Cyber Attacks, Threats, and Vulnerabilities
The Islamic State Meets Southeast Asia (Foreign Affairs) ISIS seeks new outposts across the Indian Ocean.
ISIS leader calls on fighters to free detained comrades (Military Times) The leader of the Islamic State group released a new alleged audio recording Monday calling on members of the extremist group to do all they can to free IS detainees and women held in jails and camps.
Emotet is Back and Spamming Again (Infosecurity Magazine) New phishing campaign spotted in various languages
New Threat Actor Fraudulently Buys Digital Certificates to Spread Malware (Threatpost) ReversingLabs identified cybercriminals duping certificate authorities by impersonating legitimate entities and then selling the certificates on the black market.
Digital Certificates - Models for Trust and Targets for Misuse (ReversingLabs) Blog 6: A New Kind of Certificate Fraud: Executive Impersonation
Millions of Americans’ Medical Images and Data Are Available on the Internet. Anyone Can Take a Peek. — ProPublica (ProPublica) Hundreds of computer servers worldwide that store patient X-rays and MRIs are so insecure that anyone with a web browser or a few lines of computer code can view patient records. One expert warned about it for years.
Nexusguard Research Reveals 1,000% Increase in DNS Amplification Attacks Since Last Year (BusinessWire) DNS amplification attacks swelled in the second quarter of this year, with the amplified attacks spiking more than 1,000% compared with Q2 2018, accor
DNSSEC Fuels New Wave of DNS Amplification (Nexusguard) The continued adoption of DNSSEC as a solution to DNS cache poisoning is now causing a new set of problems previously underestimated. Advanced protection is a must to safeguard DNS servers.
iPhone lockscreen bypass: iOS 13 tricked into showing your contacts (Naked Security) This time, José Rodríguez came up with a way to trick the iOS 13 beta into showing its address book without the need to unlock the screen.
RISK: Is This Your Webcam? You’re Being Watched (WizCase) Wizcase has uncovered a significant amount of private web-connected cameras worldwide that are readily accessible to the general public. From these exposed ...
Webcam Security Snafus Expose 15,000 Devices (Infosecurity Magazine) Poorly configured systems create major security and privacy risk
Israeli cyber experts identify serious security flaw in digital cameras (Langdon Ledger) The latest models of digital cameras are increasingly vulnerable to ransomware and malware attacks through their USB and WiFi connectivity, researchers at leading Israeli cybersecurity company Check Point Software Technologies revealed on Sunday.
Superstorm Sandy Victims At Risk In FEMA Personal Data Breach (CBS News) FEMA is warning that personal data shared with a contractor that supports its transitional shelter assistance program may have been stolen.
When PSD2 Opens More Doors: The Risks of Open Banking (TrendLabs Security Intelligence Blog) We looked into the security implications of the changing banking paradigm with PSD2 in place. Our research highlights the current and new risks that the financial industry will have to defend against, and predict how cybercriminals will abuse and attack Open Banking.
New IRONSCALES Research Finds Microsoft ATP Takes Up to 250 Days to Create Phishing Attack Signatures (PRWeb) IRONSCALES, the world’s first automated phishing prevention, detection and response platform, today revealed that Microsoft Office 365 Adva
Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload (TrendLabs Security Intelligence Blog) We analyze a Linux malware called Skidmap, which has notable rootkit capabilities, and delivers a cryptocurrency-mining malware.
UAE residents targeted by ‘Better than Netflix’ Facebook scam (Gulf News) Phishing scam designed to steal credit card details aimed at UAE residents
Most Port Vulnerabilities Are Found in Three Ports (Infosecurity Magazine) Alert Logic report has some quick win advice for SMBs
Vulnerability Summary for the Week of September 9, 2019 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available
Security Patches, Mitigations, and Software Updates
Password-exposing bug purged from LastPass extensions (Ars Technica) Google Project Zero finds and reports flaw in widely used password manager.
Google fixes Chromebook 2FA flaw in ‘built-in security key’ (Naked Security) Google has discovered a flaw in a Chromebook security feature which allows owners to press their device’s power button to initiate U2F 2FA.
Cyber Trends
OT networking personnel need to work with engineering to address safety impacts – it isn’t happening (Control Global) It is unacceptable to take almost 4 years to recognize there are engineering issues associated with a cyber attack intended to damage equipment. It is even more unacceptable that after almost 4 years, OT still doesn’t get it right. Stuxnet, Triton, and CrashOverride/Industroyer point out the need for control system and safety engineers to be trained in cyber security and to be an integral part of the cyber security process. This is also why there is a crying need for an ICS conference whose focus is ICS not networks.
Caroline Calloway: How my best friend made me an internet pariah (Times) Caroline Calloway is an Instagram star who attracted media attention in 2015 after posting gushing dispatches about her life as an American student studying history of art at Cambridge. Beautiful...
There’s something of the troll in all of us (Times) Harry Tuttle was the character played by Robert De Niro in Terry Gilliam’s Brazil, but @arrytuttle was a pro-Corbyn footsoldier in the Labour antisemitism Twitter wars. He used to tweet me...
Marketplace
VMRay Closes $10 Million Series B Round (Yahoo) VMRay, a provider of automated malware analysis and detection solutions, today announced that it has closed its series B round of funding in the amount of $10 million (€9 million) led by Digital+ Partners, one of the leading technology growth equity firms in Europe, and supplemented eCAPITAL, an early
Pentagon’s Former Top Hacker Wants His Startup to Inject Some Silicon Valley into the Defense Industry (Defense One) "If the nerds don’t show up and work on the mission of national defense...then I’m not sure who will," says Chris Lynch, of Rebellion Defense.
How this Maryland startup plans to secure U.S. companies' intellectual property (Baltimore Business Journal) Strider aims to help companies avoid being spied on by foreign entities, and better protect their intellectual property.
Digital Bazaar and SecureKey Join Forces to Develop Global Standards for Organizational Identity (Yahoo) Digital Bazaar (https://digitalbazaar.com/) and SecureKey Technologies (https://securekey.com/) recently announced a strategic collaboration to leverage new digital identity standards intended to enhance existing paper-based identity verification processes
D3 CONNECTED Global Sales Channel and Partner Program Demonstrates Significant Growth in Q2 2019 (BusinessWire) D3 Security is announcing that their Partner Program has experienced significant growth since its inception in October of last year.
Put a stop-gap in your cybersecurity skills gap. (eSentire) How do cybersecurity pros on one side and organizations on the other view the industry skills shortage? Get new insights on causes and solutions for one of our industry’s biggest challenges.
City of Los Angeles and Goren Holm Ventures Partner to Host BlockTankLA at CIS and Issue $25K Pilot and $25K Minimum Investment to Blockchain Startup (BusinessWire) City of L.A. and GHV will host contest & award $25K pilot and $25K min. investment to blockchain startup at CIS, the world's top blockchain summit.
The DataTribe Way – Giving Cybersecurity Startups an Unfair Advantage (LinkedIn) Awareness of the cybersecurity danger has skyrocketed in recent years. In 2004 the entire global cybersecurity market totaled $3.
Products, Services, and Solutions
Forescout Expands Integration with Microsoft Technologies for Device Visibility and Control Across Diverse Endpoints (Yahoo) Forescout expands integration with Microsoft technologies to improve security, compliance and control of endpoints across physical, virtual and public cloud.
Living On The Edge: Less Servers. Less Code. More Security (The Castle Blog) An adaptive authentication layer can now be implemented on the edge with our integration with Cloudflare. It's a codeless way of implementing online user account security.
Denim Group Announces ThreadFix’s Integration with UBsecure (BusinessWire) Denim Group Announces ThreadFix’s Integration with UBsecure
Technologies, Techniques, and Standards
Debunking Five Myths about Zero Trust (Infosecurity Magazine) Zero Trust's evolution over the last decade has created some misconceptions
7 Threat Hunting Benchmarks from a Survey of Security Pros | Bricata (Bricata) Threat hunting aims to find threats that didn't trigger an alert, yet it's still a new concept for many, so these threat hunting benchmarks are useful waypoints.
Commercial threat intelligence has become a key Army tool (Fifth Domain) Leaders at Army Cyber Command have stressed the importance of relying on commercial threat intelligence.
Cyber Command Learning from Challenges, General Says (MeriTalk) U.S. Cyber Command is learning from a host of challenges including maneuvering through congested information environments to combat adversaries, said Gen. Richard Angle, Cyber Command’s Deputy Commanding General (Operations), at AUSA’s ILW Hot Topics event today.
Design and Innovation
CISA Launches First Annual President's Cup Cybersecurity Competition (Dark Reading) Cyber security's comprehensive news site is now an online community for security professionals, outlining cyber threats and the technologies for defending against them.
Flirty or Friendzone? New AI Scans Your Texts for True Love (Wired) A new class of apps can use machine intelligence to determine if your text conversations are imbued with hidden romantic sparks.
Research and Development
IARPA launches HECTOR (Intelligence Community News) The Intelligence Advanced Research Projects Activity (IARPA), within the Office of the Director of National Intelligence, announced on September 16 a multi-year research effort called the Homomorph…
Imec and Singapore team up on hardware-based quantum cryptography (Bits&Chips) Imec and the National University of Singapore (NUS) join hands to develop the building blocks of a secure quantum internet, i.e. technologies for quantum key distribution (QKD) and random number generation (QRNG). The overarching objective is to develop a robust, scalable and cost-effective hardware platform.
Academia
National Science Foundation $1.4 million grant will help develop cyberinfrastructure across Midwest (MU News Bureau) To help solve the world’s grand challenges, researchers often rely on powerful computer systems and people that provide advanced capabilities to store, transfer and process large amounts of data.
Legislation, Policy, and Regulation
US Cyber Command Signals More Aggressive Approach Involving Persistent Engagement Ahead of 2020 Election (CPO Magazine) U.S. cyber command is ready for more aggressive stance of persistent engagement around 2020 election and is prepared to take on a proactive approach including carrying out offensive cyber strikes.
How to Win the Battle Over Data (Foreign Affairs) As authoritarian governments seek to control information flows within their borders and engage in cyberattacks outside their borders, the United States needs to place data at the heart of a new approach to national security.
The Great Anti-China Tech Alliance (Foreign Policy) The United States and Europe will regret letting Beijing win the race to govern digital technology.
Tiny Pacific nation forges ahead with national cryptocurrency (Naked Security) The Marshall Islands is facing rising seas and financial isolation. But critics say their get-rich-quick cryptocurrency scheme won’t work.
Senate Republicans must lead with cheap, effective measures to secure US elections (Washington Examiner) On Election Day 2016, President Trump offered an unequivocal statement on how our elections should be run: “There’s something really nice about the old paper ballot system,” he told Fox News. “You don’t worry about hacking.”
First on CNN: Colorado becomes first state to ban barcodes for counting votes over security concerns (CNN) Citing security concerns, Colorado has become the first state to stop counting ballots with printed barcodes.
Nakasone touts success of Army cyber direct commission program (InsideDefense.com) The head of U.S. Cyber Command says he is pleased with the progress the Army's direct commissioning program for cyber officers has made in recruiting talent.
Congress should defy Dan Coats' last request on phone surveillance (TheHill) Section 215 of the Patriot Act permits the NSA to access records of not just a target but others with whom he communicates.
California Lawmakers Pass Only Minor Changes to Privacy Measure (Wall Street Journal) California legislators adjourned for the year without watering down a sweeping privacy law set to take effect in January, although they passed a handful of amendments intended to clarify parts of the legislation.
Litigation, Investigation, and Law Enforcement
WSJ News Exclusive | Amazon Changed Search Algorithm in Ways That Boost Its Own Products (Wall Street Journal) The e-commerce giant overcame internal dissent from engineers and lawyers, people familiar with the move say.
Amazon News on Twitter (Twitter) “.@WSJ story based on anonymous sources is wrong. We have not changed the criteria we use to rank search results to include profitability. We feature products customers want, regardless of whether they are our own brands or products offered by our selling partners.”
Exclusive: Election software used by Boris Johnson and Donald Trump caught in Facebook privacy row (The Telegraph) A widely-used political campaigning tool employed by Boris Johnson, Donald Trump, and the SNP has been buying data on British voters from a company accused by Facebook of violating its users' privacy.
Indicted Canadian intelligence official had access to allies’ secrets, official says (Washington Post) Cameron Ortis served as director general of the National Intelligence Coordination Center.
Secrets in hands of alleged RCMP spy would cause 'devastating' damage to Canada, allies: documents (CBC) The cache of classified intelligence material an RCMP official was allegedly preparing to share with a foreign entity or terrorist organization is so vital to Canada's national security that the country's intelligence agencies say its misuse strikes at the heart of Canada's sovereignty and security, documents seen by CBC News reveal.
Investigation into senior RCMP official stemmed from disruption of encrypted phone service: sources (Global News) Cameron Ortis was director general of the RCMP National Intelligence Coordination Centre, commissioner says.
What is 'Phantom Secure' cellphone case linked to possible RCMP security breach? (CBC) The investigation into top RCMP official Cameron Ortis began with a shadowy Vancouver-based company and a multimillion-dollar business that helped drug traffickers and money launderers around the world.
Who is Cameron Ortis and what has the RCMP accused him of? A guide to the story so far (The Globe and Mail) The RCMP has arrested one of their own high-ranking intelligence officials and accused him of breaching secrecy laws. Here’s what we know about his background, the charges against him and how Ottawa is responding
Cyber attack could have targeted Australia's electoral commissions (ABC News) Australia's security agencies were concerned that state and territory electoral commissions may also have been targeted as part of a cyber attack on federal political parties, according to previously confidential documents.
Investors Claim AT&T Created Fake Streaming Service Accounts to Hide Failure (New York Law Journal) According to an amended complaint filed last week in Manhattan federal court, AT&T management overreported the number of customers who had signed up for the company's $35-per-month product, leading investors to believe it was well-positioned to compete with cheaper online streaming services such as Netflix and Hulu.
Lisa Page bombshell: FBI couldn't prove Trump-Russia collusion before Mueller appointment (TheHill) To date, Lisa Page’s infamy has been driven mostly by the anti-Donald Trump text messages she exchanged with fellow FBI agent Peter Strzok as the two engaged in an affair while investigating the president for alleged election collusion with Russia. Yet, when history judges the former FBI lawyer years from now, her most consequential pronouncement may not have been typed on her bureau-issued Samsung smartphone to her colleague and lover.
JPMorgan Hacker Will Plead Guilty Over Role in Vast Cyber-Attack (Bloomberg) A Russian hacker at the center of an alleged scheme to steal financial data on more than 80 million JP Morgan Chase & Co. clients will plead guilty later this month, according to a U.S. court filing. Andrei Tyurin, who was extradited last year from the Republic of Georgia, is accused of performing key tasks that netted hundreds of millions of dollars in illicit proceeds from the hack of JPMorgan and other companies.
After 6 Years in Exile, Edward Snowden Explains Himself (Wired) In a new memoir and interview, the world’s most famous whistle-blower elucidates as never before why he stood up to mass surveillance—and his love for an internet that no longer exists.
Snowden calls on France's Macron to grant him asylum (MSN) Former U.S. National Security Agency contractor Edward Snowden, who leaked classified documents detailing government surveillance programs, is calling on French President Emmanuel Macron to grant him asylum.
Instigator of fatal Kansas swatting receives prison sentence (Ars Technica) Viner arranged the swatting after losing a reported $1.50 bet.