Cyber Attacks, Threats, and Vulnerabilities
Researchers Identify Banks Targeted In Forthcoming Attack (Dark Reading) Bank of America, Chase, Citibank said to be among institutions under the gun from planned Gozi-Prinimalka malware attack. …In a blog published late last week, researchers at Trend Micro said they have analyzed the configuration files of the Gozi-Prinimalka malware that is being used in the attacks, and have developed a list of 26 institutions that are being targeted by the cybercriminals. According to Trend Micro, customers of the following financial institutions are at increased risk: Accurint; American Funds; Ameritrade; Bank of America; CapitalOne; Charles Schwab; Chase; Citibank; eTrade; Fidelity; Fifth Third Bank; HSBC; M&T Bank; Navy Federal Credit Union; PNC; Regions Financial Corporation; Scottrade; ShareBuilder; State Employees Credit Union; Suntrust; The Huntington National Bank; United States Automobile Association; USBank; Wachovia; Washington Mutual; and Wells Fargo
Flame, miniFlame, the mystery of an ongoing cyber espionage campaign (SecurityAffairs) Last May the Iranian Computer Emergency Response Team (MAHER) detected a new targeted malware which hit the country, that has been named Flame, also known as Flamer or Skywiper, due to the name of its main attack module. MAHER wasn't the only one to detect the agent; Kaspersky Lab and CrySyS Lab also identified the new dangerous malware, recognized as a powerful cyber espionage tool kit, that hit mainly Windows systems of the Middle East area. The researcher demonstrated the state-sponsored origin and the link with the cyber weapon Stuxnet, dating, in a first analysis, the development of the agent to the same period of the famous virus that hit Iran
Santander's online banking keeps passwords in cookies (H-online) The retail web site for Santander bank has been discovered to be keeping customer passwords in plain text in cookies held while the user is logged in. The discovery was revealed on the Full Disclosure mailing list when an anonymous user posted details of how credit card numbers and other information was stored in session cookies. The H set out to verify whether the claims were correct
Hackers attack Haaretz Hebrew, English websites (Haaretz) Haaretz's websites were brought down for parts of Wednesday due to a denial-of-service cyber attack; the technical staff was able to find its source and block the attack
Cyber attacks (Saudi Gazette) The recent cyber attack on the computer network of oil giant Saudi Aramco ended up affecting 30,000 computers and the company is still dealing with the effect of this attack on its computer network. Qatar gas giant RasGas was also the recent victim of
Exclusive: Recent White House Hacking Originated From Shanghai Jiaotong (The Epoch Times) Shanghai Jiaotong last rose to international notoriety in 2010, when it was named as one of two Chinese universities responsible for a massive cyber-attack on the servers of search giant Google as well as 20 other Western companies. Google came out
South Africa easy target for cyber criminals (IOL) Nigerian princes promise to share their vast inheritance, companies offer lottery winnings and fraudsters posing as local banks are looking to raid accounts. Cyber crime is on the rise, having claimed 556 million victims this year and SA is quickly emerging as a soft target for online fraudsters. A computer expert who works with the FBI and has South African links said: "It's a war, and what astonishes me is how blasé South Africans are about this threat."
Vulnerability Summary for the Week of October 8, 2012 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Explaining the Anonymous and WikiLeaks split (IT World) Confused (and saddened) by the recent split between Anonymous and WikiLeaks? Allow us to help explain it all so even your mom will understand
Security Patches, Mitigations, and Software Updates
Facebook to exclude phone numbers from reverse lookup - for users of two-factor authentication, anyway (Naked Security) Facebook's SMS-based login security was a Catch-22. You had to give Facebook your phone number to improve security. But that exposed your phone number to the vagaries of the Facebook search system. That's now changed, but apparently only temporarily, while Facebook decides what happens next
Cyber Trends
Who's Securing Mobile Payments? - Consumers Expect Banks to Protect the Mobile Wallet (Bank Information Security) Google and Facebook are in the mobile payments arena. But consumers still expect their banking institutions to secure the mobile wallet, says Alphonse Pascual of Javelin. What role must banks play
Despite risks, organizations embracing cloud-based email (Help Net Security) Many organizations are holding off on migrating email to the cloud in order to first assess the security, compliance and other risks against uncertain cost benefits, according to Osterman Research
Cloud Computing Still in Its Infancy, Study Says (Windows IT Pro) That's one of the findings of a study released last month by the Cloud Security Alliance (CSA) and ISACA. The two organizations surveyed more than 250 participants ranging from end users to C-level executives and from organizations of all sizes
Cyber warfare to escalate in 2013: Kaspersky CEO (Nzweek) While Russian anti-virus software producer Kaspersky Lab announced the discovery of a new computer virus named "Mini-Flame", its co-founder and chief executive officer Eugene Kaspersky said the global cyber warfare is becoming more
Small Businesses Under-Estimating Cyber Threats (TheStreet.com) Small businesses have massively underestimated the threat posed by cybersecurity, according to research released on Monday by the National Cyber Security Alliance (NCSA) and Symantec (SYMC)
Merchants ineffectively fighting online fraud (Help Net Security) Although most merchants have made a concerted effort to fight e-commerce fraud, their methods are largely ineffective against fraudsters and off-putting to consumers, according to a new survey
India spews more spam than ever before, report finds (Naked Security) You can thank India for one out of six spam messages in your inbox, up from one in 10 when SophosLabs last put out its list of the Dirty Dozen top spam-relaying countries. The UK has upped its spam output as well, meaning it's rejoined the dirty dozen after an 18-month hiatus
Marketplace
ARINC to Sell Defense Systems Engineering Business to Booz Allen (Govconwire) ARINC Inc. has entered into a definitive agreement with Booz Allen Hamilton (NYSE:BAH) to sell its Defense Systems Engineering & Support Division, ARINC announced Tuesday. Booz Allen will pay approximately $154 million in cash for the ARINC division. Booz Allen says it expects the transaction to be accretive to its earnings in fiscal 2014, which begins
Savvis Completes Acquisition of Ciber's Global IT Outsourcing Business (Govconwire) Savvis, a CenturyLink company (NYSE: CTL), has completed its purchase of client and vendor relationships, infrastructure, technology and facilities assets of Ciber's (NYSE:CBR) IT Outsourcing business in North America, Europe and India for $6 million in cash. "Savvis' acquisition of Ciber's ITO assets enhances and expands our capabilities in areas such as application-management services and
Op/ed: If Microsoft adopts Apple's app strategy, it's better to follow OS X than iOS (Ars Technica) Microsoft's decision to limit Metro apps to the Windows Store is the wrong one
Cyber warfare here to stay, Austin could play key role (KEN5) In the 1995 movie "Hackers," a team of tech-savvy youngsters stop a digital thief from stealing millions of dollars by "out-hacking" the hacker. What made for futuristic Hollywood flash more than 15 years ago is serious business today. At Lackland Air Force Base in San Antonio, the Air Force Cyber Command can launch electronic attacks from across the globe
NATO and DHS cyber-security company also manages US and Canadian electronic health records support (Darker Net) Okay, you will have heard about Cubic (which runs military support systems and public transit smart cards globally and whose chiefs run companies that organise global surveillance systems, such as TrapWire) and SERCO (manages health care systems and prisons in the UK as well as detention centres in Australia) and G4S (runs work-for-dole schemes and security systems). But what about SAIC? Yes, this is yet another multinational that as well as support for health and e-medical records systems just happens to be a NATO insider that provides and manages cyber security solutions and military support for the US Department of Homeland Security, the CIA and well, you name it. SAIC (or Science Applications International Corporation to give its full title) is a US-based company in Vermont with global reach and offers a range of scientific, engineering, and technology applications for national security, energy and the environment, critical infrastructure, and health
India training half a million cyber security experts (Times Live) India aims to tackle a rise in cyberattacks by training up to 500,000 computer specialists over the next five years, officials say. India's security agencies said cyberwarfare has emerged as the top threat to national security with the country's systems subjected to frequent attacks from domestic saboteurs and foreign rivals. National Security Adviser Shivshankar Menon; top members of the National Association of Software Services Companies, the country's information-technology trade federation; and industry chambers of commerce discussed the public and private sector plan at a meeting Monday. "Despite having a reputation as an IT powerhouse, India faces a shortfall of around 500,000 such experts," Data Security Council of India chief executive Kamlesh Bajaj said
Security Stocks Falter Before Earnings, Amid Threats FTNT CHKP (Investor's Business Daily) Defense Secretary Leon Panetta last week warned of a cyber Pearl Harbor as…Check Point Software Technologies (CHKP), which made its name building
Pragmatics Names Stanley Vet Michael Zaramba CFO (Govconwire) Pragmatics has appointed Michael Zaramba chief financial officer, where he will oversee the company's financial operations and report directly to CEO Dr. Long Nguyen. The company said Zaramba will be responsible for corporate accounting, financial strategy, business planning, tax functions and corporate acquisitions. Zaramba has 20 years experience in supporting corporate growth and expansion in
QinetiQ Names TASC, GDIT Vet Bruce Feldman National Systems SVP (Govconwire) Qinetiq North America has appointed Bruce Feldman senior vice president for the national systems sector within the mission and information solutions operating unit, the company announced Monday. He will manage service delivery and technology development for contracts with the intelligence community and the U.S. Defense Department. "Bruce comes to the company with more than 20
Products, Services, and Solutions
Eugene Kaspersky Unveils Plans for New Secure SCADA OS (Threatpost) Attacks against SCADA and industrial-control systems have become a major concern for private companies as well as government agencies, with executives and officials worried about the potential effects of a major compromise. Security experts in some circles have been warning about the possible ramifications of such an attack for some time now, and researchers have found scores of vulnerabilities in SCADA and ICS systems in the last couple of years. Now, engineers at Kaspersky Lab have begun work on a new operating system designed to be a secure-by-design environment for the operation of SCADA and ICS systems
Survey of IT managers suggests preference for Microsoft mobile platforms (CSO) A ThinkEquity poll of U.S. IT managers found that 48 percent plan to standardize on Windows mobile OSes, like Windows Phone 8 and Windows RT
BYOD access solution with biometrics (Help Net Security) HID Global announced a solution for government agencies interested in securing iOS devices with access to sensitive data. The solution combines the ActivClient Mobile SDK for iOS with two sleeves
McAfee releases new Data Center Security Suites (Help Net Security) McAfee announced four new Data Center Security Suites to help secure servers and databases in the data center. The suites offer a unique combination of whitelisting, blacklisting and virtualization
Juniper MX Series (Help Net Security) Discover why routers in the Juniper MX Series, with their advanced feature sets and record breaking scale, are so popular among enterprises and network service providers. This authoritative book
IXIA : BreakingPoint Cyber Range Solutions Used During Pacific Endeavor (4-traders) Pacific Endeavor allowed the Ixia BreakingPoint cyber range solutions, along with our highly experienced cyber range team, to quickly create the exact conditions needed to battle test infrastructure and people and transform them both to be resilient
ERPScan Launches Version 2.1 Of Its SAP Security Monitoring Scanner (Dark Reading) ERPScan continuously monitors multiple SAP systems
Technologies, Techniques, and Standards
Gathering Threat Intelligence With Open Tools (Threatpost) Threat intelligence is one of the go-to buzz phrases for many people in the security industry right now, and it's thrown in so many contexts and situations, it's quickly becoming almost meaningless. Most people understand that they need to get better information about what's happening both on their own networks and in the broader landscape, but few people are talking about how exactly to go about gathering that data, outside of trying to sell you a SIEM installation
CyberAwareness Month - Day 15, Standards Body Soup (pt2), Same Soup Different Cook (Internet Storm Center) There are several new protocols that are on their way to being adopted in some form or another. In the previous article we covered how different standards bodies can cover and sometimes govern similar protocols and standards. Here we will discuss two emerging data center oriented standards and how they compete
Reverse Engineering Malware - What you need to know? (Infosec Nirvana) Every now and then, a nasty piece of Malware raises its ugly head and wreaks havoc on the Enterprise Infrastructure. It is often necessary to analyze the Malware and understand its working so that the impact of the Malware on IT Systems can be ascertained AND the nature of preventative controls that can be put in place so that this threat does not spread further. In such scenarios, Reverse Engineering of the Malware becomes a requirement
Network complexity causes security incidents (Net-Security) Complex network security policies, such as those found in multi-vendor environments, are directly related to system outages and security breaches, according to AlgoSec. The survey found that more than 50 percent of respondents reported a security breach, system outage, or both, due to complex policies. The report highlights that nearly 94 percent of organizations have deployed multi-vendor environments and nearly 75 percent of organizations manually manage network security, despite the popular belief from roughly half of the respondents that consolidation would simplify management. "Information systems complexity has grown exponentially yet we continue down the same path - adding more and more layers of complexity," said independent information security consultant Kevin Beaver of Principle Logic
This Week's Best IT & Security Governance Resources (AgileITGovernance) This week, Hord Tipton, the executive director for (ISC)², the largest not-for-profit membership body of certified information security professionals worldwide, wrote a very useful article for security professionals that provides a framework for communicating with senior executives and board members. Reading the How to Communicate Security Strategy and Needs article is a must for any CISO or CIO who finds it difficult to translate complex security issues to a room full of directors that have no idea what he's talking about in order to ask for additional budget. PWC released its 2013 Global State of Information Security Survey
Addressing the DDoS Threat - Essential Steps Institutions Should Take (Bank Information Security) When it comes to fighting distributed denial of service attacks, banking institutions must understand the threats against them, says Bill Wansley of Booz Allen Hamilton. Not all DDoS attacks are created equally, and varying attack vectors require different modes of detection and prevention. Wansley, a financial fraud and security consultant at Booz Allen Hamilton, says DDoS attacks happen frequently and they will continue
Podcast: Stopping the PhD Cybercriminal (ECTNews) The concept of intelligent containment of risk is an important approach to overall IT security. In today's environment, rapid and proactive containment of problems and breaches -- in addition to just trying to keep the bad guys out of your systems -- makes sense. To find out what other approaches to data security are gaining traction, listen to today's podcast featuring Kaivan Rahbari, senior vice president of risk management at FIS Global
Cryptoparties teach data privacy to the public (SBS) "Those who break the law have already probably learnt cryptography," says Asher Wolf. "Maybe a year ago, there were people out there that thought that if we just lobbied the governments hard enough, if we just lobbied businesses hard enough they would
National cyber security month offers tips for staying safe online (FoxReno.com) Coordinated by the U.S. Department of Homeland Security, the Multi-State Information Sharing and Analysis Center (ISAC), the National Cyber Security Alliance, many governments, businesses, schools and other groups, National Cyber Security Awareness
Keeping Data Out Of The Insecure Cloud (Dark Reading) Companies looking to keep their data safe need to give their employees a choice of solid file-sharing services and apps. Otherwise, it's back to their insecure favorites
Design and Innovation
ER Accelerator To Boost Seed Funding By $15K Per Startup For Winter 2013 Class (TechCrunch) Entrepreneurs Roundtable Accelerator has popped out more than a few successful startups. Centzy, Number Fire, Bespoke Post, and Triple Lift come to mind. Not to mention PublicStuff, which recently raised $5 million. But Jon Axelrod, Managing Director of ERA is no fan of resting on laurels, and so the accelerator is making a few important changes
Research and Development
Facebook R&D Goes Global: Opens Engineering Office In London, Its First Outside The U.S. (TechCrunch) With the majority of Facebook's 1 billion users, and subscriber growth, now coming from outside the U.S., the company is taking ever more steps to building out its global footprint to reach that audience. To that end, today Facebook opened up an engineering center in London, its first outside of the U.S. and is now hiring for people to staff it, following through on an announcement it first made
Academia
Prince George's Wins NSF Grant To Spread Security Education in Community (Campus Technology) The college, which has multiple locations in Maryland, is recognized by the National Security Agency and the Department of Homeland Security as a center of academic
Legislation, Policy, and Regulation
States may join feds in regulating infrastructure cybersecurity (Homeland Security Newswire) Dealing with cybersecurity issues relating to U.S. infrastructure has largely been a federal responsibility, carried out through the North American Electric Reliability Corporation Critical Infrastructure Requirements (NERC-CIP). The limitations of these requirements have led state regulators to consider increasing state role in infrastructure protection. Smart Grid News reports that the NERC-CIP covers generation and transmission assets that qualify as critical, but estimates put 80-90 percent of grid assets outside the NERC-CIP responsibility
Senate to Reconsider IT Security Bill - Can Lawmakers Resolve Stalemate over Cybersecurity Act? (Government Information Security) Whether U.S. Defense Secretary Leon Panetta's dire outlook on cybersecurity is as stark as he outlined in a policy address last week [see In His Own Words: Panetta on Cyberthreats], his remarks provided the catalyst to get the Senate to reconsider cybersecurity legislation it blocked in August. Still, the fact that debate over the Cybersecurity Act of 2012 will be resurrected after the November U.S. elections doesn't mean significant cybersecurity legislation will be enacted this year. "I will bring cybersecurity legislation back to the Senate floor when Congress returns in November," Senate Majority Leader Harry Reid, D-Nev., declared in a statement over the weekend. "My colleagues who profess to understand the urgency of the threat will have one more chance to back their words with action, and work with us to pass this bill
GOP senator backs Reid's push to revive cybersecurity legislation (The Hill) Plans to bring cybersecurity legislation back to the floor in November because only Congress has the authority to implement the tools needed to beef up the nation's defenses against a cyber attack. "It is imperative that Congress pass cyber security
Note to Senator Reid: Cybersecurity Differences Are About Policy, Not Politics (Heritage.org) A second camp believes that regulations are essentially worthless and even harmful to cybersecurity, because they can't keep up with the constantly evolving cyber realm. This camp points out that this standards-based system will likely be led by the
Panetta, Alexander stress urgency of cyberdefense (FCW.com) Keith Alexander, commander of U.S. Cyber Command and director of the National Security Agency, at a separate event on the same day. "Ninety percent of cyberspace is owned and operated by industry. But the government depends on that space to operate
The Significance of Panetta's Cyber Speech (Lawfare) What exactly is the threshold for a self-defensive offensive operation in response to a cyber attack? What counts as an imminent threat of cyberattack that would warrant a preemptive attack by the USG? The effectiveness of any deterrence posture
The inevitable blowback to high-tech warfare (Washington Post) Blowback is defined as "an unforeseen and unwanted effect, result, or set of repercussions," according to the Merriam-Webster Dictionary. Are some modern military techniques first employed by the United States coming back to haunt us? It would not be the first time. In a speech Thursday on cybersecurity, Defense Secretary Leon E. Panetta described as "probably the most destructive attack that the private sector has seen to date" the Shamoon computer virus that in August virtually destroyed 30,000 computers belonging to the Saudi Arabian state oil company Aramco
Canadian, German data protection watchdogs join forces (CSO) The German and Canadian data protection commissioners signed an agreement on Monday that aims to ensure people's digital privacy will be better protected if data travels across borders via the Web, the authorities announced. International cooperation could help put companies like Facebook and Google on a privacy leash
Du deadline: TRA to the rescue, extends SIM registration deadline (Emirates 24/7) The Telecommunications Regulatory Authority (TRA) has confirmed the extension of the deadline for the SIM registration of mobile subscribers. Etisalat and Du will extend the timeframe for the first category and include it in the second category due date since the licensees were unable to provide smooth mechanisms to facilitate, accelerate and stimulate subscribers to update their data
Cyber security panel high on India's agenda (Times of India) To counter cyber attacks in economic and social infrastructure development, the Indian government on Monday said it would set up a joint working group to engage the private sector and will start four pilot projects for the purpose. "We hope to set up a permanent Joint Working Group (JWG) on cyber security and will start four pilot projects," national security advisor Shivshankar Menon said after releasing the JWG report on engaging the private sector on cyber security. The four pilot projects will include setting up a testing laboratory, a test audit, studying vulnerabilities of the critical information infrastructure and establishing a multi-disciplinary centre for excellence. The permanent JWG would be a roadmap for implementation of the recommendations of the group, said Menon
Netherlands - minister of justice concept proposition to parliament - police should be allowed to hack computers (Telegraaf) The Minister of Safety and Justice in the Netherlands, Minister Opstelten, has written a concept letter for parliament where he requests authority for Police and Justice permission to remotely hack into computers and better act against serious forms of cybercrime. Besides remotely being able to break into computers, police should also be authorized to remotely install software on those computers. And - here comes the complex part - not only for computers based in the Netherlands
Freedom on the net 2012 (Blogactiv) The work on the report on the European Union's policy in the field of digital freedom is now in progress. I will certainly come back to this subject more than once, but today let me focus on another document, prepared by the U.S. NGO Freedom House, which for several years has conducted a systematic study on the digital freedom, its violations and present trends. In addition to its research on the Internet, Freedom House prepares also its flagship products, regular reports on the freedom in the world and on the freedom of the press
Google privacy policy rethink demanded by EU (BBC) Google is to be told by the EU to change the way it gathers personal information if it is to avoid "high risks to the privacy of users". Twelve recommendations were outlined in a letter signed by 24 of the EU's 27 data regulators, Reuters reported. It follows a nine-month investigation into the company's data collection practices
Litigation, Investigation, and Law Enforcement
Congressman warns FTC: Leave Google alone (Ars Technica) Says antitrust action against Google "defies all logic"
Gary McKinnon saved from extradition after ten year fight (Naked Security) Gary McKinnon, the British hacker who has been fighting a high profile campaign for ten years to avoid extradition to the United States, has had his extradition blocked by the UK government
Cyber bullying on social media is at 'a breaking point,' says NDP MP (National Post) "Nowadays, with cyber bullying, with social media, it has gotten to a breaking point," said Morin, whose motion comes in the tragic wake of a bullying-related suicide that has captured the country's imagination. The death last week of Vancouver teen