The CyberWire Daily Briefing for 10.17.2012
MiniFlame is now reported to have spread beyond Lebanon, with reports of the espionage tool surfacing in Iran, Kuwait, and Qatar. Researchers haven't offered attribution yet, but various Middle Eastern news outlets blame the United States. (Infosec Island has a useful summary of what's known about miniFlame.)
The Izz ad-Din al-Qassam Cyber Fighters strike Capital One again, the second time the bank has been hit in the ongoing Islamist cyber campaign against US financial institutions. Santander UK says its storage of customer passwords in cookies presents no risk of compromise. Malware-bearing spam is spoofing British Airways e-tickets. Anyone wondering what an exploit can cost a local government might ask Naperville, Illinois: a recent hack is costing them $600k to fix.
Oracle has issued its expected patches. Three of them are rated critical, and warrant immediate action.
Internal fraud is rising globally, with Indonesia, Russia, and the US leading. Two reports independently suggest a significant lag in recognition and prevention of attacks: hackers on the average can exploit zero-day bugs for ten months; businesses normally don't detect a cyber intrusion for seven months.
Open-source intelligence tool Maltego tickles the dragon's tail by sweeping up tweets and other unprotected communications from the NSA's parking lot. A new "surveillance-resistant" communications platform hits the market this week. Gartner's methods of determining its magic quadrants are released. Kaspersky confirms plans for a secure, Stuxnet-proof SCADA OS.
Those interested in active cyber defense should read the continuing exchange over its legality among Volokh Conspiracy blawgers.
Notes.
Today's issue includes events affecting Australia, Indonesia, Iran, Israel, Kuwait, Lebanon, Palestinian Territories, Qatar, Russia, South Africa, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Flame, miniFlame, the mystery of an ongoing cyber espionage campaign (Infosec Island) Last May, the Iranian Computer Emergency Response Team (MAHER) detected a new targeted malware which hit the country, that has been named Flame, also known as Flamer or Skywiper, due to the name of its main attack module. MAHER wasn't the only one to detect the agent; Kaspersky Lab and CrySyS Lab also identified the new dangerous malware, recognized as a powerful cyber espionage toolkit, that hit mainly Windows systems in the Middle East area. The researchers demonstrated the state-sponsored origin and the link with the cyber weapon Stuxnet, dating, in a first analysis, the development of the agent to the same period as the famous virus that hit Iran
MiniFlame, 'extremely targeted' cyber attack hit Lebanon, Iran (Iran Independent News Service) Researchers said today they have identified part of the powerful Flame cyber espionage program as a stand-alone, "highly flexible" spy program that centered its attacks on
Harmful Computer Virus Was Created by USA (Radio Cadena Agramonet) A recent article in the Washington Post said that the U.S. National Security Agency and the Central Intelligence Agency and Israeli military developed the virus. The new software -called miniFlame and detected last July- is able to take screenshots and
'miniFlame' Ignites Cyber Espionage - Kaspersky Lab Uncovers New Malware (Techzone360) If you are like me – a tad paranoid and hence mindful of things related to cyber warfare and espionage – you likely have the home page of the super sleuths at Kaspersky Lab (KL) bookmarked. However, if you are from the school of "what I don't know can't
MENA under another cyber attack (The North Africa Post) The software is capable of executing more precise attacks on targets and has already affected almost 50 "high-value" machines according to a Kaspersky Lab research report. The behavior of Miniflame is described as "scalpel for a focused surgical
Capital One Targeted Again in Cyber Attack Spree (Fox Business) Capital One's (COF) website was disrupted Tuesday as part of an ongoing string of cyber attacks on U.S. financial institutions by a group claiming to be allied with radical Muslims. A spokesperson said the bank experienced "intermittent" issues with
Warning! British Airways e-ticket receipt malware arriving in an inbox near you (Naked Security) Criminals are spamming out a malware via email, posing as an e-ticket from British Airways. Be on your guard - or risk ending up with an infected computer
Hacking may cost Naperville more than $600,000 (Daily Herald) Hackers who recently compromised the security of Naperville's website, email and other online services not only put the city into an informational black hole but also a financial black hole. City council members on Tuesday approved spending as much as $673,000 to acquire network security hardware and software, computer servers, and associated services necessary to bring the city back online after more than two weeks offline. The noncompetitive bid from Canadian-based N-Dimensions computer consultant includes $395,000 for hardware for security protection and hacker detection, $221,000 for consulting fees for network intrusion identification and analysis and $57,000 for a consultant for network restoration
Santander UK: Data Stored in Cookies Does Not Allow Access to Online Services (Softpedia) According to a security researcher, Santander UK stores highly sensitive information, including passwords and credit card numbers, in session cookies. The financial institution has come forward stating that the information stored in the cookies is not enough to compromise accounts. "The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data," Santander UK representatives told The H Security
Malware targeting Skype missed a trick (Help Net Security) Last week reports came out stating that the Dorkbot worm is now targeting Skype users. The worm fools users into downloading the malware, whose payload locks down machines
Security Patches, Mitigations, and Software Updates
3 Must-Fix Vulnerabilities Top Oracle CPU Patches (Dark Reading) Two CVSS 10.0 and one 9.0 flaws top the charts on a Critical Patch Update list chock full of remotely exploitable vulnerabilities
Oracle Critical Patch Update Advisory (Oracle) A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative but each advisory describes only the security fixes added since the previous Critical Patch Update advisory
Cyber Trends
Significant Spike In Internal Fraud Over Past Year, Kroll Global Fraud Report Reveals (Dark Reading) Information theft is widespread; U.S., Indonesia, and Russia report highest levels worldwide
Hackers Exploit 'Zero-Day' Bugs For 10 Months On Average Before They're Exposed (Forbes) Software vendors are constantly on the watch for so-called zero-day vulnerabilities: flaws in their code that hackers find and exploit before the first day companies become aware of them. But the term zero-day doesn't capture just how early hackers' head-starts often are: Day zero, it seems, often lasts more than 300 days. That's one of the findings of a broad study of hackers' zero-day exploits by two researchers at the antivirus firm Symantec that they plan to present at the Association for Computing Machinery's Computer and Communications Security conference in Raleigh, North Carolina this week
Businesses take 7 months to detect intruders (IT News) Corporations are taking an average of seven months to detect system breaches despite most having access to forensic information in their logs, Verizon has warned. According to Bryan Sartin, vice president of Verizon's Research Investigations Solutions Knowledge (RISK) team, the statistic indicated a need for more security information sharing across organisations. "That seven month window, the clues to the intrusion are there in plain English in the server logs," Sartin told the Australian Information Security Association (AISA) conference in Sydney this week
Can govts ever discuss cybersecurity without going over the top? (Cyberwarzone) It was always a safe bet to suggest, as Crikey did last week, that the tide of stupid would keep rising when it came to self-interested reports. As if pre-arranged, US security software giant McAfee stepped forward a few days later with an online safety survey to show how terrified Americans were about cybersecurity, including that 90% of Americans do not feel completely safe online and 25% had been exposed to a data breach. Cue inevitable dramatic headlines
Payments networks suffer costly cyber attack (iTWire) Speaking at Cebit's Future of Payments conference in Sydney today, Ivan Zasarsky, partner in the financial advisory services group of Deloitte Touche Tohmatsu, said: "Every one of the major payments networks has had significant breaches," in recent years
Most people want control of information collected by data brokers (Help Net Security) As Congress examines how data brokers collect, aggregate and share consumers' personal information, a new survey by TrustedID shows that most people are confused about how data brokers operate and want
Marketplace
OIG finds 85 percent of VA encryption licenses lay dormant (Fierce Government IT) In a report (.pdf) dated Oct. 11, the OIG says the department has installed and activated only 65,000 of the Guardian Edge encryption licenses it bought since a massive data breach in 2006 involving records of 26.5 million active duty troops, veterans, and their family members
IBM Reports Q3 Earnings Mostly In Line With Expectations: $24.7B In Revenue, $4.2B Net Income, $3.62 EPS (TechCrunch) IBM just released its Q3 2012 financials. Big Blue's GAAP earnings came in at $3.8 billion, up 3% from the last quarter. Non-GAAP earnings were $4.2 billion. Overall, the company reported revenue of $24.7 billion, down from $25.8 billion in Q2
Intel Beats The Street With Q3 Revenues Of $13.5B (TechCrunch) Intel just reported its third quarter 2012 earnings with revenues of $13.5 billion, flat compared to the prior year. Intel's net income was $3 billion, up 5.1% compared to last year. Operating income was $3.8 billion, flat compared to a year ago. Its diluted earnings per share were at $0.58 cents per share, a 7.4% increase from last year
Mobile Milestone: The Number Of Smartphones In Use Passed 1 Billion In Q3, Says Strategy Analytics (TechCrunch) We are just getting into reporting season, where some (but not all) handset makers tell us how many handsets they've sold in the last three months, but Strategy Analytics has taken a punt to say that Q3 will be the quarter that we have hit a major milestone: there are now more than 1 billion smartphones in use worldwide — 1.038 billion, to be exact. It's taken 16 years to pass 1 billion, but the
How to get promoted in IT security (Help Net Security) Not only has landing a job become more difficult; it's also getting harder to get promoted once you have the job. Here are some tips to getting ahead in today's competitive, cutting-edge world of IT
Products, Services, and Solutions
Who is tweeting from the NSA's parking lot? (Computerworld) The open source intelligence platform Maltego shows the power of collating publicly available information. From Google Maps, the U.S. National Security Agency's parking lot has a larger footprint than the building itself. And for the high secrecy surrounding what goes on inside, there is plenty of information flowing just outside
New "Surveillance-Proof" App To Secure Communications Has Governments Nervous (Slate) Lately, Mike Janke has been getting what he calls the hairy eyeball from international government agencies. The 44-year-old former Navy SEAL commando, together with two of the world's most renowned cryptographers, was always bound to ruffle some high-level feathers with his new project: a surveillance-resistant communications platform that makes complex encryption so simple your grandma can use it. This week, after more than two years of preparation, the finished product has hit the market
Gartner spells out magic behind quadrants - Blogger smackdown leads to reveal of research methods (The Register) Analyst group Gartner has detailed how it prepares its sometimes-controversial magic quadrants, revealing that a two-hour demo is sometimes part of the research process. Gartner already offers a detailed explanation of how it compiles its Magic Quadrants here. But in an exchange with governance, risk management and compliance consultant Michael Rasmussen, the firm has released more information about the spells it casts to make a Magic Quadrant
Communication Confidential: Startup Offers P2P Encrypted Voice, Text, Video (Dark Reading) Startup Silent Circle rolls out encrypted text, voice, video -- and soon, email -- for the ultra privacy- and security-conscious
Google's bid to fix JavaScript, Dart, is ready for the real world (Ars Technica) Dart SDK's first developer-ready version is now available
LogRhythm Adds New Layer To Its SIEM 2.0 Big Data Security Analytics Platform (Dark Reading) Enables organizations to baseline normal, day-to-day activity across multiple dimensions of the enterprise
UK Fraud Launches New Total Risk Operation (Realwire) Leading fraud detection and prevention consultancy UKFraud (www.ukfraud.co.uk) has launched a new risk consultancy operation called Riskskill
GFI Software unveils VIPRE SDK for Windows (Help Net Security) GFI Software announced the availability of VIPRE 6.0 SDK (for Windows environments) adding several new security features that software developers, PC utility providers and other security vendors can
Bloxx launches VMware virtual appliance (Help Net Security) Bloxx released virtual appliance versions of its Web Filter and Secure Web Gateway. The virtual appliances have identical functionality to the current hardware appliances, making them an ideal choice
Multi-dimensional analytics tool for big data (Help Net Security) LogRhythm announced the enhancement of its SIEM 2.0 Big Data security analytics platform with the industry's first multi-dimensional behavioural analytics. Leveraging innovative and patent-pending
Fortinet unveils FortiOS 5.0 operating system (Help Net Security) Fortinet announced FortiOS 5.0, a security operating system that is the foundation for all Fortinet FortiGate integrated security platforms. This new release provides more security, intelligence
Kaspersky Lab confirms ongoing development of secure OS (Tech2) Experts at Kaspersky Lab recently announced the discovery of miniFlame, a small and highly flexible malicious program, which has been designed to steal data, and control infected systems during targeted cyber espionage operations
Kaspersky Lab and Facebook Partner to Make Social Networking Safer (The Herald) Kaspersky Lab believes that informed computer users are the first line of defense against cyber-crime. In addition to supplying Facebook with threat information, Kaspersky Lab will also contribute expert advice, tips and informative articles to the
Facebook expands blacklist of malicious URLs (CSO) Bolstering 'the link shim' tool is expected to help businesses, as well as consumers
Radware Launches New 'DDoS Warriors' Site (Dark Reading) Provides comprehensive analysis on DoS and DDoS attack tools, trends, and threats
Windows 8 Beats The Mac, Appsolutely (InformationWeek) Microsoft's new operating system looks how a modern OS should--big, bold, and centered around apps. Suddenly, it's Apple's turn to catch up
6 Reasons iOS 6 Jailbreaks Will Be Tough (InformationWeek) Glory hounds hoping to jailbreak Apple's newest devices won't have an easy time of it. Security experts detail the challenges
Cisco WebEx Now Works Sans Cloud (InformationWeek) Cisco also expands collaboration technologies it offers via partners, including a 'rendezvous conferencing' option for videoconferencing
Microsoft Surface Matches New iPad Price (InformationWeek) Microsoft's self-branded Windows 8 tablet comes in at a price that makes it competitive with offerings from rivals--and partners
Technologies, Techniques, and Standards
A False Sense Of Security (Dark Reading) Cutting-edge security technologies are critical to safeguarding data integrity. However, organizations need to also focus on developing effective policies and practices to fully protect crucial information assets
The Difficulties with Attribution in a Digital World (Infosec Island) Every two weeks the HP Security team invites you to join in a tweet chat on a topic plucked from the headlines dealing with what matters to you. Recently the conversation turned to attribution and its many challenges in the digital world. I joined in the chat this week along with a bunch of smart people who dared ask some great questions - this is a summary of that 1 hour chat
System Down: Dealing With Catastrophic Risks In Payments The electronic payment system is a technical marvel. Whether you swipe, stick, type a PIN, or sign, it takes seconds for interconnected computer systems to verify that it's you, make sure you are good for the money, credit the seller, and debit you. With direct deposit and direct debit much household management is on autopilot
Google: Cache Is King (InformationWeek) At HTML5 Developer conference, Google exec examines proper use of caching to speed up websites
Design and Innovation
And the 2012 Start TWS Competition Startups Are… (TechCrunch) It's that time of the year for one of the Israeli startup community's staple events, TWS. This year the event's founder, and Pops CEO, Yaron Orentstein is collaborating with Israel's most popular tech blog, Newsgeek.co.il to showcase some up and coming Israeli early-stage startups (and a couple from Europe)
Research and Development
Randomness and the Intel Ivy Bridge microprocessor (Infosecurity) Cryptography Research (CRI) has published its investigation into the random number generator used by the Intel Ivy Bridge processor, the processor that is likely to be used by the majority of new PCs and laptops now and for the immediate future
Academia
Should High Schools Teach Big Data? (InformationWeek) Given the anticipated shortage of data scientists, some high school educators have jumped in to expose students to big data concepts
Legislation, Policy, and Regulation
Roxon proposes compulsory reporting of online privacy breaches (Sydney Morning Herald) Companies would be required to notify customers if the security of their personal information was compromised under proposals released for discussion by the Gillard government today. Currently, organisations are encouraged to disclose data breaches to the Commonwealth Privacy Commissioner, but are not obliged to do so. Attorney-General Nicola Roxon this morning released a discussion paper to seek comment on whether organisations should be required to report breaches, what kind of breaches should have to be reported, who should be notified, and what penalties should apply for failure to comply
Cyber Security And Congress (Los Angeles Times) Speaking to a group of U.S. business leaders last week, Defense Secretary Leon E. Panetta issued a dire warning that foreign hackers are becoming increasingly sophisticated and that their online attacks on transportation systems, banks and other vital facilities are escalating. The worst-case scenario, he said, is a "cyber Pearl Harbor" perpetrated by state-sponsored hackers or terrorists that "would cause physical destruction and loss of life, paralyze and shock the nation and create a profound new sense of vulnerability"
Air Force Cyber Summit Set To Craft Service Requirements, Roles (AOL Defense) For years the Air Force has claimed to be the service most suited to understanding and operating in cyberspace and the service fought hard to be the Pentagon's lead on cyber issues. But top officers recently admitted that the service has never answered key questions such as how it works with the other services or whether it has legal standing to run global cyber missions
RI announces first statewide cyber security plan (Boston.com) Lincoln Chafee said Tuesday that the one-page plan focuses on ways to keep government operations running if there's a cyber attack. It calls for cyber security training for state employees who access state systems and for educating
DHS, Commerce, Treasury, GSA and DNI Target HSPD-12 Implementation (govWin) At a panel discussion on October 10, 2012, agency representatives from Department of Homeland Security (DHS), Commerce's National Institute of Standards and Technology (NIST), Treasury's Internal Revenue Service (IRS), the General Services
Cloud security: A closer look at FedRAMP (FCW.com) Security concerns typically provide the chief source of rain for the cloud parade, as worries about data leakage and other cyber maladies have caused federal IT managers to think twice about cloud computing
DOD Wants Military Cyber-Shock Troops to Battle Hackers (OilPrice.com) Then in May of this year the Department of Homeland Security revealed a string of attacks on the computer networks of natural gas companies. Again in June hackers broke into a smart meter monitoring system and reportedly reduced all the consumption
Preparing for Cyber War, Without a Map (Technology Review) While the Pentagon and the National Security Agency are believed to have the best technology and intelligence on computer security threats, they are supposed to protect only military computer and communications networks, known in government
UK government's Facebook login proposals don't hold water (Infosecurity) Earlier this month there was much discussion in leading UK national newspapers about a proposal to allow the use of social media credentials to access government websites. This was confirmed by the Government Digital Service blog, which has promised more details in the next few weeks
Litigation, Investigation, and Law Enforcement
Manchester police pay off 150,000 Pound fine for unencrypted USB key (Sophos) The UK Information Commissioner's Office (ICO) recently fined the Greater Manchester Police £150,000 for a data breach. To be fair, the cops took it on the chin. Yesterday, reports the ICO, they paid up
The Legality of Counterhacking: Baker Replies to Kerr (Volokh Conspiracy) Orin Kerr and I agree that "authorization" is the central, and undefined, key to criminal liability under the CFAA. In Orin's view, "authorization" can be determined by asking two questions: First, does the CFAA protect computers or data? And, second, who controls a computer, the data owner or the computer owner? It seems to me that the right answer to each question is "both." The CFAA can and should protect both computers and data stored on computers. Similarly, more than one person can have rights to data on a computer
More on Hacking Back: Kerr Replies to Baker (Volokh Conspiracy) In Stewart Baker's latest post for why hacking is lawful if someone else did it first, he makes a textual argument and a policy argument. I find both extremely weak. Stewart's first argument is that it's possible to read the statute as giving authorization rights to people who have rights in data rather than rights in computers because the statute doesn't textually distinguish between computers and underlying data. The statute just doesn't speak to that distinction, in Stewart's view: It's just an inkblot. So we can read the statute however we want. If you read the whole statute, though, that's plainly wrong. The statute repeatedly and consistently distinguishes between computers and data. The elements of the statute dealing with rights with computers are covered by the basic unauthorized access concept common to most of the different crimes listed in 1030(a). In contrast, the elements dealing with data are covered by the additional elements Congress required for the additional offenses listed in 1030(a). It's one of the most basic divisions in the statute
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Anatomy of an Attack (New York, New York, Nov 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
Cyber Maryland 2012 (Baltimore, Maryland, Oct 16 - 17, 2012) "Designed for information security insiders, business innovators and aspiring professionals, this two-day conference features national thought leaders, showcases business opportunities and provides outstanding networking. CyberMaryland 2012 is for technology companies, business leaders, students, emerging professionals, policy makers, elected officials, business services and entrepreneurs in public and private enterprise."
National Cyber Security Hall of Fame Inaugural Award Ceremony (Baltimore, Maryland, USA, Oct 17, 2012) Created to honor those who've created the cyber security industry, the National Cyber Security Hall of Fame celebrates its inaugural class this month.
Passwords^12 Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO FreeBSD, inventor of scrypt), Simon Marechal (John the Ripper co-developer), Frank Stajano (Cambridge) and many more, this will be the premier event for everything and anything related to password security. Passwords^12 is the first and only conference of its kind, bringing together academic institutions, researchers and security professionals from around the world. It's a not-for-profit and non-commercial conference. No sales personnel, no marketing managers and deep technical talks.
BayThreat (Sunnyvale, California, Dec 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.