Cyber Attacks, Threats, and Vulnerabilities
Strava CEO responds after the company's heatmap may have compromised secret US military bases worldwide (Business Insider) Strava CEO James Quarles said he would work with the military and government to address potentially sensitive data.
Strava’s privacy PR nightmare shows why you can’t trust social fitness apps to protect your data (MIT Technology Review) Companies still aren’t taking user privacy seriously enough, so you need to figure it out for yourself.
Worried about Strava? It’s not the only app mapping our every move (the Guardian) Giving away all manner of personal information is only a tap away on your phone settings, as the fitness tracking site’s blunder has shown, writes Guardian video games editor Keza MacDonald
The Strava Heat Map Shows Even Militaries Can't Keep Secrets from Social Data (WIRED) The US military is reexamining security policies after fitness tracker data shared on social media revealed bases and patrol routes
Iran hackers reportedly tried to phish Israeli nuclear scientists (Times of Israel) Emails sent to Israeli researchers contained links to news stories from a fake British media outlet, TV report says
Dutch Banks, Tax Agency Under DDoS Attacks a Week After Big Russian Hack Reveal (BleepingComputer) At least three Dutch banks and the Dutch tax office reported on Monday suffering coordinated DDoS attacks against their respective infrastructures.
Juha Saarinen: When hackers get hacked themselves (New Zealand Herald) By now, anyone who's glanced sideways at the internet and the IT systems that connect to it should be totally aware that it's a very unsafe place, riddled with hackers hell-bent on causing grief for innocent users.
Phishing Campaign Underscores Threat from Low Budget, Low Skilled Attackers (Dark Reading) For just over $1,000, a phishing operation successfully spied on members of the Tibetan community for 19 months, Toronto University's Citizen Lab found.
GPS tracking company reviews privacy settings amid fitness app security concerns (Military Times) The company that published a global heat map detailing sensitive military installations will simplify its privacy settings and review its app’s features to ensure it cannot be compromised by actors with bad intent, the company announced late Monday.
Researchers find new flaw in Oracle's MICROS retail systems (Computing) Vulnerability allows unauthorised access to sensitive data
Digital Extortion to Expand Beyond Ransomware (Dark Reading) In the future of digital extortion, ransomware isn't the only weapon, and database files and servers won't be the only targets.
Are organizations prepared for the ransomware threat? (Naked Security) When ransomware like WannaCry and Petya wreaked havoc on global organizations last year, many were left seemingly defenseless against this relentless, but not entirely new, threat.
Look Out: Chrome Extension Malware Has Evolved (WIRED) While helpful and creative, Chrome extensions have also become a new playground for hackers intent on stealing your data.
Google DoubleClick targeted by cyber-scammers looking to propagate Coinhive cryptocurrency mining malware (Computing) Coinhive exploits Javascript flaws to mine for cryptocurrencies at the expense of web users
Attackers disrupt business operations through stealthy crypto mining (Help Net Security) Either by slowing down computers or by crashing systems and applications, the WannaMine crypto mining worm is seriously affecting business operations and rendering some companies unable to operate for days and even weeks.
Cyber crooks are using HTTPS domains to deceive users (Computing) HTTPS does not in itself mean websites are secure and legitimate
Tor Proxy Used By Cybercriminals To Initiate Bitcoin Theft (HackRead) Tor proxy owners are replacing Bitcoin payment addresses to divert payments from ransomware victims to their own wallets.
Scammers become the scammed: Ransomware payments diverted with Tor proxy trickery (Register) Of course this does nothing for victims' encrypted files
Google deleted more crappy apps in 2017, most were killed off automatically (CNET) From a flashlight app that actually stole your money to a fake WhatsApp that millions of people downloaded, it’s been a busy year for Google's security team.
Deepfakes AI celebrity porn channel shut down by Discord (Naked Security) In 2015, Reddit admitted that in terms of privacy, it had blown it.
Agari: Business Email Compromise (BEC) Attacks Reach 96 Percent of Organizations (Sys-Con Media) Agari, a leading cybersecurity company, today published research revealing that 96 percent of organizations have received business email compromise (BEC) emails during the second half of 2017.
Most Threatening DNS Security Risks And How To Avoid Them (HackRead) The DNS or Domain Name System is one of the most necessary components for the internet functionality but how to protect it against attacks? Here's how.
Julian Assange duped by fake Sean Hannity account, tried to send “news” about Senate Democrat (Salon) “I felt bad. He really thought he was talking to Sean Hannity”
Rep. Devin Nunes Campaign Site Still Hosts Russian SEO Spam From Last Year's Hack (BleepingComputer) The campaign website of a controversial US politician was hacked last year and hosted Russian SEO spam, according to several sources.
Fools and their crypto (TechCrunch) I believe that the token sale economy will drive the next startup revolution. Just as sites like TechCrunch, organizations like Y Combinator and the men in..
Ethereum Startup Leaves Penis for Investors & Vanishes with $11 (HackRead) Ethereum startup Prodeum vanished into thin air after collecting $11 from investors for ICO and leaves behind a penis.
Cryptocurrency Scams Are Just Straight-Up Trolling at This Point (WIRED) US regulators and Facebook are finally coming for bogus ICOs.
Facebook Just Banned All Cryptocurrency Advertising (Motherboard) Facebook banned ads for "financial products and services that are frequently associated with misleading or deceptive promotional practices."
Security Patches, Mitigations, and Software Updates
Cisco Patches Critical Code Execution Flaw in Security Appliances (Security Week) Cisco patches critical remote code execution and denial-of-service (DoS) vulnerability in security devices running ASA software
Cisco VPNs have a remote code execution flaw, and it's bad (CSO Online) Cisco devices running Adaptive Security Appliance software have a remote code execution and denial of service bug. And it's as bad as it gets -- rated 10 out of 10 for severity.
Google Play is an 'order of magnitude' better at blocking malware (The Parallax) Google says it’s removing more malware than ever from its Google Play app store. But there are indications that the risks have also risen, as hackers see dollar signs in Android users.
Intel Chips Without Meltdown, Spectre Flaws Arriving This Year (eWEEK) Intel promises new processors to fix the Meltdown and Spectre vulnerabilities; attackers distribute cryptocurrency miners via the DoubleClick ad network; up to 30 million systems were impacted by an unauthorized Monero mining campaign; and Microsoft improves Azure cloud disaster recovery visibility.
Cyber Trends
Cybersecurity Is 'The No. 1 Threat to Our Nation': Jeh Johnson’s Legalweek Keynote (New York Law Journal) At Legalweek 2018 former U.S. Secretary of Homeland Security Jeh Johnson discussed cybersecurity’s growing role in national security.
OTX Trends Part 3 - Threat Actors (Alien Vault) By Javvad Malik and Chris Doman. This is the third of a three part series on trends identified by AlienVault in 2017. Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX. Which threat actors should I be most concerned about? Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore below
Widespread API use heightens cybersecurity risks (Help Net Security) A new Imperva survey showed a heightened concern for cybersecurity risk related to widespread API use. Specifically, 63 percent of respondents are most worried about DDoS threats, bot attacks, and authentication enforcement for APIs.
10 Cybersecurity Threats Facing The Oil And Gas Industry (Chem.Info) The oil and gas industry is bracing for an increase in cyberattacks over the next year.
Most top US and EU e-retailers are putting their consumers at risk (Help Net Security) A study by 250ok has revealed that 87.6 percent of the root domains operated by top e-retailers in the United States and European Union are unable to protect consumers from phishing attacks.
Blurred Lines Between Networking and Security (Infosecurity Magazine) Networking and security used to be largely separate IT methodologies – not any longer.
Marketplace
Don’t Forget Cybersecurity in Your M&A Due Diligence (CFO) Traditionally, cybersecurity oversight in any merger and acquisition process has been relegated to an add-on check.
Navy plans to spend $100 million on cyber through new other transaction authority (FederalNewsRadio.com) The Navy's Space and Naval Warfare Systems Command is jumping on the OTA bandwagon, seeking to spend $100 million on 14 cyber technology areas.
Two Aussie founders sell cyber security start-up for $1B (ARN) Australian-born online fraud detection start-up, ThreatMetrix, has been acquired by the UK’s Relx Group in a cash deal worth $1.01 billion.
What we know about Chronicle, Alphabet's mysterious new company (Popular Science) It focuses on cybersecurity and uses machine learning.
U.S. Department of Defense Awards Booz Allen Hamilton $91.5M Contract to Provide Cybersecurity Support (BusinessWire) U.S. Department of Defense Awards Booz Allen $91.5M Contract to Provide Cybersecurity Support
Aporeto Bolsters Executive Team With Appointment of Jason Schmitt as CEO and Hussain Al-Shorafa as Vice President of Sales (BusinessWire) Aporeto, a new security model for containers, microservices and cloud applications, today announced two additions to their leadership team with Jason
Products, Services, and Solutions
Ivanti and CrowdStrike Forge Strategic Partnership to Deliver Advanced Endpoint Security (Ivanti) Alliance offers joint protection and response to incoming threats, so security and IT teams can act swiftly on the highest-priority alerts
GlobalSCAPE, Inc. Launches EFT Arcus: A Next Generation Cloud-Based Managed File Transfer Platform (BusinessWire) As organizations increasingly undergo digital business transformation, the silos that create complexity among people, processes and data are starting
Synopsys Expands Coverity Support for New Programming Languages, Secure Coding Standards, and DevOps Toolchain Integrations (PR Newswire) Synopsys, Inc. (Nasdaq: SNPS) today announced its Coverity®...
Denim Group Joins AWS US GovCloud Making ThreadFix Available to Federal Customers (BusinessWire) Premier application vulnerability correlation and resolution platform to be easily deployed in Government cloud environment
Guidewire Software: Schinnerer Launches Cyber Warranty for Technology Solution Providers | 4-Traders (SURPERFORMANCE) Victor O. Schinnerer & Company, a leading underwriting manager, in collaboration with Guidewire Software, a provider of software products to the Property & Casualty insurance... | January 30, 2018
FIME selected by mada payment system to develop next-gen testing and validation scheme (FIME) The online platform will streamline mada’s new product testing and certification process for member banks, and POI & card vendors.
What is Wickr, the new favourite app of dark net drug dealers? (Verdict) What Wickr offers is great in principle, but an underbelly of criminals have set up shop on the highly encrypted messaging app.
LoginRadius Launches Multi-factor Authentication (EIN News) LoginRadius releases Multi-factor Authentication as an additional layer of Security
Sarkari bot tool takes global malware to the cleaners (The Economic Times) Since the launch of the Cyber Swachhta Kendra or the Botnet Cleaning and Malware Analysis Centre last year, there has been a 51% decrease in malware infections in all networks in the country.
Power & utility cybersecurity begins and ends with secure messaging (Utility Dive) To mitigate cyber threats and the many dangers of email phishing, many power and utilities companies have begun to adopt secure messaging platforms, writes Vaporstream CEO Galina Datskovsky.
Blockchain Startup for Information Security Offers a New Approach to the Threat Detection (NewsBTC) PolySwarm allows IT experts around the world to monetize their security expertise by creating and maintaining specialized threat detection software.
Webroot Releases New Fulfillment Option for LogRhythm Customers (PR Newswire) Webroot, the Smarter Cybersecurity® company, and LogRhythm have...
Schneider Electric and Cylance partner on cyber security protection (Control Design) This agreement involves placing Cylance’s security capabilities within the Industrial Software Platform.
Review: BluVector enables machines to protect themselves (CSO Online) With machine learning that gets smarter and more network-aware over time, BluVector can tip the scales back in favor of defenders.
Technologies, Techniques, and Standards
ISACA Releases Guide to GDPR Implementation as May Deadline Approaches (BusinessWire) Publication provides practical advice on adopting and managing GDPR
NATO cyber defense center appointed to train, educate troops (Fifth Domain) The CCD-COE is a global leader in thinking on cyber operations, strategy and international law
Army Takes on Wicked Problems With the Internet of Battlefield Things (Meritalk) The Army’s work on the Internet of Battlefield Things (IoBT) is more than just a way to carve out a catchy name for the proliferation of smartphones, tablets, wearable devices, cameras and embedded devices that take the field with military forces. It also underscores the most important element of having those connected devices–the data collection and automated analytics capabilities required to make good use of the information they provide.
Enterprise plans for security automation and orchestration (CSO Online) Organizations want to merge threat intelligence with internal security telemetry, add custom functionality for security operations, and automate remediation tasks.
Learn from Coincheck’s $530m heist and ‘trust no one’ when dealing with cryptocurrencies, says Carbon Black security strategist (Business Insider Singapore) A hack of a Japanese cryptocurrency last Friday (Jan 26) which led to 260,000 customers affected by the heist of more than 500 million NEM coins, is a reminder that people should take precautions when protecting and using cryptocurrency.
GDPR, other regulations improve business digital defense strategies (SiliconANGLE) In recent years cybersecurity has become a global priority for businesses, consumers and governments alike.
Research and Development
Chinese satellite uses quantum cryptography for secure video conference between continents (MIT Technology Review) Quantum cryptography has never been possible over long distances. But the first quantum communications satellite is rewriting the record books.
Legislation, Policy, and Regulation
The 2018 State of the Digital Union: The Seven Deadly Sins of Cyber Security We Must Face (War on the Rocks) When President Barack Obama made his first State of Union address, there were a series of key challenges for cyber security policy. There was increasing pr
What a Pentagon Report from the Year 2000 Got Right About Cyber War (Nextgov.com) Many of the issues that concern cyber strategists today were already clear at the turn of the century.
Developing Countries Want a Seat at the Offensive Cyber Capability Table (CyberDB) As 2018 commences, cyberspace remains in constant flux, a dynamic landscape that still favors hostile actors’ freedom of movement over the efforts of network defenders.
Cyber warfare set to surge in 2018 but expert says Britain is not prepared (Security Brief) Cyber war has exploded and is now quite literally on our doorstep - despite this an expert claims Britain's defences are severely underfunded.
‘Winter’ of cyber-threats is coming, experts warn (Times of Israel) At Tel Aviv conference, ex-CIA director David Petraeus says US-Israel collaboration in foiling attacks is 'far beyond what is being published in the media'
Cyber Attack Wouldn't Merit Nuclear Strike: Joint Chiefs Vice Chairman (Military.com) A cyber attack on U.S. infrastructure would not warrant a nuclear strike, the vice chairman of the Joint Chiefs said.
Trump expected to tap Army cyber warfare chief to lead NSA (POLITICO) The NSA is looking for a new leader after its current director, Admiral Mike Rogers, announced he will retire this spring, ending a near four-year run.
How Congress Can Help Protect US Companies From Cyberattack (The Daily Signal) Cyber threats are not going away, and they will only increase in intensity and quantity.
Defending our nation’s cyber services (TheHill) As the chief cybersecurity official for the Department of Homeland Security, Jeanette Manfra is laser-focused on preventing cyberattacks that could destabilize the U.S. financial system or open the federal government up to spying.
Secretaries of State in West Virginia & Kentucky Arm Candidates with Cybersecurity Playbook (Huntington News) To mark their states' candidate filing deadlines, Alison Lundergan Grimes, the Democratic Secretary of State of Kentucky, and Mac Warner, the Republican Secretary of State of West Virginia, are distributing the “Cybersecurity Campaign Playbook” to candidates in their states seeking to be on the ballot in 2018.
Wanted: a firewall to protect U.S. elections (Harvard Gazette) A new bipartisan initiative at Harvard Kennedy School picks up where the federal government leaves off, bringing together experts in national security, cybersecurity, and politics to develop practical strategies, tools, and guidance to help U.S. political campaigns protect themselves from cyber threats.
South Korea reveals $600m in illegal trades but is not planning to ban cryptocurrencies (Computing) 'No intention to ban or suppress cryptocurrency market'
Litigation, Investigation, and Law Enforcement
Blow for Snoopers’ Charter After Liberty Court Victory (Infosecurity Magazine) Blow for Snoopers’ Charter After Liberty Court Victory. Judges rule previous surveillance regime is unlawful
Feds shut down alleged $600 million cryptocurrency scam (Ars Technica) AriseBank project was endorsed by boxer Evander Holyfield.
Drugs Tripped Up Suspects In First Known ATM “Jackpotting” Attacks in the US (KrebsOnSecurity) On Jan. 27, 2018, KrebsOnSecurity published what this author thought was a scoop about the first known incidence of U.S. ATMs being hit with “jackpotting” attacks, a crime in which thieves deploy malware that forces cash machines to spit out money like a loose Las Vegas slot machine. As it happens, the first known jackpotting attacks in the United States were reported in November 2017 by local media on the west coast, although the reporters in those cases seem to have completely buried the lede.
US DoJ Launches Dark Web Drugs Taskforce (Infosecurity Magazine) US DoJ Launches Dark Web Drugs Taskforce. J-CODE is latest response to country’s opioid crisis
'We must find the golden path' – Israeli National Police CTO on the challenges of capturing cyber criminals (Independent.ie) Finding the 'golden path' in the hunt for criminals using encryption to 'go dark' is proving a challenge for the Israeli National Police (INP).
GoGet's customer database hacked, suspect arrested (CRN Australia) Personal details, including payment information could have been accessed.
Director of 'security firm' avoids jail for 'pretending to be Microsoft' in cyber scam (CRN) Director cold-called victims claiming their computers were infected and in some cases remotely locked machines until payment was made
Tech Support Scammers Fined in US, Jailed in UK (Security Week) Operators of a nationwide computer repair scam have been banned from the tech support business as part of settlements with the FTC and Ohio.
WeissLaw LLP Files Class Action Lawsuit Against Barracuda Networks, Inc. (Business Insider) WeissLaw LLP announced that a class action was commenced in the United States District Court for the Northern District...