Cyber Attacks, Threats, and Vulnerabilities
US says China hacking increasing ahead of Trump-Xi meeting (Fifth Domain) Trade Representative Robert Lighthizer's report reflects U.S. skepticism and a possible source of new acrimony ahead of the meeting in Buenos Aires.
Phishing Used to Launch GreyEnergy’s ICS Attacks (Infosecurity Magazine) Security researcher analyzed content of phishing email used in ICS attacks
Russia far bigger threat than ISIS: British army chief (The Times of India) UK News: Chief of the General Staff Gen Carleton-Smith said Russia was "indisputably" a bigger threat than Islamic terrorist groups like Al Qaeda and IS, the B
Britain is wide open to cyber-attack (Times) About three years ago an employee at the Prykarpattyaoblenergo control centre in Ukraine was going through some papers at his desk when he noticed that his computer was running through the steps to...
CEE countries particularly at risk from cyber attack (Emerging Europe) A new report from the international law firm CMS has revealed that despite well over 100 separate cyber incidents being recorded across 18 CEE countries last year, less than a quarter of these have resulted in government or regulatory action. The Cybersecurity Challenge in Central and Eastern Europe published by CMS together with Legal Week Intelligence, examines how …
Russian hacker resurgence after midterms (TheHill) Russian hackers are back in the spotlight after the U.S. midterm elections, carrying out a widespread campaign that targeted the federal government, media outlets and think tanks.
Semmle Discovers Vulnerability in Ghostscript Interpreter Used to Process Postscript and PDF Files (Semmle) Semmle announced today that it discovered a vulnerability which could allow for remote takeover of systems running unpatched versions of Ghostscript, an interpreter that processes Postscript and PDF files.
Five Year Old Bug Spawns Router Botnet Monster (Hackaday) In the news has been yet another router botnet. [Hui Wang] and [RootKiter] of 360Netlab announced their discovery of what they call the “BCMUPnP_Hunter” rootkit. They estimate this botn…
L0rdix malware on dark web steals data, mines crypto & enslaves PCs as botnet (HackRead) There’s a new hacking tool circulating in underground Dark Web forums that lets cybercriminals target Microsoft Windows computers.
A Look into the Connection Between XLoader and FakeSpy, and Their Possible Ties With the Yanbian Gang (TrendLabs Security Intelligence Blog) XLoader and FakeSpy are two of the most prevalent malware families that emerged from the mobile threat landscape recently.
Black Friday special by Emotet: Filling inboxes with infected XML macros (WeLiveSecurity) ESET has detected another large Emotet campaign that is probably aiming to piggyback on the start of the busy shopping period with a Black Friday special of its own.
Old Printer Vulnerabilities Die Hard (Threatpost) New research on an old problem reveals that, despite efforts, InfoSec professionals still have a way to go when it comes to securing printers.
Cryptocurrency ‘minting’ flaw could have leached money from exchanges (Naked Security) Ethereum’s complexity proves to be a rich source of bugs, again.
The US Postal Service exposed data of 60 million users (TechCrunch) A broken U.S. Postal Service API exposed more than 60 million users and allowed a researcher to pull millions of rows of data by sending wildcard requests to the server. The resulting security hole has been patched after repeated requests to the USPS. The USPS service, called InformedDelivery, allo…
PI System Software Maker, OSIsoft, Announced Breach (Infosecurity Magazine) OSIsoft data breach reportedly impacted all domain accounts
Spotify Phishers Hijack Music Fans’ Accounts (Threatpost) The credentials could be used to glean a variety of intel on the victims.
Half of all Phishing Sites Now Have the Padlock (KrebsOnSecurity) Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice
Hacker takes over Drake's Fortnite account to yell racial slurs (HackRead) The official Fortnite account of the Canadian rapper Drake, going by the handle “Duddus647”, was hacked in an attack on Thanksgiving weekend.
Security Patches, Mitigations, and Software Updates
Microsoft: Crash-causing Outlook 2010 security patches are now fixed (ZDNet) Microsoft's new Outlook 2010 update ought to provide the critical security fixes without the crashes.
Update now! Adobe Flash has another critical security vulnerability (Naked Security) Adobe’s Flash Player for Windows, Mac and Linux has a critical vulnerability that should be patched as a top priority.
Cyber Trends
The Balance of Cyberpower (The National Interest) We rank all the great cyberpowers.
Microsoft president says defending democracy is a big cybersecurity challenge (The Irish Times) ‘What we’re seeing is technology tools that some people . . . are turning into weapons’
For recent big data software vulnerabilities, botnets and coin mining are just the beginning (Help Net Security) Any company using Hadoop or Spark should be certain they have the capability to detect and respond to vulnerabilities in these systems rapidly.
Internal negligence to blame for most data breaches involving personal health information (Help Net Security) More than half of personal health information data breaches were because of internal issues with medical providers - not because of external parties.
Losses from business email compromise scams up by a third: ACCC (CRN Australia) ACCC said businesses lost $2.8m from online scams.
Concern Grows over Failure to Tackle Global Threats to Cybersecurity (World Economic Forum) World Economic Forum hosts first Annual Gathering of the Centre for Cybersecurity in Geneva, Switzerland
Marketplace
Security skills hard to find because industry is focusing on the wrong things, says panel (Computing) A panel of security experts at Computing's recent Enterprise Security and Risk Management event says looking for computer science degrees won't necessarily find you the right people for the job
Companies must deal with the growing problem of the security skills gap (Computing) The rate of technology change is accelerating, but people are struggling to learn new skills fast enough to keep up
Why the Pentagon and Silicon Valley Need to Get on the Same Page (Foreign Policy) An interview with the new head of the Pentagon’s Defense Innovation Unit.
China’s Tech Giants Are Looking Weaker Than Ever (Bloomberg) The startup phase is long gone. It’s time they show some financial maturity.
Facebook’s share stuffing wins Zuckerberg no thanks (The Telegraph) Who’s the biggest turkey in Silicon Valley this Thanksgiving?
I knew about Soros smear firm, says Facebook chief (Times) Sheryl Sandberg has changed her account of how much she knew about a PR firm that Facebook recruited to conduct smear campaigns against opponents. The chief operating officer of the social media...
Tech giants offer empty apologies because users can’t quit (TechCrunch) A true apology consists of a sincere acknowledgement of wrong-doing, a show of empathic remorse for why you wronged and the harm it caused, and a promise of restitution by improving one’s actions to make things right. Without the follow-through, saying sorry isn’t an apology, it’s a hollow ploy for f…
European privacy search engines aim to challenge Google (AP NEWS) In the battle for online privacy, Google is a U.S. Goliath facing a handful of European Davids. The backlash over Big Tech's collection of personal data offers new hope to a number of little-known search engines that promise to protect user privacy. Sites like Britain's Mojeek, France's Qwant, Unbubble in Germany and Swisscows don't track user data, filter results or show "behavioral" ads.
BlackBerry: Did Investors Sour On The $1.4 Billion Cylance Deal? (Seeking Alpha) BB sold off after announcing its $1.4 billion Cylance acquisition. Cylance's AI technology will fortify BB's cybersecurity offerings.
Bitcoin Mining Firm Giga Watt Declares Bankruptcy Owing Millions (CoinDesk) U.S.-based bitcoin mining firm Giga Watt has declared bankruptcy with millions still owed to creditors.
Cisco forecasts IP handset sales surge (CRN Australia) Security upgrades, cloud collaboration and softphone failures spark 30 percent growth.
Hackers are now earning more than $1 million for discovering iPhone X zero-day exploits in China (CyberByte Blog) There was a contest in Chengdu between November 16-17 this year in which white hat hackers earned more than $1 million for discovering exploits.
Why Bitcoin Is Plunging (This Time) (WIRED) Fractures in the bitcoin community and a possible government investigation have sent the value of the virtual currency spiraling down.
Israel Defence Ministry to provide G20 cyber security in $5m deal (Middle East Monitor) Israel's Defence Ministry will provide cyber security for the upcoming G20 summit after signing a $5 million deal with its Argentinian counterpart.
Products, Services, and Solutions
2018 Hacker Kids Gift Guide (Dark Reading) Fun gift choices that foster design thinking and coding skills in kids both young and old.
ISR America Announces New Federated Amazon Web Services API & CLI Access with CloudGate UNO (PR Newswire) ISR America Ltd., a cloud security provider, today announced the launch of the new Federated Amazon Web Services API &...
DAEATI chooses Trustonic IoT and device security for open rail control network (Trustonic) Trustonic security solutions support first Korean railway project to embrace secure IoT, smartphone use and a move to open networks
The Future of Social Media is Here - Trust and Security Are Back (MarketWatch) realfriends, the only intelligent and safe alternative to Facebook, is redefining the world of social communications
Janrain unveils next-gen customer identity management as a service (IDaaS) offering (Help Net Security) Janrain Identity Central allows companies to provide customer registration, authentication, consent management, as well as self-service account recovery.
Orkus Exits Stealth, Launches the Orkus Access Governance Platform So Enterprises Can Prevent Unauthorized Access in the Cloud (PR Newswire) Orkus, Inc., today announced it has formally entered the marketplace with the launch of the Orkus Access Governance...
Technologies, Techniques, and Standards
Can the grid be restarted after a cyber attack – it is not clear (Control Global) The recent DARPA Plum Island test to restart the grid after a cyber attack did not address process sensors. It is not clear the impact on grid restart if the process sensors are compromised.
Are we chasing the wrong zero days? (Help Net Security) Zero days became part of mainstream security after the world found out that Stuxnet was used to inflict physical damage on an Iranian nuclear facility.
Siemens joins blockchain energy platform (Cointelegraph) The energy division of the German technology group Siemens is joining the open-source blockchain platform 'Energy Web Foundation'.
Aircraft Giant Boeing Integrates Blockchain Technology into New Flight Software (blockchainreporter) Boeing and SparkCognition have teamed up to create SkyGrid, a new DLT-based aviation software…
A SWIFT response to threats: how the global financial network safeguards itself against compromise and theft (CSO) In the digital era, cyber-security is – or should be – a prime concern for Australian organisations of all stripes and sizes.
7 Real-Life Dangers That Threaten Cybersecurity (Dark Reading) Cybersecurity means more than bits and bytes; threats are out there IRL, and IT pros need to be prepared.
The Cybersecurity Mistakes Startups Make When They Get Big (Wall Street Journal) When small businesses start to boom, upgrading their cybersecurity usually gets left off the to-do list.
Creepy or Not, Face Scans Are Speeding up Airport Security (WIRED) Who cares if you hate it? This time- and effort-saving tech is spreading, and fast.
The Lie Generator: Inside the Black Mirror World of Polygraph Job Screenings (WIRED) Want to become a police officer, firefighter, or paramedic? A WIRED investigation finds government jobs are one of the last holdouts in using—and misusing—otherwise debunked polygraph technology.
Your Drone Can Give Cops a Surprising Amount of Your Data (WIRED) Crime investigators are gleaning a host of personal information from a recovered drone, such as where its owner lives, credit card numbers, and email addresses.
3 lessons the Army is taking from U.S. Cyber Command (Fifth Domain) The service has undergone a series of pilots to test what cyber capabilities brigade commanders should have at the tactical edge.
Here’s why Marine Raiders want to take down GPS, cellphones and a Russian navigation service (Marine Corps Times) The Raiders are looking to train their special operators for a fight with near-peer adversaries.
Design and Innovation
Influence of Artificial Intelligence and Machine Learning in Cybersecurity (Infosecurity Magazine) Why AI and Machine Learning are reflective of the predicted advancements in IT.
AI has an explainability problem (Computing) Rainbird CEO Ben Taylor on keeping humans at the centre of decision making
The passwordless web explained (Naked Security) Naked Security attempts to demystify passwordless web authentication.
Wanted: The ‘perfect babysitter.’ Must pass AI scan for respect and attitude. (Washington Post) A start-up that requires prospective babysitters to hand over their social media accounts says it uses “advanced artificial intelligence” to assess a sitter's risk of drug abuse, bullying and more.
Academia
University of Birmingham CISO: "I have severe doubts about the security of Facebook, and LinkedIn is going the same way" (Computing) The University of Birmingham faces security challenges from the local to the international level
Anne Barth: Training a coding, cyber workforce in WV (Daily Mail Opinion) (Charleston Gazette-Mail) We often hear that students in school today will work in jobs that don’t even exist right now. Even just 10 years ago, who knew that people would find work
NDSU Cyber Team Has Four Top Ten Finishes, Student Places in Top 50 Cyber Warriors Nationally (Digital Journal) North Dakota State University students excel at cybersecurity competitions and win national awards in several areas.
Legislation, Policy, and Regulation
China In Breach Of Cyber-Security Pact (The National Law Review) It has been a fairly turbulent week in the cyber-espionage space following accusations that China’s Ministry of State Security is behind the surge of intellectual property theft from Australi
That Black Mirror episode with the social ratings? It’s happening IRL (Naked Security) Not picking up after your dog will cost you 10 points, for example, in China’s Black Mirror-esque plan to socially score citizens.
China's Xinjiang Region: A Surveillance State Unlike Any the World Has Ever Seen (SPIEGEL ONLINE) In western China, Beijing is using the most modern means available to control its Uighur minority. Tens of thousands have disappeared into re-education camps. A journey to an eerily quiet region.
Exclusive: Russia plans stiffer fines for tech firms that break... (Reuters) Russia plans to impose stiffer fines on technology firms that fail to comply wit...
Russia, stung by intelligence leaks, plans to tighten data protection (Reuters) Russia has drawn up draft legislation aimed at stopping leaks of personal inform...
NATO’s Cyber Operations Center – Will Russia Feel Threatened? (CyberDB) According to recent reporting, the North Atlantic Treaty Organization (NATO) announced that its Cyber Operations Center (COC) is expected to be fully staffed and functional by 2023. The new COC marks NATO’s understanding of the importance that cyberspace plays in conflict, particularly in times of political tension that have resulted in cyber malfeasance that has …
Get Out Of My Face, Get Out of My Home: The Authoritarian Tipping Point (Forbes) We have all the technology necessary to go beyond Orwell's dystopian authoritarian predictions in his novel 1984: surveillance cameras, face recognition, digital assistants and AI analytics. All we need is a tipping point to create a powerful authoritarian regime that could control our every move.
Matthew Hedges: Cut defence links with emirates and impose sanctions, urge MPs (Times) Britain should threaten to withdraw its defence co-operation from the United Arab Emirates to secure the release of the jailed student Matthew Hedges, a senior Tory said yesterday. MPs also said it...
Analysis | The Cybersecurity 202: British parliament turns up heat on Facebook over privacy practices (Washington Post) There's a hearing tomorrow.
Businesses urged to pull adverts from tech giants hosting extremism (The Telegraph) Businesses have been urged to pull their advertising from tech firms that fail to take down extremist content following an investigation into five terror attacks that claimed 36 lives.
Washington Asks Allies to Drop Huawei (Wall Street Journal) The U.S. government has launched an outreach campaign to foreign allies to persuade wireless and internet providers to shun telecom equipment from China’s Huawei.
Huawei “surprised” by reports US is exerting pressure on allies (South China Morning Post) The Shenzhen-based company is caught in a vortex between the world’s two largest economies amid an escalating trade and technology war
Special Report: Is the US Ready to Escalate in Cyberspace? (Defense One) A barrage of cyber attacks has hit U.S. companies and institutions over the past decade. At long last, the United States says it’s ready to strike back.
Newly elected Republican senator could be Google’s fiercest critic (Ars Technica) There's growing appetite among Republicans for regulating big tech companies.
Head of Skripal-linked spy agency dies (BBC News) Gen Igor Korobov died aged 62 after "a serious and long illness", the Russian government says.
Litigation, Investigation, and Law Enforcement
Israeli NSO negotiated with Saudis advanced cyberattack capabilities sale, Haaretz reveals (Haaretz) Just months before the crown prince launched a purge against his opponents, NSO offered Saudi intelligence officials a system to hack into cellular phones. NSO: We abide by the law; our products are used to combat crime and terrorism
US ‘reveals how Tehran funds Hezbollah’s terror’ (Times) Iran funnelled “hundreds of millions” of US dollars through Russia and Syria to Middle East terrorists in a scheme masterminded by the director of a company that was registered in Britain...
U.K. Anti-Terrorism Efforts Are Terrifying to Anybody Who Favors Free Speech (Reason.com) Clicking the “wrong” link can get you interrogated by the authorities—and the situation may soon get worse.
Private Facebook documents seized by parliament (Computing) Documents allegedly contain email conversations about privacy controls that led to the Cambridge Analytica scandal
Ukrainian Police Nab Suspected RAT-Slinger (Infosecurity Magazine) Lviv man is alleged to have infected thousands around the world
First GDPR Sanction in Germany Fines Flirty Chat Platform EUR 20,000 (BleepingComputer) Following a hack that resulted in leaking online about 808,000 email addresses and over 1.8 million usernames and passwords, a social network website in Germany received a fine of EUR 20,000 from the Baden-Württemberg Data Protection Office.
Google accused of 'failing to comply' with EU competition authority's Google Shopping ruling (Computing) Google's own 'heads we win; tails you lose' remedy criticised for favouring only Google
George Soros deputy calls on Congress to investigate Facebook 'smears' (The Telegraph) Facebook’s use of a public relations firm which sought to smear George Soros should be investigated by the US Congress, according to a senior official from the billionaire tycoon's Open Society Foundation.
How much for that app? U.S. top court hears Apple antitrust dispute (Reuters) When iPhone users want to edit blemishes out of their selfies, identify stars an...
Nine out of 10 reported cyber incidents never reach court (Computing) Whether it is because of legal risks, reputational damage or concerns over business continuity, reporting cyber incidents is rare and pursuing them legally is even more so.
Chinese businesswoman accused of jaywalking after AI camera spots her face on an advert (The Telegraph) Chinese police have admitted to wrongly shaming a famous businesswoman after a facial recognition system designed to catch jaywalkers mistook an advert on the side of a bus for her actual face.
The United States’ toughest biometric privacy law is facing a challenge from Six Flags (The Verge) The Illinois Supreme Court is hearing a case.
LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook (TechCrunch) LinkedIn, the social network for the working world with close to 600 million users, has been called out a number of times for how it is able to suggest uncanny connections to you, when it’s not even clear how or why LinkedIn would know enough to make those suggestions in the first place. Now,…
The phone went dark, then $1m was sucked out in SIM-swap crypto-heist (Naked Security) A Silicon Valley exec lost $1m in cryptocoin savings when a 21-year-old allegedly SIM-swapped his phone.
The FBI Created a Fake FedEx Website to Unmask a Cybercriminal (Motherboard) In an attempt to identify someone tricking a company into handing over cash, the FBI created a fake FedEx website, as well as deployed booby-trapped Word documents to reveal fraudsters' IP addresses.