

 May, 2016







 In this issue



* No Silver Bullet Will Kill Cybersecurity Threats
* ISIS Cyberthreat: Puny but Gaining Power
* Fisting Forum Hack Could Be Pain in the Butt for Troops
* It's the Year 2020 ... How is Your Cybersecurity?
* Latest Cyber Security News


About the Cyber Security News Update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and is intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


No Silver Bullet Will Kill Cybersecurity Threats

May 20, 2016

Time spent on compliance might be better spent actually doing something about security.

You want perfect data security? Dream on.

The need to protect corporate and personal information from unauthorized and possibly nefarious eyes was front and center this week at the MIT Sloan CIO Symposium in Cambridge, Mass. But experts failed to agree about whether the forces of good are prevailing against the bad guys or even whether breaches are increasing—or are just more public than in the past.

There was consensus among C-level executives, however, that the hassle of complying with regulations actually diverts resources that could be better spent bolstering security.

Regulations with a security component include broad measures like the Sarbanes-Oxley Act governing corporate financial disclosures and Payment Card Industry rules for credit card transactions. But there is also a raft of mandates targeting specific industries. Examples include the Health Insurance Portability and Accountability Act or HIPAA covering health and medical information and the Federal Information Security Management Act that protects federal data and assets from “man-made threats.”

Add to that a welter of regulations from various states and foreign jurisdictions and you can see how the workload might get out of hand.

“Our security people spend 60% of their time optimizing documentation and 40% of their time doing the work,” said Anthony Christie, chief marketing officer for Level 3 Communications, the big telecommunications company.

Niraj Jetly, chief information officer of NutriSavings, agreed.

Companies like NutriSavings, which works with businesses to encourage healthy diets for employees, rely on customers sharing data. But constant talk about breaches damages the trust consumers have in that process, Jetly said. “We have to stop these breaches but the regulations are not helping. We preach technology as CIOs, but we spend most of our time on paperwork.”

It is important not to confuse complying with security regulations with actual safety, added Roota Almeida, head of information security for Delta Dental of New Jersey. “Compliance does not equal security. Compliance plus X, Y, Z may equal security, but you need to do a lot of things after you’re compliant.”


The fact that more data is being generated and collected—from appliances and cars bristling with sensors as well as cell phones and fitness devices—in the emerging Internet of things is raising the stakes for data security.

When company employees working at home access corporate networks via the same Wi-Fi that connects their refrigerators, Xboxes, and Nest thermostats, they could be exposing corporate assets to a whole new range of threats, said Ryan Mallory, vice president of global solutions architects for Equinix, the big data center provider.

In that scenario, you have to trust that LG protects your refrigerator, Microsoft protects your Xbox and Google protects your Nest. “That’s a lot of trust,” Mallory noted.


Perhaps it’s best to isolate the threat. Instead of building one big castle surrounded by one big moat, maybe a thousand little separately moated castles would be better.

Since it’s hard to prevent compromised hardware, it’s best to limit what a malicious person can do if that piece of hardware is compromised, said conference attendee Paddy Srinivasan, general manager and vice president of Xively, an Internet of things technology company.

“We advise product manufacturers to limit the surface area of exposure to minimize the threat,” he said. “With a compromised device, it would be really bad if the hacker can listen to or communicate with other devices on the same network. If the only thing the hacker can do is spoof that particular device alone, then damage is a lot more limited.”

As to whether the cybersecurity situation in general has gone downhill over the past few years and whether the balance of power will shift in favor of the good guys going forward, there were a lot of opinions.

“Why does it look worse? The simple answer is because it is,” said Mark Morrison, chief information security officer for financial services firm State Street. He cited the changing demographic of attackers. Hackers started out mostly as individual actors trying to get famous or make a point but then morphed into organized criminals trying to steal money. But more recent attacks have come from ideological nation states and that is a change for the worse, he said.

“We’re not dealing with War Games and the guy in the basement any more,” Morrison said.

Having said that, Morrison thinks things will improve going forward since IT professionals and the public at large are now more attuned to cybersecurity risks.

“This is an evolutionary process and it will get better. We’re growing at a faster rate than our adversaries.”

“I can’t say whether it’ll be better or worse but it’ll be very different. With the Internet of everything, the threats and the attack surface will be 10, 100 times bigger than it is now. And the type of information available five years from now will be different. Things will be very different but not necessarily better.”

For one thing, she stated, hackers now realize how valuable protected health information is and are targeting it more. If a thief gets a credit card number the card can be cancelled, “But if I lose private information, X-rays, fingerprints, those things don’t change. It’s hard to get private again.”

More info http://fortune.com/2016/05/20/no-cure-for-cybersecurity-threats/

ISIS Cyberthreat: Puny but Gaining Power

May 20, 2016

The Islamic State group's cyberwar capabilities are unsophisticated, but they won't be that way for long.

That was the conclusion of a 25-page report released last week by Flashpoint.

The report, "Hacking for ISIS: The Emergent Cyber Threat Landscape," found that the Islamic State's "overall capabilities are neither advanced nor do they demonstrate sophisticated targeting."

However, the severity of the attacks by the group's supporters isn't likely to remain unsophisticated, it added.

"Their capability of hacking military or NSA servers in the United States is far-fetched, but it's not completely impossible," said Laith Alkhouri, Flashpoint's director of Middle East and North Africa research and one of the authors of the report.

"Concern is high, not because they have sophisticated hacking skills but because they're utilizing multiple ways of bringing in new talent, utilizing all the freely available tools online, trying to utilize malware that's already available and building their own malware," he told TechNewsWorld.


Script Kiddie Assassins

ISIS lacks the organization and skills of other cyber adversaries of the United States, noted another author of the report, Flashpoint Director of Security Research Allison Nixon.

"Chinese and Russian hackers are organized criminal gangs or nation-state supported groups," she told TechNewsWorld. "They're highly educated, highly skilled. They use custom malware and custom tools."

"On the other hand, ISIS supporters are more like script kiddies or hacktivists. They have a low level of sophistication and engage in behavior patterns and use toolsets that we would see in any other attention-seeking group," Nixon continued.

"They're using open source tools and very old public exploits," she said. "They're only capable of hacking sites that aren't very well maintained in the first place."

Although ISIS hackers have some similarities to hacktivists, they differ from them in at least one very important way. "Hacktivists don't threaten physical violence," Nixon said. "Physical violence is an important part of ISIS hackers."

"They're interested in translating these online threats into physical attacks," she added.

Attacks of Opportunity

The hacking tools of ISIS cyberwarriors are almost invariably going to be taken from publicly available open source projects because of the ease of obtaining such tools along with the fact that they can often be used successfully, the report noted.

Developing proprietary tools would require significant effort and resources to create a completely private toolset that is on par, or better than, what is already available publicly, it said.

Of course, actors may modify this publicly available software or write simple scripts, but it is unlikely these groups are building software from the ground up for their supporters to use, the report said.

"As pro-ISIS cyber attacks and capabilities have gradually increased over time but remained relatively unsophisticated, it is likely that in the short run, these actors will continue launching attacks of opportunity," it noted.

"Such attacks include finding and exploiting vulnerabilities in websites owned by, for example, small businesses, and defacing these websites. Other attacks may include DDoS attacks," the report continued.

Hacking Powerhouse

Pro-ISIS cyberactors are demonstrating an upward trajectory, indicating that they will continue to improve and amplify pre-existing skills and strategies, the report said.

Such a trend was exemplified by the recent merger of multiple pro-ISIS cybergroups under one umbrella: the United Cyber Caliphate.

"We're starting to see these groups coalesce their brand. They're increasing their ranks in number. They're increasing their ranks in skill. They're increasing their ranks in languages, which means they're increasing the channels on which they operate and which they distribute their claims of responsibility," Alkhouri noted.

"That means they have a much more powerful message and a more robust structure than before," he continued. "They are coalescing their ranks to become a hacking powerhouse."

U.S. Responds

The United States isn't ignoring the growing threat of ISIS in cyberspace. A new campaign was designed to disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters, according to a news report published last week.

While the Pentagon hasn't been shy about letting ISIS know U.S. cyberforces will be gunning for it, details have been in short supply.

"There doesn't seem to be any specifics on what they intend to do or how they intend to carry it out," said Lawrence Husick, co-chairman of the Foreign Policy Research Institute's Center for the Study of Terrorism.

"It may be something as simple as finding some servers and executing an automated attack on those servers," he told TechNewsWorld, "or it may be something more complicated, like the use of directed malware or the disruption of encrypted channels used by ISIS on the dark Web."

Given how the military likes to keep its cyber cards close to its BDUs, it's a bit unusual that it's saying anything at all about its plans for ISIS. "I'm not sure why they chose to talk about it," said Richard Stiennon, author of There Will Be Cyberwar.

"It's better to take advantage of your ability to intercept and spoof messages without telling your adversary about it," he told TechNewsWorld.

Psych Op

However, there could be a domestic angle to the Pentagon's bravado about its cyberwar efforts. "There's a desire by the branches for more dollars from Congress for their cyber programs," Stiennon said.

On the other hand, prying money from Congress for cyber initiatives doesn't seem to be a problem. "For many years, Congress has pretty much given the military everything that it wants in the way of cyber," Husick said. "That's one area of the budget where they have really not had any problem at all."

The Pentagon's announcement of a cyber campaign could be an effective weapon against ISIS. "Deception and disruption are part of the game of warfare," he said. "There are times when you say something and do nothing, and there are other times when you do something and say nothing."

"They may be trying to get into the head of ISIS," said retired Rear Adm. James Barnett, head of the cybersecurity practice at Venable.

Nevertheless, he doesn't think the Pentagon is bluffing when it says it's going to escalate the cyberwar with ISIS.

"We may not hear about the operations for months, but at some point we'll hear about a coordinated strike, either in combination with conventional forces or something significant in cyberspace," he told TechNewsWorld.

Read more at http://www.technewsworld.com/story/83468.html

Fisting Forum Hack Could Be Pain in the Butt for Troops

May 13, 2016

Instead of using a private email address to gain access to the bowels of the Internet, some members of the U.S. military apparently used their work accounts.

Three us.army.mil email addresses are associated with accounts on a sexual fetish forum, according to the security expert who revealed the breach this week. Email addresses belonging to the Polish military and Brazilian government are also implicated.

The breach of RoseButtBoard.com, a site dedicated to “extreme anal dilation and anal fisting,” is attributed to a gaping security hole caused by outdated software, which allowed a hacker to access account information on more than 100,000 users.

Vice News first reported the hack on Tuesday, after Australia-based web security expert Troy Hunt took steps to verify the authenticity of records for 107,303 accounts.

Hunt provided to U.S. News information about the .gov or .mil accounts involved, six in total, but did not provide the specific addresses, saying he personally avoids looking at individual account information for privacy reasons.

The U.S. Army indicated in a statement that using military email to register for a fisting forum would be improper. Federal communications systems including email “can be used for official and authorized purposes only,” the statement says.

The guidelines are laid out in Army Regulation 25-2, which bans personal use of government resources involving "pornography or obscene material,” as well as “transmission of chain letters” and online gambling.

“Online misconduct is inconsistent with these regulations and policies, and with the values Army professionals are obligated to uphold," the Army says. "The Army remains committed to ensuring all of our personnel use government communication systems appropriately, and to preventing and addressing actions inconsistent with these policies."

The number of government email addresses is significantly smaller than the roughly 15,000 Ashley Madison accounts registered to an address ending in .mil or .gov. That hack last year exposed an enormous number of people looking to have an affair, including “traditional marriage” campaigner Josh Duggar.

Hunt says affected email addresses belong to subscribers of haveibeenpwned.com, a site he maintains that allows people to see if they are affected by hacks. The addresses won’t be publicly searchable on that site, but can be checked by the verified owner of an email address -- a treatment given to Ashley Madison records and those from a handful of other hacked sites, including Adult Friend Finder and Naughty America.

Ironically, Hunt says curious people could learn if an email address is registered to an account on the fetish site by entering it with the forum’s password reset function.

The leaked account information includes usernames, email addresses, IP addresses and passwords.

“The data was sent to me by someone who trades in data breaches,” says Hunt, who authors web security courses and has repeatedly been recognized by Microsoft for his industry contributions. “This is often the way; data is hacked from systems then shared within select groups of people until someone eventually then sends it to me, too.”

An email seeking comment from the fetish forum’s administrator did receive a response. Most of the site’s discussion boards are inaccessible to non-members.

Without a review of the site content it’s unclear if the average forum user risks any legal consequences, though members of the military are not free to do what they please in their personal lives. Military law, for example, still criminalizes adultery.

The Army isn't alone in having employees potentially misuse online resources. At federal agencies, in fact, there have been well-paid bureaucrats caught watching pornography. Federal workers theoretically could lose their jobs for doing so, but the resolution of such cases sometimes is unclear or can be prolonged. The Environmental Protection Agency’s inspector general reported last year that two employees earning $120,000 were caught watching porn on the job and were given paid administrative leave for nearly a year before attempts were made to fire them. One of the EPA workers retired, the other remained on paid leave at the time of public disclosure.

More Info http://www.usnews.com/news/articles/2016-05-13/fisting-forum-hack-bad-news-for-military-users



It's the Year 2020 ... How is Your Cybersecurity?

May 2, 2016

What if, in 2020, wearable devices did not care about how many steps you took, and instead were concerned with your real-time emotional state? With networked devices tracking hormone levels, heart rates, facial expressions, voice tone and more, the internet could become a vast system of “emotion readers,” touching the most intimate aspects of human psychology. What if these technologies allowed people’s underlying mental, emotional and physical states to be tracked – and manipulated?

Whether for blackmail, “revenge porn” or other motives, cybercriminals and hostile governments in this world would find new ways to exploit data about emotion. The terms of cybersecurity would be redefined, as it became more important for people to manage and protect how their emotions and mindsets appeared to the monitors.

This is just one of several potential future cybersecurity scenarios dreamed up by a group of multidisciplinary experts recently. Here at the Center for Long-Term Cybersecurity, we asked them to think about what we could see happening in the near future of 2020. These are not predictions – it’s impossible to make precise forecasts about such a complex set of issues. Rather, the scenarios paint a landscape of future possibilities, exploring how emerging and unknown forces could intersect to reshape the relationship between humans and technology – and what it means to be “secure.”

And they raise pressing questions we should consider today as we lay the groundwork for a secure information technology environment in the future: how might individuals function in a world when they are no longer able to ignore the fact that literally everything they do online will likely be hacked or stolen? How could the proliferation of networked appliances, vehicles and devices transform what it means to have a “secure” society? What would be the consequences of almost unimaginably powerful algorithms predicting individual human behavior at the most granular scale?

Imagining scenarios

At the heart of our approach is scenario thinking, a proven methodology for identifying important driving forces and unexpected consequences that could shape the future. This approach often leads to more questions than answers, but what we identify can help guide us toward solutions as society and technology evolve.

In our scenario about emotion-sensing, for example, many questions arise:

· How might biosensing technologies evolve, and what would be the effect of having sensors tracking massive numbers of individuals' emotions and mental states?

· How will people respond when their most private and intimate experiences are understood by the internet better than they themselves understand them?

· How might virtual reality, sentiment analysis, wearable devices and other “sensory” technologies intersect with domains such as marketing, politics and the workforce?

· What are the potential cybersecurity risks and benefits that could come with the proliferation of sensors capable of capturing and interpreting emotions?

Our broad interdisciplinary group of experts on computer science, political science, neuroscience and other areas came from universities, the private sector, nonprofits and governments. They helped us develop that scenario, and four others, for the year 2020.

For example, imagine that two decades after the first dot-com bust, the advertising-driven business model for major internet companies has fallen apart. As overvalued web companies large and small collapse, criminals and companies alike race to gain ownership of underpriced but potentially valuable data assets. It’s a “war for data” under some of the worst possible circumstances: financial stress and sometimes panic, ambiguous property rights, opaque markets and data trolls everywhere.

In this world, cybersecurity and data security become inextricably intertwined. There are two key assets that criminals exploit: the datasets themselves, which become the principal targets of attack; and the humans who work on them, as the collapse of the industry leaves unemployed data scientists seeking new jobs. The questions that arise are difficult:

· How might cybercriminals adapt to a more open and raucous data market?

· If governments want to prevent certain datasets from having a “for-sale” sign attached to them, what kinds of options will they have?

· What new systems or standards could emerge to verify the legitimacy or provenance of data? What does “buyer beware” look like in a fast-moving market for data?

· What role should government play in making markets for data more efficient and secure?

What comes next?

This is just the beginning. In one of our other scenarios, we imagine that hackers have become so successful that the public’s default expectation about internet transactions flips from “we are basically safe” to “we are going to have our data stolen.” Another looks at the potential of predictive algorithms: if those improve to be able to predict individual behavior, all sorts of new attacks might occur. Still another looks at the Internet of Things, suggesting that governments may lead the way in IoT adoption – and could become both more effective and more vulnerable as a result.

The world in 2020 could look very different from today. Our scenarios are designed to serve as a starting point for conversation and debate among academic researchers, industry practitioners, and government policymakers. We invite the public to join us as well; please read the full-text scenarios and engage with them on Twitter (@cltcberkeley). We look forward to building a better cybersecurity future with you.

Read more: http://www.usnews.com/news/best-countries/articles/2016-05-02/cybersecurity-in-2020-will-the-internet-read-emotion



Latest Cyber Security News

Cyber Privacy

Google Issues Patch as Android Qualcomm Vulnerability Impacts 60 Percent of Devices: A flaw in mobile chip maker Qualcomm’s mobile processor, used in 60 percent of Android devices, allows attackers to take control over a targeted phone or tablet under specific conditions. Researchers at Duo Labs said the vulnerability is tied to Android’s problem-plagued mediaserver, coupled with a security hole in Qualcomm’s Secure Execution Environment (QSEE). ThreatPost, May 19, 2016

Mobile App RunKeeper acknowledges sharing user geo-location data with advertisers, pushes updates: RunKeeper announced Tuesday that it had found a bug in its Android code that resulted in the leaking of users’ location data to an unnamed third-party advertising service. The blog post came four days after the Norwegian Consumer Council filed a complaint against the Boston company. ars technica, May 17, 2016

Cyber Warning

MALWARE-LACED PORN APPS BEHIND WAVE OF ANDROID LOCKSCREEN ATTACKS: Incidents of Android lockscreen malware masquerading as porn apps are a growing concern to security analysts who are forecasting an uptick in attacks. Once infected, Android users bitten by this malware appear to be locked out of their device and are forced to undergo a complex extraction of the app to win back control of their phone or tablet. ThreatPost, May 14, 2016

CERBER RANSOMWARE ON THE RISE, FUELED BY DRIDEX BOTNETS: Starting in April security experts at FireEye spotted a massive uptick in Cerber ransomware attacks delivered via a rolling wave of spam. Researchers there link the Cerber outbreaks to the fact that attackers are now leveraging the same spam infrastructure credited for making the potent Dridex financial Trojan extremely dangerous. ThreatPost, May 13, 2016

US-CERT urges IT departments to patch actively exploited critical SAP Java vulnerability: A vulnerability in SAP Java platforms is being actively exploited, despite having been patched in 2010, DHS reported. The alert noted three dozen global enterprises have been breached by attackers using the unmitigated vulnerability, which was reported by the Boston-based application security firm Onapsis Inc. SearchSecurity, May 13, 2016

No more get-out-of-jail-free card for CryptXXX ransomware victims: For the past month, people infected with the CryptXXX ransomware had a way to recover their files without paying the hefty $500 fee to obtain the decryption key. On Tuesday, that reprieve came to an end. ars technica, May 11, 2016


Cyber Update

INSTAGRAM PATCHES BRUTE-FORCE AUTHENTICATION FLAWS: Facebook on Thursday patched a pair of vulnerabilities that enabled brute-force attacks against Instagram passwords, and also hardened its password policy. ThreatPost, May 20, 2016

Apple patches 67 bugs in OS El Capitan, refreshes Safari and iTunes: Apple yesterday updated OS X El Capitan to version 10.11.5, patching nearly 70 vulnerabilities as it began to wind down changes prior to the next iteration launching later this year. ITWorld, May 17, 2016

Information Security Management in the Organization

Cyber Security Management – C Suite

Too much time spent on compliance paperwork rather than on cybersecurity management: The need to protect corporate and personal information from unauthorized and possibly nefarious eyes was front and center this week at the MIT Sloan CIO Symposium in Cambridge, Mass. But experts failed to agree about whether the forces of good are prevailing against the bad guys or even whether breaches are increasing—or are just more public than in the past. Fortune, May 20, 2016

Berkeley’s Center for Long-Term Cybersecurity: Five 2020 Scenarios Suggest Bleak Future: Cybersecurity is a fast-morphing technology, meaning that making any assumptions about what will be needed six months from now is difficult at best. Yet, a group of researchers at the University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC) are looking even further ahead to the year 2020. TechRepublic, May 17, 2016

Cyber Crime

Noodles & Company Probes Breach Claims: Noodles & Company [NASDAQ: NDLS], a fast-casual restaurant chain with more than 500 stores in 35 U.S. states, says it has hired outside investigators to probe reports of a credit card breach at some locations. KrebsOnSecurity, May 19, 2016

Then there were 117 million. LinkedIn password breach much bigger than thought: Login credentials for as many as 117 million LinkedIn accounts have been put up for sale online by someone who is seeking more than $2,200 for the haul, a security researcher said. ars technica, May 18, 2016

6 Shocking Intellectual Property Breaches: Typically, the measuring stick for the size and severity of a breach lies in exactly how many personally identifiable information (PII) records were exposed. With well-established legislation mandating transparency to customers and citizens when their information is lost by an organization, these stats are always made public, and such numbers are easily comparable between incidents. DarkReading, May 12, 2016

Wendy’s: Breach Affected 5% of Restaurants: Wendy’s said today that an investigation into a credit card breach at the nationwide fast-food chain uncovered malicious software on point-of-sale systems at fewer than 300 of the company’s 5,500 franchised stores. The company says the investigation into the breach is continuing, but that the malware has been removed from all affected locations. KrebsOnSecurity, May 11, 2016

Experts Comments on Data Breach at British Retailer Kiddicare: British retailer Kiddicare has suffered a data breach in which the personal details of nearly 800,000 customers have been stolen. The company said that the data had been taken from a version of its website that had been set up for testing purposes at the end of 2015. Customers have reported suspicious text messages that have not been sent by Kiddicare, suggesting that the hackers are using the personal details for targeted scams. Here to comment on this news are security experts from QA, Blancco Technology Group and WhiteHat Security. Information Security Buzz, May 10, 2016

FDIC reports five ‘major incidents’ of cybersecurity breaches since fall: The Federal Deposit Insurance Corp. (FDIC) on Monday retroactively reported to Congress that five additional “major incidents” of data breaches have occurred since Oct. 30. FDIC also is launching “a new initiative to enhance security.” The Washington Post, May 9, 2016


Cyber Defense

5 Reasons Enterprises Still Worry About Cloud Security: The notion that the cloud is less secure than traditional networks and infrastructure is still a fear for many despite a recent survey that found that 55% of respondents had not experienced a cloud-related security incident in the last 12 months (survey was conducted from March – April 2016). DarkReading, May 19, 2016

The gravest dangers for CMS-based websites: Over a third of all websites on the Internet are powered by one of these four key open source platforms: WordPress, Joomla!, Drupal and Magento. HelpNetSecurity, May 19, 2016

PROTECTING CLOUD APIS CRITICAL TO MITIGATING TOTAL COMPROMISE: When it comes to cloud computing, APIs more or less drive everything, but in the eyes of some researchers, existing security controls around them haven’t kept pace. ThreatPost, May 19, 2016

Master Key to TeslaCrypt Released by Ransomware Gang: There’s rarely good news in the world of cybercrime. But for victims of the TeslaCrypt ransomware, there’s been a surprising twist, and one that provides relief. BankInfoSecurity, May 19, 2016

Microsoft Disables Dangerous Wi-Fi Sense on Windows 10: Microsoft has disabled its controversial Wi-Fi Sense feature, a component embedded in Windows 10 devices that shares access to WiFi networks to which you connect with any contacts you may have listed in Outlook and Skype — and, with an opt-in — your Facebook friends. KrebsOnSecurity, May 18, 2016

Google Ending Automatic Chrome Support For Flash: Google’s Chrome browser will begin to display HTML5 video and animation, when they’re available, on all but 10 websites starting in the fourth quarter of this year. It’s another serious blow to the Adobe Flash platform. InformationWeek, May 16, 2016

Researchers crack new version of CryptXXX ransomware: Researchers from Kaspersky Lab have developed a method of decrypting files affected with the latest version of CryptXXX, a malware program that combines ransomware and information-stealing capabilities. CIO, May 16, 2016

Cyber Security in Society

Cyber Privacy

Even basic phone logs can reveal deeply personal information, researchers find: The mass collection of telephone records by government surveillance programs poses a clear threat to the personal privacy of ordinary citizens, according to US researchers who used basic phone logs to identify people and uncover confidential information about their lives. TheGuardian, May 16, 2016

Who Will Own Your Data If the Tech Bubble Bursts?: Imagine that Silicon Valley’s nightmare comes true: The bubble bursts. Unicorns fall to their knees. The tech giants that once fought to attract talented developers with mini-golf and craft beer scramble to put out fires. TheAtlantic, May 13, 2016

Cyber Attack

Ubiquiti Networks Gear Used by ISPs Targeted By Worm: ISP equipment maker Ubiquiti Networks is fending off a stubborn worm targeting its networking equipment running outdated AirOS firmware. According to security experts, the worm is already being blamed for crippling networking gear in Argentina, Brazil, Spain and the United States. ThreatPost, May 19, 2016

Cyber Espionage

Cyber espionage malware discovered in Ukraine: ESET researchers have discovered malware that has eluded the attention of anti-malware researchers since at least 2008. Detected by ESET as Win32/Prikormka, the malware is being used to carry out cyber-espionage activities in Ukraine, primarily targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics. ITProPortal, May 20, 2016

Cyber Underworld

Nuclear Exploit Kit: $100K monthly revenue installing Locky Ransomware on vulnerable computers: The Check Point Research team has uncovered the entire operation of one of the world’s largest attack infrastructures. Exploit Kits are a major part of the Malware-as-a-Service industry, which facilitate the execution of ransomware and banking trojans, among others. Their creators rent them to cybercriminals who use them to attack unsuspecting users. Nuclear is one of the top Exploit Kits, both in complexity and in spread. CheckPoint, May 17, 2016

Cybercriminal business model vulnerable to intervention: Cybercrime may be booming but its business model is vulnerable on many fronts, according to a new report. ITWorld, May 17, 2016

Cyber Readiness

Japan on Olympian hacking mission to test utilities, trains, telcos for 2020 Olympics: Japan will from next year conduct mock hacking exercises with governments including the United States and private sector organisations ahead of the 2020 Olympic games. TheRegister, May 20, 2016

Industry guru Tom Kellermann says cybersecurity vendors unable to morph with cybercrime problem: Today’s threat actors are more focused, funded and disruptive than ever. But the cybersecurity defense industry is not built to respond appropriately, says thought leader Tom Kellermann. What are security leaders overlooking? BankInfoSecurity, May 19, 2016

Cyber Gov

One Year After OPM Breach, KPMG Report Shows Federal Cybersecurity Continues to Struggle: Despite repeated high-profile breaches, federal government continues to struggle with its job of keeping personal data and public infrastructure safe. GovernmentTechnology, May 19, 2016

Cyber Politics

U.S. intelligence: Foreign hackers spying on campaigns: WASHINGTON — The United States sees evidence of hackers, possibly working for foreign governments, snooping on the presidential candidates, the nation’s intelligence chief said Wednesday. Government officials are helping the campaigns tighten security as the race for the White House intensifies. FederalTimes, May 19, 2016

Financial Cyber Security

Ecuador Bank Says It Lost $12 Million in Swift 2015 Cyber Hack; Sues Wells Fargo for Loss: Cyber-criminals stole about $12 million from an Ecuadorean bank in a 2015 heist that bears all the hallmarks of later attacks against Bangladesh’s central bank and a small Vietnamese lender. Bloomberg, May 20, 2016

Old ATM malware is back and infecting machines everywhere: An old piece of ATM malware is back, and reportedly more dangerous and harder to detect than ever. According to security researchers from Kaspersky Labs, an updated piece of malware dubbed Skimer has infected numerous Windows-based ATMs across all corners of the globe. BGR, May 19, 2016

Banks, Regulators React to SWIFT Hack: Banks and regulators have begun reviewing SWIFT-related information security practices following the online heist of $81 million from Bangladesh Bank. Authorities say much of that money is still missing. BankInfoSecurity, May 19, 2016

SEC Chair Says Cybersecurity Is No. 1 Risk Facing Financial System: Cybersecurity is the biggest risk facing the financial system, says Mary Jo White, chair of the U.S. Securities and Exchange Commission. BankInfoSecurity, May 18, 2016

Secure the Village

How threat intelligence sharing can help deal with cybersecurity challenges: In the ever-shifting landscape of cyberthreats and attacks, having access to timely information and intelligence is vital and can make a big difference in protecting organizations and firms against data breaches and security incidents. TechCrunch, May 15, 2016

World Economic Forum: Fight Cybercrime Through Increased Public-Private Collaboration: The rising incidents of cybercrime could be easily checked if the private and public sectors learnt to trust each other and share relevant information regarding combating the vice, experts have said. The New Times, May 14, 2016

Cyber Miscellany

Cybersecurity investment to reach $400 million due to IoT threats: The cybersecurity industry could see a boost in venture capital, thanks to the new threats that the Internet of Things (IoT) poses to smart homes, autonomous cars, and future factories. ReadWrite, May 19, 2016







The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not-for-profit research & information sharing center working on the future state of Physical & Cyber Protection and Resilience. The goals of CRC-ICS are to inform industries / critical infrastructures about the fast-changing threats they are facing and the measures, controls and techniques that can be implemented to prepare for these cyber threats.



Cyber Research Center - Industrial Control Systems. 2016

www.crc-ics.net or www.cyber-research-center.net