The retail point-of-sale cyber criminal campaign (Target was patient zero, but Neiman Marcus and others were also affected) has a new name, and it's Russian: "Kaptoxa." Stolen data were quietly exfiltrated to servers in Russia. The US Secret Service continues to investigate, and the Department of Homeland Security quietly circulates advice on attack detection and mitigation to retailers. Speculation that Kaptoxa represents an attempt to "bring down the US economy" is surely preposterous (ordinary criminal motives are sufficient explanation) but does suggest the breach's seriousness and scope.
The other publicly known target, Neiman Marcus, was compromised in July 2013. The New York Times reports this breach was only fully contained last Sunday.
Wired notes that Target sustained a similar attack in 2005, and argues that relatively small financial damage led to a cost-benefit decision against security upgrades.
The long-predicted hack involving the Internet of things has come about: a refrigerator has been implicated in a spam campaign that ran between December 23 and January 6.
The Economist interviews Adi Shamir on the threat of acoustic cryptanalysis.
The BANLOAD banking Trojan, most active in Brazil, is found to employ some innovative techniques to evade detection and blocking.
In industry news, CipherCloud buys CloudUp Networks. Wall Street's crush on FireEye's Mandiant acquisition continues. Retail breaches fuel the market for cyber insurance, and Allianz teams with Thales to offer protection and policies.
US President Obama will speak on the NSA later today. Observers expect a change in meta-data storage, but not much else.
Today's issue includes events affecting Belgium, Brazil, China, France, India, Italy, Russia, South Africa, United Kingdom, United States.
Monday is Martin Luther King Day, and the CyberWire will observe the holiday with a one-day hiatus.
Malware in Target attack partly in Russian(USA Today) U.S. government report describes sophisticated cyber attack operation authorities are calling Kaptoxa, a Russian word that comes from a piece of code in the malware
Neiman Marcus computers were hacked as far back as July: NYT(Reuters via Yahoo!) Hackers breached the computer networks of luxury department store chain Neiman Marcus as far back as July, an attack that was not fully contained until Sunday, the New York Times reported, citing people briefed on the investigation
Target attackers may have struck others(Minneapolis Star-Tribune) The government put U.S. retailers on alert Thursday that the sophisticated data heist operation that struck Target Corp. has likely infected other companies with malicious software
Target Got Hacked Hard in 2005. Here's Why They Let It Happen Again(Wired) A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country. Target and Neiman Marcus in 2013? No: This oh-so-familiar attack occurred in 2005
Someone's refrigerator just took part in a malicious cyberattack(Quartz) Between December 23 and January 6, more than 100,000 internet-connected smart "things," including media players, smart televisions and at least one refrigerator, were part of a network of computers used to send 750,000 spam emails. So says a study just released by enterprise security company Proofpoint. This is the first time anyone in the security industry has proved that devices that are part of the internet of things are being used just as PCs have been for decades—as part of "zombie" networks of computers used to do everything from sending spam to mining bitcoin
Unsafe and sound(The Economist) Ciphers can now be broken by listening to the computers that use them. Eavesdropping, be it simply sticking an ear against a door or listening to and analysing the noises made by tapping different keys on a keyboard, is a stock-in-trade of spying. Listening to a computer itself, though, as it hums away doing its calculations, is a new idea. But it is one whose time has come, according to Adi Shamir, of the Weizmann Institute, in Israel, and his colleagues. And Dr Shamir should know. He donated the initial letter of his surname to the acronym "RSA", one of the most commonly used forms of encryption. Acoustic cryptanalysis, as the new method is known, threatens RSA's security
BANLOAD Limits Targets via Security Plugin(TrendLabs Security Intelligence Blog) The presence of a security product is normally seen as a deterrent or challenge for cybercriminals. However, that is not the case with this banking Trojan, specifically, a BANLOAD (also known as BANKER or BANBRA) variant. This malware actually limits its range of victims to online banking clients of Banco do Brasil. It does so by checking for the presence of a specific security product before it executes its malicious routines
Using an iPhone to Pay at Starbucks? Think Twice.(Brighthand) Starbucks has promised a future update to its iPhone barcode scanning app, aimed at fixing a security flaw which could leave a person's user name, email address, password, and location information open for a security-savvy thief to see
New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor(Webroot Threat Blog) In need of a good example, that malicious adversaries are constantly striving to 'innovate', thereby disrupting underground market segments, rebooting TTPs' (tactics, techniques and procedures) life cycles, standardizing and industrializing their fraudulent/malicious 'know-how'? We're about to give you a pretty good one. Regular readers of Webroot's Threat Blog, are no strangers to the emerging TDoS (Telephony Denial of Service) underground market segment. Primarily relying on the active abuse of legitimate services, such as, for instance, Skype and ICQ, as well as to the efficient and mass abuse of non-attributable SIM cards, for the purpose of undermining the availability of a victim's/organization's
Massive RFI scans likely a free web app vuln scanner rather than bots(Internet Storm Center) On 9 Jan, Bojan discussed reports of massive RFI scans. One of the repetitive artifacts consistent with almost all the reports we've received lately is that the attackers are attempting to include… I investigated a hunch, and it turns out this incredibly annoying script kiddie behavior is seemingly, rather than bots, thanks to the unfortunate misuse of the beta release of Vega, the free and open source web application scanner from Subgraph
ilmeteo.it hacked(Dynamoo) Popular Italian weather site ilmeteo.it appears to have been compromised this morning, with several legitimate .js files on the site altered to drive traffic towards a malicious hacked domain at karsons.co.uk
Underrated threats? Research into the evolving world of risk(Aon Risk Solutions) As part of our efforts to help companies stay abreast of emerging issues and learn what their peers are doing to manage risks and capture opportunities, we have conducted the fourth biennial Global Risk Management Survey (GRMS). It gathered input from 1,415 respondents from 70 countries in all regions of the world and from companies of all sizes and has the most comprehensive peer-provided risk data in the industry, capturing the latest risk trends and priorities companies face
Cloud security firm CipherCloud acquires CloudUp(FierceITSecurity) To address enterprises' cloud security and privacy concerns, cloud security firm CipherCloud has acquired CloudUp Networks, a provider of software-as-a-service application security, for an undisclosed consideration
BAE Systems Rebrands Cyber-Security Business in Commercial Push(Bloomberg) BAE Systems Plc (BA/) is rebranding its cyber-security operations as Europe's largest defense company seeks to gain business from more companies beyond its traditional government customers. Activities to protect computer networks will be called BAE Systems Applied Intelligence, replacing the Detica name as of Jan. 31, the London-based company said in a message to employees. "We are changing our name in January to closer align to the BAE Systems brand," it said in a separate e-mail
New CEO Kheradpir Lays Out Vision For Future Of Juniper Networks(CRN) At Juniper Networks' (NSDQ:JNPR) Global Partner Conference this week, new Juniper CEO Shaygan Kheradpir laid out his vision for both Juniper and its partners moving into 2014. That vision, he said, is centered around Juniper embracing hybrid cloud ecosystems, highly intelligent networks, and starting to view service provider and enterprise customers through a similar lens
Social Security Administration Wants Information on Private Cloud(Executive Mosaic) The Social Security Administration has issued a request for information on private cloud software packages as it seeks to automate processes, FCW reported Wednesday. Frank Konkel writes interested vendors are asked to submit data on product compliance such as a web-based portal, unified service catalog, performance monitoring, virtual machine life-cycle management, multitenancy, capacity planning and asset management
Cyber security talent goes to the highest bidder(Computing) When former White House cyber security co-ordinator Howard Schmidt congratulated the UK government for the launch of its Cyber Security Information Partnership scheme in March 2013, he said: "What you've been able to do in two years has taken us about 17 years to do"
Cyber Town Malvern(BBC) The historic spa town of Malvern in Worcestershire is rapidly becoming the centre of a hub of small companies specialising in a very 21st century occupation: defending people from Internet crime. Unlikely as it sounds, Malvern has been a centre of science expertise for decades. Now it's a place where innovation thrives outside big corporate labs. Peter Day finds out why
ATMs Face Deadline to Upgrade From Windows XP(BusinessWeek) One-dollar bills. Envelope-free deposits. Stamp dispensers. These are a few of the features that Wells Fargo (WFC), Bank of America (BAC), JPMorgan Chase (JPM), and other banks tout as the latest and greatest features of their fleets of ATMs. It's hardly stuff to set the heart racing
Panda Security Appoints Diego Navarrete as New CEO(MarketWatch) Panda Security, The Cloud Security Company, today announced the appointment of Diego Navarrete as CEO of the multinational computer security company. Navarrete joins Panda Security from IBM, and brings a wealth of experience in the software and security sectors
KoolSpan Bolsters Management Team with Appointment of Nigel Jones as Chief Financial Officer(KoolSpan) KoolSpan Inc, developer of patented, hardware-based mobile security applications, announced today that Nigel Jones has joined the company as Chief Financial Officer, effective immediately. Responsible for all financial aspects of KoolSpan's business, Jones is a telecom industry veteran with more than 15 years of experience in strategic financial management, fundraising, investor relations and mergers and acquisitions
INSIDE Secure Achieves New Level of Security for Enterprise Applications in Smartphones(The Wall Street Journal) INSIDE Secure (NYSE Euronext Paris: INSD), a leader in embedded security solutions for mobile and connected devices, today announced it has upgraded its SafeZone FIPS software cryptographic module to improve security for a broad array of smart connected devices. INSIDE's enhanced SafeZone cryptographic software enables developers for the first time to build FIPS 140-2 certified applications for Trusted Execution Environments (TEE) based on ARM TrustZone® frameworks
Computer Forensics in the Name of Social Justice(Consumer Electronics Net) Case & Point, which aims to serve indigent people who have been put on trial and lack the resources to utilize computer forensic evidence in their own defense, is pleased to announce that they have begun a campaign on Indiegogo.com to help raise funds to implement the initial infrastructure required to set up a digital forensics lab. Case & Point is asking for $9,000 to obtain the necessary software and certain peripherals that are specific to digital forensics in a social justice cause
Ways to avoid a multi-million dollar security disaster(SC Magazine) From Adobe to Facebook, security breaches continue to be top-of-mind for both companies and users, and organizations around the globe are all wondering if they are next in line to deal with a breach of their own. Hackers may always be a few steps ahead of companies when it comes to cracking codes and stealing information, but as we dissect breach after breach, it's clear that companies are not helping their security cause — they are actually jeopardizing it in more ways than one. With a few simple steps, companies can take back control of their infrastructure and assure that their next breach is merely an inconvenience rather than a multi-million dollar catastrophe
Information Security Policy Templates(SANS Institute) Welcome to the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already including policy templates for twenty-four important security requirements
Cover your webcam when you're not using it(Flanders News) Belgium's Federal Computer Crime Unit says it's "a good precaution" to tape up or cover your computer's webcam when you are not using it. There are cases of webcam hackers in Belgium that collect private footage of victims, in order to blackmail them later on. However, police immediately add that it's not a widespread problem in Belgium, and that there is no reason to panic
Security Expert Bruce Schneier Says to Foil NSA Spies, Encrypt Everything(BloombergBusinessWeek) In the world of cybersecurity, Bruce Schneier is an unusually accessible voice for those of us who feel we don't quite understand what's going on. The author of 12 books, and a prolific blogger and speaker, Schneier helped the Guardian go through the top-secret documents from the U.S. National Security Agency leaked by Edward Snowden last year
How Asian dating sites cracked your biggest complaint—everyone lies online(Quartz) Online dating site OKCupid has found an inexplicable number of men happen to be exactly six feet tall and there are four times as many people who claim to earn $100,000 per year as there should be. False advertising, or misrepresentation, is standard in any marketplace; the dating market is no different
How you will connect with your connected car(Quartz) Connected cars are coming. General Motors will roll out a bunch of 2015-model Chevrolet cars with onboard fourth-generation (4G) mobile broadband. Google just announced the Open Automotive Alliance to push its Android operating system into cars. Most auto manufacturers are working to better use the internet connectivity in their cars. In a few years, they think, our cars will be like our smartphones—able to download apps, stream music, provide better navigation, and stay connected to the internet
Why wasn't healthcare.gov security properly tested?(SC Magazine) When the healthcare.gov website was launched on Oct. 1 it didn't take long for technical issues to hit the headlines. Americans trying to register for health care found the website unusable. There were glitches, extremely long loading times, and serious errors, but most worrying of all for anyone entrusting sensitive data to the system was the lack of security testing
So You Found An Obamacare Website Is Hackable. Now What?(Forbes) Two months ago, L.A.-based security researcher Kristian Erik Hermansen was signing up for Obamacare via the Covered California site. Given his background in finding vulnerabilities in software and websites, spotting security flaws is second nature to him so he couldn't help but notice problems with the California site, which has seen the most registrations for healthcare in the country
The Worst User Experience In Computer Security?(The New School of Information Security) I'd like to nominate Xfinity's "walled garden" for the worst user experience in computer security. For those not familiar, Xfinity has a "feature" called "Constant Guard" in which they monitor your internet for (I believe) DNS and IP connections for known botnet command and control services. When they think you have a bot, you see warnings, which are inserted into your web browsing via a MITM attack
Obama to end NSA holding of metadata(USA Today) President Obama will call Friday for ending the National Security Agency's ability to store phone data from millions of Americans, and he will ask Congress, the Justice Department and the intelligence community to help decide who should hold these records, officials said
Obama's NSA Speech: Just What Eisenhower Warned About?(NPR) On Jan. 17, 1961, President Eisenhower used his farewell address to warn Americans that: "We must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist"
NSA defenders' shameless "national security" bait and switch(Salon) Mounting evidence shows surveillance has had no impact on preventing terrorism. Is the public paying attention? In order to have a genuinely constructive debate, data must be compiled, evidence must be amassed and verifiable truths must be presented. This truism is particularly significant when it comes to debates about security and liberty
Stone: NSA metadata program captures small fraction of calls(Politico) Contrary to public perceptions, the National Security Agency's controversial program to collect information on phone calls to, from and within the U.S., gathers such metadata on only a small percentage of U.S. telephone traffic, a member of President Barack Obama's surveillance review group said Thursday
Michael Hayden: Snowden 'misshaped' security debate(NBC Today) Retired General Michael Hayden, a former director of both the NSA and CIA, says whistleblowing by former NSA contractor Edward Snowden has severely and irreversibly harmed the security agency's ability to perform its duties
Congress tries to curtail NSA spying, sort of(Nextgov) Buried in a soon-to-pass government spending bill is a ban on the monitoring of any specific U.S. citizen's phone calls and online activities. The small, vague passage, however, leaves wiggle room for the National Security Agency to continue sweeping up Americans' call and Internet data en masse
Will India Deliver Cyber Command For Armed Forces This Time?(Ground Report) India is very good at contemplating concepts but equally bad at implementing the same. The latest to add to this trend is the decision to constitute a cyber command for armed forces of India. India has also in the past released the cyber security policy but experts doubt its effectiveness as it failed on many counts including privacy protection. This is so because India needs a techno legal cyber security framework that is presently missing. Meanwhile, sophisticated cyber attacks against India are rising
Litigation, Investigation, and Law Enforcement
HHS officials questioned on HealthCare.gov security at hearing(FierceHealthIT) Rep. Darrell Issa (R-Calif.) continued his quest for answers on the security of HealthCare.gov before its launch this fall today at a Committee on Oversight & Government Reform meeting, where he facilitated the questioning of three high level staff members of the U.S. Department of Health & Human Services
Jailed terrorist gets extra time for refusing to divulge USB stick password(Naked Security) A British man already in jail for terrorist activity was given another 4 months for refusing to give police the password to a memory stick that they couldn't crack. The convicted terrorist suddenly got his memory back when police said they were launching a new investigation into credit card fraud
Will Sabu face justice at some point?(CSO) It has been a while since Hector Xavier Monsegur, otherwise known as Sabu, signed his deal and decided to turn informant for law enforcement. He was arrested on June 7, 2011 after having led his merry band of ne'er do wells on a website compromise campaign that was all for, as they called it, the "lulz"
Cybertech — Cyber Security Conference and Exhibition(Tel Aviv, Israel, January 27 - 29, 2014) Cybertech Israel, the first event of its kind, will present world-leading companies in the field of cyber defense alongside young companies that offer unique solutions to advance the discipline of cyber...
U.S. Census Data Protection & Privacy Day(Suitland, Maryland, USA, January 28, 2014) The Census Bureau's Privacy Compliance Branch of the Policy Coordination Office is hosting a Data Protection and Privacy Day on January 28. This event is intended to provide a forum for Census employees...
2014 Cybersecurity Innovation Forum(Baltimore, Maryland, USA, January 28 - 30, 2014) The 2014 Cybersecurity Innovation Forum (CIF) is a three-day event, sponsored by the National Cybersecurity Center of Excellence (NCCoE) with DHS, NIST, and NSA as primary participating organizations.
Cyber Training Forum at NGA(Springfield, Virginia, USA, February 4, 2014) The 2014 Cyber Security Training Forum (CSTF) will take place at the NGA East Campus in Springfield, VA. This event is designed to provide education and training to the NGA Workforce, the Intelligence...
Security Analyst Summit 2014(Punta Cana, Dominican Republic, February 9 - 13, 2014) The Kaspersky Security Analyst Summit (SAS) is an annual event connecting anti-malware researchers and developers, global law enforcement agencies and CERTs and members of the security research community.
The Insider Threat: Protecting Data and Managing Risk(Online, February 11, 2014) As recent events have demonstrated, the threats from inside government have the potential to be more harmful than the hacking activities of our enemies. Protecting sensitive government information from...
Free OWASP Training and Meet Up(San Francisco, California, USA, February 24, 2014) OWASP is hosting a special security boot camp for all conference-goers: RSA Conference, Bsides SF, and TrustyCon as well as local developers. The training is recommended for developers who want to learn...
RSA Conference USA(San Francisco, California, USA, February 24 - 28, 2014) Hundreds of game-changing interactions will give you an unparalleled diversity of industry insight and information based on best practices, real implementation stories, and detailed case studies. Each...
Nellis AFB - Technology & Cyber Security Expo(Las Vegas, Nevada, USA, February 26, 2014) For over 12 years, the Armed Forces Communications & Electronics Association (AFCEA) - Las Vegas Chapter and FBC have been co-hosting the Annual Information Technology Expo at Nellis AFB. As was the case...