The New York Times and other victims of this week's Syrian Electronic Army (SEA) attack restore service. Analysts draw some lessons from the phishing-enabled campaign: choose domain registrars carefully (although nota bene: MelbourneIT has a strong security reputation), use registry locks (they helped soften the blow to Twitter), and don't neglect either DNSSEC or domain monitoring.
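The registrar-side lessons above (registry locks, DNSSEC, domain monitoring) come down to watching a few pieces of state that an attacker holding a phished registrar or reseller account would change. The following is an added illustration, not code from the CyberWire or any of the outlets cited: a drift check that compares a fresh snapshot of a domain's delegation, apex A records, EPP status codes and DS presence against a signed-off baseline. The domain names, IP addresses (documentation ranges) and snapshots are constructed; a real deployment would populate the snapshot from DNS and whois/RDAP output.

```python
from dataclasses import dataclass

# EPP status codes. "server*" codes are set by the registry (a registry lock)
# and cannot be cleared from the registrar's control panel; "client*" codes
# are set by the registrar and fall with a compromised registrar account.
REGISTRY_LOCK_CODES = frozenset({
    "serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"})
REGISTRAR_LOCK_CODES = frozenset({
    "clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"})


@dataclass(frozen=True)
class DomainSnapshot:
    """One observation of a domain's registry/registrar and DNS state."""
    domain: str
    nameservers: frozenset   # NS set delegated by the parent zone
    apex_a: frozenset        # A records served for the bare domain
    statuses: frozenset      # EPP status codes as shown by whois/RDAP
    dnssec_ds: bool          # DS record(s) present in the parent zone


def lock_level(snap: DomainSnapshot) -> str:
    """Classify the strongest lock on the domain: registry, registrar, or none."""
    if REGISTRY_LOCK_CODES <= snap.statuses:
        return "registry"
    if REGISTRAR_LOCK_CODES & snap.statuses:
        return "registrar"
    return "none"


def diff_snapshots(baseline: DomainSnapshot, current: DomainSnapshot):
    """Return (severity, message) findings; an empty list means no drift."""
    if baseline.domain != current.domain:
        raise ValueError("snapshots are for different domains")
    findings = []
    if current.nameservers != baseline.nameservers:
        findings.append(("critical", "NS changed: %s -> %s" % (
            sorted(baseline.nameservers), sorted(current.nameservers))))
    if current.apex_a != baseline.apex_a:
        findings.append(("high", "apex A changed: %s -> %s" % (
            sorted(baseline.apex_a), sorted(current.apex_a))))
    base_lock, cur_lock = lock_level(baseline), lock_level(current)
    if cur_lock != base_lock:
        sev = "critical" if base_lock == "registry" else "high"
        findings.append((sev, "lock level changed: %s -> %s" % (base_lock, cur_lock)))
    if baseline.dnssec_ds and not current.dnssec_ds:
        findings.append(("high", "DS records removed from parent zone"))
    if cur_lock != "registry":
        findings.append(("info", "no registry lock: a registrar-account compromise can rewrite NS"))
    return findings


# Constructed sample data: invented hostnames, RFC 5737 documentation addresses.
BASELINE = DomainSnapshot(
    "newspaper.example",
    frozenset({"ns1.dnshost.example", "ns2.dnshost.example"}),
    frozenset({"192.0.2.10"}),
    frozenset({"clientTransferProhibited"}),   # registrar lock only
    True)
HIJACKED = DomainSnapshot(                     # delegation rewritten at the registrar
    "newspaper.example",
    frozenset({"ns1.rogue-dns.example", "ns2.rogue-dns.example"}),
    frozenset({"198.51.100.7"}),
    frozenset(),
    False)
REGISTRY_LOCKED = DomainSnapshot(              # same domain with a registry lock added
    "newspaper.example",
    BASELINE.nameservers, BASELINE.apex_a,
    BASELINE.statuses | REGISTRY_LOCK_CODES, True)


if __name__ == "__main__":
    for sev, msg in diff_snapshots(BASELINE, HIJACKED):
        print(f"[{sev}] {msg}")
```

Running the check on a schedule and alerting on any "critical" or "high" finding gives the domain-monitoring coverage the analysts recommend; the "info" line is the reminder that only a registry lock survives a registrar-account compromise.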
FireEye reminds us that the SEA has also hit international communications websites True Caller and Viber as well as media outlets. Other Internet brands (especially banks) are at risk of similar attack.
Krebs and Motherboard believe they've fingered some members of the SEA, which the SEA (whoever they are) denies. And at least one hacktivist, possibly American, has been working against the SEA to disrupt the Assad regime's infrastructure.
The Syrian civil war, amid its grief and tragedy, offers an object lesson in asymmetric warfare, a lesson likely to grow sharper should US-led punitive combat materialize over the next few weeks. Assad has considerable support in Iran and (to a lesser extent) Russia, both of which are capable of augmenting his regime's offensive cyber capabilities.
Several interesting exploits circulate in the wild. One affords another example of malware evolution: Kehilos is using legitimate blacklisting services to vet potential bots.
ITWorld declares secure email dead, but a great spike in Tor usage shows that demand for private, anonymous, and secure online communication remains unsatisfied.
French prosecutors open an investigation of PRISM. The US Secret Service traces recent high-profile retail POS crimes to an overseas cybergang.
Today's issue includes events affecting Australia, France, India, Iran, Russia, Syria, United Arab Emirates, United Kingdom, United States.
Please note that in observance of the US Labor Day holiday, the CyberWire will publish as normal tomorrow, then take a break Monday. We'll resume normal publication Tuesday.
Cyber Attacks, Threats, and Vulnerabilities
New York Times and Twitter UK stumble to their feet after 'spooky' Syrian Electronic Army hack(ITProPortal) The New York Times came back online after a hack of Internet registrar MelbourneIT allowed the Syrian Electronic Army to compromise the newspaper's website. The site was still experiencing intermittent connection issues, though. For those unable to access NYTimes.com, the paper is also publishing stories on news.nytco.com. In a blog post explaining the hack, Matthew Prince, CEO of security firm CloudFlare, categorised it as a "very spooky attack" since "MelbourneIT is known for having higher security than most registrars"
Phishing email grants hackers access to DNS records of major websites(SC Magazine) A phishing attack, one of the most common and oldest cyber tricks in the book, enabled hackers to hijack and modify the DNS records for several domains on Tuesday, including The New York Times, Twitter and the Huffington Post UK on Tuesday. Representatives of the impacted entities have said their systems are now operating normally, and there are no lingering or long-term effects. In fact, the companies were not even the ones targeted by the attackers, who claimed to be the Syrian Electronic Army, a band of pro-Assad hacktivists responsible for a number of IT takedowns in recent months
NYT/Twitter Hacks Show DNS Is Not Broken, But Domain Registrars Might Be(TrendLabs Security Intelligence Blog) The recent attacks on New York Times, Twitter and others, while DNS-related, were not the result of a weakness in the DNS at all. They resulted from weaknesses in domain registrar infrastructure. The DNS components related to this event performed exactly as they were designed and instructed to do
Banks Vulnerable to Same Type of Attack That Hit Times Website(American Banker) Banks have good reason to pay attention to the cyberattack that hit the New York Times, Twitter and Huffington Post websites yesterday and apparently resumed on the Times site today — they are vulnerable to the same type of assault
Analysis: Syria, aided by Iran, could strike back at U.S. in cyberspace(Irish Times) If the United States attacks Syria, it will be the first time it strikes a country that is capable of waging retaliatory cyberspace attacks on American targets. The risk is heightened by Syria's alliance with Iran, which has built up its cyber capability in the past three years, and already gives the country technical and other support. If Iran stood with Syria in any fray with the United States that would significantly increase the cyber threat, security experts said
Syria, Iran armed for cyberwar with U.S.(Washington Times) Syria and its ally Iran have been building cyberattack capabilities for years and soon might have a chance to use their skills in a hot war for the first time. Former U.S. officials and cybersecurity scholars say Syria has a demonstrated cyberattack capability and could retaliate against anticipated Western military strikes against Syria for its suspected chemical weapons attack against civilians in the country's 2-year-old civil war
NY Times Caught In Syrian Hacker Attack(InformationWeek) Hacks amount to "warning shots," threatening more widespread cyberattacks should the U.S. and allies launch military campaign against Syria, warns security expert
Spear phishing led to DNS attack against the New York Times, others(PCWorld) The cyberattack that resulted in nytimes.com and some other high-profile websites being inaccessible to a large number of users Tuesday started with a targeted phishing attack against a reseller for Melbourne IT, an Australian domain registrar and IT services company
Who Built the Syrian Electronic Army?(Krebs on Security) A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I'll be taking a closer look at this organization, starting with one of the group's core architects
Hacker points Syrian telecom website to AT&T, T-Mobile(ComputerWorld) The website of a Syrian telecommunications provider redirected to AT&T's website and then T-Mobile's on Wednesday, an apparent prank by a hacker who has been probing the country's Internet infrastructure for several days
Hackers target ISRO, BARC, ECIL, and Tata servers(Economic Times) The website of the Electronics Corporation of India Ltd (ECIL) was hacked and documents involving the Bhabha Atomic Research Centre (BARC) and Indian Space Research Organization (ISRO) were leaked by an online hacker on Saturday. They also claimed to have hacked the Tata Motors site
Alamo Colleges fend off cyber attack(San Antonio Express) The Alamo Colleges shut down several computer systems Wednesday to protect them from a cyber attack, officials said. The community college district
Suspect Sendori software(Internet Storm Center) Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 188.8.131.52 which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users" this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process
Unpatched Mac bug gives attackers "super user" status by going back in time(Ars Technica) Researchers have made it easier to exploit a five-month-old security flaw that allows penetration testers and less-ethical hackers to gain nearly unfettered "root" access to Macs over which they already have limited control. The authentication bypass vulnerability was reported in March and resides in a Unix component known as sudo
Facebook Hijacked to Spread Chrome, Firefox Browser Malware(Infosecurity Magazine) Facebook is being used to spread malware again, this time through messages claiming to be from friends wanting to share videos. The "video link" of course opens a door for hackers to hijack users' Facebook accounts and web browsers
RODECAP spam scripts analysed(Blog de Seguridad de INTECO) After reading the abuse.ch post about the RODECAP botnet, we could get some samples of the scripts used by the botnet to send spam. abuse.ch also sent us a dump of the communication from a RODECAP sample, so we started the analysis using the PCAP received and our scripts
New Malware Needs its Mouth Washed Out with Soap(Infosecurity Magazine) Most malware has a nasty disposition, hence the "mal" part of the word, and hackers have been known to build in very special messages that display mocking phrases to victims like "ha ha ha!" or "better luck next time," and so on. But hackers have now elevated trash-talking to the next level, with a bug that swears like a sailor
Simulated Attacks Show C–Level Executives Can Make Easy Targets for Spear-Phishers(Cyveillance) Wombat Security Technologies recently talked to Security Week about the on-going problem with executives falling for spear-phishing attacks. Wombat, which specializes in testing a company's vulnerability to phishing attacks, noted that executives are often the first to fall prey to attackers when it comes to clicking links and providing login data
Reverse-Engineering Renders Dropbox Vulnerable(Silicon Angle) Dropbox might be the most widely used cloud storage and sharing service in the world, with over 25 million users and adding about 200 million files daily, but its security is constantly being questioned, and not just because of the NSA
Java Native Layer Exploits Going Up(TrendLabs Security Intelligence Blog) Recently, security researchers disclosed two Java native layer exploits (CVE-2013-2465 and CVE-2013-2471). This caused us to look into native layer exploits more closely, as they have been becoming more common this year. At this year's Pwn2Own competition at CanSecWest, Joshua Drake showed CVE-2013-1491, which was exploitable on Java 7 running on Windows 8. CVE-2013-1493 has become a popular vulnerability to target in exploit kits such as Blackhole
Security Patches, Mitigations, and Software Updates
Google to Implement 5–Year Limit on Digital Certificates(Infosecurity Magazine) Compromised digital certificates have been a weak link in a few high-profile security incidents of late, prompting a discussion on how to more adequately lock them down. For its part, Google is planning to cap certificate validity at 60 months
Office 2003 soon to lose support too(ZDNet) It's not just Windows XP that reaches support end of life next April on Patch Tuesday, but Office 2003 as well. This was an extremely popular version of Office, and running it without security patches will be dangerous
Struggling With Attack Detection And Analysis(Dark Reading) New survey shows organizations don't know when they've been attacked and can't easily determine scope of attacks. Enterprises are increasingly finding it harder to detect attacks in a timely fashion or quickly determine the scope of attacks when they are discovered. A new survey out this week shows that while the majority of organizations seem confident in their ability to quickly analyze and respond to security alerts, many have a hard time finding attacks in real-time or even being sure they've experienced an attack
Growing Trend In Fraud, Identity Theft Being Camouflaged By DDoS Attacks, Cyber Security Company Says(HS Today) Calling it a "high risk factor," Prolexic, a firm that provides Distributed Denial of Service (DDoS) protection, said Wednesday it is sharing "attack signatures and details that are helpful to detect and stop DDoS attacks from the Drive DDoS toolkit, an attack tool often used as a source of distraction while criminals break into customer accounts at finance firms and e-Commerce businesses."
How cyber-risk savvy are you?(ABA Banking Journal) With all-the-time connectivity, comes all-the-time risk. Cyber insurance, which covers a form of 21st century peril, has emerged as a "must have" for banks. It is directly related to electronic banking, the internet, and being connected 7x24x365
Secure email is dead(IT World) As any married couple will tell you, trust is the most precious commodity. And, once it's gone, it's almost impossible to get back. That maxim is just as applicable to the technology world when it comes to security and privacy. That's why a giant brick and mortar retailer like TJX can lose the credit card information belonging to tens of millions of customers and barely miss a beat, while a firm like the Dutch certificate authority DigiNotar (part of the U.S. based firm Vasco Data Security Intl.) can lose a few hundred certificates and be forced out of business. Put simply: when your business is trust, and there's a breach of that trust, you're out of business
Cybersecurity queries surge in wake of Snowden claim(FreeNewsPos) Inquiries about tightening cybersecurity from local companies have "surged" since the Edward Snowden incident, consultants said yesterday at the region's first international conference on cybercrime and computer forensics
Tor usage up by more than 100% in August(The Register) Secure network usage spikes worldwide, reasons unknown. The privacy-enhancing Tor network has seen its total number of users per day more than double in the last month, reaching the highest levels since the project first began compiling usage statistics
Symantec Nominates Two New Board Members(Wall Street Journal) Major General Suzanne Vautrinot, retiring commander of the 24th Air Force, the Air Force Service Component of the United States Cyber Command; and -- Anita
Will Greifeld survive at Nasdaq?(FierceFinance) There's no denying that Robert Greifeld, the CEO of Nasdaq, is under pressure right now. Technology malfunctions have severely undermined its public reputation. The inability to find a merger partner has raised brows, leading to talk of missed opportunities. And the decision not to communicate more quickly about the recent 3-hour outage was thoroughly lambasted by many, perhaps most memorably by James Cramer, who went on something of a rant
Products, Services, and Solutions
StrikeForce Technologies Inc.'s GuardedID Keystroke Encryption Patent Granted(Dark Reading) StrikeForce Technologies, Inc. (SFOR.OB), a company that specializes in Cyber Security for the prevention of Data Breaches, announced today that it has received an official Notice of Allowance from the United States Patent Office stating that their patent application "Methods and apparatus for securing keystrokes from being intercepted between the keyboard and a browser" has been allowed for issuance and a patent
HP releases Fortify Static Code Analyzer 4.0(Help Net Security) HP announced Fortify Static Code Analyzer (SCA) 4.0, delivering a new approach that enables organizations to assess the security of software up to 10 times faster than previous versions of the solution
VM–to–VM Traffic No Longer a Security Blind Spot(RSA Blog) VMware has done much to change the way IT operates the data center. For each of the last 10 years at VMworld, VMware always seems to unveil a new way it is taking another giant leap toward the realization of the total virtual data center
Baking Better Security into Software Development(Infosecurity Magazine) The infosecurity industry is largely reactive in nature — it reacts to threats against information. Those threats typically use software flaws as an entry point. It follows that if software flaws can be minimized, security costs can be reduced
New protection mechanism prevents mobile cross-app content stealing(Help Net Security) A group of researchers from Indiana University and Microsoft Research have recently published a paper detailing the risk of cross-origin attacks on two of the most popular mobile operating systems today - iOS and Android - and have introduced an origin-based protection mechanism of their own design
Some Tips for Smartphone Security(Syracuse New Times) Or maybe it's because of all the publicity surrounding the National Security Agency and PRISM. Whatever caused it, people are more aware of and concerned
Research and Development
Video: How quantum cryptography works(InfoWorld) According to InfoWorld's Roger Grimes, quantum cryptography is the last, best defense when it comes to security. Computers are becoming so powerful that they can break traditional cryptography, which relied on complex math to work. Once quantum computing comes into play, it's game over for conventional cryptography. Thus, quantum computing begets quantum cryptography. But how does quantum cryptography work, exactly
'Drawing a secure cryptographic code can be done in principle'(The Hindu) Quantum cryptography is considered extremely secure as it builds on the sensitive properties of quantum light. Prof. Charles Bennett of IBM Research, U.S., explained to Shubashree Desikan the basics of quantum cryptography, security and hacking. Prof. Bennett, along with Prof. Gilles Brassard, University of Montreal, Canada, discovered the BB84 protocol, which is the cornerstone of quantum cryptography. He was in Chennai to attend the Asian Quantum Information Science - 2013 conference
CDFAE(DC3) The National Centers of Digital Forensics Academic Excellence (CDFAE) program has been developed to foster the digital forensics field and encourages growth in supporting the National Initiative Cybersecurity Education (NICE) framework
Legislation, Policy, and Regulation
How New Zealand banned software patents without violating international law(Quartz) What do you do when you're a small country with a technology industry convinced that innovation requires the banning of software patents, but you've signed an international treaty that in theory obliges you to make software patentable? If you're New Zealand, you simply declare, in a historic and long-debated bit of just-passed legislation, that software isn't an invention in the first place
Obama's surveillance board packed with insiders(Politico) President Barack Obama pledged he'd appoint "outside experts" to review the country's surveillance practices, but he's since tapped largely insiders for the key posts. The group, formed to examine the policies and procedures at the National Security Agency as it tracks terrorism suspects' digital communications, is composed mostly of Washington types, many with connections to the very intelligence establishment they're now tasked with scrutinizing in the wake of Edward Snowden's leaks
Should the U.S. Protect Companies Against Hackers?(Bloomberg) Bob Stasio of Ronin Analytics discusses the threat of retaliation against private companies for actions related to United States policy and whether the government should be involved in protecting companies' networks. He speaks on Bloomberg Television's "Market Makers"
Snowden impersonated NSA officials, sources say(NBC News) Edward Snowden accessed some secret national security documents by assuming the electronic identities of top NSA officials, said intelligence sources. "Every day, they are learning how brilliant [Snowden] was," said a former U.S. official with knowledge of the case. "This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble"
Firm That Vetted Snowden Defends Its Work(Wall Street Journal) The private company that conducted the last background check of former National Security Agency contractor Edward Snowden said it was the federal government's responsibility to catch any problems with its 2011 investigation of the man who has said he leaked top-secret documents
FISA Court Rolls Over, Plays Dead(Forbes) A newly declassified opinion shows FISA court "oversight" in the face of egregious, unconstitutional and potentially criminal government misconduct means nothing
U.S. Secret Service: Five Retailer Breaches Are Linked(Storefront Backtalk) If it seems like this spring and summer have seen a rash of supermarket-chain security breaches, it turns out there's a reason. Five recent cyberattacks against smaller retail chains all appear to have come from the same overseas criminal gang, according to the U.S. Secret Service. That includes the breach at Schnuck Markets that netted thieves as many as 2.4 million card numbers, four other breaches at chains a Secret Service spokesman declined to name, and a collection of retailers in Kentucky and Indiana who all shared the same local reseller who provided the POS remote-access software that thieves exploited
City of London police commissioner hits back at cyber–crime critics(ComputerWorldUK) Earlier this month the Police Commissioner for the City of London, Adrian Leppard, wrote an open letter to The Times in which he painted a distinctly positive view of cyber-crime protection in the UK. In response, Computerworld UK sourced the views of cyber-security experts and published a story - 'London Police Commissioner's cyber-crime open letter laughed at by industry' - that grabbed the attention of Leppard himself
Agreeing to a BYOD policy could land an employee in jail(FierceMobileIT) By agreeing to a BYOD policy, employees could be dragged into civil or criminal litigation, warns Michael Kassner, a freelance writer and information security consultant. Employees could be required to give up their personal device to the courts or even have all of the data on the device searched, with possible legal ramifications for the owner, noted Kassner
Who owns IP in a BYOD environment?(FierceMobileIT) While BYOD has helped improve productivity for workers and provided IT flexibility for companies, it has also raised a number of sticky issues around privacy, legal liability and intellectual property ownership. When an employee creates content on a personally owned device, can the company claim ownership of that content? The answer, of course, is—it depends
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
SANS Thailand 2013(Bangkok, Thailand, August 19 - 31, 2013) SANS hands-on advanced Information Security training is coming to Thailand this August! SANS is bringing our Web App Penetration Testing course to the Crowne Plaza Bangkok Lumpini Park in Bangkok, Thailand.
TechCrunch Disrupt San Francisco(San Francisco, California, September 7 - 11, 2013) For the fourth year in a row, TechCrunch Disrupt will take over the San Francisco Design Center Concourse, and we're bringing the hottest startups and best minds in the industry with us. Block off September...
SANS CyberCon Fall 2013(Online, September 9 - 14, 2013) With sequestration still in place, organizations are finding themselves with training budgets, but drastically reduced travel budgets. This one-of-a-kind online training event brings SANS' top instructors...
15th Annual AT&T Cyber Security Conference(New York, New York, USA, September 10, 2013) The AT&T Cyber Security Conference is an annual day-long conference offered by the AT&T Chief Security Office. Combining the expertise of its security experts, the scale and reliability of its global IP...
International Common Criteria Conference(Orlando, Florida, USA, September 10 - 11, 2013) FBC invites you to participate in the International Common Criteria Conference (ICCC) taking place in Orlando, Florida. This is the first time since 2000 that the ICCC is taking place in the U.S. The ICCC...
GrrCon(Grand Rapids, Michigan, USA, September 12 - 13, 2013) Says IT World, "Another hacker conference, this time in Michigan. The schedule looks to be bawdy, brash and anything but dull, with hackers promising to "pwn" you before you leave town. There are also...
cybergamut Technical Tuesday: Malware Analysis for the Masses(Columbia, Maryland, USA, September 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With...
GovConnects Business Breakfast: Surviving Sequestration(Elkridge, Maryland, USA, September 17, 2013) This Business Breakfast will feature presentations by seasoned professionals in the field of government contracting as they share best practices for dealing with current challenges of doing business in...