The CyberWire Daily Briefing 1.4.18

Cyber Attacks, Threats, and Vulnerabilities

A Critical Intel Flaw Breaks Basic Security for Most Computers (WIRED) A Google-led team of researchers has found a critical chip flaw that developers are scrambling to patch in millions of computers.

Today's CPU vulnerability: what you need to know (Google Online Security Blog) Posted by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program Manager [Google Cloud, G Suite, and Chrome customers...

Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device? (TechCrunch) If you're confused by the avalanche of early reports, denials, and conflicting statements about the massive security issues announced today, don't worry —..

Google told chipmakers about Spectre and Meltdown vulnerabilities last summer (Computing) The flaws affect all chipmakers, contrary to earlier reports and claims

The Clever Engineering Behind Intel's Chipocalypse (Motherboard) When computer security collides with computer efficiency.

Researchers Discover Two Major Flaws in the World’s Computers (New York Times) Called Meltdown, the first and most urgent flaw affects nearly all microprocessors made by Intel. The second, Spectre, affects most other chips.

Intel Says Major Security Flaw Affects Competitors AMD and ARM Too (Fortune) But the stock market has punished its share price.

Intel In Security Hot Seat Over Reported CPU Design Flaw (Threatpost) Intel is grappling with what many are calling a processor design flaw impacting CPUs used in Linux, Windows and some macOS systems.

Major Chip Flaws Confirmed as “Meltdown” and “Spectre” (Infosecurity Magazine) Major Chip Flaws Confirmed as “Meltdown” and “Spectre”. Impact of discoveries could be felt for years, claim researchers

F**CKWIT, aka KAISER, aka KPTI – Intel CPU flaw needs low-level OS patches (Naked Security) It’s known variously as F**KWIT, KAISER and KPTI – it’s an Intel CPU flaw that means we need to trade performance for security.

Critical flaws revealed to affect most Intel chips since 1995 (ZDNet) Most Intel processors and some ARM chips are confirmed to be vulnerable, putting billions of devices at risk of attacks. One of the security researchers said the bugs are "going to haunt us for years."

Spectre? Meltdown? F*CKWIT? Calm down and make yourself some tea (Graham Cluley) There is not much that consumers can do other than wait for security patches and mitigations to be released, and then apply them as a matter of priority.

Slowdowns expected as computer industry races to fix security flaws (The Sydney Morning Herald) Dubbed Meltdown and Spectre, a pair of newly-disclosed processor flaws are among the worst CPU security bugs ever found.

Upcoming patches for security flaw in Intel processors expected to slow down computers (Help Net Security) All computers using modern Intel chips - whether they run Windows, Linux or macOS - are expected to suffer a performance hit in the coming days.

Ukraine a "training ground" for Russian hacking attacks on west (SC Magazine) Ukraine has become a "training ground" for Russian hackers wishing to perpetrate cyber-attacks on the west, a Kyiv security expert has claimed.

Ad targeters exploit browsers' password managers to track users online (Help Net Security) Ad targeters are exploiting browsers' built-in login managers to covertly collect hashes of users' email addresses, to be used to track them across the web.

New Android Malware Disguised as Uber App (HackRead) New Android malware targets unsuspecting Uber user to steal their login credentials including username and password.

36 fake security apps removed from Google Play (Help Net Security) Posing as legitimate security solutions, and occasionally misusing the name of well-known AV vendors like Avast, the apps seemed to be doing the job.

Apps Disguised as Security Tools Bombard Users With Ads and Track Users' Location (TrendLabs Security Intelligence Blog) In early December, we found a total of 36 apps on Google Play that executed unwanted behavior. These apps posed as useful security tools under the names Security Defender, Security Keeper, Smart Security, Advanced Boost, and more. They also advertised a variety of capabilities: scanning, cleaning junk, saving battery, cooling the CPU, locking apps, as well as message security, WiFi security, and so on. The apps were actually able to perform these simple tasks, but they also secretly harvested user data, tracked user location, and aggressively pushed advertisements.

240,000 Homeland Security employees, case witnesses affected by data breach (ZDNet) A database used by the Department of Homeland Security's Office of the Inspector General has been confirmed as breached, affecting 247,167 current and former employees and individuals associated with the department's previous investigations.

Data Breach Affected More Than 240,000 Homeland Security Workers, IG Confirms (Nextgov.com) The breach also affected non-DHS employees who communicated with the department’s inspector general.

How reusing complex passwords gives your identity away (CSO Online) Researchers deanonymized anonymous Tor Mail accounts, raising awareness of the implications of reusing even complex passwords when creating an anonymous account.

Report: Most agencies vulnerable to phishing (Fifth Domain) Nearly half of agency email domains have adopted policies to collect data on unauthorized emails as mandated by an Oct. 16, 2017, Department of Homeland Security directive.

Security Patches, Mitigations, and Software Updates

Cloud infrastructure vendors begin responding to chip kernel vulnerability (TechCrunch) Several cloud vendors began responding to the chip kernel vulnerability that has the industry reeling today. Each Infrastructure as a Service vendor clearly..

Microsoft issues emergency Windows update for processor security bugs (The Verge) Microsoft is issuing a rare out-of-band security update to supported versions of Windows today. The software update is part of a number of fixes that will protect against a newly-discovered...

Critical Microprocessor Flaws Affect Nearly Every Machine (Dark Reading) Researchers release details of 'Meltdown' and 'Spectre' attacks that allow programs to steal sensitive data.

Google’s Project Zero team discovered critical CPU flaw last year (TechCrunch) In a blog post published minutes ago, Google’s Security team announced what they have done to protect Google Cloud customers against the chip vulnerability..

Apple Working on Patch for New Year's Eve macOS Flaw (Security Week) Apple is aware of the macOS vulnerability disclosed by a researcher on New Year’s Eve and the company plans on patching it later this month.

Cyber Trends

Q3 2017 Global DDoS Threat Landscape Report released (Help Net Security) Imperva Incapsula's Q3 2017 Global DDoS Threat Landscape Report features insights on attacks and mitigation. A third of network layer attacks were highly persistent.

Ransomware, Automation, and IoT Bots, Oh My! (Security Boulevard) Happy New Year to all our readers! In 2017, we conducted several studies and wrote several reports on the state of cyber security. Let’s take a look at how 2017 shaped up: How Lucrative is Confidential Data? Prime Bounty for Hackers, Top Concern for Businesses Radware’s annual Global Application & Network Security Report combines a The post Ransomware, Automation, and IoT Bots, Oh My! appeared first on Radware Blog.

CES is about showing off the latest gadgets. But what about their security flaws? (CNET) Connected devices will be all the rage at CES, but security experts see the trend setting us up for future attacks.

Users are compromising most security tech (PaymentsSource) Cybersecurity systems, as sophisticated as they are, are clearly not doing the job. And maybe they never will, given that in the end the effectiveness of those systems can be overridden by workers inside the organization, writes Tal Vegvizer, director of research and development for Bufferzone.

Ireland Not Prepared for Increased Cyber Criminality Warn Experts (Business World) Irish information security provider, Ward Solutions, has today claimed that 2018 will be the year that a full-scale cyber war breaks out between countries. The provider also predicts that nation states and law enforcement agencies around the world will begin to use cyber tactics offensively.

Marketplace

Barracuda Acquires PhishLine (Barracuda Networks) PhishLine's Social Engineering Simulation and Training Platform Expands Barracuda Solutions to Protect Against Email-borne Targeted Attacks Barracuda Networks, Inc . (NYSE: CUDA), a leading provider of cloud-enabled security and data protection solutions, today announced it has acquired PhishLine , LLC, a leading SaaS platform for social engineering simulation and training. Combining Barracuda's AI-driven protection against phishing and spear phishing with PhishLine's platform gives customers co

Network security firm AlgoSec raises $36 million from Claridge Israel (Reuters) Network security firm AlgoSec said on Wednesday it raised $36 million from investment firm Claridge Israel to help it expand globally.

Cybersecurity is Microsoft's New Year's resolution (IT Pro Portal) Diversity, privacy and the Paris accord also feature highly in priorities named by Microsoft executives.

GNR signs up Kaspersky Lab to bolster software portfolio (MicroscopeUK) Cyber security player becomes distributor's first signing of 2018 as it moves to expand its software portfolio

FRANCE : French government takes back control of communications interception platform from Thales (Intelligence Online) After having run into all sorts of problems since it struck up a major agreement with the electronics group in 2008, the French Ministry of Justice is to take judge-sanctioned communications

Georgia’s new cybersecurity campus is about to get much bigger (Atlanta Journal-Constitution) Th$35 million cybersecurity addition will be a few steps from the $60 million centerpiece still under construction in Augusta, Ga.

KPMG appoints cybersecurity expert David Ferbrache as Chief Technology Officer (Consultancy) KPMG has promoted government cybersecurity and company veteran to the role of Chief Technology Officer.

Products, Services, and Solutions

5 best Chrome antivirus extensions to protect your browser in 2018 (Windows Report) Analyzing the fast pace that cybercrime is increasing by these days, it’s becoming more and more essential to boost your online security. You can do …

Password managers grow up, target business users (CSO Online) Enterprise-class password managers fill key security gaps left by single sign-on (SSO) and cloud access solutions.

Twistlock 2.3 Advances Container Security with Serverless Support (eWEEK) Container security vendor adds new capabilities including per-layer vulnerability analysis as well as an improved Cloud Native App Firewall.

WISeKey QuoVadis continues the upgrade of its SuisseID Digital Identity Programme (GlobeNewswire News Room) WISeKey International Holding Ltd (WISeKey) (SIX:WIHN), a leading Swiss cybersecurity and IoT solutions company, today announced that its QuoVadis Trust Service Provider continues the further development and upgrade of its already successful and widely-used SuisseID digital identity programme.

Technologies, Techniques, and Standards

FTSE and Fortune firms are mistaken about their GDPR compliance (Computing) More than 90 per cent of the largest companies say that they are ready for the regulation, but few have taken the necessary steps

Building a program for GDPR compliance: Can you answer these key questions? (Help Net Security) To realistically achieve GDPR compliance in time for the May 25, 2018 deadline, organizations should first ask themselves the following questions.

6 Essential Steps to Secure Internet for Freelancers (Allconnect Connected Home Blog) More and more workers are punching their time cards at home, a trend that puts a focus on the security of home internet as

Locked Doors, Open Windows: Failures in Guarding Private Sector Information (The Cipher Brief) Not a day goes by that Americans don’t wake to the news of a new cyber intrusion affecting private sector or government networks, whether major cyber hacks at Target or Equifax, sloppy data breaches like those Verizon experienced, or nation-state-sponsored efforts like the WannaCry virus. Companies and institutions are pouring more time, attention and resources … Continue reading "Locked Doors, Open Windows: Failures in Guarding Private Sector Information"

Cybersecurity Perception vs Reality: Is Your Organization Actually Secure? (Secureworks) With an evolving cyberthreat landscape and increasing regulatory demands, organisations cannot afford to operate under misconceptions that lure them into a false sense of security.

Animals Adapt their Defenses Based on Predators – We Must Too (ThreatQuotient) Some animals bet on speed, others on protective shells, others on camouflage, the list goes on and on. Inventiveness is limitless but the objective is consistent: defend against “THE” main predator of the species concerned.

Key Questions any CEO Should ask Before Moving to the Cloud (Infosecurity Magazine) As your organization makes the move to the cloud, managing security risks should be on the top of your list.

Scan the dark web for threat intelligence (CSO Online) It may be possible to glean valuable security insights by monitoring the dark web.

Berger: NAFCU ramping up data security push in new year (CUInsight) NAFCU President and CEO Dan Berger asserted the association’s ongoing focus on winning passage of comprehensive data and cybersecurity legislation, one of the association’s top priorities for 2018, in an op-ed published yesterday in CUTimes. Berger noted that frequent data security breaches – in 2017 there were more than 1,200 reported by late November – …

Design and Innovation

Can we really automate how security analysts think? (CSO Online) Through a combination of human and machine intelligence, security will become smarter, faster, and more effective. It can't come soon enough.

America's Hottest Self-Driving Car Startup Just Joined Forces with VW and Hyundai (WIRED) Aurora, founded by a trio of robocar superstars, makes a big move toward commercialization.

Research and Development

The labs that protect against online warfare (BBC) A worrying form of conflict has begun – cyber-attacks aimed at infrastructure and society, all done without a shot being fired. Christian Borys visits some of those fighting back.

The Dark Side of Quantum Computing (Security Boulevard) Despite its promise, quantum computing has the potential to undermine the foundations of internet privacy and commerce.

Academia

Government-led Cyber Discovery programme gets 20,000 student sign ups in just six weeks (Computing) Youth-focused cyber security programme part of the CyberFirst initiative launched by Theresa May last year

It’s Time to Go Back to Basics to Address Cybersecurity Skills Shortages (FE News) Uber, Equifax, Yahoo: big-name data breaches have become so commonplace over the past year or two that the average consumer has almost become desensitised to them.

Israel to Train High Schoolers for Big Data Intelligence Jobs (CTECH) A new program is intended to provide Israel's intelligence arms, including Unit 8200, and the Mossad with pre-trained recruits

Legislation, Policy and Regulation

France says anti-fake news election law incoming (TechCrunch) France's president has said he plans to introduce new legislation aimed at curbing the spread of online fake news during election periods.

Trump roots on Iran's protesters, declares 'time for change' (Military Times) The Trump administration has thrown the weight of the U.S. government behind the protesters taking to the streets of Iran, rooting them on despite the risk of helping Iranian authorities dismiss a week of major demonstrations as the product of American instigation.

Cyber and Calvinball: What’s Missing From Trump’s National Security Strategy? (War on the Rocks) Editor’s Note: Please check out the full roundtable at our sister publication, the Texas National Security Review. President Donald Trump’s first National

China and Germany in a dust up over cybersecurity (CSO Online) Germany calls out China on their lack of progress on bilateral cybersecurity efforts, while China continues to target German companies for intellectual property theft.

2018: The year of the NIS Directive (Help Net Security) The NIS Directive is the first piece of EU-wide legislation on cybersecurity and, by May 9, 2018, all EU member countries will have to have it incorporated it into their own national laws.

Litigation, Investigation, and Enforcement

Former NSA contractor accused of hoarding secrets at home to plead guilty to one charge, but case to continue (Baltimore Sun) A former NSA contractor who was accused of stashing reams of classified information at his Glen Burnie home is to plead guilty to taking home a single secret document, federal prosecutors said Wednesday.

Ex-U.S. NSA contractor to plead guilty to massive theft of secret data (Reuters) A former U.S. National Security Agency contractor has agreed to plead guilty to stealing classified information, according to court filings on Wednesday, in what may have been the largest heist of U.S. government secrets in history.

Tony Blair ‘warned Trump’ that UK may have spied on him (Times) Tony Blair warned Donald Trump’s aides that British intelligence may have spied on them during the election, according to an explosive new book. The former prime minister met Jared Kushner...

Your Nigerian Prince is a 67 year old from Louisiana (Naked Security) Michael Neu said that he started as a victim before switching sides to become a middleman in the scams

Contrasting penalties for Metrobank, RCBC (Standard) Two of the nation’s biggest banks have received “huge” fines from the Bangko Sentral ng Pilipinas for internal fraud and involvement in a money laundering scam in a span of two years. But some bankers are puzzled over the contrasting penalties imposed on the two banks.

Mother of “swatting” victim wants cop criminally charged for shooting (Ars Technica) Call of Duty gamer allegedly made fake emergency call to Wichita cops.

Phishing to Rural America Leads to Six-figure Wire Fraud Losses (SANS Internet Storm Center) We often focus on malware and hacking in terms of the tools the criminals use, but often good old-fashioned deception is simple enough. A recent case I worked on involves phishing sent to rural real estate professionals (law firms, title companies, realtors, etc). It is particularly effective on targets that use the various web-mail / free e-mail services.

Meltdown and Spectre pose kernel-level threats. Bogus security apps expelled from the Play store.