The CyberWire Daily Briefing 12.1.17

Cyber Attacks, Threats, and Vulnerabilities

Over 100GB of Secret Credit Data Leaked Online (Infosecurity Magazine) Over 100GB of Secret Credit Data Leaked Online. National Credit Federation caught out by AWS misconfiguration

National Credit Federation leaked US citizen data through unsecured AWS bucket (ZDNet) Tens of thousands of customers of the credit repair service are believed to be affected.

Russian trolls' graphic tweets on racism, rape, and Satanism revealed (NBC News) NBC News uncovered graphic and offensive tweets sent by Russian trolls in an attempt to further divide an already-divided nation.

Kremlin: US trying to turn oligarchs against Putin (Washington Examiner) Russia alleges sanctions imposed on Russia following the 2014 annexation of Crimea are now being tightened to alienate Putin's business alli...

Even Highly Skilled Cyber-Thieves Make Stupid Mistakes, or Do They? (BleepingComputer) Cobalt, a highly-skilled group of hackers who target banks and financial institutions, may have committed a mistake and accidentally leaked a list of all their current targets, according to Yonathan Klijnsma, a security researcher with RiskIQ.

All U.S. government agencies have completed scanning for Kaspersky (Axios) 15% of agencies had the software.

Trust Your Security Vendor, 'They Have Access to Everything You Do,' Says F-Secure Research Chief (Security Week) The DHS ban on government agencies using Kaspersky Lab's security products has reverberated around the security industry. The concern is not simply whether the Moscow-based security firm has colluded with Russian intelligence, but how many other security firms could, through their own products, potentially collude with their own national intelligence agencies.

US 'orchestrated' Russian spies scandal, says Kaspersky founder (the Guardian) Eugene Kaspersky, head of Kaspersky Labs, hits out at FBI, media and government actors he claims organised a smear campaign

Windows security: New BSOD scam emerges from fake tech-support swamp (ZDNet) Scam uploads shot of victim's screen and tries to sell 'Windows Defender Essentials' for $25 via PayPal.

Popular Cryptocurrency Apps Expose Users to Data Theft (KoDDoS Blog) Researchers from the cybersecurity firm, High-Tech Bridge, recently conducted a study which concluded that the majority of cryptocurrency-related apps available on the Google Play store carry medium to severe security risks which could greatly compromise its users' security.

Attackers Inject Persistent Cryptomining in Browsers - Security Boulevard (Security Boulevard) Attackers have found a new technique to make cryptocurrency mining, or cryptomining, inside browsers persistent, or at least survive normal attempts of clo

How Cryptojacking Could Harm Your IT Environment (BizTech) Malicious online actors can infect your organization’s computers with malware, turning them into cryptomining machines hunting for bitcoin and wasting energy in the process.

RAT Distributed Via Google Drive Targets East Asia (Threatpost) Researchers say a new remote access Trojan dubbed UBoatRAT is targeting individuals or organizations linked to South Korea or video games industry.

How to prevent buddies from pranking you and burglars from getting in (NBC News) Voice-activated smart speakers are gaining in popularity — but a hacker or a mischievous buddy could cause havoc if you haven't secured your device.

Chinese hackers targeting Australian law firms for sensitive commercial information (ABC News) The Chinese espionage group known as the Codoso team or APT-19 has been causing havoc internationally but is turning its attention to Australia.

Cyber attack launched against prominent ship broker and international consultancy (Logistics Management) Clarksons PLC, the London-based shipbroker and ocean cargo consultancy, has confirmed that it is the latest victim of a sensational cyber attack. Shipping Cyber Security. Security of freight shipments.

Cobb government recovers from cyber attack (Atlanta Journal Constitution) Cobb County government was the victim of a cyber attack on Nov. 2, it was revealed during the Nov.

Oops: LinkedIn country subdomains SSL cert just expired (Register) Whew, networking is hard

Phishing Kit (Ab)Using Cloud Services (SANS Internet Storm Center) When you build a phishing kit, they are several critical points to address. You must generate a nice-looking page which will match as close as possible to the original one and you must work stealthily to not be blocked or, at least, be blocked as late as possible.

Entertainment the most effective lure for phishing attacks, claims PhishMe (V3) The effectiveness of phishing attacks has been falling for a number of years,Privacy,Security,Cloud Computing ,phishing,cyber attack,cyber crime,PhishMe,Enterprise Phishing Resiliency and Defence Report,Aaron Higbee

NHS DMARC Fail Leaves Patients Exposed to Phishing (Infosecurity Magazine) NHS DMARC Fail Leaves Patients Exposed to Phishing. Virtually all domains are unprotected, Agari claims

Security Patches, Mitigations, and Software Updates

Cisco Patches Critical Playback Bugs in WebEx Players (Threatpost) A Cisco Systems security advisory is urging users of its WebEx platform to patch six vulnerabilities that could allow attackers to execute remote code.

Patch of Dirty COW Vulnerability Incomplete, Researchers Claim (Security Week) The “Dirty COW” vulnerability (CVE-2016–5195) discovered last year in Linux was incompletely patched, Bindecy researchers say.

Apple’s “blank root password” fix needs a fix of its own – here it is (Naked Security) Bug, fix, bug, fix – but we’re still saying “Well done” to Apple for a superquick response to the “blank root password” vulnerability.

Cyber Trends

Credit card fraud down 29% for the first time (Help Net Security) For the first time in years, credit card fraud has dropped from 59% of total fraud found in the 2016 holiday week to 42% of total fraud found in 2017.

Online retail card fraud drops during Black Friday weekend (Chain Store Age) Online retailers — and consumers — have something new to be thankful for this holiday season: a decrease in online fraud.

How organizations across industries create and manage policies (Help Net Security) MetricStream evaluated 260+ organizations across 15 industries to understand the ways in which organizations create, communicate and manage policies.

2017 Enterprise Phishing Resiliency Report (PhishMe) Our 2017 Phishing Resiliency and Defense Report examines data gathered from our holistic services: phishing simulations, reporting, triage and intelligence. See how the data supports a proactive approach to combatting attacks.

Machine Learning 'Arms Race' Ahead, McAfee Warns (Datanami) Machine learning is becoming an essential tool for helping cyber defenders detect vulnerabilities, spot suspicious behavior and contain exploits. At the sa

2018 will herald the rise of the machine (learning) as cybercriminals get more strategic (CSO) This year was a punishing one on the security front, with massive attacks like WannaCry and NotPetya causing massive business damage and unprecedented data breaches spawning chaos for customers of Equifax, Medicare, and Yahoo.

Cybersecurity: A Marketer's Problem? (Media Post) Because my day job is investing in artificial intelligence, I end up thinking a lot about cybersecurity, which is the largest category of AI solutions.

2018: The year of advanced threat prevention (CSO Online) In 2018, leading organizations will adopt new technologies to help them decrease the attack surface and block attacks in real time.

Marketplace

There’s an implosion of early-stage VC funding, and no one’s talking about it (TechCrunch) Amid record amounts of capital raised by VCs worldwide, and a sharp rise in the number of private "unicorns," there has been a quiet, barely noticed implosion..

AWS pushes into the trillion-dollar cybersecurity market (CSO Online) Amazon Web Services (AWS) enters the cybersecurity market with the debut of its Amazon GuardDuty service.

FireEye: Never Forget Your Thesis (Seeking Alpha) The IoT thesis is still valid for bullish bets. YoY, sentiments have shifted towards more upsides. FireEye remains a BUY going by valuation multiples and demand

Here's Why the Best Is Yet to Come for Fortinet, Inc. (The Motley Fool) The data security provider is making progress in strategic areas, and it should continue to over the long term.

The Billion-Dollar Company Helping Governments Hack Our Phones (Fast Company) Implicated in attacks on dissidents, NSO has sought a deal with Blackstone and worked with Trump adviser Michael Flynn amid a cyberweapons gold rush.

The EU Will Foot the Bill for VLC Player's Public Bug Bounty Program (BleepingComputer) The European Union has announced this week that it will foot the bill for a bug bounty program that will run for the benefit of VLC Media Player, an open source cross-platform multimedia player.

Lyft gained from Uber’s scandals, sees revenue triple (TechCrunch) Lyft appears to have benefited from Uber's tough year. The U.S. rival has seen its revenue growth more than triple, according to a report from The..

Cybersecurity central: Outreach visit offers glimpse of new Colorado Springs center's work (Pueblo Chieftain) Small businesses and individuals are mistaken if they think cyberattacks mostly pose a threat to large companies and organizations, officials from the new Colorado Springs-based National Cybersecurity Center said Tuesday

Peter Thiel's powerful tech network reportedly predates PayPal and goes back to a college newspaper (CNBC) Peter's Thiel's network from the Stanford Review is older and potentially more powerful than the "PayPal mafia," according to a report.

Power Moves: Cybersecurity hires show Sourcefire's continuing influence (Technical.ly Baltimore) Dina Bruzek, who worked at Sourcefire and then Cisco following its acquisition, has a new management role with an Austin company. Plus, Bricata brings in more cybersecurity leaders.

Uber’s disastrous head of security will probably get another awesome job soon (The Outline) Joe Sullivan paid off hackers to cover up a data breach rather than disclose it to regulators and the public. What else has he been up to?

CrowdStrike Appoints Godfrey Sullivan to its Board of Directors (BusinessWire) CrowdStrike Inc., the leader in cloud-delivered endpoint protection, today announced the appointment of Godfrey Sullivan to its Board of Director

Social SafeGuard Announces Expansion to Board of Advisors (BusinessWire) Social SafeGuard, the leading provider of digital and social media security and compliance solutions, today announced it has expanded its Board of Adv

Products, Services, and Solutions

New infosec products of the week: December 1, 2017 (Help Net Security) Automated security and compliance solution for Docker containers CloudPassage unveiled Container Secure, a set of automated compliance and security control

Ivanti Automates Device Isolation and Remediation to Further Operationalize a Defense-in-Depth Security Strategy (Ivanti) Integrated console and workflows enable actions and policies to be applied to any mix of device types, enhancing security response and remediation

Oxygen Forensics Adds Nearly 20 New Features to Launch Oxygen Forensic® Detective X (Oxygen Forensics) New cloud service capabilities Added for Mi Cloud, Samsung Cloud, Facebook’s Workplace, & iTunes

Disk Encryption for Managed Service Providers Simplified by Jetico (BusinessWire) The updated central management component of Jetico’s disk encryption software provides simplified administration for Managed Service Providers (

SolarWinds MSP Announces RMM Platform Integration of Backup Documents and New Price of $1 per Workstation/Month (GlobeNewswire News Room) Users can more easily and cost-effectively protect key business documents from ransomware and data loss

Cylance Receives Top Rank in Next-Generation Endpoint Security Report From Enterprise Management Associates (BusinessWire) Cylance® Inc., the company that revolutionized the antivirus industry with AI-powered prevention that blocks everyday malware along with today&rsq

Credit monitoring services may not be worth the cost (CNBC) Financial and security experts have mixed opinions about whether credit monitoring services are worth the cost.

How to Safely Store Cryptocurrency - Review of 5 Safest Bitcoin Wallets (HackRead) $10,000. That’s the valuation achieved by Bitcoin on November 28, 2017! This is living testimony to the success and the value of cryptocurrencies. Alas! Li

Technologies, Techniques, and Standards

How to catch a hacker - Fishing out the cyber-criminals (Computer Business Review) Frank Denis from OVH looks at how cloud hosting providers can actively track and stop a hacker or a host of cybercriminals.

The Truth About Machine Learning In Cybersecurity: Defense (Forbes) A considerable number of articles cover machine learning and its ability to protect us from cyberattacks. Still, it's important to separate the hype from the reality and see what exactly machine learning (ML), deep learning (DL) and artificial intelligence (AI) algorithms can do right now in cybersecurity.

Four ways state and local CIOs can boost cybersecurity (State Scoop) Commentary: Tanium Security Director Andre McGregor draws on his experience with the FBI to lend state and local government tech teams advice for keeping their networks and data secure.

Thwarting Cyber Attacks on Retirement Plans (ASPPA) A stolen identity, a few clicks, and there it is — a handsome retirement plan balance, ripe for the picking. A recent blog entry,and the IRS, offer some ideas on how to protect retirement plans from identity theft.

GDPR: Who is responsible for what? (Security Boulevard) The EU General Data Protection Regulation (GDPR) and the Network Information Security (NIS) directive are already causing a flurry of activity among businesses. Who is ultimately responsible for cybersecurity seems to be attracting particularly intense discussion.

IBM Mainframe Users Unprepared For GDPR: Study (Media Post) Only one in four IBM mainframe users is already compliant with GDPR. What's holding back the other 75%?

Is your mainframe security GDPR compliant? (Enterprise Times) Macro 4 asked a number of mainframe customers "Do you think your current mainframe security is GDPR compliant?" Only 25% said Yes.

Dell’s Brett Hansen outlines the road to GDPR compliance in the US (Silicon Republic) Dell’s head of data security, Brett Hansen, discusses why GDPR is part of a larger discussion for US companies as well as EU firms.

After WannaCry knocked it offline, UK's National Health Service banks on new security center to improve cybersecurity (Healthcare Finance News) The new $27 million project will provide the NHS Security Operations Center with enhanced monitoring, vulnerability testing and malware analysis.

Protecting the virtualization layer from emerging threats (SearchSecurity) Protecting the virtualization layer of enterprise data centers from emerging threats can be a challenge, especially when those environments are becoming increasingly complex.

'Blocking and Tackling' in the New Age of Security (Dark Reading) In a pep talk to CISOs, the chief security strategist at PSCU advises teams to prioritize resilience in addition to security.

Design and Innovation

Snapchat takes a swipe at fake news (Naked Security) Snapchat is curating items based on what YOU like, not your echo chamber, fake-news spreading friends.

Blockchains are poised to kill off passwords, once and for all (MIT Technology Review) Many technologists think blockchains can revolutionize how we keep track of our identities.

Cryptography and radar won WW2 and today Quantum military technologies are similarly critical (NextBigFuture.com) Cryptography and radar won WW2 and today Quantum military technologies are similarly critical

The Army has a more optimistic view of AI than Elon Musk (C4ISRNET) Artificial intelligence is not a panacea to all military problems, but here are two fundamental ways it can aid decision makers.

Can gamification techniques help build cybersecurity skills? (SearchCompliance) Cybrary COO Kathie Miley discusses how implementing gamification techniques can help with cybersecurity training and offers tips on deploying such techniques.

Academia

Senate bill would establish new higher-ed data system by 2020 (FCW) A bipartisan bill would revamp the way the Department of Education collects higher-education data and relies on an obscure cybersecurity method to protect student data.

McAuliffe: Virginia Students Awarded $140K in Cyber Security Scholarships (NBC 29) Governor McAuliffe announced that Virginia students have been awarded a total of $140,000 in cyber security scholarships.

Legislation, Policy and Regulation

NATO is considering playing 'offensive defense' with its cyber-warfare rules (Business Insider) The doctrine could shift NATO's approach from being defensive to confronting hackers that officials say Russia, China and North Korea use.

Should Social Media be Considered Part of Critical Infrastructure? (Security Week) Russia interfered in the U.S. 2016 election, but did not materially affect it. That is the public belief of the U.S. intelligence community. It is a serious accusation and has prompted calls for additions to the official 16 critical infrastructure categories. One idea is that 'national elections' should be included. A second, less obviously, is that social media should be categorized as a critical industry.

DOD Taking Mission-Specific Approach to Growth in Cyber Threats (Avionics) The increasing frequency and widening attack vector of cyber warfare threats is forcing U.S. military officials to adopt a more mission-specific approach to defensive operations rather than attempting to defend entire networks. A greater emphasis on increasing cyber capabilities in the recently passed fiscal year 2018 National Defense Authorization Act (NDAA) conference report and a …

The US Should Modernize Election Systems to Prevent Hacking (WIRED) Opinion: Two senators argue that voting machines are critical infrastructure.

Uber breach signals need for tougher rules (The Daily Star) Uber's cover-up of a massive breach involving the personal details of about 57 million passengers and drivers draws global concern, and lends further support to calls for tougher privacy rules.

Spy chief Nick Warner to lead new national security agency (Canberra Times) Malcolm Turnbull has named a series of new security appointments

Meet Mike Pompeo, your likely new — and Trump-friendly — secretary of state (Vox) The current CIA director is known for his hawkish foreign policy — and for defending Trump at every turn.

Here’s what rumored Trump CIA pick Tom Cotton thinks about surveillance, Russia and other issues (TechCrunch) As rumors build that the Trump administration plans to boot Rex Tillerson from his post atop the State Department in order to replace him with Mike Pompeo,..

DISA’s No. 2 to be promoted to director (C4ISRNET) Rear Adm. Nancy Norton has been nominated to take over as Defense Information Systems Agency director.

The NSA Braces For Perfect Storm Of Cyber Risks (SIGNAL Magazine) A lightning strike last year delivered a new way for the NSA’s new deputy national manager for national security systems to illuminate the cybersecurity threat.

Russia Wants to Launch Backup DNS System by August 1, 2018 (BleepingComputer) The Russian government is currently discussing plans to build its own "independent internet infrastructure" that will be used by BRICS member states — Brazil, Russia, India, China, and South Africa.

BDMs: GDPR ‘Right to be Forgotten’ Requests Will Drain Company Resource (Infosecurity Magazine) Three-quarters of employees likely to exercise their right to be forgotten under GDPR

()

The Critical Difference Between Vulnerabilities Equities & Threat Equities (Dark Reading) Why the government has an obligation to share its knowledge of flaws in software and hardware to strengthen digital infrastructure in the face of growing cyberthreats.

Litigation, Investigation, and Enforcement

'Cyber Command attempted to influence 2012 election' (Korea Times) The military’s cyber warfare command engaged in suspicious online activities ahead of the general election in 2012 in an apparent bid to influence voters, a fact-finding team under the Ministry of National Defense said Thursday. Announcing the interim results of its investigation, the team said the Cyber Command under the Lee Myung-bak government created “operational guidance for psychological warfare” in cyberspace “to respond to election meddling by North Korean sympathizers in the general election.” The election took place April 11.

Feds Quietly Reveal Chinese State-Backed Hacking Operation (Foreign Policy) Prosecutors say Chinese hackers from a mysterious cybersecurity firm stole corporate secrets from three big firms.

Judge postpones Uber trade secret trial based on bombshell memo (Roadshow) A memo allegedly details how the company used vanishing messages and other tricks to steal secrets.

Uber's Shady Competitive Intelligence Unit Revealed in Court (Security Boulevard) Judge orders Uber to reveal unscrupulous competitive intelligence infrastructure amid revelations Uber targets competitors computers

Lawsuits Pile Up on Uber (Dark Reading) Washington AG files multimillion-dollar consumer protection lawsuit; multiple states also confirm they are investigating the Uber breach, which means more lawsuits may follow.

Russian MP’s Son Gets More Jail Time for Hacking Offenses (Infosecurity Magazine) Russian MP’s Son Gets More Jail Time for Hacking Offenses. Prolific hacker handed down a 14-year stretch

Google sued over iPhone ‘Safari Workaround’ data snooping (Naked Security) Did you use an iPhone in the UK between 1 June 2011 and 15 February 2012? If so, you’re one of an estimated 5.4 million who may be in line for compensation.

DoD continues to get poor marks for cyber incident response (Fifth Domain) A new Government Accountability Office report found the Department of Defense still has work to do when it comes to roles, responsibilities and training as it pertains to support national cyber incidents.

Drone Giant DJI To Feds: Your Allegations Are “Insane” (Fast Company) A newly-surfaced Immigration and Customs Enforcement memo alleges that DJI is feeding sensitive data to the Chinese government.

Epic Games sues 14-year-old cheater, mother launches rhetorical firestorm (Naked Security) I would run away if I were you, Epic Games: she’s scary, and she’s got good points.

Another exposed AWS S3 bucket found. Splitting oligarchs from the Kremlin? Cobalt blunders (or misdirects)? Black Friday card fraud down.