The Syrian Electronic Army (SEA) successfully attacks US media outlets, including the Washington Post. The SEA (generally believed to operate on behalf of the Assad regime with significant Iranian support) used spoofed Outlook pages in a phishing campaign that compromised Outbrain as a way into media accounts.
The Chinese government continues its pressure on Tibetan sites, and TechWeek Europe alleges that cyber security researchers inadvertently aid the repression through ill-conceived honeypots.
North Korea conducts information operations against the South through what observers call an "army of trolls." Pakistani hackers continue to riot against Indian sites.
The US Department of Energy acknowledges a data breach (personal information compromised), and the New York Times recovers from what it calls (in the face of mild skepticism) an IT error as opposed to a cyber attack. Those who follow SCADA security will read with interest news of a glitch that opened a Florida prison's cells.
Obfuscation through feigned ineptitude cloaks a clever exploit kit targeting cyber security researchers.
Malware sandboxing appears to have plateaued in effectiveness. Researchers cast about for automated, non-signature-based approaches to malware detection.
China announces plans to investigate IBM, Oracle, and EMC as security risks. Understandable skittishness post-Snowden apart, the Chinese government is happy to retaliate against US strictures on Huawei and Lenovo. The US and China will inevitably grope toward a security modus vivendi.
The US Intelligence Community remains in domestic and international hot water over electronic surveillance, with new allegations of NSA privacy violations. The President's Intelligence Advisory Board shrinks surprisingly.
Today's issue includes events affecting Australia, China, Germany, India, Iran, Ireland, Israel, Republic of Korea, Democratic People's Republic of Korea, Pakistan, South Africa, Syria, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
Washington Post Hacked By Syrian Electronic Army (Dark Reading) The Syrian Electronic Army is taking credit for hacks of the Washington Post and other U.S. media targets earlier this week. In a blog posted Thursday, Washington Post Managing Editor Emilio Garcia-Ruiz wrote: "A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information
Washington Post Site Hacked After Successful Phishing Campaign (Krebs on Security) The Washington Post acknowledged today that a sophisticated phishing attack against its newsroom reporters led to the hacking of its Web site, which was seeded with code that redirected readers to the Web site of the Syrian Electronic Army hacker group. According to information obtained by KrebsOnSecurity, the hack began with a phishing campaign launched over the weekend that ultimately hooked one of the paper's lead sports writers
Oh, those crazy Syrian hackers: Now Wash Post, CNN, Time vandalised (The Register) Gawd darn it, can't anyone secure their websites? Syrian hacktivists claim they are the vandals responsible for scribbling over the websites of CNN, Time mag and The Washington Post yesterday. But these latest boasts by the Syrian Electronic Army (SEA) are somewhat misleading, according to computer security experts who say that the hacking crew actually ransacked Outbrain - a marketing biz used by WashingtonPost.com, Time.com and plenty of others to provide links to related articles and stuff online
The Dangers External Services Present To Your Website (Sucuri) Today the Washington Post reported that they were victims of a hack, orchestrated by the Syrian Electronic Army. This attack is interesting because it sheds light on the anatomy of attacks that appear sophisticated, but are something we're seeing on a daily basis
Tibetans Under Cyber Attack — And The Security Industry Isn't Helping (TechWeek Europe) Tibetans are pummelled with cyber attacks, but the security industry is not helping, and may even be hindering, TechWeek hears. Cyber Repression: Every month or so, a report on the latest malware attack aimed at Tibetans will emerge. But the reality is the frequency and range of Internet-based assaults on the people of Tibet, as well as their families, friends and associates, are far greater than people know
NORKS build TROLL ARMY to tear down S Korean surfers (The Register) No, we're not too hungry to concentrate on posting propaganda… North Korea has tasked 200 agents with the job of posting negative comments online, often using stolen online identities, in a bid to undermine the morale of their neighbours in the South
Department of Energy Hacked Again (Wall Street Journal) The United States Department of Energy notified employees via an email Wednesday that hackers gained personal information, such as names and social security numbers, of 14,000 current and former agency employees as the result of a hack that occurred in late July. This is the second attack this year that involved a breach of employee data
Don't Underestimate Directory Traversal Attacks (Dark Reading) About as simple to fix as they are to exploit, directory traversal vulnerabilities stand as a persistent threat in the application environment. And yet it is one which many developers and even security teams are unaware can lead attackers to gain valuable information about how a system is organized, to get access to sensitive files on the application server or even to easily leverage to start other attacks on that server or the rest of the network
Carpet-bombing the Internet with computing clusters (FierceITSecurity) A security researcher presenting at Def Con said that a single attacker could use distributed computing infrastructure (not a botnet, but an intentionally created attack cluster) to "carpet-bomb" the Internet
Personalized Exploit Kit Targets Researchers (Krebs on Security) As documented time and again on this blog, cybercrooks are often sloppy or lazy enough to leave behind important clues about who and where they are. But from time to time, cheeky crooks will dream up a trap designed to look like they're being sloppy when in fact they're trying to trick security researchers into being sloppy and infecting their computers with malware
Cracking Crypto Just Got a Little Easier (Threatpost) It's been a brutal month for crypto. Starting with the Black Hat conference, researchers, engineers and hackers have been unveiling new weaknesses and attacks in different cryptographic implementations that threaten the security of communication and commerce on the Web
Aussie ATM criminals embrace 3D printers for cashpoint crimes (Naked Security) As you can probably imagine, it didn't take long for controversial uses to emerge for 3D printers, and one of the most newsworthy was the idea of "printing" parts for firearms. Now, crooks in Sydney are printing their own ATM skimming devices
Security Patches, Mitigations, and Software Updates
Google to encrypt Cloud Storage data by default (CSO) Users can choose if they want to hold the encryption keys themselves. Google said Thursday it will by default encrypt data warehoused in its Cloud Storage service. The server-side encryption is now active for all new data written to Cloud Storage, and older data will be encrypted in the coming months, wrote Dave Barth, a Google product manager, in a blog post
The Increasing Failure Of Malware Sandboxing (Dark Reading) The past three years have seen many organizations adopt and deploy in-house dynamic sandboxing technologies tasked to detect and block specific classes of malware. Most advocates of the approach will point to malware samples that were detected via the sandbox, but missed by conventional antivirus signature systems, and seek to justify the investment through these simple metrics
Medical Hacking Poses a Terrifying Threat, in Theory (FreeNewsPos) In the world of hypothetical cybercrime, not much is scarier than the hacked medical device. Compromised pacemakers played a central role last year in an episode of Homeland and provided a macabre side note to this year's Black Hat conference for hackers
South Africa Cyber Threat Barometer (Wolf Pack) A scalpel in the right hands can save lives. In the wrong hands it can cause serious damage. Information is no different. Today it is the lifeblood that connects people, organisations and nations around the globe. Increasingly information traverses within cyber arteries powered by information and communication technologies (ICTs)
TESPOK cybersecurity report identifies banks, VOIP as top targets (CIO East Africa) Voice Over Internet Protocol is the biggest security threat facing enterprises in Kenya. William Makatiani, Director, Serianu Limited, says that from analysis of threats on traffic passing through the Kenya Internet Exchange Point (KIXP), firms were losing a lot of money through illegal use of VOIP. He was presenting at the launch of the first quarterly security report by the Telecommunications Service Providers Association of Kenya (TESPOK) held last week Thursday
NSA to set up new outpost in North Carolina, IBM to build super security lab (CivSource) Earlier this week, CivSource reported on $6 billion in awards made by the Department of Homeland Security (DHS) to 17 Big IT vendors for cybersecurity. Now, the NSA has announced that it will also be opening a new outpost in North Carolina, and IBM made a strategic acquisition of Israeli company Trusteer in its effort to build a super security lab
Department of Homeland Security seeks big data vendors (FierceBigData) Uncle Sam wants you, big data vendors, to help guide his future big data expenditures. Apparently, the Department of Homeland Security has plans to make big data analysis an even bigger part of its mission in the near future and it wants to know what products are commercially available. But no, you can't just cold call them and make an appointment to pitch your wares. First you must compete for a presentation slot
IBM acquires Israel's Trusteer, Apple reportedly buys Matcha (Jerusalem Post) IBM says acquisition would bring together over 200 employees from the two companies for a cyber-security lab in Israel. The Israeli market saw acquisitions from two of the world's leading technology companies, as IBM announced its acquisition of cyber-security firm Trusteer and Apple reportedly snatched up TV application Matcha
Products, Services, and Solutions
Trsst Is A Secure Twitter For The Post-Snowden Internet (TechCrunch) In a world where tweeting is the new texting, there are some folks out there who want to broadcast their thoughts – but with an acceptable level of security. That's where Trsst comes in. It is, in short, an encrypted messaging platform that turns your short messages into a p2p style collaboration system
Data visualization: Beneficial but perilous (IT World) With more data visualization tools readily available, more kinds of people — not just data scientists or trained data analysts — are able to create data visualizations. That opens up the potential for the creation of misleading data visualizations
How to totally screw up privacy, while pretending to do privacy (CSO) Security and privacy aren't new. Security professionals have been beating the same drum for a decade, and yet security continues to be an afterthought for many organizations and developers, and the actual goal is frequently obscured by smoke and mirrors attempts to achieve it
What to expect with PCI DSS 3.0 (Help Net Security) The PCI Security Standards Council (PCI SSC) published PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 change highlights
Error 451 — Unavailable for Legal Reasons (Infosecurity Magazine) The Open Rights Group has launched a campaign for the adoption of a new HTTP 400 range status code: Error 451, designed to indicate that access to a page or website is unavailable by court order
How companies can use big data without inciting public backlash (FierceBigData) Many big data users are reluctant to reveal how they are collecting and using data on consumers in general and customers in particular. Such timidity is understandable, given that the public has been roughly awakened to the realities of what such data collection means in terms of their privacy, and it's certainly not happy about it
Gmail Is Not A Privacy Problem (InformationWeek) Is there really informed consent among Gmail users? The real privacy issue is we're all getting by on a lot of trust
Finding security clues in your network data (FierceITSecurity) In this Fixing Infosec series, we're asking experts this question: If IT security is losing the battle to keep enterprise data safe, what one thing can be done to dramatically improve data security? In this installment we turned to Jay Jacobs, a long-time information security practitioner. Jacobs is now a principal at Verizon Business and vice president of the Society of Information Risk Analysts. His advice is simple in theory, but difficult for most organizations in practice: for companies to collect and make better use of IT security clues within the data they already have
Research and Development
How Bad is it? — A Branching Activity Model to Estimate the Impact of Information Security Breaches (SSRN) This paper proposes an analysis framework and model for estimating the impact of information security breach episodes. Previous methods either lack empirical grounding or are not sufficiently rigorous, general or flexible. There has also been no consistent model that serves theoretical and empirical research, and also professional practice. The proposed framework adopts an ex ante decision frame consistent with rational economic decision-making, and measures breach consequences via the anticipated costs of recovery and restoration by all affected stakeholders. The proposed branching activity model is an event tree whose structure and branching conditions can be estimated using probabilistic inference from evidence – 'Indicators of Impact.' This approach can facilitate reliable model estimation when evidence is imperfect, incomplete, ambiguous, or contradictory. The proposed method should be especially useful for modeling consequences that extend beyond the breached organization, including cascading consequences in critical infrastructures. Monte Carlo methods can be used to estimate the distribution of aggregate measures of impact such as total cost. Non-economic aggregate measures of impact can also be estimated. The feasibility of the proposed framework and model is demonstrated through case studies of several publicly disclosed breach episodes
Malware bites and how to stop it (ECN) Antivirus software running on your computer has one big weak point - if a new virus is released before the antivirus provider knows about it or before the next scheduled antivirus software update, your system can be infected. Such zero-day infections are common
Researchers Seek Better Ways To Track Malware's Family Tree (Dark Reading) Following a program's evolution back to the author may not yet be a reality, but computer scientists are searching for more accurate measures of the relationships between software versions. Using basic features of software programs, researchers from Carnegie Mellon University have been able to organize related code into family trees, connecting initial versions to subsequent updates, using techniques that could allow malware analysts to more quickly triage unknown threats
Audit: NSA Repeatedly Broke Privacy Rules (Washington Post) The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008, according to an internal audit and other top-secret documents
Spying Blind (Foreign Policy) The National Security Agency has an intelligence problem: It won't admit how dumb it is. The Obama administration's claim that the NSA is not spying on Americans rests on a fundamental assertion: That the intelligence agency is so good at distinguishing between innocent people and evildoers, and is so tightly overseen by Congress and the courts, that it doesn't routinely collect the communications of Americans en masse
NSA still in hot water (CBS News) The National Security Agency has had a challenging summer, and it appears things are about to get more difficult. A debate has raged all summer
Lies, Damned Lies, And The NSA (TechCrunch) Today the Washington Post reported documents demonstrating that the NSA breaks privacy laws "thousands of times" each year. Consider this the conclusion of what was the last-ditch argument put forth to defend the NSA: Yes, they have the capability to abrogate your Constitutional rights, but there is no evidence of abuse! Wrong. We now have proof that the NSA both wittingly and unwittingly
Obama upends intel panel (Politico) The White House dismissed the bulk of President Barack Obama's premier panel of outside intelligence advisers earlier this year, leaving the blue-ribbon commission largely vacant as the public furor built over the National Security Agency's widespread tracking of Americans' telephone calls
Cloud Panel Calls for Transparency While Warning Against Over-Reaction (Virtualization Review) Well before Edward Snowden leaked classified information that disclosed, among other things, the PRISM surveillance operation led by the U.S. government's National Security Agency (NSA), the Cloud Security Alliance (CSA) had established mechanisms for service providers to disclose their data-protection practices
Auditors praise DHS classification management (FierceGovIT) Auditors find that Homeland Security Department components are doing a good job implementing a 2009 executive order against over-classification and subsequent law that specifically requires the homeland security secretary to develop strategy against over-classification
Can DHS Be Trusted to Protect Gov't IT? (GovInfoSecurity) Bruce McConnell, who just stepped down as one of the federal government's top cybersecurity policymakers, says he understands why some lawmakers don't trust DHS with significant authority to safeguard government IT
Death By A Million Regulations (InformationWeek) It is long past time to assess the consequences of the endless laws, codes, rules, licenses and guidelines governing just about every human activity
Snowden Downloaded NSA Secrets While Working For Dell, Sources Say (Reuters) Former intelligence contractor Edward Snowden began downloading documents describing the U.S. government's electronic spying programs while he was working for Dell Inc in April 2012, almost a year earlier than previously reported, according to U.S. officials and other sources familiar with the matter
Court: Ability To Police U.S. Spying Program Limited (Washington Post) The leader of the secret court that is supposed to provide critical oversight of the government's vast spying programs said that its ability to do so is limited and that it must trust the government to report when it improperly spies on Americans
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Suits and Spooks NYC 2013 (New York, New York, October 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state...
National SCADA Conference (Melbourne, Victoria, Australia, August 15 - 16, 2013) The 12th Annual National SCADA Conference, Australia's largest and longest running SCADA conference, will bring together many of the luminaries of the Australian and International SCADA community to evaluate...
SANS Thailand 201 (Bangkok, Thailand, August 19 - 31, 2013) SANS hands-on advanced Information Security training is coming to Thailand this August! SANS is bringing our Web App Penetration Testing course to the Crowne Plaza Bangkok Lumpini Park in Bangkok, Thailand.
Defense Logistics Agency Tech Expo (Fort Belvoir, Virginia, USA, August 20, 2013) Industry exhibitors are invited to showcase and discuss the latest information services and technology to the personnel at the McNamara HQ Complex.
Human Cyber Forensics Forum (Washington, DC, USA, August 21, 2013) This forum brings together subject matter experts to discover and share new means of recognizing the human indicators related to cyber intrusions, and the evolution of these human indicators in the coming...