The CyberWire Daily Briefing 11.16.17

Summary

By The CyberWire Staff

The US released, publicly, revisions to the Vulnerabilities Equities Process (VEP), the policy that governs when and under what circumstances US agencies (in the Intelligence Community, for the most part, especially NSA) will disclose zero-days they discover. The principal effects of yesterday's White House announcement, which has received generally positive reviews, are said be a move toward greater transparency, more accountability, and better stakeholder representation in the process.

Observers see a recent increase in North Korean cyber op-tempo as a possible indication that Pyongyang is preparing to wage a wider cyberwar.

Questions about leaks from NSA (mostly those peddled by the Shadow Brokers) lead to speculation about a mole or moles remaining on the payroll at Fort Meade. Kaspersky Lab (hardly a disinterested party but not to be dismissed out of hand, either) releases the results of an internal study that suggests the much-discussed NSA worker's laptop that was protected by Kaspersky software was in fact riddled with other malware, and that such malicious code, not a Kaspersky security product, was the root cause of any compromise.

Armis Labs reports that Amazon Echo and Google Home are both susceptible to the Bluetooth vulnerability reported earlier this fall as BlueBorne.

Google's Play Store has seen a wave of malicious apps that have succeeded in bypassing the safeguards Mountain View has put in place to protect the store. Dr.Web, Malwarebytes, and McAfee have reported finding three new families of Android malware. ESET has discovered some multi-stage, evasive malware lurking in innocent-appearing apps.

Learn how Cylance silences cyber attacks with Artificial Intelligence.

Notes.

Today's issue includes events affecting China, European Union, Germany, Israel, Democratic Peoples Republic of Korea, Republic of Korea, Russia, United Kingdom, and United States.

Not all intelligence is created equal.

A well-informed cybersecurity strategy is essential to keeping your organization protected, but gathering global intelligence from various sources and locations is difficult. Your organization needs a partner with deep roots in cyber threat intelligence. The LookingGlass digital library (STRATISS) of strategic intelligence reports expands your understanding of the threat landscape and delivers the intelligence your decision makers want to their fingertips. Check out our intelligence here.

On the Podcast

In today's podcast we hear from our partners at Webroot, as David DuFour talks about the importance of communication with the board of directors. Our guest, Roy Katmor from Ensilo, describes how attacks unfold when they use social engineering.

Sponsored Events

Earn a master’s degree in cybersecurity from SANS (Online, November 21, 2017) Earn a master’s degree in cybersecurity from SANS, the world leader in information security training. Learn more at a free online information session on Tuesday, November 21st, at 1:00pm ET. For complete information on master’s degree and graduate certificate programs, visit www.sans.edu.

Cyber Security Summit: Los Angeles (Los Angeles, California, USA, November 29, 2017) Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security on November 29 in Los Angeles. Register with promo code cyberwire50 for half off your admission (Regular price $350).

Selected Reading

Cyber Attacks, Threats, and Vulnerabilities

North Korea Getting Ready Wage a Global Cyber War, Experts Say (eWEEK) NEWS ANALYSIS: Sound computer hygiene will protect your organization from malware threats, even those launched by a North Korean dictator bent on cyber-war.

Researcher Provides Insight Into North Korea Cyber-Army Tactics (eWEEK) In a session at the SecTor security conference, a security researcher provides details on the tools and methods used by multiple attack groups operating out of North Korea.

Internal Kaspersky Investigation Says NSA Worker’s Computer Was Infested with Malware (Motherboard) The Russian cybersecurity firm released a new report that pushes back against accusations that it helped leak sensitive NSA materials and suggests that a backdoor found on worker’s machine could have allowed others to take files from his machine.

'Leaker' behind massive NSA breach possibly still working at agency (Security Brief) A cybersecurity expert has said it is a ‘stunning admission’ by the former CIA director about the NSA breach that is being touted as catastrophic.

Shadow Brokers cause ongoing headache for NSA (Naked Security) It’s not been a great few years for the NSA when it comes to breaches…

Russian Hackers Aren't the NSA's Biggest Problem (Bloomberg) The FBI and CIA recovered from colossal embarrassments by rebuilding their entire cultures.

Years after regulatory crackdown, some security cameras still open to hackers (Washington Post) Cybersecurity start-up claims flaws allow access to people’s video feeds

Hackers mimicking little kids can fool voice recognition systems (Naked Security) Misuse of the technology is going to rise right along with the popularity of voice apps, says a recent study.

Amazon Echo, Google Home Vulnerable to BlueBorne Attacks (Security Week) Amazon Echo and Google Home devices are vulnerable to attacks exploiting a series of recently disclosed Bluetooth flaws dubbed “BlueBorne.”

BlueBorne Information from the Research Team (Armis Labs) BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices.

Multi-stage malware appeared on Google Play targeting various apps (WeLiveSecurity) ESET researchers have discovered malware with improved ability to bypass Google Play’s protection mechanisms using multi-stage architecture and encryption.

Google Play Store Sees Sudden Surge of Malicious Apps (BleepingComputer) The Google Play Store is seeing a wave of malware-infested apps like never before. Four separate security companies have reported —or are preparing to release reports— on malware campaigns currently underway via Android apps available on the Play Store.

Ransomware: Ordinypt erpresst deutsche Nutzer (netzwelt) Deutsche Nutzer sollten im Internet derzeit besonders vorsichtig sein. Eine Ransomware namens "Ordinypt" hat es speziell auf deutsche Nutzer abgesehen, warnen die Sicherheitsanalysten von G Data....

Ransomware-spreading hackers sneak in through RDP (Naked Security) Sophos has uncovered a new niche in the world of cybercrime: ransomware infections where the crooks run the ransomware themselves

Malware spreading that mines cryptocurrency (Fortune) Watch out for web sites that steal your PC power

Researchers Hack Car Infotainment System and Find Sensitive User Data Inside (Motherboard) Contacts, call logs, text messages and other information from paired phones was stored unencrypted.

No boundaries: Exfiltration of personal data by session-replay scripts (Freedom to Tinker) This is the first post in our “No Boundaries” series, in which we reveal how third-party scripts on websites have been extracting personal information in increasingly intrusive ways.

Second OnePlus Factory App Discovered. This One Dumps Photos, WiFi & GPS Logs (BleepingComputer) A security researcher has found a second factory app that was included on OnePlus devices delivered to customers, and this one can be abused to dump the user's photos and videos, but also GPS, WiFi, Bluetooth, and various other logs.

DXC spills AWS private keys on public GitHub (Register) 'Unknown persons' spin up 244 VMs at cost of $64k. Whoops

Amazon S3 cloud storage security breach hits corporations (TechTarget) The Amazon Simple Storage Service (S3) has been giving big businesses –and their customers — big trouble.

Sharp rise in fileless attacks evading endpoint security (Help Net Security) A Ponemon Institute survey of 665 IT and security leaders unveiled a surge in fileless attacks evading endpoint security.

Forever 21 reports data breach, failed to turn on POS encryption (SC Media US) The clothing retailer Forever 21 reported today that some of its payment card systems had been breached when the installed encryption was not activated.

Confusion reigns over crypto vuln in Spanish electronic ID smartcards (Register) Certs revoked, but where are the updates?

Be Wary of Apparently Internal Emails, Report Says (FEDweek) Email fraud is getting more frequent and more sophisticated, including greater use of a tactic to which federal agencies are especially vulnerable, making

Ransomware Targets J. Sterling Morton High School Students With Fake Survey (BleepingComputer) An in-development ransomware has been discovered that is targeting the high school students of the J. Sterling Morton school district in Illinois.

Security Patches, Mitigations, and Software Updates

Cisco Warns of Critical Flaw in Voice OS-based Products (Threatpost) Cisco Systems issued patch that fixes a critical vulnerability impacting 12 products running the Cisco Voice Operating System software.

Firefox Quantum: Security and privacy improvements (Help Net Security) Learn more about the Firefox Quantum security and privacy improvements. Tracking Protection can now be enabled for regular browsing windows.

Patch Tuesday - Rapid7 Comment (Information Security Buzz) Microsoft has just released their patches for the month of November and Greg Wiseman, Rapid7’s Senior Security Researcher has provided his thoughts below. Greg Wiseman, Senior Security Researcher at Rapid7: “Web browser issues account for two-thirds of this month’s patched vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed. Many of these are …

Cyber Trends

KnowBe4: “Six Cybersecurity Trends Organizations Need to Watch for in 2018” (PRWeb) New-school security awareness training company ID’s phishing, social engineering and ransomware trends as continuing to get worse in 2018

ISACA Research: Only Half of Organizations Say Their Leaders Are Digitally Literate (BusinessWire) ISACA's new Digital Transformation Barometer looks at the impact of digitally literate leaders on an organization's digital transformation initiatives

Oil and Gas Cybersecurity Conference Yields New Insights (Journal of Petroleum technology) Operators, vendors, academics, and government officials offered new insights into meeting the growing incidence of cyber-threats across the industry during the 12th Annual American Petroleum Institute Cybersecurity Conference on 7–8 November in The Woodlands, Texas.

Infosec expert viewpoint: IoT security initiatives (Help Net Security) In order to educate and promote safety, many IoT security initiatives have emerged in the past few years. Here's what nfosec experts think about them.

Bot-driven web traffic and its application security impact (Help Net Security) Research focused on highly targeted industries exposes the proliferation of bot-driven web traffic and its impact on organizations’ application security.

Marketplace

ReFirm Labs Announces $1.5 Million in Funding From Startup Studio DataTribe and Launches Firmware Validation Platform (GlobeNewswire News Room) National Security Agency veterans develop automated platform to detect firmware vulnerabilities in billions of IoT and other connected devices

Deal Street: Big Data Startup Raises $25 Million From Singtel Group (Bloomberg Quint) Your weekly dose of startup deals

Cybercom Challenges Industry: Be Agile, Precise (U.S. DEPARTMENT OF DEFENSE) At U.S. Cyber Command’s first-ever industry day, Cybercom leaders briefed nearly 400 members of private industry about the command’s acquisition priorities at the National Geospatial-Intelligence

Taking extra precaution, firms plan to spend more on cybersecurity (Indiana Lawyer) As the threat of cyberattacks continues to loom over professions including the law, legal practitioners are taking additional steps to protect themselves and their firms from harmful access to their data.

Emerging IT Security Technologies: 13 Categories, 26 Vendors (Dark Reading) A rundown of some of the hottest security product areas, and vendors helping to shape them.

Israeli support for AI slipping, Nvidia executive says (The Jerusalem Post) Japanese and Chinese supercomputers may leave start-up nation in the dust

Here's how some local companies are trying to close the cyber talent gap (Washington Business Journal) “We can’t sit around and expect the kind of talent we’re going to need is just going to show up,” says a Northrop Grumman executive. “Because it’s not.”

Companies turn to ‘war games’ to seek out cyber security talent (Business Tech) With demand for cyber security expertise exploding, but qualified people in short supply, war-gaming competitions have become key recruiting grounds for companies and government security agencies.

Experian warns of increased scrutiny after Equifax hack (Financial Times) Credit monitoring service says data hack has led to greater regulatory pressures

FireEye CEO Kevin Mandia joins Shape Security Board of Directors (GlobeNewswire News Room) Shape Security, provider of the leading platform for online application defense, today announced the appointment of Kevin Mandia, CEO of FireEye, to its board of directors.

Products, Services, and Solutions

Oxygen Forensic® Detective X Launches with New WhatsApp Extraction Features (Oxygen Forensics) Oxygen Forensics, a worldwide developer and provider of advanced forensic data examination tools for mobile devices, cloud services and drones, today announced that its new flagship product, Oxygen Forensic®® Detective X (version 10), which contains the industry-leading Oxygen Forensic®® Cloud Extractor, has added new WhatsApp extraction features.

New Quad9 DNS service means more private, secure browsing (IBM) IBM has collaborated with PCH and GCA to develop the new Quad9 DNS service. Learn about the latest evolution of collaborative defense for more secure, private internet browsing

Aqua Security Launches On-Demand Security Scanner for Container Images on AWS Marketplace (Aqua) Aqua Security today announced that it’s launched a pay per scan, on-demand vulnerability scanning service for Amazon Web Services (AWS) customers that build, store, or manage container images …

Cylance debuts consumer version of its AI based antivirus software (Computerworld New Zealand) Cylance, one of a new breed of developers of antivirus software that relies on artificial intelligence and machine learning for its functionality, has begun offering a consumer version of its product in New Zealand and Australia.

RapidFire Tools Introduces Detector SDS 2.0, Enhancing Functionality and Adding a New Service Tier (GlobeNewswire News Room) Enhancements include new “Bronze” level internal IT service offering, redesigned interface, new at-a-glance views, and automated threat alert workflows

SonicWall Launches New Lineup Of Professional Security Services (Channel Partners) Through the Partner Enabled Services Program, partners are vetted, granted status as a SonicWall Authorized Services Partner and given access to training, tools, sales, marketing and technical resources aimed at helping them deliver the new services.

Anomali To Provide Threat-Sharing Expertise To U.S. House of Representatives Homeland Security Subcommittee On Cybersecurity And Infrastructure Protection (BusinessWire) Anomali, a provider of market-leading threat intelligence solutions, announced today that it will be appearing before the U.S. House of Representative

Malwarebytes introduces new MSP program (ARN) Cybersecurity company, Malwarebytes, has taken the wrappers off a new managed service provider (MSP) program specifically aimed at the A/NZ market.

Technologies, Techniques, and Standards

How to stop Emotet malware from infecting your computer (Help Net Security) Learn more about how to stop Emotet malware, a dangerous banking Trojan has been around for several years and continues to evolve.

7 Ways E-Commerce Sites Must Battle Bots Stealing Credentials (Credit Union Times) Experts say the biggest website security threat comes from bots.

How Hacking Works (Motherboard) Motherboard's 2017 Hacking Week aims to demystify how the security industry really works.

Motherboard Hacking Livestream: Cracking MMORPGs (Motherboard) Join us on YouTube or Facebook to learn how hacking works.

Motherboard Hacking Livestream: How to Pwn a Router (Motherboard) Join us on YouTube or Facebook to learn how hacking works.

Design and Innovation

Facebook, Google and others join The Trust Project, an effort to increase transparency around online news (TechCrunch) "Fake news" and other misinformation, online propaganda, and satirical content people believe is true have filled the web via search engines and social..

Legislation, Policy and Regulation

Improving and Making the Vulnerability Equities Process Transparent is the Right Thing to Do (White House) There can be no doubt that America faces significant risk to our national security and public safety from cyber threats.

FACT SHEET: Vulnerabilities Equities Process (White House) The newly released Vulnerabilities Equities Process (VEP) Charter spells out how the Federal Government will handle the process that determines whether the Government will notify a private company about a cybersecurity flaw in its product or service or refrain from disclosing the flaw so it can be used for operational or intelligence gathering purposes.

Vulnerabilities Equities Policy and Process for the United States Government (White House) This document describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies.

Cybersecurity pros take first peek at once secretive process behind US hacking toolkit (TheHill) The White House released a charter Wednesday publicly describing the principles, aims and values of the secretive process it uses to decide what hacking tools to keep in its arsenal and which it would report to tech companies to allow them to fix.

US clarifies handling of cybersecurity flaws (VEP) (WeLiveSecurity) US clarifies handling of cybersecurity flaws, publishes Vulnerabilities Equities Policy and Process

Trump administration releases rules on disclosing security flaws (ZDNet) The White House's cybersecurity coordinator said the rules are "vital" to ensuring a balance between public disclosure and retaining flaws for intelligence operations.

White House releases new VEP charter (Open Policy & Advocacy) This morning, the White House released a new version of the Vulnerabilities Equities Process (VEP). We want to thank Rob Joyce, and the rest of the NSC staff working on ...

Feds Explain Their Software Bug Stash—But Don’t Erase Concerns (WIRED) A new charter for the Vulnerabilities Equities Process sheds some light, but doesn't fix the underlying problems.

Trump administration pulls back curtain on secretive cybersecurity process (Washington Post) The rules guide government decisions over whether and when to disclose software flaws that can be turned into cyberweapons.

China’s Ministry of State Security Likely Influences National Network Vulnerability Publications (Recorded Future) Recorded Future analysis has uncovered evidence that CVEs are likely evaluated for their operational utility by the MSS before publication on CNNVD.

All’s fair in cyberwar (Korea JoongAng Daily) What got President Park Geun-hye interested in “cyber defense” was a short briefing by Korea University professor and cryptology expert Lim Jong-in. When he had three minutes in the 30-minute Ministry of National Defense report to the Blue House in J

Sessions: Surveillance Reform Could Be 'Exceedingly Damaging' to National Security (Nextgov) Getting a warrant before searching through information collected under Section 702 authorities would be burdensome, the attorney general told lawmakers.

IBM's Schneier: It's Time to Regulate IoT to Improve Cyber-Security (eWEEK) At the SecTor security conference in Toronto, IBM Resilient Systems CTO Bruce Schneier makes a case for more regulatory oversight for software and the internet of things.

Homeland Security Will Soon Have a Tough, Smart Leader at the Helm (The Daily Signal) Fixing broken policies will not be easy, but Kirstjen Nielsen is the right person for the job.

Business Cybersecurity Letter (Commonwealth of Pennsylvania Department of Banking and Securities) Deliberate cyberattacks and cyberthreats pose substantial risk to Pennsylvania’s financial infrastructure and national security.

Litigation, Investigation, and Enforcement

AP spreads 'Russia hacked DNC' claim as though it is gospel truth (ITWire) ANALYSIS The current reds-under-the-beds scare in the US is increasingly being sold by the media, with unproven claims often being paraded as fact.

Assange isn’t a dreamer, he’s a destroyer (Times) I remember when Julian Assange was the coolest thing on the planet. Back in 2010, on his first visit to London after his Wikileaks organisation revealed secrets of the US war on terror, I debated...

Will Equifax Ever Be Held Accountable For Its 'Rookie Mistakes'? (Forbes) For a few bracing weeks this fall, consumers harmed by Equifax, Wells Fargo or another financial institution had the right to their day in court.

Criminals make student data public in escalating demands for ransom (NBC News) Cyber criminals are increasingly targeting schools across the United States and holding student data for ransom.

Probable-Cause Warrant Needed for Cell-Tracking, Brooklyn Judge Rules (New York Law Journal) The decision may be the first time a state judge has ruled that a warrant based on probable cause rather than on a lesser standard is necessary before police deploy a cell site simulator.

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

cyberSecure (New York, New York, USA, December 4 - 5, 2017) cyberSecure is a unique cross-industry conference that moves beyond the technology of cyber risk management, data security and privacy. It brings together corporate leaders from multiple function areas who help shape policies, risk management strategy, compliance programs, and an organization’s cyber-incident response playbook. This two day event is designed to educate in-house counsel, compliance and privacy officers, risk managers, and CIO/CISOs about the current cybersecurity challenges affecting your business continuity.

upcoming Events

The 3rd Annual Billington INTERNATIONAL Cybersecurity Summit (Washington, DC, USA, November 21, 2017) The 3rd Annual Billington International Cybersecurity Summit on March 21 in Washington, D.C. at the National Press Club, will attract over 400 attendees at the leading forum on global cybersecurity in the nation’s capital. This year’s theme will be “Securing High Value Assets in Global Cyberspace.”

Aviation Cyber Security (London, England, UK, November 21 - 22, 2017) Join us on November 21/22 in London, England for the Cyber Senate Aviation Cyber Security Summit. We will address key issues such as the importance of information sharing and collaboration, supply chain and third party risk, incident response, integrating of cyber security and safety, IT and OT convergence, Security Operations Centres and much more as we further develop our collective insight in how we can mitigate risk and develop resilient end to end networks capable of delivering safety and value to all stakeholders.

Global Conference on Cyberspace (GCCS) (New Dehli, India, November 23 - 24, 2017) The Global Conference on Cyberspace (GCCS) aims to deliberate on the issues related to promotion of cooperation in cyberspace, norms for responsible behaviors in cyberspace and to enhance cyber capacity building. The fifth conference, planned to be the biggest in magnitude, shall take place at New Delhi, India on 23-24 November 2017.

AutoMobility LA (Los Angeles, California, USA, November 27 - 30, 2017) The Los Angeles Auto Show Press & Trade Days and Connected Car Expo have MERGED to form AutoMobility LA, the new auto industry’s first true trade show. Register to join us in Los Angeles this November.

INsecurity (National Harbor, Maryland, USA, November 29 - 30, 2017) Organized by Dark Reading, the web’s most trusted online community for the exchange of information about cybersecurity issues. INsecurity focuses on the everyday practices of the IT security department, and real-life methods that you can use to shore up your own enterprise defenses. It will also feature some of the industries most recognized and knowledgeable CISOs and IT security experts, in a setting that is conducive to interaction and conversation. Use Promo Code CYBERWIRE100 for $100 off the current rate.

INsecurity (National Harbor, Maryland, USA, November 29 - 30, 2017) INsecurity is for the defenders of enterprise security—those defending corporate networks—and offers real-world case studies, peer sharing and practical, actionable content for IT professionals grappling with security concerns. INsecurity will feature some of the industry’s most recognized and knowledgeable CISOs and IT security experts, in a setting that is conducive to interaction and conversation.You’ll have a chance to meet colleagues in the cybersecurity profession to discuss the everyday challenges you face in protecting enterprise data. And you’ll get in-depth insights on how other organizations perform security best practices, and how they manage their teams.

Cyber Security, Oil, Gas & Power 2017 (London, England, UK, November 29 - 30, 2017) ACI’s Cyber Security - Oil, Gas, Power Conference will bring together key stakeholders from energy majors and technology industries, to discuss the challenges and opportunities found in the current systems. The conference will also promote essential collaboration between decision makers and technology experts, in order to streamline solutions to resist cyber threats and attacks.

Cyber Security Summit Los Angeles (Los Angeles, California, USA, November 30, 2017) If you are a Senior Level Executive responsible for making your company’s decisions in regards to information security, then you are invited to register for the Cyber Security Summit: Los Angeles. Receive 50% off of a Full Summit Pass when you register with code CYBERWIRE50 (standard price of $350, now only $175 with code). Register at CyberSummitUSA.com. The Cyber Security Summit: Los Angeles is an exclusive conference connecting Senior Level Executives responsible for protecting their companies’ critical data with innovative solution providers & renowned information security experts. for details visit CyberSummitUSA.com.

cyberSecure (New York, New York, USA, December 4 - 5, 2017) cyberSecure is a unique cross-industry conference that moves beyond the technology of cyber risk management, data security and privacy. Unlike other cybersecurity events, cyberSecure brings together corporate leaders from multiple function areas who help shape policies, risk management strategy, compliance programs, and an organization’s cyber-incident response playbook. This two day event is designed to educate in-house counsel, compliance and privacy officers, risk managers, and CIO/CISOs about the current cybersecurity challenges affecting your business continuity.

National Insider Threat Special Interest Group Meeting (Virginia Chapter) (Herndon, Virginia, USA, December 5, 2017) The National Insider Threat Special Interest Group (NITSIG) is excited to announce it has established a Virginia Chapter. NITSIG Members and others may attend meetings at no charge. Attendees will receive comprehensive guidance and best practices for establishing and managing an Insider Threat Program. Anyone concerned with employee threat identification and mitigation will gain valuable knowledge from attending meetings. This meeting will focus on human resources interaction with an insider threat program and behavioral indicators of insider threat.

Cyber Security Indonesia 2017: Shaping National Capacity for Cyber Security (Jakarta, Indonesia, December 6 - 7, 2017) Cyber Security Indonesia 2017 exhibition and conference, brought to you by the organisers of the Indonesia Infrastructure Week, will bring cyber security solutions providers together with key government and private sector decision makers, buyers, and influencers in order to meet and do business and to advance resilience against cyber attack.

Third International Conference on Information Security and Digital Forensics (ISDF 2017) (Thessaloniki, Greece, December 8 - 10, 2017) A 3 day event, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lectures.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listens all over the world, companies trust the CyberWire to get the message out. Learn more.

VEP gets more transparent. DPRK cyber op-tempo up? NSA mole hunt continues. BlueBorne vulnerabilities. Malware in Google Play.