The CyberWire Daily Briefing 11.7.18

Summary

By The CyberWire Staff

The US midterms are over, with (as the Wall Street Journal puts it) “no significant foreign influence seen” by either officials or private companies watching the vote for cyberattacks. There were, of course, various ongoing influence operations spotted, but that sort of operation amounts to a new normal and can be expected to continue post-election.

Some of that disinformation will seek to shake confidence that the election was fairly conducted, as the US Department of Homeland Security emphasized in press briefings yesterday. All that matters to the adversaries is creating an impression that the vote was untrustworthy, as the Washington Post sums up DHS’s advice.

Facebook confirmed to TechCrunch that accounts the social network suspended this week were connected to Russian operators.

The apparent lack of hacking proper may remind older observers of what happened—for the most part nothing, really—at the end of the Y2K panic. But it’s also likely that, as Fifth Domain reflects, that the relatively smooth election was the result of some intelligent preparation over the past two years.

Those interested in nation-state threat actors and what might be expected of them may consult Nextgov’s account of China’s long game, Meduza’s guide to Russia’s GRU, and the Foundation for Defense of Democracies’ outline of Iran’s “cyber-enabled economic warfare.”

The Apache Software Foundations urges users of Struts 2.3.36 to update the Commons FileUpload library to avoid a remote-code execution flaw.

Trend Micro warns that a fake-banking app in Google Play is appearing in Spanish-language smishing attacks.

Learn how Cylance silences cyber attacks with Artificial Intelligence.

Notes.

Today's issue includes events affecting China, European Union, Iran, Myanmar, Pakistan, Russia, United Kingdom, United States

A year in, companies unsure of risk under China's Cyber Security Law, says Control Risks.

Over a year into China’s Cyber Security Law, Control Risks experts say its vague definition and application leaves multinational companies struggling to understand their risk. Further, how strictly the government will crack down and the extent of penalties for non-compliance remain open questions. Nonetheless, companies operating in China must understand their unique exposure and specific cyber, physical and procedural requirements. Let Control Risks help you make the critical decisions to seize your opportunities in China.

On the Podcast

In today's podcast, up later this afternoon, Justin Harvey from Accenture on notification laws and incident response. Our guest is Christian Lees from InfoArmor with thoughts on what they’re seeing trafficked on the dark web.

Sponsored Events

The Pesky Password Problem: Red and Blue Team Battle featuring Kevin Mitnick (Online, November 14, 2018) Kevin Mitnick and Roger Grimes debate one of security's most controversial issues: passwords. Hear the truth regarding effective passwords, password management and more in this unique webinar. Save your spot!

Cyber Security Summit: November 29 in Los Angeles (Los Angeles, California, United States, November 29, 2018) Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The CIA, The City of Los Angeles, Verizon, CenturyLink and more. Register with promo code cyberwire95 for $95 VIP admission (Regular price $350) https://CyberSummitUSA.com

Selected Reading

Cyber Attacks, Threats, and Vulnerabilities

China Is the Top Long-Term Threat in Cyberspace (Nextgov.com) Here’s what we can do about it.

What is the GRU? (Meduza) Who gets recruited to be a spy? Why are they exposed so often? Here are the most important things you should know about Russia’s intelligence community

Evolving Menace: Iran’s Use of Cyber-Enabled Economic Warfare (Foundation for Defense of Democracies) In 2016, the industrial computer security firm MalCrawler conducted an experiment: It created an elaborate network to observe the actions and gauge the intentions of malicious cyber operators.

Cyber criminals are targeting energy firms’ enterprise networks (New Statesman Tech) Most cyber attacks on energy and utilities firms take place within enterprise IT networks rather than industrial control systems, new research has revealed. In a new report, researchers at security ve

Facebook ties newly suspended accounts to the Kremlin: A ‘timely reminder’ of election meddling threat (Washington Post) Facebook said Tuesday it had “concerns” the more than 100 accounts it suspended days before the 2018 midterms were linked to the same Russian agents that spread disinformation online during the U.S. presidential race two years earlier.

Facebook connects Russia to 100+ accounts it removed ahead of mid-terms (TechCrunch) The 115 accounts Facebook took down yesterday for inauthentic behavior ahead of the mid-term elections may indeed have been linked to the Russia-based Internet Research Agency, according to a new statement from the company. It says that a site claiming association with the IRA today posted a list o…

Analysis | The Cybersecurity 202: Foreign adversaries will 'continue to push misinformation' after Election Day, official says (Washington Post) The government is tracking it.

No Significant Foreign Interference Seen on Midterm Vote (Wall Street Journal) U.S. security officials and social media firms said Tuesday they spotted a limited amount of disinformation that was deliberately disseminated.

Midterms Security Watch: Quiet Election Day early sign of cyber policy success (Fifth Domain) Fifth Domain is live-blogging security updates before, during and after the Nov. 6 midterms. Follow our tally of the Department of Homeland Security and other efforts to ensure election day integrity.

Unlike in 2016, there was no spike in misinformation this election cycle (The Conversation) The Iffy Quotient measured misinformation on social media in the run-up to the recent elections. Facebook has gotten better at combating untrustworthy links, but Twitter still struggles.

Facebook admits not doing enough to prevent Myanmar violence (AP NEWS) Facebook is admitting that it didn't do enough to prevent its services from being used to incite violence and spread hate in Myanmar.

Where’s the accountability Facebook? (TechCrunch) Facebook has yet again declined an invitation for its founder and CEO Mark Zuckerberg to answer international politicians’ questions about how disinformation spreads on his platform and undermines democratic processes. But policymakers aren’t giving up — and have upped the ante by…

Apache Struts 2.3.x vulnerable to two year old RCE flaw (Help Net Security) The Apache Software Foundation is urging users that run Apache Struts 2.3.26 to update the Commons FileUpload library to close a serious RCE flaw.

Struts 2.3 Vulnerable to Two Year old File Upload Flaw (SANS Internet Storm Center) Apache today released an advisory, urging users who run Apache Struts 2.3.x to update the commons-fileupload component...

WhatsApp ‘martinelli’ warning is a hoax, don’t forward it (Naked Security) A WhatsApp chain letter is warning of a malware-packing video called “martinelli”, and selling its lie with a grain of truth.

Fake Banking App Found on Google Play Used in SMiShing Scheme (TrendLabs Security Intelligence Blog) We found a malicious app on Google Play called Movil Secure on October 22, as part of a SMiShing scheme targeting Spanish-speaking users.

StatCounter web analytics script poisoned to steal Bitcoins (Graham Cluley) Malicious third-party script hijacked Bitcoin transactions.

Busting SIM Swappers and SIM Swap Myths (KrebsOnSecurity) KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims.

Bluetooth Chip Bugs Affect Enterprise Wi-Fi, as Hackers Exploit Cisco 0-Day (Qualys Blog) In this latest roundup of cyber security news, we look at serious Bluetooth bugs, a zero-day vulnerability on Cisco software, a raft of Apple security fixes and a massive customer data breach at…

U-Boot's Trusted Boot Validation Bypassed (BleepingComputer) Memory handling issues in U-Boot open-source bootloader for embedded devices make possible multiple exploitation techniques that lead to arbitrary code execution.

Self-encrypting SSDs vulnerable to encryption bypass attacks (Help Net Security) Researchers have discovered security holes in the hardware encryption implementation of SSDs manufactured by Crucial and Samsung.

Attackers breached Statcounter to steal cryptocurrency from gate.io users (Help Net Security) Statcounter and gate.io have been compromised in a supply-chain attack, which resulted in gate.io customers getting their cryptocurrency stolen.

Pakistani banks hit by biggest cyber attack in country’s history (Samaa TV) Data of 19,864 cards from 22 banks dumped for sale on the dark web

Fake Elon Musk Twitter Bitcoin Scam Earned 180K in One Day (BleepingComputer) A widespread scam pretending to be from Elon Musk and utilizing a stream of hacked Twitter accounts and fake giveaway sites has earned scammers over 28 bitcoins or approximately $180,000 in a single day.

ThreatList: Despite Fraud Awareness, Password Reuse Persists for Half of U.S. Consumers (Threatpost) One-third of respondents in a new poll said that have been a victim of fraud or identity theft in the past.

Security Patches, Mitigations, and Software Updates

Serious XSS flaw discovered in Evernote for Windows, update now! (Naked Security) Online-note-sharing company Evernote has patched a hole that allowed attackers to infect notes shared via its service.

Android November update fixes flaws galore (Naked Security) Android’s November security bulletin is here and there’s more to patch, and more urgency about applying them.

Cyber Trends

Enterprise Sinking Under 100+ Critical Flaws Each Day (Infosecurity Magazine) Prioritizing patches is getting tougher, says Tenable

Alcide Report Finds 75% Will Increase the Number of Cloud Security Tools They Rely On Over the Next 12 Months (GlobeNewswire News Room) As Hybrid Cloud and Serverless Continue to Gain Ground, Organizations Rush to Keep Up; Fewer than Half Have Dedicated Cloud Security Teams

Consumers can't shake risky security habits (Help Net Security) Despite almost half of U.S. consumers (49 percent) believing their security habits make them vulnerable to information fraud or identity theft, 51 percent

Marketplace

Cybersecurity Supply And Demand Heat Map (CyberSeek) A granular snapshot of demand and supply data for cybersecurity jobs at the state and metro area levels

Former House Intel chief urges review of Huawei, ZTE role in Sprint (Seeking Alpha) Former House Intelligence Chairrman Mike Rogers -- speaking on a call set by the group Protect America's Wireless -- has called for close scrutiny of how Huawei and ZTE (ZTCOY -0.9%) would relate to a combination of Sprint (S +1%) and T-Mobile (TMUS +1.3%), Bloomberg reports.

Opponents to the T-Mobile, Sprint Merger Raise Security Concerns (SDxCentral) The AFLCIO and the Communications Workers of America filed arguments against the merger of T-Mobile and Sprint, citing security concerns.

Anti-fraud startup Fraugster score $14M Series B (TechCrunch) Fraugster, the Berlin-based startup that uses artificial intelligence to prevent fraud for online retailers, has raised $14 million in a Series B funding. The round is led by CommerzVentures, the venture capital subsidiary of Commerzbank, alongside early Fraugster investors Earlybird, Speedinvest, …

IBM chief Ginni Rometty bought US$3 million in company stock before Red Hat deal (CRN Australia) Show of confidence before mega-merger.

Symantec approached about takeover by Thoma Bravo: report (CRN Australia) Private equity giant Thoma Bravo makes its move.

Products, Services, and Solutions

FHOOSH Debuts Secure Mobile Data Live Streaming at Verizon and Nokia Operation Convergent Response Event (PRWeb) Cybersecurity innovator FHOOSH™, Inc. has teamed with Verizon to showcase extremely fast data protection solutions at the Verizon and Nokia-

BehavioSec Announces More Continuous Authentication Features and Patents Powering the Industry’s Strongest Behavioral Biometrics Platform (BusinessWire) BehavioSec, the first vendor to pioneer behavioral biometrics, today announced a series of new features to its BehavioSec Behavioral Biometrics Platfo

Login VSI announces Release 3 of Login PI for proactive monitoring (Help Net Security) Login PI R3 introduces a new concept named Deep Application Performance Testing, providing a view of application end-user experience.

Okta unveils identity capabilities to better secure the digital workspace (Help Net Security) Okta Identity Cloud to improve security for Workspace ONE customers adopting cloud technologies, while minimizing friction for end users and administrators.

Nitrokey FIDO U2F Available (UNITED NEWS NETWORK GmbH) Nitrokey's new USB key for secure two-factor authentication using FIDO U2F is now available

Best Anonymization Tools and Techniques for 2019 (HackRead) Follow us on Twitter @HackRead

Technologies, Techniques, and Standards

Experience an RDP attack? It’s your fault, not Microsoft’s (CSO Online) Follow Microsoft's basic security guidelines for Remote Desktop Protocol and you'll shut down hackers who try to exploit it.

Most CISOs just don't understand the hacker mentality says security chief (Computing) R Brown's Mike Koss says CISOs need to spend more time on the front line

5 security frameworks hospitals are adopting (Becker's Hospital Review) The NIST Cybersecurity Framework — a computer security guidance developed by the National Institute of Standards and Technology at the U.S. Department of Commerce — is the most commonly used security framework at hospitals today, according to the 2018 HealthCare's Most Wired survey

7 Simple but Effective Threat Hunting Tips from a Veteran Threat Hunter (Bricata) Threat hunting is the process of looking for malicious activities that have evaded existing detection measures; these threat hunting tips will improve your process. #bro #soc #threathunting

AI cybersecurity tools help spot threats before they cause harm (SearchEnterpriseAI) Hackers are utilizing AI tools, and security threats are proliferating. But security pros are turning these tools against attackers with their own AI cybersecurity strategies.

This is what the cyber security will look like once attackers weaponise AI (Computing) Artificial intelligence will enable threats to learn as they go, remaining undetected for longer

Enterprises Need to Stop Playing Catch-Me-If-You-Can With Their Containers (Infosecurity Magazine) Many enterprises aren’t even aware that they have deployed containers and orchestrated containerization.

Design and Innovation

Chinese surveillance grows stronger with technology that can recognise people from how they walk (The Telegraph) Chinese cities are rolling out a new “gait recognition” software that identifies people using their silhouettes and how they walk, even if their faces are obscured, in the latest tightening of the country's security.

This MIT PhD Wants to Replace America's Broken Voting Machines with Open Source Software, Chromebooks, and iPads (Motherboard) In 2006, Ben Adida wrote a 254-page PhD dissertation on "cryptographic voting systems." Now, he wants to fix America's broken voting machines.

Here’s Why All the Voting Machines Are Broken and the Lines Are Extremely Long (Motherboard) Voting machines are breaking down across the country and America’s voting technology is in desperate need of a complete overhaul.

Legislation, Policy and Regulation

European Commission emphasises importance of working together to support cyber defence (Computing) Differences in cyber preparedness between EU members could put cross-region systems at risk

In Cyberwar, There Are Some (Unspoken) Rules (Foreign Policy) A recent article argues that the lack of legal norms invites cyberconflict. But governments know the price of overreach and are refraining from unleashing their…

What Happens When the US Starts to ‘Defend Forward’ in Cyberspace? (Defense One) The author of DoD’s 2015 cyber strategy takes a look at the 2018 version.

How cyberspace makes the DoD think differently (Fifth Domain) Key Pentagon leaders assert nontraditional partnerships are critical in competing against top threats.

UK Regulator Calls for Tougher Rules on Personal Data Use (SecurityWeek) Britain's data commissioner warned that democracy is under threat because behavioral targeting techniques developed to sell products are now being used to promote political campaigns and candidates.

Litigation, Investigation, and Enforcement

Two more associates of Roger Stone testify before Mueller grand jury (Washington Post) Filmmaker David Lugo and attorney Tyler Nixon both told The Post last month that comedian Randy Credico acknowledged being the source of material for Stone’s statements about WikiLeaks.

Lawyer: My client didn’t steal 5,000 bitcoins, “Period” (Ars Technica) Charlie Shrem's attorney hits back in lawsuit brought by Winklevoss Capital Fund.

Police crack encrypted chat service IronChat and read 258,000 messages from suspected criminals (HOTforSecurity) Dutch police have revealed that they were able to spy on the communications of more than 100 suspected criminals, watching live as over a quarter of a million chat messages were exchanged. The encrypted messages were sent using IronChat, a supposedly...

AT&T Will Kick Internet Users Offline for Piracy (Motherboard) But critics say losing access to an essential utility is a problematic over-reaction to copyright infringement.

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

First Annual Maryland InfraGard Cybersecurity Conference (College Park, Maryland, USA, December 5, 2018) InfraGard is a partnership between the FBI and members of the private sector. The InfraGard program provides a vehicle for seamless public-private collaboration with government that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of Critical Infrastructure. With thousands of vetted members nationally, InfraGard's membership includes business executives, entrepreneurs, military and government officials, computer professionals, academia and state and local law enforcement; each dedicated to contributing industry specific insight and advancing national security.

upcoming Events

Cyber Security & Artificial Intelligence MENA Summit (Dubai, UAE, November 6 - 7, 2018) Cyber Security and Artificial Intelligence MENA Summit has been designed to bring you a remarkable opportunity to gain fresh insights into areas such as artificial intelligence and machine learning impact on cyber security and creating a solid cyber security foundation for the organization. Join us and get the answers to different questions as how to make cybersecurity strategy more dynamic to keep up with threats or how to get the most value out of cybersecurity automation investments. You will discover the crucial elements of cyber risk oversight and innovative methods which could be implemented against the cybercrime.

2nd Annual Aviation Cyber Security Summit Summit (London, England, UK, November 6 - 7, 2018) Now in its 2nd year, the Cyber Senate Aviation Cyber Security and Resilience Summit (AVCIP2018) will take place on 6th and 7th in London United Kingdom 2018. This two-day executive forum will include presentations, roundtable working groups and panel sessions. Together we will address the escalating cyber risk and resilience challenges associated with the adoption and convergence of operational technologies in enterprise facing architecture. Practitioners will gain further insight into how to best respond to evolving cyber threats, the importance of effective risk management throughout the aviation supply chain, innovations in detection and mitigation, configuration management and how can we incorporate resilience into critical control system components and business process.

Federal IT Security Conference: FITSC 2018 (College Park, Maryland, USA, November 7, 2018) Phoenix TS and Federal IT Security Institute (FITSI) are partnering to host the third annual Federal IT Security Conference (FITSC) this November. Speakers from NIST, DHS, the Defense Department as well as private industry will be in attendance discussing the themes and trends that are influencing the Federal/DoD cyber landscape. Attendance is free for government and military and can earn attendees up to 6 continuing education units (CEUs).

SINET Showcase (Washington, DC, USA, November 7 - 8, 2018) Highlighting and advancing innovation. SINET Showcase provides a platform to identify and highlight “best-of-class” security companies that are addressing the most pressing needs and requirements in Cybersecurity.

SecureWorld Seattle (Seattle, Washington, USA, November 7 - 8, 2018) Connecting, informing, and developing leaders in cybersecurity. SecureWorld conferences provide more content and facilitate more professional connections than any other event in the Information Security industry. Join your fellow InfoSec professionals for high-quality, affordable cybersecurity training and education. Earn 12-16 CPE credits through 60+ educational elements learning from nationally recognized industry leaders. Attend featured keynotes, panel discussions, breakout sessions, and solution vendor displays-all while networking with local peers.

Infosecurity North America (New York, New York, USA, November 14 - 15, 2018) With 23+ years of global experience creating leading information security events, Infosecurity Group is coming to New York in November 2018. Infosecurity North America will provide a focussed business event environment that facilitates valuable networking, immersive learning and leads the critical debate through cutting-edge content. The Infosecurity North America conference program provides access to the latest information security insight presented by leading experts, practitioners and thought leaders. The panel discussions, presentations, demos and workshop will provide you with the information and skills you need to strengthen your organization’s cyber defenses against the threats of tomorrow.

Kingdom Cyber Security (Riyadh, Saudi Arabia, November 20 - 21, 2018) Setting a game plan to boost cyber resilience at the national level.

API Security Summit (London, England, UK, November 21, 2018) The API Security Summit, taking place in London on the 21st of November 2018 will bring together the financial services community, regulators, fintechs, TPPs and associations from across UK and Europe to find solutions to the current lack of standardisation, debate what standards/legislation may emerge in 2019, and how to plan with these in mind.

Army Autonomy and Artificial Intelligence Symposium and Exposition (Detroit, Michigan, USA, November 28 - 29, 2018) This symposium will explore and showcase innovative ways the U.S. Army is developing critical capabilities in robotics, autonomy, machine learning, and artificial intelligence. The goals are to explore how the Army-Industry team can best collaborate to achieve cost-effective, innovative solutions to military problems, seamlessly reallocate resources as conditions change, and with the speed and efficiency that adversaries cannot match.

The Cyber Security Summit: Los Angeles (Los Angeles, California, USA, November 29, 2018) This event is an exclusive conference connecting Senior Level Executives responsible for protecting their company’s critical data with innovative solution providers & renowned information security experts. Learn from cyber security thought leaders and Engage in panel discussions focusing on trending cyber topics such as Sr. Leadership’s Best Approach to Cyber Defense, What’s Your Strategic Incident Response Plan?, Protecting your Enterprise from the Human Element and more. Your registration includes a catered breakfast, lunch, and cocktail reception. Receive half off your admission with promo code cyberwire50 at CyberSummitUSA.com and view details including the full agenda, participating solution providers & confirmed speakers. Tickets are normally $350, but only $175 with promo code.

Securing Digital ID 2018 (Alexandria, Virginia, USA, December 4 - 5, 2018) As an increasing number of transactions move online and are mobile-enabled, the conference will explore today’s complex world of digital identities and how they are used for strong authentication and remote authorization. Securing Digital ID is a unique event for executives, policy makers, product developers and engineers interested in identity security and authentication. The conference will be held in partnership with TWST Events on December 4-5, 2018 at the Hilton Alexandria Mark Center minutes from Washington, D.C.

International Cyber Risk Management Conference (Hamilton, Bermuda, December 6 - 7, 2018) Now in its fourth year in Canada, the International Cyber Risk Management Conference (ICRMC) has earned a reputation as one of the world’s most trusted cyber security forums. We are proud to bring ICRMC to Bermuda, the “world’s risk capital,” where we, with the support of a stellar advisory committee, will focus on cyber risk with an emphasis on insurance and risk-transfer solutions.

2018 Cloud Security Alliance Congress (Orlando, Florida, USA, December 10 - 12, 2018) Today, cloud represents the central IT system by which organizations will transform themselves over the coming years. As cloud represents the future of an agile enterprise, new technology trends, such as Internet of Things (IoT), FOG Computing, Block Chain and Artificial Intelligence will extend the benefits of cloud - but also create new attack vectors for ambitious and resourceful adversaries. Additionally, the compliance landscape continues to evolve creating new challenges in delivering, measuring, and communicating compliance through multitude of regulations across multiple jurisdictions. The Cloud Security Alliance and MIS Training Institute have partnered to host the 2018 Cloud Security Alliance Congress on December 10-12 at the Omni Orlando Resort in ChampionsGate, Florida. This year’s event welcomes world leading security experts and cloud providers to discuss global governance, the latest trends in technology, the threat landscape, security innovations, best practices and global governance in order to help organizations address the new frontiers in cloud security.

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter’s financial reach, or it might just not be the right time for you to do those things. That’s why we launched our new Patreon site, where we’ve created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you’ll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.