We're pleased to announce that our 5th Annual Women in Cyber Security reception (#cyberwomenconnect) will be held October 18th, 2018, in the new International Spy Museum at L'Enfant Plaza in Washington, DC. To sponsor the event or request an invitation, go here.
Router rooters. Cyber espionage. Sinkholing a criminal service. Cyber conflict. Facebook testifies. Legal & industry notes.
Switches and routers and hacktivists and spies.
Late on Friday, April 6th, and continuing into last weekend, what appear to be American hacktivists defaced Iranian and Russian websites with a crudely rendered American flag and the message, "Don't mess with our elections" (Reuters). The defacements were relatively primitive (the flag is old-school skid-work ASCII art, for one thing) but the incidents were nonetheless disruptive. The hackers exploited the recently disclosed Cisco CVE-2018-0171 Smart Install vulnerability to reset routers to their defaults and display their message (Bleeping Computer). Most observers are so far inclined to accept the hackers' claims at face value—patriots who took advantage of unpatched routers to mess with Russia and Iran (ITWire).
As it so often does, Motherboard got in touch with people purporting to be the hacktivists to see what they're up to. (As the magazine put it, it was in touch with "someone in control of an email address left in the note.") The hackers who claimed responsibility told Motherboard, "We were tired of attacks from government-backed hackers on the United States and other countries. We simply wanted to send a message" (Motherboard).
The Cisco vulnerability has been exploited elsewhere, not just in Russia and Iran (and not just for hacktivist purposes), since it became known (Kaspersky Lab). Routers in general seem to be increasingly popular targets of cyberespionage (Bleeping Computer).
It can pay to be underestimated.
Kaspersky describes "Operation Parliament," a wide-ranging cyberespionage campaign that, since early 2017, has cloaked its activities by pretending to be the Gaza Cybergang, a well-known and not well-respected group of skids. The actor behind Operation Parliament appears anything but unsophisticated. The malware it used is still under study, but it does not appear to have any obvious relationship with previously seen attack code. Targets were carefully verified before infection, and Kaspersky says the unidentified operators did "just enough to achieve their goals." Most of the organizations targeted were in the Middle East and North Africa, but infections extended to Europe, South Korea, and North America as well. The campaign has slowed since the beginning of 2018, suggesting the spies got what they came for (SecurityWeek).
Sinkholing a long-standing criminal nuisance.
Proofpoint has successfully sinkholed what they call the oldest running infection chain: EITest. They told the CyberWire that the campaign, active since 2011, seems to have been "purely criminal" as opposed to state directed. The large network of compromised servers it used (about 51 thousand), and its concealment of its command-and-control infrastructure behind a domain generation algorithm, made it unusually resistant to takedown. EITest passed "filtered, high-quality traffic to threat actors operating exploit kits and web-based social engineering schemes."
Facebook goes to Capitol Hill.
In general during the hearings Facebook was determined to represent itself as a technology firm and not a media company. A media company would be expected to be held accountable for its content, whereas a technology company would generally be regarded as a content-neutral conduit for users' communications. Mr. Zuckerberg did indicate that Facebook remained committed to its advertising-based revenue model, and that he expected to come under more regulation in the future. For a foreshadowing of what such regulation might look like, see GDPR (SecurityWeek). He also declined to say that Facebook would be willing to curb its data collection, calling the issue too complicated to be easily addressed (Times).
The University of Cambridge wasn't pleased by Mr. Zuckerberg's suggestion that their researchers had been abusing Facebook data behind the company's back. As they pointed out, they've not only published research based on those data for years in peer-reviewed journals, but they've also had the cooperation of Facebook employees in their work (TechCrunch).
You may not be interested in Facebook, but Facebook is interested in you.
One of the challenging questions Mr. Zuckerberg faced from the House panel concerned shadow profiles, information Facebook maintains on people who aren't Facebook users. Shadow profiles include information gleaned from third-party Facebook users, and they can include "all sorts of information that could be used to identify a given person, their name and phone number, email addresses, physical addresses, and so on" (Popular Mechanics). Mr. Zuckerberg didn't directly answer the question, professing to have no familiarity with shadow profiles, and the issue remains open (Naked Security). Other observers noted that Facebook clearly has access to a great deal of metadata, and that such data can be, and often have been, used to organize a considerable amount of information about individuals. The Facebook CEO repeatedly told Senators and Representatives alike that his company was committed to safeguarding users' data, and that users remained in control of their data, but most observers thought this a less than forthcoming response (WIRED). As Popular Mechanics put it, "'Your data' doesn't mean what you think it means."
GCHQ takes the offensive.
Speaking in Manchester early this week, GCHQ Director Jeremy Fleming said his organization had, in 2017, closely coordinated its offensive cyber operations with the Ministry of Defence to hit ISIS in ways that disrupted the terrorist group's command and control and its ability to disseminate its messaging. He also said that GCHQ's attacks on ISIS have contributed to protecting British forces engaging ISIS. Significantly, he also used the occasion to call out Russia for bad behavior, saying that the nerve agent attack in Salisbury showed how "reckless" the Russian regime had become and "how little the Kremlin cares for the international rules-based order" (Bloomberg).
The uncomfortable and blurry line between the kinetic and the informational: preparing for cyberattacks after Salisbury.
Russian authorities continue to deny any involvement with the nerve agent attack in Salisbury last month. But the independent investigation they asked for, expecting it to reveal the whole matter as a British provocation, hasn't turned out as Moscow presumably hoped. The OPCW's statement, released on April 11th, said in part, "The results of analysis by OPCW-designated laboratories of environmental and biomedical samples collected by the OPCW team confirm the findings of the United Kingdom relating to the identity of the toxic chemical that was used in Salisbury and severely injured three people."
An emergency follow-up meeting, requested by the British Government, will be held next week. Russia has long called the attack a British provocation. Russia's London embassy has also issued a statement in response to Yulia Skripal's decision to decline a visit from Russian consular personnel to check on her welfare—a decision that is understandable, one might think, in view of her experience with nerve agent poisoning, and anyway, as she put it, if she decides she wants to talk to them, they're not difficult to reach. The Russian embassy says it suspects that Ms Skripal is being held by British security services. As they put it, "the document only strengthens suspicions that we are dealing with a forcible isolation of the Russian citizen." Nobody really believes this (CNBC).
Russian President Putin's advisor Vladislav Surkov sees 2018 as marking the end of Russia's attempts to turn westward (Россия), terminating aspirations that go back to Tsar Peter the Great (Radio Free Europe | Radio Liberty). The US has issued economic sanctions and made noises about retaliation in cyberspace, but US Intelligence Community insiders differ over whether there's actually the political will to punish Russia effectively for misbehavior in cyberspace and elsewhere (NBC). Whether economic sanctions announced last week are hurting Moscow or not, they're being felt in London, where the City is nervous about disruption to Russian investment. Much oligarch money has found its way into the British stock (and real estate) market (Times).
Germany cautiously attributes a campaign against the Federal Republic's government and political networks to Russian state actors. Bundesamt für Verfassungsschutz chief Hans-Georg Maassen says they can't be sure it was Fancy Bear (Russia's GRU) and that the unlikely possibility of a false flag operation can't entirely be ruled out, but that they regard their attribution of the attacks to Russia as having "high likelihood" (Reuters).
A Secure World Foundation report concludes that cyberattacks against satellites are much likelier than kinetic kills. The study discerns signs of growing Chinese and Russian interest in this mode of attack. Interestingly, it conceives of the risk as largely a supply-chain problem, with Russian or Chinese suppliers of code and subcomponents building exploitable vulnerabilities into the satellites (and the ground stations that enable them to operate) whose manufacture and operation rely on a globalized network of suppliers (Secure World).
An AI arms race awaits its Sputnik moment.
Russia is bucking up, dramatically, its investment in artificial intelligence research and development. Washington types look on with alarm (SIGNAL). A new Sputnik moment will be difficult to discern, and at least as uncertain in its effects as was the original Sputnik moment. China's said to be all in on that AI arms race, too, and there are rumblings around the Pentagon and Capitol Hill that America is going to be left behind if the country doesn't wise up (C4ISRNET). So the US may see, not a missile gap, but a Skynet gap, emerge as an election issue over the next few years.
Attention to detail.
If you're an iOS user in China and should find yourself taken by an urge to use the emoji of Taiwan's flag, forget about it, and take that urge elsewhither. You're not even going to see that flag. Apple hasn't said why, but it's a safe bet, says Quartz, that they got their marching orders on this one from Beijing. The other flag emojis that arrived with the iOS class of 2015 (Chad, Greenland, and the Holy See) are still there; maybe one of those will do.
Crime and punishment.
The US Securities and Exchange Commission (SEC) has halted sale of some $27 million in stock offered by cryptocurrency firm Longfin. The company's CEO, Venkat Meenavalli, and three others are charged with illegal sale of Longfin stock (New York Law Journal).
Courts and torts.
The European Court of Justice will hear the case of Max Schrems, the Austrian lawyer who complained to the Irish Data Commissioner about Facebook (whose European offices are in Dublin) and its transfer of his personal data to the United States for processing. Ireland's High Court bucked the case over to judges on the Continent for final disposition. The referral is viewed as a win for Herr Schrems, but justice will move slowly: the EU court is expected to rule on the matter in, perhaps, eighteen months (Computing).
Google is expected to face a fine and a "telling off" from the EU for anticompetitive practices, but observers think it unlikely that this will change Google's practices, operations, or bottom line (Computing).
A Federal class action suit filed in Manhattan alleges that Chase Bank has been unfairly gouging its credit card customers by charging them cash advance fees on purchases of cryptocurrencies. The bank began doing so without warning in January, the plaintiffs allege (New York Law Journal).
Evidently having despaired of actually being able to do much about online crime, the Chief Constable of Devon and Cornwall advises victims to go ahead and sue big Internet players like Google and Facebook. If their platforms "facilitated crime," then take them to court, the plaintiffs' bar having become the contemporary equivalent of the sheriff's posse (Computing). But there's more optimism, or at least money, in the UK's Home Office. Home Secretary Amber Rudd is releasing £9 million to help police agencies "crack down on the dark web" (Infosecurity Magazine).
As is their custom, Adobe and Microsoft released security fixes on Patch Tuesday (KrebsOnSecurity). Among the vulnerabilities Microsoft addressed were a SharePoint privilege escalation bug and an unusual fix for a wireless keyboard. Microsoft said the SharePoint vulnerability, although it had leaked before it was patched, had yet to be exploited in the wild (Bleeping Computer). Five of the remote code execution vulnerabilities Microsoft addressed dealt with issues surrounding the ways fonts are rendered (TrendLabs). The usual wave of fixes aroused some complicated reactions, especially with respect to patches for an evidently undead Office 2007 and what appears to be a curiously incomplete fix for CVE-2018-0950 insofar as it affects Outlook (ComputerWorld).
AMD took the occasion of Patch Tuesday to roll out Spectre fixes for its chips (Threatpost).
Google looks back at 2017 and says that its PlayProtect removed 39 million potentially harmful Android apps over the course of the year (PPC Land).
On Monday IoT security start-up Armis announced that it had raised $30 million in a Series B round led by Bain (TechCrunch). Container security shop StackRox (they're also among the finalists at this coming week's RSA Innovation Sandbox) announced that they've closed a $25 million Series B round (Morningstar). Karamba Security, an automotive cybersecurity startup, has received $10 million in new funding from venture-debt firm Western Technology Investment (Venture Beat). Business-to-business security company Expel has raised $20 million in a Series B round (Crunchbase News). This Wednesday network security cloud vendor OPAQ Networks announced that it had raised $22.5 million in a Series B round led by Greenspring Associates, with continuing participation by Columbia Capital and Harmony Partners. The company's intention is to push further into the medium-business security-as-a-service market (BusinessWire).
Sequoia Capital's Israeli unit has announced a new cybersecurity venture fund, Cyberstarts, with initial funding of $50 million (CTECH). In the US, the Commonwealth of Virginia has established the Virginia Founders Fund, which the Center for Innovative Technology will administer to provide seed-stage venture capital in Virginia. It's not restricted to cybersecurity start-ups, but that sector can expect to receive a significant fraction of the money (Virginia Governor Northam).
Carbon Black is preparing for an IPO, with $100 million as a "placeholder" (TechCrunch). The company filed an S-1 with the SEC Monday (Xconomy). Zscaler, whose recent IPO attracted considerable attention, saw its stock surge early this week as analysts talked it up as a "key cloud-based cybersecurity play" (Marketwatch). And Prague-based Avast, the antivirus company that may have more customers than any other in the sector, is preparing for its own IPO. They're headed for the London Stock Exchange, and they're shooting for a $4 billion valuation (Reuters), which is thought to be the City's largest tech float ever (This is Money). Analysts call Avast "mature" and "untrendy," and they mean those as compliments (Bloomberg).
Splunk closed its acquisition of Phantom on Monday (BusinessWire). Palo Alto Networks announced its acquisition of endpoint security shop Secdo for a reported $100 million (GLOBES). Secdo is expected to enhance Palo Alto's data collection and visualization capabilities (CRN).
A changing of the guard at Intercede: Richard Parris, after twenty-six years at the helm, has stepped down as the Midlands company's CEO. He'll transition to a non-executive director's role. Klaas van der Leest is the new CEO (East Midlands).
Huawei, afflicted by official suspicion over security and exclusion from markets, has begun to cut its US labor force (KitGuru). Facebook says it doesn't expect any revenue impact over privacy concerns, but of course the jury's still out on that one (Wall Street Journal).
Today's issue includes events affecting China, European Union, Germany, Iran, Iraq, Ireland, Russia, Syria, United Kingdom, and United States.
A note to our readers: the annual RSA conference convenes this coming week, and the CyberWire will be there. If you'll be at San Francisco's Moscone Center, too, stop by and say hello to the CyberWire team. We'll be at the Akamai booth, #3625 in the North Hall. We hope to see you there (and thanks to Akamai for their kind hospitality).