committee vote on annual policy legislation. Harris said the language was reckless and vague, while Wyden focused much of his ire at the legal distinction the committee is attempting to create. “[T]he ambiguity in the bill…

Litigation, Investigation, and Enforcement

House panel will hold hearing on huge Equifax data breach (High Tech Beacon) Equifax, one of the country's three major credit bureaus, has been targeted by hackers in what could be one of the largest data breaches ever.

European banks at mercy of US regulators (Help Net Security) European banks are under disproportional enforcement pressure from US regulators. Since 2012, 97 percent of all fines have come from US regulators.

FBI gets Sputnik emails, critics see 'red line for media' crossed in Russia probe (Washington Examiner) Some press freedom advocates say Americans should be concerned regardless of whether the meeting between journalist Andrew Feinberg, an FBI...

EXCLUSIVE: Gowdy Wonders If Democrats Are ‘Fearful’ Trump Dossier Is ‘A Piece Of Fiction’ (The Daily Caller) Democrats are "fearful" that the Trump dossier is "a piece of fiction," one that the FBI used to form the basis of its investigation into whether the Trump campaign colluded with the Russian governmen

Republican Attempt to Deflect Trump-Russia Probes Could Backfire: Sources (US News and World Report) Republican lawmaker Devin Nunes' investigation into whether Obama administration officials used classified intelligence reports to discredit Donald Trump's 2016 campaign team could backfire on the congressman - and the president, sources familiar with the reports said.

White House hits back at Steve Bannon over sacking of FBI chief James Comey (Times) The White House clashed with President Trump’s former chief political strategist last night, disputing his claim that the dismissal of James Comey as head of the FBI had been a blunder of historic...

Equifax sued for Billions after 143 million data hack (HackRead) As reported yesterday, the credit reporting agency Equifax was hacked by unknown attackers. Now, it is being reported that the credit giant has been slappe

Public shame might force a revolution in computer security (MIT Technology Review) New incentives could make corporations work harder to keep our data safe.

Russian Lawmaker’ Son Pleads Guilty to $50M Hacking Scam (HackRead) Russian Lawmaker’s Son Pleads Guilty to Wire Fraud and Identity Theft Charges. In April 2017 HackRead.com reported how the 32-year Russian hacker Roman Sel

Russian cybcercriminal Roman Seleznev pleads guilty in Atlanta (United State's Attorney's Office for the Northern District of Georgia) Roman Seleznev has pleaded guilty to conspiracy to commit bank fraud for his role in the 2008 hack of RBS Worldpay. Seleznev was responsible for cashing out $2,178,349 associated with five hacked debit card numbers.

[Seleznev was kidnapped and will be cleared] (Embassy of Russia in the USA / Посольство России в США) По-прежнему считаем незаконным арест фактически похищенного американскими спецслужбами с территории третьего государства российского гражданина Р.Селезнева. По имеющейся информации, его адвокат будет...

Facebook fined €1.2M for privacy violations in Spain (TechCrunch) Another privacy-related fine for Facebook in Europe: The Spanish data protection regulator has issued a €1.2M (~$1.4M) fine against the social media..

Google files to appeal $2.73BN EU antitrust fine (TechCrunch) Google has filed a legal appeal against a record-breaking fine handed down by the European Commission this summer for anti-competitive behavior relating to..

Law making it illegal to collect data, photo of open land hangs in balance (Ars Technica) Court: “Collection of resource data constitutes the protected creation of speech.”

When modern day innovators begin to stray (TechCrunch) Qualcomm is leveraging this essential patent to distort the market for new smartphones by forcing companies that need to license the technology into paying..

This admin helped music pirates pilfer 1 billion copyrighted tracks (Ars Technica) RIAA nemesis ShareBeast did not respond to takedown notices, authorities said.

Neo-Nazi DailyStormer Booted Off By Austrian Domain Registrar (HackRead) Andrew Anglin, the administrator of the neo-nazi website DailyStormer, has no chill since he keeps on trying to make a comeback with his website on the reg

FireWatch dev uses DMCA against PewDiePie after streamed racial slur (Ars Technica) Campo Santo cuts off association with "propagator of despicable garbage."

PewDiePie Is Inexcusable but DMCA Takedowns Are Not the Way to Fight Him (Motherboard) Many games review videos are in violation of copyright law, but stay up anyway, for promotional reasons.

Study finds Reddit’s controversial ban of its most toxic subreddits actually worked (TechCrunch) It seems like just the other day that Reddit finally banned a handful of its most hateful and deplorable subreddits, including r/coontown and r/fatpeoplehate...

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

upcoming Events

Insider Threat Program Management With Legal Guidance Training Course (Laurel, Maryland, USA, September 12 - 13, 2017) Insider Threat Defense will hold a two-day training class, Insider Threat Program (ITP) Management With Legal Guidance (National Insider Threat Policy (NITP), NISPOM Conforming Change 2). For a limited time the training is being offered at a $1295. This training will provide the ITP Manager / Senior Official and Facility Security Officer with the knowledge and resources to achieve compliance with NITP /NISPOM CC2, and go beyond these regulations to establish a robust and effective ITP. Any individual involved with supporting an ITP will also gain valuable knowledge. A licensed attorney with extensive experience in Insider Threats and Employment Law will provide legal guidance related to ITP's, the collection, use and sharing of employee information, and employee computer user activity monitoring. Any organization (State Government Agencies, Businesses, Etc.) that are not required to implement an ITP, but are concerned with Insider Threat Risk Mitigation will also benefit greatly from this training.

PCI Security Standards Council: 2017 North America Community Meeting (Orlando, Florida, USA, September 12 - 14, 2017) Join your industry colleagues for three days of networking and one-of-a-kind partnership opportunities. Whether you want to learn more about updates in the payment industry or showcase a new product, you’ll find it all at the 2017 Community Meetings.

DSEI 2017 (London, England, UK, September 12 - 15, 2017) Defence and Security Equipment International (DSEI) is the world leading event that brings together the global defence and security sector to innovate and share knowledge. DSEI represents the entire supply chain on an unrivalled scale.

8th Annual Billington CyberSecurity Summit (Washington, DC, USA, September 13, 2017) The 8th Annual Billington CyberSecurity Summit September 13 in Washington D.C. brings together world-class cybersecurity thought leaders for high-level information sharing, unparalleled networking and public-private partnerships from a cross-section of civilian, military and intelligence agencies, industry and academia. Keynotes from The Honorable Daniel Coats, Director of National Intelligence, Representative William Hurd, R-Texas, General Joseph Votel, Commander, United States Central Command, Robert Joyce, Special Assistant to the President and Cybersecurity Coordinator, The White House, Grant Schneider, Acting CISO, Office of Management and Budget, (invited), plus CISOs from DHS, DoD, HHS and the CIO for USCYBERSOM. Full agenda <a href="http://www.billingtoncybersecurity.com/8th-annual-billington-cybersecurity-summit/agenda/" target="_blank">here</a>.

Cyber Security Summit: New York (New York, New York, USA, September 15, 2017) If you are a Senior Level Executive responsible for making your company’s decisions in regards to information security, then you are invited to register for the Cyber Security Summit: New York. Receive 50% off of a Full Summit Pass when you register with code CYBERWIRE50 (standard price of $350, now only $175 with code). Register at CyberSummitUSA.com. The Cyber Security Summit: New York is an exclusive conference connecting Senior Level Executives responsible for protecting their companies’ critical data with innovative solution providers & renowned information security experts. for details visit CyberSummitUSA.com.

Cyber Security Conference for Executives (Baltimore, Maryland, USA, September 19, 2017) The Johns Hopkins University Information Security Institute and COMPASS Cyber Security are hosting the 4th Annual Cyber Security Conference for Executives on Tuesday, September, 19. It will be held on the Homewood Campus of Johns Hopkins University. This year’s theme is, “Emerging Global Cyber Threats.” The conference will feature thought leaders across a variety of industries to address current cyber security threats to organizations and how executives can work to better protect their data.

4th Annual Industrial Control Cybersecurity Europe (London, England, UK, September 19 - 20, 2017) Against a backdrop of targeted Industrial Control System cyber attacks against energy firms in the Ukraine power industry, the massive attacks against the Norway oil and gas industry, cyber attacks on Saudi Aramco and the new and continued threats such as Crash Override malware, Stuxnet, Havex, Dragonfly, Black Energy, and the potential impact of ransomware like #Wannacry on industrial control systems, the Cyber Senate return for the 4th Annual Industrial Control Cybersecurity Europe meeting to bring key stakeholders together to address our responsibility in ensuring the safety, reliability and stability of our Critical National Infrastructure.

Cyber Everywhere: Collaboration, Integration, Automatio (Washington, DC, USA, September 20, 2017) We’ve seen all of the cyber headlines this year – new policies emerging, old policies evolving, the cyber workforce is multiplying, and rapidly growing connected devices are complicating governance. While the Federal government is focused on security, new adversaries and attack vectors still emerge hourly. What are the early grades on the new Administration’s response to the growing cyber threat? How can collaborative tactics and integrated intelligence tools strengthen a proactive cyber defense? Join us at the sixth annual Cyber Security Brainstorm on September 20 at the Newseum to discuss the cyber strategies and opportunities that can keep our Federal government one step ahead at all times.

10th Cyber Defence Summit (Dubai, UAE, September 20, 2017) Naseba’s 10th Cyber Defence Summit will address the importance of protecting critical infrastructure and sensitive information, help companies procure cyber security solutions and services, and create further awareness of cyber security among the youth of the UAE.

Maine Cyber Safety Institute (Waterville, Maine, USA, September 20 - 21, 2017) The Summit intends to help business protect themselves from possible losses. The Information Security Community, representing cyber professionals, found that 54% of anticipated cyberattacks against their organizations would be successful this year. Top causes for this exposure relates to a lack of skilled people, budget, and awareness. New techniques for mobility, using personal devices, and applications represent a more than 60% risk. Only 11% of organizations rate their defenses very effective (Schulze, 2017).

2017 Washington, D.C. CISO Executive Leadership Summit (Washington, DC, USA, September 21, 2017) Highly interactive sessions will provide many opportunities for attendees, speakers and panelists to be engaged in both learning and discussion. The objective for the day is to deliver high quality useful information that attendees can develop into an action plan. Key Areas of Focus Include: Strategy, Process Improvement and Alignment, Innovation and Technology; Career Management and Leadership Development.

Connect Security World (Marseille, France, September 25 2017 - September 27 2014) As IoT solutions are transitioning from hype to real deployments, the “Internet of insecure things” threat is gaining ground. To address unlimited risks, threats and vulnerabilities surrounding IoT, a new generation of connected devices and services is required, with better security and privacy by design. In its 6th edition, Connect Security World invites both digital security experts and IoT developers to discuss and define a true end-to-end security, from sensors to Cloud, from design and development to deployment.

(ISC)2 Security Congress (Austin, Texas, USA, September 25 - 27, 2017) (ISC)² Security Congress cybersecurity conference brings together nearly 1,500 cybersecurity professionals, offers 100+ educational and thought-leadership sessions, and fosters collaboration with forward-thinking organizations. The goal of our conference is to advance security leaders by arming them with the knowledge, tools and expertise to protect their organizations. (ISC)² members are eligible for special discounted pricing and will have opportunities to attend exclusive member events.

Connect Security World (Marseille, France, September 25 - 27, 2017) As IoT solutions are transitioning from hype to real deployments, the “Internet of insecure things” threat is gaining ground. To address unlimited risks, threats and vulnerabilities surrounding IoT, a new generation of connected devices and services is required, with better security and privacy by design. In its 6th edition, Connect Security World invites both digital security experts and IoT developers to discuss and define a true end-to-end security, from sensors to Cloud, from design and development to deployment. (Note: the call for speakers is open through April 4, 2017.)

SINET61 2017 (Sydney, Australia, September 26 - 27, 2017) Promoting cybersecurity on a global scale. SINET – Sydney provides a venue where international solution providers can engage with leaders of government, business and the investment community to advance innovative solutions to cybersecurity challenges.

O'Reilly Velocity Conference (New York, New York, USA, October 1 - 4, 2017) Learn how to manage, grow, and evolve your systems. If you're building and managing complex distributed systems and want to learn how to bake in resiliency, you need to be at Velocity.

24th International Computer Security Symposium and 9th SABSA World Congress (COSAC 2017) (Naas, County Kildare, Ireland, October 1 - 5, 2017) If you thought symposiums on information security and risk were all the same, look again! COSAC is an entirely different experience. Conceived by practising professionals for experienced professionals, it is the most participative and productive event of the year. Undoubtedly the world's best annual source of advice in Information Security, COSAC makes available to you, in a fully residential format, presenters and facilitators who are the very best in the world. Collectively they have many hundreds of years of practical experience, have published thousands of major articles and books, and have proven records of success all over the globe.

Cybersecurity Nexus North America 2017 (CSX) (Washington, DC, USA, October 2 - 4, 2017) Be a part of a global conversation with professionals facing the same challenges as you at the nexus—where all things cyber security meet. Cyber security doesn’t take a vacation and it doesn’t sleep. You need to be aware of the most effective tactics and tools to meet the ever-growing threat. CSX 2017 offers keynote speakers and sessions that dive deep into what you need to know now.

Atlanta Cyber Week (Atlanta, Georgia, USA, October 2 - 6, 2017) Atlanta Cyber Week is a public-private collaboration hosting multiple events during the first week of October that highlight the pillars of the region’s cybersecurity ecosystem and create an opportunity for meaningful interaction between growth oriented cybersecurity companies and our Fortune 1000 client base.

4th Annual Industrial Control Cyber Security USA Summit (Sacramento, California, USA, October 3 - 4, 2017) Against a backdrop of targeted Industrial Control System cyber attacks, such as those against energy firms in the Ukraine power industry, the massive attacks against the Norway oil and gas industry, cyber attacks on Saudi Aramco and the new and continued threats such as Crash Override malware, Stuxnet, Havex, Dragonfly, Black Energy, and the potential impact of ransomware like #Wannacry on industrial control systems, the Cyber Senate return for the 4th Annual Industrial Control Cybersecurity USA meeting to bring key stakeholders together to address our responsibility in ensuring the safety, reliability and stability of our Critical National Infrastructure

4th Annual Industrial Control Cyber Security Summit USA (Sacramento, California, USA, October 3 - 4, 2017) Against a backdrop of continued ICS targeted cyber attacks against energy firms in the Ukraine power industry (CRASHOVERRIDE), the massive attacks against the Norway oil and gas industry, cyber attacks on Saudi Aramco and the continued threats such as Stuxnet, Havex, Dragonfly, Black Energy, and the potential impact of ransome ware like #Wannacry on industrial control systems, the Cyber Senate return for the 4th Annual Industrial Control Cybersecurity Europe meeting to bring key stakeholders together to address our responsibility in ensuring the safety, reliability and stability of our Critical National Infrastructure.

CyberSecurity4Rail (Brussels, Belgium, October 4, 2017) Facilitated by Hit Rail, this conference will bring together experts in cybercrime and digital security, plus leaders in ICT and representatives from transport and railway companies, European organisations and international bodies, to discuss the threats and set out a vision for safer, more secure digital communications and data networks in the transport industry. CyberSecurity4Rail will draw on the experience of recent incidents and the expertise of those who are working to protect systems and prevent cyberthreat.

Infosecurity North America (Boston, Massachusetts, USA, October 4 - 5, 2017) Organized by Infosecurity Group, which has provided the global information security community with some of the largest, longest established conferences and expos over the past 22 years including Infosecurity Europe, Infosecurity North America will focus on bringing together the information security community and end users to discuss how to overcome the most pressing cybersecurity challenges today. The topics include malware, cloud security, governance, regulation and compliance, threats, professional development, application security and digital forensics.

Hacker Halted (Atlanta, Georgia, USA, October 9 - 10, 2017) The theme for Hacker Halted 2017 is The Art of Cyber War: Lessons from Sun Tzu. 2,500 years ago, Sun Tzu wrote 13 chapters on military strategy. Fast forward to today and we are still learning from those chapters and applying them in our newfound digital age. In an age where war is waged over cables and microchips instead of battlefields, one challenge is defining what war is and when war should be declared. Boundaries are being eroded as the globalization of technology continues its march across our physical landscape. Come learn strategies for Cyber War: Hacker Halted 2017.

European Cybersecurity Forum – CYBERSEC (Krakow, Poland, October 9 - 10, 2017) The Fourth Industrial Revolution is in full swing, giving a strong impulse to the growth of Europe’s innovation-driven economy that can compete with world’s economic superpowers. Let’s start the dialogue together to unlock our potential and use the opportunities ahead. CYBERSEC’s mission is to foster the building of a Europe-wide cybsersecurity system. Our goal is to create a dedicated collaborative platform for governments, international organisations, and key private-sector organisations.

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter’s financial reach, or it might just not be the right time for you to do those things. That’s why we launched our new Patreon site, where we’ve created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you’ll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.