Iranian hackers continue their DDoS campaign against US banks: BB&T is the latest victim. MiniFlame, apparently a Western espionage tool (InformationWeek thinks it's a US "cyberweapon"), was discovered by accident during an investigation of a Flame command-and-control server, which leads observers to wonder how much other espionage malware is out there. (Flame watches Middle Eastern targets, they observe. What's watching North Korea?)
Rapid7 discovers a zero-day information disclosure vulnerability in Novell ZENworks. Microsoft finds Nitol botnet code in Chinese free malware sites. Researchers demonstrate that pacemakers can be hacked to deliver lethal shocks, and analysts agree that the state of medical device security is "not encouraging."
Adobe and Apple both issue security upgrades.
Gartner predicts that Big Data will drive $232B in IT spending through 2016. Cyber Security Hall of Famer Whitfield Diffie offers the contrarian opinion that a degree of crime is good for the Internet. (He also likens security to reliability: neither is likely to be built in from the bottom up.)
Recent official concern over cyber security should make stock markets bullish on cyber equities, but instead a soft European market and US budget uncertainty have dragged share prices lower. The White House appears to have cleared Huawei of espionage, but concerns about that company and ZTE persist.
Canada's Harper government announces plans to double cyber security spending. Northrop Grumman opens a cyber range in Australia. Australia considers mandating breach disclosure. The Netherlands debates new cyber crime legislation. Volokh Conspiracy blawgers wrap up their discussion of active defense.
Today's issue includes events affecting Australia, Brazil, Canada, China, Georgia, Germany, Greece, India, Iran, Japan, Lebanon, Netherlands, North Korea, Palestinian Territories, Qatar, Russia, Saudi Arabia, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
Iran Renews Internet Attacks On U.S. Banks(Wall Street Journal) Iranian hackers renewed a campaign of cyberattacks against U.S. banks this week, targeting Capital One Financial Corp. and BB&T Corp. and openly defying U.S. warnings to halt, U.S. officials and others involved in the investigation into the attacks said
7 MiniFlame Facts: How Much Espionage Malware Lurks?(InformationWeek) Just how much cyber-espionage malware is currently at large, and who does it target? Kaspersky Lab Monday revealed that in September 2012, its researchers discovered that a mysterious piece of code connected to the Flame malware, which they
Information Disclosure Zero-Day Discovered in Novell ZENworks(Threatpost) A zero-day vulnerability in Novell ZENworks Asset Management Software 7.5 gives access to any files with system privileges and could also allow an attacker to grab configuration parameters, including the backend credentials in clear text, according to Rapid7 exploit developer Juan Vazquez who discovered the vulnerability and wrote an exploit module for Metasploit
Nitol Botnet Shares Code with Other China-Based DDoS Malware(Threatpost) Microsoft has learned that much of the code used by the Nitol malware family is copied from free malware resources hosted on Chinese websites. Microsoft posted portions of the code online this week where similar lines used for denial of service attack functionality are present in Nitol and on the sites in question
Hacked Pacemakers Could Send Deadly Shocks(TechCrunch) The next frontier of computer hacking could be lifesaving medical devices: at a recent developer conference, a pacemaker was wirelessly hacked to send deadly 830 volt shocks
Medical Device Security in Need of Major Upgrade(Threatpost) Security researchers and hackers have spent the last 20 years or so tearing apart all manner of software and hardware, looking for vulnerabilities, attack vectors and bugs, and the advent of embedded and implantable devices has now drawn their attention to this new class of targets. Medical devices, both implantable and external, have become the subjects of quite a lot of research lately, and the results are not encouraging
Could Hackers Change Our Election Results?(Dark Reading) Many of the same vulnerabilities exist in electronic voting systems as the last time we elected a president, and new ones abound that could put voter databases at risk and undermine civic confidence
O2 drops Ericsson after outage(ComputerWeekly) O2 has blamed software provided by Ericsson for the outages its network suffered both last week and in July.
Security Patches, Mitigations, and Software Updates
Adobe Extends Security of Reader and Acrobat With Better Sandbox, Force ASLR(Threatpost) Adobe has upgraded the security capabilities of both Reader and Acrobat with new releases this week, extending the functionality of the sandbox and adding a feature that forces all of the DLLs loaded by the applications to use ASLR, regardless of whether they originally were compiled with ASLR enabled
Don't secure the internet, it needs crime: Diffie(ZDNet) While many people see securing the internet as a means to stopping cybercrime, former vice president for information security and cryptography at the Internet Corporation for Assigned Names and Numbers (ICANN) Whitfield Diffie thinks that internet
IT Pay Raises to Be Almost Twice National Average(ERE) Salaries for tech workers in the U.S. will rise almost twice the national average in 2013 — some will increase even more, up to 12 percent — a symptom of how competitive the competition for talent has become
Insecurity at Internet Security Firms (CHKP, FTNT, FIRE, PANW, IBM, INTC)(24/7 Wall Street) Internet security providers Check Point Software Technologies Ltd. (NASDAQ: CHKP) and Fortinet Inc. (NASDAQ: FTNT) both reported weaker than expected results for the third quarter and both lowered fourth quarter forecasts. Another competitor, Sourcefire Inc. (NASDAQ: FIRE) is falling just as far and just as fast in sympathy
The Warships of Silicon Valley(Wired Business) The giants of the technology world; Google, Amazon, Apple, Facebook, and Microsoft; are locked in a host of epic struggles
Canada To Beef Up Its Cyber Defenses(Wall Street Journal) Canada said it will more than double spending on defense against cyberattacks, amid heightened global worries over cyber warfare
Former Defense Official Calls Congressional Paralysis A Threat(GovExec.com) In an event at The George Washington University's Elliott School of International Affairs, Michele Flournoy, the undersecretary of Defense for policy from 2009 to 2012, said that Congress' inability to pass a budget and set long term policy goals was detrimental to the government, especially in an incredibly complex and dynamic security environment worldwide
Web content management diminishing in importance, says GSA official(Fierce Government IT) The White House's digital government strategy directs agencies to streamline their backend web content management systems and create application programming interfaces, or APIs, for their content. But crafting APIs is far more important than focusing on web platforms, said Gray Brooks, API strategist at the General Services Administration's digital services innovation center
IC runs apps acquisition pilot(Fierce Government IT) The intelligence community is running an acquisition pilot under which qualified apps or widget developers can submit their code to a marketplace and be paid a nominal fee--but if the application's uptake is significant, be paid what it would have cost the federal government to otherwise purchase it, said Dawn Meyerriecks, assistant director of national intelligence for acquisition, technology and facilities
Google's CIO Dilemma(InformationWeek) CIOs are torn between wanting to back a company that represents the future and needing predictability. Google execs must now ask CIOs the right questions--and be prepared for stubborn answers
What Huawei, ZTE Must Do To Regain Trust(InformationWeek) The U.S. is not the only country scrutinizing the security of Chinese-made telecom equipment from Huawei and ZTE. Without major changes, significant contracts are at risk
QinetiQ Names TASC, GDIT Vet Bruce Feldman National Systems SVP(Govconwire) Qinetiq North America has appointed Bruce Feldman senior vice president for the national systems sector within the mission and information solutions operating unit, the company announced Monday. He will manage service delivery and technology development for contracts with both intelligence and defense customers
Google opens data center Kimono: Why cloud players will follow(ZDNet) Google and Facebook are opening up about their data centers. Why? It's the best asset to earn trust as a steward of your data. Web giants are throwing the doors open to their data centers in a move that would look bizarre in most industries. This go round it's Google, which is showing off its Lenoir, NC data center
IBM claims first with Hadoop data security suite(The Register) IBM is launching what it claims is the first data security system for Hadoop, as part of its biggest product rollout of security software and services yet seen from the company. Big Blue's not the highest profile security firm, but it has been buying in a lot of talent over the last three years and last year grouped staff and resources around a dedicated security unit. That team has now released a raft of new and updated products as part of a drive to make the company something for everything, from the datacenter to the mobile
Seagate unveils three new enterprise-class HDDs(Help Net Security) Seagate announced three new enterprise-class hard disk drives optimized for traditional data centers and emerging cloud infrastructures. Perfect for cloud bulk data storage, the Seagate Enterprise
Cloud-based document security from SealPath(Help Net Security) SealPath launched its cloud-based software solution for Professionals and Enterprise users. Using SealPath technology, documents containing sensitive business information are encrypted before they are
Cloud security application uses electronic fingerprint(Help Net Security) Intrinsic-ID launched Saturnus, an application that allows users to protect data with their mobile devices before sending it to the cloud. It is the first application that offers security based on the
Cisco and Citrix partner on networking and cloud(Help Net Security) Cisco and Citrix announced an expansion of their desktop virtualization partnership into three strategic areas: cloud networking, cloud orchestration, and mobile workstyles
Thales Intros World's Fastest Elliptic Curve HSMs(Dark Reading) "As the use of cryptography becomes a mainstream approach to protecting critical systems and valuable data, there is a requirement for algorithms that address the needs of important new markets. The rise of the smartphone and the emergence of
Adobe Reader and Acrobat get another layer of security(Ars Technica) Adobe announced new security features this week for its Reader and Acrobat XI products, including enhanced sandboxing, Force ASLR, PDF whitelisting, and Elliptic Curve Cryptography. In addition to a number of new features enhancing Reader's and
Microsoft says Surface screen outperforms iPad Retina display(Apple Insider) Microsoft says Surface screen outperforms iPad Retina display. By Neil Hughes. Even though Microsoft's new Surface has a lower resolution screen than the Retina display on the new iPad, one Microsoft engineer has argued that the Surface offers superior
Windows 8 leaves users 'dazed and confused'(BGR) Windows 8 Resistance. There's no doubt about it that Microsoft's (MSFT) upcoming Windows 8 is a huge upgrade. Gone is the Start menu and in its place is a Windows Phone-inspired Start screen populated with flat and colorful tiles for launching applications
SAP Launches Cloud Platform Built On Hana(InformationWeek) SAP's in-memory technology is the differentiator for application services and database services that will take on Oracle and Salesforce.com in the cloud
Technologies, Techniques, and Standards
Cyber Security Awareness Month - Day 17 - A Standard for Risk Management - ISO 27005(Internet Storm Center) A word that I'm hearing a lot these days from clients is "Risk". And yes, it has a capital R. Every time. Folks tend to think of any risk as unacceptable to the business. Every change control form now-a-days has a Risk Assessment and Risk Remediation sections, and any issue that crops up that wasn't anticipated now becomes a process failure that needs to be addressed
Electric Sector Security Metrics Motherload(Smart Grid Security) Not all are technical metrics, nor are they all technically, metrics. But in the space of just a few months this summer, North American electric utility executives and their security leadership have seen a spate of new guidance documents published that intend to help them manage, monitor, and measure the effectiveness of their cyber risk mitigation strategies and controls. Where once there was just the cross-sector ISO 27000 series to steer your security course by (or for Federal folks, FISMA), there are suddenly a near handful of freshly minted how-to manuals at their disposal
How to comply with updated NIST incident response guidelines(TechTarget) "Incident Handling Guide (SP 800-61) [PDF]. This third revision offers guidance on issues that have arisen since the last release in March 2008 with an emphasis on addressing new technologies and attack vectors, changing the prioritization criteria for incident response and facilitating information sharing. In this tip, we examine these major changes and discuss how to integrate them into a security and compliance program
Ask The Experts: Favorite Security Tools(infosec island) I'm in the risk management area of information security; I don't know enough about technical information security tools to give an informed opinion about them. However, my favorite information security tool is the Consensus Audit Group's Twenty Critical Security Controls for Effective Cyber Defense (which is very similar to MicroSolved's own 80/20 Rule of Information Security). The CAG as I call it gives me as a risk manager clearer, more proactive, and detailed information security guidance than any of the other standards such as the ISO or NIST
Time to rethink network management(Help Net Security) The acceleration in data speeds and volumes in telecom networks is increasing the need for real-time network management solutions, according to Napatech. Network probes have been identified
The Secure Operating System Equation(Dark Reading) Many experts like the idea of a purpose-built, secure operating system. It's just that adopting one is not so straightforward, even if it's specifically for security-strapped SCADA systems. Hardened, secure operating systems for sensitive computing environments are nothing new. Trustix, SELinux, Sidewinder SecureOS, and Green Hills Integrity are among many secure OSes, some that have survived for niche environments and others that have faded into obscurity
How One Midsize Bank Protects Against Hacks(InformationWeek) In light of ongoing hacktivist attacks on major banks, Lake Trust Credit Union information security pro shares insights on how a smaller bank stays secure without too-big-to-fail resources
Design and Innovation
FireEye Earns JPMorgan Chase Hall of Innovation Award(Equities.com) FireEye, Inc., the leader in stopping advanced cyber attacks, today announced that it was inducted into the JPMorgan Chase Hall of Innovation. FireEye received the award for helping protect JPMorgan Chase
UIT promotes cybersecurity on campus this month(Tufts Daily) In light of increased global awareness about the importance of password security on smartphones and tablets, UIT has declared mobile passwords its focus for the Department of Homeland Security's National Cyber Security Awareness month. Theft of cell
UW Tacoma forging jobs, training links in cyber security(Business Examiner) Cyber security is an industry ripe for growth in the South Sound – and one with zero current unemployment here, according to the University of Washington Center for Information Assurance and Cyber Security. Thus, the UW Tacoma campus is combining its
Dutch Govt Expresses Intent To Draft New Cybercrime Legislation(infosec island) On October 15th 2012, the Dutch Minister of Security & Justice (Ivo Opstelten) sent this letter (.pdf in Dutch) to the Dutch parliament expressing intentions to draft new cybercrime legislation in the Netherlands. Below is my Dutch-to-English translation of the entire letter
India Cyber Security: Need For More Robust Approach - Analysis(Eurasia Review) Even as cyber wars have become a reality across the globe, India's security czars have issued a report on Recommendations of the Joint Working Group (JWG) on Engagement with Private Sector on Cyber Security. The pork barreled Report which appears to be designed to benefit the large Information Technology sector in the country has a narrow focus that of convergence in public and private sector on cyber security. The motive is laudable yet the proposals appear to be too infirm to facilitate development of capabilities in meeting the challenges in the cyber domain in real time
Sen. Rockefeller asks Fortune 500 CEOs for cybersecurity best practices(Homeland Security Newswire) Last month, Senator Jay Rockefeller (D-West Virginia) sent a letter to the CEOs of Fortune 500 companies asking them what cybersecurity practices they have adopted, how these practices were adopted, who developed them, and when they were developed. Many saw Rockefeller's letter as an admission that the Obama administration does not have a basis for trying to impose cybersecurity practices on the private sector through the Cybersecurity Act of 2012. When the act failed to get through the house in early August, the Obama administration said it would consider an executive order to mandate the main clauses in the stalled act, but this has not happened yet
Measured Response to a Limited Threat(New York Times) Federal regulation will only crowd out innovation. The fact is that there is no evidence that anyone has ever died as a result of a cyber attack. And the evidence of cyber attacks causing physical destruction is limited to very subtle and targeted
The Cybersecurity debate(FederalNewsRadio.com) The nation's critical infrastructure needs to be improved to ward off a potential catastrophic cyber attack but the Cybersecurity Act of 2012 is stalled in Congress. What are the President's next steps and how much will this cost? Financial Analyst
Holes in US cyber security(Los Angeles Times) Any business that complied with these practices would have been immune to punitive damages if customers sued them in the event of a successful cyber attack, which is a sensible incentive to participate. Business groups are backing a bipartisan House
Chinese cyber-criminals caught laundering $48 mln through online games(Cyberwarzone) In China's largest ever cybercrime bust, the authorities have nabbed a gang suspected of defrauding small-business owners of around 300 million (about $48 million)… The cyber-criminals contacted their victims through Chinese instant-messaging service QQ, where they offered naive users a link to a deal they couldn't refuse
Cyber crime can strangle your business, not just your IT(Cyberwarzone) A conference on the rising threat of cyber attacks emphasised the need for businesses to do more than merely comply with rules. At RSA's Europe conference 2012 in London last week, the information security sector made a case for appropriating the old line about not knowing which 50 per cent of spending is wasted. In keynotes and executive briefings, RSA executives kept returning to the theme that too many businesses invest in the wrong areas of security. For some, dealing with the issue has simply become a box-ticking exercise that owes more to regulatory compliance than addressing actual threats
The Big Chill: How Obama Is Operating in Unprecedented Secrecy(Huffington Post) Prosecutors had filed 10 felony charges against Thomas Drake, a National Security Agency (NSA) whistleblower who allegedly provided classified information about mismanagement at the NSA to a Baltimore Sun reporter. But days before the trial was to
Obama Pursuing Leakers Sends Warning to Whistle-Blowers(Businessweek) "They want to destroy you personally," said Thomas Drake, a senior National Security Agency employee prosecuted in 2010 by Obama's Justice Department under the Espionage Act. The message to government workers seeking to expose waste, fraud and
The Legality of Counterhacking: Baker's Last Post(Volokh Conspiracy) Now the debate with Orin is actually getting somewhere. Sort of. Here's a scorecard: 1. Does authorization depend exclusively on ownership? Orin's latest post does a good job of showing that the CFAA often draws a coherent distinction between rights in data and rights in a computer, and that rights in the computer are the statute's principal focus. I don't disagree
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Anatomy of an Attack(New York, New York, November 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
ZeroNights(Moscow, Russia, November 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense...
Passwords^12(, January 1, 1970) Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO...
BayThreat(Sunnyvale, California, December 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
25th Annual FIRST Conference(Bangkok, Thailand, June 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.