The CyberWire Daily Briefing, 8.12.19

Dateline

Black Hat 2019: The Craziest, Most Terrifying Things We Saw (PCMAG) Black Hat is over for another year, but we'll be thinking of the fascinating and terrifying things we heard and saw for years to come.

#BHUSA: Schneier Advocates For Public Interest Technologists (Infosecurity Magazine) In his talk at Black Hat 2019 in Las Vegas, Bruce Schneier emphasized the importance of tech experts being involved in setting public policy though the role of public interest technologist.

Lawmakers embrace hackers in Vegas as 2020 election looms (FOX 61) Multiple members of congress, dozens of congressional staffers and members of the intelligence community are gathering in Las Vegas this weekend to rub shoulders with hackers at Def Con, one of the world's largest hacking conferences.

Automakers warm up to friendly hackers at cybersecurity conference (Reuters) At a conference where hackers can try their hand at picking locks and discover c...

Black Hat 2019: Addressing Supply-Chain Risk Starts with People, Microsoft Says (Threatpost) Hardware, software, services and people make up supply-chain risk — but the latter should be the guiding focus.

#BHUSA: Why Standards and DNS Are Key to Email Security (Infosecurity Magazine) Outlining standards and techniques used to combat phishing

Critical Windows 10 Warning: Millions Of Users At Risk (Forbes) All modern versions of Windows affected by firmware driver vulnerability revealed at the DEF CON hacker convention. Here's everything you need to know.

That 4G hotspot could be a hotbed for hackers (CNET) Security researchers found serious vulnerabilities with a line of devices that gave potential hackers full access.

Watch a Drone Take Over a Nearby Smart TV (Wired) Smart TVs continue to look dumber by the day.

A Remote-Start App Exposed Thousands of Cars to Hackers (WIRED) The bugs could have let an industrious hacker locate cars, unlock them, and start them up from anywhere with an internet connection.

This Teen Hacker Found Bugs in School Software That Exposed Millions of Records (WIRED) Some kids play in a band after school. Bill Demirkapi hacked two education software giants.

Hackers Take on Darpa's $10 Million Voting Machine (WIRED) At this year's Defcon hacking conference, Darpa brought the beginnings of what it hopes will be impervious hardware.

DARPA's $10 million voting machine couldn't be hacked at Defcon (for the wrong reasons) (CNET) The voting machine was supposed to be available for hackers to find security flaws. An unexpected bug stopped the experiment from starting until Defcon's day.

How Safecrackers Can Unlock an ATM in Minutes—Without Leaving a Trace (WIRED) At Defcon this week, security researcher Mike Davis will show how he can pick the lock of an ATM safe in no time, thanks to its electric leaks.

DEF CON 2019: Researchers Demo Hacking Google Home for RCE (Threatpost) Researcher show how they hacked Google Home smart speakers using the Megellan vulnerability.

Hackers Can Turn Everyday Speakers Into Acoustic Cyberweapons (WIRED) A security researcher has demonstrated how to force everyday commercial speakers to emit harmful sounds.

A sonic cyberattack could hijack a device's speakers (Yahoo) Weapons that injure crowds of people by emitting dangerous sounds may seem like the stuff of science fiction. Unfortunately, malicious hackers might be able to do just that -- but with Bluetooth- or WiFi-capable smartphones, headphones, speakers, or laptops.Researcher Matt Wixey is unveiling research

Inside the Hidden World of Hacking Elevator Phones (WIRED) Eavesdropping, reprogramming, talking to strangers: Welcome to the harmless and not-so-harmless fun of hacking elevator call boxes.

What a security researcher learned from monitoring traffic at Defcon (CNET) He spent thousands on a data-collecting monstrosity to figure out why people considered the security conference's network dangerous.

DEF CON 2019: New Class of SQLite Exploits Open Door to iPhone Hack (Threatpost) Researchers exploit a SQLite memory corruption issue outside of a browser.

#dianainitiative2019: Fight Against FUD With Education (Infosecurity Magazine) Increase education of problems and ask the right questions to defeat FUD.

#dianainitiative2019: Certifications, Careers and Prohibitors for Women in Cybersecurity (Infosecurity Magazine) A panel shared advice on careers and certification at the women's security conference.

ZeroFOX's new AI capabilities improve detection of deepfake videos (Help Net Security) ZeroFOX announced the latest evolution of its artificial intelligence (AI) capabilities with the release of new video analysis features.

Bishop Fox Introduces New AI-Based, OSP Tool at 2019 Black Hat Arsenal (AiThority) Bishop Fox, the largest private professional services firm focused on offensive security testing, has created a new AI-based,

Endgame, MRG Effitas and VMRay Partner on Machine Learning Static Evasion Contest (Yahoo) Cybersecurity vendors Endgame and VMRay, and testing house MRG Effitas, announced today that they have partnered under AI Village to launch the Machine Learning Static Evasion Contest at DEF CON 27. The second annual AI Village is a place where experts in artificial intelligence (AI) and security can

Black Hat Talk About ‘Time AI’ Causes Uproar, Is Deleted By Conference (Vice) A controversial sponsored talk at the Black Hat security conference caused an uproar among security professionals and prompted the conference to delete the talk from the internet.

Crown Sterling Issues Statement Regarding Recent Allegations Made at Black Hat 2019 (BusinessWire) Crown Sterling, an emerging digital cryptography firm, today issued a statement to address recent claims made at Black Hat 2019 regarding the company’

Black Hat 2019 | It's a Wrap! (SentinelOne) Missed out on all the Black Hat fun? Never mind, catch up with the latest innovations as we round up our final day at Black Hat USA 2019

Black Hat USA 2019 Cybersecurity Conference: Day 4 News (MSSP Alert) Black Hat USA 2019 conference news spans MSSPs, AT&T Cybersecurity, Carbon Black, BlackBerry, enSilo, ID Experts, SentinelOne, ThreatConnect, Virtru & more.

Cyber Attacks, Threats, and Vulnerabilities

U.K. Seeks Answers After Biggest Power Failure in a Decade (New York Times) The country’s energy regulator has asked for a report after around a million homes were left without electricity on Friday.

Cyber-attack ruled out in UK power outage (New York Post) Neither a cyber-attack nor unpredictable wind power generation were behind a power outage that left nearly one million people in England and Wales in the dark Friday. The outage stranded trains, di…

The Observer view on Britain’s blackout | Observer editorial (the Guardian) Last week’s widespread disruption illuminated the brittle nature of our infrastructure

The Evolution of Russia's Dark Web (PCMAG) Russia is the birthplace of the dark web, and its tech-savvy population includes some brilliant hackers. We talk to two researchers who will present a report on the topic here at Black Hat.

The Dark Side of Russia: How New Internet Laws and Nationalism Fuel Russian Cybercrime (IntSights) The Dark Side of Russia: How New Internet Laws and Nationalism Fuel Russian Cybercrime

Who is GOSSIPGIRL: Revisiting the Threat Actor Supergroup (Infosecurity Magazine) This whitepaper investigates the connection between Flame and the O.G. threat actor super group GOSSIPGIRL.

China’s cyber-spies make money on the side by hacking video games (MIT Technology Review) Just because you’re a world-class Chinese government hacker busy conducting espionage against geopolitical adversaries doesn’t mean you can’t make a little extra money on the side.The hackers behind a sophisticated seven-year Chinese government intelligence operation simultaneously use their talents to hack for personal profit by putting a bull’s-eye on targets in the cryptocurrency and video game industries, according to the American security firm FireEye.

Robocall blocking apps caught sending your data without permission (TechCrunch) Robocall-blocking apps promise to rid your life of spoofed and spam phone calls. But are they as trustworthy as they claim to be? One security researcher said many of these apps can violate your privacy as soon as they are opened. Dan Hastings, a senior security consultant at cybersecurity firm NCC…

Your Skype Translator calls may be heard by humans (Naked Security) A Skype Translator insider claims it’s good because humans are listening in and helping to train its artificial intelligence.

New Ursnif Variant Spreads Through Infected Word Documents (BankInfo Security) A new variant of the Ursnif Trojan is targeting vulnerable systems in an attempt to steal banking passwords and other credentials. The malware is spreading through

Google Reveals That Android Has Been Selling Phones with Pre-Loaded Malware (KoDDoS Blog) It came to prominence this week that tens of millions of smartphones with the Android operating system have dangerous malware preloaded.

Bishop Fox Finds Trove of Secrets on Amazon Elastic Block Store (Yahoo) Bishop Fox, the largest private professional services firm focused on offensive security testing, has discovered a flaw in Amazon's Elastic Block Store (Amazon EBS) that makes many users' virtual hard disk available to anyone on the internet. Security Associate

Say Cheese: Ransomware-ing a DSLR Camera (Check Point Research) Research by: Eyal Itkin TL;DR Cameras. We take them to every important life event, we bring them on our vacations, and we store them in a protective case to keep them safe during transit. Cameras are more than just a tool or toy; we entrust them with our very memories, and so they are very important... Click to Read More

Vulnerabilities found in more than 40 Windows device drivers that could be exploited to compromise PCs and servers (Computing) The drivers belong to 20 Microsoft-certified hardware and BIOS vendors, including Intel and Huawei

Screwed Drivers – Signed, Sealed, Delivered (Eclypsium) Download the PDF > Introduction Common Design Flaw In Dozens of Device Drivers Allows Widespread Windows Compromise As part of Eclypsium’s ongoing hardware and firmware security research, we have become increasingly interested in the area of insecure drivers and how they can be abused in an attack against a device.…

Nasty New Malware Waits Until You Visit A Pornsite, Then Starts Recording (Forbes) Did Black Mirror just come to life?

iNSYNQ Ransom Attack Began With Phishing Email (KrebsOnSecurity) A ransomware outbreak that hit QuickBooks cloud hosting firm iNSYNQ in mid-July appears to have started with an email phishing attack that snared an employee working in sales for the company, KrebsOnSecurity has learned.

Anatomy of an attack: How Coinbase was targeted with emails booby-trapped with Firefox zero-days (Register) Elaborate browser break-out betrayed by unusual behavior

Phishing: Watch out for this new version of trojan malware that spreads through malicious Word documents (CRYPTOID) Now researchers at cybersecurity firm Fortinet have identified a new version of Ursnif in the wild that is spreading via phishing emails containing weaponised Word documents.

Ransomware Attacks Shift Tactics (Security Boulevard) According to recent research, malicious encryption of shared network files is now the most popular form of ransomware attacks.

Smishing and vishing: How these cyber attacks work and how to prevent them (CSO Online) Smishing and vishing are types of phishing attacks that try to lure victims via SMS message and voice calls. Both rely on the same emotional appeals employed in traditional phishing scams and are designed to drive you into urgent action. The difference is the delivery method.

Blackmailed for Bitcoin – exchange rebuffs $3.5m ransom demand (Naked Security) Here’s a story of super-sized digital blackmail aimed at one of the biggest cryptocoin exchanges out there.

Instagram boots ad partner for location tracking and scraping stories (Naked Security) A “preferred Facebook Marketing Partner” is alleged to have tracked millions of Instagram users’ locations and stories.

Teenagers watching Fortnite streams targeted by hacking campaign (The Telegraph) Parents of children who watch gaming streams on Twitch or YouTube on their phones or computers may be at risk of fraud thanks to a six-month long hacking rampage that targeted gamers.

TfL Suspends Oyster Site After Credential Stuffing Blitz (Infosecurity Magazine) Customers encouraged not to reuse passwords

Parents, it’s time to delete Pet Chat from your child’s LeapPad (Naked Security) LeapFrog has done lots to fix the security of the LeapPad. Now all that’s left is for parents to scrape Pet Chat off of older tablets.

Officials: Elk County school district gets hit with cyber-attack, investigation is ongoing (WTAJ) The Ridgway Area School District reported that they were hit with an electronic virus on July 30, 2019. The virus locked network servers and files, limiting …

Officials: Elk County school targeted in national cyber attack, DHS investigating (WJAC) An Elk County school district is part of a Department of Homeland Security investigation after an apparent cyberattack targeted school districts, police departments and municipalities across the country, Ridgway Area School District officials wrote in a Facebook post. School officials say the school district was hit with an electronic virus July 30 that locked network servers and files and limited access to users.

8Chan Refugees Blow Their Anonymity (The Daily Beast) An unofficial new version of the hate-filled forum isn’t as anonymous as its users might hope.

Security Patches, Mitigations, and Software Updates

Security researchers find that DSLR cameras are vulnerable to ransomware attack (The Verge) Canon has issued a security advisory and firmware patch for the vulnerability

Valve fixes zero-day exploit for Steam in latest beta (Neowin) Valve has now begun fixing a zero-day exploit in Steam that could result in an escalation of privilege attack, after public criticism from the researcher who found it made headlines.

Cyber Trends

How tech is transforming the intelligence industry (TechCrunch) Shay Hershkovitz Contributor Share on Twitter Shay Hershkovitz is a Senior Research Fellow at The Intelligence Methodology Research Center (IMRC). At a conference on the future challenges of intelligence organizations held in 2018, former Director of National Intelligence Dan Coats argued that he t…

Opinion | Epstein Suicide Conspiracies Show How Our Information System Is Poisoned (New York Times) With each news cycle, the false-information system grows more efficient.

The age of cyber influencing (The Express Tribune) Like it or not, the age of cyber influencing is upon us and only time will tell what it is capable of

How physical systems integrators can monetize cybersecurity (SecurityInfoWatch) Using your current model for physical assessment and deployment can be mirrored when adding cybersecurity services

Vietnam suffers the most Southeast Asia offline cyber attacks Q2 2019 (KrASIA) The levels of Vietnamese spoken in hacker forums and on the dark web appears to have risen significantly in recent times.

Marketplace

‘Shark Tank’ Star Herjavec: Broadcom-Symantec Deal Is A Dinosaur ‘Buying Another Dinosaur’ (CRN) Robert Herjavec is skeptical that Broadcom's proposed $10.7 billion purchase of Symantec's enterprise security business will help the later catch up with the likes of CrowdStrike.

Apple's $1 Million Bug Bounty Comes Under Fire (Infosecurity Magazine) Apple’s $1 million bug bounty is being criticized.

McAfee buys container security startup NanoSec (ZDNet) McAfee intends to use NanoSec to bolster its MVISION Cloud and MVISION Server Protection products.

McAfee acquires Cupertino-based security platform NanoSec (Silicon Valley Business Journal) Cybersecurity company McAfee on Friday announced its acquisition of NanoSec, a Cupertino-based company that's focused on keeping applications secure. Neither company disclosed the financials behind the purchase.

Why Broadcom Is Buying Symantec's Enterprise Security Business For $10.7 Billion: Analysis (Forbes) Atherton Research's Principal Analyst and Futurist Jeb Su reviews Broadcom's $10.7 billion acquisition of Symantec's enterprise business.

Broadcom CEO says Symantec will focus on endpoint, web, and DLP (CRN Australia) CEO Hock Tan expects to nearly quadruple Symantec's enterprise security EBITDA.

ManTech eyes greater geospatial, automation capabilities in latest acquisition (Washington Technology) ManTech International already is a significant provider of cyber and IT services to NGA. The company sees its latest acquisition of a business co-founded one of their former executives as adding the geospatial and analytics piece.

G4S carve-out lacks compelling valuation bump (breakingviews.com) The British security firm is spinning off its cash-handling unit, a no-brainer given the shift to digital money. That allows more focus on its core business of guarding people and businesses. But a share price bump requires investors to place a high value on the latter.

Report: Palantir's U.S. government contracts top $1.5B (Silicon Valley Business Journal) Alex Karp, the head of Palantir, whose software has been used to target terrorists, at the company's headquarters in Palo Alto, Calif., on March 13, 2014. Karp says American companies have a moral obligation to support the country and its military no matter who is president.

Preclusio uses machine learning to comply with GDPR, other privacy regulations (TechCrunch) As privacy regulations like GDPR and the California Consumer Privacy Act proliferate, more startups are looking to help companies comply. Enter Preclusio, a member of the Y Combinator Summer 2019 class, which has developed a machine learning-fueled solution to help companies adhere to these privacy…

The Techlash Has Come to Stanford (Slate Magazine) Even in the famed computer science program, students are no longer sure they’d go to work for Facebook or Google.

New funding for York College 'Knowledge Park' gives startups room to grow (York Dispatch) Land purchased by York College more than 10 years ago will finally see a purpose, thanks to a state grant that will fund a Knowledge Park.

Products, Services, and Solutions

Denim Group Incorporates Jenkins Plugin into ThreadFix Vulnerability Management Platform (BusinessWire) Denim Group, the leading independent application security firm, today announced the latest version of their Jenkins Plugin to integrate with their fla

Technologies, Techniques, and Standards

Does the Solution to the Cyber Skills Gap Already Exist? (SIGNAL Magazine) The MITRE ATT&CK Framework may be as effective at enhancing cyber defense skills as it is at identifying the adversary’s antics.

How to give the military’s tactical information warriors a chance (Fifth Domain) When Jim Mattis stepped down as the Secretary of Defense, momentum for information operations slowed. Here's how Pentagon leaders could accelerate it again.

This 3-star Army general explains what multi-domain operations mean for you (Army Times) Lt. Gen. Eric Wesley heads the Army Futures Command Future Concepts Center.

Digital Stiletto: Army Pursues Precision Electronic Warfare (Breaking Defense) The US Army can't match Russia's battalions of powerful radio jammers. Instead, it wants to build a nimble high-tech David to defeat the EW Goliath.

Here Is How The Pentagon Comes Up With Code Words And Secret Project Nicknames (The Drive) We venture into the dark, fascinating, and often misunderstood world of the Defense Department's code word and nickname generating processes.

Design and Innovation

Twitter backs down, allows McConnell to post video of protestor threats (Ars Technica) Twitter has struggled to develop consistent moderation policies.

Think Twice When You Limit Online Speech to Curb Violence (Wired) Opinion: Silencing forums that spread mass violence can also silence the marginalized

Shoot-'Em-Up Videogames Don't Warp Minds—Big Tech Does (WIRED) It takes a lot of effort, research, and efficiency to manipulate people online and influence their behavior in the real world. Silicon Valley has it down to a science.

YouTube’s Susan Wojcicki: 'Where's the line of free speech – are you removing voices that should be heard?' (the Guardian) As the crisis-hit video site struggles to stem the flow of extreme content, the CEO talks about her role as the internet’s gatekeeper

White Nationalists Have Flocked to Telegram (Slate Magazine) The encrypted app was built for pro-democracy activists. Now it’s the latest stop for groups banned for hate speech by Facebook and Twitter.

Research and Development

Stanford University and Avast team up to examine cyber risks of connected homes (WhaTech) Internet security providers Avast have released a report, in conjunction with Stanford University, that looks at the growing adoption of IoT and connected devices in homes around the world, and how this is exposing home networks to increased risk of cyber attack.

Focus: Entangling Photon Sources on a Tiny Bridge (Physics) Researchers entangled a pair of atomic-scale light emitters in a micrometer-scale device, which could potentially be useful for quantum communication and cryptography.

Academia

Top secret teens: The high schoolers recruited by the National Security Agency (CNN) Summer's high school friends think she's monitoring their phones and listening in on their conversations. They speculate about the "wild things" she does at work and jokingly accuse her of being a spy.

NSA program trains high school students in work study program (SC Media) The National Security Agency (NSA) is tapping high school students, as part of a work study program, to polish their cyber skills and lure them into

Legislation, Policy and Regulation

Iran's Spies Are at War With Each Other (Foreign Policy) As international tensions rise, two different branches of the Iranian security state are increasingly butting heads.

Russian Intel Agencies Are a Toxic Stew of Competition and Sabotage (PCMAG) Western audiences might view the disarray in Russian's intelligence agencies as a good thing, but security expert Kimberly Zenz argues at Black Hat that it just encourages risky behavior.

Trump says US won't do business with Huawei (CNET) The trade war with China continues.

Foreign Ministry Spokesperson Hua Chunying's Remarks on August 9, 2019 (MInistry of Foreign Affairs of the People's Republic of China) ...Q: According to a report issued by the cyber-research firm FireEye, a hacker group working for the Chinese government attacked game companies and cryptocurrency providers for personal profit. FireEye said those hackers work for the Chinese government and are involved in commercial hacking behaviors for profit. I wonder what is your response?

Top DHS cyber official calls paper ballot backups necessary for 2020 election (CNN) The top cybersecurity official at the Department of Homeland Security said Friday that backup paper ballots would be a necessary part of 2020 election security.

Trump ‘In No Rush’ to Select Permanent Intelligence Chief (Wall Street Journal) President Trump said he was in no hurry to select a candidate for the nation’s permanent intelligence chief, after current and former national-security officials and Democratic lawmakers warned of instability following the ouster of the director of national intelligence and his top deputy.

Temporary spy chief calms unease over Trump's shakeup — for now (POLITICO) Joseph Maguire's selection comes after several months of instability in several key national security posts.

Passed over by Trump for top job, intel deputy chief Sue Gordon quits (NBC News) Gordon, a career CIA official, told the White House she would leave after learning she would be passed over as director of national intelligence.

Top intel official interrupted meeting to urge his deputy to resign (CNN) The country's No. 2 intelligence official, Sue Gordon, knew it was likely she would have to eventually step down from her post, but the timing of that decision became more urgent on Thursday after her boss -- outgoing spy chief Dan Coats -- interrupted a meeting she was holding on election security and asked his deputy to submit her letter of resignation, sources familiar with the events told CNN.

Air Force cyber commander departing (Fifth Domain) Maj. Gen. Robert Skinner is leaving AFCYBER.

New York State Toughens Data Security Laws (Cooley) On July 25, 2019, New York enacted a pair of data security laws. First, the Stop Hack and Improve Electronic Data Security Act (SHIELD Act) updates New York’s data security requirements. Second, th…

Litigation, Investigation, and Enforcement

Russia demands Google delete anti-government protest videos from YouTube (Deutsche Welle) Russia's media oversight agency has demanded Google take action to stop the spread of information about illegal mass protests. Thousands of its YouTube channels livestreamed one of Russia's biggest demos on Saturday.

Opinion | Egypt seized a U.S. art teacher over her Facebook posts. Trump must get her free. (Washington Post) The Trump administration must do more for Americans being held by the Sissi regime.

Senators Release New Details of Expanded Department of Homeland Security Watchdog Probe of Customs and Border Protection Surveillance of Journalists, Activists, and Lawyers (Sierra Sun Times) U.S. Senators Kamala D. Harris (D-CA), Tom Udall (D-NM), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) on Thursday released customs border patrol logoa letter from the Department of Homeland Security (DHS) Inspector General (OIG) detailing its investigation into the alleged compiling of lists and targeted government surveillance of journalists, activists, and lawyers at the U.S.-Mexico border by Customs and Border Protection (CBP).

Amazon’s lead EU data regulator is asking questions about Alexa privacy (TechCrunch) Amazon’s lead data regulator in Europe, Luxembourg’s National Commission for Data Protection, has raised privacy concerns about its use of manual human reviews of Alexa AI voice assistant recordings. A spokesman for the regulator confirmed in an email to TechCrunch it is discussing the …

Judge voids share waiver by co-founder of $220m startup (Globes) Tel Aviv District Court judge Magen Altuvia found that Moshe Ben-Abu's partners deprived him of most of his stake in cybersecurity company Cyvera, which was sold to Palo Alto for $220 million.

Bring your own context.