Cyber Attacks, Threats, and Vulnerabilities
Huawei Represents Massive Supply Chain Risk: Report (Dark Reading) The Chinese technology giant's enormous product and service footprint gives it access to more data than almost any other single organization, Recorded Future says.
Huawei security threat derives from its sheer scale, says analysis (the Guardian) Cybersecurity report warns Chinese tech firm’s breadth exposes customers to risk
The New Cyber Insecurity: Geopolitical and Supply Chain Risks From the Huawei Monoculture (Recorded Future) We explain how the breadth of technologies and services provided by Huawei is emblematic of an evolved and comprehensive technology supply chain threat.
Recorded Future Posts Assessment on Geopolitical and Supply Chain Risks From the Huawei Monoculture (CTOvision.com) I’ve been reading cyber threat intelligence assessments since the beginnings of the digital age. Not sure if I’ve seen a million of them but it sure seems like I have. I feel like the one I just read by Priscilla Moriuchi at Recorded Future is one of the best and I would like to endorse …
An Iranian Activist Wrote Dozens of Articles for Right-Wing Outlets. But Is He a Real Person? (The Intercept) The writer Heshmat Alavi pushes regime change in Iran. But an MEK defector says the controversial, exiled, opposition group created the persona.
Vulnerability Summary for the Week of June 3, 2019 (US-CERT) The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Critical Flaws in Amcrest HDSeries Camera Allow Complete Takeover (Threatpost) Time's up on public disclosure of six serious bugs impacting the vendor’s IPM-721S model security camera.
Hack that cost Baltimore $18M a mystery after experts eye NSA link (UPI) Weeks after Baltimore fell victim to ransomware known as "RobbinHood," government officials and intelligence agencies don't have a clear picture of exactly what -- or who -- caused the crippling cyberattack.
Baltimore ransomware update: what city residents need to know about water bills, taxes, tickets and more (Baltimore Sun) Baltimore City officials say 65% of employees have email access and expect 95% of email addresses to be restored next week.
Microsoft warns of time-travelling equation exploit – are you safe? (Naked Security) An Office bug that was squashed back in 2017 is still in widespread use – make sure your computer hasn’t slipped through the patch cracks!
The GoldBrute botnet is trying to crack open 1.5 million RDP servers (Naked Security) Even its most optimistic users would have to concede that it’s been a bracing few weeks for anyone who relies on Microsoft’s Remote Desktop Protocol (RDP).
Cryptocurrency attack thwarted by npm team (Naked Security) Cryptocurrency users narrowly escaped losing all their funds last week after an attacker poisoned a digital wallet with malicious code that stole their blockchain access details.
Personal data of 900k Russians leaked online from 3 Russian banks (Indiablooms.com) Almost 900,000 Russians have had their personal data, including passport details, phone numbers, and work and home addresses, leaked online from three Russian banks and may now fall victim to spamming and even fraud, Russia's Kommersant newspaper reported on Monday, citing Moscow-based data security company DeviceLock.
Chinese Uni Exposes 8TB+ of Email Metadata (Infosecurity Magazine) Misconfigured Elasticsearch database again to blame
Amitabh Bachchan's Twitter hacked with photo of Pakistani PM Imran Khan (HackRead) Turkish hackers left a message protesting against Ireland on a Twitter account owned by the Indian actor.
U.S. Customs and Border Protection says photos of travelers were taken in a data breach (Washington Post) CBP says photos of travelers have been compromised as part of a “malicious cyber-attack,” raising concerns over how expanding surveillance efforts could imperil privacy.
Border Agency’s Images of Travelers Stolen in Hack (New York Times) The government said tens of thousands of images of travelers and license plates had been hacked after they were transferred without authorization by a subcontractor.
CBP says photos of U.S. travelers, license plate images were stolen in data breach (TheHill) Photos of U.S. travelers and license plate images were recently stolen from a database maintained by Customs and Border Protection (CBP), the agency confirmed on Monday.
CBP Says Thousands of Traveler Photos Stolen in ‘Malicious Cyber-Attack’ (Nextgov.com) The breach happened at one of the agency’s subcontractors and didn’t involve any data collected under its facial recognition program, officials said.
Photos Of Travelers Coming In And Out Of The US Have Been Hacked And Stolen (BuzzFeed News) A Border Patrol database of traveler photos and license plate images was "compromised by a malicious cyber-attack."
Hackers Stole a Border Agency Database of Traveler Photos (WIRED) In compromising a Customs and Border Protection subcontractor, hackers make off with photos of travelers and license plates.
This Is Exactly What Privacy Experts Said Would Happen (The Atlantic) CBP’s trove of biometric data is catnip for bad actors.
Troubled JRSS Cyber System Exposes DoD Data, Says DoD IG (Breaking Defense) JRSS is not secure enough so DoD data is at risk. Operators don’t have the tools they need to properly monitor and troubleshoot the system and the training to run it properly.
FBI Issues Warning on ‘Secure’ Websites Used For Phishing (BleepingComputer) FBI issued a public service announcement regarding TLS-secured websites being actively used by malicious actors in phishing campaigns to trick users into trusting attacker-controlled sites and handing over sensitive personal information.
'jesushelpme' Password Sums Up CyberSec Agency Security State (BleepingComputer) Agents of the Information Network Security Agency (INSA), the top-level cyber security agency in Ethiopia, used laughably weak credentials to protect their email accounts.
Can't get infected via email if your messages aren't delivered: Seven-hour slowdown hits Symantec cloud filters (Register) Wondering why your inbox was so clear? Bad news…
Security Patches, Mitigations, and Software Updates
Download the Windows 10 June Patch Tuesday Updates today (Windows Report) It's Patch Tuesday again. Microsoft will start releasing the June 2019 Patch Tuesday cumulative updates within the next few hours.
VLC Player Gets Patched for Two High Severity Bugs (Threatpost) Popular media player receives 33 security bug fixes, two of which are rated high severity.
Cyber Trends
Managing endpoint devices: As big a challenge today as it's ever been? (Computing) Client management has always been a tough job, but will adding IoT devices to the mix make it even more complicated?
Protecting against cyberthreats in the hospitality sector (Intelligent CIO Kuwait) The hospitality sector is facing up to an increase in cyberattacks and, as an industry known for holding huge amounts of data, it’s critical that CISOs and their teams know where the threats are coming from and how they can be defended against.
Cybercriminals Topmost Source of Distrust in India (Silicon India) Cybercriminals remain the number one source of distrust in the Internet in India where 79 per cent of people say...
Marketplace
The top 11 VC investors in cybersecurity (PitchBook) Cybersecurity will likely continue to be a valuable industry as long as the internet and its accompanying threats persist. We took a look at the top investors in the sector.
IT Unemployment Rate Estimated at 20-Year Low (Wall Street Journal) Demand is surging for information-technology workers with advanced digital skills, as more companies seek help developing data analytics, artificial intelligence and other emerging business tools.
Why There's More To Cybersecurity Recruitment Than Just Job Titles (Forbes) When it comes to protecting a business against outside threats, it’s essential that those hiring cyber talent look beyond just the job title
IBM Lays Off 1,700 Employees as Part of Restructuring Plan (Yahoo) IBM's focus on expanding product offerings for customers bodes well. Also, the company's improving position in the hosted cloud, security and analytics are key positives.
Under fire by U.S. regulators, Chinese telecom lobbying skyrocketed in 2018 (Fast Company) ZTE, which is banned from purchasing key components from the U.S., increased its lobbying sixfold last year—from $570,000 to $3.7 million.
Thales Acquires Psibernetix for Decisive Technologies in Artificial Intelligence (Newswire Today) Thales announces it has acquired the artificial intelligence (AI) company Psibernetix to help create Certifiable Artificial Intelligence
Have I Been Pwned is looking for a new owner (TechCrunch) Troy Hunt has revealed he’s looking for an acquirer for the breach notification service he set up more than five years ago — aka: Have I Been Pwned. In a blog post discussing the future of the service, Hunt details how traffic to the site has exploded since January when he uploaded a ma…
Salesforce acquires Tableau Software in $15.7 billion deal (ZDNet) Salesforce is ramping up its analytics and digital transformation game with the massive purchase.
Raytheon, United Technologies Merger: Biggest Cybersecurity Due Diligence Ever? (MSSP Alert) Raytheon-United Technologies merger prompts intense cybersecurity due diligence to discover, mitigate & disclose potential breaches & malware attacks. Neither government contractor has suffered a major cyber incident in recent years, the duo says.
United Technologies, Raytheon Merger: Forcepoint, Cybersecurity, MSSP Questions (MSSP Alert) Raytheon & United Technologies merger: What are Raytheon's plans for Forcepoint cybersecurity business unit, MSSP & MDR (managed detection and response) assets?
Why the new Raytheon Technologies will eschew platforms for new technology development (Defense News) “Platform agnostic.”
United Technologies Is Making an Odd Takeover Offer for Raytheon (Barron's) United Technologies’ merger with Raytheon, announced Sunday, is an unusual one on Wall Street. It is an acquisition to be paid for with currency that doesn’t exist yet.
Trump fears Raytheon-UTC deal hurts competition. Not so fast, analyst says. (Washington Business Journal) President Donald Trump belied his trepidation on CNBC that the deal could reduce competition in the market, but aerospace and defense industry analyst Loren Thompson isn't sweating it.
Edgewise Networks Raises $11 Million in New Financing Led By .406 Ventures and Accomplice (Edgewise) Edgewise Networks raises $11 million in new funding led by .406 Ventures and Accomplice, with additional participation from Pillar.
Privitar locks down $40M to help businesses protect your data (Built In Boston) With every new data scandal that pops up in the news, calls for better data security and privacy have only grown louder.
GSA Issues Discovery BPA for Centers of Excellence (G2Xchange) The U.S. General Services Administration’s Technology Transformation Services, along with the team in GSA Region 1 Assisted Acquisition Services, issued the Centers of Excellence (CoE) Discovery Blanket Purchase Agreement (Discovery BPA) on May 21, 2019.
MongoDB Achieves Two Key Security Benchmarks (Yahoo) ISO/IEC 27001 certification achieved on first attempt; company earns DISA STIG approval to operate on US Department of Defense Networks
AI security startup Darktrace’s CEO defeats buzzword bingo with trust and transparency (TechCrunch) It takes a lot of trust to allow a company to come in and install a mystery box on their network to monitor for threats. It’s like inviting in a security guard to sit in your living room to make sure nobody breaks in. Yet that’s exactly what Darktrace does. (The box, not the security …
Products, Services, and Solutions
SecBI Amplifies Its Threat Detection Solution With Automated Response (PR Newswire) SecBI, a disruptive player in cyber threat management, today announced the extension of its agent-less, threat...
Introducing 1-Click Auto-Segmentation from Edgewise (Edgewise) Edgewise introduces 1-click zero trust auto-segmentation, allowing companies to microsegment networks without added complexity and cost, and provides provable ROI.
Cisco Catalyst Switches Embed Nozomi Networks Solution (Nozomi Networks) This week at Cisco Live!, Nozomi Networks is proudly introducing its solution for real-time cyber security and OT network visibility on Cisco Catalyst 9300 Series switches. Find out about this consolidated offering that gives industrial operators a powerful switching platform with built-in industrial cyber security capabilities.
Forcepoint goes to Amazon Web Services to support new edge security offering (Data Economy) The company is an established Equinix colocation user for its operations but it wants to get closer to its customers through the cloud.
Cisco simplifies intent-based networking and certifications (CRN Australia) More automation and new certifications star at Cisco Live.
Fortinet expands its partner focused Security as a Service Cloud offerings (BW CIOWORLD) Fortinet now offers Appliance, Virtual Machine, Native Cloud and SaaS delivery of the Security Fabric
nuPSYS' IoT Solution Integrated with Cisco-Kinetic IoT Platform Showcased at CiscoLive 2019: Cisco-Innovations Booth (Yahoo) nuPSYS—an innovation leader in Internet of Things (IoT) solutions for Industrial-IoT & Operational Technology (OT), infrastructure, and networks—is pleased ...
Xton Expands Privileged Access Manager Integrations with Azure AD, YubiKey and ServiceNow (PR Newswire) Xton Technologies, a provider of privileged access management (PAM) solutions, announces that Xton Access Manager...
Technologies, Techniques, and Standards
Pentagon to Unveil New Cybersecurity Maturity Model Certification (CMMC) for Defense Contractors (JD Supra) The Department of Defense announced that it is developing a new cybersecurity standard and certification for defense contractors. It is named the...
FTP Logs Used to Determine Attack Vector (Sucuri Blog) We show how changing passwords is crucial to your website security. In this case, malicious users uploaded malware via FTP.
Under attack: How the DoD can best protect and defend against cyberthreats (Fifth Domain) Federal agencies, like the Defense Department, can turn the tide to more nimbly detect hackers and prevent future threats, but they must start rethinking now.
When Encryption Algorithms Fail, a Crypto Agility Plan Helps Protect Your Crown Jewels (Security Intelligence) A crypto agility plan can help minimize panic and chaos should the need arise to quickly switch encryption algorithms.
Online shops fear 2FA at checkout will increase abandoned carts (Naked Security) A report says the EU will lose $64b per year once new 2FA rules go into effect, but we support Strong Customer Authentication (SCA) wholeheartedly.
Xconomy: 3 Tips to Boost Security, Trust With Increasingly Remote Workforce (Xconomy) Employers are increasingly offering remote work options as a differentiator to attract top talent in today’s competitive hiring market. And, with modern
Network tokenization versus PCI tokenization: five key differences (Rambus) The concept of tokenization is not a new one in the payments industry. Solutions that replace sensitive data with a non-sensitive equivalent have been around for years in various forms. But as the digital payments ecosystem continues to expand, it is becoming increasingly apparent that ‘payment tokenization’ solutions, …
Design and Innovation
NARA considers blockchain to verify records amid rise in deepfake videos (Federal News Network) The National Archives and Records Administration considers a growing role in blockchain authenticating digital copies of its images and videos.
The important lessons of federal blockchain projects (Federal Times) There are challenges in data sharing and employee education slowing widespread government adoption of emerging technologies.
Fans Are Better Than Tech at Organizing Information Online (WIRED) Archive of Our Own, the fanfiction database recently nominated for a Hugo, has perfected a system of tagging that the rest of the web could emulate.
Research and Development
Thinking About Thinking: Exploring Bias in Cybersecurity with Insights from Cognitive Science (Forcepoint) When situations are less than clear cut, our initial reactions and decisions can be driven by unconscious biases.
Machine behavior: A field of study to explore intelligent machines as independent agents (Phys.org) In 1969, artificial-intelligence pioneer and Nobel laureate Herbert Simon proposed a new science, one that approached the study of artificial objects just as one would study natural objects.
The bright side of super intelligence (IOL Business Report) OPINION: The creation of superintelligent machines may still be decades away, but people already fear the impact it might have … writes Paul Stemmet.
Academia
Coventry University puts security at the heart of its cloud-first strategy (CSO Online) The school goes cloud-first but aims to lead its sector when it comes to cybersecurity.
Majesty of Cambridge science and technology honoured by The Queen (Business Weekly) Cambridge and East of England life science, industry and technology entrepreneurs figured large in the Queen’s birthday honours list. Dr Jane Osbourn, Vice-President of Research & Development at AstraZeneca and chair of the UK BioIndustry Association, and Darktrace co-founders Poppy Gustafsson and Jack Stockdale all won OBEs.
Legislation, Policy, and Regulation
Estonia Speaks Out on Key Rules for Cyberspace (Just Security) Estonian President Kaljulaid stakes out bold positions on how international law applies in cyberspace.
US cannot ‘expect to stay safe,’ warns Iran’s foreign minister (Military Times) Iran’s foreign minister warned the U.S. on Monday that it “cannot expect to stay safe” after launching what he described as an economic war against Tehran, taking a hard-line stance amid a visit by Germany’s top diplomat seeking to defuse tensions.
Will China win the military AI race on the back of commercial technology? (C4ISRNET) Congressional hearing testimony suggests future competition with an uncertain outcome.
Tinder and the Russian Intelligence Services: It’s a Match! (Foreign Policy) Will Facebook and Twitter be next?
Russia Says Trump’s War on Huawei Risks ‘Destroying’ Tech World (Bloomberg) Russian 5G network may cost $7.7 billion to build, Akimov said. Deputy premier said conflict with Telegram’s Durov ‘painful’
Huawei Tells Parliament It’s No Security Threat, Aiming to Avoid a Ban (New York Times) British lawmakers questioned a Huawei executive on Monday about American allegations that the company poses a risk to national security.
UK carriers warn over ongoing Huawei 5G uncertainty: Report (TechCrunch) UK mobile network operators have drafted a letter urging the government for greater clarity on Chinese tech giant Huawei’s involvement in domestic 5G infrastructure, according to a report by the BBC. Huawei remains under a cloud of security suspicion attached to its relationship with the Chin…
Analysis | The Cybersecurity 202: Security experts alarmed that Trump may jettison Huawei penalties as part of trade deal (Washington Post) They worry Trump may bargain away national security for an economic advantage.
The White House needs to clarify its position on Huawei (CNBC) The White House needs to clarify its position on Huawei immediately, specifically whether American actions against the company fall under economic or national security concerns.
Trump is worried UTC-Raytheon merger will kill competition (CNN) Industrial conglomerate United Technologies and defense company Raytheon are set to merge, but the deal has at least one big critic: President Donald Trump.
Donald Trump on tech antitrust: ‘There’s something going on’ (The Verge) "We should be doing this. They’re our companies."
House passes bill to establish DHS cyber 'first responder' teams (TheHill) The House passed legislation by voice vote on Monday that would create “cyber incident response teams” at the Department of Homeland Security (DHS), which can be used to assist both government and private sector organizations after a data breach o
Why the intel community is at an inflection point with data (C4ISRNET) The Intelligence Community is entering a third inflection point, and the National Geospatial-Intelligence Agency is leading the way in adapting to it, says Principal Deputy Director of National Intelligence Sue Gordon.
Where is the investment in AI oversight, asks inspector general? (C4ISRNET) While developing artificial intelligence has become a priority for the Intelligence Community, the Inspector General of the Intelligence Community points out in a new report that there has been little investment in AI oversight.
Will the US ever get serious about security and privacy? (CSO Online) We have the ability to drastically reduce cybercrime. So why are we still failing?
Litigation, Investigation, and Law Enforcement
ICT industry readies for unprecedented probe (ITWeb) The US government gears up to investigate whether Amazon, Apple, Facebook and Google misused their massive market power.
Justice Department strikes deal with House Democrats over Mueller report evidence, Nadler says (CNN) House Judiciary Chairman Jerry Nadler said Monday that he has struck a deal with the Justice Department to begin providing Congress with some documents from the Mueller report related to obstruction of justice, putting off a looming court showdown between House Democrats and Justice over the report.
Laptops used in 2016 NC poll to be examined by feds – after 2.5 years (Naked Security) The e-voting vendor in North Carolina was spearphished days before the election but still went ahead and used remote access software.
Easter Bombings: Inside story on why the Sri Lankan intel chief was sacked (OneIndia) Sri Lanka's president, Maithripala Sirisena last week sacked the country's intelligence chief, Sisira Mendis. The action was taken after Mendis testified against the government in the Easter Sunday bombing probe by a parliamentary select committee.
DNS over HTTPS encryption will make it harder to block child-abuse images, warns UK's child exploitation watchdog (Computing) IWF's URL block list stops videos and images of child abuse from being accessed...
TalkTalk hacker Daniel Kelley, who also blackmailed company boss, jailed for four years (Computing) Kelley will serve the sentence in a young offenders' institution
They Just Won’t Die: Dark Web Drug Sellers Resist Police Crackdowns (New York Times) The notorious Silk Road site was shut down in 2013. Others have followed. But the online trafficking of illegal narcotics hasn’t abated.